From 621d9e5c413e561293d7484b93882d985b3fe15f Mon Sep 17 00:00:00 2001 
From: Endi Sukma Dewata
Date: Sat, 24 Mar 2012 02:27:47 -0500
Subject: Removed unnecessary pki folder.

Previously the source code was located inside a pki folder. This folder was created during svn migration and is no longer needed. This folder has now been removed and the contents have been moved up one level. Ticket #131
---
 base/CMakeLists.txt | 33 + base/ca/CMakeLists.txt | 64 + base/ca/LICENSE | 291 + base/ca/setup/CMakeLists.txt | 8 + base/ca/setup/registry_instance | 63 + base/ca/shared/conf/CMakeLists.txt | 12 + base/ca/shared/conf/CS.cfg.in | 1108 +++ base/ca/shared/conf/acl.ldif | 53 + base/ca/shared/conf/adminCert.profile | 39 + base/ca/shared/conf/caAuditSigningCert.profile | 35 + base/ca/shared/conf/caCert.profile | 44 + base/ca/shared/conf/caOCSPCert.profile | 42 + base/ca/shared/conf/catalina.policy | 184 + base/ca/shared/conf/catalina.properties | 87 + base/ca/shared/conf/context.xml | 40 + base/ca/shared/conf/database.ldif | 4 + base/ca/shared/conf/db.ldif | 163 + base/ca/shared/conf/flatfile.txt | 2 + base/ca/shared/conf/index.ldif | 198 + base/ca/shared/conf/jk2.manifest | 2 + base/ca/shared/conf/jk2.properties | 26 + base/ca/shared/conf/jkconf.ant.xml | 51 + base/ca/shared/conf/jkconfig.manifest | 2 + base/ca/shared/conf/logging.properties | 70 + base/ca/shared/conf/manager.ldif | 48 + base/ca/shared/conf/proxy.conf | 34 + base/ca/shared/conf/registry.cfg | 232 + base/ca/shared/conf/schema.ldif | 489 ++ base/ca/shared/conf/server-minimal.xml | 25 + base/ca/shared/conf/server.xml | 277 + base/ca/shared/conf/serverCert.profile | 39 + base/ca/shared/conf/serverCertNick.conf | 1 + base/ca/shared/conf/shm.manifest | 2 + base/ca/shared/conf/subsystemCert.profile | 39 + base/ca/shared/conf/tomcat-jk2.manifest | 7 + base/ca/shared/conf/tomcat-users.xml | 45 + base/ca/shared/conf/tomcat6.conf | 58 + base/ca/shared/conf/uriworkermap.properties | 13 + base/ca/shared/conf/vlv.ldif | 544 ++ base/ca/shared/conf/vlvtasks.ldif | 40 + base/ca/shared/conf/web.xml 
| 989 +++ base/ca/shared/conf/workers.properties | 206 + base/ca/shared/conf/workers.properties.minimal | 17 + base/ca/shared/conf/workers2.properties | 132 + base/ca/shared/conf/workers2.properties.minimal | 55 + base/ca/shared/emails/ExpiredUnpublishJob | 6 + base/ca/shared/emails/ExpiredUnpublishJobItem | 2 + base/ca/shared/emails/certIssued_CA | 12 + base/ca/shared/emails/certIssued_CA.html | 17 + base/ca/shared/emails/certIssued_RA | 12 + base/ca/shared/emails/certIssued_RA.html | 17 + base/ca/shared/emails/certRequestRejected.html | 10 + base/ca/shared/emails/certRevoked_CA | 12 + base/ca/shared/emails/certRevoked_CA.html | 13 + base/ca/shared/emails/certRevoked_RA | 12 + base/ca/shared/emails/certRevoked_RA.html | 13 + base/ca/shared/emails/euJob1.html | 29 + base/ca/shared/emails/euJob1Item.html | 11 + base/ca/shared/emails/publishCerts.html | 29 + base/ca/shared/emails/publishCertsItem.html | 11 + base/ca/shared/emails/reqInQueue_CA | 5 + base/ca/shared/emails/reqInQueue_CA.html | 12 + base/ca/shared/emails/reqInQueue_RA | 5 + base/ca/shared/emails/reqInQueue_RA.html | 12 + base/ca/shared/emails/riq1Item.html | 5 + base/ca/shared/emails/riq1Summary.html | 12 + base/ca/shared/emails/rnJob1.txt | 8 + base/ca/shared/emails/rnJob1Item.txt | 8 + base/ca/shared/emails/rnJob1Summary.txt | 7 + base/ca/shared/etc/init.d/pki-cad | 87 + base/ca/shared/lib/systemd/system/pki-cad.target | 8 + base/ca/shared/lib/systemd/system/pki-cad@.service | 13 + base/ca/shared/profiles/ca/DomainController.cfg | 130 + base/ca/shared/profiles/ca/caAdminCert.cfg | 87 + base/ca/shared/profiles/ca/caAgentFileSigning.cfg | 86 + base/ca/shared/profiles/ca/caAgentServerCert.cfg | 85 + base/ca/shared/profiles/ca/caCACert.cfg | 95 + base/ca/shared/profiles/ca/caCMCUserCert.cfg | 86 + base/ca/shared/profiles/ca/caDirUserCert.cfg | 99 + base/ca/shared/profiles/ca/caDirUserRenewal.cfg | 12 + base/ca/shared/profiles/ca/caDualCert.cfg | 168 + base/ca/shared/profiles/ca/caDualRAuserCert.cfg | 94 + 
base/ca/shared/profiles/ca/caECDualCert.cfg | 168 + base/ca/shared/profiles/ca/caECUserCert.cfg | 101 + base/ca/shared/profiles/ca/caEncECUserCert.cfg | 93 + base/ca/shared/profiles/ca/caEncUserCert.cfg | 96 + base/ca/shared/profiles/ca/caFullCMCUserCert.cfg | 85 + base/ca/shared/profiles/ca/caIPAserviceCert.cfg | 97 + base/ca/shared/profiles/ca/caInstallCACert.cfg | 96 + .../profiles/ca/caInternalAuthAuditSigningCert.cfg | 80 + .../profiles/ca/caInternalAuthDRMstorageCert.cfg | 86 + .../shared/profiles/ca/caInternalAuthOCSPCert.cfg | 71 + .../profiles/ca/caInternalAuthServerCert.cfg | 86 + .../profiles/ca/caInternalAuthSubsystemCert.cfg | 88 + .../profiles/ca/caInternalAuthTransportCert.cfg | 86 + base/ca/shared/profiles/ca/caJarSigningCert.cfg | 86 + base/ca/shared/profiles/ca/caManualRenewal.cfg | 11 + base/ca/shared/profiles/ca/caOCSPCert.cfg | 70 + base/ca/shared/profiles/ca/caOtherCert.cfg | 85 + base/ca/shared/profiles/ca/caRACert.cfg | 85 + base/ca/shared/profiles/ca/caRARouterCert.cfg | 85 + base/ca/shared/profiles/ca/caRAagentCert.cfg | 95 + base/ca/shared/profiles/ca/caRAserverCert.cfg | 85 + base/ca/shared/profiles/ca/caRouterCert.cfg | 85 + .../shared/profiles/ca/caSSLClientSelfRenewal.cfg | 9 + base/ca/shared/profiles/ca/caServerCert.cfg | 85 + base/ca/shared/profiles/ca/caSignedLogCert.cfg | 74 + base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg | 84 + base/ca/shared/profiles/ca/caTPSCert.cfg | 85 + .../profiles/ca/caTempTokenDeviceKeyEnrollment.cfg | 144 + .../ca/caTempTokenUserEncryptionKeyEnrollment.cfg | 166 + .../ca/caTempTokenUserSigningKeyEnrollment.cfg | 166 + .../profiles/ca/caTokenDeviceKeyEnrollment.cfg | 143 + .../profiles/ca/caTokenMSLoginEnrollment.cfg | 171 + .../ca/caTokenUserEncryptionKeyEnrollment.cfg | 170 + .../ca/caTokenUserEncryptionKeyRenewal.cfg | 11 + .../ca/caTokenUserSigningKeyEnrollment.cfg | 170 + .../profiles/ca/caTokenUserSigningKeyRenewal.cfg | 11 + base/ca/shared/profiles/ca/caTransportCert.cfg | 85 + 
base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg | 99 + base/ca/shared/profiles/ca/caUserCert.cfg | 101 + base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg | 107 + base/ca/shared/webapps/ROOT/WEB-INF/web.xml | 29 + base/ca/shared/webapps/ROOT/index.jsp | 94 + .../shared/webapps/ca/WEB-INF/velocity.properties | 8 + base/ca/shared/webapps/ca/WEB-INF/web.xml | 2480 +++++++ base/ca/src/CMakeLists.txt | 57 + base/ca/src/com/netscape/ca/CAPolicy.java | 138 + base/ca/src/com/netscape/ca/CAService.java | 2122 ++++++ base/ca/src/com/netscape/ca/CMSCRLExtensions.java | 711 ++ base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 3140 ++++++++ .../src/com/netscape/ca/CRLWithExpiredCerts.java | 68 + .../src/com/netscape/ca/CertificateAuthority.java | 2024 +++++ base/ca/src/com/netscape/ca/SigningUnit.java | 389 + base/common/CMakeLists.txt | 16 + base/common/LICENSE | 291 + base/common/setup/CertServer.directory | 23 + base/common/setup/menu.xml | 10 + base/common/setup/web-app_2_3.dtd | 1063 +++ base/common/src/CMakeLists.txt | 1095 +++ base/common/src/LogMessages.properties | 2475 +++++++ base/common/src/UserMessages.properties | 1133 +++ base/common/src/com/netscape/certsrv/acls/ACL.java | 194 + .../src/com/netscape/certsrv/acls/ACLEntry.java | 245 + .../com/netscape/certsrv/acls/ACLsResources.java | 45 + .../com/netscape/certsrv/acls/EACLsException.java | 148 + .../common/src/com/netscape/certsrv/acls/IACL.java | 68 + .../src/com/netscape/certsrv/acls/IACLEntry.java | 34 + base/common/src/com/netscape/certsrv/apps/CMS.java | 1649 +++++ .../src/com/netscape/certsrv/apps/ICMSEngine.java | 1126 +++ .../com/netscape/certsrv/apps/ICommandQueue.java | 48 + .../certsrv/authentication/AuthCredentials.java | 105 + .../certsrv/authentication/AuthManagerProxy.java | 59 + .../certsrv/authentication/AuthMgrPlugin.java | 82 + .../certsrv/authentication/AuthResources.java | 44 + .../netscape/certsrv/authentication/AuthToken.java | 451 ++ .../certsrv/authentication/EAuthException.java | 91 + 
.../certsrv/authentication/EAuthInternalError.java | 39 + .../certsrv/authentication/EAuthMgrNotFound.java | 38 + .../authentication/EAuthMgrPluginNotFound.java | 38 + .../certsrv/authentication/EAuthUserError.java | 38 + .../certsrv/authentication/ECompSyntaxErr.java | 38 + .../certsrv/authentication/EFormSubjectDN.java | 38 + .../authentication/EInvalidCredentials.java | 38 + .../certsrv/authentication/EMissingCredential.java | 38 + .../certsrv/authentication/IAuthCredentials.java | 45 + .../certsrv/authentication/IAuthManager.java | 112 + .../certsrv/authentication/IAuthSubsystem.java | 239 + .../certsrv/authentication/IAuthToken.java | 225 + .../authentication/ISSLClientCertProvider.java | 42 + .../certsrv/authentication/ISharedToken.java | 32 + .../com/netscape/certsrv/authority/IAuthority.java | 64 + .../netscape/certsrv/authority/ICertAuthority.java | 101 + .../certsrv/authorization/AuthzManagerProxy.java | 59 + .../certsrv/authorization/AuthzMgrPlugin.java | 77 + .../certsrv/authorization/AuthzResources.java | 44 + .../netscape/certsrv/authorization/AuthzToken.java | 174 + .../certsrv/authorization/EAuthzAccessDenied.java | 38 + .../certsrv/authorization/EAuthzException.java | 91 + .../certsrv/authorization/EAuthzInternalError.java | 38 + .../certsrv/authorization/EAuthzMgrNotFound.java | 38 + .../authorization/EAuthzMgrPluginNotFound.java | 38 + .../authorization/EAuthzUnknownOperation.java | 38 + .../authorization/EAuthzUnknownProtectedRes.java | 38 + .../certsrv/authorization/IAuthzManager.java | 182 + .../certsrv/authorization/IAuthzSubsystem.java | 162 + .../src/com/netscape/certsrv/base/ASubsystem.java | 70 + .../netscape/certsrv/base/AttributeNameHelper.java | 68 + .../com/netscape/certsrv/base/BaseResources.java | 45 + .../com/netscape/certsrv/base/EBaseException.java | 159 + .../netscape/certsrv/base/EPropertyNotDefined.java | 46 + .../netscape/certsrv/base/EPropertyNotFound.java | 46 + .../netscape/certsrv/base/ExtendedPluginInfo.java | 88 + 
.../src/com/netscape/certsrv/base/IArgBlock.java | 283 + .../src/com/netscape/certsrv/base/IAttrSet.java | 70 + .../src/com/netscape/certsrv/base/IAuthInfo.java | 31 + .../com/netscape/certsrv/base/ICRLPrettyPrint.java | 48 + .../netscape/certsrv/base/ICertPrettyPrint.java | 38 + .../com/netscape/certsrv/base/IConfigStore.java | 297 + .../certsrv/base/IConfigStoreEventListener.java | 48 + .../com/netscape/certsrv/base/IExtPrettyPrint.java | 34 + .../netscape/certsrv/base/IExtendedPluginInfo.java | 79 + .../src/com/netscape/certsrv/base/IPluginImpl.java | 104 + .../netscape/certsrv/base/IPrettyPrintFormat.java | 66 + .../certsrv/base/ISecurityDomainSessionTable.java | 48 + .../netscape/certsrv/base/ISourceConfigStore.java | 81 + .../src/com/netscape/certsrv/base/ISubsystem.java | 78 + .../netscape/certsrv/base/ISubsystemSource.java | 36 + .../src/com/netscape/certsrv/base/ITimeSource.java | 41 + .../src/com/netscape/certsrv/base/KeyGenInfo.java | 229 + .../netscape/certsrv/base/MessageFormatter.java | 155 + .../netscape/certsrv/base/MetaAttributeDef.java | 198 + .../src/com/netscape/certsrv/base/MetaInfo.java | 115 + .../src/com/netscape/certsrv/base/Nonces.java | 123 + .../netscape/certsrv/base/PasswordResources.java | 42 + .../src/com/netscape/certsrv/base/Plugin.java | 59 + .../com/netscape/certsrv/base/SessionContext.java | 166 + .../src/com/netscape/certsrv/ca/CAResources.java | 42 + .../src/com/netscape/certsrv/ca/ECAException.java | 91 + .../com/netscape/certsrv/ca/EErrorPublishCRL.java | 42 + .../src/com/netscape/certsrv/ca/ICAService.java | 90 + .../com/netscape/certsrv/ca/ICMSCRLExtension.java | 72 + .../com/netscape/certsrv/ca/ICMSCRLExtensions.java | 56 + .../com/netscape/certsrv/ca/ICRLIssuingPoint.java | 543 ++ .../netscape/certsrv/ca/ICertificateAuthority.java | 503 ++ .../certsrv/cert/ICrossCertPairSubsystem.java | 62 + .../netscape/certsrv/client/IDataProcessor.java | 36 + .../certsrv/client/connection/IAuthenticator.java | 26 + 
.../certsrv/client/connection/IConnection.java | 50 + .../client/connection/IConnectionFactory.java | 43 + .../netscape/certsrv/common/ConfigConstants.java | 332 + .../src/com/netscape/certsrv/common/Constants.java | 731 ++ .../src/com/netscape/certsrv/common/DestDef.java | 56 + .../netscape/certsrv/common/NameValuePairs.java | 82 + .../src/com/netscape/certsrv/common/OpDef.java | 38 + .../src/com/netscape/certsrv/common/PrefixDef.java | 40 + .../src/com/netscape/certsrv/common/ScopeDef.java | 192 + .../src/com/netscape/certsrv/common/TaskId.java | 129 + .../com/netscape/certsrv/connector/IConnector.java | 61 + .../certsrv/connector/IHttpConnFactory.java | 51 + .../certsrv/connector/IHttpConnection.java | 41 + .../certsrv/connector/IHttpPKIMessage.java | 58 + .../netscape/certsrv/connector/IPKIMessage.java | 71 + .../certsrv/connector/IRemoteAuthority.java | 56 + .../certsrv/connector/IRequestEncoder.java | 49 + .../com/netscape/certsrv/connector/IResender.java | 39 + .../src/com/netscape/certsrv/dbs/DBResources.java | 38 + .../src/com/netscape/certsrv/dbs/EDBException.java | 85 + .../netscape/certsrv/dbs/EDBNotAvailException.java | 40 + .../certsrv/dbs/EDBRecordNotFoundException.java | 40 + .../com/netscape/certsrv/dbs/IDBAttrMapper.java | 80 + .../com/netscape/certsrv/dbs/IDBDynAttrMapper.java | 22 + .../src/com/netscape/certsrv/dbs/IDBObj.java | 41 + .../src/com/netscape/certsrv/dbs/IDBRegistry.java | 171 + .../src/com/netscape/certsrv/dbs/IDBSSession.java | 213 + .../com/netscape/certsrv/dbs/IDBSearchResults.java | 44 + .../src/com/netscape/certsrv/dbs/IDBSubsystem.java | 212 + .../com/netscape/certsrv/dbs/IDBVirtualList.java | 144 + .../netscape/certsrv/dbs/IElementProcessor.java | 36 + .../com/netscape/certsrv/dbs/IFilterConverter.java | 48 + .../src/com/netscape/certsrv/dbs/Modification.java | 87 + .../com/netscape/certsrv/dbs/ModificationSet.java | 61 + .../netscape/certsrv/dbs/certdb/ICertRecord.java | 176 + .../certsrv/dbs/certdb/ICertRecordList.java | 94 
+ .../certsrv/dbs/certdb/ICertificateRepository.java | 528 ++ .../certsrv/dbs/certdb/IRevocationInfo.java | 47 + .../certsrv/dbs/crldb/ICRLIssuingPointRecord.java | 161 + .../netscape/certsrv/dbs/crldb/ICRLRepository.java | 181 + .../com/netscape/certsrv/dbs/keydb/IKeyRecord.java | 153 + .../netscape/certsrv/dbs/keydb/IKeyRecordList.java | 49 + .../netscape/certsrv/dbs/keydb/IKeyRepository.java | 174 + .../src/com/netscape/certsrv/dbs/keydb/KeyId.java | 122 + .../netscape/certsrv/dbs/keydb/KeyIdAdapter.java | 37 + .../com/netscape/certsrv/dbs/keydb/KeyState.java | 106 + .../dbs/replicadb/IReplicaIDRepository.java | 30 + .../certsrv/dbs/repository/IRepository.java | 88 + .../certsrv/dbs/repository/IRepositoryRecord.java | 44 + .../certsrv/evaluators/IAccessEvaluator.java | 89 + .../certsrv/extensions/EExtensionsException.java | 58 + .../certsrv/extensions/ExtensionsResources.java | 34 + .../netscape/certsrv/extensions/ICMSExtension.java | 74 + .../com/netscape/certsrv/jobs/EJobsException.java | 77 + .../common/src/com/netscape/certsrv/jobs/IJob.java | 106 + .../src/com/netscape/certsrv/jobs/IJobCron.java | 42 + .../com/netscape/certsrv/jobs/IJobsScheduler.java | 162 + .../src/com/netscape/certsrv/jobs/JobPlugin.java | 72 + .../com/netscape/certsrv/jobs/JobsResources.java | 43 + .../com/netscape/certsrv/kra/EKRAException.java | 94 + .../src/com/netscape/certsrv/kra/IJoinShares.java | 36 + .../certsrv/kra/IKeyRecoveryAuthority.java | 321 + .../src/com/netscape/certsrv/kra/IKeyService.java | 179 + .../com/netscape/certsrv/kra/IProofOfArchival.java | 80 + .../src/com/netscape/certsrv/kra/IShare.java | 33 + .../src/com/netscape/certsrv/kra/KRAResources.java | 39 + .../com/netscape/certsrv/kra/ProofOfArchival.java | 463 ++ .../com/netscape/certsrv/ldap/ELdapException.java | 93 + .../certsrv/ldap/ELdapServerDownException.java | 40 + .../com/netscape/certsrv/ldap/ILdapAuthInfo.java | 100 + .../certsrv/ldap/ILdapBoundConnFactory.java | 38 + 
.../netscape/certsrv/ldap/ILdapConnFactory.java | 97 + .../com/netscape/certsrv/ldap/ILdapConnInfo.java | 80 + .../com/netscape/certsrv/ldap/ILdapConnModule.java | 59 + .../com/netscape/certsrv/ldap/LdapResources.java | 42 + .../certsrv/listeners/EListenersException.java | 91 + .../certsrv/listeners/IRequestListenerPlugin.java | 86 + .../certsrv/listeners/ListenersResources.java | 42 + .../com/netscape/certsrv/logging/AuditEvent.java | 347 + .../com/netscape/certsrv/logging/AuditFormat.java | 114 + .../com/netscape/certsrv/logging/ConsoleError.java | 38 + .../com/netscape/certsrv/logging/ConsoleLog.java | 124 + .../netscape/certsrv/logging/ELogException.java | 152 + .../com/netscape/certsrv/logging/ELogNotFound.java | 40 + .../certsrv/logging/ELogPluginNotFound.java | 40 + .../netscape/certsrv/logging/IBundleLogEvent.java | 37 + .../com/netscape/certsrv/logging/ILogEvent.java | 108 + .../netscape/certsrv/logging/ILogEventFactory.java | 52 + .../certsrv/logging/ILogEventListener.java | 135 + .../com/netscape/certsrv/logging/ILogQueue.java | 70 + .../netscape/certsrv/logging/ILogSubsystem.java | 108 + .../src/com/netscape/certsrv/logging/ILogger.java | 492 ++ .../com/netscape/certsrv/logging/LogPlugin.java | 32 + .../com/netscape/certsrv/logging/LogResources.java | 60 + .../netscape/certsrv/logging/SignedAuditEvent.java | 349 + .../com/netscape/certsrv/logging/SystemEvent.java | 348 + .../notification/ENotificationException.java | 77 + .../certsrv/notification/IEmailFormProcessor.java | 79 + .../certsrv/notification/IEmailResolver.java | 40 + .../certsrv/notification/IEmailResolverKeys.java | 35 + .../certsrv/notification/IEmailTemplate.java | 48 + .../certsrv/notification/IMailNotification.java | 80 + .../notification/NotificationResources.java | 43 + .../src/com/netscape/certsrv/ocsp/IDefStore.java | 177 + .../com/netscape/certsrv/ocsp/IOCSPAuthority.java | 184 + .../com/netscape/certsrv/ocsp/IOCSPService.java | 77 + 
.../src/com/netscape/certsrv/ocsp/IOCSPStore.java | 71 + .../certsrv/password/EPasswordCheckException.java | 91 + .../certsrv/password/IConfigPasswordCheck.java | 43 + .../netscape/certsrv/password/IPasswordCheck.java | 43 + .../certsrv/pattern/AttrSetCollection.java | 63 + .../src/com/netscape/certsrv/pattern/Pattern.java | 162 + .../netscape/certsrv/policy/EPolicyException.java | 169 + .../netscape/certsrv/policy/IEnrollmentPolicy.java | 35 + .../com/netscape/certsrv/policy/IExpression.java | 61 + .../policy/IGeneralNameAsConstraintsConfig.java | 53 + .../certsrv/policy/IGeneralNameConfig.java | 67 + .../netscape/certsrv/policy/IGeneralNameUtil.java | 77 + .../policy/IGeneralNamesAsConstraintsConfig.java | 53 + .../certsrv/policy/IGeneralNamesConfig.java | 52 + .../certsrv/policy/IKeyArchivalPolicy.java | 33 + .../certsrv/policy/IKeyRecoveryPolicy.java | 33 + .../certsrv/policy/IPolicyPredicateParser.java | 43 + .../netscape/certsrv/policy/IPolicyProcessor.java | 196 + .../com/netscape/certsrv/policy/IPolicyRule.java | 128 + .../com/netscape/certsrv/policy/IPolicySet.java | 105 + .../netscape/certsrv/policy/IRenewalPolicy.java | 33 + .../netscape/certsrv/policy/IRevocationPolicy.java | 33 + .../certsrv/policy/ISubjAltNameConfig.java | 48 + .../netscape/certsrv/policy/PolicyResources.java | 45 + .../netscape/certsrv/profile/CertInfoProfile.java | 102 + .../netscape/certsrv/profile/EDeferException.java | 48 + .../certsrv/profile/EProfileException.java | 47 + .../netscape/certsrv/profile/ERejectException.java | 46 + .../certsrv/profile/ICertInfoPolicyDefault.java | 32 + .../netscape/certsrv/profile/IEnrollProfile.java | 157 + .../certsrv/profile/IPolicyConstraint.java | 89 + .../netscape/certsrv/profile/IPolicyDefault.java | 136 + .../src/com/netscape/certsrv/profile/IProfile.java | 408 + .../certsrv/profile/IProfileAuthenticator.java | 120 + .../netscape/certsrv/profile/IProfileContext.java | 44 + .../com/netscape/certsrv/profile/IProfileEx.java | 36 + 
.../netscape/certsrv/profile/IProfileInput.java | 120 + .../netscape/certsrv/profile/IProfileOutput.java | 121 + .../netscape/certsrv/profile/IProfilePolicy.java | 49 + .../certsrv/profile/IProfileSubsystem.java | 134 + .../netscape/certsrv/profile/IProfileUpdater.java | 77 + .../com/netscape/certsrv/property/Descriptor.java | 93 + .../certsrv/property/EPropertyException.java | 42 + .../netscape/certsrv/property/IConfigTemplate.java | 68 + .../com/netscape/certsrv/property/IDescriptor.java | 90 + .../com/netscape/certsrv/property/PropertySet.java | 52 + .../netscape/certsrv/publish/ECompSyntaxErr.java | 46 + .../netscape/certsrv/publish/EMapperNotFound.java | 42 + .../certsrv/publish/EMapperPluginNotFound.java | 42 + .../certsrv/publish/EPublisherNotFound.java | 42 + .../certsrv/publish/EPublisherPluginNotFound.java | 42 + .../netscape/certsrv/publish/ERuleNotFound.java | 42 + .../certsrv/publish/ERulePluginNotFound.java | 42 + .../netscape/certsrv/publish/ICRLPublisher.java | 107 + .../netscape/certsrv/publish/ILdapCertMapper.java | 70 + .../netscape/certsrv/publish/ILdapCrlMapper.java | 60 + .../netscape/certsrv/publish/ILdapExpression.java | 69 + .../com/netscape/certsrv/publish/ILdapMapper.java | 80 + .../com/netscape/certsrv/publish/ILdapPlugin.java | 45 + .../netscape/certsrv/publish/ILdapPluginImpl.java | 53 + .../certsrv/publish/ILdapPublishModule.java | 43 + .../netscape/certsrv/publish/ILdapPublisher.java | 84 + .../com/netscape/certsrv/publish/ILdapRule.java | 77 + .../netscape/certsrv/publish/IPublishRuleSet.java | 122 + .../certsrv/publish/IPublisherProcessor.java | 360 + .../certsrv/publish/IXcertPublisherProcessor.java | 38 + .../certsrv/publish/LdapCertMapResult.java | 56 + .../com/netscape/certsrv/publish/MapperPlugin.java | 39 + .../com/netscape/certsrv/publish/MapperProxy.java | 62 + .../netscape/certsrv/publish/PublisherPlugin.java | 40 + .../netscape/certsrv/publish/PublisherProxy.java | 60 + .../com/netscape/certsrv/publish/RulePlugin.java | 
40 + .../src/com/netscape/certsrv/ra/IRAService.java | 62 + .../certsrv/ra/IRegistrationAuthority.java | 170 + .../certsrv/registry/ERegistryException.java | 42 + .../com/netscape/certsrv/registry/IPluginInfo.java | 61 + .../netscape/certsrv/registry/IPluginRegistry.java | 91 + .../netscape/certsrv/request/ARequestNotifier.java | 546 ++ .../netscape/certsrv/request/AgentApproval.java | 66 + .../netscape/certsrv/request/AgentApprovals.java | 159 + .../certsrv/request/IEnrollmentRequest.java | 30 + .../src/com/netscape/certsrv/request/INotify.java | 40 + .../src/com/netscape/certsrv/request/IPolicy.java | 53 + .../src/com/netscape/certsrv/request/IRequest.java | 764 ++ .../com/netscape/certsrv/request/IRequestList.java | 56 + .../netscape/certsrv/request/IRequestListener.java | 54 + .../netscape/certsrv/request/IRequestNotifier.java | 130 + .../netscape/certsrv/request/IRequestQueue.java | 403 + .../netscape/certsrv/request/IRequestRecord.java | 112 + .../certsrv/request/IRequestScheduler.java | 45 + .../certsrv/request/IRequestSubsystem.java | 105 + .../certsrv/request/IRequestVirtualList.java | 50 + .../src/com/netscape/certsrv/request/IService.java | 48 + .../netscape/certsrv/request/PolicyMessage.java | 46 + .../com/netscape/certsrv/request/PolicyResult.java | 35 + .../com/netscape/certsrv/request/RequestId.java | 121 + .../netscape/certsrv/request/RequestIdAdapter.java | 37 + .../netscape/certsrv/request/RequestStatus.java | 182 + .../netscape/certsrv/request/ldap/IRequestMod.java | 55 + .../com/netscape/certsrv/security/Credential.java | 64 + .../certsrv/security/ICryptoSubsystem.java | 472 ++ .../netscape/certsrv/security/IEncryptionUnit.java | 175 + .../netscape/certsrv/security/ISigningUnit.java | 164 + .../netscape/certsrv/security/IStorageKeyUnit.java | 99 + .../src/com/netscape/certsrv/security/IToken.java | 41 + .../certsrv/security/ITransportKeyUnit.java | 111 + .../com/netscape/certsrv/security/KeyCertData.java | 821 +++ 
.../selftests/EDuplicateSelfTestException.java | 216 + .../selftests/EInvalidSelfTestException.java | 216 + .../selftests/EMissingSelfTestException.java | 225 + .../certsrv/selftests/ESelfTestException.java | 118 + .../com/netscape/certsrv/selftests/ISelfTest.java | 133 + .../certsrv/selftests/ISelfTestSubsystem.java | 338 + .../certsrv/selftests/SelfTestResources.java | 39 + .../src/com/netscape/certsrv/template/ArgList.java | 68 + .../src/com/netscape/certsrv/template/ArgSet.java | 74 + .../com/netscape/certsrv/template/ArgString.java | 45 + .../com/netscape/certsrv/template/IArgValue.java | 28 + .../com/netscape/certsrv/tks/ITKSAuthority.java | 56 + .../com/netscape/certsrv/usrgrp/Certificates.java | 49 + .../netscape/certsrv/usrgrp/EUsrGrpException.java | 87 + .../netscape/certsrv/usrgrp/ICertUserLocator.java | 49 + .../src/com/netscape/certsrv/usrgrp/IGroup.java | 74 + .../netscape/certsrv/usrgrp/IGroupConstants.java | 46 + .../com/netscape/certsrv/usrgrp/IIdEvaluator.java | 39 + .../com/netscape/certsrv/usrgrp/IUGSubsystem.java | 260 + .../src/com/netscape/certsrv/usrgrp/IUser.java | 171 + .../netscape/certsrv/usrgrp/IUserConstants.java | 66 + .../src/com/netscape/certsrv/usrgrp/IUsrGrp.java | 117 + .../netscape/certsrv/usrgrp/UsrGrpResources.java | 46 + .../src/com/netscape/certsrv/util/HttpInput.java | 258 + .../com/netscape/certsrv/util/IStatsSubsystem.java | 61 + .../src/com/netscape/certsrv/util/StatsEvent.java | 175 + .../netscape/cms/authentication/AVAPattern.java | 559 ++ .../authentication/AgentCertAuthentication.java | 332 + .../com/netscape/cms/authentication/CMCAuth.java | 1038 +++ .../src/com/netscape/cms/authentication/Crypt.java | 438 ++ .../com/netscape/cms/authentication/DNPattern.java | 216 + .../cms/authentication/DirBasedAuthentication.java | 676 ++ .../netscape/cms/authentication/FlatFileAuth.java | 686 ++ .../netscape/cms/authentication/HashAuthData.java | 118 + .../cms/authentication/HashAuthentication.java | 288 + 
.../netscape/cms/authentication/PortalEnroll.java | 468 ++ .../netscape/cms/authentication/RDNPattern.java | 232 + .../SSLclientCertAuthentication.java | 358 + .../netscape/cms/authentication/SharedSecret.java | 38 + .../cms/authentication/TokenAuthentication.java | 304 + .../authentication/UdnPwdDirAuthentication.java | 189 + .../authentication/UidPwdDirAuthentication.java | 269 + .../authentication/UidPwdPinDirAuthentication.java | 464 ++ .../com/netscape/cms/authorization/AAclAuthz.java | 858 +++ .../netscape/cms/authorization/BasicAclAuthz.java | 217 + .../netscape/cms/authorization/DirAclAuthz.java | 366 + .../cms/crl/CMSAuthInfoAccessExtension.java | 259 + .../crl/CMSAuthorityKeyIdentifierExtension.java | 165 + .../netscape/cms/crl/CMSCRLNumberExtension.java | 107 + .../netscape/cms/crl/CMSCRLReasonExtension.java | 96 + .../cms/crl/CMSCertificateIssuerExtension.java | 224 + .../cms/crl/CMSDeltaCRLIndicatorExtension.java | 108 + .../netscape/cms/crl/CMSFreshestCRLExtension.java | 232 + .../cms/crl/CMSHoldInstructionExtension.java | 153 + .../cms/crl/CMSInvalidityDateExtension.java | 99 + .../cms/crl/CMSIssuerAlternativeNameExtension.java | 284 + .../crl/CMSIssuingDistributionPointExtension.java | 332 + .../cms/evaluators/GroupAccessEvaluator.java | 183 + .../cms/evaluators/IPAddressAccessEvaluator.java | 128 + .../cms/evaluators/UserAccessEvaluator.java | 153 + .../cms/evaluators/UserOrigReqAccessEvaluator.java | 165 + .../common/src/com/netscape/cms/jobs/AJobBase.java | 301 + .../src/com/netscape/cms/jobs/PublishCertsJob.java | 392 + .../netscape/cms/jobs/RenewalNotificationJob.java | 706 ++ .../com/netscape/cms/jobs/RequestInQueueJob.java | 217 + .../com/netscape/cms/jobs/UnpublishExpiredJob.java | 385 + .../cms/listeners/CertificateIssuedListener.java | 450 ++ .../cms/listeners/CertificateRevokedListener.java | 368 + .../netscape/cms/listeners/PinRemovalListener.java | 175 + .../netscape/cms/listeners/RequestInQListener.java | 283 + 
.../src/com/netscape/cms/logging/LogEntry.java | 134 + .../src/com/netscape/cms/logging/LogFile.java | 1534 ++++ .../com/netscape/cms/logging/RollingLogFile.java | 658 ++ .../cms/notification/MailNotification.java | 197 + .../common/src/com/netscape/cms/ocsp/DefStore.java | 953 +++ .../src/com/netscape/cms/ocsp/LDAPStore.java | 750 ++ .../com/netscape/cms/password/PasswordChecker.java | 103 + .../src/com/netscape/cms/policy/APolicyRule.java | 363 + .../cms/policy/constraints/AgentPolicy.java | 161 + .../constraints/AttributePresentConstraints.java | 406 + .../cms/policy/constraints/DSAKeyConstraints.java | 252 + .../cms/policy/constraints/DefaultRevocation.java | 104 + .../cms/policy/constraints/IssuerConstraints.java | 216 + .../constraints/KeyAlgorithmConstraints.java | 225 + .../policy/constraints/ManualAuthentication.java | 101 + .../cms/policy/constraints/RSAKeyConstraints.java | 280 + .../cms/policy/constraints/RenewalConstraints.java | 242 + .../constraints/RenewalValidityConstraints.java | 351 + .../policy/constraints/RevocationConstraints.java | 215 + .../constraints/SigningAlgorithmConstraints.java | 449 ++ .../policy/constraints/SubCANameConstraints.java | 195 + .../cms/policy/constraints/UniqueSubjectName.java | 33 + .../constraints/UniqueSubjectNameConstraints.java | 313 + .../policy/constraints/ValidityConstraints.java | 317 + .../cms/policy/extensions/AuthInfoAccessExt.java | 394 + .../extensions/AuthorityKeyIdentifierExt.java | 425 ++ .../cms/policy/extensions/BasicConstraintsExt.java | 508 ++ .../extensions/CRLDistributionPointsExt.java | 484 ++ .../policy/extensions/CertificatePoliciesExt.java | 534 ++ .../extensions/CertificateRenewalWindowExt.java | 254 + .../extensions/CertificateScopeOfUseExt.java | 326 + .../cms/policy/extensions/ExtendedKeyUsageExt.java | 285 + .../cms/policy/extensions/GenericASN1Ext.java | 509 ++ .../cms/policy/extensions/IssuerAltNameExt.java | 249 + .../cms/policy/extensions/KeyUsageExt.java | 362 + 
.../cms/policy/extensions/NSCCommentExt.java | 293 + .../cms/policy/extensions/NSCertTypeExt.java | 535 ++ .../cms/policy/extensions/NameConstraintsExt.java | 475 ++ .../cms/policy/extensions/OCSPNoCheckExt.java | 190 + .../policy/extensions/PolicyConstraintsExt.java | 287 + .../cms/policy/extensions/PolicyMappingsExt.java | 426 ++ .../cms/policy/extensions/PresenceExt.java | 157 + .../extensions/PrivateKeyUsagePeriodExt.java | 252 + .../extensions/RemoveBasicConstraintsExt.java | 143 + .../cms/policy/extensions/SubjAltNameExt.java | 355 + .../cms/policy/extensions/SubjectAltNameExt.java | 331 + .../extensions/SubjectDirectoryAttributesExt.java | 428 ++ .../policy/extensions/SubjectKeyIdentifierExt.java | 377 + .../netscape/cms/profile/common/BasicProfile.java | 1171 +++ .../cms/profile/common/CACertCAEnrollProfile.java | 107 + .../cms/profile/common/CAEnrollProfile.java | 242 + .../netscape/cms/profile/common/EnrollProfile.java | 1468 ++++ .../cms/profile/common/EnrollProfileContext.java | 31 + .../cms/profile/common/ProfileContext.java | 39 + .../netscape/cms/profile/common/ProfilePolicy.java | 53 + .../cms/profile/common/RAEnrollProfile.java | 128 + .../profile/common/ServerCertCAEnrollProfile.java | 100 + .../profile/common/UserCertCAEnrollProfile.java | 100 + .../constraint/BasicConstraintsExtConstraint.java | 224 + .../cms/profile/constraint/CAEnrollConstraint.java | 48 + .../profile/constraint/CAValidityConstraint.java | 139 + .../cms/profile/constraint/EnrollConstraint.java | 214 + .../constraint/ExtendedKeyUsageExtConstraint.java | 156 + .../profile/constraint/ExtensionConstraint.java | 146 + .../cms/profile/constraint/KeyConstraint.java | 644 ++ .../profile/constraint/KeyUsageExtConstraint.java | 291 + .../constraint/NSCertTypeExtConstraint.java | 243 + .../cms/profile/constraint/NoConstraint.java | 101 + .../constraint/RenewGracePeriodConstraint.java | 165 + .../profile/constraint/SigningAlgConstraint.java | 160 + 
.../profile/constraint/SubjectNameConstraint.java | 136 + .../profile/constraint/UniqueKeyConstraint.java | 295 + .../constraint/UniqueSubjectNameConstraint.java | 251 + .../cms/profile/constraint/ValidityConstraint.java | 218 + .../cms/profile/def/AuthInfoAccessExtDefault.java | 454 ++ .../profile/def/AuthTokenSubjectNameDefault.java | 152 + .../def/AuthorityKeyIdentifierExtDefault.java | 190 + .../cms/profile/def/AutoAssignDefault.java | 96 + .../profile/def/BasicConstraintsExtDefault.java | 297 + .../netscape/cms/profile/def/CAEnrollDefault.java | 106 + .../cms/profile/def/CAValidityDefault.java | 348 + .../def/CRLDistributionPointsExtDefault.java | 696 ++ .../profile/def/CertificatePoliciesExtDefault.java | 796 ++ .../cms/profile/def/CertificateVersionDefault.java | 193 + .../netscape/cms/profile/def/EnrollDefault.java | 815 ++ .../netscape/cms/profile/def/EnrollExtDefault.java | 28 + .../profile/def/ExtendedKeyUsageExtDefault.java | 250 + .../cms/profile/def/FreshestCRLExtDefault.java | 584 ++ .../cms/profile/def/GenericExtDefault.java | 260 + .../com/netscape/cms/profile/def/ImageDefault.java | 105 + .../profile/def/InhibitAnyPolicyExtDefault.java | 271 + .../cms/profile/def/IssuerAltNameExtDefault.java | 317 + .../cms/profile/def/KeyUsageExtDefault.java | 511 ++ .../cms/profile/def/NSCCommentExtDefault.java | 246 + .../cms/profile/def/NSCertTypeExtDefault.java | 419 ++ .../cms/profile/def/NameConstraintsExtDefault.java | 670 ++ .../com/netscape/cms/profile/def/NoDefault.java | 111 + .../cms/profile/def/OCSPNoCheckExtDefault.java | 185 + .../profile/def/PolicyConstraintsExtDefault.java | 287 + .../cms/profile/def/PolicyMappingsExtDefault.java | 420 ++ .../def/PrivateKeyUsagePeriodExtDefault.java | 316 + .../cms/profile/def/SigningAlgDefault.java | 183 + .../cms/profile/def/SubjectAltNameExtDefault.java | 542 ++ .../def/SubjectDirAttributesExtDefault.java | 527 ++ .../profile/def/SubjectInfoAccessExtDefault.java | 448 ++ 
.../def/SubjectKeyIdentifierExtDefault.java | 217 + .../cms/profile/def/SubjectNameDefault.java | 184 + .../cms/profile/def/UserExtensionDefault.java | 136 + .../netscape/cms/profile/def/UserKeyDefault.java | 233 + .../cms/profile/def/UserSigningAlgDefault.java | 126 + .../cms/profile/def/UserSubjectNameDefault.java | 143 + .../cms/profile/def/UserValidityDefault.java | 149 + .../netscape/cms/profile/def/ValidityDefault.java | 263 + .../cms/profile/def/nsHKeySubjectNameDefault.java | 215 + .../cms/profile/def/nsNKeySubjectNameDefault.java | 423 ++ .../def/nsTokenDeviceKeySubjectNameDefault.java | 215 + .../def/nsTokenUserKeySubjectNameDefault.java | 456 ++ .../cms/profile/input/CMCCertReqInput.java | 122 + .../netscape/cms/profile/input/CertReqInput.java | 185 + .../cms/profile/input/DualKeyGenInput.java | 163 + .../cms/profile/input/EncryptionKeyGenInput.java | 184 + .../netscape/cms/profile/input/EnrollInput.java | 303 + .../cms/profile/input/FileSigningInput.java | 143 + .../netscape/cms/profile/input/GenericInput.java | 160 + .../com/netscape/cms/profile/input/ImageInput.java | 89 + .../netscape/cms/profile/input/KeyGenInput.java | 184 + .../cms/profile/input/SerialNumRenewInput.java | 89 + .../cms/profile/input/SigningKeyGenInput.java | 184 + .../netscape/cms/profile/input/SubjectDNInput.java | 142 + .../cms/profile/input/SubjectNameInput.java | 382 + .../cms/profile/input/SubmitterInfoInput.java | 102 + .../cms/profile/input/nsHKeyCertReqInput.java | 160 + .../cms/profile/input/nsNKeyCertReqInput.java | 129 + .../netscape/cms/profile/output/CMMFOutput.java | 161 + .../netscape/cms/profile/output/CertOutput.java | 120 + .../netscape/cms/profile/output/EnrollOutput.java | 134 + .../netscape/cms/profile/output/PKCS7Output.java | 158 + .../netscape/cms/profile/output/nsNKeyOutput.java | 110 + .../cms/profile/updater/SubsystemGroupUpdater.java | 321 + .../netscape/cms/publish/mappers/AVAPattern.java | 594 ++ .../cms/publish/mappers/LdapCaSimpleMap.java | 372 + 
.../cms/publish/mappers/LdapCertCompsMap.java | 178 + .../cms/publish/mappers/LdapCertExactMap.java | 199 + .../cms/publish/mappers/LdapCertSubjMap.java | 343 + .../cms/publish/mappers/LdapCrlIssuerCompsMap.java | 156 + .../cms/publish/mappers/LdapDNCompsMap.java | 457 ++ .../cms/publish/mappers/LdapEnhancedMap.java | 640 ++ .../cms/publish/mappers/LdapSimpleMap.java | 332 + .../cms/publish/mappers/MapAVAPattern.java | 652 ++ .../netscape/cms/publish/mappers/MapDNPattern.java | 201 + .../cms/publish/mappers/MapRDNPattern.java | 217 + .../com/netscape/cms/publish/mappers/NoMap.java | 104 + .../cms/publish/publishers/FileBasedPublisher.java | 443 ++ .../publish/publishers/LdapCaCertPublisher.java | 421 ++ .../publish/publishers/LdapCertSubjPublisher.java | 345 + .../publishers/LdapCertificatePairPublisher.java | 318 + .../cms/publish/publishers/LdapCrlPublisher.java | 379 + .../publishers/LdapEncryptCertPublisher.java | 359 + .../publish/publishers/LdapUserCertPublisher.java | 333 + .../cms/publish/publishers/OCSPPublisher.java | 355 + .../cms/publish/publishers/PublisherUtils.java | 136 + .../com/netscape/cms/request/RequestScheduler.java | 71 + .../src/com/netscape/cms/selftests/ASelfTest.java | 193 + .../com/netscape/cms/selftests/ca/CAPresence.java | 262 + .../com/netscape/cms/selftests/ca/CAValidity.java | 262 + .../selftests/common/SystemCertsVerification.java | 213 + .../netscape/cms/selftests/kra/KRAPresence.java | 251 + .../netscape/cms/selftests/ocsp/OCSPPresence.java | 280 + .../netscape/cms/selftests/ocsp/OCSPValidity.java | 280 + .../com/netscape/cms/selftests/ra/RAPresence.java | 261 + .../cms/selftests/tks/TKSKnownSessionKey.java | 302 + .../cms/servlet/admin/ACLAdminServlet.java | 905 +++ .../netscape/cms/servlet/admin/AdminResources.java | 42 + .../netscape/cms/servlet/admin/AdminServlet.java | 1296 ++++ .../cms/servlet/admin/AuthAdminServlet.java | 1721 +++++ .../cms/servlet/admin/AuthCredentials.java | 109 + 
.../netscape/cms/servlet/admin/CAAdminServlet.java | 1582 ++++ .../cms/servlet/admin/CMSAdminServlet.java | 3449 +++++++++ .../cms/servlet/admin/JobsAdminServlet.java | 1007 +++ .../cms/servlet/admin/KRAAdminServlet.java | 234 + .../cms/servlet/admin/LogAdminServlet.java | 2361 ++++++ .../cms/servlet/admin/OCSPAdminServlet.java | 543 ++ .../cms/servlet/admin/PolicyAdminServlet.java | 1258 ++++ .../cms/servlet/admin/ProfileAdminServlet.java | 2682 +++++++ .../cms/servlet/admin/PublisherAdminServlet.java | 3127 ++++++++ .../netscape/cms/servlet/admin/RAAdminServlet.java | 584 ++ .../cms/servlet/admin/RegistryAdminServlet.java | 373 + .../servlet/admin/SystemCertificateResource.java | 25 + .../admin/SystemCertificateResourceService.java | 80 + .../cms/servlet/admin/UsrGrpAdminServlet.java | 2313 ++++++ .../cms/servlet/base/CMSResourceService.java | 69 + .../com/netscape/cms/servlet/base/CMSServlet.java | 2294 ++++++ .../netscape/cms/servlet/base/CMSStartServlet.java | 117 + .../cms/servlet/base/DisplayHtmlServlet.java | 97 + .../cms/servlet/base/DynamicVariablesServlet.java | 333 + .../com/netscape/cms/servlet/base/GetStats.java | 184 + .../netscape/cms/servlet/base/IndexServlet.java | 118 + .../netscape/cms/servlet/base/PortsServlet.java | 90 + .../netscape/cms/servlet/base/ProxyServlet.java | 248 + .../cms/servlet/base/SystemInfoServlet.java | 287 + .../com/netscape/cms/servlet/base/UserInfo.java | 90 + .../com/netscape/cms/servlet/base/model/Link.java | 88 + .../cms/servlet/cert/CMCRevReqServlet.java | 1056 +++ .../servlet/cert/ChallengeRevocationServlet1.java | 716 ++ .../netscape/cms/servlet/cert/CloneRedirect.java | 142 + .../netscape/cms/servlet/cert/DirAuthServlet.java | 241 + .../cms/servlet/cert/DisableEnrollResult.java | 173 + .../netscape/cms/servlet/cert/DisplayBySerial.java | 488 ++ .../com/netscape/cms/servlet/cert/DisplayCRL.java | 481 ++ .../cms/servlet/cert/DisplayHashUserEnroll.java | 227 + .../com/netscape/cms/servlet/cert/DoRevoke.java | 1221 +++ 
.../com/netscape/cms/servlet/cert/DoRevokeTPS.java | 940 +++ .../com/netscape/cms/servlet/cert/DoUnrevoke.java | 671 ++ .../netscape/cms/servlet/cert/DoUnrevokeTPS.java | 618 ++ .../cms/servlet/cert/EnableEnrollResult.java | 184 + .../netscape/cms/servlet/cert/EnrollServlet.java | 1768 +++++ .../com/netscape/cms/servlet/cert/GetBySerial.java | 296 + .../com/netscape/cms/servlet/cert/GetCAChain.java | 407 + .../src/com/netscape/cms/servlet/cert/GetCRL.java | 467 ++ .../cms/servlet/cert/GetCertFromRequest.java | 350 + .../netscape/cms/servlet/cert/GetEnableStatus.java | 173 + .../src/com/netscape/cms/servlet/cert/GetInfo.java | 377 + .../cms/servlet/cert/HashEnrollServlet.java | 1241 ++++ .../servlet/cert/ImportCertsTemplateFiller.java | 381 + .../com/netscape/cms/servlet/cert/ListCerts.java | 672 ++ .../src/com/netscape/cms/servlet/cert/Monitor.java | 407 + .../netscape/cms/servlet/cert/ReasonToRevoke.java | 287 + .../cms/servlet/cert/RemoteAuthConfig.java | 624 ++ .../netscape/cms/servlet/cert/RenewalServlet.java | 523 ++ .../cms/servlet/cert/RevocationServlet.java | 392 + .../cert/RevocationSuccessTemplateFiller.java | 97 + .../com/netscape/cms/servlet/cert/SrchCerts.java | 762 ++ .../com/netscape/cms/servlet/cert/UpdateCRL.java | 530 ++ .../com/netscape/cms/servlet/cert/UpdateDir.java | 747 ++ .../cms/servlet/cert/model/CertificateData.java | 53 + .../cms/servlet/cert/scep/CRSEnrollment.java | 2135 ++++++ .../cms/servlet/cert/scep/ChallengePassword.java | 141 + .../cms/servlet/cert/scep/ExtensionsRequested.java | 176 + .../cms/servlet/common/AuthCredentials.java | 109 + .../cms/servlet/common/CMCOutputTemplate.java | 1112 +++ .../com/netscape/cms/servlet/common/CMSFile.java | 102 + .../netscape/cms/servlet/common/CMSFileLoader.java | 160 + .../cms/servlet/common/CMSGWResources.java | 44 + .../netscape/cms/servlet/common/CMSGateway.java | 372 + .../cms/servlet/common/CMSLoadTemplate.java | 60 + .../netscape/cms/servlet/common/CMSRequest.java | 300 + 
.../netscape/cms/servlet/common/CMSTemplate.java | 609 ++ .../cms/servlet/common/CMSTemplateParams.java | 70 + .../cms/servlet/common/ECMSGWException.java | 74 + .../cms/servlet/common/GenErrorTemplateFiller.java | 102 + .../servlet/common/GenPendingTemplateFiller.java | 287 + .../servlet/common/GenRejectedTemplateFiller.java | 92 + .../servlet/common/GenSuccessTemplateFiller.java | 63 + .../common/GenSvcPendingTemplateFiller.java | 79 + .../common/GenUnauthorizedTemplateFiller.java | 67 + .../common/GenUnexpectedErrorTemplateFiller.java | 76 + .../cms/servlet/common/ICMSTemplateFiller.java | 49 + .../com/netscape/cms/servlet/common/IRawJS.java | 26 + .../cms/servlet/common/IndexTemplateFiller.java | 114 + .../src/com/netscape/cms/servlet/common/RawJS.java | 35 + .../netscape/cms/servlet/common/ServletUtils.java | 106 + .../cms/servlet/connector/CloneServlet.java | 579 ++ .../cms/servlet/connector/ConnectorServlet.java | 1116 +++ .../servlet/connector/GenerateKeyPairServlet.java | 292 + .../servlet/connector/TokenKeyRecoveryServlet.java | 326 + .../servlet/csadmin/AdminAuthenticatePanel.java | 330 + .../netscape/cms/servlet/csadmin/AdminPanel.java | 690 ++ .../servlet/csadmin/AgentAuthenticatePanel.java | 229 + .../cms/servlet/csadmin/AuthenticatePanel.java | 192 + .../cms/servlet/csadmin/BackupKeyCertPanel.java | 450 ++ .../netscape/cms/servlet/csadmin/BaseServlet.java | 121 + .../netscape/cms/servlet/csadmin/CAInfoPanel.java | 327 + .../src/com/netscape/cms/servlet/csadmin/Cert.java | 179 + .../cms/servlet/csadmin/CertPrettyPrintPanel.java | 210 + .../cms/servlet/csadmin/CertRequestPanel.java | 757 ++ .../com/netscape/cms/servlet/csadmin/CertUtil.java | 667 ++ .../cms/servlet/csadmin/CheckIdentity.java | 117 + .../cms/servlet/csadmin/ConfigBaseServlet.java | 121 + .../csadmin/ConfigCertApprovalCallback.java | 33 + .../cms/servlet/csadmin/ConfigCertReqServlet.java | 50 + .../cms/servlet/csadmin/ConfigCloneServlet.java | 50 + 
.../cms/servlet/csadmin/ConfigDatabaseServlet.java | 196 + .../cms/servlet/csadmin/ConfigHSMLoginPanel.java | 296 + .../cms/servlet/csadmin/ConfigHSMServlet.java | 297 + .../servlet/csadmin/ConfigImportCertServlet.java | 50 + .../cms/servlet/csadmin/ConfigJoinServlet.java | 182 + .../cms/servlet/csadmin/ConfigRootCAServlet.java | 145 + .../cms/servlet/csadmin/CreateSubsystemPanel.java | 299 + .../cms/servlet/csadmin/DatabasePanel.java | 1591 ++++ .../cms/servlet/csadmin/DatabaseServlet.java | 49 + .../cms/servlet/csadmin/DisplayCertChainPanel.java | 236 + .../cms/servlet/csadmin/DisplayServlet.java | 49 + .../netscape/cms/servlet/csadmin/DonePanel.java | 897 +++ .../cms/servlet/csadmin/DownloadPKCS12.java | 136 + .../netscape/cms/servlet/csadmin/GetCertChain.java | 158 + .../cms/servlet/csadmin/GetConfigEntries.java | 228 + .../netscape/cms/servlet/csadmin/GetCookie.java | 315 + .../netscape/cms/servlet/csadmin/GetDomainXML.java | 239 + .../netscape/cms/servlet/csadmin/GetStatus.java | 109 + .../cms/servlet/csadmin/GetSubsystemCert.java | 129 + .../netscape/cms/servlet/csadmin/GetTokenInfo.java | 151 + .../cms/servlet/csadmin/GetTransportCert.java | 180 + .../cms/servlet/csadmin/HierarchyPanel.java | 194 + .../cms/servlet/csadmin/ImportAdminCertPanel.java | 341 + .../cms/servlet/csadmin/ImportCAChainPanel.java | 145 + .../cms/servlet/csadmin/ImportTransportCert.java | 179 + .../csadmin/LDAPSecurityDomainSessionTable.java | 295 + .../netscape/cms/servlet/csadmin/LoginServlet.java | 72 + .../cms/servlet/csadmin/MainPageServlet.java | 158 + .../netscape/cms/servlet/csadmin/ModulePanel.java | 338 + .../cms/servlet/csadmin/ModuleServlet.java | 90 + .../netscape/cms/servlet/csadmin/NamePanel.java | 993 +++ .../netscape/cms/servlet/csadmin/RegisterUser.java | 331 + .../cms/servlet/csadmin/RestoreKeyCertPanel.java | 718 ++ .../cms/servlet/csadmin/SavePKCS12Panel.java | 144 + .../cms/servlet/csadmin/SecurityDomainLogin.java | 87 + 
.../cms/servlet/csadmin/SecurityDomainPanel.java | 500 ++ .../csadmin/SecurityDomainSessionTable.java | 105 + .../netscape/cms/servlet/csadmin/SessionTimer.java | 68 + .../netscape/cms/servlet/csadmin/SizePanel.java | 669 ++ .../cms/servlet/csadmin/TokenAuthenticate.java | 146 + .../cms/servlet/csadmin/UpdateConnector.java | 203 + .../cms/servlet/csadmin/UpdateDomainXML.java | 568 ++ .../cms/servlet/csadmin/UpdateNumberRange.java | 290 + .../cms/servlet/csadmin/UpdateOCSPConfig.java | 182 + .../netscape/cms/servlet/csadmin/WelcomePanel.java | 128 + .../cms/servlet/csadmin/WelcomeServlet.java | 49 + .../cms/servlet/csadmin/WizardPanelBase.java | 1630 ++++ .../cms/servlet/filter/AdminRequestFilter.java | 134 + .../cms/servlet/filter/AgentRequestFilter.java | 134 + .../servlet/filter/EEClientAuthRequestFilter.java | 133 + .../cms/servlet/filter/EERequestFilter.java | 186 + .../cms/servlet/key/ConfirmRecoverBySerial.java | 187 + .../netscape/cms/servlet/key/DisplayBySerial.java | 194 + .../servlet/key/DisplayBySerialForRecovery.java | 213 + .../netscape/cms/servlet/key/DisplayTransport.java | 125 + .../netscape/cms/servlet/key/ExamineRecovery.java | 249 + .../cms/servlet/key/GetApprovalStatus.java | 235 + .../com/netscape/cms/servlet/key/GetAsyncPk12.java | 266 + .../src/com/netscape/cms/servlet/key/GetPk12.java | 260 + .../cms/servlet/key/GrantAsyncRecovery.java | 280 + .../netscape/cms/servlet/key/GrantRecovery.java | 308 + .../netscape/cms/servlet/key/KeyRecordParser.java | 87 + .../com/netscape/cms/servlet/key/KeyResource.java | 33 + .../cms/servlet/key/KeyResourceService.java | 129 + .../com/netscape/cms/servlet/key/KeysResource.java | 23 + .../cms/servlet/key/KeysResourceService.java | 91 + .../netscape/cms/servlet/key/RecoverBySerial.java | 529 ++ .../src/com/netscape/cms/servlet/key/SrchKey.java | 297 + .../cms/servlet/key/SrchKeyForRecovery.java | 318 + .../com/netscape/cms/servlet/key/model/KeyDAO.java | 202 + .../netscape/cms/servlet/key/model/KeyData.java | 
76 + .../cms/servlet/key/model/KeyDataInfo.java | 85 + .../cms/servlet/key/model/KeyDataInfos.java | 87 + .../netscape/cms/servlet/ocsp/AddCAServlet.java | 310 + .../netscape/cms/servlet/ocsp/AddCRLServlet.java | 591 ++ .../cms/servlet/ocsp/CheckCertServlet.java | 216 + .../com/netscape/cms/servlet/ocsp/GetOCSPInfo.java | 164 + .../netscape/cms/servlet/ocsp/ListCAServlet.java | 198 + .../com/netscape/cms/servlet/ocsp/OCSPServlet.java | 276 + .../netscape/cms/servlet/ocsp/RemoveCAServlet.java | 214 + .../cms/servlet/processors/CMCProcessor.java | 433 ++ .../cms/servlet/processors/CRMFProcessor.java | 372 + .../cms/servlet/processors/IPKIProcessor.java | 33 + .../cms/servlet/processors/KeyGenProcessor.java | 120 + .../cms/servlet/processors/PKCS10Processor.java | 287 + .../cms/servlet/processors/PKIProcessor.java | 356 + .../cms/servlet/profile/ProfileApproveServlet.java | 532 ++ .../cms/servlet/profile/ProfileListServlet.java | 176 + .../cms/servlet/profile/ProfileProcessServlet.java | 960 +++ .../cms/servlet/profile/ProfileReviewServlet.java | 455 ++ .../cms/servlet/profile/ProfileSelectServlet.java | 411 ++ .../cms/servlet/profile/ProfileServlet.java | 511 ++ .../servlet/profile/ProfileSubmitCMCServlet.java | 904 +++ .../cms/servlet/profile/ProfileSubmitServlet.java | 1631 ++++ .../cms/servlet/profile/SSLClientCertProvider.java | 39 + .../cms/servlet/request/CertReqParser.java | 925 +++ .../netscape/cms/servlet/request/CheckRequest.java | 621 ++ .../netscape/cms/servlet/request/IReqParser.java | 42 + .../netscape/cms/servlet/request/KeyReqParser.java | 81 + .../cms/servlet/request/KeyRequestResource.java | 69 + .../servlet/request/KeyRequestResourceService.java | 165 + .../cms/servlet/request/KeyRequestsResource.java | 34 + .../request/KeyRequestsResourceService.java | 101 + .../cms/servlet/request/ProcessCertReq.java | 1933 +++++ .../netscape/cms/servlet/request/ProcessReq.java | 334 + .../com/netscape/cms/servlet/request/QueryReq.java | 558 ++ 
.../netscape/cms/servlet/request/ReqParser.java | 79 + .../netscape/cms/servlet/request/SearchReqs.java | 336 + .../servlet/request/model/ArchivalRequestData.java | 123 + .../cms/servlet/request/model/KeyRequestDAO.java | 326 + .../cms/servlet/request/model/KeyRequestInfo.java | 120 + .../cms/servlet/request/model/KeyRequestInfos.java | 89 + .../servlet/request/model/RecoveryRequestData.java | 155 + .../com/netscape/cms/servlet/tks/TokenServlet.java | 1340 ++++ .../netscape/cms/servlet/wizard/IWizardPanel.java | 111 + .../netscape/cms/servlet/wizard/WizardServlet.java | 489 ++ .../src/com/netscape/cms/shares/OldJoinShares.java | 86 + .../src/com/netscape/cms/shares/OldShare.java | 62 + .../src/com/netscape/cmscore/apps/CMSEngine.java | 2003 +++++ .../com/netscape/cmscore/apps/CommandQueue.java | 99 + .../com/netscape/cmscore/apps/PKIServerEvent.java | 42 + .../netscape/cmscore/apps/PKIServerListener.java | 35 + .../src/com/netscape/cmscore/apps/Setup.java | 348 + .../src/com/netscape/cmscore/apps/Upgrade.java | 329 + .../cmscore/authentication/AuthSubsystem.java | 515 ++ .../authentication/CertUserDBAuthentication.java | 260 + .../ChallengePhraseAuthentication.java | 411 ++ .../cmscore/authentication/NullAuthentication.java | 161 + .../authentication/PasswdUserDBAuthentication.java | 274 + .../SSLClientCertAuthentication.java | 291 + .../cmscore/authentication/VerifiedCert.java | 90 + .../cmscore/authentication/VerifiedCerts.java | 158 + .../cmscore/authorization/AuthzSubsystem.java | 474 ++ .../src/com/netscape/cmscore/base/ArgBlock.java | 717 ++ .../com/netscape/cmscore/base/FileConfigStore.java | 222 + .../cmscore/base/JDialogPasswordCallback.java | 270 + .../com/netscape/cmscore/base/PropConfigStore.java | 792 ++ .../netscape/cmscore/base/SimpleProperties.java | 463 ++ .../netscape/cmscore/base/SourceConfigStore.java | 59 + .../com/netscape/cmscore/base/SubsystemLoader.java | 75 + .../netscape/cmscore/base/SubsystemRegistry.java | 43 + 
.../com/netscape/cmscore/cert/CertDateCompare.java | 52 + .../com/netscape/cmscore/cert/CertPrettyPrint.java | 36 + .../src/com/netscape/cmscore/cert/CertUtils.java | 1103 +++ .../com/netscape/cmscore/cert/CertificatePair.java | 281 + .../netscape/cmscore/cert/CrlCachePrettyPrint.java | 262 + .../com/netscape/cmscore/cert/CrlPrettyPrint.java | 36 + .../cmscore/cert/CrossCertPairSubsystem.java | 505 ++ .../com/netscape/cmscore/cert/ExtPrettyPrint.java | 36 + .../netscape/cmscore/cert/OidLoaderSubsystem.java | 189 + .../netscape/cmscore/cert/PrettyPrintFormat.java | 165 + .../cmscore/cert/PrettyPrintResources.java | 293 + .../netscape/cmscore/cert/PubKeyPrettyPrint.java | 35 + .../netscape/cmscore/cert/X500NameSubsystem.java | 285 + .../cmscore/connector/HttpConnFactory.java | 308 + .../netscape/cmscore/connector/HttpConnection.java | 244 + .../netscape/cmscore/connector/HttpConnector.java | 207 + .../netscape/cmscore/connector/HttpPKIMessage.java | 231 + .../cmscore/connector/HttpRequestEncoder.java | 76 + .../netscape/cmscore/connector/LocalConnector.java | 211 + .../cmscore/connector/RemoteAuthority.java | 69 + .../cmscore/connector/RequestTransfer.java | 122 + .../com/netscape/cmscore/connector/Resender.java | 252 + .../src/com/netscape/cmscore/crmf/CRMFParser.java | 122 + .../cmscore/crmf/PKIArchiveOptionsContainer.java | 31 + .../com/netscape/cmscore/dbs/BigIntegerMapper.java | 121 + .../com/netscape/cmscore/dbs/ByteArrayMapper.java | 96 + .../src/com/netscape/cmscore/dbs/CRLDBSchema.java | 47 + .../cmscore/dbs/CRLIssuingPointRecord.java | 334 + .../com/netscape/cmscore/dbs/CRLRepository.java | 370 + .../src/com/netscape/cmscore/dbs/CertDBSchema.java | 54 + .../src/com/netscape/cmscore/dbs/CertRecord.java | 284 + .../com/netscape/cmscore/dbs/CertRecordList.java | 113 + .../com/netscape/cmscore/dbs/CertRecordMapper.java | 99 + .../cmscore/dbs/CertificateRepository.java | 2030 +++++ .../src/com/netscape/cmscore/dbs/DBRegistry.java | 564 ++ 
.../src/com/netscape/cmscore/dbs/DBSSession.java | 485 ++ .../src/com/netscape/cmscore/dbs/DBSUtil.java | 49 + .../com/netscape/cmscore/dbs/DBSearchResults.java | 93 + .../src/com/netscape/cmscore/dbs/DBSubsystem.java | 948 +++ .../com/netscape/cmscore/dbs/DBVirtualList.java | 782 ++ .../com/netscape/cmscore/dbs/DateArrayMapper.java | 109 + .../src/com/netscape/cmscore/dbs/DateMapper.java | 113 + .../com/netscape/cmscore/dbs/IntegerMapper.java | 89 + .../src/com/netscape/cmscore/dbs/KeyDBSchema.java | 51 + .../src/com/netscape/cmscore/dbs/KeyRecord.java | 386 + .../com/netscape/cmscore/dbs/KeyRecordList.java | 89 + .../com/netscape/cmscore/dbs/KeyRecordMapper.java | 112 + .../com/netscape/cmscore/dbs/KeyRepository.java | 586 ++ .../com/netscape/cmscore/dbs/KeyStateMapper.java | 82 + .../netscape/cmscore/dbs/LdapFilterConverter.java | 62 + .../src/com/netscape/cmscore/dbs/LongMapper.java | 119 + .../com/netscape/cmscore/dbs/MetaInfoMapper.java | 124 + .../netscape/cmscore/dbs/ObjectStreamMapper.java | 136 + .../com/netscape/cmscore/dbs/PublicKeyMapper.java | 136 + .../netscape/cmscore/dbs/ReplicaIDRepository.java | 83 + .../src/com/netscape/cmscore/dbs/Repository.java | 497 ++ .../com/netscape/cmscore/dbs/RepositoryRecord.java | 111 + .../com/netscape/cmscore/dbs/RepositorySchema.java | 34 + .../com/netscape/cmscore/dbs/RevocationInfo.java | 78 + .../netscape/cmscore/dbs/RevocationInfoMapper.java | 171 + .../src/com/netscape/cmscore/dbs/StringMapper.java | 95 + .../netscape/cmscore/dbs/StringVectorMapper.java | 111 + .../com/netscape/cmscore/dbs/X500NameMapper.java | 111 + .../netscape/cmscore/dbs/X509CertImplMapper.java | 369 + .../cmscore/extensions/CMSExtensionsMap.java | 160 + .../com/netscape/cmscore/extensions/KeyUsage.java | 230 + .../src/com/netscape/cmscore/jobs/CronItem.java | 168 + .../src/com/netscape/cmscore/jobs/CronRange.java | 84 + .../src/com/netscape/cmscore/jobs/JobCron.java | 355 + .../com/netscape/cmscore/jobs/JobsScheduler.java | 509 ++ 
.../netscape/cmscore/ldap/LdapAndExpression.java | 74 + .../com/netscape/cmscore/ldap/LdapConnModule.java | 132 + .../netscape/cmscore/ldap/LdapOrExpression.java | 80 + .../netscape/cmscore/ldap/LdapPredicateParser.java | 340 + .../netscape/cmscore/ldap/LdapPublishModule.java | 782 ++ .../netscape/cmscore/ldap/LdapRequestListener.java | 530 ++ .../src/com/netscape/cmscore/ldap/LdapRule.java | 301 + .../cmscore/ldap/LdapSimpleExpression.java | 473 ++ .../com/netscape/cmscore/ldap/PublishObject.java | 84 + .../netscape/cmscore/ldap/PublisherProcessor.java | 1498 ++++ .../cmscore/ldapconn/LdapAnonConnFactory.java | 467 ++ .../cmscore/ldapconn/LdapAnonConnection.java | 92 + .../netscape/cmscore/ldapconn/LdapAuthInfo.java | 298 + .../cmscore/ldapconn/LdapBoundConnFactory.java | 529 ++ .../cmscore/ldapconn/LdapBoundConnection.java | 220 + .../netscape/cmscore/ldapconn/LdapConnInfo.java | 119 + .../cmscore/ldapconn/LdapJssSSLSocketFactory.java | 109 + .../netscape/cmscore/listeners/ListenerPlugin.java | 52 + .../cmscore/logging/AuditEventFactory.java | 99 + .../com/netscape/cmscore/logging/AuditFormat.java | 111 + .../src/com/netscape/cmscore/logging/LogQueue.java | 123 + .../com/netscape/cmscore/logging/LogSubsystem.java | 270 + .../src/com/netscape/cmscore/logging/Logger.java | 374 + .../cmscore/logging/SignedAuditEventFactory.java | 125 + .../cmscore/logging/SignedAuditLogger.java | 39 + .../cmscore/logging/SystemEventFactory.java | 99 + .../cmscore/notification/EmailFormProcessor.java | 250 + .../cmscore/notification/EmailResolverKeys.java | 93 + .../cmscore/notification/EmailTemplate.java | 174 + .../cmscore/notification/ReqCertEmailResolver.java | 155 + .../notification/ReqCertSANameEmailResolver.java | 276 + .../com/netscape/cmscore/policy/AndExpression.java | 60 + .../netscape/cmscore/policy/GeneralNameUtil.java | 694 ++ .../cmscore/policy/GenericPolicyProcessor.java | 1548 ++++ .../cmscore/policy/JavaScriptRequestProxy.java | 48 + 
.../com/netscape/cmscore/policy/OrExpression.java | 67 + .../cmscore/policy/PolicyPredicateParser.java | 341 + .../src/com/netscape/cmscore/policy/PolicySet.java | 299 + .../netscape/cmscore/policy/SimpleExpression.java | 434 ++ .../netscape/cmscore/profile/ProfileSubsystem.java | 325 + .../common/src/com/netscape/cmscore/realm/ACL.java | 193 + .../src/com/netscape/cmscore/realm/ACLEntry.java | 243 + .../com/netscape/cmscore/realm/PKIJNDIRealm.java | 943 +++ .../com/netscape/cmscore/registry/PluginInfo.java | 52 + .../netscape/cmscore/registry/PluginRegistry.java | 294 + .../netscape/cmscore/request/ARequestQueue.java | 1578 ++++ .../netscape/cmscore/request/ARequestRecord.java | 42 + .../cmscore/request/CertRequestConstants.java | 73 + .../netscape/cmscore/request/ExtDataHashtable.java | 78 + .../com/netscape/cmscore/request/RequestAttr.java | 61 + .../com/netscape/cmscore/request/RequestQueue.java | 709 ++ .../netscape/cmscore/request/RequestRecord.java | 883 +++ .../cmscore/request/RequestRepository.java | 217 + .../netscape/cmscore/request/RequestSubsystem.java | 187 + .../src/com/netscape/cmscore/request/Schema.java | 50 + .../netscape/cmscore/security/CASigningCert.java | 162 + .../netscape/cmscore/security/CertificateInfo.java | 277 + .../netscape/cmscore/security/JssSubsystem.java | 2203 ++++++ .../cmscore/security/KRATransportCert.java | 107 + .../com/netscape/cmscore/security/KeyCertUtil.java | 1139 +++ .../netscape/cmscore/security/OCSPSigningCert.java | 140 + .../src/com/netscape/cmscore/security/PWCBsdr.java | 266 + .../src/com/netscape/cmscore/security/PWUtil.java | 73 + .../com/netscape/cmscore/security/PWsdrCache.java | 639 ++ .../com/netscape/cmscore/security/Provider.java | 57 + .../netscape/cmscore/security/RASigningCert.java | 113 + .../src/com/netscape/cmscore/security/SSLCert.java | 125 + .../cmscore/security/SSLSelfSignedCert.java | 119 + .../netscape/cmscore/security/SubsystemCert.java | 81 + 
.../cmscore/selftests/SelfTestOrderedInstance.java | 136 + .../cmscore/selftests/SelfTestSubsystem.java | 1900 +++++ .../netscape/cmscore/time/SimpleTimeSource.java | 29 + .../cmscore/usrgrp/CertDNCertUserLocator.java | 77 + .../cmscore/usrgrp/ExactMatchCertUserLocator.java | 83 + .../src/com/netscape/cmscore/usrgrp/Group.java | 125 + .../com/netscape/cmscore/usrgrp/UGSubsystem.java | 1685 +++++ .../src/com/netscape/cmscore/usrgrp/User.java | 218 + .../src/com/netscape/cmscore/util/Assert.java | 48 + .../netscape/cmscore/util/AssertionException.java | 36 + .../src/com/netscape/cmscore/util/Debug.java | 385 + .../netscape/cmscore/util/ExceptionFormatter.java | 94 + .../com/netscape/cmscore/util/FileAsString.java | 115 + .../netscape/cmscore/util/FileDialogFilter.java | 143 + .../src/com/netscape/cmscore/util/PFXUtils.java | 167 + .../netscape/cmscore/util/ProfileSubsystem.java | 312 + .../com/netscape/cmscore/util/StatsSubsystem.java | 195 + .../src/com/netscape/cmscore/util/UtilMessage.java | 181 + .../com/netscape/cmscore/util/UtilResources.java | 74 + base/common/test/CMakeLists.txt | 103 + .../netscape/certsrv/app/CMSEngineDefaultStub.java | 632 ++ .../certsrv/authentication/AuthTokenTest.java | 271 + .../certsrv/logging/LoggerDefaultStub.java | 71 + .../certsrv/request/AgentApprovalsTest.java | 82 + .../netscape/cmscore/dbs/CertRecordListTest.java | 87 + .../cmscore/dbs/DBRegistryDefaultStub.java | 79 + .../com/netscape/cmscore/dbs/DBRegistryTest.java | 175 + .../cmscore/dbs/DBSSessionDefaultStub.java | 79 + .../cmscore/dbs/DBSubsystemDefaultStub.java | 172 + .../cmscore/dbs/DBVirtualListDefaultStub.java | 87 + .../cmscore/dbs/RequestRecordDefaultStub.java | 44 + .../request/DBDynAttrMapperDefaultStub.java | 33 + .../cmscore/request/ExtAttrDynMapperTest.java | 278 + .../cmscore/request/ExtDataHashtableTest.java | 81 + .../cmscore/request/RequestDefaultStub.java | 269 + .../cmscore/request/RequestModDefaultStub.java | 21 + 
.../netscape/cmscore/request/RequestQueueTest.java | 60 + .../cmscore/request/RequestRecordTest.java | 168 + .../com/netscape/cmscore/request/RequestTest.java | 649 ++ .../com/netscape/cmscore/test/CMSBaseTestCase.java | 99 + .../test/com/netscape/cmscore/test/TestHelper.java | 30 + base/console/CMakeLists.txt | 4 + base/console/LICENSE | 291 + base/console/src/CMakeLists.txt | 661 ++ .../netscape/admin/certsrv/AttrCellRenderer.java | 60 + .../src/com/netscape/admin/certsrv/CMSAdmin.java | 969 +++ .../netscape/admin/certsrv/CMSAdminResources.java | 197 + .../com/netscape/admin/certsrv/CMSAdminUtil.java | 1298 ++++ .../netscape/admin/certsrv/CMSBaseMenuInfo.java | 178 + .../com/netscape/admin/certsrv/CMSBasePanel.java | 460 ++ .../admin/certsrv/CMSBaseResourceModel.java | 263 + .../com/netscape/admin/certsrv/CMSCAUILoader.java | 373 + .../com/netscape/admin/certsrv/CMSCCMUILoader.java | 107 + .../admin/certsrv/CMSContentTableModel.java | 100 + .../com/netscape/admin/certsrv/CMSEAUILoader.java | 136 + .../netscape/admin/certsrv/CMSKernelUILoader.java | 319 + .../com/netscape/admin/certsrv/CMSMessageBox.java | 124 + .../netscape/admin/certsrv/CMSOCSPUILoader.java | 100 + .../com/netscape/admin/certsrv/CMSPageFeeder.java | 150 + .../com/netscape/admin/certsrv/CMSPassword.java | 301 + .../com/netscape/admin/certsrv/CMSRAUILoader.java | 266 + .../admin/certsrv/CMSRemoteClassLoader.java | 109 + .../netscape/admin/certsrv/CMSResourceObject.java | 126 + .../netscape/admin/certsrv/CMSResourcePage.java | 154 + .../com/netscape/admin/certsrv/CMSServerInfo.java | 172 + .../com/netscape/admin/certsrv/CMSTableModel.java | 256 + .../com/netscape/admin/certsrv/CMSTaskModel.java | 288 + .../com/netscape/admin/certsrv/CMSTaskObject.java | 71 + .../com/netscape/admin/certsrv/CMSUIFramework.java | 242 + .../com/netscape/admin/certsrv/CellEditorData.java | 32 + .../src/com/netscape/admin/certsrv/Console.java | 1861 +++++ .../com/netscape/admin/certsrv/CustomComboBox.java | 78 + 
.../admin/certsrv/CustomComboBoxModel.java | 169 + .../admin/certsrv/DefaultTableCellEditor.java | 238 + .../netscape/admin/certsrv/EAdminException.java | 142 + .../netscape/admin/certsrv/GenericCellEditor.java | 223 + .../admin/certsrv/GenericCellRenderer.java | 153 + .../src/com/netscape/admin/certsrv/HourGlass.java | 52 + .../netscape/admin/certsrv/IAttributeContent.java | 30 + .../admin/certsrv/IConnectionListener.java | 29 + .../com/netscape/admin/certsrv/IDataProcessor.java | 36 + .../com/netscape/admin/certsrv/IDisplayPanel.java | 43 + .../com/netscape/admin/certsrv/IEditorPanel.java | 60 + .../com/netscape/admin/certsrv/IFilterPanel.java | 67 + .../com/netscape/admin/certsrv/IMenuAction.java | 40 + .../com/netscape/admin/certsrv/IRefreshTab.java | 41 + .../netscape/admin/certsrv/IRefreshTabPanel.java | 38 + .../admin/certsrv/IResourceSelectionListener.java | 39 + .../netscape/admin/certsrv/ISubSystemUILoader.java | 33 + .../src/com/netscape/admin/certsrv/IUIMapper.java | 89 + .../netscape/admin/certsrv/LabelCellRenderer.java | 116 + .../netscape/admin/certsrv/MultilineLabelUI.java | 534 ++ .../admin/certsrv/PasswordCellRenderer.java | 71 + .../certsrv/StatusItemContinuousProgress.java | 97 + .../netscape/admin/certsrv/UIMapperRegistry.java | 121 + .../netscape/admin/certsrv/certsrv-help.properties | 534 ++ .../netscape/admin/certsrv/config/ACIDialog.java | 517 ++ .../admin/certsrv/config/ACLDataModel.java | 47 + .../admin/certsrv/config/ACLEditDialog.java | 557 ++ .../admin/certsrv/config/ACLImplDataModel.java | 47 + .../netscape/admin/certsrv/config/ACLImplTab.java | 227 + .../netscape/admin/certsrv/config/ACLPanel.java | 231 + .../admin/certsrv/config/AutoRecoveryModel.java | 57 + .../netscape/admin/certsrv/config/CACertsTab.java | 392 + .../admin/certsrv/config/CMSAccessLogPanel.java | 210 + .../admin/certsrv/config/CMSAuditLogPanel.java | 210 + .../admin/certsrv/config/CMSAutoRecovery.java | 267 + .../admin/certsrv/config/CMSBaseConfigDialog.java | 1078 
+++ .../admin/certsrv/config/CMSBaseConfigPanel.java | 180 + .../admin/certsrv/config/CMSBaseLDAPPanel.java | 692 ++ .../admin/certsrv/config/CMSBaseLogPanel.java | 366 + .../netscape/admin/certsrv/config/CMSBaseTab.java | 95 + .../admin/certsrv/config/CMSBlankPanel.java | 82 + .../certsrv/config/CMSCACertSettingPanel.java | 171 + .../admin/certsrv/config/CMSCAConnectorPanel.java | 237 + .../admin/certsrv/config/CMSCAGeneralPanel.java | 424 ++ .../admin/certsrv/config/CMSCALDAPPanel.java | 44 + .../admin/certsrv/config/CMSCRLCachePanel.java | 371 + .../admin/certsrv/config/CMSCRLFormatPanel.java | 448 ++ .../admin/certsrv/config/CMSCRLIPPanel.java | 327 + .../admin/certsrv/config/CMSCRLSettingPanel.java | 698 ++ .../admin/certsrv/config/CMSCertSettingPanel.java | 150 + .../certsrv/config/CMSCipherPreferenceDialog.java | 201 + .../certsrv/config/CMSCipherPreferencePane.java | 112 + .../admin/certsrv/config/CMSEAGeneralPanel.java | 169 + .../admin/certsrv/config/CMSEncryptionPanel.java | 835 +++ .../admin/certsrv/config/CMSErrorLogPanel.java | 180 + .../admin/certsrv/config/CMSKRAAutoPanel.java | 220 + .../admin/certsrv/config/CMSKRAPasswdPanel.java | 267 + .../admin/certsrv/config/CMSKRASchemePanel.java | 198 + .../admin/certsrv/config/CMSLDAPSettingPanel.java | 362 + .../admin/certsrv/config/CMSNetworkPanel.java | 465 ++ .../admin/certsrv/config/CMSOCSPGeneralPanel.java | 219 + .../admin/certsrv/config/CMSPasswordDialog.java | 310 + .../admin/certsrv/config/CMSPluginInstanceTab.java | 442 ++ .../admin/certsrv/config/CMSRACLMPanel.java | 313 + .../admin/certsrv/config/CMSRAConnectorPanel.java | 251 + .../admin/certsrv/config/CMSRAGeneralPanel.java | 185 + .../admin/certsrv/config/CMSRALDAPPanel.java | 44 + .../admin/certsrv/config/CMSRuleDataModel.java | 82 + .../admin/certsrv/config/CMSSMTPPanel.java | 170 + .../admin/certsrv/config/CMSSNMPPanel.java | 296 + .../certsrv/config/CMSSSL2CipherPreference.java | 36 + .../admin/certsrv/config/CMSSSL2CipherSet.java | 74 + 
.../certsrv/config/CMSSSL3CipherPreference.java | 37 + .../admin/certsrv/config/CMSSSL3CipherSet.java | 91 + .../admin/certsrv/config/CMSSelfTestsPanel.java | 219 + .../netscape/admin/certsrv/config/CMSTabPanel.java | 350 + .../certsrv/config/CMSUserCertSettingPanel.java | 155 + .../certsrv/config/CMStoAdminEncryptionPane.java | 67 + .../certsrv/config/CRLExtensionsConfigDialog.java | 76 + .../certsrv/config/CRLExtensionsInstanceTab.java | 114 + .../config/CRLExtensionsPluginSelectionDialog.java | 67 + .../certsrv/config/CRLExtensionsRuleDataModel.java | 69 + .../netscape/admin/certsrv/config/CRLIPEditor.java | 330 + .../admin/certsrv/config/ConfigTableModel.java | 42 + .../admin/certsrv/config/ConnectorEditor.java | 634 ++ .../certsrv/config/EvaluatorRegisterDialog.java | 41 + .../admin/certsrv/config/GeneralLogPanel.java | 250 + .../admin/certsrv/config/JobsConfigDialog.java | 62 + .../admin/certsrv/config/JobsImplDataModel.java | 68 + .../netscape/admin/certsrv/config/JobsImplTab.java | 323 + .../admin/certsrv/config/JobsInstanceTab.java | 104 + .../certsrv/config/JobsPluginSelectionDialog.java | 66 + .../admin/certsrv/config/JobsRegisterDialog.java | 40 + .../admin/certsrv/config/JobsRuleDataModel.java | 71 + .../admin/certsrv/config/JobsSettingPanel.java | 240 + .../admin/certsrv/config/KeyCreateDialog.java | 299 + .../admin/certsrv/config/ListCertsModel.java | 56 + .../admin/certsrv/config/ListKeysModel.java | 56 + .../admin/certsrv/config/LogConfigDialog.java | 62 + .../admin/certsrv/config/LogImplDataModel.java | 68 + .../netscape/admin/certsrv/config/LogImplTab.java | 315 + .../admin/certsrv/config/LogInstanceTab.java | 95 + .../certsrv/config/LogPluginSelectionDialog.java | 69 + .../admin/certsrv/config/LogRegisterDialog.java | 40 + .../admin/certsrv/config/LogRuleDataModel.java | 62 + .../admin/certsrv/config/MNSchemeWizard.java | 64 + .../admin/certsrv/config/MNSchemeWizardInfo.java | 107 + .../admin/certsrv/config/MapperConfigDialog.java | 64 + 
.../admin/certsrv/config/MapperImplDataModel.java | 68 + .../admin/certsrv/config/MapperImplTab.java | 320 + .../admin/certsrv/config/MapperInstanceTab.java | 95 + .../config/MapperPluginSelectionDialog.java | 74 + .../admin/certsrv/config/MapperRegisterDialog.java | 40 + .../admin/certsrv/config/MapperRuleDataModel.java | 62 + .../certsrv/config/OCSPStoresConfigDialog.java | 60 + .../certsrv/config/OCSPStoresInstanceTab.java | 132 + .../config/OCSPStoresPluginSelectionDialog.java | 67 + .../certsrv/config/OCSPStoresRuleDataModel.java | 69 + .../certsrv/config/PanelMapperConfigDialog.java | 409 ++ .../certsrv/config/PluginSelectionDialog.java | 375 + .../admin/certsrv/config/PolicyConfigDialog.java | 64 + .../admin/certsrv/config/PolicyImplDataModel.java | 68 + .../admin/certsrv/config/PolicyImplTab.java | 322 + .../admin/certsrv/config/PolicyInstanceTab.java | 139 + .../config/PolicyPluginSelectionDialog.java | 73 + .../admin/certsrv/config/PolicyRegisterDialog.java | 40 + .../admin/certsrv/config/PolicyRuleDataModel.java | 71 + .../certsrv/config/PolicyRuleOrderDialog.java | 331 + .../certsrv/config/ProfileComponentCellEditor.java | 109 + .../certsrv/config/ProfileConfigDataModel.java | 83 + .../admin/certsrv/config/ProfileConfigDialog.java | 396 + .../admin/certsrv/config/ProfileDataTable.java | 68 + .../admin/certsrv/config/ProfileEditDataModel.java | 88 + .../admin/certsrv/config/ProfileEditDialog.java | 931 +++ .../admin/certsrv/config/ProfileImplDataModel.java | 70 + .../admin/certsrv/config/ProfileImplTab.java | 382 + .../admin/certsrv/config/ProfileInstanceTab.java | 161 + .../admin/certsrv/config/ProfileListDataModel.java | 60 + .../certsrv/config/ProfileNonPolicyNewDialog.java | 429 ++ .../certsrv/config/ProfileNonPolicySelDialog.java | 386 + .../config/ProfilePluginSelectionDialog.java | 187 + .../certsrv/config/ProfilePolicyEditDataModel.java | 85 + .../certsrv/config/ProfilePolicyEditDialog.java | 698 ++ .../certsrv/config/ProfilePolicyNewDialog.java 
| 714 ++ .../config/ProfilePolicySelectionDialog.java | 515 ++ .../certsrv/config/ProfileRegisterDialog.java | 303 + .../admin/certsrv/config/ProfileRuleDataModel.java | 69 + .../certsrv/config/PublisherConfigDialog.java | 64 + .../certsrv/config/PublisherImplDataModel.java | 68 + .../admin/certsrv/config/PublisherImplTab.java | 321 + .../admin/certsrv/config/PublisherInstanceTab.java | 95 + .../config/PublisherPluginSelectionDialog.java | 74 + .../certsrv/config/PublisherRegisterDialog.java | 40 + .../certsrv/config/PublisherRuleDataModel.java | 62 + .../admin/certsrv/config/RegisterDialog.java | 286 + .../admin/certsrv/config/RuleConfigDialog.java | 64 + .../admin/certsrv/config/RuleImplDataModel.java | 68 + .../netscape/admin/certsrv/config/RuleImplTab.java | 320 + .../admin/certsrv/config/RuleInstanceTab.java | 97 + .../certsrv/config/RulePluginSelectionDialog.java | 74 + .../admin/certsrv/config/RuleRegisterDialog.java | 40 + .../admin/certsrv/config/RuleRuleDataModel.java | 70 + .../netscape/admin/certsrv/config/TKSKeysTab.java | 366 + .../admin/certsrv/config/UserCertsTab.java | 342 + .../netscape/admin/certsrv/config/ViewDialog.java | 189 + .../admin/certsrv/config/ViewSelfTestsDialog.java | 172 + .../admin/certsrv/config/ViewTableModel.java | 40 + .../certsrv/config/WBaseCertExtensionPage.java | 445 ++ .../admin/certsrv/config/WBaseCertRequestPage.java | 261 + .../netscape/admin/certsrv/config/WBaseDNPage.java | 493 ++ .../admin/certsrv/config/WBaseDNValidityPage.java | 207 + .../admin/certsrv/config/WBaseKeyPage.java | 248 + .../certsrv/config/WBaseManualCertRequestPage.java | 508 ++ .../admin/certsrv/config/WBaseValidityPage.java | 258 + .../netscape/admin/certsrv/config/WMNNewAgent.java | 293 + .../netscape/admin/certsrv/config/WMNOldAgent.java | 214 + .../admin/certsrv/config/WMNResultPage.java | 102 + .../admin/certsrv/config/WMNSelection.java | 226 + .../admin/certsrv/config/WMessageDigestPage.java | 240 + .../admin/certsrv/config/WarningDialog.java 
| 171 + .../config/install/ComponentCellRenderer.java | 32 + .../certsrv/config/install/InstallWizard.java | 202 + .../certsrv/config/install/InstallWizardInfo.java | 1724 +++++ .../admin/certsrv/config/install/WIAdminPage.java | 266 + .../config/install/WIAllCertsInstalledPage.java | 269 + .../config/install/WICACert1CustomPage.java | 72 + .../certsrv/config/install/WICACert1Page.java | 218 + .../certsrv/config/install/WICACert2Page.java | 72 + .../certsrv/config/install/WICACertDNPage.java | 97 + .../config/install/WICACertExtensionPage.java | 80 + .../admin/certsrv/config/install/WICACertPage.java | 172 + .../certsrv/config/install/WICACertSubmitPage.java | 79 + .../config/install/WICACertValidityPage.java | 75 + .../admin/certsrv/config/install/WICAKeyPage.java | 115 + .../config/install/WICAMessageDigestPage.java | 80 + .../config/install/WICAOCSPServicePage.java | 172 + .../config/install/WICARequestResultPage.java | 59 + .../config/install/WICASerialNumberPage.java | 381 + .../certsrv/config/install/WICATokenLogonPage.java | 76 + .../admin/certsrv/config/install/WICertDNPage.java | 153 + .../config/install/WICertExtensionPage.java | 168 + .../certsrv/config/install/WICertRequestPage.java | 73 + .../config/install/WICertSetupStatusPage.java | 144 + .../certsrv/config/install/WICertSubmitPage.java | 144 + .../certsrv/config/install/WICertValidityPage.java | 141 + .../config/install/WICloneCAKeyCertPage.java | 292 + .../config/install/WICloneKRAKeyCertPage.java | 292 + .../certsrv/config/install/WICloneMasterPage.java | 409 ++ .../config/install/WICloneOCSPKeyCertPage.java | 237 + .../admin/certsrv/config/install/WIClonePage.java | 142 + .../config/install/WICloneRAKeyCertPage.java | 242 + .../config/install/WICloneTKSKeyCertPage.java | 182 + .../config/install/WIConfigWebServerPage.java | 182 + .../config/install/WICreateInternalDBPage.java | 581 ++ .../certsrv/config/install/WIDBEnrollPage.java | 211 + .../config/install/WIDisplayCACertPage.java | 75 + 
.../certsrv/config/install/WIDisplayCertPage.java | 205 + .../config/install/WIDisplayKRACertPage.java | 77 + .../config/install/WIDisplayOCSPCertPage.java | 71 + .../config/install/WIDisplayRACertPage.java | 73 + .../config/install/WIDisplaySSLCertPage.java | 70 + .../certsrv/config/install/WIExistingDBPage.java | 282 + .../certsrv/config/install/WIGenCAKeyCertPage.java | 68 + .../config/install/WIGenCAKeyCertReqPage.java | 80 + .../config/install/WIGenKRAKeyCertPage.java | 70 + .../config/install/WIGenKRAKeyCertReqPage.java | 82 + .../certsrv/config/install/WIGenKeyCertPage.java | 143 + .../config/install/WIGenKeyCertReqPage.java | 291 + .../config/install/WIGenOCSPKeyCertPage.java | 62 + .../config/install/WIGenOCSPKeyCertReqPage.java | 77 + .../certsrv/config/install/WIGenRAKeyCertPage.java | 67 + .../config/install/WIGenRAKeyCertReqPage.java | 79 + .../config/install/WIGenSSLKeyCertReqPage.java | 76 + .../config/install/WIGenServerKeyCertPage.java | 62 + .../config/install/WIInstallCACertStatusPage.java | 70 + .../config/install/WIInstallCAIntroPage.java | 62 + .../certsrv/config/install/WIInstallCert1Page.java | 157 + .../certsrv/config/install/WIInstallCert2Page.java | 140 + .../config/install/WIInstallCertStatusPage.java | 248 + .../certsrv/config/install/WIInstallIntroPage.java | 133 + .../config/install/WIInstallKRACertStatusPage.java | 72 + .../config/install/WIInstallKRAIntroPage.java | 65 + .../install/WIInstallOCSPCertStatusPage.java | 67 + .../config/install/WIInstallOCSPIntroPage.java | 60 + .../config/install/WIInstallRACertStatusPage.java | 69 + .../config/install/WIInstallRAIntroPage.java | 61 + .../config/install/WIInstallSSLCertStatusPage.java | 65 + .../config/install/WIInstallSSLIntroPage.java | 58 + .../config/install/WIInternalDBInfoPage.java | 173 + .../certsrv/config/install/WIInternalDBPage.java | 313 + .../config/install/WIInternalTokenLogonPage.java | 67 + .../config/install/WIIntroMigrationPage.java | 162 + 
.../admin/certsrv/config/install/WIIntroPage.java | 217 + .../config/install/WIIntroSingleSignonPage.java | 162 + .../certsrv/config/install/WIKRACertDNPage.java | 105 + .../config/install/WIKRACertExtensionPage.java | 75 + .../config/install/WIKRACertSubmitPage.java | 80 + .../config/install/WIKRACertValidityPage.java | 77 + .../admin/certsrv/config/install/WIKRAKeyPage.java | 100 + .../config/install/WIKRAMessageDigestPage.java | 79 + .../certsrv/config/install/WIKRANumberPage.java | 378 + .../config/install/WIKRARequestResultPage.java | 58 + .../certsrv/config/install/WIKRAScheme1Page.java | 188 + .../certsrv/config/install/WIKRAScheme2Page.java | 309 + .../config/install/WIKRAStorageKeyPage.java | 356 + .../config/install/WIKRATokenLogonPage.java | 74 + .../admin/certsrv/config/install/WIKeyPage.java | 641 ++ .../config/install/WILDAPPublishingPage.java | 279 + .../certsrv/config/install/WILoggingPage.java | 202 + .../config/install/WILogonAllTokensPage.java | 264 + .../config/install/WIManualCACertRequestPage.java | 86 + .../config/install/WIManualCertRequestPage.java | 178 + .../config/install/WIManualKRACertRequestPage.java | 77 + .../install/WIManualOCSPCertRequestPage.java | 72 + .../config/install/WIManualRACertRequestPage.java | 74 + .../config/install/WIManualSSLCertRequestPage.java | 69 + .../certsrv/config/install/WIMasterOrClone.java | 172 + .../certsrv/config/install/WIMigrationPage.java | 715 ++ .../certsrv/config/install/WINetworkPage.java | 499 ++ .../certsrv/config/install/WIOCSPCertDNPage.java | 83 + .../config/install/WIOCSPCertSubmitPage.java | 76 + .../certsrv/config/install/WIOCSPKeyPage.java | 90 + .../config/install/WIOCSPMessageDigestPage.java | 80 + .../config/install/WIOCSPRequestResultPage.java | 63 + .../config/install/WIOCSPTokenLogonPage.java | 73 + .../certsrv/config/install/WIPasteCACertPage.java | 67 + .../certsrv/config/install/WIPasteCertPage.java | 500 ++ .../certsrv/config/install/WIPasteKRACertPage.java | 68 + 
.../config/install/WIPasteOCSPCertPage.java | 63 + .../certsrv/config/install/WIPasteRACertPage.java | 64 + .../certsrv/config/install/WIPasteSSLCertPage.java | 60 + .../certsrv/config/install/WIRACertDNPage.java | 86 + .../config/install/WIRACertExtensionPage.java | 75 + .../certsrv/config/install/WIRACertSubmitPage.java | 76 + .../config/install/WIRACertValidityPage.java | 74 + .../admin/certsrv/config/install/WIRAKeyPage.java | 94 + .../config/install/WIRAMessageDigestPage.java | 79 + .../config/install/WIRARequestResultPage.java | 58 + .../certsrv/config/install/WIRATokenLogonPage.java | 75 + .../certsrv/config/install/WIRecreateDBPage.java | 139 + .../config/install/WIRemoteCASubsystem.java | 291 + .../config/install/WIRemoteKRASubsystem.java | 371 + .../config/install/WIReplAgreementPage.java | 417 ++ .../config/install/WIRequestResultPage.java | 148 + .../admin/certsrv/config/install/WISMTPPage.java | 129 + .../config/install/WISSLMessageDigestPage.java | 79 + .../config/install/WISSLRequestResultPage.java | 58 + .../config/install/WISSLTokenLogonPage.java | 72 + .../certsrv/config/install/WIServerCertDNPage.java | 116 + .../config/install/WIServerCertExtensionPage.java | 71 + .../config/install/WIServerCertSubmitPage.java | 89 + .../config/install/WIServerCertValidityPage.java | 69 + .../certsrv/config/install/WIServerKeyPage.java | 93 + .../certsrv/config/install/WIServicesPage.java | 425 ++ .../certsrv/config/install/WISingleSignonPage.java | 532 ++ .../certsrv/config/install/WITokenLogonPage.java | 255 + .../certsrv/config/install/WITrustDBPage.java | 138 + .../admin/certsrv/connection/AdminConnection.java | 818 +++ .../certsrv/connection/BasicAuthenticator.java | 54 + .../admin/certsrv/connection/IAuthenticator.java | 30 + .../admin/certsrv/connection/IConnection.java | 55 + .../certsrv/connection/IConnectionFactory.java | 40 + .../admin/certsrv/connection/JSSConnection.java | 761 ++ .../certsrv/connection/PromptForTrustDialog.java | 316 + 
.../netscape/admin/certsrv/connection/Request.java | 70 + .../admin/certsrv/connection/Response.java | 133 + .../certsrv/connection/SSLConnectionFactory.java | 81 + .../admin/certsrv/images/CertificateServer.gif | Bin 0 -> 363 bytes .../admin/certsrv/images/CertificateServerL.gif | Bin 0 -> 501 bytes .../com/netscape/admin/certsrv/images/LOGobjs.gif | Bin 0 -> 174 bytes .../com/netscape/admin/certsrv/images/UGobjs.gif | Bin 0 -> 176 bytes .../src/com/netscape/admin/certsrv/images/acl.gif | Bin 0 -> 123 bytes .../com/netscape/admin/certsrv/images/aclobj.gif | Bin 0 -> 178 bytes .../netscape/admin/certsrv/images/aclplugin.gif | Bin 0 -> 173 bytes .../com/netscape/admin/certsrv/images/alertl.gif | Bin 0 -> 372 bytes .../netscape/admin/certsrv/images/allfolder16n.gif | Bin 0 -> 878 bytes .../netscape/admin/certsrv/images/allgroup16n.gif | Bin 0 -> 128 bytes .../netscape/admin/certsrv/images/alllogdoc16n.gif | Bin 0 -> 154 bytes .../admin/certsrv/images/alllogfolder16n.gif | Bin 0 -> 132 bytes .../netscape/admin/certsrv/images/alluser16n.gif | Bin 0 -> 85 bytes .../admin/certsrv/images/alluserwithcert16n.gif | Bin 0 -> 144 bytes .../src/com/netscape/admin/certsrv/images/auth.gif | Bin 0 -> 112 bytes .../com/netscape/admin/certsrv/images/authobj.gif | Bin 0 -> 179 bytes .../netscape/admin/certsrv/images/authplugin.gif | Bin 0 -> 167 bytes .../com/netscape/admin/certsrv/images/cert24.gif | Bin 0 -> 501 bytes .../com/netscape/admin/certsrv/images/cert41.gif | Bin 0 -> 2153 bytes .../com/netscape/admin/certsrv/images/cert42.gif | Bin 0 -> 2291 bytes .../netscape/admin/certsrv/images/cms-branding.gif | Bin 0 -> 2145 bytes .../com/netscape/admin/certsrv/images/error.gif | Bin 0 -> 368 bytes .../netscape/admin/certsrv/images/genobject.gif | Bin 0 -> 159 bytes .../com/netscape/admin/certsrv/images/jobobj.gif | Bin 0 -> 178 bytes .../netscape/admin/certsrv/images/jobplugin.gif | Bin 0 -> 173 bytes .../src/com/netscape/admin/certsrv/images/jobs.gif | Bin 0 -> 123 bytes 
.../com/netscape/admin/certsrv/images/ldapub.gif | Bin 0 -> 172 bytes .../com/netscape/admin/certsrv/images/messagel.gif | Bin 0 -> 693 bytes .../netscape/admin/certsrv/images/notsecure.gif | Bin 0 -> 157 bytes .../src/com/netscape/admin/certsrv/images/plug.gif | Bin 0 -> 175 bytes .../com/netscape/admin/certsrv/images/plugin.gif | Bin 0 -> 143 bytes .../netscape/admin/certsrv/images/pluginfolder.gif | Bin 0 -> 176 bytes .../admin/certsrv/images/red-ball-small.gif | Bin 0 -> 255 bytes .../com/netscape/admin/certsrv/images/rule-16.gif | Bin 0 -> 145 bytes .../admin/certsrv/images/ruleDisable-16.gif | Bin 0 -> 131 bytes .../admin/certsrv/images/ruleplugin-16.gif | Bin 0 -> 172 bytes .../com/netscape/admin/certsrv/images/rulesobj.gif | Bin 0 -> 188 bytes .../com/netscape/admin/certsrv/images/secure.gif | Bin 0 -> 173 bytes .../netscape/admin/certsrv/images/servlet-16.gif | Bin 0 -> 104 bytes .../admin/certsrv/images/servlet-plugin-16.gif | Bin 0 -> 164 bytes .../netscape/admin/certsrv/images/servletobj.gif | Bin 0 -> 172 bytes .../admin/certsrv/keycert/CertSetupWizard.java | 82 + .../admin/certsrv/keycert/CertSetupWizardInfo.java | 412 ++ .../admin/certsrv/keycert/WCACertRequest1Page.java | 237 + .../netscape/admin/certsrv/keycert/WCAKeyPage.java | 102 + .../admin/certsrv/keycert/WCertDNPage.java | 196 + .../admin/certsrv/keycert/WCertDNValidityPage.java | 100 + .../admin/certsrv/keycert/WCertExtensionPage.java | 273 + .../certsrv/keycert/WCertMessageDigestPage.java | 113 + .../admin/certsrv/keycert/WCertRequestPage.java | 81 + .../admin/certsrv/keycert/WCertTypePage.java | 500 ++ .../admin/certsrv/keycert/WCertValidityPage.java | 139 + .../admin/certsrv/keycert/WDisplayCertPage.java | 258 + .../admin/certsrv/keycert/WExecute1Page.java | 158 + .../admin/certsrv/keycert/WExecutePage.java | 158 + .../admin/certsrv/keycert/WGenerateReqPage.java | 92 + .../certsrv/keycert/WInstallCertChainPage.java | 141 + .../admin/certsrv/keycert/WInstallOpPage.java | 221 + 
.../admin/certsrv/keycert/WInstallStatusPage.java | 105 + .../certsrv/keycert/WIntroInstallCertPage.java | 93 + .../netscape/admin/certsrv/keycert/WIntroPage.java | 120 + .../certsrv/keycert/WIssueImportStatusPage.java | 105 + .../netscape/admin/certsrv/keycert/WKeyPage.java | 809 ++ .../certsrv/keycert/WManualCertRequestPage.java | 199 + .../certsrv/keycert/WOperationSelectionPage.java | 134 + .../certsrv/keycert/WOtherCertRequest1Page.java | 176 + .../admin/certsrv/keycert/WPasteCertPage.java | 261 + .../netscape/admin/certsrv/keycert/WRAKeyPage.java | 72 + .../admin/certsrv/keycert/WRequestStatusPage.java | 142 + .../admin/certsrv/keycert/WSSLKeyPage.java | 72 + .../admin/certsrv/keycert/WTokenLogonPage.java | 178 + .../admin/certsrv/keycert/WTokenSelectionPage.java | 158 + .../certsrv/keycert/WWarningExecute1Page.java | 161 + .../admin/certsrv/keycert/WWarningExecutePage.java | 154 + .../admin/certsrv/keycert/WWarningPage.java | 143 + .../certsrv/managecert/CertificateInfoDialog.java | 351 + .../admin/certsrv/managecert/ManageCertDialog.java | 362 + .../admin/certsrv/managecert/ManageCertModel.java | 55 + .../admin/certsrv/menu/CertManagementAction.java | 47 + .../netscape/admin/certsrv/menu/KeyCertAction.java | 48 + .../admin/certsrv/menu/PKCS11ManagementAction.java | 47 + .../admin/certsrv/menu/RefreshTabPane.java | 101 + .../admin/certsrv/misc/MessageFormatter.java | 138 + .../certsrv/notification/RequestCompletePanel.java | 280 + .../certsrv/notification/RequestInQPanel.java | 302 + .../certsrv/notification/RequestRevokedPanel.java | 283 + .../admin/certsrv/security/AbstractCipher.java | 82 + .../certsrv/security/AbstractCipherPreference.java | 279 + .../admin/certsrv/security/CRLAddCertDialog.java | 226 + .../admin/certsrv/security/CRLCertInfoPane.java | 112 + .../certsrv/security/CRLDeleteCertDialog.java | 201 + .../certsrv/security/CRLManagementDialog.java | 309 + .../netscape/admin/certsrv/security/CRLTable.java | 235 + 
.../admin/certsrv/security/CRLTableModel.java | 94 + .../admin/certsrv/security/CertBasicInfo.java | 83 + .../certsrv/security/CertDetailInfoDialog.java | 111 + .../netscape/admin/certsrv/security/CertInfo.java | 87 + .../admin/certsrv/security/CertInfoDialog.java | 528 ++ .../certsrv/security/CertInstallCertInfoPane.java | 391 + .../certsrv/security/CertInstallCertPane.java | 236 + .../certsrv/security/CertInstallTypePane.java | 296 + .../admin/certsrv/security/CertListTable.java | 316 + .../admin/certsrv/security/CertListTableModel.java | 91 + .../certsrv/security/CertManagementDialog.java | 220 + .../certsrv/security/CertRequestCertPane.java | 197 + .../security/CertRequestEnterPasswordPane.java | 217 + .../certsrv/security/CertRequestInfoPane.java | 403 + .../security/CertRequestSelectTokenPane.java | 302 + .../certsrv/security/CertRequestTypePane.java | 390 + .../certsrv/security/ChangeKeyPasswordDialog.java | 175 + .../admin/certsrv/security/CipherEntry.java | 190 + .../certsrv/security/CipherPreferenceDialog.java | 332 + .../admin/certsrv/security/CipherResourceSet.java | 26 + .../com/netscape/admin/certsrv/security/Comm.java | 158 + .../admin/certsrv/security/CreateTrustPane.java | 231 + .../admin/certsrv/security/EncryptionPane.java | 639 ++ .../certsrv/security/GuideCertInstallPane.java | 82 + .../certsrv/security/GuideCertRequestPane.java | 81 + .../certsrv/security/GuideCreateTrustPane.java | 79 + .../admin/certsrv/security/GuideIntroPane.java | 119 + .../admin/certsrv/security/IAbstractCipherSet.java | 44 + .../admin/certsrv/security/ICipherConstants.java | 76 + .../certsrv/security/IEncryptionPaneListener.java | 52 + .../admin/certsrv/security/IKeyCertPage.java | 26 + .../admin/certsrv/security/KeyCertTaskInfo.java | 116 + .../admin/certsrv/security/KeyCertUtility.java | 113 + .../admin/certsrv/security/KeyCertWizard.java | 328 + .../netscape/admin/certsrv/security/Message.java | 241 + .../admin/certsrv/security/MessageDialog.java | 66 + 
.../certsrv/security/PKCS11AddModuleDialog.java | 165 + .../certsrv/security/PKCS11ManagementDialog.java | 242 + .../netscape/admin/certsrv/security/Response.java | 407 + .../certsrv/security/SSL2CipherPreference.java | 56 + .../admin/certsrv/security/SSL2CipherSet.java | 85 + .../certsrv/security/SSL3CipherPreference.java | 64 + .../admin/certsrv/security/SSL3CipherSet.java | 119 + .../admin/certsrv/security/StatusPane.java | 153 + .../security/ToggleCipherPreferencePane.java | 181 + .../admin/certsrv/security/WizardObservable.java | 48 + .../admin/certsrv/status/AccessLogDataModel.java | 43 + .../admin/certsrv/status/AuditLogDataModel.java | 43 + .../netscape/admin/certsrv/status/CMSLogPanel.java | 360 + .../admin/certsrv/status/DefaultLogParser.java | 118 + .../admin/certsrv/status/ErrorLogDataModel.java | 43 + .../netscape/admin/certsrv/status/ILogParser.java | 38 + .../admin/certsrv/status/LogDataModel.java | 107 + .../admin/certsrv/status/LogEntryViewDialog.java | 202 + .../admin/certsrv/status/LogInstancePanel.java | 157 + .../netscape/admin/certsrv/status/StatusPanel.java | 246 + .../netscape/admin/certsrv/task/AuthDialog.java | 244 + .../com/netscape/admin/certsrv/task/CGITask.java | 400 + .../admin/certsrv/task/CMSCertRequest.java | 418 ++ .../netscape/admin/certsrv/task/CMSConfigCert.java | 207 + .../netscape/admin/certsrv/task/CMSImportCert.java | 429 ++ .../admin/certsrv/task/CMSMigrateCreate.java | 340 + .../com/netscape/admin/certsrv/task/CMSRemove.java | 166 + .../admin/certsrv/task/CMSRequestCert.java | 421 ++ .../netscape/admin/certsrv/task/CMSRestart.java | 186 + .../com/netscape/admin/certsrv/task/CMSStart.java | 179 + .../admin/certsrv/task/CMSStartDaemon.java | 284 + .../com/netscape/admin/certsrv/task/CMSStatus.java | 207 + .../com/netscape/admin/certsrv/task/CMSStop.java | 161 + .../admin/certsrv/task/CreateInstanceDialog.java | 246 + .../com/netscape/admin/certsrv/task/KeyCert.java | 62 + .../netscape/admin/certsrv/task/StatusDialog.java | 
186 + .../netscape/admin/certsrv/ug/AuthBaseDialog.java | 355 + .../admin/certsrv/ug/AuthConfigDialog.java | 91 + .../admin/certsrv/ug/AuthImplDataModel.java | 72 + .../com/netscape/admin/certsrv/ug/AuthImplTab.java | 353 + .../netscape/admin/certsrv/ug/AuthInstanceTab.java | 141 + .../certsrv/ug/AuthPluginSelectionDialog.java | 95 + .../admin/certsrv/ug/AuthRegisterDialog.java | 40 + .../admin/certsrv/ug/AuthRuleDataModel.java | 64 + .../netscape/admin/certsrv/ug/AuthViewDialog.java | 65 + .../netscape/admin/certsrv/ug/CMSBaseUGTab.java | 153 + .../netscape/admin/certsrv/ug/CMSUGTabPanel.java | 136 + .../netscape/admin/certsrv/ug/CertDataModel.java | 85 + .../admin/certsrv/ug/CertImportDialog.java | 256 + .../admin/certsrv/ug/CertManagementDialog.java | 441 ++ .../netscape/admin/certsrv/ug/CertViewDialog.java | 201 + .../netscape/admin/certsrv/ug/GroupDataModel.java | 61 + .../com/netscape/admin/certsrv/ug/GroupEditor.java | 596 ++ .../admin/certsrv/ug/GroupListDataModel.java | 67 + .../netscape/admin/certsrv/ug/GroupListDialog.java | 284 + .../com/netscape/admin/certsrv/ug/GroupTab.java | 369 + .../netscape/admin/certsrv/ug/MemberDataModel.java | 140 + .../netscape/admin/certsrv/ug/UserDataModel.java | 68 + .../com/netscape/admin/certsrv/ug/UserEditor.java | 627 ++ .../admin/certsrv/ug/UserListDataModel.java | 70 + .../netscape/admin/certsrv/ug/UserListDialog.java | 369 + .../src/com/netscape/admin/certsrv/ug/UserTab.java | 374 + .../admin/certsrv/wizard/ConfigServlet.java | 24 + .../netscape/admin/certsrv/wizard/IWizardDone.java | 28 + .../admin/certsrv/wizard/IWizardPanel.java | 98 + .../admin/certsrv/wizard/WizardBasePanel.java | 290 + .../netscape/admin/certsrv/wizard/WizardInfo.java | 88 + .../admin/certsrv/wizard/WizardWidget.java | 428 ++ .../netscape/certsrv/common/ConfigConstants.java | 333 + .../src/com/netscape/certsrv/common/Constants.java | 749 ++ .../src/com/netscape/certsrv/common/DestDef.java | 57 + .../netscape/certsrv/common/NameValuePairs.java 
| 80 + .../src/com/netscape/certsrv/common/OpDef.java | 39 + .../src/com/netscape/certsrv/common/PrefixDef.java | 41 + .../src/com/netscape/certsrv/common/ScopeDef.java | 193 + .../src/com/netscape/certsrv/common/TaskId.java | 129 + base/console/templates/CMakeLists.txt | 12 + base/console/templates/pki_console_wrapper | 167 + base/deploy/CMakeLists.txt | 137 + base/deploy/LICENSE | 291 + base/deploy/config/pkideployment.cfg | 28 + base/deploy/src/pkidestroy | 151 + base/deploy/src/pkispawn | 174 + base/deploy/src/scriptlets/instance.py | 105 + base/deploy/src/scriptlets/pkiconfig.py | 96 + base/deploy/src/scriptlets/pkihelper.py | 222 + base/deploy/src/scriptlets/pkilogging.py | 46 + base/deploy/src/scriptlets/pkimessages.py | 86 + base/deploy/src/scriptlets/pkiscriptlet.py | 47 + base/deploy/src/scriptlets/security_databases.py | 78 + base/java-tools/CMakeLists.txt | 4 + base/java-tools/LICENSE | 291 + base/java-tools/doc/README | 161 + base/java-tools/src/CMakeLists.txt | 87 + .../java-tools/src/com/netscape/cmstools/AtoB.java | 146 + .../src/com/netscape/cmstools/AuditVerify.java | 334 + .../java-tools/src/com/netscape/cmstools/BtoA.java | 119 + .../src/com/netscape/cmstools/CMCEnroll.java | 467 ++ .../src/com/netscape/cmstools/CMCRequest.java | 1129 +++ .../src/com/netscape/cmstools/CMCResponse.java | 234 + .../src/com/netscape/cmstools/CMCRevoke.java | 426 ++ .../src/com/netscape/cmstools/CRMFPopClient.java | 620 ++ .../src/com/netscape/cmstools/DRMTool.cfg | 160 + .../src/com/netscape/cmstools/DRMTool.java | 5120 +++++++++++++ .../src/com/netscape/cmstools/ExtJoiner.java | 104 + .../src/com/netscape/cmstools/GenExtKeyUsage.java | 100 + .../com/netscape/cmstools/GenIssuerAltNameExt.java | 141 + .../netscape/cmstools/GenSubjectAltNameExt.java | 141 + .../src/com/netscape/cmstools/HttpClient.java | 403 + .../src/com/netscape/cmstools/OCSPClient.java | 276 + .../src/com/netscape/cmstools/PKCS10Client.java | 249 + .../src/com/netscape/cmstools/PKCS12Export.java | 
301 + .../src/com/netscape/cmstools/PasswordCache.java | 870 +++ .../src/com/netscape/cmstools/PrettyPrintCert.java | 248 + .../src/com/netscape/cmstools/PrettyPrintCrl.java | 212 + .../src/com/netscape/cmstools/TestCRLSigning.java | 115 + .../src/com/netscape/cmstools/TokenInfo.java | 75 + base/java-tools/templates/CMakeLists.txt | 67 + .../templates/pki_java_command_wrapper.in | 150 + .../templates/pretty_print_cert_command_wrapper.in | 178 + .../templates/pretty_print_crl_command_wrapper.in | 164 + base/kra/CMakeLists.txt | 66 + base/kra/LICENSE | 291 + base/kra/functional/drmclient.py | 1014 +++ base/kra/functional/drmclient.readme.txt | 50 + .../netscape/cms/servlet/test/DRMRestClient.java | 266 + .../src/com/netscape/cms/servlet/test/DRMTest.java | 503 ++ .../servlet/test/GeneratePKIArchiveOptions.java | 222 + base/kra/setup/CMakeLists.txt | 8 + base/kra/setup/registry_instance | 63 + base/kra/shared/conf/CMakeLists.txt | 12 + base/kra/shared/conf/CS.cfg.in | 383 + base/kra/shared/conf/acl.ldif | 42 + base/kra/shared/conf/catalina.policy | 184 + base/kra/shared/conf/catalina.properties | 87 + base/kra/shared/conf/context.xml | 40 + base/kra/shared/conf/database.ldif | 4 + base/kra/shared/conf/db.ldif | 107 + base/kra/shared/conf/index.ldif | 198 + base/kra/shared/conf/jk2.manifest | 2 + base/kra/shared/conf/jk2.properties | 26 + base/kra/shared/conf/jkconf.ant.xml | 51 + base/kra/shared/conf/jkconfig.manifest | 2 + base/kra/shared/conf/logging.properties | 70 + base/kra/shared/conf/manager.ldif | 48 + base/kra/shared/conf/schema.ldif | 489 ++ base/kra/shared/conf/server-minimal.xml | 25 + base/kra/shared/conf/server.xml | 308 + base/kra/shared/conf/serverCert.profile | 37 + base/kra/shared/conf/serverCertNick.conf | 1 + base/kra/shared/conf/shm.manifest | 2 + base/kra/shared/conf/storageCert.profile | 37 + base/kra/shared/conf/subsystemCert.profile | 37 + base/kra/shared/conf/tomcat-jk2.manifest | 7 + base/kra/shared/conf/tomcat-users.xml | 45 + 
base/kra/shared/conf/tomcat6.conf | 58 + base/kra/shared/conf/transportCert.profile | 37 + base/kra/shared/conf/uriworkermap.properties | 13 + base/kra/shared/conf/vlv.ldif | 207 + base/kra/shared/conf/vlvtasks.ldif | 19 + base/kra/shared/conf/web.xml | 989 +++ base/kra/shared/conf/workers.properties | 206 + base/kra/shared/conf/workers.properties.minimal | 17 + base/kra/shared/conf/workers2.properties | 132 + base/kra/shared/conf/workers2.properties.minimal | 55 + base/kra/shared/etc/init.d/pki-krad | 87 + base/kra/shared/lib/systemd/system/pki-krad.target | 8 + .../shared/lib/systemd/system/pki-krad@.service | 13 + base/kra/shared/webapps/ROOT/WEB-INF/web.xml | 29 + base/kra/shared/webapps/ROOT/index.jsp | 98 + .../kra/shared/webapps/kra/WEB-INF/auth.properties | 16 + .../shared/webapps/kra/WEB-INF/velocity.properties | 8 + base/kra/shared/webapps/kra/WEB-INF/web.xml | 1115 +++ base/kra/src/CMakeLists.txt | 109 + base/kra/src/com/netscape/kra/ArchiveOptions.java | 154 + base/kra/src/com/netscape/kra/EncryptionUnit.java | 741 ++ .../src/com/netscape/kra/EnrollmentService.java | 872 +++ base/kra/src/com/netscape/kra/KRANotify.java | 50 + base/kra/src/com/netscape/kra/KRAPolicy.java | 78 + base/kra/src/com/netscape/kra/KRAService.java | 101 + .../src/com/netscape/kra/KeyRecoveryAuthority.java | 1785 +++++ .../src/com/netscape/kra/NetkeyKeygenService.java | 608 ++ base/kra/src/com/netscape/kra/RecoveryService.java | 710 ++ .../netscape/kra/SecurityDataRecoveryService.java | 388 + .../src/com/netscape/kra/SecurityDataService.java | 171 + base/kra/src/com/netscape/kra/StorageKeyUnit.java | 978 +++ .../com/netscape/kra/TokenKeyRecoveryService.java | 627 ++ .../kra/src/com/netscape/kra/TransportKeyUnit.java | 195 + base/migrate/41ToTxt/classes/CMS41LdifParser.class | Bin 0 -> 9562 bytes base/migrate/41ToTxt/classes/Main.class | Bin 0 -> 1615 bytes base/migrate/41ToTxt/run.bat | 192 + base/migrate/41ToTxt/run.sh | 191 + base/migrate/41ToTxt/src/Main.java | 464 ++ 
base/migrate/41ToTxt/src/compile.bat | 150 + base/migrate/41ToTxt/src/compile.sh | 150 + .../42SP2ToTxt/classes/CMS42SP2LdifParser.class | Bin 0 -> 9028 bytes base/migrate/42SP2ToTxt/classes/Main.class | Bin 0 -> 1552 bytes base/migrate/42SP2ToTxt/run.bat | 192 + base/migrate/42SP2ToTxt/run.sh | 205 + base/migrate/42SP2ToTxt/src/Main.java | 467 ++ base/migrate/42SP2ToTxt/src/compile.bat | 152 + base/migrate/42SP2ToTxt/src/compile.sh | 174 + base/migrate/42ToTxt/classes/CMS42LdifParser.class | Bin 0 -> 9562 bytes base/migrate/42ToTxt/classes/Main.class | Bin 0 -> 1615 bytes base/migrate/42ToTxt/run.bat | 192 + base/migrate/42ToTxt/run.sh | 205 + base/migrate/42ToTxt/src/Main.java | 467 ++ base/migrate/42ToTxt/src/compile.bat | 150 + base/migrate/42ToTxt/src/compile.sh | 168 + base/migrate/45ToTxt/classes/CMS45LdifParser.class | Bin 0 -> 9025 bytes base/migrate/45ToTxt/classes/Main.class | Bin 0 -> 1518 bytes base/migrate/45ToTxt/run.bat | 192 + base/migrate/45ToTxt/run.sh | 196 + base/migrate/45ToTxt/src/Main.java | 469 ++ base/migrate/45ToTxt/src/compile.bat | 152 + base/migrate/45ToTxt/src/compile.sh | 159 + base/migrate/47ToTxt/classes/CMS47LdifParser.class | Bin 0 -> 10672 bytes base/migrate/47ToTxt/classes/Main.class | Bin 0 -> 1517 bytes base/migrate/47ToTxt/run.bat | 192 + base/migrate/47ToTxt/run.sh | 205 + base/migrate/47ToTxt/src/Main.java | 578 ++ base/migrate/47ToTxt/src/compile.bat | 152 + base/migrate/47ToTxt/src/compile.sh | 174 + base/migrate/60ToTxt/classes/CMS60LdifParser.class | Bin 0 -> 9019 bytes base/migrate/60ToTxt/classes/Main.class | Bin 0 -> 1518 bytes base/migrate/60ToTxt/run.bat | 192 + base/migrate/60ToTxt/run.sh | 199 + base/migrate/60ToTxt/src/Main.java | 475 ++ base/migrate/60ToTxt/src/compile.bat | 152 + base/migrate/60ToTxt/src/compile.sh | 164 + base/migrate/61ToTxt/classes/CMS61LdifParser.class | Bin 0 -> 9117 bytes base/migrate/61ToTxt/classes/Main.class | Bin 0 -> 1497 bytes base/migrate/61ToTxt/run.bat | 192 + 
base/migrate/61ToTxt/run.sh | 202 + base/migrate/61ToTxt/src/Main.java | 483 ++ base/migrate/61ToTxt/src/compile.bat | 150 + base/migrate/61ToTxt/src/compile.sh | 160 + base/migrate/62ToTxt/classes/CMS62LdifParser.class | Bin 0 -> 9117 bytes base/migrate/62ToTxt/classes/Main.class | Bin 0 -> 1497 bytes base/migrate/62ToTxt/run.bat | 192 + base/migrate/62ToTxt/run.sh | 202 + base/migrate/62ToTxt/src/Main.java | 483 ++ base/migrate/62ToTxt/src/compile.bat | 150 + base/migrate/62ToTxt/src/compile.sh | 160 + base/migrate/63ToTxt/classes/CMS63LdifParser.class | Bin 0 -> 8978 bytes base/migrate/63ToTxt/classes/Main.class | Bin 0 -> 1501 bytes base/migrate/63ToTxt/run.bat | 192 + base/migrate/63ToTxt/run.sh | 202 + base/migrate/63ToTxt/src/Main.java | 483 ++ base/migrate/63ToTxt/src/compile.bat | 150 + base/migrate/63ToTxt/src/compile.sh | 160 + base/migrate/70ToTxt/classes/CMS70LdifParser.class | Bin 0 -> 8978 bytes base/migrate/70ToTxt/classes/Main.class | Bin 0 -> 1501 bytes base/migrate/70ToTxt/run.bat | 192 + base/migrate/70ToTxt/run.sh | 202 + base/migrate/70ToTxt/src/Main.java | 483 ++ base/migrate/70ToTxt/src/compile.bat | 152 + base/migrate/70ToTxt/src/compile.sh | 160 + base/migrate/71ToTxt/classes/CMS71LdifParser.class | Bin 0 -> 8978 bytes base/migrate/71ToTxt/classes/Main.class | Bin 0 -> 1501 bytes base/migrate/71ToTxt/run.bat | 192 + base/migrate/71ToTxt/run.sh | 202 + base/migrate/71ToTxt/src/Main.java | 483 ++ base/migrate/71ToTxt/src/compile.bat | 150 + base/migrate/71ToTxt/src/compile.sh | 160 + base/migrate/72ToTxt/classes/CMS72LdifParser.class | Bin 0 -> 9200 bytes base/migrate/72ToTxt/classes/Main.class | Bin 0 -> 1513 bytes base/migrate/72ToTxt/run.bat | 192 + base/migrate/72ToTxt/run.sh | 158 + base/migrate/72ToTxt/src/Main.java | 485 ++ base/migrate/72ToTxt/src/compile.bat | 150 + base/migrate/72ToTxt/src/compile.sh | 139 + base/migrate/73ToTxt/classes/CMS73LdifParser.class | Bin 0 -> 9188 bytes base/migrate/73ToTxt/classes/Main.class | Bin 0 -> 
1505 bytes base/migrate/73ToTxt/run.bat | 192 + base/migrate/73ToTxt/run.sh | 157 + base/migrate/73ToTxt/src/Main.java | 485 ++ base/migrate/73ToTxt/src/compile.bat | 150 + base/migrate/73ToTxt/src/compile.sh | 138 + base/migrate/80/MigrateSecurityDomain.class | Bin 0 -> 6951 bytes base/migrate/80/MigrateSecurityDomain.java | 235 + base/migrate/80/readme | 29 + base/migrate/80/schema-add.ldif | 50 + base/migrate/CMakeLists.txt | 36 + base/migrate/LICENSE | 291 + base/migrate/TpsTo80/Makefile | 36 + base/migrate/TpsTo80/linux/migrateTPSData.i386 | Bin 0 -> 10408 bytes base/migrate/TpsTo80/linux/migrateTPSData.x86_64 | Bin 0 -> 12616 bytes base/migrate/TpsTo80/migrateTPSData.c | 501 ++ base/migrate/TpsTo80/readme | 44 + .../TpsTo80/solaris/migrateTPSData.sol9sparc | Bin 0 -> 15712 bytes base/migrate/TxtTo60/classes/CMS60LdifParser.class | Bin 0 -> 12047 bytes .../migrate/TxtTo60/classes/DummyAuthManager.class | Bin 0 -> 1187 bytes base/migrate/TxtTo60/classes/Main.class | Bin 0 -> 1518 bytes base/migrate/TxtTo60/run.bat | 186 + base/migrate/TxtTo60/run.sh | 193 + base/migrate/TxtTo60/src/Main.java | 630 ++ base/migrate/TxtTo60/src/compile.bat | 154 + base/migrate/TxtTo60/src/compile.sh | 166 + base/migrate/TxtTo61/classes/CMS61LdifParser.class | Bin 0 -> 12150 bytes .../migrate/TxtTo61/classes/DummyAuthManager.class | Bin 0 -> 1187 bytes base/migrate/TxtTo61/classes/Main.class | Bin 0 -> 1497 bytes base/migrate/TxtTo61/run.bat | 186 + base/migrate/TxtTo61/run.sh | 196 + base/migrate/TxtTo61/src/Main.java | 644 ++ base/migrate/TxtTo61/src/compile.bat | 152 + base/migrate/TxtTo61/src/compile.sh | 162 + base/migrate/TxtTo62/classes/CMS62LdifParser.class | Bin 0 -> 12355 bytes .../migrate/TxtTo62/classes/DummyAuthManager.class | Bin 0 -> 1187 bytes base/migrate/TxtTo62/classes/Main.class | Bin 0 -> 1497 bytes base/migrate/TxtTo62/run.bat | 186 + base/migrate/TxtTo62/run.sh | 196 + base/migrate/TxtTo62/src/Main.java | 655 ++ base/migrate/TxtTo62/src/compile.bat | 152 + 
base/migrate/TxtTo62/src/compile.sh | 162 + base/migrate/TxtTo70/classes/CMS70LdifParser.class | Bin 0 -> 12270 bytes .../migrate/TxtTo70/classes/DummyAuthManager.class | Bin 0 -> 1187 bytes base/migrate/TxtTo70/classes/Main.class | Bin 0 -> 1501 bytes base/migrate/TxtTo70/run.bat | 186 + base/migrate/TxtTo70/run.sh | 196 + base/migrate/TxtTo70/src/Main.java | 655 ++ base/migrate/TxtTo70/src/compile.bat | 154 + base/migrate/TxtTo70/src/compile.sh | 162 + base/migrate/TxtTo71/classes/CMS71LdifParser.class | Bin 0 -> 12270 bytes .../migrate/TxtTo71/classes/DummyAuthManager.class | Bin 0 -> 1187 bytes base/migrate/TxtTo71/classes/Main.class | Bin 0 -> 1501 bytes base/migrate/TxtTo71/run.bat | 186 + base/migrate/TxtTo71/run.sh | 196 + base/migrate/TxtTo71/src/Main.java | 655 ++ base/migrate/TxtTo71/src/compile.bat | 152 + base/migrate/TxtTo71/src/compile.sh | 162 + base/migrate/TxtTo72/classes/CMS72LdifParser.class | Bin 0 -> 12186 bytes .../migrate/TxtTo72/classes/DummyAuthManager.class | Bin 0 -> 1187 bytes base/migrate/TxtTo72/classes/Main.class | Bin 0 -> 1513 bytes base/migrate/TxtTo72/run.bat | 186 + base/migrate/TxtTo72/run.sh | 152 + base/migrate/TxtTo72/src/Main.java | 659 ++ base/migrate/TxtTo72/src/compile.bat | 152 + base/migrate/TxtTo72/src/compile.sh | 141 + base/migrate/TxtTo73/classes/CMS73LdifParser.class | Bin 0 -> 12166 bytes .../migrate/TxtTo73/classes/DummyAuthManager.class | Bin 0 -> 1187 bytes base/migrate/TxtTo73/classes/Main.class | Bin 0 -> 1505 bytes base/migrate/TxtTo73/run.bat | 186 + base/migrate/TxtTo73/run.sh | 152 + base/migrate/TxtTo73/src/Main.java | 659 ++ base/migrate/TxtTo73/src/compile.bat | 152 + base/migrate/TxtTo73/src/compile.sh | 141 + base/migrate/TxtTo80/classes/CS80LdifParser.class | Bin 0 -> 8542 bytes base/migrate/TxtTo80/classes/Main.class | Bin 0 -> 1626 bytes base/migrate/TxtTo80/run.sh | 394 + base/migrate/TxtTo80/src/Main.java | 593 ++ base/migrate/TxtTo80/src/compile.sh | 345 + base/migrate/kra/RecoverKey.class | 
Bin 0 -> 3566 bytes base/migrate/kra/RecoverKey.java | 101 + base/migrate/kra/RecoverPin.class | Bin 0 -> 5029 bytes base/migrate/kra/RecoverPin.java | 149 + base/migrate/kra/readme.txt | 130 + base/native-tools/CMakeLists.txt | 3 + base/native-tools/LICENSE | 291 + base/native-tools/doc/README | 55 + base/native-tools/src/CMakeLists.txt | 5 + base/native-tools/src/bulkissuance/CMakeLists.txt | 37 + base/native-tools/src/bulkissuance/bulkissuance.c | 807 ++ .../src/bulkissuance/bulkissuance.data | 1 + base/native-tools/src/bulkissuance/getopt.c | 126 + base/native-tools/src/p7tool/CMakeLists.txt | 33 + base/native-tools/src/p7tool/NSPRerrs.h | 161 + base/native-tools/src/p7tool/SECerrs.h | 523 ++ base/native-tools/src/p7tool/SSLerrs.h | 393 + base/native-tools/src/p7tool/p7tool.c | 375 + base/native-tools/src/p7tool/pppolicy.c | 309 + base/native-tools/src/p7tool/secerror.c | 119 + base/native-tools/src/p7tool/secerror.h | 44 + base/native-tools/src/p7tool/secpwd.c | 213 + base/native-tools/src/p7tool/secutil.c | 3665 +++++++++ base/native-tools/src/p7tool/secutil.h | 430 ++ base/native-tools/src/revoker/CMakeLists.txt | 30 + base/native-tools/src/revoker/getopt.c | 126 + base/native-tools/src/revoker/revoker.c | 882 +++ base/native-tools/src/setpin/CMakeLists.txt | 43 + base/native-tools/src/setpin/b64.c | 102 + base/native-tools/src/setpin/options.c | 184 + base/native-tools/src/setpin/options.h | 83 + base/native-tools/src/setpin/setpin.c | 1237 ++++ base/native-tools/src/setpin/setpin.conf | 83 + base/native-tools/src/setpin/setpin_options.c | 290 + base/native-tools/src/setpin/setpin_options.h | 56 + base/native-tools/src/sslget/CMakeLists.txt | 30 + base/native-tools/src/sslget/getopt.c | 126 + base/native-tools/src/sslget/sslget.c | 836 +++ base/native-tools/src/tkstool/CMakeLists.txt | 45 + base/native-tools/src/tkstool/NSPRerrs.h | 161 + base/native-tools/src/tkstool/SECerrs.h | 523 ++ base/native-tools/src/tkstool/SSLerrs.h | 393 + 
base/native-tools/src/tkstool/delete.c | 111 + base/native-tools/src/tkstool/file.c | 518 ++ base/native-tools/src/tkstool/find.c | 81 + base/native-tools/src/tkstool/help.c | 499 ++ base/native-tools/src/tkstool/key.c | 1350 ++++ base/native-tools/src/tkstool/list.c | 181 + base/native-tools/src/tkstool/modules.c | 63 + base/native-tools/src/tkstool/pppolicy.c | 306 + base/native-tools/src/tkstool/random.c | 173 + base/native-tools/src/tkstool/retrieve.c | 114 + base/native-tools/src/tkstool/secerror.c | 118 + base/native-tools/src/tkstool/secpwd.c | 213 + base/native-tools/src/tkstool/secutil.c | 3662 +++++++++ base/native-tools/src/tkstool/secutil.h | 430 ++ base/native-tools/src/tkstool/tkstool.c | 2660 +++++++ base/native-tools/src/tkstool/tkstool.h | 321 + base/native-tools/src/tkstool/util.c | 640 ++ base/native-tools/src/tkstool/version.c | 49 + base/ocsp/CMakeLists.txt | 65 + base/ocsp/LICENSE | 291 + base/ocsp/setup/CMakeLists.txt | 8 + base/ocsp/setup/registry_instance | 63 + base/ocsp/shared/conf/CMakeLists.txt | 12 + base/ocsp/shared/conf/CS.cfg.in | 333 + base/ocsp/shared/conf/acl.ldif | 29 + base/ocsp/shared/conf/catalina.policy | 184 + base/ocsp/shared/conf/catalina.properties | 87 + base/ocsp/shared/conf/context.xml | 40 + base/ocsp/shared/conf/database.ldif | 9 + base/ocsp/shared/conf/db.ldif | 67 + base/ocsp/shared/conf/index.ldif | 203 + base/ocsp/shared/conf/jk2.manifest | 2 + base/ocsp/shared/conf/jk2.properties | 31 + base/ocsp/shared/conf/jkconf.ant.xml | 55 + base/ocsp/shared/conf/jkconfig.manifest | 2 + base/ocsp/shared/conf/logging.properties | 70 + base/ocsp/shared/conf/manager.ldif | 48 + base/ocsp/shared/conf/schema.ldif | 489 ++ base/ocsp/shared/conf/server-minimal.xml | 29 + base/ocsp/shared/conf/server.xml | 258 + base/ocsp/shared/conf/serverCertNick.conf | 6 + base/ocsp/shared/conf/shm.manifest | 2 + base/ocsp/shared/conf/tomcat-jk2.manifest | 7 + base/ocsp/shared/conf/tomcat-users.xml | 45 + base/ocsp/shared/conf/tomcat6.conf | 58 
+ base/ocsp/shared/conf/uriworkermap.properties | 18 + base/ocsp/shared/conf/web.xml | 993 +++ base/ocsp/shared/conf/workers.properties | 211 + base/ocsp/shared/conf/workers.properties.minimal | 22 + base/ocsp/shared/conf/workers2.properties | 137 + base/ocsp/shared/conf/workers2.properties.minimal | 60 + base/ocsp/shared/etc/init.d/pki-ocspd | 87 + .../shared/lib/systemd/system/pki-ocspd.target | 8 + .../shared/lib/systemd/system/pki-ocspd@.service | 13 + base/ocsp/shared/webapps/ROOT/WEB-INF/web.xml | 29 + base/ocsp/shared/webapps/ROOT/index.jsp | 98 + .../webapps/ocsp/WEB-INF/velocity.properties | 13 + base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml | 647 ++ base/ocsp/src/CMakeLists.txt | 99 + .../ocsp/src/com/netscape/ocsp/EOCSPException.java | 74 + base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java | 643 ++ base/ocsp/src/com/netscape/ocsp/OCSPResources.java | 42 + base/ocsp/src/com/netscape/ocsp/SigningUnit.java | 370 + base/ra/CMakeLists.txt | 76 + base/ra/LICENSE | 291 + base/ra/apache/conf/httpd.conf | 1074 +++ base/ra/apache/conf/magic | 382 + base/ra/apache/conf/mime.types | 592 ++ base/ra/apache/conf/nss.conf | 267 + base/ra/apache/conf/perl.conf | 102 + base/ra/doc/CMakeLists.txt | 10 + base/ra/doc/CS.cfg.in | 242 + base/ra/emails/mail_approve_request.vm | 11 + base/ra/emails/mail_create_request.vm | 8 + base/ra/etc/init.d/pki-rad | 87 + base/ra/forms/admin/group/add.cgi | 86 + base/ra/forms/admin/group/add_member.cgi | 80 + base/ra/forms/admin/group/add_new.cgi | 86 + base/ra/forms/admin/group/delete.cgi | 79 + base/ra/forms/admin/group/delete_member.cgi | 79 + base/ra/forms/admin/group/index.cgi | 115 + base/ra/forms/admin/group/read.cgi | 125 + base/ra/forms/admin/index.cgi | 80 + base/ra/forms/admin/user/add.cgi | 99 + base/ra/forms/admin/user/add_new.cgi | 87 + base/ra/forms/admin/user/delete.cgi | 79 + base/ra/forms/admin/user/index.cgi | 118 + base/ra/forms/admin/user/read.cgi | 97 + base/ra/forms/agent/cert/index.cgi | 119 + 
base/ra/forms/agent/cert/read.cgi | 104 + base/ra/forms/agent/cert/revoke.cgi | 89 + base/ra/forms/agent/cert/submit.cgi | 104 + base/ra/forms/agent/error.cgi | 81 + base/ra/forms/agent/index.cgi | 83 + base/ra/forms/agent/request/add_note.cgi | 93 + base/ra/forms/agent/request/index.cgi | 146 + base/ra/forms/agent/request/op.cgi | 153 + base/ra/forms/agent/request/read.cgi | 119 + base/ra/forms/ee/agent/enroll.cgi | 127 + base/ra/forms/ee/agent/index.cgi | 68 + base/ra/forms/ee/agent/new.cgi | 68 + base/ra/forms/ee/agent/start.cgi | 69 + base/ra/forms/ee/agent/submit.cgi | 88 + base/ra/forms/ee/error.cgi | 81 + base/ra/forms/ee/index.cgi | 68 + base/ra/forms/ee/request/getcert.cgi | 93 + base/ra/forms/ee/request/importcert.cgi | 82 + base/ra/forms/ee/request/index.cgi | 68 + base/ra/forms/ee/request/status.cgi | 94 + base/ra/forms/ee/scep/enroll.cgi | 112 + base/ra/forms/ee/scep/index.cgi | 68 + base/ra/forms/ee/scep/installer.cgi | 74 + base/ra/forms/ee/scep/manager.cgi | 68 + base/ra/forms/ee/scep/pkiclient.cgi | 113 + base/ra/forms/ee/scep/submit.cgi | 91 + base/ra/forms/ee/server/admin.cgi | 68 + base/ra/forms/ee/server/index.cgi | 68 + base/ra/forms/ee/server/submit.cgi | 93 + base/ra/forms/ee/user/index.cgi | 68 + base/ra/forms/ee/user/renew.cgi | 165 + base/ra/forms/ee/user/renewal.cgi | 74 + base/ra/forms/ee/user/submit.cgi | 112 + base/ra/forms/ee/user/user.cgi | 68 + base/ra/forms/index.cgi | 76 + base/ra/lib/perl/PKI/Base/CertStore.pm | 151 + base/ra/lib/perl/PKI/Base/Conf.pm | 130 + base/ra/lib/perl/PKI/Base/PinStore.pm | 180 + base/ra/lib/perl/PKI/Base/Registry.pm | 55 + base/ra/lib/perl/PKI/Base/TimeTool.pm | 54 + base/ra/lib/perl/PKI/Base/UserStore.pm | 343 + base/ra/lib/perl/PKI/Base/Util.pm | 155 + base/ra/lib/perl/PKI/Conn/CA.pm | 390 + base/ra/lib/perl/PKI/RA/AdminAuthPanel.pm | 86 + base/ra/lib/perl/PKI/RA/AdminPanel.pm | 227 + base/ra/lib/perl/PKI/RA/AgentAuthPanel.pm | 86 + base/ra/lib/perl/PKI/RA/BasePanel.pm | 40 + 
base/ra/lib/perl/PKI/RA/CAInfoPanel.pm | 289 + base/ra/lib/perl/PKI/RA/CertInfo.pm | 133 + base/ra/lib/perl/PKI/RA/CertPrettyPrintPanel.pm | 85 + base/ra/lib/perl/PKI/RA/CertRequestPanel.pm | 301 + base/ra/lib/perl/PKI/RA/Common.pm | 50 + base/ra/lib/perl/PKI/RA/Config.pm | 170 + base/ra/lib/perl/PKI/RA/ConfigHSMLoginPanel.pm | 104 + base/ra/lib/perl/PKI/RA/ConfigHSMPanel.pm | 72 + base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm | 140 + base/ra/lib/perl/PKI/RA/DatabasePanel.pm | 109 + base/ra/lib/perl/PKI/RA/DisplayCertChain2Panel.pm | 179 + base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm | 348 + base/ra/lib/perl/PKI/RA/DonePanel.pm | 399 + base/ra/lib/perl/PKI/RA/GlobalVar.pm | 42 + base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm | 142 + base/ra/lib/perl/PKI/RA/Login.pm | 466 ++ base/ra/lib/perl/PKI/RA/LoginPanel.pm | 91 + base/ra/lib/perl/PKI/RA/ModulePanel.pm | 273 + base/ra/lib/perl/PKI/RA/Modutil.pm | 262 + base/ra/lib/perl/PKI/RA/NamePanel.pm | 570 ++ base/ra/lib/perl/PKI/RA/ReqCertInfo.pm | 235 + base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm | 199 + base/ra/lib/perl/PKI/RA/SizePanel.pm | 245 + base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm | 142 + base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm | 134 + base/ra/lib/perl/PKI/RA/WelcomePanel.pm | 90 + base/ra/lib/perl/PKI/RA/wizard.pm | 502 ++ base/ra/lib/perl/PKI/Request/Plugin/AutoAssign.pm | 52 + base/ra/lib/perl/PKI/Request/Plugin/CreatePin.pm | 75 + .../perl/PKI/Request/Plugin/EmailNotification.pm | 100 + base/ra/lib/perl/PKI/Request/Plugin/RequestToCA.pm | 89 + base/ra/lib/perl/PKI/Request/Queue.pm | 387 + base/ra/lib/perl/PKI/Service/Op.pm | 290 + base/ra/lib/perl/Template/Velocity.pm | 1099 +++ base/ra/scripts/nss_pcache | 66 + base/ra/scripts/schema.sql | 33 + base/ra/setup/CMakeLists.txt | 8 + base/ra/setup/registry_instance | 116 + base/scripts/enable_cvs_keywords_in_svn | 97 + base/scripts/pkicheck | 13 + base/scripts/pkimanifest | 100 + base/selinux/CMakeLists.txt | 11 + base/selinux/LICENSE | 291 + 
base/selinux/src/CMakeLists.txt | 28 + base/selinux/src/Makefile | 18 + base/selinux/src/pki.fc | 91 + base/selinux/src/pki.if | 745 ++ base/selinux/src/pki.sh | 41 + base/selinux/src/pki.te | 332 + base/setup/CMakeLists.txt | 43 + base/setup/LICENSE | 291 + .../jars/resteasy-jettison-provider-2.3-RC1.jar | Bin 0 -> 32378 bytes base/setup/pki-setup-proxy | 499 ++ base/setup/pkicommon.pm | 3580 +++++++++ base/setup/pkicreate | 3479 +++++++++ base/setup/pkiremove | 680 ++ base/setup/scripts/functions | 1121 +++ base/setup/scripts/pki_apache_initscript | 246 + base/setup/scripts/pkicontrol | 73 + base/silent/CMakeLists.txt | 17 + base/silent/LICENSE | 291 + base/silent/scripts/CMakeLists.txt | 10 + base/silent/scripts/pkisilent | 117 + base/silent/src/CMakeLists.txt | 82 + .../src/com/netscape/pkisilent/ConfigureCA.java | 1698 +++++ .../src/com/netscape/pkisilent/ConfigureDRM.java | 1374 ++++ .../src/com/netscape/pkisilent/ConfigureOCSP.java | 1181 +++ .../src/com/netscape/pkisilent/ConfigureRA.java | 881 +++ .../src/com/netscape/pkisilent/ConfigureSubCA.java | 1249 ++++ .../src/com/netscape/pkisilent/ConfigureTKS.java | 1121 +++ .../src/com/netscape/pkisilent/ConfigureTPS.java | 1088 +++ .../src/com/netscape/pkisilent/PKISilent.java | 59 + .../pkisilent/argparser/ArgParseException.java | 54 + .../netscape/pkisilent/argparser/ArgParser.java | 2085 ++++++ .../pkisilent/argparser/ArgParserTest.java | 1514 ++++ .../pkisilent/argparser/BooleanHolder.java | 54 + .../netscape/pkisilent/argparser/CharHolder.java | 54 + .../netscape/pkisilent/argparser/DoubleHolder.java | 54 + .../netscape/pkisilent/argparser/FloatHolder.java | 54 + .../netscape/pkisilent/argparser/IntHolder.java | 54 + .../netscape/pkisilent/argparser/LongHolder.java | 54 + .../netscape/pkisilent/argparser/ObjectHolder.java | 54 + .../pkisilent/argparser/SimpleExample.java | 53 + .../netscape/pkisilent/argparser/StringHolder.java | 54 + .../pkisilent/argparser/StringScanException.java | 56 + 
.../pkisilent/argparser/StringScanner.java | 567 ++ .../com/netscape/pkisilent/common/BaseState.java | 118 + .../com/netscape/pkisilent/common/CMSConfig.java | 569 ++ .../src/com/netscape/pkisilent/common/CMSLDAP.java | 609 ++ .../netscape/pkisilent/common/CMSProperties.java | 679 ++ .../src/com/netscape/pkisilent/common/CMSTask.java | 190 + .../pkisilent/common/CertificateRecord.java | 44 + .../com/netscape/pkisilent/common/ComCrypto.java | 767 ++ .../com/netscape/pkisilent/common/Con2Agent.java | 318 + .../com/netscape/pkisilent/common/DirEnroll.java | 470 ++ .../com/netscape/pkisilent/common/ParseXML.java | 170 + .../com/netscape/pkisilent/common/PostQuery.java | 141 + .../src/com/netscape/pkisilent/common/Request.java | 1138 +++ .../com/netscape/pkisilent/common/ServerInfo.java | 355 + .../com/netscape/pkisilent/common/TestClient.java | 941 +++ .../com/netscape/pkisilent/common/UserEnroll.java | 536 ++ .../com/netscape/pkisilent/common/Utilities.java | 347 + .../netscape/pkisilent/common/checkRequest.java | 617 ++ .../com/netscape/pkisilent/http/CertSelection.java | 45 + .../com/netscape/pkisilent/http/HTMLDocument.java | 595 ++ .../com/netscape/pkisilent/http/HTTPClient.java | 1231 ++++ .../com/netscape/pkisilent/http/HTTPResponse.java | 314 + base/silent/templates/pki_silent.template | 1732 +++++ base/silent/templates/subca_silent.template | 513 ++ base/symkey/CMakeLists.txt | 4 + base/symkey/LICENSE | 291 + base/symkey/src/CMakeLists.txt | 24 + base/symkey/src/com/netscape/symkey/Base.h | 44 + base/symkey/src/com/netscape/symkey/Buffer.cpp | 183 + base/symkey/src/com/netscape/symkey/Buffer.h | 173 + base/symkey/src/com/netscape/symkey/CMakeLists.txt | 63 + .../symkey/src/com/netscape/symkey/EncryptData.cpp | 250 + base/symkey/src/com/netscape/symkey/SessionKey.cpp | 2005 +++++ .../symkey/src/com/netscape/symkey/SessionKey.java | 167 + base/symkey/src/com/netscape/symkey/SymKey.cpp | 1407 ++++ base/symkey/src/com/netscape/symkey/SymKey.h | 55 + 
base/test/CMakeLists.txt | 3 + base/test/src/CMakeLists.txt | 20 + base/test/src/com/netscape/test/TestListener.java | 249 + base/test/src/com/netscape/test/TestRunner.java | 23 + base/tks/CMakeLists.txt | 65 + base/tks/LICENSE | 291 + base/tks/setup/CMakeLists.txt | 8 + base/tks/setup/registry_instance | 63 + base/tks/shared/conf/CMakeLists.txt | 12 + base/tks/shared/conf/CS.cfg.in | 350 + base/tks/shared/conf/acl.ldif | 30 + base/tks/shared/conf/catalina.policy | 184 + base/tks/shared/conf/catalina.properties | 87 + base/tks/shared/conf/context.xml | 40 + base/tks/shared/conf/database.ldif | 9 + base/tks/shared/conf/db.ldif | 66 + base/tks/shared/conf/index.ldif | 203 + base/tks/shared/conf/jk2.manifest | 2 + base/tks/shared/conf/jk2.properties | 31 + base/tks/shared/conf/jkconf.ant.xml | 55 + base/tks/shared/conf/jkconfig.manifest | 2 + base/tks/shared/conf/logging.properties | 70 + base/tks/shared/conf/manager.ldif | 48 + base/tks/shared/conf/schema.ldif | 489 ++ base/tks/shared/conf/server-minimal.xml | 29 + base/tks/shared/conf/server.xml | 258 + base/tks/shared/conf/serverCertNick.conf | 6 + base/tks/shared/conf/shm.manifest | 2 + base/tks/shared/conf/tomcat-jk2.manifest | 7 + base/tks/shared/conf/tomcat-users.xml | 45 + base/tks/shared/conf/tomcat6.conf | 58 + base/tks/shared/conf/uriworkermap.properties | 18 + base/tks/shared/conf/web.xml | 993 +++ base/tks/shared/conf/workers.properties | 211 + base/tks/shared/conf/workers.properties.minimal | 22 + base/tks/shared/conf/workers2.properties | 137 + base/tks/shared/conf/workers2.properties.minimal | 60 + base/tks/shared/etc/init.d/pki-tksd | 87 + base/tks/shared/lib/systemd/system/pki-tksd.target | 8 + .../shared/lib/systemd/system/pki-tksd@.service | 13 + base/tks/shared/webapps/ROOT/WEB-INF/web.xml | 28 + base/tks/shared/webapps/ROOT/index.jsp | 98 + .../shared/webapps/tks/WEB-INF/velocity.properties | 13 + base/tks/shared/webapps/tks/WEB-INF/web.xml | 476 ++ base/tks/src/CMakeLists.txt | 96 + 
base/tks/src/com/netscape/tks/TKSAuthority.java | 160 + base/tps/CMakeLists.txt | 208 + base/tps/LICENSE | 469 ++ base/tps/apache/LICENSE-2.0 | 678 ++ base/tps/apache/conf/httpd.conf | 1085 +++ base/tps/apache/conf/magic | 382 + base/tps/apache/conf/mime.types | 592 ++ base/tps/apache/conf/nss.conf | 280 + base/tps/apache/conf/perl.conf | 70 + base/tps/apache/pki_instance_command_wrapper | 192 + base/tps/apache/pki_subsystem_command_wrapper | 182 + base/tps/apache/readme.html | 1222 +++ base/tps/applets/1.2.4122DFB4.ijc | Bin 0 -> 11944 bytes base/tps/applets/1.2.416DA155.ijc | Bin 0 -> 11945 bytes base/tps/applets/1.3.42260AFA.ijc | Bin 0 -> 13117 bytes base/tps/applets/1.3.4255CC01.ijc | Bin 0 -> 14909 bytes base/tps/applets/1.3.42659461.ijc | Bin 0 -> 14879 bytes base/tps/applets/1.3.427BDDB8.ijc | Bin 0 -> 14527 bytes base/tps/applets/1.3.44724DDE.ijc | Bin 0 -> 14529 bytes base/tps/applets/1.3.45787308.ijc | Bin 0 -> 14893 bytes base/tps/applets/1.4.499dc06c.ijc | Bin 0 -> 14912 bytes base/tps/applets/1.4.4d40a449.ijc | Bin 0 -> 14874 bytes base/tps/applets/3FD00877.ijc | Bin 0 -> 13662 bytes base/tps/applets/4003196C.ijc | Bin 0 -> 13683 bytes base/tps/applets/402428AD.ijc | Bin 0 -> 13699 bytes base/tps/applets/404E4697.ijc | Bin 0 -> 11995 bytes base/tps/applets/4122DFB4.ijc | Bin 0 -> 11944 bytes base/tps/applets/listappletdates | 42 + base/tps/applets/readme.txt | 52 + base/tps/doc/CMakeLists.txt | 10 + base/tps/doc/CS.cfg.in | 1589 ++++ base/tps/etc/init.d/pki-tpsd | 87 + base/tps/forms/esc/cgi-bin/demo/enroll.cgi | 183 + base/tps/forms/esc/cgi-bin/demo/index.cgi | 47 + base/tps/forms/esc/cgi-bin/home/cachain.cgi | 52 + base/tps/forms/esc/cgi-bin/home/enroll.cgi | 183 + base/tps/forms/esc/cgi-bin/home/index.cgi | 51 + base/tps/forms/esc/cgi-bin/so/enroll.cgi | 193 + base/tps/forms/esc/cgi-bin/so/index.cgi | 48 + base/tps/forms/esc/cgi-bin/sow/ajax-list.cgi | 79 + base/tps/forms/esc/cgi-bin/sow/cfg.pl | 174 + base/tps/forms/esc/cgi-bin/sow/enroll.cgi | 
246 + base/tps/forms/esc/cgi-bin/sow/enroll_temp.cgi | 246 + base/tps/forms/esc/cgi-bin/sow/format.cgi | 207 + base/tps/forms/esc/cgi-bin/sow/formatso.cgi | 207 + base/tps/forms/esc/cgi-bin/sow/index.cgi | 42 + base/tps/forms/esc/cgi-bin/sow/is_agent.cgi | 69 + base/tps/forms/esc/cgi-bin/sow/is_user.cgi | 71 + base/tps/forms/esc/cgi-bin/sow/main.cgi | 70 + base/tps/forms/esc/cgi-bin/sow/noaccess.cgi | 56 + base/tps/forms/esc/cgi-bin/sow/read.cgi | 128 + base/tps/forms/esc/cgi-bin/sow/read_temp.cgi | 125 + base/tps/forms/esc/cgi-bin/sow/search.cgi | 70 + base/tps/forms/esc/cgi-bin/sow/search_temp.cgi | 70 + base/tps/forms/esc/cgi-bin/sow/seturl.cgi | 207 + base/tps/forms/esc/cgi-bin/sow/welcome.cgi | 57 + base/tps/forms/esc/esc.cgi | 1239 ++++ base/tps/forms/esc/home.cgi | 40 + base/tps/forms/index.cgi | 76 + base/tps/forms/index.html | 22 + base/tps/lib/perl/PKI/Base/Conf.pm | 130 + base/tps/lib/perl/PKI/Base/Registry.pm | 55 + base/tps/lib/perl/PKI/Service/Op.pm | 127 + base/tps/lib/perl/PKI/TPS/AdminAuthPanel.pm | 93 + base/tps/lib/perl/PKI/TPS/AdminPanel.pm | 234 + base/tps/lib/perl/PKI/TPS/AgentAuthPanel.pm | 91 + base/tps/lib/perl/PKI/TPS/AuthDBPanel.pm | 172 + base/tps/lib/perl/PKI/TPS/BasePanel.pm | 39 + base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm | 315 + base/tps/lib/perl/PKI/TPS/CertInfo.pm | 132 + base/tps/lib/perl/PKI/TPS/CertPrettyPrintPanel.pm | 91 + base/tps/lib/perl/PKI/TPS/CertRequestPanel.pm | 306 + base/tps/lib/perl/PKI/TPS/Common.pm | 148 + base/tps/lib/perl/PKI/TPS/Config.pm | 169 + base/tps/lib/perl/PKI/TPS/ConfigHSMLoginPanel.pm | 112 + base/tps/lib/perl/PKI/TPS/ConfigHSMPanel.pm | 78 + base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm | 180 + base/tps/lib/perl/PKI/TPS/DatabasePanel.pm | 277 + .../tps/lib/perl/PKI/TPS/DisplayCertChain2Panel.pm | 186 + base/tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm | 355 + base/tps/lib/perl/PKI/TPS/DonePanel.pm | 437 ++ base/tps/lib/perl/PKI/TPS/GlobalVar.pm | 41 + base/tps/lib/perl/PKI/TPS/ImportAdminCertPanel.pm | 
163 + base/tps/lib/perl/PKI/TPS/Login.pm | 466 ++ base/tps/lib/perl/PKI/TPS/LoginPanel.pm | 98 + base/tps/lib/perl/PKI/TPS/ModulePanel.pm | 278 + base/tps/lib/perl/PKI/TPS/Modutil.pm | 263 + base/tps/lib/perl/PKI/TPS/NamePanel.pm | 611 ++ base/tps/lib/perl/PKI/TPS/ReqCertInfo.pm | 234 + base/tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm | 204 + base/tps/lib/perl/PKI/TPS/SizePanel.pm | 249 + base/tps/lib/perl/PKI/TPS/SubsystemTypePanel.pm | 147 + base/tps/lib/perl/PKI/TPS/TKSInfoPanel.pm | 159 + base/tps/lib/perl/PKI/TPS/WelcomePanel.pm | 96 + base/tps/lib/perl/PKI/TPS/wizard.pm | 509 ++ base/tps/lib/perl/Template/Velocity.pm | 1052 +++ base/tps/scripts/addAgents.ldif | 60 + base/tps/scripts/addIndexes.ldif | 76 + base/tps/scripts/addTokens.ldif | 44 + base/tps/scripts/addVLVIndexes.ldif | 51 + base/tps/scripts/database.ldif | 39 + base/tps/scripts/nss_pcache | 66 + base/tps/scripts/schemaMods.ldif | 58 + base/tps/scripts/vlvtasks.ldif | 28 + base/tps/setup/CMakeLists.txt | 8 + base/tps/setup/create.pl | 973 +++ base/tps/setup/registry_instance | 116 + base/tps/src/CMakeLists.txt | 148 + base/tps/src/apdu/APDU.cpp | 331 + base/tps/src/apdu/APDU_Response.cpp | 111 + base/tps/src/apdu/Create_Object_APDU.cpp | 121 + base/tps/src/apdu/Create_Pin_APDU.cpp | 73 + base/tps/src/apdu/Delete_File_APDU.cpp | 59 + base/tps/src/apdu/External_Authenticate_APDU.cpp | 76 + base/tps/src/apdu/Format_Muscle_Applet_APDU.cpp | 107 + base/tps/src/apdu/Generate_Key_APDU.cpp | 68 + base/tps/src/apdu/Get_Data_APDU.cpp | 59 + base/tps/src/apdu/Get_IssuerInfo_APDU.cpp | 80 + base/tps/src/apdu/Get_Status_APDU.cpp | 59 + base/tps/src/apdu/Get_Version_APDU.cpp | 59 + base/tps/src/apdu/Import_Key_APDU.cpp | 79 + base/tps/src/apdu/Import_Key_Enc_APDU.cpp | 70 + base/tps/src/apdu/Initialize_Update_APDU.cpp | 66 + base/tps/src/apdu/Install_Applet_APDU.cpp | 112 + base/tps/src/apdu/Install_Load_APDU.cpp | 91 + base/tps/src/apdu/Lifecycle_APDU.cpp | 50 + base/tps/src/apdu/List_Objects_APDU.cpp | 61 + 
base/tps/src/apdu/List_Pins_APDU.cpp | 63 + base/tps/src/apdu/Load_File_APDU.cpp | 52 + base/tps/src/apdu/Put_Key_APDU.cpp | 53 + base/tps/src/apdu/Read_Buffer_APDU.cpp | 63 + base/tps/src/apdu/Read_Object_APDU.cpp | 88 + base/tps/src/apdu/Select_APDU.cpp | 49 + base/tps/src/apdu/Set_IssuerInfo_APDU.cpp | 76 + base/tps/src/apdu/Set_Pin_APDU.cpp | 76 + base/tps/src/apdu/Unblock_Pin_APDU.cpp | 50 + base/tps/src/apdu/Write_Object_APDU.cpp | 103 + base/tps/src/authentication/CMakeLists.txt | 52 + .../tps/src/authentication/LDAP_Authentication.cpp | 424 ++ base/tps/src/channel/Channel.cpp | 69 + base/tps/src/channel/Secure_Channel.cpp | 2550 +++++++ base/tps/src/cms/CertEnroll.cpp | 725 ++ base/tps/src/cms/ConnectionInfo.cpp | 78 + base/tps/src/cms/HttpConnection.cpp | 245 + base/tps/src/engine/RA.cpp | 3624 +++++++++ base/tps/src/httpClient/Cache.cpp | 496 ++ base/tps/src/httpClient/engine.cpp | 775 ++ base/tps/src/httpClient/http.cpp | 307 + base/tps/src/httpClient/httpClient.cpp | 130 + base/tps/src/httpClient/nscperror.cpp | 358 + base/tps/src/httpClient/request.cpp | 431 ++ base/tps/src/httpClient/response.cpp | 1115 +++ base/tps/src/include/apdu/APDU.h | 116 + base/tps/src/include/apdu/APDU_Response.h | 66 + base/tps/src/include/apdu/Create_Object_APDU.h | 57 + base/tps/src/include/apdu/Create_Pin_APDU.h | 57 + base/tps/src/include/apdu/Delete_File_APDU.h | 57 + .../src/include/apdu/External_Authenticate_APDU.h | 62 + .../src/include/apdu/Format_Muscle_Applet_APDU.h | 65 + base/tps/src/include/apdu/Generate_Key_APDU.h | 60 + base/tps/src/include/apdu/Get_Data_APDU.h | 58 + base/tps/src/include/apdu/Get_IssuerInfo_APDU.h | 58 + base/tps/src/include/apdu/Get_Status_APDU.h | 58 + base/tps/src/include/apdu/Get_Version_APDU.h | 58 + base/tps/src/include/apdu/Import_Key_APDU.h | 58 + base/tps/src/include/apdu/Import_Key_Enc_APDU.h | 58 + base/tps/src/include/apdu/Initialize_Update_APDU.h | 60 + base/tps/src/include/apdu/Install_Applet_APDU.h | 59 + 
base/tps/src/include/apdu/Install_Load_APDU.h | 58 + base/tps/src/include/apdu/Lifecycle_APDU.h | 57 + base/tps/src/include/apdu/List_Objects_APDU.h | 59 + base/tps/src/include/apdu/List_Pins_APDU.h | 60 + base/tps/src/include/apdu/Load_File_APDU.h | 57 + base/tps/src/include/apdu/Put_Key_APDU.h | 58 + base/tps/src/include/apdu/Read_Buffer_APDU.h | 61 + base/tps/src/include/apdu/Read_Object_APDU.h | 57 + base/tps/src/include/apdu/Select_APDU.h | 58 + base/tps/src/include/apdu/Set_IssuerInfo_APDU.h | 59 + base/tps/src/include/apdu/Set_Pin_APDU.h | 59 + base/tps/src/include/apdu/Unblock_Pin_APDU.h | 54 + base/tps/src/include/apdu/Write_Object_APDU.h | 57 + base/tps/src/include/authentication/AuthParams.h | 64 + .../src/include/authentication/Authentication.h | 80 + .../include/authentication/LDAP_Authentication.h | 85 + base/tps/src/include/channel/Channel.h | 55 + base/tps/src/include/channel/Secure_Channel.h | 158 + base/tps/src/include/cms/CertEnroll.h | 75 + base/tps/src/include/cms/ConnectionInfo.h | 66 + base/tps/src/include/cms/HttpConnection.h | 88 + base/tps/src/include/engine/RA.h | 374 + base/tps/src/include/engine/audit.h | 90 + .../src/include/httpClient/httpc/AccessLogger.h | 105 + base/tps/src/include/httpClient/httpc/Auth.h | 155 + base/tps/src/include/httpClient/httpc/ByteBuffer.h | 194 + base/tps/src/include/httpClient/httpc/CERTUtil.h | 65 + base/tps/src/include/httpClient/httpc/Cache.h | 226 + base/tps/src/include/httpClient/httpc/Connection.h | 117 + .../include/httpClient/httpc/ConnectionListener.h | 58 + .../tps/src/include/httpClient/httpc/DebugLogger.h | 185 + base/tps/src/include/httpClient/httpc/Defines.h | 219 + .../tps/src/include/httpClient/httpc/ErrorLogger.h | 93 + base/tps/src/include/httpClient/httpc/Iterator.h | 62 + .../src/include/httpClient/httpc/LogRotationTask.h | 132 + base/tps/src/include/httpClient/httpc/Logger.h | 117 + base/tps/src/include/httpClient/httpc/NSPRerrs.h | 160 + base/tps/src/include/httpClient/httpc/PSBuddy.h 
| 89 + .../src/include/httpClient/httpc/PSBuddyCache.h | 123 + .../tps/src/include/httpClient/httpc/PSBuddyList.h | 373 + .../src/include/httpClient/httpc/PSBuddyListener.h | 78 + .../src/include/httpClient/httpc/PSBuddyService.h | 121 + .../src/include/httpClient/httpc/PSCertExtension.h | 153 + .../tps/src/include/httpClient/httpc/PSCommonLib.h | 52 + base/tps/src/include/httpClient/httpc/PSConfig.h | 67 + .../src/include/httpClient/httpc/PSConfigManager.h | 66 + .../src/include/httpClient/httpc/PSConfigReader.h | 71 + base/tps/src/include/httpClient/httpc/PSCrypt.h | 79 + .../httpClient/httpc/PSDataSourceListener.h | 106 + .../include/httpClient/httpc/PSDataSourceManager.h | 152 + base/tps/src/include/httpClient/httpc/PSGroup.h | 97 + .../src/include/httpClient/httpc/PSGroupCache.h | 74 + base/tps/src/include/httpClient/httpc/PSHelper.h | 70 + base/tps/src/include/httpClient/httpc/PSListener.h | 55 + base/tps/src/include/httpClient/httpc/PSPRUtil.h | 92 + base/tps/src/include/httpClient/httpc/PSPlugin.h | 81 + .../src/include/httpClient/httpc/PSPluginManager.h | 102 + base/tps/src/include/httpClient/httpc/PSServer.h | 95 + .../tps/src/include/httpClient/httpc/PSServerLib.h | 62 + .../include/httpClient/httpc/PSServerListener.h | 85 + .../src/include/httpClient/httpc/PSServerManager.h | 145 + .../include/httpClient/httpc/PSServiceListener.h | 87 + .../include/httpClient/httpc/PSServiceManager.h | 145 + base/tps/src/include/httpClient/httpc/PSUser.h | 164 + base/tps/src/include/httpClient/httpc/PSWaspLib.h | 55 + base/tps/src/include/httpClient/httpc/Pool.h | 149 + .../src/include/httpClient/httpc/PresenceManager.h | 93 + .../src/include/httpClient/httpc/PresenceServer.h | 60 + .../include/httpClient/httpc/PresenceServerImpl.h | 111 + base/tps/src/include/httpClient/httpc/SECerrs.h | 522 ++ .../src/include/httpClient/httpc/SSLServerSocket.h | 93 + base/tps/src/include/httpClient/httpc/SSLSocket.h | 132 + base/tps/src/include/httpClient/httpc/SSLerrs.h | 392 + 
.../src/include/httpClient/httpc/ScheduledTask.h | 86 + base/tps/src/include/httpClient/httpc/Scheduler.h | 103 + .../src/include/httpClient/httpc/SecurityHeaders.h | 48 + .../include/httpClient/httpc/ServerConnection.h | 179 + .../httpClient/httpc/ServerHeaderProcessor.h | 72 + .../src/include/httpClient/httpc/ServerSocket.h | 113 + base/tps/src/include/httpClient/httpc/Socket.h | 157 + base/tps/src/include/httpClient/httpc/SocketINC.h | 163 + base/tps/src/include/httpClient/httpc/SocketLib.h | 62 + base/tps/src/include/httpClient/httpc/StringList.h | 151 + base/tps/src/include/httpClient/httpc/StringUtil.h | 74 + base/tps/src/include/httpClient/httpc/TaskList.h | 114 + base/tps/src/include/httpClient/httpc/ThreadPool.h | 159 + base/tps/src/include/httpClient/httpc/URLUtil.h | 92 + base/tps/src/include/httpClient/httpc/engine.h | 77 + base/tps/src/include/httpClient/httpc/http.h | 120 + base/tps/src/include/httpClient/httpc/request.h | 115 + base/tps/src/include/httpClient/httpc/response.h | 148 + base/tps/src/include/main/AttributeSpec.h | 68 + base/tps/src/include/main/AuthenticationEntry.h | 64 + base/tps/src/include/main/Base.h | 63 + base/tps/src/include/main/Buffer.h | 196 + base/tps/src/include/main/ConfigStore.h | 126 + base/tps/src/include/main/LogFile.h | 89 + base/tps/src/include/main/Login.h | 55 + base/tps/src/include/main/Memory.h | 130 + base/tps/src/include/main/MemoryMgr.h | 46 + base/tps/src/include/main/NameValueSet.h | 72 + base/tps/src/include/main/ObjectSpec.h | 79 + base/tps/src/include/main/PKCS11Obj.h | 80 + base/tps/src/include/main/PublishEntry.h | 57 + base/tps/src/include/main/RA_Context.h | 57 + base/tps/src/include/main/RA_Msg.h | 79 + base/tps/src/include/main/RA_Session.h | 61 + base/tps/src/include/main/RA_pblock.h | 74 + base/tps/src/include/main/RollingLogFile.h | 93 + base/tps/src/include/main/SecureId.h | 55 + base/tps/src/include/main/Util.h | 99 + base/tps/src/include/modules/tps/AP_Context.h | 57 + 
base/tps/src/include/modules/tps/AP_Session.h | 56 + base/tps/src/include/msg/RA_ASQ_Request_Msg.h | 62 + base/tps/src/include/msg/RA_ASQ_Response_Msg.h | 62 + base/tps/src/include/msg/RA_Begin_Op_Msg.h | 64 + base/tps/src/include/msg/RA_End_Op_Msg.h | 84 + .../include/msg/RA_Extended_Login_Request_Msg.h | 73 + .../include/msg/RA_Extended_Login_Response_Msg.h | 63 + base/tps/src/include/msg/RA_Login_Request_Msg.h | 63 + base/tps/src/include/msg/RA_Login_Response_Msg.h | 64 + base/tps/src/include/msg/RA_New_Pin_Request_Msg.h | 63 + base/tps/src/include/msg/RA_New_Pin_Response_Msg.h | 62 + base/tps/src/include/msg/RA_SecureId_Request_Msg.h | 63 + .../tps/src/include/msg/RA_SecureId_Response_Msg.h | 64 + .../src/include/msg/RA_Status_Update_Request_Msg.h | 65 + .../include/msg/RA_Status_Update_Response_Msg.h | 63 + .../tps/src/include/msg/RA_Token_PDU_Request_Msg.h | 63 + .../src/include/msg/RA_Token_PDU_Response_Msg.h | 62 + .../src/include/processor/RA_Enroll_Processor.h | 300 + .../src/include/processor/RA_Format_Processor.h | 57 + .../src/include/processor/RA_Pin_Reset_Processor.h | 57 + base/tps/src/include/processor/RA_Processor.h | 214 + .../tps/src/include/processor/RA_Renew_Processor.h | 57 + .../src/include/processor/RA_Unblock_Processor.h | 57 + base/tps/src/include/publisher/IConnector.h | 58 + base/tps/src/include/publisher/IPublish_Data.h | 56 + base/tps/src/include/publisher/IPublisher.h | 74 + base/tps/src/include/publisher/NetkeyPublisher.h | 74 + base/tps/src/include/selftests/SelfTest.h | 74 + base/tps/src/include/selftests/TPSPresence.h | 78 + .../include/selftests/TPSSystemCertsVerification.h | 76 + base/tps/src/include/selftests/TPSValidity.h | 79 + base/tps/src/include/service/NK_Context.h | 57 + base/tps/src/include/service/NK_Session.h | 58 + base/tps/src/include/tus/tus_db.h | 273 + base/tps/src/main/AttributeSpec.cpp | 115 + base/tps/src/main/AuthParams.cpp | 72 + base/tps/src/main/Authentication.cpp | 105 + 
base/tps/src/main/AuthenticationEntry.cpp | 91 + base/tps/src/main/Buffer.cpp | 243 + base/tps/src/main/ConfigStore.cpp | 893 +++ base/tps/src/main/LogFile.cpp | 298 + base/tps/src/main/Login.cpp | 72 + base/tps/src/main/Memory.cpp | 268 + base/tps/src/main/NameValueSet.cpp | 322 + base/tps/src/main/ObjectSpec.cpp | 515 ++ base/tps/src/main/PKCS11Obj.cpp | 491 ++ base/tps/src/main/RA_Context.cpp | 56 + base/tps/src/main/RA_Msg.cpp | 45 + base/tps/src/main/RA_Session.cpp | 75 + base/tps/src/main/RA_pblock.cpp | 176 + base/tps/src/main/RollingLogFile.cpp | 493 ++ base/tps/src/main/SecureId.cpp | 71 + base/tps/src/main/Util.cpp | 1168 +++ base/tps/src/modules/CMakeLists.txt | 2 + base/tps/src/modules/tokendb/CMakeLists.txt | 48 + base/tps/src/modules/tokendb/mod_tokendb.cpp | 7756 ++++++++++++++++++++ base/tps/src/modules/tps/AP_Context.cpp | 83 + base/tps/src/modules/tps/AP_Session.cpp | 1169 +++ base/tps/src/modules/tps/CMakeLists.txt | 52 + base/tps/src/modules/tps/mod_tps.cpp | 732 ++ base/tps/src/msg/RA_ASQ_Request_Msg.cpp | 70 + base/tps/src/msg/RA_ASQ_Response_Msg.cpp | 68 + base/tps/src/msg/RA_Begin_Op_Msg.cpp | 72 + base/tps/src/msg/RA_End_Op_Msg.cpp | 73 + base/tps/src/msg/RA_Extended_Login_Request_Msg.cpp | 114 + .../tps/src/msg/RA_Extended_Login_Response_Msg.cpp | 65 + base/tps/src/msg/RA_Login_Request_Msg.cpp | 71 + base/tps/src/msg/RA_Login_Response_Msg.cpp | 85 + base/tps/src/msg/RA_New_Pin_Request_Msg.cpp | 70 + base/tps/src/msg/RA_New_Pin_Response_Msg.cpp | 68 + base/tps/src/msg/RA_SecureId_Request_Msg.cpp | 69 + base/tps/src/msg/RA_SecureId_Response_Msg.cpp | 83 + base/tps/src/msg/RA_Status_Update_Request_Msg.cpp | 66 + base/tps/src/msg/RA_Status_Update_Response_Msg.cpp | 56 + base/tps/src/msg/RA_Token_PDU_Request_Msg.cpp | 63 + base/tps/src/msg/RA_Token_PDU_Response_Msg.cpp | 68 + base/tps/src/processor/RA_Enroll_Processor.cpp | 5194 +++++++++++++ base/tps/src/processor/RA_Format_Processor.cpp | 70 + base/tps/src/processor/RA_Pin_Reset_Processor.cpp 
| 1013 +++ base/tps/src/processor/RA_Processor.cpp | 3506 +++++++++ base/tps/src/processor/RA_Renew_Processor.cpp | 57 + base/tps/src/processor/RA_Unblock_Processor.cpp | 58 + base/tps/src/selftests/SelfTest.cpp | 220 + base/tps/src/selftests/TPSPresence.cpp | 204 + .../src/selftests/TPSSystemCertsVerification.cpp | 149 + base/tps/src/selftests/TPSValidity.cpp | 215 + base/tps/src/test/Test_ConfigStore.cfg | 28 + base/tps/src/test/Test_ConfigStore.cpp | 79 + base/tps/src/tus/CMakeLists.txt | 50 + base/tps/src/tus/tus_db.c | 4515 ++++++++++++ base/tps/stubs/modules/nss/mod_nss_stub.c | 51 + base/tps/tools/CMakeLists.txt | 1 + base/tps/tools/raclient/CMakeLists.txt | 47 + base/tps/tools/raclient/RA_Client.cpp | 1645 +++++ base/tps/tools/raclient/RA_Client.h | 78 + base/tps/tools/raclient/RA_Conn.cpp | 1037 +++ base/tps/tools/raclient/RA_Conn.h | 71 + base/tps/tools/raclient/RA_Token.cpp | 2008 +++++ base/tps/tools/raclient/RA_Token.h | 225 + base/tps/tools/raclient/enroll.tps | 42 + base/tps/tools/raclient/enroll1.test | 43 + base/tps/tools/raclient/format.tps | 45 + base/tps/tools/raclient/nt_enroll.test | 212 + base/tps/tools/raclient/readme.txt | 247 + base/tps/tools/raclient/reset_pin.tps | 42 + base/tps/tools/raclient/reset_pin1.test | 40 + base/tps/tools/raclient/reset_pin2.test | 39 + base/tps/tools/tus/add.c | 117 + base/tps/tools/tus/test.c | 117 + base/tps/ui/perl/Velocity.pm | 1047 +++ base/tps/wrappers/tpsclient.in | 78 + base/util/CMakeLists.txt | 4 + base/util/LICENSE | 291 + base/util/src/CMakeLists.txt | 369 + .../com/netscape/cmsutil/crypto/CryptoUtil.java | 1292 ++++ .../src/com/netscape/cmsutil/crypto/Module.java | 75 + .../src/com/netscape/cmsutil/crypto/Token.java | 57 + .../com/netscape/cmsutil/http/ConnectAsync.java | 46 + base/util/src/com/netscape/cmsutil/http/Http.java | 31 + .../src/com/netscape/cmsutil/http/HttpClient.java | 217 + .../netscape/cmsutil/http/HttpEofException.java | 35 + .../src/com/netscape/cmsutil/http/HttpMessage.java | 
163 + .../cmsutil/http/HttpProtocolException.java | 35 + .../src/com/netscape/cmsutil/http/HttpRequest.java | 137 + .../com/netscape/cmsutil/http/HttpResponse.java | 139 + .../netscape/cmsutil/http/JssSSLSocketFactory.java | 182 + .../src/com/netscape/cmsutil/ldap/LDAPUtil.java | 101 + .../com/netscape/cmsutil/net/ISocketFactory.java | 38 + .../netscape/cmsutil/ocsp/BasicOCSPResponse.java | 195 + .../util/src/com/netscape/cmsutil/ocsp/CertID.java | 155 + .../src/com/netscape/cmsutil/ocsp/CertStatus.java | 35 + .../src/com/netscape/cmsutil/ocsp/GoodInfo.java | 98 + .../src/com/netscape/cmsutil/ocsp/KeyHashID.java | 105 + .../util/src/com/netscape/cmsutil/ocsp/NameID.java | 106 + .../src/com/netscape/cmsutil/ocsp/OCSPRequest.java | 140 + .../com/netscape/cmsutil/ocsp/OCSPResponse.java | 135 + .../netscape/cmsutil/ocsp/OCSPResponseStatus.java | 120 + .../src/com/netscape/cmsutil/ocsp/Request.java | 147 + .../src/com/netscape/cmsutil/ocsp/ResponderID.java | 34 + .../src/com/netscape/cmsutil/ocsp/Response.java | 34 + .../com/netscape/cmsutil/ocsp/ResponseBytes.java | 130 + .../com/netscape/cmsutil/ocsp/ResponseData.java | 222 + .../src/com/netscape/cmsutil/ocsp/RevokedInfo.java | 113 + .../src/com/netscape/cmsutil/ocsp/Signature.java | 159 + .../com/netscape/cmsutil/ocsp/SingleResponse.java | 182 + .../src/com/netscape/cmsutil/ocsp/TBSRequest.java | 210 + .../src/com/netscape/cmsutil/ocsp/UnknownInfo.java | 95 + .../netscape/cmsutil/password/IPasswordReader.java | 29 + .../netscape/cmsutil/password/IPasswordStore.java | 34 + .../netscape/cmsutil/password/IPasswordWriter.java | 30 + .../cmsutil/password/PlainPasswordFile.java | 70 + .../cmsutil/password/PlainPasswordReader.java | 58 + .../cmsutil/password/PlainPasswordWriter.java | 56 + .../com/netscape/cmsutil/radius/AccessAccept.java | 27 + .../netscape/cmsutil/radius/AccessChallenge.java | 27 + .../com/netscape/cmsutil/radius/AccessReject.java | 27 + .../com/netscape/cmsutil/radius/AccessRequest.java | 25 + 
.../src/com/netscape/cmsutil/radius/Attribute.java | 97 + .../netscape/cmsutil/radius/AttributeFactory.java | 154 + .../com/netscape/cmsutil/radius/AttributeSet.java | 56 + .../com/netscape/cmsutil/radius/Authenticator.java | 24 + .../cmsutil/radius/CHAPChallengeAttribute.java | 38 + .../cmsutil/radius/CHAPPasswordAttribute.java | 55 + .../cmsutil/radius/CallbackIdAttribute.java | 40 + .../cmsutil/radius/CallbackNumberAttribute.java | 40 + .../cmsutil/radius/CallerStationIdAttribute.java | 40 + .../cmsutil/radius/CallingStationIdAttribute.java | 40 + .../cmsutil/radius/ChallengeException.java | 43 + .../netscape/cmsutil/radius/FilterIdAttribute.java | 40 + .../radius/FramedAppleTalkLinkAttribute.java | 51 + .../radius/FramedAppleTalkNetworkAttribute.java | 49 + .../radius/FramedAppleTalkZoneAttribute.java | 40 + .../cmsutil/radius/FramedCompressionAttribute.java | 54 + .../cmsutil/radius/FramedIPAddressAttribute.java | 39 + .../cmsutil/radius/FramedIPNetmaskAttribute.java | 39 + .../cmsutil/radius/FramedIPXNetworkAttribute.java | 39 + .../cmsutil/radius/FramedMTUAttribute.java | 49 + .../cmsutil/radius/FramedProtocolAttribute.java | 56 + .../cmsutil/radius/FramedRouteAttribute.java | 40 + .../cmsutil/radius/FramedRoutingAttribute.java | 54 + .../netscape/cmsutil/radius/GenericAttribute.java | 35 + .../cmsutil/radius/IdleTimeoutAttribute.java | 52 + .../cmsutil/radius/LoginIPHostAttribute.java | 52 + .../cmsutil/radius/LoginLATGroupAttribute.java | 40 + .../cmsutil/radius/LoginLATNodeAttribute.java | 40 + .../cmsutil/radius/LoginLATPortAttribute.java | 40 + .../cmsutil/radius/LoginLATServiceAttribute.java | 40 + .../cmsutil/radius/LoginServiceAttribute.java | 58 + .../cmsutil/radius/LoginTCPPortAttribute.java | 52 + .../netscape/cmsutil/radius/NASClassAttribute.java | 40 + .../cmsutil/radius/NASIPAddressAttribute.java | 41 + .../cmsutil/radius/NASIdentifierAttribute.java | 40 + .../src/com/netscape/cmsutil/radius/NASPacket.java | 52 + 
.../netscape/cmsutil/radius/NASPortAttribute.java | 48 + .../cmsutil/radius/NASPortTypeAttribute.java | 53 + .../src/com/netscape/cmsutil/radius/Packet.java | 70 + .../com/netscape/cmsutil/radius/PacketFactory.java | 39 + .../cmsutil/radius/PortLimitAttribute.java | 51 + .../cmsutil/radius/ProxyStateAttribute.java | 40 + .../com/netscape/cmsutil/radius/RadiusConn.java | 230 + .../netscape/cmsutil/radius/RejectException.java | 39 + .../cmsutil/radius/ReplyMessageAttribute.java | 40 + .../cmsutil/radius/RequestAuthenticator.java | 44 + .../cmsutil/radius/ResponseAuthenticator.java | 32 + .../com/netscape/cmsutil/radius/ServerPacket.java | 47 + .../cmsutil/radius/ServiceTypeAttribute.java | 61 + .../cmsutil/radius/SessionTimeoutAttribute.java | 48 + .../netscape/cmsutil/radius/StateAttribute.java | 45 + .../cmsutil/radius/TerminationActionAttribute.java | 55 + .../netscape/cmsutil/radius/UserNameAttribute.java | 39 + .../cmsutil/radius/UserPasswordAttribute.java | 73 + .../cmsutil/radius/VendorSpecificAttribute.java | 52 + .../com/netscape/cmsutil/scep/CRSPKIMessage.java | 905 +++ base/util/src/com/netscape/cmsutil/util/Cert.java | 186 + base/util/src/com/netscape/cmsutil/util/Fmt.java | 605 ++ .../src/com/netscape/cmsutil/util/HMACDigest.java | 198 + base/util/src/com/netscape/cmsutil/util/Utils.java | 276 + .../src/com/netscape/cmsutil/xml/XMLObject.java | 187 + base/util/src/netscape/net/NetworkClient.java | 87 + .../src/netscape/net/TransferProtocolClient.java | 127 + base/util/src/netscape/net/smtp/SmtpClient.java | 235 + .../netscape/net/smtp/SmtpProtocolException.java | 35 + .../src/netscape/security/acl/AclEntryImpl.java | 182 + base/util/src/netscape/security/acl/AclImpl.java | 391 + .../netscape/security/acl/AllPermissionsImpl.java | 43 + base/util/src/netscape/security/acl/GroupImpl.java | 173 + base/util/src/netscape/security/acl/OwnerImpl.java | 105 + .../src/netscape/security/acl/PermissionImpl.java | 65 + .../src/netscape/security/acl/PrincipalImpl.java 
| 77 + .../src/netscape/security/acl/WorldGroupImpl.java | 42 + .../security/extensions/AccessDescription.java | 76 + .../extensions/AuthInfoAccessExtension.java | 272 + .../src/netscape/security/extensions/CertInfo.java | 120 + .../CertificateRenewalWindowExtension.java | 190 + .../security/extensions/CertificateScopeEntry.java | 103 + .../extensions/CertificateScopeOfUseExtension.java | 199 + .../extensions/ExtendedKeyUsageExtension.java | 226 + .../security/extensions/GenericASN1Extension.java | 448 ++ .../extensions/InhibitAnyPolicyExtension.java | 179 + .../netscape/security/extensions/KerberosName.java | 135 + .../security/extensions/NSCertTypeExtension.java | 377 + .../security/extensions/OCSPNoCheckExtension.java | 153 + .../extensions/PresenceServerExtension.java | 321 + .../extensions/SubjectInfoAccessExtension.java | 254 + .../src/netscape/security/pkcs/ContentInfo.java | 155 + .../netscape/security/pkcs/EncodingException.java | 33 + base/util/src/netscape/security/pkcs/PKCS10.java | 343 + .../netscape/security/pkcs/PKCS10Attribute.java | 238 + .../netscape/security/pkcs/PKCS10Attributes.java | 147 + base/util/src/netscape/security/pkcs/PKCS7.java | 446 ++ base/util/src/netscape/security/pkcs/PKCS8Key.java | 435 ++ .../src/netscape/security/pkcs/PKCS9Attribute.java | 1123 +++ .../netscape/security/pkcs/PKCS9Attributes.java | 312 + .../netscape/security/pkcs/ParsingException.java | 35 + .../src/netscape/security/pkcs/SignerInfo.java | 347 + base/util/src/netscape/security/provider/CMS.java | 52 + base/util/src/netscape/security/provider/DSA.java | 660 ++ .../netscape/security/provider/DSAKeyFactory.java | 232 + .../security/provider/DSAKeyPairGenerator.java | 398 + .../security/provider/DSAParameterGenerator.java | 299 + .../netscape/security/provider/DSAParameters.java | 130 + .../netscape/security/provider/DSAPrivateKey.java | 147 + .../netscape/security/provider/DSAPublicKey.java | 133 + base/util/src/netscape/security/provider/MD5.java | 378 + 
.../netscape/security/provider/RSAPublicKey.java | 152 + base/util/src/netscape/security/provider/SHA.java | 349 + base/util/src/netscape/security/provider/Sun.java | 135 + .../security/provider/X509CertificateFactory.java | 61 + .../netscape/security/util/ASN1CharStrConvMap.java | 168 + .../security/util/ASN1CharsetProvider.java | 30 + base/util/src/netscape/security/util/BigInt.java | 210 + base/util/src/netscape/security/util/BitArray.java | 257 + .../netscape/security/util/ByteArrayLexOrder.java | 58 + .../netscape/security/util/ByteArrayTagOrder.java | 44 + .../netscape/security/util/CertPrettyPrint.java | 345 + .../src/netscape/security/util/CrlPrettyPrint.java | 271 + .../src/netscape/security/util/DerEncoder.java | 40 + .../src/netscape/security/util/DerInputBuffer.java | 186 + .../src/netscape/security/util/DerInputStream.java | 662 ++ .../netscape/security/util/DerOutputStream.java | 729 ++ base/util/src/netscape/security/util/DerValue.java | 715 ++ .../src/netscape/security/util/ExtPrettyPrint.java | 1653 +++++ .../src/netscape/security/util/IA5Charset.java | 24 + .../netscape/security/util/IA5CharsetDecoder.java | 62 + .../netscape/security/util/IA5CharsetEncoder.java | 69 + .../netscape/security/util/ObjectIdentifier.java | 426 ++ .../netscape/security/util/PrettyPrintFormat.java | 160 + .../security/util/PrettyPrintResources.java | 301 + .../netscape/security/util/PrintableCharset.java | 46 + .../security/util/PrintableCharsetDecoder.java | 69 + .../security/util/PrintableCharsetEncoder.java | 71 + .../netscape/security/util/PubKeyPrettyPrint.java | 121 + .../netscape/security/util/UniversalCharset.java | 24 + .../security/util/UniversalCharsetDecoder.java | 98 + .../security/util/UniversalCharsetEncoder.java | 68 + .../src/netscape/security/x509/ACertAttrSet.java | 141 + base/util/src/netscape/security/x509/AVA.java | 301 + .../netscape/security/x509/AVAValueConverter.java | 86 + base/util/src/netscape/security/x509/AlgIdDSA.java | 185 + 
.../src/netscape/security/x509/AlgorithmId.java | 767 ++ .../util/src/netscape/security/x509/Attribute.java | 325 + .../x509/AuthorityKeyIdentifierExtension.java | 340 + .../security/x509/BasicConstraintsExtension.java | 295 + base/util/src/netscape/security/x509/CPSuri.java | 66 + .../security/x509/CRLDistributionPoint.java | 467 ++ .../x509/CRLDistributionPointsExtension.java | 391 + .../src/netscape/security/x509/CRLExtensions.java | 229 + .../netscape/security/x509/CRLNumberExtension.java | 226 + .../netscape/security/x509/CRLReasonExtension.java | 234 + .../src/netscape/security/x509/CertAndKeyGen.java | 290 + .../src/netscape/security/x509/CertAttrSet.java | 120 + .../src/netscape/security/x509/CertException.java | 165 + .../src/netscape/security/x509/CertParseError.java | 40 + .../security/x509/CertificateAlgorithmId.java | 189 + .../netscape/security/x509/CertificateChain.java | 137 + .../security/x509/CertificateExtensions.java | 276 + .../security/x509/CertificateIssuerExtension.java | 242 + .../security/x509/CertificateIssuerName.java | 172 + .../x509/CertificateIssuerUniqueIdentity.java | 185 + .../x509/CertificatePoliciesExtension.java | 338 + .../security/x509/CertificatePolicyId.java | 85 + .../security/x509/CertificatePolicyInfo.java | 110 + .../security/x509/CertificatePolicyMap.java | 100 + .../security/x509/CertificatePolicySet.java | 86 + .../security/x509/CertificateSerialNumber.java | 191 + .../security/x509/CertificateSubjectName.java | 203 + .../x509/CertificateSubjectUniqueIdentity.java | 185 + .../security/x509/CertificateValidity.java | 306 + .../netscape/security/x509/CertificateVersion.java | 247 + .../netscape/security/x509/CertificateX509Key.java | 190 + base/util/src/netscape/security/x509/DNSName.java | 82 + .../security/x509/DeltaCRLIndicatorExtension.java | 239 + .../netscape/security/x509/DirStrConverter.java | 171 + .../src/netscape/security/x509/DisplayText.java | 82 + .../src/netscape/security/x509/EDIPartyName.java | 154 + 
.../util/src/netscape/security/x509/Extension.java | 199 + .../src/netscape/security/x509/Extensions.java | 226 + .../security/x509/FreshestCRLExtension.java | 396 + .../src/netscape/security/x509/GeneralName.java | 199 + .../security/x509/GeneralNameInterface.java | 60 + .../src/netscape/security/x509/GeneralNames.java | 150 + .../security/x509/GeneralNamesException.java | 50 + .../src/netscape/security/x509/GeneralSubtree.java | 159 + .../netscape/security/x509/GeneralSubtrees.java | 106 + .../security/x509/GenericValueConverter.java | 143 + .../security/x509/HoldInstructionExtension.java | 354 + .../netscape/security/x509/IA5StringConverter.java | 123 + .../src/netscape/security/x509/IPAddressName.java | 277 + .../security/x509/InvalidIPAddressException.java | 33 + .../security/x509/InvalidityDateExtension.java | 241 + .../x509/IssuerAlternativeNameExtension.java | 240 + .../security/x509/IssuingDistributionPoint.java | 315 + .../x509/IssuingDistributionPointExtension.java | 416 ++ .../src/netscape/security/x509/KeyIdentifier.java | 87 + .../netscape/security/x509/KeyUsageExtension.java | 414 ++ .../netscape/security/x509/LdapDNStrConverter.java | 144 + .../security/x509/LdapV3DNStrConverter.java | 824 +++ .../security/x509/NSCCommentExtension.java | 230 + .../security/x509/NameConstraintsExtension.java | 315 + .../netscape/security/x509/NoticeReference.java | 94 + base/util/src/netscape/security/x509/OIDMap.java | 303 + base/util/src/netscape/security/x509/OIDName.java | 90 + .../util/src/netscape/security/x509/OtherName.java | 208 + .../src/netscape/security/x509/PKIXExtensions.java | 185 + .../netscape/security/x509/PolicyConstraint.java | 136 + .../security/x509/PolicyConstraintsExtension.java | 306 + .../security/x509/PolicyMappingsExtension.java | 258 + .../security/x509/PolicyQualifierInfo.java | 118 + .../netscape/security/x509/PolicyQualifiers.java | 107 + .../netscape/security/x509/PrintableConverter.java | 114 + 
.../security/x509/PrivateKeyUsageExtension.java | 339 + .../util/src/netscape/security/x509/Qualifier.java | 63 + base/util/src/netscape/security/x509/RDN.java | 303 + .../security/x509/RFC1779StrConverter.java | 102 + .../src/netscape/security/x509/RFC822Name.java | 85 + .../src/netscape/security/x509/ReasonFlags.java | 283 + .../netscape/security/x509/RevocationReason.java | 119 + .../netscape/security/x509/RevokedCertImpl.java | 454 ++ .../netscape/security/x509/RevokedCertificate.java | 95 + .../src/netscape/security/x509/SerialNumber.java | 124 + .../x509/SubjectAlternativeNameExtension.java | 242 + .../x509/SubjectDirAttributesExtension.java | 286 + .../x509/SubjectKeyIdentifierExtension.java | 222 + base/util/src/netscape/security/x509/URIName.java | 85 + .../src/netscape/security/x509/UniqueIdentity.java | 112 + .../src/netscape/security/x509/UserNotice.java | 96 + base/util/src/netscape/security/x509/X500Name.java | 699 ++ .../netscape/security/x509/X500NameAttrMap.java | 376 + .../src/netscape/security/x509/X500Signer.java | 116 + .../netscape/security/x509/X509AttributeName.java | 64 + .../src/netscape/security/x509/X509CRLImpl.java | 1071 +++ base/util/src/netscape/security/x509/X509Cert.java | 849 +++ .../src/netscape/security/x509/X509CertImpl.java | 1226 ++++ .../src/netscape/security/x509/X509CertInfo.java | 964 +++ .../security/x509/X509ExtensionException.java | 54 + base/util/src/netscape/security/x509/X509Key.java | 508 ++ base/util/test/CMakeLists.txt | 60 + .../extensions/GenericASN1ExtensionTest.java | 72 + .../com/netscape/security/util/BMPStringTest.java | 274 + .../com/netscape/security/util/IA5StringTest.java | 273 + .../test/com/netscape/security/util/JSSUtil.java | 73 + .../security/util/PrintableStringTest.java | 290 + .../com/netscape/security/util/StringTestUtil.java | 79 + .../netscape/security/util/TeletexStringTest.java | 273 + .../com/netscape/security/util/UTF8StringTest.java | 262 + .../security/util/UniversalStringTest.java | 
262 + .../netscape/security/x509/ConverterTestUtil.java | 22 + .../security/x509/DirStrConverterTest.java | 122 + .../security/x509/GenericValueConverterTest.java | 125 + .../security/x509/IA5StringConverterTest.java | 93 + .../security/x509/PrintableConverterTest.java | 103 + 2987 files changed, 688935 insertions(+) create mode 100644 base/CMakeLists.txt create mode 100644 base/ca/CMakeLists.txt create mode 100644 base/ca/LICENSE create mode 100644 base/ca/setup/CMakeLists.txt create mode 100644 base/ca/setup/registry_instance create mode 100644 base/ca/shared/conf/CMakeLists.txt create mode 100644 base/ca/shared/conf/CS.cfg.in create mode 100644 base/ca/shared/conf/acl.ldif create mode 100644 base/ca/shared/conf/adminCert.profile create mode 100644 base/ca/shared/conf/caAuditSigningCert.profile create mode 100644 base/ca/shared/conf/caCert.profile create mode 100644 base/ca/shared/conf/caOCSPCert.profile create mode 100644 base/ca/shared/conf/catalina.policy create mode 100644 base/ca/shared/conf/catalina.properties create mode 100644 base/ca/shared/conf/context.xml create mode 100644 base/ca/shared/conf/database.ldif create mode 100644 base/ca/shared/conf/db.ldif create mode 100644 base/ca/shared/conf/flatfile.txt create mode 100644 base/ca/shared/conf/index.ldif create mode 100644 base/ca/shared/conf/jk2.manifest create mode 100644 base/ca/shared/conf/jk2.properties create mode 100644 base/ca/shared/conf/jkconf.ant.xml create mode 100644 base/ca/shared/conf/jkconfig.manifest create mode 100644 base/ca/shared/conf/logging.properties create mode 100644 base/ca/shared/conf/manager.ldif create mode 100644 base/ca/shared/conf/proxy.conf create mode 100644 base/ca/shared/conf/registry.cfg create mode 100644 base/ca/shared/conf/schema.ldif create mode 100644 base/ca/shared/conf/server-minimal.xml create mode 100644 base/ca/shared/conf/server.xml create mode 100644 base/ca/shared/conf/serverCert.profile create mode 100644 base/ca/shared/conf/serverCertNick.conf create 
mode 100644 base/ca/shared/conf/shm.manifest create mode 100644 base/ca/shared/conf/subsystemCert.profile create mode 100644 base/ca/shared/conf/tomcat-jk2.manifest create mode 100644 base/ca/shared/conf/tomcat-users.xml create mode 100644 base/ca/shared/conf/tomcat6.conf create mode 100644 base/ca/shared/conf/uriworkermap.properties create mode 100644 base/ca/shared/conf/vlv.ldif create mode 100644 base/ca/shared/conf/vlvtasks.ldif create mode 100644 base/ca/shared/conf/web.xml create mode 100644 base/ca/shared/conf/workers.properties create mode 100644 base/ca/shared/conf/workers.properties.minimal create mode 100644 base/ca/shared/conf/workers2.properties create mode 100644 base/ca/shared/conf/workers2.properties.minimal create mode 100644 base/ca/shared/emails/ExpiredUnpublishJob create mode 100644 base/ca/shared/emails/ExpiredUnpublishJobItem create mode 100644 base/ca/shared/emails/certIssued_CA create mode 100644 base/ca/shared/emails/certIssued_CA.html create mode 100644 base/ca/shared/emails/certIssued_RA create mode 100644 base/ca/shared/emails/certIssued_RA.html create mode 100644 base/ca/shared/emails/certRequestRejected.html create mode 100644 base/ca/shared/emails/certRevoked_CA create mode 100644 base/ca/shared/emails/certRevoked_CA.html create mode 100644 base/ca/shared/emails/certRevoked_RA create mode 100644 base/ca/shared/emails/certRevoked_RA.html create mode 100644 base/ca/shared/emails/euJob1.html create mode 100644 base/ca/shared/emails/euJob1Item.html create mode 100644 base/ca/shared/emails/publishCerts.html create mode 100644 base/ca/shared/emails/publishCertsItem.html create mode 100644 base/ca/shared/emails/reqInQueue_CA create mode 100644 base/ca/shared/emails/reqInQueue_CA.html create mode 100644 base/ca/shared/emails/reqInQueue_RA create mode 100644 base/ca/shared/emails/reqInQueue_RA.html create mode 100644 base/ca/shared/emails/riq1Item.html create mode 100644 base/ca/shared/emails/riq1Summary.html create mode 100644 
base/ca/shared/emails/rnJob1.txt create mode 100644 base/ca/shared/emails/rnJob1Item.txt create mode 100644 base/ca/shared/emails/rnJob1Summary.txt create mode 100755 base/ca/shared/etc/init.d/pki-cad create mode 100644 base/ca/shared/lib/systemd/system/pki-cad.target create mode 100644 base/ca/shared/lib/systemd/system/pki-cad@.service create mode 100644 base/ca/shared/profiles/ca/DomainController.cfg create mode 100644 base/ca/shared/profiles/ca/caAdminCert.cfg create mode 100644 base/ca/shared/profiles/ca/caAgentFileSigning.cfg create mode 100644 base/ca/shared/profiles/ca/caAgentServerCert.cfg create mode 100644 base/ca/shared/profiles/ca/caCACert.cfg create mode 100644 base/ca/shared/profiles/ca/caCMCUserCert.cfg create mode 100644 base/ca/shared/profiles/ca/caDirUserCert.cfg create mode 100755 base/ca/shared/profiles/ca/caDirUserRenewal.cfg create mode 100644 base/ca/shared/profiles/ca/caDualCert.cfg create mode 100644 base/ca/shared/profiles/ca/caDualRAuserCert.cfg create mode 100644 base/ca/shared/profiles/ca/caECDualCert.cfg create mode 100644 base/ca/shared/profiles/ca/caECUserCert.cfg create mode 100644 base/ca/shared/profiles/ca/caEncECUserCert.cfg create mode 100644 base/ca/shared/profiles/ca/caEncUserCert.cfg create mode 100644 base/ca/shared/profiles/ca/caFullCMCUserCert.cfg create mode 100644 base/ca/shared/profiles/ca/caIPAserviceCert.cfg create mode 100644 base/ca/shared/profiles/ca/caInstallCACert.cfg create mode 100644 base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg create mode 100644 base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg create mode 100644 base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg create mode 100644 base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg create mode 100644 base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg create mode 100644 base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg create mode 100644 base/ca/shared/profiles/ca/caJarSigningCert.cfg create mode 100755 
base/ca/shared/profiles/ca/caManualRenewal.cfg create mode 100644 base/ca/shared/profiles/ca/caOCSPCert.cfg create mode 100644 base/ca/shared/profiles/ca/caOtherCert.cfg create mode 100644 base/ca/shared/profiles/ca/caRACert.cfg create mode 100644 base/ca/shared/profiles/ca/caRARouterCert.cfg create mode 100644 base/ca/shared/profiles/ca/caRAagentCert.cfg create mode 100644 base/ca/shared/profiles/ca/caRAserverCert.cfg create mode 100644 base/ca/shared/profiles/ca/caRouterCert.cfg create mode 100755 base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg create mode 100644 base/ca/shared/profiles/ca/caServerCert.cfg create mode 100644 base/ca/shared/profiles/ca/caSignedLogCert.cfg create mode 100644 base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg create mode 100644 base/ca/shared/profiles/ca/caTPSCert.cfg create mode 100644 base/ca/shared/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg create mode 100644 base/ca/shared/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg create mode 100644 base/ca/shared/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg create mode 100644 base/ca/shared/profiles/ca/caTokenDeviceKeyEnrollment.cfg create mode 100644 base/ca/shared/profiles/ca/caTokenMSLoginEnrollment.cfg create mode 100644 base/ca/shared/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg create mode 100644 base/ca/shared/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg create mode 100644 base/ca/shared/profiles/ca/caTokenUserSigningKeyEnrollment.cfg create mode 100644 base/ca/shared/profiles/ca/caTokenUserSigningKeyRenewal.cfg create mode 100644 base/ca/shared/profiles/ca/caTransportCert.cfg create mode 100644 base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg create mode 100644 base/ca/shared/profiles/ca/caUserCert.cfg create mode 100644 base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg create mode 100644 base/ca/shared/webapps/ROOT/WEB-INF/web.xml create mode 100644 base/ca/shared/webapps/ROOT/index.jsp create mode 100644 
base/ca/shared/webapps/ca/WEB-INF/velocity.properties create mode 100644 base/ca/shared/webapps/ca/WEB-INF/web.xml create mode 100644 base/ca/src/CMakeLists.txt create mode 100644 base/ca/src/com/netscape/ca/CAPolicy.java create mode 100644 base/ca/src/com/netscape/ca/CAService.java create mode 100644 base/ca/src/com/netscape/ca/CMSCRLExtensions.java create mode 100644 base/ca/src/com/netscape/ca/CRLIssuingPoint.java create mode 100644 base/ca/src/com/netscape/ca/CRLWithExpiredCerts.java create mode 100644 base/ca/src/com/netscape/ca/CertificateAuthority.java create mode 100644 base/ca/src/com/netscape/ca/SigningUnit.java create mode 100644 base/common/CMakeLists.txt create mode 100644 base/common/LICENSE create mode 100644 base/common/setup/CertServer.directory create mode 100644 base/common/setup/menu.xml create mode 100644 base/common/setup/web-app_2_3.dtd create mode 100644 base/common/src/CMakeLists.txt create mode 100644 base/common/src/LogMessages.properties create mode 100644 base/common/src/UserMessages.properties create mode 100644 base/common/src/com/netscape/certsrv/acls/ACL.java create mode 100644 base/common/src/com/netscape/certsrv/acls/ACLEntry.java create mode 100644 base/common/src/com/netscape/certsrv/acls/ACLsResources.java create mode 100644 base/common/src/com/netscape/certsrv/acls/EACLsException.java create mode 100644 base/common/src/com/netscape/certsrv/acls/IACL.java create mode 100644 base/common/src/com/netscape/certsrv/acls/IACLEntry.java create mode 100644 base/common/src/com/netscape/certsrv/apps/CMS.java create mode 100644 base/common/src/com/netscape/certsrv/apps/ICMSEngine.java create mode 100644 base/common/src/com/netscape/certsrv/apps/ICommandQueue.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/AuthCredentials.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/AuthManagerProxy.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/AuthMgrPlugin.java 
create mode 100644 base/common/src/com/netscape/certsrv/authentication/AuthResources.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/AuthToken.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/EAuthException.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/EAuthInternalError.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/EAuthMgrNotFound.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/EAuthMgrPluginNotFound.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/EAuthUserError.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/ECompSyntaxErr.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/EFormSubjectDN.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/EInvalidCredentials.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/EMissingCredential.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/IAuthCredentials.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/IAuthManager.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/IAuthToken.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/ISSLClientCertProvider.java create mode 100644 base/common/src/com/netscape/certsrv/authentication/ISharedToken.java create mode 100644 base/common/src/com/netscape/certsrv/authority/IAuthority.java create mode 100644 base/common/src/com/netscape/certsrv/authority/ICertAuthority.java create mode 100644 base/common/src/com/netscape/certsrv/authorization/AuthzManagerProxy.java create mode 100644 base/common/src/com/netscape/certsrv/authorization/AuthzMgrPlugin.java create mode 100644 
base/common/src/com/netscape/certsrv/authorization/AuthzResources.java create mode 100644 base/common/src/com/netscape/certsrv/authorization/AuthzToken.java create mode 100644 base/common/src/com/netscape/certsrv/authorization/EAuthzAccessDenied.java create mode 100644 base/common/src/com/netscape/certsrv/authorization/EAuthzException.java create mode 100644 base/common/src/com/netscape/certsrv/authorization/EAuthzInternalError.java create mode 100644 base/common/src/com/netscape/certsrv/authorization/EAuthzMgrNotFound.java create mode 100644 base/common/src/com/netscape/certsrv/authorization/EAuthzMgrPluginNotFound.java create mode 100644 base/common/src/com/netscape/certsrv/authorization/EAuthzUnknownOperation.java create mode 100644 base/common/src/com/netscape/certsrv/authorization/EAuthzUnknownProtectedRes.java create mode 100644 base/common/src/com/netscape/certsrv/authorization/IAuthzManager.java create mode 100644 base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java create mode 100644 base/common/src/com/netscape/certsrv/base/ASubsystem.java create mode 100644 base/common/src/com/netscape/certsrv/base/AttributeNameHelper.java create mode 100644 base/common/src/com/netscape/certsrv/base/BaseResources.java create mode 100644 base/common/src/com/netscape/certsrv/base/EBaseException.java create mode 100644 base/common/src/com/netscape/certsrv/base/EPropertyNotDefined.java create mode 100644 base/common/src/com/netscape/certsrv/base/EPropertyNotFound.java create mode 100644 base/common/src/com/netscape/certsrv/base/ExtendedPluginInfo.java create mode 100644 base/common/src/com/netscape/certsrv/base/IArgBlock.java create mode 100644 base/common/src/com/netscape/certsrv/base/IAttrSet.java create mode 100644 base/common/src/com/netscape/certsrv/base/IAuthInfo.java create mode 100644 base/common/src/com/netscape/certsrv/base/ICRLPrettyPrint.java create mode 100644 base/common/src/com/netscape/certsrv/base/ICertPrettyPrint.java create mode 100644 
base/common/src/com/netscape/certsrv/base/IConfigStore.java create mode 100644 base/common/src/com/netscape/certsrv/base/IConfigStoreEventListener.java create mode 100644 base/common/src/com/netscape/certsrv/base/IExtPrettyPrint.java create mode 100644 base/common/src/com/netscape/certsrv/base/IExtendedPluginInfo.java create mode 100644 base/common/src/com/netscape/certsrv/base/IPluginImpl.java create mode 100644 base/common/src/com/netscape/certsrv/base/IPrettyPrintFormat.java create mode 100644 base/common/src/com/netscape/certsrv/base/ISecurityDomainSessionTable.java create mode 100644 base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java create mode 100644 base/common/src/com/netscape/certsrv/base/ISubsystem.java create mode 100644 base/common/src/com/netscape/certsrv/base/ISubsystemSource.java create mode 100644 base/common/src/com/netscape/certsrv/base/ITimeSource.java create mode 100644 base/common/src/com/netscape/certsrv/base/KeyGenInfo.java create mode 100644 base/common/src/com/netscape/certsrv/base/MessageFormatter.java create mode 100644 base/common/src/com/netscape/certsrv/base/MetaAttributeDef.java create mode 100644 base/common/src/com/netscape/certsrv/base/MetaInfo.java create mode 100644 base/common/src/com/netscape/certsrv/base/Nonces.java create mode 100644 base/common/src/com/netscape/certsrv/base/PasswordResources.java create mode 100644 base/common/src/com/netscape/certsrv/base/Plugin.java create mode 100644 base/common/src/com/netscape/certsrv/base/SessionContext.java create mode 100644 base/common/src/com/netscape/certsrv/ca/CAResources.java create mode 100644 base/common/src/com/netscape/certsrv/ca/ECAException.java create mode 100644 base/common/src/com/netscape/certsrv/ca/EErrorPublishCRL.java create mode 100644 base/common/src/com/netscape/certsrv/ca/ICAService.java create mode 100644 base/common/src/com/netscape/certsrv/ca/ICMSCRLExtension.java create mode 100644 
base/common/src/com/netscape/certsrv/ca/ICMSCRLExtensions.java create mode 100644 base/common/src/com/netscape/certsrv/ca/ICRLIssuingPoint.java create mode 100644 base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java create mode 100644 base/common/src/com/netscape/certsrv/cert/ICrossCertPairSubsystem.java create mode 100644 base/common/src/com/netscape/certsrv/client/IDataProcessor.java create mode 100644 base/common/src/com/netscape/certsrv/client/connection/IAuthenticator.java create mode 100644 base/common/src/com/netscape/certsrv/client/connection/IConnection.java create mode 100644 base/common/src/com/netscape/certsrv/client/connection/IConnectionFactory.java create mode 100644 base/common/src/com/netscape/certsrv/common/ConfigConstants.java create mode 100644 base/common/src/com/netscape/certsrv/common/Constants.java create mode 100644 base/common/src/com/netscape/certsrv/common/DestDef.java create mode 100644 base/common/src/com/netscape/certsrv/common/NameValuePairs.java create mode 100644 base/common/src/com/netscape/certsrv/common/OpDef.java create mode 100644 base/common/src/com/netscape/certsrv/common/PrefixDef.java create mode 100644 base/common/src/com/netscape/certsrv/common/ScopeDef.java create mode 100644 base/common/src/com/netscape/certsrv/common/TaskId.java create mode 100644 base/common/src/com/netscape/certsrv/connector/IConnector.java create mode 100644 base/common/src/com/netscape/certsrv/connector/IHttpConnFactory.java create mode 100644 base/common/src/com/netscape/certsrv/connector/IHttpConnection.java create mode 100644 base/common/src/com/netscape/certsrv/connector/IHttpPKIMessage.java create mode 100644 base/common/src/com/netscape/certsrv/connector/IPKIMessage.java create mode 100644 base/common/src/com/netscape/certsrv/connector/IRemoteAuthority.java create mode 100644 base/common/src/com/netscape/certsrv/connector/IRequestEncoder.java create mode 100644 base/common/src/com/netscape/certsrv/connector/IResender.java 
create mode 100644 base/common/src/com/netscape/certsrv/dbs/DBResources.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/EDBException.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/EDBNotAvailException.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/EDBRecordNotFoundException.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/IDBAttrMapper.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/IDBDynAttrMapper.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/IDBObj.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/IDBRegistry.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/IDBSSession.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/IDBSearchResults.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/IDBVirtualList.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/IElementProcessor.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/IFilterConverter.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/Modification.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/ModificationSet.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecordList.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/certdb/IRevocationInfo.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/crldb/ICRLIssuingPointRecord.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/crldb/ICRLRepository.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecordList.java create mode 
100644 base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRepository.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/keydb/KeyId.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/keydb/KeyIdAdapter.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/keydb/KeyState.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/replicadb/IReplicaIDRepository.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/repository/IRepository.java create mode 100644 base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java create mode 100644 base/common/src/com/netscape/certsrv/evaluators/IAccessEvaluator.java create mode 100644 base/common/src/com/netscape/certsrv/extensions/EExtensionsException.java create mode 100644 base/common/src/com/netscape/certsrv/extensions/ExtensionsResources.java create mode 100644 base/common/src/com/netscape/certsrv/extensions/ICMSExtension.java create mode 100644 base/common/src/com/netscape/certsrv/jobs/EJobsException.java create mode 100644 base/common/src/com/netscape/certsrv/jobs/IJob.java create mode 100644 base/common/src/com/netscape/certsrv/jobs/IJobCron.java create mode 100644 base/common/src/com/netscape/certsrv/jobs/IJobsScheduler.java create mode 100644 base/common/src/com/netscape/certsrv/jobs/JobPlugin.java create mode 100644 base/common/src/com/netscape/certsrv/jobs/JobsResources.java create mode 100644 base/common/src/com/netscape/certsrv/kra/EKRAException.java create mode 100644 base/common/src/com/netscape/certsrv/kra/IJoinShares.java create mode 100644 base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java create mode 100644 base/common/src/com/netscape/certsrv/kra/IKeyService.java create mode 100644 base/common/src/com/netscape/certsrv/kra/IProofOfArchival.java create mode 100644 base/common/src/com/netscape/certsrv/kra/IShare.java create mode 100644 base/common/src/com/netscape/certsrv/kra/KRAResources.java create mode 100644 
base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java create mode 100644 base/common/src/com/netscape/certsrv/ldap/ELdapException.java create mode 100644 base/common/src/com/netscape/certsrv/ldap/ELdapServerDownException.java create mode 100644 base/common/src/com/netscape/certsrv/ldap/ILdapAuthInfo.java create mode 100644 base/common/src/com/netscape/certsrv/ldap/ILdapBoundConnFactory.java create mode 100644 base/common/src/com/netscape/certsrv/ldap/ILdapConnFactory.java create mode 100644 base/common/src/com/netscape/certsrv/ldap/ILdapConnInfo.java create mode 100644 base/common/src/com/netscape/certsrv/ldap/ILdapConnModule.java create mode 100644 base/common/src/com/netscape/certsrv/ldap/LdapResources.java create mode 100644 base/common/src/com/netscape/certsrv/listeners/EListenersException.java create mode 100644 base/common/src/com/netscape/certsrv/listeners/IRequestListenerPlugin.java create mode 100644 base/common/src/com/netscape/certsrv/listeners/ListenersResources.java create mode 100644 base/common/src/com/netscape/certsrv/logging/AuditEvent.java create mode 100644 base/common/src/com/netscape/certsrv/logging/AuditFormat.java create mode 100644 base/common/src/com/netscape/certsrv/logging/ConsoleError.java create mode 100644 base/common/src/com/netscape/certsrv/logging/ConsoleLog.java create mode 100644 base/common/src/com/netscape/certsrv/logging/ELogException.java create mode 100644 base/common/src/com/netscape/certsrv/logging/ELogNotFound.java create mode 100644 base/common/src/com/netscape/certsrv/logging/ELogPluginNotFound.java create mode 100644 base/common/src/com/netscape/certsrv/logging/IBundleLogEvent.java create mode 100644 base/common/src/com/netscape/certsrv/logging/ILogEvent.java create mode 100644 base/common/src/com/netscape/certsrv/logging/ILogEventFactory.java create mode 100644 base/common/src/com/netscape/certsrv/logging/ILogEventListener.java create mode 100644 base/common/src/com/netscape/certsrv/logging/ILogQueue.java 
create mode 100644 base/common/src/com/netscape/certsrv/logging/ILogSubsystem.java create mode 100644 base/common/src/com/netscape/certsrv/logging/ILogger.java create mode 100644 base/common/src/com/netscape/certsrv/logging/LogPlugin.java create mode 100644 base/common/src/com/netscape/certsrv/logging/LogResources.java create mode 100644 base/common/src/com/netscape/certsrv/logging/SignedAuditEvent.java create mode 100644 base/common/src/com/netscape/certsrv/logging/SystemEvent.java create mode 100644 base/common/src/com/netscape/certsrv/notification/ENotificationException.java create mode 100644 base/common/src/com/netscape/certsrv/notification/IEmailFormProcessor.java create mode 100644 base/common/src/com/netscape/certsrv/notification/IEmailResolver.java create mode 100644 base/common/src/com/netscape/certsrv/notification/IEmailResolverKeys.java create mode 100644 base/common/src/com/netscape/certsrv/notification/IEmailTemplate.java create mode 100644 base/common/src/com/netscape/certsrv/notification/IMailNotification.java create mode 100644 base/common/src/com/netscape/certsrv/notification/NotificationResources.java create mode 100644 base/common/src/com/netscape/certsrv/ocsp/IDefStore.java create mode 100644 base/common/src/com/netscape/certsrv/ocsp/IOCSPAuthority.java create mode 100644 base/common/src/com/netscape/certsrv/ocsp/IOCSPService.java create mode 100644 base/common/src/com/netscape/certsrv/ocsp/IOCSPStore.java create mode 100644 base/common/src/com/netscape/certsrv/password/EPasswordCheckException.java create mode 100644 base/common/src/com/netscape/certsrv/password/IConfigPasswordCheck.java create mode 100644 base/common/src/com/netscape/certsrv/password/IPasswordCheck.java create mode 100644 base/common/src/com/netscape/certsrv/pattern/AttrSetCollection.java create mode 100644 base/common/src/com/netscape/certsrv/pattern/Pattern.java create mode 100644 base/common/src/com/netscape/certsrv/policy/EPolicyException.java create mode 100644 
base/common/src/com/netscape/certsrv/policy/IEnrollmentPolicy.java create mode 100644 base/common/src/com/netscape/certsrv/policy/IExpression.java create mode 100644 base/common/src/com/netscape/certsrv/policy/IGeneralNameAsConstraintsConfig.java create mode 100644 base/common/src/com/netscape/certsrv/policy/IGeneralNameConfig.java create mode 100644 base/common/src/com/netscape/certsrv/policy/IGeneralNameUtil.java create mode 100644 base/common/src/com/netscape/certsrv/policy/IGeneralNamesAsConstraintsConfig.java create mode 100644 base/common/src/com/netscape/certsrv/policy/IGeneralNamesConfig.java create mode 100644 base/common/src/com/netscape/certsrv/policy/IKeyArchivalPolicy.java create mode 100644 base/common/src/com/netscape/certsrv/policy/IKeyRecoveryPolicy.java create mode 100644 base/common/src/com/netscape/certsrv/policy/IPolicyPredicateParser.java create mode 100644 base/common/src/com/netscape/certsrv/policy/IPolicyProcessor.java create mode 100644 base/common/src/com/netscape/certsrv/policy/IPolicyRule.java create mode 100644 base/common/src/com/netscape/certsrv/policy/IPolicySet.java create mode 100644 base/common/src/com/netscape/certsrv/policy/IRenewalPolicy.java create mode 100644 base/common/src/com/netscape/certsrv/policy/IRevocationPolicy.java create mode 100644 base/common/src/com/netscape/certsrv/policy/ISubjAltNameConfig.java create mode 100644 base/common/src/com/netscape/certsrv/policy/PolicyResources.java create mode 100644 base/common/src/com/netscape/certsrv/profile/CertInfoProfile.java create mode 100644 base/common/src/com/netscape/certsrv/profile/EDeferException.java create mode 100644 base/common/src/com/netscape/certsrv/profile/EProfileException.java create mode 100644 base/common/src/com/netscape/certsrv/profile/ERejectException.java create mode 100644 base/common/src/com/netscape/certsrv/profile/ICertInfoPolicyDefault.java create mode 100644 base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java create mode 100644 
base/common/src/com/netscape/certsrv/profile/IPolicyConstraint.java create mode 100644 base/common/src/com/netscape/certsrv/profile/IPolicyDefault.java create mode 100644 base/common/src/com/netscape/certsrv/profile/IProfile.java create mode 100644 base/common/src/com/netscape/certsrv/profile/IProfileAuthenticator.java create mode 100644 base/common/src/com/netscape/certsrv/profile/IProfileContext.java create mode 100644 base/common/src/com/netscape/certsrv/profile/IProfileEx.java create mode 100644 base/common/src/com/netscape/certsrv/profile/IProfileInput.java create mode 100644 base/common/src/com/netscape/certsrv/profile/IProfileOutput.java create mode 100644 base/common/src/com/netscape/certsrv/profile/IProfilePolicy.java create mode 100644 base/common/src/com/netscape/certsrv/profile/IProfileSubsystem.java create mode 100644 base/common/src/com/netscape/certsrv/profile/IProfileUpdater.java create mode 100644 base/common/src/com/netscape/certsrv/property/Descriptor.java create mode 100644 base/common/src/com/netscape/certsrv/property/EPropertyException.java create mode 100644 base/common/src/com/netscape/certsrv/property/IConfigTemplate.java create mode 100644 base/common/src/com/netscape/certsrv/property/IDescriptor.java create mode 100644 base/common/src/com/netscape/certsrv/property/PropertySet.java create mode 100644 base/common/src/com/netscape/certsrv/publish/ECompSyntaxErr.java create mode 100644 base/common/src/com/netscape/certsrv/publish/EMapperNotFound.java create mode 100644 base/common/src/com/netscape/certsrv/publish/EMapperPluginNotFound.java create mode 100644 base/common/src/com/netscape/certsrv/publish/EPublisherNotFound.java create mode 100644 base/common/src/com/netscape/certsrv/publish/EPublisherPluginNotFound.java create mode 100644 base/common/src/com/netscape/certsrv/publish/ERuleNotFound.java create mode 100644 base/common/src/com/netscape/certsrv/publish/ERulePluginNotFound.java create mode 100644 
base/common/src/com/netscape/certsrv/publish/ICRLPublisher.java create mode 100644 base/common/src/com/netscape/certsrv/publish/ILdapCertMapper.java create mode 100644 base/common/src/com/netscape/certsrv/publish/ILdapCrlMapper.java create mode 100644 base/common/src/com/netscape/certsrv/publish/ILdapExpression.java create mode 100644 base/common/src/com/netscape/certsrv/publish/ILdapMapper.java create mode 100644 base/common/src/com/netscape/certsrv/publish/ILdapPlugin.java create mode 100644 base/common/src/com/netscape/certsrv/publish/ILdapPluginImpl.java create mode 100644 base/common/src/com/netscape/certsrv/publish/ILdapPublishModule.java create mode 100644 base/common/src/com/netscape/certsrv/publish/ILdapPublisher.java create mode 100644 base/common/src/com/netscape/certsrv/publish/ILdapRule.java create mode 100644 base/common/src/com/netscape/certsrv/publish/IPublishRuleSet.java create mode 100644 base/common/src/com/netscape/certsrv/publish/IPublisherProcessor.java create mode 100644 base/common/src/com/netscape/certsrv/publish/IXcertPublisherProcessor.java create mode 100644 base/common/src/com/netscape/certsrv/publish/LdapCertMapResult.java create mode 100644 base/common/src/com/netscape/certsrv/publish/MapperPlugin.java create mode 100644 base/common/src/com/netscape/certsrv/publish/MapperProxy.java create mode 100644 base/common/src/com/netscape/certsrv/publish/PublisherPlugin.java create mode 100644 base/common/src/com/netscape/certsrv/publish/PublisherProxy.java create mode 100644 base/common/src/com/netscape/certsrv/publish/RulePlugin.java create mode 100644 base/common/src/com/netscape/certsrv/ra/IRAService.java create mode 100644 base/common/src/com/netscape/certsrv/ra/IRegistrationAuthority.java create mode 100644 base/common/src/com/netscape/certsrv/registry/ERegistryException.java create mode 100644 base/common/src/com/netscape/certsrv/registry/IPluginInfo.java create mode 100644 
base/common/src/com/netscape/certsrv/registry/IPluginRegistry.java create mode 100644 base/common/src/com/netscape/certsrv/request/ARequestNotifier.java create mode 100644 base/common/src/com/netscape/certsrv/request/AgentApproval.java create mode 100644 base/common/src/com/netscape/certsrv/request/AgentApprovals.java create mode 100644 base/common/src/com/netscape/certsrv/request/IEnrollmentRequest.java create mode 100644 base/common/src/com/netscape/certsrv/request/INotify.java create mode 100644 base/common/src/com/netscape/certsrv/request/IPolicy.java create mode 100644 base/common/src/com/netscape/certsrv/request/IRequest.java create mode 100644 base/common/src/com/netscape/certsrv/request/IRequestList.java create mode 100644 base/common/src/com/netscape/certsrv/request/IRequestListener.java create mode 100644 base/common/src/com/netscape/certsrv/request/IRequestNotifier.java create mode 100644 base/common/src/com/netscape/certsrv/request/IRequestQueue.java create mode 100644 base/common/src/com/netscape/certsrv/request/IRequestRecord.java create mode 100644 base/common/src/com/netscape/certsrv/request/IRequestScheduler.java create mode 100644 base/common/src/com/netscape/certsrv/request/IRequestSubsystem.java create mode 100644 base/common/src/com/netscape/certsrv/request/IRequestVirtualList.java create mode 100644 base/common/src/com/netscape/certsrv/request/IService.java create mode 100644 base/common/src/com/netscape/certsrv/request/PolicyMessage.java create mode 100644 base/common/src/com/netscape/certsrv/request/PolicyResult.java create mode 100644 base/common/src/com/netscape/certsrv/request/RequestId.java create mode 100644 base/common/src/com/netscape/certsrv/request/RequestIdAdapter.java create mode 100644 base/common/src/com/netscape/certsrv/request/RequestStatus.java create mode 100644 base/common/src/com/netscape/certsrv/request/ldap/IRequestMod.java create mode 100644 base/common/src/com/netscape/certsrv/security/Credential.java create mode 
100644 base/common/src/com/netscape/certsrv/security/ICryptoSubsystem.java create mode 100644 base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java create mode 100644 base/common/src/com/netscape/certsrv/security/ISigningUnit.java create mode 100644 base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java create mode 100644 base/common/src/com/netscape/certsrv/security/IToken.java create mode 100644 base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java create mode 100644 base/common/src/com/netscape/certsrv/security/KeyCertData.java create mode 100644 base/common/src/com/netscape/certsrv/selftests/EDuplicateSelfTestException.java create mode 100644 base/common/src/com/netscape/certsrv/selftests/EInvalidSelfTestException.java create mode 100644 base/common/src/com/netscape/certsrv/selftests/EMissingSelfTestException.java create mode 100644 base/common/src/com/netscape/certsrv/selftests/ESelfTestException.java create mode 100644 base/common/src/com/netscape/certsrv/selftests/ISelfTest.java create mode 100644 base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java create mode 100644 base/common/src/com/netscape/certsrv/selftests/SelfTestResources.java create mode 100644 base/common/src/com/netscape/certsrv/template/ArgList.java create mode 100644 base/common/src/com/netscape/certsrv/template/ArgSet.java create mode 100644 base/common/src/com/netscape/certsrv/template/ArgString.java create mode 100644 base/common/src/com/netscape/certsrv/template/IArgValue.java create mode 100644 base/common/src/com/netscape/certsrv/tks/ITKSAuthority.java create mode 100644 base/common/src/com/netscape/certsrv/usrgrp/Certificates.java create mode 100644 base/common/src/com/netscape/certsrv/usrgrp/EUsrGrpException.java create mode 100644 base/common/src/com/netscape/certsrv/usrgrp/ICertUserLocator.java create mode 100644 base/common/src/com/netscape/certsrv/usrgrp/IGroup.java create mode 100644 
base/common/src/com/netscape/certsrv/usrgrp/IGroupConstants.java create mode 100644 base/common/src/com/netscape/certsrv/usrgrp/IIdEvaluator.java create mode 100644 base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java create mode 100644 base/common/src/com/netscape/certsrv/usrgrp/IUser.java create mode 100644 base/common/src/com/netscape/certsrv/usrgrp/IUserConstants.java create mode 100644 base/common/src/com/netscape/certsrv/usrgrp/IUsrGrp.java create mode 100644 base/common/src/com/netscape/certsrv/usrgrp/UsrGrpResources.java create mode 100644 base/common/src/com/netscape/certsrv/util/HttpInput.java create mode 100644 base/common/src/com/netscape/certsrv/util/IStatsSubsystem.java create mode 100644 base/common/src/com/netscape/certsrv/util/StatsEvent.java create mode 100644 base/common/src/com/netscape/cms/authentication/AVAPattern.java create mode 100644 base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java create mode 100644 base/common/src/com/netscape/cms/authentication/CMCAuth.java create mode 100644 base/common/src/com/netscape/cms/authentication/Crypt.java create mode 100644 base/common/src/com/netscape/cms/authentication/DNPattern.java create mode 100644 base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java create mode 100644 base/common/src/com/netscape/cms/authentication/FlatFileAuth.java create mode 100644 base/common/src/com/netscape/cms/authentication/HashAuthData.java create mode 100644 base/common/src/com/netscape/cms/authentication/HashAuthentication.java create mode 100644 base/common/src/com/netscape/cms/authentication/PortalEnroll.java create mode 100644 base/common/src/com/netscape/cms/authentication/RDNPattern.java create mode 100644 base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java create mode 100644 base/common/src/com/netscape/cms/authentication/SharedSecret.java create mode 100644 base/common/src/com/netscape/cms/authentication/TokenAuthentication.java 
create mode 100644 base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java create mode 100644 base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java create mode 100644 base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java create mode 100644 base/common/src/com/netscape/cms/authorization/AAclAuthz.java create mode 100644 base/common/src/com/netscape/cms/authorization/BasicAclAuthz.java create mode 100644 base/common/src/com/netscape/cms/authorization/DirAclAuthz.java create mode 100644 base/common/src/com/netscape/cms/crl/CMSAuthInfoAccessExtension.java create mode 100644 base/common/src/com/netscape/cms/crl/CMSAuthorityKeyIdentifierExtension.java create mode 100644 base/common/src/com/netscape/cms/crl/CMSCRLNumberExtension.java create mode 100644 base/common/src/com/netscape/cms/crl/CMSCRLReasonExtension.java create mode 100644 base/common/src/com/netscape/cms/crl/CMSCertificateIssuerExtension.java create mode 100644 base/common/src/com/netscape/cms/crl/CMSDeltaCRLIndicatorExtension.java create mode 100644 base/common/src/com/netscape/cms/crl/CMSFreshestCRLExtension.java create mode 100644 base/common/src/com/netscape/cms/crl/CMSHoldInstructionExtension.java create mode 100644 base/common/src/com/netscape/cms/crl/CMSInvalidityDateExtension.java create mode 100644 base/common/src/com/netscape/cms/crl/CMSIssuerAlternativeNameExtension.java create mode 100644 base/common/src/com/netscape/cms/crl/CMSIssuingDistributionPointExtension.java create mode 100644 base/common/src/com/netscape/cms/evaluators/GroupAccessEvaluator.java create mode 100644 base/common/src/com/netscape/cms/evaluators/IPAddressAccessEvaluator.java create mode 100644 base/common/src/com/netscape/cms/evaluators/UserAccessEvaluator.java create mode 100644 base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java create mode 100644 base/common/src/com/netscape/cms/jobs/AJobBase.java create mode 100644 
base/common/src/com/netscape/cms/jobs/PublishCertsJob.java create mode 100644 base/common/src/com/netscape/cms/jobs/RenewalNotificationJob.java create mode 100644 base/common/src/com/netscape/cms/jobs/RequestInQueueJob.java create mode 100644 base/common/src/com/netscape/cms/jobs/UnpublishExpiredJob.java create mode 100644 base/common/src/com/netscape/cms/listeners/CertificateIssuedListener.java create mode 100644 base/common/src/com/netscape/cms/listeners/CertificateRevokedListener.java create mode 100644 base/common/src/com/netscape/cms/listeners/PinRemovalListener.java create mode 100644 base/common/src/com/netscape/cms/listeners/RequestInQListener.java create mode 100644 base/common/src/com/netscape/cms/logging/LogEntry.java create mode 100644 base/common/src/com/netscape/cms/logging/LogFile.java create mode 100644 base/common/src/com/netscape/cms/logging/RollingLogFile.java create mode 100644 base/common/src/com/netscape/cms/notification/MailNotification.java create mode 100644 base/common/src/com/netscape/cms/ocsp/DefStore.java create mode 100644 base/common/src/com/netscape/cms/ocsp/LDAPStore.java create mode 100644 base/common/src/com/netscape/cms/password/PasswordChecker.java create mode 100644 base/common/src/com/netscape/cms/policy/APolicyRule.java create mode 100644 base/common/src/com/netscape/cms/policy/constraints/AgentPolicy.java create mode 100644 base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java create mode 100644 base/common/src/com/netscape/cms/policy/constraints/DSAKeyConstraints.java create mode 100644 base/common/src/com/netscape/cms/policy/constraints/DefaultRevocation.java create mode 100644 base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java create mode 100644 base/common/src/com/netscape/cms/policy/constraints/KeyAlgorithmConstraints.java create mode 100644 base/common/src/com/netscape/cms/policy/constraints/ManualAuthentication.java create mode 100644 
base/common/src/com/netscape/cms/policy/constraints/RSAKeyConstraints.java create mode 100644 base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java create mode 100644 base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java create mode 100644 base/common/src/com/netscape/cms/policy/constraints/RevocationConstraints.java create mode 100644 base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java create mode 100644 base/common/src/com/netscape/cms/policy/constraints/SubCANameConstraints.java create mode 100644 base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectName.java create mode 100644 base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectNameConstraints.java create mode 100644 base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/BasicConstraintsExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/CRLDistributionPointsExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/CertificatePoliciesExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/CertificateRenewalWindowExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/CertificateScopeOfUseExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/ExtendedKeyUsageExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/GenericASN1Ext.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/IssuerAltNameExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java create mode 100644 
base/common/src/com/netscape/cms/policy/extensions/NSCCommentExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/NameConstraintsExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/OCSPNoCheckExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/PolicyMappingsExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/PresenceExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/RemoveBasicConstraintsExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/SubjectDirectoryAttributesExt.java create mode 100644 base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java create mode 100644 base/common/src/com/netscape/cms/profile/common/BasicProfile.java create mode 100644 base/common/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java create mode 100644 base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java create mode 100644 base/common/src/com/netscape/cms/profile/common/EnrollProfile.java create mode 100644 base/common/src/com/netscape/cms/profile/common/EnrollProfileContext.java create mode 100644 base/common/src/com/netscape/cms/profile/common/ProfileContext.java create mode 100644 base/common/src/com/netscape/cms/profile/common/ProfilePolicy.java create mode 100644 base/common/src/com/netscape/cms/profile/common/RAEnrollProfile.java create mode 100644 
base/common/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java create mode 100644 base/common/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/CAEnrollConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/EnrollConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/ExtendedKeyUsageExtConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/ExtensionConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/KeyUsageExtConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/NoConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/SigningAlgConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java create mode 100644 
base/common/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/AutoAssignDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/BasicConstraintsExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/CAEnrollDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/CAValidityDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/CRLDistributionPointsExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/CertificatePoliciesExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/CertificateVersionDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/EnrollDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/EnrollExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/FreshestCRLExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/GenericExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/ImageDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/InhibitAnyPolicyExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/KeyUsageExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/NSCCommentExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/NSCertTypeExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/NoDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/OCSPNoCheckExtDefault.java create mode 100644 
base/common/src/com/netscape/cms/profile/def/PolicyConstraintsExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/PolicyMappingsExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/SigningAlgDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/SubjectDirAttributesExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/SubjectInfoAccessExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/SubjectNameDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/UserExtensionDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/UserKeyDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/UserSigningAlgDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/UserValidityDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/ValidityDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/nsHKeySubjectNameDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/nsNKeySubjectNameDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/nsTokenDeviceKeySubjectNameDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/input/CMCCertReqInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/CertReqInput.java create mode 100644 
base/common/src/com/netscape/cms/profile/input/DualKeyGenInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/EncryptionKeyGenInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/EnrollInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/FileSigningInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/GenericInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/ImageInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/KeyGenInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/SigningKeyGenInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/SubjectDNInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/SubjectNameInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/SubmitterInfoInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/nsHKeyCertReqInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/nsNKeyCertReqInput.java create mode 100644 base/common/src/com/netscape/cms/profile/output/CMMFOutput.java create mode 100644 base/common/src/com/netscape/cms/profile/output/CertOutput.java create mode 100644 base/common/src/com/netscape/cms/profile/output/EnrollOutput.java create mode 100644 base/common/src/com/netscape/cms/profile/output/PKCS7Output.java create mode 100644 base/common/src/com/netscape/cms/profile/output/nsNKeyOutput.java create mode 100644 base/common/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java create mode 100644 base/common/src/com/netscape/cms/publish/mappers/AVAPattern.java create mode 100644 base/common/src/com/netscape/cms/publish/mappers/LdapCaSimpleMap.java create mode 100644 base/common/src/com/netscape/cms/publish/mappers/LdapCertCompsMap.java create mode 
100644 base/common/src/com/netscape/cms/publish/mappers/LdapCertExactMap.java create mode 100644 base/common/src/com/netscape/cms/publish/mappers/LdapCertSubjMap.java create mode 100644 base/common/src/com/netscape/cms/publish/mappers/LdapCrlIssuerCompsMap.java create mode 100644 base/common/src/com/netscape/cms/publish/mappers/LdapDNCompsMap.java create mode 100644 base/common/src/com/netscape/cms/publish/mappers/LdapEnhancedMap.java create mode 100644 base/common/src/com/netscape/cms/publish/mappers/LdapSimpleMap.java create mode 100644 base/common/src/com/netscape/cms/publish/mappers/MapAVAPattern.java create mode 100644 base/common/src/com/netscape/cms/publish/mappers/MapDNPattern.java create mode 100644 base/common/src/com/netscape/cms/publish/mappers/MapRDNPattern.java create mode 100644 base/common/src/com/netscape/cms/publish/mappers/NoMap.java create mode 100644 base/common/src/com/netscape/cms/publish/publishers/FileBasedPublisher.java create mode 100644 base/common/src/com/netscape/cms/publish/publishers/LdapCaCertPublisher.java create mode 100644 base/common/src/com/netscape/cms/publish/publishers/LdapCertSubjPublisher.java create mode 100644 base/common/src/com/netscape/cms/publish/publishers/LdapCertificatePairPublisher.java create mode 100644 base/common/src/com/netscape/cms/publish/publishers/LdapCrlPublisher.java create mode 100644 base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java create mode 100644 base/common/src/com/netscape/cms/publish/publishers/LdapUserCertPublisher.java create mode 100644 base/common/src/com/netscape/cms/publish/publishers/OCSPPublisher.java create mode 100644 base/common/src/com/netscape/cms/publish/publishers/PublisherUtils.java create mode 100644 base/common/src/com/netscape/cms/request/RequestScheduler.java create mode 100644 base/common/src/com/netscape/cms/selftests/ASelfTest.java create mode 100644 base/common/src/com/netscape/cms/selftests/ca/CAPresence.java create mode 100644 
base/common/src/com/netscape/cms/selftests/ca/CAValidity.java create mode 100644 base/common/src/com/netscape/cms/selftests/common/SystemCertsVerification.java create mode 100644 base/common/src/com/netscape/cms/selftests/kra/KRAPresence.java create mode 100644 base/common/src/com/netscape/cms/selftests/ocsp/OCSPPresence.java create mode 100644 base/common/src/com/netscape/cms/selftests/ocsp/OCSPValidity.java create mode 100644 base/common/src/com/netscape/cms/selftests/ra/RAPresence.java create mode 100644 base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/AdminResources.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/AuthCredentials.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/JobsAdminServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/LogAdminServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/RAAdminServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/RegistryAdminServlet.java create 
mode 100644 base/common/src/com/netscape/cms/servlet/admin/SystemCertificateResource.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/SystemCertificateResourceService.java create mode 100644 base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/base/CMSResourceService.java create mode 100644 base/common/src/com/netscape/cms/servlet/base/CMSServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/base/DisplayHtmlServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/base/DynamicVariablesServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/base/GetStats.java create mode 100644 base/common/src/com/netscape/cms/servlet/base/IndexServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/base/PortsServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/base/ProxyServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/base/SystemInfoServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/base/UserInfo.java create mode 100644 base/common/src/com/netscape/cms/servlet/base/model/Link.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/ChallengeRevocationServlet1.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/CloneRedirect.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/DirAuthServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/DisableEnrollResult.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/DisplayBySerial.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/DisplayCRL.java create mode 100644 
base/common/src/com/netscape/cms/servlet/cert/DisplayHashUserEnroll.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/DoRevoke.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/EnableEnrollResult.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/EnrollServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/GetBySerial.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/GetCAChain.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/GetCRL.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/GetCertFromRequest.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/GetEnableStatus.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/GetInfo.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/HashEnrollServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/ImportCertsTemplateFiller.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/ListCerts.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/Monitor.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/ReasonToRevoke.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/RemoteAuthConfig.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/RenewalServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/RevocationSuccessTemplateFiller.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/SrchCerts.java create mode 100644 
base/common/src/com/netscape/cms/servlet/cert/UpdateCRL.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/UpdateDir.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/model/CertificateData.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/scep/ChallengePassword.java create mode 100644 base/common/src/com/netscape/cms/servlet/cert/scep/ExtensionsRequested.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/AuthCredentials.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/CMSFile.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/CMSFileLoader.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/CMSGWResources.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/CMSGateway.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/CMSLoadTemplate.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/CMSRequest.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/CMSTemplate.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/CMSTemplateParams.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/ECMSGWException.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/GenErrorTemplateFiller.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/GenRejectedTemplateFiller.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/GenSuccessTemplateFiller.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/GenSvcPendingTemplateFiller.java create mode 100644 
base/common/src/com/netscape/cms/servlet/common/GenUnauthorizedTemplateFiller.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/GenUnexpectedErrorTemplateFiller.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/ICMSTemplateFiller.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/IRawJS.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/IndexTemplateFiller.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/RawJS.java create mode 100644 base/common/src/com/netscape/cms/servlet/common/ServletUtils.java create mode 100644 base/common/src/com/netscape/cms/servlet/connector/CloneServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/connector/ConnectorServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/AuthenticatePanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/BackupKeyCertPanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/BaseServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/Cert.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/CertPrettyPrintPanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java create mode 100644 
base/common/src/com/netscape/cms/servlet/csadmin/CheckIdentity.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/ConfigBaseServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/ConfigCertReqServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/ConfigCloneServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/ConfigDatabaseServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/ConfigHSMLoginPanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/ConfigHSMServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/ConfigImportCertServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/ConfigJoinServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/ConfigRootCAServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/DatabaseServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/DisplayCertChainPanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/DisplayServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/DownloadPKCS12.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/GetCertChain.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/GetConfigEntries.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/GetCookie.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/GetDomainXML.java create mode 100644 
base/common/src/com/netscape/cms/servlet/csadmin/GetStatus.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/GetSubsystemCert.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/GetTransportCert.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/HierarchyPanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java create mode 100755 base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/ImportTransportCert.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/LoginServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/MainPageServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/ModulePanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/ModuleServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/RegisterUser.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/SavePKCS12Panel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainLogin.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainSessionTable.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/SessionTimer.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java create mode 100644 
base/common/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/WelcomePanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/WelcomeServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java create mode 100644 base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java create mode 100644 base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java create mode 100644 base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java create mode 100644 base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/ConfirmRecoverBySerial.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/DisplayBySerial.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/DisplayBySerialForRecovery.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/DisplayTransport.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/ExamineRecovery.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/GetApprovalStatus.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/GetAsyncPk12.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/GetPk12.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/GrantRecovery.java create mode 100644 
base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/KeyResource.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/KeyResourceService.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/KeysResource.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/RecoverBySerial.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/SrchKey.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/SrchKeyForRecovery.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/model/KeyDAO.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/model/KeyData.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/model/KeyDataInfo.java create mode 100644 base/common/src/com/netscape/cms/servlet/key/model/KeyDataInfos.java create mode 100644 base/common/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/ocsp/CheckCertServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/ocsp/GetOCSPInfo.java create mode 100644 base/common/src/com/netscape/cms/servlet/ocsp/ListCAServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/processors/CMCProcessor.java create mode 100644 base/common/src/com/netscape/cms/servlet/processors/CRMFProcessor.java create mode 100644 base/common/src/com/netscape/cms/servlet/processors/IPKIProcessor.java create mode 100644 base/common/src/com/netscape/cms/servlet/processors/KeyGenProcessor.java create mode 100644 
base/common/src/com/netscape/cms/servlet/processors/PKCS10Processor.java create mode 100644 base/common/src/com/netscape/cms/servlet/processors/PKIProcessor.java create mode 100644 base/common/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/profile/ProfileListServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/profile/ProfileSelectServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/profile/SSLClientCertProvider.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/CertReqParser.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/CheckRequest.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/IReqParser.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/KeyReqParser.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/KeyRequestResource.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/KeyRequestResourceService.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/KeyRequestsResource.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/ProcessCertReq.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/ProcessReq.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/QueryReq.java create mode 
100644 base/common/src/com/netscape/cms/servlet/request/ReqParser.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/SearchReqs.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/model/ArchivalRequestData.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/model/KeyRequestDAO.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/model/KeyRequestInfo.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/model/KeyRequestInfos.java create mode 100644 base/common/src/com/netscape/cms/servlet/request/model/RecoveryRequestData.java create mode 100644 base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java create mode 100644 base/common/src/com/netscape/cms/servlet/wizard/IWizardPanel.java create mode 100644 base/common/src/com/netscape/cms/servlet/wizard/WizardServlet.java create mode 100644 base/common/src/com/netscape/cms/shares/OldJoinShares.java create mode 100644 base/common/src/com/netscape/cms/shares/OldShare.java create mode 100644 base/common/src/com/netscape/cmscore/apps/CMSEngine.java create mode 100644 base/common/src/com/netscape/cmscore/apps/CommandQueue.java create mode 100644 base/common/src/com/netscape/cmscore/apps/PKIServerEvent.java create mode 100644 base/common/src/com/netscape/cmscore/apps/PKIServerListener.java create mode 100644 base/common/src/com/netscape/cmscore/apps/Setup.java create mode 100644 base/common/src/com/netscape/cmscore/apps/Upgrade.java create mode 100644 base/common/src/com/netscape/cmscore/authentication/AuthSubsystem.java create mode 100644 base/common/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java create mode 100644 base/common/src/com/netscape/cmscore/authentication/ChallengePhraseAuthentication.java create mode 100644 base/common/src/com/netscape/cmscore/authentication/NullAuthentication.java create mode 100644 base/common/src/com/netscape/cmscore/authentication/PasswdUserDBAuthentication.java 
create mode 100644 base/common/src/com/netscape/cmscore/authentication/SSLClientCertAuthentication.java create mode 100644 base/common/src/com/netscape/cmscore/authentication/VerifiedCert.java create mode 100644 base/common/src/com/netscape/cmscore/authentication/VerifiedCerts.java create mode 100644 base/common/src/com/netscape/cmscore/authorization/AuthzSubsystem.java create mode 100644 base/common/src/com/netscape/cmscore/base/ArgBlock.java create mode 100644 base/common/src/com/netscape/cmscore/base/FileConfigStore.java create mode 100644 base/common/src/com/netscape/cmscore/base/JDialogPasswordCallback.java create mode 100644 base/common/src/com/netscape/cmscore/base/PropConfigStore.java create mode 100644 base/common/src/com/netscape/cmscore/base/SimpleProperties.java create mode 100644 base/common/src/com/netscape/cmscore/base/SourceConfigStore.java create mode 100644 base/common/src/com/netscape/cmscore/base/SubsystemLoader.java create mode 100644 base/common/src/com/netscape/cmscore/base/SubsystemRegistry.java create mode 100644 base/common/src/com/netscape/cmscore/cert/CertDateCompare.java create mode 100644 base/common/src/com/netscape/cmscore/cert/CertPrettyPrint.java create mode 100644 base/common/src/com/netscape/cmscore/cert/CertUtils.java create mode 100644 base/common/src/com/netscape/cmscore/cert/CertificatePair.java create mode 100644 base/common/src/com/netscape/cmscore/cert/CrlCachePrettyPrint.java create mode 100644 base/common/src/com/netscape/cmscore/cert/CrlPrettyPrint.java create mode 100644 base/common/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java create mode 100644 base/common/src/com/netscape/cmscore/cert/ExtPrettyPrint.java create mode 100644 base/common/src/com/netscape/cmscore/cert/OidLoaderSubsystem.java create mode 100644 base/common/src/com/netscape/cmscore/cert/PrettyPrintFormat.java create mode 100644 base/common/src/com/netscape/cmscore/cert/PrettyPrintResources.java create mode 100644 
base/common/src/com/netscape/cmscore/cert/PubKeyPrettyPrint.java create mode 100644 base/common/src/com/netscape/cmscore/cert/X500NameSubsystem.java create mode 100644 base/common/src/com/netscape/cmscore/connector/HttpConnFactory.java create mode 100644 base/common/src/com/netscape/cmscore/connector/HttpConnection.java create mode 100644 base/common/src/com/netscape/cmscore/connector/HttpConnector.java create mode 100644 base/common/src/com/netscape/cmscore/connector/HttpPKIMessage.java create mode 100644 base/common/src/com/netscape/cmscore/connector/HttpRequestEncoder.java create mode 100644 base/common/src/com/netscape/cmscore/connector/LocalConnector.java create mode 100644 base/common/src/com/netscape/cmscore/connector/RemoteAuthority.java create mode 100644 base/common/src/com/netscape/cmscore/connector/RequestTransfer.java create mode 100644 base/common/src/com/netscape/cmscore/connector/Resender.java create mode 100644 base/common/src/com/netscape/cmscore/crmf/CRMFParser.java create mode 100644 base/common/src/com/netscape/cmscore/crmf/PKIArchiveOptionsContainer.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/BigIntegerMapper.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/ByteArrayMapper.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/CRLDBSchema.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/CRLIssuingPointRecord.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/CRLRepository.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/CertDBSchema.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/CertRecord.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/CertRecordList.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/CertRecordMapper.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/DBRegistry.java create mode 100644 
base/common/src/com/netscape/cmscore/dbs/DBSSession.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/DBSUtil.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/DBSearchResults.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/DBVirtualList.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/DateArrayMapper.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/DateMapper.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/IntegerMapper.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/KeyDBSchema.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/KeyRecord.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/KeyRecordList.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/KeyRecordMapper.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/KeyRepository.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/KeyStateMapper.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/LdapFilterConverter.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/LongMapper.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/MetaInfoMapper.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/ObjectStreamMapper.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/PublicKeyMapper.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/ReplicaIDRepository.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/Repository.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/RepositoryRecord.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/RepositorySchema.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/RevocationInfo.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/RevocationInfoMapper.java create mode 100644 
base/common/src/com/netscape/cmscore/dbs/StringMapper.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/StringVectorMapper.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/X500NameMapper.java create mode 100644 base/common/src/com/netscape/cmscore/dbs/X509CertImplMapper.java create mode 100644 base/common/src/com/netscape/cmscore/extensions/CMSExtensionsMap.java create mode 100644 base/common/src/com/netscape/cmscore/extensions/KeyUsage.java create mode 100644 base/common/src/com/netscape/cmscore/jobs/CronItem.java create mode 100644 base/common/src/com/netscape/cmscore/jobs/CronRange.java create mode 100644 base/common/src/com/netscape/cmscore/jobs/JobCron.java create mode 100644 base/common/src/com/netscape/cmscore/jobs/JobsScheduler.java create mode 100644 base/common/src/com/netscape/cmscore/ldap/LdapAndExpression.java create mode 100644 base/common/src/com/netscape/cmscore/ldap/LdapConnModule.java create mode 100644 base/common/src/com/netscape/cmscore/ldap/LdapOrExpression.java create mode 100644 base/common/src/com/netscape/cmscore/ldap/LdapPredicateParser.java create mode 100644 base/common/src/com/netscape/cmscore/ldap/LdapPublishModule.java create mode 100644 base/common/src/com/netscape/cmscore/ldap/LdapRequestListener.java create mode 100644 base/common/src/com/netscape/cmscore/ldap/LdapRule.java create mode 100644 base/common/src/com/netscape/cmscore/ldap/LdapSimpleExpression.java create mode 100644 base/common/src/com/netscape/cmscore/ldap/PublishObject.java create mode 100644 base/common/src/com/netscape/cmscore/ldap/PublisherProcessor.java create mode 100644 base/common/src/com/netscape/cmscore/ldapconn/LdapAnonConnFactory.java create mode 100644 base/common/src/com/netscape/cmscore/ldapconn/LdapAnonConnection.java create mode 100644 base/common/src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java create mode 100644 base/common/src/com/netscape/cmscore/ldapconn/LdapBoundConnFactory.java create mode 100644 
base/common/src/com/netscape/cmscore/ldapconn/LdapBoundConnection.java create mode 100644 base/common/src/com/netscape/cmscore/ldapconn/LdapConnInfo.java create mode 100644 base/common/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java create mode 100644 base/common/src/com/netscape/cmscore/listeners/ListenerPlugin.java create mode 100644 base/common/src/com/netscape/cmscore/logging/AuditEventFactory.java create mode 100644 base/common/src/com/netscape/cmscore/logging/AuditFormat.java create mode 100644 base/common/src/com/netscape/cmscore/logging/LogQueue.java create mode 100644 base/common/src/com/netscape/cmscore/logging/LogSubsystem.java create mode 100644 base/common/src/com/netscape/cmscore/logging/Logger.java create mode 100644 base/common/src/com/netscape/cmscore/logging/SignedAuditEventFactory.java create mode 100644 base/common/src/com/netscape/cmscore/logging/SignedAuditLogger.java create mode 100644 base/common/src/com/netscape/cmscore/logging/SystemEventFactory.java create mode 100644 base/common/src/com/netscape/cmscore/notification/EmailFormProcessor.java create mode 100644 base/common/src/com/netscape/cmscore/notification/EmailResolverKeys.java create mode 100644 base/common/src/com/netscape/cmscore/notification/EmailTemplate.java create mode 100644 base/common/src/com/netscape/cmscore/notification/ReqCertEmailResolver.java create mode 100644 base/common/src/com/netscape/cmscore/notification/ReqCertSANameEmailResolver.java create mode 100644 base/common/src/com/netscape/cmscore/policy/AndExpression.java create mode 100644 base/common/src/com/netscape/cmscore/policy/GeneralNameUtil.java create mode 100644 base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java create mode 100644 base/common/src/com/netscape/cmscore/policy/JavaScriptRequestProxy.java create mode 100644 base/common/src/com/netscape/cmscore/policy/OrExpression.java create mode 100644 base/common/src/com/netscape/cmscore/policy/PolicyPredicateParser.java 
create mode 100644 base/common/src/com/netscape/cmscore/policy/PolicySet.java create mode 100644 base/common/src/com/netscape/cmscore/policy/SimpleExpression.java create mode 100644 base/common/src/com/netscape/cmscore/profile/ProfileSubsystem.java create mode 100644 base/common/src/com/netscape/cmscore/realm/ACL.java create mode 100644 base/common/src/com/netscape/cmscore/realm/ACLEntry.java create mode 100644 base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java create mode 100644 base/common/src/com/netscape/cmscore/registry/PluginInfo.java create mode 100644 base/common/src/com/netscape/cmscore/registry/PluginRegistry.java create mode 100644 base/common/src/com/netscape/cmscore/request/ARequestQueue.java create mode 100644 base/common/src/com/netscape/cmscore/request/ARequestRecord.java create mode 100644 base/common/src/com/netscape/cmscore/request/CertRequestConstants.java create mode 100644 base/common/src/com/netscape/cmscore/request/ExtDataHashtable.java create mode 100644 base/common/src/com/netscape/cmscore/request/RequestAttr.java create mode 100644 base/common/src/com/netscape/cmscore/request/RequestQueue.java create mode 100644 base/common/src/com/netscape/cmscore/request/RequestRecord.java create mode 100644 base/common/src/com/netscape/cmscore/request/RequestRepository.java create mode 100644 base/common/src/com/netscape/cmscore/request/RequestSubsystem.java create mode 100644 base/common/src/com/netscape/cmscore/request/Schema.java create mode 100644 base/common/src/com/netscape/cmscore/security/CASigningCert.java create mode 100644 base/common/src/com/netscape/cmscore/security/CertificateInfo.java create mode 100644 base/common/src/com/netscape/cmscore/security/JssSubsystem.java create mode 100644 base/common/src/com/netscape/cmscore/security/KRATransportCert.java create mode 100644 base/common/src/com/netscape/cmscore/security/KeyCertUtil.java create mode 100644 base/common/src/com/netscape/cmscore/security/OCSPSigningCert.java create mode 
100644 base/common/src/com/netscape/cmscore/security/PWCBsdr.java create mode 100644 base/common/src/com/netscape/cmscore/security/PWUtil.java create mode 100644 base/common/src/com/netscape/cmscore/security/PWsdrCache.java create mode 100644 base/common/src/com/netscape/cmscore/security/Provider.java create mode 100644 base/common/src/com/netscape/cmscore/security/RASigningCert.java create mode 100644 base/common/src/com/netscape/cmscore/security/SSLCert.java create mode 100644 base/common/src/com/netscape/cmscore/security/SSLSelfSignedCert.java create mode 100644 base/common/src/com/netscape/cmscore/security/SubsystemCert.java create mode 100644 base/common/src/com/netscape/cmscore/selftests/SelfTestOrderedInstance.java create mode 100644 base/common/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java create mode 100644 base/common/src/com/netscape/cmscore/time/SimpleTimeSource.java create mode 100644 base/common/src/com/netscape/cmscore/usrgrp/CertDNCertUserLocator.java create mode 100644 base/common/src/com/netscape/cmscore/usrgrp/ExactMatchCertUserLocator.java create mode 100644 base/common/src/com/netscape/cmscore/usrgrp/Group.java create mode 100644 base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java create mode 100644 base/common/src/com/netscape/cmscore/usrgrp/User.java create mode 100644 base/common/src/com/netscape/cmscore/util/Assert.java create mode 100644 base/common/src/com/netscape/cmscore/util/AssertionException.java create mode 100644 base/common/src/com/netscape/cmscore/util/Debug.java create mode 100644 base/common/src/com/netscape/cmscore/util/ExceptionFormatter.java create mode 100644 base/common/src/com/netscape/cmscore/util/FileAsString.java create mode 100644 base/common/src/com/netscape/cmscore/util/FileDialogFilter.java create mode 100644 base/common/src/com/netscape/cmscore/util/PFXUtils.java create mode 100644 base/common/src/com/netscape/cmscore/util/ProfileSubsystem.java create mode 100644 
base/common/src/com/netscape/cmscore/util/StatsSubsystem.java create mode 100644 base/common/src/com/netscape/cmscore/util/UtilMessage.java create mode 100644 base/common/src/com/netscape/cmscore/util/UtilResources.java create mode 100644 base/common/test/CMakeLists.txt create mode 100644 base/common/test/com/netscape/certsrv/app/CMSEngineDefaultStub.java create mode 100644 base/common/test/com/netscape/certsrv/authentication/AuthTokenTest.java create mode 100644 base/common/test/com/netscape/certsrv/logging/LoggerDefaultStub.java create mode 100644 base/common/test/com/netscape/certsrv/request/AgentApprovalsTest.java create mode 100644 base/common/test/com/netscape/cmscore/dbs/CertRecordListTest.java create mode 100644 base/common/test/com/netscape/cmscore/dbs/DBRegistryDefaultStub.java create mode 100644 base/common/test/com/netscape/cmscore/dbs/DBRegistryTest.java create mode 100644 base/common/test/com/netscape/cmscore/dbs/DBSSessionDefaultStub.java create mode 100644 base/common/test/com/netscape/cmscore/dbs/DBSubsystemDefaultStub.java create mode 100644 base/common/test/com/netscape/cmscore/dbs/DBVirtualListDefaultStub.java create mode 100644 base/common/test/com/netscape/cmscore/dbs/RequestRecordDefaultStub.java create mode 100644 base/common/test/com/netscape/cmscore/request/DBDynAttrMapperDefaultStub.java create mode 100644 base/common/test/com/netscape/cmscore/request/ExtAttrDynMapperTest.java create mode 100644 base/common/test/com/netscape/cmscore/request/ExtDataHashtableTest.java create mode 100644 base/common/test/com/netscape/cmscore/request/RequestDefaultStub.java create mode 100644 base/common/test/com/netscape/cmscore/request/RequestModDefaultStub.java create mode 100644 base/common/test/com/netscape/cmscore/request/RequestQueueTest.java create mode 100644 base/common/test/com/netscape/cmscore/request/RequestRecordTest.java create mode 100644 base/common/test/com/netscape/cmscore/request/RequestTest.java create mode 100644 
base/common/test/com/netscape/cmscore/test/CMSBaseTestCase.java create mode 100644 base/common/test/com/netscape/cmscore/test/TestHelper.java create mode 100644 base/console/CMakeLists.txt create mode 100644 base/console/LICENSE create mode 100644 base/console/src/CMakeLists.txt create mode 100644 base/console/src/com/netscape/admin/certsrv/AttrCellRenderer.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSAdmin.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSAdminResources.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSAdminUtil.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSBaseMenuInfo.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSBasePanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSBaseResourceModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSCAUILoader.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSCCMUILoader.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSContentTableModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSEAUILoader.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSKernelUILoader.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSMessageBox.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSOCSPUILoader.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSPageFeeder.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSPassword.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSRAUILoader.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSRemoteClassLoader.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSResourceObject.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSResourcePage.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/CMSServerInfo.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSTableModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSTaskModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSTaskObject.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CMSUIFramework.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CellEditorData.java create mode 100644 base/console/src/com/netscape/admin/certsrv/Console.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CustomComboBox.java create mode 100644 base/console/src/com/netscape/admin/certsrv/CustomComboBoxModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/DefaultTableCellEditor.java create mode 100644 base/console/src/com/netscape/admin/certsrv/EAdminException.java create mode 100644 base/console/src/com/netscape/admin/certsrv/GenericCellEditor.java create mode 100644 base/console/src/com/netscape/admin/certsrv/GenericCellRenderer.java create mode 100644 base/console/src/com/netscape/admin/certsrv/HourGlass.java create mode 100644 base/console/src/com/netscape/admin/certsrv/IAttributeContent.java create mode 100644 base/console/src/com/netscape/admin/certsrv/IConnectionListener.java create mode 100644 base/console/src/com/netscape/admin/certsrv/IDataProcessor.java create mode 100644 base/console/src/com/netscape/admin/certsrv/IDisplayPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/IEditorPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/IFilterPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/IMenuAction.java create mode 100644 base/console/src/com/netscape/admin/certsrv/IRefreshTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/IRefreshTabPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/IResourceSelectionListener.java create 
mode 100644 base/console/src/com/netscape/admin/certsrv/ISubSystemUILoader.java create mode 100644 base/console/src/com/netscape/admin/certsrv/IUIMapper.java create mode 100644 base/console/src/com/netscape/admin/certsrv/LabelCellRenderer.java create mode 100644 base/console/src/com/netscape/admin/certsrv/MultilineLabelUI.java create mode 100644 base/console/src/com/netscape/admin/certsrv/PasswordCellRenderer.java create mode 100644 base/console/src/com/netscape/admin/certsrv/StatusItemContinuousProgress.java create mode 100644 base/console/src/com/netscape/admin/certsrv/UIMapperRegistry.java create mode 100644 base/console/src/com/netscape/admin/certsrv/certsrv-help.properties create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ACIDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ACLDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ACLEditDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ACLImplDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ACLImplTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ACLPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/AutoRecoveryModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CACertsTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSAccessLogPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSAuditLogPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSAutoRecovery.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSBaseConfigDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSBaseConfigPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSBaseLDAPPanel.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/config/CMSBaseLogPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSBaseTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSBlankPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSCACertSettingPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSCAConnectorPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSCAGeneralPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSCALDAPPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSCRLCachePanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSCRLFormatPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSCRLIPPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSCRLSettingPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSCertSettingPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSCipherPreferenceDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSCipherPreferencePane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSEAGeneralPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSEncryptionPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSErrorLogPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSKRAAutoPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSKRAPasswdPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSKRASchemePanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSLDAPSettingPanel.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/config/CMSNetworkPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSOCSPGeneralPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSPasswordDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSPluginInstanceTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSRACLMPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSRAConnectorPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSRAGeneralPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSRALDAPPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSRuleDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSSMTPPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSSNMPPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSSSL2CipherPreference.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSSSL2CipherSet.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSSSL3CipherPreference.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSSSL3CipherSet.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSSelfTestsPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSTabPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMSUserCertSettingPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CMStoAdminEncryptionPane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CRLExtensionsConfigDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CRLExtensionsInstanceTab.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/config/CRLExtensionsPluginSelectionDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CRLExtensionsRuleDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/CRLIPEditor.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ConfigTableModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ConnectorEditor.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/EvaluatorRegisterDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/GeneralLogPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/JobsConfigDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/JobsImplDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/JobsImplTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/JobsInstanceTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/JobsPluginSelectionDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/JobsRegisterDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/JobsRuleDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/JobsSettingPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/KeyCreateDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ListCertsModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ListKeysModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/LogConfigDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/LogImplDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/LogImplTab.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/config/LogInstanceTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/LogPluginSelectionDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/LogRegisterDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/LogRuleDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/MNSchemeWizard.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/MNSchemeWizardInfo.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/MapperConfigDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/MapperImplDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/MapperImplTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/MapperInstanceTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/MapperPluginSelectionDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/MapperRegisterDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/MapperRuleDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/OCSPStoresConfigDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/OCSPStoresInstanceTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/OCSPStoresPluginSelectionDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/OCSPStoresRuleDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/PanelMapperConfigDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/PluginSelectionDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/PolicyConfigDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/PolicyImplDataModel.java create 
mode 100644 base/console/src/com/netscape/admin/certsrv/config/PolicyImplTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/PolicyInstanceTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/PolicyPluginSelectionDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/PolicyRegisterDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/PolicyRuleDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/PolicyRuleOrderDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfileComponentCellEditor.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfileConfigDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfileConfigDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfileDataTable.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfileEditDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfileEditDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfileImplDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfileImplTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfileInstanceTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfileListDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfileNonPolicyNewDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfileNonPolicySelDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfilePluginSelectionDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfilePolicyEditDataModel.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/config/ProfilePolicyEditDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfilePolicyNewDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfilePolicySelectionDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfileRegisterDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ProfileRuleDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/PublisherConfigDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/PublisherImplDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/PublisherImplTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/PublisherInstanceTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/PublisherPluginSelectionDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/PublisherRegisterDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/PublisherRuleDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/RegisterDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/RuleConfigDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/RuleImplDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/RuleImplTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/RuleInstanceTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/RulePluginSelectionDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/RuleRegisterDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/RuleRuleDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/TKSKeysTab.java create mode 
100644 base/console/src/com/netscape/admin/certsrv/config/UserCertsTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ViewDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ViewSelfTestsDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/ViewTableModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/WBaseCertExtensionPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/WBaseCertRequestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/WBaseDNPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/WBaseDNValidityPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/WBaseKeyPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/WBaseManualCertRequestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/WBaseValidityPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/WMNNewAgent.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/WMNOldAgent.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/WMNResultPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/WMNSelection.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/WMessageDigestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/WarningDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/ComponentCellRenderer.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/InstallWizard.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/InstallWizardInfo.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIAdminPage.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/config/install/WIAllCertsInstalledPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICACert1CustomPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICACert1Page.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICACert2Page.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICACertDNPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICACertExtensionPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICACertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICACertSubmitPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICACertValidityPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICAKeyPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICAMessageDigestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICAOCSPServicePage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICARequestResultPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICASerialNumberPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICATokenLogonPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICertDNPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICertExtensionPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICertRequestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICertSetupStatusPage.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/config/install/WICertSubmitPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICertValidityPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICloneCAKeyCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICloneKRAKeyCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICloneMasterPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICloneOCSPKeyCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIClonePage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICloneRAKeyCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICloneTKSKeyCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIConfigWebServerPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WICreateInternalDBPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIDBEnrollPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIDisplayCACertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIDisplayCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIDisplayKRACertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIDisplayOCSPCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIDisplayRACertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIDisplaySSLCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIExistingDBPage.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/config/install/WIGenCAKeyCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIGenCAKeyCertReqPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIGenKRAKeyCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIGenKRAKeyCertReqPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIGenKeyCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIGenKeyCertReqPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIGenOCSPKeyCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIGenOCSPKeyCertReqPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIGenRAKeyCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIGenRAKeyCertReqPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIGenSSLKeyCertReqPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIGenServerKeyCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIInstallCACertStatusPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIInstallCAIntroPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIInstallCert1Page.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIInstallCert2Page.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIInstallCertStatusPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIInstallIntroPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIInstallKRACertStatusPage.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/config/install/WIInstallKRAIntroPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIInstallOCSPCertStatusPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIInstallOCSPIntroPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIInstallRACertStatusPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIInstallRAIntroPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIInstallSSLCertStatusPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIInstallSSLIntroPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIInternalDBInfoPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIInternalDBPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIInternalTokenLogonPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIIntroMigrationPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIIntroPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIIntroSingleSignonPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIKRACertDNPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIKRACertExtensionPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIKRACertSubmitPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIKRACertValidityPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIKRAKeyPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIKRAMessageDigestPage.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/config/install/WIKRANumberPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIKRARequestResultPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIKRAScheme1Page.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIKRAScheme2Page.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIKRAStorageKeyPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIKRATokenLogonPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIKeyPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WILDAPPublishingPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WILoggingPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WILogonAllTokensPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIManualCACertRequestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIManualCertRequestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIManualKRACertRequestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIManualOCSPCertRequestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIManualRACertRequestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIManualSSLCertRequestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIMasterOrClone.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIMigrationPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WINetworkPage.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/config/install/WIOCSPCertDNPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIOCSPCertSubmitPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIOCSPKeyPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIOCSPMessageDigestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIOCSPRequestResultPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIOCSPTokenLogonPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIPasteCACertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIPasteCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIPasteKRACertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIPasteOCSPCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIPasteRACertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIPasteSSLCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIRACertDNPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIRACertExtensionPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIRACertSubmitPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIRACertValidityPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIRAKeyPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIRAMessageDigestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIRARequestResultPage.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/config/install/WIRATokenLogonPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIRecreateDBPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIRemoteCASubsystem.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIRemoteKRASubsystem.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIReplAgreementPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIRequestResultPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WISMTPPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WISSLMessageDigestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WISSLRequestResultPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WISSLTokenLogonPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIServerCertDNPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIServerCertExtensionPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIServerCertSubmitPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIServerCertValidityPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIServerKeyPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WIServicesPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WISingleSignonPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WITokenLogonPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/config/install/WITrustDBPage.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/connection/AdminConnection.java create mode 100644 base/console/src/com/netscape/admin/certsrv/connection/BasicAuthenticator.java create mode 100644 base/console/src/com/netscape/admin/certsrv/connection/IAuthenticator.java create mode 100644 base/console/src/com/netscape/admin/certsrv/connection/IConnection.java create mode 100644 base/console/src/com/netscape/admin/certsrv/connection/IConnectionFactory.java create mode 100644 base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java create mode 100644 base/console/src/com/netscape/admin/certsrv/connection/PromptForTrustDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/connection/Request.java create mode 100644 base/console/src/com/netscape/admin/certsrv/connection/Response.java create mode 100644 base/console/src/com/netscape/admin/certsrv/connection/SSLConnectionFactory.java create mode 100644 base/console/src/com/netscape/admin/certsrv/images/CertificateServer.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/CertificateServerL.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/LOGobjs.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/UGobjs.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/acl.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/aclobj.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/aclplugin.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/alertl.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/allfolder16n.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/allgroup16n.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/alllogdoc16n.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/alllogfolder16n.gif create mode 100644 
base/console/src/com/netscape/admin/certsrv/images/alluser16n.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/alluserwithcert16n.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/auth.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/authobj.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/authplugin.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/cert24.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/cert41.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/cert42.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/cms-branding.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/error.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/genobject.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/jobobj.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/jobplugin.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/jobs.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/ldapub.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/messagel.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/notsecure.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/plug.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/plugin.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/pluginfolder.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/red-ball-small.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/rule-16.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/ruleDisable-16.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/ruleplugin-16.gif create mode 
100644 base/console/src/com/netscape/admin/certsrv/images/rulesobj.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/secure.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/servlet-16.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/servlet-plugin-16.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/images/servletobj.gif create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/CertSetupWizard.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/CertSetupWizardInfo.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WCACertRequest1Page.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WCAKeyPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WCertDNPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WCertDNValidityPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WCertExtensionPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WCertMessageDigestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WCertRequestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WCertTypePage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WCertValidityPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WDisplayCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WExecute1Page.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WExecutePage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WGenerateReqPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WInstallCertChainPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WInstallOpPage.java 
create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WInstallStatusPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WIntroInstallCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WIntroPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WIssueImportStatusPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WKeyPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WManualCertRequestPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WOperationSelectionPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WOtherCertRequest1Page.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WPasteCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WRAKeyPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WRequestStatusPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WSSLKeyPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WTokenLogonPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WTokenSelectionPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WWarningExecute1Page.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WWarningExecutePage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/keycert/WWarningPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/managecert/CertificateInfoDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/managecert/ManageCertDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/managecert/ManageCertModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/menu/CertManagementAction.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/menu/KeyCertAction.java create mode 100644 base/console/src/com/netscape/admin/certsrv/menu/PKCS11ManagementAction.java create mode 100644 base/console/src/com/netscape/admin/certsrv/menu/RefreshTabPane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/misc/MessageFormatter.java create mode 100644 base/console/src/com/netscape/admin/certsrv/notification/RequestCompletePanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/notification/RequestInQPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/notification/RequestRevokedPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/AbstractCipher.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/AbstractCipherPreference.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CRLAddCertDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CRLCertInfoPane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CRLDeleteCertDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CRLManagementDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CRLTable.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CRLTableModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CertBasicInfo.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CertDetailInfoDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CertInfo.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CertInfoDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CertInstallCertInfoPane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CertInstallCertPane.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/security/CertInstallTypePane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CertListTable.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CertListTableModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CertManagementDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CertRequestCertPane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CertRequestEnterPasswordPane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CertRequestInfoPane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CertRequestSelectTokenPane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CertRequestTypePane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/ChangeKeyPasswordDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CipherEntry.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CipherPreferenceDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CipherResourceSet.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/Comm.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/CreateTrustPane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/EncryptionPane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/GuideCertInstallPane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/GuideCertRequestPane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/GuideCreateTrustPane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/GuideIntroPane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/IAbstractCipherSet.java 
create mode 100644 base/console/src/com/netscape/admin/certsrv/security/ICipherConstants.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/IEncryptionPaneListener.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/IKeyCertPage.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/KeyCertTaskInfo.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/KeyCertUtility.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/KeyCertWizard.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/Message.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/MessageDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/PKCS11AddModuleDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/PKCS11ManagementDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/Response.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/SSL2CipherPreference.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/SSL2CipherSet.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/SSL3CipherPreference.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/SSL3CipherSet.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/StatusPane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/ToggleCipherPreferencePane.java create mode 100644 base/console/src/com/netscape/admin/certsrv/security/WizardObservable.java create mode 100644 base/console/src/com/netscape/admin/certsrv/status/AccessLogDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/status/AuditLogDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/status/CMSLogPanel.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/status/DefaultLogParser.java create mode 100644 base/console/src/com/netscape/admin/certsrv/status/ErrorLogDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/status/ILogParser.java create mode 100644 base/console/src/com/netscape/admin/certsrv/status/LogDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/status/LogEntryViewDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/status/LogInstancePanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/status/StatusPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/task/AuthDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/task/CGITask.java create mode 100644 base/console/src/com/netscape/admin/certsrv/task/CMSCertRequest.java create mode 100644 base/console/src/com/netscape/admin/certsrv/task/CMSConfigCert.java create mode 100644 base/console/src/com/netscape/admin/certsrv/task/CMSImportCert.java create mode 100644 base/console/src/com/netscape/admin/certsrv/task/CMSMigrateCreate.java create mode 100644 base/console/src/com/netscape/admin/certsrv/task/CMSRemove.java create mode 100644 base/console/src/com/netscape/admin/certsrv/task/CMSRequestCert.java create mode 100644 base/console/src/com/netscape/admin/certsrv/task/CMSRestart.java create mode 100644 base/console/src/com/netscape/admin/certsrv/task/CMSStart.java create mode 100644 base/console/src/com/netscape/admin/certsrv/task/CMSStartDaemon.java create mode 100644 base/console/src/com/netscape/admin/certsrv/task/CMSStatus.java create mode 100644 base/console/src/com/netscape/admin/certsrv/task/CMSStop.java create mode 100644 base/console/src/com/netscape/admin/certsrv/task/CreateInstanceDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/task/KeyCert.java create mode 100644 base/console/src/com/netscape/admin/certsrv/task/StatusDialog.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/ug/AuthBaseDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/AuthConfigDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/AuthImplDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/AuthImplTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/AuthInstanceTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/AuthPluginSelectionDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/AuthRegisterDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/AuthRuleDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/AuthViewDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/CMSBaseUGTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/CMSUGTabPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/CertDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/CertImportDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/CertManagementDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/CertViewDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/GroupDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/GroupEditor.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/GroupListDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/GroupListDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/GroupTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/MemberDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/UserDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/UserEditor.java create mode 100644 
base/console/src/com/netscape/admin/certsrv/ug/UserListDataModel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/UserListDialog.java create mode 100644 base/console/src/com/netscape/admin/certsrv/ug/UserTab.java create mode 100644 base/console/src/com/netscape/admin/certsrv/wizard/ConfigServlet.java create mode 100644 base/console/src/com/netscape/admin/certsrv/wizard/IWizardDone.java create mode 100644 base/console/src/com/netscape/admin/certsrv/wizard/IWizardPanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/wizard/WizardBasePanel.java create mode 100644 base/console/src/com/netscape/admin/certsrv/wizard/WizardInfo.java create mode 100644 base/console/src/com/netscape/admin/certsrv/wizard/WizardWidget.java create mode 100644 base/console/src/com/netscape/certsrv/common/ConfigConstants.java create mode 100644 base/console/src/com/netscape/certsrv/common/Constants.java create mode 100644 base/console/src/com/netscape/certsrv/common/DestDef.java create mode 100644 base/console/src/com/netscape/certsrv/common/NameValuePairs.java create mode 100644 base/console/src/com/netscape/certsrv/common/OpDef.java create mode 100644 base/console/src/com/netscape/certsrv/common/PrefixDef.java create mode 100644 base/console/src/com/netscape/certsrv/common/ScopeDef.java create mode 100644 base/console/src/com/netscape/certsrv/common/TaskId.java create mode 100644 base/console/templates/CMakeLists.txt create mode 100755 base/console/templates/pki_console_wrapper create mode 100644 base/deploy/CMakeLists.txt create mode 100644 base/deploy/LICENSE create mode 100644 base/deploy/config/pkideployment.cfg create mode 100755 base/deploy/src/pkidestroy create mode 100755 base/deploy/src/pkispawn create mode 100644 base/deploy/src/scriptlets/instance.py create mode 100644 base/deploy/src/scriptlets/pkiconfig.py create mode 100644 base/deploy/src/scriptlets/pkihelper.py create mode 100644 base/deploy/src/scriptlets/pkilogging.py create mode 
100644 base/deploy/src/scriptlets/pkimessages.py create mode 100644 base/deploy/src/scriptlets/pkiscriptlet.py create mode 100644 base/deploy/src/scriptlets/security_databases.py create mode 100644 base/java-tools/CMakeLists.txt create mode 100644 base/java-tools/LICENSE create mode 100644 base/java-tools/doc/README create mode 100644 base/java-tools/src/CMakeLists.txt create mode 100644 base/java-tools/src/com/netscape/cmstools/AtoB.java create mode 100644 base/java-tools/src/com/netscape/cmstools/AuditVerify.java create mode 100644 base/java-tools/src/com/netscape/cmstools/BtoA.java create mode 100644 base/java-tools/src/com/netscape/cmstools/CMCEnroll.java create mode 100644 base/java-tools/src/com/netscape/cmstools/CMCRequest.java create mode 100644 base/java-tools/src/com/netscape/cmstools/CMCResponse.java create mode 100644 base/java-tools/src/com/netscape/cmstools/CMCRevoke.java create mode 100644 base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java create mode 100644 base/java-tools/src/com/netscape/cmstools/DRMTool.cfg create mode 100644 base/java-tools/src/com/netscape/cmstools/DRMTool.java create mode 100644 base/java-tools/src/com/netscape/cmstools/ExtJoiner.java create mode 100644 base/java-tools/src/com/netscape/cmstools/GenExtKeyUsage.java create mode 100644 base/java-tools/src/com/netscape/cmstools/GenIssuerAltNameExt.java create mode 100644 base/java-tools/src/com/netscape/cmstools/GenSubjectAltNameExt.java create mode 100644 base/java-tools/src/com/netscape/cmstools/HttpClient.java create mode 100644 base/java-tools/src/com/netscape/cmstools/OCSPClient.java create mode 100644 base/java-tools/src/com/netscape/cmstools/PKCS10Client.java create mode 100644 base/java-tools/src/com/netscape/cmstools/PKCS12Export.java create mode 100644 base/java-tools/src/com/netscape/cmstools/PasswordCache.java create mode 100644 base/java-tools/src/com/netscape/cmstools/PrettyPrintCert.java create mode 100644 
base/java-tools/src/com/netscape/cmstools/PrettyPrintCrl.java create mode 100644 base/java-tools/src/com/netscape/cmstools/TestCRLSigning.java create mode 100644 base/java-tools/src/com/netscape/cmstools/TokenInfo.java create mode 100644 base/java-tools/templates/CMakeLists.txt create mode 100644 base/java-tools/templates/pki_java_command_wrapper.in create mode 100644 base/java-tools/templates/pretty_print_cert_command_wrapper.in create mode 100644 base/java-tools/templates/pretty_print_crl_command_wrapper.in create mode 100644 base/kra/CMakeLists.txt create mode 100644 base/kra/LICENSE create mode 100644 base/kra/functional/drmclient.py create mode 100644 base/kra/functional/drmclient.readme.txt create mode 100644 base/kra/functional/src/com/netscape/cms/servlet/test/DRMRestClient.java create mode 100644 base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java create mode 100644 base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java create mode 100644 base/kra/setup/CMakeLists.txt create mode 100644 base/kra/setup/registry_instance create mode 100644 base/kra/shared/conf/CMakeLists.txt create mode 100644 base/kra/shared/conf/CS.cfg.in create mode 100644 base/kra/shared/conf/acl.ldif create mode 100644 base/kra/shared/conf/catalina.policy create mode 100644 base/kra/shared/conf/catalina.properties create mode 100644 base/kra/shared/conf/context.xml create mode 100644 base/kra/shared/conf/database.ldif create mode 100644 base/kra/shared/conf/db.ldif create mode 100644 base/kra/shared/conf/index.ldif create mode 100644 base/kra/shared/conf/jk2.manifest create mode 100644 base/kra/shared/conf/jk2.properties create mode 100644 base/kra/shared/conf/jkconf.ant.xml create mode 100644 base/kra/shared/conf/jkconfig.manifest create mode 100644 base/kra/shared/conf/logging.properties create mode 100644 base/kra/shared/conf/manager.ldif create mode 100644 base/kra/shared/conf/schema.ldif create mode 100644 
base/kra/shared/conf/server-minimal.xml create mode 100644 base/kra/shared/conf/server.xml create mode 100644 base/kra/shared/conf/serverCert.profile create mode 100644 base/kra/shared/conf/serverCertNick.conf create mode 100644 base/kra/shared/conf/shm.manifest create mode 100644 base/kra/shared/conf/storageCert.profile create mode 100644 base/kra/shared/conf/subsystemCert.profile create mode 100644 base/kra/shared/conf/tomcat-jk2.manifest create mode 100644 base/kra/shared/conf/tomcat-users.xml create mode 100644 base/kra/shared/conf/tomcat6.conf create mode 100644 base/kra/shared/conf/transportCert.profile create mode 100644 base/kra/shared/conf/uriworkermap.properties create mode 100644 base/kra/shared/conf/vlv.ldif create mode 100644 base/kra/shared/conf/vlvtasks.ldif create mode 100644 base/kra/shared/conf/web.xml create mode 100644 base/kra/shared/conf/workers.properties create mode 100644 base/kra/shared/conf/workers.properties.minimal create mode 100644 base/kra/shared/conf/workers2.properties create mode 100644 base/kra/shared/conf/workers2.properties.minimal create mode 100755 base/kra/shared/etc/init.d/pki-krad create mode 100644 base/kra/shared/lib/systemd/system/pki-krad.target create mode 100644 base/kra/shared/lib/systemd/system/pki-krad@.service create mode 100644 base/kra/shared/webapps/ROOT/WEB-INF/web.xml create mode 100644 base/kra/shared/webapps/ROOT/index.jsp create mode 100644 base/kra/shared/webapps/kra/WEB-INF/auth.properties create mode 100644 base/kra/shared/webapps/kra/WEB-INF/velocity.properties create mode 100644 base/kra/shared/webapps/kra/WEB-INF/web.xml create mode 100644 base/kra/src/CMakeLists.txt create mode 100644 base/kra/src/com/netscape/kra/ArchiveOptions.java create mode 100644 base/kra/src/com/netscape/kra/EncryptionUnit.java create mode 100644 base/kra/src/com/netscape/kra/EnrollmentService.java create mode 100644 base/kra/src/com/netscape/kra/KRANotify.java create mode 100644 base/kra/src/com/netscape/kra/KRAPolicy.java 
create mode 100644 base/kra/src/com/netscape/kra/KRAService.java create mode 100644 base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java create mode 100644 base/kra/src/com/netscape/kra/NetkeyKeygenService.java create mode 100644 base/kra/src/com/netscape/kra/RecoveryService.java create mode 100644 base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java create mode 100644 base/kra/src/com/netscape/kra/SecurityDataService.java create mode 100644 base/kra/src/com/netscape/kra/StorageKeyUnit.java create mode 100644 base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java create mode 100644 base/kra/src/com/netscape/kra/TransportKeyUnit.java create mode 100644 base/migrate/41ToTxt/classes/CMS41LdifParser.class create mode 100644 base/migrate/41ToTxt/classes/Main.class create mode 100755 base/migrate/41ToTxt/run.bat create mode 100755 base/migrate/41ToTxt/run.sh create mode 100644 base/migrate/41ToTxt/src/Main.java create mode 100755 base/migrate/41ToTxt/src/compile.bat create mode 100755 base/migrate/41ToTxt/src/compile.sh create mode 100644 base/migrate/42SP2ToTxt/classes/CMS42SP2LdifParser.class create mode 100644 base/migrate/42SP2ToTxt/classes/Main.class create mode 100755 base/migrate/42SP2ToTxt/run.bat create mode 100755 base/migrate/42SP2ToTxt/run.sh create mode 100644 base/migrate/42SP2ToTxt/src/Main.java create mode 100755 base/migrate/42SP2ToTxt/src/compile.bat create mode 100755 base/migrate/42SP2ToTxt/src/compile.sh create mode 100644 base/migrate/42ToTxt/classes/CMS42LdifParser.class create mode 100644 base/migrate/42ToTxt/classes/Main.class create mode 100755 base/migrate/42ToTxt/run.bat create mode 100755 base/migrate/42ToTxt/run.sh create mode 100644 base/migrate/42ToTxt/src/Main.java create mode 100755 base/migrate/42ToTxt/src/compile.bat create mode 100755 base/migrate/42ToTxt/src/compile.sh create mode 100644 base/migrate/45ToTxt/classes/CMS45LdifParser.class create mode 100644 base/migrate/45ToTxt/classes/Main.class create mode 100755 
base/migrate/45ToTxt/run.bat create mode 100755 base/migrate/45ToTxt/run.sh create mode 100644 base/migrate/45ToTxt/src/Main.java create mode 100755 base/migrate/45ToTxt/src/compile.bat create mode 100755 base/migrate/45ToTxt/src/compile.sh create mode 100644 base/migrate/47ToTxt/classes/CMS47LdifParser.class create mode 100644 base/migrate/47ToTxt/classes/Main.class create mode 100755 base/migrate/47ToTxt/run.bat create mode 100755 base/migrate/47ToTxt/run.sh create mode 100644 base/migrate/47ToTxt/src/Main.java create mode 100755 base/migrate/47ToTxt/src/compile.bat create mode 100755 base/migrate/47ToTxt/src/compile.sh create mode 100644 base/migrate/60ToTxt/classes/CMS60LdifParser.class create mode 100644 base/migrate/60ToTxt/classes/Main.class create mode 100755 base/migrate/60ToTxt/run.bat create mode 100755 base/migrate/60ToTxt/run.sh create mode 100644 base/migrate/60ToTxt/src/Main.java create mode 100755 base/migrate/60ToTxt/src/compile.bat create mode 100755 base/migrate/60ToTxt/src/compile.sh create mode 100644 base/migrate/61ToTxt/classes/CMS61LdifParser.class create mode 100644 base/migrate/61ToTxt/classes/Main.class create mode 100755 base/migrate/61ToTxt/run.bat create mode 100755 base/migrate/61ToTxt/run.sh create mode 100644 base/migrate/61ToTxt/src/Main.java create mode 100755 base/migrate/61ToTxt/src/compile.bat create mode 100755 base/migrate/61ToTxt/src/compile.sh create mode 100644 base/migrate/62ToTxt/classes/CMS62LdifParser.class create mode 100644 base/migrate/62ToTxt/classes/Main.class create mode 100755 base/migrate/62ToTxt/run.bat create mode 100755 base/migrate/62ToTxt/run.sh create mode 100644 base/migrate/62ToTxt/src/Main.java create mode 100755 base/migrate/62ToTxt/src/compile.bat create mode 100755 base/migrate/62ToTxt/src/compile.sh create mode 100644 base/migrate/63ToTxt/classes/CMS63LdifParser.class create mode 100644 base/migrate/63ToTxt/classes/Main.class create mode 100755 base/migrate/63ToTxt/run.bat create mode 100755 
base/migrate/63ToTxt/run.sh create mode 100644 base/migrate/63ToTxt/src/Main.java create mode 100755 base/migrate/63ToTxt/src/compile.bat create mode 100755 base/migrate/63ToTxt/src/compile.sh create mode 100644 base/migrate/70ToTxt/classes/CMS70LdifParser.class create mode 100644 base/migrate/70ToTxt/classes/Main.class create mode 100755 base/migrate/70ToTxt/run.bat create mode 100755 base/migrate/70ToTxt/run.sh create mode 100644 base/migrate/70ToTxt/src/Main.java create mode 100755 base/migrate/70ToTxt/src/compile.bat create mode 100755 base/migrate/70ToTxt/src/compile.sh create mode 100644 base/migrate/71ToTxt/classes/CMS71LdifParser.class create mode 100644 base/migrate/71ToTxt/classes/Main.class create mode 100755 base/migrate/71ToTxt/run.bat create mode 100755 base/migrate/71ToTxt/run.sh create mode 100644 base/migrate/71ToTxt/src/Main.java create mode 100755 base/migrate/71ToTxt/src/compile.bat create mode 100755 base/migrate/71ToTxt/src/compile.sh create mode 100644 base/migrate/72ToTxt/classes/CMS72LdifParser.class create mode 100644 base/migrate/72ToTxt/classes/Main.class create mode 100755 base/migrate/72ToTxt/run.bat create mode 100755 base/migrate/72ToTxt/run.sh create mode 100644 base/migrate/72ToTxt/src/Main.java create mode 100755 base/migrate/72ToTxt/src/compile.bat create mode 100755 base/migrate/72ToTxt/src/compile.sh create mode 100644 base/migrate/73ToTxt/classes/CMS73LdifParser.class create mode 100644 base/migrate/73ToTxt/classes/Main.class create mode 100755 base/migrate/73ToTxt/run.bat create mode 100755 base/migrate/73ToTxt/run.sh create mode 100644 base/migrate/73ToTxt/src/Main.java create mode 100755 base/migrate/73ToTxt/src/compile.bat create mode 100755 base/migrate/73ToTxt/src/compile.sh create mode 100644 base/migrate/80/MigrateSecurityDomain.class create mode 100644 base/migrate/80/MigrateSecurityDomain.java create mode 100644 base/migrate/80/readme create mode 100644 base/migrate/80/schema-add.ldif create mode 100644 
base/migrate/CMakeLists.txt create mode 100644 base/migrate/LICENSE create mode 100644 base/migrate/TpsTo80/Makefile create mode 100755 base/migrate/TpsTo80/linux/migrateTPSData.i386 create mode 100755 base/migrate/TpsTo80/linux/migrateTPSData.x86_64 create mode 100644 base/migrate/TpsTo80/migrateTPSData.c create mode 100644 base/migrate/TpsTo80/readme create mode 100755 base/migrate/TpsTo80/solaris/migrateTPSData.sol9sparc create mode 100644 base/migrate/TxtTo60/classes/CMS60LdifParser.class create mode 100644 base/migrate/TxtTo60/classes/DummyAuthManager.class create mode 100644 base/migrate/TxtTo60/classes/Main.class create mode 100755 base/migrate/TxtTo60/run.bat create mode 100755 base/migrate/TxtTo60/run.sh create mode 100644 base/migrate/TxtTo60/src/Main.java create mode 100755 base/migrate/TxtTo60/src/compile.bat create mode 100755 base/migrate/TxtTo60/src/compile.sh create mode 100644 base/migrate/TxtTo61/classes/CMS61LdifParser.class create mode 100644 base/migrate/TxtTo61/classes/DummyAuthManager.class create mode 100644 base/migrate/TxtTo61/classes/Main.class create mode 100755 base/migrate/TxtTo61/run.bat create mode 100755 base/migrate/TxtTo61/run.sh create mode 100644 base/migrate/TxtTo61/src/Main.java create mode 100755 base/migrate/TxtTo61/src/compile.bat create mode 100755 base/migrate/TxtTo61/src/compile.sh create mode 100644 base/migrate/TxtTo62/classes/CMS62LdifParser.class create mode 100644 base/migrate/TxtTo62/classes/DummyAuthManager.class create mode 100644 base/migrate/TxtTo62/classes/Main.class create mode 100755 base/migrate/TxtTo62/run.bat create mode 100755 base/migrate/TxtTo62/run.sh create mode 100644 base/migrate/TxtTo62/src/Main.java create mode 100755 base/migrate/TxtTo62/src/compile.bat create mode 100755 base/migrate/TxtTo62/src/compile.sh create mode 100644 base/migrate/TxtTo70/classes/CMS70LdifParser.class create mode 100644 base/migrate/TxtTo70/classes/DummyAuthManager.class create mode 100644 
base/migrate/TxtTo70/classes/Main.class create mode 100755 base/migrate/TxtTo70/run.bat create mode 100755 base/migrate/TxtTo70/run.sh create mode 100644 base/migrate/TxtTo70/src/Main.java create mode 100755 base/migrate/TxtTo70/src/compile.bat create mode 100755 base/migrate/TxtTo70/src/compile.sh create mode 100644 base/migrate/TxtTo71/classes/CMS71LdifParser.class create mode 100644 base/migrate/TxtTo71/classes/DummyAuthManager.class create mode 100644 base/migrate/TxtTo71/classes/Main.class create mode 100755 base/migrate/TxtTo71/run.bat create mode 100755 base/migrate/TxtTo71/run.sh create mode 100644 base/migrate/TxtTo71/src/Main.java create mode 100755 base/migrate/TxtTo71/src/compile.bat create mode 100755 base/migrate/TxtTo71/src/compile.sh create mode 100644 base/migrate/TxtTo72/classes/CMS72LdifParser.class create mode 100644 base/migrate/TxtTo72/classes/DummyAuthManager.class create mode 100644 base/migrate/TxtTo72/classes/Main.class create mode 100755 base/migrate/TxtTo72/run.bat create mode 100755 base/migrate/TxtTo72/run.sh create mode 100644 base/migrate/TxtTo72/src/Main.java create mode 100755 base/migrate/TxtTo72/src/compile.bat create mode 100755 base/migrate/TxtTo72/src/compile.sh create mode 100644 base/migrate/TxtTo73/classes/CMS73LdifParser.class create mode 100644 base/migrate/TxtTo73/classes/DummyAuthManager.class create mode 100644 base/migrate/TxtTo73/classes/Main.class create mode 100755 base/migrate/TxtTo73/run.bat create mode 100755 base/migrate/TxtTo73/run.sh create mode 100644 base/migrate/TxtTo73/src/Main.java create mode 100755 base/migrate/TxtTo73/src/compile.bat create mode 100755 base/migrate/TxtTo73/src/compile.sh create mode 100644 base/migrate/TxtTo80/classes/CS80LdifParser.class create mode 100644 base/migrate/TxtTo80/classes/Main.class create mode 100755 base/migrate/TxtTo80/run.sh create mode 100644 base/migrate/TxtTo80/src/Main.java create mode 100755 base/migrate/TxtTo80/src/compile.sh create mode 100755 
base/migrate/kra/RecoverKey.class create mode 100755 base/migrate/kra/RecoverKey.java create mode 100755 base/migrate/kra/RecoverPin.class create mode 100755 base/migrate/kra/RecoverPin.java create mode 100755 base/migrate/kra/readme.txt create mode 100644 base/native-tools/CMakeLists.txt create mode 100644 base/native-tools/LICENSE create mode 100644 base/native-tools/doc/README create mode 100644 base/native-tools/src/CMakeLists.txt create mode 100644 base/native-tools/src/bulkissuance/CMakeLists.txt create mode 100644 base/native-tools/src/bulkissuance/bulkissuance.c create mode 100644 base/native-tools/src/bulkissuance/bulkissuance.data create mode 100644 base/native-tools/src/bulkissuance/getopt.c create mode 100644 base/native-tools/src/p7tool/CMakeLists.txt create mode 100644 base/native-tools/src/p7tool/NSPRerrs.h create mode 100644 base/native-tools/src/p7tool/SECerrs.h create mode 100644 base/native-tools/src/p7tool/SSLerrs.h create mode 100644 base/native-tools/src/p7tool/p7tool.c create mode 100644 base/native-tools/src/p7tool/pppolicy.c create mode 100644 base/native-tools/src/p7tool/secerror.c create mode 100644 base/native-tools/src/p7tool/secerror.h create mode 100644 base/native-tools/src/p7tool/secpwd.c create mode 100644 base/native-tools/src/p7tool/secutil.c create mode 100644 base/native-tools/src/p7tool/secutil.h create mode 100644 base/native-tools/src/revoker/CMakeLists.txt create mode 100644 base/native-tools/src/revoker/getopt.c create mode 100644 base/native-tools/src/revoker/revoker.c create mode 100644 base/native-tools/src/setpin/CMakeLists.txt create mode 100644 base/native-tools/src/setpin/b64.c create mode 100644 base/native-tools/src/setpin/options.c create mode 100644 base/native-tools/src/setpin/options.h create mode 100644 base/native-tools/src/setpin/setpin.c create mode 100644 base/native-tools/src/setpin/setpin.conf create mode 100644 base/native-tools/src/setpin/setpin_options.c create mode 100644 
base/native-tools/src/setpin/setpin_options.h create mode 100644 base/native-tools/src/sslget/CMakeLists.txt create mode 100644 base/native-tools/src/sslget/getopt.c create mode 100644 base/native-tools/src/sslget/sslget.c create mode 100644 base/native-tools/src/tkstool/CMakeLists.txt create mode 100644 base/native-tools/src/tkstool/NSPRerrs.h create mode 100644 base/native-tools/src/tkstool/SECerrs.h create mode 100644 base/native-tools/src/tkstool/SSLerrs.h create mode 100644 base/native-tools/src/tkstool/delete.c create mode 100644 base/native-tools/src/tkstool/file.c create mode 100644 base/native-tools/src/tkstool/find.c create mode 100644 base/native-tools/src/tkstool/help.c create mode 100644 base/native-tools/src/tkstool/key.c create mode 100644 base/native-tools/src/tkstool/list.c create mode 100644 base/native-tools/src/tkstool/modules.c create mode 100644 base/native-tools/src/tkstool/pppolicy.c create mode 100644 base/native-tools/src/tkstool/random.c create mode 100644 base/native-tools/src/tkstool/retrieve.c create mode 100644 base/native-tools/src/tkstool/secerror.c create mode 100644 base/native-tools/src/tkstool/secpwd.c create mode 100644 base/native-tools/src/tkstool/secutil.c create mode 100644 base/native-tools/src/tkstool/secutil.h create mode 100644 base/native-tools/src/tkstool/tkstool.c create mode 100644 base/native-tools/src/tkstool/tkstool.h create mode 100644 base/native-tools/src/tkstool/util.c create mode 100644 base/native-tools/src/tkstool/version.c create mode 100644 base/ocsp/CMakeLists.txt create mode 100644 base/ocsp/LICENSE create mode 100644 base/ocsp/setup/CMakeLists.txt create mode 100644 base/ocsp/setup/registry_instance create mode 100644 base/ocsp/shared/conf/CMakeLists.txt create mode 100644 base/ocsp/shared/conf/CS.cfg.in create mode 100644 base/ocsp/shared/conf/acl.ldif create mode 100644 base/ocsp/shared/conf/catalina.policy create mode 100644 base/ocsp/shared/conf/catalina.properties create mode 100644 
base/ocsp/shared/conf/context.xml create mode 100644 base/ocsp/shared/conf/database.ldif create mode 100644 base/ocsp/shared/conf/db.ldif create mode 100644 base/ocsp/shared/conf/index.ldif create mode 100644 base/ocsp/shared/conf/jk2.manifest create mode 100644 base/ocsp/shared/conf/jk2.properties create mode 100644 base/ocsp/shared/conf/jkconf.ant.xml create mode 100644 base/ocsp/shared/conf/jkconfig.manifest create mode 100644 base/ocsp/shared/conf/logging.properties create mode 100644 base/ocsp/shared/conf/manager.ldif create mode 100644 base/ocsp/shared/conf/schema.ldif create mode 100644 base/ocsp/shared/conf/server-minimal.xml create mode 100644 base/ocsp/shared/conf/server.xml create mode 100644 base/ocsp/shared/conf/serverCertNick.conf create mode 100644 base/ocsp/shared/conf/shm.manifest create mode 100644 base/ocsp/shared/conf/tomcat-jk2.manifest create mode 100644 base/ocsp/shared/conf/tomcat-users.xml create mode 100644 base/ocsp/shared/conf/tomcat6.conf create mode 100644 base/ocsp/shared/conf/uriworkermap.properties create mode 100644 base/ocsp/shared/conf/web.xml create mode 100644 base/ocsp/shared/conf/workers.properties create mode 100644 base/ocsp/shared/conf/workers.properties.minimal create mode 100644 base/ocsp/shared/conf/workers2.properties create mode 100644 base/ocsp/shared/conf/workers2.properties.minimal create mode 100755 base/ocsp/shared/etc/init.d/pki-ocspd create mode 100644 base/ocsp/shared/lib/systemd/system/pki-ocspd.target create mode 100644 base/ocsp/shared/lib/systemd/system/pki-ocspd@.service create mode 100644 base/ocsp/shared/webapps/ROOT/WEB-INF/web.xml create mode 100644 base/ocsp/shared/webapps/ROOT/index.jsp create mode 100644 base/ocsp/shared/webapps/ocsp/WEB-INF/velocity.properties create mode 100644 base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml create mode 100644 base/ocsp/src/CMakeLists.txt create mode 100644 base/ocsp/src/com/netscape/ocsp/EOCSPException.java create mode 100644 
base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java create mode 100644 base/ocsp/src/com/netscape/ocsp/OCSPResources.java create mode 100644 base/ocsp/src/com/netscape/ocsp/SigningUnit.java create mode 100644 base/ra/CMakeLists.txt create mode 100644 base/ra/LICENSE create mode 100644 base/ra/apache/conf/httpd.conf create mode 100644 base/ra/apache/conf/magic create mode 100644 base/ra/apache/conf/mime.types create mode 100644 base/ra/apache/conf/nss.conf create mode 100644 base/ra/apache/conf/perl.conf create mode 100644 base/ra/doc/CMakeLists.txt create mode 100644 base/ra/doc/CS.cfg.in create mode 100644 base/ra/emails/mail_approve_request.vm create mode 100644 base/ra/emails/mail_create_request.vm create mode 100755 base/ra/etc/init.d/pki-rad create mode 100755 base/ra/forms/admin/group/add.cgi create mode 100755 base/ra/forms/admin/group/add_member.cgi create mode 100755 base/ra/forms/admin/group/add_new.cgi create mode 100755 base/ra/forms/admin/group/delete.cgi create mode 100755 base/ra/forms/admin/group/delete_member.cgi create mode 100755 base/ra/forms/admin/group/index.cgi create mode 100755 base/ra/forms/admin/group/read.cgi create mode 100755 base/ra/forms/admin/index.cgi create mode 100755 base/ra/forms/admin/user/add.cgi create mode 100755 base/ra/forms/admin/user/add_new.cgi create mode 100755 base/ra/forms/admin/user/delete.cgi create mode 100755 base/ra/forms/admin/user/index.cgi create mode 100755 base/ra/forms/admin/user/read.cgi create mode 100755 base/ra/forms/agent/cert/index.cgi create mode 100755 base/ra/forms/agent/cert/read.cgi create mode 100755 base/ra/forms/agent/cert/revoke.cgi create mode 100755 base/ra/forms/agent/cert/submit.cgi create mode 100755 base/ra/forms/agent/error.cgi create mode 100755 base/ra/forms/agent/index.cgi create mode 100755 base/ra/forms/agent/request/add_note.cgi create mode 100755 base/ra/forms/agent/request/index.cgi create mode 100755 base/ra/forms/agent/request/op.cgi create mode 100755 
base/ra/forms/agent/request/read.cgi create mode 100755 base/ra/forms/ee/agent/enroll.cgi create mode 100755 base/ra/forms/ee/agent/index.cgi create mode 100755 base/ra/forms/ee/agent/new.cgi create mode 100755 base/ra/forms/ee/agent/start.cgi create mode 100755 base/ra/forms/ee/agent/submit.cgi create mode 100755 base/ra/forms/ee/error.cgi create mode 100755 base/ra/forms/ee/index.cgi create mode 100755 base/ra/forms/ee/request/getcert.cgi create mode 100755 base/ra/forms/ee/request/importcert.cgi create mode 100755 base/ra/forms/ee/request/index.cgi create mode 100755 base/ra/forms/ee/request/status.cgi create mode 100755 base/ra/forms/ee/scep/enroll.cgi create mode 100755 base/ra/forms/ee/scep/index.cgi create mode 100755 base/ra/forms/ee/scep/installer.cgi create mode 100755 base/ra/forms/ee/scep/manager.cgi create mode 100755 base/ra/forms/ee/scep/pkiclient.cgi create mode 100755 base/ra/forms/ee/scep/submit.cgi create mode 100755 base/ra/forms/ee/server/admin.cgi create mode 100755 base/ra/forms/ee/server/index.cgi create mode 100755 base/ra/forms/ee/server/submit.cgi create mode 100755 base/ra/forms/ee/user/index.cgi create mode 100755 base/ra/forms/ee/user/renew.cgi create mode 100755 base/ra/forms/ee/user/renewal.cgi create mode 100755 base/ra/forms/ee/user/submit.cgi create mode 100755 base/ra/forms/ee/user/user.cgi create mode 100755 base/ra/forms/index.cgi create mode 100644 base/ra/lib/perl/PKI/Base/CertStore.pm create mode 100755 base/ra/lib/perl/PKI/Base/Conf.pm create mode 100644 base/ra/lib/perl/PKI/Base/PinStore.pm create mode 100644 base/ra/lib/perl/PKI/Base/Registry.pm create mode 100755 base/ra/lib/perl/PKI/Base/TimeTool.pm create mode 100644 base/ra/lib/perl/PKI/Base/UserStore.pm create mode 100755 base/ra/lib/perl/PKI/Base/Util.pm create mode 100644 base/ra/lib/perl/PKI/Conn/CA.pm create mode 100755 base/ra/lib/perl/PKI/RA/AdminAuthPanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/AdminPanel.pm create mode 100755 
base/ra/lib/perl/PKI/RA/AgentAuthPanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/BasePanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/CAInfoPanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/CertInfo.pm create mode 100755 base/ra/lib/perl/PKI/RA/CertPrettyPrintPanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/CertRequestPanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/Common.pm create mode 100755 base/ra/lib/perl/PKI/RA/Config.pm create mode 100755 base/ra/lib/perl/PKI/RA/ConfigHSMLoginPanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/ConfigHSMPanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/DatabasePanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/DisplayCertChain2Panel.pm create mode 100755 base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/DonePanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/GlobalVar.pm create mode 100755 base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/Login.pm create mode 100755 base/ra/lib/perl/PKI/RA/LoginPanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/ModulePanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/Modutil.pm create mode 100755 base/ra/lib/perl/PKI/RA/NamePanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/ReqCertInfo.pm create mode 100755 base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/SizePanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/WelcomePanel.pm create mode 100755 base/ra/lib/perl/PKI/RA/wizard.pm create mode 100644 base/ra/lib/perl/PKI/Request/Plugin/AutoAssign.pm create mode 100644 base/ra/lib/perl/PKI/Request/Plugin/CreatePin.pm create mode 100644 base/ra/lib/perl/PKI/Request/Plugin/EmailNotification.pm create mode 100644 base/ra/lib/perl/PKI/Request/Plugin/RequestToCA.pm create mode 
100644 base/ra/lib/perl/PKI/Request/Queue.pm create mode 100644 base/ra/lib/perl/PKI/Service/Op.pm create mode 100755 base/ra/lib/perl/Template/Velocity.pm create mode 100755 base/ra/scripts/nss_pcache create mode 100644 base/ra/scripts/schema.sql create mode 100644 base/ra/setup/CMakeLists.txt create mode 100644 base/ra/setup/registry_instance create mode 100755 base/scripts/enable_cvs_keywords_in_svn create mode 100755 base/scripts/pkicheck create mode 100755 base/scripts/pkimanifest create mode 100644 base/selinux/CMakeLists.txt create mode 100644 base/selinux/LICENSE create mode 100644 base/selinux/src/CMakeLists.txt create mode 100644 base/selinux/src/Makefile create mode 100644 base/selinux/src/pki.fc create mode 100644 base/selinux/src/pki.if create mode 100755 base/selinux/src/pki.sh create mode 100644 base/selinux/src/pki.te create mode 100644 base/setup/CMakeLists.txt create mode 100644 base/setup/LICENSE create mode 100644 base/setup/jars/resteasy-jettison-provider-2.3-RC1.jar create mode 100755 base/setup/pki-setup-proxy create mode 100755 base/setup/pkicommon.pm create mode 100755 base/setup/pkicreate create mode 100755 base/setup/pkiremove create mode 100644 base/setup/scripts/functions create mode 100755 base/setup/scripts/pki_apache_initscript create mode 100755 base/setup/scripts/pkicontrol create mode 100644 base/silent/CMakeLists.txt create mode 100644 base/silent/LICENSE create mode 100644 base/silent/scripts/CMakeLists.txt create mode 100755 base/silent/scripts/pkisilent create mode 100644 base/silent/src/CMakeLists.txt create mode 100644 base/silent/src/com/netscape/pkisilent/ConfigureCA.java create mode 100644 base/silent/src/com/netscape/pkisilent/ConfigureDRM.java create mode 100644 base/silent/src/com/netscape/pkisilent/ConfigureOCSP.java create mode 100644 base/silent/src/com/netscape/pkisilent/ConfigureRA.java create mode 100644 base/silent/src/com/netscape/pkisilent/ConfigureSubCA.java create mode 100644 
base/silent/src/com/netscape/pkisilent/ConfigureTKS.java create mode 100644 base/silent/src/com/netscape/pkisilent/ConfigureTPS.java create mode 100644 base/silent/src/com/netscape/pkisilent/PKISilent.java create mode 100644 base/silent/src/com/netscape/pkisilent/argparser/ArgParseException.java create mode 100755 base/silent/src/com/netscape/pkisilent/argparser/ArgParser.java create mode 100644 base/silent/src/com/netscape/pkisilent/argparser/ArgParserTest.java create mode 100644 base/silent/src/com/netscape/pkisilent/argparser/BooleanHolder.java create mode 100644 base/silent/src/com/netscape/pkisilent/argparser/CharHolder.java create mode 100644 base/silent/src/com/netscape/pkisilent/argparser/DoubleHolder.java create mode 100644 base/silent/src/com/netscape/pkisilent/argparser/FloatHolder.java create mode 100644 base/silent/src/com/netscape/pkisilent/argparser/IntHolder.java create mode 100644 base/silent/src/com/netscape/pkisilent/argparser/LongHolder.java create mode 100644 base/silent/src/com/netscape/pkisilent/argparser/ObjectHolder.java create mode 100644 base/silent/src/com/netscape/pkisilent/argparser/SimpleExample.java create mode 100644 base/silent/src/com/netscape/pkisilent/argparser/StringHolder.java create mode 100644 base/silent/src/com/netscape/pkisilent/argparser/StringScanException.java create mode 100644 base/silent/src/com/netscape/pkisilent/argparser/StringScanner.java create mode 100644 base/silent/src/com/netscape/pkisilent/common/BaseState.java create mode 100644 base/silent/src/com/netscape/pkisilent/common/CMSConfig.java create mode 100644 base/silent/src/com/netscape/pkisilent/common/CMSLDAP.java create mode 100644 base/silent/src/com/netscape/pkisilent/common/CMSProperties.java create mode 100644 base/silent/src/com/netscape/pkisilent/common/CMSTask.java create mode 100644 base/silent/src/com/netscape/pkisilent/common/CertificateRecord.java create mode 100644 base/silent/src/com/netscape/pkisilent/common/ComCrypto.java create mode 
100644 base/silent/src/com/netscape/pkisilent/common/Con2Agent.java create mode 100644 base/silent/src/com/netscape/pkisilent/common/DirEnroll.java create mode 100644 base/silent/src/com/netscape/pkisilent/common/ParseXML.java create mode 100644 base/silent/src/com/netscape/pkisilent/common/PostQuery.java create mode 100644 base/silent/src/com/netscape/pkisilent/common/Request.java create mode 100644 base/silent/src/com/netscape/pkisilent/common/ServerInfo.java create mode 100644 base/silent/src/com/netscape/pkisilent/common/TestClient.java create mode 100644 base/silent/src/com/netscape/pkisilent/common/UserEnroll.java create mode 100644 base/silent/src/com/netscape/pkisilent/common/Utilities.java create mode 100644 base/silent/src/com/netscape/pkisilent/common/checkRequest.java create mode 100644 base/silent/src/com/netscape/pkisilent/http/CertSelection.java create mode 100644 base/silent/src/com/netscape/pkisilent/http/HTMLDocument.java create mode 100644 base/silent/src/com/netscape/pkisilent/http/HTTPClient.java create mode 100644 base/silent/src/com/netscape/pkisilent/http/HTTPResponse.java create mode 100755 base/silent/templates/pki_silent.template create mode 100755 base/silent/templates/subca_silent.template create mode 100644 base/symkey/CMakeLists.txt create mode 100644 base/symkey/LICENSE create mode 100644 base/symkey/src/CMakeLists.txt create mode 100644 base/symkey/src/com/netscape/symkey/Base.h create mode 100644 base/symkey/src/com/netscape/symkey/Buffer.cpp create mode 100644 base/symkey/src/com/netscape/symkey/Buffer.h create mode 100644 base/symkey/src/com/netscape/symkey/CMakeLists.txt create mode 100644 base/symkey/src/com/netscape/symkey/EncryptData.cpp create mode 100644 base/symkey/src/com/netscape/symkey/SessionKey.cpp create mode 100644 base/symkey/src/com/netscape/symkey/SessionKey.java create mode 100644 base/symkey/src/com/netscape/symkey/SymKey.cpp create mode 100644 base/symkey/src/com/netscape/symkey/SymKey.h create mode 100644 
base/test/CMakeLists.txt create mode 100644 base/test/src/CMakeLists.txt create mode 100644 base/test/src/com/netscape/test/TestListener.java create mode 100644 base/test/src/com/netscape/test/TestRunner.java create mode 100644 base/tks/CMakeLists.txt create mode 100644 base/tks/LICENSE create mode 100644 base/tks/setup/CMakeLists.txt create mode 100644 base/tks/setup/registry_instance create mode 100644 base/tks/shared/conf/CMakeLists.txt create mode 100644 base/tks/shared/conf/CS.cfg.in create mode 100644 base/tks/shared/conf/acl.ldif create mode 100644 base/tks/shared/conf/catalina.policy create mode 100644 base/tks/shared/conf/catalina.properties create mode 100644 base/tks/shared/conf/context.xml create mode 100644 base/tks/shared/conf/database.ldif create mode 100644 base/tks/shared/conf/db.ldif create mode 100644 base/tks/shared/conf/index.ldif create mode 100644 base/tks/shared/conf/jk2.manifest create mode 100644 base/tks/shared/conf/jk2.properties create mode 100644 base/tks/shared/conf/jkconf.ant.xml create mode 100644 base/tks/shared/conf/jkconfig.manifest create mode 100644 base/tks/shared/conf/logging.properties create mode 100644 base/tks/shared/conf/manager.ldif create mode 100644 base/tks/shared/conf/schema.ldif create mode 100644 base/tks/shared/conf/server-minimal.xml create mode 100644 base/tks/shared/conf/server.xml create mode 100644 base/tks/shared/conf/serverCertNick.conf create mode 100644 base/tks/shared/conf/shm.manifest create mode 100644 base/tks/shared/conf/tomcat-jk2.manifest create mode 100644 base/tks/shared/conf/tomcat-users.xml create mode 100644 base/tks/shared/conf/tomcat6.conf create mode 100644 base/tks/shared/conf/uriworkermap.properties create mode 100644 base/tks/shared/conf/web.xml create mode 100644 base/tks/shared/conf/workers.properties create mode 100644 base/tks/shared/conf/workers.properties.minimal create mode 100644 base/tks/shared/conf/workers2.properties create mode 100644 
base/tks/shared/conf/workers2.properties.minimal create mode 100755 base/tks/shared/etc/init.d/pki-tksd create mode 100644 base/tks/shared/lib/systemd/system/pki-tksd.target create mode 100644 base/tks/shared/lib/systemd/system/pki-tksd@.service create mode 100644 base/tks/shared/webapps/ROOT/WEB-INF/web.xml create mode 100644 base/tks/shared/webapps/ROOT/index.jsp create mode 100644 base/tks/shared/webapps/tks/WEB-INF/velocity.properties create mode 100644 base/tks/shared/webapps/tks/WEB-INF/web.xml create mode 100644 base/tks/src/CMakeLists.txt create mode 100644 base/tks/src/com/netscape/tks/TKSAuthority.java create mode 100644 base/tps/CMakeLists.txt create mode 100644 base/tps/LICENSE create mode 100644 base/tps/apache/LICENSE-2.0 create mode 100644 base/tps/apache/conf/httpd.conf create mode 100644 base/tps/apache/conf/magic create mode 100644 base/tps/apache/conf/mime.types create mode 100644 base/tps/apache/conf/nss.conf create mode 100644 base/tps/apache/conf/perl.conf create mode 100644 base/tps/apache/pki_instance_command_wrapper create mode 100644 base/tps/apache/pki_subsystem_command_wrapper create mode 100644 base/tps/apache/readme.html create mode 100644 base/tps/applets/1.2.4122DFB4.ijc create mode 100755 base/tps/applets/1.2.416DA155.ijc create mode 100755 base/tps/applets/1.3.42260AFA.ijc create mode 100644 base/tps/applets/1.3.4255CC01.ijc create mode 100755 base/tps/applets/1.3.42659461.ijc create mode 100644 base/tps/applets/1.3.427BDDB8.ijc create mode 100755 base/tps/applets/1.3.44724DDE.ijc create mode 100755 base/tps/applets/1.3.45787308.ijc create mode 100644 base/tps/applets/1.4.499dc06c.ijc create mode 100644 base/tps/applets/1.4.4d40a449.ijc create mode 100644 base/tps/applets/3FD00877.ijc create mode 100644 base/tps/applets/4003196C.ijc create mode 100644 base/tps/applets/402428AD.ijc create mode 100644 base/tps/applets/404E4697.ijc create mode 100644 base/tps/applets/4122DFB4.ijc create mode 100755 base/tps/applets/listappletdates 
create mode 100644 base/tps/applets/readme.txt create mode 100644 base/tps/doc/CMakeLists.txt create mode 100644 base/tps/doc/CS.cfg.in create mode 100755 base/tps/etc/init.d/pki-tpsd create mode 100755 base/tps/forms/esc/cgi-bin/demo/enroll.cgi create mode 100755 base/tps/forms/esc/cgi-bin/demo/index.cgi create mode 100755 base/tps/forms/esc/cgi-bin/home/cachain.cgi create mode 100755 base/tps/forms/esc/cgi-bin/home/enroll.cgi create mode 100755 base/tps/forms/esc/cgi-bin/home/index.cgi create mode 100755 base/tps/forms/esc/cgi-bin/so/enroll.cgi create mode 100755 base/tps/forms/esc/cgi-bin/so/index.cgi create mode 100755 base/tps/forms/esc/cgi-bin/sow/ajax-list.cgi create mode 100755 base/tps/forms/esc/cgi-bin/sow/cfg.pl create mode 100755 base/tps/forms/esc/cgi-bin/sow/enroll.cgi create mode 100755 base/tps/forms/esc/cgi-bin/sow/enroll_temp.cgi create mode 100755 base/tps/forms/esc/cgi-bin/sow/format.cgi create mode 100755 base/tps/forms/esc/cgi-bin/sow/formatso.cgi create mode 100755 base/tps/forms/esc/cgi-bin/sow/index.cgi create mode 100755 base/tps/forms/esc/cgi-bin/sow/is_agent.cgi create mode 100755 base/tps/forms/esc/cgi-bin/sow/is_user.cgi create mode 100755 base/tps/forms/esc/cgi-bin/sow/main.cgi create mode 100755 base/tps/forms/esc/cgi-bin/sow/noaccess.cgi create mode 100755 base/tps/forms/esc/cgi-bin/sow/read.cgi create mode 100755 base/tps/forms/esc/cgi-bin/sow/read_temp.cgi create mode 100755 base/tps/forms/esc/cgi-bin/sow/search.cgi create mode 100755 base/tps/forms/esc/cgi-bin/sow/search_temp.cgi create mode 100755 base/tps/forms/esc/cgi-bin/sow/seturl.cgi create mode 100755 base/tps/forms/esc/cgi-bin/sow/welcome.cgi create mode 100755 base/tps/forms/esc/esc.cgi create mode 100755 base/tps/forms/esc/home.cgi create mode 100755 base/tps/forms/index.cgi create mode 100644 base/tps/forms/index.html create mode 100755 base/tps/lib/perl/PKI/Base/Conf.pm create mode 100755 base/tps/lib/perl/PKI/Base/Registry.pm create mode 100755 
base/tps/lib/perl/PKI/Service/Op.pm create mode 100755 base/tps/lib/perl/PKI/TPS/AdminAuthPanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/AdminPanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/AgentAuthPanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/AuthDBPanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/BasePanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/CertInfo.pm create mode 100755 base/tps/lib/perl/PKI/TPS/CertPrettyPrintPanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/CertRequestPanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/Common.pm create mode 100755 base/tps/lib/perl/PKI/TPS/Config.pm create mode 100755 base/tps/lib/perl/PKI/TPS/ConfigHSMLoginPanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/ConfigHSMPanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/DatabasePanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/DisplayCertChain2Panel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/DonePanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/GlobalVar.pm create mode 100755 base/tps/lib/perl/PKI/TPS/ImportAdminCertPanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/Login.pm create mode 100755 base/tps/lib/perl/PKI/TPS/LoginPanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/ModulePanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/Modutil.pm create mode 100755 base/tps/lib/perl/PKI/TPS/NamePanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/ReqCertInfo.pm create mode 100755 base/tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/SizePanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/SubsystemTypePanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/TKSInfoPanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/WelcomePanel.pm create mode 100755 base/tps/lib/perl/PKI/TPS/wizard.pm 
create mode 100755 base/tps/lib/perl/Template/Velocity.pm create mode 100644 base/tps/scripts/addAgents.ldif create mode 100644 base/tps/scripts/addIndexes.ldif create mode 100644 base/tps/scripts/addTokens.ldif create mode 100644 base/tps/scripts/addVLVIndexes.ldif create mode 100644 base/tps/scripts/database.ldif create mode 100755 base/tps/scripts/nss_pcache create mode 100644 base/tps/scripts/schemaMods.ldif create mode 100644 base/tps/scripts/vlvtasks.ldif create mode 100644 base/tps/setup/CMakeLists.txt create mode 100755 base/tps/setup/create.pl create mode 100644 base/tps/setup/registry_instance create mode 100644 base/tps/src/CMakeLists.txt create mode 100644 base/tps/src/apdu/APDU.cpp create mode 100644 base/tps/src/apdu/APDU_Response.cpp create mode 100644 base/tps/src/apdu/Create_Object_APDU.cpp create mode 100644 base/tps/src/apdu/Create_Pin_APDU.cpp create mode 100644 base/tps/src/apdu/Delete_File_APDU.cpp create mode 100644 base/tps/src/apdu/External_Authenticate_APDU.cpp create mode 100644 base/tps/src/apdu/Format_Muscle_Applet_APDU.cpp create mode 100644 base/tps/src/apdu/Generate_Key_APDU.cpp create mode 100644 base/tps/src/apdu/Get_Data_APDU.cpp create mode 100644 base/tps/src/apdu/Get_IssuerInfo_APDU.cpp create mode 100644 base/tps/src/apdu/Get_Status_APDU.cpp create mode 100644 base/tps/src/apdu/Get_Version_APDU.cpp create mode 100644 base/tps/src/apdu/Import_Key_APDU.cpp create mode 100644 base/tps/src/apdu/Import_Key_Enc_APDU.cpp create mode 100644 base/tps/src/apdu/Initialize_Update_APDU.cpp create mode 100644 base/tps/src/apdu/Install_Applet_APDU.cpp create mode 100644 base/tps/src/apdu/Install_Load_APDU.cpp create mode 100644 base/tps/src/apdu/Lifecycle_APDU.cpp create mode 100644 base/tps/src/apdu/List_Objects_APDU.cpp create mode 100644 base/tps/src/apdu/List_Pins_APDU.cpp create mode 100644 base/tps/src/apdu/Load_File_APDU.cpp create mode 100644 base/tps/src/apdu/Put_Key_APDU.cpp create mode 100644 base/tps/src/apdu/Read_Buffer_APDU.cpp 
create mode 100644 base/tps/src/apdu/Read_Object_APDU.cpp create mode 100644 base/tps/src/apdu/Select_APDU.cpp create mode 100644 base/tps/src/apdu/Set_IssuerInfo_APDU.cpp create mode 100644 base/tps/src/apdu/Set_Pin_APDU.cpp create mode 100644 base/tps/src/apdu/Unblock_Pin_APDU.cpp create mode 100644 base/tps/src/apdu/Write_Object_APDU.cpp create mode 100644 base/tps/src/authentication/CMakeLists.txt create mode 100644 base/tps/src/authentication/LDAP_Authentication.cpp create mode 100644 base/tps/src/channel/Channel.cpp create mode 100644 base/tps/src/channel/Secure_Channel.cpp create mode 100644 base/tps/src/cms/CertEnroll.cpp create mode 100644 base/tps/src/cms/ConnectionInfo.cpp create mode 100644 base/tps/src/cms/HttpConnection.cpp create mode 100644 base/tps/src/engine/RA.cpp create mode 100644 base/tps/src/httpClient/Cache.cpp create mode 100644 base/tps/src/httpClient/engine.cpp create mode 100644 base/tps/src/httpClient/http.cpp create mode 100644 base/tps/src/httpClient/httpClient.cpp create mode 100644 base/tps/src/httpClient/nscperror.cpp create mode 100644 base/tps/src/httpClient/request.cpp create mode 100644 base/tps/src/httpClient/response.cpp create mode 100644 base/tps/src/include/apdu/APDU.h create mode 100644 base/tps/src/include/apdu/APDU_Response.h create mode 100644 base/tps/src/include/apdu/Create_Object_APDU.h create mode 100644 base/tps/src/include/apdu/Create_Pin_APDU.h create mode 100644 base/tps/src/include/apdu/Delete_File_APDU.h create mode 100644 base/tps/src/include/apdu/External_Authenticate_APDU.h create mode 100644 base/tps/src/include/apdu/Format_Muscle_Applet_APDU.h create mode 100644 base/tps/src/include/apdu/Generate_Key_APDU.h create mode 100644 base/tps/src/include/apdu/Get_Data_APDU.h create mode 100644 base/tps/src/include/apdu/Get_IssuerInfo_APDU.h create mode 100644 base/tps/src/include/apdu/Get_Status_APDU.h create mode 100644 base/tps/src/include/apdu/Get_Version_APDU.h create mode 100644 
base/tps/src/include/apdu/Import_Key_APDU.h create mode 100644 base/tps/src/include/apdu/Import_Key_Enc_APDU.h create mode 100644 base/tps/src/include/apdu/Initialize_Update_APDU.h create mode 100644 base/tps/src/include/apdu/Install_Applet_APDU.h create mode 100644 base/tps/src/include/apdu/Install_Load_APDU.h create mode 100644 base/tps/src/include/apdu/Lifecycle_APDU.h create mode 100644 base/tps/src/include/apdu/List_Objects_APDU.h create mode 100644 base/tps/src/include/apdu/List_Pins_APDU.h create mode 100644 base/tps/src/include/apdu/Load_File_APDU.h create mode 100644 base/tps/src/include/apdu/Put_Key_APDU.h create mode 100644 base/tps/src/include/apdu/Read_Buffer_APDU.h create mode 100644 base/tps/src/include/apdu/Read_Object_APDU.h create mode 100644 base/tps/src/include/apdu/Select_APDU.h create mode 100644 base/tps/src/include/apdu/Set_IssuerInfo_APDU.h create mode 100644 base/tps/src/include/apdu/Set_Pin_APDU.h create mode 100644 base/tps/src/include/apdu/Unblock_Pin_APDU.h create mode 100644 base/tps/src/include/apdu/Write_Object_APDU.h create mode 100644 base/tps/src/include/authentication/AuthParams.h create mode 100644 base/tps/src/include/authentication/Authentication.h create mode 100644 base/tps/src/include/authentication/LDAP_Authentication.h create mode 100644 base/tps/src/include/channel/Channel.h create mode 100644 base/tps/src/include/channel/Secure_Channel.h create mode 100644 base/tps/src/include/cms/CertEnroll.h create mode 100644 base/tps/src/include/cms/ConnectionInfo.h create mode 100644 base/tps/src/include/cms/HttpConnection.h create mode 100644 base/tps/src/include/engine/RA.h create mode 100644 base/tps/src/include/engine/audit.h create mode 100644 base/tps/src/include/httpClient/httpc/AccessLogger.h create mode 100644 base/tps/src/include/httpClient/httpc/Auth.h create mode 100644 base/tps/src/include/httpClient/httpc/ByteBuffer.h create mode 100644 base/tps/src/include/httpClient/httpc/CERTUtil.h create mode 100644 
base/tps/src/include/httpClient/httpc/Cache.h create mode 100644 base/tps/src/include/httpClient/httpc/Connection.h create mode 100644 base/tps/src/include/httpClient/httpc/ConnectionListener.h create mode 100644 base/tps/src/include/httpClient/httpc/DebugLogger.h create mode 100644 base/tps/src/include/httpClient/httpc/Defines.h create mode 100644 base/tps/src/include/httpClient/httpc/ErrorLogger.h create mode 100644 base/tps/src/include/httpClient/httpc/Iterator.h create mode 100644 base/tps/src/include/httpClient/httpc/LogRotationTask.h create mode 100644 base/tps/src/include/httpClient/httpc/Logger.h create mode 100644 base/tps/src/include/httpClient/httpc/NSPRerrs.h create mode 100644 base/tps/src/include/httpClient/httpc/PSBuddy.h create mode 100644 base/tps/src/include/httpClient/httpc/PSBuddyCache.h create mode 100644 base/tps/src/include/httpClient/httpc/PSBuddyList.h create mode 100644 base/tps/src/include/httpClient/httpc/PSBuddyListener.h create mode 100644 base/tps/src/include/httpClient/httpc/PSBuddyService.h create mode 100644 base/tps/src/include/httpClient/httpc/PSCertExtension.h create mode 100644 base/tps/src/include/httpClient/httpc/PSCommonLib.h create mode 100644 base/tps/src/include/httpClient/httpc/PSConfig.h create mode 100644 base/tps/src/include/httpClient/httpc/PSConfigManager.h create mode 100644 base/tps/src/include/httpClient/httpc/PSConfigReader.h create mode 100644 base/tps/src/include/httpClient/httpc/PSCrypt.h create mode 100644 base/tps/src/include/httpClient/httpc/PSDataSourceListener.h create mode 100644 base/tps/src/include/httpClient/httpc/PSDataSourceManager.h create mode 100644 base/tps/src/include/httpClient/httpc/PSGroup.h create mode 100644 base/tps/src/include/httpClient/httpc/PSGroupCache.h create mode 100644 base/tps/src/include/httpClient/httpc/PSHelper.h create mode 100644 base/tps/src/include/httpClient/httpc/PSListener.h create mode 100644 base/tps/src/include/httpClient/httpc/PSPRUtil.h create mode 100644 
base/tps/src/include/httpClient/httpc/PSPlugin.h create mode 100644 base/tps/src/include/httpClient/httpc/PSPluginManager.h create mode 100644 base/tps/src/include/httpClient/httpc/PSServer.h create mode 100644 base/tps/src/include/httpClient/httpc/PSServerLib.h create mode 100644 base/tps/src/include/httpClient/httpc/PSServerListener.h create mode 100644 base/tps/src/include/httpClient/httpc/PSServerManager.h create mode 100644 base/tps/src/include/httpClient/httpc/PSServiceListener.h create mode 100644 base/tps/src/include/httpClient/httpc/PSServiceManager.h create mode 100644 base/tps/src/include/httpClient/httpc/PSUser.h create mode 100644 base/tps/src/include/httpClient/httpc/PSWaspLib.h create mode 100644 base/tps/src/include/httpClient/httpc/Pool.h create mode 100644 base/tps/src/include/httpClient/httpc/PresenceManager.h create mode 100644 base/tps/src/include/httpClient/httpc/PresenceServer.h create mode 100644 base/tps/src/include/httpClient/httpc/PresenceServerImpl.h create mode 100644 base/tps/src/include/httpClient/httpc/SECerrs.h create mode 100644 base/tps/src/include/httpClient/httpc/SSLServerSocket.h create mode 100644 base/tps/src/include/httpClient/httpc/SSLSocket.h create mode 100644 base/tps/src/include/httpClient/httpc/SSLerrs.h create mode 100644 base/tps/src/include/httpClient/httpc/ScheduledTask.h create mode 100644 base/tps/src/include/httpClient/httpc/Scheduler.h create mode 100644 base/tps/src/include/httpClient/httpc/SecurityHeaders.h create mode 100644 base/tps/src/include/httpClient/httpc/ServerConnection.h create mode 100644 base/tps/src/include/httpClient/httpc/ServerHeaderProcessor.h create mode 100644 base/tps/src/include/httpClient/httpc/ServerSocket.h create mode 100644 base/tps/src/include/httpClient/httpc/Socket.h create mode 100644 base/tps/src/include/httpClient/httpc/SocketINC.h create mode 100644 base/tps/src/include/httpClient/httpc/SocketLib.h create mode 100644 base/tps/src/include/httpClient/httpc/StringList.h create 
mode 100644 base/tps/src/include/httpClient/httpc/StringUtil.h create mode 100644 base/tps/src/include/httpClient/httpc/TaskList.h create mode 100644 base/tps/src/include/httpClient/httpc/ThreadPool.h create mode 100644 base/tps/src/include/httpClient/httpc/URLUtil.h create mode 100644 base/tps/src/include/httpClient/httpc/engine.h create mode 100644 base/tps/src/include/httpClient/httpc/http.h create mode 100644 base/tps/src/include/httpClient/httpc/request.h create mode 100644 base/tps/src/include/httpClient/httpc/response.h create mode 100644 base/tps/src/include/main/AttributeSpec.h create mode 100644 base/tps/src/include/main/AuthenticationEntry.h create mode 100644 base/tps/src/include/main/Base.h create mode 100644 base/tps/src/include/main/Buffer.h create mode 100644 base/tps/src/include/main/ConfigStore.h create mode 100644 base/tps/src/include/main/LogFile.h create mode 100644 base/tps/src/include/main/Login.h create mode 100644 base/tps/src/include/main/Memory.h create mode 100644 base/tps/src/include/main/MemoryMgr.h create mode 100644 base/tps/src/include/main/NameValueSet.h create mode 100644 base/tps/src/include/main/ObjectSpec.h create mode 100644 base/tps/src/include/main/PKCS11Obj.h create mode 100644 base/tps/src/include/main/PublishEntry.h create mode 100644 base/tps/src/include/main/RA_Context.h create mode 100644 base/tps/src/include/main/RA_Msg.h create mode 100644 base/tps/src/include/main/RA_Session.h create mode 100644 base/tps/src/include/main/RA_pblock.h create mode 100644 base/tps/src/include/main/RollingLogFile.h create mode 100644 base/tps/src/include/main/SecureId.h create mode 100644 base/tps/src/include/main/Util.h create mode 100644 base/tps/src/include/modules/tps/AP_Context.h create mode 100644 base/tps/src/include/modules/tps/AP_Session.h create mode 100644 base/tps/src/include/msg/RA_ASQ_Request_Msg.h create mode 100644 base/tps/src/include/msg/RA_ASQ_Response_Msg.h create mode 100644 base/tps/src/include/msg/RA_Begin_Op_Msg.h 
create mode 100644 base/tps/src/include/msg/RA_End_Op_Msg.h create mode 100644 base/tps/src/include/msg/RA_Extended_Login_Request_Msg.h create mode 100644 base/tps/src/include/msg/RA_Extended_Login_Response_Msg.h create mode 100644 base/tps/src/include/msg/RA_Login_Request_Msg.h create mode 100644 base/tps/src/include/msg/RA_Login_Response_Msg.h create mode 100644 base/tps/src/include/msg/RA_New_Pin_Request_Msg.h create mode 100644 base/tps/src/include/msg/RA_New_Pin_Response_Msg.h create mode 100644 base/tps/src/include/msg/RA_SecureId_Request_Msg.h create mode 100644 base/tps/src/include/msg/RA_SecureId_Response_Msg.h create mode 100644 base/tps/src/include/msg/RA_Status_Update_Request_Msg.h create mode 100644 base/tps/src/include/msg/RA_Status_Update_Response_Msg.h create mode 100644 base/tps/src/include/msg/RA_Token_PDU_Request_Msg.h create mode 100644 base/tps/src/include/msg/RA_Token_PDU_Response_Msg.h create mode 100644 base/tps/src/include/processor/RA_Enroll_Processor.h create mode 100644 base/tps/src/include/processor/RA_Format_Processor.h create mode 100644 base/tps/src/include/processor/RA_Pin_Reset_Processor.h create mode 100644 base/tps/src/include/processor/RA_Processor.h create mode 100644 base/tps/src/include/processor/RA_Renew_Processor.h create mode 100644 base/tps/src/include/processor/RA_Unblock_Processor.h create mode 100644 base/tps/src/include/publisher/IConnector.h create mode 100644 base/tps/src/include/publisher/IPublish_Data.h create mode 100644 base/tps/src/include/publisher/IPublisher.h create mode 100644 base/tps/src/include/publisher/NetkeyPublisher.h create mode 100644 base/tps/src/include/selftests/SelfTest.h create mode 100644 base/tps/src/include/selftests/TPSPresence.h create mode 100644 base/tps/src/include/selftests/TPSSystemCertsVerification.h create mode 100644 base/tps/src/include/selftests/TPSValidity.h create mode 100644 base/tps/src/include/service/NK_Context.h create mode 100644 base/tps/src/include/service/NK_Session.h 
create mode 100644 base/tps/src/include/tus/tus_db.h create mode 100644 base/tps/src/main/AttributeSpec.cpp create mode 100644 base/tps/src/main/AuthParams.cpp create mode 100644 base/tps/src/main/Authentication.cpp create mode 100644 base/tps/src/main/AuthenticationEntry.cpp create mode 100644 base/tps/src/main/Buffer.cpp create mode 100644 base/tps/src/main/ConfigStore.cpp create mode 100644 base/tps/src/main/LogFile.cpp create mode 100644 base/tps/src/main/Login.cpp create mode 100644 base/tps/src/main/Memory.cpp create mode 100644 base/tps/src/main/NameValueSet.cpp create mode 100644 base/tps/src/main/ObjectSpec.cpp create mode 100644 base/tps/src/main/PKCS11Obj.cpp create mode 100644 base/tps/src/main/RA_Context.cpp create mode 100644 base/tps/src/main/RA_Msg.cpp create mode 100644 base/tps/src/main/RA_Session.cpp create mode 100644 base/tps/src/main/RA_pblock.cpp create mode 100644 base/tps/src/main/RollingLogFile.cpp create mode 100644 base/tps/src/main/SecureId.cpp create mode 100644 base/tps/src/main/Util.cpp create mode 100644 base/tps/src/modules/CMakeLists.txt create mode 100644 base/tps/src/modules/tokendb/CMakeLists.txt create mode 100644 base/tps/src/modules/tokendb/mod_tokendb.cpp create mode 100644 base/tps/src/modules/tps/AP_Context.cpp create mode 100644 base/tps/src/modules/tps/AP_Session.cpp create mode 100644 base/tps/src/modules/tps/CMakeLists.txt create mode 100644 base/tps/src/modules/tps/mod_tps.cpp create mode 100644 base/tps/src/msg/RA_ASQ_Request_Msg.cpp create mode 100644 base/tps/src/msg/RA_ASQ_Response_Msg.cpp create mode 100644 base/tps/src/msg/RA_Begin_Op_Msg.cpp create mode 100644 base/tps/src/msg/RA_End_Op_Msg.cpp create mode 100644 base/tps/src/msg/RA_Extended_Login_Request_Msg.cpp create mode 100644 base/tps/src/msg/RA_Extended_Login_Response_Msg.cpp create mode 100644 base/tps/src/msg/RA_Login_Request_Msg.cpp create mode 100644 base/tps/src/msg/RA_Login_Response_Msg.cpp create mode 100644 
base/tps/src/msg/RA_New_Pin_Request_Msg.cpp create mode 100644 base/tps/src/msg/RA_New_Pin_Response_Msg.cpp create mode 100644 base/tps/src/msg/RA_SecureId_Request_Msg.cpp create mode 100644 base/tps/src/msg/RA_SecureId_Response_Msg.cpp create mode 100644 base/tps/src/msg/RA_Status_Update_Request_Msg.cpp create mode 100644 base/tps/src/msg/RA_Status_Update_Response_Msg.cpp create mode 100644 base/tps/src/msg/RA_Token_PDU_Request_Msg.cpp create mode 100644 base/tps/src/msg/RA_Token_PDU_Response_Msg.cpp create mode 100644 base/tps/src/processor/RA_Enroll_Processor.cpp create mode 100644 base/tps/src/processor/RA_Format_Processor.cpp create mode 100644 base/tps/src/processor/RA_Pin_Reset_Processor.cpp create mode 100644 base/tps/src/processor/RA_Processor.cpp create mode 100644 base/tps/src/processor/RA_Renew_Processor.cpp create mode 100644 base/tps/src/processor/RA_Unblock_Processor.cpp create mode 100644 base/tps/src/selftests/SelfTest.cpp create mode 100644 base/tps/src/selftests/TPSPresence.cpp create mode 100644 base/tps/src/selftests/TPSSystemCertsVerification.cpp create mode 100644 base/tps/src/selftests/TPSValidity.cpp create mode 100644 base/tps/src/test/Test_ConfigStore.cfg create mode 100644 base/tps/src/test/Test_ConfigStore.cpp create mode 100644 base/tps/src/tus/CMakeLists.txt create mode 100644 base/tps/src/tus/tus_db.c create mode 100644 base/tps/stubs/modules/nss/mod_nss_stub.c create mode 100644 base/tps/tools/CMakeLists.txt create mode 100644 base/tps/tools/raclient/CMakeLists.txt create mode 100644 base/tps/tools/raclient/RA_Client.cpp create mode 100644 base/tps/tools/raclient/RA_Client.h create mode 100644 base/tps/tools/raclient/RA_Conn.cpp create mode 100644 base/tps/tools/raclient/RA_Conn.h create mode 100644 base/tps/tools/raclient/RA_Token.cpp create mode 100644 base/tps/tools/raclient/RA_Token.h create mode 100644 base/tps/tools/raclient/enroll.tps create mode 100644 base/tps/tools/raclient/enroll1.test create mode 100644 
base/tps/tools/raclient/format.tps create mode 100644 base/tps/tools/raclient/nt_enroll.test create mode 100644 base/tps/tools/raclient/readme.txt create mode 100644 base/tps/tools/raclient/reset_pin.tps create mode 100644 base/tps/tools/raclient/reset_pin1.test create mode 100644 base/tps/tools/raclient/reset_pin2.test create mode 100644 base/tps/tools/tus/add.c create mode 100644 base/tps/tools/tus/test.c create mode 100755 base/tps/ui/perl/Velocity.pm create mode 100755 base/tps/wrappers/tpsclient.in create mode 100644 base/util/CMakeLists.txt create mode 100644 base/util/LICENSE create mode 100644 base/util/src/CMakeLists.txt create mode 100644 base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java create mode 100644 base/util/src/com/netscape/cmsutil/crypto/Module.java create mode 100644 base/util/src/com/netscape/cmsutil/crypto/Token.java create mode 100644 base/util/src/com/netscape/cmsutil/http/ConnectAsync.java create mode 100644 base/util/src/com/netscape/cmsutil/http/Http.java create mode 100644 base/util/src/com/netscape/cmsutil/http/HttpClient.java create mode 100644 base/util/src/com/netscape/cmsutil/http/HttpEofException.java create mode 100644 base/util/src/com/netscape/cmsutil/http/HttpMessage.java create mode 100644 base/util/src/com/netscape/cmsutil/http/HttpProtocolException.java create mode 100644 base/util/src/com/netscape/cmsutil/http/HttpRequest.java create mode 100644 base/util/src/com/netscape/cmsutil/http/HttpResponse.java create mode 100644 base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java create mode 100644 base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java create mode 100644 base/util/src/com/netscape/cmsutil/net/ISocketFactory.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/BasicOCSPResponse.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/CertID.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/CertStatus.java create mode 100644 
base/util/src/com/netscape/cmsutil/ocsp/GoodInfo.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/KeyHashID.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/NameID.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/OCSPRequest.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/OCSPResponse.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/OCSPResponseStatus.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/Request.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/ResponderID.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/Response.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/ResponseBytes.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/ResponseData.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/RevokedInfo.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/Signature.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/SingleResponse.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/TBSRequest.java create mode 100644 base/util/src/com/netscape/cmsutil/ocsp/UnknownInfo.java create mode 100644 base/util/src/com/netscape/cmsutil/password/IPasswordReader.java create mode 100644 base/util/src/com/netscape/cmsutil/password/IPasswordStore.java create mode 100644 base/util/src/com/netscape/cmsutil/password/IPasswordWriter.java create mode 100644 base/util/src/com/netscape/cmsutil/password/PlainPasswordFile.java create mode 100644 base/util/src/com/netscape/cmsutil/password/PlainPasswordReader.java create mode 100644 base/util/src/com/netscape/cmsutil/password/PlainPasswordWriter.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/AccessAccept.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/AccessChallenge.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/AccessReject.java create mode 100644 
base/util/src/com/netscape/cmsutil/radius/AccessRequest.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/Attribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/AttributeFactory.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/AttributeSet.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/Authenticator.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/CHAPChallengeAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/CHAPPasswordAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/CallbackIdAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/CallbackNumberAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/CallerStationIdAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/CallingStationIdAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/ChallengeException.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/FilterIdAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/FramedAppleTalkLinkAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/FramedAppleTalkNetworkAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/FramedAppleTalkZoneAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/FramedCompressionAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/FramedIPAddressAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/FramedIPNetmaskAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/FramedIPXNetworkAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/FramedMTUAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/FramedProtocolAttribute.java create mode 100644 
base/util/src/com/netscape/cmsutil/radius/FramedRouteAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/FramedRoutingAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/GenericAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/IdleTimeoutAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/LoginIPHostAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/LoginLATGroupAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/LoginLATNodeAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/LoginLATPortAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/LoginLATServiceAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/LoginServiceAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/LoginTCPPortAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/NASClassAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/NASIPAddressAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/NASIdentifierAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/NASPacket.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/NASPortAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/NASPortTypeAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/Packet.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/PacketFactory.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/PortLimitAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/ProxyStateAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/RadiusConn.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/RejectException.java create mode 100644 
base/util/src/com/netscape/cmsutil/radius/ReplyMessageAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/RequestAuthenticator.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/ResponseAuthenticator.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/ServerPacket.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/ServiceTypeAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/SessionTimeoutAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/StateAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/TerminationActionAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/UserNameAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/UserPasswordAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/radius/VendorSpecificAttribute.java create mode 100644 base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java create mode 100644 base/util/src/com/netscape/cmsutil/util/Cert.java create mode 100644 base/util/src/com/netscape/cmsutil/util/Fmt.java create mode 100644 base/util/src/com/netscape/cmsutil/util/HMACDigest.java create mode 100644 base/util/src/com/netscape/cmsutil/util/Utils.java create mode 100644 base/util/src/com/netscape/cmsutil/xml/XMLObject.java create mode 100644 base/util/src/netscape/net/NetworkClient.java create mode 100644 base/util/src/netscape/net/TransferProtocolClient.java create mode 100644 base/util/src/netscape/net/smtp/SmtpClient.java create mode 100644 base/util/src/netscape/net/smtp/SmtpProtocolException.java create mode 100644 base/util/src/netscape/security/acl/AclEntryImpl.java create mode 100644 base/util/src/netscape/security/acl/AclImpl.java create mode 100644 base/util/src/netscape/security/acl/AllPermissionsImpl.java create mode 100644 base/util/src/netscape/security/acl/GroupImpl.java create mode 100644 
base/util/src/netscape/security/acl/OwnerImpl.java create mode 100644 base/util/src/netscape/security/acl/PermissionImpl.java create mode 100644 base/util/src/netscape/security/acl/PrincipalImpl.java create mode 100644 base/util/src/netscape/security/acl/WorldGroupImpl.java create mode 100644 base/util/src/netscape/security/extensions/AccessDescription.java create mode 100644 base/util/src/netscape/security/extensions/AuthInfoAccessExtension.java create mode 100644 base/util/src/netscape/security/extensions/CertInfo.java create mode 100644 base/util/src/netscape/security/extensions/CertificateRenewalWindowExtension.java create mode 100644 base/util/src/netscape/security/extensions/CertificateScopeEntry.java create mode 100644 base/util/src/netscape/security/extensions/CertificateScopeOfUseExtension.java create mode 100644 base/util/src/netscape/security/extensions/ExtendedKeyUsageExtension.java create mode 100644 base/util/src/netscape/security/extensions/GenericASN1Extension.java create mode 100644 base/util/src/netscape/security/extensions/InhibitAnyPolicyExtension.java create mode 100644 base/util/src/netscape/security/extensions/KerberosName.java create mode 100644 base/util/src/netscape/security/extensions/NSCertTypeExtension.java create mode 100644 base/util/src/netscape/security/extensions/OCSPNoCheckExtension.java create mode 100644 base/util/src/netscape/security/extensions/PresenceServerExtension.java create mode 100644 base/util/src/netscape/security/extensions/SubjectInfoAccessExtension.java create mode 100644 base/util/src/netscape/security/pkcs/ContentInfo.java create mode 100644 base/util/src/netscape/security/pkcs/EncodingException.java create mode 100644 base/util/src/netscape/security/pkcs/PKCS10.java create mode 100644 base/util/src/netscape/security/pkcs/PKCS10Attribute.java create mode 100644 base/util/src/netscape/security/pkcs/PKCS10Attributes.java create mode 100644 base/util/src/netscape/security/pkcs/PKCS7.java create mode 100644 
base/util/src/netscape/security/pkcs/PKCS8Key.java create mode 100644 base/util/src/netscape/security/pkcs/PKCS9Attribute.java create mode 100644 base/util/src/netscape/security/pkcs/PKCS9Attributes.java create mode 100644 base/util/src/netscape/security/pkcs/ParsingException.java create mode 100644 base/util/src/netscape/security/pkcs/SignerInfo.java create mode 100644 base/util/src/netscape/security/provider/CMS.java create mode 100644 base/util/src/netscape/security/provider/DSA.java create mode 100755 base/util/src/netscape/security/provider/DSAKeyFactory.java create mode 100644 base/util/src/netscape/security/provider/DSAKeyPairGenerator.java create mode 100755 base/util/src/netscape/security/provider/DSAParameterGenerator.java create mode 100755 base/util/src/netscape/security/provider/DSAParameters.java create mode 100644 base/util/src/netscape/security/provider/DSAPrivateKey.java create mode 100644 base/util/src/netscape/security/provider/DSAPublicKey.java create mode 100644 base/util/src/netscape/security/provider/MD5.java create mode 100644 base/util/src/netscape/security/provider/RSAPublicKey.java create mode 100644 base/util/src/netscape/security/provider/SHA.java create mode 100644 base/util/src/netscape/security/provider/Sun.java create mode 100644 base/util/src/netscape/security/provider/X509CertificateFactory.java create mode 100644 base/util/src/netscape/security/util/ASN1CharStrConvMap.java create mode 100644 base/util/src/netscape/security/util/ASN1CharsetProvider.java create mode 100644 base/util/src/netscape/security/util/BigInt.java create mode 100644 base/util/src/netscape/security/util/BitArray.java create mode 100644 base/util/src/netscape/security/util/ByteArrayLexOrder.java create mode 100644 base/util/src/netscape/security/util/ByteArrayTagOrder.java create mode 100644 base/util/src/netscape/security/util/CertPrettyPrint.java create mode 100644 base/util/src/netscape/security/util/CrlPrettyPrint.java create mode 100644 
base/util/src/netscape/security/util/DerEncoder.java create mode 100644 base/util/src/netscape/security/util/DerInputBuffer.java create mode 100644 base/util/src/netscape/security/util/DerInputStream.java create mode 100644 base/util/src/netscape/security/util/DerOutputStream.java create mode 100644 base/util/src/netscape/security/util/DerValue.java create mode 100644 base/util/src/netscape/security/util/ExtPrettyPrint.java create mode 100644 base/util/src/netscape/security/util/IA5Charset.java create mode 100644 base/util/src/netscape/security/util/IA5CharsetDecoder.java create mode 100644 base/util/src/netscape/security/util/IA5CharsetEncoder.java create mode 100644 base/util/src/netscape/security/util/ObjectIdentifier.java create mode 100644 base/util/src/netscape/security/util/PrettyPrintFormat.java create mode 100644 base/util/src/netscape/security/util/PrettyPrintResources.java create mode 100644 base/util/src/netscape/security/util/PrintableCharset.java create mode 100644 base/util/src/netscape/security/util/PrintableCharsetDecoder.java create mode 100644 base/util/src/netscape/security/util/PrintableCharsetEncoder.java create mode 100644 base/util/src/netscape/security/util/PubKeyPrettyPrint.java create mode 100644 base/util/src/netscape/security/util/UniversalCharset.java create mode 100644 base/util/src/netscape/security/util/UniversalCharsetDecoder.java create mode 100644 base/util/src/netscape/security/util/UniversalCharsetEncoder.java create mode 100755 base/util/src/netscape/security/x509/ACertAttrSet.java create mode 100644 base/util/src/netscape/security/x509/AVA.java create mode 100644 base/util/src/netscape/security/x509/AVAValueConverter.java create mode 100644 base/util/src/netscape/security/x509/AlgIdDSA.java create mode 100644 base/util/src/netscape/security/x509/AlgorithmId.java create mode 100644 base/util/src/netscape/security/x509/Attribute.java create mode 100644 base/util/src/netscape/security/x509/AuthorityKeyIdentifierExtension.java 
create mode 100644 base/util/src/netscape/security/x509/BasicConstraintsExtension.java create mode 100644 base/util/src/netscape/security/x509/CPSuri.java create mode 100644 base/util/src/netscape/security/x509/CRLDistributionPoint.java create mode 100644 base/util/src/netscape/security/x509/CRLDistributionPointsExtension.java create mode 100755 base/util/src/netscape/security/x509/CRLExtensions.java create mode 100755 base/util/src/netscape/security/x509/CRLNumberExtension.java create mode 100644 base/util/src/netscape/security/x509/CRLReasonExtension.java create mode 100644 base/util/src/netscape/security/x509/CertAndKeyGen.java create mode 100755 base/util/src/netscape/security/x509/CertAttrSet.java create mode 100644 base/util/src/netscape/security/x509/CertException.java create mode 100644 base/util/src/netscape/security/x509/CertParseError.java create mode 100644 base/util/src/netscape/security/x509/CertificateAlgorithmId.java create mode 100644 base/util/src/netscape/security/x509/CertificateChain.java create mode 100644 base/util/src/netscape/security/x509/CertificateExtensions.java create mode 100644 base/util/src/netscape/security/x509/CertificateIssuerExtension.java create mode 100644 base/util/src/netscape/security/x509/CertificateIssuerName.java create mode 100644 base/util/src/netscape/security/x509/CertificateIssuerUniqueIdentity.java create mode 100644 base/util/src/netscape/security/x509/CertificatePoliciesExtension.java create mode 100644 base/util/src/netscape/security/x509/CertificatePolicyId.java create mode 100644 base/util/src/netscape/security/x509/CertificatePolicyInfo.java create mode 100644 base/util/src/netscape/security/x509/CertificatePolicyMap.java create mode 100644 base/util/src/netscape/security/x509/CertificatePolicySet.java create mode 100644 base/util/src/netscape/security/x509/CertificateSerialNumber.java create mode 100644 base/util/src/netscape/security/x509/CertificateSubjectName.java create mode 100644 
base/util/src/netscape/security/x509/CertificateSubjectUniqueIdentity.java create mode 100644 base/util/src/netscape/security/x509/CertificateValidity.java create mode 100644 base/util/src/netscape/security/x509/CertificateVersion.java create mode 100644 base/util/src/netscape/security/x509/CertificateX509Key.java create mode 100644 base/util/src/netscape/security/x509/DNSName.java create mode 100755 base/util/src/netscape/security/x509/DeltaCRLIndicatorExtension.java create mode 100644 base/util/src/netscape/security/x509/DirStrConverter.java create mode 100644 base/util/src/netscape/security/x509/DisplayText.java create mode 100644 base/util/src/netscape/security/x509/EDIPartyName.java create mode 100644 base/util/src/netscape/security/x509/Extension.java create mode 100644 base/util/src/netscape/security/x509/Extensions.java create mode 100644 base/util/src/netscape/security/x509/FreshestCRLExtension.java create mode 100644 base/util/src/netscape/security/x509/GeneralName.java create mode 100644 base/util/src/netscape/security/x509/GeneralNameInterface.java create mode 100644 base/util/src/netscape/security/x509/GeneralNames.java create mode 100644 base/util/src/netscape/security/x509/GeneralNamesException.java create mode 100644 base/util/src/netscape/security/x509/GeneralSubtree.java create mode 100644 base/util/src/netscape/security/x509/GeneralSubtrees.java create mode 100644 base/util/src/netscape/security/x509/GenericValueConverter.java create mode 100644 base/util/src/netscape/security/x509/HoldInstructionExtension.java create mode 100644 base/util/src/netscape/security/x509/IA5StringConverter.java create mode 100644 base/util/src/netscape/security/x509/IPAddressName.java create mode 100644 base/util/src/netscape/security/x509/InvalidIPAddressException.java create mode 100755 base/util/src/netscape/security/x509/InvalidityDateExtension.java create mode 100644 base/util/src/netscape/security/x509/IssuerAlternativeNameExtension.java create mode 100644 
base/util/src/netscape/security/x509/IssuingDistributionPoint.java create mode 100644 base/util/src/netscape/security/x509/IssuingDistributionPointExtension.java create mode 100644 base/util/src/netscape/security/x509/KeyIdentifier.java create mode 100644 base/util/src/netscape/security/x509/KeyUsageExtension.java create mode 100644 base/util/src/netscape/security/x509/LdapDNStrConverter.java create mode 100644 base/util/src/netscape/security/x509/LdapV3DNStrConverter.java create mode 100644 base/util/src/netscape/security/x509/NSCCommentExtension.java create mode 100644 base/util/src/netscape/security/x509/NameConstraintsExtension.java create mode 100644 base/util/src/netscape/security/x509/NoticeReference.java create mode 100644 base/util/src/netscape/security/x509/OIDMap.java create mode 100644 base/util/src/netscape/security/x509/OIDName.java create mode 100644 base/util/src/netscape/security/x509/OtherName.java create mode 100644 base/util/src/netscape/security/x509/PKIXExtensions.java create mode 100644 base/util/src/netscape/security/x509/PolicyConstraint.java create mode 100644 base/util/src/netscape/security/x509/PolicyConstraintsExtension.java create mode 100644 base/util/src/netscape/security/x509/PolicyMappingsExtension.java create mode 100644 base/util/src/netscape/security/x509/PolicyQualifierInfo.java create mode 100644 base/util/src/netscape/security/x509/PolicyQualifiers.java create mode 100644 base/util/src/netscape/security/x509/PrintableConverter.java create mode 100644 base/util/src/netscape/security/x509/PrivateKeyUsageExtension.java create mode 100644 base/util/src/netscape/security/x509/Qualifier.java create mode 100644 base/util/src/netscape/security/x509/RDN.java create mode 100644 base/util/src/netscape/security/x509/RFC1779StrConverter.java create mode 100644 base/util/src/netscape/security/x509/RFC822Name.java create mode 100755 base/util/src/netscape/security/x509/ReasonFlags.java create mode 100644 
base/util/src/netscape/security/x509/RevocationReason.java create mode 100755 base/util/src/netscape/security/x509/RevokedCertImpl.java create mode 100644 base/util/src/netscape/security/x509/RevokedCertificate.java create mode 100644 base/util/src/netscape/security/x509/SerialNumber.java create mode 100644 base/util/src/netscape/security/x509/SubjectAlternativeNameExtension.java create mode 100644 base/util/src/netscape/security/x509/SubjectDirAttributesExtension.java create mode 100644 base/util/src/netscape/security/x509/SubjectKeyIdentifierExtension.java create mode 100644 base/util/src/netscape/security/x509/URIName.java create mode 100644 base/util/src/netscape/security/x509/UniqueIdentity.java create mode 100644 base/util/src/netscape/security/x509/UserNotice.java create mode 100644 base/util/src/netscape/security/x509/X500Name.java create mode 100644 base/util/src/netscape/security/x509/X500NameAttrMap.java create mode 100644 base/util/src/netscape/security/x509/X500Signer.java create mode 100644 base/util/src/netscape/security/x509/X509AttributeName.java create mode 100755 base/util/src/netscape/security/x509/X509CRLImpl.java create mode 100644 base/util/src/netscape/security/x509/X509Cert.java create mode 100755 base/util/src/netscape/security/x509/X509CertImpl.java create mode 100644 base/util/src/netscape/security/x509/X509CertInfo.java create mode 100644 base/util/src/netscape/security/x509/X509ExtensionException.java create mode 100644 base/util/src/netscape/security/x509/X509Key.java create mode 100644 base/util/test/CMakeLists.txt create mode 100644 base/util/test/com/netscape/security/extensions/GenericASN1ExtensionTest.java create mode 100644 base/util/test/com/netscape/security/util/BMPStringTest.java create mode 100644 base/util/test/com/netscape/security/util/IA5StringTest.java create mode 100644 base/util/test/com/netscape/security/util/JSSUtil.java create mode 100644 base/util/test/com/netscape/security/util/PrintableStringTest.java create 
mode 100644 base/util/test/com/netscape/security/util/StringTestUtil.java create mode 100644 base/util/test/com/netscape/security/util/TeletexStringTest.java create mode 100644 base/util/test/com/netscape/security/util/UTF8StringTest.java create mode 100644 base/util/test/com/netscape/security/util/UniversalStringTest.java create mode 100644 base/util/test/com/netscape/security/x509/ConverterTestUtil.java create mode 100644 base/util/test/com/netscape/security/x509/DirStrConverterTest.java create mode 100644 base/util/test/com/netscape/security/x509/GenericValueConverterTest.java create mode 100644 base/util/test/com/netscape/security/x509/IA5StringConverterTest.java create mode 100644 base/util/test/com/netscape/security/x509/PrintableConverterTest.java (limited to 'base')
diff --git a/base/CMakeLists.txt b/base/CMakeLists.txt
new file mode 100644
index 000000000..1c6e909ad
--- /dev/null
+++ b/base/CMakeLists.txt
@@ -0,0 +1,33 @@
+project(base)
+
+# The order is important!
+if (APPLICATION_FLAVOR_PKI_CORE)
+ add_subdirectory(test)
+ add_subdirectory(deploy)
+ add_subdirectory(setup)
+ add_subdirectory(symkey)
+ add_subdirectory(native-tools)
+ add_subdirectory(util)
+ add_subdirectory(java-tools)
+ add_subdirectory(common)
+ add_subdirectory(selinux)
+ add_subdirectory(ca)
+ add_subdirectory(kra)
+ add_subdirectory(ocsp)
+ add_subdirectory(tks)
+ add_subdirectory(silent)
+endif (APPLICATION_FLAVOR_PKI_CORE)
+if (APPLICATION_FLAVOR_PKI_RA)
+ add_subdirectory(ra)
+endif (APPLICATION_FLAVOR_PKI_RA)
+if (APPLICATION_FLAVOR_PKI_TPS)
+ add_subdirectory(tps)
+endif (APPLICATION_FLAVOR_PKI_TPS)
+if (APPLICATION_FLAVOR_PKI_CONSOLE)
+ add_subdirectory(test)
+ add_subdirectory(console)
+endif (APPLICATION_FLAVOR_PKI_CONSOLE)
+if (APPLICATION_FLAVOR_PKI_MIGRATE)
+ add_subdirectory(test)
+ add_subdirectory(migrate)
+endif (APPLICATION_FLAVOR_PKI_MIGRATE)
diff --git a/base/ca/CMakeLists.txt b/base/ca/CMakeLists.txt
new file mode 100644
index 000000000..153208c2d
--- /dev/null
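Review bot: `add_subdirectory(test)` is issued in three separate flavor branches (PKI_CORE, PKI_CONSOLE and PKI_MIGRATE); if more than one of those flavors is enabled in the same configure run, CMake rejects the second call because the `test` source directory is already bound to a binary directory. If the flavors are intended to be mutually exclusive, the file does not say so, and the comment `# The order is important!` does not explain which dependency forces the order. Hoisting the shared call ahead of the flavor blocks removes the fragility: `if (APPLICATION_FLAVOR_PKI_CORE OR APPLICATION_FLAVOR_PKI_CONSOLE OR APPLICATION_FLAVOR_PKI_MIGRATE)` / `add_subdirectory(test)` / `endif ()`. The comment could then say what the order depends on, e.g. `# util and common must be configured before the subsystems that link against them`, if that is the actual constraint.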
+++ b/base/ca/CMakeLists.txt
@@ -0,0 +1,64 @@
+project(ca Java)
+
+add_subdirectory(src)
+add_subdirectory(setup)
+add_subdirectory(shared/conf)
+
+# install systemd scripts
+install(
+ FILES
+ shared/lib/systemd/system/pki-cad.target
+ shared/lib/systemd/system/pki-cad@.service
+ DESTINATION
+ ${SYSTEMD_LIB_INSTALL_DIR}
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
+# install init script
+install(
+ FILES
+ shared/etc/init.d/pki-cad
+ DESTINATION
+ ${SYSCONF_INSTALL_DIR}/rc.d/init.d
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+)
+
+# install directories
+install(
+ DIRECTORY
+ shared/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
+ PATTERN
+ "CMakeLists.txt" EXCLUDE
+ PATTERN
+ "etc/*" EXCLUDE
+ PATTERN
+ "conf/CS.cfg.in" EXCLUDE
+ PATTERN
+ "lib/*" EXCLUDE
+)
+
+# install empty directories
+install(
+ DIRECTORY
+ DESTINATION
+ ${VAR_INSTALL_DIR}/lock/pki/ca
+)
+
+install(
+ DIRECTORY
+ DESTINATION
+ ${VAR_INSTALL_DIR}/run/pki/ca
+)
+
+install(
+ DIRECTORY
+ DESTINATION
+ ${SYSTEMD_ETC_INSTALL_DIR}/pki-cad.target.wants
+)
diff --git a/base/ca/LICENSE b/base/ca/LICENSE
new file mode 100644
index 000000000..e281f4362
--- /dev/null
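Review bot: The systemd unit files `pki-cad.target` and `pki-cad@.service` are installed with OWNER_EXECUTE, GROUP_EXECUTE and WORLD_EXECUTE set, but unit files are configuration read by systemd and never executed, so the execute bits grant nothing useful and deviate from the usual 0644 for files under the systemd lib directory; the PERMISSIONS block for that `install(FILES ...)` should read `OWNER_WRITE OWNER_READ` / `GROUP_READ` / `WORLD_READ`. The comment `# install systemd scripts` reinforces the confusion and would be clearer as `# install systemd unit files`. Separately, the three empty-directory installs under `${VAR_INSTALL_DIR}/lock/pki/ca`, `${VAR_INSTALL_DIR}/run/pki/ca` and the `pki-cad.target.wants` directory specify no DIRECTORY_PERMISSIONS, so they are created with CMake's default mode; if the CA instance runs as an unprivileged service user and writes lock or pid files there, that ownership and mode presumably has to be fixed up elsewhere, which is worth a comment at this point so the dependency is visible.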
@@ -0,0 +1,291 @@ +This Program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published +by the Free Software Foundation; version 2 of the License. + +This Program is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +for more details. + +You should have received a copy of the GNU General Public License +along with this Program; if not, write to the Free Software +Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. 
+ + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. 
The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. 
+ + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. 
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
diff --git a/base/ca/setup/CMakeLists.txt b/base/ca/setup/CMakeLists.txt
new file mode 100644
index 000000000..f5f069cdb
--- /dev/null
+++ b/base/ca/setup/CMakeLists.txt
@@ -0,0 +1,8 @@
+set(VERSION ${APPLICATION_VERSION})
+
+install(
+ FILES
+ registry_instance
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/setup
+)
diff --git a/base/ca/setup/registry_instance b/base/ca/setup/registry_instance
new file mode 100644
index 000000000..3210b9131
--- /dev/null
+++ b/base/ca/setup/registry_instance
@@ -0,0 +1,63 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_FLAVOR=[PKI_FLAVOR]
+export PKI_FLAVOR
+
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+export PKI_SUBSYSTEM_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]
+export PKI_INSTANCE_PATH
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_SERVER_XML_CONF=[PKI_SERVER_XML_CONF]
+export PKI_SERVER_XML_CONF
+
+# Use CATALINA_BASE
+
+CATALINA_BASE=$PKI_INSTANCE_PATH
+export CATALINA_BASE
+
+TOMCAT_PROG=$PKI_INSTANCE_ID
+export TOMCAT_PROG
+
+TOMCAT_USER=$PKI_USER
+export TOMCAT_USER
+
+TOMCAT_GROUP=$PKI_GROUP
+export TOMCAT_GROUP
+
+PKI_LOCKDIR="/var/lock/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+export PKI_LOCKDIR
+
+PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}"
+export PKI_LOCKFILE
+
+PKI_PIDDIR="/var/run/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+export PKI_PIDDIR
+
+PKI_PIDFILE="${PKI_PIDDIR}/${PKI_INSTANCE_ID}.pid"
+export PKI_PIDFILE
+
+TOMCAT_LOCKFILE=/var/lock/subsys/${PKI_INSTANCE_ID}
+export TOMCAT_LOCKFILE
+
+TOMCAT_PIDFILE=[TOMCAT_PIDFILE]
+export TOMCAT_PIDFILE
+
+pki_instance_configuration_file=${PKI_INSTANCE_PATH}/conf/CS.cfg
+export pki_instance_configuration_file
+
+RESTART_SERVER=${PKI_INSTANCE_PATH}/conf/restart_server_after_configuration
+export RESTART_SERVER
diff --git a/base/ca/shared/conf/CMakeLists.txt b/base/ca/shared/conf/CMakeLists.txt
new file mode 100644
index 000000000..e3cef5915
--- /dev/null
+++ b/base/ca/shared/conf/CMakeLists.txt
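Review bot: Quoting and naming are inconsistent within the new registry_instance file: `PKI_LOCKDIR`, `PKI_LOCKFILE`, `PKI_PIDDIR` and `PKI_PIDFILE` are double-quoted, while `TOMCAT_LOCKFILE`, `pki_instance_configuration_file` and `RESTART_SERVER` expand `${PKI_INSTANCE_ID}`/`${PKI_INSTANCE_PATH}` unquoted, and `pki_instance_configuration_file` is the only lower-case exported name among otherwise upper-case ones. Shell assignments do not word-split, so the behaviour is the same either way, but a reader has to check each line separately; quoting them uniformly, e.g. `TOMCAT_LOCKFILE="/var/lock/subsys/${PKI_INSTANCE_ID}"`, makes the intent clear. The header comment also does not say how the file is consumed: it appears to be sourced rather than executed (no shebang, only assignments and exports) and the `[SLOT]` tokens are presumably replaced when the instance is created, so a second header line such as `# Sourced by the instance init script; [SLOT] tokens are substituted at instance creation` would document the contract, if that is indeed how it is used.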
@@ -0,0 +1,12 @@
+set(VERSION ${APPLICATION_VERSION})
+set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR})
+set(MINOR_VERSION ${APPLICATION_VERSION_MINOR})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+ FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
new file mode 100644
index 000000000..980ed5854
--- /dev/null
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -0,0 +1,1108 @@
+_000=##
+_001=## Certificate Authority (CA) Configuration File
+_002=##
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
+pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT]
+pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT]
+pkicreate.ee_secure_client_auth_port=[PKI_EE_SECURE_CLIENT_AUTH_PORT]
+pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT]
+pkicreate.secure_port=[PKI_SECURE_PORT]
+pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
+pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT]
+pkicreate.user=[PKI_USER]
+pkicreate.arg11.group=[PKI_GROUP]
+pkicreate.systemd.servicename=[PKI_SYSTEMD_SERVICENAME]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
+installDate=[INSTALL_TIME]
+preop.wizard.name=CA Setup Wizard
+preop.product.name=CS
+preop.product.version=@VERSION@
+preop.system.name=CA
+preop.system.fullname=Certificate Authority
+proxy.securePort=[PKI_PROXY_SECURE_PORT]
+proxy.unsecurePort=[PKI_PROXY_UNSECURE_PORT]
+cs.state._000=##
+cs.state._001=## cs.state=0 (pre-operational)
+cs.state._002=## cs.state=1 (running)
+cs.state._003=##
+cs.state=0
+cs.type=CA
+authType=pwd
+admin.interface.uri=ca/admin/console/config/wizard
+ee.interface.uri=ca/ee/ca
+agent.interface.uri=ca/agent/ca
+preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445
+securitydomain.flushinterval=86400000
+securitydomain.source=ldap
+securitydomain.checkinterval=300000
+instanceRoot=[PKI_INSTANCE_PATH]
+machineName=[PKI_MACHINE_NAME]
+instanceId=[PKI_INSTANCE_ID]
+pidDir=[PKI_PIDDIR]
+service.machineName=[PKI_MACHINE_NAME]
+service.instanceDir=[PKI_INSTANCE_ROOT]
+service.securePort=[PKI_AGENT_SECURE_PORT]
+service.non_clientauth_securePort=[PKI_EE_SECURE_PORT]
+service.clientauth_securePort=[PKI_EE_SECURE_CLIENT_AUTH_PORT]
+service.unsecurePort=[PKI_UNSECURE_PORT]
+service.instanceID=[PKI_INSTANCE_ID]
+preop.admin.name=Certificate System Administrator
+preop.admin.group=Certificate Manager Agents
+preop.admincert.profile=caAdminCert
+preop.pin=[PKI_RANDOM_NUMBER]
+ca.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
+ca.cert.signing.certusage=SSLCA
+ca.cert.ocsp_signing.certusage=StatusResponder
+ca.cert.sslserver.certusage=SSLServer
+ca.cert.subsystem.certusage=SSLClient
+ca.cert.audit_signing.certusage=ObjectSigner
+preop.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
+preop.cert.rsalist=audit_signing
+preop.cert.signing.enable=true
+preop.cert.ocsp_signing.enable=true
+preop.cert.sslserver.enable=true
+preop.cert.subsystem.enable=true
+preop.cert.audit_signing.enable=true
+preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.signing.dn=CN=Certificate Authority
+preop.cert.signing.cncomponent.override=true
+preop.cert.signing.keysize.size=2048
+preop.cert.signing.keysize.custom_size=2048
+preop.cert.signing.nickname=caSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.signing.profile=caCert.profile
+preop.cert.signing.signing.required=true
+preop.cert.signing.subsystem=ca
+preop.cert.signing.type=selfsign
+preop.cert.signing.userfriendlyname=CA Signing Certificate
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.audit_signing.dn=CN=CA Audit Signing Certificate
+preop.cert.audit_signing.keysize.custom_size=2048
+preop.cert.audit_signing.keysize.size=2048
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.audit_signing.profile=caAuditSigningCert.profile
+preop.cert.audit_signing.signing.required=false
+preop.cert.audit_signing.subsystem=ca
+preop.cert.audit_signing.type=local
+preop.cert.audit_signing.userfriendlyname=CA Audit Signing Certificate
+preop.cert.audit_signing.cncomponent.override=true
+preop.cert.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.ocsp_signing.dn=CN=OCSP Signing Certificate
+preop.cert.ocsp_signing.keysize.custom_size=2048
+preop.cert.ocsp_signing.keysize.size=2048
+preop.cert.ocsp_signing.nickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.ocsp_signing.profile=caOCSPCert.profile
+preop.cert.ocsp_signing.signing.required=true
+preop.cert.ocsp_signing.subsystem=ca
+preop.cert.ocsp_signing.type=local
+preop.cert.ocsp_signing.userfriendlyname=OCSP Signing Certificate
+preop.cert.ocsp_signing.cncomponent.override=true
+preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME]
+preop.cert.sslserver.keysize.custom_size=2048
+preop.cert.sslserver.keysize.size=2048
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
+preop.cert.sslserver.profile=serverCert.profile
+preop.cert.sslserver.signing.required=false
+preop.cert.sslserver.subsystem=ca
+preop.cert.sslserver.type=local
+preop.cert.sslserver.userfriendlyname=SSL Server Certificate
+preop.cert.sslserver.cncomponent.override=false
+preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.subsystem.dn=CN=CA Subsystem Certificate
+preop.cert.subsystem.keysize.custom_size=2048
+preop.cert.subsystem.keysize.size=2048
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
+preop.cert.subsystem.profile=subsystemCert.profile
+preop.cert.subsystem.signing.required=false
+preop.cert.subsystem.subsystem=ca
+preop.cert.subsystem.type=local
+preop.cert.subsystem.userfriendlyname=Subsystem Certificate
+preop.cert.subsystem.cncomponent.override=true
+preop.cert.admin.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.admin.dn=uid=admin,cn=admin
+preop.cert.admin.keysize.custom_size=2048
+preop.cert.admin.keysize.size=2048
+preop.cert.admin.profile=adminCert.profile
+preop.hierarchy.profile=caCert.profile
+preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
+preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
+preop.configModules.module0.imagePath=../img/clearpixel.gif
+preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
+preop.configModules.module1.commonName=nfast
+preop.configModules.module1.imagePath=../img/clearpixel.gif
+preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
+preop.configModules.module2.commonName=lunasa
+preop.configModules.module2.imagePath=../img/clearpixel.gif
+preop.configModules.count=3
+preop.module.token=Internal Key Storage Token
+preop.name.caDN=CN=Certificate Authority
+preop.name.sslDN=CN=[PKI_MACHINE_NAME]
+preop.name.ocspDN=CN=OCSP Signing Certificate
+preop.name.subsystemDN=CN=CA Subsystem Certificate
+preop.name.canickname=caSigningCert cert-[PKI_INSTANCE_ID]
+preop.name.ocspnickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
+preop.name.subsystemnickname=subsystemCert cert-[PKI_INSTANCE_ID]
+preop.name.sslnickname=Server-Cert cert-[PKI_INSTANCE_ID]
+preop.subsystem.count=0
+subsystem.count=0
+passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf
+passwordClass=com.netscape.cmsutil.password.PlainPasswordFile
+CrossCertPair._000=##
+CrossCertPair._001=## CrossCertPair Import
+CrossCertPair._002=##
+CrossCertPair.ldap=internaldb
+accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
+accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
+accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
+accessEvaluator.impl.user_origreq.class=com.netscape.cms.evaluators.UserOrigReqAccessEvaluator
+auths._000=##
+auths._001=## new authentication
+auths._002=##
+auths.impl._000=##
+auths.impl._001=## authentication manager implementations
+auths.impl._002=##
+auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication
+auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth
+auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth
+auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
+auths.impl.SSLclientCertAuth.class=com.netscape.cms.authentication.SSLclientCertAuthentication
+auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication
+auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
+auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
+auths.impl.UidPwdGroupDirAuth.class=com.netscape.cms.authentication.UidPwdGroupDirAuthentication
+auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication
+auths.impl.FlatFileAuth.class=com.netscape.cms.authentication.FlatFileAuth
+auths.instance.TokenAuth.pluginName=TokenAuth
+auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
+auths.instance.AgentCertAuth.pluginName=AgentCertAuth
+auths.instance.raCertAuth.agentGroup=Registration Manager Agents
+auths.instance.raCertAuth.pluginName=AgentCertAuth
+auths.instance.flatFileAuth.pluginName=FlatFileAuth
+auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/flatfile.txt
+auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
+auths.revocationChecking.bufferSize=50
+auths.revocationChecking.ca=ca
+auths.revocationChecking.enabled=true
+auths.revocationChecking.unknownStateInterval=0
+auths.revocationChecking.validityInterval=120
+authz._000=##
+authz._001=## new authorizatioin
+authz._002=##
+authz.evaluateOrder=deny,allow
+authz.sourceType=ldap
+authz.impl._000=##
+authz.impl._001=## authorization manager implementations
+authz.impl._002=##
+authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz
+authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
+authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz
+authz.instance.DirAclAuthz.ldap=internaldb
+authz.instance.DirAclAuthz.pluginName=DirAclAuthz
+authz.instance.DirAclAuthz.ldap._000=##
+authz.instance.DirAclAuthz.ldap._001=## Internal Database
+authz.instance.DirAclAuthz.ldap._002=##
+ca.ocsp=true
+ca.certdbInc=20
+ca.crldbInc=20
+ca.id=ca
+ca.local=true
+ca.ocspUseCache=false
+ca.enableNonces=true
+ca.maxNumberOfNonces=100
+ca.reqdbInc=20
+ca.transitMaxRecords=1000000
+ca.transitRecordPageSize=200
+ca.maxSearchReturns._000=##
+ca.maxSearchReturns._001=## limits number of search results
+ca.maxSearchReturns._002=## returned by SearchReqs and SrchCerts
+ca.maxSearchReturns._003=##
+ca.maxSearchReturns=1000
+ca.scep._000=##
+ca.scep._001=## Enable the following parameters to enable SCEP requests
+ca.scep._002=## to be signed by a separate key pair:
+ca.scep._003=##
+ca.scep._004=## ca.scep.nickname=
+ca.scep._005=## ca.scep.tokenname=
+ca.scep._006=##
+ca.scep.enable=false
+ca.scep.hashAlgorithm=SHA1
+ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
+ca.scep.encryptionAlgorithm=DES3
+ca.scep.allowedEncryptionAlgorithms=DES3
+ca.scep.nonceSizeLimit=16
+ca.Policy._000=##
+ca.Policy._001=## Certificate Policy Framework (deprecated)
+ca.Policy._002=##
+ca.Policy._003=## Set 'ca.Policy.enable=true' to allow the following:
+ca.Policy._004=##
+ca.Policy._005=## SERVLET-NAME URL-PATTERN
+ca.Policy._006=## ====================================================
+ca.Policy._007=## caadminEnroll ca/admin/ca/adminEnroll.html
+ca.Policy._008=## cabulkissuance ca/agent/ca/bulkissuance.html
+ca.Policy._009=## cacertbasedenrollment ca/certbasedenrollment.html
+ca.Policy._010=## caenrollment ca/enrollment.html
+ca.Policy._011=## capolicy ca/capolicy
+ca.Policy._012=##
+ca.Policy.enable=false
+ca.Policy.order=KeyAlgRule, RSAKeyRule, DefaultValidityRule, RenewalConstraintsRule, DefaultRenewalValidityRule, RevocationConstraintsRule, NSCertTypeExt, CMCertKeyUsageExt, RMCertKeyUsageExt, ClientCertKeyUsageExt, ServerCertKeyUsageExt, ObjSignCertKeyUsageExt, CRLSignCertKeyUsageExt, SubjectKeyIdentifierExt, CertificatePoliciesExt, NSCCommentExt, OCSPNoCheckExt, OCSPSigningExt, CODESigningExt, GenericASN1Ext, CRLDistributionPointsExt, SubjectAltNameExt, SigningAlgRule, AuthorityKeyIdentifierExt, AuthInfoAccessExt, BasicConstraintsExt, UniqueSubjectNameConstraints, NameConstraintsExt, PolicyConstraintsExt, SubCANameConstraints, PolicyMappingsExt, IssuerRule
+ca.Policy.processor=classic
+ca.Policy.impl._000=##
+ca.Policy.impl._001=## Policy Implementations
+ca.Policy.impl._002=##
+ca.Policy.impl.AttributePresentConstraints.class=com.netscape.cms.policy.constraints.AttributePresentConstraints
+ca.Policy.impl.AuthInfoAccessExt.class=com.netscape.cms.policy.extensions.AuthInfoAccessExt
+ca.Policy.impl.AuthorityKeyIdentifierExt.class=com.netscape.cms.policy.extensions.AuthorityKeyIdentifierExt
+ca.Policy.impl.BasicConstraintsExt.class=com.netscape.cms.policy.extensions.BasicConstraintsExt
+ca.Policy.impl.CRLDistributionPointsExt.class=com.netscape.cms.policy.extensions.CRLDistributionPointsExt
+ca.Policy.impl.CertificatePoliciesExt.class=com.netscape.cms.policy.extensions.CertificatePoliciesExt
+ca.Policy.impl.CertificateRenewalWindowExt.class=com.netscape.cms.policy.extensions.CertificateRenewalWindowExt
+ca.Policy.impl.CertificateScopeOfUseExt.class=com.netscape.cms.policy.extensions.CertificateScopeOfUseExt
+ca.Policy.impl.DSAKeyConstraints.class=com.netscape.cms.policy.constraints.DSAKeyConstraints
+ca.Policy.impl.ExtendedKeyUsageExt.class=com.netscape.cms.policy.extensions.ExtendedKeyUsageExt
+ca.Policy.impl.GenericASN1Ext.class=com.netscape.cms.policy.extensions.GenericASN1Ext
+ca.Policy.impl.IssuerAltNameExt.class=com.netscape.cms.policy.extensions.IssuerAltNameExt
+ca.Policy.impl.IssuerConstraints.class=com.netscape.cms.policy.constraints.IssuerConstraints
+ca.Policy.impl.KeyAlgorithmConstraints.class=com.netscape.cms.policy.constraints.KeyAlgorithmConstraints
+ca.Policy.impl.KeyUsageExt.class=com.netscape.cms.policy.extensions.KeyUsageExt
+ca.Policy.impl.NSCCommentExt.class=com.netscape.cms.policy.extensions.NSCCommentExt
+ca.Policy.impl.NSCertTypeExt.class=com.netscape.cms.policy.extensions.NSCertTypeExt
+ca.Policy.impl.NameConstraintsExt.class=com.netscape.cms.policy.extensions.NameConstraintsExt
+ca.Policy.impl.OCSPNoCheckExt.class=com.netscape.cms.policy.extensions.OCSPNoCheckExt +ca.Policy.impl.PolicyConstraintsExt.class=com.netscape.cms.policy.extensions.PolicyConstraintsExt +ca.Policy.impl.PolicyMappingsExt.class=com.netscape.cms.policy.extensions.PolicyMappingsExt +ca.Policy.impl.PrivateKeyUsagePeriodExt.class=com.netscape.cms.policy.extensions.PrivateKeyUsagePeriodExt +ca.Policy.impl.RSAKeyConstraints.class=com.netscape.cms.policy.constraints.RSAKeyConstraints +ca.Policy.impl.RemoveBasicConstraintsExt.class=com.netscape.cms.policy.extensions.RemoveBasicConstraintsExt +ca.Policy.impl.RenewalConstraints.class=com.netscape.cms.policy.constraints.RenewalConstraints +ca.Policy.impl.RenewalValidityConstraints.class=com.netscape.cms.policy.constraints.RenewalValidityConstraints +ca.Policy.impl.RevocationConstraints.class=com.netscape.cms.policy.constraints.RevocationConstraints +ca.Policy.impl.SigningAlgorithmConstraints.class=com.netscape.cms.policy.constraints.SigningAlgorithmConstraints +ca.Policy.impl.SubCANameConstraints.class=com.netscape.cms.policy.constraints.SubCANameConstraints +ca.Policy.impl.SubjectAltNameExt.class=com.netscape.cms.policy.extensions.SubjectAltNameExt +ca.Policy.impl.SubjectDirectoryAttributesExt.class=com.netscape.cms.policy.extensions.SubjectDirectoryAttributesExt +ca.Policy.impl.SubjectKeyIdentifierExt.class=com.netscape.cms.policy.extensions.SubjectKeyIdentifierExt +ca.Policy.impl.UniqueSubjectNameConstraints.class=com.netscape.cms.policy.constraints.UniqueSubjectNameConstraints +ca.Policy.impl.ValidityConstraints.class=com.netscape.cms.policy.constraints.ValidityConstraints +ca.Policy.rule.AuthInfoAccessExt.ad0_location=http://[PKI_MACHINE_NAME]:8080/ocsp +ca.Policy.rule.AuthInfoAccessExt.ad0_location_type=URL +ca.Policy.rule.AuthInfoAccessExt.ad0_method=ocsp +ca.Policy.rule.AuthInfoAccessExt.enable=false +ca.Policy.rule.AuthInfoAccessExt.implName=AuthInfoAccessExt +ca.Policy.rule.AuthInfoAccessExt.numADs=1 
+ca.Policy.rule.AuthInfoAccessExt.predicate=HTTP_PARAMS.certType==client +ca.Policy.rule.AuthorityKeyIdentifierExt.enable=true +ca.Policy.rule.AuthorityKeyIdentifierExt.implName=AuthorityKeyIdentifierExt +ca.Policy.rule.AuthorityKeyIdentifierExt.predicate= +ca.Policy.rule.BasicConstraintsExt.critical=true +ca.Policy.rule.BasicConstraintsExt.enable=true +ca.Policy.rule.BasicConstraintsExt.implName=BasicConstraintsExt +ca.Policy.rule.BasicConstraintsExt.maxPathLen= +ca.Policy.rule.BasicConstraintsExt.predicate=HTTP_PARAMS.certType == ca +ca.Policy.rule.BasicConstraintsExt.removeBasicExt=true +ca.Policy.rule.CMCertKeyUsageExt.crlSign=true +ca.Policy.rule.CMCertKeyUsageExt.dataEncipherment=false +ca.Policy.rule.CMCertKeyUsageExt.decipherOnly=false +ca.Policy.rule.CMCertKeyUsageExt.digitalSignature=true +ca.Policy.rule.CMCertKeyUsageExt.enable=true +ca.Policy.rule.CMCertKeyUsageExt.encipherOnly=false +ca.Policy.rule.CMCertKeyUsageExt.implName=KeyUsageExt +ca.Policy.rule.CMCertKeyUsageExt.keyAgreement=false +ca.Policy.rule.CMCertKeyUsageExt.keyCertsign=true +ca.Policy.rule.CMCertKeyUsageExt.keyEncipherment=false +ca.Policy.rule.CMCertKeyUsageExt.nonRepudiation=true +ca.Policy.rule.CMCertKeyUsageExt.predicate=HTTP_PARAMS.certType==ca +ca.Policy.rule.CODESigningExt.critical=false +ca.Policy.rule.CODESigningExt.enable=true +ca.Policy.rule.CODESigningExt.id0=1.3.6.1.5.5.7.3.3 +ca.Policy.rule.CODESigningExt.implName=ExtendedKeyUsageExt +ca.Policy.rule.CODESigningExt.predicate=HTTP_PARAMS.certType==codeSignClient +ca.Policy.rule.CRLDistributionPointsExt.enable=false +ca.Policy.rule.CRLDistributionPointsExt.implName=CRLDistributionPointsExt +ca.Policy.rule.CRLDistributionPointsExt.issuerName0= +ca.Policy.rule.CRLDistributionPointsExt.issuerName1= +ca.Policy.rule.CRLDistributionPointsExt.issuerName2= +ca.Policy.rule.CRLDistributionPointsExt.issuerType0= +ca.Policy.rule.CRLDistributionPointsExt.issuerType1= +ca.Policy.rule.CRLDistributionPointsExt.issuerType2= 
+ca.Policy.rule.CRLDistributionPointsExt.numPoints=0 +ca.Policy.rule.CRLDistributionPointsExt.pointName0= +ca.Policy.rule.CRLDistributionPointsExt.pointName1= +ca.Policy.rule.CRLDistributionPointsExt.pointName2= +ca.Policy.rule.CRLDistributionPointsExt.pointType0= +ca.Policy.rule.CRLDistributionPointsExt.pointType1= +ca.Policy.rule.CRLDistributionPointsExt.pointType2= +ca.Policy.rule.CRLDistributionPointsExt.predicate= +ca.Policy.rule.CRLDistributionPointsExt.reasons0= +ca.Policy.rule.CRLDistributionPointsExt.reasons1= +ca.Policy.rule.CRLDistributionPointsExt.reasons2= +ca.Policy.rule.CRLSignCertKeyUsageExt.crlSign=true +ca.Policy.rule.CRLSignCertKeyUsageExt.dataEncipherment=false +ca.Policy.rule.CRLSignCertKeyUsageExt.decipherOnly=false +ca.Policy.rule.CRLSignCertKeyUsageExt.digitalSignature=false +ca.Policy.rule.CRLSignCertKeyUsageExt.enable=true +ca.Policy.rule.CRLSignCertKeyUsageExt.encipherOnly=false +ca.Policy.rule.CRLSignCertKeyUsageExt.implName=KeyUsageExt +ca.Policy.rule.CRLSignCertKeyUsageExt.keyAgreement=false +ca.Policy.rule.CRLSignCertKeyUsageExt.keyCertsign=false +ca.Policy.rule.CRLSignCertKeyUsageExt.keyEncipherment=false +ca.Policy.rule.CRLSignCertKeyUsageExt.nonRepudiation=false +ca.Policy.rule.CRLSignCertKeyUsageExt.predicate=HTTP_PARAMS.certType==caCrlSigning +ca.Policy.rule.CertificatePoliciesExt.critical=false +ca.Policy.rule.CertificatePoliciesExt.enable=false +ca.Policy.rule.CertificatePoliciesExt.implName=CertificatePoliciesExt +ca.Policy.rule.CertificatePoliciesExt.numCertPolicies=1 +ca.Policy.rule.CertificatePoliciesExt.predicate= +ca.Policy.rule.CertificatePoliciesExt.certPolicy0.cpsURI= +ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefNumbers= +ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefOrganization= +ca.Policy.rule.CertificatePoliciesExt.certPolicy0.policyId= +ca.Policy.rule.CertificatePoliciesExt.certPolicy0.userNoticeExplicitText= +ca.Policy.rule.ClientCertKeyUsageExt.crlSign=false 
+ca.Policy.rule.ClientCertKeyUsageExt.dataEncipherment=false +ca.Policy.rule.ClientCertKeyUsageExt.decipherOnly=false +ca.Policy.rule.ClientCertKeyUsageExt.digitalSignature=true +ca.Policy.rule.ClientCertKeyUsageExt.enable=true +ca.Policy.rule.ClientCertKeyUsageExt.encipherOnly=false +ca.Policy.rule.ClientCertKeyUsageExt.implName=KeyUsageExt +ca.Policy.rule.ClientCertKeyUsageExt.keyAgreement=false +ca.Policy.rule.ClientCertKeyUsageExt.keyCertsign=false +ca.Policy.rule.ClientCertKeyUsageExt.keyEncipherment=true +ca.Policy.rule.ClientCertKeyUsageExt.nonRepudiation=true +ca.Policy.rule.ClientCertKeyUsageExt.predicate=HTTP_PARAMS.certType==client +ca.Policy.rule.DSAKeyRule.enable=true +ca.Policy.rule.DSAKeyRule.implName=DSAKeyConstraints +ca.Policy.rule.DSAKeyRule.maxSize=1024 +ca.Policy.rule.DSAKeyRule.minSize=512 +ca.Policy.rule.DSAKeyRule.predicate= +ca.Policy.rule.DefaultRenewalValidityRule.enable=true +ca.Policy.rule.DefaultRenewalValidityRule.implName=RenewalValidityConstraints +ca.Policy.rule.DefaultRenewalValidityRule.maxValidity=365 +ca.Policy.rule.DefaultRenewalValidityRule.minValidity=30 +ca.Policy.rule.DefaultRenewalValidityRule.predicate= +ca.Policy.rule.DefaultRenewalValidityRule.renewalInterval=15 +ca.Policy.rule.DefaultValidityRule.enable=true +ca.Policy.rule.DefaultValidityRule.implName=ValidityConstraints +ca.Policy.rule.DefaultValidityRule.maxValidity=365 +ca.Policy.rule.DefaultValidityRule.minValidity=1 +ca.Policy.rule.DefaultValidityRule.predicate= +ca.Policy.rule.GenericASN1Ext.critical=false +ca.Policy.rule.GenericASN1Ext.enable=false +ca.Policy.rule.GenericASN1Ext.implName=GenericASN1Ext +ca.Policy.rule.GenericASN1Ext.name= +ca.Policy.rule.GenericASN1Ext.oid= +ca.Policy.rule.GenericASN1Ext.pattern= +ca.Policy.rule.GenericASN1Ext.predicate= +ca.Policy.rule.GenericASN1Ext.attribute.0.source= +ca.Policy.rule.GenericASN1Ext.attribute.0.type= +ca.Policy.rule.GenericASN1Ext.attribute.0.value= +ca.Policy.rule.GenericASN1Ext.attribute.1.source= 
+ca.Policy.rule.GenericASN1Ext.attribute.1.type= +ca.Policy.rule.GenericASN1Ext.attribute.1.value= +ca.Policy.rule.GenericASN1Ext.attribute.2.source= +ca.Policy.rule.GenericASN1Ext.attribute.2.type= +ca.Policy.rule.GenericASN1Ext.attribute.2.value= +ca.Policy.rule.GenericASN1Ext.attribute.3.source= +ca.Policy.rule.GenericASN1Ext.attribute.3.type= +ca.Policy.rule.GenericASN1Ext.attribute.3.value= +ca.Policy.rule.GenericASN1Ext.attribute.4.source= +ca.Policy.rule.GenericASN1Ext.attribute.4.type= +ca.Policy.rule.GenericASN1Ext.attribute.4.value= +ca.Policy.rule.GenericASN1Ext.attribute.5.source= +ca.Policy.rule.GenericASN1Ext.attribute.5.type= +ca.Policy.rule.GenericASN1Ext.attribute.5.value= +ca.Policy.rule.GenericASN1Ext.attribute.6.source= +ca.Policy.rule.GenericASN1Ext.attribute.6.type= +ca.Policy.rule.GenericASN1Ext.attribute.6.value= +ca.Policy.rule.GenericASN1Ext.attribute.7.source= +ca.Policy.rule.GenericASN1Ext.attribute.7.type= +ca.Policy.rule.GenericASN1Ext.attribute.7.value= +ca.Policy.rule.GenericASN1Ext.attribute.8.source= +ca.Policy.rule.GenericASN1Ext.attribute.8.type= +ca.Policy.rule.GenericASN1Ext.attribute.8.value= +ca.Policy.rule.GenericASN1Ext.attribute.9.source= +ca.Policy.rule.GenericASN1Ext.attribute.9.type= +ca.Policy.rule.GenericASN1Ext.attribute.9.value= +ca.Policy.rule.IssuerRule.enable=false +ca.Policy.rule.IssuerRule.implName=IssuerConstraints +ca.Policy.rule.IssuerRule.issuerDN= +ca.Policy.rule.IssuerRule.predicate=HTTP_PARAMS.certType==client AND certauthEnroll==on +ca.Policy.rule.KeyAlgRule.algorithms=RSA,DSA +ca.Policy.rule.KeyAlgRule.enable=true +ca.Policy.rule.KeyAlgRule.implName=KeyAlgorithmConstraints +ca.Policy.rule.KeyAlgRule.predicate= +ca.Policy.rule.NSCCommentExt.commentFile= +ca.Policy.rule.NSCCommentExt.enable=false +ca.Policy.rule.NSCCommentExt.implName=NSCCommentExt +ca.Policy.rule.NSCCommentExt.inputType=Text +ca.Policy.rule.NSCCommentExt.predicate= +ca.Policy.rule.NSCertTypeExt.enable=true 
+ca.Policy.rule.NSCertTypeExt.implName=NSCertTypeExt +ca.Policy.rule.NSCertTypeExt.predicate=HTTP_PARAMS.certType!=CEP-Request +ca.Policy.rule.NameConstraintsExt.critical=true +ca.Policy.rule.NameConstraintsExt.enable=false +ca.Policy.rule.NameConstraintsExt.implName=NameConstraintsExt +ca.Policy.rule.NameConstraintsExt.numExcludedSubtrees=3 +ca.Policy.rule.NameConstraintsExt.numPermittedSubtrees=3 +ca.Policy.rule.NameConstraintsExt.predicate=HTTP_PARAMS.certType == ca +ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.max=-1 +ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.min=0 +ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base.generalNameChoice= +ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base.generalNameValue= +ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.max=-1 +ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.min=0 +ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base.generalNameChoice= +ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base.generalNameValue= +ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.max=-1 +ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.min=0 +ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base.generalNameChoice= +ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base.generalNameValue= +ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.max=-1 +ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.min=0 +ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base.generalNameChoice= +ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base.generalNameValue= +ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.max=-1 +ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.min=0 +ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base.generalNameChoice= +ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base.generalNameValue= +ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.max=-1 +ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.min=0 
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base.generalNameChoice=
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base.generalNameValue=
+ca.Policy.rule.OCSPNoCheckExt.critical=false
+ca.Policy.rule.OCSPNoCheckExt.enable=true
+ca.Policy.rule.OCSPNoCheckExt.implName=OCSPNoCheckExt
+ca.Policy.rule.OCSPNoCheckExt.predicate=HTTP_PARAMS.certType==ocspResponder
+ca.Policy.rule.OCSPSigningExt.critical=false
+ca.Policy.rule.OCSPSigningExt.enable=true
+ca.Policy.rule.OCSPSigningExt.id0=1.3.6.1.5.5.7.3.9
+ca.Policy.rule.OCSPSigningExt.implName=ExtendedKeyUsageExt
+ca.Policy.rule.OCSPSigningExt.predicate=HTTP_PARAMS.certType==ocspResponder
+ca.Policy.rule.ObjSignCertKeyUsageExt.crlSign=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.dataEncipherment=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.decipherOnly=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.digitalSignature=true
+ca.Policy.rule.ObjSignCertKeyUsageExt.enable=true
+ca.Policy.rule.ObjSignCertKeyUsageExt.encipherOnly=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.implName=KeyUsageExt
+ca.Policy.rule.ObjSignCertKeyUsageExt.keyAgreement=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.keyCertsign=true
+ca.Policy.rule.ObjSignCertKeyUsageExt.keyEncipherment=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.nonRepudiation=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.predicate=HTTP_PARAMS.certType==objSignClient
+ca.Policy.rule.PolicyConstraintsExt.critical=false
+ca.Policy.rule.PolicyConstraintsExt.enable=false
+ca.Policy.rule.PolicyConstraintsExt.implName=PolicyConstraintsExt
+ca.Policy.rule.PolicyConstraintsExt.inhibitPolicyMapping=0
+ca.Policy.rule.PolicyConstraintsExt.predicate=HTTP_PARAMS.certType==ca
+ca.Policy.rule.PolicyConstraintsExt.reqExplicitPolicy=0
+ca.Policy.rule.PolicyMappingsExt.critical=false
+ca.Policy.rule.PolicyMappingsExt.enable=false
+ca.Policy.rule.PolicyMappingsExt.implName=PolicyMappingsExt
+ca.Policy.rule.PolicyMappingsExt.numPolicyMappings=1
+ca.Policy.rule.PolicyMappingsExt.predicate=HTTP_PARAMS.certType==ca
+ca.Policy.rule.PolicyMappingsExt.policyMap0.issuerDomainPolicy=
+ca.Policy.rule.PolicyMappingsExt.policyMap0.subjectDomainPolicy=
+ca.Policy.rule.RMCertKeyUsageExt.crlSign=false
+ca.Policy.rule.RMCertKeyUsageExt.dataEncipherment=false
+ca.Policy.rule.RMCertKeyUsageExt.decipherOnly=false
+ca.Policy.rule.RMCertKeyUsageExt.digitalSignature=true
+ca.Policy.rule.RMCertKeyUsageExt.enable=true
+ca.Policy.rule.RMCertKeyUsageExt.encipherOnly=false
+ca.Policy.rule.RMCertKeyUsageExt.implName=KeyUsageExt
+ca.Policy.rule.RMCertKeyUsageExt.keyAgreement=false
+ca.Policy.rule.RMCertKeyUsageExt.keyCertsign=false
+ca.Policy.rule.RMCertKeyUsageExt.keyEncipherment=false
+ca.Policy.rule.RMCertKeyUsageExt.nonRepudiation=true
+ca.Policy.rule.RMCertKeyUsageExt.predicate=HTTP_PARAMS.certType==ra
+ca.Policy.rule.RSAKeyRule.enable=false
+ca.Policy.rule.RSAKeyRule.exponents=3,7,17,65537
+ca.Policy.rule.RSAKeyRule.implName=RSAKeyConstraints
+ca.Policy.rule.RSAKeyRule.maxSize=2048
+ca.Policy.rule.RSAKeyRule.minSize=512
+ca.Policy.rule.RSAKeyRule.predicate=
+ca.Policy.rule.RenewalConstraintsRule.enable=true
+ca.Policy.rule.RenewalConstraintsRule.implName=RenewalConstraints
+ca.Policy.rule.RenewalConstraintsRule.predicate=
+ca.Policy.rule.RevocationConstraintsRule.enable=true
+ca.Policy.rule.RevocationConstraintsRule.implName=RevocationConstraints
+ca.Policy.rule.RevocationConstraintsRule.predicate=
+ca.Policy.rule.ServerCertKeyUsageExt.crlSign=false
+ca.Policy.rule.ServerCertKeyUsageExt.dataEncipherment=true
+ca.Policy.rule.ServerCertKeyUsageExt.decipherOnly=false
+ca.Policy.rule.ServerCertKeyUsageExt.digitalSignature=true
+ca.Policy.rule.ServerCertKeyUsageExt.enable=true
+ca.Policy.rule.ServerCertKeyUsageExt.encipherOnly=false
+ca.Policy.rule.ServerCertKeyUsageExt.implName=KeyUsageExt
+ca.Policy.rule.ServerCertKeyUsageExt.keyAgreement=false
+ca.Policy.rule.ServerCertKeyUsageExt.keyCertsign=false
+ca.Policy.rule.ServerCertKeyUsageExt.keyEncipherment=true
+ca.Policy.rule.ServerCertKeyUsageExt.nonRepudiation=true
+ca.Policy.rule.ServerCertKeyUsageExt.predicate=HTTP_PARAMS.certType==server
+ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+ca.Policy.rule.SigningAlgRule.enable=true
+ca.Policy.rule.SigningAlgRule.implName=SigningAlgorithmConstraints
+ca.Policy.rule.SigningAlgRule.predicate=
+ca.Policy.rule.SubCANameConstraints.enable=true
+ca.Policy.rule.SubCANameConstraints.implName=SubCANameConstraints
+ca.Policy.rule.SubCANameConstraints.predicate=HTTP_PARAMS.certType == ca
+ca.Policy.rule.SubjectAltNameExt.enable=true
+ca.Policy.rule.SubjectAltNameExt.implName=SubjectAltNameExt
+ca.Policy.rule.SubjectAltNameExt.numGeneralNames=3
+ca.Policy.rule.SubjectAltNameExt.predicate=HTTP_PARAMS.certType!=CEP-Request
+ca.Policy.rule.SubjectAltNameExt.generalName0.generalNameChoice=rfc822Name
+ca.Policy.rule.SubjectAltNameExt.generalName0.requestAttr=AUTH_TOKEN.mail
+ca.Policy.rule.SubjectAltNameExt.generalName1.generalNameChoice=rfc822Name
+ca.Policy.rule.SubjectAltNameExt.generalName1.requestAttr=AUTH_TOKEN.mailalternateaddress
+ca.Policy.rule.SubjectAltNameExt.generalName2.generalNameChoice=rfc822Name
+ca.Policy.rule.SubjectAltNameExt.generalName2.requestAttr=HTTP_PARAMS.csrRequestorEmail
+ca.Policy.rule.SubjectKeyIdentifierExt.enable=true
+ca.Policy.rule.SubjectKeyIdentifierExt.implName=SubjectKeyIdentifierExt
+ca.Policy.rule.SubjectKeyIdentifierExt.predicate=HTTP_PARAMS.certType==ca
+ca.Policy.rule.UniqueSubjectNameConstraints.enable=false
+ca.Policy.rule.UniqueSubjectNameConstraints.implName=UniqueSubjectNameConstraints
+ca.Policy.rule.UniqueSubjectNameConstraints.predicate=
+ca.crl._000=##
+ca.crl._001=## CA CRL
+ca.crl._002=##
+ca.crl.pageSize=100
+ca.crl.MasterCRL.allowExtensions=true
+ca.crl.MasterCRL.alwaysUpdate=false
+ca.crl.MasterCRL.autoUpdateInterval=240
+ca.crl.MasterCRL.caCertsOnly=false
+ca.crl.MasterCRL.cacheUpdateInterval=15
+ca.crl.MasterCRL.class=com.netscape.ca.CRLIssuingPoint
+ca.crl.MasterCRL.dailyUpdates=1:00
+ca.crl.MasterCRL.description=CA's complete Certificate Revocation List
+ca.crl.MasterCRL.enable=true
+ca.crl.MasterCRL.enableCRLCache=true
+ca.crl.MasterCRL.enableCRLUpdates=true
+ca.crl.MasterCRL.enableCacheTesting=false
+ca.crl.MasterCRL.enableCacheRecovery=true
+ca.crl.MasterCRL.enableDailyUpdates=true
+ca.crl.MasterCRL.enableUpdateInterval=true
+ca.crl.MasterCRL.extendedNextUpdate=true
+ca.crl.MasterCRL.includeExpiredCerts=false
+ca.crl.MasterCRL.minUpdateInterval=0
+ca.crl.MasterCRL.nextUpdateGracePeriod=0
+ca.crl.MasterCRL.publishOnStart=false
+ca.crl.MasterCRL.saveMemory=false
+ca.crl.MasterCRL.signingAlgorithm=SHA256withRSA
+ca.crl.MasterCRL.updateSchema=1
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocation0=
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocationType0=URI
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessMethod0=caIssuers
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.class=com.netscape.cms.crl.CMSAuthInfoAccessExtension
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.critical=false
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.enable=false
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.numberOfAccessDescriptions=1
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.type=CRLExtension
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.class=com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.critical=false
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable=false
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.type=CRLExtension
+ca.crl.MasterCRL.extension.CRLNumber.class=com.netscape.cms.crl.CMSCRLNumberExtension
+ca.crl.MasterCRL.extension.CRLNumber.critical=false
+ca.crl.MasterCRL.extension.CRLNumber.enable=true
+ca.crl.MasterCRL.extension.CRLNumber.type=CRLExtension
+ca.crl.MasterCRL.extension.CRLReason.class=com.netscape.cms.crl.CMSCRLReasonExtension
+ca.crl.MasterCRL.extension.CRLReason.critical=false
+ca.crl.MasterCRL.extension.CRLReason.enable=true
+ca.crl.MasterCRL.extension.CRLReason.type=CRLEntryExtension
+ca.crl.MasterCRL.extension.DeltaCRLIndicator.class=com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension
+ca.crl.MasterCRL.extension.DeltaCRLIndicator.critical=true
+ca.crl.MasterCRL.extension.DeltaCRLIndicator.enable=false
+ca.crl.MasterCRL.extension.DeltaCRLIndicator.type=CRLExtension
+ca.crl.MasterCRL.extension.FreshestCRL.class=com.netscape.cms.crl.CMSFreshestCRLExtension
+ca.crl.MasterCRL.extension.FreshestCRL.critical=false
+ca.crl.MasterCRL.extension.FreshestCRL.enable=false
+ca.crl.MasterCRL.extension.FreshestCRL.numPoints=0
+ca.crl.MasterCRL.extension.FreshestCRL.pointName0=
+ca.crl.MasterCRL.extension.FreshestCRL.pointType0=
+ca.crl.MasterCRL.extension.FreshestCRL.type=CRLExtension
+ca.crl.MasterCRL.extension.InvalidityDate.class=com.netscape.cms.crl.CMSInvalidityDateExtension
+ca.crl.MasterCRL.extension.InvalidityDate.critical=false
+ca.crl.MasterCRL.extension.InvalidityDate.enable=true
+ca.crl.MasterCRL.extension.InvalidityDate.type=CRLEntryExtension
+ca.crl.MasterCRL.extension.IssuerAlternativeName.class=com.netscape.cms.crl.CMSIssuerAlternativeNameExtension
+ca.crl.MasterCRL.extension.IssuerAlternativeName.critical=false
+ca.crl.MasterCRL.extension.IssuerAlternativeName.enable=false
+ca.crl.MasterCRL.extension.IssuerAlternativeName.name0=
+ca.crl.MasterCRL.extension.IssuerAlternativeName.nameType0=
+ca.crl.MasterCRL.extension.IssuerAlternativeName.numNames=0
+ca.crl.MasterCRL.extension.IssuerAlternativeName.type=CRLExtension
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.class=com.netscape.cms.crl.CMSIssuingDistributionPointExtension
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.critical=true
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.enable=false
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.indirectCRL=false
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsCACerts=false
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsUserCerts=false
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlySomeReasons=
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointName=
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointType=
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.type=CRLExtension
+ca.notification.certIssued.emailSubject=Your Certificate Request
+ca.notification.certIssued.emailTemplate=[PKI_INSTANCE_PATH]/emails/certIssued_CA.html
+ca.notification.certIssued.enabled=false
+ca.notification.certIssued.senderEmail=
+ca.notification.certRevoked.emailSubject=Your Certificate Revoked
+ca.notification.certRevoked.emailTemplate=[PKI_INSTANCE_PATH]/emails/certRevoked_CA.html
+ca.notification.certRevoked.enabled=false
+ca.notification.certRevoked.senderEmail=
+ca.notification.requestInQ.emailSubject=Certificate Request in Queue
+ca.notification.requestInQ.emailTemplate=[PKI_INSTANCE_PATH]/emails/reqInQueue_CA.html
+ca.notification.requestInQ.enabled=false
+ca.notification.requestInQ.recipientEmail=
+ca.notification.requestInQ.senderEmail=
+ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
+ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
+ca.ocsp_signing.tokenname=internal
+ca.publish.createOwnDNEntry=false
+ca.publish.queue.enable=true
+ca.publish.queue.maxNumberOfThreads=3
+ca.publish.queue.pageSize=40
+ca.publish.queue.priorityLevel=0
+ca.publish.queue.saveStatus=200
+ca.publish.mapper.impl.LdapCaSimpleMap.class=com.netscape.cms.publish.mappers.LdapCaSimpleMap
+ca.publish.mapper.impl.LdapDNCompsMap.class=com.netscape.cms.publish.mappers.LdapCertCompsMap
+ca.publish.mapper.impl.LdapDNExactMap.class=com.netscape.cms.publish.mappers.LdapCertExactMap
+ca.publish.mapper.impl.LdapEnhancedMap.class=com.netscape.cms.publish.mappers.LdapEnhancedMap
+ca.publish.mapper.impl.LdapSimpleMap.class=com.netscape.cms.publish.mappers.LdapSimpleMap
+ca.publish.mapper.impl.LdapSubjAttrMap.class=com.netscape.cms.publish.mappers.LdapCertSubjMap
+ca.publish.mapper.impl.NoMap.class=com.netscape.cms.publish.mappers.NoMap
+ca.publish.mapper.instance.LdapCaCertMap.createCAEntry=true
+ca.publish.mapper.instance.LdapCaCertMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
+ca.publish.mapper.instance.LdapCaCertMap.pluginName=LdapCaSimpleMap
+ca.publish.mapper.instance.LdapCrlMap.createCAEntry=true
+ca.publish.mapper.instance.LdapCrlMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
+ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapCaSimpleMap
+ca.publish.mapper.instance.LdapUserCertMap.dnPattern=UID=$subj.UID,OU=people,O=$subj.o
+ca.publish.mapper.instance.LdapUserCertMap.pluginName=LdapSimpleMap
+ca.publish.mapper.instance.NoMap.pluginName=NoMap
+ca.publish.publisher.impl.FileBasedPublisher.class=com.netscape.cms.publish.publishers.FileBasedPublisher
+ca.publish.publisher.impl.LdapCaCertPublisher.class=com.netscape.cms.publish.publishers.LdapCaCertPublisher
+ca.publish.publisher.impl.LdapCertificatePairPublisher.class=com.netscape.cms.publish.publishers.LdapCertificatePairPublisher
+ca.publish.publisher.impl.LdapCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
+ca.publish.publisher.impl.LdapDeltaCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
+ca.publish.publisher.impl.LdapUserCertPublisher.class=com.netscape.cms.publish.publishers.LdapUserCertPublisher
+ca.publish.publisher.impl.OCSPPublisher.class=com.netscape.cms.publish.publishers.OCSPPublisher
+ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr=caCertificate;binary
+ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass=pkiCA
+ca.publish.publisher.instance.LdapCaCertPublisher.pluginName=LdapCaCertPublisher
+ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=certificateRevocationList;binary
+ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher
+ca.publish.publisher.instance.LdapCrlPublisher.crlObjectClass=pkiCA
+ca.publish.publisher.instance.LdapCrossCertPairPublisher.caObjectClass=pkiCA
+ca.publish.publisher.instance.LdapCrossCertPairPublisher.crossCertPairAttr=crossCertificatePair;binary
+ca.publish.publisher.instance.LdapCrossCertPairPublisher.pluginName=LdapCertificatePairPublisher
+ca.publish.publisher.instance.LdapDeltaCrlPublisher.crlAttr=deltaRevocationList;binary
+ca.publish.publisher.instance.LdapDeltaCrlPublisher.crlObjectClass=pkiCA,deltaCRL
+ca.publish.publisher.instance.LdapDeltaCrlPublisher.pluginName=LdapDeltaCrlPublisher
+ca.publish.publisher.instance.LdapUserCertPublisher.certAttr=userCertificate;binary
+ca.publish.publisher.instance.LdapUserCertPublisher.pluginName=LdapUserCertPublisher
+ca.publish.rule.impl.Rule.class=com.netscape.cmscore.ldap.LdapRule
+ca.publish.rule.instance.LdapCaCertRule.enable=false
+ca.publish.rule.instance.LdapCaCertRule.mapper=LdapCaCertMap
+ca.publish.rule.instance.LdapCaCertRule.pluginName=Rule
+ca.publish.rule.instance.LdapCaCertRule.predicate=
+ca.publish.rule.instance.LdapCaCertRule.publisher=LdapCaCertPublisher
+ca.publish.rule.instance.LdapCaCertRule.type=cacert
+ca.publish.rule.instance.LdapCrlRule.enable=false
+ca.publish.rule.instance.LdapCrlRule.mapper=LdapCrlMap
+ca.publish.rule.instance.LdapCrlRule.pluginName=Rule
+ca.publish.rule.instance.LdapCrlRule.predicate=
+ca.publish.rule.instance.LdapCrlRule.publisher=LdapCrlPublisher
+ca.publish.rule.instance.LdapCrlRule.type=crl
+ca.publish.rule.instance.LdapUserCertRule.enable=false
+ca.publish.rule.instance.LdapUserCertRule.mapper=LdapUserCertMap
+ca.publish.rule.instance.LdapUserCertRule.pluginName=Rule
+ca.publish.rule.instance.LdapUserCertRule.predicate=
+ca.publish.rule.instance.LdapUserCertRule.publisher=LdapUserCertPublisher
+ca.publish.rule.instance.LdapUserCertRule.type=certs
+ca.publish.rule.instance.LdapXCertRule.enable=false
+ca.publish.rule.instance.LdapXCertRule.mapper=LdapCaCertMap
+ca.publish.rule.instance.LdapXCertRule.pluginName=Rule
+ca.publish.rule.instance.LdapXCertRule.predicate=
+ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher
+ca.publish.rule.instance.LdapXCertRule.type=xcert
+cmc.cert.confirmRequired=false
+cmc.lraPopWitness.verify.allow=true
+cmc.revokeCert.verify=true
+cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+cms.passwordlist=internaldb,replicationdb
+cms.password.ignore.publishing.failure=true
+cms.version=@MAJOR_VERSION@.@MINOR_VERSION@
+cmsgateway._000=##
+cmsgateway._001=## In the event that all Admin Certificates have been lost
+cmsgateway._002=## for a given instance, perform the following steps to
+cmsgateway._003=## re-enroll for a new Admin Certificate:
+cmsgateway._004=##
+cmsgateway._005=## (1) Become 'root'
+cmsgateway._006=## (2) Type: 'service [PKI_INSTANCE_ID] stop'
+cmsgateway._007=## (3) Edit '[PKI_INSTANCE_ROOT]/[PKI_INSTANCE_ID]/conf/CS.cfg'
+cmsgateway._008=## and set the following name-value pairs (if necessary):
+cmsgateway._009=##
+cmsgateway._010=## ca.Policy.enable=true
+cmsgateway._011=## cmsgateway.enableAdminEnroll=true
+cmsgateway._012=##
+cmsgateway._013=## (4) Type: 'service [PKI_INSTANCE_ID] start'
+cmsgateway._014=## (5) Launch a browser and re-enroll for
+cmsgateway._015=## a new Admin Certificate by typing:
+cmsgateway._016=##
+cmsgateway._017=## https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ca/admin/ca/adminEnroll.html
+cmsgateway._018=##
+cmsgateway._019=## (6) Verify that the browser contains the new
+cmsgateway._020=## Admin Certificate by successfully navigating to:
+cmsgateway._021=##
+cmsgateway._022=## 
https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/ca/agent/ca/
+cmsgateway._023=##
+cmsgateway._024=## (7) Optionally, disable the Certificate Policies Framework
+cmsgateway._025=## by following steps (1) - (4), but ONLY resetting
+cmsgateway._026=## 'ca.Policy.enable=false', as
+cmsgateway._027=## 'cmsgateway.enableAdminEnroll=false' should have
+cmsgateway._028=## already been reset.
+cmsgateway._029=##
+cmsgateway.enableAdminEnroll=false
+https.port=8443
+http.port=8080
+dbs.enableSerialManagement=false
+dbs.beginRequestNumber=1
+dbs.endRequestNumber=10000000
+dbs.requestIncrement=10000000
+dbs.requestLowWaterMark=2000000
+dbs.requestCloneTransferNumber=10000
+dbs.requestDN=ou=ca, ou=requests
+dbs.requestRangeDN=ou=requests, ou=ranges
+dbs.beginSerialNumber=1
+dbs.endSerialNumber=10000000
+dbs.serialIncrement=10000000
+dbs.serialLowWaterMark=2000000
+dbs.serialCloneTransferNumber=10000
+dbs.serialDN=ou=certificateRepository, ou=ca
+dbs.serialRangeDN=ou=certificateRepository, ou=ranges
+dbs.beginReplicaNumber=1
+dbs.endReplicaNumber=100
+dbs.replicaIncrement=100
+dbs.replicaLowWaterMark=20
+dbs.replicaCloneTransferNumber=5
+dbs.replicaDN=ou=replica
+dbs.replicaRangeDN=ou=replica, ou=ranges
+dbs.ldap=internaldb
+dbs.newSchemaEntryAdded=true
+debug.append=true
+debug.enabled=true
+debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.hashkeytypes=
+debug.level=0
+debug.showcaller=false
+keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
+keys.ecc.curve.display.list=nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
+keys.ecc.curve.default=nistp256
+keys.rsa.keysize.default=2048
+internaldb._000=##
+internaldb._001=## Internal Database
+internaldb._002=##
+internaldb.basedn=
+internaldb.maxConns=15
+internaldb.minConns=3
+internaldb.ldapauth.authtype=BasicAuth
+internaldb.ldapauth.bindDN=cn=Directory Manager
+internaldb.ldapauth.bindPWPrompt=Internal LDAP Database
+internaldb.ldapauth.clientCertNickname=
+internaldb.ldapconn.host=
+internaldb.ldapconn.port=
+internaldb.ldapconn.secureConn=false
+preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/schema.ldif
+preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/acl.ldif
+preop.internaldb.index_ldif=
+preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
+preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/index.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlvtasks.ldif
+preop.internaldb.wait_dn=cn=index1160589769, cn=index, cn=tasks, cn=config
+internaldb.multipleSuffix.enable=false
+jobsScheduler._000=##
+jobsScheduler._001=## jobScheduler
+jobsScheduler._002=##
+jobsScheduler.enabled=false
+jobsScheduler.interval=1
+jobsScheduler.impl.PublishCertsJob.class=com.netscape.cms.jobs.PublishCertsJob
+jobsScheduler.impl.RenewalNotificationJob.class=com.netscape.cms.jobs.RenewalNotificationJob
+jobsScheduler.impl.RequestInQueueJob.class=com.netscape.cms.jobs.RequestInQueueJob
+jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.cms.jobs.UnpublishExpiredJob
+jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5
+jobsScheduler.job.certRenewalNotifier.emailSubject=Certificate Renewal Notification
+jobsScheduler.job.certRenewalNotifier.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1.txt
+jobsScheduler.job.certRenewalNotifier.enabled=false
+jobsScheduler.job.certRenewalNotifier.notifyEndOffset=30
+jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=30
+jobsScheduler.job.certRenewalNotifier.pluginName=RenewalNotificationJob
+jobsScheduler.job.certRenewalNotifier.senderEmail=
+jobsScheduler.job.certRenewalNotifier.summary.emailSubject=Certificate Renewal Notification Summary
+jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Summary.txt
+jobsScheduler.job.certRenewalNotifier.summary.enabled=true
+jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Item.txt
+jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=
+jobsScheduler.job.certRenewalNotifier.summary.senderEmail=
+jobsScheduler.job.publishCerts.cron=0 0 * * 2
+jobsScheduler.job.publishCerts.enabled=false
+jobsScheduler.job.publishCerts.pluginName=PublishCertsJob
+jobsScheduler.job.publishCerts.summary.emailSubject=Certs Publishing Summary
+jobsScheduler.job.publishCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/publishCerts.html
+jobsScheduler.job.publishCerts.summary.enabled=true
+jobsScheduler.job.publishCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/publishCertsItem.html
+jobsScheduler.job.publishCerts.summary.recipientEmail=
+jobsScheduler.job.publishCerts.summary.senderEmail=
+jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0
+jobsScheduler.job.requestInQueueNotifier.enabled=false
+jobsScheduler.job.requestInQueueNotifier.pluginName=RequestInQueueJob
+jobsScheduler.job.requestInQueueNotifier.subsystemId=ca
+jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report
+jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/riq1Summary.html
+jobsScheduler.job.requestInQueueNotifier.summary.enabled=true
+jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=
+jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=
+jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
+jobsScheduler.job.unpublishExpiredCerts.enabled=false
+jobsScheduler.job.unpublishExpiredCerts.pluginName=UnpublishExpiredJob
+jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=Expired Certs Unpublished Summary
+jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/euJob1.html
+jobsScheduler.job.unpublishExpiredCerts.summary.enabled=true
+jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/euJob1Item.html
+jobsScheduler.job.unpublishExpiredCerts.summary.recipientEmail=
+jobsScheduler.job.unpublishExpiredCerts.summary.senderEmail=
+jss._000=##
+jss._001=## JSS
+jss._002=##
+jss.configDir=[PKI_INSTANCE_PATH]/alias/
+jss.enable=true
+jss.secmodName=secmod.db
+jss.ocspcheck.enable=false
+jss.ssl.cipherfortezza=true
+jss.ssl.cipherpref=
+jss.ssl.cipherversion=cipherdomestic
+log._000=##
+log._001=## Logging
+log._002=##
+log.impl.file.class=com.netscape.cms.logging.RollingLogFile
+log.instance.SignedAudit._000=##
+log.instance.SignedAudit._001=## Signed Audit Logging
+log.instance.SignedAudit._002=##
+log.instance.SignedAudit._003=##
+log.instance.SignedAudit._004=## Available Audit events:
+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER
+log.instance.SignedAudit._006=##
+log.instance.SignedAudit.bufferSize=512
+log.instance.SignedAudit.enable=true
+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER
+log.instance.SignedAudit.expirationTime=0
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ca_audit
+log.instance.SignedAudit.flushInterval=5
+log.instance.SignedAudit.level=1
+log.instance.SignedAudit.logSigning=false
+log.instance.SignedAudit.maxFileSize=2000
+log.instance.SignedAudit.pluginName=file
+log.instance.SignedAudit.rolloverInterval=2592000
+log.instance.SignedAudit.signedAudit=_002=##
+log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+log.instance.SignedAudit.type=signedAudit
+log.instance.System._000=##
+log.instance.System._001=## System Logging
+log.instance.System._002=##
+log.instance.System.bufferSize=512
+log.instance.System.enable=true
+log.instance.System.expirationTime=0
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.flushInterval=5
+log.instance.System.level=3
+log.instance.System.maxFileSize=2000
+log.instance.System.pluginName=file
+log.instance.System.rolloverInterval=2592000
+log.instance.System.type=system
+log.instance.Transactions._000=##
+log.instance.Transactions._001=## Transaction Logging
+log.instance.Transactions._002=##
+log.instance.Transactions.bufferSize=512
+log.instance.Transactions.enable=true
+log.instance.Transactions.expirationTime=0
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.flushInterval=5
+log.instance.Transactions.level=1
+log.instance.Transactions.maxFileSize=2000
+log.instance.Transactions.pluginName=file
+log.instance.Transactions.rolloverInterval=2592000
+log.instance.Transactions.type=transaction
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
+oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
+oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
+oidmap.challenge_password.oid=1.2.840.113549.1.9.7
+oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension
+oidmap.extended_key_usage.oid=2.5.29.37
+oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
+oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14
+oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
+oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8
+oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension
+oidmap.netscape_comment.oid=2.16.840.1.113730.1.13
+oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension
+oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5
+oidmap.pse.class=netscape.security.extensions.PresenceServerExtension
+oidmap.pse.oid=2.16.840.1.113730.1.18
+oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
+oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
+os.userid=nobody
+profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert
+profile.caUUIDdeviceCert.class_id=caEnrollImpl
+profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUUIDdeviceCert.cfg
+profile.caManualRenewal.class_id=caEnrollImpl
+profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caManualRenewal.cfg
+profile.caDirUserRenewal.class_id=caEnrollImpl
+profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserRenewal.cfg
+profile.caSSLClientSelfRenewal.class_id=caEnrollImpl
+profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caSSLClientSelfRenewal.cfg
+profile.DomainController.class_id=caEnrollImpl
+profile.DomainController.config=[PKI_INSTANCE_PATH]/profiles/ca/DomainController.cfg
+profile.caAgentFileSigning.class_id=caEnrollImpl
+profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentFileSigning.cfg
+profile.caAgentServerCert.class_id=caEnrollImpl
+profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentServerCert.cfg
+profile.caRAserverCert.class_id=caEnrollImpl
+profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAserverCert.cfg
+profile.caCACert.class_id=caEnrollImpl
+profile.caCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCACert.cfg
+profile.caInstallCACert.class_id=caEnrollImpl
+profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInstallCACert.cfg
+profile.caCMCUserCert.class_id=caEnrollImpl
+profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCMCUserCert.cfg
+profile.caDirUserCert.class_id=caEnrollImpl
+profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserCert.cfg
+profile.caDualCert.class_id=caEnrollImpl
+profile.caDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualCert.cfg
+profile.caECDualCert.class_id=caEnrollImpl
+profile.caECDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caECDualCert.cfg
+profile.caDualRAuserCert.class_id=caEnrollImpl
+profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualRAuserCert.cfg
+profile.caRAagentCert.class_id=caEnrollImpl
+profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAagentCert.cfg
+profile.caFullCMCUserCert.class_id=caEnrollImpl
+profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caFullCMCUserCert.cfg
+profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
+profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthOCSPCert.cfg
+profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
+profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthAuditSigningCert.cfg
+profile.caInternalAuthServerCert.class_id=caEnrollImpl
+profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthServerCert.cfg
+profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl
+profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthSubsystemCert.cfg
+profile.caInternalAuthDRMstorageCert.class_id=caEnrollImpl
+profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthDRMstorageCert.cfg
+profile.caInternalAuthTransportCert.class_id=caEnrollImpl
+profile.caInternalAuthTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthTransportCert.cfg
+profile.caOCSPCert.class_id=caEnrollImpl
+profile.caOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOCSPCert.cfg
+profile.caOtherCert.class_id=caEnrollImpl
+profile.caOtherCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOtherCert.cfg
+profile.caRACert.class_id=caEnrollImpl
+profile.caRACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRACert.cfg
+profile.caRARouterCert.class_id=caEnrollImpl
+profile.caRARouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRARouterCert.cfg
+profile.caRouterCert.class_id=caEnrollImpl
+profile.caRouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRouterCert.cfg
+profile.caServerCert.class_id=caEnrollImpl
+profile.caServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caServerCert.cfg
+profile.caSignedLogCert.class_id=caEnrollImpl
+profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSignedLogCert.cfg
+profile.caSimpleCMCUserCert.class_id=caEnrollImpl
+profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSimpleCMCUserCert.cfg
+profile.caTPSCert.class_id=caEnrollImpl
+profile.caTPSCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTPSCert.cfg
+profile.caAdminCert.class_id=caEnrollImpl
+profile.caAdminCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAdminCert.cfg
+profile.caTempTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
+profile.caTempTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTempTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
+profile.caTokenUserEncryptionKeyRenewal.class_id=caUserCertEnrollImpl
+profile.caTokenUserEncryptionKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
+profile.caTempTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
+profile.caTokenUserSigningKeyRenewal.class_id=caUserCertEnrollImpl
+profile.caTokenUserSigningKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyRenewal.cfg
+profile.caTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenDeviceKeyEnrollment.cfg
+profile.caTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
+profile.caTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
+profile.caTokenMSLoginEnrollment.class_id=caUserCertEnrollImpl
+profile.caTokenMSLoginEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenMSLoginEnrollment.cfg
+profile.caTransportCert.class_id=caEnrollImpl
+profile.caTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTransportCert.cfg
+profile.caUserCert.class_id=caEnrollImpl
+profile.caUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserCert.cfg
+profile.caECUserCert.class_id=caEnrollImpl
+profile.caECUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caECUserCert.cfg
+profile.caUserSMIMEcapCert.class_id=caEnrollImpl
+profile.caUserSMIMEcapCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserSMIMEcapCert.cfg
+profile.caJarSigningCert.class_id=caEnrollImpl
+profile.caJarSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caJarSigningCert.cfg
+profile.caIPAserviceCert.class_id=caEnrollImpl
+profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caIPAserviceCert.cfg
+profile.caEncUserCert.class_id=caEnrollImpl
+profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caEncUserCert.cfg
+profile.caEncECUserCert.class_id=caEnrollImpl
+profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caEncECUserCert.cfg
+registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg
+request.assignee.enable=true
+selftests._000=##
+selftests._001=## Self Tests
+selftests._002=##
+selftests._003=## The Self-Test plugin SystemCertsVerification uses the
+selftests._004=## following parameters (where certusage is optional):
+selftests._005=## ca.cert.list = 
+selftests._006=## ca.cert..nickname
+selftests._007=## ca.cert..certusage
+selftests._008=##
+selftests.container.instance.CAPresence=com.netscape.cms.selftests.ca.CAPresence
+selftests.container.instance.CAValidity=com.netscape.cms.selftests.ca.CAValidity
+selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification
+selftests.container.logger.bufferSize=512
+selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
+selftests.container.logger.enable=true
+selftests.container.logger.expirationTime=0
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.flushInterval=5
+selftests.container.logger.level=1
+selftests.container.logger.maxFileSize=2000
+selftests.container.logger.register=false
+selftests.container.logger.rolloverInterval=2592000
+selftests.container.logger.type=transaction
+selftests.container.order.onDemand=CAPresence:critical, SystemCertsVerification:critical, CAValidity:critical
+selftests.container.order.startup=CAPresence:critical, SystemCertsVerification:critical
+selftests.plugin.CAPresence.CaSubId=ca
+selftests.plugin.CAValidity.CaSubId=ca
+selftests.plugin.SystemCertsVerification.SubId=ca
+smtp.host=localhost
+smtp.port=25
+subsystem.0.class=com.netscape.ca.CertificateAuthority
+subsystem.0.id=ca
+subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem
+subsystem.1.id=profile
+subsystem.2.class=com.netscape.cmscore.selftests.SelfTestSubsystem
+subsystem.2.id=selftests
+subsystem.3.class=com.netscape.cmscore.cert.CrossCertPairSubsystem
+subsystem.3.id=CrossCertPair
+subsystem.4.class=com.netscape.cmscore.util.StatsSubsystem
+subsystem.4.id=stats
+usrgrp._000=##
+usrgrp._001=## User/Group
+usrgrp._002=##
+usrgrp.ldap=internaldb
+multiroles._000=##
+multiroles._001=## multiroles
+multiroles._002=##
+multiroles.enable=true
+multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Administrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group,ClonedSubsystems
diff --git a/base/ca/shared/conf/acl.ldif b/base/ca/shared/conf/acl.ldif
new file mode 100644
index 000000000..ceea1f27a
--- /dev/null
+++ b/base/ca/shared/conf/acl.ldif
@@ -0,0 +1,53 @@
+dn: cn=aclResources,{rootSuffix}
+objectClass: top
+objectClass: CertACLS
+cn: aclResources
+resourceACLS: certServer.general.configuration:read,modify,delete:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";allow (modify,delete) group="Administrators":Administrators, auditors, and agents are allowed to read CMS general configuration but only administrators are allowed to modify and delete
+resourceACLS: certServer.policy.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read policy configuration but only administrators allowed to modify
+resourceACLS: certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify
+resourceACLS: certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify
+resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml
+resourceACLS: certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" ;deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter
+#resourceACLS: certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter.
+resourceACLS: certServer.log.content.signedAudit:read:allow (read) group="Auditors":Only auditor is allowed to read the signed audit log
+resourceACLS: certServer.log.content.system:read:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors":Administrators, auditors, and agents are allowed to read the log content
+resourceACLS: certServer.log.content.transactions:read:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors":Administrators, auditors, and agents are allowed to read the log content
+resourceACLS: certServer.ca.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read CA configuration but only administrators allowed to modify
+resourceACLS: certServer.auth.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read authentication configuration but only administrators allowed to modify
+resourceACLS: certServer.ocsp.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read ocsp configuration but only administrators allowed to modify
+resourceACLS: certServer.registry.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":this acl is shared by all admin servlets
+resourceACLS: certServer.profile.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read profile configuration but only administrators allowed to modify
+resourceACLS: certServer.job.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read job configuration but only administrators allowed to modify
+resourceACLS: certServer.publisher.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read publisher configuration but only administrators allowed to modify
+resourceACLS: certServer.kra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read DRM configuration but only administrators allowed to modify
+resourceACLS: certServer.ra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read RA configuration but only administrators allowed to modify
+resourceACLS: certServer.ca.directory:update:allow (update) group="Certificate Manager Agents":Certificate Manager agents may update directory
+resourceACLS: certServer.ca.certificate:import,unrevoke,revoke,read:allow (import,unrevoke,revoke,read) group="Certificate Manager Agents":Certificate Manager agents may import,unrevoke,revoke,read a certificate
+resourceACLS: certServer.ca.certificates:revoke,list:allow (revoke,list) group="Certificate Manager Agents"|| group="Registration Manager Agents":Only certificate and registration manager agents revoke, list certificates
+resourceACLS: certServer.ca.requests:list:allow (list) group="Certificate Manager Agents"|| group="Registration Manager Agents":Only certificate and registration manager agents list requests
+resourceACLS: certServer.ca.request.enrollment:submit,read,execute,assign,unassign:allow (submit) user="anybody";allow (read,execute,assign,unassign) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read,execute,assign or unassign request
+resourceACLS: certServer.ca.ocsp:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may read ocsp information
+resourceACLS: certServer.ee.request.ocsp:submit:allow (submit) ipaddress=".*":Any clients can submit ocsp requests
+resourceACLS: certServer.ca.crl:read,update:allow (read,update) group="Certificate Manager Agents":Certificate Manager agents may read or update crl
+resourceACLS: certServer.ee.certificate:renew,revoke,read,import:allow (renew,revoke,read,import) user="anybody":Anybody may renew,import,revoke,read a certificate
+resourceACLS: certServer.ee.certificates:revoke,list:allow (revoke,list) user="anybody":Anybody may revoke, list certificates
+resourceACLS: certServer.ee.certchain:download,read:allow (download,read) user="anybody":Anybody may download a certificate chain
+resourceACLS: certServer.ee.crl:read,add:allow (read,add) user="anybody":Anybody may add or retrieve CRL
+resourceACLS: certServer.ee.request.enrollment:submit:allow (submit) user="anybody":Anybody may submit an enrollment request
+resourceACLS: certServer.ee.requestStatus:read:allow (read) user="anybody":Anybody may read request status
+resourceACLS: certServer.ee.request.revocation:submit:allow (submit) user="anybody":Anybody may submit a revocation request
+resourceACLS: certServer.admin.certificate:import:allow (import) user="anybody":Any user may import a certificate
+resourceACLS: certServer.admin.request.enrollment:submit,read,execute:allow (submit) user="anybody";allow (read,execute) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read or execute request
+resourceACLS: certServer.ca.request.profile:approve,read:allow (approve,read) group="Certificate Manager Agents":Certificate Manager agents may approve profile
+resourceACLS: certServer.ca.profiles:list:allow (list) group="Certificate Manager Agents":Certificate Manager agents may list profiles
+resourceACLS: certServer.ca.profile:read,approve:allow (read,approve) group="Certificate Manager Agents":Certificate Manager agents may read profile
+resourceACLS: certServer.ee.profile:submit,read:allow (submit,read) user="anybody":Anybody may submit certificate profiles
+resourceACLS: certServer.ee.profiles:list:allow (list) user="anybody":Anybody may list certificate profiles
+resourceACLS: certServer.ca.connector:submit:allow (submit) group="Trusted Managers":Only Trusted Managers submit requests
+resourceACLS: certServer.ca.clone:submit:allow (submit) group="Certificate Manager Agents":Certificate Manager Agents are allowed to submit request to the master CA
+resourceACLS: certServer.ca.systemstatus:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may view statistics
+resourceACLS: certServer.ca.group:read,modify:allow (modify,read) group="Administrators":Only administrators are allowed to read and modify users and groups
+resourceACLS: certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information
+resourceACLS: certServer.ca.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent
+resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
+resourceACLS: certServer.admin.ocsp:read,modify:allow (modify,read) group="Enterprise OCSP Administrators":Only Enterprise Administrators are allowed to read or update the OCSP configuration.
diff --git a/base/ca/shared/conf/adminCert.profile b/base/ca/shared/conf/adminCert.profile
new file mode 100644
index 000000000..5e84d7492
--- /dev/null
+++ b/base/ca/shared/conf/adminCert.profile
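Review bot: The `certServer.log.configuration.fileName` rule ends with `deny (modify) user=anybody`, while every other subject in this file is quoted (`user="anybody"`, `group="Administrators"`); if the ACL evaluator only recognises the quoted form, the one rule whose purpose is to stop log files being redirected may never match, so it should read `deny (modify) user="anybody"` for consistency (the disabled `#resourceACLS: ...signedAudit.expirationTime` line carries the same unquoted form). Whether the unquoted form is accepted cannot be determined from this file alone. Separately, `certServer.ee.certificates:revoke,list` and `certServer.ee.crl:read,add` grant `revoke` and `add` to `user="anybody"`; presumably the EE servlets bind the caller to its own certificate before honouring a revoke, but nothing here says so, and a comment on those two lines naming where that check lives would save the next auditor a search.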
@@ -0,0 +1,39 @@
+#
+# Server Certificate
+#
+id=adminCert.profile
+name=All Purpose admin server cert Profile
+description=This profile creates an administrator's certificate
+profileIDMapping=caAdminCert
+profileSetIDMapping=adminCertSet
+list=2,4,5,6,7
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=true
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
diff --git a/base/ca/shared/conf/caAuditSigningCert.profile b/base/ca/shared/conf/caAuditSigningCert.profile
new file mode 100644
index 000000000..5983a186c
--- /dev/null
+++ b/base/ca/shared/conf/caAuditSigningCert.profile
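Review bot: The header comment `# Server Certificate` and the name `All Purpose admin server cert Profile` describe a server certificate, but the extended key usage on the last line is `1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4` (TLS client authentication and e-mail protection) with no serverAuth OID, so what this profile actually issues is a client/S-MIME certificate for administrators; the header should say so, e.g. `# Administrator Certificate (TLS client auth + S/MIME; not a serverAuth cert)`. `5.default.params.authInfoAccessADLocation_0=` is left empty; presumably the installer substitutes the OCSP URL, but if the value were ever used as-is the AIA extension would carry an empty URI, so a comment stating that it is filled in at configuration time would help.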
@@ -0,0 +1,35 @@
+#
+# CA Audit Signing Cert Profile
+#
+id=caAuditSigningCert.profile
+name=CA Audit Signing Certificate Profile
+description=This profile creates a CA Audit signing certificate that is valid for audit log signing purpose.
+profileIDMapping=caSignedLogCert
+profileSetIDMapping=caLogSigningSet
+list=2,4,6,8
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=false
+6.default.params.keyUsageKeyEncipherment=false
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+8.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+8.default.name=AIA Extension Default
+8.default.params.authInfoAccessADEnable_0=true
+8.default.params.authInfoAccessADLocationType_0=URIName
+8.default.params.authInfoAccessADLocation_0=
+8.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+8.default.params.authInfoAccessCritical=false
+8.default.params.authInfoAccessNumADs=1
diff --git a/base/ca/shared/conf/caCert.profile b/base/ca/shared/conf/caCert.profile
new file mode 100644
index 000000000..3e9c83613
--- /dev/null
+++ b/base/ca/shared/conf/caCert.profile
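Review bot: The description promises a certificate "valid for audit log signing purpose", but nothing in `list=2,4,6,8` restricts it beyond key usage `digitalSignature` and `nonRepudiation`; unlike `caOCSPCert.profile` in this same commit, which pins an extended key usage, the audit signing certificate is usable for any signature-only purpose a relying party accepts. There is no standard EKU for audit-log signing, so the minimum a reader needs is a comment next to `list=` such as `# No ExtendedKeyUsage: this cert is constrained only by keyUsage (digitalSignature, nonRepudiation)`, so the missing EKU reads as a decision rather than an omission. The empty `8.default.params.authInfoAccessADLocation_0=` is presumably filled by the installer and deserves the same note.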
@@ -0,0 +1,44 @@
+#
+# CA Profile
+#
+id=caCert.profile
+name=All Purpose CA Profile
+description=This profile creates a CA certificate that is valid for all signing purposes.
+profileIDMapping=caCACert
+profileSetIDMapping=caCertSet
+list=2,4,5,6,7,8
+2.default.class=com.netscape.cms.profile.def.CAValidityDefault
+2.default.name=CA Certificate Validity Default
+2.default.params.range=2922
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+4.default.params.localKey=true
+5.default.class=com.netscape.cms.profile.def.BasicConstraintsExtDefault
+5.default.name=Basic Constraints Extension Default
+5.default.params.basicConstraintsCritical=true
+5.default.params.basicConstraintsIsCA=true
+5.default.params.basicConstraintsPathLen=-1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=false
+6.default.params.keyUsageKeyEncipherment=false
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=true
+6.default.params.keyUsageCrlSign=true
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
+7.default.name=Subject Key Identifier Extension Default
+7.default.params.critical=false
+8.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+8.default.name=AIA Extension Default
+8.default.params.authInfoAccessADEnable_0=true
+8.default.params.authInfoAccessADLocationType_0=URIName
+8.default.params.authInfoAccessADLocation_0=
+8.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+8.default.params.authInfoAccessCritical=false
+8.default.params.authInfoAccessNumADs=1
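Review bot: `5.default.params.basicConstraintsPathLen=-1` next to `basicConstraintsIsCA=true` presumably means no pathLenConstraint is encoded, so every CA certificate issued from this profile may itself certify an unbounded chain of subordinate CAs; that is acceptable for a root, but for a subordinate it is the opposite of least privilege, and the profile is named "All Purpose CA Profile" with no hint of which case it serves. A comment on that line, e.g. `# -1 = omit pathLenConstraint; use 0 for a subordinate CA that must only issue end-entity certs`, would make the choice explicit. `4.default.params.localKey=true` appears only in this profile among the ones added here and likewise deserves a one-line note on what it selects for the Authority Key Identifier.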
diff --git a/base/ca/shared/conf/caOCSPCert.profile b/base/ca/shared/conf/caOCSPCert.profile
new file mode 100644
index 000000000..b3c27c1b0
--- /dev/null
+++ b/base/ca/shared/conf/caOCSPCert.profile
@@ -0,0 +1,42 @@
+#
+# OCSP CA Profile
+#
+id=caOCSPCert.profile
+name=All Purpose CA OCSP Profile
+description=This profile creates a CA OCSP certificate that is valid for all signing purposes.
+profileIDMapping=caOCSPCert
+profileSetIDMapping=ocspCertSet
+list=2,4,6,8,9
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=false
+6.default.params.keyUsageKeyEncipherment=false
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=true
+6.default.params.keyUsageCrlSign=true
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
+7.default.name=Subject Key Identifier Extension Default
+7.default.params.critical=false
+8.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+8.default.name=AIA Extension Default
+8.default.params.authInfoAccessADEnable_0=true
+8.default.params.authInfoAccessADLocationType_0=URIName
+8.default.params.authInfoAccessADLocation_0=
+8.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+8.default.params.authInfoAccessCritical=false
+8.default.params.authInfoAccessNumADs=1
+9.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+9.default.name=Extended Key Usage Extension Default
+9.default.params.exKeyUsageCritical=false
+9.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
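Review bot: `6.default.params.keyUsageKeyCertSign=true` and `6.default.params.keyUsageCrlSign=true` assert CA-only key usage bits on a certificate whose sole extended key usage is OCSP signing (`1.3.6.1.5.5.7.3.9`), and `list=2,4,6,8,9` adds no BasicConstraints default; RFC 5280 §4.2.1.3 allows keyCertSign only when the cA bit is also asserted, so the issued certificate is non-conformant and carries far more authority than an OCSP responder needs. Unless some consumer in this tree depends on those bits, an OCSP signing certificate needs only `digitalSignature` (plus `nonRepudiation` if wanted), so the two lines should become `6.default.params.keyUsageKeyCertSign=false` and `6.default.params.keyUsageCrlSign=false`. The `7.default.*` SubjectKeyIdentifier lines are defined but `7` is missing from `list=`, so they are dead configuration; either include it (`list=2,4,6,7,8,9`) or remove them. The description "valid for all signing purposes" contradicts the OCSPSigning EKU and should say OCSP response signing.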
diff --git a/base/ca/shared/conf/catalina.policy b/base/ca/shared/conf/catalina.policy
new file mode 100644
index 000000000..cf8302cd0
--- /dev/null
+++ b/base/ca/shared/conf/catalina.policy
@@ -0,0 +1,184 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// Copyright (C) 2006-2010 Red Hat, Inc. +// All rights reserved. +// Modifications: configuration parameters +// --- END COPYRIGHT BLOCK --- + +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// ============================================================================ +// catalina.corepolicy - Security Policy Permissions for Tomcat 6 +// +// This file contains a default set of security policies to be enforced (by the +// JVM) when Catalina is executed with the "-security" option. 
In addition +// to the permissions granted here, the following additional permissions are +// granted to the codebase specific to each web application: +// +// * Read access to the document root directory +// +// $Id$ +// ============================================================================ + + +// ========== SYSTEM CODE PERMISSIONS ========================================= + + +// These permissions apply to javac +grant codeBase "file:${java.home}/lib/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to all shared system extensions +grant codeBase "file:${java.home}/jre/lib/ext/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre +grant codeBase "file:${java.home}/../lib/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to all shared system extensions when +// ${java.home} points at $JAVA_HOME/jre +grant codeBase "file:${java.home}/lib/ext/-" { + permission java.security.AllPermission; +}; + + +// ========== CATALINA CODE PERMISSIONS ======================================= + + +// These permissions apply to the daemon code +grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the logging API +grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { + permission java.util.PropertyPermission "java.util.logging.config.class", "read"; + permission java.util.PropertyPermission "java.util.logging.config.file", "read"; + permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; + permission java.lang.RuntimePermission "shutdownHooks"; + permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read"; + permission java.util.PropertyPermission "catalina.base", "read"; + permission java.util.logging.LoggingPermission "control"; + 
permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write"; + permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write"; + permission java.lang.RuntimePermission "getClassLoader"; + // To enable per context logging configuration, permit read access to the appropriate file. + // Be sure that the logging configuration is secure before enabling such access + // eg for the examples web application: + // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; +}; + +// These permissions apply to the server startup code +grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the servlet API classes +// and those that are shared across all class loaders +// located in the "lib" directory +grant codeBase "file:${catalina.home}/lib/-" { + permission java.security.AllPermission; +}; + + +// ========== WEB APPLICATION PERMISSIONS ===================================== + + +// These permissions are granted by default to all web applications +// In addition, a web application will be given a read FilePermission +// and JndiPermission for all files and directories in its document root. 
+grant { + // Required for JNDI lookup of named JDBC DataSource's and + // javamail named MimePart DataSource used to send mail + permission java.util.PropertyPermission "java.home", "read"; + permission java.util.PropertyPermission "java.naming.*", "read"; + permission java.util.PropertyPermission "javax.sql.*", "read"; + + // OS Specific properties to allow read access + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.version", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "file.separator", "read"; + permission java.util.PropertyPermission "path.separator", "read"; + permission java.util.PropertyPermission "line.separator", "read"; + + // JVM properties to allow read access + permission java.util.PropertyPermission "java.version", "read"; + permission java.util.PropertyPermission "java.vendor", "read"; + permission java.util.PropertyPermission "java.vendor.url", "read"; + permission java.util.PropertyPermission "java.class.version", "read"; + permission java.util.PropertyPermission "java.specification.version", "read"; + permission java.util.PropertyPermission "java.specification.vendor", "read"; + permission java.util.PropertyPermission "java.specification.name", "read"; + + permission java.util.PropertyPermission "java.vm.specification.version", "read"; + permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; + permission java.util.PropertyPermission "java.vm.specification.name", "read"; + permission java.util.PropertyPermission "java.vm.version", "read"; + permission java.util.PropertyPermission "java.vm.vendor", "read"; + permission java.util.PropertyPermission "java.vm.name", "read"; + + // Required for OpenJMX + permission java.lang.RuntimePermission "getAttribute"; + + // Allow read of JAXP compliant XML parser debug + permission java.util.PropertyPermission "jaxp.debug", "read"; + + // Precompiled JSPs need 
access to this package. + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*"; + + // Precompiled JSPs need access to this system property. + permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read"; + +}; + + +// You can assign additional permissions to particular web applications by +// adding additional "grant" entries here, based on the code base for that +// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files. +// +// Different permissions can be granted to JSP pages, classes loaded from +// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/ +// directory, or even to individual jar files in the /WEB-INF/lib/ directory. +// +// For instance, assume that the standard "examples" application +// included a JDBC driver that needed to establish a network connection to the +// corresponding database and used the scrape taglib to get the weather from +// the NOAA web server. You might create a "grant" entries like this: +// +// The permissions granted to the context root directory apply to JSP pages. 
+// grant codeBase "file:${catalina.home}/webapps/examples/-" { +// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; +// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; +// }; +// +// The permissions granted to the context WEB-INF/classes directory +// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" { +// }; +// +// The permission granted to your JDBC driver +// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" { +// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; +// }; +// The permission granted to the scrape taglib +// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" { +// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; +// }; + diff --git a/base/ca/shared/conf/catalina.properties b/base/ca/shared/conf/catalina.properties new file mode 100644 index 000000000..70cb7c05e --- /dev/null +++ b/base/ca/shared/conf/catalina.properties 
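Review bot: The comment above the third system grant reads `// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre` — the closing bracket should be `}` to match the `${java.home}` spelling used in the codeBase on the next line. Two points worth documenting for a CA deployment: the header says this policy is enforced only when Catalina is started with the `-security` option, so the instance startup configuration should state whether that option is in use, and `grant codeBase "file:${catalina.home}/lib/-"` hands `java.security.AllPermission` to every jar in that directory, so write access to `lib` is equivalent to unrestricted JVM permission and the directory needs the same ownership and mode treatment as the policy file itself. The `// Modifications: configuration parameters` line in the copyright block does not say which entries differ from the stock Tomcat 6 file; naming them there would make future Tomcat upgrades easier to merge.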
@@ -0,0 +1,87 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2006-2010 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageAccess unless the
+# corresponding RuntimePermission ("accessClassInPackage."+package) has
+# been granted.
+package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans.
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageDefinition unless the
+# corresponding RuntimePermission ("defineClassInPackage."+package) has
+# been granted.
+#
+# by default, no packages are restricted for definition, and none of
+# the class loaders supplied with the JDK call checkPackageDefinition.
+#
+package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
+
+#
+#
+# List of comma-separated paths defining the contents of the "common"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank,the JVM system loader will be used as Catalina's "common"
+# loader.
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+common.loader=${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
+
+#
+# List of comma-separated paths defining the contents of the "server"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank, the "common" loader will be used as Catalina's "server"
+# loader.
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+server.loader=
+
+#
+# List of comma-separated paths defining the contents of the "shared"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
+# the "common" loader will be used as Catalina's "shared" loader.
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+# Please note that for single jars, e.g. bar.jar, you need the URL form
+# starting with file:.
+shared.loader=
+
+#
+# String cache configuration.
+tomcat.util.buf.StringCache.byte.enabled=true
+#tomcat.util.buf.StringCache.char.enabled=true
+#tomcat.util.buf.StringCache.trainThreshold=500000
+#tomcat.util.buf.StringCache.cacheSize=5000
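Review bot: `common.loader=${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]` ends in a substitution token that the comment block above it never mentions; if whatever creates the instance does not replace it, Tomcat is handed the literal repository path `[TOMCAT_INSTANCE_COMMON_LIB]`. A comment directly above the line, such as `# [TOMCAT_INSTANCE_COMMON_LIB] is replaced at instance creation with the instance-specific common library directory`, together with the name of the tool that performs the substitution, would make the template contract explicit — presumably the installer does this, but nothing in the file says so. Every directory listed here becomes a class source for the whole server, so the substituted path should be documented as needing the same restrictive ownership as `${catalina.home}/lib`. Minor: `# If left as blank,the JVM system loader` is missing a space after the comma, unlike the same sentence in the "server" block below it.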
diff --git a/base/ca/shared/conf/context.xml b/base/ca/shared/conf/context.xml new file mode 100644 index 000000000..8b6fe4905 --- /dev/null +++ b/base/ca/shared/conf/context.xml @@ -0,0 +1,40 @@ + + + + + + + + WEB-INF/web.xml + + + + + + + + diff --git a/base/ca/shared/conf/database.ldif b/base/ca/shared/conf/database.ldif new file mode 100644 index 000000000..4dfdcea69 --- /dev/null +++ b/base/ca/shared/conf/database.ldif @@ -0,0 +1,4 @@ +dn: cn=config +changetype: modify +replace: nsslapd-maxbersize +nsslapd-maxbersize: 209715200 diff --git a/base/ca/shared/conf/db.ldif b/base/ca/shared/conf/db.ldif new file mode 100644 index 000000000..00fa919b7 --- /dev/null +++ b/base/ca/shared/conf/db.ldif 
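Review bot: `nsslapd-maxbersize: 209715200` raises the directory server's per-request BER limit to 200 MiB with no comment saying why; a one-line `# raised from the server default so that large entries (presumably certificate and CRL data) can be written` — with the real reason substituted — would help, since this value is roughly the upper bound on what a single client request can make the server buffer before it is rejected. If the CA's LDAP listener is reachable by clients other than the CA itself, that bound applies to them as well; presumably acceptable on a dedicated internal directory, but it should be an explicit, documented decision rather than a bare number.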
@@ -0,0 +1,163 @@
+dn: ou=people,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+ou: people
+aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";)
+
+dn: ou=groups,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+ou: groups
+
+dn: cn=Certificate Manager Agents,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Certificate Manager Agents
+description: Agents for Certificate Manager
+
+dn: cn=Registration Manager Agents,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Registration Manager Agents
+description: Agents for Registration Manager
+
+dn: cn=Subsystem Group, ou=groups, {rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Subsystem Group
+description: Subsystem Group
+
+dn: cn=Trusted Managers,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Trusted Managers
+description: Managers trusted by this PKI instance
+
+dn: cn=Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Administrators
+description: People who manage the Certificate System
+
+dn: cn=Auditors,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Auditors
+description: People who can read the signed audits
+
+dn: cn=ClonedSubsystems,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: ClonedSubsystems
+description: People who can clone the master subsystem
+
+dn: cn=Security Domain Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Security Domain Administrators
+description: People who are the Security Domain administrators
+
+dn: cn=Enterprise CA Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Enterprise CA Administrators
+description: People who are the administrators for the security domain for CA
+
+dn: cn=Enterprise KRA Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Enterprise KRA Administrators
+description: People who are the administrators for the security domain for KRA
+
+dn: cn=Enterprise OCSP Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Enterprise OCSP Administrators
+description: People who are the administrators for the security domain for OCSP
+
+dn: cn=Enterprise TKS Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Enterprise TKS Administrators
+description: People who are the administrators for the security domain for TKS
+
+dn: cn=Enterprise RA Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Enterprise RA Administrators
+description: People who are the administrators for the security domain for RA
+
+dn: cn=Enterprise TPS Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Enterprise TPS Administrators
+description: People who are the administrators for the security domain for TPS
+
+dn: ou=requests,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+ou: requests
+
+dn: cn=crossCerts,{rootSuffix}
+cn: crossCerts
+sn: crossCerts
+objectClass: top
+objectClass: person
+objectClass: pkiCA
+cACertificate;binary:
+authorityRevocationList;binary:
+certificateRevocationList;binary:
+crossCertificatePair;binary:
+
+dn: ou=ca,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+ou: ca
+
+dn: ou=certificateRepository,ou=ca,{rootSuffix}
+objectClass: top
+objectClass: repository
+ou: certificateRepository
+serialno: 011
+
+dn: ou=crlIssuingPoints,ou=ca,{rootSuffix}
+objectClass: top
+objectClass: repository
+ou: crlIssuingPoints
+serialno: 010
+
+dn: ou=ca, ou=requests,{rootSuffix}
+objectClass: top
+objectClass: repository
+ou: ca
+serialno: 010
+publishingStatus: -2
+
+dn: ou=replica,{rootSuffix}
+objectClass: top
+objectClass: repository
+ou: replica
+serialno: 010
+nextRange: 1000
+
+dn: ou=ranges,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+ou: ranges
+
+dn: ou=replica, ou=ranges,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+ou: replica
+
+dn: ou=requests, ou=ranges,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+ou: requests
+
+dn: ou=certificateRepository, ou=ranges,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+ou: certificateRepository
+
+
diff --git a/base/ca/shared/conf/flatfile.txt b/base/ca/shared/conf/flatfile.txt
new file mode 100644
index 000000000..75defd1da
--- /dev/null
+++ b/base/ca/shared/conf/flatfile.txt
@@ -0,0 +1,2 @@
+#UID:172.16.24.238
+#PWD:1212
diff --git a/base/ca/shared/conf/index.ldif b/base/ca/shared/conf/index.ldif
new file mode 100644
index 000000000..4bc8aebf9
--- /dev/null
+++ b/base/ca/shared/conf/index.ldif
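Review bot: The `aci` on `ou=people,{rootSuffix}` grants `read, search, compare` on every attribute except `userPassword` to `ldap:///anyone`, so — subject to the server's global anonymous-access setting — an unauthenticated client can enumerate every user entry under the CA, including any attributes added to those entries later. If anonymous access is needed only for a subset of attributes, the rule should list them explicitly rather than use `targetattr!="userPassword"`; if it is not needed at all, the `{dbuser}` grants in `manager.ldif` already cover the CA's own access, and a comment above the line naming the component that relies on anonymous read would document whichever decision is taken. A point of style: `cn=Subsystem Group, ou=groups, {rootSuffix}`, `ou=ca, ou=requests,{rootSuffix}` and the three `ou=ranges` children put spaces after the DN commas while every other DN in the file does not; harmless to the server, but worth normalising so DN comparisons in scripts do not trip on it.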
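Review bot: The two commented sample lines `#UID:172.16.24.238` and `#PWD:1212` use a concrete address and a four-digit secret as the format illustration, and nothing in the file says what reads it; presumably it is the credential list for flat-file authentication, in which case every uncommented `PWD:` value is a cleartext secret and the file's ownership and mode matter as much as the rest of the instance configuration. A short header such as `# Flat-file authentication entries: one UID: line followed by its PWD: line; values are stored in cleartext, keep this file readable by the CA user only` (adjusted to the real format) would make that explicit, and obviously fake placeholders like `#UID:<identifier>` / `#PWD:<secret>` would avoid shipping something that looks like a live credential.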
@@ -0,0 +1,198 @@ +dn: cn=revokedby,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsSystemIndex: false +cn: revokedby + +dn: cn=issuedby,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsSystemIndex: false +cn: issuedby + +dn: cn=publicKeyData,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsSystemIndex: false +cn: publicKeyData + +dn: cn=clientId,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsSystemIndex: false +cn: clientId + +dn: cn=dataType,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsSystemIndex: false +cn: dataType + +dn: cn=status,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsSystemIndex: false +cn: status + +dn: cn=description,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: description + +dn: cn=serialno,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: serialno + +dn: cn=metaInfo,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: metaInfo + +dn: cn=certstatus,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: certstatus + +dn: cn=requestid,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq 
+nsIndexType: pres +nsSystemIndex: false +cn: requestid + +dn: cn=requesttype,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: requesttype + +dn: cn=requeststate,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: requeststate + +dn: cn=requestowner,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: requestowner + +dn: cn=notbefore,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: notbefore + +dn: cn=notafter,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: notafter + +dn: cn=duration,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: duration + +dn: cn=dateOfCreate,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: dateOfCreate + +dn: cn=revokedOn,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: revokedOn + +dn: cn=archivedBy,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: archivedBy + +dn: cn=ownername,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres 
+nsIndexType: sub +nsSystemIndex: false +cn: ownername + +dn: cn=subjectname,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub +nsSystemIndex: false +cn: subjectname + +dn: cn=requestsourceid,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub +nsSystemIndex: false +cn: requestsourceid + +dn: cn=revInfo,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub +nsSystemIndex: false +cn: revInfo + +dn: cn=extension,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub +nsSystemIndex: false +cn: extension diff --git a/base/ca/shared/conf/jk2.manifest b/base/ca/shared/conf/jk2.manifest new file mode 100644 index 000000000..986d7b874 --- /dev/null +++ b/base/ca/shared/conf/jk2.manifest @@ -0,0 +1,2 @@ +Main-Class: org.apache.jk.apr.TomcatStarter +Class-Path: ../lib/tomcat.jar log4j.jar log4j-core.jar ../lib/common/log4j.jar ../lib/common/log4j-core.jar ../lib/common/classes ../lib/common/commons-logging.jar bootstrap.jar ../server/lib/commons-logging.jar ../server/lib/jmx.jar jmx.jar commons-logging-api.jar diff --git a/base/ca/shared/conf/jk2.properties b/base/ca/shared/conf/jk2.properties new file mode 100644 index 000000000..093bae802 --- /dev/null +++ b/base/ca/shared/conf/jk2.properties 
@@ -0,0 +1,26 @@ +## THIS FILE MAY BE OVERRIDEN AT RUNTIME. MAKE SURE TOMCAT IS STOPED +## WHEN YOU EDIT THE FILE. + +## COMMENTS WILL BE _LOST_ + +## DOCUMENTATION OF THE FORMAT IN JkMain javadoc. + +# Set the desired handler list +# handler.list=apr,request,channelJni +# +# Override the default port for the socketChannel +# channelSocket.port=8019 +# Default: +# channelUnix.file=${jkHome}/work/jk2.socket +# Just to check if the the config is working +# shm.file=${jkHome}/work/jk2.shm + +# In order to enable jni use any channelJni directive +# channelJni.disabled = 0 +# And one of the following directives: + +# apr.jniModeSo=/opt/apache2/modules/mod_jk2.so + +# If set to inprocess the mod_jk2 will Register natives itself +# This will enable the starting of the Tomcat from mod_jk2 +# apr.jniModeSo=inprocess diff --git a/base/ca/shared/conf/jkconf.ant.xml b/base/ca/shared/conf/jkconf.ant.xml new file mode 100644 index 000000000..245cf98e2 --- /dev/null +++ b/base/ca/shared/conf/jkconf.ant.xml @@ -0,0 +1,51 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/base/ca/shared/conf/jkconfig.manifest b/base/ca/shared/conf/jkconfig.manifest new file mode 100644 index 000000000..3ba1f2e3e --- /dev/null +++ b/base/ca/shared/conf/jkconfig.manifest @@ -0,0 +1,2 @@ +Main-Class: org.apache.jk.config.WebXml2Jk +Class-Path: tomcat-jk2.jar commons-logging.jar crimson.jar xercesImpl.jar xmlApis.jar tomcat-util.jar log4j.jar log4j-core.jar diff --git a/base/ca/shared/conf/logging.properties b/base/ca/shared/conf/logging.properties new file mode 100644 index 000000000..796cfc071 --- /dev/null +++ b/base/ca/shared/conf/logging.properties 
@@ -0,0 +1,70 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2006-2010 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+1catalina.org.apache.juli.FileHandler.level = FINE
+1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+1catalina.org.apache.juli.FileHandler.prefix = catalina.
+
+2localhost.org.apache.juli.FileHandler.level = FINE
+2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+2localhost.org.apache.juli.FileHandler.prefix = localhost.
+
+3manager.org.apache.juli.FileHandler.level = FINE
+3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+3manager.org.apache.juli.FileHandler.prefix = manager.
+
+4host-manager.org.apache.juli.FileHandler.level = FINE
+4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
+
+java.util.logging.ConsoleHandler.level = FINE
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+
+############################################################
+# Facility specific properties.
+# Provides extra control for each logger.
+############################################################
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
+
+# For example, set the com.xyz.foo logger to only log SEVERE
+# messages:
+#org.apache.catalina.startup.ContextConfig.level = FINE
+#org.apache.catalina.startup.HostConfig.level = FINE
+#org.apache.catalina.session.ManagerBase.level = FINE
+#org.apache.catalina.core.AprLifecycleListener.level=FINE
diff --git a/base/ca/shared/conf/manager.ldif b/base/ca/shared/conf/manager.ldif
new file mode 100644
index 000000000..52e486987
--- /dev/null
+++ b/base/ca/shared/conf/manager.ldif
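Review bot: The trailing two-line comment `# For example, set the com.xyz.foo logger to only log SEVERE` / `# messages:` is followed by four commented examples that all set `.level = FINE`, so the text describes the opposite of what the examples show; `# For example, enable FINE-level diagnostics for individual Catalina components:` would match them. All four FileHandlers and the ConsoleHandler are set to `FINE` and the file sets no root `.level`, so the effective verbosity is whatever the JUL default supplies — a comment stating the intended operational level for a CA instance, and a reminder that FINE-level container output can include request details that belong in the signed audit log rather than in the catalina logs, would help operators tune it deliberately. The `3manager`/`4host-manager` handlers and the `[/manager]`/`[/host-manager]` logger entries only matter if those Tomcat webapps are deployed in the CA instance; if they are not, presumably they just produce unused log files and can be removed.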
@@ -0,0 +1,48 @@
+# acis for cert manager
+
+dn: ou=csusers,cn=config
+objectClass: top
+objectClass: organizationalUnit
+ou: csusers
+
+dn: {rootSuffix}
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)
+
+dn: cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)
+
+dn: ou=csusers,cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)
+
+dn: cn=tasks,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
+
+
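Review bot: The modifies on `cn=config` and `ou=csusers,cn=config` spell the rule name with `aci "cert manager read access"` and `aci "cert manager manage replication users"`, while every other rule in the file uses the `acl "..."` keyword; if the server does not accept `aci` as a synonym these two entries are rejected at import time, and even if it does, the file should use one spelling — `aci: (targetattr != aci)(version 3.0; acl "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)` and likewise for the second. The first rule, `(targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)` on `{rootSuffix}`, gives the CA's bind identity full control of the suffix; that is presumably required, but whether `targetattr=*` also covers the `aci` attribute itself (and so lets `{dbuser}` rewrite these rules) depends on the directory server version and should be confirmed and recorded in the header comment. `# acis for cert manager` could also say which tool substitutes `{rootSuffix}` and `{dbuser}` before the file is applied.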
diff --git a/base/ca/shared/conf/proxy.conf b/base/ca/shared/conf/proxy.conf new file mode 100644 index 000000000..663ba5722 --- /dev/null +++ b/base/ca/shared/conf/proxy.conf @@ -0,0 +1,34 @@ +ProxyRequests Off + +# matches for ee port + + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient none + ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ + ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ + + +# matches for admin port + + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient none + ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ + ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ + + +# matches for agent port and eeca port + + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient require + ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ + ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ + + +# static content + + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient none + ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ + ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ + + diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg new file mode 100644 index 000000000..f424bdb1b --- /dev/null +++ b/base/ca/shared/conf/registry.cfg 
@@ -0,0 +1,232 @@
+types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
+constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl
+constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
+constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
+constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
+constraintPolicy.extensionConstraintImpl.class=com.netscape.cms.profile.constraint.ExtensionConstraint
+constraintPolicy.extensionConstraintImpl.desc=Extension Constraint
+constraintPolicy.extensionConstraintImpl.name=Extension Constraint
+constraintPolicy.basicConstraintsExtConstraintImpl.class=com.netscape.cms.profile.constraint.BasicConstraintsExtConstraint
+constraintPolicy.basicConstraintsExtConstraintImpl.desc=Basic Constraints Extension Constraint
+constraintPolicy.basicConstraintsExtConstraintImpl.name=Basic Constraints Extension Constraint
+constraintPolicy.keyConstraintImpl.class=com.netscape.cms.profile.constraint.KeyConstraint
+constraintPolicy.keyConstraintImpl.desc=Key Constraint
+constraintPolicy.keyConstraintImpl.name=Key Constraint
+constraintPolicy.extendedKeyUsageExtConstraintImpl.class=com.netscape.cms.profile.constraint.ExtendedKeyUsageExtConstraint
+constraintPolicy.extendedKeyUsageExtConstraintImpl.desc=Extended Key Usage Extension Constraint
+constraintPolicy.extendedKeyUsageExtConstraintImpl.name=Extended Key Usage Extension Constraint
+constraintPolicy.keyUsageExtConstraintImpl.class=com.netscape.cms.profile.constraint.KeyUsageExtConstraint
+constraintPolicy.keyUsageExtConstraintImpl.desc=Key Usage Extension Constraint
+constraintPolicy.keyUsageExtConstraintImpl.name=Key Usage Extension Constraint
+constraintPolicy.nsCertTypeExtConstraintImpl.class=com.netscape.cms.profile.constraint.NSCertTypeExtConstraint
+constraintPolicy.nsCertTypeExtConstraintImpl.desc=Netscape Certificate Type Extension Constraint
+constraintPolicy.nsCertTypeExtConstraintImpl.name=Netscape Certificate Type Extension Constraint
+constraintPolicy.noConstraintImpl.class=com.netscape.cms.profile.constraint.NoConstraint
+constraintPolicy.noConstraintImpl.desc=No Constraint
+constraintPolicy.noConstraintImpl.name=No Constraint
+constraintPolicy.subjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.SubjectNameConstraint
+constraintPolicy.subjectNameConstraintImpl.desc=Subject Name Constraint
+constraintPolicy.subjectNameConstraintImpl.name=Subject Name Constraint
+constraintPolicy.uniqueSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueSubjectNameConstraint
+constraintPolicy.uniqueSubjectNameConstraintImpl.desc=Unique Subject Name Constraint
+constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constraint
+constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint
+constraintPolicy.validityConstraintImpl.desc=Validity Constraint
+constraintPolicy.validityConstraintImpl.name=Validity Constraint
+constraintPolicy.renewGracePeriodConstraintImpl.class=com.netscape.cms.profile.constraint.RenewGracePeriodConstraint
+constraintPolicy.renewGracePeriodConstraintImpl.desc=Renewal Grace Period Constraint
+constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constraint
+constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint
+constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint
+constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint
+defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl
+defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault
+defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default
+defaultPolicy.autoAssignDefaultImpl.name=Auto Request Assignment Default
+defaultPolicy.genericExtDefaultImpl.class=com.netscape.cms.profile.def.GenericExtDefault
+defaultPolicy.genericExtDefaultImpl.desc=Generic Extension
+defaultPolicy.genericExtDefaultImpl.name=Generic Extension
+defaultPolicy.imageDefaultImpl.class=com.netscape.cms.profile.def.ImageDefault
+defaultPolicy.imageDefaultImpl.desc=Image Default
+defaultPolicy.imageDefaultImpl.name=Image Default
+defaultPolicy.privateKeyPeriodExtDefaultImpl.class=com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
+defaultPolicy.privateKeyPeriodExtDefaultImpl.desc=Private Key Period Ext Default
+defaultPolicy.privateKeyPeriodExtDefaultImpl.name=Private Key Period Ext Default
+defaultPolicy.authTokenSubjectNameDefaultImpl.class=com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
+defaultPolicy.authTokenSubjectNameDefaultImpl.desc=Token Supplied Subject Name Default
+defaultPolicy.authTokenSubjectNameDefaultImpl.name=Token Supplied Subject Name Default
+defaultPolicy.userSubjectNameDefaultImpl.class=com.netscape.cms.profile.def.UserSubjectNameDefault
+defaultPolicy.userSubjectNameDefaultImpl.desc=User Supplied Subject Name Default
+defaultPolicy.userSubjectNameDefaultImpl.name=User Supplied Subject Name Default
+defaultPolicy.userKeyDefaultImpl.class=com.netscape.cms.profile.def.UserKeyDefault
+defaultPolicy.userKeyDefaultImpl.desc=User Supplied Key Default
+defaultPolicy.userKeyDefaultImpl.name=User Supplied Key Default
+defaultPolicy.userValidityDefaultImpl.class=com.netscape.cms.profile.def.UserValidityDefault
+defaultPolicy.userValidityDefaultImpl.desc=User Supplied Validity Default
+defaultPolicy.userValidityDefaultImpl.name=User Supplied Validity Default
+defaultPolicy.userExtensionDefaultImpl.class=com.netscape.cms.profile.def.UserExtensionDefault
+defaultPolicy.userExtensionDefaultImpl.desc=User Supplied Extension Default
+defaultPolicy.userExtensionDefaultImpl.name=User Supplied Extension Default
+defaultPolicy.userSigningAlgDefaultImpl.class=com.netscape.cms.profile.def.UserSigningAlgDefault
+defaultPolicy.userSigningAlgDefaultImpl.desc=User Supplied Signing Alg Default
+defaultPolicy.userSigningAlgDefaultImpl.name=User Supplied Signing Alg Default
+defaultPolicy.signingAlgDefaultImpl.class=com.netscape.cms.profile.def.SigningAlgDefault
+defaultPolicy.signingAlgDefaultImpl.desc=Signing Algorithm Default
+defaultPolicy.signingAlgDefaultImpl.name=Signing Algorithm Default
+defaultPolicy.authorityKeyIdentifierExtDefaultImpl.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+defaultPolicy.authorityKeyIdentifierExtDefaultImpl.desc=Authority Key Identifier Extension Default
+defaultPolicy.authorityKeyIdentifierExtDefaultImpl.name=Authority Key Identifier Extension Default
+defaultPolicy.basicConstraintsExtDefaultImpl.class=com.netscape.cms.profile.def.BasicConstraintsExtDefault
+defaultPolicy.basicConstraintsExtDefaultImpl.desc=Basic Constraints Extension Default
+defaultPolicy.basicConstraintsExtDefaultImpl.name=Basic Constraints Extension Default
+defaultPolicy.extendedKeyUsageExtDefaultImpl.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+defaultPolicy.extendedKeyUsageExtDefaultImpl.desc=Extended Key Usage Extension Default
+defaultPolicy.extendedKeyUsageExtDefaultImpl.name=Extended Key Usage Extension Default
+defaultPolicy.keyUsageExtDefaultImpl.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+defaultPolicy.keyUsageExtDefaultImpl.desc=Key Usage Extension Default
+defaultPolicy.keyUsageExtDefaultImpl.name=Key Usage Extension Default
+defaultPolicy.noDefaultImpl.class=com.netscape.cms.profile.def.NoDefault
+defaultPolicy.noDefaultImpl.desc=No Default
+defaultPolicy.noDefaultImpl.name=No Default
+defaultPolicy.nsCertTypeExtDefaultImpl.desc=Netscape Certificate Type Extension Default
+defaultPolicy.nsCertTypeExtDefaultImpl.name=Netscape Certificate Type Extension Default
+defaultPolicy.nsCertTypeExtDefaultImpl.class=com.netscape.cms.profile.def.NSCertTypeExtDefault
+defaultPolicy.nsTokenDeviceKeySubjectNameDefaultImpl.class=com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
+defaultPolicy.nsTokenDeviceKeySubjectNameDefaultImpl.desc=nsTokenDeviceKeySubjectNameDefaultImpl
+defaultPolicy.nsTokenDeviceKeySubjectNameDefaultImpl.name=nsTokenDeviceKeySubjectNameDefault
+defaultPolicy.nsTokenUserKeySubjectNameDefaultImpl.class=com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault
+defaultPolicy.nsTokenUserKeySubjectNameDefaultImpl.desc=nsTokenUserKeySubjectNameDefaultImpl
+defaultPolicy.nsTokenUserKeySubjectNameDefaultImpl.name=nsTokenUserKeySubjectNameDefault
+defaultPolicy.ocspNoCheckExtDefaultImpl.class=com.netscape.cms.profile.def.OCSPNoCheckExtDefault
+defaultPolicy.ocspNoCheckExtDefaultImpl.desc=OCSP No Check Extension Default
+defaultPolicy.ocspNoCheckExtDefaultImpl.name=OCSP No Check Extension Default
+defaultPolicy.issuerAltNameExtDefaultImpl.class=com.netscape.cms.profile.def.IssuerAltNameExtDefault
+defaultPolicy.issuerAltNameExtDefaultImpl.desc=Issuer Alternative Name Extension Default
+defaultPolicy.issuerAltNameExtDefaultImpl.name=Issuer Alternative Name Extension Default
+defaultPolicy.subjectAltNameExtDefaultImpl.class=com.netscape.cms.profile.def.SubjectAltNameExtDefault
+defaultPolicy.subjectAltNameExtDefaultImpl.desc=Subject Alternative Name Extension Default
+defaultPolicy.subjectAltNameExtDefaultImpl.name=Subject Alternative Name Extension Default
+defaultPolicy.subjectKeyIdentifierExtDefaultImpl.class=com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
+defaultPolicy.subjectKeyIdentifierExtDefaultImpl.desc=Subject Key Identifier Default
+defaultPolicy.subjectKeyIdentifierExtDefaultImpl.name=Subject Key Identifier Default
+defaultPolicy.subjectNameDefaultImpl.class=com.netscape.cms.profile.def.SubjectNameDefault
+defaultPolicy.subjectNameDefaultImpl.desc=Subject Name Default
+defaultPolicy.subjectNameDefaultImpl.name=Subject Name Default
+defaultPolicy.validityDefaultImpl.class=com.netscape.cms.profile.def.ValidityDefault
+defaultPolicy.validityDefaultImpl.desc=Validty Default
+defaultPolicy.validityDefaultImpl.name=Validity Default
+defaultPolicy.caValidityDefaultImpl.class=com.netscape.cms.profile.def.CAValidityDefault
+defaultPolicy.caValidityDefaultImpl.desc=CA Certificate Validty Default
+defaultPolicy.caValidityDefaultImpl.name=CA Certificate Validity Default
+defaultPolicy.subjectInfoAccessExtDefaultImpl.class=com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
+defaultPolicy.subjectInfoAccessExtDefaultImpl.desc=Subject Info Access Extension Default
+defaultPolicy.subjectInfoAccessExtDefaultImpl.name=Subject Info Access Extension Default
+defaultPolicy.authInfoAccessExtDefaultImpl.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+defaultPolicy.authInfoAccessExtDefaultImpl.desc=Authority Info Access Extension Default
+defaultPolicy.authInfoAccessExtDefaultImpl.name=Authority Info Access Extension Default
+defaultPolicy.nscCommentExtDefaultImpl.class=com.netscape.cms.profile.def.NSCCommentExtDefault
+defaultPolicy.nscCommentExtDefaultImpl.desc=Netscape Comment Extension Default
+defaultPolicy.nscCommentExtDefaultImpl.name=Netscape Comment Extension Default
+defaultPolicy.freshestCRLExtDefaultImpl.class=com.netscape.cms.profile.def.FreshestCRLExtDefault
+defaultPolicy.freshestCRLExtDefaultImpl.desc=Freshest CRL Extension Default
+defaultPolicy.freshestCRLExtDefaultImpl.name=Freshest CRL Extension Default
+defaultPolicy.crlDistributionPointsExtDefaultImpl.class=com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
+defaultPolicy.crlDistributionPointsExtDefaultImpl.desc=CRL Distribution Points Extension Default
+defaultPolicy.crlDistributionPointsExtDefaultImpl.name=CRL Distribution Points Extension Default
+defaultPolicy.policyConstraintsExtDefaultImpl.class=com.netscape.cms.profile.def.PolicyConstraintsExtDefault
+defaultPolicy.policyConstraintsExtDefaultImpl.desc=Policy Constraints Extension Default
+defaultPolicy.policyConstraintsExtDefaultImpl.name=Policy Constraints Extension Default
+defaultPolicy.policyMappingsExtDefaultImpl.class=com.netscape.cms.profile.def.PolicyMappingsExtDefault
+defaultPolicy.policyMappingsExtDefaultImpl.desc=Policy Mappings Extension Default
+defaultPolicy.policyMappingsExtDefaultImpl.name=Policy Mappings Extension Default
+defaultPolicy.nameConstraintsExtDefaultImpl.class=com.netscape.cms.profile.def.NameConstraintsExtDefault
+defaultPolicy.nameConstraintsExtDefaultImpl.desc=Name Constraints Extension Default
+defaultPolicy.nameConstraintsExtDefaultImpl.name=Name 
Constraints Extension Default
+defaultPolicy.certificateVersionDefaultImpl.class=com.netscape.cms.profile.def.CertificateVersionDefault
+defaultPolicy.certificateVersionDefaultImpl.desc=Certificate Version Default
+defaultPolicy.certificateVersionDefaultImpl.name=Certificate Version Default
+defaultPolicy.certificatePoliciesExtDefaultImpl.class=com.netscape.cms.profile.def.CertificatePoliciesExtDefault
+defaultPolicy.certificatePoliciesExtDefaultImpl.desc=Certificate Policies Extension Default
+defaultPolicy.certificatePoliciesExtDefaultImpl.name=Certificate Policies Extension Default
+defaultPolicy.subjectDirAttributesExtDefaultImpl.class=com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
+defaultPolicy.subjectDirAttributesExtDefaultImpl.desc=Subject Directory Attributes Extension Default
+defaultPolicy.subjectDirAttributesExtDefaultImpl.name=Subject Directory Attributes Extension Default
+defaultPolicy.inhibitAnyPolicyExtDefaultImpl.class=com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
+defaultPolicy.inhibitAnyPolicyExtDefaultImpl.desc=Inhibit Any-Policy Extension Default
+defaultPolicy.inhibitAnyPolicyExtDefaultImpl.name=Inhibit Any-Policy Extension Default
+profile.ids=caEnrollImpl,caCACertEnrollImpl,caServerCertEnrollImpl,caUserCertEnrollImpl
+profile.caEnrollImpl.class=com.netscape.cms.profile.common.CAEnrollProfile
+profile.caEnrollImpl.desc=Certificate Authority Generic Certificate Enrollment Profile
+profile.caEnrollImpl.name=Generic Certificate Enrollment Profile
+profile.caCACertEnrollImpl.class=com.netscape.cms.profile.common.CACertCAEnrollProfile
+profile.caCACertEnrollImpl.desc=Certificate Authority CA Certificate Enrollment Profile
+profile.caCACertEnrollImpl.name=CA Certificate Enrollment Profile
+profile.caServerCertEnrollImpl.class=com.netscape.cms.profile.common.ServerCertCAEnrollProfile
+profile.caServerCertEnrollImpl.desc=Certificate Authority Server Certificate Enrollment Profile
+profile.caServerCertEnrollImpl.name=Server 
Certificate Enrollment Profile
+profile.caUserCertEnrollImpl.class=com.netscape.cms.profile.common.UserCertCAEnrollProfile
+profile.caUserCertEnrollImpl.desc=Certificate Authority User Certificate Enrollment Profile
+profile.caUserCertEnrollImpl.name=User Certificate Enrollment Profile
+profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,encKeyGenInputImpl,signKeyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl,serialNumRenewInputImpl
+profileInput.fileSigningInputImpl.class=com.netscape.cms.profile.input.FileSigningInput
+profileInput.fileSigningInputImpl.desc=File Signing Input
+profileInput.fileSigningInputImpl.name=File Signing Input
+profileInput.imageInputImpl.class=com.netscape.cms.profile.input.ImageInput
+profileInput.imageInputImpl.desc=Image Input
+profileInput.imageInputImpl.name=Image Input
+profileInput.genericInputImpl.class=com.netscape.cms.profile.input.GenericInput
+profileInput.genericInputImpl.desc=Generic Input
+profileInput.genericInputImpl.name=Generic Input
+profileInput.submitterInfoInputImpl.class=com.netscape.cms.profile.input.SubmitterInfoInput
+profileInput.submitterInfoInputImpl.desc=Submitter Information Input
+profileInput.submitterInfoInputImpl.name=Submitter Information Input
+profileInput.certReqInputImpl.class=com.netscape.cms.profile.input.CertReqInput
+profileInput.certReqInputImpl.desc=Certificate Request Input
+profileInput.certReqInputImpl.name=Certificate Request Input
+profileInput.cmcCertReqInputImpl.class=com.netscape.cms.profile.input.CMCCertReqInput
+profileInput.cmcCertReqInputImpl.desc=CMC Certificate Request Input
+profileInput.cmcCertReqInputImpl.name=CMC Certificate Request Input
+profileInput.dualKeyGenInputImpl.class=com.netscape.cms.profile.input.DualKeyGenInput
+profileInput.dualKeyGenInputImpl.desc=Dual Key Generation Input
+profileInput.dualKeyGenInputImpl.name=Dual Key Generation Input
+profileInput.signKeyGenInputImpl.class=com.netscape.cms.profile.input.SigningKeyGenInput
+profileInput.signKeyGenInputImpl.desc=Encryption Key Generation Input
+profileInput.signKeyGenInputImpl.name=Encryption Key Generation Input
+profileInput.encKeyGenInputImpl.class=com.netscape.cms.profile.input.EncryptionKeyGenInput
+profileInput.encKeyGenInputImpl.desc=Encryption Key Generation Input
+profileInput.encKeyGenInputImpl.name=Encryption Key Generation Input
+profileInput.keyGenInputImpl.class=com.netscape.cms.profile.input.KeyGenInput
+profileInput.keyGenInputImpl.desc=Key Generation Input
+profileInput.keyGenInputImpl.name=Key Generation Input
+profileInput.nsNKeyCertReqInputImpl.class=com.netscape.cms.profile.input.nsNKeyCertReqInput
+profileInput.nsNKeyCertReqInputImpl.desc=nsNKeyCertReqInputImpl
+profileInput.nsNKeyCertReqInputImpl.name=nsNKeyCertReqInputImpl
+profileInput.nsHKeyCertReqInputImpl.class=com.netscape.cms.profile.input.nsHKeyCertReqInput
+profileInput.nsHKeyCertReqInputImpl.desc=nsHKeyCertReqInputImpl
+profileInput.nsHKeyCertReqInputImpl.name=nsHKeyCertReqInputImpl
+profileInput.serialNumRenewInputImpl.class=com.netscape.cms.profile.input.SerialNumRenewInput
+profileInput.serialNumRenewInputImpl.desc=Certificate Renewal Request Serial Number Input
+profileInput.serialNumRenewInputImpl.name=Certificate Renewal Request Serial Number Input
+profileInput.subjectDNInputImpl.class=com.netscape.cms.profile.input.SubjectDNInput
+profileInput.subjectDNInputImpl.desc=Subject DN Input
+profileInput.subjectDNInputImpl.name=Subject DN Input
+profileInput.subjectNameInputImpl.class=com.netscape.cms.profile.input.SubjectNameInput
+profileInput.subjectNameInputImpl.desc=Subject Name Input
+profileInput.subjectNameInputImpl.name=Subject Name Input
+profileOutput.ids=certOutputImpl,cmmfOutputImpl,pkcs7OutputImpl,nsNKeyOutputImpl
+profileOutput.certOutputImpl.class=com.netscape.cms.profile.output.CertOutput
+profileOutput.certOutputImpl.desc=Certificate Output
+profileOutput.certOutputImpl.name=Certificate Output
+profileOutput.cmmfOutputImpl.class=com.netscape.cms.profile.output.CMMFOutput
+profileOutput.cmmfOutputImpl.desc=CMMF Response Output
+profileOutput.cmmfOutputImpl.name=CMMF Response Output
+profileOutput.nsNKeyOutputImpl.class=com.netscape.cms.profile.output.nsNKeyOutput
+profileOutput.nsNKeyOutputImpl.desc=nsNKeyOutputImpl
+profileOutput.nsNKeyOutputImpl.name=nsNKeyOutputImpl
+profileOutput.pkcs7OutputImpl.class=com.netscape.cms.profile.output.PKCS7Output
+profileOutput.pkcs7OutputImpl.desc=PKCS7 Output
+profileOutput.pkcs7OutputImpl.name=PKCS7 Output
+profileUpdater.ids=subsystemGroupUpdaterImpl
+profileUpdater.subsystemGroupUpdaterImpl.class=com.netscape.cms.profile.updater.SubsystemGroupUpdater
+profileUpdater.subsystemGroupUpdaterImpl.desc=Updater for Subsystem Group
+profileUpdater.subsystemGroupUpdaterImpl.name=Updater for Subsystem Group
diff --git a/base/ca/shared/conf/schema.ldif b/base/ca/shared/conf/schema.ldif
new file mode 100644
index 000000000..70578e21c
--- /dev/null
+++ b/base/ca/shared/conf/schema.ldif
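Review bot: `profileInput.signKeyGenInputImpl.desc` and `.name` are both set to `Encryption Key Generation Input`, the same label the `encKeyGenInputImpl` entries right below carry, so the signing-key input would be presented to users under the wrong name; they should read `profileInput.signKeyGenInputImpl.desc=Signing Key Generation Input` and `profileInput.signKeyGenInputImpl.name=Signing Key Generation Input`. `defaultPolicy.validityDefaultImpl.desc` and `defaultPolicy.caValidityDefaultImpl.desc` spell `Validty` while the matching `.name` entries spell `Validity`. The `nsToken*`, `nsNKey*` and `nsHKey*` entries reuse their own implementation id as the `desc` value, unlike every other entry in the file; a human-readable description would keep them consistent with the rest.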
@@ -0,0 +1,489 @@
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( usertype-oid NAME 'usertype' DESC 'Distinguish whether the user is administrator, agent or subsystem.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( userstate-oid NAME 'userstate' DESC 'Distinguish whether the user is administrator, agent or subsystem.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( cmsuser-oid NAME 'cmsuser' DESC 'CMS User' SUP top STRUCTURAL MUST usertype MAY userstate X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( archivedBy-oid NAME 'archivedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( adminMessages-oid NAME 'adminMessages' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( algorithm-oid NAME 'algorithm' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( algorithmId-oid NAME 'algorithmId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( signingAlgorithmId-oid NAME 'signingAlgorithmId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( autoRenew-oid NAME 'autoRenew' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: 
( certStatus-oid NAME 'certStatus' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( crlName-oid NAME 'crlName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( crlSize-oid NAME 'crlSize' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( deltaSize-oid NAME 'deltaSize' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( crlNumber-oid NAME 'crlNumber' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( deltaNumber-oid NAME 'deltaNumber' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( firstUnsaved-oid NAME 'firstUnsaved' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( crlCache-oid NAME 'crlCache' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( revokedCerts-oid NAME 'revokedCerts' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( unrevokedCerts-oid NAME 'unrevokedCerts' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( expiredCerts-oid NAME 'expiredCerts' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( crlExtensions-oid NAME 'crlExtensions' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( dateOfArchival-oid NAME 'dateOfArchival' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( dateOfRecovery-oid NAME 'dateOfRecovery' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( dateOfRevocation-oid NAME 'dateOfRevocation' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( dateOfCreate-oid NAME 'dateOfCreate' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( dateOfModify-oid NAME 'dateOfModify' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( duration-oid NAME 'duration' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( extension-oid NAME 'extension' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( issuedBy-oid NAME 'issuedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( issueInfo-oid NAME 'issueInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( issuerName-oid NAME 'issuerName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( keySize-oid NAME 'keySize' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( clientId-oid NAME 'clientId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( dataType-oid NAME 'dataType' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( status-oid NAME 'status' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( keyState-oid NAME 'keyState' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( metaInfo-oid NAME 'metaInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( nextUpdate-oid NAME 'nextUpdate' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( notAfter-oid NAME 'notAfter' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( notBefore-oid NAME 'notBefore' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( ownerName-oid NAME 'ownerName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( password-oid NAME 'password' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( p12Expiration-oid NAME 'p12Expiration' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( proofOfArchival-oid NAME 'proofOfArchival' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( publicKeyData-oid NAME 'publicKeyData' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( publicKeyFormat-oid NAME 'publicKeyFormat' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( privateKeyData-oid NAME 'privateKeyData' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestId-oid NAME 'requestId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestInfo-oid NAME 'requestInfo' DESC 'CMS defined attribute' SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestState-oid NAME 'requestState' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestResult-oid NAME 'requestResult' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestOwner-oid NAME 'requestOwner' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestAgentGroup-oid NAME 'requestAgentGroup' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestSourceId-oid NAME 'requestSourceId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestType-oid NAME 'requestType' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestFlag-oid NAME 'requestFlag' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestError-oid NAME 'requestError' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( resourceACLS-oid NAME 'resourceACLS' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: 
( revInfo-oid NAME 'revInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( revokedBy-oid NAME 'revokedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( revokedOn-oid NAME 'revokedOn' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( serialno-oid NAME 'serialno' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( nextRange-oid NAME 'nextRange' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( publishingStatus-oid NAME 'publishingStatus' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( beginRange-oid NAME 'beginRange' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( endRange-oid NAME 'endRange' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( subjectName-oid NAME 'subjectName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( sessionContext-oid NAME 'sessionContext' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: 
attributeTypes +attributeTypes: ( thisUpdate-oid NAME 'thisUpdate' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( transId-oid NAME 'transId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( transStatus-oid NAME 'transStatus' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( transName-oid NAME 'transName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( transOps-oid NAME 'transOps' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( userDN-oid NAME 'userDN' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( userMessages-oid NAME 'userMessages' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( version-oid NAME 'version' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( Clone-oid NAME 'Clone' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( DomainManager-oid NAME 'DomainManager' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( 
SecurePort-oid NAME 'SecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( SecureAgentPort-oid NAME 'SecureAgentPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( SecureAdminPort-oid NAME 'SecureAdminPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( SecureEEClientAuthPort-oid NAME 'SecureEEClientAuthPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( UnSecurePort-oid NAME 'UnSecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( SubsystemName-oid NAME 'SubsystemName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( cmsUserGroup-oid NAME 'cmsUserGroup' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( CertACLS-oid NAME 'CertACLS' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY resourceACLS X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( repository-oid NAME 'repository' DESC 'CMS defined class' SUP top STRUCTURAL MUST ou MAY ( serialno $ description $ nextRange $ publishingStatus ) X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ 
requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages ) X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( transaction-oid NAME 'transaction' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( transId $ description $ transName $ transStatus $ transOps ) X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( crlIssuingPointRecord-oid NAME 'crlIssuingPointRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ crlNumber $ crlSize $ thisUpdate $ nextUpdate $ deltaNumber $ deltaSize $ firstUnsaved $ certificateRevocationList $ deltaRevocationList $ crlCache $ revokedCerts $ unrevokedCerts $ expiredCerts $ cACertificate ) X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( certificateRecord-oid NAME 'certificateRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( userDetails-oid NAME 'userDetails' DESC 'CMS defined class' SUP top STRUCTURAL MUST userDN MAY ( dateOfCreate $ dateOfModify $ password $ p12Expiration ) X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( keyRecord-oid NAME 'keyRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $ metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $ publicKeyFormat $ publicKeyData $ archivedBy $ clientId $ dataType $ status ) X-ORIGIN 
'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( pkiSecurityDomain-oid NAME 'pkiSecurityDomain' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( ou $ name ) X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $SecureEEClientAuthPort $ UnSecurePort ) X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( pkiRange-oid NAME 'pkiRange' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ beginRange $ endRange $ Host $ SecurePort ) X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( securityDomainSessionEntry-oid NAME 'securityDomainSessionEntry' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ host $ uid $ cmsUserGroup $ dateOfCreate ) X-ORIGIN 'user defined' ) diff --git a/base/ca/shared/conf/server-minimal.xml b/base/ca/shared/conf/server-minimal.xml new file mode 100644 index 000000000..7b542b6cf --- /dev/null +++ b/base/ca/shared/conf/server-minimal.xml @@ -0,0 +1,25 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/base/ca/shared/conf/server.xml b/base/ca/shared/conf/server.xml new file mode 100644 index 000000000..4056fbbb7 --- /dev/null +++ b/base/ca/shared/conf/server.xml 
@@ -0,0 +1,277 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + [PKI_UNSECURE_PORT_SERVER_COMMENT] + + + + [PKI_SECURE_PORT_SERVER_COMMENT] + + + + + [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT] + + [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + + [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT] + + [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + + [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT] + + [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + + + + + + + +[PKI_OPEN_AJP_PORT_COMMENT] + +[PKI_CLOSE_AJP_PORT_COMMENT] + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/base/ca/shared/conf/serverCert.profile b/base/ca/shared/conf/serverCert.profile new file mode 100644 index 000000000..8b436b247 --- /dev/null +++ b/base/ca/shared/conf/serverCert.profile 
@@ -0,0 +1,39 @@
+#
+# Server Certificate
+#
+id=serverCert.profile
+name=All Purpose SSL server cert Profile
+description=This profile creates an SSL server certificate that is valid for SSL servers
+profileIDMapping=caServerCert
+profileSetIDMapping=serverCertSet
+list=2,4,5,6,7
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=true
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
diff --git a/base/ca/shared/conf/serverCertNick.conf b/base/ca/shared/conf/serverCertNick.conf
new file mode 100644
index 000000000..1b1f4fcad
--- /dev/null
+++ b/base/ca/shared/conf/serverCertNick.conf
@@ -0,0 +1 @@
+Server-Cert cert-[PKI_INSTANCE_ID]
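Review bot: `5.default.params.authInfoAccessADLocation_0=` is empty while `authInfoAccessADEnable_0=true` and `authInfoAccessNumADs=1` still request one AIA access description, so unless an installer fills this value in, certificates issued from this profile carry an OCSP access method with no responder URI. If the value is meant to be substituted at instance creation, a bracketed token in the style the other files in this commit use would make that explicit; if it is meant to be set by the administrator, a comment line saying so belongs above it. The key-usage block also enables `keyUsageNonRepudiation=true` and `keyUsageDataEncipherment=true` for an SSL server certificate, which is broader than the digitalSignature/keyEncipherment pair a TLS server typically needs; consider `false` for both. The same key-usage block is repeated verbatim in subsystemCert.profile.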
diff --git a/base/ca/shared/conf/shm.manifest b/base/ca/shared/conf/shm.manifest
new file mode 100644
index 000000000..0505c085b
--- /dev/null
+++ b/base/ca/shared/conf/shm.manifest
@@ -0,0 +1,2 @@
+Main-Class: org.apache.jk.common.Shm
+Class-Path: tomcat-jk2.jar commons-logging.jar tomcat-util.jar log4j.jar log4j-core.jar
diff --git a/base/ca/shared/conf/subsystemCert.profile b/base/ca/shared/conf/subsystemCert.profile
new file mode 100644
index 000000000..658e69511
--- /dev/null
+++ b/base/ca/shared/conf/subsystemCert.profile
@@ -0,0 +1,39 @@
+#
+# Server Certificate
+#
+id=serverCert.profile
+name=All Purpose SSL server cert Profile
+description=This profile creates an SSL server certificate that is valid for SSL servers
+profileIDMapping=caServerCert
+profileSetIDMapping=serverCertSet
+list=2,4,5,6,7
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=true
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
diff --git a/base/ca/shared/conf/tomcat-jk2.manifest b/base/ca/shared/conf/tomcat-jk2.manifest
new file mode 100644
index 000000000..acfef4a90
--- /dev/null
+++ b/base/ca/shared/conf/tomcat-jk2.manifest
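Review bot: subsystemCert.profile declares `id=serverCert.profile` and keeps the `# Server Certificate` header, `name=All Purpose SSL server cert Profile` and the server-cert `description` copied from serverCert.profile; the only line that differs is `7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2`, which adds the clientAuth EKU. A profile whose id does not match its file name misleads anyone auditing which profile issued a given certificate, so the identity lines should read `id=subsystemCert.profile`, `name=Subsystem Certificate Profile` and `# Subsystem Certificate` (the name text is a suggestion). Whether `profileIDMapping=caServerCert` and `profileSetIDMapping=serverCertSet` are also meant to differ for the subsystem profile cannot be told from this hunk and is worth confirming.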
@@ -0,0 +1,7 @@ +Manifest-version: 1.0 +Extension-Name: org.apache.jk +Specification-Vendor: Apache Software Foundation +Specification-Version: 2.0 +Implementation-Vendor-Id: org.apache +Implementation-Vendor: Apache Software Foundation +Implementation-Version: 2.1 diff --git a/base/ca/shared/conf/tomcat-users.xml b/base/ca/shared/conf/tomcat-users.xml new file mode 100644 index 000000000..daa9260cc --- /dev/null +++ b/base/ca/shared/conf/tomcat-users.xml @@ -0,0 +1,45 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/base/ca/shared/conf/tomcat6.conf b/base/ca/shared/conf/tomcat6.conf new file mode 100644 index 000000000..2d7def5ec --- /dev/null +++ b/base/ca/shared/conf/tomcat6.conf 
@@ -0,0 +1,58 @@
+# Service-specific configuration file for tomcat6. This will be sourced by
+# the SysV init script after the global configuration file
+# /etc/tomcat6/tomcat6.conf, thus allowing values to be overridden in
+# a per-service manner.
+#
+# NEVER change the init script itself. To change values for all services make
+# your changes in /etc/tomcat6/tomcat6.conf
+#
+# To change values for a specific service make your edits here.
+# To create a new service create a link from /etc/init.d/ to
+# /etc/init.d/tomcat6 (do not copy the init script) and make a copy of the
+# /etc/sysconfig/tomcat6 file to /etc/sysconfig/ and change
+# the property values so the two services won't conflict. Register the new
+# service in the system as usual (see chkconfig and similars).
+#
+
+# Where your java installation lives
+#JAVA_HOME="/usr/lib/jvm/java"
+
+# Where your tomcat installation lives
+CATALINA_BASE="[PKI_INSTANCE_PATH]"
+#CATALINA_HOME="/usr/share/tomcat6"
+#JASPER_HOME="/usr/share/tomcat6"
+#CATALINA_TMPDIR="/var/cache/tomcat6/temp"
+
+# You can pass some parameters to java here if you wish to
+#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
+
+# Use JAVA_OPTS to set java.library.path for libtcnative.so
+#JAVA_OPTS="-Djava.library.path=/usr/lib64"
+
+# What user should run tomcat
+TOMCAT_USER="[PKI_USER]"
+
+# You can change your tomcat locale here
+#LANG="en_US"
+
+# Run tomcat under the Java Security Manager
+#SECURITY_MANAGER="false"
+
+# Time to wait in seconds, before killing process
+#SHUTDOWN_WAIT="30"
+
+# Whether to annoy the user with "attempting to shut down" messages or not
+#SHUTDOWN_VERBOSE="false"
+
+# Set the TOMCAT_PID location
+CATALINA_PID="[TOMCAT_PIDFILE]"
+
+# Set the tomcat log file
+TOMCAT_LOG="[TOMCAT_LOG_DIR]/tomcat-initd.log"
+
+# Connector port is 8080 for this tomcat6 instance
+#CONNECTOR_PORT="8080"
+
+# If you wish to further customize your tomcat environment,
+# put your own definitions here
+# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
diff --git a/base/ca/shared/conf/uriworkermap.properties b/base/ca/shared/conf/uriworkermap.properties
new file mode 100644
index 000000000..c65445b10
--- /dev/null
+++ b/base/ca/shared/conf/uriworkermap.properties
@@ -0,0 +1,13 @@
+# uriworkermap.properties - IIS
+#
+# This file provides sample mappings for example ajp13w
+# worker defined in workermap.properties.minimal
+# The general sytax for this file is:
+# [URL]=[Worker name]
+
+/servlet-examples/*=ajp13w
+
+# Optionally filter out all .jpeg files inside that context
+# For no mapping the url has to start with exclamation (!)
+
+!/servlet-examples/*.jpeg=ajp13w
diff --git a/base/ca/shared/conf/vlv.ldif b/base/ca/shared/conf/vlv.ldif
new file mode 100644
index 000000000..a3b574608
--- /dev/null
+++ b/base/ca/shared/conf/vlv.ldif
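Review bot: The only active mapping in uriworkermap.properties is `/servlet-examples/*=ajp13w`, and the header comment itself says the file holds sample mappings for IIS; nothing in it refers to the CA web application, so as shipped it either does nothing for this instance or forwards a path the CA does not serve to the AJP worker. Either drop the file from the CA conf set or replace the sample with the instance's real URI-to-worker mappings, with a comment naming the worker definition they rely on. Minor: `sytax` in the comment should be `syntax`.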
@@ -0,0 +1,544 @@ +dn: cn=allCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=*) + +dn: cn=allExpiredCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allExpiredCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=EXPIRED) + +dn: cn=allInvalidCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allInvalidCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=INVALID) + +dn: cn=allInValidCertsNotBefore-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allInValidCertsNotBefore-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=INVALID) + +dn: cn=allNonRevokedCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allNonRevokedCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (|(certstatus=VALID)(certstatus=INVALID)(certstatus=EXPIRED)) + +dn: cn=allRevokedCaCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allRevokedCaCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(certStatus=REVOKED)(extension=2.5.29.19;*isCA=true*)) + +dn: cn=allRevokedCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allRevokedCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=REVOKED) + 
+dn: cn=allRevokedCertsNotAfter-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allRevokedCertsNotAfter-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=REVOKED) + +dn: cn=allRevokedExpiredCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allRevokedExpiredCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=REVOKED_EXPIRED) + +dn: cn=allRevokedOrRevokedExpiredCaCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allRevokedOrRevokedExpiredCaCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(|(certStatus=REVOKED)(certStatus=REVOKED_EXPIRED))(extension=2.5.29.19;*isCA=true*)) + +dn: cn=allRevokedOrRevokedExpiredCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allRevokedOrRevokedExpiredCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (|(certstatus=REVOKED)(certstatus=REVOKED_EXPIRED)) + +dn: cn=allValidCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allValidCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=VALID) + +dn: cn=allValidCertsNotAfter-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allValidCertsNotAfter-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=VALID) + +dn: cn=allValidOrRevokedCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: 
allValidOrRevokedCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (|(certstatus=VALID)(certstatus=REVOKED)) + +dn: cn=caAll-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caAll-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requeststate=*) + +dn: cn=caCanceled-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caCanceled-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requeststate=canceled) + +dn: cn=caCanceledEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caCanceledEnrollment-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=canceled)(requesttype=enrollment)) + +dn: cn=caCanceledRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caCanceledRenewal-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=canceled)(requesttype=renewal)) + +dn: cn=caCanceledRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caCanceledRevocation-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=canceled)(requesttype=revocation)) + +dn: cn=caComplete-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caComplete-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requeststate=complete) + +dn: cn=caCompleteEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caCompleteEnrollment-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} 
+vlvScope: 1 +vlvFilter: (&(requeststate=complete)(requesttype=enrollment)) + +dn: cn=caCompleteRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caCompleteRenewal-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=complete)(requesttype=renewal)) + +dn: cn=caCompleteRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caCompleteRevocation-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=complete)(requesttype=revocation)) + +dn: cn=caEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caEnrollment-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requesttype=enrollment) + +dn: cn=caPending-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caPending-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requeststate=pending) + +dn: cn=caPendingEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caPendingEnrollment-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=pending)(requesttype=enrollment)) + +dn: cn=caPendingRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caPendingRenewal-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=pending)(requesttype=renewal)) + +dn: cn=caPendingRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caPendingRevocation-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: 
(&(requeststate=pending)(requesttype=revocation)) + +dn: cn=caRejected-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caRejected-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requeststate=rejected) + +dn: cn=caRejectedEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caRejectedEnrollment-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=rejected)(requesttype=enrollment)) + +dn: cn=caRejectedRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caRejectedRenewal-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=rejected)(requesttype=renewal)) + +dn: cn=caRejectedRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caRejectedRevocation-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=rejected)(requesttype=revocation)) + +dn: cn=caRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caRenewal-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requesttype=renewal) + +dn: cn=caRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caRevocation-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requesttype=revocation) + +dn: cn=allCerts-{instanceId}Index, cn=allCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: allCerts-{instanceId}Index +vlvSort: serialno +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=allExpiredCerts-{instanceId}Index, 
cn=allExpiredCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: allExpiredCerts-{instanceId}Index
+vlvSort: serialno
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=allInvalidCerts-{instanceId}Index, cn=allInvalidCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: allInvalidCerts-{instanceId}Index
+vlvSort: serialno
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=allInValidCertsNotBefore-{instanceId}Index, cn=allInValidCertsNotBefore-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: allInValidCertsNotBefore-{instanceId}Index
+vlvSort: notBefore
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=allNonRevokedCerts-{instanceId}Index, cn=allNonRevokedCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: allNonRevokedCerts-{instanceId}Index
+vlvSort: serialno
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=allRevokedCaCerts-{instanceId}Index, cn=allRevokedCaCerts-{instanceId}, cn={database}, cn=ldb
+ m database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: allRevokedCaCerts-{instanceId}Index
+vlvSort: serialno
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=allRevokedCerts-{instanceId}Index, cn=allRevokedCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: allRevokedCerts-{instanceId}Index
+vlvSort: serialno
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=allRevokedCertsNotAfter-{instanceId}Index, cn=allRevokedCertsNotAfter-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: allRevokedCertsNotAfter-{instanceId}Index
+vlvSort: notAfter
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=allRevokedExpiredCerts-{instanceId}Index, cn=allRevokedExpiredCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: allRevokedExpiredCerts-{instanceId}Index
+vlvSort: serialno
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=allRevokedOrRevokedExpiredCaCerts-{instanceId}Index, cn=allRevokedOrRevokedExpiredCaCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: allRevokedOrRevokedExpiredCaCerts-{instanceId}Index
+vlvSort: serialno
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=allRevokedOrRevokedExpiredCerts-{instanceId}Index, cn=allRevokedOrRevokedExpiredCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: allRevokedOrRevokedExpiredCerts-{instanceId}Index
+vlvSort: serialno
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=allValidCerts-{instanceId}Index, cn=allValidCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: allValidCerts-{instanceId}Index
+vlvSort: serialno
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=allValidCertsNotAfter-{instanceId}Index, cn=allValidCertsNotAfter-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: allValidCertsNotAfter-{instanceId}Index
+vlvSort: notAfter
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=allValidOrRevokedCerts-{instanceId}Index, cn=allValidOrRevokedCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: allValidOrRevokedCerts-{instanceId}Index
+vlvSort: serialno
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caAll-{instanceId}Index, cn=caAll-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caAll-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caCanceled-{instanceId}Index, cn=caCanceled-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caCanceled-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caCanceledEnrollment-{instanceId}Index, cn=caCanceledEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caCanceledEnrollment-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caCanceledRenewal-{instanceId}Index, cn=caCanceledRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caCanceledRenewal-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caCanceledRevocation-{instanceId}Index, cn=caCanceledRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caCanceledRevocation-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caComplete-{instanceId}Index, cn=caComplete-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caComplete-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caCompleteEnrollment-{instanceId}Index, cn=caCompleteEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caCompleteEnrollment-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caCompleteRenewal-{instanceId}Index, cn=caCompleteRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caCompleteRenewal-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caCompleteRevocation-{instanceId}Index, cn=caCompleteRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caCompleteRevocation-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caEnrollment-{instanceId}Index, cn=caEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caEnrollment-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caPending-{instanceId}Index, cn=caPending-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caPending-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caPendingEnrollment-{instanceId}Index, cn=caPendingEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caPendingEnrollment-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caPendingRenewal-{instanceId}Index, cn=caPendingRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caPendingRenewal-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caPendingRevocation-{instanceId}Index, cn=caPendingRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caPendingRevocation-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caRejected-{instanceId}Index, cn=caRejected-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caRejected-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caRejectedEnrollment-{instanceId}Index, cn=caRejectedEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caRejectedEnrollment-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caRejectedRenewal-{instanceId}Index, cn=caRejectedRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caRejectedRenewal-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caRejectedRevocation-{instanceId}Index, cn=caRejectedRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caRejectedRevocation-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caRenewal-{instanceId}Index, cn=caRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caRenewal-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=caRevocation-{instanceId}Index, cn=caRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: caRevocation-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
diff --git a/base/ca/shared/conf/vlvtasks.ldif b/base/ca/shared/conf/vlvtasks.ldif
new file mode 100644
index 000000000..5458e8a28
--- /dev/null
+++ b/base/ca/shared/conf/vlvtasks.ldif
@@ -0,0 +1,40 @@
+dn: cn=index1160589769, cn=index, cn=tasks, cn=config
+objectclass: top
+objectclass: extensibleObject
+cn: index1160589769
+ttl: 10
+nsInstance: {database}
+nsIndexVLVAttribute: allCerts-{instanceId}Index
+nsIndexVLVAttribute: allExpiredCerts-{instanceId}Index
+nsIndexVLVAttribute: allInvalidCerts-{instanceId}Index
+nsIndexVLVAttribute: allInValidCertsNotBefore-{instanceId}Index
+nsIndexVLVAttribute: allNonRevokedCerts-{instanceId}Index
+nsIndexVLVAttribute: allRevokedCaCerts-{instanceId}Index
+nsIndexVLVAttribute: allRevokedCerts-{instanceId}Index
+nsIndexVLVAttribute: allRevokedCertsNotAfter-{instanceId}Index
+nsIndexVLVAttribute: allRevokedExpiredCerts-{instanceId}Index
+nsIndexVLVAttribute: allRevokedOrRevokedExpiredCaCerts-{instanceId}Index
+nsIndexVLVAttribute: allRevokedOrRevokedExpiredCerts-{instanceId}Index
+nsIndexVLVAttribute: allValidCerts-{instanceId}Index
+nsIndexVLVAttribute: allValidCertsNotAfter-{instanceId}Index
+nsIndexVLVAttribute: allValidOrRevokedCerts-{instanceId}Index
+nsIndexVLVAttribute: caAll-{instanceId}Index
+nsIndexVLVAttribute: caCanceled-{instanceId}Index
+nsIndexVLVAttribute: caCanceledEnrollment-{instanceId}Index
+nsIndexVLVAttribute: caCanceledRenewal-{instanceId}Index
+nsIndexVLVAttribute: caCanceledRevocation-{instanceId}Index
+nsIndexVLVAttribute: caComplete-{instanceId}Index
+nsIndexVLVAttribute: caCompleteEnrollment-{instanceId}Index
+nsIndexVLVAttribute: caCompleteRenewal-{instanceId}Index
+nsIndexVLVAttribute: caCompleteRevocation-{instanceId}Index
+nsIndexVLVAttribute: caEnrollment-{instanceId}Index
+nsIndexVLVAttribute: caPending-{instanceId}Index
+nsIndexVLVAttribute: caPendingEnrollment-{instanceId}Index
+nsIndexVLVAttribute: caPendingRenewal-{instanceId}Index
+nsIndexVLVAttribute: caPendingRevocation-{instanceId}Index
+nsIndexVLVAttribute: caRejected-{instanceId}Index
+nsIndexVLVAttribute: caRejectedEnrollment-{instanceId}Index
+nsIndexVLVAttribute: caRejectedRenewal-{instanceId}Index
+nsIndexVLVAttribute: caRejectedRevocation-{instanceId}Index
+nsIndexVLVAttribute: caRenewal-{instanceId}Index
+nsIndexVLVAttribute: caRevocation-{instanceId}Index
diff --git a/base/ca/shared/conf/web.xml b/base/ca/shared/conf/web.xml
new file mode 100644
index 000000000..fb22468ee
--- /dev/null
+++ b/base/ca/shared/conf/web.xml
@@ -0,0 +1,989 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + default + org.apache.catalina.servlets.DefaultServlet + + debug + 0 + + + listings + false + + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + jsp + org.apache.jasper.servlet.JspServlet + + fork + false + + + xpoweredBy + false + + 3 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + default + / + + + + + + + + jsp + *.jsp + + + + jsp + *.jspx + + + + + + + + + + + + + + + + 30 + + + + + + + + + + + + abs + audio/x-mpeg + + + ai + application/postscript + + + aif + audio/x-aiff + + + aifc + audio/x-aiff + + + aiff + audio/x-aiff + + + aim + application/x-aim + + + art + image/x-jg + + + asf + video/x-ms-asf + + + asx + video/x-ms-asf + + + au + audio/basic + + + avi + video/x-msvideo + + + avx + video/x-rad-screenplay + + + bcpio + application/x-bcpio + + + bin + application/octet-stream + + + bmp + image/bmp + + + body + text/html + + + cdf + application/x-cdf + + + cer + application/x-x509-ca-cert + + + class + application/java + + + cpio + application/x-cpio + + + csh + application/x-csh + + + css + text/css + + + dib + image/bmp + + + doc + application/msword + + + dtd + application/xml-dtd + + + dv + video/x-dv + + + dvi + application/x-dvi + + + eps + application/postscript + + + etx + text/x-setext + + + exe + application/octet-stream + + + gif + image/gif + + + gtar + application/x-gtar + + + gz + application/x-gzip + + + hdf + application/x-hdf + + + hqx + application/mac-binhex40 + + + htc + text/x-component + + + htm + text/html + + + html + text/html + + + hqx + application/mac-binhex40 + + + ief + image/ief + + + jad + text/vnd.sun.j2me.app-descriptor 
+ + + jar + application/java-archive + + + java + text/plain + + + jnlp + application/x-java-jnlp-file + + + jpe + image/jpeg + + + jpeg + image/jpeg + + + jpg + image/jpeg + + + js + text/javascript + + + jsf + text/plain + + + jspf + text/plain + + + kar + audio/x-midi + + + latex + application/x-latex + + + m3u + audio/x-mpegurl + + + mac + image/x-macpaint + + + man + application/x-troff-man + + + mathml + application/mathml+xml + + + me + application/x-troff-me + + + mid + audio/x-midi + + + midi + audio/x-midi + + + mif + application/x-mif + + + mov + video/quicktime + + + movie + video/x-sgi-movie + + + mp1 + audio/x-mpeg + + + mp2 + audio/x-mpeg + + + mp3 + audio/x-mpeg + + + mpa + audio/x-mpeg + + + mpe + video/mpeg + + + mpeg + video/mpeg + + + mpega + audio/x-mpeg + + + mpg + video/mpeg + + + mpv2 + video/mpeg2 + + + ms + application/x-wais-source + + + nc + application/x-netcdf + + + oda + application/oda + + + ogg + application/ogg + + + pbm + image/x-portable-bitmap + + + pct + image/pict + + + pdf + application/pdf + + + pgm + image/x-portable-graymap + + + pic + image/pict + + + pict + image/pict + + + pls + audio/x-scpls + + + png + image/png + + + pnm + image/x-portable-anymap + + + pnt + image/x-macpaint + + + ppm + image/x-portable-pixmap + + + ppt + application/powerpoint + + + ps + application/postscript + + + psd + image/x-photoshop + + + qt + video/quicktime + + + qti + image/x-quicktime + + + qtif + image/x-quicktime + + + ras + image/x-cmu-raster + + + rdf + application/rdf+xml + + + rgb + image/x-rgb + + + rm + application/vnd.rn-realmedia + + + roff + application/x-troff + + + rtf + application/rtf + + + rtx + text/richtext + + + sh + application/x-sh + + + shar + application/x-shar + + + smf + audio/x-midi + + + sit + application/x-stuffit + + + snd + audio/basic + + + src + application/x-wais-source + + + sv4cpio + application/x-sv4cpio + + + sv4crc + application/x-sv4crc + + + svg + image/svg+xml + + + swf + 
application/x-shockwave-flash + + + t + application/x-troff + + + tar + application/x-tar + + + tcl + application/x-tcl + + + tex + application/x-tex + + + texi + application/x-texinfo + + + texinfo + application/x-texinfo + + + tif + image/tiff + + + tiff + image/tiff + + + tr + application/x-troff + + + tsv + text/tab-separated-values + + + txt + text/plain + + + ulw + audio/basic + + + ustar + application/x-ustar + + + vxml + application/voicexml+xml + + + xbm + image/x-xbitmap + + + xht + application/xhtml+xml + + + xhtml + application/xhtml+xml + + + xml + application/xml + + + xpm + image/x-xpixmap + + + xsl + application/xml + + + xslt + application/xslt+xml + + + xul + application/vnd.mozilla.xul+xml + + + xwd + image/x-xwindowdump + + + wav + audio/x-wav + + + svg + image/svg + + + svgz + image/svg + + + vsd + application/x-visio + + + + wbmp + image/vnd.wap.wbmp + + + + wml + text/vnd.wap.wml + + + + wmlc + application/vnd.wap.wmlc + + + + wmls + text/vnd.wap.wmlscript + + + + wmlscriptc + application/vnd.wap.wmlscriptc + + + wrl + x-world/x-vrml + + + Z + application/x-compress + + + z + application/x-compress + + + zip + application/zip + + + + + + + + + + + + + + + + + index.html + index.htm + index.jsp + + + + 404 + /404.html + + + + 500 + /500.html + + + diff --git a/base/ca/shared/conf/workers.properties b/base/ca/shared/conf/workers.properties new file mode 100644 index 000000000..50d88557f --- /dev/null +++ b/base/ca/shared/conf/workers.properties 
@@ -0,0 +1,206 @@
+# workers.properties -
+#
+# This file provides jk derived plugins with the needed information to
+# connect to the different tomcat workers. Note that the distributed
+# version of this file requires modification before it is usable by a
+# plugin.
+#
+# As a general note, the characters $( and ) are used internally to define
+# macros. Do not use them in your own configuration!!!
+#
+# Whenever you see a set of lines such as:
+# x=value
+# y=$(x)\something
+#
+# the final value for y will be value\something
+#
+# Normaly all you will need to do is un-comment and modify the first three
+# properties, i.e. workers.tomcat_home, workers.java_home and ps.
+# Most of the configuration is derived from these.
+#
+# When you are done updating workers.tomcat_home, workers.java_home and ps
+# you should have 3 workers configured:
+#
+# - An ajp12 worker that connects to localhost:8007
+# - An ajp13 worker that connects to localhost:8009
+# - A jni inprocess worker.
+# - A load balancer worker
+#
+# However by default the plugins will only use the ajp12 worker. To have
+# the plugins use other workers you should modify the worker.list property.
+#
+#
+
+# OPTIONS ( very important for jni mode )
+
+#
+# workers.tomcat_home should point to the location where you
+# installed tomcat. This is where you have your conf, webapps and lib
+# directories.
+#
+workers.tomcat_home=/var/tomcat3
+
+#
+# workers.java_home should point to your Java installation. Normally
+# you should have a bin and lib directories beneath it.
+#
+workers.java_home=/opt/IBMJava2-13
+
+#
+# You should configure your environment slash... ps=\ on NT and / on UNIX
+# and maybe something different elsewhere.
+#
+ps=/
+
+#
+#------ ADVANCED MODE ------------------------------------------------
+#---------------------------------------------------------------------
+#
+
+#
+#------ DEFAULT worket list ------------------------------------------
+#---------------------------------------------------------------------
+#
+#
+# The workers that your plugins should create and work with
+#
+# Add 'inprocess' if you want JNI connector
+worker.list=ajp12, ajp13
+# , inprocess
+
+
+#
+#------ DEFAULT ajp12 WORKER DEFINITION ------------------------------
+#---------------------------------------------------------------------
+#
+
+#
+# Defining a worker named ajp12 and of type ajp12
+# Note that the name and the type do not have to match.
+#
+worker.ajp12.port=8007
+worker.ajp12.host=localhost
+worker.ajp12.type=ajp12
+#
+# Specifies the load balance factor when used with
+# a load balancing worker.
+# Note:
+# ----> lbfactor must be > 0
+# ----> Low lbfactor means less work done by the worker.
+worker.ajp12.lbfactor=1
+
+#
+#------ DEFAULT ajp13 WORKER DEFINITION ------------------------------
+#---------------------------------------------------------------------
+#
+
+#
+# Defining a worker named ajp13 and of type ajp13
+# Note that the name and the type do not have to match.
+#
+worker.ajp13.port=8009
+worker.ajp13.host=localhost
+worker.ajp13.type=ajp13
+#
+# Specifies the load balance factor when used with
+# a load balancing worker.
+# Note:
+# ----> lbfactor must be > 0
+# ----> Low lbfactor means less work done by the worker.
+worker.ajp13.lbfactor=1
+
+#
+# Specify the size of the open connection cache.
+#worker.ajp13.cachesize
+
+#
+#------ DEFAULT LOAD BALANCER WORKER DEFINITION ----------------------
+#---------------------------------------------------------------------
+#
+
+#
+# The loadbalancer (type lb) workers perform wighted round-robin
+# load balancing with sticky sessions.
+# Note:
+# ----> If a worker dies, the load balancer will check its state
+# once in a while. Until then all work is redirected to peer
+# workers.
+worker.loadbalancer.type=lb
+worker.loadbalancer.balanced_workers=ajp12, ajp13
+
+
+#
+#------ DEFAULT JNI WORKER DEFINITION---------------------------------
+#---------------------------------------------------------------------
+#
+
+#
+# Defining a worker named inprocess and of type jni
+# Note that the name and the type do not have to match.
+#
+worker.inprocess.type=jni
+
+#
+#------ CLASSPATH DEFINITION -----------------------------------------
+#---------------------------------------------------------------------
+#
+
+#
+# Additional class path components.
+#
+worker.inprocess.class_path=$(workers.tomcat_home)$(ps)lib$(ps)tomcat.jar
+
+#
+# Setting the command line for tomcat.
+# Note: The cmd_line string may not contain spaces.
+#
+worker.inprocess.cmd_line=start
+
+# Not needed, but can be customized.
+#worker.inprocess.cmd_line=-config
+#worker.inprocess.cmd_line=$(workers.tomcat_home)$(ps)conf$(ps)server.xml
+#worker.inprocess.cmd_line=-home
+#worker.inprocess.cmd_line=$(workers.tomcat_home)
+
+#
+# The JVM that we are about to use
+#
+# This is for Java2
+#
+# Windows
+worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)bin$(ps)classic$(ps)jvm.dll
+# IBM JDK1.3
+#worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)bin$(ps)classic$(ps)libjvm.so
+# Unix - Sun VM or blackdown
+#worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)lib$(ps)i386$(ps)classic$(ps)libjvm.so
+
+#
+# And this is for jdk1.1.X
+#
+#worker.inprocess.jvm_lib=$(workers.java_home)$(ps)bin$(ps)javai.dll
+
+
+#
+# Setting the place for the stdout and stderr of tomcat
+#
+worker.inprocess.stdout=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stdout
+worker.inprocess.stderr=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stderr
+
+#
+# Setting the tomcat.home Java property
+#
+#worker.inprocess.sysprops=tomcat.home=$(workers.tomcat_home)
+
+#
+# Java system properties
+#
+# worker.inprocess.sysprops=java.compiler=NONE
+# worker.inprocess.sysprops=myprop=mypropvalue
+
+#
+# Additional path components.
+#
+# worker.inprocess.ld_path=d:$(ps)SQLLIB$(ps)bin
+#
+
+
diff --git a/base/ca/shared/conf/workers.properties.minimal b/base/ca/shared/conf/workers.properties.minimal
new file mode 100644
index 000000000..e3b5942c2
--- /dev/null
+++ b/base/ca/shared/conf/workers.properties.minimal
@@ -0,0 +1,17 @@
+# workers.properties.minimal -
+#
+# This file provides minimal jk configuration properties needed to
+# connect to Tomcat.
+#
+# The workers that jk should create and work with
+#
+worker.list=ajp13w
+
+
+#
+# Defining a worker named ajp13w and of type ajp13
+# Note that the name and the type do not have to match.
+#
+worker.ajp13w.type=ajp13
+worker.ajp13w.host=localhost
+worker.ajp13w.port=8009
diff --git a/base/ca/shared/conf/workers2.properties b/base/ca/shared/conf/workers2.properties
new file mode 100644
index 000000000..778118ff2
--- /dev/null
+++ b/base/ca/shared/conf/workers2.properties
@@ -0,0 +1,132 @@
+[logger]
+level=DEBUG
+
+[config:]
+file=${serverRoot}/conf/workers2.properties
+debug=0
+debugEnv=0
+
+[uriMap:]
+info=Maps the requests. Options: debug
+debug=0
+
+# Alternate file logger
+#[logger.file:0]
+#level=DEBUG
+#file=${serverRoot}/logs/jk2.log
+
+[shm:]
+info=Scoreboard. Required for reconfiguration and status with multiprocess servers
+file=${serverRoot}/logs/jk2.shm
+size=1000000
+debug=0
+disabled=0
+
+[workerEnv:]
+info=Global server options
+timing=1
+debug=0
+# Default Native Logger (apache2 or win32 )
+# can be overriden to a file logger, useful
+# when tracing win32 related issues
+#logger=logger.file:0
+
+[lb:lb]
+info=Default load balancer.
+debug=0
+
+[lb:lb_1]
+info=A second load balancer.
+debug=0
+
+[channel.socket:localhost:8009]
+info=Ajp13 forwarding over socket
+debug=0
+tomcatId=localhost:8009
+
+[channel.socket:localhost:8019]
+info=A second tomcat instance.
+debug=0
+tomcatId=localhost:8019
+lb_factor=1
+#group=lb
+group:lb:lb
+#group=lb_1
+group:lb:lb_1
+disabled=0
+
+[channel.un:/opt/33/work/jk2.socket]
+info=A second channel connecting to localhost:8019 via unix socket
+tomcatId=localhost:8019
+lb_factor=1
+debug=0
+
+[channel.jni:jni]
+info=The jni channel, used if tomcat is started inprocess
+
+[status:]
+info=Status worker, displays runtime informations
+
+[vm:]
+info=Parameters used to load a JVM in the server process
+#JVM=C:\jdk\jre\bin\hotspot\jvm.dll
+classpath=${TOMCAT_HOME}/bin/tomcat-jni.jar
+classpath=${TOMCAT_HOME}/server/lib/commons-logging.jar
+OPT=-Dtomcat.home=${TOMCAT_HOME}
+OPT=-Dcatalina.home=${TOMCAT_HOME}
+OPT=-Xmx128M
+#OPT=-Djava.compiler=NONE
+disabled=1
+
+[worker.jni:onStartup]
+info=Command to be executed by the VM on startup. This one will start tomcat.
+class=org/apache/jk/apr/TomcatStarter
+ARG=start
+# For Tomcat 5 use the 'stard' for startup argument
+# ARG=stard
+disabled=1
+stdout=${serverRoot}/logs/stdout.log
+stderr=${serverRoot}/logs/stderr.log
+
+[worker.jni:onShutdown]
+info=Command to be executed by the VM on shutdown. This one will stop tomcat.
+class=org/apache/jk/apr/TomcatStarter
+ARG=stop
+disabled=1
+
+[uri:/jkstatus/*]
+info=Display status information and checks the config file for changes.
+group=status:
+
+[uri:127.0.0.1:8003]
+info=Example virtual host. Make sure myVirtualHost is in /etc/hosts to test it
+alias=myVirtualHost:8003
+
+[uri:127.0.0.1:8003/ex]
+info=Example webapp in the virtual host. It'll go to lb_1 ( i.e. localhost:8019 )
+context=/ex
+group=lb_1
+
+[uri:/examples]
+info=Example webapp in the default context.
+context=/examples
+debug=0
+
+[uri:/examples1/*]
+info=A second webapp, this time going to the second tomcat only.
+group=lb_1
+debug=0
+
+[uri:/examples/servlet/*]
+info=Prefix mapping
+
+[uri:/examples/*.jsp]
+info=Extension mapping
+
+[uri:/examples/*]
+info=Map the whole webapp
+
+[uri:/examples/servlet/HelloW]
+info=Example with debug enabled.
+debug=10
+
diff --git a/base/ca/shared/conf/workers2.properties.minimal b/base/ca/shared/conf/workers2.properties.minimal
new file mode 100644
index 000000000..41a0ba6c1
--- /dev/null
+++ b/base/ca/shared/conf/workers2.properties.minimal
@@ -0,0 +1,55 @@
+#
+# This is the minimal JK2 connector configuration file.
+#
+
+[logger]
+info=Native logger
+level=ERROR
+
+[config:]
+file=${serverRoot}/conf/workers2.properties
+debug=0
+debugEnv=0
+
+[uriMap:]
+info=Maps the requests.
+debug=0
+
+[shm:]
+info=Scoreboard. Required for reconfiguration and status with multiprocess servers
+file=anonymous
+debug=0
+
+[workerEnv:]
+info=Global server options
+timing=0
+debug=0
+
+[lb:lb]
+info=Default load balancer.
+debug=0
+
+[channel.socket:localhost:8009]
+info=Ajp13 forwarding over socket
+debug=0
+tomcatId=localhost:8009
+
+[uri:/admin]
+info=Tomcat HTML based administration web application.
+debug=0
+
+[uri:/manager]
+info=A scriptable management web application for the Tomcat Web Server.
+debug=0
+
+[uri:/jsp-examples]
+info=JSP 2.0 Examples.
+debug=0
+
+[uri:/servlets-examples]
+info=Servlet 2.4 Examples.
+debug=0
+
+[uri:/*.jsp]
+info=JSP Extension mapping.
+debug=0
diff --git a/base/ca/shared/emails/ExpiredUnpublishJob b/base/ca/shared/emails/ExpiredUnpublishJob
new file mode 100644
index 000000000..902125ee6
--- /dev/null
+++ b/base/ca/shared/emails/ExpiredUnpublishJob
@@ -0,0 +1,6 @@
+ExpiredUnpublishJob $InstanceID summary:
+$SummaryItemList
+Executed at: $ExecutionTime.
+$SummaryTotalSuccess succeeded
+$SummaryTotalFailure failed
+End of summary.
diff --git a/base/ca/shared/emails/ExpiredUnpublishJobItem b/base/ca/shared/emails/ExpiredUnpublishJobItem
new file mode 100644
index 000000000..cb60a2b7d
--- /dev/null
+++ b/base/ca/shared/emails/ExpiredUnpublishJobItem
@@ -0,0 +1,2 @@
+$SubjectDN == status: $TOKEN_STATUS
+
diff --git a/base/ca/shared/emails/certIssued_CA b/base/ca/shared/emails/certIssued_CA
new file mode 100644
index 000000000..af2d2de9c
--- /dev/null
+++ b/base/ca/shared/emails/certIssued_CA
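Review bot: `worker.list=ajp12, ajp13` together with `workers.tomcat_home=/var/tomcat3` and `workers.java_home=/opt/IBMJava2-13` are the stock values of the old Tomcat 3 sample file, and the header comment itself says the distributed version "requires modification before it is usable". Installed unmodified into the CA's conf directory it invites an operator to enable an obsolete ajp12 worker and a JNI in-process worker that nothing here needs, while `workers.properties.minimal` in the same commit defines only an ajp13 worker. I would either drop this file or trim `worker.list` to `ajp13` and add a header line such as `# Template only: not loaded by the CA instance; see workers.properties.minimal`. Whether either file is referenced by the httpd/jk configuration is not visible in this hunk.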
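Review bot: `[uri:/jkstatus/*]` maps the `status:` worker, whose own `info` lines say it displays runtime information and checks the config file for changes, and nothing in this file restricts who may reach that URI; `[logger] level=DEBUG` likewise differs from the `level=ERROR` used in workers2.properties.minimal. If this file is the one the web server loads (the `[config:] file=${serverRoot}/conf/workers2.properties` line suggests it refers to itself, but the httpd side is not visible here), the status mapping should be commented out or access to it limited at the httpd layer, and the logger set to `level=ERROR`. The `[uri:127.0.0.1:8003]`, `[uri:/examples...]` and `[channel.un:/opt/33/work/jk2.socket]` entries are sample mappings from the JK2 distribution and could be removed at the same time.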
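Review bot: The `[uri:/admin]` and `[uri:/manager]` entries forward the Tomcat administration and manager web applications through the AJP channel, and `[uri:/jsp-examples]` and `[uri:/servlets-examples]` forward the sample applications; none of these belong to the CA and each widens what the front-end web server exposes. Only the `[uri:/*.jsp]` mapping, plus whatever CA contexts are configured elsewhere, appears to be needed, so I would delete those four `[uri:...]` blocks and leave a comment such as `# Only CA contexts are forwarded; admin, manager and example webapps are intentionally not mapped`. Whether this minimal file or workers2.properties is the one actually loaded is not visible in this hunk.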
@@ -0,0 +1,12 @@
+Your certificate request has been processed successfully.
+SubjectDN= $SubjectDN
+IssuerDN= $IssuerDN
+notAfter= $NotAfter
+notBefore= $NotBefore
+Serial Number= 0x$HexSerialNumber
+
+To get your certificate, please follow this URL:
+https://$HttpHost:$HttpPort/ca/ee/ca/displayBySerial?serialNumber=$SerialNumber
+
+Please contact your admin if there is any problem.
+And, of course, this is just a \$SAMPLE\$ email notification form.
diff --git a/base/ca/shared/emails/certIssued_CA.html b/base/ca/shared/emails/certIssued_CA.html
new file mode 100644
index 000000000..b380346ac
--- /dev/null
+++ b/base/ca/shared/emails/certIssued_CA.html
@@ -0,0 +1,17 @@ + + +
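Review bot: The closing line `+And, of course, this is just a \$SAMPLE\$ email notification form.` labels the template as a sample, yet this file ships as the default notification sent to end users, and the same footer appears in certIssued_RA, certRevoked_CA and certRevoked_RA. Either drop that line from all four templates or state in the deployment documentation that these files are placeholders the operator is expected to replace before enabling notifications.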

An automatically generated notification from $InstanceID

+Your certificate request has been processed successfully. +

+SubjectDN= $SubjectDN
+IssuerDN= $IssuerDN
+notAfter= $NotAfter
+notBefore= $NotBefore
+Serial Number= 0x$HexSerialNumber

+

+To get your certificate, please follow this +URL + +Please contact your admin if there is any problem. + + diff --git a/base/ca/shared/emails/certIssued_RA b/base/ca/shared/emails/certIssued_RA new file mode 100644 index 000000000..7bde6875b --- /dev/null +++ b/base/ca/shared/emails/certIssued_RA @@ -0,0 +1,12 @@ +Your certificate request has been processed successfully. +SubjectDN= $SubjectDN +IssuerDN= $IssuerDN +notAfter= $NotAfter +notBefore= $NotBefore +Serial Number= 0x$HexSerialNumber + +To get your certificate, please follow this URL: +https://$HttpHost:$HttpPort/displayCertFromRequest?requestId=$RequestId + +Please contact your admin if there is any problem. +And, of course, this is just a \$SAMPLE\$ email notification form. diff --git a/base/ca/shared/emails/certIssued_RA.html b/base/ca/shared/emails/certIssued_RA.html new file mode 100644 index 000000000..2d7d2e36e --- /dev/null +++ b/base/ca/shared/emails/certIssued_RA.html @@ -0,0 +1,17 @@ + + +
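Review bot: `$SubjectDN` and `$IssuerDN` are substituted straight into HTML here, and the subject DN originates from the certificate request; unless the substitution layer HTML-escapes values, a DN component containing markup would be rendered as markup in the notification mail. The substitution code is not in this hunk, so the fix belongs there (escape `<`, `>`, `&` and `"` in every value before it enters an HTML template) or, failing that, the HTML variants should be dropped in favor of the plain-text ones. The same applies to certIssued_RA.html, certRevoked_CA.html, certRevoked_RA.html, euJob1Item.html, publishCertsItem.html and riq1Item.html; the rendered hunk has lost its tags, so the surrounding markup itself cannot be checked from this view.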

An automatically generated notification from $InstanceID

+Your certificate request has been processed successfully. +

+SubjectDN= $SubjectDN
+IssuerDN= $IssuerDN
+notAfter= $NotAfter
+notBefore= $NotBefore
+Serial Number= 0x$HexSerialNumber

+

+To get your certificate, please follow this +URL + +Please contact your admin if there is any problem. + + diff --git a/base/ca/shared/emails/certRequestRejected.html b/base/ca/shared/emails/certRequestRejected.html new file mode 100644 index 000000000..9cfa92d79 --- /dev/null +++ b/base/ca/shared/emails/certRequestRejected.html @@ -0,0 +1,10 @@ + + +

An automatically generated notification from $InstanceID

+Your certificate request has been rejected. +

+Request ID = $RequestId
+

+Please contact your admin for assistance. + + diff --git a/base/ca/shared/emails/certRevoked_CA b/base/ca/shared/emails/certRevoked_CA new file mode 100644 index 000000000..3539ceaf3 --- /dev/null +++ b/base/ca/shared/emails/certRevoked_CA @@ -0,0 +1,12 @@ +Your certificate request has been processed successfully. +SubjectDN= $SubjectDN +IssuerDN= $IssuerDN +notAfter= $NotAfter +notBefore= $NotBefore +Serial Number= 0x$HexSerialNumber + +To get your certificate, please follow this URL: +https://$HttpHost:$HttpPort/displayBySerial?op=displayBySerial&serialNumber=$SerialNumber + +Please contact your admin if there is any problem. +And, of course, this is just a \$SAMPLE\$ email notification form. diff --git a/base/ca/shared/emails/certRevoked_CA.html b/base/ca/shared/emails/certRevoked_CA.html new file mode 100644 index 000000000..025a0c94e --- /dev/null +++ b/base/ca/shared/emails/certRevoked_CA.html @@ -0,0 +1,13 @@ + + +
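Review bot: The body of certRevoked_CA is the certificate-issued text: it opens with `+Your certificate request has been processed successfully.`, reports notAfter/notBefore and ends with `+To get your certificate, please follow this URL:`, none of which fits a revocation notice, while the sibling certRevoked_CA.html correctly says "Your certificate revocation request has been processed successfully" and reports `$RevocationDate`. certRevoked_RA has the identical copy-paste body. The `displayBySerial?op=displayBySerial&serialNumber=` URL also differs from the `/ca/ee/ca/displayBySerial?serialNumber=` form used in certIssued_CA; which path is valid cannot be determined from this diff. I would rewrite both plain-text templates to match their HTML counterparts, keeping only the variables those already use.
```text
Your certificate revocation request has been processed successfully.
SubjectDN= $SubjectDN
IssuerDN= $IssuerDN
RevocationDate= $RevocationDate
Serial Number= 0x$HexSerialNumber

Please contact your admin if there is any problem.
```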

An automatically generated notification from $InstanceID

+Your certificate revocation request has been processed successfully. +

+SubjectDN= $SubjectDN
+IssuerDN= $IssuerDN
+RevocationDate= $RevocationDate
+Serial Number= 0x$HexSerialNumber

+

+Please contact your admin if there is any problem. + + diff --git a/base/ca/shared/emails/certRevoked_RA b/base/ca/shared/emails/certRevoked_RA new file mode 100644 index 000000000..3539ceaf3 --- /dev/null +++ b/base/ca/shared/emails/certRevoked_RA @@ -0,0 +1,12 @@ +Your certificate request has been processed successfully. +SubjectDN= $SubjectDN +IssuerDN= $IssuerDN +notAfter= $NotAfter +notBefore= $NotBefore +Serial Number= 0x$HexSerialNumber + +To get your certificate, please follow this URL: +https://$HttpHost:$HttpPort/displayBySerial?op=displayBySerial&serialNumber=$SerialNumber + +Please contact your admin if there is any problem. +And, of course, this is just a \$SAMPLE\$ email notification form. diff --git a/base/ca/shared/emails/certRevoked_RA.html b/base/ca/shared/emails/certRevoked_RA.html new file mode 100644 index 000000000..025a0c94e --- /dev/null +++ b/base/ca/shared/emails/certRevoked_RA.html @@ -0,0 +1,13 @@ + + +

An automatically generated notification from $InstanceID

+Your certificate revocation request has been processed successfully. +

+SubjectDN= $SubjectDN
+IssuerDN= $IssuerDN
+RevocationDate= $RevocationDate
+Serial Number= 0x$HexSerialNumber

+

+Please contact your admin if there is any problem. + + diff --git a/base/ca/shared/emails/euJob1.html b/base/ca/shared/emails/euJob1.html new file mode 100644 index 000000000..86bae4a52 --- /dev/null +++ b/base/ca/shared/emails/euJob1.html @@ -0,0 +1,29 @@ + + + + Summary for Unpublished Expired Certificates ($InstanceID) + + + +

Summary for Unpublished Expired Certificates

+ + + + + + + + + + + + +$SummaryItemList +
Serial NumberSubject DNIssuer DNExpiration date/timeStatus
+Executed at: $ExecutionTime

+$SummaryTotalSuccess succeeded

+$SummaryTotalFailure failed

+End of summary. +


+ + diff --git a/base/ca/shared/emails/euJob1Item.html b/base/ca/shared/emails/euJob1Item.html new file mode 100644 index 000000000..94732e4c3 --- /dev/null +++ b/base/ca/shared/emails/euJob1Item.html @@ -0,0 +1,11 @@ + +0x$HexSerialNumber + +$SubjectDN + +$IssuerDN + +$NotAfter + +$Status + diff --git a/base/ca/shared/emails/publishCerts.html b/base/ca/shared/emails/publishCerts.html new file mode 100644 index 000000000..c53f01fb6 --- /dev/null +++ b/base/ca/shared/emails/publishCerts.html @@ -0,0 +1,29 @@ + + + + Summary for Published Certificates ($InstanceID) + + + +

Summary for Published Certificates

+ + + + + + + + + + + + +$SummaryItemList +
Serial NumberSubject DNIssuer DNExpiration date/timeStatus
+Executed at: $ExecutionTime

+$SummaryTotalSuccess succeeded

+$SummaryTotalFailure failed

+End of summary. +


+ + diff --git a/base/ca/shared/emails/publishCertsItem.html b/base/ca/shared/emails/publishCertsItem.html new file mode 100644 index 000000000..94732e4c3 --- /dev/null +++ b/base/ca/shared/emails/publishCertsItem.html @@ -0,0 +1,11 @@ + +0x$HexSerialNumber + +$SubjectDN + +$IssuerDN + +$NotAfter + +$Status + diff --git a/base/ca/shared/emails/reqInQueue_CA b/base/ca/shared/emails/reqInQueue_CA new file mode 100644 index 000000000..7916ba5b4 --- /dev/null +++ b/base/ca/shared/emails/reqInQueue_CA @@ -0,0 +1,5 @@ +Request $RequestId is in queue. +requestor email is $RequestorEmail. +cert type is $CertType. +request type is $RequestType. +request process url: https://$HttpHost:$HttpPort/ca/agent/ca/profileReview?requestId=$RequestId diff --git a/base/ca/shared/emails/reqInQueue_CA.html b/base/ca/shared/emails/reqInQueue_CA.html new file mode 100644 index 000000000..3ccaac1fe --- /dev/null +++ b/base/ca/shared/emails/reqInQueue_CA.html @@ -0,0 +1,12 @@ + + +Request $RequestId is in queue. +

+requestor email is $RequestorEmail.

+cert type is $CertType.

+request type is $RequestType.

+Click + +this URL to process request + + diff --git a/base/ca/shared/emails/reqInQueue_RA b/base/ca/shared/emails/reqInQueue_RA new file mode 100644 index 000000000..41fa62b8a --- /dev/null +++ b/base/ca/shared/emails/reqInQueue_RA @@ -0,0 +1,5 @@ +Request $RequestId is in queue. +requestor email is $RequestorEmail. +cert type is $CertType. +request type is $RequestType. +request process url: https://$HttpHost:$HttpPort/ra/processReq?seqNum=$RequestId diff --git a/base/ca/shared/emails/reqInQueue_RA.html b/base/ca/shared/emails/reqInQueue_RA.html new file mode 100644 index 000000000..1b5bcfaf6 --- /dev/null +++ b/base/ca/shared/emails/reqInQueue_RA.html @@ -0,0 +1,12 @@ + + +Request $RequestId is in queue. +

+requestor email is $RequestorEmail.

+cert type is $CertType.

+request type is $RequestType.

+Click + +this URL to process request + + diff --git a/base/ca/shared/emails/riq1Item.html b/base/ca/shared/emails/riq1Item.html new file mode 100644 index 000000000..0550ddeaf --- /dev/null +++ b/base/ca/shared/emails/riq1Item.html @@ -0,0 +1,5 @@ + +$RequestorEmail +$CertType +$RequestType + diff --git a/base/ca/shared/emails/riq1Summary.html b/base/ca/shared/emails/riq1Summary.html new file mode 100644 index 000000000..cf68bc7df --- /dev/null +++ b/base/ca/shared/emails/riq1Summary.html @@ -0,0 +1,12 @@ + + + Request in Queue Summary Report from $InstanceID + + + +

Request in Queue Summary Report from $InstanceID

+Executed at: $ExecutionTime

+Total number of requests in Queue: $SummaryTotalNum

+


+ + diff --git a/base/ca/shared/emails/rnJob1.txt b/base/ca/shared/emails/rnJob1.txt new file mode 100644 index 000000000..f07250814 --- /dev/null +++ b/base/ca/shared/emails/rnJob1.txt @@ -0,0 +1,8 @@ +The following certificate is going to expire (or has expired) on + $NotAfter +Serial number = 0x$HexSerialNumber +SubjectDN = $SubjectDN +You can renew this certificate by clicking the "Renewal" button +at the following URL: + +https://$HttpHost:$HttpPort diff --git a/base/ca/shared/emails/rnJob1Item.txt b/base/ca/shared/emails/rnJob1Item.txt new file mode 100644 index 000000000..8080c0bde --- /dev/null +++ b/base/ca/shared/emails/rnJob1Item.txt @@ -0,0 +1,8 @@ +Serial number = 0x$HexSerialNumber +SubjectDN = $SubjectDN +Validity period = $NotBefore - $NotAfter +Suggested Renewal http host name = $HttpHost +Suggested Renewal http port number = $HttpPort +Renewal notification status = $Status +------- + diff --git a/base/ca/shared/emails/rnJob1Summary.txt b/base/ca/shared/emails/rnJob1Summary.txt new file mode 100644 index 000000000..65bf98583 --- /dev/null +++ b/base/ca/shared/emails/rnJob1Summary.txt @@ -0,0 +1,7 @@ +Automatically generated summary report from $InstanceID +executed at $ExecutionTime +======================================================== + +$SummaryItemList +$SummaryTotalSuccess succeeded +$SummaryTotalFailure failed diff --git a/base/ca/shared/etc/init.d/pki-cad b/base/ca/shared/etc/init.d/pki-cad new file mode 100755 index 000000000..772523287 --- /dev/null +++ b/base/ca/shared/etc/init.d/pki-cad 
@@ -0,0 +1,87 @@
+#!/bin/bash
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007-2010 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+# pki-cad Startup script for pki-ca with tomcat6
+#
+# chkconfig: - 81 19
+# description: Certificate Authority (Tomcat 6.0)
+# processname: pki-cad
+# piddir: /var/run/pki/ca
+#
+
+PROG_NAME=`basename $0`
+SERVICE_NAME="pki-cad"
+SERVICE_PROG="/sbin/service"
+PKI_PATH="/usr/share/pki/ca"
+PKI_REGISTRY="/etc/sysconfig/pki/ca"
+PKI_TYPE="pki-ca"
+PKI_TOTAL_PORTS=7
+
+# Avoid using 'systemctl' for now
+SYSTEMCTL_SKIP_REDIRECT=1
+export SYSTEMCTL_SKIP_REDIRECT
+
+# Disallow 'others' the ability to 'write' to new files
+umask 00002
+
+command="$1"
+pki_instance="$2"
+
+# Source function library.
+. /etc/init.d/functions
+
+# Source the PKI function library
+. /usr/share/pki/scripts/functions
+
+# See how we were called.
+case $command in
+ status)
+ registry_status
+ exit $?
+ ;;
+ start)
+ start
+ exit $?
+ ;;
+ restart)
+ restart
+ exit $?
+ ;;
+ stop)
+ stop
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit ${default_error}
+ ;;
+ *)
+ echo "unknown action ($command)"
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit ${default_error}
+ ;;
+esac
+
diff --git a/base/ca/shared/lib/systemd/system/pki-cad.target b/base/ca/shared/lib/systemd/system/pki-cad.target
new file mode 100644
index 000000000..dab661403
--- /dev/null
+++ b/base/ca/shared/lib/systemd/system/pki-cad.target
@@ -0,0 +1,8 @@
+[Unit]
+Description=PKI Certificate Authority Server
+After=syslog.target network.target
+
+[Install]
+WantedBy=multi-user.target
+
+
diff --git a/base/ca/shared/lib/systemd/system/pki-cad@.service b/base/ca/shared/lib/systemd/system/pki-cad@.service
new file mode 100644
index 000000000..e205d72fb
--- /dev/null
+++ b/base/ca/shared/lib/systemd/system/pki-cad@.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=PKI Certificate Authority Server %i
+After=pki-cad.target
+BindTo=pki-cad.target
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/pkicontrol start ca %i
+ExecStop=/usr/bin/pkicontrol stop ca %i
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/base/ca/shared/profiles/ca/DomainController.cfg b/base/ca/shared/profiles/ca/DomainController.cfg
new file mode 100644
index 000000000..81cba3214
--- /dev/null
+++ b/base/ca/shared/profiles/ca/DomainController.cfg
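Review bot: In the `condrestart|force-restart|try-restart` branch, `[ ! -f ${lockfile} ] || restart` leaves `${lockfile}` unquoted; `lockfile` is presumably set by the sourced `/usr/share/pki/scripts/functions`, but if it is empty or unset the test degenerates to `[ ! -f ]`, which is false, so a condrestart would start a service that was not running. Quote it: `[ ! -f "${lockfile}" ] || restart`. The comment above `umask 00002` only promises no other-write; group-write is still granted to anything the script creates, which may be intended but deserves a word in the comment. `PROG_NAME` likewise uses an unquoted `$0` inside a backtick substitution; `$(basename "$0")` is the safer form.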
@@ -0,0 +1,130 @@
+desc=This profile is for enrolling Domain Controller Certificate
+enable=true
+enableBy=admin
+name=Domain Controller
+visible=true
+auth.instance_id=AgentCertAuth
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.i3.class_id=genericInputImpl
+input.i3.params.gi_display_name0=ccm
+input.i3.params.gi_param_enable0=true
+input.i3.params.gi_param_name0=ccm
+input.i3.params.gi_display_name1=GUID
+input.i3.params.gi_param_enable1=true
+input.i3.params.gi_param_name1=GUID
+input.i3.params.gi_num=2
+output.list=o1,o2
+output.o1.class_id=certOutputImpl
+output.o2.class_id=pkcs7OutputImpl
+policyset.list=set1
+policyset.set1.list=p2,p4,p5,subj,p6,p8,p9,p12,eku,gen,crldp
+policyset.set1.subj.constraint.class_id=noConstraintImpl
+policyset.set1.subj.constraint.name=No Constraint
+policyset.set1.subj.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
+policyset.set1.subj.default.name=nsTokenUserKeySubjectNameDefault
+#policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, E=$request.mail$, O=Token Key User
+#policyset.set1.subj.default.params.dnpattern=CN=GEMSTAR,OU=Domain Controllers,DC=test,dc=local
+policyset.set1.subj.default.params.dnpattern=CN=$request.ccm$
+policyset.set1.subj.default.params.ldap.enable=false
+policyset.set1.subj.default.params.ldap.searchName=uid
+policyset.set1.subj.default.params.ldapStringAttributes=uid,mail
+policyset.set1.subj.default.params.ldap.basedn=
+policyset.set1.subj.default.params.ldap.maxConns=4
+policyset.set1.subj.default.params.ldap.minConns=1
+policyset.set1.subj.default.params.ldap.ldapconn.Version=2
+policyset.set1.subj.default.params.ldap.ldapconn.host=
+policyset.set1.subj.default.params.ldap.ldapconn.port=
+policyset.set1.subj.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=1825
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=true
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
+policyset.set1.p5.default.params.keyUsageNonRepudiation=false
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=true
+policyset.set1.p6.default.params.subjAltExtPattern_0=$request.ccm$
+policyset.set1.p6.default.params.subjAltExtType_0=DNSName
+policyset.set1.p6.default.params.subjAltExtPattern_1=(Any)1.3.6.1.4.1.311.25.1,0410$request.GUID$
+policyset.set1.p6.default.params.subjAltExtType_1=OtherName
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=2
+policyset.set1.5.constraint.class_id=noConstraintImpl
+policyset.set1.5.constraint.name=No Constraint
+policyset.set1.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.5.default.name=AIA Extension Default
+policyset.set1.5.default.params.authInfoAccessADEnable_0=true
+policyset.set1.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.5.default.params.authInfoAccessADLocation_0=http://localhost.localdomain:9180/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL&crlDisplayType=cachedCRL&submit=Submit
+policyset.set1.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.2
+policyset.set1.5.default.params.authInfoAccessCritical=false
+policyset.set1.5.default.params.authInfoAccessNumADs=1
+policyset.set1.eku.constraint.class_id=noConstraintImpl
+policyset.set1.eku.constraint.name=No Constraint
+policyset.set1.eku.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.set1.eku.default.name=Extended Key Usage Extension Default
+policyset.set1.eku.default.params.exKeyUsageCritical=false
+policyset.set1.eku.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.crldp.constraint.class_id=noConstraintImpl
+policyset.set1.crldp.constraint.name=No Constraint
+policyset.set1.crldp.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.crldp.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.crldp.default.params.crlDistPointsCritical=false
+policyset.set1.crldp.default.params.crlDistPointsNum=1
+policyset.set1.crldp.default.params.crlDistPointsEnable_0=true
+policyset.set1.crldp.default.params.crlDistPointsIssuerName_0=
+policyset.set1.crldp.default.params.crlDistPointsIssuerType_0=
+policyset.set1.crldp.default.params.crlDistPointsPointName_0=http://localhost.localdomain:9180/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL&crlDisplayType=cachedCRL&submit=Submit
+policyset.set1.crldp.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.crldp.default.params.crlDistPointsReasons_0=
+policyset.set1.gen.constraint.class_id=noConstraintImpl
+policyset.set1.gen.constraint.name=No Constraint
+policyset.set1.gen.default.class_id=genericExtDefaultImpl
+policyset.set1.gen.default.name=Generic Extension
+#This is the Microsoft 'Certificate Template Name' Extensions. The Value is 'DomainController'
+policyset.set1.gen.default.params.genericExtOID=1.3.6.1.4.1.311.20.2
+policyset.set1.gen.default.params.genericExtData=1e200044006f006d00610069006e0043006f006e00740072006f006c006c00650072
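Review bot: The AIA component `policyset.set1.5.*` is dead configuration — `5` is not in `policyset.set1.list=p2,p4,p5,subj,p6,p8,p9,p12,eku,gen,crldp`, so it is never applied, and if it were it is wrong anyway: access method `1.3.6.1.5.5.7.48.2` is id-ad-caIssuers but the location is a `getCRL` URL, which belongs in the CRLDP (where it already appears). Both URLs are hard-coded to `http://localhost.localdomain:9180`, so issued certificates carry a revocation pointer no relying party can reach; the other profiles in this commit leave `authInfoAccessADLocation_0=` empty for the installer to fill, and `crlDistPointsPointName_0=` should follow the same pattern. The subject (`CN=$request.ccm$`) and the DNSName SAN are copied verbatim from the free-form `ccm` input under `noConstraintImpl`, so agent authentication is the only thing stopping an arbitrary host name from being certified as a domain controller. The OtherName is built as `0410$request.GUID$`, a DER OCTET STRING header announcing exactly 16 bytes, so a GUID that is not 32 hex digits yields a malformed extension — a length or pattern check on that input would help. Either delete the `5.*` lines or add `5` to the list with method `1.3.6.1.5.5.7.48.1` (OCSP) or a genuine caIssuers URL.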
diff --git a/base/ca/shared/profiles/ca/caAdminCert.cfg b/base/ca/shared/profiles/ca/caAdminCert.cfg
new file mode 100644
index 000000000..c44079a1e
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caAdminCert.cfg
@@ -0,0 +1,87 @@
+desc=This certificate profile is for enrolling Security Domain administrator's certificates with LDAP authentication against the internal LDAP database.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain Administrator Certificate Enrollment
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.i3.class_id=subjectDNInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=adminCertSet
+policyset.adminCertSet.list=1,2,3,4,5,6,7,8
+policyset.adminCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.adminCertSet.1.constraint.name=Subject Name Constraint
+policyset.adminCertSet.1.constraint.params.pattern=.*
+policyset.adminCertSet.1.constraint.params.accept=true
+policyset.adminCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.adminCertSet.1.default.name=Subject Name Default
+policyset.adminCertSet.1.default.params.name=
+policyset.adminCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.adminCertSet.2.constraint.name=Validity Constraint
+policyset.adminCertSet.2.constraint.params.range=365
+policyset.adminCertSet.2.constraint.params.notBeforeCheck=false
+policyset.adminCertSet.2.constraint.params.notAfterCheck=false
+policyset.adminCertSet.2.default.class_id=validityDefaultImpl
+policyset.adminCertSet.2.default.name=Validity Default
+policyset.adminCertSet.2.default.params.range=365
+policyset.adminCertSet.2.default.params.startTime=0
+policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.adminCertSet.3.constraint.name=Key Constraint
+policyset.adminCertSet.3.constraint.params.keyType=RSA
+policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.adminCertSet.3.default.name=Key Default
+policyset.adminCertSet.4.constraint.class_id=noConstraintImpl
+policyset.adminCertSet.4.constraint.name=No Constraint
+policyset.adminCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.adminCertSet.4.default.name=Authority Key Identifier Default
+policyset.adminCertSet.5.constraint.class_id=noConstraintImpl
+policyset.adminCertSet.5.constraint.name=No Constraint
+policyset.adminCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.adminCertSet.5.default.name=AIA Extension Default
+policyset.adminCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.adminCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.adminCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.adminCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.adminCertSet.5.default.params.authInfoAccessCritical=false
+policyset.adminCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.adminCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
+policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.adminCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.adminCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.adminCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.adminCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.adminCertSet.6.default.name=Key Usage Default
+policyset.adminCertSet.6.default.params.keyUsageCritical=true
+policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.adminCertSet.6.default.params.keyUsageCrlSign=false
+policyset.adminCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.adminCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.adminCertSet.7.constraint.class_id=noConstraintImpl
+policyset.adminCertSet.7.constraint.name=No Constraint
+policyset.adminCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.adminCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.adminCertSet.7.default.params.exKeyUsageCritical=false
+policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.adminCertSet.8.constraint.name=No Constraint
+policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.adminCertSet.8.default.name=Signing Alg
+policyset.adminCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caAgentFileSigning.cfg b/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
new file mode 100644
index 000000000..26eb171b0
--- /dev/null
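Review bot: `signingAlgsAllowed` on policy 8 still admits `MD5withRSA` and `MD2withRSA` for security-domain administrator certificates; MD5 chosen-prefix collisions were used to forge a CA certificate in 2008, so neither should be issuable even though the default `signingAlg=-` normally selects the CA's own algorithm. I would drop both: `policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC`. `keyParameters=1024,2048,3072,4096` likewise still allows 1024-bit RSA, which NIST SP 800-131A deprecated for new signatures after 2010. The subject-name constraint `pattern=.*` accepts any DN the enrollee submits, which is tolerable only because `authz.acl` limits the profile to the Enterprise Administrators groups — a comment stating that dependency would stop someone loosening the ACL later without noticing.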
+++ b/base/ca/shared/profiles/ca/caAgentFileSigning.cfg 
@@ -0,0 +1,86 @@
+desc=This certificate profile is for getting file signing certificate with agent authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=AgentCertAuth
+name=Agent-Authenticated File Signing
+input.list=i1,i2,i3
+input.i1.class_id=keyGenInputImpl
+input.i2.class_id=fileSigningInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=pkcs7OutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=(Name)$request.requestor_name$(Text)$request.file_signing_text$(Size)$request.file_signing_size$(DigestType)$request.file_signing_digest_type$(Digest)$request.file_signing_digest$
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=365
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=180
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.3
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caAgentServerCert.cfg b/base/ca/shared/profiles/ca/caAgentServerCert.cfg
new file mode 100644
index 000000000..d0aac7a8f
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caAgentServerCert.cfg
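Review bot: The subject-name default on policy 1 concatenates five request fields into a single CN (`CN=(Name)$request.requestor_name$(Text)$request.file_signing_text$...`) while the constraint only checks `CN=.*`; if `subjectNameDefaultImpl` does not escape RDN separators (not visible from this hunk), a `requestor_name` or `file_signing_text` containing `,` or `=` could split the CN into extra RDNs or yield an unparseable DN. A tighter constraint pattern, or a comment in the profile recording that these fields are agent-supplied free text and why that is acceptable, would make the intent explicit. As in the sibling profiles, `signingAlgsAllowed` still lists `MD5withRSA` and `MD2withRSA` and `keyParameters` admits 1024-bit RSA for a code-signing (`1.3.6.1.5.5.7.3.3`) certificate; dropping them here too keeps the profiles consistent.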
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling server certificates with agent authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=AgentCertAuth
+name=Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=365
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=180
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCACert.cfg b/base/ca/shared/profiles/ca/caCACert.cfg
new file mode 100644
index 000000000..a88abdf1f
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCACert.cfg
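Review bot: This server-certificate profile emits no subjectAltName — there is no `subjectAltNameExtDefaultImpl` policy in `policyset.serverCertSet.list=1,2,3,4,5,6,7,8`, so the host name lives only in the CN, which RFC 6125 (2011) already deprecates as the basis for TLS host matching. The `DomainController.cfg` profile in this commit shows how a DNSName SAN default is wired up; a similar policy, with a constraint on the pattern rather than `noConstraintImpl`, belongs here. `keyUsageNonRepudiation=true` and `keyUsageDataEncipherment=true` are broader than a TLS server key needs (digitalSignature plus keyEncipherment is the usual set). The `MD5withRSA` and `MD2withRSA` entries in `signingAlgsAllowed` and the 1024 in `keyParameters` should go, as in the other profiles.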
@@ -0,0 +1,95 @@
+desc=This certificate profile is for enrolling Certificate Authority certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Certificate Manager Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=caCertSet
+policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.caCertSet.1.constraint.name=Subject Name Constraint
+policyset.caCertSet.1.constraint.params.pattern=CN=.*
+policyset.caCertSet.1.constraint.params.accept=true
+policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.caCertSet.1.default.name=Subject Name Default
+policyset.caCertSet.1.default.params.name=
+policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.caCertSet.2.constraint.name=Validity Constraint
+policyset.caCertSet.2.constraint.params.range=2922
+policyset.caCertSet.2.constraint.params.notBeforeCheck=false
+policyset.caCertSet.2.constraint.params.notAfterCheck=false
+policyset.caCertSet.2.default.class_id=caValidityDefaultImpl
+policyset.caCertSet.2.default.name=CA Certificate Validity Default
+policyset.caCertSet.2.default.params.range=2922
+policyset.caCertSet.2.default.params.startTime=0
+policyset.caCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.caCertSet.3.constraint.name=Key Constraint
+policyset.caCertSet.3.constraint.params.keyType=RSA
+policyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.caCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.caCertSet.3.default.name=Key Default
+policyset.caCertSet.4.constraint.class_id=noConstraintImpl
+policyset.caCertSet.4.constraint.name=No Constraint
+policyset.caCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.caCertSet.4.default.name=Authority Key Identifier Default
+policyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint
+policyset.caCertSet.5.constraint.params.basicConstraintsCritical=true
+policyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true
+policyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1
+policyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
+policyset.caCertSet.5.default.name=Basic Constraints Extension Default
+policyset.caCertSet.5.default.params.basicConstraintsCritical=true
+policyset.caCertSet.5.default.params.basicConstraintsIsCA=true
+policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1
+policyset.caCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.caCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.caCertSet.6.constraint.params.keyUsageCritical=true
+policyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.caCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.caCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyCertSign=true
+policyset.caCertSet.6.constraint.params.keyUsageCrlSign=true
+policyset.caCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.caCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.caCertSet.6.default.name=Key Usage Default
+policyset.caCertSet.6.default.params.keyUsageCritical=true
+policyset.caCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.caCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.caCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.caCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.caCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.caCertSet.6.default.params.keyUsageKeyCertSign=true
+policyset.caCertSet.6.default.params.keyUsageCrlSign=true
+policyset.caCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.caCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.caCertSet.8.constraint.class_id=noConstraintImpl
+policyset.caCertSet.8.constraint.name=No Constraint
+policyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
+policyset.caCertSet.8.default.params.critical=false
+policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.caCertSet.9.constraint.name=No Constraint
+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.caCertSet.9.default.name=Signing Alg
+policyset.caCertSet.9.default.params.signingAlg=-
+policyset.caCertSet.10.constraint.class_id=noConstraintImpl
+policyset.caCertSet.10.constraint.name=No Constraint
+policyset.caCertSet.10.default.class_id=authInfoAccessExtDefaultImpl
+policyset.caCertSet.10.default.name=AIA Extension Default
+policyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true
+policyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=URIName
+policyset.caCertSet.10.default.params.authInfoAccessADLocation_0=
+policyset.caCertSet.10.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.caCertSet.10.default.params.authInfoAccessCritical=false
+policyset.caCertSet.10.default.params.authInfoAccessNumADs=1
diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
new file mode 100644
index 000000000..8d402f771
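Review bot: `policyset.caCertSet.9.constraint.params.signingAlgsAllowed` still lists MD5withRSA and MD2withRSA as acceptable signature algorithms for a profile that issues CA certificates, so an operator can end up with a subordinate CA signed over a collision-broken hash; the SHA1 variants in the same list were already being phased out when this was written. The same list is carried by the serverCert hunk above and by caCMCUserCert.cfg, caDirUserCert.cfg and caDualCert.cfg below, so one follow-up can cover all of them, e.g. `signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`. `policyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096` likewise admits a 1024-bit RSA CA key and deserves the same look. Since this commit only relocates the files, these are better tracked as a separate change than folded into the move.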
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+authz.acl=group="Certificate Manager Agents"
+name=Signed CMC-Authenticated User Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=cmcCertReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=cmcUserCertSet
+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+policyset.cmcUserCertSet.1.constraint.params.pattern=.*
+policyset.cmcUserCertSet.1.constraint.params.accept=true
+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.cmcUserCertSet.1.default.name=Subject Name Default
+policyset.cmcUserCertSet.1.default.params.name=
+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+policyset.cmcUserCertSet.2.constraint.params.range=365
+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+policyset.cmcUserCertSet.2.default.name=Validity Default
+policyset.cmcUserCertSet.2.default.params.range=180
+policyset.cmcUserCertSet.2.default.params.startTime=0
+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+policyset.cmcUserCertSet.3.constraint.params.keyType=-
+policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.cmcUserCertSet.3.default.name=Key Default
+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.4.constraint.name=No Constraint
+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.5.constraint.name=No Constraint
+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.cmcUserCertSet.6.default.name=Key Usage Default
+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.cmcUserCertSet.8.constraint.name=No Constraint
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.cmcUserCertSet.8.default.name=Signing Alg
+policyset.cmcUserCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg
new file mode 100644
index 000000000..ce42445cc
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg
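Review bot: `policyset.cmcUserCertSet.1.constraint.params.pattern=.*` together with `accept=true` makes the Subject Name Constraint a no-op, and `policyset.cmcUserCertSet.3.constraint.params.keyType=-` places no restriction on key type either, so the only gate on what subject gets certified through this profile is the agent-group ACL in `authz.acl`. The sibling user profiles in this commit (caDirUserCert.cfg, caDualRAuserCert.cfg) at least require a UID component via `UID=.*` / `.*UID=.*`. If arbitrary subjects are intentional for the CMC flow, a one-line `#` comment above policy 1 saying so would spare the next reader from guessing; otherwise aligning the pattern with the sibling profiles is the smaller change.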
@@ -0,0 +1,99 @@
+desc=This certificate profile is for enrolling user certificates with directory-based authentication.
+visible=true
+enable=true
+enableBy=admin
+name=Directory-Authenticated User Dual-Use Certificate Enrollment
+auth.instance_id=UserDirEnrollment
+input.list=i1
+input.i1.class_id=keyGenInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=UID=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
+policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
+policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
+policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
+policyset.userCertSet.10.default.class_id=noDefaultImpl
+policyset.userCertSet.10.default.name=No Default
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=RSA
+policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caDirUserRenewal.cfg b/base/ca/shared/profiles/ca/caDirUserRenewal.cfg
new file mode 100755
index 000000000..c643b9df4
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caDirUserRenewal.cfg
@@ -0,0 +1,12 @@
+desc=This certificate profile is for renewing a certificate by serial number by using directory based authentication.
+visible=true
+enable=true
+enableBy=admin
+renewal=true
+auth.instance_id=UserDirEnrollment
+authz.acl=user_origreq="auth_token.uid"
+name=Renewal: Directory-Authenticated User Certificate Self-Renew profile
+input.list=i1
+input.i1.class_id=serialNumRenewInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
diff --git a/base/ca/shared/profiles/ca/caDualCert.cfg b/base/ca/shared/profiles/ca/caDualCert.cfg
new file mode 100644
index 000000000..e85cbe002
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caDualCert.cfg
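Review bot: In caDirUserCert.cfg the subject is bound to the directory login via `authTokenSubjectNameDefaultImpl`, but the SAN e-mail is taken from `policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$`, and with `input.list=i1` being only `keyGenInputImpl` nothing in this profile shows where `requestor_email` is populated; if it is a free-form request field it is not tied to the authenticated identity the way the subject is. Worth confirming that the value comes from (or is checked against) the directory entry, and if so a comment such as `# requestor_email is populated by UserDirEnrollment from the directory entry -- confirm` above policy 8 would record that. The caDirUserRenewal.cfg hunk on the same line carries no policyset at all, which I take to be by design for renewals, but that is inferred rather than visible here.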
@@ -0,0 +1,168 @@
+desc=This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later.
+visible=true
+enable=true
+enableBy=admin
+name=Manual User Signing & Encryption Certificates Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=dualKeyGenInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=encryptionCertSet,signingCertSet
+policyset.encryptionCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.encryptionCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.encryptionCertSet.1.constraint.name=Subject Name Constraint
+policyset.encryptionCertSet.1.constraint.params.pattern=UID=.*
+policyset.encryptionCertSet.1.constraint.params.accept=true
+policyset.encryptionCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.encryptionCertSet.1.default.name=Subject Name Default
+policyset.encryptionCertSet.1.default.params.name=
+policyset.encryptionCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.encryptionCertSet.2.constraint.name=Validity Constraint
+policyset.encryptionCertSet.2.constraint.params.range=365
+policyset.encryptionCertSet.2.constraint.params.notBeforeCheck=false
+policyset.encryptionCertSet.2.constraint.params.notAfterCheck=false
+policyset.encryptionCertSet.2.default.class_id=validityDefaultImpl
+policyset.encryptionCertSet.2.default.name=Validity Default
+policyset.encryptionCertSet.2.default.params.range=180
+policyset.encryptionCertSet.2.default.params.startTime=0
+policyset.encryptionCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.encryptionCertSet.3.constraint.name=Key Constraint
+policyset.encryptionCertSet.3.constraint.params.keyType=RSA
+policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.encryptionCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.encryptionCertSet.3.default.name=Key Default
+policyset.encryptionCertSet.4.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.4.constraint.name=No Constraint
+policyset.encryptionCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.encryptionCertSet.4.default.name=Authority Key Identifier Default
+policyset.encryptionCertSet.5.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.5.constraint.name=No Constraint
+policyset.encryptionCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.encryptionCertSet.5.default.name=AIA Extension Default
+policyset.encryptionCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.encryptionCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.encryptionCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.encryptionCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.encryptionCertSet.5.default.params.authInfoAccessCritical=false
+policyset.encryptionCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.encryptionCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.encryptionCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.encryptionCertSet.6.constraint.params.keyUsageCritical=true
+policyset.encryptionCertSet.6.constraint.params.keyUsageDigitalSignature=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageNonRepudiation=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.encryptionCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.encryptionCertSet.6.default.name=Key Usage Default
+policyset.encryptionCertSet.6.default.params.keyUsageCritical=true
+policyset.encryptionCertSet.6.default.params.keyUsageDigitalSignature=false
+policyset.encryptionCertSet.6.default.params.keyUsageNonRepudiation=false
+policyset.encryptionCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.encryptionCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.encryptionCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.encryptionCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.encryptionCertSet.6.default.params.keyUsageCrlSign=false
+policyset.encryptionCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.encryptionCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.encryptionCertSet.7.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.7.constraint.name=No Constraint
+policyset.encryptionCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.encryptionCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.encryptionCertSet.7.default.params.exKeyUsageCritical=false
+policyset.encryptionCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.encryptionCertSet.8.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.8.constraint.name=No Constraint
+policyset.encryptionCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.encryptionCertSet.8.default.name=Subject Alt Name Constraint
+policyset.encryptionCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.encryptionCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.encryptionCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.encryptionCertSet.9.constraint.name=No Constraint
+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.encryptionCertSet.9.default.name=Signing Alg
+policyset.encryptionCertSet.9.default.params.signingAlg=-
+policyset.signingCertSet.list=1,2,3,4,6,7,8,9
+policyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.signingCertSet.1.constraint.name=Subject Name Constraint
+policyset.signingCertSet.1.constraint.params.pattern=UID=.*
+policyset.signingCertSet.1.constraint.params.accept=true
+policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.signingCertSet.1.default.name=Subject Name Default
+policyset.signingCertSet.1.default.params.name=
+policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.signingCertSet.2.constraint.name=Validity Constraint
+policyset.signingCertSet.2.constraint.params.range=365
+policyset.signingCertSet.2.constraint.params.notBeforeCheck=false
+policyset.signingCertSet.2.constraint.params.notAfterCheck=false
+policyset.signingCertSet.2.default.class_id=validityDefaultImpl
+policyset.signingCertSet.2.default.name=Validity Default
+policyset.signingCertSet.2.default.params.range=180
+policyset.signingCertSet.2.default.params.startTime=60
+policyset.signingCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.signingCertSet.3.constraint.name=Key Constraint
+policyset.signingCertSet.3.constraint.params.keyType=RSA
+policyset.signingCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.signingCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.signingCertSet.3.default.name=Key Default
+policyset.signingCertSet.4.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.4.constraint.name=No Constraint
+policyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.signingCertSet.4.default.name=Authority Key Identifier Default
+policyset.signingCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.signingCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.signingCertSet.6.constraint.params.keyUsageCritical=true
+policyset.signingCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.signingCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.signingCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.signingCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.signingCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.signingCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.signingCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.signingCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.signingCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.signingCertSet.6.default.name=Key Usage Default
+policyset.signingCertSet.6.default.params.keyUsageCritical=true
+policyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.signingCertSet.6.default.params.keyUsageCrlSign=false
+policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.signingCertSet.7.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.7.constraint.name=No Constraint
+policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.signingCertSet.7.default.params.exKeyUsageCritical=false
+policyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.signingCertSet.8.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.8.constraint.name=No Constraint
+policyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.signingCertSet.8.default.name=Subject Alt Name Constraint
+policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.signingCertSet.9.constraint.name=No Constraint
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.signingCertSet.9.default.name=Signing Alg
+policyset.signingCertSet.9.default.params.signingAlg=-
+policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
diff --git a/base/ca/shared/profiles/ca/caDualRAuserCert.cfg b/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
new file mode 100644
index 000000000..741e26a3f
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
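Review bot: `policyset.signingCertSet.list=1,2,3,4,6,7,8,9` skips policy 5, so the signing certificate issued by this profile carries no AIA extension while the encryption certificate from the same request does (`policyset.encryptionCertSet.list=1,2,3,4,5,6,7,8,9`), and the two sets also disagree on `2.default.params.startTime` (60 versus 0). Either difference may be deliberate, but nothing in the file says so; a short comment above the signing set, e.g. `# signingCertSet: no AIA (policy 5) and startTime=60 -- TODO confirm intentional`, or a matching policy 5 block to bring the two sets into line, would settle it. The trailing `policyset.signingCertSet.9.default.params.signingAlgsAllowed=...` line has no counterpart in the encryption set either; presumably harmless if the default class ignores it, but it is one more asymmetry to confirm while the file is being touched.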
@@ -0,0 +1,94 @@
+desc=This certificate profile is for enrolling user certificates with RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=RA Agent-Authenticated User Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=.*UID=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=RSA
+policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
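Review bot: `policyset.userCertSet.9.constraint.params.signingAlgsAllowed` in this hunk still admits `MD5withRSA`, `MD2withRSA` and the SHA-1 variants, so nothing in the profile prevents an MD5- or SHA-1-signed certificate from being issued under it; the commit only relocates the file, so the weakness predates it, but this is the list that ships. In the same file `policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096` likewise accepts 1024-bit RSA subject keys. I would tighten both to `policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC` and `policyset.userCertSet.3.constraint.params.keyParameters=2048,3072,4096`, or record why the legacy entries must stay. The same signingAlgsAllowed list recurs in the caECDualCert, caECUserCert and caEncECUserCert hunks below (and at the tail of the hunk above this one), and the 1024-bit entry recurs in the caEncUserCert hunk, which runs past the end of this chunk.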
diff --git a/base/ca/shared/profiles/ca/caECDualCert.cfg b/base/ca/shared/profiles/ca/caECDualCert.cfg
new file mode 100644
index 000000000..8bf081088
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caECDualCert.cfg
@@ -0,0 +1,168 @@
+desc=This certificate profile is for enrolling dual user ECC certificates. It works only with Netscape 7.0 or later.
+visible=false
+enable=true
+enableBy=admin
+name=Manual User Signing & Encryption ECC Certificates Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=dualKeyGenInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=encryptionCertSet,signingCertSet
+policyset.encryptionCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.encryptionCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.encryptionCertSet.1.constraint.name=Subject Name Constraint
+policyset.encryptionCertSet.1.constraint.params.pattern=UID=.*
+policyset.encryptionCertSet.1.constraint.params.accept=true
+policyset.encryptionCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.encryptionCertSet.1.default.name=Subject Name Default
+policyset.encryptionCertSet.1.default.params.name=
+policyset.encryptionCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.encryptionCertSet.2.constraint.name=Validity Constraint
+policyset.encryptionCertSet.2.constraint.params.range=365
+policyset.encryptionCertSet.2.constraint.params.notBeforeCheck=false
+policyset.encryptionCertSet.2.constraint.params.notAfterCheck=false
+policyset.encryptionCertSet.2.default.class_id=validityDefaultImpl
+policyset.encryptionCertSet.2.default.name=Validity Default
+policyset.encryptionCertSet.2.default.params.range=180
+policyset.encryptionCertSet.2.default.params.startTime=0
+policyset.encryptionCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.encryptionCertSet.3.constraint.name=Key Constraint
+policyset.encryptionCertSet.3.constraint.params.keyType=EC
+policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+policyset.encryptionCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.encryptionCertSet.3.default.name=Key Default
+policyset.encryptionCertSet.4.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.4.constraint.name=No Constraint
+policyset.encryptionCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.encryptionCertSet.4.default.name=Authority Key Identifier Default
+policyset.encryptionCertSet.5.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.5.constraint.name=No Constraint
+policyset.encryptionCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.encryptionCertSet.5.default.name=AIA Extension Default
+policyset.encryptionCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.encryptionCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.encryptionCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.encryptionCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.encryptionCertSet.5.default.params.authInfoAccessCritical=false
+policyset.encryptionCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.encryptionCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.encryptionCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.encryptionCertSet.6.constraint.params.keyUsageCritical=true
+policyset.encryptionCertSet.6.constraint.params.keyUsageDigitalSignature=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageNonRepudiation=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.encryptionCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.encryptionCertSet.6.default.name=Key Usage Default
+policyset.encryptionCertSet.6.default.params.keyUsageCritical=true
+policyset.encryptionCertSet.6.default.params.keyUsageDigitalSignature=false
+policyset.encryptionCertSet.6.default.params.keyUsageNonRepudiation=false
+policyset.encryptionCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.encryptionCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.encryptionCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.encryptionCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.encryptionCertSet.6.default.params.keyUsageCrlSign=false
+policyset.encryptionCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.encryptionCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.encryptionCertSet.7.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.7.constraint.name=No Constraint
+policyset.encryptionCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.encryptionCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.encryptionCertSet.7.default.params.exKeyUsageCritical=false
+policyset.encryptionCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.encryptionCertSet.8.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.8.constraint.name=No Constraint
+policyset.encryptionCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.encryptionCertSet.8.default.name=Subject Alt Name Constraint
+policyset.encryptionCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.encryptionCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.encryptionCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.encryptionCertSet.9.constraint.name=No Constraint
+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.encryptionCertSet.9.default.name=Signing Alg
+policyset.encryptionCertSet.9.default.params.signingAlg=-
+policyset.signingCertSet.list=1,2,3,4,6,7,8,9
+policyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.signingCertSet.1.constraint.name=Subject Name Constraint
+policyset.signingCertSet.1.constraint.params.pattern=UID=.*
+policyset.signingCertSet.1.constraint.params.accept=true
+policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.signingCertSet.1.default.name=Subject Name Default
+policyset.signingCertSet.1.default.params.name=
+policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.signingCertSet.2.constraint.name=Validity Constraint
+policyset.signingCertSet.2.constraint.params.range=365
+policyset.signingCertSet.2.constraint.params.notBeforeCheck=false
+policyset.signingCertSet.2.constraint.params.notAfterCheck=false
+policyset.signingCertSet.2.default.class_id=validityDefaultImpl
+policyset.signingCertSet.2.default.name=Validity Default
+policyset.signingCertSet.2.default.params.range=180
+policyset.signingCertSet.2.default.params.startTime=60
+policyset.signingCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.signingCertSet.3.constraint.name=Key Constraint
+policyset.signingCertSet.3.constraint.params.keyType=EC
+policyset.signingCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+policyset.signingCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.signingCertSet.3.default.name=Key Default
+policyset.signingCertSet.4.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.4.constraint.name=No Constraint
+policyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.signingCertSet.4.default.name=Authority Key Identifier Default
+policyset.signingCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.signingCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.signingCertSet.6.constraint.params.keyUsageCritical=true
+policyset.signingCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.signingCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.signingCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.signingCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.signingCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.signingCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.signingCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.signingCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.signingCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.signingCertSet.6.default.name=Key Usage Default
+policyset.signingCertSet.6.default.params.keyUsageCritical=true
+policyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.signingCertSet.6.default.params.keyUsageCrlSign=false
+policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.signingCertSet.7.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.7.constraint.name=No Constraint
+policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.signingCertSet.7.default.params.exKeyUsageCritical=false
+policyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.signingCertSet.8.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.8.constraint.name=No Constraint
+policyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.signingCertSet.8.default.name=Subject Alt Name Constraint
+policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.signingCertSet.9.constraint.name=No Constraint
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.signingCertSet.9.default.name=Signing Alg
+policyset.signingCertSet.9.default.params.signingAlg=-
+policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
diff --git a/base/ca/shared/profiles/ca/caECUserCert.cfg b/base/ca/shared/profiles/ca/caECUserCert.cfg
new file mode 100644
index 000000000..a641e5800
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caECUserCert.cfg
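Review bot: `policyset.encryptionCertSet.6.constraint.params.keyUsageKeyEncipherment=true` (and the matching default) is asserted on a key set constrained to `keyType=EC`, but as far as I recall RFC 5480 §3 permits only digitalSignature, nonRepudiation and keyAgreement (plus encipherOnly/decipherOnly alongside keyAgreement) for id-ecPublicKey subject keys, so an EC encryption certificate should carry keyAgreement rather than keyEncipherment; swapping the two `keyUsageKeyEncipherment`/`keyUsageKeyAgreement` values in both the constraint and the default would align it, and the caECUserCert and caEncECUserCert hunks below carry the same combination. Within this file the two policy sets also diverge with nothing recording why: `policyset.signingCertSet.list=1,2,3,4,6,7,8,9` drops the AIA default (5) that the encryption set has, `policyset.signingCertSet.2.default.params.startTime=60` differs from the encryption set's `0`, and `policyset.signingCertSet.9.default.params.signingAlgsAllowed=...` is set on the default rather than the constraint with no counterpart in the encryption set. If those differences are deliberate, a one-line `#` comment beside each would spare the next reader a diff. The `desc` text still refers to Netscape 7.0 and is worth refreshing.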
@@ -0,0 +1,101 @@
+desc=This certificate profile is for enrolling user ECC certificates.
+visible=false
+enable=true
+enableBy=admin
+name=Manual User Dual-Use ECC Certificate Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=keyGenInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=UID=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
+policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
+policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
+policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
+policyset.userCertSet.10.default.class_id=noDefaultImpl
+policyset.userCertSet.10.default.name=No Default
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=EC
+policyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caEncECUserCert.cfg b/base/ca/shared/profiles/ca/caEncECUserCert.cfg
new file mode 100644
index 000000000..66baa4bf8
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caEncECUserCert.cfg
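Review bot: `policyset.userCertSet.9.constraint.name=No Constraint` labels a `signingAlgConstraintImpl` that does restrict the signing algorithm, so the display name an agent sees contradicts what the policy enforces; `policyset.userCertSet.9.constraint.name=Signing Algorithm Constraint` would describe it. Every profile in this chunk (caDualRAuserCert, caECDualCert, caEncECUserCert, caEncUserCert, and the hunk that ends just above caDualRAuserCert) carries the same mislabel on its policy 9, and the `default.name=Subject Alt Name Constraint` on policy 8 has the opposite problem, naming a default as a constraint. A smaller inconsistency: this file's `signingAlgsAllowed` omits `SHA1withDSA` while caECDualCert and caEncECUserCert include it; either choice is defensible, but nothing records which was intended.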
@@ -0,0 +1,93 @@
+desc=This certificate profile is for enrolling user ECC encryption certificates. It works only with latest Firefox.
+visible=false
+enable=true
+enableBy=admin
+name=Manual User Encryption ECC Certificates Enrollment
+auth.class_id=
+input.list=i1
+input.i1.class_id=encKeyGenInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=encryptionCertSet
+policyset.encryptionCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.encryptionCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.encryptionCertSet.1.constraint.name=Subject Name Constraint
+policyset.encryptionCertSet.1.constraint.params.pattern=CN=.*
+policyset.encryptionCertSet.1.constraint.params.accept=true
+policyset.encryptionCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.encryptionCertSet.1.default.name=Subject Name Default
+policyset.encryptionCertSet.1.default.params.name=
+policyset.encryptionCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.encryptionCertSet.2.constraint.name=Validity Constraint
+policyset.encryptionCertSet.2.constraint.params.range=365
+policyset.encryptionCertSet.2.constraint.params.notBeforeCheck=false
+policyset.encryptionCertSet.2.constraint.params.notAfterCheck=false
+policyset.encryptionCertSet.2.default.class_id=validityDefaultImpl
+policyset.encryptionCertSet.2.default.name=Validity Default
+policyset.encryptionCertSet.2.default.params.range=180
+policyset.encryptionCertSet.2.default.params.startTime=0
+policyset.encryptionCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.encryptionCertSet.3.constraint.name=Key Constraint
+policyset.encryptionCertSet.3.constraint.params.keyType=EC
+policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp521
+policyset.encryptionCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.encryptionCertSet.3.default.name=Key Default
+policyset.encryptionCertSet.4.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.4.constraint.name=No Constraint
+policyset.encryptionCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.encryptionCertSet.4.default.name=Authority Key Identifier Default
+policyset.encryptionCertSet.5.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.5.constraint.name=No Constraint
+policyset.encryptionCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.encryptionCertSet.5.default.name=AIA Extension Default
+policyset.encryptionCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.encryptionCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.encryptionCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.encryptionCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.encryptionCertSet.5.default.params.authInfoAccessCritical=false
+policyset.encryptionCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.encryptionCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.encryptionCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.encryptionCertSet.6.constraint.params.keyUsageCritical=true
+policyset.encryptionCertSet.6.constraint.params.keyUsageDigitalSignature=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageNonRepudiation=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.encryptionCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.encryptionCertSet.6.default.name=Key Usage Default
+policyset.encryptionCertSet.6.default.params.keyUsageCritical=true
+policyset.encryptionCertSet.6.default.params.keyUsageDigitalSignature=false
+policyset.encryptionCertSet.6.default.params.keyUsageNonRepudiation=false
+policyset.encryptionCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.encryptionCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.encryptionCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.encryptionCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.encryptionCertSet.6.default.params.keyUsageCrlSign=false
+policyset.encryptionCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.encryptionCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.encryptionCertSet.7.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.7.constraint.name=No Constraint
+policyset.encryptionCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.encryptionCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.encryptionCertSet.7.default.params.exKeyUsageCritical=false
+policyset.encryptionCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.encryptionCertSet.8.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.8.constraint.name=No Constraint
+policyset.encryptionCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.encryptionCertSet.8.default.name=Subject Alt Name Constraint
+policyset.encryptionCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.encryptionCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.encryptionCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.encryptionCertSet.9.constraint.name=No Constraint
+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.encryptionCertSet.9.default.name=Signing Alg
+policyset.encryptionCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caEncUserCert.cfg b/base/ca/shared/profiles/ca/caEncUserCert.cfg
new file mode 100644
index 000000000..e49faf24e
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caEncUserCert.cfg
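Review bot: `policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp521` omits nistp384, which the other EC profiles in this chunk (caECDualCert, caECUserCert) accept; if P-384 is meant to be excluded for encryption keys a `#` comment should say why, otherwise `policyset.encryptionCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521` keeps the profiles aligned. The `desc` line "It works only with latest Firefox" is a moving target; naming the client capability it actually depends on (presumably the `encKeyGenInputImpl` input, but that is inferred) would age better. This file also pairs `keyType=EC` with `keyUsageKeyEncipherment=true`, the RFC 5480 concern already raised on the caECDualCert hunk.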
@@ -0,0 +1,96 @@
+desc=This certificate profile is for enrolling user encryption certificates with option to archive keys.
+visible=false
+enable=true
+enableBy=admin
+name=Manual User Encryption Certificates Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=encryptionCertSet
+policyset.encryptionCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.encryptionCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.encryptionCertSet.1.constraint.name=Subject Name Constraint
+policyset.encryptionCertSet.1.constraint.params.pattern=CN=.*
+policyset.encryptionCertSet.1.constraint.params.accept=true
+policyset.encryptionCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.encryptionCertSet.1.default.name=Subject Name Default
+policyset.encryptionCertSet.1.default.params.name=
+policyset.encryptionCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.encryptionCertSet.2.constraint.name=Validity Constraint
+policyset.encryptionCertSet.2.constraint.params.range=365
+policyset.encryptionCertSet.2.constraint.params.notBeforeCheck=false
+policyset.encryptionCertSet.2.constraint.params.notAfterCheck=false
+policyset.encryptionCertSet.2.default.class_id=validityDefaultImpl
+policyset.encryptionCertSet.2.default.name=Validity Default
+policyset.encryptionCertSet.2.default.params.range=180
+policyset.encryptionCertSet.2.default.params.startTime=0
+policyset.encryptionCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.encryptionCertSet.3.constraint.name=Key Constraint
+policyset.encryptionCertSet.3.constraint.params.keyType=RSA
+policyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.encryptionCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.encryptionCertSet.3.default.name=Key Default
+policyset.encryptionCertSet.4.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.4.constraint.name=No Constraint
+policyset.encryptionCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.encryptionCertSet.4.default.name=Authority Key Identifier Default
+policyset.encryptionCertSet.5.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.5.constraint.name=No Constraint
+policyset.encryptionCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.encryptionCertSet.5.default.name=AIA Extension Default
+policyset.encryptionCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.encryptionCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.encryptionCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.encryptionCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.encryptionCertSet.5.default.params.authInfoAccessCritical=false
+policyset.encryptionCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.encryptionCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.encryptionCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.encryptionCertSet.6.constraint.params.keyUsageCritical=true
+policyset.encryptionCertSet.6.constraint.params.keyUsageDigitalSignature=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageNonRepudiation=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.encryptionCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.encryptionCertSet.6.default.name=Key Usage Default
+policyset.encryptionCertSet.6.default.params.keyUsageCritical=true
+policyset.encryptionCertSet.6.default.params.keyUsageDigitalSignature=false
+policyset.encryptionCertSet.6.default.params.keyUsageNonRepudiation=false
+policyset.encryptionCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.encryptionCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.encryptionCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.encryptionCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.encryptionCertSet.6.default.params.keyUsageCrlSign=false
+policyset.encryptionCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.encryptionCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.encryptionCertSet.7.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.7.constraint.name=No Constraint
+policyset.encryptionCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.encryptionCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.encryptionCertSet.7.default.params.exKeyUsageCritical=false
+policyset.encryptionCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.encryptionCertSet.8.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.8.constraint.name=No Constraint
+policyset.encryptionCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.encryptionCertSet.8.default.name=Subject Alt Name Constraint
+policyset.encryptionCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.encryptionCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.encryptionCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.encryptionCertSet.9.constraint.name=No Constraint
+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.encryptionCertSet.9.default.name=Signing Alg
+policyset.encryptionCertSet.9.default.params.signingAlg=-
+
diff --git a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
new file mode 100644
index 000000000..c9507b56f
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
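Review bot: The signing-algorithm allow list on the `policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed` line of this hunk admits MD2withRSA, MD5withRSA and the SHA-1 variants, and the key constraint near the top of the hunk accepts 1024-bit RSA (`keyParameters=1024,2048,3072,4096`), so a certificate signed with a digest that is no longer collision-resistant, over a key size below current minimums, passes profile validation. The default `signingAlg=-` presumably defers to the CA's own algorithm, which leaves this allow list as the only gate, so I would trim it to `policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC` and start the key sizes at 2048. The identical allow list and key sizes appear in caFullCMCUserCert.cfg, caIPAserviceCert.cfg, caInstallCACert.cfg and caInternalAuthAuditSigningCert.cfg in this same series. Separately, set 9 is labelled `constraint.name=No Constraint` although its class is signingAlgConstraintImpl, which misdescribes the check to anyone reading the profile listing.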
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
+enable=true
+enableBy=admin
+name=Signed CMC-Authenticated User Certificate Enrollment
+visible=false
+auth.instance_id=CMCAuth
+input.list=i1,i2
+input.i1.class_id=cmcCertReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=cmcUserCertSet
+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+policyset.cmcUserCertSet.1.constraint.params.accept=true
+policyset.cmcUserCertSet.1.constraint.params.pattern=.*
+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.cmcUserCertSet.1.default.name=Subject Name Default
+policyset.cmcUserCertSet.1.default.params.name=
+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+policyset.cmcUserCertSet.2.constraint.params.range=365
+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+policyset.cmcUserCertSet.2.default.name=Validity Default
+policyset.cmcUserCertSet.2.default.params.range=180
+policyset.cmcUserCertSet.2.default.params.startTime=0
+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.cmcUserCertSet.3.constraint.params.keyType=-
+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.cmcUserCertSet.3.default.name=Key Default
+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.4.constraint.name=No Constraint
+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.5.constraint.name=No Constraint
+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.cmcUserCertSet.6.default.name=Key Usage Default
+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.cmcUserCertSet.8.constraint.name=No Constraint
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.cmcUserCertSet.8.default.name=Signing Alg
+policyset.cmcUserCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caIPAserviceCert.cfg b/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
new file mode 100644
index 000000000..782df9061
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
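Review bot: The subject name constraint in this profile is `policyset.cmcUserCertSet.1.constraint.params.pattern=.*` with `accept=true`, so whatever DN the CMC request carries is accepted unchanged by userSubjectNameDefaultImpl, whereas the sibling user profiles in this series (caEncUserCert.cfg, caInstallCACert.cfg) at least require `CN=.*`. Together with `keyType=-` (any key type), the profile relies entirely on the CMC signer behind `auth.instance_id=CMCAuth` to vet the subject and key, and nothing in the file says so. If that delegation is intended, record it in the `desc=` line so operators know the subject is not validated here; otherwise tighten to `policyset.cmcUserCertSet.1.constraint.params.pattern=CN=.*`.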
@@ -0,0 +1,97 @@
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
+policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1
+policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=
+policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ipa.example.com/ipa/crl/MasterCRL.bin
+policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
+policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
diff --git a/base/ca/shared/profiles/ca/caInstallCACert.cfg b/base/ca/shared/profiles/ca/caInstallCACert.cfg
new file mode 100644
index 000000000..43588fe30
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caInstallCACert.cfg
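Review bot: Policy set 9, the CRL distribution point extension defined on the last lines of this hunk, is not referenced by `policyset.serverCertSet.list=1,2,3,4,5,6,7,8`, so if that list governs which entries are evaluated (as it appears to), the whole CDP block is dead configuration and the server certificates issued here carry no CRL pointer at all. If it is meant to be active, it also hard-codes `crlDistPointsPointName_0=https://ipa.example.com/ipa/crl/MasterCRL.bin`, a placeholder host that nothing in the hunk substitutes — the AIA location on the same profile is left empty rather than given an example value — which would direct relying parties to an unreachable CRL and leave revocation status unverifiable. Either enable the entry with `policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9` and make the URL a value the deployment fills in, or remove the block so the intent is unambiguous.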
@@ -0,0 +1,96 @@
+desc=This certificate profile is for enrolling Security Domain Certificate Authority certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Manual Security Domain Certificate Authority Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=caCertSet
+policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.caCertSet.1.constraint.name=Subject Name Constraint
+policyset.caCertSet.1.constraint.params.pattern=CN=.*
+policyset.caCertSet.1.constraint.params.accept=true
+policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.caCertSet.1.default.name=Subject Name Default
+policyset.caCertSet.1.default.params.name=
+policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.caCertSet.2.constraint.name=Validity Constraint
+policyset.caCertSet.2.constraint.params.range=720
+policyset.caCertSet.2.constraint.params.notBeforeCheck=false
+policyset.caCertSet.2.constraint.params.notAfterCheck=false
+policyset.caCertSet.2.default.class_id=validityDefaultImpl
+policyset.caCertSet.2.default.name=Validity Default
+policyset.caCertSet.2.default.params.range=720
+policyset.caCertSet.2.default.params.startTime=0
+policyset.caCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.caCertSet.3.constraint.name=Key Constraint
+policyset.caCertSet.3.constraint.params.keyType=-
+policyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.caCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.caCertSet.3.default.name=Key Default
+policyset.caCertSet.4.constraint.class_id=noConstraintImpl
+policyset.caCertSet.4.constraint.name=No Constraint
+policyset.caCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.caCertSet.4.default.name=Authority Key Identifier Default
+policyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint
+policyset.caCertSet.5.constraint.params.basicConstraintsCritical=true
+policyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true
+policyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1
+policyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
+policyset.caCertSet.5.default.name=Basic Constraints Extension Default
+policyset.caCertSet.5.default.params.basicConstraintsCritical=true
+policyset.caCertSet.5.default.params.basicConstraintsIsCA=true
+policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1
+policyset.caCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.caCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.caCertSet.6.constraint.params.keyUsageCritical=true
+policyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.caCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.caCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyCertSign=true
+policyset.caCertSet.6.constraint.params.keyUsageCrlSign=true
+policyset.caCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.caCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.caCertSet.6.default.name=Key Usage Default
+policyset.caCertSet.6.default.params.keyUsageCritical=true
+policyset.caCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.caCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.caCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.caCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.caCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.caCertSet.6.default.params.keyUsageKeyCertSign=true
+policyset.caCertSet.6.default.params.keyUsageCrlSign=true
+policyset.caCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.caCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.caCertSet.8.constraint.class_id=noConstraintImpl
+policyset.caCertSet.8.constraint.name=No Constraint
+policyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
+policyset.caCertSet.8.default.params.critical=false
+policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.caCertSet.9.constraint.name=No Constraint
+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.caCertSet.9.default.name=Signing Alg
+policyset.caCertSet.9.default.params.signingAlg=-
+policyset.caCertSet.10.constraint.class_id=noConstraintImpl
+policyset.caCertSet.10.constraint.name=No Constraint
+policyset.caCertSet.10.default.class_id=authInfoAccessExtDefaultImpl
+policyset.caCertSet.10.default.name=AIA Extension Default
+policyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true
+policyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=URIName
+policyset.caCertSet.10.default.params.authInfoAccessADLocation_0=
+policyset.caCertSet.10.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.caCertSet.10.default.params.authInfoAccessCritical=false
+policyset.caCertSet.10.default.params.authInfoAccessNumADs=1
diff --git a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
new file mode 100644
index 000000000..e0eb13d35
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
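Review bot: Basic constraints in policy set 5 leave the path length unconstrained (`basicConstraintsPathLen=-1` on the default, `basicConstraintsMinPathLen=-1`/`basicConstraintsMaxPathLen=-1` on the constraint), so every security-domain CA certificate issued through this profile may itself issue further subordinate CAs without limit; for a profile that hands out CA certificates to other subsystems that is a broad delegation and deserves either a bound (`policyset.caCertSet.5.default.params.basicConstraintsPathLen=0` if domain CAs are not expected to issue sub-CAs) or an explicit statement in `desc=` that unlimited depth is intended. The profile is also `visible=true` while the other TokenAuth profiles in this series (caInternalAuthAuditSigningCert.cfg, caInternalAuthDRMstorageCert.cfg) are `visible=false`, and its `authz.acl` omits the "Enterprise RA Administrators" group that those two include; both look deliberate but are worth confirming since they widen what is offered in the enrollment listing.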
@@ -0,0 +1,80 @@
+desc=This certificate profile is for enrolling audit signing certificates.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Audit Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=auditSigningCertSet
+policyset.auditSigningCertSet.list=1,2,3,4,5,6,9
+policyset.auditSigningCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.auditSigningCertSet.1.constraint.name=Subject Name Constraint
+policyset.auditSigningCertSet.1.constraint.params.pattern=CN=.*
+policyset.auditSigningCertSet.1.constraint.params.accept=true
+policyset.auditSigningCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.auditSigningCertSet.1.default.name=Subject Name Default
+policyset.auditSigningCertSet.1.default.params.name=
+policyset.auditSigningCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.auditSigningCertSet.2.constraint.name=Validity Constraint
+policyset.auditSigningCertSet.2.constraint.params.range=720
+policyset.auditSigningCertSet.2.constraint.params.notBeforeCheck=false
+policyset.auditSigningCertSet.2.constraint.params.notAfterCheck=false
+policyset.auditSigningCertSet.2.default.class_id=validityDefaultImpl
+policyset.auditSigningCertSet.2.default.name=Validity Default
+policyset.auditSigningCertSet.2.default.params.range=720
+policyset.auditSigningCertSet.2.default.params.startTime=0
+policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.auditSigningCertSet.3.constraint.name=Key Constraint
+policyset.auditSigningCertSet.3.constraint.params.keyType=-
+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.auditSigningCertSet.3.default.name=Key Default
+policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
+policyset.auditSigningCertSet.4.constraint.name=No Constraint
+policyset.auditSigningCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.auditSigningCertSet.4.default.name=Authority Key Identifier Default
+policyset.auditSigningCertSet.5.constraint.class_id=noConstraintImpl
+policyset.auditSigningCertSet.5.constraint.name=No Constraint
+policyset.auditSigningCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.auditSigningCertSet.5.default.name=AIA Extension Default
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.auditSigningCertSet.5.default.params.authInfoAccessCritical=false
+policyset.auditSigningCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.auditSigningCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.auditSigningCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.auditSigningCertSet.6.constraint.params.keyUsageCritical=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.auditSigningCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.auditSigningCertSet.6.default.name=Key Usage Default
+policyset.auditSigningCertSet.6.default.params.keyUsageCritical=true
+policyset.auditSigningCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.auditSigningCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.auditSigningCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false
+policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.auditSigningCertSet.9.constraint.name=No Constraint
+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.auditSigningCertSet.9.default.name=Signing Alg
+policyset.auditSigningCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
new file mode 100644
index 000000000..d5da9f599
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
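Review bot: The policy set list `policyset.auditSigningCertSet.list=1,2,3,4,5,6,9` includes no subject key identifier entry, so audit signing certificates issued here carry an authority key identifier (set 4) but no SKI of their own, which departs from the RFC 5280 recommendation for end-entity certificates and from caInstallCACert.cfg in this same series, whose set 8 adds `subjectKeyIdentifierExtDefaultImpl` with `critical=false`. Since the audit signing key is the one whose certificate verifiers must locate when checking log signatures, an SKI is cheap insurance; I would add a five-line set mirroring caInstallCACert.cfg's set 8 (constraint class noConstraintImpl and its name, default class subjectKeyIdentifierExtDefaultImpl and its name, and `critical=false`) and list it in `policyset.auditSigningCertSet.list`. The numbering gap (7 and 8 skipped) suggests such entries existed or were planned; if the omission is deliberate, a sentence in `desc=` saying so would stop the next reader from re-raising it.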
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling Security Domain DRM storage certificates
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain DRM storage Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=drmStorageCertSet
+policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9
+policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint
+policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.*
+policyset.drmStorageCertSet.1.constraint.params.accept=true
+policyset.drmStorageCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.drmStorageCertSet.1.default.name=Subject Name Default
+policyset.drmStorageCertSet.1.default.params.name=
+policyset.drmStorageCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.drmStorageCertSet.2.constraint.name=Validity Constraint
+policyset.drmStorageCertSet.2.constraint.params.range=720
+policyset.drmStorageCertSet.2.constraint.params.notBeforeCheck=false
+policyset.drmStorageCertSet.2.constraint.params.notAfterCheck=false
+policyset.drmStorageCertSet.2.default.class_id=validityDefaultImpl
+policyset.drmStorageCertSet.2.default.name=Validity Default
+policyset.drmStorageCertSet.2.default.params.range=720
+policyset.drmStorageCertSet.2.default.params.startTime=0
+policyset.drmStorageCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.drmStorageCertSet.3.constraint.name=Key Constraint
+policyset.drmStorageCertSet.3.constraint.params.keyType=-
+policyset.drmStorageCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.drmStorageCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.drmStorageCertSet.3.default.name=Key Default
+policyset.drmStorageCertSet.4.constraint.class_id=noConstraintImpl
+policyset.drmStorageCertSet.4.constraint.name=No Constraint
+policyset.drmStorageCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.drmStorageCertSet.4.default.name=Authority Key Identifier Default
+policyset.drmStorageCertSet.5.constraint.class_id=noConstraintImpl
+policyset.drmStorageCertSet.5.constraint.name=No Constraint
+policyset.drmStorageCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.drmStorageCertSet.5.default.name=AIA Extension Default
+policyset.drmStorageCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.drmStorageCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.drmStorageCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.drmStorageCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.drmStorageCertSet.5.default.params.authInfoAccessCritical=false
+policyset.drmStorageCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.drmStorageCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.drmStorageCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.drmStorageCertSet.6.constraint.params.keyUsageCritical=true
+policyset.drmStorageCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.drmStorageCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.drmStorageCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.drmStorageCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.drmStorageCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.drmStorageCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.drmStorageCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.drmStorageCertSet.6.default.name=Key Usage Default
+policyset.drmStorageCertSet.6.default.params.keyUsageCritical=true
+policyset.drmStorageCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.drmStorageCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.drmStorageCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.drmStorageCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.drmStorageCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false
+policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl
+policyset.drmStorageCertSet.7.constraint.name=No Constraint
+policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
+policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.drmStorageCertSet.9.constraint.name=No Constraint
+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.drmStorageCertSet.9.default.name=Signing Alg
+policyset.drmStorageCertSet.9.default.params.signingAlg=-
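Review bot: The `signingAlgsAllowed` constraint at the end of this hunk still admits `MD5withRSA` and `MD2withRSA`, and the key constraint two hunks up (`keyParameters=1024,2048,3072,4096`) still admits 1024-bit RSA keys, so the CA will accept enrollment requests for DRM storage certificates that use digests with known collision weaknesses and key sizes below current guidance. Since this commit only relocates the profile, these values are carried over rather than introduced, but this is the list the `signingAlgConstraintImpl` will enforce once the file is in its new location. The same allowlist appears in the OCSP, server, subsystem, transport and jar-signing profiles later in this diff. I would tighten it to `policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC` and drop `1024` from `keyParameters`, or add a comment in the file stating why the legacy algorithms must remain accepted.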
diff --git a/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
new file mode 100644
index 000000000..de07df565
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
@@ -0,0 +1,71 @@
+desc=This certificate profile is for enrolling Security Domain OCSP Manager certificates.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain OCSP Manager Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=ocspCertSet
+policyset.ocspCertSet.list=1,2,3,4,5,6,8,9
+policyset.ocspCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.ocspCertSet.1.constraint.name=Subject Name Constraint
+policyset.ocspCertSet.1.constraint.params.pattern=CN=.*
+policyset.ocspCertSet.1.constraint.params.accept=true
+policyset.ocspCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.ocspCertSet.1.default.name=Subject Name Default
+policyset.ocspCertSet.1.default.params.name=
+policyset.ocspCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.ocspCertSet.2.constraint.name=Validity Constraint
+policyset.ocspCertSet.2.constraint.params.range=720
+policyset.ocspCertSet.2.constraint.params.notBeforeCheck=false
+policyset.ocspCertSet.2.constraint.params.notAfterCheck=false
+policyset.ocspCertSet.2.default.class_id=validityDefaultImpl
+policyset.ocspCertSet.2.default.name=Validity Default
+policyset.ocspCertSet.2.default.params.range=720
+policyset.ocspCertSet.2.default.params.startTime=0
+policyset.ocspCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.ocspCertSet.3.constraint.name=Key Constraint
+policyset.ocspCertSet.3.constraint.params.keyType=-
+policyset.ocspCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.ocspCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.ocspCertSet.3.default.name=Key Default
+policyset.ocspCertSet.4.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.4.constraint.name=No Constraint
+policyset.ocspCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.ocspCertSet.4.default.name=Authority Key Identifier Default
+policyset.ocspCertSet.5.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.5.constraint.name=No Constraint
+policyset.ocspCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.ocspCertSet.5.default.name=AIA Extension Default
+policyset.ocspCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.ocspCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.ocspCertSet.5.default.params.authInfoAccessCritical=false
+policyset.ocspCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.ocspCertSet.6.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.ocspCertSet.6.constraint.name=Extended Key Usage Extension
+policyset.ocspCertSet.6.constraint.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.6.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.ocspCertSet.6.default.name=Extended Key Usage Default
+policyset.ocspCertSet.6.default.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.8.constraint.class_id=extensionConstraintImpl
+policyset.ocspCertSet.8.constraint.name=No Constraint
+policyset.ocspCertSet.8.constraint.params.extCritical=false
+policyset.ocspCertSet.8.constraint.params.extOID=1.3.6.1.5.5.7.48.1.5
+policyset.ocspCertSet.8.default.class_id=ocspNoCheckExtDefaultImpl
+policyset.ocspCertSet.8.default.name=OCSP No Check Extension
+policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
+policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.ocspCertSet.9.constraint.name=No Constraint
+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.ocspCertSet.9.default.name=Signing Alg
+policyset.ocspCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
new file mode 100644
index 000000000..f639d243b
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling Security Domain server certificates.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
new file mode 100644
index 000000000..ed18a547e
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg 
@@ -0,0 +1,88 @@
+desc=This certificate profile is for enrolling Security Domain subsystem certificates.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain Subsystem Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+updater.list=u1
+updater.u1.class_id=subsystemGroupUpdaterImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
new file mode 100644
index 000000000..538c76071
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg 
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling Security Domain Data Recovery Manager transport certificates.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain Data Recovery Manager Transport Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=transportCertSet
+policyset.transportCertSet.list=1,2,3,4,5,6,7,8
+policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.transportCertSet.1.constraint.name=Subject Name Constraint
+policyset.transportCertSet.1.constraint.params.pattern=CN=.*
+policyset.transportCertSet.1.constraint.params.accept=true
+policyset.transportCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.transportCertSet.1.default.name=Subject Name Default
+policyset.transportCertSet.1.default.params.name=
+policyset.transportCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.transportCertSet.2.constraint.name=Validity Constraint
+policyset.transportCertSet.2.constraint.params.range=720
+policyset.transportCertSet.2.constraint.params.notBeforeCheck=false
+policyset.transportCertSet.2.constraint.params.notAfterCheck=false
+policyset.transportCertSet.2.default.class_id=validityDefaultImpl
+policyset.transportCertSet.2.default.name=Validity Default
+policyset.transportCertSet.2.default.params.range=720
+policyset.transportCertSet.2.default.params.startTime=0
+policyset.transportCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.transportCertSet.3.constraint.name=Key Constraint
+policyset.transportCertSet.3.constraint.params.keyType=-
+policyset.transportCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.transportCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.transportCertSet.3.default.name=Key Default
+policyset.transportCertSet.4.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.4.constraint.name=No Constraint
+policyset.transportCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.transportCertSet.4.default.name=Authority Key Identifier Default
+policyset.transportCertSet.5.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.5.constraint.name=No Constraint
+policyset.transportCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.transportCertSet.5.default.name=AIA Extension Default
+policyset.transportCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.transportCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.transportCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.transportCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.transportCertSet.5.default.params.authInfoAccessCritical=false
+policyset.transportCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.transportCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.transportCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.transportCertSet.6.constraint.params.keyUsageCritical=true
+policyset.transportCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.transportCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.transportCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.transportCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.transportCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.transportCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.transportCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.transportCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.transportCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.transportCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.transportCertSet.6.default.name=Key Usage Default
+policyset.transportCertSet.6.default.params.keyUsageCritical=true
+policyset.transportCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.transportCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.transportCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.transportCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.transportCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.transportCertSet.6.default.params.keyUsageCrlSign=false
+policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.transportCertSet.7.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.7.constraint.name=No Constraint
+policyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.transportCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
+policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.transportCertSet.8.constraint.name=No Constraint
+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.transportCertSet.8.default.name=Signing Alg
+policyset.transportCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caJarSigningCert.cfg b/base/ca/shared/profiles/ca/caJarSigningCert.cfg
new file mode 100644
index 000000000..5ddf00776
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caJarSigningCert.cfg
@@ -0,0 +1,86 @@
+desc=This is an IPA profile for enrolling Jar Signing certificates.
+enable=true
+enableBy=admin
+name=Manual Jar Signing Certificate Enrollment
+visible=false
+auth.class_id=
+auth.instance_id=raCertAuth
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=caJarSigningSet
+policyset.caJarSigningSet.list=1,2,3,4,5,6
+policyset.caJarSigningSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.caJarSigningSet.1.constraint.name=Subject Name Constraint
+policyset.caJarSigningSet.1.constraint.params.accept=true
+policyset.caJarSigningSet.1.constraint.params.pattern=.*
+policyset.caJarSigningSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.caJarSigningSet.1.default.name=Subject Name Default
+policyset.caJarSigningSet.1.default.params.name=
+policyset.caJarSigningSet.2.constraint.class_id=validityConstraintImpl
+policyset.caJarSigningSet.2.constraint.name=Validity Constraint
+policyset.caJarSigningSet.2.constraint.params.notAfterCheck=false
+policyset.caJarSigningSet.2.constraint.params.notBeforeCheck=false
+policyset.caJarSigningSet.2.constraint.params.range=2922
+policyset.caJarSigningSet.2.default.class_id=validityDefaultImpl
+policyset.caJarSigningSet.2.default.name=Validity Default
+policyset.caJarSigningSet.2.default.params.range=1461
+policyset.caJarSigningSet.2.default.params.startTime=60
+policyset.caJarSigningSet.3.constraint.class_id=keyConstraintImpl
+policyset.caJarSigningSet.3.constraint.name=Key Constraint
+policyset.caJarSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.caJarSigningSet.3.constraint.params.keyType=RSA
+policyset.caJarSigningSet.3.default.class_id=userKeyDefaultImpl
+policyset.caJarSigningSet.3.default.name=Key Default
+policyset.caJarSigningSet.4.constraint.class_id=keyUsageExtConstraintImpl
+policyset.caJarSigningSet.4.constraint.name=Key Usage Extension Constraint
+policyset.caJarSigningSet.4.constraint.params.keyUsageCritical=-
+policyset.caJarSigningSet.4.constraint.params.keyUsageCrlSign=-
+policyset.caJarSigningSet.4.constraint.params.keyUsageDataEncipherment=-
+policyset.caJarSigningSet.4.constraint.params.keyUsageDecipherOnly=-
+policyset.caJarSigningSet.4.constraint.params.keyUsageDigitalSignature=-
+policyset.caJarSigningSet.4.constraint.params.keyUsageEncipherOnly=-
+policyset.caJarSigningSet.4.constraint.params.keyUsageKeyAgreement=-
+policyset.caJarSigningSet.4.constraint.params.keyUsageKeyCertSign=-
+policyset.caJarSigningSet.4.constraint.params.keyUsageKeyEncipherment=-
+policyset.caJarSigningSet.4.constraint.params.keyUsageNonRepudiation=-
+policyset.caJarSigningSet.4.default.class_id=keyUsageExtDefaultImpl
+policyset.caJarSigningSet.4.default.name=Key Usage Default
+policyset.caJarSigningSet.4.default.params.keyUsageCritical=true
+policyset.caJarSigningSet.4.default.params.keyUsageCrlSign=false
+policyset.caJarSigningSet.4.default.params.keyUsageDataEncipherment=false
+policyset.caJarSigningSet.4.default.params.keyUsageDecipherOnly=false
+policyset.caJarSigningSet.4.default.params.keyUsageDigitalSignature=true
+policyset.caJarSigningSet.4.default.params.keyUsageEncipherOnly=false
+policyset.caJarSigningSet.4.default.params.keyUsageKeyAgreement=false
+policyset.caJarSigningSet.4.default.params.keyUsageKeyCertSign=true
+policyset.caJarSigningSet.4.default.params.keyUsageKeyEncipherment=false
+policyset.caJarSigningSet.4.default.params.keyUsageNonRepudiation=false
+policyset.caJarSigningSet.5.constraint.class_id=nsCertTypeExtConstraintImpl
+policyset.caJarSigningSet.5.constraint.name=Netscape Certificate Type Extension Constraint
+policyset.caJarSigningSet.5.constraint.params.nsCertCritical=-
+policyset.caJarSigningSet.5.constraint.params.nsCertEmail=-
+policyset.caJarSigningSet.5.constraint.params.nsCertEmailCA=-
+policyset.caJarSigningSet.5.constraint.params.nsCertObjectSigning=-
+policyset.caJarSigningSet.5.constraint.params.nsCertObjectSigningCA=-
+policyset.caJarSigningSet.5.constraint.params.nsCertSSLCA=-
+policyset.caJarSigningSet.5.constraint.params.nsCertSSLClient=-
+policyset.caJarSigningSet.5.constraint.params.nsCertSSLServer=-
+policyset.caJarSigningSet.5.default.class_id=nsCertTypeExtDefaultImpl
+policyset.caJarSigningSet.5.default.name=Netscape Certificate Type Extension Default
+policyset.caJarSigningSet.5.default.params.nsCertCritical=false
+policyset.caJarSigningSet.5.default.params.nsCertEmail=false
+policyset.caJarSigningSet.5.default.params.nsCertEmailCA=false
+policyset.caJarSigningSet.5.default.params.nsCertObjectSigning=true
+policyset.caJarSigningSet.5.default.params.nsCertObjectSigningCA=false
+policyset.caJarSigningSet.5.default.params.nsCertSSLCA=false
+policyset.caJarSigningSet.5.default.params.nsCertSSLClient=false
+policyset.caJarSigningSet.5.default.params.nsCertSSLServer=false
+policyset.caJarSigningSet.6.constraint.class_id=signingAlgConstraintImpl
+policyset.caJarSigningSet.6.constraint.name=No Constraint
+policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.caJarSigningSet.6.default.class_id=signingAlgDefaultImpl
+policyset.caJarSigningSet.6.default.name=Signing Alg
+policyset.caJarSigningSet.6.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caManualRenewal.cfg b/base/ca/shared/profiles/ca/caManualRenewal.cfg
new file mode 100755
index 000000000..e470f2a28
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caManualRenewal.cfg
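Review bot: The Key Usage default in this profile sets `keyUsageKeyCertSign=true` (previous hunk line) while the Netscape cert type default here sets `nsCertObjectSigning=true` and every CA flag to false, so a certificate enrolled for jar signing would carry the keyCertSign bit in a critical Key Usage extension; every key-usage constraint param is `-`, so nothing in the profile rejects that. This commit only relocates the file, so the setting is pre-existing, but it looks inconsistent with an end-entity object-signing profile and is worth confirming against the intended use. If keyCertSign is not intended, `policyset.caJarSigningSet.4.default.params.keyUsageKeyCertSign=false` would align the Key Usage default with the nsCertType default; if it is intended, a comment in the file stating why would help the next reader.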
@@ -0,0 +1,11 @@
+desc=This certificate profile is for renewing certificates to be approved manually by agents.
+visible=true
+enable=true
+enableBy=admin
+renewal=true
+auth.instance_id=
+name=Renewal: Renew certificate to be manually approved by agents
+input.list=i1
+input.i1.class_id=serialNumRenewInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
diff --git a/base/ca/shared/profiles/ca/caOCSPCert.cfg b/base/ca/shared/profiles/ca/caOCSPCert.cfg
new file mode 100644
index 000000000..bda3ee752
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caOCSPCert.cfg
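Review bot: `auth.instance_id=` is left empty, so this renewal profile accepts submissions from unauthenticated callers and the agent approval implied by the profile name is the only gate; since the sole input is `serialNumRenewInputImpl`, anyone reaching the enrollment interface can queue a renewal request against any certificate serial. That is presumably intended for a manual-approval profile, but agents reviewing the queue should know the submitter identity is unverified and that the queue can be flooded. If the profile store preserves comments, state it next to the setting: `# NOTE: no submitter authentication; agent review is the only control on renewal requests`.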
@@ -0,0 +1,70 @@
+desc=This certificate profile is for enrolling OCSP Manager certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual OCSP Manager Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=ocspCertSet
+policyset.ocspCertSet.list=1,2,3,4,5,6,8,9
+policyset.ocspCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.ocspCertSet.1.constraint.name=Subject Name Constraint
+policyset.ocspCertSet.1.constraint.params.pattern=CN=.*
+policyset.ocspCertSet.1.constraint.params.accept=true
+policyset.ocspCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.ocspCertSet.1.default.name=Subject Name Default
+policyset.ocspCertSet.1.default.params.name=
+policyset.ocspCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.ocspCertSet.2.constraint.name=Validity Constraint
+policyset.ocspCertSet.2.constraint.params.range=720
+policyset.ocspCertSet.2.constraint.params.notBeforeCheck=false
+policyset.ocspCertSet.2.constraint.params.notAfterCheck=false
+policyset.ocspCertSet.2.default.class_id=validityDefaultImpl
+policyset.ocspCertSet.2.default.name=Validity Default
+policyset.ocspCertSet.2.default.params.range=720
+policyset.ocspCertSet.2.default.params.startTime=0
+policyset.ocspCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.ocspCertSet.3.constraint.name=Key Constraint
+policyset.ocspCertSet.3.constraint.params.keyType=RSA
+policyset.ocspCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.ocspCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.ocspCertSet.3.default.name=Key Default
+policyset.ocspCertSet.4.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.4.constraint.name=No Constraint
+policyset.ocspCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.ocspCertSet.4.default.name=Authority Key Identifier Default
+policyset.ocspCertSet.5.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.5.constraint.name=No Constraint
+policyset.ocspCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.ocspCertSet.5.default.name=AIA Extension Default
+policyset.ocspCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.ocspCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.ocspCertSet.5.default.params.authInfoAccessCritical=false
+policyset.ocspCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.ocspCertSet.6.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.ocspCertSet.6.constraint.name=Extended Key Usage Extension
+policyset.ocspCertSet.6.constraint.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.6.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.ocspCertSet.6.default.name=Extended Key Usage Default
+policyset.ocspCertSet.6.default.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.8.constraint.class_id=extensionConstraintImpl
+policyset.ocspCertSet.8.constraint.name=No Constraint
+policyset.ocspCertSet.8.constraint.params.extCritical=false
+policyset.ocspCertSet.8.constraint.params.extOID=1.3.6.1.5.5.7.48.1.5
+policyset.ocspCertSet.8.default.class_id=ocspNoCheckExtDefaultImpl
+policyset.ocspCertSet.8.default.name=OCSP No Check Extension
+policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
+policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.ocspCertSet.9.constraint.name=No Constraint
+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.ocspCertSet.9.default.name=Signing Alg
+policyset.ocspCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caOtherCert.cfg b/base/ca/shared/profiles/ca/caOtherCert.cfg
new file mode 100644
index 000000000..305a37b92
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caOtherCert.cfg
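Review bot: Policy 8 stamps id-pkix-ocsp-nocheck (`extOID=1.3.6.1.5.5.7.48.1.5`) onto a responder certificate whose validity constraint and default are both `range=720` days; relying parties that honour nocheck will not consult revocation for this certificate at all, so a compromised OCSP signing key can keep producing "good" responses for its full two-year lifetime. RFC 6960 §4.2.2.2.1 advises CAs that issue nocheck responder certificates to keep them short-lived, so consider lowering `policyset.ocspCertSet.2.constraint.params.range` and `policyset.ocspCertSet.2.default.params.range` (for example to 90) or at least recording the trade-off in `desc`. Policy 9's `signingAlgsAllowed` also still offers `MD5withRSA,MD2withRSA`, which have no place on a certificate that vouches for revocation status, and policy 3 still accepts 1024-bit RSA keys.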
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling other certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Other Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=otherCertSet
+policyset.otherCertSet.list=1,2,3,4,5,6,7,8
+policyset.otherCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.otherCertSet.1.constraint.name=Subject Name Constraint
+policyset.otherCertSet.1.constraint.params.pattern=CN=.*
+policyset.otherCertSet.1.constraint.params.accept=true
+policyset.otherCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.otherCertSet.1.default.name=Subject Name Default
+policyset.otherCertSet.1.default.params.name=
+policyset.otherCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.otherCertSet.2.constraint.name=Validity Constraint
+policyset.otherCertSet.2.constraint.params.range=720
+policyset.otherCertSet.2.constraint.params.notBeforeCheck=false
+policyset.otherCertSet.2.constraint.params.notAfterCheck=false
+policyset.otherCertSet.2.default.class_id=validityDefaultImpl
+policyset.otherCertSet.2.default.name=Validity Default
+policyset.otherCertSet.2.default.params.range=720
+policyset.otherCertSet.2.default.params.startTime=0
+policyset.otherCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.otherCertSet.3.constraint.name=Key Constraint
+policyset.otherCertSet.3.constraint.params.keyType=RSA
+policyset.otherCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.otherCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.otherCertSet.3.default.name=Key Default
+policyset.otherCertSet.4.constraint.class_id=noConstraintImpl
+policyset.otherCertSet.4.constraint.name=No Constraint
+policyset.otherCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.otherCertSet.4.default.name=Authority Key Identifier Default
+policyset.otherCertSet.5.constraint.class_id=noConstraintImpl
+policyset.otherCertSet.5.constraint.name=No Constraint
+policyset.otherCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.otherCertSet.5.default.name=AIA Extension Default
+policyset.otherCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.otherCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.otherCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.otherCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.otherCertSet.5.default.params.authInfoAccessCritical=false
+policyset.otherCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.otherCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.otherCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.otherCertSet.6.constraint.params.keyUsageCritical=true
+policyset.otherCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.otherCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.otherCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.otherCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.otherCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.otherCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.otherCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.otherCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.otherCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.otherCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.otherCertSet.6.default.name=Key Usage Default
+policyset.otherCertSet.6.default.params.keyUsageCritical=true
+policyset.otherCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.otherCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.otherCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.otherCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.otherCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.otherCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.otherCertSet.6.default.params.keyUsageCrlSign=false
+policyset.otherCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.otherCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.otherCertSet.7.constraint.class_id=noConstraintImpl
+policyset.otherCertSet.7.constraint.name=No Constraint
+policyset.otherCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.otherCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.otherCertSet.7.default.params.exKeyUsageCritical=false
+policyset.otherCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+policyset.otherCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.otherCertSet.8.constraint.name=No Constraint
+policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.otherCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.otherCertSet.8.default.name=Signing Alg
+policyset.otherCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caRACert.cfg b/base/ca/shared/profiles/ca/caRACert.cfg
new file mode 100644
index 000000000..a3d8dc45f
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caRACert.cfg
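Review bot: Policy 8's `signingAlgsAllowed` permits `MD5withRSA` and `MD2withRSA`, so whoever sets the request's signing algorithm can have the CA sign with a collision-broken hash, and nothing else in the profile narrows that choice; MD5 chosen-prefix collisions are exactly how forged certificates have been produced in the past. Drop both entries: `policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC`; the same list recurs in the sibling profiles in this commit. Separately, `desc`/`name` speak of "other certificates" while policy 7 hard-codes EKU serverAuth (`1.3.6.1.5.5.7.3.1`) under `noConstraintImpl` and policy 6 enables `dataEncipherment`, so the description should say what this profile actually issues, e.g. `desc=This certificate profile is for enrolling other TLS server certificates (EKU serverAuth) with manual agent approval.`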
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling Registration Manager certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Registration Manager Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=raCertSet
+policyset.raCertSet.list=1,2,3,4,5,6,7,8
+policyset.raCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.raCertSet.1.constraint.name=Subject Name Constraint
+policyset.raCertSet.1.constraint.params.pattern=CN=.*
+policyset.raCertSet.1.constraint.params.accept=true
+policyset.raCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.raCertSet.1.default.name=Subject Name Default
+policyset.raCertSet.1.default.params.name=
+policyset.raCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.raCertSet.2.constraint.name=Validity Constraint
+policyset.raCertSet.2.constraint.params.range=720
+policyset.raCertSet.2.constraint.params.notBeforeCheck=false
+policyset.raCertSet.2.constraint.params.notAfterCheck=false
+policyset.raCertSet.2.default.class_id=validityDefaultImpl
+policyset.raCertSet.2.default.name=Validity Default
+policyset.raCertSet.2.default.params.range=720
+policyset.raCertSet.2.default.params.startTime=0
+policyset.raCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.raCertSet.3.constraint.name=Key Constraint
+policyset.raCertSet.3.constraint.params.keyType=RSA
+policyset.raCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.raCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.raCertSet.3.default.name=Key Default
+policyset.raCertSet.4.constraint.class_id=noConstraintImpl
+policyset.raCertSet.4.constraint.name=No Constraint
+policyset.raCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.raCertSet.4.default.name=Authority Key Identifier Default
+policyset.raCertSet.5.constraint.class_id=noConstraintImpl
+policyset.raCertSet.5.constraint.name=No Constraint
+policyset.raCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.raCertSet.5.default.name=AIA Extension Default
+policyset.raCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.raCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.raCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.raCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.raCertSet.5.default.params.authInfoAccessCritical=false
+policyset.raCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.raCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.raCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.raCertSet.6.constraint.params.keyUsageCritical=true
+policyset.raCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.raCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.raCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.raCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.raCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.raCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.raCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.raCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.raCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.raCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.raCertSet.6.default.name=Key Usage Default
+policyset.raCertSet.6.default.params.keyUsageCritical=true
+policyset.raCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.raCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.raCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.raCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.raCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.raCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.raCertSet.6.default.params.keyUsageCrlSign=false
+policyset.raCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.raCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.raCertSet.7.constraint.class_id=noConstraintImpl
+policyset.raCertSet.7.constraint.name=No Constraint
+policyset.raCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.raCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.raCertSet.7.default.params.exKeyUsageCritical=false
+policyset.raCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.raCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.raCertSet.8.constraint.name=No Constraint
+policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.raCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.raCertSet.8.default.name=Signing Alg
+policyset.raCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caRARouterCert.cfg b/base/ca/shared/profiles/ca/caRARouterCert.cfg
new file mode 100644
index 000000000..284076686
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caRARouterCert.cfg
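Review bot: Policy 3 still admits 1024-bit RSA (`keyParameters=1024,2048,3072,4096`) for a Registration Manager signing certificate, and an RA certificate is what the `raCertAuth`-gated profiles elsewhere in this commit trust to vouch for enrollments, so a factorable RA key would undermine every agent-authenticated issuance behind it. Tighten it to `policyset.raCertSet.3.constraint.params.keyParameters=2048,3072,4096`; existing RAs with 2048-bit or larger keys are unaffected. Policy 8's `signingAlgsAllowed` likewise still lists `MD5withRSA,MD2withRSA`, which should not be selectable for a trust-anchor-like certificate.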
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling router certificates.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=RA Agent-Authenticated Router Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caRAagentCert.cfg b/base/ca/shared/profiles/ca/caRAagentCert.cfg
new file mode 100644
index 000000000..d330e6f01
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caRAagentCert.cfg
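Review bot: Policy 1 accepts any subject at all (`pattern=.*` with `accept=true`), so a request that passes `raCertAuth` can obtain a certificate with an arbitrary DN, including one that mirrors a CA, subsystem or agent subject, and because the profile is `visible=false` nobody reviews it by hand; the other manual profiles in this commit at least require `CN=.*`. Unless routers genuinely need free-form names, narrow it, e.g. `policyset.serverCertSet.1.constraint.params.pattern=CN=.*`, or better a pattern matching the router naming scheme the RA enforces. The EKU default (`1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4`, clientAuth plus emailProtection) under `noConstraintImpl` is also an odd fit for a "router certificate"; if that pairing is intentional (e.g. for IPsec/IKE peers), the `desc` should say so.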
@@ -0,0 +1,95 @@
+desc=This certificate profile is for enrolling RA agent user certificates with RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=RA Agent-Authenticated Agent User Certificate Enrollment
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.i3.class_id=subjectDNInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=UID=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=RSA
+policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
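Review bot: Policy 8 copies `$request.requestor_email$` verbatim into an rfc822Name SAN while policy 7 grants emailProtection (`1.3.6.1.5.5.7.3.4`); `requestor_email` presumably comes from the `submitterInfoInputImpl` form, i.e. whatever address the submitter typed, so the only thing binding that address to the agent user is the RA certificate that authenticated the request, and the default sits under `noConstraintImpl`. If RA-vetted addresses are the intended trust model, say so in `desc` (e.g. `... the submitter-supplied e-mail is placed in the SAN without verification`); otherwise derive the SAN from the authenticated identity or add a constraint on the pattern. Minor: this profile's policy 9 `signingAlgsAllowed` omits `SHA1withDSA` unlike every sibling profile, yet still keeps `MD5withRSA,MD2withRSA`, which should be removed across the set.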
diff --git a/base/ca/shared/profiles/ca/caRAserverCert.cfg b/base/ca/shared/profiles/ca/caRAserverCert.cfg
new file mode 100644
index 000000000..297c001e3
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caRAserverCert.cfg
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling server certificates with RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=365
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=180
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caRouterCert.cfg b/base/ca/shared/profiles/ca/caRouterCert.cfg
new file mode 100644
index 000000000..2400c69b8
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caRouterCert.cfg
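Review bot: Policy 6 enables `keyUsageDataEncipherment=true` (and the constraint permits it) on a certificate whose EKU in policy 7 is serverAuth only (`1.3.6.1.5.5.7.3.1`); TLS needs digitalSignature and keyEncipherment, and adding dataEncipherment only widens what a leaked server key is valid for, which the sibling caRARouterCert profile in this commit avoids. Consider `policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false` (and the matching constraint line) unless a concrete consumer depends on it. Policy 3 also still permits 1024-bit RSA and policy 8 still lists `MD5withRSA,MD2withRSA` in `signingAlgsAllowed`, both worth pruning for an automatically approved (`visible=false`, `raCertAuth`) server profile.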
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling router certificates.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=flatFileAuth
+name=One Time Pin Router Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg b/base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg
new file mode 100755
index 000000000..d502e84d4
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg
@@ -0,0 +1,9 @@
+desc=This certificate profile is for renewing SSL client certificates.
+visible=true
+enable=true
+enableBy=admin
+renewal=true
+auth.instance_id=SSLclientCertAuth
+name=Renewal: Self-renew user SSL client certificates
+output.list=o1
+output.o1.class_id=certOutputImpl
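Review bot: The signing-algorithm constraint at `policyset.serverCertSet.8.constraint.params.signingAlgsAllowed` admits `MD5withRSA` and `MD2withRSA` (plus the SHA-1 variants), so a request can ask for a certificate signed with a digest that is no longer collision-resistant; the identical list is carried by caServerCert.cfg, caSignedLogCert.cfg, caSimpleCMCUserCert.cfg and caTPSCert.cfg in this commit. The commit only relocates these profiles, so this is pre-existing rather than introduced here, but the new location is a reasonable point to tighten it, e.g. `policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`. The key constraint `policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096` likewise still accepts 1024-bit RSA in every one of these profiles. Separately, the entry is labelled `policyset.serverCertSet.8.constraint.name=No Constraint` although its class is `signingAlgConstraintImpl`; a name such as `Signing Algorithm Constraint` would stop an operator reading the profile from concluding that no algorithm check is applied.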
diff --git a/base/ca/shared/profiles/ca/caServerCert.cfg b/base/ca/shared/profiles/ca/caServerCert.cfg
new file mode 100644
index 000000000..060194d8a
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caServerCert.cfg
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling server certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caSignedLogCert.cfg b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
new file mode 100644
index 000000000..ad5a09667
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
@@ -0,0 +1,74 @@
+desc=This profile is for enrolling audit log signing certificates
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Log Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=caLogSigningSet
+policyset.caLogSigningSet.list=1,2,3,4,6,8,9
+policyset.caLogSigningSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.caLogSigningSet.1.constraint.name=Subject Name Constraint
+policyset.caLogSigningSet.1.constraint.params.pattern=CN=.*
+policyset.caLogSigningSet.1.constraint.params.accept=true
+policyset.caLogSigningSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.caLogSigningSet.1.default.name=Subject Name Default
+policyset.caLogSigningSet.1.default.params.name=
+policyset.caLogSigningSet.2.constraint.class_id=validityConstraintImpl
+policyset.caLogSigningSet.2.constraint.name=Validity Constraint
+policyset.caLogSigningSet.2.constraint.params.range=365
+policyset.caLogSigningSet.2.constraint.params.notBeforeCheck=false
+policyset.caLogSigningSet.2.constraint.params.notAfterCheck=false
+policyset.caLogSigningSet.2.default.class_id=validityDefaultImpl
+policyset.caLogSigningSet.2.default.name=Validity Default
+policyset.caLogSigningSet.2.default.params.range=180
+policyset.caLogSigningSet.2.default.params.startTime=60
+policyset.caLogSigningSet.3.constraint.class_id=keyConstraintImpl
+policyset.caLogSigningSet.3.constraint.name=Key Constraint
+policyset.caLogSigningSet.3.constraint.params.keyType=RSA
+policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.caLogSigningSet.3.default.class_id=userKeyDefaultImpl
+policyset.caLogSigningSet.3.default.name=Key Default
+policyset.caLogSigningSet.4.constraint.class_id=noConstraintImpl
+policyset.caLogSigningSet.4.constraint.name=No Constraint
+policyset.caLogSigningSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.caLogSigningSet.4.default.name=Authority Key Identifier Default
+policyset.caLogSigningSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.caLogSigningSet.6.constraint.name=Key Usage Extension Constraint
+policyset.caLogSigningSet.6.constraint.params.keyUsageCritical=true
+policyset.caLogSigningSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.caLogSigningSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.caLogSigningSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageCrlSign=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.caLogSigningSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.caLogSigningSet.6.default.name=Key Usage Default
+policyset.caLogSigningSet.6.default.params.keyUsageCritical=true
+policyset.caLogSigningSet.6.default.params.keyUsageDigitalSignature=true
+policyset.caLogSigningSet.6.default.params.keyUsageNonRepudiation=true
+policyset.caLogSigningSet.6.default.params.keyUsageDataEncipherment=false
+policyset.caLogSigningSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.caLogSigningSet.6.default.params.keyUsageKeyAgreement=false
+policyset.caLogSigningSet.6.default.params.keyUsageKeyCertSign=false
+policyset.caLogSigningSet.6.default.params.keyUsageCrlSign=false
+policyset.caLogSigningSet.6.default.params.keyUsageEncipherOnly=false
+policyset.caLogSigningSet.6.default.params.keyUsageDecipherOnly=false
+policyset.caLogSigningSet.8.constraint.class_id=noConstraintImpl
+policyset.caLogSigningSet.8.constraint.name=No Constraint
+policyset.caLogSigningSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.caLogSigningSet.8.default.name=Subject Key Identifier Extension Default
+policyset.caLogSigningSet.8.default.params.critical=false
+policyset.caLogSigningSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.caLogSigningSet.9.constraint.name=No Constraint
+policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.caLogSigningSet.9.default.class_id=signingAlgDefaultImpl
+policyset.caLogSigningSet.9.default.name=Signing Alg
+policyset.caLogSigningSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
new file mode 100644
index 000000000..a823bab10
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
@@ -0,0 +1,84 @@
+desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
+enable=true
+enableBy=admin
+name=Simple CMC Enrollment Request for User Certificate
+visible=false
+auth.instance_id=
+input.list=i1
+input.i1.class_id=certReqInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=cmcUserCertSet
+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+policyset.cmcUserCertSet.1.constraint.params.accept=true
+policyset.cmcUserCertSet.1.constraint.params.pattern=.*
+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.cmcUserCertSet.1.default.name=Subject Name Default
+policyset.cmcUserCertSet.1.default.params.name=
+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+policyset.cmcUserCertSet.2.constraint.params.range=365
+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+policyset.cmcUserCertSet.2.default.name=Validity Default
+policyset.cmcUserCertSet.2.default.params.range=180
+policyset.cmcUserCertSet.2.default.params.startTime=0
+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.cmcUserCertSet.3.constraint.params.keyType=-
+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.cmcUserCertSet.3.default.name=Key Default
+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.4.constraint.name=No Constraint
+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.5.constraint.name=No Constraint
+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.cmcUserCertSet.6.default.name=Key Usage Default
+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.cmcUserCertSet.8.constraint.name=No Constraint
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.cmcUserCertSet.8.default.name=Signing Alg
+policyset.cmcUserCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caTPSCert.cfg b/base/ca/shared/profiles/ca/caTPSCert.cfg
new file mode 100644
index 000000000..5553d4f41
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caTPSCert.cfg
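Review bot: `auth.instance_id=` is left empty even though `desc` states that this profile relies on CMC Signature authentication, so — if an empty instance id means no profile-level authenticator is attached — the profile itself performs no authentication and depends entirely on a CMC signature check that is not visible in this file. That dependency should be recorded next to the line, e.g. `# auth.instance_id is intentionally empty: the request is authenticated by CMC signature verification, not by a profile authenticator`, or a concrete authenticator should be named. With `policyset.cmcUserCertSet.1.constraint.params.pattern=.*` and `policyset.cmcUserCertSet.3.constraint.params.keyType=-` the subject name and key type are also unconstrained, so the external check is the only thing binding the issued certificate to a requester. The commit only relocates the file, so this is pre-existing; `visible=false` and `enableBy=admin` limit its exposure but do not remove the ambiguity.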
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling TPS server certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual TPS Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg b/base/ca/shared/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
new file mode 100644
index 000000000..530b3395a
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
@@ -0,0 +1,144 @@
+desc=This profile is for enrolling token device keys
+enable=true
+enableBy=admin
+lastModified=1068835451090
+name=Temporary Device Certificate Enrollment
+visible=false
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsHKeyCertReqInputImpl
+input.i1.name=nsHKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p3,p4,p5,p1,p7,p8,p9,p12,p6
+policyset.set1.list=p2,p4,p5,p1,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenDeviceKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenDeviceKeySubjectNameDefault
+policyset.set1.p1.default.params.dnpattern=UID=Token Key Device - $request.tokencuid$
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=7
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p3.constraint.class_id=noConstraintImpl
+policyset.set1.p3.constraint.name=No Constraint
+policyset.set1.p3.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p3.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p3.default.params.crlDistPointsCritical=false
+policyset.set1.p3.default.params.crlDistPointsNum=1
+policyset.set1.p3.default.params.crlDistPointsEnable_0=false
+policyset.set1.p3.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p3.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p3.default.params.crlDistPointsPointName_0=
+policyset.set1.p3.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p3.default.params.crlDistPointsReasons_0=
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=true
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=false
+policyset.set1.p5.default.params.keyUsageNonRepudiation=false
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.num=5
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=OtherName
+policyset.set1.p6.default.params.subjAltExtType_1=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=1
diff --git a/base/ca/shared/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg b/base/ca/shared/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
new file mode 100644
index 000000000..5f4c85f18
--- /dev/null
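Review bot: The output section of caTempTokenDeviceKeyEnrollment.cfg is internally inconsistent: `output.list=o1` registers only o1, yet o1 receives a `class_id` and no `name`, while the name sits under `output.o2.name=nsNKeyOutputImpl`, an id that is never listed. Presumably a single output is intended, so the line should read `output.o1.name=nsNKeyOutputImpl`. The same o1/o2 pair appears in the caTempTokenUserEncryptionKeyEnrollment.cfg and caTempTokenUserSigningKeyEnrollment.cfg hunks below, and in the caTokenDeviceKeyEnrollment.cfg hunk that starts at the end of this chunk. Since this commit only relocates files it can go in a follow-up, but it is worth a ticket so the mismatch stops being copied from profile to profile.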
+++ b/base/ca/shared/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg 
@@ -0,0 +1,166 @@
+desc=This profile is for enrolling Token Encryption key
+enable=true
+enableBy=admin
+name=Temporary Token User Encryption Certificate Enrollment
+visible=false
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsNKeyCertReqInputImpl
+input.i1.name=nsNKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14
+policyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault
+#uncomment below to support SMIME
+#policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, E=$request.mail$, O=Token Key User
+policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
+#changed ldap.enable to true to support SMIME
+policyset.set1.p1.default.params.ldap.enable=false
+policyset.set1.p1.default.params.ldap.searchName=uid
+policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
+policyset.set1.p1.default.params.ldap.basedn=
+policyset.set1.p1.default.params.ldap.maxConns=4
+policyset.set1.p1.default.params.ldap.minConns=1
+policyset.set1.p1.default.params.ldap.ldapconn.Version=2
+policyset.set1.p1.default.params.ldap.ldapconn.host=
+policyset.set1.p1.default.params.ldap.ldapconn.port=
+policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=7
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=false
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
+policyset.set1.p5.default.params.keyUsageNonRepudiation=false
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_1=OtherName
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=1
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.num=5
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p13.constraint.class_id=noConstraintImpl
+policyset.set1.p13.constraint.name=No Constraint
+policyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.params.crlDistPointsCritical=false
+policyset.set1.p13.default.params.crlDistPointsNum=1
+policyset.set1.p13.default.params.crlDistPointsEnable_0=false
+policyset.set1.p13.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p13.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p13.default.params.crlDistPointsPointName_0=
+policyset.set1.p13.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p13.default.params.crlDistPointsReasons_0=
+policyset.set1.p14.constraint.class_id=noConstraintImpl
+policyset.set1.p14.constraint.name=No Constraint
+policyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.p14.default.name=AIA Extension Default
+policyset.set1.p14.default.params.authInfoAccessADEnable_0=false
+policyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.p14.default.params.authInfoAccessADLocation_0=
+policyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.set1.p14.default.params.authInfoAccessCritical=false
+policyset.set1.p14.default.params.authInfoAccessNumADs=1
diff --git a/base/ca/shared/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg b/base/ca/shared/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
new file mode 100644
index 000000000..8500b9d06
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
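Review bot: The p1 subject-name block in caTempTokenUserEncryptionKeyEnrollment.cfg ships `ldap.ldapconn.Version=2` and `ldap.ldapconn.secureConn=false` next to a comment that invites operators to set `ldap.enable=true` for S/MIME, so the directory lookup that would then be switched on appears to default to LDAPv2 without TLS against an empty host and basedn. While `ldap.enable=false` is in effect these values are inert, but a profile that documents flipping the switch should carry safe defaults rather than the weakest ones. I would change the two lines to `policyset.set1.p1.default.params.ldap.ldapconn.Version=3` and `policyset.set1.p1.default.params.ldap.ldapconn.secureConn=true`, or at minimum extend the `#changed ldap.enable to true to support SMIME` comment to say that host, basedn, port, protocol version and the TLS setting must be filled in before enabling. The identical block is in the caTempTokenUserSigningKeyEnrollment.cfg hunk that follows.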
@@ -0,0 +1,166 @@
+desc=This profile is for enrolling Token Signing key
+enable=true
+enableBy=admin
+name=Temporary Token User Signing Certificate Enrollment
+visible=false
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsNKeyCertReqInputImpl
+input.i1.name=nsNKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14
+policyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault
+#uncomment below to support SMIME
+#policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, E=$request.mail$, O=Token Key User
+policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
+#changed ldap.enable to true to support SMIME
+policyset.set1.p1.default.params.ldap.enable=false
+policyset.set1.p1.default.params.ldap.searchName=uid
+policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
+policyset.set1.p1.default.params.ldap.basedn=
+policyset.set1.p1.default.params.ldap.maxConns=4
+policyset.set1.p1.default.params.ldap.minConns=1
+policyset.set1.p1.default.params.ldap.ldapconn.Version=2
+policyset.set1.p1.default.params.ldap.ldapconn.host=
+policyset.set1.p1.default.params.ldap.ldapconn.port=
+policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=7
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=true
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=false
+policyset.set1.p5.default.params.keyUsageNonRepudiation=true
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_1=OtherName
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=1
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.num=5
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p13.constraint.class_id=noConstraintImpl
+policyset.set1.p13.constraint.name=No Constraint
+policyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.params.crlDistPointsCritical=false
+policyset.set1.p13.default.params.crlDistPointsNum=1
+policyset.set1.p13.default.params.crlDistPointsEnable_0=false
+policyset.set1.p13.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p13.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p13.default.params.crlDistPointsPointName_0=
+policyset.set1.p13.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p13.default.params.crlDistPointsReasons_0=
+policyset.set1.p14.constraint.class_id=noConstraintImpl
+policyset.set1.p14.constraint.name=No Constraint
+policyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.p14.default.name=AIA Extension Default
+policyset.set1.p14.default.params.authInfoAccessADEnable_0=false
+policyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.p14.default.params.authInfoAccessADLocation_0=
+policyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.set1.p14.default.params.authInfoAccessCritical=false
+policyset.set1.p14.default.params.authInfoAccessNumADs=1
diff --git a/base/ca/shared/profiles/ca/caTokenDeviceKeyEnrollment.cfg b/base/ca/shared/profiles/ca/caTokenDeviceKeyEnrollment.cfg
new file mode 100644
index 000000000..ba0520963
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caTokenDeviceKeyEnrollment.cfg
@@ -0,0 +1,143 @@
+desc=This profile is for enrolling token device keys
+enable=true
+enableBy=admin
+lastModified=1068835451090
+name=Token Device Key Enrollment
+visible=false
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsHKeyCertReqInputImpl
+input.i1.name=nsHKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p3,p4,p5,p1,p7,p8,p9,p12,p6
+policyset.set1.list=p2,p4,p5,p1,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenDeviceKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenDeviceKeySubjectNameDefault
+policyset.set1.p1.default.params.dnpattern=UID=Token Key Device - $request.tokencuid$
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=1825
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p3.constraint.class_id=noConstraintImpl
+policyset.set1.p3.constraint.name=No Constraint
+policyset.set1.p3.default.class_id=crlDistributionPointsExtDefaultImpl +policyset.set1.p3.default.name=crlDistributionPointsExtDefaultImpl +policyset.set1.p3.default.params.crlDistPointsCritical=false +policyset.set1.p3.default.params.crlDistPointsNum=1 +policyset.set1.p3.default.params.crlDistPointsEnable_0=false +policyset.set1.p3.default.params.crlDistPointsIssuerName_0= +policyset.set1.p3.default.params.crlDistPointsIssuerType_0= +policyset.set1.p3.default.params.crlDistPointsPointName_0= +policyset.set1.p3.default.params.crlDistPointsPointType_0=URIName +policyset.set1.p3.default.params.crlDistPointsReasons_0= +policyset.set1.p4.constraint.class_id=noConstraintImpl +policyset.set1.p4.constraint.name=No Constraint +policyset.set1.p4.default.class_id=signingAlgDefaultImpl +policyset.set1.p4.default.name=Signing Algorithm Default +policyset.set1.p4.default.params.signingAlg=- +policyset.set1.p5.constraint.class_id=noConstraintImpl +policyset.set1.p5.constraint.name=No Constraint +policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl +policyset.set1.p5.default.name=Key Usage Extension Default +policyset.set1.p5.default.params.keyUsageCritical=true +policyset.set1.p5.default.params.keyUsageCrlSign=false +policyset.set1.p5.default.params.keyUsageDataEncipherment=false +policyset.set1.p5.default.params.keyUsageDecipherOnly=false +policyset.set1.p5.default.params.keyUsageDigitalSignature=true +policyset.set1.p5.default.params.keyUsageEncipherOnly=false +policyset.set1.p5.default.params.keyUsageKeyAgreement=false +policyset.set1.p5.default.params.keyUsageKeyCertSign=false +policyset.set1.p5.default.params.keyUsageKeyEncipherment=false +policyset.set1.p5.default.params.keyUsageNonRepudiation=false +policyset.set1.p7.constraint.class_id=noConstraintImpl +policyset.set1.p7.constraint.name=No Constraint +policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl +policyset.set1.p7.default.name=Certificate Policies Extension Default 
+policyset.set1.p7.default.params.Critical=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId= +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers= +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization= +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId= +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers= +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization= +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId= +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value= 
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers= +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization= +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId= +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers= +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization= +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId= +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers= +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization= 
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=OtherName
+policyset.set1.p6.default.params.subjAltExtType_1=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=1
diff --git a/base/ca/shared/profiles/ca/caTokenMSLoginEnrollment.cfg b/base/ca/shared/profiles/ca/caTokenMSLoginEnrollment.cfg
new file mode 100644
index 000000000..37c9af5e0
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caTokenMSLoginEnrollment.cfg
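Review bot: The output entry's display name is keyed under an id that is never listed: `output.list=o1` and `output.o1.class_id=nsNKeyOutputImpl` pair with `output.o2.name=nsNKeyOutputImpl`, so o1 has no name and the o2 line is dead; it should read `output.o1.name=nsNKeyOutputImpl`. The same mismatch is present in caTokenMSLoginEnrollment.cfg, caTokenUserEncryptionKeyEnrollment.cfg and caTokenUserSigningKeyEnrollment.cfg below. `policyset.set1.p3.default.name=crlDistributionPointsExtDefaultImpl` reuses the class id as the display name where every other policy in this file has a readable one; `CRL Distribution Points Extension Default` would match the rest (p13 in the three profiles below has the same issue). p3, p6 and p7 are fully defined but absent from `policyset.set1.list=p2,p4,p5,p1,p8,p9,p12`, with the older list kept as a comment; if they are intentionally disabled, a one-line comment above the list saying so (e.g. `# p3/p6/p7 are defined but intentionally not enabled for device keys`) would save the next reader from re-deriving it.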
@@ -0,0 +1,171 @@
+desc=This profile is for enrolling MS Login Certificate
+enable=true
+enableBy=admin
+name=Token User MS Login Certificate Enrollment
+visible=false
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsNKeyCertReqInputImpl
+input.i1.name=nsNKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14
+policyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12,p13,p14,p15
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault
+policyset.set1.p1.default.params.dnpattern=CN=uid=$request.uid$,E=$request.mail$, ou=$request.upn$, o=example
+#changed ldap.enable to true to support SMIME
+policyset.set1.p1.default.params.ldap.enable=true
+policyset.set1.p1.default.params.ldap.searchName=uid
+policyset.set1.p1.default.params.ldapStringAttributes=uid,mail,givenName,sn,upn
+policyset.set1.p1.default.params.ldap.basedn=ou=People,dc=example,dc=com
+policyset.set1.p1.default.params.ldap.maxConns=4
+policyset.set1.p1.default.params.ldap.minConns=1
+policyset.set1.p1.default.params.ldap.ldapconn.Version=2
+policyset.set1.p1.default.params.ldap.ldapconn.host=localhost.localdomain
+policyset.set1.p1.default.params.ldap.ldapconn.port=389
+policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=1825
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default +policyset.set1.p4.default.params.signingAlg=- +policyset.set1.p5.constraint.class_id=noConstraintImpl +policyset.set1.p5.constraint.name=No Constraint +policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl +policyset.set1.p5.default.name=Key Usage Extension Default +policyset.set1.p5.default.params.keyUsageCritical=true +policyset.set1.p5.default.params.keyUsageCrlSign=false +policyset.set1.p5.default.params.keyUsageDataEncipherment=false +policyset.set1.p5.default.params.keyUsageDecipherOnly=false +policyset.set1.p5.default.params.keyUsageDigitalSignature=true +policyset.set1.p5.default.params.keyUsageEncipherOnly=false +policyset.set1.p5.default.params.keyUsageKeyAgreement=false +policyset.set1.p5.default.params.keyUsageKeyCertSign=false +policyset.set1.p5.default.params.keyUsageKeyEncipherment=false +policyset.set1.p5.default.params.keyUsageNonRepudiation=true +policyset.set1.p6.constraint.class_id=noConstraintImpl +policyset.set1.p6.constraint.name=No Constraint +policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl +policyset.set1.p6.default.name=Subject Alternative Name Extension Default +policyset.set1.p6.default.params.subjAltExtGNEnable_0=true +policyset.set1.p6.default.params.subjAltExtGNEnable_1=true +policyset.set1.p6.default.params.subjAltExtGNEnable_2=false +policyset.set1.p6.default.params.subjAltExtGNEnable_3=false +policyset.set1.p6.default.params.subjAltExtGNEnable_4=false +policyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$ +policyset.set1.p6.default.params.subjAltExtPattern_1=(UTF8String)1.3.6.1.4.1.311.20.2.3,$request.upn$ +policyset.set1.p6.default.params.subjAltExtPattern_2= +policyset.set1.p6.default.params.subjAltExtPattern_3= +policyset.set1.p6.default.params.subjAltExtPattern_4= +policyset.set1.p6.default.params.subjAltExtType_0=RFC822Name +policyset.set1.p6.default.params.subjAltExtType_1=OtherName 
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name +policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name +policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name +policyset.set1.p6.default.params.subjAltNameExtCritical=false +policyset.set1.p6.default.params.subjAltNameNumGNs=2 +policyset.set1.p7.constraint.class_id=noConstraintImpl +policyset.set1.p7.constraint.name=No Constraint +policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl +policyset.set1.p7.default.name=Certificate Policies Extension Default +policyset.set1.p7.default.params.Critical=false +policyset.set1.p7.default.params.PoliciesExt.num=5 +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId= +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers= +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization= +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId= +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value= + 
policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers= + policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization= +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId= +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false + policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value= + policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers= + policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization= +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId= +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers= + policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization= +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId= 
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers= +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization= +policyset.set1.p8.constraint.class_id=noConstraintImpl +policyset.set1.p8.constraint.name=No Constraint +policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl +policyset.set1.p8.default.name=Subject Key Identifier Default +policyset.set1.p9.constraint.class_id=noConstraintImpl +policyset.set1.p9.constraint.name=No Constraint +policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.set1.p9.default.name=Authority Key Identifier Extension Default +policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl +policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint +policyset.set1.p12.constraint.params.basicConstraintsCritical=- +policyset.set1.p12.constraint.params.basicConstraintsIsCA=- +policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1 +policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1 +policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl +policyset.set1.p12.default.name=Basic Constraints Extension Default +policyset.set1.p12.default.params.basicConstraintsCritical=false +policyset.set1.p12.default.params.basicConstraintsIsCA=false +policyset.set1.p12.default.params.basicConstraintsPathLen=-1 +policyset.set1.p13.constraint.class_id=noConstraintImpl +policyset.set1.p13.constraint.name=No Constraint 
+policyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.params.crlDistPointsCritical=false
+policyset.set1.p13.default.params.crlDistPointsNum=1
+policyset.set1.p13.default.params.crlDistPointsEnable_0=true
+policyset.set1.p13.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p13.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p13.default.params.crlDistPointsPointName_0=http://localhost.localdomain:9443/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL
+policyset.set1.p13.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p13.default.params.crlDistPointsReasons_0=
+policyset.set1.p14.constraint.class_id=noConstraintImpl
+policyset.set1.p14.constraint.name=No Constraint
+policyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.p14.default.name=AIA Extension Default
+policyset.set1.p14.default.params.authInfoAccessADEnable_0=true
+policyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.p14.default.params.authInfoAccessADLocation_0=http://localhost.localdomain:9443/ca/ocsp
+policyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.set1.p14.default.params.authInfoAccessCritical=false
+policyset.set1.p14.default.params.authInfoAccessNumADs=1
+policyset.set1.p15.constraint.class_id=noConstraintImpl
+policyset.set1.p15.constraint.name=No Constraint
+policyset.set1.p15.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.set1.p15.default.name=Extended Key Usage Extension Default
+policyset.set1.p15.default.params.exKeyUsageCritical=false
+policyset.set1.p15.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.4.1.311.20.2.2
+
diff --git a/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg b/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
new file mode 100644
index 000000000..5b3ecd40c
--- /dev/null
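Review bot: The LDAP lookup that fills the subject DN and the UPN SAN is switched on with placeholder, cleartext connection settings baked into the shipped profile: `policyset.set1.p1.default.params.ldap.enable=true` against `ldap.ldapconn.host=localhost.localdomain`, `ldap.ldapconn.port=389`, `ldap.ldapconn.secureConn=false`, `ldap.ldapconn.Version=2` and `ldap.basedn=ou=People,dc=example,dc=com`, so the identity attributes bound into the certificate would be fetched over an unprotected LDAPv2 connection to a host that only exists on a test box. The CRL DP and AIA URLs (`crlDistPointsPointName_0=http://localhost.localdomain:9443/ca/ee/ca/getCRL?...` and `authInfoAccessADLocation_0=http://localhost.localdomain:9443/ca/ocsp`) have the same problem and would be unreachable for any relying party. If the install tooling substitutes instance values into configuration, these belong there rather than verbatim in the profile (I cannot confirm such a step from this hunk), and `secureConn=true` with a v3 `Version` is the safer setting if the lookup stays enabled. Separately, `dnpattern=CN=uid=$request.uid$,E=$request.mail$, ou=$request.upn$, o=example` puts a literal `uid=` inside the CN and another placeholder in `o=example`; please confirm that CN form is intended rather than a leftover.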
+++ b/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg 
@@ -0,0 +1,170 @@
+desc=This profile is for enrolling Token Encryption key
+enable=true
+enableBy=admin
+name=Token User Encryption Certificate Enrollment
+visible=false
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsNKeyCertReqInputImpl
+input.i1.name=nsNKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14
+policyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault
+policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
+#changed ldap.enable to true to support SMIME
+policyset.set1.p1.default.params.ldap.enable=false
+policyset.set1.p1.default.params.ldap.searchName=uid
+policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
+policyset.set1.p1.default.params.ldap.basedn=
+policyset.set1.p1.default.params.ldap.maxConns=4
+policyset.set1.p1.default.params.ldap.minConns=1
+policyset.set1.p1.default.params.ldap.ldapconn.Version=2
+policyset.set1.p1.default.params.ldap.ldapconn.host=
+policyset.set1.p1.default.params.ldap.ldapconn.port=
+policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=1825
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl +policyset.set1.p5.constraint.name=No Constraint +policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl +policyset.set1.p5.default.name=Key Usage Extension Default +policyset.set1.p5.default.params.keyUsageCritical=true +policyset.set1.p5.default.params.keyUsageCrlSign=false +policyset.set1.p5.default.params.keyUsageDataEncipherment=false +policyset.set1.p5.default.params.keyUsageDecipherOnly=false +policyset.set1.p5.default.params.keyUsageDigitalSignature=false +policyset.set1.p5.default.params.keyUsageEncipherOnly=false +policyset.set1.p5.default.params.keyUsageKeyAgreement=false +policyset.set1.p5.default.params.keyUsageKeyCertSign=false +policyset.set1.p5.default.params.keyUsageKeyEncipherment=true +policyset.set1.p5.default.params.keyUsageNonRepudiation=false +policyset.set1.p6.constraint.class_id=noConstraintImpl +policyset.set1.p6.constraint.name=No Constraint +policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl +policyset.set1.p6.default.name=Subject Alternative Name Extension Default +policyset.set1.p6.default.params.subjAltExtGNEnable_0=true +policyset.set1.p6.default.params.subjAltExtGNEnable_1=false +policyset.set1.p6.default.params.subjAltExtGNEnable_2=false +policyset.set1.p6.default.params.subjAltExtGNEnable_3=false +policyset.set1.p6.default.params.subjAltExtGNEnable_4=false +policyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$ +policyset.set1.p6.default.params.subjAltExtPattern_1= +policyset.set1.p6.default.params.subjAltExtPattern_2= +policyset.set1.p6.default.params.subjAltExtPattern_3= +policyset.set1.p6.default.params.subjAltExtPattern_4= +policyset.set1.p6.default.params.subjAltExtType_0=RFC822Name +policyset.set1.p6.default.params.subjAltExtType_1=OtherName +policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name +policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name +policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name 
+policyset.set1.p6.default.params.subjAltNameExtCritical=false +policyset.set1.p6.default.params.subjAltNameNumGNs=1 +policyset.set1.p7.constraint.class_id=noConstraintImpl +policyset.set1.p7.constraint.name=No Constraint +policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl +policyset.set1.p7.default.name=Certificate Policies Extension Default +policyset.set1.p7.default.params.Critical=false +policyset.set1.p7.default.params.PoliciesExt.num=5 +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId= +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers= +policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization= +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId= +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers= +policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization= 
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId= +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers= +policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization= +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId= +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers= +policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization= +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId= +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false 
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value= +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers= +policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization= +policyset.set1.p8.constraint.class_id=noConstraintImpl +policyset.set1.p8.constraint.name=No Constraint +policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl +policyset.set1.p8.default.name=Subject Key Identifier Default +policyset.set1.p9.constraint.class_id=noConstraintImpl +policyset.set1.p9.constraint.name=No Constraint +policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.set1.p9.default.name=Authority Key Identifier Extension Default +policyset.set1.10.constraint.class_id=renewGracePeriodConstraintImpl +policyset.set1.10.constraint.name=Renewal Grace Period Constraint +policyset.set1.10.constraint.params.renewal.graceBefore=30 +policyset.set1.10.constraint.params.renewal.graceAfter=30 +policyset.set1.10.default.class_id=noDefaultImpl +policyset.set1.10.default.name=No Default +policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl +policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint +policyset.set1.p12.constraint.params.basicConstraintsCritical=- +policyset.set1.p12.constraint.params.basicConstraintsIsCA=- +policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1 +policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1 +policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl +policyset.set1.p12.default.name=Basic Constraints Extension Default +policyset.set1.p12.default.params.basicConstraintsCritical=false +policyset.set1.p12.default.params.basicConstraintsIsCA=false +policyset.set1.p12.default.params.basicConstraintsPathLen=-1 +policyset.set1.p13.constraint.class_id=noConstraintImpl 
+policyset.set1.p13.constraint.name=No Constraint
+policyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.params.crlDistPointsCritical=false
+policyset.set1.p13.default.params.crlDistPointsNum=1
+policyset.set1.p13.default.params.crlDistPointsEnable_0=false
+policyset.set1.p13.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p13.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p13.default.params.crlDistPointsPointName_0=
+policyset.set1.p13.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p13.default.params.crlDistPointsReasons_0=
+policyset.set1.p14.constraint.class_id=noConstraintImpl
+policyset.set1.p14.constraint.name=No Constraint
+policyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.p14.default.name=AIA Extension Default
+policyset.set1.p14.default.params.authInfoAccessADEnable_0=false
+policyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.p14.default.params.authInfoAccessADLocation_0=
+policyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.set1.p14.default.params.authInfoAccessCritical=false
+policyset.set1.p14.default.params.authInfoAccessNumADs=1
diff --git a/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg b/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
new file mode 100644
index 000000000..281e2a43e
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
@@ -0,0 +1,11 @@
+desc=This certificate profile is for renewing a token encryption certificate
+visible=false
+enable=true
+enableBy=admin
+renewal=true
+auth.instance_id=AgentCertAuth
+name=smart card token signing cert renewal profile
+input.list=i1
+input.i1.class_id=serialNumRenewInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
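Review bot: The comment `#changed ldap.enable to true to support SMIME` sits directly above `policyset.set1.p1.default.params.ldap.enable=false`, so it documents the opposite of the setting it annotates; either the comment is stale and should be dropped, or the value is wrong, and the same contradiction appears in caTokenUserSigningKeyEnrollment.cfg below. Separately, the renewal grace-period entries are keyed `policyset.set1.10.constraint.*` / `policyset.set1.10.default.*` instead of the `policyset.set1.p10.` form used for every other policy here, and neither `10` nor `p10` appears in `policyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12` or the commented-out list, so the `renewGracePeriodConstraintImpl` constraint with `graceBefore=30`/`graceAfter=30` is never applied. If that constraint is intended, rename the keys to `policyset.set1.p10.` and add `p10` to the list; if not, the six lines are dead configuration.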
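Review bot: `name=smart card token signing cert renewal profile` contradicts `desc=This certificate profile is for renewing a token encryption certificate` in the same file, and the name is what an agent sees when choosing a profile; it should read `name=smart card token encryption cert renewal profile` (or the desc should change, whichever is intended). The file also declares no `policyset.list`, so unlike the enrollment profiles nothing here bounds validity or a renewal grace period — presumably the renewal path takes those from the original certificate's profile, but that is not visible in this hunk and is worth a one-line comment in the file.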
diff --git a/base/ca/shared/profiles/ca/caTokenUserSigningKeyEnrollment.cfg b/base/ca/shared/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
new file mode 100644
index 000000000..ebc231808
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
@@ -0,0 +1,170 @@
+desc=This profile is for enrolling Token Signing key
+enable=true
+enableBy=admin
+name=Token User Signing Certificate Enrollment
+visible=false
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsNKeyCertReqInputImpl
+input.i1.name=nsNKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14
+policyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault
+policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
+#changed ldap.enable to true to support SMIME
+policyset.set1.p1.default.params.ldap.enable=false
+policyset.set1.p1.default.params.ldap.searchName=uid
+policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
+policyset.set1.p1.default.params.ldap.basedn=
+policyset.set1.p1.default.params.ldap.maxConns=4
+policyset.set1.p1.default.params.ldap.minConns=1
+policyset.set1.p1.default.params.ldap.ldapconn.Version=2
+policyset.set1.p1.default.params.ldap.ldapconn.host=
+policyset.set1.p1.default.params.ldap.ldapconn.port=
+policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=1825
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=true
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=false
+policyset.set1.p5.default.params.keyUsageNonRepudiation=true
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_1=OtherName
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=1
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.num=5
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.10.constraint.class_id=renewGracePeriodConstraintImpl
+policyset.set1.10.constraint.name=Renewal Grace Period Constraint
+policyset.set1.10.constraint.params.renewal.graceBefore=30
+policyset.set1.10.constraint.params.renewal.graceAfter=30
+policyset.set1.10.default.class_id=noDefaultImpl
+policyset.set1.10.default.name=No Default
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p13.constraint.class_id=noConstraintImpl
+policyset.set1.p13.constraint.name=No Constraint
+policyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.params.crlDistPointsCritical=false
+policyset.set1.p13.default.params.crlDistPointsNum=1
+policyset.set1.p13.default.params.crlDistPointsEnable_0=false
+policyset.set1.p13.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p13.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p13.default.params.crlDistPointsPointName_0=
+policyset.set1.p13.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p13.default.params.crlDistPointsReasons_0=
+policyset.set1.p14.constraint.class_id=noConstraintImpl
+policyset.set1.p14.constraint.name=No Constraint
+policyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.p14.default.name=AIA Extension Default
+policyset.set1.p14.default.params.authInfoAccessADEnable_0=false
+policyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.p14.default.params.authInfoAccessADLocation_0=
+policyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.set1.p14.default.params.authInfoAccessCritical=false
+policyset.set1.p14.default.params.authInfoAccessNumADs=1
diff --git a/base/ca/shared/profiles/ca/caTokenUserSigningKeyRenewal.cfg b/base/ca/shared/profiles/ca/caTokenUserSigningKeyRenewal.cfg
new file mode 100644
index 000000000..e89e32382
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caTokenUserSigningKeyRenewal.cfg
@@ -0,0 +1,11 @@
+desc=This certificate profile is for renewing a token certificate
+visible=false
+enable=true
+enableBy=admin
+renewal=true
+auth.instance_id=AgentCertAuth
+name=smart card token signing cert renewal profile
+input.list=i1
+input.i1.class_id=serialNumRenewInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
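Review bot: `policyset.set1.10.*` lacks the `p` prefix every other policy in this set uses and `10` is not in `policyset.set1.list`, so the Renewal Grace Period Constraint (graceBefore/graceAfter=30) is never evaluated for caTokenUserSigningKeyEnrollment.cfg; if it is meant to apply, the keys should become `policyset.set1.p10.*` and `p10` should be added to the list. `output.o2.name=nsNKeyOutputImpl` likewise names an output `o2` that is absent from `output.list=o1` and probably should be `output.o1.name=nsNKeyOutputImpl`. The comment `#changed ldap.enable to true to support SMIME` contradicts the value right below it, `ldap.enable=false`, and should be reworded or dropped. Should the LDAP lookup later be switched on, note that `ldapconn.secureConn=false` together with `ldapconn.Version=2` configures a cleartext LDAPv2 connection for resolving the uid/mail that end up in the issued certificate; `secureConn=true` (and `Version=3`) is the safer shipped default.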
diff --git a/base/ca/shared/profiles/ca/caTransportCert.cfg b/base/ca/shared/profiles/ca/caTransportCert.cfg
new file mode 100644
index 000000000..466e2b313
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caTransportCert.cfg
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling Data Recovery Manager transport certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Data Recovery Manager Transport Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=transportCertSet
+policyset.transportCertSet.list=1,2,3,4,5,6,7,8
+policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.transportCertSet.1.constraint.name=Subject Name Constraint
+policyset.transportCertSet.1.constraint.params.pattern=CN=.*
+policyset.transportCertSet.1.constraint.params.accept=true
+policyset.transportCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.transportCertSet.1.default.name=Subject Name Default
+policyset.transportCertSet.1.default.params.name=
+policyset.transportCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.transportCertSet.2.constraint.name=Validity Constraint
+policyset.transportCertSet.2.constraint.params.range=720
+policyset.transportCertSet.2.constraint.params.notBeforeCheck=false
+policyset.transportCertSet.2.constraint.params.notAfterCheck=false
+policyset.transportCertSet.2.default.class_id=validityDefaultImpl
+policyset.transportCertSet.2.default.name=Validity Default
+policyset.transportCertSet.2.default.params.range=720
+policyset.transportCertSet.2.default.params.startTime=0
+policyset.transportCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.transportCertSet.3.constraint.name=Key Constraint
+policyset.transportCertSet.3.constraint.params.keyType=RSA
+policyset.transportCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.transportCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.transportCertSet.3.default.name=Key Default
+policyset.transportCertSet.4.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.4.constraint.name=No Constraint
+policyset.transportCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.transportCertSet.4.default.name=Authority Key Identifier Default
+policyset.transportCertSet.5.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.5.constraint.name=No Constraint
+policyset.transportCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.transportCertSet.5.default.name=AIA Extension Default
+policyset.transportCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.transportCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.transportCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.transportCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.transportCertSet.5.default.params.authInfoAccessCritical=false
+policyset.transportCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.transportCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.transportCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.transportCertSet.6.constraint.params.keyUsageCritical=true
+policyset.transportCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.transportCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.transportCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.transportCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.transportCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.transportCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.transportCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.transportCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.transportCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.transportCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.transportCertSet.6.default.name=Key Usage Default
+policyset.transportCertSet.6.default.params.keyUsageCritical=true
+policyset.transportCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.transportCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.transportCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.transportCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.transportCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.transportCertSet.6.default.params.keyUsageCrlSign=false
+policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.transportCertSet.7.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.7.constraint.name=No Constraint
+policyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.transportCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
+policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.transportCertSet.8.constraint.name=No Constraint
+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.transportCertSet.8.default.name=Signing Alg
+policyset.transportCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg b/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
new file mode 100644
index 000000000..f1701081c
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
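Review bot: `policyset.transportCertSet.8.constraint.params.signingAlgsAllowed` still admits `MD5withRSA`, `MD2withRSA` and the SHA-1 variants for the Data Recovery Manager transport certificate, i.e. the certificate relied upon to protect keys sent for archival; with the default `signingAlg=-` (presumably "use the CA's configured algorithm") the constraint is the only thing bounding what an agent can select, so MD2/MD5 should be removed from the list and SHA-1 considered for removal. In the same policy set, `3.constraint.params.keyParameters=1024,2048,3072,4096` still allows a 1024-bit RSA transport key. `8.constraint.name=No Constraint` labels a `signingAlgConstraintImpl`, which misdescribes it in the admin/agent views; `Signing Algorithm Constraint` would be accurate. The same allowed-algorithm list, 1024-bit key size and `No Constraint` label recur in policy 9 of caUUIDdeviceCert.cfg and caUserCert.cfg below.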
@@ -0,0 +1,99 @@
+desc=This certificate profile is for enrolling device certificates to contain UUID in the Subject Alternative Name extension
+visible=true
+enable=false
+enableBy=admin
+name=Manual device Dual-Use Certificate Enrollment to contain UUID in SAN
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=keyGenInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=UID=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=RSA
+policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltExtType_1=OtherName
+policyset.userCertSet.8.default.params.subjAltExtPattern_1=(IA5String)1.2.3.4,$server.source$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_1=true
+policyset.userCertSet.8.default.params.subjAltExtSource_1=UUID4
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=2
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caUserCert.cfg b/base/ca/shared/profiles/ca/caUserCert.cfg
new file mode 100644
index 000000000..9a5d83c9b
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caUserCert.cfg
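Review bot: `policyset.userCertSet.8.default.params.subjAltExtPattern_1=(IA5String)1.2.3.4,$server.source$` in caUUIDdeviceCert.cfg types the OtherName UUID with OID `1.2.3.4`, which looks like a sample arc rather than an assigned one; relying parties identify the UUID by this OID, so a comment such as `# 1.2.3.4 is a placeholder type-id OID; replace with an organisation-assigned arc before enabling this profile` right above the line would stop it being deployed as-is. The profile ships with `enable=false`, which limits the exposure until an admin turns it on. `8.default.name=Subject Alt Name Constraint` labels a default (`subjectAltNameExtDefaultImpl`), not a constraint, and should read `Subject Alt Name Default`; policy 8 of caUserCert.cfg below carries the same label.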
@@ -0,0 +1,101 @@
+desc=This certificate profile is for enrolling user certificates.
+visible=true
+enable=true
+enableBy=admin
+name=Manual User Dual-Use Certificate Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=keyGenInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=UID=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
+policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
+policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
+policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
+policyset.userCertSet.10.default.class_id=noDefaultImpl
+policyset.userCertSet.10.default.name=No Default
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=RSA
+policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg b/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg
new file mode 100644
index 000000000..c273e26f0
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg
@@ -0,0 +1,107 @@
+desc=This certificate profile is for enrolling user certificates with S/MIME capabilities extension - OID: 1.2.840.113549.1.9.15
+visible=true
+enable=true
+enableBy=admin
+name=Manual User Dual-Use S/MIME capabilities Certificate Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=keyGenInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9,11
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=UID=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
+policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
+policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
+policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
+policyset.userCertSet.10.default.class_id=noDefaultImpl
+policyset.userCertSet.10.default.name=No Default
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=RSA
+policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
+policyset.userCertSet.11.constraint.class_id=noConstraintImpl
+policyset.userCertSet.11.constraint.name=No Constraint
+policyset.userCertSet.11.default.class_id=genericExtDefaultImpl
+policyset.userCertSet.11.default.name=Generic Extension
+policyset.userCertSet.11.default.params.genericExtOID=1.2.840.113549.1.9.15
+policyset.userCertSet.11.default.params.genericExtData=3067300B06092A864886F70D010105300B06092A864886F70D01010B300B06092A864886F70D01010C300B06092A864886F70D01010D300A06082A864886F70D0307300B0609608648016503040102300B060960864801650304012A300B06092A864886F70D010101
diff --git a/base/ca/shared/webapps/ROOT/WEB-INF/web.xml b/base/ca/shared/webapps/ROOT/WEB-INF/web.xml
new file mode 100644
index 000000000..59245836e
--- /dev/null
+++ b/base/ca/shared/webapps/ROOT/WEB-INF/web.xml
@@ -0,0 +1,29 @@ + + + + + + Welcome to Tomcat + + Welcome to Tomcat + + + +
diff --git a/base/ca/shared/webapps/ROOT/index.jsp b/base/ca/shared/webapps/ROOT/index.jsp
new file mode 100644
index 000000000..85a4654c3
--- /dev/null
+++ b/base/ca/shared/webapps/ROOT/index.jsp
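Review bot: The signing-algorithm constraint at `policyset.userCertSet.9.constraint.params.signingAlgsAllowed` still admits `MD5withRSA` and `MD2withRSA` (plus `SHA1withRSA`), and `policyset.userCertSet.3.constraint.params.keyParameters` still accepts 1024-bit RSA, so an agent can approve a user S/MIME certificate signed with a collision-broken digest over a key below current minimums. The commit only relocates the profile, but this is the copy that ships from here on, and the same allowed-list appears in the sibling profile at the top of this chunk. I would trim the two lines to `policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC` and `policyset.userCertSet.3.constraint.params.keyParameters=2048,3072,4096`, or at minimum drop the MD2/MD5 entries, after confirming no deployed CA signing key or client still relies on them. The DER in `genericExtData` also appears to advertise sha1WithRSA and 3DES among the S/MIME capabilities; worth confirming that preference list is intended rather than inherited.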
@@ -0,0 +1,94 @@
+
+<%
+ // establish acceptable schemes
+ final String HTTP_SCHEME = "http";
+ final String HTTPS_SCHEME = "https";
+
+ // establish known ports
+ final int EE_HTTP_PORT = [PKI_UNSECURE_PORT];
+ final int AGENT_HTTPS_PORT = [PKI_AGENT_SECURE_PORT];
+ final int EE_HTTPS_PORT = [PKI_EE_SECURE_PORT];
+ final int ADMIN_HTTPS_PORT = [PKI_ADMIN_SECURE_PORT];
+
+ // establish known paths
+ final String ADMIN_PATH = "/[PKI_SUBSYSTEM_TYPE]/services";
+ final String AGENT_PATH = "/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]";
+ final String EE_PATH = "/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]";
+ final String ERROR_PATH = "/[PKI_SUBSYSTEM_TYPE]/404.html";
+
+ // retrieve scheme from request
+ String scheme = request.getScheme();
+
+ // retrieve client hostname on which the request was sent
+ String client_hostname = request.getServerName();
+
+ // retrieve client port number on which the request was sent
+ int client_port = request.getServerPort();
+
+ // retrieve server hostname on which the request was received
+ String server_hostname = request.getLocalName();
+
+ // retrieve server port number on which the request was received
+ int server_port = request.getLocalPort();
+
+ // uncomment the following lines to write to 'catalina.out'
+ //System.out.println( "scheme = '" + scheme + "'" );
+ //System.out.println( "client hostname = '" + client_hostname + "'" );
+ //System.out.println( "client port = '" + client_port + "'" );
+ //System.out.println( "server hostname = '" + server_hostname + "'" );
+ //System.out.println( "server port = '" + server_port + "'" );
+
+ // compose the appropriate URL
+ String URL = "";
+
+ if( scheme.equals( HTTP_SCHEME ) ) {
+ if( server_port == EE_HTTP_PORT ) {
+ URL = scheme + "://" + client_hostname + ":" + client_port + EE_PATH;
+ } else {
+ // unknown HTTP server port: should never get here
+ URL = scheme + "://" + client_hostname + ":" + client_port + ERROR_PATH;
+
+ // uncomment the following line to write to 'catalina.out'
+ //System.out.println( "Unknown HTTP server port: '" + server_port + "'" );
+ }
+ } else if( scheme.equals( HTTPS_SCHEME ) ) {
+ if( server_port == AGENT_HTTPS_PORT ) {
+ URL = scheme + "://" + client_hostname + ":" + client_port + AGENT_PATH;
+ } else if( server_port == EE_HTTPS_PORT ) {
+ URL = scheme + "://" + client_hostname + ":" + client_port + EE_PATH;
+ } else if( server_port == ADMIN_HTTPS_PORT ) {
+ URL = scheme + "://" + client_hostname + ":" + client_port + ADMIN_PATH;
+ } else {
+ // unknown HTTPS server port: should never get here
+ URL = scheme + "://" + client_hostname + ":" + client_port + ERROR_PATH;
+
+ // uncomment the following line to write to 'catalina.out'
+ //System.out.println( "Unknown HTTPS server port: '" + server_port + "'" );
+ }
+ } else {
+ // unacceptable scheme: should never get here
+ URL = scheme + "://" + client_hostname + ":" + client_port + ERROR_PATH;
+
+ // uncomment the following line to write to 'catalina.out'
+ //System.out.println( "Unacceptable scheme: '" + scheme + "'" );
+ }
+
+ // respond (back to browser) with the appropriate redirected URL
+ response.sendRedirect( URL );
+%>
diff --git a/base/ca/shared/webapps/ca/WEB-INF/velocity.properties b/base/ca/shared/webapps/ca/WEB-INF/velocity.properties
new file mode 100644
index 000000000..2dfae4bca
--- /dev/null
+++ b/base/ca/shared/webapps/ca/WEB-INF/velocity.properties
@@ -0,0 +1,8 @@
+resource.loader = file
+file.resource.loader.class = org.apache.velocity.runtime.resource.loader.FileResourceLoader
+file.resource.loader.path = [PKI_INSTANCE_PATH]/[PKI_WEBAPPS_NAME]/[PKI_SUBSYSTEM_TYPE]
+file.resource.loader.cache = true
+file.resource.loader.modificationCheckInterval = 2
+input.encoding=UTF-8
+output.encoding=UTF-8
+runtime.log.logsystem.class=org.apache.velocity.runtime.log.NullLogSystem
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
new file mode 100644
index 000000000..5e91977aa
--- /dev/null
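Review bot: The redirect target handed to `response.sendRedirect( URL )` is assembled from `request.getServerName()` and `request.getServerPort()`, which a servlet container normally populates from the client-supplied Host header unless the connector pins `proxyName`/`proxyPort`, so a request with a forged Host header receives a 302 whose Location points at that host; the fixed path suffix does not prevent this, and the final `else` additionally echoes an unrecognised scheme into the Location instead of refusing it. This only bites when the response is cached or relayed by an intermediary, but a CA landing page is exactly the kind of URL that gets bookmarked and fronted by proxies. I would validate `client_hostname` against the instance's configured hostname (the file is already a `[PKI_…]` template, so a substituted constant fits the existing pattern) and fall back to `server_hostname` on mismatch, and replace the unknown-scheme branch with `response.sendError( HttpServletResponse.SC_NOT_FOUND ); return;` rather than composing a redirect from it. A one-line comment above `String client_hostname = request.getServerName();` noting that the value is client-controlled would stop the next maintainer from treating it as trusted.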
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml 
@@ -0,0 +1,2480 @@ + + + + + + AgentRequestFilter + com.netscape.cms.servlet.filter.AgentRequestFilter + + https_port + [PKI_AGENT_SECURE_PORT] + +[PKI_OPEN_ENABLE_PROXY_COMMENT] + + proxy_port + [PKI_PROXY_SECURE_PORT] + +[PKI_CLOSE_ENABLE_PROXY_COMMENT] + + active + true + + + + + AdminRequestFilter + com.netscape.cms.servlet.filter.AdminRequestFilter + + https_port + [PKI_ADMIN_SECURE_PORT] + +[PKI_OPEN_ENABLE_PROXY_COMMENT] + + proxy_port + [PKI_PROXY_SECURE_PORT] + +[PKI_CLOSE_ENABLE_PROXY_COMMENT] + + active + true + + + + + EERequestFilter + com.netscape.cms.servlet.filter.EERequestFilter + + http_port + [PKI_UNSECURE_PORT] + + + https_port + [PKI_EE_SECURE_PORT] + +[PKI_OPEN_ENABLE_PROXY_COMMENT] + + proxy_port + [PKI_PROXY_SECURE_PORT] + + + proxy_http_port + [PKI_PROXY_UNSECURE_PORT] + +[PKI_CLOSE_ENABLE_PROXY_COMMENT] + + active + true + + + + + EEClientAuthRequestFilter + com.netscape.cms.servlet.filter.EEClientAuthRequestFilter + + https_port + [PKI_EE_SECURE_CLIENT_AUTH_PORT] + +[PKI_OPEN_ENABLE_PROXY_COMMENT] + + proxy_port + [PKI_PROXY_SECURE_PORT] + +[PKI_CLOSE_ENABLE_PROXY_COMMENT] + + active + true + + + + + csadmin-wizard + com.netscape.cms.servlet.wizard.WizardServlet + + properties + /WEB-INF/velocity.properties + + + name + CA Setup Wizard + + + panels + 
welcome=com.netscape.cms.servlet.csadmin.WelcomePanel,module=com.netscape.cms.servlet.csadmin.ModulePanel,confighsmlogin=com.netscape.cms.servlet.csadmin.ConfigHSMLoginPanel,securitydomain=com.netscape.cms.servlet.csadmin.SecurityDomainPanel,securitydomain=com.netscape.cms.servlet.csadmin.DisplayCertChainPanel,subsystem=com.netscape.cms.servlet.csadmin.CreateSubsystemPanel,clone=com.netscape.cms.servlet.csadmin.DisplayCertChainPanel,restorekeys=com.netscape.cms.servlet.csadmin.RestoreKeyCertPanel,cahierarchy=com.netscape.cms.servlet.csadmin.HierarchyPanel,database=com.netscape.cms.servlet.csadmin.DatabasePanel,size=com.netscape.cms.servlet.csadmin.SizePanel,subjectname=com.netscape.cms.servlet.csadmin.NamePanel,certrequest=com.netscape.cms.servlet.csadmin.CertRequestPanel,backupkeys=com.netscape.cms.servlet.csadmin.BackupKeyCertPanel,savepk12=com.netscape.cms.servlet.csadmin.SavePKCS12Panel,importcachain=com.netscape.cms.servlet.csadmin.ImportCAChainPanel,admin=com.netscape.cms.servlet.csadmin.AdminPanel,importadmincert=com.netscape.cms.servlet.csadmin.ImportAdminCertPanel,done=com.netscape.cms.servlet.csadmin.DonePanel + + + + + csadmin-login + com.netscape.cms.servlet.csadmin.LoginServlet + + properties + /WEB-INF/velocity.properties + + + + + services + com.netscape.cms.servlet.csadmin.MainPageServlet + GetClientCert + false + authorityId + ca + ID + services + templatePath + /services.template + + + + caacl + com.netscape.cms.servlet.admin.ACLAdminServlet + ID + caacl + AuthzMgr + BasicAclAuthz + + + + caug + com.netscape.cms.servlet.admin.UsrGrpAdminServlet + ID + caug + AuthzMgr + BasicAclAuthz + + + + caserver + com.netscape.cms.servlet.admin.CMSAdminServlet + ID + caserver + AuthzMgr + BasicAclAuthz + + + + capolicy + com.netscape.cms.servlet.admin.PolicyAdminServlet + ID + capolicy + AuthzMgr + BasicAclAuthz + authority + ca + + + + calog + com.netscape.cms.servlet.admin.LogAdminServlet + ID + calog + AuthzMgr + BasicAclAuthz + + + + caGetAdminCertBySerial 
+ com.netscape.cms.servlet.cert.GetBySerial + GetClientCert + false + AuthzMgr + BasicAclAuthz + authority + ca + ID + caGetAdminCertBySerial + resourceID + certServer.admin.certificate + + + + caUpdateConnector + com.netscape.cms.servlet.csadmin.UpdateConnector + GetClientCert + false + authority + ca + ID + caUpdateConnector + AuthMgr + TokenAuth + AuthzMgr + BasicAclAuthz + resourceID + certServer.ca.connectorInfo + + + + caRegisterUser + com.netscape.cms.servlet.csadmin.RegisterUser + GetClientCert + false + authority + ca + ID + caRegisterUser + AuthMgr + TokenAuth + GroupName + Certificate Manager Agents + AuthzMgr + BasicAclAuthz + resourceID + certServer.ca.registerUser + + + + caRegisterRaUser + com.netscape.cms.servlet.csadmin.RegisterUser + GetClientCert + false + authority + ca + ID + caRegisterRaUser + AuthMgr + TokenAuth + GroupName + Registration Manager Agents + AuthzMgr + BasicAclAuthz + resourceID + certServer.ca.registerUser + + + + caGetDomainXML + com.netscape.cms.servlet.csadmin.GetDomainXML + GetClientCert + false + authority + ca + ID + caGetDomainXML + + + + caUpdateDomainXML + com.netscape.cms.servlet.csadmin.UpdateDomainXML + GetClientCert + true + authority + ca + ID + caUpdateDomainXML + interface + agent + AuthMgr + certUserDBAuthMgr + AuthzMgr + BasicAclAuthz + resourceID + certServer.securitydomain.domainxml + + + + caUpdateNumberRange + com.netscape.cms.servlet.csadmin.UpdateNumberRange + GetClientCert + false + authority + ca + ID + caUpdateNumberRange + interface + ee + AuthMgr + TokenAuth + AuthzMgr + BasicAclAuthz + resourceID + certServer.clone.configuration.UpdateNumberRange + + + + caUpdateOCSPConfig + com.netscape.cms.servlet.csadmin.UpdateOCSPConfig + GetClientCert + false + authority + ca + ID + caUpdateOCSPConfig + interface + ee + AuthMgr + TokenAuth + AuthzMgr + BasicAclAuthz + resourceID + certServer.admin.ocsp + + + + caDownloadPKCS12 + com.netscape.cms.servlet.csadmin.DownloadPKCS12 + GetClientCert + false + 
authority + ca + ID + caDownloadPKCS12 + interface + ee + AuthMgr + TokenAuth + AuthzMgr + BasicAclAuthz + resourceID + certServer.clone.configuration + + + + caGetCertChain + com.netscape.cms.servlet.csadmin.GetCertChain + GetClientCert + false + authority + ca + ID + caGetCertChain + + + + caGetCertChainAdmin + com.netscape.cms.servlet.csadmin.GetCertChain + GetClientCert + false + authority + ca + ID + caGetCertChainAdmin + + + + caGetStatus + com.netscape.cms.servlet.csadmin.GetStatus + GetClientCert + false + authority + ca + ID + caGetStatus + + + + caGetConfigEntries + com.netscape.cms.servlet.csadmin.GetConfigEntries + GetClientCert + false + authority + ca + ID + caGetConfigEntries + AuthzMgr + BasicAclAuthz + AuthMgr + TokenAuth + resourceID + certServer.clone.configuration.GetConfigEntries + + + + caca + com.netscape.cms.servlet.admin.CAAdminServlet + ID + caca + AuthzMgr + BasicAclAuthz + + + + caregistry + com.netscape.cms.servlet.admin.RegistryAdminServlet + ID + caregistry + AuthzMgr + BasicAclAuthz + authority + ca + + + + caauths + com.netscape.cms.servlet.admin.AuthAdminServlet + ID + caauths + AuthzMgr + BasicAclAuthz + + + + castart + com.netscape.cms.servlet.base.CMSStartServlet + AuthzMgr + BasicAclAuthz + cfgPath + [PKI_INSTANCE_PATH]/conf/CS.cfg + ID + castart + 1 + + + + caprofile + com.netscape.cms.servlet.admin.ProfileAdminServlet + ID + caprofile + AuthzMgr + BasicAclAuthz + authority + ca + + + + cajobsScheduler + com.netscape.cms.servlet.admin.JobsAdminServlet + ID + cajobsScheduler + AuthzMgr + BasicAclAuthz + + + + caadminEnroll + com.netscape.cms.servlet.cert.EnrollServlet + GetClientCert + false + successTemplate + /admin/ca/EnrollSuccess.template + AuthzMgr + BasicAclAuthz + authority + ca + interface + admin + ID + caadminEnroll + resourceID + certServer.admin.request.enrollment + AuthMgr + passwdUserDBAuthMgr + + + + capublisher + com.netscape.cms.servlet.admin.PublisherAdminServlet + ID + capublisher + AuthzMgr + BasicAclAuthz 
+ authority + ca + + + + caGetOCSPInfo + com.netscape.cms.servlet.ocsp.GetOCSPInfo + GetClientCert + true + AuthzMgr + BasicAclAuthz + interface + agent + authority + ca + templatePath + /agent/ca/getOCSPInfo.template + ID + caGetOCSPInfo + resourceID + certServer.ca.ocsp + AuthMgr + certUserDBAuthMgr + + + + caUpdateDir + com.netscape.cms.servlet.cert.UpdateDir + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + templatePath + /agent/ca/updateDir.template + interface + agent + ID + caUpdateDir + AuthMgr + certUserDBAuthMgr + resourceID + certServer.ca.directory + + + + caGetCertFromRequest-agent + com.netscape.cms.servlet.cert.GetCertFromRequest + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + interface + agent + ID + caGetCertFromRequest + resourceID + certServer.ca.certificate + AuthMgr + certUserDBAuthMgr + importCert + true + + + + caGetBySerial-agent + com.netscape.cms.servlet.cert.GetBySerial + GetClientCert + true + successTemplate + /ca/ImportCert.template + AuthzMgr + BasicAclAuthz + authority + ca + interface + agent + ID + caGetBySerial + AuthMgr + certUserDBAuthMgr + resourceID + certServer.ca.certificate + + + + caProfileSelect-agent + com.netscape.cms.servlet.profile.ProfileSelectServlet + GetClientCert + true + AuthzMgr + BasicAclAuthz + authorityId + ca + interface + agent + ID + caProfileSelect + unauthorizedTemplate + /GenUnauthorized.template + templatePath + /agent/ca/ProfileSelect.template + AuthMgr + certUserDBAuthMgr + resourceID + certServer.ca.profile + + + + caindex + com.netscape.cms.servlet.base.IndexServlet + ID + caindex + template + index.template + GetClientCert + true + AuthMgr + certUserDBAuthMgr + interface + agent + + + + caStats + com.netscape.cms.servlet.base.GetStats + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + templatePath + /agent/ca/getStats.template + ID + stats + interface + agent + resourceID + certServer.ca.systemstatus + AuthMgr + certUserDBAuthMgr + + + + 
caMonitor + com.netscape.cms.servlet.cert.Monitor + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + interface + agent + templatePath + /agent/ca/monitor.template + ID + caMonitor + resourceID + certServer.ca.systemstatus + AuthMgr + certUserDBAuthMgr + + + + caReasonToRevoke + com.netscape.cms.servlet.cert.ReasonToRevoke + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + templatePath + /agent/ca/reasonToRevoke.template + interface + agent + ID + caReasonToRevoke + AuthMgr + certUserDBAuthMgr + resourceID + certServer.ca.certificates + + + + caListRequests + com.netscape.cms.servlet.base.DisplayHtmlServlet + GetClientCert + true + htmlPath + /agent/ca/ListRequests.html + authority + ca + interface + agent + ID + caListRequests + unauthorizedTemplate + /agent/ca/GenUnauthorized.template + AuthMgr + certUserDBAuthMgr + + + + casearchReqs + com.netscape.cms.servlet.request.SearchReqs + GetClientCert + true + parser + CertReqParser.NODETAIL_PARSER + AuthzMgr + BasicAclAuthz + authority + ca + templatePath + /agent/ca/queryReq.template + interface + agent + ID + casearchReqs + resourceID + certServer.ca.requests + AuthMgr + certUserDBAuthMgr + timeLimits + 10 + + + + caProfileApprove + com.netscape.cms.servlet.profile.ProfileApproveServlet + GetClientCert + true + AuthzMgr + BasicAclAuthz + authorityId + ca + interface + agent + ID + caProfileApprove + unauthorizedTemplate + /agent/GenUnauthorized.template + templatePath + /agent/ca/ProfileApprove.template + AuthMgr + certUserDBAuthMgr + resourceID + certServer.ca.profile + + + + caUpdateDirectory + com.netscape.cms.servlet.base.DisplayHtmlServlet + GetClientCert + true + htmlPath + /agent/ca/UpdateDir.html + authority + ca + ID + caUpdateDirectory + unauthorizedTemplate + /agent/GenUnauthorized.template + interface + agent + AuthMgr + certUserDBAuthMgr + + + + caProfileReview + com.netscape.cms.servlet.profile.ProfileReviewServlet + GetClientCert + true + AuthzMgr + BasicAclAuthz + 
authorityId + ca + interface + agent + ID + caProfileReview + unauthorizedTemplate + /agent/GenUnauthorized.template + templatePath + /agent/ca/ProfileReview.template + AuthMgr + certUserDBAuthMgr + resourceID + certServer.ca.request.profile + + + + caConnector + com.netscape.cms.servlet.connector.ConnectorServlet + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + ID + caConnector + RequestEncoder + com.netscape.cmscore.connector.HttpRequestEncoder + resourceID + certServer.ca.connector + interface + agent + AuthMgr + certUserDBAuthMgr + + + + caSrchCerts-agent + com.netscape.cms.servlet.cert.SrchCerts + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + templatePath + /agent/ca/srchCert.template + interface + agent + ID + caSrchCerts + AuthMgr + certUserDBAuthMgr + resourceID + certServer.ca.certificates + timeLimits + 15 + + + + caheader + com.netscape.cms.servlet.base.IndexServlet + ID + caheader + GetClientCert + true + AuthMgr + certUserDBAuthMgr + template + /agent/header.template + interface + agent + + + + + caDisplayCertFromRequest-agent + com.netscape.cms.servlet.cert.GetCertFromRequest + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + interface + agent + ID + caDisplayCertFromRequest + resourceID + certServer.ca.certificate + AuthMgr + certUserDBAuthMgr + importCert + false + + + + caListCerts-agent + com.netscape.cms.servlet.cert.ListCerts + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + templatePath + /agent/ca/queryCert.template + interface + agent + ID + caListCerts + AuthMgr + certUserDBAuthMgr + resourceID + certServer.ca.certificates + maxResults + 1000 + + + + caqueryReq + com.netscape.cms.servlet.request.QueryReq + GetClientCert + true + parser + CertReqParser.NODETAIL_PARSER + AuthzMgr + BasicAclAuthz + authority + ca + templatePath + /agent/ca/queryReq.template + interface + agent + ID + caqueryReq + resourceID + certServer.ca.requests + AuthMgr + certUserDBAuthMgr + 
maxResults + 1000 + + + + caProcessReq + com.netscape.cms.servlet.request.ProcessReq + GetClientCert + true + parser + CertReqParser.DETAIL_PARSER + AuthzMgr + BasicAclAuthz + authority + ca + interface + agent + ID + caProcessReq + templatePath + /agent/ca/processReq.template + resourceID + certServer.ca.request.enrollment + AuthMgr + certUserDBAuthMgr + + + + caports + com.netscape.cms.servlet.base.PortsServlet + ID + caports + GetClientCert + false + interface + ee + + + + caSrchCert + com.netscape.cms.servlet.base.DisplayHtmlServlet + GetClientCert + true + htmlPath + /agent/ca/SrchCert.html + authority + ca + interface + agent + ID + caSrchCert + unauthorizedTemplate + /agent/GenUnauthorized.template + AuthMgr + certUserDBAuthMgr + + + + caProfileList-agent + com.netscape.cms.servlet.profile.ProfileListServlet + GetClientCert + true + AuthzMgr + BasicAclAuthz + authorityId + ca + interface + agent + ID + caProfileList + unauthorizedTemplate + /agent/GenUnauthorized.template + templatePath + /agent/ca/ProfileList.template + AuthMgr + certUserDBAuthMgr + resourceID + certServer.ca.profiles + + + + caDisplayBySerial-agent + com.netscape.cms.servlet.cert.DisplayBySerial + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + templatePath + /agent/ca/displayBySerial.template + interface + agent + ID + caDisplayBySerial + AuthMgr + certUserDBAuthMgr + resourceID + certServer.ca.certificate + + + + caSrchRevokeCert + com.netscape.cms.servlet.base.DisplayHtmlServlet + GetClientCert + true + htmlPath + /agent/ca/SrchRevokeCert.html + authority + ca + interface + agent + ID + caSrchRevokeCert + unauthorizedTemplate + /agent/GenUnauthorized.template + AuthMgr + certUserDBAuthMgr + + + + caDoUnrevoke + com.netscape.cms.servlet.cert.DoUnrevoke + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + templatePath + /agent/ca/unrevocationResult.template + interface + agent + ID + caDoUnrevoke + AuthMgr + certUserDBAuthMgr + resourceID + 
certServer.ca.certificate + + + + caDoRevoke-agent + com.netscape.cms.servlet.cert.DoRevoke + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + templatePath + /agent/ca/revocationResult.template + interface + agent + ID + caDoRevoke + AuthMgr + certUserDBAuthMgr + resourceID + certServer.ca.certificates + + + + caProfileProcess + com.netscape.cms.servlet.profile.ProfileProcessServlet + GetClientCert + true + AuthzMgr + BasicAclAuthz + authorityId + ca + interface + agent + ID + caProfileProcess + unauthorizedTemplate + /GenUnauthorized.template + templatePath + /agent/ca/ProfileProcess.template + AuthMgr + certUserDBAuthMgr + resourceID + certServer.ca.request.profile + + + + caProcessCertReq + com.netscape.cms.servlet.request.ProcessCertReq + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + interface + agent + ID + caProcessCertReq + resourceID + certServer.ca.request.enrollment + AuthMgr + certUserDBAuthMgr + + + + cabulkissuance + com.netscape.cms.servlet.cert.EnrollServlet + unauthorizedTemplate + /agent/ca/bulkissuance.template + rejectedTemplate + /agent/ca/bulkissuance.template + svcpendingTemplate + /agent/ca/bulkissuance.template + resourceID + certServer.ca.request.enrollment + GetClientCert + true + authority + ca + interface + agent + ID + cabulkissuance + errorTemplate + /agent/ca/bulkissuance.template + unexpectedErrorTemplate + /agent/ca/bulkissuance.template + pendingTemplate + /agent/ca/bulkissuance.template + AuthzMgr + BasicAclAuthz + successTemplate + /agent/ca/bulkissuance.template + AuthMgr + certUserDBAuthMgr + + + + caQueryBySerial + com.netscape.cms.servlet.base.DisplayHtmlServlet + GetClientCert + true + htmlPath + /agent/ca/queryBySerial.html + authority + ca + interface + agent + ID + caQueryBySerial + unauthorizedTemplate + /agent/GenUnauthorized.template + AuthMgr + certUserDBAuthMgr + + + + camasterCAUpdateCRL + com.netscape.cms.servlet.cert.UpdateCRL + GetClientCert + true + AuthzMgr + BasicAclAuthz 
+ authority + ca + templatePath + /agent/ca/updateCRL.template + interface + agent + ID + camasterCAUpdateCRL + resourceID + certServer.ca.crl + AuthMgr + certUserDBAuthMgr + + + + camasterCADisplayCRL + com.netscape.cms.servlet.cert.DisplayCRL + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + templatePath + /agent/ca/displayCRL.template + interface + agent + ID + camasterCADisplayCRL + resourceID + certServer.ca.crl + AuthMgr + certUserDBAuthMgr + + + + camasterCAGetInfo + com.netscape.cms.servlet.cert.GetInfo + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + interface + agent + ID + camasterCAGetInfo + resourceID + certServer.ca.crl + AuthMgr + certUserDBAuthMgr + + + + caProfileSubmit + com.netscape.cms.servlet.profile.ProfileSubmitServlet + GetClientCert + false + AuthzMgr + BasicAclAuthz + authorityId + ca + interface + ee + ID + caProfileSubmit + templatePath + /ee/ca/ProfileSubmit.template + resourceID + certServer.ee.profile + + + + caRenewal + com.netscape.cms.servlet.cert.RenewalServlet + GetClientCert + true + successTemplate + /ca/RenewalSuccess.template + AuthzMgr + BasicAclAuthz + authority + ca + interface + ee + ID + caRenewal + resourceID + certServer.ee.certificate + AuthMgr + sslClientCertAuthMgr + + + + caGetCertFromRequest + com.netscape.cms.servlet.cert.GetCertFromRequest + GetClientCert + false + successTemplate + /ee/ca/ImportCert.template + AuthzMgr + BasicAclAuthz + authority + ca + interface + ee + ID + caGetCertFromRequest + resourceID + certServer.ee.certificate + importCert + true + + + + caGetCRL + com.netscape.cms.servlet.cert.GetCRL + GetClientCert + false + AuthzMgr + BasicAclAuthz + authority + ca + interface + ee + templatePath + /ee/ca/displayCRL.template + ID + caGetCRL + resourceID + certServer.ee.crl + + + + caGetBySerial + com.netscape.cms.servlet.cert.GetBySerial + GetClientCert + false + successTemplate + /ee/ca/ImportCert.template + importCertTemplate + /ee/ca/ImportAdminCert.template 
+ AuthzMgr + BasicAclAuthz + authority + ca + interface + ee + ID + caGetBySerial + resourceID + certServer.ee.certificate + interface + ee + + + + caGetAdminBySerial + com.netscape.cms.servlet.cert.GetBySerial + GetClientCert + false + successTemplate + /admin/ca/ImportCert.template + importCertTemplate + /admin/ca/ImportAdminCert.template + AuthzMgr + BasicAclAuthz + authority + ca + interface + admin + ID + caGetAdminBySerial + resourceID + certServer.admin.certificate + interface + admin + + + + cacertbasedenrollment + com.netscape.cms.servlet.cert.EnrollServlet + GetClientCert + true + successTemplate + /ca/EnrollSuccess.template + AuthzMgr + BasicAclAuthz + authority + ca + interface + ee + ID + cacertbasedenrollment + resourceID + certServer.ee.request.enrollment + + + + caProfileSelect + com.netscape.cms.servlet.profile.ProfileSelectServlet + GetClientCert + false + AuthzMgr + BasicAclAuthz + authorityId + ca + interface + ee + ID + caProfileSelect + templatePath + /ee/ca/ProfileSelect.template + resourceID + certServer.ee.profile + + + + caenrollment + com.netscape.cms.servlet.cert.EnrollServlet + GetClientCert + false + successTemplate + /ca/EnrollSuccess.template + AuthzMgr + BasicAclAuthz + authority + ca + interface + ee + ID + caenrollment + resourceID + certServer.ee.request.enrollment + + + + caCheckRequest + com.netscape.cms.servlet.request.CheckRequest + GetClientCert + false + AuthzMgr + BasicAclAuthz + authority + ca + interface + ee + templatePath + /ee/ca/requestStatus.template + ID + caCheckRequest + resourceID + certServer.ee.requestStatus + + + + caOCSP + com.netscape.cms.servlet.ocsp.OCSPServlet + GetClientCert + false + AuthzMgr + BasicAclAuthz + authority + ca + interface + ee + ID + caOCSP + resourceID + certServer.ee.request.ocsp + + + + caDoRevoke1 + com.netscape.cms.servlet.cert.DoRevokeTPS + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + interface + ee + templatePath + /ee/ca/revocationResult.template + ID + 
caDoRevoke1 + AuthMgr + certUserDBAuthMgr + resourceID + certServer.ca.certificates + + + + caSrchCerts + com.netscape.cms.servlet.cert.SrchCerts + GetClientCert + false + AuthzMgr + BasicAclAuthz + authority + ca + interface + ee + templatePath + /ee/ca/srchCert.template + ID + caSrchCerts + resourceID + certServer.ee.certificates + timeLimits + 10 + + + + caDynamicVariables + com.netscape.cms.servlet.base.DynamicVariablesServlet + ID + caDynamicVariables + GetClientCert + false + dynamicVariables + serverdate=serverdate(),subsystemname=subsystemname(),http=http(),authmgrs=authmgrs(),clacrlurl=clacrlurl() + authority + ca + interface + ee + + + + caDynamicVariables-agent + com.netscape.cms.servlet.base.DynamicVariablesServlet + ID + caDynamicVariables + GetClientCert + true + dynamicVariables + serverdate=serverdate(),subsystemname=subsystemname(),http=http(),authmgrs=authmgrs(),clacrlurl=clacrlurl() + authority + ca + interface + agent + + + + caDynamicVariables-admin + com.netscape.cms.servlet.base.DynamicVariablesServlet + ID + caDynamicVariables + GetClientCert + false + dynamicVariables + serverdate=serverdate(),subsystemname=subsystemname(),http=http(),authmgrs=authmgrs(),clacrlurl=clacrlurl() + authority + ca + interface + admin + + + + caProfileSubmitCMCSimple + com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet + GetClientCert + false + cert_request_type + pkcs10 + profileId + caSimpleCMCUserCert + AuthzMgr + BasicAclAuthz + outputFormat + cmc + authorityId + ca + ID + caProfileSubmitCMCSimple + templatePath + /ee/ca/ProfileSubmit.template + resourceID + certServer.ee.profile + interface + ee + + + + caDisplayCertFromRequest + com.netscape.cms.servlet.cert.GetCertFromRequest + GetClientCert + false + successTemplate + /ee/ca/displayCertFromRequest.template + AuthzMgr + BasicAclAuthz + authority + ca + ID + caDisplayCertFromRequest + resourceID + certServer.ee.certificate + importCert + false + interface + ee + + + + caListCerts + 
com.netscape.cms.servlet.cert.ListCerts + GetClientCert + false + AuthzMgr + BasicAclAuthz + authority + ca + templatePath + /ee/ca/queryCert.template + ID + caListCerts + resourceID + certServer.ee.certificates + interface + ee + maxResults + 1000 + + + + caProfileSubmitSSLClient + com.netscape.cms.servlet.profile.ProfileSubmitServlet + GetClientCert + false + AuthzMgr + BasicAclAuthz + authorityId + ca + ID + caProfileSubmitSSLClient + templatePath + /ee/ca/ProfileSubmit.template + resourceID + certServer.ee.profile + interface + ee + + + + caGetCAChain + com.netscape.cms.servlet.cert.GetCAChain + GetClientCert + false + AuthzMgr + BasicAclAuthz + authority + ca + templatePath + /ee/ca/displayCaCert.template + ID + caGetCAChain + resourceID + certServer.ee.certchain + interface + ee + + + + caProfileSubmitCMCFull + com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet + GetClientCert + false + cert_request_type + cmc + profileId + caFullCMCUserCert + AuthzMgr + BasicAclAuthz + authorityId + ca + ID + caProfileSubmitCMCFull + templatePath + /ee/ca/ProfileSubmit.template + resourceID + certServer.ee.profile + interface + ee + + + + caProfileList + com.netscape.cms.servlet.profile.ProfileListServlet + GetClientCert + false + AuthzMgr + BasicAclAuthz + authorityId + ca + ID + caProfileList + templatePath + /ee/ca/ProfileList.template + resourceID + certServer.ee.profiles + interface + ee + + + + caCMCRevReq + com.netscape.cms.servlet.cert.CMCRevReqServlet + GetClientCert + false + AuthzMgr + BasicAclAuthz + authority + ca + templatePath + /ee/ca/revocationResult.template + ID + caCMCRevReq + AuthMgr + CMCAuth + resourceID + certServer.ca.certificates + interface + ee + + + + caDoUnrevoke1 + com.netscape.cms.servlet.cert.DoUnrevokeTPS + GetClientCert + true + AuthzMgr + BasicAclAuthz + authority + ca + ID + caDoUnrevoke1 + AuthMgr + certUserDBAuthMgr + resourceID + certServer.ca.certificate + interface + ee + + + + caDisplayBySerial + 
com.netscape.cms.servlet.cert.DisplayBySerial + GetClientCert + false + AuthzMgr + BasicAclAuthz + authority + ca + templatePath + /ee/ca/displayBySerial.template + ID + caDisplayBySerial + resourceID + certServer.ee.certificate + interface + ee + + + + caRevocation + com.netscape.cms.servlet.cert.RevocationServlet + GetClientCert + true + successTemplate + /ee/ca/reasonToRevoke.template + AuthzMgr + BasicAclAuthz + authority + ca + ID + caRevocation + resourceID + certServer.ee.request.revocation + AuthMgr + sslClientCertAuthMgr + interface + ee + + + + caGetInfo + com.netscape.cms.servlet.cert.GetInfo + GetClientCert + false + AuthzMgr + BasicAclAuthz + authority + ca + ID + caGetInfo + resourceID + certServer.ee.crl + interface + ee + + + + caGetSubsystemCert + com.netscape.cms.servlet.csadmin.GetSubsystemCert + GetClientCert + false + AuthzMgr + BasicAclAuthz + authority + ca + ID + caGetSubsystemCert + resourceID + certServer.ee.certificate + interface + ee + + + + caDoRevoke + com.netscape.cms.servlet.cert.DoRevoke + GetClientCert + false + AuthzMgr + BasicAclAuthz + authority + ca + templatePath + /ee/ca/revocationResult.template + interface + ee + ID + caDoRevoke + resourceID + certServer.ee.certificates + interface + ee + + + + caSecurityDomainLogin + com.netscape.cms.servlet.csadmin.SecurityDomainLogin + properties + /WEB-INF/velocity.properties + GetClientCert + false + AuthzMgr + BasicAclAuthz + authority + ca + ID + caSecurityDomainLogin + resourceID + certServer.ee.certificates + + + + caGetCookie + com.netscape.cms.servlet.csadmin.GetCookie + properties + /WEB-INF/velocity.properties + GetClientCert + false + AuthzMgr + BasicAclAuthz + authority + ca + ID + caGetCookie + AuthMgr + passwdUserDBAuthMgr + templatePath + /admin/ca/sendCookie.template + errorTemplatePath + /admin/ca/securitydomainlogin.template + + + + caTokenAuthenticate + com.netscape.cms.servlet.csadmin.TokenAuthenticate + GetClientCert + false + authority + ca + ID + 
caTokenAuthenticate + interface + ee + + + + caGetTokenInfo + com.netscape.cms.servlet.csadmin.GetTokenInfo + GetClientCert + false + authority + ca + ID + caGetTokenInfo + interface + ee + + + + caProxyProfileSubmit + com.netscape.cms.servlet.base.ProxyServlet + destServlet + /ee/ca/profileSubmit + + + + caProxyBulkIssuance + com.netscape.cms.servlet.base.ProxyServlet + destServlet + /agent/ca/bulkissuance + + + + caSCEP + com.netscape.cms.servlet.cert.scep.CRSEnrollment + authority + ca + profileId + caRouterCert + + + + caRASCEP + com.netscape.cms.servlet.cert.scep.CRSEnrollment + authority + ca + profileId + caRARouterCert + + + + caProxyDoRevoke + com.netscape.cms.servlet.base.ProxyServlet + destServlet + /agent/ca/doRevoke + + +[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] + + AgentRequestFilter + /agent/* + /ca/getCertFromRequest + /ca/getBySerial + /ca/connector + /ca/displayCertFromRequest + /doRevoke + + + + AdminRequestFilter + /admin/* + /auths + /acl + /server + /caadmin + /caprofile + /jobsScheduler + /capublisher + /log + /ug + + + + EEClientAuthRequestFilter + /eeca/* + + + + EERequestFilter + /ee/* + /renewal + /certbasedenrollment + /ocsp + /enrollment + /profileSubmit + /cgi-bin/pkiclient.exe + +[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] + + + caacl + /acl + + + + caug + /ug + + + + caserver + /server + + + + capolicy + /capolicy + + + + calog + /log + + + + caGetAdminCertBySerial + /ca/getAdminCertBySerial + + + + caGetConfigEntries + /admin/ca/getConfigEntries + + + + caGetDomainXML + /admin/ca/getDomainXML + + + + caUpdateDomainXML + /agent/ca/updateDomainXML + + + + caUpdateNumberRange + /ee/ca/updateNumberRange + + + + caDownloadPKCS12 + /admin/console/config/savepkcs12 + + + + caGetCertChain + /ee/ca/getCertChain + + + + caGetCertChainAdmin + /admin/ca/getCertChain + + + + caGetStatus + /admin/ca/getStatus + + + + caca + /caadmin + + + + caregistry + /registry + + + + caauths + /auths + + + + castart + /start + + + + caprofile + /caprofile + + + + 
caDynamicVariables + /ee/dynamicVars.js + + + + caDynamicVariables-agent + /agent/dynamicVars.js + + + + caDynamicVariables-admin + /admin/dynamicVars.js + + + + cajobsScheduler + /jobsScheduler + + + + caadminEnroll + /admin/ca/adminEnroll + + + + capublisher + /capublisher + + + + caGetOCSPInfo + /agent/ca/getOCSPInfo + + + + caUpdateDir + /agent/ca/updateDir + + + + caGetCertFromRequest-agent + /ca/getCertFromRequest + + + + caGetBySerial-agent + /ca/getBySerial + + + + caProfileSelect-agent + /agent/ca/profileSelect + + + + caindex + /index + + + + caMonitor + /agent/ca/monitor + + + + caReasonToRevoke + /agent/ca/reasonToRevoke + + + + caListRequests + /agent/ca/listRequests.html + + + + casearchReqs + /agent/ca/searchReqs + + + + caProfileApprove + /agent/ca/profileApprove + + + + caUpdateDirectory + /agent/ca/updateDir.html + + + + caProfileReview + /agent/ca/profileReview + + + + caConnector + /ca/connector + + + + caSrchCerts-agent + /agent/ca/srchCerts + + + + caheader + /agent/header + + + + caDisplayCertFromRequest-agent + /ca/displayCertFromRequest + + + + caListCerts-agent + /agent/ca/listCerts + + + + caqueryReq + /agent/ca/queryReq + + + + caProcessReq + /agent/ca/processReq + + + + caports + /ee/ca/ports + + + + caSrchCert + /agent/ca/srchCert.html + + + + caProfileList-agent + /agent/ca/profileList + + + + caDisplayBySerial-agent + /agent/ca/displayBySerial + + + + caSrchRevokeCert + /agent/ca/srchRevokeCert.html + + + + caDoUnrevoke + /agent/ca/doUnrevoke + + + + caDoRevoke-agent + /agent/ca/doRevoke + + + + caProfileProcess + /agent/ca/profileProcess + + + + caProcessCertReq + /agent/ca/processCertReq + + + + cabulkissuance + /agent/ca/bulkissuance + + + + caQueryBySerial + /agent/ca/queryBySerial.html + + + + camasterCAUpdateCRL + /agent/ca/updateCRL + + + + camasterCADisplayCRL + /agent/ca/displayCRL + + + + camasterCAGetInfo + /agent/ca/getInfo + + + + caProfileSubmit + /ee/ca/profileSubmit + + + + caRenewal + /renewal + + + + 
caGetCertFromRequest + /ee/ca/getCertFromRequest + + + + caGetCRL + /ee/ca/getCRL + + + + caGetBySerial + /ee/ca/getBySerial + + + + caGetAdminBySerial + /admin/ca/getBySerial + + + + cacertbasedenrollment + /certbasedenrollment + + + + caProfileSelect + /ee/ca/profileSelect + + + + caenrollment + /enrollment + + + + caCheckRequest + /ee/ca/checkRequest + + + + caOCSP + /ocsp + + + + caDoRevoke1 + /ee/subsystem/ca/doRevoke + + + + caStats + /agent/ca/getStats + + + + caSrchCerts + /ee/ca/srchCerts + + + + caProfileSubmitCMCSimple + /ee/ca/profileSubmitCMCSimple + + + + caDisplayCertFromRequest + /ee/ca/displayCertFromRequest + + + + caListCerts + /ee/ca/listCerts + + + + caProfileSubmitSSLClient + /eeca/ca/profileSubmitSSLClient + + + + caGetCertFromRequest + /eeca/ca/getCertFromRequest + + + + caProfileSubmitSSLClient + /ee/ca/profileSubmitSSLClient + + + + caGetCAChain + /ee/ca/getCAChain + + + + caProfileSubmitCMCFull + /ee/ca/profileSubmitCMCFull + + + + caProfileList + /ee/ca/profileList + + + + caCMCRevReq + /ee/ca/CMCRevReq + + + + caDoUnrevoke1 + /ee/subsystem/ca/doUnrevoke + + + + caDisplayBySerial + /ee/ca/displayBySerial + + + + caRevocation + /ee/ca/revocation + + + + caGetInfo + /ee/ca/getInfo + + + + caDoRevoke + /ee/ca/doRevoke + + + + csadmin-login + /admin/console/config/login + + + + csadmin-wizard + /admin/console/config/wizard + + + + caUpdateConnector + /admin/ca/updateConnector + + + + caRegisterUser + /admin/ca/registerUser + + + + caRegisterRaUser + /admin/ca/registerRaUser + + + + services + /services + + + + caGetSubsystemCert + /admin/ca/getSubsystemCert + + + + caSecurityDomainLogin + /admin/ca/securityDomainLogin + + + + caGetCookie + /admin/ca/getCookie + + + + caTokenAuthenticate + /ee/ca/tokenAuthenticate + + + + caGetTokenInfo + /ee/ca/getTokenInfo + + + + caUpdateOCSPConfig + /ee/ca/updateOCSPConfig + + + + caProxyProfileSubmit + /profileSubmit + + + + caProxyBulkIssuance + /agent/bulkissuance + + + + caProxyDoRevoke + /doRevoke + 
+ + + caSCEP + /cgi-bin/pkiclient.exe + + + + caRASCEP + /ee/ca/pkiclient + + + + + + + + + + 30 + + +
diff --git a/base/ca/src/CMakeLists.txt b/base/ca/src/CMakeLists.txt
new file mode 100644
index 000000000..12436f301
--- /dev/null
+++ b/base/ca/src/CMakeLists.txt
@@ -0,0 +1,57 @@
+project(pki-ca_java Java)
+
+# '/usr/share/java' jars
+find_file(LDAPJDK_JAR
+ NAMES
+ ldapjdk.jar
+ PATHS
+ /usr/share/java
+)
+
+
+# '${JAVA_LIB_INSTALL_DIR}' jars
+find_file(JSS_JAR
+ NAMES
+ jss4.jar
+ PATHS
+ ${JAVA_LIB_INSTALL_DIR}
+)
+
+find_file(COMMONS_CODEC_JAR
+ NAMES
+ commons-codec.jar
+ PATHS
+ /usr/share/java
+)
+
+
+# identify java sources
+set(pki-ca_java_SRCS
+ com/netscape/ca/CMSCRLExtensions.java
+ com/netscape/ca/CAService.java
+ com/netscape/ca/SigningUnit.java
+ com/netscape/ca/CRLWithExpiredCerts.java
+ com/netscape/ca/CRLIssuingPoint.java
+ com/netscape/ca/CAPolicy.java
+ com/netscape/ca/CertificateAuthority.java
+)
+
+
+# set classpath
+set(CMAKE_JAVA_INCLUDE_PATH
+ ${PKI_CERTSRV_JAR} ${PKI_CMS_JAR} ${PKI_CMSCORE_JAR}
+ ${PKI_CMSUTIL_JAR} ${PKI_NSUTIL_JAR}
+ ${LDAPJDK_JAR}
+ ${JSS_JAR} ${COMMONS_CODEC_JAR} ${SYMKEY_JAR})
+
+
+# set version
+set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
+
+
+# build pki-ca.jar
+add_jar(pki-ca ${pki-ca_java_SRCS})
+add_dependencies(pki-ca symkey pki-nsutil pki-cmsutil pki-certsrv pki-cms pki-cmscore)
+install_jar(pki-ca ${JAVA_JAR_INSTALL_DIR}/pki)
+set(PKI_CA_JAR ${pki-ca_JAR_FILE} CACHE INTERNAL "pki-ca jar file")
+
diff --git a/base/ca/src/com/netscape/ca/CAPolicy.java b/base/ca/src/com/netscape/ca/CAPolicy.java
new file mode 100644
index 000000000..4df28d344
--- /dev/null
+++ b/base/ca/src/com/netscape/ca/CAPolicy.java
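Review bot: The three `find_file` results (`LDAPJDK_JAR`, `JSS_JAR`, `COMMONS_CODEC_JAR`) are placed on `CMAKE_JAVA_INCLUDE_PATH` without checking that they were found, so a missing jar silently puts a `*-NOTFOUND` entry on the classpath and the failure only surfaces later as an unrelated javac error. A guard after each lookup makes the build fail at the cause, e.g. `if(NOT LDAPJDK_JAR)` / `message(FATAL_ERROR "ldapjdk.jar not found")` / `endif()`, repeated for the other two variables.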
@@ -0,0 +1,138 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.ca;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.policy.IPolicyProcessor;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileSubsystem;
+import com.netscape.certsrv.request.IPolicy;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.PolicyResult;
+import com.netscape.cmscore.policy.GenericPolicyProcessor;
+import com.netscape.cmscore.util.Debug;
+
+/**
+ * XXX Just inherit 'GenericPolicyProcessor' (from RA) for now.
+ * This really bad. need to make a special case just for connector.
+ * would like a much better way of doing this to handle both EE and
+ * connectors.
+ * XXX2 moved to just implement IPolicy since GenericPolicyProcessor is
+ * unuseable for CA.
+ *
+ * @deprecated
+ * @version $Revision$, $Date$
+ */
+public class CAPolicy implements IPolicy {
+ IConfigStore mConfig = null;
+ ICertificateAuthority mCA = null;
+
+ public static String PROP_PROCESSOR =
+ "processor";
+ // These are the different types of policy that are
+ // allowed for the "processor" property
+ public static String PR_TYPE_CLASSIC = "classic";
+
+ // XXX this way for now since generic just works for EE.
+ public GenericPolicyProcessor mPolicies = null;
+
+ public CAPolicy() {
+ }
+
+ public IPolicyProcessor getPolicyProcessor() {
+ return mPolicies;
+ }
+
+ public void init(ISubsystem owner, IConfigStore config)
+ throws EBaseException {
+ mCA = (ICertificateAuthority) owner;
+ mConfig = config;
+
+ String processorType = // XXX - need to upgrade 4.2
+ config.getString(PROP_PROCESSOR, PR_TYPE_CLASSIC);
+
+ Debug.trace("selected policy processor = " + processorType);
+ if (processorType.equals(PR_TYPE_CLASSIC)) {
+ mPolicies = new GenericPolicyProcessor();
+ } else {
+ throw new EBaseException("Unknown policy processor type (" +
+ processorType + ")");
+ }
+
+ mPolicies.init(mCA, mConfig);
+ }
+
+ public boolean isProfileRequest(IRequest request) {
+ String profileId = request.getExtDataInString("profileId");
+
+ if (profileId == null || profileId.equals(""))
+ return false;
+ else
+ return true;
+ }
+
+ /**
+ */
+ public PolicyResult apply(IRequest r) {
+ if (r == null) {
+ Debug.trace("in CAPolicy.apply(request=null)");
+ return PolicyResult.REJECTED;
+ }
+
+ Debug.trace("in CAPolicy.apply(requestType=" +
+ r.getRequestType() + ",requestId=" +
+ r.getRequestId().toString() + ",requestStatus=" +
+ r.getRequestStatus().toString() + ")");
+
+ if (isProfileRequest(r)) {
+ Debug.trace("CAPolicy: Profile-base Request " +
+ r.getRequestId().toString());
+
+ CMS.debug("CAPolicy: requestId=" +
+ r.getRequestId().toString());
+
+ String profileId = r.getExtDataInString("profileId");
+
+ if (profileId == null || profileId.equals("")) {
+ return
PolicyResult.REJECTED;
+ }
+
+ IProfileSubsystem ps = (IProfileSubsystem)
+ CMS.getSubsystem("profile");
+
+ try {
+ IProfile profile = ps.getProfile(profileId);
+
+ r.setExtData("dbStatus", "NOT_UPDATED");
+ profile.populate(r);
+ profile.validate(r);
+ return PolicyResult.ACCEPTED;
+ } catch (EBaseException e) {
+ CMS.debug("CAPolicy: " + e.toString());
+ return PolicyResult.REJECTED;
+ }
+ }
+ Debug.trace("mPolicies = " + mPolicies.getClass());
+ return mPolicies.apply(r);
+ }
+
+}
diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
new file mode 100644
index 000000000..62bae3b5f
--- /dev/null
+++ b/base/ca/src/com/netscape/ca/CAService.java
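Review bot: In `apply()`, the value returned by `ps.getProfile(profileId)` is dereferenced by `profile.populate(r)` without a null check; if `getProfile` can return null for an unknown profile id (the `serviceProfileRequest` method added to `CAService` in this same commit guards exactly that case), the result is a NullPointerException that escapes the `catch (EBaseException e)` instead of a rejection. Add after the `getProfile` call: `if (profile == null) { CMS.debug("CAPolicy: profile not found " + profileId); return PolicyResult.REJECTED; }`, and treat the `CMS.getSubsystem("profile")` result the same way. Separately, `PROP_PROCESSOR` and `PR_TYPE_CLASSIC` are `public static` but not `final`, so any code with a reference to the class can change the configuration key and the accepted processor type at runtime; declare both `public static final String`. The empty `/** */` on `apply` should state the contract the body implements, e.g. that profile-based requests are populated and validated against their profile while all other requests are delegated to `mPolicies`, and that a null request or any `EBaseException` yields `REJECTED`.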
@@ -0,0 +1,2122 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.ca;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
+import java.security.cert.CRLException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.Vector;
+
+import netscape.security.extensions.CertInfo;
+import netscape.security.util.BigInt;
+import netscape.security.util.DerValue;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.CertificateAlgorithmId;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateIssuerName;
+import netscape.security.x509.CertificateSerialNumber;
+import netscape.security.x509.CertificateSubjectName;
+import
netscape.security.x509.CertificateValidity;
+import netscape.security.x509.Extension;
+import netscape.security.x509.LdapV3DNStrConverter;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.SerialNumber;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X500NameAttrMap;
+import netscape.security.x509.X509CRLImpl;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509ExtensionException;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authority.IAuthority;
+import com.netscape.certsrv.authority.ICertAuthority;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.MetaInfo;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.ca.ECAException;
+import com.netscape.certsrv.ca.ICAService;
+import com.netscape.certsrv.ca.ICRLIssuingPoint;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.connector.IConnector;
+import com.netscape.certsrv.dbs.Modification;
+import com.netscape.certsrv.dbs.ModificationSet;
+import com.netscape.certsrv.dbs.certdb.ICertRecord;
+import com.netscape.certsrv.dbs.certdb.ICertRecordList;
+import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileSubsystem;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.IService;
+import com.netscape.cmscore.base.SubsystemRegistry;
+import com.netscape.cmscore.connector.HttpConnector;
+import com.netscape.cmscore.connector.LocalConnector;
+import com.netscape.cmscore.connector.RemoteAuthority;
+import
com.netscape.cmscore.crmf.CRMFParser;
+import com.netscape.cmscore.crmf.PKIArchiveOptionsContainer;
+import com.netscape.cmscore.dbs.CertRecord;
+import com.netscape.cmscore.dbs.CertificateRepository;
+import com.netscape.cmscore.dbs.RevocationInfo;
+import com.netscape.cmscore.util.Debug;
+import com.netscape.cmsutil.util.Utils;
+
+/**
+ * Request Service for CertificateAuthority.
+ */
+public class CAService implements ICAService, IService {
+
+ public static final String CRMF_REQUEST = "CRMFRequest";
+ public static final String CHALLENGE_PHRASE = "challengePhrase";
+ public static final String SERIALNO_ARRAY = "serialNoArray";
+
+ // CCA->CLA connector
+ protected static IConnector mCLAConnector = null;
+
+ private ICertificateAuthority mCA = null;
+ private Hashtable mServants = new Hashtable();
+ private IConnector mKRAConnector = null;
+ private IConfigStore mConfig = null;
+ private boolean mArchivalRequired = true;
+ private Hashtable mCRLIssuingPoints = new Hashtable();
+
+ private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+ private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+
+ public CAService(ICertificateAuthority ca) {
+ mCA = ca;
+
+ // init services.
+ mServants.put(
+ IRequest.ENROLLMENT_REQUEST,
+ new serviceIssue(this));
+ mServants.put(
+ IRequest.RENEWAL_REQUEST,
+ new serviceRenewal(this));
+ mServants.put(
+ IRequest.REVOCATION_REQUEST,
+ new serviceRevoke(this));
+ mServants.put(
+ IRequest.CMCREVOKE_REQUEST,
+ new serviceRevoke(this));
+ mServants.put(
+ IRequest.REVOCATION_CHECK_CHALLENGE_REQUEST,
+ new serviceCheckChallenge(this));
+ mServants.put(
+ IRequest.GETCERTS_FOR_CHALLENGE_REQUEST,
+ new getCertsForChallenge(this));
+ mServants.put(
+ IRequest.UNREVOCATION_REQUEST,
+ new serviceUnrevoke(this));
+ mServants.put(
+ IRequest.GETCACHAIN_REQUEST,
+ new serviceGetCAChain(this));
+ mServants.put(
+ IRequest.GETCRL_REQUEST,
+ new serviceGetCRL(this));
+ mServants.put(
+ IRequest.GETREVOCATIONINFO_REQUEST,
+ new serviceGetRevocationInfo(this));
+ mServants.put(
+ IRequest.GETCERTS_REQUEST,
+ new serviceGetCertificates(this));
+ mServants.put(
+ IRequest.CLA_CERT4CRL_REQUEST,
+ new serviceCert4Crl(this));
+ mServants.put(
+ IRequest.CLA_UNCERT4CRL_REQUEST,
+ new serviceUnCert4Crl(this));
+ mServants.put(
+ IRequest.GETCERT_STATUS_REQUEST,
+ new getCertStatus(this));
+ }
+
+ public void init(IConfigStore config) throws EBaseException {
+ mConfig = config;
+
+ try {
+ // MOVED TO com.netscape.certsrv.apps.CMS
+ // java.security.Security.addProvider(new netscape.security.provider.CMS());
+ // java.security.Provider pr = java.security.Security.getProvider("CMS");
+ // if (pr != null) {
+ // ;
+ // }
+ // else
+ // Debug.trace("Something is wrong in CMS install !");
+ java.security.cert.CertificateFactory cf = java.security.cert.CertificateFactory.getInstance("X.509");
+
+ Debug.trace("CertificateFactory Type : " + cf.getType());
+ Debug.trace("CertificateFactory Provider : " + cf.getProvider().getInfo());
+ } catch (java.security.cert.CertificateException e) {
+ Debug.trace("Something is happen in install CMS provider !"
+ e.toString());
+ }
+ }
+
+ public void startup() throws EBaseException {
+ IConfigStore kraConfig = mConfig.getSubStore("KRA");
+
+ if (kraConfig != null) {
+ mArchivalRequired = kraConfig.getBoolean(
+ "archivalRequired", true);
+ mKRAConnector = getConnector(kraConfig);
+ if (mKRAConnector != null) {
+ if (Debug.ON) {
+ Debug.trace("Started KRA Connector");
+ }
+ mKRAConnector.start();
+ }
+ }
+
+ // clone ca to CLA (clone master) connector
+ IConfigStore claConfig = mConfig.getSubStore("CLA");
+
+ if (claConfig != null) {
+ mCLAConnector = getConnector(claConfig);
+ if (mCLAConnector != null) {
+ CMS.debug(CMS.getLogMessage("CMSCORE_CA_START_CONNECTOR"));
+ if (Debug.ON) {
+ Debug.trace("Started CLA Connector in CCA");
+ }
+ mCLAConnector.start();
+ }
+ }
+ }
+
+ protected ICertificateAuthority getCA() {
+ return mCA;
+ }
+
+ public IConnector getKRAConnector() {
+ return mKRAConnector;
+ }
+
+ public void setKRAConnector(IConnector c) {
+ mKRAConnector = c;
+ }
+
+ public IConnector getConnector(IConfigStore config)
+ throws EBaseException {
+ IConnector connector = null;
+
+ if (config == null || config.size() <= 0) {
+ return null;
+ }
+ boolean enable = config.getBoolean("enable", true);
+ // provide a way to register a 3rd connector into RA
+ String extConnector = config.getString("class", null);
+
+ if (extConnector != null) {
+ try {
+ connector = (IConnector)
+ Class.forName(extConnector).newInstance();
+ // connector.start() will be called later on
+ return connector;
+ } catch (Exception e) {
+ // ignore external class if error
+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_LOAD_CONNECTOR", extConnector, e.toString()));
+ }
+ }
+
+ if (!enable)
+ return null;
+ boolean local = config.getBoolean("local");
+ IAuthority authority = null;
+
+ if (local) {
+ String id = config.getString("id");
+
+ authority = (IAuthority) SubsystemRegistry.getInstance().get(id);
+ if (authority == null) {
+ String msg = "local authority " + id + " not
found.";
+
+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_AUTHORITY_NOT_FOUND", id));
+ throw new EBaseException(msg);
+ }
+ connector = new LocalConnector((ICertAuthority) mCA, authority);
+ // log(ILogger.LL_INFO, "local Connector to "+id+" inited");
+ } else {
+ String host = config.getString("host");
+ int port = config.getInteger("port");
+ String uri = config.getString("uri");
+ String nickname = config.getString("nickName", null);
+ int resendInterval = config.getInteger("resendInterval", -1);
+ // Inserted by beomsuk
+ int timeout = config.getInteger("timeout", 0);
+ // Insert end
+ // Changed by beomsuk
+ //RemoteAuthority remauthority =
+ // new RemoteAuthority(host, port, uri);
+ RemoteAuthority remauthority =
+ new RemoteAuthority(host, port, uri, timeout);
+
+ // Change end
+ if (nickname == null)
+ nickname = mCA.getNickname();
+ // Changed by beomsuk
+ //connector =
+ // new HttpConnector(mCA, nickname, remauthority, resendInterval);
+ if (timeout == 0)
+ connector = new HttpConnector((IAuthority) mCA, nickname, remauthority, resendInterval, config);
+ else
+ connector =
+ new HttpConnector((IAuthority) mCA, nickname, remauthority, resendInterval, config, timeout);
+ // Change end
+
+ // log(ILogger.LL_INFO, "remote authority "+
+ // host+":"+port+" "+uri+" inited");
+ }
+ return connector;
+ }
+
+ public boolean isProfileRequest(IRequest request) {
+ String profileId = request.getExtDataInString("profileId");
+
+ if (profileId == null || profileId.equals(""))
+ return false;
+ else
+ return true;
+ }
+
+ /**
+ * After population of defaults, and constraint validation,
+ * the profile request is processed here.
+ */
+ public void serviceProfileRequest(IRequest request)
+ throws EBaseException {
+ CMS.debug("CAService: serviceProfileRequest requestId=" +
+ request.getRequestId().toString());
+
+ String profileId = request.getExtDataInString("profileId");
+
+ if (profileId == null || profileId.equals("")) {
+ throw new EBaseException("profileId not found");
+ }
+
+ IProfileSubsystem ps = (IProfileSubsystem)
+ CMS.getSubsystem("profile");
+ IProfile profile = null;
+
+ try {
+ profile = ps.getProfile(profileId);
+ } catch (EProfileException e) {
+ }
+ if (profile == null) {
+ throw new EProfileException("Profile not found " + profileId);
+ }
+
+ // assumed rejected
+ request.setExtData("dbStatus", "NOT_UPDATED");
+
+ // profile.populate(request);
+ profile.validate(request);
+ profile.execute(request);
+
+ // This function is called only from ConnectorServlet
+
+ // serialize to request queue
+ }
+
+ /**
+ * method interface for IService
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST used whenever a user private key archive + * request is made. This is an option in a cert enrollment request detected by an RA or a CA, so, if selected, it + * should be logged immediately following the certificate request. + *
+ *
+ * @param request a certificate enrollment request from an RA or CA
+ * @return true or false
+ */
+ public boolean serviceRequest(IRequest request) {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+ String auditRequesterID = auditRequesterID();
+ String auditArchiveID = ILogger.SIGNED_AUDIT_NON_APPLICABLE;
+
+ boolean completed = false;
+
+ // short cut profile-based request
+ if (isProfileRequest(request)) {
+ try {
+ CMS.debug("CAServic: x0 requestStatus=" +
+ request.getRequestStatus().toString() + " instance=" + request);
+ serviceProfileRequest(request);
+ request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
+ CMS.debug("CAServic: x1 requestStatus=" + request.getRequestStatus().toString());
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+
+ return true;
+ } catch (EBaseException e) {
+ CMS.debug("CAServic: x2 requestStatus=" + request.getRequestStatus().toString());
+ // need to put error into the request
+ CMS.debug("CAService: serviceRequest " + e.toString());
+ request.setExtData(IRequest.RESULT, IRequest.RES_ERROR);
+ request.setExtData(IRequest.ERROR, e.toString());
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+
+ return false;
+ }
+ }
+
+ String type = request.getRequestType();
+ IServant servant = mServants.get(type);
+
+ if (servant == null) {
+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_INVALID_REQUEST_TYPE", type));
+ request.setExtData(IRequest.RESULT, IRequest.RES_ERROR);
+ request.setExtData(IRequest.ERROR,
+ new ECAException(CMS.getUserMessage("CMS_CA_UNRECOGNIZED_REQUEST_TYPE", type)));
+ // store a message in
the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + + return true; + } + + try { + // send request to KRA first + if (type.equals(IRequest.ENROLLMENT_REQUEST) && + isPKIArchiveOptionPresent(request) && mKRAConnector != null) { + if (Debug.ON) { + Debug.trace("*** Sending enrollment request to KRA"); + } + boolean sendStatus = mKRAConnector.send(request); + + if (mArchivalRequired == true) { + if (sendStatus == false) { + request.setExtData(IRequest.RESULT, + IRequest.RES_ERROR); + request.setExtData(IRequest.ERROR, + new ECAException(CMS.getUserMessage("CMS_CA_SEND_KRA_REQUEST"))); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + + return true; + } else { + if (request.getExtDataInString(IRequest.ERROR) != null) { + request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); + request.deleteExtData(IRequest.ERROR); + } + } + if (request.getExtDataInString(IRequest.ERROR) != null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + + return true; + } + } + } else { + if (Debug.ON) { + Debug.trace("*** NOT Send to KRA type=" + type + " ENROLLMENT=" + IRequest.ENROLLMENT_REQUEST); + } + } + + completed = servant.service(request); + request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); + } catch (EBaseException e) { + request.setExtData(IRequest.RESULT, IRequest.RES_ERROR); + request.setExtData(IRequest.ERROR, e); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + 
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + + return true; + } + + // XXX in case of key archival this may not always be the case. + if (Debug.ON) + Debug.trace("serviceRequest completed = " + completed); + + if (!(type.equals(IRequest.REVOCATION_REQUEST) || + type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + } + + return completed; + } + + /** + * register CRL Issuing Point + */ + public void addCRLIssuingPoint(String id, ICRLIssuingPoint crlIssuingPoint) { + mCRLIssuingPoints.put(id, crlIssuingPoint); + } + + /** + * get CRL Issuing Point + */ + public Hashtable getCRLIssuingPoints() { + return mCRLIssuingPoints; + } + + /** + * Checks if PKIArchiveOption present in the request. + */ + private boolean isPKIArchiveOptionPresent(IRequest request) { + String crmfBlob = request.getExtDataInString( + IRequest.HTTP_PARAMS, CRMF_REQUEST); + + if (crmfBlob == null) { + if (Debug.ON) { + Debug.trace("CRMF not found"); + } + } else { + try { + PKIArchiveOptionsContainer opts[] = CRMFParser.getPKIArchiveOptions(crmfBlob); + + if (opts != null) { + return true; + } + } catch (IOException e) { + } + return false; + } + return false; + } + + /// + /// CA related routines. + /// + + public X509CertImpl issueX509Cert(X509CertInfo certi) + throws EBaseException { + return issueX509Cert(certi, null, null); + } + + /** + * issue cert for enrollment. 
+ */ + public X509CertImpl issueX509Cert(X509CertInfo certi, String profileId, String rid) + throws EBaseException { + CMS.debug("issueX509Cert"); + X509CertImpl certImpl = issueX509Cert("", certi, false, null); + + CMS.debug("storeX509Cert " + certImpl.getSerialNumber()); + storeX509Cert(profileId, rid, certImpl); + CMS.debug("done storeX509Cert"); + return certImpl; + } + + X509CertImpl issueX509Cert(String rid, X509CertInfo certi) + throws EBaseException { + return issueX509Cert(rid, certi, false, null); + } + + /** + * issue cert for enrollment. + */ + void storeX509Cert(String profileId, String rid, X509CertImpl cert) + throws EBaseException { + storeX509Cert(rid, cert, false, null, null, null, profileId); + } + + /** + * issue cert for enrollment. + */ + void storeX509Cert(String rid, X509CertImpl cert, String crmfReqId) + throws EBaseException { + storeX509Cert(rid, cert, false, null, crmfReqId, null, null); + } + + void storeX509Cert(String rid, X509CertImpl cert, String crmfReqId, + String challengePassword) throws EBaseException { + storeX509Cert(rid, cert, false, null, crmfReqId, challengePassword, null); + } + + /** + * issue cert for enrollment and renewal. + * renewal is expected to have original cert serial no. in cert info + * field. + */ + X509CertImpl issueX509Cert(String rid, X509CertInfo certi, + boolean renewal, BigInteger oldSerialNo) + throws EBaseException { + String algname = null; + X509CertImpl cert = null; + + // NOTE: In this implementation, the "oldSerialNo" + // parameter is NOT used! + + boolean doUTF8 = mConfig.getBoolean("dnUTF8Encoding", false); + + CMS.debug("dnUTF8Encoding " + doUTF8); + + try { + // check required fields in certinfo. + if (certi.get(X509CertInfo.SUBJECT) == null || + certi.get(X509CertInfo.KEY) == null) { + + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_MISSING_ATTR")); + // XXX how do you reject a request in the service object ? 
+ throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_REQD_FIELDS_IN_CERTISSUE")); + } + + // set default cert version. If policies added a extensions + // the version would already be set to version 3. + if (certi.get(X509CertInfo.VERSION) == null) { + certi.set(X509CertInfo.VERSION, mCA.getDefaultCertVersion()); + } + + // set default validity if not set. + // validity would normally be set by policies or by + // agent or by authentication module. + CertificateValidity validity = (CertificateValidity) + certi.get(X509CertInfo.VALIDITY); + Date begin = null, end = null; + + if (validity != null) { + begin = (Date) + validity.get(CertificateValidity.NOT_BEFORE); + end = (Date) + validity.get(CertificateValidity.NOT_AFTER); + } + if (validity == null || + (begin.getTime() == 0 && end.getTime() == 0)) { + if (Debug.ON) { + Debug.trace("setting default validity"); + } + + begin = CMS.getCurrentDate(); + end = new Date(begin.getTime() + mCA.getDefaultValidity()); + certi.set(CertificateValidity.NAME, + new CertificateValidity(begin, end)); + } + + /* + * For non-CA certs, check if validity exceeds CA time. + * If so, set to CA's not after if default validity + * exceeds ca's not after. 
+ */ + + // First find out if it is a CA cert + boolean is_ca = false; + CertificateExtensions exts = null; + BasicConstraintsExtension bc_ext = null; + + try { + exts = (CertificateExtensions) + certi.get(X509CertInfo.EXTENSIONS); + if (exts != null) { + Enumeration e = exts.getAttributes(); + + while (e.hasMoreElements()) { + netscape.security.x509.Extension ext = (netscape.security.x509.Extension) e.nextElement(); + + if (ext.getExtensionId().toString().equals(PKIXExtensions.BasicConstraints_Id.toString())) { + bc_ext = (BasicConstraintsExtension) ext; + } + } + + if (bc_ext != null) { + Boolean isCA = (Boolean) bc_ext.get(BasicConstraintsExtension.IS_CA); + is_ca = isCA.booleanValue(); + } + } // exts != null + } catch (Exception e) { + CMS.debug("EnrollDefault: getExtension " + e.toString()); + } + + Date caNotAfter = + mCA.getSigningUnit().getCertImpl().getNotAfter(); + + if (begin.after(caNotAfter)) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_PAST_VALIDITY")); + throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_BEGIN_AFTER_CA_VALIDITY")); + } + + if (end.after(caNotAfter)) { + if (!is_ca) { + if (!mCA.isEnablePastCATime()) { + end = caNotAfter; + certi.set(CertificateValidity.NAME, + new CertificateValidity(begin, caNotAfter)); + CMS.debug("CAService: issueX509Cert: cert past CA's NOT_AFTER...ca.enablePastCATime != true...resetting"); + } else { + CMS.debug("CAService: issueX509Cert: cert past CA's NOT_AFTER...ca.enablePastCATime = true...not resetting"); + } + } else { + CMS.debug("CAService: issueX509Cert: CA cert issuance past CA's NOT_AFTER."); + } //!is_ca + mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_PAST_NOT_AFTER")); + } + + // check algorithm in certinfo. 
+ AlgorithmId algid = null; + CertificateAlgorithmId algor = (CertificateAlgorithmId) + certi.get(X509CertInfo.ALGORITHM_ID); + + if (algor == null || algor.toString().equals(CertInfo.SERIALIZE_ALGOR.toString())) { + algname = mCA.getSigningUnit().getDefaultAlgorithm(); + algid = AlgorithmId.get(algname); + certi.set(X509CertInfo.ALGORITHM_ID, + new CertificateAlgorithmId(algid)); + } else { + algid = (AlgorithmId) + algor.get(CertificateAlgorithmId.ALGORITHM); + algname = algid.getName(); + } + } catch (CertificateException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_BAD_FIELD", e.toString())); + if (Debug.ON) { + e.printStackTrace(); + } + throw new ECAException( + CMS.getUserMessage("CMS_CA_ERROR_GETTING_FIELDS_IN_ISSUE")); + } catch (IOException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_BAD_FIELD", e.toString())); + if (Debug.ON) { + e.printStackTrace(); + } + throw new ECAException( + CMS.getUserMessage("CMS_CA_ERROR_GETTING_FIELDS_IN_ISSUE")); + } catch (NoSuchAlgorithmException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname)); + if (Debug.ON) { + e.printStackTrace(); + } + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + } + + // get old cert serial number if renewal + if (renewal) { + try { + CertificateSerialNumber serialno = (CertificateSerialNumber) + certi.get(X509CertInfo.SERIAL_NUMBER); + + if (serialno == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NULL_SERIAL_NUMBER")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } + SerialNumber serialnum = (SerialNumber) + serialno.get(CertificateSerialNumber.NUMBER); + + if (serialnum == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NULL_SERIAL_NUMBER")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } + } catch (CertificateException e) { + // 
not possible + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NO_ORG_SERIAL", e.getMessage())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } catch (IOException e) { + // not possible. + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NO_ORG_SERIAL", e.getMessage())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } + } + + // set issuer, serial number + try { + BigInteger serialNo = + mCA.getCertificateRepository().getNextSerialNumber(); + + certi.set(X509CertInfo.SERIAL_NUMBER, + new CertificateSerialNumber(serialNo)); + mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_SIGN_SERIAL", serialNo.toString(16))); + } catch (EBaseException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NO_NEXT_SERIAL", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_NOSERIALNO", rid)); + } catch (CertificateException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_SERIAL", e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SET_SERIALNO_FAILED", rid)); + } catch (IOException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_SERIAL", e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SET_SERIALNO_FAILED", rid)); + } + + try { + certi.set(X509CertInfo.ISSUER, + new CertificateIssuerName(mCA.getX500Name())); + } catch (CertificateException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_ISSUER", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid)); + } catch (IOException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_ISSUER", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid)); + } + + byte[] utf8_encodingOrder = { DerValue.tag_UTF8String }; + + if (doUTF8 == true) { + try { + + CMS.debug("doUTF8 true, updating subject."); + + String subject = 
certi.get(X509CertInfo.SUBJECT).toString(); + + certi.set(X509CertInfo.SUBJECT, new CertificateSubjectName( + new X500Name(subject, + new LdapV3DNStrConverter(X500NameAttrMap.getDirDefault(), true), utf8_encodingOrder))); + + } catch (CertificateException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_SUBJECT", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid)); + } catch (IOException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_SUBJECT", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid)); + } + } + + CMS.debug("About to mCA.sign cert."); + cert = mCA.sign(certi, algname); + return cert; + } + + void storeX509Cert(String rid, X509CertImpl cert, + boolean renewal, BigInteger oldSerialNo) + throws EBaseException { + storeX509Cert(rid, cert, renewal, oldSerialNo, null, null, null); + } + + void storeX509Cert(String rid, X509CertImpl cert, + boolean renewal, BigInteger oldSerialNo, String crmfReqId, + String challengePassword, String profileId) throws EBaseException { + // now store in repository. + // if renewal, set the old serial number in the new cert, + // set the new serial number in the old cert. 
+ + CMS.debug("In storeX509Cert"); + try { + BigInteger newSerialNo = cert.getSerialNumber(); + MetaInfo metaInfo = new MetaInfo(); + + if (profileId != null) + metaInfo.set("profileId", profileId); + if (rid != null) + metaInfo.set(CertRecord.META_REQUEST_ID, rid); + if (challengePassword != null && !challengePassword.equals("")) + metaInfo.set("challengePhrase", challengePassword); + if (crmfReqId != null) { + //System.out.println("Adding crmf reqid "+crmfReqId); + metaInfo.set(CertRecord.META_CRMF_REQID, crmfReqId); + } + if (renewal) + metaInfo.set(CertRecord.META_OLD_CERT, oldSerialNo.toString()); + mCA.getCertificateRepository().addCertificateRecord( + new CertRecord(newSerialNo, cert, metaInfo)); + + mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_STORE_SERIAL", cert.getSerialNumber().toString(16))); + if (renewal) { + + /* + mCA.getCertificateRepository().markCertificateAsRenewed( + BigIntegerMapper.BigIntegerToDB(oldSerialNo)); + mCA.mCertRepot.markCertificateAsRenewed(oldSerialNo); + */ + MetaInfo oldMeta = null; + CertRecord oldCertRec = (CertRecord) + mCA.getCertificateRepository().readCertificateRecord(oldSerialNo); + + if (oldCertRec == null) { + Exception e = + new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Cannot read cert record for " + oldSerialNo)); + + e.printStackTrace(); + } + if (oldCertRec != null) + oldMeta = oldCertRec.getMetaInfo(); + if (oldMeta == null) { + if (Debug.ON) { + Debug.trace("No meta info! 
for " + oldSerialNo); + } + oldMeta = new MetaInfo(); + } else { + if (Debug.ON) { + System.out.println("Old meta info"); + Enumeration n = oldMeta.getElements(); + + while (n.hasMoreElements()) { + String name = n.nextElement(); + + System.out.println("name " + name + " value " + + oldMeta.get(name)); + } + } + } + oldMeta.set(CertRecord.META_RENEWED_CERT, + newSerialNo.toString()); + ModificationSet modSet = new ModificationSet(); + + modSet.add(CertRecord.ATTR_AUTO_RENEW, + Modification.MOD_REPLACE, + CertRecord.AUTO_RENEWAL_DONE); + modSet.add(ICertRecord.ATTR_META_INFO, + Modification.MOD_REPLACE, oldMeta); + mCA.getCertificateRepository().modifyCertificateRecord(oldSerialNo, modSet); + mCA.log(ILogger.LL_INFO, + CMS.getLogMessage("CMSCORE_CA_MARK_SERIAL", oldSerialNo.toString(16), newSerialNo.toString(16))); + if (Debug.ON) { + CertRecord check = (CertRecord) + mCA.getCertificateRepository().readCertificateRecord(oldSerialNo); + MetaInfo meta = check.getMetaInfo(); + + Enumeration n = oldMeta.getElements(); + + while (n.hasMoreElements()) { + String name = n.nextElement(); + + } + } + } + } catch (EBaseException e) { + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_NO_STORE_SERIAL", cert.getSerialNumber().toString(16))); + if (Debug.ON) + e.printStackTrace(); + throw e; + } + } + + /** + * revoke cert, check fields in crlentry, etc. 
+ */ + public void revokeCert(RevokedCertImpl crlentry) + throws EBaseException { + revokeCert(crlentry, null); + } + + public void revokeCert(RevokedCertImpl crlentry, String requestId) + throws EBaseException { + BigInteger serialno = crlentry.getSerialNumber(); + Date revdate = crlentry.getRevocationDate(); + CRLExtensions crlentryexts = crlentry.getExtensions(); + + CertRecord certRec = (CertRecord) mCA.getCertificateRepository().readCertificateRecord(serialno); + + if (certRec == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_NOT_FOUND", serialno.toString(16))); + throw new ECAException( + CMS.getUserMessage("CMS_CA_CANT_FIND_CERT_SERIAL", + "0x" + serialno.toString(16))); + } + + // allow revoking certs that are on hold. + String certStatus = certRec.getStatus(); + + if (certStatus.equals(ICertRecord.STATUS_REVOKED) || + certStatus.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { + throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_ALREADY_REVOKED", + "0x" + Long.toHexString(serialno.longValue()))); + } + try { + mCA.getCertificateRepository().markAsRevoked(serialno, + new RevocationInfo(revdate, crlentryexts)); + mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_CERT_REVOKED", + serialno.toString(16))); + // inform all CRLIssuingPoints about revoked certificate + Enumeration eIPs = mCRLIssuingPoints.elements(); + + while (eIPs.hasMoreElements()) { + ICRLIssuingPoint ip = (ICRLIssuingPoint) eIPs.nextElement(); + + if (ip != null) { + boolean b = true; + + if (ip.isCACertsOnly()) { + X509CertImpl cert = certRec.getCertificate(); + + if (cert != null) + b = cert.getBasicConstraintsIsCA(); + } + if (ip.isProfileCertsOnly()) { + MetaInfo metaInfo = certRec.getMetaInfo(); + if (metaInfo != null) { + String profileId = (String) metaInfo.get("profileId"); + if (profileId != null) { + b = ip.checkCurrentProfile(profileId); + } + } + } + if (b) + ip.addRevokedCert(serialno, crlentry, requestId); + } + } + } catch (EBaseException e) { + 
mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ERROR_REVOCATION", serialno.toString(), e.toString())); + //e.printStackTrace(); + throw e; + } + return; + } + + /** + * unrevoke cert, check serial number, etc. + */ + void unrevokeCert(BigInteger serialNo) + throws EBaseException { + unrevokeCert(serialNo, null); + } + + void unrevokeCert(BigInteger serialNo, String requestId) + throws EBaseException { + CertRecord certRec = (CertRecord) mCA.getCertificateRepository().readCertificateRecord(serialNo); + + if (certRec == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_NOT_FOUND", serialNo.toString(16))); + throw new ECAException( + CMS.getUserMessage("CMS_CA_CANT_FIND_CERT_SERIAL", + "0x" + serialNo.toString(16))); + } + RevocationInfo revInfo = (RevocationInfo) certRec.getRevocationInfo(); + CRLExtensions exts = null; + CRLReasonExtension reasonext = null; + + if (revInfo == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", serialNo.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_IS_NOT_ON_HOLD", + serialNo.toString())); + } + exts = revInfo.getCRLEntryExtensions(); + if (exts != null) { + try { + reasonext = (CRLReasonExtension) + exts.get(CRLReasonExtension.NAME); + } catch (X509ExtensionException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", serialNo.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_IS_NOT_ON_HOLD", + serialNo.toString())); + } + } else { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", serialNo.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_IS_NOT_ON_HOLD", + serialNo.toString())); + } + // allow unrevoking certs that are on hold. 
+ if ((certRec.getStatus().equals(ICertRecord.STATUS_REVOKED) || + certRec.getStatus().equals(ICertRecord.STATUS_REVOKED_EXPIRED)) && + reasonext != null && + reasonext.getReason() == RevocationReason.CERTIFICATE_HOLD) { + try { + mCA.getCertificateRepository().unmarkRevoked(serialNo, revInfo, + certRec.getRevokedOn(), certRec.getRevokedBy()); + mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_CERT_UNREVOKED", serialNo.toString(16))); + // inform all CRLIssuingPoints about unrevoked certificate + Enumeration eIPs = mCRLIssuingPoints.elements(); + + while (eIPs.hasMoreElements()) { + ICRLIssuingPoint ip = eIPs.nextElement(); + + if (ip != null) { + boolean b = true; + + if (ip.isCACertsOnly()) { + X509CertImpl cert = certRec.getCertificate(); + + if (cert != null) + b = cert.getBasicConstraintsIsCA(); + } + if (ip.isProfileCertsOnly()) { + MetaInfo metaInfo = certRec.getMetaInfo(); + if (metaInfo != null) { + String profileId = (String) metaInfo.get("profileId"); + if (profileId != null) { + b = ip.checkCurrentProfile(profileId); + } + } + } + if (b) + ip.addUnrevokedCert(serialNo, requestId); + } + } + } catch (EBaseException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_ERROR_UNREVOKE", serialNo.toString(16))); + throw e; + } + } else { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", serialNo.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_IS_NOT_ON_HOLD", + "0x" + serialNo.toString(16))); + } + + return; + } + + /** + * Signed Audit Log + * + * This method is called to store messages to the signed audit log. + *

+ * + * @param msg signed audit log message + */ + private void audit(String msg) { + // in this case, do NOT strip preceding/trailing whitespace + // from passed-in String parameters + + if (mSignedAuditLogger == null) { + return; + } + + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); + } + + /** + * Signed Audit Log Subject ID + * + * This method is called to obtain the "SubjectID" for + * a signed audit log message. + *

+ * + * @return id string containing the signed audit log message SubjectID + */ + private String auditSubjectID() { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String subjectID = null; + + // Initialize subjectID + SessionContext auditContext = SessionContext.getExistingContext(); + + if (auditContext != null) { + subjectID = (String) + auditContext.get(SessionContext.USER_ID); + + if (subjectID != null) { + subjectID = subjectID.trim(); + } else { + subjectID = ILogger.NONROLEUSER; + } + } else { + subjectID = ILogger.UNIDENTIFIED; + } + + return subjectID; + } + + /** + * Signed Audit Log Requester ID + * + * This method is called to obtain the "RequesterID" for + * a signed audit log message. + *

+ * + * @return id string containing the signed audit log message RequesterID + */ + private String auditRequesterID() { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String requesterID = null; + + // Initialize requesterID + SessionContext auditContext = SessionContext.getExistingContext(); + + if (auditContext != null) { + requesterID = (String) + auditContext.get(SessionContext.REQUESTER_ID); + + if (requesterID != null) { + requesterID = requesterID.trim(); + } else { + requesterID = ILogger.UNIDENTIFIED; + } + } else { + requesterID = ILogger.UNIDENTIFIED; + } + + return requesterID; + } +} + +/// +/// servant classes +/// + +interface IServant { + public boolean service(IRequest request) throws EBaseException; +} + +class serviceIssue implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + + public serviceIssue(CAService service) { + mService = service; + mCA = mService.getCA(); + } + + public boolean service(IRequest request) + throws EBaseException { + // XXX This is ugly. should associate attributes with + // request types, not policy. + // XXX how do we know what to look for in request ? + + if (request.getExtDataInCertInfoArray(IRequest.CERT_INFO) != null) + return serviceX509(request); + else + return false; // Don't know what it is ????? + } + + public boolean serviceX509(IRequest request) + throws EBaseException { + // XXX This is ugly. should associate attributes with + // request types, not policy. + // XXX how do we know what to look for in request ? 
+ X509CertInfo certinfos[] = + request.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (certinfos == null || certinfos[0] == null) { + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CERT_REQUEST_NOT_FOUND", request.getRequestId().toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_ISSUEREQ")); + } + String challengePassword = + request.getExtDataInString(CAService.CHALLENGE_PHRASE); + + X509CertImpl[] certs = new X509CertImpl[certinfos.length]; + String rid = request.getRequestId().toString(); + int i; + + for (i = 0; i < certinfos.length; i++) { + try { + certs[i] = mService.issueX509Cert(rid, certinfos[i]); + } catch (EBaseException e) { + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUE_ERROR", Integer.toString(i), rid, e.toString())); + throw e; + } + } + String crmfReqId = request.getExtDataInString(IRequest.CRMF_REQID); + EBaseException ex = null; + + for (i = 0; i < certs.length; i++) { + try { + mService.storeX509Cert(rid, certs[i], crmfReqId, challengePassword); + } catch (EBaseException e) { + e.printStackTrace(); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_STORE_ERROR", Integer.toString(i), rid, e.toString())); + ex = e; // save to throw later. + break; + } + } + if (ex != null) { + for (int j = 0; j < i; j++) { + // delete the stored cert records from the database. + // we issue all or nothing. 
+ BigInteger serialNo = + ((X509Certificate) certs[i]).getSerialNumber(); + + try { + mCA.getCertificateRepository().deleteCertificateRecord(serialNo); + } catch (EBaseException e) { + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_DELETE_CERT_ERROR", serialNo.toString(), e.toString())); + } + } + throw ex; + } + + request.setExtData(IRequest.ISSUED_CERTS, certs); + + return true; + } +} + +class serviceRenewal implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + + public serviceRenewal(CAService service) { + mService = service; + mCA = mService.getCA(); + } + + public boolean service(IRequest request) + throws EBaseException { + // XXX if one fails should all fail ? - can't backtrack. + X509CertInfo certinfos[] = + request.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (certinfos == null || certinfos[0] == null) { + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CERT_REQUEST_NOT_FOUND", request.getRequestId().toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } + X509CertImpl issuedCerts[] = new X509CertImpl[certinfos.length]; + + for (int j = 0; j < issuedCerts.length; j++) + issuedCerts[j] = null; + String svcerrors[] = new String[certinfos.length]; + + for (int k = 0; k < svcerrors.length; k++) + svcerrors[k] = null; + String rid = request.getRequestId().toString(); + + for (int i = 0; i < certinfos.length; i++) { + try { + // get old serial number. 
+ SerialNumber serialnum = null; + + try { + CertificateSerialNumber serialno = (CertificateSerialNumber) + certinfos[i].get(X509CertInfo.SERIAL_NUMBER); + + if (serialno == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NULL_SERIAL_NUMBER")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } + serialnum = (SerialNumber) + serialno.get(CertificateSerialNumber.NUMBER); + } catch (IOException e) { + if (Debug.ON) + e.printStackTrace(); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ERROR_GET_CERT", e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } catch (CertificateException e) { + if (Debug.ON) + e.printStackTrace(); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ERROR_GET_CERT", e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } + if (serialnum == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ERROR_GET_CERT", "")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } + BigInt serialnumBigInt = serialnum.getNumber(); + BigInteger oldSerialNo = serialnumBigInt.toBigInteger(); + + // get cert record + CertRecord certRecord = (CertRecord) + mCA.getCertificateRepository().readCertificateRecord(oldSerialNo); + + if (certRecord == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NOT_FROM_CA", oldSerialNo.toString())); + svcerrors[i] = new ECAException( + CMS.getUserMessage("CMS_CA_CANT_FIND_CERT_SERIAL", + oldSerialNo.toString())).toString(); + continue; + } + + // check if cert has been revoked. 
+ String certStatus = certRecord.getStatus(); + + if (certStatus.equals(ICertRecord.STATUS_REVOKED) || + certStatus.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_RENEW_REVOKED", oldSerialNo.toString())); + svcerrors[i] = new ECAException( + CMS.getUserMessage("CMS_CA_CANNOT_RENEW_REVOKED_CERT", + "0x" + oldSerialNo.toString(16))).toString(); + continue; + } + + // check if cert has already been renewed. + MetaInfo metaInfo = certRecord.getMetaInfo(); + + if (metaInfo != null) { + String renewed = (String) + metaInfo.get(ICertRecord.META_RENEWED_CERT); + + if (renewed != null) { + BigInteger serial = new BigInteger(renewed); + X509CertImpl cert = + mCA.getCertificateRepository().getX509Certificate(serial); + + if (cert == null) { + // something wrong + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_MISSING_RENEWED", serial.toString())); + svcerrors[i] = new ECAException( + CMS.getUserMessage("CMS_CA_ERROR_GETTING_RENEWED_CERT", + oldSerialNo.toString(), serial.toString())).toString(); + continue; + } + // get cert record + CertRecord cRecord = (CertRecord) + mCA.getCertificateRepository().readCertificateRecord(serial); + + if (cRecord == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NOT_FROM_CA", serial.toString())); + svcerrors[i] = new ECAException( + CMS.getUserMessage("CMS_CA_CANT_FIND_CERT_SERIAL", + serial.toString())).toString(); + continue; + } + // Check renewed certificate already REVOKED or EXPIRED + String status = cRecord.getStatus(); + + if (status.equals(ICertRecord.STATUS_REVOKED) || + status.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { + Debug.trace("It is already revoked or Expired !!!"); + } // it is still new ... So just return this certificate to user + else { + Debug.trace("It is still new !!!"); + issuedCerts[i] = cert; + continue; + } + } + } + + // issue the cert. 
+ issuedCerts[i] = + mService.issueX509Cert(rid, certinfos[i], true, oldSerialNo); + mService.storeX509Cert(rid, issuedCerts[i], true, oldSerialNo); + } catch (ECAException e) { + svcerrors[i] = e.toString(); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CANNOT_RENEW", Integer.toString(i), request + .getRequestId().toString())); + } + } + + // always set issued certs regardless of error. + request.setExtData(IRequest.ISSUED_CERTS, issuedCerts); + + // set and throw error if any. + int l; + + for (l = svcerrors.length - 1; l >= 0 && svcerrors[l] == null; l--) + ; + if (l >= 0) { + request.setExtData(IRequest.SVCERRORS, svcerrors); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NO_RENEW", request.getRequestId().toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_RENEW_FAILED")); + } + return true; + } +} + +class getCertsForChallenge implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + + public getCertsForChallenge(CAService service) { + mService = service; + mCA = mService.getCA(); + } + + public boolean service(IRequest request) + throws EBaseException { + BigInteger[] serialNoArray = + request.getExtDataInBigIntegerArray(CAService.SERIALNO_ARRAY); + X509CertImpl[] certs = new X509CertImpl[serialNoArray.length]; + + for (int i = 0; i < serialNoArray.length; i++) { + certs[i] = mCA.getCertificateRepository().getX509Certificate(serialNoArray[i]); + } + request.setExtData(IRequest.OLD_CERTS, certs); + return true; + } +} + +class getCertStatus implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + + public getCertStatus(CAService service) { + mService = service; + mCA = mService.getCA(); + } + + public boolean service(IRequest request) throws EBaseException { + BigInteger serialno = request.getExtDataInBigInteger("serialNumber"); + String issuerDN = request.getExtDataInString("issuerDN"); + CertificateRepository certDB = (CertificateRepository) + 
mCA.getCertificateRepository();
+
+ String status = null;
+
+ if (serialno != null) {
+ CertRecord record = null;
+
+ try {
+ record = (CertRecord) certDB.readCertificateRecord(serialno);
+ } catch (EBaseException ee) {
+ Debug.trace(ee.toString());
+ }
+
+ if (record != null) {
+ status = record.getStatus();
+ if (status.equals("VALID")) {
+ X509CertImpl cacert = mCA.getCACert();
+ Principal p = cacert.getSubjectDN();
+
+ if (!p.toString().equals(issuerDN)) {
+ status = "INVALIDCERTROOT";
+ }
+ }
+ }
+ }
+
+ request.setExtData(IRequest.CERT_STATUS, status);
+ return true;
+ }
+}
+
+class serviceCheckChallenge implements IServant {
+ private ICertificateAuthority mCA;
+ private CAService mService;
+ private MessageDigest mSHADigest = null;
+
+ public serviceCheckChallenge(CAService service) {
+ mService = service;
+ mCA = mService.getCA();
+ try {
+ mSHADigest = MessageDigest.getInstance("SHA1");
+ } catch (NoSuchAlgorithmException e) {
+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
+ }
+ }
+
+ public boolean service(IRequest request)
+ throws EBaseException {
+ // note: some request attributes used below are set in
+ // authentication/ChallengePhraseAuthentication.java :(
+ BigInteger serialno = request.getExtDataInBigInteger("serialNumber");
+ String pwd = request.getExtDataInString(
+ CAService.CHALLENGE_PHRASE);
+ CertificateRepository certDB = (CertificateRepository) mCA.getCertificateRepository();
+ BigInteger[] bigIntArray = null;
+
+ if (serialno != null) {
+ CertRecord record = null;
+
+ try {
+ record = (CertRecord) certDB.readCertificateRecord(serialno);
+ } catch (EBaseException ee) {
+ Debug.trace(ee.toString());
+ }
+ if (record != null) {
+ String status = record.getStatus();
+
+ if (status.equals("VALID")) {
+ boolean samepwd = compareChallengePassword(record, pwd);
+
+ if (samepwd) {
+ bigIntArray = new BigInteger[1];
+ bigIntArray[0] = record.getSerialNumber();
+ }
+ } else {
+ bigIntArray = new BigInteger[0];
+
}
+ } else
+ bigIntArray = new BigInteger[0];
+ } else {
+ String subjectName = request.getExtDataInString("subjectName");
+
+ if (subjectName != null) {
+ String filter = "(&(x509cert.subject=" + subjectName + ")(certStatus=VALID))";
+ ICertRecordList list = certDB.findCertRecordsInList(filter, null, 10);
+ int size = list.getSize();
+ Enumeration en = list.getCertRecords(0, size - 1);
+
+ if (!en.hasMoreElements()) {
+ bigIntArray = new BigInteger[0];
+ } else {
+ Vector idv = new Vector();
+
+ while (en.hasMoreElements()) {
+ ICertRecord record = en.nextElement();
+ boolean samepwd = compareChallengePassword(record, pwd);
+
+ if (samepwd) {
+ BigInteger id = record.getSerialNumber();
+
+ idv.addElement(id);
+ }
+ }
+ bigIntArray = new BigInteger[idv.size()];
+ idv.copyInto(bigIntArray);
+ }
+ }
+ }
+
+ if (bigIntArray == null)
+ bigIntArray = new BigInteger[0];
+
+ request.setExtData(CAService.SERIALNO_ARRAY, bigIntArray);
+ return true;
+ }
+
+ private boolean compareChallengePassword(ICertRecord record, String pwd)
+ throws EBaseException {
+ MetaInfo metaInfo = (MetaInfo) record.get(CertRecord.ATTR_META_INFO);
+
+ if (metaInfo == null) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "metaInfo"));
+ }
+
+ String hashpwd = hashPassword(pwd);
+
+ // got metaInfo
+ String challengeString =
+ (String) metaInfo.get(CertRecord.META_CHALLENGE_PHRASE);
+
+ if (!challengeString.equals(hashpwd)) {
+ return false;
+ } else
+ return true;
+ }
+
+ private String hashPassword(String pwd) {
+ String salt = "lala123";
+ byte[] pwdDigest = mSHADigest.digest((salt + pwd).getBytes());
+ String b64E = Utils.base64encode(pwdDigest);
+
+ return "{SHA}" + b64E;
+ }
+}
+
+class serviceRevoke implements IServant {
+ private ICertificateAuthority mCA;
+ private CAService mService;
+
+ public serviceRevoke(CAService service) {
+ mService = service;
+ mCA = mService.getCA();
+ }
+
+ public boolean service(IRequest request)
+ throws EBaseException {
+ boolean
sendStatus = true;
+ // XXX Need to think passing as array.
+ // XXX every implemented according to servlet.
+ RevokedCertImpl crlentries[] =
+ request.getExtDataInRevokedCertArray(IRequest.CERT_INFO);
+
+ if (crlentries == null ||
+ crlentries.length == 0 ||
+ crlentries[0] == null) {
+ // XXX should this be an error ?
+ mCA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_CRL_NOT_FOUND", request.getRequestId().toString()));
+ throw new ECAException(CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_REVREQ"));
+ }
+
+ RevokedCertImpl revokedCerts[] =
+ new RevokedCertImpl[crlentries.length];
+ String svcerrors[] = null;
+
+ for (int i = 0; i < crlentries.length; i++) {
+ try {
+ mService.revokeCert(crlentries[i], request.getRequestId().toString());
+ revokedCerts[i] = crlentries[i];
+ } catch (ECAException e) {
+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CANNOT_REVOKE", Integer.toString(i), request
+ .getRequestId().toString(), e.toString()));
+ revokedCerts[i] = null;
+ if (svcerrors == null) {
+ svcerrors = new String[revokedCerts.length];
+ }
+ svcerrors[i] = e.toString();
+ }
+ }
+
+ // #605941 - request.get(IRequest.CERT_INFO) store exact same thing
+ // request.set(IRequest.REVOKED_CERTS, revokedCerts);
+
+ // if clone ca, send revoked cert records to CLA
+ if (CAService.mCLAConnector != null) {
+ CMS.debug(CMS.getLogMessage("CMSCORE_CA_CLONE_READ_REVOKED"));
+ BigInteger revokedCertIds[] =
+ new BigInteger[revokedCerts.length];
+
+ for (int i = 0; i < revokedCerts.length; i++) {
+ revokedCertIds[i] = revokedCerts[i].getSerialNumber();
+ }
+ request.deleteExtData(IRequest.CERT_INFO);
+ request.deleteExtData(IRequest.OLD_CERTS);
+ request.setExtData(IRequest.REVOKED_CERT_RECORDS, revokedCertIds);
+
+ CMS.debug(CMS.getLogMessage("CMSCORE_CA_CLONE_READ_REVOKED_CONNECTOR"));
+
+ request.setRequestType(IRequest.CLA_CERT4CRL_REQUEST);
+ sendStatus = CAService.mCLAConnector.send(request);
+ if (sendStatus == false) {
+
request.setExtData(IRequest.RESULT,
+ IRequest.RES_ERROR);
+ request.setExtData(IRequest.ERROR,
+ new ECAException(CMS.getUserMessage("CMS_CA_SEND_CLA_REQUEST")));
+ return sendStatus;
+ } else {
+ if (request.getExtDataInString(IRequest.ERROR) != null) {
+ request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
+ request.deleteExtData(IRequest.ERROR);
+ }
+ }
+ if (request.getExtDataInString(IRequest.ERROR) != null) {
+ return sendStatus;
+ }
+ }
+
+ if (svcerrors != null) {
+ request.setExtData(IRequest.SVCERRORS, svcerrors);
+ throw new ECAException(CMS.getUserMessage("CMS_CA_REVOKE_FAILED"));
+ }
+
+ if (Debug.ON) {
+ Debug.trace("serviceRevoke sendStatus=" + sendStatus);
+ }
+
+ return sendStatus;
+ }
+}
+
+class serviceUnrevoke implements IServant {
+ private ICertificateAuthority mCA;
+ private CAService mService;
+
+ public serviceUnrevoke(CAService service) {
+ mService = service;
+ mCA = mService.getCA();
+ }
+
+ public boolean service(IRequest request)
+ throws EBaseException {
+ boolean sendStatus = true;
+ BigInteger oldSerialNo[] =
+ request.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS);
+
+ if (oldSerialNo == null || oldSerialNo.length < 1) {
+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_UNREVOKE_MISSING_SERIAL"));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_MISSING_SERIAL_NUMBER"));
+ }
+
+ String svcerrors[] = null;
+ boolean needOldCerts = false;
+ X509CertImpl oldCerts[] = request.getExtDataInCertArray(IRequest.OLD_CERTS);
+
+ if (oldCerts == null || oldCerts.length < 1) {
+ needOldCerts = true;
+ oldCerts = new X509CertImpl[oldSerialNo.length];
+ }
+
+ for (int i = 0; i < oldSerialNo.length; i++) {
+ try {
+ if (oldSerialNo[i].compareTo(new BigInteger("0")) < 0) {
+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_UNREVOKE_MISSING_SERIAL"));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_MISSING_SERIAL_NUMBER"));
+ }
+ if (needOldCerts) {
+ CertRecord certRec = (CertRecord)
+
mCA.getCertificateRepository().readCertificateRecord(oldSerialNo[i]);
+
+ oldCerts[i] = certRec.getCertificate();
+ }
+ mService.unrevokeCert(oldSerialNo[i], request.getRequestId().toString());
+ } catch (ECAException e) {
+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_UNREVOKE_FAILED", oldSerialNo[i].toString(),
+ request.getRequestId().toString()));
+ if (svcerrors == null) {
+ svcerrors = new String[oldSerialNo.length];
+ }
+ svcerrors[i] = e.toString();
+ }
+ }
+
+ // if clone ca, send unrevoked cert serials to CLA
+ if (CAService.mCLAConnector != null) {
+ request.setRequestType(IRequest.CLA_UNCERT4CRL_REQUEST);
+ sendStatus = CAService.mCLAConnector.send(request);
+ if (sendStatus == false) {
+ request.setExtData(IRequest.RESULT,
+ IRequest.RES_ERROR);
+ request.setExtData(IRequest.ERROR,
+ new ECAException(CMS.getUserMessage("CMS_CA_SEND_CLA_REQUEST")));
+ return sendStatus;
+ } else {
+ if (request.getExtDataInString(IRequest.ERROR) != null) {
+ request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
+ request.deleteExtData(IRequest.ERROR);
+ }
+ }
+
+ }
+
+ if (needOldCerts) {
+ request.setExtData(IRequest.OLD_CERTS, oldCerts);
+ }
+
+ if (svcerrors != null) {
+ request.setExtData(IRequest.SVCERRORS, svcerrors);
+ throw new ECAException(CMS.getUserMessage("CMS_CA_UNREVOKE_FAILED"));
+ }
+
+ return sendStatus;
+ }
+}
+
+class serviceGetCAChain implements IServant {
+ private ICertificateAuthority mCA;
+ private CAService mService;
+
+ public serviceGetCAChain(CAService service) {
+ mService = service;
+ mCA = mService.getCA();
+ }
+
+ public boolean service(IRequest request) throws EBaseException {
+ CertificateChain certChain = mCA.getCACertChain();
+ ByteArrayOutputStream certChainOut = new ByteArrayOutputStream();
+ try {
+ certChain.encode(certChainOut);
+ } catch (IOException e) {
+ mCA.log(ILogger.LL_FAILURE, e.toString());
+ throw new EBaseException(e.toString());
+ }
+ request.setExtData(IRequest.CACERTCHAIN,
certChainOut.toByteArray());
+ return true;
+ }
+}
+
+class serviceGetCRL implements IServant {
+ private ICertificateAuthority mCA;
+ private CAService mService;
+
+ public serviceGetCRL(CAService service) {
+ mService = service;
+ mCA = mService.getCA();
+ }
+
+ public boolean service(IRequest request)
+ throws EBaseException {
+ try {
+ ICRLIssuingPointRecord crlRec =
+ mCA.getCRLRepository().readCRLIssuingPointRecord(
+ ICertificateAuthority.PROP_MASTER_CRL);
+ X509CRLImpl crl = new X509CRLImpl(crlRec.getCRL());
+
+ request.setExtData(IRequest.CRL, crl.getEncoded());
+ } catch (EBaseException e) {
+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_GETCRL_FIND_CRL"));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_CRL_ISSUEPT_NOT_FOUND", e.toString()));
+ } catch (CRLException e) {
+ mCA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_GETCRL_INST_CRL", ICertificateAuthority.PROP_MASTER_CRL));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_CRL_ISSUEPT_NOGOOD", ICertificateAuthority.PROP_MASTER_CRL));
+ } catch (X509ExtensionException e) {
+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_GETCRL_NO_ISSUING_REC"));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_CRL_ISSUEPT_EXT_NOGOOD",
+ ICertificateAuthority.PROP_MASTER_CRL));
+ }
+ return true;
+ }
+}
+
+class serviceGetRevocationInfo implements IServant {
+ private ICertificateAuthority mCA;
+ private CAService mService;
+
+ public serviceGetRevocationInfo(CAService service) {
+ mService = service;
+ mCA = mService.getCA();
+ }
+
+ public boolean service(IRequest request)
+ throws EBaseException {
+ Enumeration enum1 = request.getExtDataKeys();
+
+ while (enum1.hasMoreElements()) {
+ String name = enum1.nextElement();
+
+ if (name.equals(IRequest.ISSUED_CERTS)) {
+ X509CertImpl certsToCheck[] =
+ request.getExtDataInCertArray(IRequest.ISSUED_CERTS);
+
+ CertificateRepository certDB = (CertificateRepository) mCA.getCertificateRepository();
+ RevocationInfo info =
+ certDB.isCertificateRevoked(certsToCheck[0]);
+
+ if (info != null) {
+ RevokedCertImpl revokedCerts[] = new RevokedCertImpl[1];
+ RevokedCertImpl revokedCert = new RevokedCertImpl(
+ certsToCheck[0].getSerialNumber(),
+ info.getRevocationDate(),
+ info.getCRLEntryExtensions());
+
+ revokedCerts[0] = revokedCert;
+ request.setExtData(IRequest.REVOKED_CERTS, revokedCerts);
+ }
+ }
+ }
+ return true;
+ }
+}
+
+class serviceGetCertificates implements IServant {
+ private ICertificateAuthority mCA;
+ private CAService mService;
+
+ public serviceGetCertificates(CAService service) {
+ mService = service;
+ mCA = mService.getCA();
+ }
+
+ public boolean service(IRequest request)
+ throws EBaseException {
+ Enumeration enum1 = request.getExtDataKeys();
+
+ while (enum1.hasMoreElements()) {
+ String name = enum1.nextElement();
+
+ if (name.equals(IRequest.CERT_FILTER)) {
+ String filter = request.getExtDataInString(IRequest.CERT_FILTER);
+
+ CertificateRepository certDB = (CertificateRepository) mCA.getCertificateRepository();
+ X509CertImpl[] certs = certDB.getX509Certificates(filter);
+
+ if (certs != null) {
+ request.setExtData(IRequest.OLD_CERTS, certs);
+ }
+ }
+ }
+ return true;
+ }
+}
+
+class serviceCert4Crl implements IServant {
+ private ICertificateAuthority mCA;
+ private CAService mService;
+
+ public serviceCert4Crl(CAService service) {
+ mService = service;
+ mCA = mService.getCA();
+ }
+
+ public boolean service(IRequest request)
+ throws EBaseException {
+ // XXX Need to think passing as array.
+ // XXX every implemented according to servlet.
+ BigInteger revokedCertIds[] = request.getExtDataInBigIntegerArray(
+ IRequest.REVOKED_CERT_RECORDS);
+ if (revokedCertIds == null ||
+ revokedCertIds.length == 0) {
+ mCA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_CERT4CRL_NO_ENTRY", request.getRequestId().toString()));
+ throw new ECAException(CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_CLAREQ"));
+ }
+
+ CertRecord revokedCertRecs[] = new CertRecord[revokedCertIds.length];
+ for (int i = 0; i < revokedCertIds.length; i++) {
+ revokedCertRecs[i] = (CertRecord)
+ mCA.getCertificateRepository().readCertificateRecord(
+ revokedCertIds[i]);
+ }
+
+ if (revokedCertRecs == null ||
+ revokedCertRecs.length == 0 ||
+ revokedCertRecs[0] == null) {
+ // XXX should this be an error ?
+ mCA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_CERT4CRL_NO_ENTRY", request.getRequestId().toString()));
+ throw new ECAException(CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_CLAREQ"));
+ }
+
+ CertRecord recordedCerts[] =
+ new CertRecord[revokedCertRecs.length];
+ String svcerrors[] = null;
+
+ for (int i = 0; i < revokedCertRecs.length; i++) {
+ try {
+ // for CLA, record it into cert repost
+ ((CertificateRepository) mCA.getCertificateRepository()).addRevokedCertRecord(revokedCertRecs[i]);
+ // mService.revokeCert(crlentries[i]);
+ recordedCerts[i] = revokedCertRecs[i];
+ // inform all CRLIssuingPoints about revoked certificate
+ Hashtable hips = mService.getCRLIssuingPoints();
+ Enumeration eIPs = hips.elements();
+
+ while (eIPs.hasMoreElements()) {
+ ICRLIssuingPoint ip = eIPs.nextElement();
+ // form RevokedCertImpl
+ RevokedCertImpl rci =
+ new RevokedCertImpl(revokedCertRecs[i].getSerialNumber(),
+ revokedCertRecs[i].getRevokedOn());
+
+ if (ip != null) {
+ ip.addRevokedCert(revokedCertRecs[i].getSerialNumber(), rci);
+ }
+ }
+
+ } catch (ECAException e) {
+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT4CRL_NO_REC", Integer.toString(i),
+ request.getRequestId().toString(), e.toString()));
+
recordedCerts[i] = null;
+ if (svcerrors == null) {
+ svcerrors = new String[recordedCerts.length];
+ }
+ svcerrors[i] = e.toString();
+ }
+ }
+ //need to record which gets recorded and which failed...cfu
+ // request.set(IRequest.REVOKED_CERTS, revokedCerts);
+ if (svcerrors != null) {
+ request.setExtData(IRequest.SVCERRORS, svcerrors);
+ throw new ECAException(CMS.getUserMessage("CMS_CA_CERT4CRL_FAILED"));
+ }
+
+ return true;
+ }
+}
+
+class serviceUnCert4Crl implements IServant {
+ private ICertificateAuthority mCA;
+ private CAService mService;
+
+ public serviceUnCert4Crl(CAService service) {
+ mService = service;
+ mCA = mService.getCA();
+ }
+
+ public boolean service(IRequest request)
+ throws EBaseException {
+ BigInteger oldSerialNo[] =
+ request.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS);
+
+ if (oldSerialNo == null || oldSerialNo.length < 1) {
+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_UNREVOKE_MISSING_SERIAL"));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_MISSING_SERIAL_NUMBER"));
+ }
+
+ String svcerrors[] = null;
+
+ for (int i = 0; i < oldSerialNo.length; i++) {
+ try {
+ mCA.getCertificateRepository().deleteCertificateRecord(oldSerialNo[i]);
+ // inform all CRLIssuingPoints about unrevoked certificate
+ Hashtable hips = mService.getCRLIssuingPoints();
+ Enumeration eIPs = hips.elements();
+
+ while (eIPs.hasMoreElements()) {
+ ICRLIssuingPoint ip = eIPs.nextElement();
+
+ if (ip != null) {
+ ip.addUnrevokedCert(oldSerialNo[i]);
+ }
+ }
+ } catch (EBaseException e) {
+ mCA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_DELETE_CERT_ERROR", oldSerialNo[i].toString(), e.toString()));
+ if (svcerrors == null) {
+ svcerrors = new String[oldSerialNo.length];
+ }
+ svcerrors[i] = e.toString();
+ }
+
+ }
+
+ if (svcerrors != null) {
+ request.setExtData(IRequest.SVCERRORS, svcerrors);
+ throw new ECAException(CMS.getUserMessage("CMS_CA_UNCERT4CRL_FAILED"));
+ }
+
+ return true;
+ }
+}
diff --git a/base/ca/src/com/netscape/ca/CMSCRLExtensions.java b/base/ca/src/com/netscape/ca/CMSCRLExtensions.java
new file mode 100644
index 000000000..94693d69a
--- /dev/null
+++ b/base/ca/src/com/netscape/ca/CMSCRLExtensions.java
@@ -0,0 +1,711 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.ca;
+
+import java.io.IOException;
+import java.security.cert.CertificateException;
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.StringTokenizer;
+import java.util.Vector;
+
+import netscape.security.extensions.AuthInfoAccessExtension;
+import netscape.security.x509.AuthorityKeyIdentifierExtension;
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.CRLNumberExtension;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.DeltaCRLIndicatorExtension;
+import netscape.security.x509.Extension;
+import netscape.security.x509.FreshestCRLExtension;
+import netscape.security.x509.HoldInstructionExtension;
+import netscape.security.x509.InvalidityDateExtension;
+import netscape.security.x509.IssuerAlternativeNameExtension;
+import netscape.security.x509.IssuingDistributionPointExtension;
+import netscape.security.x509.OIDMap;
+import netscape.security.x509.PKIXExtensions;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.EPropertyNotDefined;
+import
com.netscape.certsrv.base.EPropertyNotFound;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.ca.ICMSCRLExtension;
+import com.netscape.certsrv.ca.ICMSCRLExtensions;
+import com.netscape.certsrv.ca.ICRLIssuingPoint;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.cms.crl.CMSIssuingDistributionPointExtension;
+import com.netscape.cmscore.base.SubsystemRegistry;
+
+public class CMSCRLExtensions implements ICMSCRLExtensions {
+ public static final String PROP_ENABLE = "enable";
+ public static final String PROP_EXTENSION = "extension";
+ public static final String PROP_CLASS = "class";
+ public static final String PROP_TYPE = "type";
+ public static final String PROP_CRITICAL = "critical";
+ public static final String PROP_CRL_EXT = "CRLExtension";
+ public static final String PROP_CRL_ENTRY_EXT = "CRLEntryExtension";
+
+ private ICRLIssuingPoint mCRLIssuingPoint = null;
+
+ private IConfigStore mConfig = null;
+ private IConfigStore mCRLExtConfig = null;
+
+ private Vector mCRLExtensionNames = new Vector();
+ private Vector mCRLEntryExtensionNames = new Vector();
+ private Vector mEnabledCRLExtensions = new Vector();
+ private Vector mCriticalCRLExtensions = new Vector();
+ private Hashtable mCRLExtensionClassNames = new Hashtable();
+ private Hashtable mCRLExtensionIDs = new Hashtable();
+
+ private static final Vector mDefaultCRLExtensionNames = new Vector();
+ private static final Vector mDefaultCRLEntryExtensionNames = new Vector();
+ private static final Vector mDefaultEnabledCRLExtensions = new Vector();
+ private static final Vector mDefaultCriticalCRLExtensions = new Vector();
+ private static final Hashtable mDefaultCRLExtensionClassNames = new Hashtable();
+ private static final Hashtable mDefaultCRLExtensionIDs = new Hashtable();
+
+ private ILogger mLogger =
CMS.getLogger();
+
+ static {
+
+ /* Default CRL Extensions */
+ mDefaultCRLExtensionNames.addElement(AuthorityKeyIdentifierExtension.NAME);
+ mDefaultCRLExtensionNames.addElement(IssuerAlternativeNameExtension.NAME);
+ mDefaultCRLExtensionNames.addElement(CRLNumberExtension.NAME);
+ mDefaultCRLExtensionNames.addElement(DeltaCRLIndicatorExtension.NAME);
+ mDefaultCRLExtensionNames.addElement(IssuingDistributionPointExtension.NAME);
+ mDefaultCRLExtensionNames.addElement(FreshestCRLExtension.NAME);
+ mDefaultCRLExtensionNames.addElement(AuthInfoAccessExtension.NAME2);
+
+ /* Default CRL Entry Extensions */
+ mDefaultCRLEntryExtensionNames.addElement(CRLReasonExtension.NAME);
+ //mDefaultCRLEntryExtensionNames.addElement(HoldInstructionExtension.NAME);
+ mDefaultCRLEntryExtensionNames.addElement(InvalidityDateExtension.NAME);
+ //mDefaultCRLEntryExtensionNames.addElement(CertificateIssuerExtension.NAME);
+
+ /* Default Enabled CRL Extensions */
+ mDefaultEnabledCRLExtensions.addElement(CRLNumberExtension.NAME);
+ //mDefaultEnabledCRLExtensions.addElement(DeltaCRLIndicatorExtension.NAME);
+ mDefaultEnabledCRLExtensions.addElement(CRLReasonExtension.NAME);
+ mDefaultEnabledCRLExtensions.addElement(InvalidityDateExtension.NAME);
+
+ /* Default Critical CRL Extensions */
+ mDefaultCriticalCRLExtensions.addElement(DeltaCRLIndicatorExtension.NAME);
+ mDefaultCriticalCRLExtensions.addElement(IssuingDistributionPointExtension.NAME);
+ //mDefaultCriticalCRLExtensions.addElement(CertificateIssuerExtension.NAME);
+
+ /* CRL extension IDs */
+ mDefaultCRLExtensionIDs.put(PKIXExtensions.AuthorityKey_Id.toString(),
+ AuthorityKeyIdentifierExtension.NAME);
+ mDefaultCRLExtensionIDs.put(PKIXExtensions.IssuerAlternativeName_Id.toString(),
+ IssuerAlternativeNameExtension.NAME);
+ mDefaultCRLExtensionIDs.put(PKIXExtensions.CRLNumber_Id.toString(),
+ CRLNumberExtension.NAME);
+ mDefaultCRLExtensionIDs.put(PKIXExtensions.DeltaCRLIndicator_Id.toString(),
+
DeltaCRLIndicatorExtension.NAME);
+ mDefaultCRLExtensionIDs.put(PKIXExtensions.IssuingDistributionPoint_Id.toString(),
+ IssuingDistributionPointExtension.NAME);
+ mDefaultCRLExtensionIDs.put(PKIXExtensions.ReasonCode_Id.toString(),
+ CRLReasonExtension.NAME);
+ mDefaultCRLExtensionIDs.put(PKIXExtensions.HoldInstructionCode_Id.toString(),
+ HoldInstructionExtension.NAME);
+ mDefaultCRLExtensionIDs.put(PKIXExtensions.InvalidityDate_Id.toString(),
+ InvalidityDateExtension.NAME);
+ //mDefaultCRLExtensionIDs.put(PKIXExtensions.CertificateIssuer_Id.toString(),
+ // CertificateIssuerExtension.NAME);
+ mDefaultCRLExtensionIDs.put(PKIXExtensions.FreshestCRL_Id.toString(),
+ FreshestCRLExtension.NAME);
+ mDefaultCRLExtensionIDs.put(AuthInfoAccessExtension.ID.toString(),
+ AuthInfoAccessExtension.NAME2);
+
+ /* Class names */
+ mDefaultCRLExtensionClassNames.put(AuthorityKeyIdentifierExtension.NAME,
+ "com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension");
+ mDefaultCRLExtensionClassNames.put(IssuerAlternativeNameExtension.NAME,
+ "com.netscape.cms.crl.CMSIssuerAlternativeNameExtension");
+ mDefaultCRLExtensionClassNames.put(CRLNumberExtension.NAME,
+ "com.netscape.cms.crl.CMSCRLNumberExtension");
+ mDefaultCRLExtensionClassNames.put(DeltaCRLIndicatorExtension.NAME,
+ "com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension");
+ mDefaultCRLExtensionClassNames.put(IssuingDistributionPointExtension.NAME,
+ "com.netscape.cms.crl.CMSIssuingDistributionPointExtension");
+ mDefaultCRLExtensionClassNames.put(CRLReasonExtension.NAME,
+ "com.netscape.cms.crl.CMSCRLReasonExtension");
+ mDefaultCRLExtensionClassNames.put(HoldInstructionExtension.NAME,
+ "com.netscape.cms.crl.CMSHoldInstructionExtension");
+ mDefaultCRLExtensionClassNames.put(InvalidityDateExtension.NAME,
+ "com.netscape.cms.crl.CMSInvalidityDateExtension");
+ //mDefaultCRLExtensionClassNames.put(CertificateIssuerExtension.NAME,
+ // "com.netscape.cms.crl.CMSCertificateIssuerExtension");
+
mDefaultCRLExtensionClassNames.put(FreshestCRLExtension.NAME,
+ "com.netscape.cms.crl.CMSFreshestCRLExtension");
+ mDefaultCRLExtensionClassNames.put(AuthInfoAccessExtension.NAME2,
+ "com.netscape.cms.crl.CMSAuthInfoAccessExtension");
+
+ try {
+ OIDMap.addAttribute(DeltaCRLIndicatorExtension.class.getName(),
+ DeltaCRLIndicatorExtension.OID,
+ DeltaCRLIndicatorExtension.NAME);
+ } catch (CertificateException e) {
+ }
+ try {
+ OIDMap.addAttribute(HoldInstructionExtension.class.getName(),
+ HoldInstructionExtension.OID,
+ HoldInstructionExtension.NAME);
+ } catch (CertificateException e) {
+ }
+ try {
+ OIDMap.addAttribute(InvalidityDateExtension.class.getName(),
+ InvalidityDateExtension.OID,
+ InvalidityDateExtension.NAME);
+ } catch (CertificateException e) {
+ }
+ try {
+ OIDMap.addAttribute(FreshestCRLExtension.class.getName(),
+ FreshestCRLExtension.OID,
+ FreshestCRLExtension.NAME);
+ } catch (CertificateException e) {
+ }
+ }
+
+ /**
+ * Constructs a CRL extensions for CRL issuing point.
+ */
+ public CMSCRLExtensions(ICRLIssuingPoint crlIssuingPoint, IConfigStore config) {
+ boolean modifiedConfig = false;
+
+ mConfig = config;
+ mCRLExtConfig = config.getSubStore(PROP_EXTENSION);
+ mCRLIssuingPoint = crlIssuingPoint;
+
+ IConfigStore mFileConfig =
+ SubsystemRegistry.getInstance().get("MAIN").getConfigStore();
+
+ IConfigStore crlExtConfig = mFileConfig;
+ StringTokenizer st = new StringTokenizer(mCRLExtConfig.getName(), ".");
+
+ while (st.hasMoreTokens()) {
+ String subStoreName = st.nextToken();
+ IConfigStore newConfig = crlExtConfig.getSubStore(subStoreName);
+
+ if (newConfig != null) {
+ crlExtConfig = newConfig;
+ }
+ }
+
+ if (crlExtConfig != null) {
+ Enumeration enumExts = crlExtConfig.getSubStoreNames();
+
+ while (enumExts.hasMoreElements()) {
+ String extName = enumExts.nextElement();
+ IConfigStore extConfig = crlExtConfig.getSubStore(extName);
+
+ if (extConfig != null) {
+ modifiedConfig |= getEnableProperty(extName, extConfig);
+ modifiedConfig |= getCriticalProperty(extName, extConfig);
+ modifiedConfig |= getTypeProperty(extName, extConfig);
+ modifiedConfig |= getClassProperty(extName, extConfig);
+ }
+ }
+
+ if (modifiedConfig) {
+ try {
+ mFileConfig.commit(true);
+ } catch (EBaseException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_SAVE_CONF", e.toString()));
+ }
+ }
+ }
+ }
+
+ private boolean getEnableProperty(String extName, IConfigStore extConfig) {
+ boolean modifiedConfig = false;
+
+ try {
+ if (extConfig.getBoolean(PROP_ENABLE)) {
+ mEnabledCRLExtensions.addElement(extName);
+ }
+ } catch (EPropertyNotFound e) {
+ extConfig.putBoolean(PROP_ENABLE, mDefaultEnabledCRLExtensions.contains(extName));
+ modifiedConfig = true;
+ if (mDefaultEnabledCRLExtensions.contains(extName)) {
+ mEnabledCRLExtensions.addElement(extName);
+ }
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_CRLEXTS_NO_ENABLE", extName,
+ mDefaultEnabledCRLExtensions.contains(extName) ?
"true" : "false")); + } catch (EPropertyNotDefined e) { + extConfig.putBoolean(PROP_ENABLE, mDefaultEnabledCRLExtensions.contains(extName)); + modifiedConfig = true; + if (mDefaultEnabledCRLExtensions.contains(extName)) { + mEnabledCRLExtensions.addElement(extName); + } + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CRLEXTS_UNDEFINE_ENABLE", extName, + mDefaultEnabledCRLExtensions.contains(extName) ? "true" : "false")); + } catch (EBaseException e) { + extConfig.putBoolean(PROP_ENABLE, mDefaultEnabledCRLExtensions.contains(extName)); + modifiedConfig = true; + if (mDefaultEnabledCRLExtensions.contains(extName)) { + mEnabledCRLExtensions.addElement(extName); + } + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_ENABLE", extName, + mDefaultEnabledCRLExtensions.contains(extName) ? "true" : "false")); + } + return modifiedConfig; + } + + private boolean getCriticalProperty(String extName, IConfigStore extConfig) { + boolean modifiedConfig = false; + + try { + if (extConfig.getBoolean(PROP_CRITICAL)) { + mCriticalCRLExtensions.addElement(extName); + } + } catch (EPropertyNotFound e) { + extConfig.putBoolean(PROP_CRITICAL, mDefaultCriticalCRLExtensions.contains(extName)); + modifiedConfig = true; + if (mDefaultCriticalCRLExtensions.contains(extName)) { + mCriticalCRLExtensions.addElement(extName); + } + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CRLEXTS_NO_CRITICAL", extName, + mDefaultEnabledCRLExtensions.contains(extName) ? "true" : "false")); + } catch (EPropertyNotDefined e) { + extConfig.putBoolean(PROP_CRITICAL, mDefaultCriticalCRLExtensions.contains(extName)); + modifiedConfig = true; + if (mDefaultCriticalCRLExtensions.contains(extName)) { + mCriticalCRLExtensions.addElement(extName); + } + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CRLEXTS_UNDEFINE_CRITICAL", extName, + mDefaultEnabledCRLExtensions.contains(extName) ? 
"true" : "false")); + } catch (EBaseException e) { + extConfig.putBoolean(PROP_CRITICAL, mDefaultCriticalCRLExtensions.contains(extName)); + modifiedConfig = true; + if (mDefaultCriticalCRLExtensions.contains(extName)) { + mCriticalCRLExtensions.addElement(extName); + } + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_CRITICAL", extName, + mDefaultEnabledCRLExtensions.contains(extName) ? "true" : "false")); + } + return modifiedConfig; + } + + private boolean getTypeProperty(String extName, IConfigStore extConfig) { + boolean modifiedConfig = false; + String extType = null; + + try { + extType = extConfig.getString(PROP_TYPE); + if (extType.length() > 0) { + if (extType.equals(PROP_CRL_ENTRY_EXT)) { + mCRLEntryExtensionNames.addElement(extName); + } else if (extType.equals(PROP_CRL_EXT)) { + mCRLExtensionNames.addElement(extName); + } else { + if (mDefaultCRLEntryExtensionNames.contains(extName)) { + extConfig.putString(PROP_TYPE, PROP_CRL_ENTRY_EXT); + modifiedConfig = true; + mCRLEntryExtensionNames.addElement(extName); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_EXT", extName, PROP_CRL_ENTRY_EXT)); + } else if (mDefaultCRLExtensionNames.contains(extName)) { + extConfig.putString(PROP_TYPE, PROP_CRL_EXT); + modifiedConfig = true; + mCRLExtensionNames.addElement(extName); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_EXT", extName, PROP_CRL_EXT)); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_EXT", extName, "")); + } + } + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_UNDEFINE_EXT", extName)); + } + } catch (EPropertyNotFound e) { + if (mDefaultCRLEntryExtensionNames.contains(extName)) { + extConfig.putString(PROP_TYPE, PROP_CRL_ENTRY_EXT); + modifiedConfig = true; + } else if (mDefaultCRLExtensionNames.contains(extName)) { + extConfig.putString(PROP_TYPE, PROP_CRL_EXT); + modifiedConfig = true; + } + 
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_MISSING_EXT", extName)); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_EXT", extName, "")); + } + return modifiedConfig; + } + + private boolean getClassProperty(String extName, IConfigStore extConfig) { + boolean modifiedConfig = false; + String extClass = null; + + try { + extClass = extConfig.getString(PROP_CLASS); + if (extClass.length() > 0) { + mCRLExtensionClassNames.put(extName, extClass); + + try { + @SuppressWarnings("unchecked") + Class crlExtClass = (Class) Class.forName(extClass); + + if (crlExtClass != null) { + ICMSCRLExtension cmsCRLExt = crlExtClass.newInstance(); + + if (cmsCRLExt != null) { + String id = cmsCRLExt.getCRLExtOID(); + + if (id != null) { + mCRLExtensionIDs.put(id, extName); + } + } + } + } catch (ClassCastException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INCORRECT_CLASS", extClass, e.toString())); + } catch (ClassNotFoundException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_FOUND", extClass, e.toString())); + } catch (InstantiationException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_INST", extClass, e.toString())); + } catch (IllegalAccessException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_ACCESS", extClass, e.toString())); + } + + } else { + if (mDefaultCRLExtensionClassNames.containsKey(extName)) { + extClass = mCRLExtensionClassNames.get(extName); + extConfig.putString(PROP_CLASS, extClass); + modifiedConfig = true; + } + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_DEFINED", extName)); + } + } catch (EPropertyNotFound e) { + if (mDefaultCRLExtensionClassNames.containsKey(extName)) { + extClass = mDefaultCRLExtensionClassNames.get(extName); + extConfig.putString(PROP_CLASS, extClass); + modifiedConfig = true; + } + log(ILogger.LL_FAILURE, 
CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_MISSING", extName)); + } catch (EBaseException e) { + if (mDefaultCRLExtensionClassNames.containsKey(extName)) { + extClass = mDefaultCRLExtensionClassNames.get(extName); + extConfig.putString(PROP_CLASS, extClass); + modifiedConfig = true; + } + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_INVALID", extName)); + } + return modifiedConfig; + } + + public boolean isCRLExtension(String extName) { + return mCRLExtensionNames.contains(extName); + } + + public boolean isCRLEntryExtension(String extName) { + return mCRLEntryExtensionNames.contains(extName); + } + + public boolean isCRLExtensionEnabled(String extName) { + return ((mCRLExtensionNames.contains(extName) || mCRLEntryExtensionNames.contains(extName)) && + mEnabledCRLExtensions.contains(extName)); + } + + public boolean isCRLExtensionCritical(String extName) { + return mCriticalCRLExtensions.contains(extName); + } + + public String getCRLExtensionName(String id) { + String name = null; + + if (mCRLExtensionIDs.containsKey(id)) { + name = mCRLExtensionIDs.get(id); + } + return name; + } + + public Vector getCRLExtensionNames() { + return new Vector(mCRLExtensionNames); + } + + public Vector getCRLEntryExtensionNames() { + return new Vector(mCRLEntryExtensionNames); + } + + public void addToCRLExtensions(CRLExtensions crlExts, String extName, Extension ext) { + if (mCRLExtensionClassNames.containsKey(extName)) { + String name = mCRLExtensionClassNames.get(extName); + + try { + @SuppressWarnings("unchecked") + Class extClass = (Class) Class.forName(name); + + if (extClass != null) { + ICMSCRLExtension cmsCRLExt = extClass.newInstance(); + + if (cmsCRLExt != null) { + if (ext != null) { + if (isCRLExtensionCritical(extName) ^ ext.isCritical()) { + ext = cmsCRLExt.setCRLExtensionCriticality( + ext, isCRLExtensionCritical(extName)); + } + } else { + ext = cmsCRLExt.getCRLExtension(mCRLExtConfig.getSubStore(extName), + mCRLIssuingPoint, + 
isCRLExtensionCritical(extName)); + } + + if (crlExts != null && ext != null) { + crlExts.set(extName, ext); + } + } + } + } catch (ClassCastException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INCORRECT_CLASS", name, e.toString())); + } catch (ClassNotFoundException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_FOUND", name, e.toString())); + } catch (InstantiationException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_INST", name, e.toString())); + } catch (IllegalAccessException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_ACCESS", name, e.toString())); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_ADD", name, e.toString())); + } + } + } + + public NameValuePairs getConfigParams(String id) { + NameValuePairs nvp = null; + + if (mCRLEntryExtensionNames.contains(id) || + mCRLExtensionNames.contains(id)) { + nvp = new NameValuePairs(); + + /* + if (mCRLEntryExtensionNames.contains(id)) { + nvp.add(Constants.PR_CRLEXT_IMPL_NAME, "CRLEntryExtension"); + } else { + nvp.add(Constants.PR_CRLEXT_IMPL_NAME, "CRLExtension"); + } + + if (mCRLEntryExtensionNames.contains(id)) { + nvp.add(PROP_TYPE, "CRLEntryExtension"); + } else { + nvp.add(PROP_TYPE, "CRLExtension"); + } + */ + + if (mEnabledCRLExtensions.contains(id)) { + nvp.put(PROP_ENABLE, Constants.TRUE); + } else { + nvp.put(PROP_ENABLE, Constants.FALSE); + } + if (mCriticalCRLExtensions.contains(id)) { + nvp.put(PROP_CRITICAL, Constants.TRUE); + } else { + nvp.put(PROP_CRITICAL, Constants.FALSE); + } + + if (mCRLExtensionClassNames.containsKey(id)) { + String name = mCRLExtensionClassNames.get(id); + + if (name != null) { + + try { + Class extClass = Class.forName(name); + + if (extClass != null) { + ICMSCRLExtension cmsCRLExt = (ICMSCRLExtension) extClass.newInstance(); + + if (cmsCRLExt != null) { + 
cmsCRLExt.getConfigParams(mCRLExtConfig.getSubStore(id), nvp); + } + } + } catch (ClassNotFoundException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_FOUND", name, e.toString())); + } catch (InstantiationException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_INST", name, e.toString())); + } catch (IllegalAccessException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_ACCESS", name, e.toString())); + } + + int i = name.lastIndexOf('.'); + + if ((i > -1) && (i + 1 < name.length())) { + String idName = name.substring(i + 1); + + if (idName != null) { + nvp.put(Constants.PR_CRLEXT_IMPL_NAME, idName); + } + } + } + } + } + return nvp; + } + + public void setConfigParams(String id, NameValuePairs nvp, IConfigStore config) { + ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA); + String ipId = nvp.get("id"); + + ICRLIssuingPoint ip = null; + if (ipId != null && ca != null) { + ip = ca.getCRLIssuingPoint(ipId); + } + + for (String name : nvp.keySet()) { + String value = nvp.get(name); + + if (name.equals(PROP_ENABLE)) { + if (!(value.equals(Constants.TRUE) || value.equals(Constants.FALSE))) { + continue; + } + if (value.equals(Constants.TRUE)) { + if (!(mEnabledCRLExtensions.contains(id))) { + mEnabledCRLExtensions.addElement(id); + } + } + if (value.equals(Constants.FALSE)) { + mEnabledCRLExtensions.remove(id); + } + } + + if (name.equals(PROP_CRITICAL)) { + if (!(value.equals(Constants.TRUE) || value.equals(Constants.FALSE))) { + continue; + } + if (value.equals(Constants.TRUE)) { + if (!(mCriticalCRLExtensions.contains(id))) { + mCriticalCRLExtensions.addElement(id); + } + } + if (value.equals(Constants.FALSE)) { + mCriticalCRLExtensions.remove(id); + } + } + //Sync the onlyContainsCACerts with similar property in CRLIssuingPoint + //called caCertsOnly. 
+ if (name.equals(CMSIssuingDistributionPointExtension.PROP_CACERTS)) { + NameValuePairs crlIssuingPointPairs = null; + boolean crlCACertsOnly = false; + + boolean issuingDistPointExtEnabled = false; + + CMSCRLExtensions cmsCRLExtensions = (CMSCRLExtensions) ip.getCRLExtensions(); + if (cmsCRLExtensions != null) { + issuingDistPointExtEnabled = + cmsCRLExtensions.isCRLExtensionEnabled(IssuingDistributionPointExtension.NAME); + } + + CMS.debug("issuingDistPointExtEnabled = " + issuingDistPointExtEnabled); + + if (!(value.equals(Constants.TRUE) || value.equals(Constants.FALSE))) { + continue; + } + + //Get value of caCertsOnly from CRLIssuingPoint + if ((ip != null) && (issuingDistPointExtEnabled == true)) { + crlCACertsOnly = ip.isCACertsOnly(); + CMS.debug("CRLCACertsOnly is: " + crlCACertsOnly); + crlIssuingPointPairs = new NameValuePairs(); + + } + + String newValue = ""; + boolean modifiedCRLConfig = false; + //If the CRLCACertsOnly prop is false change it to true to sync. + if (value.equals(Constants.TRUE) && (issuingDistPointExtEnabled == true)) { + if (crlCACertsOnly == false) { + CMS.debug(" value = true and CRLCACertsOnly is already false."); + crlIssuingPointPairs.put(Constants.PR_CA_CERTS_ONLY, Constants.TRUE); + newValue = Constants.TRUE; + ip.updateConfig(crlIssuingPointPairs); + modifiedCRLConfig = true; + } + } + + //If the CRLCACertsOnly prop is true change it to false to sync. 
+ if (value.equals(Constants.FALSE) && (issuingDistPointExtEnabled == true)) { + crlIssuingPointPairs.put(Constants.PR_CA_CERTS_ONLY, Constants.FALSE); + if (ip != null) { + ip.updateConfig(crlIssuingPointPairs); + newValue = Constants.FALSE; + modifiedCRLConfig = true; + } + } + + if (modifiedCRLConfig == true) { + //Commit to this CRL IssuingPoint's config store + ICertificateAuthority CA = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA); + IConfigStore crlsSubStore = CA.getConfigStore(); + crlsSubStore = crlsSubStore.getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE); + crlsSubStore = crlsSubStore.getSubStore(ipId); + try { + crlsSubStore.putString(Constants.PR_CA_CERTS_ONLY, newValue); + crlsSubStore.commit(true); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_SAVE_CONF", e.toString())); + } + } + } + + config.putString(name, value); + } + } + + public String getClassPath(String name) { + Enumeration enum1 = mCRLExtensionClassNames.elements(); + + while (enum1.hasMoreElements()) { + String extClassName = enum1.nextElement(); + + if (extClassName != null) { + int i = extClassName.lastIndexOf('.'); + + if ((i > -1) && (i + 1 < extClassName.length())) { + String idName = extClassName.substring(i + 1); + + if (idName != null) { + if (name.equals(idName)) { + return extClassName; + } + } + } + } + } + + return null; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, + "CMSCRLExtension - " + msg); + } +} diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java new file mode 100644 index 000000000..d4b747b32 --- /dev/null +++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java 
@@ -0,0 +1,3140 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.ca; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CRLException; +import java.util.Date; +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.LinkedHashSet; +import java.util.Set; +import java.util.StringTokenizer; +import java.util.TimeZone; +import java.util.Vector; + +import netscape.security.util.BitArray; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CRLExtensions; +import netscape.security.x509.CRLNumberExtension; +import netscape.security.x509.CRLReasonExtension; +import netscape.security.x509.DeltaCRLIndicatorExtension; +import netscape.security.x509.Extension; +import netscape.security.x509.FreshestCRLExtension; +import netscape.security.x509.IssuingDistributionPoint; +import netscape.security.x509.IssuingDistributionPointExtension; +import netscape.security.x509.RevocationReason; +import netscape.security.x509.RevokedCertImpl; +import netscape.security.x509.RevokedCertificate; +import netscape.security.x509.X509CRLImpl; +import netscape.security.x509.X509CertImpl; +import 
netscape.security.x509.X509ExtensionException; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.ca.ECAException; +import com.netscape.certsrv.ca.EErrorPublishCRL; +import com.netscape.certsrv.ca.ICMSCRLExtensions; +import com.netscape.certsrv.ca.ICRLIssuingPoint; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.common.Constants; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.dbs.EDBNotAvailException; +import com.netscape.certsrv.dbs.IElementProcessor; +import com.netscape.certsrv.dbs.certdb.ICertificateRepository; +import com.netscape.certsrv.dbs.certdb.IRevocationInfo; +import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; +import com.netscape.certsrv.dbs.crldb.ICRLRepository; +import com.netscape.certsrv.logging.AuditFormat; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapRule; +import com.netscape.certsrv.publish.IPublisherProcessor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IRequestListener; +import com.netscape.certsrv.request.IRequestQueue; +import com.netscape.certsrv.request.IRequestVirtualList; +import com.netscape.certsrv.request.RequestId; +import com.netscape.certsrv.util.IStatsSubsystem; +import com.netscape.cmscore.dbs.CRLIssuingPointRecord; +import com.netscape.cmscore.dbs.CertRecord; +import com.netscape.cmscore.dbs.CertificateRepository; +import com.netscape.cmscore.util.Debug; + +/** + * This class encapsulates CRL issuing mechanism. CertificateAuthority + * contains a map of CRLIssuingPoint indexed by string ids. 
Each issuing + * point contains information about CRL issuing and publishing parameters + * as well as state information which includes last issued CRL, next CRL + * serial number, time of the next update etc. + * If autoUpdateInterval is set to non-zero value then worker thread + * is created that will perform CRL update at scheduled intervals. Update + * can also be triggered by invoking updateCRL method directly. Another + * parameter minUpdateInterval can be used to prevent CRL + * from being updated too often + *

+ * + * @author awnuk + * @author lhsiao + * @author galperin + * @version $Revision$, $Date$ + */ + +public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + + /* Foreign config param for IssuingDistributionPointExtension. */ + public static final String PROP_CACERTS = "onlyContainsCACerts"; + + public static final long SECOND = 1000L; + public static final long MINUTE = (SECOND * 60L); + + private static final int CRL_PAGE_SIZE = 10000; + + /* configuration file property names */ + + public IPublisherProcessor mPublisherProcessor = null; + + private ILogger mLogger = CMS.getLogger(); + + private IConfigStore mConfigStore; + + private int mCountMod = 0; + private int mCount = 0; + private int mPageSize = CRL_PAGE_SIZE; + + private CMSCRLExtensions mCMSCRLExtensions = null; + + /** + * Internal unique id of this CRL issuing point. + */ + protected String mId = null; + + /** + * Reference to the CertificateAuthority instance which owns this + * issuing point. + */ + protected ICertificateAuthority mCA = null; + + /** + * Reference to the CRL repository maintained in CA. + */ + protected ICRLRepository mCRLRepository = null; + + /** + * Reference to the cert repository maintained in CA. + */ + private ICertificateRepository mCertRepository = null; + + /** + * Enable CRL issuing point. + */ + private boolean mEnable = true; + + /** + * Description of the issuing point + */ + private String mDescription = null; + + /** + * CRL cache + */ + private Hashtable mCRLCerts = new Hashtable(); + private Hashtable mRevokedCerts = new Hashtable(); + private Hashtable mUnrevokedCerts = new Hashtable(); + private Hashtable mExpiredCerts = new Hashtable(); + private boolean mIncludeExpiredCerts = false; + private boolean mIncludeExpiredCertsOneExtraTime = false; + private boolean mCACertsOnly = false; + + private boolean mProfileCertsOnly = false; + private Vector mProfileList = null; + + /** + * Enable CRL cache. 
+ */ + private boolean mEnableCRLCache = true; + private boolean mCRLCacheIsCleared = true; + private boolean mEnableCacheRecovery = false; + private String mFirstUnsaved = null; + private boolean mEnableCacheTesting = false; + + /** + * Last CRL cache update + */ + private long mLastCacheUpdate = 0; + + /** + * Time interval in milliseconds between consequential CRL cache + * updates performed automatically. + */ + private long mCacheUpdateInterval; + + /** + * Enable CRL updates. + */ + private boolean mEnableCRLUpdates = true; + + /** + * CRL update schema. + */ + private int mUpdateSchema = 1; + private int mSchemaCounter = 0; + + /** + * Enable CRL daily updates at listed times. + */ + private boolean mEnableDailyUpdates = false; + private Vector> mDailyUpdates = null; + private int mCurrentDay = 0; + private int mLastDay = 0; + private int mTimeListSize = 0; + private boolean mExtendedTimeList = false; + + /** + * Enable CRL auto update with interval + */ + private boolean mEnableUpdateFreq = false; + + /** + * Time interval in milliseconds between consequential CRL Enable CRL daily update at updates + * performed automatically. + */ + private long mAutoUpdateInterval; + + /** + * Minimum time interval in milliseconds between consequential + * CRL updates (manual or automatic). + */ + private long mMinUpdateInterval; + + /** + * Update CRL even if auto interval > 0 + */ + private boolean mAlwaysUpdate = false; + + /** + * next update grace period + */ + private long mNextUpdateGracePeriod; + + /** + * Boolean flag controlling whether CRLv2 extensions are to be + * used in CRL. + */ + private boolean mAllowExtensions = false; + + /** + * DN of the directory entry where CRLs from this issuing point + * are published. 
+ */ + private String mPublishDN = null; + + /** + * signing algorithm + */ + private String mSigningAlgorithm = null; + private String mLastSigningAlgorithm = null; + + /** + * Cached value of the CRL extensions to be placed in CRL + */ + //protected CRLExtensions mCrlExtensions; + + /** + * CRL number + */ + private BigInteger mCRLNumber; + private BigInteger mNextCRLNumber; + private BigInteger mLastCRLNumber; + + /** + * Delta CRL number + */ + private BigInteger mDeltaCRLNumber; + private BigInteger mNextDeltaCRLNumber; + + /** + * Last CRL update date + */ + private Date mLastUpdate; + private Date mLastFullUpdate; + private long mLastScheduledUpdate = 0; + + /** + * Next scheduled CRL update date + */ + private Date mNextUpdate; + private Date mNextDeltaUpdate; + private boolean mExtendedNextUpdate; + + /** + * Worker thread doing auto-update + */ + private Thread mUpdateThread = null; + + /** + * for going one more round when auto-interval is set to 0 (turned off) + */ + private boolean mDoLastAutoUpdate = false; + + /** + * whether issuing point has been initialized. + */ + private int mInitialized = CRL_IP_NOT_INITIALIZED; + + /** + * number of entries in the CRL + */ + private long mCRLSize = -1; + private long mDeltaCRLSize = -1; + + /** + * update status, publishing status Strings to store in requests to + * display result. + */ + private String mCrlUpdateStatus; + private String mCrlUpdateError; + private String mCrlPublishStatus; + private String mCrlPublishError; + + /** + * begin, end serial number range of revoked certs if any. 
+ */ + protected BigInteger mBeginSerial = null; + protected BigInteger mEndSerial = null; + + private int mUpdatingCRL = CRL_UPDATE_DONE; + + private boolean mDoManualUpdate = false; + private String mSignatureAlgorithmForManualUpdate = null; + + private boolean mPublishOnStart = false; + private long[] mSplits = new long[10]; + + private boolean mSaveMemory = false; + + /** + * Constructs a CRL issuing point from instantiating from class name. + * CRL Issuing point must be followed by method call init(CA, id, config); + */ + public CRLIssuingPoint() { + } + + public boolean isCRLIssuingPointEnabled() { + return mEnable; + } + + public void enableCRLIssuingPoint(boolean enable) { + if ((!enable) && (mEnable ^ enable)) { + clearCRLCache(); + updateCRLCacheRepository(); + } + mEnable = enable; + setAutoUpdates(); + } + + public boolean isCRLGenerationEnabled() { + return mEnableCRLUpdates; + } + + public String getCrlUpdateStatusStr() { + return mCrlUpdateStatus; + } + + public String getCrlUpdateErrorStr() { + return mCrlUpdateError; + } + + public String getCrlPublishStatusStr() { + return mCrlPublishStatus; + } + + public String getCrlPublishErrorStr() { + return mCrlPublishError; + } + + public ICMSCRLExtensions getCRLExtensions() { + return mCMSCRLExtensions; + } + + public int isCRLIssuingPointInitialized() { + return mInitialized; + } + + public boolean isManualUpdateSet() { + return mDoManualUpdate; + } + + public boolean areExpiredCertsIncluded() { + return mIncludeExpiredCerts; + } + + public boolean isCACertsOnly() { + return mCACertsOnly; + } + + public boolean isProfileCertsOnly() { + return (mProfileCertsOnly && mProfileList != null && mProfileList.size() > 0); + } + + public boolean checkCurrentProfile(String id) { + boolean b = false; + + if (mProfileCertsOnly && mProfileList != null && mProfileList.size() > 0) { + for (int k = 0; k < mProfileList.size(); k++) { + String profileId = mProfileList.elementAt(k); + if (id != null && profileId != null && 
profileId.equalsIgnoreCase(id)) { + b = true; + break; + } + } + } + + return b; + } + + /** + * Initializes a CRL issuing point config. + *

+ * + * @param ca reference to CertificateAuthority instance which + * owns this issuing point. + * @param id string id of this CRL issuing point. + * @param config configuration of this CRL issuing point. + * @exception EBaseException if initialization failed + * @exception IOException + */ + public void init(ISubsystem ca, String id, IConfigStore config) + throws EBaseException { + mCA = (ICertificateAuthority) ca; + mId = id; + + if (mId.equals(ICertificateAuthority.PROP_MASTER_CRL)) { + mCrlUpdateStatus = IRequest.CRL_UPDATE_STATUS; + mCrlUpdateError = IRequest.CRL_UPDATE_ERROR; + mCrlPublishStatus = IRequest.CRL_PUBLISH_STATUS; + mCrlPublishError = IRequest.CRL_PUBLISH_ERROR; + } else { + mCrlUpdateStatus = IRequest.CRL_UPDATE_STATUS + "_" + mId; + mCrlUpdateError = IRequest.CRL_UPDATE_ERROR + "_" + mId; + mCrlPublishStatus = IRequest.CRL_PUBLISH_STATUS + "_" + mId; + mCrlPublishError = IRequest.CRL_PUBLISH_ERROR + "_" + mId; + } + + mConfigStore = config; + + IConfigStore crlSubStore = mCA.getConfigStore().getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE); + mPageSize = crlSubStore.getInteger(ICertificateAuthority.PROP_CRL_PAGE_SIZE, CRL_PAGE_SIZE); + CMS.debug("CRL Page Size: " + mPageSize); + + mCountMod = config.getInteger("countMod", 0); + mCRLRepository = mCA.getCRLRepository(); + mCertRepository = mCA.getCertificateRepository(); + ((CertificateRepository) mCertRepository).addCRLIssuingPoint(mId, this); + mPublisherProcessor = mCA.getPublisherProcessor(); + + //mCRLPublisher = mCA.getCRLPublisher(); + ((CAService) mCA.getCAService()).addCRLIssuingPoint(mId, this); + + // read in config parameters. + initConfig(config); + + // create request listener. 
+ String lname = RevocationRequestListener.class.getName(); + String crlListName = lname + "_" + mId; + + if (mCA.getRequestListener(crlListName) == null) { + mCA.registerRequestListener( + crlListName, new RevocationRequestListener()); + } + + for (int i = 0; i < mSplits.length; i++) { + mSplits[i] = 0; + } + + // this will start a thread if necessary for automatic updates. + setAutoUpdates(); + } + + private int checkTime(String time) { + String digits = "0123456789"; + + int len = time.length(); + if (len < 3 || len > 5) + return -1; + + int s = time.indexOf(':'); + if (s < 0 || s > 2 || (len - s) != 3) + return -1; + + int h = 0; + for (int i = 0; i < s; i++) { + h *= 10; + int k = digits.indexOf(time.charAt(i)); + if (k < 0) + return -1; + h += k; + } + if (h > 23) + return -1; + + int m = 0; + for (int i = s + 1; i < len; i++) { + m *= 10; + int k = digits.indexOf(time.charAt(i)); + if (k < 0) + return -1; + m += k; + } + if (m > 59) + return -1; + + return ((h * 60) + m); + } + + private boolean areTimeListsIdentical(Vector> list1, Vector> list2) { + boolean identical = true; + if (list1 == null || list2 == null) + identical = false; + if (identical && list1.size() != list2.size()) + identical = false; + for (int i = 0; identical && i < list1.size(); i++) { + Vector times1 = list1.elementAt(i); + Vector times2 = list2.elementAt(i); + if (times1.size() != times2.size()) + identical = false; + for (int j = 0; identical && j < times1.size(); j++) { + if ((((times1.elementAt(j))).intValue()) != (((times2.elementAt(j))).intValue())) { + identical = false; + } + } + } + CMS.debug("areTimeListsIdentical: identical: " + identical); + return identical; + } + + private int getTimeListSize(Vector> listedDays) { + int listSize = 0; + for (int i = 0; listedDays != null && i < listedDays.size(); i++) { + Vector listedTimes = listedDays.elementAt(i); + listSize += ((listedTimes != null) ? 
listedTimes.size() : 0); + } + CMS.debug("getTimeListSize: ListSize=" + listSize); + return listSize; + } + + private boolean isTimeListExtended(String list) { + boolean extendedTimeList = true; + if (list == null || list.indexOf('*') == -1) + extendedTimeList = false; + return extendedTimeList; + } + + private Vector> getTimeList(String list) { + boolean timeListPresent = false; + if (list == null || list.length() == 0) + return null; + if (list.charAt(0) == ',' || list.charAt(list.length() - 1) == ',') + return null; + + Vector> listedDays = new Vector>(); + + StringTokenizer days = new StringTokenizer(list, ";", true); + Vector listedTimes = null; + while (days.hasMoreTokens()) { + String dayList = days.nextToken().trim(); + if (dayList == null) + continue; + + if (dayList.equals(";")) { + if (timeListPresent) { + timeListPresent = false; + } else { + listedTimes = new Vector(); + listedDays.addElement(listedTimes); + } + continue; + } else { + listedTimes = new Vector(); + listedDays.addElement(listedTimes); + timeListPresent = true; + } + int t0 = -1; + StringTokenizer times = new StringTokenizer(dayList, ","); + while (times.hasMoreTokens()) { + String time = times.nextToken(); + int k = 1; + if (time.charAt(0) == '*') { + time = time.substring(1); + k = -1; + } + int t = checkTime(time); + if (t < 0) { + return null; + } else { + if (t > t0) { + listedTimes.addElement(new Integer(k * t)); + t0 = t; + } else { + return null; + } + } + } + } + if (!timeListPresent) { + listedTimes = new Vector(); + listedDays.addElement(listedTimes); + } + + return listedDays; + } + + private String checkProfile(String id, Enumeration e) { + if (e != null) { + while (e.hasMoreElements()) { + String profileId = e.nextElement(); + if (profileId != null && profileId.equalsIgnoreCase(id)) + return id; + } + } + return null; + } + + private Vector getProfileList(String list) { + Enumeration e = null; + IConfigStore pc = CMS.getConfigStore().getSubStore("profile"); + if (pc != null) 
+ e = pc.getSubStoreNames(); + if (list == null) + return null; + if (list.length() > 0 && list.charAt(list.length() - 1) == ',') + return null; + + Vector listedProfiles = new Vector(); + + StringTokenizer elements = new StringTokenizer(list, ",", true); + int n = 0; + while (elements.hasMoreTokens()) { + String element = elements.nextToken().trim(); + if (element == null || element.length() == 0) + return null; + if (element.equals(",") && n % 2 == 0) + return null; + if (n % 2 == 0) { + String id = checkProfile(element, e); + if (id != null) { + listedProfiles.addElement(id); + } + } + n++; + } + if (n % 2 == 0) + return null; + + return listedProfiles; + } + + /** + * get CRL config store info + */ + protected void initConfig(IConfigStore config) + throws EBaseException { + + mEnable = config.getBoolean(Constants.PR_ENABLE, true); + mDescription = config.getString(Constants.PR_DESCRIPTION); + + // Get CRL cache config. + mEnableCRLCache = config.getBoolean(Constants.PR_ENABLE_CACHE, true); + mCacheUpdateInterval = MINUTE * config.getInteger(Constants.PR_CACHE_FREQ, 0); + mEnableCacheRecovery = config.getBoolean(Constants.PR_CACHE_RECOVERY, false); + mEnableCacheTesting = config.getBoolean(Constants.PR_CACHE_TESTING, false); + + // check if CRL generation is enabled + mEnableCRLUpdates = config.getBoolean(Constants.PR_ENABLE_CRL, true); + + // get update schema + mUpdateSchema = config.getInteger(Constants.PR_UPDATE_SCHEMA, 1); + mSchemaCounter = 0; + + // Get always update even if updated perdically. + mAlwaysUpdate = config.getBoolean(Constants.PR_UPDATE_ALWAYS, false); + + // Get list of daily updates. 
+ mEnableDailyUpdates = config.getBoolean(Constants.PR_ENABLE_DAILY, false); + String daily = config.getString(Constants.PR_DAILY_UPDATES, null); + mDailyUpdates = getTimeList(daily); + mExtendedTimeList = isTimeListExtended(daily); + mTimeListSize = getTimeListSize(mDailyUpdates); + if (mDailyUpdates == null || mDailyUpdates.isEmpty() || mTimeListSize == 0) { + mEnableDailyUpdates = false; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_INVALID_TIME_LIST")); + } + + // Get auto update interval in minutes. + mEnableUpdateFreq = config.getBoolean(Constants.PR_ENABLE_FREQ, true); + mAutoUpdateInterval = MINUTE * config.getInteger(Constants.PR_UPDATE_FREQ, 0); + mMinUpdateInterval = MINUTE * config.getInteger(PROP_MIN_UPDATE_INTERVAL, 0); + if (mEnableUpdateFreq && mAutoUpdateInterval > 0 && + mAutoUpdateInterval < mMinUpdateInterval) + mAutoUpdateInterval = mMinUpdateInterval; + + // get next update grace period + mNextUpdateGracePeriod = MINUTE * config.getInteger(Constants.PR_GRACE_PERIOD, 0); + + // Get V2 or V1 CRL + mAllowExtensions = config.getBoolean(Constants.PR_EXTENSIONS, false); + + mIncludeExpiredCerts = config.getBoolean(Constants.PR_INCLUDE_EXPIREDCERTS, false); + mIncludeExpiredCertsOneExtraTime = config.getBoolean(Constants.PR_INCLUDE_EXPIREDCERTS_ONEEXTRATIME, false); + mCACertsOnly = config.getBoolean(Constants.PR_CA_CERTS_ONLY, false); + mProfileCertsOnly = config.getBoolean(Constants.PR_PROFILE_CERTS_ONLY, false); + if (mProfileCertsOnly) { + String profiles = config.getString(Constants.PR_PROFILE_LIST, null); + mProfileList = getProfileList(profiles); + } + + // Get default signing algorithm. + // check if algorithm is supported. + mSigningAlgorithm = mCA.getCRLSigningUnit().getDefaultAlgorithm(); + String algorithm = config.getString(Constants.PR_SIGNING_ALGORITHM, null); + + if (algorithm != null) { + // make sure this algorithm is acceptable to CA. 
+ mCA.getCRLSigningUnit().checkSigningAlgorithmFromName(algorithm); + mSigningAlgorithm = algorithm; + } + + mPublishOnStart = config.getBoolean(PROP_PUBLISH_ON_START, false); + // if publish dn is null then certificate will be published to + // CA's entry in the directory. + mPublishDN = config.getString(PROP_PUBLISH_DN, null); + + mSaveMemory = config.getBoolean("saveMemory", false); + + mCMSCRLExtensions = new CMSCRLExtensions(this, config); + + mExtendedNextUpdate = + ((mUpdateSchema > 1 || (mEnableDailyUpdates && mExtendedTimeList)) && isDeltaCRLEnabled()) ? + config.getBoolean(Constants.PR_EXTENDED_NEXT_UPDATE, true) : + false; + + // Get serial number ranges if any. + mBeginSerial = config.getBigInteger(PROP_BEGIN_SERIAL, null); + if (mBeginSerial != null && mBeginSerial.compareTo(BigInteger.ZERO) < 0) { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_PROPERTY_1", + PROP_BEGIN_SERIAL, "BigInteger", "positive number")); + } + mEndSerial = config.getBigInteger(PROP_END_SERIAL, null); + if (mEndSerial != null && mEndSerial.compareTo(BigInteger.ZERO) < 0) { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_PROPERTY_1", + PROP_END_SERIAL, "BigInteger", "positive number")); + } + } + + /** + * Reads CRL issuing point, if missing, it creates one. + * Initializes CRL cache and republishes CRL if requested + * Called from auto update thread (run()). + * Do not call it from init(), because it will block CMS on start. + */ + private void initCRL() { + ICRLIssuingPointRecord crlRecord = null; + + mLastCacheUpdate = System.currentTimeMillis() + mCacheUpdateInterval; + + try { + crlRecord = mCRLRepository.readCRLIssuingPointRecord(mId); + } catch (EDBNotAvailException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_INST_CRL", e.toString())); + mInitialized = CRL_IP_INITIALIZATION_FAILED; + return; + } catch (EBaseException e) { + // CRL was never set. + // fall to the following.. 
+ }
+
+ if (crlRecord != null) {
+ mCRLNumber = crlRecord.getCRLNumber();
+ if (crlRecord.getCRLSize() != null) {
+ mCRLSize = crlRecord.getCRLSize().longValue();
+ }
+ mNextCRLNumber = mCRLNumber.add(BigInteger.ONE);
+
+ if (crlRecord.getDeltaCRLSize() != null) {
+ mDeltaCRLSize = crlRecord.getDeltaCRLSize().longValue();
+ }
+
+ mDeltaCRLNumber = crlRecord.getDeltaCRLNumber();
+ if (mDeltaCRLNumber == null) {
+ mDeltaCRLNumber = mCRLNumber; // better recovery later
+ } else {
+ if (mDeltaCRLNumber.compareTo(mCRLNumber) < 0) {
+ mDeltaCRLNumber = mCRLNumber;
+ clearCRLCache();
+ mDeltaCRLSize = -1L;
+ }
+ }
+ mNextDeltaCRLNumber = mDeltaCRLNumber.add(BigInteger.ONE);
+
+ if (mNextDeltaCRLNumber.compareTo(mNextCRLNumber) > 0) {
+ mNextCRLNumber = mNextDeltaCRLNumber;
+ }
+
+ mLastCRLNumber = BigInteger.ZERO;
+
+ mLastUpdate = crlRecord.getThisUpdate();
+ if (mLastUpdate == null) {
+ mLastUpdate = new Date(0L);
+ }
+ mLastFullUpdate = null;
+
+ mNextUpdate = crlRecord.getNextUpdate();
+ if (isDeltaCRLEnabled()) {
+ mNextDeltaUpdate = (mNextUpdate != null) ?
new Date(mNextUpdate.getTime()) : null; + } + + mFirstUnsaved = crlRecord.getFirstUnsaved(); + if (Debug.on()) { + Debug.trace("initCRL CRLNumber=" + mCRLNumber.toString() + " CRLSize=" + mCRLSize + + " FirstUnsaved=" + mFirstUnsaved); + } + if (mFirstUnsaved == null || + (mFirstUnsaved != null && mFirstUnsaved.equals(ICRLIssuingPointRecord.NEW_CACHE))) { + clearCRLCache(); + updateCRLCacheRepository(); + } else { + byte[] crl = crlRecord.getCRL(); + + if (crl != null) { + X509CRLImpl x509crl = null; + + if (mEnableCRLCache || mPublishOnStart) { + try { + x509crl = new X509CRLImpl(crl); + } catch (Exception e) { + clearCRLCache(); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_DECODE_CRL", e.toString())); + } catch (OutOfMemoryError e) { + clearCRLCache(); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_DECODE_CRL", e.toString())); + mInitialized = CRL_IP_INITIALIZATION_FAILED; + return; + } + } + if (x509crl != null) { + mLastFullUpdate = x509crl.getThisUpdate(); + if (mEnableCRLCache) { + if (mCRLCacheIsCleared && mUpdatingCRL == CRL_UPDATE_DONE) { + mRevokedCerts = crlRecord.getRevokedCerts(); + if (mRevokedCerts == null) { + mRevokedCerts = new Hashtable(); + } + mUnrevokedCerts = crlRecord.getUnrevokedCerts(); + if (mUnrevokedCerts == null) { + mUnrevokedCerts = new Hashtable(); + } + mExpiredCerts = crlRecord.getExpiredCerts(); + if (mExpiredCerts == null) { + mExpiredCerts = new Hashtable(); + } + if (isDeltaCRLEnabled()) { + mNextUpdate = x509crl.getNextUpdate(); + } + mCRLCerts = x509crl.getListOfRevokedCertificates(); + } + if (mFirstUnsaved != null && !mFirstUnsaved.equals(ICRLIssuingPointRecord.CLEAN_CACHE)) { + recoverCRLCache(); + } else { + mCRLCacheIsCleared = false; + } + mInitialized = CRL_IP_INITIALIZED; + } + if (mPublishOnStart) { + try { + publishCRL(x509crl); + x509crl = null; + } catch (EBaseException e) { + x509crl = null; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", 
mCRLNumber.toString(),
+ e.toString()));
+ } catch (OutOfMemoryError e) {
+ x509crl = null;
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(),
+ e.toString()));
+ }
+ }
+ }
+ }
+ }
+ }
+
+ if (crlRecord == null) {
+ // no crl was ever created, or crl in db is corrupted.
+ // create new one.
+ try {
+ crlRecord = new CRLIssuingPointRecord(mId, BigInteger.ZERO, Long.valueOf(-1),
+ null, null, BigInteger.ZERO, Long.valueOf(-1),
+ mRevokedCerts, mUnrevokedCerts, mExpiredCerts);
+ mCRLRepository.addCRLIssuingPointRecord(crlRecord);
+ mCRLNumber = BigInteger.ZERO; //BIG_ZERO;
+ mNextCRLNumber = BigInteger.ONE; //BIG_ONE;
+ mLastCRLNumber = mCRLNumber;
+ mDeltaCRLNumber = mCRLNumber;
+ mNextDeltaCRLNumber = mNextCRLNumber;
+ mLastUpdate = new Date(0L);
+ if (crlRecord != null) {
+ // This will trigger updateCRLNow, which will also publish CRL.
+ if ((mDoManualUpdate == false) &&
+ (mEnableCRLCache || mAlwaysUpdate ||
+ (mEnableUpdateFreq && mAutoUpdateInterval > 0))) {
+ mInitialized = CRL_IP_INITIALIZED;
+ setManualUpdate(null);
+ }
+ }
+ } catch (EBaseException ex) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_CREATE_CRL", ex.toString()));
+ mInitialized = CRL_IP_INITIALIZATION_FAILED;
+ return;
+ }
+ }
+ mInitialized = CRL_IP_INITIALIZED;
+ }
+
+ private Object configMonitor = new Object();
+
+ public boolean updateConfig(NameValuePairs params) {
+ synchronized (configMonitor) {
+ boolean noRestart = true;
+ boolean modifiedSchedule = false;
+
+ for (String name : params.keySet()) {
+ String value = params.get(name);
+
+ // -- Update Schema --
+ if (name.equals(Constants.PR_ENABLE_CRL)) {
+ if (value.equals(Constants.FALSE) && mEnableCRLUpdates) {
+ mEnableCRLUpdates = false;
+ modifiedSchedule = true;
+ } else if (value.equals(Constants.TRUE) && (!mEnableCRLUpdates)) {
+ mEnableCRLUpdates = true;
+ modifiedSchedule = true;
+ }
+ }
+
+ if (name.equals(Constants.PR_UPDATE_SCHEMA)) {
+ try {
+ if
(value != null && value.length() > 0) {
+ int schema = Integer.parseInt(value.trim());
+ if (mUpdateSchema != schema) {
+ mUpdateSchema = schema;
+ mSchemaCounter = 0;
+ modifiedSchedule = true;
+ }
+ }
+ } catch (NumberFormatException e) {
+ noRestart = false;
+ }
+ }
+
+ if (name.equals(Constants.PR_EXTENDED_NEXT_UPDATE)) {
+ if (value.equals(Constants.FALSE) && mExtendedNextUpdate) {
+ mExtendedNextUpdate = false;
+ } else if (value.equals(Constants.TRUE) && (!mExtendedNextUpdate)) {
+ mExtendedNextUpdate = true;
+ }
+ }
+
+ // -- Update Frequency --
+ if (name.equals(Constants.PR_UPDATE_ALWAYS)) {
+ if (value.equals(Constants.FALSE) && mAlwaysUpdate) {
+ mAlwaysUpdate = false;
+ } else if (value.equals(Constants.TRUE) && (!mAlwaysUpdate)) {
+ mAlwaysUpdate = true;
+ }
+ }
+
+ if (name.equals(Constants.PR_ENABLE_DAILY)) {
+ if (value.equals(Constants.FALSE) && mEnableDailyUpdates) {
+ mEnableDailyUpdates = false;
+ modifiedSchedule = true;
+ } else if (value.equals(Constants.TRUE) && (!mEnableDailyUpdates)) {
+ mEnableDailyUpdates = true;
+ modifiedSchedule = true;
+ }
+ }
+
+ if (name.equals(Constants.PR_DAILY_UPDATES)) {
+ boolean extendedTimeList = isTimeListExtended(value);
+ Vector> dailyUpdates = getTimeList(value);
+ if (mExtendedTimeList != extendedTimeList) {
+ mExtendedTimeList = extendedTimeList;
+ modifiedSchedule = true;
+ }
+ if (!areTimeListsIdentical(mDailyUpdates, dailyUpdates)) {
+ mCurrentDay = 0;
+ mLastDay = 0;
+ mDailyUpdates = dailyUpdates;
+ mTimeListSize = getTimeListSize(mDailyUpdates);
+ modifiedSchedule = true;
+ }
+ if (mDailyUpdates == null || mDailyUpdates.isEmpty() || mTimeListSize == 0) {
+ mEnableDailyUpdates = false;
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_INVALID_TIME_LIST"));
+ }
+ }
+
+ if (name.equals(Constants.PR_ENABLE_FREQ)) {
+ if (value.equals(Constants.FALSE) && mEnableUpdateFreq) {
+ mEnableUpdateFreq = false;
+ modifiedSchedule = true;
+ } else if (value.equals(Constants.TRUE) &&
(!mEnableUpdateFreq)) {
+ mEnableUpdateFreq = true;
+ modifiedSchedule = true;
+ }
+ }
+
+ if (name.equals(Constants.PR_UPDATE_FREQ)) {
+ try {
+ if (value != null && value.length() > 0) {
+ long t = MINUTE * Long.parseLong(value.trim());
+ if (mAutoUpdateInterval != t) {
+ mAutoUpdateInterval = t;
+ modifiedSchedule = true;
+ }
+ } else {
+ if (mAutoUpdateInterval != 0) {
+ mAutoUpdateInterval = 0;
+ modifiedSchedule = true;
+ }
+ }
+ } catch (NumberFormatException e) {
+ noRestart = false;
+ }
+ }
+
+ if (name.equals(Constants.PR_GRACE_PERIOD)) {
+ try {
+ if (value != null && value.length() > 0) {
+ mNextUpdateGracePeriod = MINUTE * Long.parseLong(value.trim());
+ }
+ } catch (NumberFormatException e) {
+ noRestart = false;
+ }
+ }
+
+ // -- CRL Cache --
+ if (name.equals(Constants.PR_ENABLE_CACHE)) {
+ if (value.equals(Constants.FALSE) && mEnableCRLCache) {
+ clearCRLCache();
+ updateCRLCacheRepository();
+ mEnableCRLCache = false;
+ modifiedSchedule = true;
+ } else if (value.equals(Constants.TRUE) && (!mEnableCRLCache)) {
+ clearCRLCache();
+ updateCRLCacheRepository();
+ mEnableCRLCache = true;
+ modifiedSchedule = true;
+ }
+ }
+
+ if (name.equals(Constants.PR_CACHE_FREQ)) {
+ try {
+ if (value != null && value.length() > 0) {
+ long t = MINUTE * Long.parseLong(value.trim());
+ if (mCacheUpdateInterval != t) {
+ mCacheUpdateInterval = t;
+ modifiedSchedule = true;
+ }
+ }
+ } catch (NumberFormatException e) {
+ noRestart = false;
+ }
+ }
+
+ if (name.equals(Constants.PR_CACHE_RECOVERY)) {
+ if (value.equals(Constants.FALSE) && mEnableCacheRecovery) {
+ mEnableCacheRecovery = false;
+ } else if (value.equals(Constants.TRUE) && (!mEnableCacheRecovery)) {
+ mEnableCacheRecovery = true;
+ }
+ }
+
+ if (name.equals(Constants.PR_CACHE_TESTING)) {
+ if (value.equals(Constants.FALSE) && mEnableCacheTesting) {
+ clearCRLCache();
+ updateCRLCacheRepository();
+ mEnableCacheTesting = false;
+ setManualUpdate(null);
+ } else if (value.equals(Constants.TRUE) &&
(!mEnableCacheTesting)) {
+ mEnableCacheTesting = true;
+ }
+ }
+
+ // -- CRL Format --
+ if (name.equals(Constants.PR_SIGNING_ALGORITHM)) {
+ if (value != null)
+ value = value.trim();
+ if (!mSigningAlgorithm.equals(value)) {
+ mSigningAlgorithm = value;
+ }
+ }
+
+ if (name.equals(Constants.PR_EXTENSIONS)) {
+ if (value.equals(Constants.FALSE) && mAllowExtensions) {
+ clearCRLCache();
+ updateCRLCacheRepository();
+ mAllowExtensions = false;
+ } else if (value.equals(Constants.TRUE) && (!mAllowExtensions)) {
+ clearCRLCache();
+ updateCRLCacheRepository();
+ mAllowExtensions = true;
+ }
+ }
+
+ if (name.equals(Constants.PR_INCLUDE_EXPIREDCERTS)) {
+ if (value.equals(Constants.FALSE) && mIncludeExpiredCerts) {
+ clearCRLCache();
+ updateCRLCacheRepository();
+ mIncludeExpiredCerts = false;
+ } else if (value.equals(Constants.TRUE) && (!mIncludeExpiredCerts)) {
+ clearCRLCache();
+ updateCRLCacheRepository();
+ mIncludeExpiredCerts = true;
+ }
+ }
+
+ if (name.equals(Constants.PR_INCLUDE_EXPIREDCERTS_ONEEXTRATIME)) {
+ if (value.equals(Constants.FALSE) && mIncludeExpiredCertsOneExtraTime) {
+ mIncludeExpiredCertsOneExtraTime = false;
+ } else if (value.equals(Constants.TRUE) && (!mIncludeExpiredCertsOneExtraTime)) {
+ mIncludeExpiredCertsOneExtraTime = true;
+ }
+ }
+
+ if (name.equals(Constants.PR_CA_CERTS_ONLY)) {
+ Extension distExt = getCRLExtension(IssuingDistributionPointExtension.NAME);
+ IssuingDistributionPointExtension iExt = (IssuingDistributionPointExtension) distExt;
+ IssuingDistributionPoint issuingDistributionPoint = null;
+ if (iExt != null)
+ issuingDistributionPoint = iExt.getIssuingDistributionPoint();
+ if (value.equals(Constants.FALSE) && mCACertsOnly) {
+ clearCRLCache();
+ updateCRLCacheRepository();
+ mCACertsOnly = false;
+ } else if (value.equals(Constants.TRUE) && (!mCACertsOnly)) {
+ clearCRLCache();
+ updateCRLCacheRepository();
+ mCACertsOnly = true;
+ }
+ //attempt to sync the IssuingDistributionPoint Extension value of
+
//onlyContainsCACerts
+ if (issuingDistributionPoint != null && params.size() > 1) {
+ boolean onlyContainsCACerts = issuingDistributionPoint.getOnlyContainsCACerts();
+ if (onlyContainsCACerts != mCACertsOnly) {
+ IConfigStore config = mCA.getConfigStore();
+ IConfigStore crlsSubStore =
+ config.getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE);
+ IConfigStore crlSubStore = crlsSubStore.getSubStore(mId);
+ IConfigStore crlExtsSubStore =
+ crlSubStore.getSubStore(ICertificateAuthority.PROP_CRLEXT_SUBSTORE);
+ crlExtsSubStore =
+ crlExtsSubStore
+ .getSubStore(IssuingDistributionPointExtension.NAME);
+
+ if (crlExtsSubStore != null) {
+ String val = "";
+ if (mCACertsOnly == true) {
+ val = Constants.TRUE;
+ } else {
+ val = Constants.FALSE;
+ }
+ crlExtsSubStore.putString(PROP_CACERTS, val);
+ try {
+ crlExtsSubStore.commit(true);
+ } catch (Exception e) {
+ }
+ }
+ }
+ }
+ }
+
+ if (name.equals(Constants.PR_PROFILE_CERTS_ONLY)) {
+ if (value.equals(Constants.FALSE) && mProfileCertsOnly) {
+ clearCRLCache();
+ updateCRLCacheRepository();
+ mProfileCertsOnly = false;
+ } else if (value.equals(Constants.TRUE) && (!mProfileCertsOnly)) {
+ clearCRLCache();
+ updateCRLCacheRepository();
+ mProfileCertsOnly = true;
+ }
+ }
+
+ if (name.equals(Constants.PR_PROFILE_LIST)) {
+ Vector profileList = getProfileList(value);
+ if (((profileList != null) ^ (mProfileList != null)) ||
+ (profileList != null && mProfileList != null &&
+ (!mProfileList.equals(profileList)))) {
+ if (profileList != null) {
+ @SuppressWarnings("unchecked")
+ Vector newProfileList = (Vector) profileList.clone();
+ mProfileList = newProfileList;
+ } else {
+ mProfileList = null;
+ }
+ clearCRLCache();
+ updateCRLCacheRepository();
+ }
+ if (mProfileList == null || mProfileList.isEmpty()) {
+ mProfileCertsOnly = false;
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_INVALID_PROFILE_LIST"));
+ }
+ }
+ }
+
+ if (modifiedSchedule)
+ setAutoUpdates();
+
+ return noRestart;
+ }
+ }
+
+ /**
+ * This
method is called during shutdown.
+ *

+ */
+ public synchronized void shutdown() {
+ // this should stop a thread if necessary
+ if (mEnableCRLCache && mCacheUpdateInterval > 0) {
+ updateCRLCacheRepository();
+ }
+ mEnable = false;
+
+ setAutoUpdates();
+ /*
+ if (mUpdateThread != null) {
+ try {
+ mUpdateThread.interrupt();
+ }
+ catch (Exception e) {
+ }
+ }
+ */
+ }
+
+ /**
+ * Returns internal id of this CRL issuing point.
+ *

+ *
+ * @return internal id of this CRL issuing point
+ */
+ public String getId() {
+ return mId;
+ }
+
+ /**
+ * Returns internal description of this CRL issuing point.
+ *

+ *
+ * @return internal description of this CRL issuing point
+ */
+ public String getDescription() {
+ return mDescription;
+ }
+
+ /**
+ * Sets internal description of this CRL issuing point.
+ *
+ * @param description description for this CRL issuing point.
+ */
+ public void setDescription(String description) {
+ mDescription = description;
+ }
+
+ /**
+ * Returns DN of the directory entry where CRLs.from this issuing point
+ * are published.
+ *

+ *
+ * @return DN of the directory entry where CRLs are published.
+ */
+ public String getPublishDN() {
+ return mPublishDN;
+ }
+
+ /**
+ * Returns signing algorithm.
+ *

+ *
+ * @return SigningAlgorithm.
+ */
+ public String getSigningAlgorithm() {
+ return mSigningAlgorithm;
+ }
+
+ public String getLastSigningAlgorithm() {
+ return mLastSigningAlgorithm;
+ }
+
+ /**
+ * Returns current CRL generation schema for this CRL issuing point.
+ *

+ *
+ * @return current CRL generation schema for this CRL issuing point
+ */
+ public int getCRLSchema() {
+ return mUpdateSchema;
+ }
+
+ /**
+ * Returns current CRL number of this CRL issuing point.
+ *

+ *
+ * @return current CRL number of this CRL issuing point
+ */
+ public BigInteger getCRLNumber() {
+ return mCRLNumber;
+ }
+
+ /**
+ * Returns current delta CRL number of this CRL issuing point.
+ *

+ *
+ * @return current delta CRL number of this CRL issuing point
+ */
+ public BigInteger getDeltaCRLNumber() {
+ return (isDeltaCRLEnabled() && mDeltaCRLSize > -1) ? mDeltaCRLNumber : BigInteger.ZERO;
+ }
+
+ /**
+ * Returns next CRL number of this CRL issuing point.
+ *

+ *
+ * @return next CRL number of this CRL issuing point
+ */
+ public BigInteger getNextCRLNumber() {
+ return mNextDeltaCRLNumber;
+ }
+
+ /**
+ * Returns number of entries in the CRL
+ *

+ *
+ * @return number of entries in the CRL
+ */
+ public long getCRLSize() {
+ return (mCRLCerts.size() > 0 && mCRLSize == 0) ? mCRLCerts.size() : mCRLSize;
+ }
+
+ /**
+ * Returns number of entries in delta CRL
+ *

+ *
+ * @return number of entries in delta CRL
+ */
+ public long getDeltaCRLSize() {
+ return mDeltaCRLSize;
+ }
+
+ /**
+ * Returns last update time
+ *

+ *
+ * @return last CRL update time
+ */
+ public Date getLastUpdate() {
+ return mLastUpdate;
+ }
+
+ /**
+ * Returns next update time
+ *

+ *
+ * @return next CRL update time
+ */
+ public Date getNextUpdate() {
+ return mNextUpdate;
+ }
+
+ /**
+ * Returns next update time
+ *

+ *
+ * @return next CRL update time
+ */
+ public Date getNextDeltaUpdate() {
+ return mNextDeltaUpdate;
+ }
+
+ /**
+ * Returns all the revoked certificates from the CRL cache.
+ *

+ *
+ * @return set of all the revoked certificates or null if there are none.
+ */
+ public Set getRevokedCertificates(int start, int end) {
+ if (mCRLCacheIsCleared || mCRLCerts == null || mCRLCerts.isEmpty()) {
+ return null;
+ } else {
+ Set certSet = new LinkedHashSet(mCRLCerts.values());
+ return certSet;
+ }
+ }
+
+ /**
+ * Returns certificate authority.
+ *

+ *
+ * @return certificate authority
+ */
+ public ISubsystem getCertificateAuthority() {
+ return mCA;
+ }
+
+ /**
+ * Sets CRL auto updates
+ */
+
+ private synchronized void setAutoUpdates() {
+ if ((mEnable && mUpdateThread == null) &&
+ ((mEnableCRLCache && mCacheUpdateInterval > 0) ||
+ (mEnableCRLUpdates &&
+ ((mEnableDailyUpdates && mDailyUpdates != null &&
+ mTimeListSize > 0) ||
+ (mEnableUpdateFreq && mAutoUpdateInterval > 0) ||
+ (mInitialized == CRL_IP_NOT_INITIALIZED) ||
+ mDoLastAutoUpdate || mDoManualUpdate)))) {
+ mUpdateThread = new Thread(this, "CRLIssuingPoint-" + mId);
+ log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_ISSUING_START_CRL", mId));
+ mUpdateThread.setDaemon(true);
+ mUpdateThread.start();
+ }
+
+ if ((mInitialized == CRL_IP_INITIALIZED) && (((mNextUpdate != null) ^
+ ((mEnableDailyUpdates && mDailyUpdates != null && mTimeListSize > 0) ||
+ (mEnableUpdateFreq && mAutoUpdateInterval > 0))) ||
+ (!mEnableCRLUpdates && mNextUpdate != null))) {
+ mDoLastAutoUpdate = true;
+ }
+
+ if (mEnableUpdateFreq && mAutoUpdateInterval > 0 &&
+ mAutoUpdateInterval < mMinUpdateInterval) {
+ mAutoUpdateInterval = mMinUpdateInterval;
+ }
+
+ notifyAll();
+ }
+
+ /**
+ * Sets CRL manual-update
+ * Starts or stops worker thread as necessary.
+ */
+ public synchronized void setManualUpdate(String signatureAlgorithm) {
+ if (!mDoManualUpdate) {
+ mDoManualUpdate = true;
+ mSignatureAlgorithmForManualUpdate = signatureAlgorithm;
+ if (mEnableUpdateFreq && mAutoUpdateInterval > 0 && mUpdateThread != null) {
+ notifyAll();
+ } else {
+ setAutoUpdates();
+ }
+ }
+ }
+
+ /**
+ * @return auto update interval in milliseconds.
+ */
+ public long getAutoUpdateInterval() {
+ return (mEnableUpdateFreq) ? mAutoUpdateInterval : 0;
+ }
+
+ /**
+ * @return always update the CRL
+ */
+ public boolean getAlwaysUpdate() {
+ return mAlwaysUpdate;
+ }
+
+ /**
+ * @return next update grace period in minutes.
+ */
+
+ public long getNextUpdateGracePeriod() {
+ return mNextUpdateGracePeriod;
+ }
+
+ /**
+ * Finds next update time expressed as delay or time of the next update.
+ *
+ * @param fromLastUpdate if true, function returns delay to the next update time
+ * otherwise returns the next update time.
+ * @param delta if true, function returns the next update time for delta CRL,
+ * otherwise returns the next update time for CRL.
+ * @return delay to the next update time or the next update time itself
+ */
+ private long findNextUpdate(boolean fromLastUpdate, boolean delta) {
+ long now = System.currentTimeMillis();
+ TimeZone tz = TimeZone.getDefault();
+ int offset = tz.getOffset(now);
+ long oneDay = 1440L * MINUTE;
+ long nowToday = (now + (long) offset) % oneDay;
+ long startOfToday = now - nowToday;
+
+ long lastUpdated = (mLastUpdate != null) ? mLastUpdate.getTime() : now;
+ long lastUpdateDay = lastUpdated - ((lastUpdated + (long) offset) % oneDay);
+
+ long lastUpdate = (mLastUpdate != null && fromLastUpdate) ?
mLastUpdate.getTime() : now;
+ long last = (lastUpdate + (long) offset) % oneDay;
+ long lastDay = lastUpdate - last;
+
+ boolean isDeltaEnabled = isDeltaCRLEnabled();
+ long next = 0L;
+ long nextUpdate = 0L;
+
+ CMS.debug("findNextUpdate: fromLastUpdate: " + fromLastUpdate + " delta: " + delta);
+
+ int numberOfDays = (int) ((startOfToday - lastUpdateDay) / oneDay);
+ if (numberOfDays > 0 && mDailyUpdates.size() > 1 &&
+ ((mCurrentDay == mLastDay) ||
+ (mCurrentDay != ((mLastDay + numberOfDays) % mDailyUpdates.size())))) {
+ mCurrentDay = (mLastDay + numberOfDays) % mDailyUpdates.size();
+ }
+
+ if ((delta || fromLastUpdate) && isDeltaEnabled &&
+ (mUpdateSchema > 1 || (mEnableDailyUpdates && mExtendedTimeList)) &&
+ mNextDeltaUpdate != null) {
+ nextUpdate = mNextDeltaUpdate.getTime();
+ } else if (mNextUpdate != null) {
+ nextUpdate = mNextUpdate.getTime();
+ }
+
+ if (mEnableDailyUpdates &&
+ mDailyUpdates != null && mDailyUpdates.size() > 0) {
+ int n = 0;
+ if (mDailyUpdates.size() == 1 && mDailyUpdates.elementAt(0).size() == 1 &&
+ mEnableUpdateFreq && mAutoUpdateInterval > 0) {
+ // Interval updates with starting time
+ long firstTime = MINUTE * ((Integer) mDailyUpdates.elementAt(0).elementAt(0)).longValue();
+ long t = firstTime;
+ long interval = mAutoUpdateInterval;
+ if (mExtendedNextUpdate && (!fromLastUpdate) && (!delta) &&
+ isDeltaEnabled && mUpdateSchema > 1) {
+ interval *= mUpdateSchema;
+ }
+ while (t < oneDay) {
+ if (t - mMinUpdateInterval > last)
+ break;
+ t += interval;
+ n++;
+ }
+
+ if (t <= oneDay) {
+ next = lastDay + t;
+ if (fromLastUpdate) {
+ n = n % mUpdateSchema;
+ if (t == firstTime) {
+ mSchemaCounter = 0;
+ } else if (n != mSchemaCounter) {
+ if (mSchemaCounter != 0 && (mSchemaCounter < n || n == 0)) {
+ mSchemaCounter = n;
+ }
+ }
+ }
+ } else {
+ next = lastDay + oneDay + firstTime;
+ if (fromLastUpdate) {
+ mSchemaCounter = 0;
+ }
+ }
+ } else {
+ // Daily updates following the list
+ if (last > nowToday) {
+ last =
nowToday - 100; // 100ms - precision
+ }
+ int i, m;
+ for (i = 0, m = 0; i < mCurrentDay; i++) {
+ m += mDailyUpdates.elementAt(i).size();
+ }
+ // search the current day
+ for (i = 0; i < mDailyUpdates.elementAt(mCurrentDay).size(); i++) {
+ long t = MINUTE * ((Integer) mDailyUpdates.elementAt(mCurrentDay).elementAt(i)).longValue();
+ if (mEnableDailyUpdates && mExtendedTimeList) {
+ if (mExtendedNextUpdate && (!fromLastUpdate) && (!delta) && isDeltaEnabled) {
+ if (t < 0) {
+ t *= -1;
+ } else {
+ t = 0;
+ }
+ } else {
+ if (t < 0) {
+ t *= -1;
+ }
+ }
+ }
+ if (t - mMinUpdateInterval > last) {
+ if (mExtendedNextUpdate
+ && (!fromLastUpdate) && (!(mEnableDailyUpdates && mExtendedTimeList)) && (!delta) &&
+ isDeltaEnabled && mUpdateSchema > 1) {
+ i += mUpdateSchema - ((i + m) % mUpdateSchema);
+ }
+ break;
+ }
+ n++;
+ }
+
+ if (i < mDailyUpdates.elementAt(mCurrentDay).size()) {
+ // found inside the current day
+ next = (MINUTE * ((Integer) mDailyUpdates.elementAt(mCurrentDay).elementA
t(i)).longValue());
+ if (mEnableDailyUpdates && mExtendedTimeList && next < 0) {
+ next *= -1;
+ if (fromLastUpdate) {
+ mSchemaCounter = 0;
+ }
+ }
+ next += ((lastDay < lastUpdateDay) ?
lastDay : lastUpdateDay) + (oneDay * (mCurrentDay - mLastDay)); + + if (fromLastUpdate && (!(mEnableDailyUpdates && mExtendedTimeList))) { + n = n % mUpdateSchema; + if (i == 0 && mCurrentDay == 0) { + mSchemaCounter = 0; + } else if (n != mSchemaCounter) { + if (mSchemaCounter != 0 && ((n == 0 && mCurrentDay == 0) || mSchemaCounter < n)) { + mSchemaCounter = n; + } + } + } + } else { + // done with today + int j = i - mDailyUpdates.elementAt(mCurrentDay).size(); + int nDays = 1; + long t = 0; + if (mDailyUpdates.size() > 1) { + while (nDays <= mDailyUpdates.size()) { + int nextDay = (mCurrentDay + nDays) % mDailyUpdates.size(); + if (j < mDailyUpdates.elementAt(nextDay).size()) { + if (nextDay == 0 && (!(mEnableDailyUpdates && mExtendedTimeList))) + j = 0; + t = MINUTE * ((Integer) mDailyUpdates.elementAt(nextDay).elementAt(j)).longValue(); + if (mEnableDailyUpdates && mExtendedTimeList) { + if (mExtendedNextUpdate && (!fromLastUpdate) && (!delta) && isDeltaEnabled) { + if (t < 0) { + t *= -1; + } else { + j++; + continue; + } + } else { + if (t < 0) { + t *= -1; + if (fromLastUpdate) { + mSchemaCounter = 0; + } + } + } + } + break; + } else { + j -= mDailyUpdates.elementAt(nextDay).size(); + } + nDays++; + } + } + next = ((lastDay < lastUpdateDay) ? lastDay : lastUpdateDay) + (oneDay * nDays) + t; + + if (fromLastUpdate && mDailyUpdates.size() < 2) { + mSchemaCounter = 0; + } + } + } + } else if (mEnableUpdateFreq && mAutoUpdateInterval > 0) { + // Interval updates without starting time + if (mExtendedNextUpdate && (!fromLastUpdate) && (!delta) && isDeltaEnabled && mUpdateSchema > 1) { + next = lastUpdate + (mUpdateSchema * mAutoUpdateInterval); + } else { + next = lastUpdate + mAutoUpdateInterval; + } + } + + if (fromLastUpdate && nextUpdate > 0 && (nextUpdate < next || nextUpdate >= now)) { + next = nextUpdate; + } + + CMS.debug("findNextUpdate: " + + ((new Date(next)).toString()) + ((fromLastUpdate) ? 
" delay: " + (next - now) : ""));
+
+ return (fromLastUpdate) ? next - now : next;
+ }
+
+ /**
+ * Implements Runnable interface. Defines auto-update
+ * logic used by worker thread.
+ *

+ */
+ public void run() {
+ while (mEnable && ((mEnableCRLCache && mCacheUpdateInterval > 0) ||
+ (mInitialized == CRL_IP_NOT_INITIALIZED) ||
+ mDoLastAutoUpdate || (mEnableCRLUpdates &&
+ ((mEnableDailyUpdates && mDailyUpdates != null &&
+ mTimeListSize > 0) ||
+ (mEnableUpdateFreq && mAutoUpdateInterval > 0) ||
+ mDoManualUpdate)))) {
+
+ synchronized (this) {
+ long delay = 0;
+ long delay2 = 0;
+ boolean doCacheUpdate = false;
+ boolean scheduledUpdates = mEnableCRLUpdates &&
+ ((mEnableDailyUpdates && mDailyUpdates != null &&
+ mTimeListSize > 0) ||
+ (mEnableUpdateFreq && mAutoUpdateInterval > 0));
+
+ if (mInitialized == CRL_IP_NOT_INITIALIZED)
+ initCRL();
+ if (mInitialized == CRL_IP_INITIALIZED && (!mEnable))
+ break;
+
+ if ((mEnableCRLUpdates && mDoManualUpdate) || mDoLastAutoUpdate) {
+ delay = 0;
+ } else if (scheduledUpdates) {
+ delay = findNextUpdate(true, false);
+ }
+
+ if (mEnableCRLCache && mCacheUpdateInterval > 0) {
+ delay2 = mLastCacheUpdate + mCacheUpdateInterval -
+ System.currentTimeMillis();
+ if (delay2 < delay ||
+ (!(scheduledUpdates || mDoLastAutoUpdate ||
+ (mEnableCRLUpdates && mDoManualUpdate)))) {
+ delay = delay2;
+ if (delay <= 0) {
+ doCacheUpdate = true;
+ mLastCacheUpdate = System.currentTimeMillis();
+ }
+ }
+ }
+
+ if (delay > 0) {
+ try {
+ wait(delay);
+ } catch (InterruptedException e) {
+ }
+ } else {
+ try {
+ if (doCacheUpdate) {
+ updateCRLCacheRepository();
+ } else if (mAutoUpdateInterval > 0 || mDoLastAutoUpdate || mDoManualUpdate) {
+ updateCRL();
+ }
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_CRL",
+ (doCacheUpdate) ? "update CRL cache" : "update CRL", e.toString()));
+ if (Debug.on()) {
+ Debug.trace((doCacheUpdate) ? "update CRL cache" : "update CRL" + " error " + e);
+ Debug.printStackTrace(e);
+ }
+ }
+ // put this here to prevent continuous loop if internal
+ // db is down.
+ if (mDoLastAutoUpdate)
+ mDoLastAutoUpdate = false;
+ if (mDoManualUpdate) {
+ mDoManualUpdate = false;
+ mSignatureAlgorithmForManualUpdate = null;
+ }
+ }
+ }
+ }
+ mUpdateThread = null;
+ }
+
+ /**
+ * Updates CRL and publishes it.
+ * If time elapsed since last CRL update is less than
+ * minUpdateInterval silently returns.
+ * Otherwise determines nextUpdate by adding autoUpdateInterval or
+ * minUpdateInterval to the current time. If neither of the
+ * intervals are defined nextUpdate will be null.
+ * Then using specified configuration parameters it formulates new
+ * CRL, signs it, updates CRLIssuingPointRecord in the database
+ * and publishes CRL in the directory.
+ *

+ */
+ private void updateCRL() throws EBaseException {
+ /*
+ if (mEnableUpdateFreq && mAutoUpdateInterval > 0 &&
+ (System.currentTimeMillis() - mLastUpdate.getTime() <
+ mMinUpdateInterval)) {
+ // log or alternatively throw an Exception
+ return;
+ }
+ */
+ if (mDoManualUpdate && mSignatureAlgorithmForManualUpdate != null) {
+ updateCRLNow(mSignatureAlgorithmForManualUpdate);
+ } else {
+ updateCRLNow();
+ }
+ }
+
+ /**
+ * This method may be overrided by CRLWithExpiredCerts.java
+ */
+ public String getFilter() {
+ // PLEASE DONT CHANGE THE FILTER. It is indexed.
+ // Changing it will degrade performance. See
+ // also com.netscape.certsetup.LDAPUtil.java
+ String filter = "";
+
+ if (mIncludeExpiredCerts)
+ filter += "(|";
+ filter += "(" + CertRecord.ATTR_CERT_STATUS + "=" + CertRecord.STATUS_REVOKED + ")";
+ if (mIncludeExpiredCerts)
+ filter += "(" + CertRecord.ATTR_CERT_STATUS + "=" + CertRecord.STATUS_REVOKED_EXPIRED + "))";
+
+ if (mCACertsOnly) {
+ filter += "(x509cert.BasicConstraints.isCA=on)";
+ }
+
+ if (mProfileCertsOnly && mProfileList != null && mProfileList.size() > 0) {
+ if (mProfileList.size() > 1) {
+ filter += "(|";
+ }
+ for (int k = 0; k < mProfileList.size(); k++) {
+ String id = mProfileList.elementAt(k);
+ filter += "(" + CertRecord.ATTR_META_INFO + "=profileId:" + id + ")";
+ }
+ if (mProfileList.size() > 1) {
+ filter += ")";
+ }
+ }
+
+ // check if any ranges specified.
+ if (mBeginSerial != null) {
+ filter += "(" + CertRecord.ATTR_ID + ">=" + mBeginSerial.toString() + ")";
+ }
+ if (mEndSerial != null) {
+ filter += "(" + CertRecord.ATTR_ID + "<=" + mEndSerial.toString() + ")";
+ }
+
+ // get all revoked non-expired certs.
+ if (mEndSerial != null || mBeginSerial != null || mCACertsOnly ||
+ (mProfileCertsOnly && mProfileList != null && mProfileList.size() > 0)) {
+ filter = "(&" + filter + ")";
+ }
+
+ return filter;
+ }
+
+ /**
+ * Gets a enumeration of revoked certs to put into CRL.
+ * This does not include expired certs.
+ * Override this method to make a CRL other than the
+ * full/complete CRL.
+ *
+ * @return Enumeration of CertRecords to put into CRL.
+ * @exception EBaseException if an error occured in the database.
+ */
+ public void processRevokedCerts(IElementProcessor p)
+ throws EBaseException {
+ mCertRepository.processRevokedCerts(p, getFilter(), mPageSize);
+ }
+
+ /**
+ * clears CRL cache
+ */
+ public void clearCRLCache() {
+ mCRLCacheIsCleared = true;
+ mCRLCerts.clear();
+ mRevokedCerts.clear();
+ mUnrevokedCerts.clear();
+ mExpiredCerts.clear();
+ mSchemaCounter = 0;
+ }
+
+ /**
+ * clears Delta-CRL cache
+ */
+ public void clearDeltaCRLCache() {
+ mRevokedCerts.clear();
+ mUnrevokedCerts.clear();
+ mExpiredCerts.clear();
+ mSchemaCounter = 0;
+ }
+
+ /**
+ * recovers CRL cache
+ */
+ private void recoverCRLCache() {
+ if (mEnableCacheRecovery) {
+ // 553815 - original filter was not aligned with any VLV index
+ // String filter = "(&(requeststate=complete)"+
+ // "(|(requestType=" + IRequest.REVOCATION_REQUEST + ")"+
+ // "(requestType=" + IRequest.UNREVOCATION_REQUEST + ")))";
+ String filter = "(requeststate=complete)";
+ if (Debug.on()) {
+ Debug.trace("recoverCRLCache mFirstUnsaved=" + mFirstUnsaved + " filter=" + filter);
+ }
+ IRequestQueue mQueue = mCA.getRequestQueue();
+
+ IRequestVirtualList list = mQueue.getPagedRequestsByFilter(
+ new RequestId(mFirstUnsaved), filter, 500, "requestId");
+ if (Debug.on()) {
+ Debug.trace("recoverCRLCache size=" + list.getSize() + " index=" + list.getCurrentIndex());
+ }
+
+ CertRecProcessor cp = new CertRecProcessor(mCRLCerts, this, mLogger, mAllowExtensions);
+ boolean includeCert = true;
+
+ int s = list.getSize() - list.getCurrentIndex();
+ for (int i = 0; i < s; i++) {
+ IRequest request = null;
+ try {
+ request = list.getElementAt(i);
+ } catch (Exception e) {
+ // handled below
+ }
+ if (request == null) {
+ continue;
+ }
+ if (Debug.on()) {
+ Debug.trace("recoverCRLCache request=" +
request.getRequestId().toString() + + " type=" + request.getRequestType()); + } + if (IRequest.REVOCATION_REQUEST.equals(request.getRequestType())) { + RevokedCertImpl revokedCert[] = + request.getExtDataInRevokedCertArray(IRequest.CERT_INFO); + for (int j = 0; j < revokedCert.length; j++) { + if (Debug.on()) { + Debug.trace("recoverCRLCache R j=" + j + " length=" + revokedCert.length + + " SerialNumber=0x" + revokedCert[j].getSerialNumber().toString(16)); + } + if (cp != null) + includeCert = cp.checkRevokedCertExtensions(revokedCert[j].getExtensions()); + if (includeCert) { + updateRevokedCert(REVOKED_CERT, revokedCert[j].getSerialNumber(), revokedCert[j]); + } + } + } else if (IRequest.UNREVOCATION_REQUEST.equals(request.getRequestType())) { + BigInteger serialNo[] = request.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); + for (int j = 0; j < serialNo.length; j++) { + if (Debug.on()) { + Debug.trace("recoverCRLCache U j=" + j + " length=" + serialNo.length + + " SerialNumber=0x" + serialNo[j].toString(16)); + } + updateRevokedCert(UNREVOKED_CERT, serialNo[j], null); + } + } + } + + try { + mCRLRepository.updateRevokedCerts(mId, mRevokedCerts, mUnrevokedCerts); + mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE; + mCRLCacheIsCleared = false; + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_CRL_CACHE", e.toString())); + } + } else { + clearCRLCache(); + updateCRLCacheRepository(); + } + } + + public int getNumberOfRecentlyRevokedCerts() { + return mRevokedCerts.size(); + } + + public int getNumberOfRecentlyUnrevokedCerts() { + return mUnrevokedCerts.size(); + } + + public int getNumberOfRecentlyExpiredCerts() { + return mExpiredCerts.size(); + } + + private Extension getCRLExtension(String extName) { + if (mAllowExtensions == false) { + return null; + } + if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) == false) { + return null; + } + + CMSCRLExtensions exts = (CMSCRLExtensions) 
this.getCRLExtensions(); + CRLExtensions ext = new CRLExtensions(); + + Vector extNames = exts.getCRLExtensionNames(); + for (int i = 0; i < extNames.size(); i++) { + String curName = extNames.elementAt(i); + if (curName.equals(extName)) { + exts.addToCRLExtensions(ext, extName, null); + } + } + Extension theExt = null; + try { + theExt = ext.get(extName); + } catch (Exception e) { + } + + CMS.debug("CRLIssuingPoint.getCRLExtension extension: " + theExt); + return theExt; + } + + /** + * get required crl entry extensions + */ + public CRLExtensions getRequiredEntryExtensions(CRLExtensions exts) { + CRLExtensions entryExt = null; + + if (mAllowExtensions && exts != null && exts.size() > 0) { + entryExt = new CRLExtensions(); + Vector extNames = mCMSCRLExtensions.getCRLEntryExtensionNames(); + + for (int i = 0; i < extNames.size(); i++) { + String extName = extNames.elementAt(i); + + if (mCMSCRLExtensions.isCRLExtensionEnabled(extName)) { + int k; + + for (k = 0; k < exts.size(); k++) { + Extension ext = (Extension) exts.elementAt(k); + String name = mCMSCRLExtensions.getCRLExtensionName( + ext.getExtensionId().toString()); + + if (extName.equals(name)) { + if (!(ext instanceof CRLReasonExtension) || + (((CRLReasonExtension) ext).getReason().toInt() > + RevocationReason.UNSPECIFIED.toInt())) { + mCMSCRLExtensions.addToCRLExtensions(entryExt, extName, ext); + } + break; + } + } + if (k == exts.size()) { + mCMSCRLExtensions.addToCRLExtensions(entryExt, extName, null); + } + } + } + } + + return entryExt; + } + + private static final int REVOKED_CERT = 1; + private static final int UNREVOKED_CERT = 2; + private Object cacheMonitor = new Object(); + + /** + * update CRL cache with new revoked-unrevoked certificate info + */ + private void updateRevokedCert(int certType, + BigInteger serialNumber, + RevokedCertImpl revokedCert) { + updateRevokedCert(certType, serialNumber, revokedCert, null); + } + + private void updateRevokedCert(int certType, + BigInteger serialNumber, 
+ RevokedCertImpl revokedCert, + String requestId) { + synchronized (cacheMonitor) { + if (requestId != null && mFirstUnsaved != null && + mFirstUnsaved.equals(ICRLIssuingPointRecord.CLEAN_CACHE)) { + mFirstUnsaved = requestId; + try { + mCRLRepository.updateFirstUnsaved(mId, mFirstUnsaved); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_CRL_CACHE", e.toString())); + } + } + if (certType == REVOKED_CERT) { + if (mUnrevokedCerts.containsKey(serialNumber)) { + mUnrevokedCerts.remove(serialNumber); + if (mCRLCerts.containsKey(serialNumber)) { + Date revocationDate = revokedCert.getRevocationDate(); + CRLExtensions entryExt = getRequiredEntryExtensions(revokedCert.getExtensions()); + RevokedCertImpl newRevokedCert = + new RevokedCertImpl(serialNumber, revocationDate, entryExt); + + mCRLCerts.put(serialNumber, newRevokedCert); + } + } else { + Date revocationDate = revokedCert.getRevocationDate(); + CRLExtensions entryExt = getRequiredEntryExtensions(revokedCert.getExtensions()); + RevokedCertImpl newRevokedCert = + new RevokedCertImpl(serialNumber, revocationDate, entryExt); + + mRevokedCerts.put(serialNumber, (RevokedCertificate) newRevokedCert); + } + } else if (certType == UNREVOKED_CERT) { + if (mRevokedCerts.containsKey(serialNumber)) { + mRevokedCerts.remove(serialNumber); + } else { + CRLExtensions entryExt = new CRLExtensions(); + + try { + entryExt.set(CRLReasonExtension.REMOVE_FROM_CRL.getName(), + CRLReasonExtension.REMOVE_FROM_CRL); + } catch (IOException e) { + } + RevokedCertImpl newRevokedCert = new RevokedCertImpl(serialNumber, + CMS.getCurrentDate(), entryExt); + + mUnrevokedCerts.put(serialNumber, (RevokedCertificate) newRevokedCert); + } + } + } + } + + /** + * registers revoked certificates + */ + public void addRevokedCert(BigInteger serialNumber, RevokedCertImpl revokedCert) { + addRevokedCert(serialNumber, revokedCert, null); + } + + public void addRevokedCert(BigInteger serialNumber, 
RevokedCertImpl revokedCert, + String requestId) { + + CertRecProcessor cp = new CertRecProcessor(mCRLCerts, this, mLogger, mAllowExtensions); + boolean includeCert = true; + if (cp != null) + includeCert = cp.checkRevokedCertExtensions(revokedCert.getExtensions()); + + if (mEnable && mEnableCRLCache && includeCert == true) { + updateRevokedCert(REVOKED_CERT, serialNumber, revokedCert, requestId); + + if (mCacheUpdateInterval == 0) { + try { + mCRLRepository.updateRevokedCerts(mId, mRevokedCerts, mUnrevokedCerts); + mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE; + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_REVOKED_CERT", mId, e.toString())); + } + } + } + } + + /** + * registers unrevoked certificates + */ + public void addUnrevokedCert(BigInteger serialNumber) { + addUnrevokedCert(serialNumber, null); + } + + public void addUnrevokedCert(BigInteger serialNumber, String requestId) { + if (mEnable && mEnableCRLCache) { + updateRevokedCert(UNREVOKED_CERT, serialNumber, null, requestId); + + if (mCacheUpdateInterval == 0) { + try { + mCRLRepository.updateRevokedCerts(mId, mRevokedCerts, mUnrevokedCerts); + mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE; + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_UNREVOKED_CERT", mId, e.toString())); + } + } + } + } + + /** + * registers expired certificates + */ + public void addExpiredCert(BigInteger serialNumber) { + + if (mEnable && mEnableCRLCache && (!mIncludeExpiredCerts)) { + if (!(mExpiredCerts.containsKey(serialNumber))) { + CRLExtensions entryExt = new CRLExtensions(); + + try { + entryExt.set(CRLReasonExtension.REMOVE_FROM_CRL.getName(), + CRLReasonExtension.REMOVE_FROM_CRL); + } catch (IOException e) { + } + RevokedCertImpl newRevokedCert = new RevokedCertImpl(serialNumber, + CMS.getCurrentDate(), entryExt); + + mExpiredCerts.put(serialNumber, (RevokedCertificate) newRevokedCert); + } + + if 
(mCacheUpdateInterval == 0) { + try { + mCRLRepository.updateExpiredCerts(mId, mExpiredCerts); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_EXPIRED_CERT", mId, e.toString())); + } + } + } + } + + private Object repositoryMonitor = new Object(); + + public void updateCRLCacheRepository() { + synchronized (repositoryMonitor) { + try { + mCRLRepository.updateCRLCache(mId, Long.valueOf(mCRLSize), + mRevokedCerts, mUnrevokedCerts, mExpiredCerts); + mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE; + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_CRL_CACHE", e.toString())); + } + } + } + + public boolean isDeltaCRLEnabled() { + return (mAllowExtensions && mEnableCRLCache && + mCMSCRLExtensions.isCRLExtensionEnabled(DeltaCRLIndicatorExtension.NAME) && + mCMSCRLExtensions.isCRLExtensionEnabled(CRLNumberExtension.NAME) && + mCMSCRLExtensions.isCRLExtensionEnabled(CRLReasonExtension.NAME)); + } + + public boolean isThisCurrentDeltaCRL(X509CRLImpl deltaCRL) { + boolean result = false; + + if (isDeltaCRLEnabled() && mDeltaCRLSize > -1) { + if (deltaCRL != null) { + CRLExtensions crlExtensions = deltaCRL.getExtensions(); + + if (crlExtensions != null) { + for (int k = 0; k < crlExtensions.size(); k++) { + Extension ext = (Extension) crlExtensions.elementAt(k); + + if (DeltaCRLIndicatorExtension.OID.equals(ext.getExtensionId().toString())) { + DeltaCRLIndicatorExtension dExt = (DeltaCRLIndicatorExtension) ext; + BigInteger crlNumber = null; + + try { + crlNumber = (BigInteger) dExt.get(DeltaCRLIndicatorExtension.NUMBER); + } catch (IOException e) { + } + if (crlNumber != null && (crlNumber.equals(mLastCRLNumber) || + mLastCRLNumber.equals(BigInteger.ZERO))) { + result = true; + } + } + } + } + } + } + return (result); + } + + public boolean isCRLCacheEnabled() { + return mEnableCRLCache; + } + + public boolean isCRLCacheEmpty() { + return ((mCRLCerts != null) ? 
mCRLCerts.isEmpty() : true); + } + + public boolean isCRLCacheTestingEnabled() { + return mEnableCacheTesting; + } + + public Date getRevocationDateFromCache(BigInteger serialNumber, + boolean checkDeltaCache, + boolean includeExpiredCerts) { + Date revocationDate = null; + + if (mCRLCerts.containsKey(serialNumber)) { + revocationDate = mCRLCerts.get(serialNumber).getRevocationDate(); + } + + if (checkDeltaCache && isDeltaCRLEnabled()) { + if (mUnrevokedCerts.containsKey(serialNumber)) { + revocationDate = null; + } + if (mRevokedCerts.containsKey(serialNumber)) { + revocationDate = mRevokedCerts.get(serialNumber).getRevocationDate(); + } + if (!includeExpiredCerts && mExpiredCerts.containsKey(serialNumber)) { + revocationDate = null; + } + } + + return revocationDate; + } + + public Vector getSplitTimes() { + Vector splits = new Vector(); + + for (int i = 0; i < mSplits.length; i++) { + splits.addElement(Long.valueOf(mSplits[i])); + } + return splits; + } + + public int isCRLUpdateInProgress() { + return mUpdatingCRL; + } + + /** + * updates CRL and publishes it now + */ + public void updateCRLNow() + throws EBaseException { + + updateCRLNow(null); + } + + public synchronized void updateCRLNow(String signingAlgorithm) + throws EBaseException { + + if ((!mEnable) || (!mEnableCRLUpdates && !mDoLastAutoUpdate)) + return; + CMS.debug("Updating CRL"); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, AuditFormat.LEVEL, + CMS.getLogMessage("CMSCORE_CA_CA_CRL_UPDATE_STARTED"), + new Object[] { + getId(), + getNextCRLNumber(), + Boolean.toString(isDeltaCRLEnabled()), + Boolean.toString(isCRLCacheEnabled()), + Boolean.toString(mEnableCacheRecovery), + Boolean.toString(mCRLCacheIsCleared), + mCRLCerts.size() + "," + mRevokedCerts.size() + "," + mUnrevokedCerts.size() + + "," + mExpiredCerts.size() + "" + } + ); + mUpdatingCRL = CRL_UPDATE_STARTED; + if (signingAlgorithm == null || signingAlgorithm.length() == 0) + signingAlgorithm = mSigningAlgorithm; + mLastSigningAlgorithm 
= signingAlgorithm; + Date thisUpdate = CMS.getCurrentDate(); + Date nextUpdate = null; + Date nextDeltaUpdate = null; + + if (mEnableCRLUpdates && ((mEnableDailyUpdates && + mDailyUpdates != null && mTimeListSize > 0) || + (mEnableUpdateFreq && mAutoUpdateInterval > 0))) { + + if ((!isDeltaCRLEnabled()) || mSchemaCounter == 0 || mUpdateSchema == 1) { + nextUpdate = new Date(findNextUpdate(false, false)); + mNextUpdate = new Date(nextUpdate.getTime()); + } + if (isDeltaCRLEnabled()) { + if (mUpdateSchema > 1 || (mEnableDailyUpdates && mExtendedTimeList && mTimeListSize > 1)) { + nextDeltaUpdate = new Date(findNextUpdate(false, true)); + if (mExtendedNextUpdate && mSchemaCounter > 0 && + mNextUpdate != null && mNextUpdate.equals(nextDeltaUpdate)) { + if (mEnableDailyUpdates && mExtendedTimeList && mTimeListSize > 1) { + mSchemaCounter = mTimeListSize - 1; + } else { + mSchemaCounter = mUpdateSchema - 1; + } + } + } else { + nextDeltaUpdate = new Date(nextUpdate.getTime()); + if (mUpdateSchema == 1) { + mSchemaCounter = 0; + } + } + } + } + + for (int i = 0; i < mSplits.length; i++) { + mSplits[i] = 0; + } + + mLastUpdate = thisUpdate; + // mNextUpdate = nextUpdate; + mNextDeltaUpdate = (nextDeltaUpdate != null) ? 
new Date(nextDeltaUpdate.getTime()) : null; + if (nextUpdate != null) { + nextUpdate.setTime((nextUpdate.getTime()) + mNextUpdateGracePeriod); + } + if (nextDeltaUpdate != null) { + nextDeltaUpdate.setTime((nextDeltaUpdate.getTime()) + mNextUpdateGracePeriod); + } + + mSplits[0] -= System.currentTimeMillis(); + @SuppressWarnings("unchecked") + Hashtable clonedRevokedCerts = + (Hashtable) mRevokedCerts.clone(); + @SuppressWarnings("unchecked") + Hashtable clonedUnrevokedCerts = + (Hashtable) mUnrevokedCerts.clone(); + @SuppressWarnings("unchecked") + Hashtable clonedExpiredCerts = + (Hashtable) mExpiredCerts.clone(); + + mSplits[0] += System.currentTimeMillis(); + + // starting from the beginning + + if ((!mEnableCRLCache) || + ((mCRLCacheIsCleared && mCRLCerts.isEmpty() && clonedRevokedCerts.isEmpty() && + clonedUnrevokedCerts.isEmpty() && clonedExpiredCerts.isEmpty()) || + (mCRLCerts.isEmpty() && (!clonedUnrevokedCerts.isEmpty())) || + (mCRLCerts.size() < clonedUnrevokedCerts.size()) || + (mCRLCerts.isEmpty() && (mCRLSize > 0)) || + (mCRLCerts.size() > 0 && mCRLSize == 0))) { + + mSplits[5] -= System.currentTimeMillis(); + mDeltaCRLSize = -1; + clearCRLCache(); + clonedRevokedCerts.clear(); + clonedUnrevokedCerts.clear(); + clonedExpiredCerts.clear(); + mSchemaCounter = 0; + + IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); + if (statsSub != null) { + statsSub.startTiming("generation"); + } + CertRecProcessor cp = new CertRecProcessor(mCRLCerts, this, mLogger, mAllowExtensions); + processRevokedCerts(cp); + + if (statsSub != null) { + statsSub.endTiming("generation"); + } + + mCRLCacheIsCleared = false; + mSplits[5] += System.currentTimeMillis(); + } else { + if (isDeltaCRLEnabled()) { + mSplits[1] -= System.currentTimeMillis(); + @SuppressWarnings("unchecked") + Hashtable deltaCRLCerts = + (Hashtable) clonedRevokedCerts.clone(); + + deltaCRLCerts.putAll(clonedUnrevokedCerts); + if (mIncludeExpiredCertsOneExtraTime) { + if 
(!clonedExpiredCerts.isEmpty()) { + for (Enumeration e = clonedExpiredCerts.keys(); e.hasMoreElements();) { + BigInteger serialNumber = e.nextElement(); + if ((mLastFullUpdate != null && + mLastFullUpdate.after((mExpiredCerts.get(serialNumber)).getRevocationDate())) || + mLastFullUpdate == null) { + deltaCRLCerts.put(serialNumber, clonedExpiredCerts.get(serialNumber)); + } + } + } + } else { + deltaCRLCerts.putAll(clonedExpiredCerts); + } + + mLastCRLNumber = mCRLNumber; + + CRLExtensions ext = new CRLExtensions(); + Vector extNames = mCMSCRLExtensions.getCRLExtensionNames(); + + for (int i = 0; i < extNames.size(); i++) { + String extName = extNames.elementAt(i); + + if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) && + (!extName.equals(FreshestCRLExtension.NAME))) { + mCMSCRLExtensions.addToCRLExtensions(ext, extName, null); + } + } + mSplits[1] += System.currentTimeMillis(); + + X509CRLImpl newX509DeltaCRL = null; + + try { + mSplits[2] -= System.currentTimeMillis(); + byte[] newDeltaCRL; + + // #56123 - dont generate CRL if no revoked certificates + if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { + if (deltaCRLCerts.size() == 0) { + CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No Delta CRL Generated"); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "No Revoked Certificates")); + } + } + X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(), + AlgorithmId.get(signingAlgorithm), + thisUpdate, nextDeltaUpdate, deltaCRLCerts, ext); + + newX509DeltaCRL = mCA.sign(crl, signingAlgorithm); + newDeltaCRL = newX509DeltaCRL.getEncoded(); + mSplits[2] += System.currentTimeMillis(); + + mSplits[3] -= System.currentTimeMillis(); + mCRLRepository.updateDeltaCRL(mId, mNextDeltaCRLNumber, + Long.valueOf(deltaCRLCerts.size()), mNextDeltaUpdate, newDeltaCRL); + mSplits[3] += System.currentTimeMillis(); + + mDeltaCRLSize = deltaCRLCerts.size(); + + long totalTime = 0; + String 
splitTimes = " ("; + for (int i = 1; i < mSplits.length && i < 5; i++) { + totalTime += mSplits[i]; + if (i > 1) + splitTimes += ","; + splitTimes += Long.toString(mSplits[i]); + } + splitTimes += ")"; + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + CMS.getLogMessage("CMSCORE_CA_CA_DELTA_CRL_UPDATED"), + new Object[] { + getId(), + getNextCRLNumber(), + getCRLNumber(), + getLastUpdate(), + getNextDeltaUpdate(), + Long.toString(mDeltaCRLSize), + Long.toString(totalTime) + splitTimes + } + ); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA", e.toString())); + mDeltaCRLSize = -1; + } catch (NoSuchAlgorithmException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); + mDeltaCRLSize = -1; + } catch (CRLException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); + mDeltaCRLSize = -1; + } catch (X509ExtensionException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); + mDeltaCRLSize = -1; + } catch (OutOfMemoryError e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); + mDeltaCRLSize = -1; + } + + try { + mSplits[4] -= System.currentTimeMillis(); + publishCRL(newX509DeltaCRL, true); + mSplits[4] += System.currentTimeMillis(); + } catch (EBaseException e) { + newX509DeltaCRL = null; + if (Debug.on()) + Debug.printStackTrace(e); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); + } catch (OutOfMemoryError e) { + newX509DeltaCRL = null; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); + } + } else { + mDeltaCRLSize = -1; + } + + mSplits[5] -= System.currentTimeMillis(); + + if (mSchemaCounter == 0) { + if (((!mCRLCerts.isEmpty()) && 
((!clonedRevokedCerts.isEmpty()) || + (!clonedUnrevokedCerts.isEmpty()) || (!clonedExpiredCerts.isEmpty()))) || + (mCRLCerts.isEmpty() && (mCRLSize == 0) && (!clonedRevokedCerts.isEmpty()))) { + + if (!clonedUnrevokedCerts.isEmpty()) { + for (Enumeration e = clonedUnrevokedCerts.keys(); e.hasMoreElements();) { + BigInteger serialNumber = e.nextElement(); + + if (mCRLCerts.containsKey(serialNumber)) { + mCRLCerts.remove(serialNumber); + } + mUnrevokedCerts.remove(serialNumber); + } + } + + if (!clonedRevokedCerts.isEmpty()) { + for (Enumeration e = clonedRevokedCerts.keys(); e.hasMoreElements();) { + BigInteger serialNumber = e.nextElement(); + + mCRLCerts.put(serialNumber, mRevokedCerts.get(serialNumber)); + mRevokedCerts.remove(serialNumber); + } + } + + if (!clonedExpiredCerts.isEmpty()) { + for (Enumeration e = clonedExpiredCerts.keys(); e.hasMoreElements();) { + BigInteger serialNumber = e.nextElement(); + + if ((!mIncludeExpiredCertsOneExtraTime) || + (mLastFullUpdate != null && + mLastFullUpdate.after((mExpiredCerts.get(serialNumber)).getRevocationDate())) || + mLastFullUpdate == null) { + if (mCRLCerts.containsKey(serialNumber)) { + mCRLCerts.remove(serialNumber); + } + mExpiredCerts.remove(serialNumber); + } + } + } + } + mLastFullUpdate = mLastUpdate; + } + mSplits[5] += System.currentTimeMillis(); + } + + clonedRevokedCerts.clear(); + clonedUnrevokedCerts.clear(); + clonedExpiredCerts.clear(); + clonedRevokedCerts = null; + clonedUnrevokedCerts = null; + clonedExpiredCerts = null; + + if ((!isDeltaCRLEnabled()) || mSchemaCounter == 0) { + mSplits[6] -= System.currentTimeMillis(); + if (mNextDeltaCRLNumber.compareTo(mNextCRLNumber) > 0) { + mNextCRLNumber = mNextDeltaCRLNumber; + } + + CRLExtensions ext = null; + + if (mAllowExtensions) { + ext = new CRLExtensions(); + Vector extNames = mCMSCRLExtensions.getCRLExtensionNames(); + + for (int i = 0; i < extNames.size(); i++) { + String extName = extNames.elementAt(i); + + if 
(mCMSCRLExtensions.isCRLExtensionEnabled(extName) && + (!extName.equals(DeltaCRLIndicatorExtension.NAME))) { + mCMSCRLExtensions.addToCRLExtensions(ext, extName, null); + } + } + } + mSplits[6] += System.currentTimeMillis(); + // for audit log + + X509CRLImpl newX509CRL; + + try { + byte[] newCRL; + + CMS.debug("Making CRL with algorithm " + + signingAlgorithm + " " + AlgorithmId.get(signingAlgorithm)); + + mSplits[7] -= System.currentTimeMillis(); + + // #56123 - dont generate CRL if no revoked certificates + if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { + if (mCRLCerts.size() == 0) { + CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No CRL Generated"); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "No Revoked Certificates")); + } + } + CMS.debug("before new X509CRLImpl"); + X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(), + AlgorithmId.get(signingAlgorithm), + thisUpdate, nextUpdate, mCRLCerts, ext); + + CMS.debug("before sign"); + newX509CRL = mCA.sign(crl, signingAlgorithm); + + CMS.debug("before getEncoded()"); + newCRL = newX509CRL.getEncoded(); + CMS.debug("after getEncoded()"); + mSplits[7] += System.currentTimeMillis(); + + mSplits[8] -= System.currentTimeMillis(); + + Date nextUpdateDate = mNextUpdate; + if (isDeltaCRLEnabled() && (mUpdateSchema > 1 || + (mEnableDailyUpdates && mExtendedTimeList)) && mNextDeltaUpdate != null) { + nextUpdateDate = mNextDeltaUpdate; + } + if (mSaveMemory) { + mCRLRepository.updateCRLIssuingPointRecord( + mId, newCRL, thisUpdate, nextUpdateDate, + mNextCRLNumber, Long.valueOf(mCRLCerts.size())); + updateCRLCacheRepository(); + } else { + mCRLRepository.updateCRLIssuingPointRecord( + mId, newCRL, thisUpdate, nextUpdateDate, + mNextCRLNumber, Long.valueOf(mCRLCerts.size()), + mRevokedCerts, mUnrevokedCerts, mExpiredCerts); + mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE; + } + + mSplits[8] += System.currentTimeMillis(); 
+ + mCRLSize = mCRLCerts.size(); + mCRLNumber = mNextCRLNumber; + mDeltaCRLNumber = mCRLNumber; + mNextCRLNumber = mCRLNumber.add(BigInteger.ONE); + mNextDeltaCRLNumber = mNextCRLNumber; + + CMS.debug("Logging CRL Update to transaction log"); + long totalTime = 0; + long crlTime = 0; + long deltaTime = 0; + String splitTimes = " ("; + for (int i = 0; i < mSplits.length; i++) { + totalTime += mSplits[i]; + if (i > 0 && i < 5) { + deltaTime += mSplits[i]; + } else { + crlTime += mSplits[i]; + } + if (i > 0) + splitTimes += ","; + splitTimes += Long.toString(mSplits[i]); + } + splitTimes += + "," + + Long.toString(deltaTime) + "," + Long.toString(crlTime) + "," + + Long.toString(totalTime) + ")"; + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + CMS.getLogMessage("CMSCORE_CA_CA_CRL_UPDATED"), + new Object[] { + getId(), + getCRLNumber(), + getLastUpdate(), + getNextUpdate(), + Long.toString(mCRLSize), + Long.toString(totalTime), + Long.toString(crlTime), + Long.toString(deltaTime) + splitTimes + } + ); + CMS.debug("Finished Logging CRL Update to transaction log"); + + } catch (EBaseException e) { + newX509CRL = null; + mUpdatingCRL = CRL_UPDATE_DONE; + if (Debug.on()) + Debug.printStackTrace(e); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + } catch (NoSuchAlgorithmException e) { + newX509CRL = null; + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + } catch (CRLException e) { + newX509CRL = null; + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + } catch 
(X509ExtensionException e) { + newX509CRL = null; + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + } catch (OutOfMemoryError e) { + newX509CRL = null; + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + } + + try { + mSplits[9] -= System.currentTimeMillis(); + mUpdatingCRL = CRL_PUBLISHING_STARTED; + publishCRL(newX509CRL); + newX509CRL = null; + mSplits[9] += System.currentTimeMillis(); + } catch (EBaseException e) { + newX509CRL = null; + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); + } catch (OutOfMemoryError e) { + newX509CRL = null; + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); + } + } + + if (isDeltaCRLEnabled() && mDeltaCRLSize > -1 && mSchemaCounter > 0) { + mDeltaCRLNumber = mNextDeltaCRLNumber; + mNextDeltaCRLNumber = mDeltaCRLNumber.add(BigInteger.ONE); + } + + if ((!(mEnableDailyUpdates && mExtendedTimeList)) || mSchemaCounter == 0) + mSchemaCounter++; + if ((mEnableDailyUpdates && mExtendedTimeList && mSchemaCounter >= mTimeListSize) || + (mUpdateSchema > 1 && mSchemaCounter >= mUpdateSchema)) + mSchemaCounter = 0; + mLastDay = mCurrentDay; + + mUpdatingCRL = CRL_UPDATE_DONE; + notifyAll(); + } + + /** + * publish CRL. called from updateCRLNow() and init(). 
+ */ + + public void publishCRL() + throws EBaseException { + publishCRL(null); + } + + protected void publishCRL(X509CRLImpl x509crl) + throws EBaseException { + publishCRL(x509crl, false); + } + + /* + * The Session Context is a Hashtable, but without type information. + * Suppress the warnings generated by adding to the session context + * + */ + protected void publishCRL(X509CRLImpl x509crl, boolean isDeltaCRL) + throws EBaseException { + SessionContext sc = SessionContext.getContext(); + + IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); + if (statsSub != null) { + statsSub.startTiming("crl_publishing"); + } + + if (mCountMod == 0) { + sc.put(SC_CRL_COUNT, Integer.toString(mCount)); + } else { + sc.put(SC_CRL_COUNT, Integer.toString(mCount % mCountMod)); + } + mCount++; + sc.put(SC_ISSUING_POINT_ID, mId); + if (isDeltaCRL) { + sc.put(SC_IS_DELTA_CRL, "true"); + } else { + sc.put(SC_IS_DELTA_CRL, "false"); + } + + ICRLIssuingPointRecord crlRecord = null; + + CMS.debug("Publish CRL"); + try { + if (x509crl == null) { + crlRecord = mCRLRepository.readCRLIssuingPointRecord(mId); + if (crlRecord != null) { + byte[] crl = (isDeltaCRL) ? crlRecord.getDeltaCRL() : crlRecord.getCRL(); + + if (crl != null) { + x509crl = new X509CRLImpl(crl); + } + } + } + if (x509crl != null && + mPublisherProcessor != null && mPublisherProcessor.enabled()) { + Enumeration rules = mPublisherProcessor.getRules(IPublisherProcessor.PROP_LOCAL_CRL); + if (rules == null || !rules.hasMoreElements()) { + CMS.debug("CRL publishing is not enabled."); + } else { + if (mPublishDN != null) { + mPublisherProcessor.publishCRL(mPublishDN, x509crl); + CMS.debug("CRL published to " + mPublishDN); + } else { + mPublisherProcessor.publishCRL(x509crl, getId()); + CMS.debug("CRL published."); + } + } + } + } catch (Exception e) { + CMS.debug("Could not publish CRL. Error " + e); + CMS.debug("Could not publish CRL. 
ID " + mId); + throw new EErrorPublishCRL( + CMS.getUserMessage("CMS_CA_ERROR_PUBLISH_CRL", mId, e.toString())); + } finally { + if (statsSub != null) { + statsSub.endTiming("crl_publishing"); + } + } + } + + protected void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, + "CRLIssuingPoint " + mId + " - " + msg); + } + + void setConfigParam(String name, String value) { + mConfigStore.putString(name, value); + } + + class RevocationRequestListener implements IRequestListener { + + public void init(ISubsystem sys, IConfigStore config) + throws EBaseException { + } + + public void set(String name, String val) { + } + + public void accept(IRequest r) { + String requestType = r.getRequestType(); + + if (requestType.equals(IRequest.REVOCATION_REQUEST) || + requestType.equals(IRequest.UNREVOCATION_REQUEST) || + requestType.equals(IRequest.CLA_CERT4CRL_REQUEST) || + requestType.equals(IRequest.CLA_UNCERT4CRL_REQUEST)) { + CMS.debug("Revocation listener called."); + // check if serial number is in begin/end range if set. 
+ if (mBeginSerial != null || mEndSerial != null) { + CMS.debug( + "Checking if serial number is between " + + mBeginSerial + " and " + mEndSerial); + BigInteger[] serialNos = + r.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); + + if (serialNos == null || serialNos.length == 0) { + X509CertImpl oldCerts[] = + r.getExtDataInCertArray(IRequest.OLD_CERTS); + + if (oldCerts == null || oldCerts.length == 0) + return; + serialNos = new BigInteger[oldCerts.length]; + for (int i = 0; i < oldCerts.length; i++) { + serialNos[i] = oldCerts[i].getSerialNumber(); + } + } + + boolean inRange = false; + + for (int i = 0; i < serialNos.length; i++) { + if ((mBeginSerial == null || + serialNos[i].compareTo(mBeginSerial) >= 0) && + (mEndSerial == null || + serialNos[i].compareTo(mEndSerial) <= 0)) { + inRange = true; + } + } + if (!inRange) { + return; + } + } + + if (mAlwaysUpdate) { + try { + updateCRLNow(); + r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS); + if (mPublisherProcessor != null) { + r.setExtData(mCrlPublishStatus, IRequest.RES_SUCCESS); + } + } catch (EErrorPublishCRL e) { + // error already logged in updateCRLNow(); + r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS); + if (mPublisherProcessor != null) { + r.setExtData(mCrlPublishStatus, IRequest.RES_ERROR); + r.setExtData(mCrlPublishError, e); + } + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString())); + r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR); + r.setExtData(mCrlUpdateError, e); + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString())); + if (Debug.on()) + Debug.printStackTrace(e); + r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR); + r.setExtData(mCrlUpdateError, + new EBaseException( + CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()))); + } + } + } + } + } +} + +class CertRecProcessor implements IElementProcessor { + private Hashtable mCRLCerts = 
null; + private boolean mAllowExtensions = false; + private ILogger mLogger; + private CRLIssuingPoint mIP = null; + + private boolean mIssuingDistPointAttempted = false; + private boolean mIssuingDistPointEnabled = false; + private BitArray mOnlySomeReasons = null; + + public CertRecProcessor(Hashtable crlCerts, CRLIssuingPoint ip, ILogger logger, + boolean allowExtensions) { + mCRLCerts = crlCerts; + mLogger = logger; + mIP = ip; + mAllowExtensions = allowExtensions; + mIssuingDistPointAttempted = false; + mIssuingDistPointEnabled = false; + mOnlySomeReasons = null; + } + + private boolean initCRLIssuingDistPointExtension() { + boolean result = false; + CMSCRLExtensions exts = null; + + if (mIssuingDistPointAttempted == true) { + if ((mIssuingDistPointEnabled == true) && (mOnlySomeReasons != null)) { + return true; + } else { + return false; + } + } + + mIssuingDistPointAttempted = true; + exts = (CMSCRLExtensions) mIP.getCRLExtensions(); + if (exts == null) { + return result; + } + boolean isIssuingDistPointExtEnabled = false; + isIssuingDistPointExtEnabled = + exts.isCRLExtensionEnabled(IssuingDistributionPointExtension.NAME); + if (isIssuingDistPointExtEnabled == false) { + mIssuingDistPointEnabled = false; + return false; + } + + mIssuingDistPointEnabled = true; + + //Get info out of the IssuingDistPointExtension + CRLExtensions ext = new CRLExtensions(); + Vector extNames = exts.getCRLExtensionNames(); + for (int i = 0; i < extNames.size(); i++) { + String extName = extNames.elementAt(i); + if (extName.equals(IssuingDistributionPointExtension.NAME)) { + exts.addToCRLExtensions(ext, extName, null); + } + } + Extension issuingDistExt = null; + try { + issuingDistExt = ext.get(IssuingDistributionPointExtension.NAME); + } catch (Exception e) { + } + + IssuingDistributionPointExtension iExt = null; + if (issuingDistExt != null) + iExt = (IssuingDistributionPointExtension) issuingDistExt; + IssuingDistributionPoint issuingDistributionPoint = null; + if (iExt != 
null) + issuingDistributionPoint = iExt.getIssuingDistributionPoint(); + + BitArray onlySomeReasons = null; + + if (issuingDistributionPoint != null) + onlySomeReasons = issuingDistributionPoint.getOnlySomeReasons(); + + boolean applyReasonMatch = false; + + if (onlySomeReasons != null) { + applyReasonMatch = !onlySomeReasons.toString().equals("0000000"); + CMS.debug("applyReasonMatch " + applyReasonMatch); + if (applyReasonMatch == true) { + mOnlySomeReasons = onlySomeReasons; + result = true; + } + } + return result; + } + + private boolean checkOnlySomeReasonsExtension(CRLExtensions entryExts) { + boolean includeCert = true; + //This is exactly how the Pretty Print code obtains the reason code + //through the extensions + if (entryExts == null) { + return includeCert; + } + + Extension crlReasonExt = null; + try { + crlReasonExt = entryExts.get(CRLReasonExtension.NAME); + } catch (Exception e) { + return includeCert; + } + + RevocationReason reason = null; + int reasonIndex = 0; + if (crlReasonExt != null) { + try { + CRLReasonExtension theReason = (CRLReasonExtension) crlReasonExt; + reason = (RevocationReason) theReason.get("value"); + reasonIndex = reason.toInt(); + CMS.debug("revoked reason " + reason); + } catch (Exception e) { + return includeCert; + } + } else { + return includeCert; + } + boolean reasonMatch = false; + if (reason != null) { + if (mOnlySomeReasons != null) { + reasonMatch = mOnlySomeReasons.get(reasonIndex); + if (reasonMatch != true) { + includeCert = false; + } else { + CMS.debug("onlySomeReasons match! 
reason: " + reason); + } + } + } + + return includeCert; + } + + public boolean checkRevokedCertExtensions(CRLExtensions crlExtensions) { + //For now just check the onlySomeReason CRL IssuingDistributionPoint extension + + boolean includeCert = true; + if ((crlExtensions == null) || (mAllowExtensions == false)) { + return includeCert; + } + boolean inited = initCRLIssuingDistPointExtension(); + + //If the CRLIssuingDistPointExtension is not available or + // if onlySomeReasons does not apply, bail. + if (inited == false) { + return includeCert; + } + + //Check the onlySomeReasonsExtension + includeCert = checkOnlySomeReasonsExtension(crlExtensions); + + return includeCert; + } + + public void process(Object o) throws EBaseException { + try { + CertRecord certRecord = (CertRecord) o; + + CRLExtensions entryExt = null, crlExts = null; + BigInteger serialNumber = certRecord.getSerialNumber(); + Date revocationDate = certRecord.getRevocationDate(); + IRevocationInfo revInfo = certRecord.getRevocationInfo(); + + if (revInfo != null) { + crlExts = revInfo.getCRLEntryExtensions(); + entryExt = mIP.getRequiredEntryExtensions(crlExts); + } + RevokedCertificate newRevokedCert = + new RevokedCertImpl(serialNumber, revocationDate, entryExt); + + boolean includeCert = checkRevokedCertExtensions(crlExts); + + if (includeCert == true) { + mCRLCerts.put(serialNumber, newRevokedCert); + if (serialNumber != null) { + CMS.debug("Putting certificate serial: 0x" + serialNumber.toString(16) + " into CRL hashtable"); + } + } + } catch (EBaseException e) { + CMS.debug( + "CA failed constructing CRL entry: " + + (mCRLCerts.size() + 1) + " " + e); + throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + } + } +} diff --git a/base/ca/src/com/netscape/ca/CRLWithExpiredCerts.java b/base/ca/src/com/netscape/ca/CRLWithExpiredCerts.java new file mode 100644 index 000000000..9ad619ff8 --- /dev/null +++ b/base/ca/src/com/netscape/ca/CRLWithExpiredCerts.java 
@@ -0,0 +1,68 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.ca;
+
+import java.math.BigInteger;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.cmscore.dbs.CertRecord;
+
+/**
+ * A CRL Issuing point that contains revoked certs, include onces that
+ * have expired.
+ */
+public class CRLWithExpiredCerts extends CRLIssuingPoint {
+
+ /**
+ * overrides getRevokedCerts in CRLIssuingPoint to include
+ * all revoked certs, including once that have expired.
+ *
+ * @param thisUpdate parameter is ignored.
+ *
+ * @exception EBaseException if an exception occured getting revoked
+ * certificates from the database.
+ */
+ public String getFilter() {
+ // PLEASE DONT CHANGE THE FILTER. It is indexed.
+ // Changing it will degrade performance. See
+ // also com.netscape.certsetup.LDAPUtil.java
+ String filter =
+ "(|(" + CertRecord.ATTR_CERT_STATUS + "=" +
+ CertRecord.STATUS_REVOKED + ")" +
+ "(" + CertRecord.ATTR_CERT_STATUS + "=" +
+ CertRecord.STATUS_REVOKED_EXPIRED + "))";
+
+ // check if any ranges specified.
+ if (mBeginSerial != null)
+ filter += "(" + CertRecord.ATTR_ID + ">=" + mBeginSerial.toString() + ")";
+ if (mEndSerial != null)
+ filter += "(" + CertRecord.ATTR_ID + "<=" + mEndSerial.toString() + ")";
+ // get all revoked non-expired certs.
+ if (mEndSerial != null || mBeginSerial != null) {
+ filter = "(&" + filter + ")";
+ }
+ return filter;
+ }
+
+ /**
+ * registers expired certificates
+ */
+ public void addExpiredCert(BigInteger serialNumber) {
+ // don't do anything
+ }
+}
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
new file mode 100644
index 000000000..c8783f566
--- /dev/null
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
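Review bot: The Javadoc on `getFilter()` documents a different method: it says it overrides `getRevokedCerts`, names a `thisUpdate` parameter and an `EBaseException`, none of which exist on this no-argument, non-throwing method, so the `@param`/`@exception` tags should go and the summary replaced with something like `Returns the LDAP filter selecting both REVOKED and REVOKED_EXPIRED certificate records, optionally bounded by mBeginSerial/mEndSerial, so that expired revoked certificates stay on the CRL.`. Both methods appear to override `CRLIssuingPoint` members and would benefit from `@Override` so that a superclass signature change is caught at compile time rather than silently producing a new overload. `addExpiredCert` does nothing and its comment should say why, e.g. `// no-op: getFilter() already keeps expired revoked certs in the CRL, so they need no separate tracking`; the class summary and method doc also have typos ("onces"/"once" for "ones", "occured"). The serial bounds are concatenated into the filter without escaping, which is only safe if `mBeginSerial`/`mEndSerial` are numeric `BigInteger`s (their declaration is outside this hunk) — a short comment stating that assumption would keep a future change to a string-typed bound from turning this into filter injection.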
@@ -0,0 +1,2024 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.ca; + +import java.io.ByteArrayInputStream; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.IOException; +import java.math.BigInteger; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.PublicKey; +import java.security.cert.CRLException; +import java.security.cert.CertificateException; +import java.security.cert.CertificateParsingException; +import java.util.Date; +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Vector; + +import netscape.security.util.DerOutputStream; +import netscape.security.util.DerValue; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CertificateChain; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CRLImpl; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; +import netscape.security.x509.X509ExtensionException; +import netscape.security.x509.X509Key; + +import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.asn1.ASN1Util; 
+import org.mozilla.jss.asn1.GeneralizedTime; +import org.mozilla.jss.asn1.INTEGER; +import org.mozilla.jss.asn1.InvalidBERException; +import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; +import org.mozilla.jss.asn1.OCTET_STRING; +import org.mozilla.jss.crypto.SignatureAlgorithm; +import org.mozilla.jss.crypto.TokenException; +import org.mozilla.jss.pkix.cert.Extension; +import org.mozilla.jss.pkix.primitive.Name; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authority.ICertAuthority; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.EPropertyNotFound; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.base.Nonces; +import com.netscape.certsrv.ca.ECAException; +import com.netscape.certsrv.ca.ICRLIssuingPoint; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.dbs.IDBSubsystem; +import com.netscape.certsrv.dbs.certdb.ICertRecord; +import com.netscape.certsrv.dbs.certdb.ICertificateRepository; +import com.netscape.certsrv.dbs.crldb.ICRLRepository; +import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.ocsp.IOCSPService; +import com.netscape.certsrv.policy.IPolicyProcessor; +import com.netscape.certsrv.publish.ICRLPublisher; +import com.netscape.certsrv.publish.IPublisherProcessor; +import com.netscape.certsrv.request.ARequestNotifier; +import com.netscape.certsrv.request.IPolicy; +import com.netscape.certsrv.request.IRequestListener; +import com.netscape.certsrv.request.IRequestNotifier; +import com.netscape.certsrv.request.IRequestQueue; +import com.netscape.certsrv.request.IRequestScheduler; +import com.netscape.certsrv.request.IService; +import com.netscape.certsrv.security.ISigningUnit; +import com.netscape.certsrv.util.IStatsSubsystem; +import 
com.netscape.cmscore.dbs.CRLRepository; +import com.netscape.cmscore.dbs.CertRecord; +import com.netscape.cmscore.dbs.CertificateRepository; +import com.netscape.cmscore.dbs.DBSubsystem; +import com.netscape.cmscore.dbs.ReplicaIDRepository; +import com.netscape.cmscore.ldap.PublisherProcessor; +import com.netscape.cmscore.listeners.ListenerPlugin; +import com.netscape.cmscore.request.RequestSubsystem; +import com.netscape.cmscore.security.KeyCertUtil; +import com.netscape.cmscore.util.Debug; +import com.netscape.cmsutil.ocsp.BasicOCSPResponse; +import com.netscape.cmsutil.ocsp.CertID; +import com.netscape.cmsutil.ocsp.CertStatus; +import com.netscape.cmsutil.ocsp.GoodInfo; +import com.netscape.cmsutil.ocsp.KeyHashID; +import com.netscape.cmsutil.ocsp.NameID; +import com.netscape.cmsutil.ocsp.OCSPRequest; +import com.netscape.cmsutil.ocsp.OCSPResponse; +import com.netscape.cmsutil.ocsp.OCSPResponseStatus; +import com.netscape.cmsutil.ocsp.ResponderID; +import com.netscape.cmsutil.ocsp.ResponseBytes; +import com.netscape.cmsutil.ocsp.ResponseData; +import com.netscape.cmsutil.ocsp.RevokedInfo; +import com.netscape.cmsutil.ocsp.SingleResponse; +import com.netscape.cmsutil.ocsp.TBSRequest; +import com.netscape.cmsutil.ocsp.UnknownInfo; + +/** + * A class represents a Certificate Authority that is + * responsible for certificate specific operations. + *

+ * + * @author lhsiao + * @version $Revision$, $Date$ + */ +public class CertificateAuthority implements ICertificateAuthority, ICertAuthority, IOCSPService { + public static final String OFFICIAL_NAME = "Certificate Manager"; + + public final static OBJECT_IDENTIFIER OCSP_NONCE = new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.48.1.2"); + + protected ISubsystem mOwner = null; + protected IConfigStore mConfig = null; + protected ILogger mLogger = CMS.getLogger(); + protected Hashtable mCRLIssuePoints = new Hashtable(); + protected CRLIssuingPoint mMasterCRLIssuePoint = null; // the complete crl. + protected SigningUnit mSigningUnit; + protected SigningUnit mOCSPSigningUnit; + protected SigningUnit mCRLSigningUnit; + + protected X500Name mName = null; + protected X500Name mCRLName = null; + protected X500Name mOCSPName = null; + protected String mNickname = null; // nickname of CA signing cert. + protected String mOCSPNickname = null; // nickname of OCSP signing cert. + protected long mCertSerialNumberCounter = System.currentTimeMillis(); + protected long mRequestID = System.currentTimeMillis(); + + protected String[] mAllowedSignAlgors = null; + + protected CertificateRepository mCertRepot = null; + protected CRLRepository mCRLRepot = null; + protected ReplicaIDRepository mReplicaRepot = null; + + protected CertificateChain mCACertChain = null; + protected CertificateChain mOCSPCertChain = null; + protected X509CertImpl mCRLCert = null; + protected org.mozilla.jss.crypto.X509Certificate mCRLX509Cert = null; + protected X509CertImpl mCaCert = null; + protected org.mozilla.jss.crypto.X509Certificate mCaX509Cert = null; + protected X509CertImpl mOCSPCert = null; + protected org.mozilla.jss.crypto.X509Certificate mOCSPX509Cert = null; + protected String[] mCASigningAlgorithms = null; + + protected PublisherProcessor mPublisherProcessor = null; + protected IRequestQueue mRequestQueue = null; + protected CAPolicy mPolicy = null; + protected CAService mService = null; + protected 
IRequestNotifier mNotify = null; + protected IRequestNotifier mPNotify = null; + protected long mNumOCSPRequest = 0; + protected long mTotalTime = 0; + protected long mTotalData = 0; + protected long mSignTime = 0; + protected long mLookupTime = 0; + + protected static final int FASTSIGNING_DISABLED = 0; + protected static final int FASTSIGNING_ENABLED = 1; + + protected CertificateVersion mDefaultCertVersion; + protected long mDefaultValidity; + protected boolean mEnablePastCATime; + protected boolean mEnableOCSP; + protected int mFastSigning = FASTSIGNING_DISABLED; + + protected static final long SECOND = 1000; // 1000 milliseconds + protected static final long MINUTE = 60 * SECOND; + protected static final long HOUR = 60 * MINUTE; + protected static final long DAY = 24 * HOUR; + protected static final long YEAR = DAY * 365; + + protected static final String PROP_CERT_REPOS_DN = "CertificateRepositoryDN"; + protected static final String PROP_REPOS_DN = "RepositoryDN"; + protected static final String PROP_REPLICAID_DN = "dbs.replicadn"; + + // for the notification listeners + + /** + * Package constants + */ + + public IRequestListener mCertIssuedListener = null; + public IRequestListener mCertRevokedListener = null; + public IRequestListener mReqInQListener = null; + + /* cache responder ID for performance */ + private ResponderID mResponderIDByName = null; + private ResponderID mResponderIDByHash = null; + + protected Hashtable mListenerPlugins = null; + + /** + * Internal constants + */ + + protected ICRLPublisher mCRLPublisher = null; + private String mId = null; + + private boolean mByName = true; + + private boolean mUseNonces = true; + private int mMaxNonces = 100; + private Nonces mNonces = null; + + /** + * Constructs a CA subsystem. + */ + public CertificateAuthority() { + } + + /** + * Retrieves subsystem identifier. 
+ */ + public String getId() { + return mId; + } + + public CertificateVersion getDefaultCertVersion() { + return mDefaultCertVersion; + } + + public boolean isEnablePastCATime() { + return mEnablePastCATime; + } + + /** + * Sets subsystem identifier. + */ + public void setId(String id) throws EBaseException { + mId = id; + } + + /** + * updates the Master CRL now + */ + public void updateCRLNow() throws EBaseException { + if (mMasterCRLIssuePoint != null) { + mMasterCRLIssuePoint.updateCRLNow(); + } + } + + public void publishCRLNow() throws EBaseException { + if (mMasterCRLIssuePoint != null) { + mMasterCRLIssuePoint.publishCRL(); + } + } + + public ICRLPublisher getCRLPublisher() { + return mCRLPublisher; + } + + /** + * @deprecated + */ + public IPolicyProcessor getPolicyProcessor() { + return mPolicy.getPolicyProcessor(); + } + + public boolean noncesEnabled() { + return mUseNonces; + } + + public Nonces getNonces() { + return mNonces; + } + + /** + * Initializes this CA subsystem. + *

+ * + * @param owner owner of this subsystem + * @param config configuration of this subsystem + * @exception EBaseException failed to initialize this CA + */ + public void init(ISubsystem owner, IConfigStore config) throws + EBaseException { + + try { + CMS.debug("CertificateAuthority init "); + mOwner = owner; + mConfig = config; + + // init cert & crl database. + initCaDatabases(); + + // init signing unit & CA cert. + try { + initSigUnit(); + // init default CA attributes like cert version, validity. + initDefCaAttrs(); + } catch (EBaseException e) { + if (CMS.isPreOpMode()) + ; + else + throw e; + } + + // init web gateway. + initWebGateway(); + + mUseNonces = mConfig.getBoolean("enableNonces", true); + mMaxNonces = mConfig.getInteger("maxNumberOfNonces", 100); + if (mUseNonces) { + mNonces = new Nonces(mMaxNonces); + CMS.debug("CertificateAuthority init: Nonces enabled. (" + mNonces.size() + ")"); + } + + // init request queue and related modules. + CMS.debug("CertificateAuthority init: initRequestQueue"); + initRequestQueue(); + if (CMS.isPreOpMode()) + return; + + // set certificate status to 10 minutes + mCertRepot.setCertStatusUpdateInterval( + mRequestQueue.getRequestRepository(), + mConfig.getInteger("certStatusUpdateInterval", 10 * 60), + mConfig.getBoolean("listenToCloneModifications", false)); + mCertRepot.setConsistencyCheck( + mConfig.getBoolean("ConsistencyCheck", false)); + mCertRepot.setSkipIfInConsistent( + mConfig.getBoolean("SkipIfInConsistent", false)); + + mService.init(config.getSubStore("connector")); + + initMiscellaneousListeners(); + + // instantiate CRL publisher + IConfigStore cpStore = null; + + mByName = config.getBoolean("byName", true); + + cpStore = config.getSubStore("crlPublisher"); + if (cpStore != null && cpStore.size() > 0) { + String publisherClass = cpStore.getString("class"); + + if (publisherClass != null) { + try { + @SuppressWarnings("unchecked") + Class pc = (Class) Class.forName(publisherClass); + + mCRLPublisher = 
pc.newInstance(); + mCRLPublisher.init(this, cpStore); + } catch (ClassNotFoundException ee) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_PUBLISHER", ee.toString())); + } catch (IllegalAccessException ee) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_PUBLISHER", ee.toString())); + } catch (InstantiationException ee) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_PUBLISHER", ee.toString())); + } + } + } + + // initialize publisher processor (publish remote admin + // rely on this subsystem, so it has to be initialized) + initPublish(); + + // Initialize CRL issuing points. + // note CRL framework depends on DBS, CRYPTO and PUBLISHING + // being functional. + initCRL(); + + } catch (EBaseException e) { + if (CMS.isPreOpMode()) + return; + else + throw e; + } + } + + /** + * return CA's request queue processor + */ + public IRequestQueue getRequestQueue() { + return mRequestQueue; + } + + /** + * registers listener + */ + public void registerRequestListener(IRequestListener listener) { + mNotify.registerListener(listener); + } + + /** + * registers listener with a name. + */ + public void registerRequestListener(String name, IRequestListener listener) { + mNotify.registerListener(name, listener); + } + + /** + * removes listener + */ + public void removeRequestListener(IRequestListener listener) { + mNotify.removeListener(listener); + } + + /** + * removes listener with a name. + */ + public void removeRequestListener(String name) { + mNotify.removeListener(name); + } + + /** + * register listener for pending requests + */ + public void registerPendingListener(IRequestListener listener) { + mPNotify.registerListener(listener); + } + + /** + * register listener for pending requests with a name. 
+ */ + public void registerPendingListener(String name, IRequestListener listener) { + mPNotify.registerListener(name, listener); + } + + /** + * get listener from listener list + */ + public IRequestListener getRequestListener(String name) { + return mNotify.getListener(name); + } + + /** + * get notifiers registered by CA + */ + public IRequestNotifier getRequestNotifier() { + return mNotify; + } + + /** + * get listener from listener list + */ + public IRequestListener getPendingListener(String name) { + return mPNotify.getListener(name); + } + + public Enumeration getRequestListenerNames() { + return mNotify.getListenerNames(); + } + + public IRequestListener getRequestInQListener() { + return mReqInQListener; + } + + public IRequestListener getCertIssuedListener() { + return mCertIssuedListener; + } + + public IRequestListener getCertRevokedListener() { + return mCertRevokedListener; + } + + /** + * return CA's policy processor. + */ + public IPolicy getCAPolicy() { + return mPolicy; + } + + /** + * return CA's request queue service object. + */ + public IService getCAService() { + return mService; + } + + /** + * check if the ca is a clone. + */ + public boolean isClone() { + if (CAService.mCLAConnector != null) + return true; + else + return false; + } + + /** + * Starts up this subsystem. + */ + public void startup() throws EBaseException { + if (CMS.isPreOpMode()) { + return; + } + mService.startup(); + mRequestQueue.recover(); + + // Note that this could be null. + + // setup Admin operations + + initNotificationListeners(); + + startPublish(); + // startCRL(); + } + + /** + * Shutdowns this subsystem. + *

+ */ + public void shutdown() { + Enumeration enums = mCRLIssuePoints.elements(); + while (enums.hasMoreElements()) { + CRLIssuingPoint point = (CRLIssuingPoint) enums.nextElement(); + point.shutdown(); + } + + if (mMasterCRLIssuePoint != null) { + mMasterCRLIssuePoint.shutdown(); + } + + mSigningUnit = null; + mOCSPSigningUnit = null; + mCRLSigningUnit = null; + if (mCertRepot != null) { + mCertRepot.shutdown(); + mCertRepot = null; + } + mCRLRepot = null; + mPublisherProcessor.shutdown(); + } + + /** + * Retrieves the configuration store of this subsystem. + *

+ */ + public IConfigStore getConfigStore() { + return mConfig; + } + + /** + * Retrieves logger. + */ + public ILogger getLogger() { + return CMS.getLogger(); + } + + /** + * Retrieves database services. + */ + public IDBSubsystem getDBSubsystem() { + return DBSubsystem.getInstance(); + } + + public void setValidity(String enableCAPast) throws EBaseException { + if (enableCAPast.equals("true")) + mEnablePastCATime = true; + else + mEnablePastCATime = false; + mConfig.putString(PROP_ENABLE_PAST_CATIME, enableCAPast); + } + + public long getDefaultValidity() { + return mDefaultValidity; + } + + public SignatureAlgorithm getDefaultSignatureAlgorithm() { + return mSigningUnit.getDefaultSignatureAlgorithm(); + } + + public String getDefaultAlgorithm() { + return mSigningUnit.getDefaultAlgorithm(); + } + + public void setDefaultAlgorithm(String algorithm) throws EBaseException { + mSigningUnit.setDefaultAlgorithm(algorithm); + } + + public String getStartSerial() { + try { + BigInteger serial = + mCertRepot.getTheSerialNumber(); + + if (serial == null) + return ""; + else + return serial.toString(16); + } catch (EBaseException e) { + // shouldn't get here. + return ""; + } + } + + public void setStartSerial(String serial) throws EBaseException { + mCertRepot.setTheSerialNumber(new BigInteger(serial)); + } + + public String getMaxSerial() { + String serial = mCertRepot.getMaxSerial(); + + if (serial != null) + return serial; + else + return ""; + } + + public void setMaxSerial(String serial) throws EBaseException { + mCertRepot.setMaxSerial(serial); + } + + /** + * Retrieves certificate repository. + *

+ * + * @return certificate repository + */ + public ICertificateRepository getCertificateRepository() { + return mCertRepot; + } + + /** + * Retrieves replica repository. + *

+ * + * @return replica repository + */ + public IReplicaIDRepository getReplicaRepository() { + return mReplicaRepot; + } + + /** + * Retrieves CRL repository. + */ + public ICRLRepository getCRLRepository() { + return mCRLRepot; + } + + public IPublisherProcessor getPublisherProcessor() { + return mPublisherProcessor; + } + + /** + * Retrieves the CRL issuing point by id. + *

+ * + * @param id string id of the CRL issuing point + * @return CRL issuing point + */ + public ICRLIssuingPoint getCRLIssuingPoint(String id) { + return mCRLIssuePoints.get(id); + } + + /** + * Enumerates CRL issuing points + *

+ * + * @return security service + */ + public Enumeration getCRLIssuingPoints() { + return mCRLIssuePoints.elements(); + } + + public int getCRLIssuingPointsSize() { + return mCRLIssuePoints.size(); + } + + /** + * Adds CRL issuing point with the given identifier and description. + */ + @SuppressWarnings("unchecked") + public boolean addCRLIssuingPoint(IConfigStore crlSubStore, String id, + boolean enable, String description) { + crlSubStore.makeSubStore(id); + IConfigStore c = crlSubStore.getSubStore(id); + + if (c != null) { + c.putString("allowExtensions", "true"); + c.putString("alwaysUpdate", "false"); + c.putString("autoUpdateInterval", "240"); + c.putString("caCertsOnly", "false"); + c.putString("cacheUpdateInterval", "15"); + c.putString("class", "com.netscape.ca.CRLIssuingPoint"); + c.putString("dailyUpdates", "3:45"); + c.putString("description", description); + c.putBoolean("enable", enable); + c.putString("enableCRLCache", "true"); + c.putString("enableCRLUpdates", "true"); + c.putString("enableCacheTesting", "false"); + c.putString("enableCacheRecovery", "true"); + c.putString("enableDailyUpdates", "false"); + c.putString("enableUpdateInterval", "true"); + c.putString("extendedNextUpdate", "true"); + c.putString("includeExpiredCerts", "false"); + c.putString("minUpdateInterval", "0"); + c.putString("nextUpdateGracePeriod", "0"); + c.putString("publishOnStart", "false"); + c.putString("saveMemory", "false"); + c.putString("signingAlgorithm", "SHA256withRSA"); + c.putString("updateSchema", "1"); + + // crl extensions + // AuthorityInformationAccess + c.putString("extension.AuthorityInformationAccess.enable", "false"); + c.putString("extension.AuthorityInformationAccess.critical", "false"); + c.putString("extension.AuthorityInformationAccess.type", "CRLExtension"); + c.putString("extension.AuthorityInformationAccess.class", + "com.netscape.cms.crl.CMSAuthInfoAccessExtension"); + 
c.putString("extension.AuthorityInformationAccess.numberOfAccessDescriptions", "1"); + c.putString("extension.AuthorityInformationAccess.accessMethod0", "caIssuers"); + c.putString("extension.AuthorityInformationAccess.accessLocationType0", "URI"); + c.putString("extension.AuthorityInformationAccess.accessLocation0", ""); + // AuthorityKeyIdentifier + c.putString("extension.AuthorityKeyIdentifier.enable", "false"); + c.putString("extension.AuthorityKeyIdentifier.critical", "false"); + c.putString("extension.AuthorityKeyIdentifier.type", "CRLExtension"); + c.putString("extension.AuthorityKeyIdentifier.class", + "com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension"); + // IssuerAlternativeName + c.putString("extension.IssuerAlternativeName.enable", "false"); + c.putString("extension.IssuerAlternativeName.critical", "false"); + c.putString("extension.IssuerAlternativeName.type", "CRLExtension"); + c.putString("extension.IssuerAlternativeName.class", + "com.netscape.cms.crl.CMSIssuerAlternativeNameExtension"); + c.putString("extension.IssuerAlternativeName.numNames", "0"); + c.putString("extension.IssuerAlternativeName.nameType0", ""); + c.putString("extension.IssuerAlternativeName.name0", ""); + // CRLNumber + c.putString("extension.CRLNumber.enable", "true"); + c.putString("extension.CRLNumber.critical", "false"); + c.putString("extension.CRLNumber.type", "CRLExtension"); + c.putString("extension.CRLNumber.class", + "com.netscape.cms.crl.CMSCRLNumberExtension"); + // DeltaCRLIndicator + c.putString("extension.DeltaCRLIndicator.enable", "false"); + c.putString("extension.DeltaCRLIndicator.critical", "true"); + c.putString("extension.DeltaCRLIndicator.type", "CRLExtension"); + c.putString("extension.DeltaCRLIndicator.class", + "com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension"); + // IssuingDistributionPoint + c.putString("extension.IssuingDistributionPoint.enable", "false"); + c.putString("extension.IssuingDistributionPoint.critical", "true"); + 
c.putString("extension.IssuingDistributionPoint.type", "CRLExtension"); + c.putString("extension.IssuingDistributionPoint.class", + "com.netscape.cms.crl.CMSIssuingDistributionPointExtension"); + c.putString("extension.IssuingDistributionPoint.pointType", ""); + c.putString("extension.IssuingDistributionPoint.pointName", ""); + c.putString("extension.IssuingDistributionPoint.onlyContainsUserCerts", "false"); + c.putString("extension.IssuingDistributionPoint.onlyContainsCACerts", "false"); + c.putString("extension.IssuingDistributionPoint.onlySomeReasons", ""); + //"keyCompromise,cACompromise,affiliationChanged,superseded,cessationOfOperation,certificateHold"); + c.putString("extension.IssuingDistributionPoint.indirectCRL", "false"); + // CRLReason + c.putString("extension.CRLReason.enable", "true"); + c.putString("extension.CRLReason.critical", "false"); + c.putString("extension.CRLReason.type", "CRLEntryExtension"); + c.putString("extension.CRLReason.class", + "com.netscape.cms.crl.CMSCRLReasonExtension"); + // HoldInstruction - removed by RFC 5280 + // c.putString("extension.HoldInstruction.enable", "false"); + // c.putString("extension.HoldInstruction.critical", "false"); + // c.putString("extension.HoldInstruction.type", "CRLEntryExtension"); + // c.putString("extension.HoldInstruction.class", + // "com.netscape.cms.crl.CMSHoldInstructionExtension"); + // c.putString("extension.HoldInstruction.instruction", "none"); + // InvalidityDate + c.putString("extension.InvalidityDate.enable", "true"); + c.putString("extension.InvalidityDate.critical", "false"); + c.putString("extension.InvalidityDate.type", "CRLEntryExtension"); + c.putString("extension.InvalidityDate.class", + "com.netscape.cms.crl.CMSInvalidityDateExtension"); + // CertificateIssuer + /* + c.putString("extension.CertificateIssuer.enable", "false"); + c.putString("extension.CertificateIssuer.critical", "true"); + c.putString("extension.CertificateIssuer.type", "CRLEntryExtension"); + 
c.putString("extension.CertificateIssuer.class", + "com.netscape.cms.crl.CMSCertificateIssuerExtension"); + c.putString("extension.CertificateIssuer.numNames", "0"); + c.putString("extension.CertificateIssuer.nameType0", ""); + c.putString("extension.CertificateIssuer.name0", ""); + */ + // FreshestCRL + c.putString("extension.FreshestCRL.enable", "false"); + c.putString("extension.FreshestCRL.critical", "false"); + c.putString("extension.FreshestCRL.type", "CRLExtension"); + c.putString("extension.FreshestCRL.class", + "com.netscape.cms.crl.CMSFreshestCRLExtension"); + c.putString("extension.FreshestCRL.numPoints", "0"); + c.putString("extension.FreshestCRL.pointType0", ""); + c.putString("extension.FreshestCRL.pointName0", ""); + + String issuingPointClassName = null; + Class issuingPointClass = null; + CRLIssuingPoint issuingPoint = null; + + try { + issuingPointClassName = c.getString(PROP_CLASS); + issuingPointClass = (Class) Class.forName(issuingPointClassName); + issuingPoint = (CRLIssuingPoint) issuingPointClass.newInstance(); + issuingPoint.init(this, id, c); + mCRLIssuePoints.put(id, issuingPoint); + } catch (EPropertyNotFound e) { + crlSubStore.removeSubStore(id); + return false; + } catch (EBaseException e) { + crlSubStore.removeSubStore(id); + return false; + } catch (ClassNotFoundException e) { + crlSubStore.removeSubStore(id); + return false; + } catch (InstantiationException e) { + crlSubStore.removeSubStore(id); + return false; + } catch (IllegalAccessException e) { + crlSubStore.removeSubStore(id); + return false; + } + } + return true; + } + + /** + * Deletes CRL issuing point with the given identifier. 
+ */ + public void deleteCRLIssuingPoint(IConfigStore crlSubStore, String id) { + CRLIssuingPoint ip = (CRLIssuingPoint) mCRLIssuePoints.get(id); + + if (ip != null) { + ip.shutdown(); + mCRLIssuePoints.remove(id); + ip = null; + crlSubStore.removeSubStore(id); + try { + mCRLRepot.deleteCRLIssuingPointRecord(id); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("FAILED_REMOVING_CRL_IP_2", id, e.toString())); + } + } + } + + /** + * Returns X500 name of the Certificate Authority + *

+ * + * @return CA name + */ + public X500Name getX500Name() { + return mName; + } + + public X500Name getCRLX500Name() { + return mCRLName; + } + + public X500Name getOCSPX500Name() { + return mOCSPName; + } + + /** + * Returns nickname of CA's signing cert. + *

+ * + * @return CA signing cert nickname. + */ + public String getNickname() { + return mNickname; + } + + /** + * Returns nickname of OCSP's signing cert. + *

+ * + * @return OCSP signing cert nickname. + */ + public String getOCSPNickname() { + return mOCSPNickname; + } + + /** + * Returns default signing unit used by this CA + *

+ * + * @return request identifier + */ + public ISigningUnit getSigningUnit() { + return mSigningUnit; + } + + public ISigningUnit getCRLSigningUnit() { + return mCRLSigningUnit; + } + + public ISigningUnit getOCSPSigningUnit() { + return mOCSPSigningUnit; + } + + public void setBasicConstraintMaxLen(int num) { + mConfig.putString("Policy.rule.BasicConstraintsExt.maxPathLen", "" + num); + } + + /** + * Signs CRL using the specified signature algorithm. + * If no algorithm is specified the CA's default signing algorithm + * is used. + *

+ * + * @param crl the CRL to be signed. + * @param algname the algorithm name to use. This is a JCA name such + * as MD5withRSA, etc. If set to null the default signing algorithm + * is used. + * + * @return the signed CRL + */ + public X509CRLImpl sign(X509CRLImpl crl, String algname) + throws EBaseException { + X509CRLImpl signedcrl = null; + + IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); + if (statsSub != null) { + statsSub.startTiming("signing"); + } + + try { + DerOutputStream out = new DerOutputStream(); + DerOutputStream tmp = new DerOutputStream(); + + if (algname == null) { + algname = mSigningUnit.getDefaultAlgorithm(); + } + + crl.encodeInfo(tmp); + AlgorithmId.get(algname).encode(tmp); + + byte[] tbsCertList = crl.getTBSCertList(); + + byte[] signature = mCRLSigningUnit.sign(tbsCertList, algname); + + if (crl.setSignature(signature)) { + tmp.putBitString(signature); + out.write(DerValue.tag_Sequence, tmp); + + if (crl.setSignedCRL(out.toByteArray())) { + signedcrl = crl; + // signedcrl = new X509CRLImpl(out.toByteArray()); + } else { + CMS.debug("Failed to add signed-CRL to CRL object."); + } + } else { + CMS.debug("Failed to add signature to CRL object."); + } + } catch (CRLException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), e.getMessage())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_CRL_FAILED", e.getMessage())); + } catch (X509ExtensionException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), e.getMessage())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_CRL_FAILED", e.getMessage())); + } catch (NoSuchAlgorithmException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), e.getMessage())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_CRL_FAILED", e.getMessage())); + } catch (IOException e) { + log(ILogger.LL_FAILURE, 
CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), e.getMessage())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_CRL_FAILED", e.getMessage())); + } finally { + if (statsSub != null) { + statsSub.endTiming("signing"); + } + } + + return signedcrl; + } + + /** + * Signs the given certificate info using specified signing algorithm + * If no algorithm is specified the CA's default algorithm is used. + *

+ * + * @param certInfo the certificate info to be signed. + * @param algname the signing algorithm to use. These are names defined + * in JCA, such as MD5withRSA, etc. If null the CA's default + * signing algorithm will be used. + * @return signed certificate + */ + public X509CertImpl sign(X509CertInfo certInfo, String algname) + throws EBaseException { + + X509CertImpl signedcert = null; + + IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); + if (statsSub != null) { + statsSub.startTiming("signing"); + } + + try { + DerOutputStream out = new DerOutputStream(); + DerOutputStream tmp = new DerOutputStream(); + + if (certInfo == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_CERTINFO")); + return null; + } + + if (algname == null) { + algname = mSigningUnit.getDefaultAlgorithm(); + } + + CMS.debug("sign cert get algorithm"); + AlgorithmId alg = AlgorithmId.get(algname); + + // encode certificate info + CMS.debug("sign cert encoding cert"); + certInfo.encode(tmp); + byte[] rawCert = tmp.toByteArray(); + + // encode algorithm identifier + CMS.debug("sign cert encoding algorithm"); + alg.encode(tmp); + + CMS.debug("CA cert signing: signing cert"); + byte[] signature = mSigningUnit.sign(rawCert, algname); + + tmp.putBitString(signature); + + // Wrap the signed data in a SEQUENCE { data, algorithm, sig } + out.write(DerValue.tag_Sequence, tmp); + //log(ILogger.LL_INFO, "CertificateAuthority: done signing"); + + switch (mFastSigning) { + case FASTSIGNING_DISABLED: + signedcert = new X509CertImpl(out.toByteArray()); + break; + + case FASTSIGNING_ENABLED: + signedcert = new X509CertImpl(out.toByteArray(), certInfo); + break; + + default: + break; + } + } catch (NoSuchAlgorithmException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CERT", e.toString(), e.getMessage())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_CERT_FAILED", e.getMessage())); + } catch (IOException e) { + 
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CERT", e.toString(), e.getMessage())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_CERT_FAILED", e.getMessage())); + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CERT", e.toString(), e.getMessage())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_CERT_FAILED", e.getMessage())); + } finally { + if (statsSub != null) { + statsSub.endTiming("signing"); + } + } + return signedcert; + } + + /** + * Sign a byte array using the specified algorithm. + * If algorithm is null the CA's default algorithm is used. + *

+ * + * @param data the data to be signed in a byte array. + * @param algname the algorithm to use. + * @return the signature in a byte array. + */ + public byte[] sign(byte[] data, String algname) + throws EBaseException { + return mSigningUnit.sign(data, algname); + } + + /** + * logs a message in the CA area. + * + * @param level the debug level. + * @param msg the message to debug. + */ + public void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_CA, + level, msg); + } + + /** + * Retrieves certificate chains of this CA. + * + * @return this CA's cert chain. + */ + public CertificateChain getCACertChain() { + return mCACertChain; + } + + public X509CertImpl getCACert() { + if (mCaCert != null) { + return mCaCert; + } + // during configuration + try { + String cert = mConfig.getString("signing.cert", null); + if (cert != null) { + return new X509CertImpl(CMS.AtoB(cert)); + } + } catch (EBaseException e) { + CMS.debug(e); + } catch (CertificateException e) { + CMS.debug(e); + } + return null; + } + + public org.mozilla.jss.crypto.X509Certificate getCaX509Cert() { + return mCaX509Cert; + } + + public String[] getCASigningAlgorithms() { + if (mCASigningAlgorithms != null) + return mCASigningAlgorithms; + + if (mCaCert == null) + return null; // CA not inited yet. + X509Key caPubKey = null; + + try { + caPubKey = (X509Key) mCaCert.get(X509CertImpl.PUBLIC_KEY); + } catch (CertificateParsingException e) { + } + if (caPubKey == null) + return null; // something seriously wrong. + AlgorithmId alg = caPubKey.getAlgorithmId(); + + if (alg == null) + return null; // something seriously wrong. + mCASigningAlgorithms = AlgorithmId.getSigningAlgorithms(alg); + if (mCASigningAlgorithms == null) { + CMS.debug( + "CA - no signing algorithms for " + alg.getName()); + } else { + CMS.debug( + "CA First signing algorithm is " + mCASigningAlgorithms[0]); + } + + return mCASigningAlgorithms; + } + + ////////// + // Initialization routines. 
+ // + + /** + * init CA signing unit & cert chain. + */ + private void initSigUnit() + throws EBaseException { + try { + // init signing unit + mSigningUnit = new SigningUnit(); + IConfigStore caSigningCfg = + mConfig.getSubStore(PROP_SIGNING_SUBSTORE); + + mSigningUnit.init(this, caSigningCfg); + CMS.debug("CA signing unit inited"); + + // for identrus + IConfigStore CrlStore = mConfig.getSubStore(PROP_CRL_SIGNING_SUBSTORE); + + if (CrlStore != null && CrlStore.size() > 0) { + mCRLSigningUnit = new SigningUnit(); + mCRLSigningUnit.init(this, mConfig.getSubStore(PROP_CRL_SIGNING_SUBSTORE)); + } else { + mCRLSigningUnit = mSigningUnit; + } + + // init cert chain + CryptoManager manager = CryptoManager.getInstance(); + + int caChainNum = + caSigningCfg.getInteger(PROP_CA_CHAIN_NUM, 0); + + CMS.debug("cachainNum= " + caChainNum); + if (caChainNum > 0) { + // custom build chain (for cross cert chain) + // audit here *** + IConfigStore chainStore = + caSigningCfg.getSubStore(PROP_CA_CHAIN); + + if (chainStore == null) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", + "ca cert chain config error")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", + "ca cert chain config error")); + } + + java.security.cert.X509Certificate[] implchain = + new java.security.cert.X509Certificate[caChainNum]; + + for (int i = 0; i < caChainNum; i++) { + String subtreeName = PROP_CA_CERT + i; + // cert file name must be full path + String certFileName = + chainStore.getString(subtreeName, null); + + if ((certFileName == null) || certFileName.equals("")) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", "cert file config error")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", + "cert file config error")); + } + byte[] b64Bytes = getCertFromFile(certFileName); + String b64String = new String(b64Bytes); + byte[] certBytes = KeyCertUtil.convertB64EToByteArray(b64String); + + 
implchain[i] = new X509CertImpl(certBytes); + } // for + + mCACertChain = new CertificateChain(implchain); + CMS.debug("in init - custom built CA cert chain."); + } else { + // build ca chain the traditional way + org.mozilla.jss.crypto.X509Certificate[] chain = + manager.buildCertificateChain(mSigningUnit.getCert()); + // do this in case other subsyss expect a X509CertImpl + java.security.cert.X509Certificate[] implchain = + new java.security.cert.X509Certificate[chain.length]; + + for (int i = 0; i < chain.length; i++) { + implchain[i] = new X509CertImpl(chain[i].getEncoded()); + } + mCACertChain = new CertificateChain(implchain); + CMS.debug("in init - got CA chain from JSS."); + } + + IConfigStore OCSPStore = mConfig.getSubStore(PROP_OCSP_SIGNING_SUBSTORE); + + if (OCSPStore != null && OCSPStore.size() > 0) { + mOCSPSigningUnit = new SigningUnit(); + mOCSPSigningUnit.init(this, mConfig.getSubStore(PROP_OCSP_SIGNING_SUBSTORE)); + CMS.debug("Separate OCSP signing unit inited"); + } else { + mOCSPSigningUnit = mSigningUnit; + CMS.debug("Shared OCSP signing unit inited"); + } + + org.mozilla.jss.crypto.X509Certificate[] ocspChain = + manager.buildCertificateChain(mOCSPSigningUnit.getCert()); + // do this in case other subsyss expect a X509CertImpl + java.security.cert.X509Certificate[] ocspImplchain = + new java.security.cert.X509Certificate[ocspChain.length]; + + for (int i = 0; i < ocspChain.length; i++) { + ocspImplchain[i] = new X509CertImpl(ocspChain[i].getEncoded()); + } + mOCSPCertChain = new CertificateChain(ocspImplchain); + CMS.debug("in init - got OCSP chain from JSS."); + // init issuer name - take name from the cert. 
+ + mCaX509Cert = mSigningUnit.getCert(); + mCaCert = new X509CertImpl(mCaX509Cert.getEncoded()); + getCASigningAlgorithms(); + mName = (X500Name) mCaCert.getSubjectDN(); + + mCRLX509Cert = mCRLSigningUnit.getCert(); + mCRLCert = new X509CertImpl(mCRLX509Cert.getEncoded()); + mCRLName = (X500Name) mCRLCert.getSubjectDN(); + + mOCSPX509Cert = mOCSPSigningUnit.getCert(); + mOCSPNickname = mOCSPSigningUnit.getNickname(); + mOCSPCert = new X509CertImpl(mOCSPX509Cert.getEncoded()); + mOCSPName = (X500Name) mOCSPCert.getSubjectDN(); + mNickname = mSigningUnit.getNickname(); + CMS.debug("in init - got CA name " + mName); + + } catch (CryptoManager.NotInitializedException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_SIGNING", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED")); + } catch (CertificateException e) { + if (Debug.ON) + e.printStackTrace(); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString())); + } catch (FileNotFoundException e) { + if (Debug.ON) + e.printStackTrace(); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString())); + } catch (IOException e) { + if (Debug.ON) + e.printStackTrace(); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString())); + } catch (TokenException e) { + if (Debug.ON) + e.printStackTrace(); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString())); + } + } + + /** + * read ca cert from path, converts and bytes + */ + byte[] getCertFromFile(String path) + throws 
FileNotFoundException, IOException { + + File file = new File(path); + Long l = Long.valueOf(file.length()); + byte[] b = new byte[l.intValue()]; + FileInputStream in = new FileInputStream(path); + in.read(b); + in.close(); + + return b; + } + + /** + * init default cert attributes. + */ + private void initDefCaAttrs() + throws EBaseException { + int version = mConfig.getInteger(PROP_X509CERT_VERSION, + CertificateVersion.V3); + + if (version != CertificateVersion.V1 && + version != CertificateVersion.V3) { + throw new ECAException( + CMS.getUserMessage("CMS_CA_X509CERT_VERSION_NOT_SUPPORTED")); + } + try { + mDefaultCertVersion = new CertificateVersion(version - 1); + } catch (IOException e) { + // should never occur. + } + + int validity_in_days = mConfig.getInteger(PROP_DEF_VALIDITY, 2 * 365); + + mDefaultValidity = validity_in_days * DAY; // days in config file. + + mEnablePastCATime = + mConfig.getBoolean(PROP_ENABLE_PAST_CATIME, false); + mEnableOCSP = + mConfig.getBoolean(PROP_ENABLE_OCSP, true); + + String fs = mConfig.getString(PROP_FAST_SIGNING, ""); + + if (fs.equals("enabled") || fs.equals("enable")) { + mFastSigning = FASTSIGNING_ENABLED; + } else { + mFastSigning = FASTSIGNING_DISABLED; + } + + } + + /** + * init cert & crl database + */ + private void initCaDatabases() + throws EBaseException { + int certdb_inc = mConfig.getInteger(PROP_CERTDB_INC, 5); + + String certReposDN = mConfig.getString(PROP_CERT_REPOS_DN, null); + + if (certReposDN == null) { + certReposDN = "ou=certificateRepository, ou=" + getId() + + ", " + getDBSubsystem().getBaseDN(); + } + String reposDN = mConfig.getString(PROP_REPOS_DN, null); + + if (reposDN == null) { + reposDN = "ou=certificateRepository, ou=" + getId() + + ", " + getDBSubsystem().getBaseDN(); + } + + int transitMaxRecords = mConfig.getInteger(PROP_CERTDB_TRANS_MAXRECORDS, 1000000); + int transitRecordPageSize = mConfig.getInteger(PROP_CERTDB_TRANS_PAGESIZE, 200); + + mCertRepot = new CertificateRepository( + 
DBSubsystem.getInstance(), + certReposDN, certdb_inc, reposDN); + + mCertRepot.setTransitMaxRecords(transitMaxRecords); + mCertRepot.setTransitRecordPageSize(transitRecordPageSize); + + CMS.debug("Cert Repot inited"); + + // init crl repot. + + int crldb_inc = mConfig.getInteger(PROP_CRLDB_INC, 5); + + mCRLRepot = new CRLRepository( + DBSubsystem.getInstance(), + crldb_inc, + "ou=crlIssuingPoints, ou=" + getId() + ", " + + getDBSubsystem().getBaseDN()); + CMS.debug("CRL Repot inited"); + + String replicaReposDN = mConfig.getString(PROP_REPLICAID_DN, null); + if (replicaReposDN == null) { + replicaReposDN = "ou=Replica," + getDBSubsystem().getBaseDN(); + } + mReplicaRepot = new ReplicaIDRepository( + DBSubsystem.getInstance(), 1, replicaReposDN); + CMS.debug("Replica Repot inited"); + + } + + /** + * init web gateway - just gets the ee gateway for this CA. + */ + private void initWebGateway() + throws EBaseException { + } + + private void startPublish() + throws EBaseException { + //xxx Note that CMS411 only support ca cert publishing to ldap + // if ldap publishing is not enabled while publishing isenabled + // there will be a lot of problem. + try { + if (mPublisherProcessor.enabled()) { + mPublisherProcessor.publishCACert(mCaCert); + CMS.debug("published ca cert"); + } + } catch (ELdapException e) { + // exception not thrown - not seen as a fatal error. 
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_PUBLISH", e.toString())); + } + } + + /** + * init publishing + */ + private void initPublish() + throws EBaseException { + IConfigStore c = null; + + try { + c = mConfig.getSubStore(PROP_PUBLISH_SUBSTORE); + if (c != null && c.size() > 0) { + mPublisherProcessor = new PublisherProcessor( + getId() + "pp"); + mPublisherProcessor.init(this, c); + CMS.debug("Publishing inited"); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_PUBLISH")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_INIT_PUBLISH_MODULE_FAILED")); + } + + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_ERROR_PUBLISH_MODULE", e.toString())); + //throw new ECAException( + // CAResources.INIT_PUBLISH_MODULE_FAILED, e); + } + } + + private void initMiscellaneousListeners() { + IConfigStore lc = null; + IConfigStore implc = null; + IConfigStore instc = null; + + mListenerPlugins = new Hashtable(); + try { + // Get list of listener implementations + lc = mConfig.getSubStore(PROP_LISTENER_SUBSTORE); + if (lc != null) { + + implc = lc.getSubStore(PROP_IMPL); + Enumeration names = implc.getSubStoreNames(); + + while (names.hasMoreElements()) { + String id = names.nextElement(); + + if (Debug.ON) + Debug.trace("registering listener impl: " + id); + String cl = implc.getString(id + "." + PROP_CLASS); + + ListenerPlugin plugin = new ListenerPlugin(id, cl); + + mListenerPlugins.put(id, plugin); + } + + instc = lc.getSubStore(PROP_INSTANCE); + Enumeration instances = instc.getSubStoreNames(); + + while (instances.hasMoreElements()) { + String id = (String) instances.nextElement(); + + if (Debug.ON) + Debug.trace("registering listener instance: " + id); + IConfigStore iConfig = instc.getSubStore(id); + String implName = instc.getString(id + "." 
+ PROP_PLUGIN); + ListenerPlugin plugin = (ListenerPlugin) mListenerPlugins.get(implName); + + if (plugin == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_ERROR_LISTENER", implName)); + throw new Exception("Cannot initialize"); + } + String className = plugin.getClassPath(); + + try { + IRequestListener listener = null; + + listener = (IRequestListener) + Class.forName(className).newInstance(); + + //listener.init(id, implName, iConfig); + listener.init(this, iConfig); + // registerRequestListener(id, (IRequestListener) listener); + //log(ILogger.LL_INFO, + // "Listener instance " + id + " added"); + + } catch (Exception e) { + if (Debug.ON) { + e.printStackTrace(); + } + Debug.trace("failed to add listener instance"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_INIT_LISTENER", id, e.toString())); + throw e; + } + } + + } + + } catch (Exception e) { + log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_CA_FAILED_LISTENER", e.toString())); + } + + } + + /** + * init notification related listeners + */ + private void initNotificationListeners() { + IConfigStore nc = null; + + try { + nc = mConfig.getSubStore(PROP_NOTIFY_SUBSTORE); + if (nc != null && nc.size() > 0) { + // Initialize Certificate Issued notification listener + + String certificateIssuedListenerClassName = + nc.getString("certificateIssuedListenerClassName", + "com.netscape.cms.listeners.CertificateIssuedListener"); + + try { + mCertIssuedListener = + (IRequestListener) Class.forName(certificateIssuedListenerClassName).newInstance(); + mCertIssuedListener.init(this, nc); + } catch (Exception e1) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_REGISTER_LISTENER", certificateIssuedListenerClassName)); + } + + // Initialize Revoke Request notification listener + + String certificateRevokedListenerClassName = + nc.getString("certificateIssuedListenerClassName", + "com.netscape.cms.listeners.CertificateRevokedListener"); + + try { + mCertRevokedListener = + 
(IRequestListener) Class.forName(certificateRevokedListenerClassName).newInstance(); + mCertRevokedListener.init(this, nc); + } catch (Exception e1) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_REGISTER_LISTENER", certificateRevokedListenerClassName)); + } + + // Initialize Request In Queue notification listener + String requestInQListenerClassName = + nc.getString("certificateIssuedListenerClassName", + "com.netscape.cms.listeners.RequestInQListener"); + + try { + mReqInQListener = (IRequestListener) Class.forName(requestInQListenerClassName).newInstance(); + mReqInQListener.init(this, nc); + } catch (Exception e1) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_REGISTER_REQ_LISTENER", requestInQListenerClassName)); + } + + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NOTIFY_NONE")); + } + } catch (Exception e) { + e.printStackTrace(); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NOTIFY_FAILED")); + // throw e; + } + } + + /** + * initialize request queue components + */ + private void initRequestQueue() + throws EBaseException { + mPolicy = new CAPolicy(); + ((CAPolicy) mPolicy).init(this, mConfig.getSubStore(PROP_POLICY)); + CMS.debug("CA policy inited"); + mService = new CAService(this); + CMS.debug("CA service inited"); + + mNotify = new ARequestNotifier(this); + CMS.debug("CA notifier inited"); + mPNotify = new ARequestNotifier(); + CMS.debug("CA pending notifier inited"); + + // instantiate CA request queue. 
+ try { + int reqdb_inc = mConfig.getInteger("reqdbInc", 5); + + mRequestQueue = + RequestSubsystem.getInstance().getRequestQueue( + getId(), reqdb_inc, mPolicy, mService, mNotify, mPNotify); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_QUEUE_FAILED", e.toString())); + throw e; + } + + // init request scheduler if configured + String schedulerClass = + mConfig.getString("requestSchedulerClass", null); + + if (schedulerClass != null) { + try { + IRequestScheduler scheduler = (IRequestScheduler) + Class.forName(schedulerClass).newInstance(); + + mRequestQueue.setRequestScheduler(scheduler); + } catch (Exception e) { + // do nothing here + } + } + } + + /* + private void startCRL() + throws EBaseException + { + Enumeration e = mCRLIssuePoints.keys(); + while (e.hasMoreElements()) { + CRLIssuingPoint cp = (CRLIssuingPoint) + mCRLIssuePoints.get(e.nextElement()); + cp.startup(); + } + } + */ + + /** + * initialize CRL + */ + @SuppressWarnings("unchecked") + private void initCRL() + throws EBaseException { + IConfigStore crlConfig = mConfig.getSubStore(PROP_CRL_SUBSTORE); + + if ((crlConfig == null) || (crlConfig.size() <= 0)) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_MASTER_CRL")); + //throw new ECAException(CAResources.NO_CONFIG_FOR_MASTER_CRL); + return; + } + Enumeration issuePointIdEnum = crlConfig.getSubStoreNames(); + + if (issuePointIdEnum == null || !issuePointIdEnum.hasMoreElements()) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_MASTER_CRL_SUBSTORE")); + //throw new ECAException(CAResources.NO_CONFIG_FOR_MASTER_CRL); + return; + } + + // a Master/full crl must exist. 
+ + while (issuePointIdEnum.hasMoreElements()) { + String issuePointId = issuePointIdEnum.nextElement(); + + CMS.debug( + "initializing crl issue point " + issuePointId); + IConfigStore issuePointConfig = null; + String issuePointClassName = null; + Class issuePointClass = null; + CRLIssuingPoint issuePoint = null; + + try { + issuePointConfig = crlConfig.getSubStore(issuePointId); + issuePointClassName = issuePointConfig.getString(PROP_CLASS); + issuePointClass = (Class) Class.forName(issuePointClassName); + issuePoint = issuePointClass.newInstance(); + issuePoint.init(this, issuePointId, issuePointConfig); + mCRLIssuePoints.put(issuePointId, issuePoint); + if (mMasterCRLIssuePoint == null && + issuePointId.equals(PROP_MASTER_CRL)) + mMasterCRLIssuePoint = issuePoint; + } catch (ClassNotFoundException e) { + throw new ECAException( + CMS.getUserMessage("CMS_CA_CRL_ISSUING_POINT_INIT_FAILED", + issuePointId, e.toString())); + } catch (InstantiationException e) { + throw new ECAException( + CMS.getUserMessage("CMS_CA_CRL_ISSUING_POINT_INIT_FAILED", + issuePointId, e.toString())); + } catch (IllegalAccessException e) { + throw new ECAException( + CMS.getUserMessage("CMS_CA_CRL_ISSUING_POINT_INIT_FAILED", + issuePointId, e.toString())); + } + } + + /* + if (mMasterCRLIssuePoint == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_FULL_CRL", PROP_MASTER_CRL)); + throw new ECAException(CAResources.NO_CONFIG_FOR_MASTER_CRL); + } + */ + log(ILogger.LL_INFO, "CRL Issuing Points inited"); + } + + public String getOfficialName() { + return OFFICIAL_NAME; + } + + public long getNumOCSPRequest() { + return mNumOCSPRequest; + } + + public long getOCSPRequestTotalTime() { + return mTotalTime; + } + + public long getOCSPTotalData() { + return mTotalData; + } + + public long getOCSPTotalSignTime() { + return mSignTime; + } + + public long getOCSPTotalLookupTime() { + return mLookupTime; + } + + public ResponderID getResponderIDByName() { + try { + X500Name name 
= getOCSPX500Name(); + Name.Template nameTemplate = new Name.Template(); + + return new NameID((Name) nameTemplate.decode( + new ByteArrayInputStream(name.getEncoded()))); + } catch (IOException e) { + return null; + } catch (InvalidBERException e) { + return null; + } + } + + public ResponderID getResponderIDByHash() { + + /* + KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key + --(excluding the tag and length fields) + */ + PublicKey publicKey = getOCSPSigningUnit().getPublicKey(); + MessageDigest md = null; + + try { + md = MessageDigest.getInstance("SHA1"); + } catch (NoSuchAlgorithmException e) { + return null; + } + md.update(publicKey.getEncoded()); + byte digested[] = md.digest(); + + return new KeyHashID(new OCTET_STRING(digested)); + } + + /** + * Process OCSPRequest. + */ + public OCSPResponse validate(OCSPRequest request) + throws EBaseException { + + if (!mEnableOCSP) { + CMS.debug("Local ocsp service is disable."); + return null; + } + + mNumOCSPRequest++; + IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); + long startTime = CMS.getCurrentDate().getTime(); + try { + //log(ILogger.LL_INFO, "start OCSP request"); + TBSRequest tbsReq = request.getTBSRequest(); + + // (3) look into database to check the + // certificate's status + Vector singleResponses = new Vector(); + if (statsSub != null) { + statsSub.startTiming("lookup"); + } + + long lookupStartTime = CMS.getCurrentDate().getTime(); + for (int i = 0; i < tbsReq.getRequestCount(); i++) { + com.netscape.cmsutil.ocsp.Request req = + tbsReq.getRequestAt(i); + CertID cid = req.getCertID(); + SingleResponse sr = processRequest(cid); + + singleResponses.addElement(sr); + } + long lookupEndTime = CMS.getCurrentDate().getTime(); + if (statsSub != null) { + statsSub.endTiming("lookup"); + } + mLookupTime += lookupEndTime - lookupStartTime; + + if (statsSub != null) { + statsSub.startTiming("build_response"); + } + SingleResponse res[] = new 
SingleResponse[singleResponses.size()]; + + singleResponses.copyInto(res); + + ResponderID rid = null; + if (mByName) { + if (mResponderIDByName == null) { + mResponderIDByName = getResponderIDByName(); + } + rid = mResponderIDByName; + } else { + if (mResponderIDByHash == null) { + mResponderIDByHash = getResponderIDByHash(); + } + rid = mResponderIDByHash; + } + + Extension nonce[] = null; + + for (int j = 0; j < tbsReq.getExtensionsCount(); j++) { + Extension thisExt = tbsReq.getRequestExtensionAt(j); + + if (thisExt.getExtnId().equals(OCSP_NONCE)) { + nonce = new Extension[1]; + nonce[0] = thisExt; + } + } + ResponseData rd = new ResponseData(rid, + new GeneralizedTime(CMS.getCurrentDate()), res, nonce); + if (statsSub != null) { + statsSub.endTiming("build_response"); + } + + if (statsSub != null) { + statsSub.startTiming("signing"); + } + long signStartTime = CMS.getCurrentDate().getTime(); + BasicOCSPResponse basicRes = sign(rd); + long signEndTime = CMS.getCurrentDate().getTime(); + mSignTime += signEndTime - signStartTime; + if (statsSub != null) { + statsSub.endTiming("signing"); + } + + OCSPResponse response = new OCSPResponse( + OCSPResponseStatus.SUCCESSFUL, + new ResponseBytes(ResponseBytes.OCSP_BASIC, + new OCTET_STRING(ASN1Util.encode(basicRes)))); + + //log(ILogger.LL_INFO, "done OCSP request"); + long endTime = CMS.getCurrentDate().getTime(); + mTotalTime += endTime - startTime; + return response; + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_REQUEST", e.toString())); + return null; + } + } + + private BasicOCSPResponse sign(ResponseData rd) throws EBaseException { + try { + DerOutputStream out = new DerOutputStream(); + DerOutputStream tmp = new DerOutputStream(); + + String algname = mOCSPSigningUnit.getDefaultAlgorithm(); + + byte rd_data[] = ASN1Util.encode(rd); + if (rd_data != null) { + mTotalData += rd_data.length; + } + rd.encode(tmp); + AlgorithmId.get(algname).encode(tmp); + CMS.debug("adding 
signature"); + byte[] signature = mOCSPSigningUnit.sign(rd_data, algname); + + tmp.putBitString(signature); + // optional, put the certificate chains in also + + DerOutputStream tmpChain = new DerOutputStream(); + DerOutputStream tmp1 = new DerOutputStream(); + java.security.cert.X509Certificate chains[] = + mOCSPCertChain.getChain(); + + for (int i = 0; i < chains.length; i++) { + tmpChain.putDerValue(new DerValue(chains[i].getEncoded())); + } + tmp1.write(DerValue.tag_Sequence, tmpChain); + tmp.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0), + tmp1); + + out.write(DerValue.tag_Sequence, tmp); + + BasicOCSPResponse response = new BasicOCSPResponse(out.toByteArray()); + + return response; + } catch (Exception e) { + e.printStackTrace(); + // error e + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_SIGN", e.toString())); + return null; + } + } + + private SingleResponse processRequest(CertID cid) { + INTEGER serialNo = cid.getSerialNumber(); + + CMS.debug("process request " + serialNo); + CertStatus certStatus = null; + GeneralizedTime thisUpdate = new GeneralizedTime(CMS.getCurrentDate()); + GeneralizedTime nextUpdate = null; + + boolean ocspUseCache = true; + + try { + /* enable OCSP cache by default */ + ocspUseCache = mConfig.getBoolean("ocspUseCache", false); + } catch (EBaseException e) { + } + + if (ocspUseCache) { + String issuingPointId = PROP_MASTER_CRL; + + try { + issuingPointId = mConfig.getString( + "ocspUseCacheIssuingPointId", PROP_MASTER_CRL); + + } catch (EBaseException e) { + } + CRLIssuingPoint point = (CRLIssuingPoint) + getCRLIssuingPoint(issuingPointId); + + if (point.isCRLCacheEnabled()) { + // only do this if cache is enabled + BigInteger sno = new BigInteger(serialNo.toString()); + boolean checkDeltaCache = false; + boolean includeExpiredCerts = false; + + try { + checkDeltaCache = mConfig.getBoolean("ocspUseCacheCheckDeltaCache", false); + } catch (EBaseException e) { + } + try { + includeExpiredCerts = 
mConfig.getBoolean("ocspUseCacheIncludeExpiredCerts", false); + } catch (EBaseException e) { + } + Date revokedOn = point.getRevocationDateFromCache( + sno, checkDeltaCache, includeExpiredCerts); + + if (revokedOn == null) { + certStatus = new GoodInfo(); + } else { + certStatus = new RevokedInfo(new GeneralizedTime(revokedOn)); + } + return new SingleResponse(cid, certStatus, thisUpdate, nextUpdate); + } + } + + try { + ICertRecord rec = mCertRepot.readCertificateRecord(serialNo); + String status = rec.getStatus(); + + if (status == null) { + certStatus = new UnknownInfo(); + } else if (status.equals(CertRecord.STATUS_VALID)) { + certStatus = new GoodInfo(); + } else if (status.equals(CertRecord.STATUS_INVALID)) { + // not yet valid + certStatus = new UnknownInfo(); + } else if (status.equals(CertRecord.STATUS_REVOKED)) { + certStatus = new RevokedInfo(new GeneralizedTime(rec.getRevokedOn())); + } else if (status.equals(CertRecord.STATUS_EXPIRED)) { + certStatus = new UnknownInfo(); + } else if (status.equals(CertRecord.STATUS_REVOKED_EXPIRED)) { + certStatus = new RevokedInfo(new GeneralizedTime(rec.getRevokedOn())); + } else { + certStatus = new UnknownInfo(); + } + } catch (Exception e) { + // not found + certStatus = new UnknownInfo(); // not issued not all + } + + return new SingleResponse(cid, certStatus, thisUpdate, nextUpdate); + } +} diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java new file mode 100644 index 000000000..85e3621d7 --- /dev/null +++ b/base/ca/src/com/netscape/ca/SigningUnit.java 
@@ -0,0 +1,389 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.ca;
+
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.SignatureException;
+
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509Key;
+
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.NoSuchTokenException;
+import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.ObjectNotFoundException;
+import org.mozilla.jss.crypto.PrivateKey;
+import org.mozilla.jss.crypto.Signature;
+import org.mozilla.jss.crypto.SignatureAlgorithm;
+import org.mozilla.jss.crypto.TokenException;
+import org.mozilla.jss.crypto.X509Certificate;
+import org.mozilla.jss.util.IncorrectPasswordException;
+import org.mozilla.jss.util.PasswordCallback;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.ca.ECAException;
+import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.logging.ILogger;
+import 
com.netscape.certsrv.security.ISigningUnit; +import com.netscape.cmscore.security.JssSubsystem; +import com.netscape.cmsutil.util.Cert; + +/** + * CA signing unit based on JSS. + * + * $Revision$ $Date$ + */ + +public final class SigningUnit implements ISigningUnit { + public static final String PROP_DEFAULT_SIGNALG = "defaultSigningAlgorithm"; + public static final String PROP_CERT_NICKNAME = "cacertnickname"; + // This signing unit is being used in OCSP and CRL also. So + // it is better to have a more generic name + public static final String PROP_RENAMED_CERT_NICKNAME = "certnickname"; + public static final String PROP_TOKEN_NAME = "tokenname"; + public static final String PROP_NEW_NICKNAME = "newNickname"; + + private CryptoManager mManager = null; + private CryptoToken mToken = null; + private PublicKey mPubk = null; + private PrivateKey mPrivk = null; + + protected X509Certificate mCert = null; + protected X509CertImpl mCertImpl = null; + protected String mNickname = null; + + private boolean mInited = false; + private ILogger mLogger = CMS.getLogger(); + private IConfigStore mConfig; + + private ISubsystem mOwner = null; + + private String mDefSigningAlgname = null; + private SignatureAlgorithm mDefSigningAlgorithm = null; + + public SigningUnit() { + } + + public X509Certificate getCert() { + return mCert; + } + + public X509CertImpl getCertImpl() { + return mCertImpl; + } + + public String getNickname() { + return mNickname; + } + + public String getNewNickName() throws EBaseException { + return mConfig.getString(PROP_NEW_NICKNAME, ""); + } + + public void setNewNickName(String name) { + mConfig.putString(PROP_NEW_NICKNAME, name); + } + + public PublicKey getPublicKey() { + return mPubk; + } + + public PrivateKey getPrivateKey() { + return mPrivk; + } + + public void updateConfig(String nickname, String tokenname) { + mConfig.putString(PROP_CERT_NICKNAME, nickname); + mConfig.putString(PROP_TOKEN_NAME, tokenname); + } + + public String getTokenName() 
throws EBaseException { + return mConfig.getString(PROP_TOKEN_NAME); + } + + public String getNickName() throws EBaseException { + try { + return mConfig.getString(PROP_RENAMED_CERT_NICKNAME); + } catch (EBaseException e) { + return mConfig.getString(PROP_CERT_NICKNAME); + } + } + + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mOwner = owner; + mConfig = config; + + String tokenname = null; + try { + mManager = CryptoManager.getInstance(); + + mNickname = getNickName(); + + tokenname = config.getString(PROP_TOKEN_NAME); + if (tokenname.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) || + tokenname.equalsIgnoreCase("Internal Key Storage Token")) { + mToken = mManager.getInternalKeyStorageToken(); + setNewNickName(mNickname); + } else { + mToken = mManager.getTokenByName(tokenname); + mNickname = tokenname + ":" + mNickname; + setNewNickName(mNickname); + } + CMS.debug(config.getName() + " Signing Unit nickname " + mNickname); + CMS.debug("Got token " + tokenname + " by name"); + + PasswordCallback cb = JssSubsystem.getInstance().getPWCB(); + + mToken.login(cb); // ONE_TIME by default. + + mCert = mManager.findCertByNickname(mNickname); + CMS.debug("Found cert by nickname: '" + mNickname + "' with serial number: " + mCert.getSerialNumber()); + + mCertImpl = new X509CertImpl(mCert.getEncoded()); + CMS.debug("converted to x509CertImpl"); + + mPrivk = mManager.findPrivKeyByCert(mCert); + CMS.debug("Got private key from cert"); + + mPubk = mCert.getPublicKey(); + CMS.debug("Got public key from cert"); + + // get def alg and check if def sign alg is valid for token. 
+ mDefSigningAlgname = config.getString(PROP_DEFAULT_SIGNALG); + mDefSigningAlgorithm = + checkSigningAlgorithmFromName(mDefSigningAlgname); + CMS.debug( + "got signing algorithm " + mDefSigningAlgorithm); + mInited = true; + } catch (java.security.cert.CertificateException e) { + CMS.debug("SigningUnit init: debug " + e.toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CA_CERT", e.getMessage())); + throw new ECAException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())); + } catch (CryptoManager.NotInitializedException e) { + CMS.debug("SigningUnit init: debug " + e.toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_INIT", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED")); + } catch (IncorrectPasswordException e) { + CMS.debug("SigningUnit init: debug " + e.toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_WRONG_PWD", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_INVALID_PASSWORD")); + } catch (NoSuchTokenException e) { + CMS.debug("SigningUnit init: debug " + e.toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_NOT_FOUND", tokenname, e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND", tokenname)); + } catch (ObjectNotFoundException e) { + CMS.debug("SigningUnit init: debug " + e.toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CERT_NOT_FOUND", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND")); + } catch (TokenException e) { + CMS.debug("SigningUnit init: debug " + e.toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_ERROR")); + } catch (Exception e) { + CMS.debug("SigningUnit init: debug " + e.toString()); + } + } + + /** + * Check if the signing algorithm name is 
supported and valid for this + * signing unit's token and key. + * + * @param algname a signing algorithm name from JCA. + * @return the mapped JSS signature algorithm object. + * + * @exception EBaseException if signing algorithm is not supported. + */ + public SignatureAlgorithm checkSigningAlgorithmFromName(String algname) + throws EBaseException { + try { + SignatureAlgorithm sigalg = null; + + sigalg = mapAlgorithmToJss(algname); + if (sigalg == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, "")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + } + Signature signer = mToken.getSignatureContext(sigalg); + + signer.initSign(mPrivk); + return sigalg; + } catch (NoSuchAlgorithmException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + } catch (TokenException e) { + // from get signature context or from initSign + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + } catch (InvalidKeyException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED_FOR_KEY", algname)); + } + } + + /** + * @param algname is expected to be one of JCA's algorithm names. + */ + public byte[] sign(byte[] data, String algname) + throws EBaseException { + if (!mInited) { + throw new EBaseException("CASigningUnit not initialized!"); + } + try { + // XXX for now do this mapping until James changes the names + // to match JCA names and provide a getAlgorithm method. 
+ SignatureAlgorithm signAlg = mDefSigningAlgorithm; + + if (algname != null) { + signAlg = checkSigningAlgorithmFromName(algname); + } + + // XXX use a pool of signers based on alg ? + // XXX Map algor. name to id. hack: use hardcoded define for now. + CMS.debug( + "Getting algorithm context for " + algname + " " + signAlg); + Signature signer = mToken.getSignatureContext(signAlg); + + signer.initSign(mPrivk); + signer.update(data); + // XXX add something more descriptive. + CMS.debug("Signing Certificate"); + return signer.sign(); + } catch (NoSuchAlgorithmException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + } catch (TokenException e) { + // from get signature context or from initSign + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + // XXX fix this exception later. + throw new EBaseException(e.toString()); + } catch (InvalidKeyException e) { + // XXX fix this exception later. + throw new EBaseException(e.toString()); + } catch (SignatureException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + // XXX fix this exception later. + throw new EBaseException(e.toString()); + } + } + + public boolean verify(byte[] data, byte[] signature, String algname) + throws EBaseException { + if (!mInited) { + throw new EBaseException("CASigningUnit not initialized!"); + } + try { + SignatureAlgorithm signAlg = mapAlgorithmToJss(algname); + + if (signAlg == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, "")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + } + // XXX make this configurable. hack: use hardcoded for now. 
+ Signature signer = mToken.getSignatureContext(signAlg); + + signer.initVerify(mPubk); + signer.update(data); + return signer.verify(signature); + } catch (NoSuchAlgorithmException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + // XXX fix this exception later. + throw new EBaseException(e.toString()); + } catch (TokenException e) { + // from get signature context or from initSign + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + // XXX fix this exception later. + throw new EBaseException(e.toString()); + } catch (InvalidKeyException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + // XXX fix this exception later. + throw new EBaseException(e.toString()); + } catch (SignatureException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + // XXX fix this exception later. + throw new EBaseException(e.toString()); + } + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, + level, "CASigningUnit: " + msg); + } + + /** + * returns default signature algorithm + */ + public SignatureAlgorithm getDefaultSignatureAlgorithm() { + return mDefSigningAlgorithm; + } + + /** + * returns default signing algorithm name. + */ + public String getDefaultAlgorithm() { + return mDefSigningAlgname; + } + + public void setDefaultAlgorithm(String algorithm) throws EBaseException { + mConfig.putString(PROP_DEFAULT_SIGNALG, algorithm); + mDefSigningAlgname = algorithm; + log(ILogger.LL_INFO, + "Default signing algorithm is set to " + algorithm); + } + + /** + * get all possible algorithms for the CA signing key type. 
+ */ + public String[] getAllAlgorithms() throws EBaseException { + byte[] keybytes = mPubk.getEncoded(); + X509Key key = new X509Key(); + + try { + key.decode(keybytes); + } catch (java.security.InvalidKeyException e) { + String msg = "Invalid encoding in CA signing key."; + + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", msg)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg)); + } + + if (key.getAlgorithmId().getOID().equals(AlgorithmId.DSA_oid)) { + return AlgorithmId.DSA_SIGNING_ALGORITHMS; + } else { + return AlgorithmId.ALL_SIGNING_ALGORITHMS; + } + } + + public static SignatureAlgorithm mapAlgorithmToJss(String algname) { + return Cert.mapAlgorithmToJss(algname); + } +} diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt new file mode 100644 index 000000000..10a7cc0bb --- /dev/null +++ b/base/common/CMakeLists.txt @@ -0,0 +1,16 @@ +project(common Java) + +install( + FILES + setup/CertServer.directory + setup/menu.xml + DESTINATION + ${DATA_INSTALL_DIR}/setup/ + PERMISSIONS + OWNER_WRITE OWNER_READ + GROUP_READ + WORLD_READ +) + +add_subdirectory(src) +add_subdirectory(test) diff --git a/base/common/LICENSE b/base/common/LICENSE new file mode 100644 index 000000000..e281f4362 --- /dev/null +++ b/base/common/LICENSE 
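Review bot: The trailing `catch (Exception e)` in init() only emits a CMS.debug line and returns normally, so any setup failure the named clauses do not cover — including the ECAException that checkSigningAlgorithmFromName() throws for an unsupported `defaultSigningAlgorithm`, which this catch-all also swallows if EBaseException is an Exception subclass as its use here suggests — leaves `mInited == false` while the caller sees init() succeed; the problem then surfaces only as `CASigningUnit not initialized!` from sign(), with the root cause absent from the system log. Replace that clause's body with `log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));` followed by `throw new ECAException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()));`, matching the other clauses. Relatedly, checkSigningAlgorithmFromName() and getAllAlgorithms() dereference mToken, mPrivk and mPubk without the `mInited` guard that sign() and verify() have, so on a partially initialised unit they fail with a NullPointerException instead of an EBaseException. The `throw new EBaseException(e.toString())` sites in sign() and verify() also drop the original exception; if EBaseException offers a cause-taking constructor, passing `e` through would preserve it for diagnosis.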
@@ -0,0 +1,291 @@ +This Program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published +by the Free Software Foundation; version 2 of the License. + +This Program is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +for more details. + +You should have received a copy of the GNU General Public License +along with this Program; if not, write to the Free Software +Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. 
+ + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. 
The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. 
+ + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. 
+ +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. 
However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. 
+You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. diff --git a/base/common/setup/CertServer.directory b/base/common/setup/CertServer.directory new file mode 100644 index 000000000..6d21bacb9 --- /dev/null +++ b/base/common/setup/CertServer.directory 
@@ -0,0 +1,23 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+[Desktop Entry]
+Name=CertServer
+Comment=Certificate Server
+Icon=
+Type=Directory
diff --git a/base/common/setup/menu.xml b/base/common/setup/menu.xml
new file mode 100644
index 000000000..562ea0261
--- /dev/null
+++ b/base/common/setup/menu.xml
@@ -0,0 +1,10 @@ + +

+ CertificateServer + CertServer.directory + + + CertServer + + + diff --git a/base/common/setup/web-app_2_3.dtd b/base/common/setup/web-app_2_3.dtd new file mode 100644 index 000000000..5e3ab01c0 --- /dev/null +++ b/base/common/setup/web-app_2_3.dtd @@ -0,0 +1,1063 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt new file mode 100644 index 000000000..a9d4a765c --- /dev/null +++ b/base/common/src/CMakeLists.txt 
@@ -0,0 +1,1095 @@
+project(pki-certsrv_java Java)
+
+find_file(JSS_JAR
+ NAMES
+ jss4.jar
+ PATHS
+ ${JAVA_LIB_INSTALL_DIR}
+ /usr/share/java
+)
+
+find_file(LDAPJDK_JAR
+ NAMES
+ ldapjdk.jar
+ PATHS
+ ${JAVA_LIB_INSTALL_DIR}
+ /usr/share/java
+)
+
+find_file(COMMONS_CODEC_JAR
+ NAMES
+ commons-codec.jar
+ PATHS
+ /usr/share/java
+)
+
+find_file(TOMCAT_CATALINA_JAR
+ NAMES
+ catalina.jar
+ PATHS
+ /usr/share/java/tomcat6
+)
+
+find_file(SERVLET_JAR
+ NAMES
+ servlet.jar
+ PATHS
+ ${JAVA_LIB_INSTALL_DIR}
+ /usr/share/java
+)
+
+find_file(VELOCITY_JAR
+ NAMES
+ velocity.jar
+ PATHS
+ ${JAVA_LIB_INSTALL_DIR}
+ /usr/share/java
+)
+
+find_file(XALAN_JAR
+ NAMES
+ xalan-j2.jar
+ PATHS
+ ${JAVA_LIB_INSTALL_DIR}
+ /usr/share/java
+)
+
+find_file(XERCES_JAR
+ NAMES
+ xerces-j2.jar
+ PATHS
+ ${JAVA_LIB_INSTALL_DIR}
+ /usr/share/java
+)
+
+find_file(JAXRS_API_JAR
+ NAMES
+ jaxrs-api-2.2.1.GA.jar
+ PATHS
+ /usr/share/candlepin/lib
+)
+
+find_file(RESTEASY_JAXRS_JAR
+ NAMES
+ resteasy-jaxrs-2.2.1.GA.jar
+ PATHS
+ /usr/share/candlepin/lib
+)
+
+set(pki-certsrv_java_SRCS
+ com/netscape/certsrv/apps/ICommandQueue.java
+ com/netscape/certsrv/apps/CMS.java
+ com/netscape/certsrv/apps/ICMSEngine.java
+ com/netscape/certsrv/ldap/ILdapBoundConnFactory.java
+ com/netscape/certsrv/ldap/ILdapConnFactory.java
+ com/netscape/certsrv/ldap/ELdapException.java
+ com/netscape/certsrv/ldap/ILdapConnInfo.java
+ com/netscape/certsrv/ldap/ELdapServerDownException.java
+ com/netscape/certsrv/ldap/ILdapAuthInfo.java
+ com/netscape/certsrv/ldap/LdapResources.java
+ com/netscape/certsrv/ldap/ILdapConnModule.java
+ com/netscape/certsrv/listeners/ListenersResources.java
+ com/netscape/certsrv/listeners/IRequestListenerPlugin.java
+ com/netscape/certsrv/listeners/EListenersException.java
+ com/netscape/certsrv/common/TaskId.java
+ com/netscape/certsrv/common/DestDef.java
+ com/netscape/certsrv/common/NameValuePairs.java
+ com/netscape/certsrv/common/ScopeDef.java
+
com/netscape/certsrv/common/PrefixDef.java + com/netscape/certsrv/common/ConfigConstants.java + com/netscape/certsrv/common/OpDef.java + com/netscape/certsrv/common/Constants.java + com/netscape/certsrv/usrgrp/EUsrGrpException.java + com/netscape/certsrv/usrgrp/IGroupConstants.java + com/netscape/certsrv/usrgrp/Certificates.java + com/netscape/certsrv/usrgrp/ICertUserLocator.java + com/netscape/certsrv/usrgrp/IGroup.java + com/netscape/certsrv/usrgrp/IUser.java + com/netscape/certsrv/usrgrp/IUGSubsystem.java + com/netscape/certsrv/usrgrp/IIdEvaluator.java + com/netscape/certsrv/usrgrp/UsrGrpResources.java + com/netscape/certsrv/usrgrp/IUserConstants.java + com/netscape/certsrv/usrgrp/IUsrGrp.java + com/netscape/certsrv/pattern/Pattern.java + com/netscape/certsrv/pattern/AttrSetCollection.java + com/netscape/certsrv/publish/ILdapPlugin.java + com/netscape/certsrv/publish/ECompSyntaxErr.java + com/netscape/certsrv/publish/ERuleNotFound.java + com/netscape/certsrv/publish/ILdapPublishModule.java + com/netscape/certsrv/publish/EMapperPluginNotFound.java + com/netscape/certsrv/publish/RulePlugin.java + com/netscape/certsrv/publish/EPublisherNotFound.java + com/netscape/certsrv/publish/MapperPlugin.java + com/netscape/certsrv/publish/EPublisherPluginNotFound.java + com/netscape/certsrv/publish/IXcertPublisherProcessor.java + com/netscape/certsrv/publish/PublisherProxy.java + com/netscape/certsrv/publish/ICRLPublisher.java + com/netscape/certsrv/publish/ILdapPublisher.java + com/netscape/certsrv/publish/EMapperNotFound.java + com/netscape/certsrv/publish/ILdapPluginImpl.java + com/netscape/certsrv/publish/ILdapRule.java + com/netscape/certsrv/publish/IPublisherProcessor.java + com/netscape/certsrv/publish/LdapCertMapResult.java + com/netscape/certsrv/publish/IPublishRuleSet.java + com/netscape/certsrv/publish/ILdapExpression.java + com/netscape/certsrv/publish/ILdapCertMapper.java + com/netscape/certsrv/publish/ILdapMapper.java + 
com/netscape/certsrv/publish/PublisherPlugin.java + com/netscape/certsrv/publish/ERulePluginNotFound.java + com/netscape/certsrv/publish/MapperProxy.java + com/netscape/certsrv/publish/ILdapCrlMapper.java + com/netscape/certsrv/util/IStatsSubsystem.java + com/netscape/certsrv/util/HttpInput.java + com/netscape/certsrv/util/StatsEvent.java + com/netscape/certsrv/policy/IGeneralNameUtil.java + com/netscape/certsrv/policy/IGeneralNamesAsConstraintsConfig.java + com/netscape/certsrv/policy/IExpression.java + com/netscape/certsrv/policy/EPolicyException.java + com/netscape/certsrv/policy/PolicyResources.java + com/netscape/certsrv/policy/IGeneralNamesConfig.java + com/netscape/certsrv/policy/IPolicySet.java + com/netscape/certsrv/policy/IPolicyProcessor.java + com/netscape/certsrv/policy/IKeyRecoveryPolicy.java + com/netscape/certsrv/policy/IGeneralNameConfig.java + com/netscape/certsrv/policy/IPolicyPredicateParser.java + com/netscape/certsrv/policy/IKeyArchivalPolicy.java + com/netscape/certsrv/policy/IRevocationPolicy.java + com/netscape/certsrv/policy/ISubjAltNameConfig.java + com/netscape/certsrv/policy/IGeneralNameAsConstraintsConfig.java + com/netscape/certsrv/policy/IEnrollmentPolicy.java + com/netscape/certsrv/policy/IRenewalPolicy.java + com/netscape/certsrv/policy/IPolicyRule.java + com/netscape/certsrv/acls/IACL.java + com/netscape/certsrv/acls/ACLsResources.java + com/netscape/certsrv/acls/EACLsException.java + com/netscape/certsrv/acls/ACL.java + com/netscape/certsrv/acls/IACLEntry.java + com/netscape/certsrv/acls/ACLEntry.java + com/netscape/certsrv/cert/ICrossCertPairSubsystem.java + com/netscape/certsrv/registry/IPluginInfo.java + com/netscape/certsrv/registry/ERegistryException.java + com/netscape/certsrv/registry/IPluginRegistry.java + com/netscape/certsrv/base/EPropertyNotDefined.java + com/netscape/certsrv/base/MessageFormatter.java + com/netscape/certsrv/base/MetaInfo.java + com/netscape/certsrv/base/ITimeSource.java + 
com/netscape/certsrv/base/AttributeNameHelper.java + com/netscape/certsrv/base/ISourceConfigStore.java + com/netscape/certsrv/base/PasswordResources.java + com/netscape/certsrv/base/ASubsystem.java + com/netscape/certsrv/base/IArgBlock.java + com/netscape/certsrv/base/SessionContext.java + com/netscape/certsrv/base/IExtPrettyPrint.java + com/netscape/certsrv/base/IConfigStoreEventListener.java + com/netscape/certsrv/base/Plugin.java + com/netscape/certsrv/base/IConfigStore.java + com/netscape/certsrv/base/EPropertyNotFound.java + com/netscape/certsrv/base/ISubsystem.java + com/netscape/certsrv/base/ISubsystemSource.java + com/netscape/certsrv/base/IPrettyPrintFormat.java + com/netscape/certsrv/base/MetaAttributeDef.java + com/netscape/certsrv/base/IAuthInfo.java + com/netscape/certsrv/base/ExtendedPluginInfo.java + com/netscape/certsrv/base/EBaseException.java + com/netscape/certsrv/base/Nonces.java + com/netscape/certsrv/base/ISecurityDomainSessionTable.java + com/netscape/certsrv/base/IExtendedPluginInfo.java + com/netscape/certsrv/base/KeyGenInfo.java + com/netscape/certsrv/base/BaseResources.java + com/netscape/certsrv/base/IPluginImpl.java + com/netscape/certsrv/base/IAttrSet.java + com/netscape/certsrv/base/ICRLPrettyPrint.java + com/netscape/certsrv/base/ICertPrettyPrint.java + com/netscape/certsrv/dbs/IDBRegistry.java + com/netscape/certsrv/dbs/IDBAttrMapper.java + com/netscape/certsrv/dbs/IElementProcessor.java + com/netscape/certsrv/dbs/Modification.java + com/netscape/certsrv/dbs/EDBNotAvailException.java + com/netscape/certsrv/dbs/IDBVirtualList.java + com/netscape/certsrv/dbs/keydb/KeyId.java + com/netscape/certsrv/dbs/keydb/KeyIdAdapter.java + com/netscape/certsrv/dbs/keydb/KeyState.java + com/netscape/certsrv/dbs/keydb/IKeyRecord.java + com/netscape/certsrv/dbs/keydb/IKeyRecordList.java + com/netscape/certsrv/dbs/keydb/IKeyRepository.java + com/netscape/certsrv/dbs/crldb/ICRLRepository.java + com/netscape/certsrv/dbs/crldb/ICRLIssuingPointRecord.java 
+ com/netscape/certsrv/dbs/EDBException.java + com/netscape/certsrv/dbs/certdb/ICertRecordList.java + com/netscape/certsrv/dbs/certdb/ICertificateRepository.java + com/netscape/certsrv/dbs/certdb/IRevocationInfo.java + com/netscape/certsrv/dbs/certdb/ICertRecord.java + com/netscape/certsrv/dbs/DBResources.java + com/netscape/certsrv/dbs/IDBSearchResults.java + com/netscape/certsrv/dbs/IFilterConverter.java + com/netscape/certsrv/dbs/ModificationSet.java + com/netscape/certsrv/dbs/IDBDynAttrMapper.java + com/netscape/certsrv/dbs/IDBSubsystem.java + com/netscape/certsrv/dbs/repository/IRepository.java + com/netscape/certsrv/dbs/repository/IRepositoryRecord.java + com/netscape/certsrv/dbs/IDBObj.java + com/netscape/certsrv/dbs/EDBRecordNotFoundException.java + com/netscape/certsrv/dbs/IDBSSession.java + com/netscape/certsrv/dbs/replicadb/IReplicaIDRepository.java + com/netscape/certsrv/kra/IShare.java + com/netscape/certsrv/kra/EKRAException.java + com/netscape/certsrv/kra/ProofOfArchival.java + com/netscape/certsrv/kra/IKeyService.java + com/netscape/certsrv/kra/IJoinShares.java + com/netscape/certsrv/kra/IKeyRecoveryAuthority.java + com/netscape/certsrv/kra/IProofOfArchival.java + com/netscape/certsrv/kra/KRAResources.java + com/netscape/certsrv/authentication/ISharedToken.java + com/netscape/certsrv/authentication/AuthMgrPlugin.java + com/netscape/certsrv/authentication/EInvalidCredentials.java + com/netscape/certsrv/authentication/EAuthMgrNotFound.java + com/netscape/certsrv/authentication/ECompSyntaxErr.java + com/netscape/certsrv/authentication/EAuthUserError.java + com/netscape/certsrv/authentication/IAuthToken.java + com/netscape/certsrv/authentication/EAuthInternalError.java + com/netscape/certsrv/authentication/IAuthManager.java + com/netscape/certsrv/authentication/AuthManagerProxy.java + com/netscape/certsrv/authentication/AuthToken.java + com/netscape/certsrv/authentication/AuthCredentials.java + 
com/netscape/certsrv/authentication/EAuthMgrPluginNotFound.java + com/netscape/certsrv/authentication/ISSLClientCertProvider.java + com/netscape/certsrv/authentication/EMissingCredential.java + com/netscape/certsrv/authentication/EAuthException.java + com/netscape/certsrv/authentication/IAuthSubsystem.java + com/netscape/certsrv/authentication/IAuthCredentials.java + com/netscape/certsrv/authentication/AuthResources.java + com/netscape/certsrv/authentication/EFormSubjectDN.java + com/netscape/certsrv/authorization/AuthzManagerProxy.java + com/netscape/certsrv/authorization/IAuthzManager.java + com/netscape/certsrv/authorization/EAuthzUnknownProtectedRes.java + com/netscape/certsrv/authorization/AuthzMgrPlugin.java + com/netscape/certsrv/authorization/AuthzToken.java + com/netscape/certsrv/authorization/IAuthzSubsystem.java + com/netscape/certsrv/authorization/AuthzResources.java + com/netscape/certsrv/authorization/EAuthzUnknownOperation.java + com/netscape/certsrv/authorization/EAuthzAccessDenied.java + com/netscape/certsrv/authorization/EAuthzException.java + com/netscape/certsrv/authorization/EAuthzMgrNotFound.java + com/netscape/certsrv/authorization/EAuthzInternalError.java + com/netscape/certsrv/authorization/EAuthzMgrPluginNotFound.java + com/netscape/certsrv/extensions/ICMSExtension.java + com/netscape/certsrv/extensions/ExtensionsResources.java + com/netscape/certsrv/extensions/EExtensionsException.java + com/netscape/certsrv/authority/ICertAuthority.java + com/netscape/certsrv/authority/IAuthority.java + com/netscape/certsrv/template/IArgValue.java + com/netscape/certsrv/template/ArgString.java + com/netscape/certsrv/template/ArgSet.java + com/netscape/certsrv/template/ArgList.java + com/netscape/certsrv/ra/IRAService.java + com/netscape/certsrv/ra/IRegistrationAuthority.java + com/netscape/certsrv/password/IPasswordCheck.java + com/netscape/certsrv/password/IConfigPasswordCheck.java + com/netscape/certsrv/password/EPasswordCheckException.java + 
com/netscape/certsrv/jobs/JobPlugin.java + com/netscape/certsrv/jobs/IJob.java + com/netscape/certsrv/jobs/EJobsException.java + com/netscape/certsrv/jobs/IJobCron.java + com/netscape/certsrv/jobs/JobsResources.java + com/netscape/certsrv/jobs/IJobsScheduler.java + com/netscape/certsrv/selftests/ESelfTestException.java + com/netscape/certsrv/selftests/EMissingSelfTestException.java + com/netscape/certsrv/selftests/EInvalidSelfTestException.java + com/netscape/certsrv/selftests/ISelfTest.java + com/netscape/certsrv/selftests/SelfTestResources.java + com/netscape/certsrv/selftests/ISelfTestSubsystem.java + com/netscape/certsrv/selftests/EDuplicateSelfTestException.java + com/netscape/certsrv/request/ldap/IRequestMod.java + com/netscape/certsrv/request/IRequestNotifier.java + com/netscape/certsrv/request/IRequestSubsystem.java + com/netscape/certsrv/request/PolicyResult.java + com/netscape/certsrv/request/INotify.java + com/netscape/certsrv/request/IRequestList.java + com/netscape/certsrv/request/IEnrollmentRequest.java + com/netscape/certsrv/request/AgentApprovals.java + com/netscape/certsrv/request/IRequestRecord.java + com/netscape/certsrv/request/RequestId.java + com/netscape/certsrv/request/RequestIdAdapter.java + com/netscape/certsrv/request/IService.java + com/netscape/certsrv/request/IRequestListener.java + com/netscape/certsrv/request/AgentApproval.java + com/netscape/certsrv/request/RequestStatus.java + com/netscape/certsrv/request/IRequestScheduler.java + com/netscape/certsrv/request/IRequest.java + com/netscape/certsrv/request/IRequestQueue.java + com/netscape/certsrv/request/ARequestNotifier.java + com/netscape/certsrv/request/PolicyMessage.java + com/netscape/certsrv/request/IPolicy.java + com/netscape/certsrv/request/IRequestVirtualList.java + com/netscape/certsrv/evaluators/IAccessEvaluator.java + com/netscape/certsrv/tks/ITKSAuthority.java + com/netscape/certsrv/property/EPropertyException.java + com/netscape/certsrv/property/PropertySet.java + 
com/netscape/certsrv/property/IConfigTemplate.java + com/netscape/certsrv/property/IDescriptor.java + com/netscape/certsrv/property/Descriptor.java + com/netscape/certsrv/logging/LogResources.java + com/netscape/certsrv/logging/ConsoleError.java + com/netscape/certsrv/logging/ILogEventFactory.java + com/netscape/certsrv/logging/SignedAuditEvent.java + com/netscape/certsrv/logging/SystemEvent.java + com/netscape/certsrv/logging/AuditFormat.java + com/netscape/certsrv/logging/AuditEvent.java + com/netscape/certsrv/logging/ELogNotFound.java + com/netscape/certsrv/logging/ILogEvent.java + com/netscape/certsrv/logging/ELogException.java + com/netscape/certsrv/logging/ConsoleLog.java + com/netscape/certsrv/logging/LogPlugin.java + com/netscape/certsrv/logging/ILogSubsystem.java + com/netscape/certsrv/logging/IBundleLogEvent.java + com/netscape/certsrv/logging/ELogPluginNotFound.java + com/netscape/certsrv/logging/ILogger.java + com/netscape/certsrv/logging/ILogQueue.java + com/netscape/certsrv/logging/ILogEventListener.java + com/netscape/certsrv/ca/ICMSCRLExtensions.java + com/netscape/certsrv/ca/ICertificateAuthority.java + com/netscape/certsrv/ca/EErrorPublishCRL.java + com/netscape/certsrv/ca/ICAService.java + com/netscape/certsrv/ca/ECAException.java + com/netscape/certsrv/ca/ICMSCRLExtension.java + com/netscape/certsrv/ca/ICRLIssuingPoint.java + com/netscape/certsrv/ca/CAResources.java + com/netscape/certsrv/connector/IConnector.java + com/netscape/certsrv/connector/IHttpConnFactory.java + com/netscape/certsrv/connector/IPKIMessage.java + com/netscape/certsrv/connector/IRequestEncoder.java + com/netscape/certsrv/connector/IResender.java + com/netscape/certsrv/connector/IHttpPKIMessage.java + com/netscape/certsrv/connector/IHttpConnection.java + com/netscape/certsrv/connector/IRemoteAuthority.java + com/netscape/certsrv/security/IStorageKeyUnit.java + com/netscape/certsrv/security/IEncryptionUnit.java + com/netscape/certsrv/security/KeyCertData.java + 
com/netscape/certsrv/security/ICryptoSubsystem.java + com/netscape/certsrv/security/ITransportKeyUnit.java + com/netscape/certsrv/security/IToken.java + com/netscape/certsrv/security/ISigningUnit.java + com/netscape/certsrv/security/Credential.java + com/netscape/certsrv/client/connection/IAuthenticator.java + com/netscape/certsrv/client/connection/IConnectionFactory.java + com/netscape/certsrv/client/connection/IConnection.java + com/netscape/certsrv/client/IDataProcessor.java + com/netscape/certsrv/ocsp/IOCSPService.java + com/netscape/certsrv/ocsp/IOCSPStore.java + com/netscape/certsrv/ocsp/IDefStore.java + com/netscape/certsrv/ocsp/IOCSPAuthority.java + com/netscape/certsrv/notification/IEmailFormProcessor.java + com/netscape/certsrv/notification/IMailNotification.java + com/netscape/certsrv/notification/IEmailTemplate.java + com/netscape/certsrv/notification/IEmailResolver.java + com/netscape/certsrv/notification/IEmailResolverKeys.java + com/netscape/certsrv/notification/ENotificationException.java + com/netscape/certsrv/notification/NotificationResources.java + com/netscape/certsrv/profile/IProfileEx.java + com/netscape/certsrv/profile/ERejectException.java + com/netscape/certsrv/profile/ICertInfoPolicyDefault.java + com/netscape/certsrv/profile/IPolicyConstraint.java + com/netscape/certsrv/profile/IProfileInput.java + com/netscape/certsrv/profile/IProfileAuthenticator.java + com/netscape/certsrv/profile/IProfile.java + com/netscape/certsrv/profile/IProfileOutput.java + com/netscape/certsrv/profile/IProfileContext.java + com/netscape/certsrv/profile/EDeferException.java + com/netscape/certsrv/profile/EProfileException.java + com/netscape/certsrv/profile/CertInfoProfile.java + com/netscape/certsrv/profile/IPolicyDefault.java + com/netscape/certsrv/profile/IEnrollProfile.java + com/netscape/certsrv/profile/IProfileSubsystem.java + com/netscape/certsrv/profile/IProfileUpdater.java + com/netscape/certsrv/profile/IProfilePolicy.java +) + +set(pki-cms_java_SRCS + 
com/netscape/cms/listeners/PinRemovalListener.java + com/netscape/cms/listeners/RequestInQListener.java + com/netscape/cms/listeners/CertificateIssuedListener.java + com/netscape/cms/listeners/CertificateRevokedListener.java + com/netscape/cms/publish/mappers/LdapCertSubjMap.java + com/netscape/cms/publish/mappers/MapRDNPattern.java + com/netscape/cms/publish/mappers/NoMap.java + com/netscape/cms/publish/mappers/LdapEnhancedMap.java + com/netscape/cms/publish/mappers/MapDNPattern.java + com/netscape/cms/publish/mappers/LdapCertCompsMap.java + com/netscape/cms/publish/mappers/AVAPattern.java + com/netscape/cms/publish/mappers/LdapCaSimpleMap.java + com/netscape/cms/publish/mappers/LdapCertExactMap.java + com/netscape/cms/publish/mappers/MapAVAPattern.java + com/netscape/cms/publish/mappers/LdapCrlIssuerCompsMap.java + com/netscape/cms/publish/mappers/LdapDNCompsMap.java + com/netscape/cms/publish/mappers/LdapSimpleMap.java + com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java + com/netscape/cms/publish/publishers/LdapUserCertPublisher.java + com/netscape/cms/publish/publishers/LdapCaCertPublisher.java + com/netscape/cms/publish/publishers/FileBasedPublisher.java + com/netscape/cms/publish/publishers/LdapCrlPublisher.java + com/netscape/cms/publish/publishers/LdapCertificatePairPublisher.java + com/netscape/cms/publish/publishers/PublisherUtils.java + com/netscape/cms/publish/publishers/OCSPPublisher.java + com/netscape/cms/publish/publishers/LdapCertSubjPublisher.java + com/netscape/cms/policy/constraints/UniqueSubjectNameConstraints.java + com/netscape/cms/policy/constraints/AgentPolicy.java + com/netscape/cms/policy/constraints/KeyAlgorithmConstraints.java + com/netscape/cms/policy/constraints/IssuerConstraints.java + com/netscape/cms/policy/constraints/RevocationConstraints.java + com/netscape/cms/policy/constraints/DefaultRevocation.java + com/netscape/cms/policy/constraints/RSAKeyConstraints.java + 
com/netscape/cms/policy/constraints/DSAKeyConstraints.java + com/netscape/cms/policy/constraints/UniqueSubjectName.java + com/netscape/cms/policy/constraints/ManualAuthentication.java + com/netscape/cms/policy/constraints/RenewalValidityConstraints.java + com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java + com/netscape/cms/policy/constraints/AttributePresentConstraints.java + com/netscape/cms/policy/constraints/ValidityConstraints.java + com/netscape/cms/policy/constraints/RenewalConstraints.java + com/netscape/cms/policy/constraints/SubCANameConstraints.java + com/netscape/cms/policy/APolicyRule.java + com/netscape/cms/policy/extensions/OCSPNoCheckExt.java + com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java + com/netscape/cms/policy/extensions/CertificatePoliciesExt.java + com/netscape/cms/policy/extensions/SubjAltNameExt.java + com/netscape/cms/policy/extensions/RemoveBasicConstraintsExt.java + com/netscape/cms/policy/extensions/CertificateScopeOfUseExt.java + com/netscape/cms/policy/extensions/GenericASN1Ext.java + com/netscape/cms/policy/extensions/ExtendedKeyUsageExt.java + com/netscape/cms/policy/extensions/SubjectDirectoryAttributesExt.java + com/netscape/cms/policy/extensions/AuthInfoAccessExt.java + com/netscape/cms/policy/extensions/NameConstraintsExt.java + com/netscape/cms/policy/extensions/PolicyConstraintsExt.java + com/netscape/cms/policy/extensions/PresenceExt.java + com/netscape/cms/policy/extensions/NSCCommentExt.java + com/netscape/cms/policy/extensions/BasicConstraintsExt.java + com/netscape/cms/policy/extensions/IssuerAltNameExt.java + com/netscape/cms/policy/extensions/PolicyMappingsExt.java + com/netscape/cms/policy/extensions/SubjectAltNameExt.java + com/netscape/cms/policy/extensions/CRLDistributionPointsExt.java + com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java + com/netscape/cms/policy/extensions/CertificateRenewalWindowExt.java + 
com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java + com/netscape/cms/policy/extensions/KeyUsageExt.java + com/netscape/cms/policy/extensions/NSCertTypeExt.java + com/netscape/cms/servlet/filter/AdminRequestFilter.java + com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java + com/netscape/cms/servlet/filter/EERequestFilter.java + com/netscape/cms/servlet/filter/AgentRequestFilter.java + com/netscape/cms/servlet/common/GenRejectedTemplateFiller.java + com/netscape/cms/servlet/common/ICMSTemplateFiller.java + com/netscape/cms/servlet/common/IndexTemplateFiller.java + com/netscape/cms/servlet/common/GenSuccessTemplateFiller.java + com/netscape/cms/servlet/common/ECMSGWException.java + com/netscape/cms/servlet/common/CMSTemplate.java + com/netscape/cms/servlet/common/GenErrorTemplateFiller.java + com/netscape/cms/servlet/common/AuthCredentials.java + com/netscape/cms/servlet/common/CMSLoadTemplate.java + com/netscape/cms/servlet/common/CMSFileLoader.java + com/netscape/cms/servlet/common/RawJS.java + com/netscape/cms/servlet/common/GenSvcPendingTemplateFiller.java + com/netscape/cms/servlet/common/CMSTemplateParams.java + com/netscape/cms/servlet/common/GenUnauthorizedTemplateFiller.java + com/netscape/cms/servlet/common/CMCOutputTemplate.java + com/netscape/cms/servlet/common/CMSGateway.java + com/netscape/cms/servlet/common/CMSRequest.java + com/netscape/cms/servlet/common/CMSFile.java + com/netscape/cms/servlet/common/IRawJS.java + com/netscape/cms/servlet/common/ServletUtils.java + com/netscape/cms/servlet/common/GenPendingTemplateFiller.java + com/netscape/cms/servlet/common/CMSGWResources.java + com/netscape/cms/servlet/common/GenUnexpectedErrorTemplateFiller.java + com/netscape/cms/servlet/cert/UpdateCRL.java + com/netscape/cms/servlet/cert/GetInfo.java + com/netscape/cms/servlet/cert/RevocationSuccessTemplateFiller.java + com/netscape/cms/servlet/cert/DoUnrevoke.java + com/netscape/cms/servlet/cert/DisplayBySerial.java + 
com/netscape/cms/servlet/cert/GetCertFromRequest.java + com/netscape/cms/servlet/cert/HashEnrollServlet.java + com/netscape/cms/servlet/cert/UpdateDir.java + com/netscape/cms/servlet/cert/scep/ExtensionsRequested.java + com/netscape/cms/servlet/cert/scep/CRSEnrollment.java + com/netscape/cms/servlet/cert/scep/ChallengePassword.java + com/netscape/cms/servlet/cert/EnrollServlet.java + com/netscape/cms/servlet/cert/DisableEnrollResult.java + com/netscape/cms/servlet/cert/GetEnableStatus.java + com/netscape/cms/servlet/cert/DisplayHashUserEnroll.java + com/netscape/cms/servlet/cert/DoRevoke.java + com/netscape/cms/servlet/cert/ChallengeRevocationServlet1.java + com/netscape/cms/servlet/cert/CloneRedirect.java + com/netscape/cms/servlet/cert/EnableEnrollResult.java + com/netscape/cms/servlet/cert/ImportCertsTemplateFiller.java + com/netscape/cms/servlet/cert/GetCAChain.java + com/netscape/cms/servlet/cert/SrchCerts.java + com/netscape/cms/servlet/cert/Monitor.java + com/netscape/cms/servlet/cert/GetCRL.java + com/netscape/cms/servlet/cert/ReasonToRevoke.java + com/netscape/cms/servlet/cert/ListCerts.java + com/netscape/cms/servlet/cert/RenewalServlet.java + com/netscape/cms/servlet/cert/DoRevokeTPS.java + com/netscape/cms/servlet/cert/DirAuthServlet.java + com/netscape/cms/servlet/cert/RemoteAuthConfig.java + com/netscape/cms/servlet/cert/DoUnrevokeTPS.java + com/netscape/cms/servlet/cert/RevocationServlet.java + com/netscape/cms/servlet/cert/CMCRevReqServlet.java + com/netscape/cms/servlet/cert/GetBySerial.java + com/netscape/cms/servlet/cert/DisplayCRL.java + com/netscape/cms/servlet/cert/model/CertificateData.java + com/netscape/cms/servlet/admin/OCSPAdminServlet.java + com/netscape/cms/servlet/admin/CMSAdminServlet.java + com/netscape/cms/servlet/admin/JobsAdminServlet.java + com/netscape/cms/servlet/admin/PublisherAdminServlet.java + com/netscape/cms/servlet/admin/ProfileAdminServlet.java + com/netscape/cms/servlet/admin/ACLAdminServlet.java + 
com/netscape/cms/servlet/admin/AuthCredentials.java + com/netscape/cms/servlet/admin/CAAdminServlet.java + com/netscape/cms/servlet/admin/PolicyAdminServlet.java + com/netscape/cms/servlet/admin/RegistryAdminServlet.java + com/netscape/cms/servlet/admin/AuthAdminServlet.java + com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java + com/netscape/cms/servlet/admin/AdminServlet.java + com/netscape/cms/servlet/admin/KRAAdminServlet.java + com/netscape/cms/servlet/admin/LogAdminServlet.java + com/netscape/cms/servlet/admin/RAAdminServlet.java + com/netscape/cms/servlet/admin/AdminResources.java + com/netscape/cms/servlet/admin/SystemCertificateResource.java + com/netscape/cms/servlet/admin/SystemCertificateResourceService.java + com/netscape/cms/servlet/key/DisplayBySerial.java + com/netscape/cms/servlet/key/SrchKey.java + com/netscape/cms/servlet/key/DisplayTransport.java + com/netscape/cms/servlet/key/GrantRecovery.java + com/netscape/cms/servlet/key/SrchKeyForRecovery.java + com/netscape/cms/servlet/key/GrantAsyncRecovery.java + com/netscape/cms/servlet/key/GetApprovalStatus.java + com/netscape/cms/servlet/key/ConfirmRecoverBySerial.java + com/netscape/cms/servlet/key/ExamineRecovery.java + com/netscape/cms/servlet/key/GetPk12.java + com/netscape/cms/servlet/key/GetAsyncPk12.java + com/netscape/cms/servlet/key/RecoverBySerial.java + com/netscape/cms/servlet/key/KeyRecordParser.java + com/netscape/cms/servlet/key/DisplayBySerialForRecovery.java + com/netscape/cms/servlet/key/KeyResource.java + com/netscape/cms/servlet/key/KeyResourceService.java + com/netscape/cms/servlet/key/KeysResource.java + com/netscape/cms/servlet/key/KeysResourceService.java + com/netscape/cms/servlet/key/model/KeyDAO.java + com/netscape/cms/servlet/key/model/KeyDataInfo.java + com/netscape/cms/servlet/key/model/KeyDataInfos.java + com/netscape/cms/servlet/key/model/KeyData.java + com/netscape/cms/servlet/base/IndexServlet.java + com/netscape/cms/servlet/base/UserInfo.java + 
com/netscape/cms/servlet/base/PortsServlet.java + com/netscape/cms/servlet/base/CMSResourceService.java + com/netscape/cms/servlet/base/CMSServlet.java + com/netscape/cms/servlet/base/CMSStartServlet.java + com/netscape/cms/servlet/base/ProxyServlet.java + com/netscape/cms/servlet/base/DynamicVariablesServlet.java + com/netscape/cms/servlet/base/GetStats.java + com/netscape/cms/servlet/base/SystemInfoServlet.java + com/netscape/cms/servlet/base/DisplayHtmlServlet.java + com/netscape/cms/servlet/base/model/Link.java + com/netscape/cms/servlet/csadmin/BaseServlet.java + com/netscape/cms/servlet/csadmin/ConfigCertReqServlet.java + com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java + com/netscape/cms/servlet/csadmin/ConfigHSMLoginPanel.java + com/netscape/cms/servlet/csadmin/SizePanel.java + com/netscape/cms/servlet/csadmin/Cert.java + com/netscape/cms/servlet/csadmin/UpdateConnector.java + com/netscape/cms/servlet/csadmin/DonePanel.java + com/netscape/cms/servlet/csadmin/GetTokenInfo.java + com/netscape/cms/servlet/csadmin/WizardPanelBase.java + com/netscape/cms/servlet/csadmin/CheckIdentity.java + com/netscape/cms/servlet/csadmin/UpdateNumberRange.java + com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java + com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java + com/netscape/cms/servlet/csadmin/ConfigRootCAServlet.java + com/netscape/cms/servlet/csadmin/ConfigJoinServlet.java + com/netscape/cms/servlet/csadmin/AuthenticatePanel.java + com/netscape/cms/servlet/csadmin/ConfigCloneServlet.java + com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java + com/netscape/cms/servlet/csadmin/DisplayServlet.java + com/netscape/cms/servlet/csadmin/DatabasePanel.java + com/netscape/cms/servlet/csadmin/WelcomePanel.java + com/netscape/cms/servlet/csadmin/DatabaseServlet.java + com/netscape/cms/servlet/csadmin/CAInfoPanel.java + com/netscape/cms/servlet/csadmin/GetTransportCert.java + com/netscape/cms/servlet/csadmin/ImportTransportCert.java + 
com/netscape/cms/servlet/csadmin/SessionTimer.java + com/netscape/cms/servlet/csadmin/ModulePanel.java + com/netscape/cms/servlet/csadmin/GetConfigEntries.java + com/netscape/cms/servlet/csadmin/UpdateDomainXML.java + com/netscape/cms/servlet/csadmin/GetStatus.java + com/netscape/cms/servlet/csadmin/BackupKeyCertPanel.java + com/netscape/cms/servlet/csadmin/TokenAuthenticate.java + com/netscape/cms/servlet/csadmin/SecurityDomainLogin.java + com/netscape/cms/servlet/csadmin/ConfigDatabaseServlet.java + com/netscape/cms/servlet/csadmin/ConfigBaseServlet.java + com/netscape/cms/servlet/csadmin/CertUtil.java + com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java + com/netscape/cms/servlet/csadmin/ConfigImportCertServlet.java + com/netscape/cms/servlet/csadmin/SecurityDomainSessionTable.java + com/netscape/cms/servlet/csadmin/GetCertChain.java + com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java + com/netscape/cms/servlet/csadmin/DisplayCertChainPanel.java + com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java + com/netscape/cms/servlet/csadmin/GetDomainXML.java + com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java + com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java + com/netscape/cms/servlet/csadmin/ModuleServlet.java + com/netscape/cms/servlet/csadmin/GetCookie.java + com/netscape/cms/servlet/csadmin/CertRequestPanel.java + com/netscape/cms/servlet/csadmin/RegisterUser.java + com/netscape/cms/servlet/csadmin/GetSubsystemCert.java + com/netscape/cms/servlet/csadmin/CertPrettyPrintPanel.java + com/netscape/cms/servlet/csadmin/WelcomeServlet.java + com/netscape/cms/servlet/csadmin/LoginServlet.java + com/netscape/cms/servlet/csadmin/AdminPanel.java + com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java + com/netscape/cms/servlet/csadmin/ConfigHSMServlet.java + com/netscape/cms/servlet/csadmin/MainPageServlet.java + com/netscape/cms/servlet/csadmin/HierarchyPanel.java + com/netscape/cms/servlet/csadmin/DownloadPKCS12.java + 
com/netscape/cms/servlet/csadmin/SavePKCS12Panel.java + com/netscape/cms/servlet/csadmin/NamePanel.java + com/netscape/cms/servlet/wizard/WizardServlet.java + com/netscape/cms/servlet/wizard/IWizardPanel.java + com/netscape/cms/servlet/processors/PKCS10Processor.java + com/netscape/cms/servlet/processors/PKIProcessor.java + com/netscape/cms/servlet/processors/KeyGenProcessor.java + com/netscape/cms/servlet/processors/CRMFProcessor.java + com/netscape/cms/servlet/processors/IPKIProcessor.java + com/netscape/cms/servlet/processors/CMCProcessor.java + com/netscape/cms/servlet/request/ProcessReq.java + com/netscape/cms/servlet/request/CheckRequest.java + com/netscape/cms/servlet/request/IReqParser.java + com/netscape/cms/servlet/request/ReqParser.java + com/netscape/cms/servlet/request/QueryReq.java + com/netscape/cms/servlet/request/SearchReqs.java + com/netscape/cms/servlet/request/ProcessCertReq.java + com/netscape/cms/servlet/request/CertReqParser.java + com/netscape/cms/servlet/request/KeyReqParser.java + com/netscape/cms/servlet/request/KeyRequestResource.java + com/netscape/cms/servlet/request/KeyRequestResourceService.java + com/netscape/cms/servlet/request/KeyRequestsResource.java + com/netscape/cms/servlet/request/KeyRequestsResourceService.java + com/netscape/cms/servlet/request/model/ArchivalRequestData.java + com/netscape/cms/servlet/request/model/KeyRequestDAO.java + com/netscape/cms/servlet/request/model/KeyRequestInfo.java + com/netscape/cms/servlet/request/model/KeyRequestInfos.java + com/netscape/cms/servlet/request/model/RecoveryRequestData.java + com/netscape/cms/servlet/tks/TokenServlet.java + com/netscape/cms/servlet/connector/CloneServlet.java + com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java + com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java + com/netscape/cms/servlet/connector/ConnectorServlet.java + com/netscape/cms/servlet/ocsp/OCSPServlet.java + com/netscape/cms/servlet/ocsp/ListCAServlet.java + 
com/netscape/cms/servlet/ocsp/AddCRLServlet.java
+ com/netscape/cms/servlet/ocsp/CheckCertServlet.java
+ com/netscape/cms/servlet/ocsp/RemoveCAServlet.java
+ com/netscape/cms/servlet/ocsp/GetOCSPInfo.java
+ com/netscape/cms/servlet/ocsp/AddCAServlet.java
+ com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
+ com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+ com/netscape/cms/servlet/profile/ProfileSelectServlet.java
+ com/netscape/cms/servlet/profile/ProfileProcessServlet.java
+ com/netscape/cms/servlet/profile/ProfileListServlet.java
+ com/netscape/cms/servlet/profile/ProfileApproveServlet.java
+ com/netscape/cms/servlet/profile/ProfileReviewServlet.java
+ com/netscape/cms/servlet/profile/SSLClientCertProvider.java
+ com/netscape/cms/servlet/profile/ProfileServlet.java
+ com/netscape/cms/authentication/AgentCertAuthentication.java
+ com/netscape/cms/authentication/PortalEnroll.java
+ com/netscape/cms/authentication/UdnPwdDirAuthentication.java
+ com/netscape/cms/authentication/TokenAuthentication.java
+ com/netscape/cms/authentication/Crypt.java
+ com/netscape/cms/authentication/CMCAuth.java
+ com/netscape/cms/authentication/HashAuthData.java
+ com/netscape/cms/authentication/SharedSecret.java
+ com/netscape/cms/authentication/FlatFileAuth.java
+ com/netscape/cms/authentication/AVAPattern.java
+ com/netscape/cms/authentication/RDNPattern.java
+ com/netscape/cms/authentication/DNPattern.java
+ com/netscape/cms/authentication/DirBasedAuthentication.java
+ com/netscape/cms/authentication/HashAuthentication.java
+ com/netscape/cms/authentication/UidPwdPinDirAuthentication.java
+ com/netscape/cms/authentication/SSLclientCertAuthentication.java
+ com/netscape/cms/authentication/UidPwdDirAuthentication.java
+ com/netscape/cms/authorization/BasicAclAuthz.java
+ com/netscape/cms/authorization/AAclAuthz.java
+ com/netscape/cms/authorization/DirAclAuthz.java
+ com/netscape/cms/shares/OldJoinShares.java
+ com/netscape/cms/shares/OldShare.java
+
com/netscape/cms/password/PasswordChecker.java
+ com/netscape/cms/jobs/UnpublishExpiredJob.java
+ com/netscape/cms/jobs/RenewalNotificationJob.java
+ com/netscape/cms/jobs/RequestInQueueJob.java
+ com/netscape/cms/jobs/AJobBase.java
+ com/netscape/cms/jobs/PublishCertsJob.java
+ com/netscape/cms/selftests/ASelfTest.java
+ com/netscape/cms/selftests/kra/KRAPresence.java
+ com/netscape/cms/selftests/ra/RAPresence.java
+ com/netscape/cms/selftests/tks/TKSKnownSessionKey.java
+ com/netscape/cms/selftests/ca/CAPresence.java
+ com/netscape/cms/selftests/ca/CAValidity.java
+ com/netscape/cms/selftests/common/SystemCertsVerification.java
+ com/netscape/cms/selftests/ocsp/OCSPValidity.java
+ com/netscape/cms/selftests/ocsp/OCSPPresence.java
+ com/netscape/cms/request/RequestScheduler.java
+ com/netscape/cms/crl/CMSIssuingDistributionPointExtension.java
+ com/netscape/cms/crl/CMSAuthInfoAccessExtension.java
+ com/netscape/cms/crl/CMSCRLReasonExtension.java
+ com/netscape/cms/crl/CMSDeltaCRLIndicatorExtension.java
+ com/netscape/cms/crl/CMSCertificateIssuerExtension.java
+ com/netscape/cms/crl/CMSHoldInstructionExtension.java
+ com/netscape/cms/crl/CMSCRLNumberExtension.java
+ com/netscape/cms/crl/CMSIssuerAlternativeNameExtension.java
+ com/netscape/cms/crl/CMSFreshestCRLExtension.java
+ com/netscape/cms/crl/CMSAuthorityKeyIdentifierExtension.java
+ com/netscape/cms/crl/CMSInvalidityDateExtension.java
+ com/netscape/cms/evaluators/IPAddressAccessEvaluator.java
+ com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java
+ com/netscape/cms/evaluators/GroupAccessEvaluator.java
+ com/netscape/cms/evaluators/UserAccessEvaluator.java
+ com/netscape/cms/logging/LogEntry.java
+ com/netscape/cms/logging/LogFile.java
+ com/netscape/cms/logging/RollingLogFile.java
+ com/netscape/cms/ocsp/DefStore.java
+ com/netscape/cms/ocsp/LDAPStore.java
+ com/netscape/cms/notification/MailNotification.java
+ com/netscape/cms/profile/common/CACertCAEnrollProfile.java
+
com/netscape/cms/profile/common/ProfilePolicy.java
+ com/netscape/cms/profile/common/EnrollProfile.java
+ com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
+ com/netscape/cms/profile/common/CAEnrollProfile.java
+ com/netscape/cms/profile/common/RAEnrollProfile.java
+ com/netscape/cms/profile/common/ProfileContext.java
+ com/netscape/cms/profile/common/EnrollProfileContext.java
+ com/netscape/cms/profile/common/BasicProfile.java
+ com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
+ com/netscape/cms/profile/def/UserSubjectNameDefault.java
+ com/netscape/cms/profile/def/AutoAssignDefault.java
+ com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java
+ com/netscape/cms/profile/def/CRLDistributionPointsExtDefault.java
+ com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
+ com/netscape/cms/profile/def/IssuerAltNameExtDefault.java
+ com/netscape/cms/profile/def/CAEnrollDefault.java
+ com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java
+ com/netscape/cms/profile/def/SubjectNameDefault.java
+ com/netscape/cms/profile/def/NoDefault.java
+ com/netscape/cms/profile/def/SubjectInfoAccessExtDefault.java
+ com/netscape/cms/profile/def/PolicyConstraintsExtDefault.java
+ com/netscape/cms/profile/def/InhibitAnyPolicyExtDefault.java
+ com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java
+ com/netscape/cms/profile/def/EnrollDefault.java
+ com/netscape/cms/profile/def/OCSPNoCheckExtDefault.java
+ com/netscape/cms/profile/def/BasicConstraintsExtDefault.java
+ com/netscape/cms/profile/def/SigningAlgDefault.java
+ com/netscape/cms/profile/def/GenericExtDefault.java
+ com/netscape/cms/profile/def/nsNKeySubjectNameDefault.java
+ com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java
+ com/netscape/cms/profile/def/UserKeyDefault.java
+ com/netscape/cms/profile/def/NSCCommentExtDefault.java
+ com/netscape/cms/profile/def/CertificateVersionDefault.java
+ com/netscape/cms/profile/def/ValidityDefault.java
+
com/netscape/cms/profile/def/ImageDefault.java
+ com/netscape/cms/profile/def/PolicyMappingsExtDefault.java
+ com/netscape/cms/profile/def/NSCertTypeExtDefault.java
+ com/netscape/cms/profile/def/CAValidityDefault.java
+ com/netscape/cms/profile/def/UserSigningAlgDefault.java
+ com/netscape/cms/profile/def/SubjectDirAttributesExtDefault.java
+ com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
+ com/netscape/cms/profile/def/UserValidityDefault.java
+ com/netscape/cms/profile/def/EnrollExtDefault.java
+ com/netscape/cms/profile/def/nsTokenDeviceKeySubjectNameDefault.java
+ com/netscape/cms/profile/def/KeyUsageExtDefault.java
+ com/netscape/cms/profile/def/FreshestCRLExtDefault.java
+ com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
+ com/netscape/cms/profile/def/nsHKeySubjectNameDefault.java
+ com/netscape/cms/profile/def/UserExtensionDefault.java
+ com/netscape/cms/profile/def/NameConstraintsExtDefault.java
+ com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java
+ com/netscape/cms/profile/def/CertificatePoliciesExtDefault.java
+ com/netscape/cms/profile/input/SubjectDNInput.java
+ com/netscape/cms/profile/input/SerialNumRenewInput.java
+ com/netscape/cms/profile/input/SubjectNameInput.java
+ com/netscape/cms/profile/input/KeyGenInput.java
+ com/netscape/cms/profile/input/SigningKeyGenInput.java
+ com/netscape/cms/profile/input/EncryptionKeyGenInput.java
+ com/netscape/cms/profile/input/ImageInput.java
+ com/netscape/cms/profile/input/EnrollInput.java
+ com/netscape/cms/profile/input/nsNKeyCertReqInput.java
+ com/netscape/cms/profile/input/FileSigningInput.java
+ com/netscape/cms/profile/input/nsHKeyCertReqInput.java
+ com/netscape/cms/profile/input/CertReqInput.java
+ com/netscape/cms/profile/input/SubmitterInfoInput.java
+ com/netscape/cms/profile/input/GenericInput.java
+ com/netscape/cms/profile/input/DualKeyGenInput.java
+ com/netscape/cms/profile/input/CMCCertReqInput.java
+
com/netscape/cms/profile/constraint/KeyConstraint.java
+ com/netscape/cms/profile/constraint/KeyUsageExtConstraint.java
+ com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java
+ com/netscape/cms/profile/constraint/EnrollConstraint.java
+ com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
+ com/netscape/cms/profile/constraint/ExtensionConstraint.java
+ com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java
+ com/netscape/cms/profile/constraint/NoConstraint.java
+ com/netscape/cms/profile/constraint/SubjectNameConstraint.java
+ com/netscape/cms/profile/constraint/ExtendedKeyUsageExtConstraint.java
+ com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java
+ com/netscape/cms/profile/constraint/CAEnrollConstraint.java
+ com/netscape/cms/profile/constraint/SigningAlgConstraint.java
+ com/netscape/cms/profile/constraint/ValidityConstraint.java
+ com/netscape/cms/profile/constraint/UniqueKeyConstraint.java
+ com/netscape/cms/profile/constraint/CAValidityConstraint.java
+ com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
+ com/netscape/cms/profile/output/CertOutput.java
+ com/netscape/cms/profile/output/EnrollOutput.java
+ com/netscape/cms/profile/output/nsNKeyOutput.java
+ com/netscape/cms/profile/output/PKCS7Output.java
+ com/netscape/cms/profile/output/CMMFOutput.java
+)
+
+set(pki-cmscore_java_SRCS
+ com/netscape/cmscore/apps/PKIServerEvent.java
+ com/netscape/cmscore/apps/Upgrade.java
+ com/netscape/cmscore/apps/PKIServerListener.java
+ com/netscape/cmscore/apps/CommandQueue.java
+ com/netscape/cmscore/apps/CMSEngine.java
+ com/netscape/cmscore/apps/Setup.java
+ com/netscape/cmscore/ldap/LdapSimpleExpression.java
+ com/netscape/cmscore/ldap/LdapAndExpression.java
+ com/netscape/cmscore/ldap/LdapPublishModule.java
+ com/netscape/cmscore/ldap/LdapPredicateParser.java
+ com/netscape/cmscore/ldap/LdapRequestListener.java
+ com/netscape/cmscore/ldap/LdapConnModule.java
+
com/netscape/cmscore/ldap/LdapOrExpression.java
+ com/netscape/cmscore/ldap/PublishObject.java
+ com/netscape/cmscore/ldap/PublisherProcessor.java
+ com/netscape/cmscore/ldap/LdapRule.java
+ com/netscape/cmscore/listeners/ListenerPlugin.java
+ com/netscape/cmscore/usrgrp/CertDNCertUserLocator.java
+ com/netscape/cmscore/usrgrp/Group.java
+ com/netscape/cmscore/usrgrp/ExactMatchCertUserLocator.java
+ com/netscape/cmscore/usrgrp/UGSubsystem.java
+ com/netscape/cmscore/usrgrp/User.java
+ com/netscape/cmscore/crmf/CRMFParser.java
+ com/netscape/cmscore/crmf/PKIArchiveOptionsContainer.java
+ com/netscape/cmscore/util/AssertionException.java
+ com/netscape/cmscore/util/ProfileSubsystem.java
+ com/netscape/cmscore/util/FileAsString.java
+ com/netscape/cmscore/util/Assert.java
+ com/netscape/cmscore/util/UtilMessage.java
+ com/netscape/cmscore/util/PFXUtils.java
+ com/netscape/cmscore/util/ExceptionFormatter.java
+ com/netscape/cmscore/util/StatsSubsystem.java
+ com/netscape/cmscore/util/FileDialogFilter.java
+ com/netscape/cmscore/util/Debug.java
+ com/netscape/cmscore/util/UtilResources.java
+ com/netscape/cmscore/policy/JavaScriptRequestProxy.java
+ com/netscape/cmscore/policy/SimpleExpression.java
+ com/netscape/cmscore/policy/GeneralNameUtil.java
+ com/netscape/cmscore/policy/PolicyPredicateParser.java
+ com/netscape/cmscore/policy/AndExpression.java
+ com/netscape/cmscore/policy/PolicySet.java
+ com/netscape/cmscore/policy/GenericPolicyProcessor.java
+ com/netscape/cmscore/policy/OrExpression.java
+ com/netscape/cmscore/cert/CertificatePair.java
+ com/netscape/cmscore/cert/X500NameSubsystem.java
+ com/netscape/cmscore/cert/CertUtils.java
+ com/netscape/cmscore/cert/ExtPrettyPrint.java
+ com/netscape/cmscore/cert/OidLoaderSubsystem.java
+ com/netscape/cmscore/cert/CrlPrettyPrint.java
+ com/netscape/cmscore/cert/CertPrettyPrint.java
+ com/netscape/cmscore/cert/PrettyPrintResources.java
+ com/netscape/cmscore/cert/PrettyPrintFormat.java
+
com/netscape/cmscore/cert/CrossCertPairSubsystem.java
+ com/netscape/cmscore/cert/CertDateCompare.java
+ com/netscape/cmscore/cert/PubKeyPrettyPrint.java
+ com/netscape/cmscore/cert/CrlCachePrettyPrint.java
+ com/netscape/cmscore/registry/PluginInfo.java
+ com/netscape/cmscore/registry/PluginRegistry.java
+ com/netscape/cmscore/base/ArgBlock.java
+ com/netscape/cmscore/base/FileConfigStore.java
+ com/netscape/cmscore/base/SimpleProperties.java
+ com/netscape/cmscore/base/SourceConfigStore.java
+ com/netscape/cmscore/base/PropConfigStore.java
+ com/netscape/cmscore/base/JDialogPasswordCallback.java
+ com/netscape/cmscore/base/SubsystemRegistry.java
+ com/netscape/cmscore/base/SubsystemLoader.java
+ com/netscape/cmscore/dbs/CRLRepository.java
+ com/netscape/cmscore/dbs/CertRecord.java
+ com/netscape/cmscore/dbs/RevocationInfoMapper.java
+ com/netscape/cmscore/dbs/BigIntegerMapper.java
+ com/netscape/cmscore/dbs/X509CertImplMapper.java
+ com/netscape/cmscore/dbs/KeyRecord.java
+ com/netscape/cmscore/dbs/KeyStateMapper.java
+ com/netscape/cmscore/dbs/StringVectorMapper.java
+ com/netscape/cmscore/dbs/DBSSession.java
+ com/netscape/cmscore/dbs/DBSubsystem.java
+ com/netscape/cmscore/dbs/StringMapper.java
+ com/netscape/cmscore/dbs/LongMapper.java
+ com/netscape/cmscore/dbs/CertRecordList.java
+ com/netscape/cmscore/dbs/MetaInfoMapper.java
+ com/netscape/cmscore/dbs/RepositorySchema.java
+ com/netscape/cmscore/dbs/PublicKeyMapper.java
+ com/netscape/cmscore/dbs/KeyDBSchema.java
+ com/netscape/cmscore/dbs/LdapFilterConverter.java
+ com/netscape/cmscore/dbs/ObjectStreamMapper.java
+ com/netscape/cmscore/dbs/Repository.java
+ com/netscape/cmscore/dbs/CertificateRepository.java
+ com/netscape/cmscore/dbs/DBVirtualList.java
+ com/netscape/cmscore/dbs/KeyRecordList.java
+ com/netscape/cmscore/dbs/RepositoryRecord.java
+ com/netscape/cmscore/dbs/CRLIssuingPointRecord.java
+ com/netscape/cmscore/dbs/DBRegistry.java
+ com/netscape/cmscore/dbs/CRLDBSchema.java
+
com/netscape/cmscore/dbs/CertDBSchema.java
+ com/netscape/cmscore/dbs/DateMapper.java
+ com/netscape/cmscore/dbs/ByteArrayMapper.java
+ com/netscape/cmscore/dbs/CertRecordMapper.java
+ com/netscape/cmscore/dbs/DBSearchResults.java
+ com/netscape/cmscore/dbs/IntegerMapper.java
+ com/netscape/cmscore/dbs/RevocationInfo.java
+ com/netscape/cmscore/dbs/DBSUtil.java
+ com/netscape/cmscore/dbs/X500NameMapper.java
+ com/netscape/cmscore/dbs/KeyRepository.java
+ com/netscape/cmscore/dbs/ReplicaIDRepository.java
+ com/netscape/cmscore/dbs/DateArrayMapper.java
+ com/netscape/cmscore/dbs/KeyRecordMapper.java
+ com/netscape/cmscore/authentication/PasswdUserDBAuthentication.java
+ com/netscape/cmscore/authentication/NullAuthentication.java
+ com/netscape/cmscore/authentication/SSLClientCertAuthentication.java
+ com/netscape/cmscore/authentication/AuthSubsystem.java
+ com/netscape/cmscore/authentication/CertUserDBAuthentication.java
+ com/netscape/cmscore/authentication/VerifiedCert.java
+ com/netscape/cmscore/authentication/VerifiedCerts.java
+ com/netscape/cmscore/authentication/ChallengePhraseAuthentication.java
+ com/netscape/cmscore/authorization/AuthzSubsystem.java
+ com/netscape/cmscore/extensions/CMSExtensionsMap.java
+ com/netscape/cmscore/extensions/KeyUsage.java
+ com/netscape/cmscore/jobs/CronRange.java
+ com/netscape/cmscore/jobs/JobsScheduler.java
+ com/netscape/cmscore/jobs/CronItem.java
+ com/netscape/cmscore/jobs/JobCron.java
+ com/netscape/cmscore/selftests/SelfTestOrderedInstance.java
+ com/netscape/cmscore/selftests/SelfTestSubsystem.java
+ com/netscape/cmscore/request/ExtDataHashtable.java
+ com/netscape/cmscore/request/RequestAttr.java
+ com/netscape/cmscore/request/RequestQueue.java
+ com/netscape/cmscore/request/Schema.java
+ com/netscape/cmscore/request/RequestRepository.java
+ com/netscape/cmscore/request/ARequestRecord.java
+ com/netscape/cmscore/request/ARequestQueue.java
+ com/netscape/cmscore/request/CertRequestConstants.java
+
com/netscape/cmscore/request/RequestRecord.java
+ com/netscape/cmscore/request/RequestSubsystem.java
+ com/netscape/cmscore/ldapconn/LdapBoundConnection.java
+ com/netscape/cmscore/ldapconn/LdapConnInfo.java
+ com/netscape/cmscore/ldapconn/LdapAuthInfo.java
+ com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
+ com/netscape/cmscore/ldapconn/LdapAnonConnFactory.java
+ com/netscape/cmscore/ldapconn/LdapBoundConnFactory.java
+ com/netscape/cmscore/ldapconn/LdapAnonConnection.java
+ com/netscape/cmscore/logging/AuditEventFactory.java
+ com/netscape/cmscore/logging/LogQueue.java
+ com/netscape/cmscore/logging/LogSubsystem.java
+ com/netscape/cmscore/logging/AuditFormat.java
+ com/netscape/cmscore/logging/Logger.java
+ com/netscape/cmscore/logging/SignedAuditEventFactory.java
+ com/netscape/cmscore/logging/SignedAuditLogger.java
+ com/netscape/cmscore/logging/SystemEventFactory.java
+ com/netscape/cmscore/connector/LocalConnector.java
+ com/netscape/cmscore/connector/HttpConnection.java
+ com/netscape/cmscore/connector/RequestTransfer.java
+ com/netscape/cmscore/connector/RemoteAuthority.java
+ com/netscape/cmscore/connector/HttpPKIMessage.java
+ com/netscape/cmscore/connector/HttpConnector.java
+ com/netscape/cmscore/connector/HttpConnFactory.java
+ com/netscape/cmscore/connector/HttpRequestEncoder.java
+ com/netscape/cmscore/connector/Resender.java
+ com/netscape/cmscore/security/OCSPSigningCert.java
+ com/netscape/cmscore/security/Provider.java
+ com/netscape/cmscore/security/KeyCertUtil.java
+ com/netscape/cmscore/security/KRATransportCert.java
+ com/netscape/cmscore/security/SSLCert.java
+ com/netscape/cmscore/security/SSLSelfSignedCert.java
+ com/netscape/cmscore/security/JssSubsystem.java
+ com/netscape/cmscore/security/SubsystemCert.java
+ com/netscape/cmscore/security/PWsdrCache.java
+ com/netscape/cmscore/security/CertificateInfo.java
+ com/netscape/cmscore/security/PWCBsdr.java
+ com/netscape/cmscore/security/PWUtil.java
+
com/netscape/cmscore/security/CASigningCert.java
+ com/netscape/cmscore/security/RASigningCert.java
+ com/netscape/cmscore/notification/ReqCertSANameEmailResolver.java
+ com/netscape/cmscore/notification/EmailResolverKeys.java
+ com/netscape/cmscore/notification/EmailTemplate.java
+ com/netscape/cmscore/notification/EmailFormProcessor.java
+ com/netscape/cmscore/notification/ReqCertEmailResolver.java
+ com/netscape/cmscore/profile/ProfileSubsystem.java
+ com/netscape/cmscore/time/SimpleTimeSource.java
+)
+
+set(pki-jndi-realm_SRCS
+ com/netscape/cmscore/realm/PKIJNDIRealm.java
+ com/netscape/cmscore/realm/ACLEntry.java
+ com/netscape/cmscore/realm/ACL.java
+)
+
+set(pki-cmsbundle_RCS
+ LogMessages.properties
+ UserMessages.properties
+)
+
+set(CMAKE_JAVA_INCLUDE_PATH
+ ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR}
+ ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR}
+ ${JSS_JAR} ${COMMONS_CODEC_JAR} ${TOMCAT_CATALINA_JAR} ${SYMKEY_JAR} ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR})
+
+set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
+
+# build pki-certsrv
+set(CMAKE_JAR_CLASSES_PREFIX com/netscape/certsrv)
+add_jar(pki-certsrv ${pki-certsrv_java_SRCS})
+add_dependencies(pki-certsrv pki-nsutil pki-cmsutil)
+install_jar(pki-certsrv ${JAVA_JAR_INSTALL_DIR}/pki)
+set(PKI_CERTSRV_JAR ${pki-certsrv_JAR_FILE} CACHE INTERNAL "pki-certsrv jar file")
+
+# build pki-cms
+set(CMAKE_JAR_CLASSES_PREFIX com/netscape/cms)
+add_jar(pki-cms ${pki-cms_java_SRCS})
+add_dependencies(pki-cms pki-nsutil pki-cmsutil pki-certsrv)
+install_jar(pki-cms ${JAVA_JAR_INSTALL_DIR}/pki)
+set(PKI_CMS_JAR ${pki-cms_JAR_FILE} CACHE INTERNAL "pki-cms jar file")
+
+create_javadoc(pki-common-${APPLICATION_VERSION}
+ FILES ${pki-cms_java_SRCS} ${pki-certsrv_java_SRCS}
+ CLASSPATH ${CMAKE_JAVA_INCLUDE_PATH} ${pki-certsrv_JAR_FILE}
+ WINDOWTITLE "pki-common"
+ DOCTITLE "

pki-common

"
+ AUTHOR TRUE
+ USE TRUE
+ VERSION TRUE
+)
+add_dependencies(pki-common-${APPLICATION_VERSION}_javadoc pki-cms pki-certsrv)
+
+# build pki-cmscore
+set(CMAKE_JAR_CLASSES_PREFIX com/netscape/cmscore)
+add_jar(pki-cmscore ${pki-cmscore_java_SRCS})
+add_dependencies(pki-cmscore pki-nsutil pki-cmsutil pki-certsrv pki-cms)
+install_jar(pki-cmscore ${JAVA_JAR_INSTALL_DIR}/pki)
+set(PKI_CMSCORE_JAR ${pki-cmscore_JAR_FILE} CACHE INTERNAL "pki-cmscore jar file")
+
+# build pki-cmsbundle
+add_jar(pki-cmsbundle ${pki-cmsbundle_RCS})
+add_dependencies(pki-cmsbundle pki-nsutil pki-cmsutil pki-certsrv pki-cms pki-cmscore)
+install_jar(pki-cmsbundle ${JAVA_JAR_INSTALL_DIR}/pki)
+set(PKI_CMSBUNDLE_JAR ${pki-cmsbundle_JAR_FILE} CACHE INTERNAL "pki-cmsbundle jar file")
+
+# build pki jndi realm
+set(CMAKE_JAR_CLASSES_PREFIX com/netscape/cmscore/realm)
+add_jar(pki-jndi-realm ${pki-jndi-realm_SRCS})
+install_jar(pki-jndi-realm ${JAVA_JAR_INSTALL_DIR}/pki)
+set(PKI_JNDI_REALM_JAR ${pki-jndi-realm_JAR_FILE} CACHE INTERNAL "pki-jndi-realm jar file")
+
diff --git a/base/common/src/LogMessages.properties b/base/common/src/LogMessages.properties
new file mode 100644
index 000000000..bd108bf80
--- /dev/null
+++ b/base/common/src/LogMessages.properties
@@ -0,0 +1,2475 @@ +# +# Log Messages for CS Administrators, not for end-users +# +################################################################## +# General Common Errors +################################################################## +SERVER_STARTUP=Server is started. +SERVER_SHUTDOWN=Shutting down. +SERVER_STARTUP_WARNING=CS Warning: {0} +SERVER_SHUTDOWN_ERROR=Error Starting CS: {0} +INVALID_HOST=Invalid Host - {0} +INVALID_PORT=Invalid Port - {0} +INVALID_LDAP_HOST=Invalid LDAP Host - {0} +INVALID_LDAP_PORT=Invalid LDAP Port - {0} +CANNOT_CONNECT_LDAP=Couldn't get LDAP connection - {0} +INVALID_ATTR=Invalid Attribute +INVALID_DN=Invalid DN +LDAP_ERROR=LDAP Error - {0} +ENTRY_ALREADY_EXIST=Entry already exists - {0} +LDAP_SERVER_DOWN=LDAP Server is Down +OPERATION_ERROR=Operation Error - {0} +READ_FILE_ERROR=Error reading file {0} - {1} +RENAME_FILE_ERROR=Error renaming file {0} to {1} +FILE_ERROR=File operation error: {0} +USER_NOT_EXIST=User {0} does not exist +INIT_DONE={0} initialization done. +################################################################## +# For com.netscape.cmscore.apps +################################################################## +CMSCORE_SDR_ADD_ERROR=sdr PWsdrCache addEntry failed +################################################################## +# For com.netscape.cms.authentication +################################################################## +CMS_AUTH_INIT_DONE=Initialization Done +CMS_AUTH_SHUTDOWN_ERROR=Shutdown Error - {0} +CMS_AUTH_NO_ATTR_ERROR=Could not get LDAP attributes. No entry or attributes returned. +CMS_AUTH_NO_DN_ERROR=Could not form DN - {0} +CMS_AUTH_NO_AUTH_ATTR_ERROR=Cannot get auth attributes. LDAP server is down. +CMS_AUTH_NO_USER_ENTRY_ERROR=User Entry {0} no longer exists in the directory. +CMS_AUTH_CREATE_SUBJECT_ERROR=Could not create subject name for {0}. Error - {1} +CMS_AUTH_CREATE_CERTINFO_ERROR=Could not create certinfo for {0}. 
Error - {1} +CMS_AUTH_READ_ENTRIES=Read entries from password file - {0} +CMS_AUTH_USER_NOT_FOUND=User not found in password file. +CMS_AUTH_INVALID_FINGER_PRINT=Invalid fingerprint. +CMS_AUTH_INVALID_NIS_SERVER=Invalid NIS Server - {0} +CMS_AUTH_INVALID_NIS_SERVER_NAME=Invalid NIS Server Name - {0} +CMS_AUTH_INVALID_DOMAIN=Invalid Domain Name - {0} +CMS_AUTH_EMPTY_PASSWORD=UID {0} attempted a login with an empty password. +CMS_AUTH_EMPTY_PIN=UID {0} attempted a login with an empty pin. +CMS_AUTH_BAD_PASSWORD=UID {0} attempted a login with a bad password. +CMS_AUTH_AUTHENTICATED=UID {0} authenticated. +CMS_AUTH_USER_NOT_EXIST=UID {0} does not exist in the LDAP server. +CMS_AUTH_PORTAL_INIT=my portal enroll initialization is done +CMS_AUTH_ADD_USER_ERROR=User cannot be added to LDAP server host {0} and port {1} +CMS_AUTH_MAKE_DN_ERROR=Couldn't make DN. Error - {0} +CMS_AUTH_REGISTRATION_DONE=Registration Done. +CMS_AUTH_CANT_GET_OBJECTCLASS=Couldn't get object class. +CMS_AUTH_NO_ENTRY_RETURNED=UID {0} search for entry {1} returned no entries. +CMS_AUTH_NO_PIN_FOUND=UID {0} does not have a PIN attribute in the LDAP server. +CMS_AUTH_CANT_REMOVE_PIN=could not remove pin for {0} +CMS_AUTH_UKNOWN_ENCODING_TYPE={0} has an unknown encoding type (first byte is not 0 (sha1) or 1 (md5) or '-' (none). It is {1} for user: {2} +CMS_AUTH_LENGTH_NOT_MATCHED=UID {0} Pin authentication: Hashed pin lengths do not match. +################################################################## +# For com.netscape.cmscore.authentication +################################################################## +CMSCORE_AUTH_INIT_AUTH=Auth manager {0} initialized. +CMSCORE_AUTH_MISSING_UID=missing UID in authCred for authenticate() +CMSCORE_AUTH_ADMIN_EMPTY_PW=Admin login attempted with UID {0} and a null pwd. +CMSCORE_AUTH_ADMIN_NULL_PW=Admin login attempted with UID {0} and an empty pwd. 
+CMSCORE_AUTH_ADMIN_NOT_FOUND=Admin login attempted with UID {0} UID not found +CMSCORE_AUTH_AUTH_FAILED=Failed to authenticate as admin UID={0}. Error: {1} +CMSCORE_AUTH_UID_NOT_FOUND=UID {0} is not a user in the internal usr/grp database. Error {1} +CMSCORE_AUTH_MISSING_CERT=Agent authentication missing certificate credential. +CMSCORE_AUTH_NO_CERT=No Client Certificate Found +CMSCORE_AUTH_REVOKED_CERT=Cannot authenticate agent. Agent certificate has been revoked. +CMSCORE_AUTH_AGENT_AUTH_FAILED=Cannot authenticate agent with certificate Serial 0x{0} Subject DN {1}. Error: {2} +CMSCORE_AUTH_CANNOT_AGENT_AUTH=Cannot authenticate agent. LDAP Error: {0} +CMSCORE_AUTH_AGENT_USER_NOT_FOUND=Cannot authenticate agent. Could not find a user for the agent cert. Check errors from UGSubsystem. +CMSCORE_AUTH_AGENT_CERT_REPO=Agent authentication cannot get access to the certificate repository +CMSCORE_AUTH_AGENT_REQUEST_QUEUE=Agent authentication cannot get access to the request queue. +CMSCORE_AUTH_AGENT_REVO_STATUS=Agent authentication cannot evaluate the revocation status. +CMSCORE_AUTH_AGENT_PROCESS_CHECKING=Agent authentication failed to process the request checking revocation status. +CMSCORE_AUTH_CANT_FIND_PLUGIN=Can't find auth manager plugin {0} +CMSCORE_AUTH_ADD_AUTH_INSTANCE=auths manager instance {0} added +CMSCORE_AUTH_AUTHSUB_ERROR=AuthSubsystem: init() - {0} +CMSCORE_AUTH_AUTH_INIT_ERROR=auths instance {0} initialization failed and skipped. error={1} +CMSCORE_AUTH_PLUGIN_NOT_FOUND=Auth Manager plugin {0} not found. 
+CMSCORE_AUTH_INSTANCE_NOT_CREATED=Could not create new authenticaiton manager instance {0} +CMSCORE_AUTH_INSTANCE_SHUTDOWN=Shutting down auths manager instance {0} +CMSCORE_AUTH_REVO_ATTEMPT=revocation attempted with an empty challenge for certificate serial number {0} +CMSCORE_AUTH_INCOMPLETE_REQUEST=Failed to complete the request for an authenticating challenge phrase password +CMSCORE_AUTH_FAILED_GET_QUEUE=Failed to get the queue +################################################################## +# For com.netscape.cmscore.authorization +################################################################## +CMSCORE_AUTHZ_PLUGIN_NOT_FOUND=Can't find authz manager plugin {0} +CMSCORE_AUTHZ_PLUGIN_FOUND=Found authz manager plugin {0} +CMSCORE_AUTHZ_INSTANCE_ADDED=authz manager instance {0} added +CMSCORE_AUTHZ_PLUGIN_INIT_FAILED=authz instance {0} initialization failed and skipped, error={1} +CMSCORE_AUTHZ_PLUGIN_NOT_CREATED=Could not create a new authorization manager instance {0} +################################################################## +# For com.netscape.cmscore.ca +################################################################## +CMSCORE_CA_START_CONNECTOR=starting CLAConnector +CMSCORE_CA_LOAD_CONNECTOR=failed to load external connector {0} - {1} +CMSCORE_CA_AUTHORITY_NOT_FOUND=local authority {0} not found. +CMSCORE_CA_INVALID_REQUEST_TYPE=Unrecognized request type {0} +CMSCORE_CA_MISSING_ATTR=Certificate Info missing validity, subject, or key in certificate issuing request +CMSCORE_CA_PAST_VALIDITY=requested Certificate validity is past CA's validity. +CMSCORE_CA_PAST_NOT_AFTER=requested Certificate validity is past CA's validity. Set notAfter to CA's notAfter +CMSCORE_CA_BAD_FIELD=Cannot get certain certificate fields {0} +CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED=signing certificate - algorithm {0} not supported in CA. +CMSCORE_CA_NULL_SERIAL_NUMBER=Certificate serial number is null for renewal request. 
+CMSCORE_CA_NO_ORG_SERIAL=No original serial number in certinfo for renewal request {0} +CMSCORE_CA_SIGN_SERIAL=CA is going to sign certificate serial number 0x{0} +CMSCORE_CA_NO_NEXT_SERIAL=Could not get next serial number - {0} +CMSCORE_CA_SET_SERIAL=Failed Setting serial number. {0} +CMSCORE_CA_SET_ISSUER=Failed Setting issuer name. {0} +CMSCORE_CA_SET_SUBJECT=Failed Setting subject name. {0} +CMSCORE_CA_STORE_SERIAL=CA stored signed certificate serial number 0x{0} +CMSCORE_CA_MARK_SERIAL=CA marked certificate serial number 0x{0} as renewed with serial number 0x{1} +CMSCORE_CA_NO_STORE_SERIAL=Could not store certificate serial number 0x{0} +CMSCORE_CA_CERT_NOT_FOUND=Cannot find certificate serial number 0x{0} +CMSCORE_CA_CERT_REVOKED=Revoked certificate serial number 0x{0} +CMSCORE_CA_ERROR_REVOCATION=Error revoking certificate {0}. Error {1} +CMSCORE_CA_CERT_ON_HOLD=Certificate {0} has to be on-hold. +CMSCORE_CA_CERT_UNREVOKED=Unrevoked certificate serial number 0x{0} +CMSCORE_CA_CERT_ERROR_UNREVOKE=Error unrevoking certificate 0x{0} +CMSCORE_CA_CERT_REQUEST_NOT_FOUND=No certificates found in issuing request ID {0} +CMSCORE_CA_ISSUE_ERROR=Error issuing certificate {0} in request ID {1}. Error {2} +CMSCORE_CA_STORE_ERROR=Error storing certificate {0} in request ID {1}. Error {2} +CMSCORE_CA_DELETE_CERT_ERROR=Could not delete certificate record for {0} after an error was encountered. Ignored Error: {1} +CMSCORE_CA_ERROR_GET_CERT=Error getting Certificate serial number for renewal request. Error {0} +CMSCORE_CA_NOT_FROM_CA=renewal certificate serial {0} is not from this CA. +CMSCORE_CA_RENEW_REVOKED=Cannot renew revoked certificate serial {0} +CMSCORE_CA_MISSING_RENEWED=Previously renewed certificate serial {0} missing from database. 
+CMSCORE_CA_CANNOT_RENEW=Cannot issue {0}th certificate in renewal request {1} +CMSCORE_CA_NO_RENEW=One or more certificates could not be renewed in request {0} +CMSCORE_CA_CRL_NOT_FOUND=No CRL entries found in revocation request ID {0} +CMSCORE_CA_CANNOT_REVOKE=Cannot revoke {0}th certificate in revocation request {1}. Error: {2} +CMSCORE_CA_CLONE_READ_REVOKED=Clone CA about to read revoked certificates for sending +CMSCORE_CA_CLONE_READ_ERROR=Clone CA Cannot retrieve revoked certificate for serialID: {0} +CMSCORE_CA_CLONE_READ_REVOKED_CONNECTOR=Clone CA about to send revoked certificate via CLAConnector +CMSCORE_CA_UNREVOKE_MISSING_SERIAL=Missing or invalid serial number +CMSCORE_CA_UNREVOKE_FAILED=Cannot unrevoke certificate {0} in unrevocation request {1} +CMSCORE_CA_GETCRL_FIND_CRL=Could not find CRL issuing record +CMSCORE_CA_GETCRL_INST_CRL=Could not instantiate CRL from CRL issuing point {0} +CMSCORE_CA_GETCRL_NO_ISSUING_REC=Could not find CRL issuing record +CMSCORE_CA_CERT4CRL_NO_ENTRY=No CRL entries found in cert4crl request ID {0} +CMSCORE_CA_CERT4CRL_NO_REC=Cannot record {0}th revoked certificate in cert4crl request {1} Error: {2} +CMSCORE_CA_CRLEXTS_SAVE_CONF=Cannot save changes to the configuration file {0} +CMSCORE_CA_CRLEXTS_NO_ENABLE=Missing enable property for CRL extension {0} set to {1} +CMSCORE_CA_CRLEXTS_UNDEFINE_ENABLE=Undefined enable property for CRL extension {0} set to {1} +CMSCORE_CA_CRLEXTS_INVALID_ENABLE=Invalid enable property for CRL extension {0} set to {1} +CMSCORE_CA_CRLEXTS_NO_CRITICAL=Missing critical property for CRL extension {0} set to {1} +CMSCORE_CA_CRLEXTS_UNDEFINE_CRITICAL=Undefined critical property for CRL extension {0} set to {1} +CMSCORE_CA_CRLEXTS_INVALID_CRITICAL=Invalid critical property for CRL extension {0} set to {1} +CMSCORE_CA_CRLEXTS_INVALID_EXT=Invalid type property for CRL extension {0} set to {1} +CMSCORE_CA_CRLEXTS_UNDEFINE_EXT=Undefined type property for CRL extension {0} 
+CMSCORE_CA_CRLEXTS_MISSING_EXT=Missing type property for CRL extension {0} +CMSCORE_CA_CRLEXTS_CLASS_NOT_FOUND=Failed to find CRL extension plugin class {0} Error: {1} +CMSCORE_CA_CRLEXTS_CLASS_NOT_INST=Failed CRL extension plugin class instantiation {0} Error: {1} +CMSCORE_CA_CRLEXTS_CLASS_NOT_ACCESS=Failed to access CRL extension plugin class {0} Error: {1} +CMSCORE_CA_CRLEXTS_CLASS_NOT_DEFINED=Undefined class property for CRL extension {0} +CMSCORE_CA_CRLEXTS_CLASS_MISSING=Missing class property for CRL extension {0} +CMSCORE_CA_CRLEXTS_CLASS_INVALID=Invalid class property for CRL extension {0} +CMSCORE_CA_CRLEXTS_CLASS_ADD=Failed to add extension {0} to CRL. Error: {1} +CMSCORE_CA_ISSUING_DECODE_CRL=Failed to decode CRL in the DB at CRL init. Error {0}. Creating a new CRL. +CMSCORE_CA_ISSUING_INST_CRL=Cannot initialize CRL from the internaldb. The internaldb is down. Error {0} +CMSCORE_CA_ISSUING_CREATE_CRL=Cannot create or store the first CRL in the internaldb. The internaldb could be down. Error {0} +CMSCORE_CA_ISSUING_START_CRL=started automatic CRL update thread CRLIssuingPoint-{0} +CMSCORE_CA_ISSUING_CRL=Cannot {0}. Error: {1} +CMSCORE_CA_ISSUING_STORE_REVOKED_CERT=Failed to store revoked certificate's cache for {0}. Error {1} +CMSCORE_CA_ISSUING_STORE_UNREVOKED_CERT=Failed to store unrevoked certificate's cache for {0}. Error {1} +CMSCORE_CA_ISSUING_STORE_EXPIRED_CERT=Failed to store expired certificate's cache for {0}. Error {1} +CMSCORE_CA_ISSUING_STORE_CRL_CACHE=Cannot store the CRL cache in the internaldb. Error {0} +CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA=Failed to sign or store delta-CRL {0} +CMSCORE_CA_ISSUING_SIGN_DELTA=Failed to sign delta-CRL {0} +CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL=Failed to sign or store CRL {0} +CMSCORE_CA_ISSUING_SIGN_CRL=Failed to sign CRL {0} +CMSCORE_CA_ISSUING_PUBLISH_DELTA=Failed to publish delta-CRL #{0}. Error {1} +CMSCORE_CA_ISSUING_PUBLISH_CRL=Failed to publish CRL #{0}. 
Error {1} +CMSCORE_CA_ISSUING_UPDATE_CRL=update CRL returned {0} +CMSCORE_CA_CA_CRL_UPDATE_STARTED=CRL update started. CRL ID: {0} CRL Number: {1} Delta CRL Enabled: {2} CRL Cache Enabled: {3} Cache Recovery Enabled: {4} Cache Cleared: {5} Cache: {6} +CMSCORE_CA_CA_CRL_UPDATED=CRL Update completed. CRL ID: {0} CRL Number: {1} last update time: {2} next update time: {3} Number of entries in the CRL: {4} time: {5} CRL time: {6} delta CRL time: {7} +CMSCORE_CA_CA_DELTA_CRL_UPDATED=Delta-CRL update completed. CRL ID: {0} Delta CRL NUmber: {1} Against CRL Number: {2} last update time: {3} next update time: {4} Number of entries in the delta-CRL: {5} time: {6} +CMSCORE_CA_CA_NO_PUBLISHER=No publisher enabled {0} +CMSCORE_CA_CA_SIGN_CRL=Failed to sign CRL {0}:{1} +CMSCORE_CA_CA_NO_CERTINFO=sign cert, certInfo NULL! +CMSCORE_CA_CA_SIGN_CERT=Failed to sign certificate {0}:{1} +CMSCORE_CA_CA_OCSP_SIGNING=Crypto manager not initialized {0} +CMSCORE_CA_CA_OCSP_CHAIN=Cannot build CA chain. Error {0} +CMSCORE_CA_CA_PUBLISH=Could not publish CA signing certificate at startup. {0} +CMSCORE_CA_CA_NO_PUBLISH=No CA Publishing Module configuration found +CMSCORE_CA_CA_ERROR_PUBLISH_MODULE=CA's Publishing Module failed with {0} +CMSCORE_CA_CA_ERROR_LISTENER=Can't find listener plugin {0} +CMSCORE_CA_CA_INIT_LISTENER=failed to initialize listener instance {0} {1} +CMSCORE_CA_CA_FAILED_LISTENER=Initialization of listener plugins failed {0} +CMSCORE_CA_CA_REGISTER_LISTENER=Failed to register Certificate Issued Listener {0} +CMSCORE_CA_CA_REGISTER_REQ_LISTENER=Failed to register Request In Queue Listener {0} +CMSCORE_CA_CA_NOTIFY_NONE=No CA notification Module configuration found +CMSCORE_CA_CA_NOTIFY_FAILED=CA notification Module initialization failure +CMSCORE_CA_CA_QUEUE_FAILED=Cannot create request queue {0} +CMSCORE_CA_CA_NO_MASTER_CRL=No configuration for Master CRL found. +CMSCORE_CA_CA_NO_MASTER_CRL_SUBSTORE=No configuration for Master CRL found. Missing substores. 
+CMSCORE_CA_CA_NO_FULL_CRL=No configuration for full CRL. Missing CRL issuing point {0} +CMSCORE_CA_CA_OCSP_REQUEST=request processing failure {0} +CMSCORE_CA_CA_OCSP_SIGN=sign OCSP response {0} +CMSCORE_CA_SIGNING_CA_CERT=Cannot convert CA certificate to X509CertImpl {0} +CMSCORE_CA_SIGNING_TOKEN_INIT=CryptoManager not initialized. Error {0} +CMSCORE_CA_SIGNING_WRONG_PWD=Incorrect password for CA signing unit. Exception {0} +CMSCORE_CA_SIGNING_TOKEN_NOT_FOUND=Token {0} Not found. Error {1} +CMSCORE_CA_SIGNING_CERT_NOT_FOUND=Object certificate not found. Error {0} +CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED=Signing Algorithm {0} not supported - {1} +CMSCORE_CA_INVALID_TIME_LIST=Daily updates are DISABLED because time list has invalid format. +CMSCORE_CA_INVALID_PROFILE_LIST=CRL generation according to profile list is DISABLED because profile list has invalid format. +################################################################## +# For com.netscape.cmscore.cert +################################################################## +CMSCORE_CERT_DIR_STRING={0} must be a list of DER tag names seperated by commas. +CMSCORE_CERT_UNKNOWN_TAG={0} unknown DER tag - {1}. +################################################################## +# For com.netscape.cmscore.connector +################################################################## +CMSCORE_CONNECTOR_REQUEST_NOT_COMPLETED=remote request for {0} not completed. Queing for resend. +CMSCORE_CONNECTOR_SEND_REQUEST=Could not send request {0} to remote {1} : {2} +CMSCORE_CONNECTOR_RESENDER_INTERRUPTED=Resender thread was interrupted to resend. +CMSCORE_CONNECTOR_REQUEST_NOT_FOUND=Resend: Cannot find {0} in request queue +CMSCORE_CONNECTOR_REQUEST_COMPLETED=resent request {0} completed. +CMSCORE_CONNECTOR_REQUEST_ERROR=sending request {0} got error {1} +CMSCORE_CONNECTOR_DOWN=The connection is down. Resend all pending requests later. 
+CMSCORE_CONNECTOR_RESEND_ERROR=error in resending request {0} - {1} +################################################################## +# For com.netscape.cmscore.dbs +################################################################## +CMSCORE_DBS_START_VALID_SEARCH=Start Valid Certificates Search +CMSCORE_DBS_FINISH_VALID_SEARCH=Finish Valid Certificates Search +CMSCORE_DBS_START_EXPIRED_SEARCH=Start Expired Certificates Search +CMSCORE_DBS_FINISH_EXPIRED_SEARCH=Finish Expired Certificates Search +CMSCORE_DBS_START_REVOKED_EXPIRED_SEARCH=Start Revoked & Expired Certificates Search +CMSCORE_DBS_FINISH_REVOKED_EXPIRED_SEARCH=Finish Revoked & Expired Certificates Search +CMSCORE_DBS_TRANSIT_INVALID_TO_VALID=Transit Certificate #{0} from INVALID to VALID status +CMSCORE_DBS_TRANSIT_INCONSISTENCY=Inconsistency Detected: Transit Certificate #{0} ({1}) from INVALID to VALID status at - {2} +CMSCORE_DBS_TRANSIT_VALID_TO_EXPIRED=Transit Certificate #{0} from INVALID to VALID status +CMSCORE_DBS_TRANSIT_INCONSISTENCY_VALID_TO_EXPIRED=Inconsistency Detected: Transit Certificate #{0} ({1}) from VALID to EXPIRED status at - {2} +CMSCORE_DBS_TRANSIT_REVOKED_TO_REVOKED_EXPIRED=Transit Certificate #{0} from REVOKED to REVOKED_EXPIRED status +CMSCORE_DBS_TRANSIT_INCONSISTENCY_REVOKED_TO_REVOKED_EXPIRED=Inconsistency Detected: Transit Certificate #{0} ({1}) from REVOKED to REVOKED EXPIRED status at - {2} +CMSCORE_DBS_ATTR_NOT_REGISTER=attribute {0} is not registered +CMSCORE_DBS_CONN_ERROR=Failed to get a connection to the LDAP server. Error {0} +CMSCORE_DBS_SCHEMA_ERROR=Failed to add a schema entry. Error {0} +CMSCORE_DBS_CONF_ERROR=Failed to retrieve configuration parameters. 
Error {0} +CMSCORE_DBS_VL_ADD=Virtual List Add Element {0} +CMSCORE_DBS_VL_CORRUPTED_ENTRIES=database with {0} corrupted entries - unrecoverable +CMSCORE_DBS_VL_NULL_RESPONSE=Null response control +CMSCORE_DBS_KEYRECORD_MAPPER_ERROR=Key Mapper Error {0} +CMSCORE_DBS_OBJECTSTREAM_MAPPER_ERROR=Object Stream Mapper Error {0} +CMSCORE_DBS_PUBLICKEY_MAPPER_ERROR=Public Key Mapper Error {0} +CMSCORE_DBS_X500NAME_MAPPER_ERROR=X500Name Mapper Error {0} +################################################################## +# For com.netscape.cmscore.jobs +################################################################## +CMSCORE_JOBS_INVALID_TOKEN={0} invalid format - {1} +CMSCORE_JOBS_INVALID_RANGE=invalid range - {0} +CMSCORE_JOBS_INVALID_MIN_MAX_RANGE=invalid range - {0} - {1} +CMSCORE_JOBS_INVALID_MIN=Invalid minute - {0} +CMSCORE_JOBS_INVALID_HOUR=Invalid hour - {0} +CMSCORE_JOBS_INVALID_MONTH=Invalid month of year - {0} +CMSCORE_JOBS_INVALID_DAY_OF_WEEK=Invalid day of week - {0} +CMSCORE_JOBS_INVALID_DAY_OF_MONTH=Invalid day of month - {0} +CMSCORE_JOBS_CLASS_NOT_FOUND=Can't find job plugin {0} +CMSCORE_JOBS_INIT_ERROR=Initialization Error {0} +CMSCORE_JOBS_CREATE_NEW=Could not create new job instance {0} +################################################################## +# For com.netscape.cmscore.kra +################################################################## +CMSCORE_KRA_ENCRYPTION_INTERNAL=EncryptionUnit::encryptInternalPrivate {0} +CMSCORE_KRA_ENCRYPTION_WRAP=EncryptionUnit::wrap {0} +CMSCORE_KRA_ENCRYPTION_EXTERNAL=EncryptionUnit::decryptExternalPrivate {0} +CMSCORE_KRA_ENCRYPTION_UNWRAP=EncryptionUnit::unwrap {0} +CMSCORE_KRA_ENCRYPTION_DECRYPT=EncryptionUnit::decryptInternalPrivate {0} +CMSCORE_KRA_UNWRAP_USER_KEY=Unwrap user key failed +CMSCORE_KRA_PUBLIC_NOT_FOUND=Public Key Not Found +CMSCORE_KRA_OWNER_NAME_NOT_FOUND=Owner Name Not Found +CMSCORE_KRA_WRAP_USER_KEY=Wrap user key failed +CMSCORE_KRA_INVALID_SERIAL_NUMBER=Invalid Serial Number {0} 
+CMSCORE_KRA_GET_NEXT_SERIAL=get next serial number failed +CMSCORE_KRA_GET_PUBLIC_KEY=retrieve x509 public key failed {0} +CMSCORE_KRA_GET_OWNER_NAME=retrieve owner name failed {0} +CMSCORE_KRA_REGISTER_LISTENER=Failed to register Request In Queue Listener {0} +CMSCORE_KRA_NOTIFY_ERROR=KRA notification Module initialization failure {0} +CMSCORE_KRA_INVALID_RA_NAME=Invalid RA name {0} - {1} +CMSCORE_KRA_INVALID_RA_SETUP=No properly configured accepted RAs {0} +CMSCORE_KRA_PUBLIC_KEY_LEN=public key length not matched +CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND=private key data not found +CMSCORE_KRA_CONSTRUCT_P12=construct PKCS #12 failed {0} +CMSCORE_KRA_CREAT_KEY_ID=create key ID failed {0} +CMSCORE_KRA_CREAT_KEY_BAG=create key bag failed {0} +CMSCORE_KRA_STORAGE_INIT=initialization failed - {0} +CMSCORE_KRA_LOCATE_CERT=locate certificate in hardware failed {0} +CMSCORE_KRA_STORAGE_READ_CERT=read storage certificate failed {0} +CMSCORE_KRA_STORAGE_IMPORT_CERT=import certificate failed {0} +CMSCORE_KRA_STORAGE_READ_PRIVATE=read storage private key failed {0} +CMSCORE_KRA_STORAGE_READ_MN=read MN file failed {0} +CMSCORE_KRA_STORAGE_LOGIN=login failed {0} +CMSCORE_KRA_STORAGE_LOGOUT=logout failed {0} +CMSCORE_KRA_STORAGE_CHANGE_MN=change MN failed {0} +CMSCORE_KRA_STORAGE_RECONSTRUCT=reconstruct password failed {0} +CMSCORE_KRA_ENTROPY_COLLECTION_DISABLED=DRM Entropy collection disabled +CMSCORE_KRA_ENTROPY_COLLECTION_ENABLED=DRM Entropy collection enabled +CMSCORE_KRA_ENTROPY_BLOCKED_WARNING=DRM Entropy collection blocked for {0}ms. 
Suggest increasing warning duration (kra.entropy.blockwarnms) or decreasing number of entropy bits collected (kra.entropy.bitsperkeypair) +CMSCORE_KRA_ENTROPY_ERROR=Error collecting DRM entropy: {0} +################################################################## +# For com.netscape.cmscore.ldap +################################################################## +CMSCORE_LDAP_FIND_CLASS=Could not find class {0} +CMSCORE_LDAP_INST_CLASS=could not instantiate class {0} under type {1} +CMSCORE_LDAP_INSUFFICIENT_CREDENTIALS=insufficient credentials to instantiate class {0} for type {1} +CMSCORE_LDAP_INIT_ERROR=Failed initialization of type {0}. Error {1} +CMSCORE_LDAP_PUBLISH_NOT_MATCH=certificate serial 0x{0} subject name {1} does not match any entry in the directory. +CMSCORE_LDAP_CRL_NOT_MATCH=CRL did not map to any DN +CMSCORE_LDAP_CERT_NOT_PUBLISH=Could not publish certificate serial number 0x{0}. Error {1} +CMSCORE_LDAP_CERT_NOT_UNPUBLISH=Could not unpublish certificate serial number 0x{0}. Error {1} +CMSCORE_LDAP_CERT_NOT_FIND=Could not find certificate to unpublish. serial number 0x{0}. Error {1} +CMSCORE_LDAP_GET_CERT_RECORD=Error getting certificate record to revoke 0x{0}. Error {1} +CMSCORE_LDAP_RULE_NOT_FOUND=Can't find publishing rule plugin {0} +CMSCORE_LDAP_INIT_FAILED=LdapSubsystem::init() - {0} +CMSCORE_LDAP_RULE_NOT_MATCH=No matched rule for request {0} +CMSCORE_LDAP_RULE_UNEXPECTED_ERROR=Rule {0} encountered unexpected error {1} +CMSCORE_LDAP_PLUGIN_NOT_FIND=Can't find publisher plugin {0} +CMSCORE_LDAP_PUBLISHER_INIT_FAILED=PublisherProcessor::init() - {0} +CMSCORE_LDAP_SKIP_PUBLISHER=publisher instance {0} initialization failed and skipped. error={1} +CMSCORE_LDAP_MAPPER_NOT_FIND=Can't find mapper plugin {0} +CMSCORE_LDAP_SKIP_MAPPER=mapper instance {0} initialization failed and skipped. error={1} +CMSCORE_LDAP_RULE_NOT_FIND=Can't find rule plugin {0} +CMSCORE_LDAP_SKIP_RULE=rule instance {0} initialization failed and skipped. 
error={1} +CMSCORE_LDAP_NO_NEW_MAPPER=Could not create new mapper instance {0} +CMSCORE_LDAP_NO_NEW_PUBLISHER=Could not create new publisher instance {0} +CMSCORE_LDAP_NO_NEW_RULE=Could not create new rule instance {0} +CMSCORE_LDAP_NO_RULE_FOUND=No rule can be found for publishing: {0} +CMSCORE_LDAP_NO_UNPUBLISHING_RULE_FOUND=No rule can be found for unpublishing: {0} +CMSCORE_LDAP_NO_RULE_FOUND_FOR_REQUEST=No rule can be found for publishing: {0} request {1} +CMSCORE_LDAP_NO_UNPUBLISHING_RULE_FOUND_FOR_REQUEST=No rule can be found for unpublishing: {0} request {1} +CMSCORE_LDAP_NO_RULE_FOR_CRL=No rule can be found for publishing CRL +CMSCORE_LDAP_MAPPER_NOT_MAP=mapper {0} did not map to any DN +################################################################## +# For com.netscape.cmscore.ldapconn +################################################################## +CMSCORE_LDAPCONN_MIN_CONN=The parameter for min connections is not an integer +CMSCORE_LDAPCONN_MAX_CONN=The parameter for max connections is not an integer +CMSCORE_LDAPCONN_CONNECT_SERVER=Cannot connect to LDAP server. Error: LDAP Server host {0} port {1} is unavailable +CMSCORE_LDAPCONN_FAILED_SERVER=Cannot connect to LDAP server. 
Error: {0} +CMSCORE_LDAPCONN_CANNOT_RESET=Cannot reset conn factory: {0} +CMSCORE_LDAPCONN_UNKNOWN_HOST=Unknown Host creating JSS SSL Socket +CMSCORE_LDAPCONN_IO_ERROR=I/O Error creating JSS SSL Socket {0} +################################################################## +# For com.netscape.cmscore.notification +################################################################## +CMSCORE_NOTIFY_TEMPLATE_NULL=template null +CMSCORE_NOTIFY_TOKEN_NULL=Token2vals null +CMSCORE_NOTIFY_TEMPLATE_NOT_EXIST=Template: {0} does not exist or is invalid +CMSCORE_NOTIFY_TEMPLATE_NOT_FOUND=Template: {0} not found +CMSCORE_NOTIFY_TEMPLATE_LOAD_ERROR=Template: Error loading file into string +CMSCORE_NOTIFY_TEMPLATE_LOADING=Template: Error loading file +CMSCORE_NOTIFY_NO_EMAIL=no email resolved for {0} +CMSCORE_NOTIFY_NO_EMAIL_ID=no email resolved for request ID={0} +CMSCORE_NOTIFY_NO_EMAIL_REQUEST=no email resolved. No request ID or certificate info found +CMSCORE_NOTIFY_NO_CERTINFO=Error getting certinfo from certificate +CMSCORE_NOTIFY_GET_EXT=Error getting extensions: {0} +CMSCORE_NOTIFY_SUBJECTALTNAME=get subjectalternatename extension failed +################################################################## +# For com.netscape.cmscore.ocsp +################################################################## +CMSCORE_OCSP_SIGNING_UNIT=Signing Unit init() {0} +CMSCORE_OCSP_CLASSPATH=ClassPath ID={0} {1} +CMSCORE_OCSP_RETRIEVE_KEY=retrieve public key failure {0} +CMSCORE_OCSP_SIGNING=Crypto manager not initialized {0} +CMSCORE_OCSP_CHAIN=Cannot build CA chain. Error {0} +CMSCORE_OCSP_SIGN_RESPONSE=Sign OCSP Response {0} +CMSCORE_OCSP_CONVERT_X509=Cannot convert OCSP certificate to X509CertImpl {0} +CMSCORE_OCSP_INCORRECT_PWD=Incorrect password for OCSP signing unit. Exception {0} +CMSCORE_OCSP_TOKEN_NOT_FOUND=Token {0} Not found. Error {1} +CMSCORE_OCSP_OBJECT_NOT_FOUND=Object Not found. Error {0} +CMSCORE_OCSP_SIGN_ALG_NOT_SUPPORTED=Signing Algorithm {0} not supported. 
+CMSCORE_OCSP_INVALID_ENCODING=Invalid encoding in OCSP signing key. +################################################################## +# For com.netscape.cmscore.policy +################################################################## +CMSCORE_POLICY_INIT_FAILED=policy {0} initialization failed and skipped. exception={1} +CMSCORE_POLICY_DEF_CREATE=Cannot create default policy Error {0} +CMSCORE_POLICY_EVAULATOR_ERROR=Javascript Evaluator error: {0} +CMSCORE_POLICY_REJECT_RESULT=policy: Request {0} - Result of applying rule: {1} is : rejected +CMSCORE_POLICY_DEFER_RESULT=policy: Request {0} - Result of applying rule: {1} is : deferred +CMSCORE_POLICY_ERROR_RESULT=policy: Request {0} - Result of applying rule: {1} has : encountered unexpected error {2} +################################################################## +# For com.netscape.cmscore.ra +################################################################## +CMSCORE_RA_GET_CA_CERT=Could not get CA certificate chain. Error {0} +CMSCORE_RA_REGISTER_CERT_LISTENER=Failed to register Certificate Issued Listener {0} +CMSCORE_RA_REGISTER_REQ_LISTENER=Failed to register Request In Queue Listener {0} +CMSCORE_RA_NO_NOTIFY=No RA notification Module configuration found +CMSCORE_RA_NOTIFY_INIT=RA notification Module initialization failure +CMSCORE_RA_UNREC_REQUEST=Unrecognized request type {0} in RA listener +CMSCORE_RA_NO_CHAIN=CA Chain listener - no chain from listener! +CMSCORE_RA_CANNOT_CONVERT=Could not convert CA to X509CertImpl! 
Error {0} +CMSCORE_RA_NO_CA=No CA: RA cannot operate without a CA +CMSCORE_RA_LOAD_CONNECTOR=failed to load external connector {0} {1} +################################################################## +# For com.netscape.cmscore.security +################################################################## +CMSCORE_SECURITY_INCORRECT_PWD=password incorrect +CMSCORE_SECURITY_TOKEN_ERROR=token error {0} +CMSCORE_SECURITY_KEY_DB_ERROR=Key Database Error {0} +CMSCORE_SECURITY_CERT_DB_ERROR=Certificate Database Error {0} +CMSCORE_SECURITY_CRYPTO_ERROR=Crypto Initialization Error {0} +CMSCORE_SECURITY_GENERAL_ERROR=General Security Error {0} +CMSCORE_SECURITY_INSTALL_PROVIDER=Unable to install CS provider. +CMSCORE_SECURITY_INVALID_CIPHER=Invalid SSL cipher preferences value {0} +CMSCORE_SECURITY_TOKEN_LOGGED_IN=Token logged in {0} +CMSCORE_SECURITY_SUBJECT_NAME=Certificate subject name {0} +CMSCORE_SECURITY_ALG=Signature Algorithm error {0} +CMSCORE_SECURITY_KEY_PAIR=Generate Key Pair Error {0} +CMSCORE_SECURITY_X500_NAME=X500 Name {0} +CMSCORE_SECURITY_CERT_REQUEST=Certificate Request Error {0} +CMSCORE_SECURITY_IMPORT_CERT=Import certificate {0} +CMSCORE_SECURITY_CERT_INFO=Certificate Info {0} +CMSCORE_SECURITY_GET_ALL_CERT=Get all certificates to manage {0} +CMSCORE_SECURITY_GET_CA_CERT=Get CA Certificates {0} +CMSCORE_SECURITY_GET_CA_CERT_FOR=Get CA Certificates for {0} : {1} +CMSCORE_SECURITY_TRUST_CERT=Trust Certificate {0} +CMSCORE_SECURITY_DELETE_CA_CERT=Delete CA Certificate {0} +CMSCORE_SECURITY_DELETE_CERT=Delete Certificate {0} +CMSCORE_SECURITY_GET_SUBJECT_NAME=Get Subject Name {0} +CMSCORE_SECURITY_PRINT_CERT=Print CERT {0} +CMSCORE_SECURITY_SIGN_CERT=Sign Certificate {0} +CMSCORE_SECURITY_IS_CA_CERT=isCACert {0} +CMSCORE_SECURITY_GET_EXTENSIONS=Get Extensions {0} +CMSCORE_SECURITY_GET_CONFIG=failed at CMS.getConfigStore() for pwCache +CMSCORE_SECURITY_THROW_CALLBACK=throwing PasswordCallback.GiveUpException() +CMSCORE_SECURITY_PW_FILE=failure for file {0} 
{1} +CMSCORE_SECURITY_PW_DECRYPT=password cache decrypt failed {0} +CMSCORE_SECURITY_PW_ENCRYPT=password cache encrypt failed {0} +CMSCORE_SECURITY_PW_CACHE=sdrPWcache: Error {0} +CMSCORE_SECURITY_PW_READ=failed readPWcache() {0} +CMSCORE_SECURITY_PW_TAG=getEntry did not get password for tag={0} +CMSCORE_SECURITY_NO_ENTROPY_STREAM=No o/s entropy stream available +################################################################## +# For com.netscape.cmscore.selftests +################################################################## +CMSCORE_SELFTESTS_INITIALIZATION_NOTIFICATION=SelfTestSubsystem: Initializing self test plugins: +CMSCORE_SELFTESTS_PROPERTY_NAME_IS_NULL=SelfTestSubsystem: the self test property name is null +CMSCORE_SELFTESTS_PROPERTY_DUPLICATE_NAME=SelfTestSubsystem: the self test property name {0} is a duplicate +CMSCORE_SELFTESTS_PROPERTY_INVALID_INSTANCE=SelfTestSubsystem: the self test property name {0} with a value of {1} specifies an invalid instance +CMSCORE_SELFTESTS_PROPERTY_MISSING_NAME=SelfTestSubsystem: the self test property name {0} does not exist +CMSCORE_SELFTESTS_PROPERTY_MISSING_VALUES=SelfTestSubsystem: the self test property name {0} contained no value(s) +CMSCORE_SELFTESTS_PROPERTY_THREW_EBASEEXCEPTION=SelfTestSubsystem: the self test property name {0} with a value of {1} threw an EBaseException +CMSCORE_SELFTESTS_PROPERTY_THREW_EXCEPTION=SelfTestSubsystem: the self test property name {0} with a value of {1} threw an Exception +CMSCORE_SELFTESTS_LOAD_LOGGER_PARAMETERS=SelfTestSubsystem: loading all self test plugin logger parameters +CMSCORE_SELFTESTS_DONT_LOAD_LOGGER_PARAMETERS=SelfTestSubsystem: there are NO self test plugin logger parameters to load +CMSCORE_SELFTESTS_LOAD_PLUGINS=SelfTestSubsystem: loading all self test plugin instances +CMSCORE_SELFTESTS_DONT_LOAD_PLUGINS=SelfTestSubsystem: there are NO self test plugin instances to load +CMSCORE_SELFTESTS_LOAD_PLUGIN_PARAMETERS=SelfTestSubsystem: loading all self test 
plugin instance parameters
+CMSCORE_SELFTESTS_PLUGIN_DUPLICATE_PARAMETER=SelfTestSubsystem: the self test plugin instance {0} contains the duplicate parameter {1}
+CMSCORE_SELFTESTS_PLUGIN_MISSING_PARAMETER=SelfTestSubsystem: the self test plugin instance {0} is missing the mandatory parameter {1}
+CMSCORE_SELFTESTS_PLUGIN_INVALID_PARAMETER=SelfTestSubsystem: the self test plugin instance {0} contains the invalid parameter {1}
+CMSCORE_SELFTESTS_LOAD_PLUGINS_ON_DEMAND=SelfTestSubsystem: loading self test plugins in on-demand order
+CMSCORE_SELFTESTS_DONT_LOAD_PLUGINS_ON_DEMAND=SelfTestSubsystem: there are NO self test plugins to load in on-demand order
+CMSCORE_SELFTESTS_MISSING_ON_DEMAND_VALUES=SelfTestSubsystem: self test plugins on-demand order property name {0} contained no values
+CMSCORE_SELFTESTS_LOAD_PLUGINS_AT_STARTUP=SelfTestSubsystem: loading self test plugins in startup order
+CMSCORE_SELFTESTS_DONT_LOAD_PLUGINS_AT_STARTUP=SelfTestSubsystem: there are NO self test plugins to load in startup order
+CMSCORE_SELFTESTS_MISSING_STARTUP_VALUES=SelfTestSubsystem: self test plugins startup order property name {0} contained no values
+CMSCORE_SELFTESTS_PLUGINS_LOADED=SelfTestSubsystem: Self test plugins have been successfully loaded!
+CMSCORE_SELFTESTS_PLUGINS_NONE_LOADED=SelfTestSubsystem: There were NO self test plugins to be loaded!
+CMSCORE_SELFTESTS_RUN_ON_DEMAND=SelfTestSubsystem: Running self test plugins specified to be executed on-demand:
+CMSCORE_SELFTESTS_NOT_RUN_ON_DEMAND=SelfTestSubsystem: There were NO self test plugins specified to be run on-demand!
+CMSCORE_SELFTESTS_RUN_ON_DEMAND_SUCCEEDED=SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY on-demand!
+CMSCORE_SELFTESTS_RUN_ON_DEMAND_FAILED=SelfTestSubsystem: The CRITICAL self test plugin called {0} running on-demand FAILED!
+CMSCORE_SELFTESTS_RUN_AT_STARTUP=SelfTestSubsystem: Running self test plugins specified to be executed at startup:
+CMSCORE_SELFTESTS_NOT_RUN_AT_STARTUP=SelfTestSubsystem: There were NO self test plugins specified to be run at startup!
+CMSCORE_SELFTESTS_RUN_AT_STARTUP_SUCCEEDED=SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
+CMSCORE_SELFTESTS_RUN_AT_STARTUP_FAILED=SelfTestSubsystem: The CRITICAL self test plugin called {0} running at startup FAILED!
+##################################################################
+# For com.netscape.cmscore.usrgrp
+##################################################################
+CMSCORE_USRGRP_LDAP_SHUT=LDAP Shutdown Error {0}
+CMSCORE_USRGRP_GET_USER=Get User Error {0}
+CMSCORE_USRGRP_FIND_USER=Find User Error {0}
+CMSCORE_USRGRP_INTERNAL_DB=find User: Could not get connection to internaldb. Error {0}
+CMSCORE_USRGRP_FIND_USER_BY_CERT=Find User By Certificate Error {0}
+CMSCORE_USRGRP_FIND_USERS=Find Users Error {0}
+CMSCORE_USRGRP_LIST_USERS=List Users Error {0}
+CMSCORE_USRGRP_BUILD_USER=DN not found {0}
+CMSCORE_USRGRP_ADD_USER=add User: Could not get connection to internaldb.
Error {0}
+CMSCORE_USRGRP_ADD_USER_CERT=add User Certificate {0}
+CMSCORE_USRGRP_REMOVE_USER=remove User {0}
+CMSCORE_USRGRP_REMOVE_USER_FROM_GROUP=remove User From Group {0}
+CMSCORE_USRGRP_FIND_GROUPS=Find Group {0}
+CMSCORE_USRGRP_LIST_GROUPS=List Group {0}
+CMSCORE_USRGRP_BUILD_GROUP=Build Group {0}
+CMSCORE_USRGRP_BAD_GROUP_MEMBER=Build Group Error: {0} group did not accept malformed uniquemember attribute: {1}
+CMSCORE_USRGRP_GET_GROUP=Get Group {0}
+CMSCORE_USRGRP_IS_GROUP_PRESENT=Is Group Present {0}
+CMSCORE_USRGRP_ADD_GROUP=Add Group {0}
+CMSCORE_USRGRP_REMOVE_GROUP=Remove Group {0}
+CMSCORE_USRGRP_MODIFY_GROUP=Modify Group {0}
+CMSCORE_USRGRP_CONVERT_UID=ConvertUID To DN {0}
+##################################################################
+# For com.netscape.certsetup.base
+##################################################################
+CERTSETUP_CREATE_DB_FAILED=Failed to create internal database
+CERTSETUP_RESTART_DB_FAILED=Failed to restart internal database
+CERTSETUP_DELETE_FILE_FAILED=Failed to delete file: {0}
+CERTSETUP_INSTALL_DB_FAILED=Failed to install internal database
+CERTSETUP_CONNECT_DB_FAILED=Failed to connect to internal database
+CERTSETUP_ADD_ENTRY_FAILED=Failed to add entry to database: {0}
+CERTSETUP_CREATE_ENTRY_FAILED=Failed to create entry to database. Please check if appropriate suffix is setup in the directory server: {0}.
+CERTSETUP_PORT_USED=Port {0} has already been used
+CERTSETUP_INSTANCE_EXISTED=Internal database already exists
+CERTSETUP_INSTANCE_NAME_USED=Instance name {0} has been used.
Re-enter another name
+CERTSETUP_INVALID_PARAMS=Invalid parameters - {0}
+CERTSETUP_INTERRUPTED=The process was interrupted
+CERTSETUP_INVALID_PARAMS=Invalid parameters - {0}
+CERTSETUP_GENERATE_PQG_FAILED=Failed to generate PQG parameters
+CERTSETUP_INCORRECT_SIE_SETUP=The SIE is not setup correctly
+CERTSETUP_MISSING_O_ATTR=Missing O (organization) attribute
+CERTSETUP_MISSING_C_ATTR=Missing C (country) attribute
+CERTSETUP_INVALID_C_ATTR=Invalid C (country) attribute value which should not contain more than 2 characters
+CERTSETUP_INVALID_CREDENTIALS=Invalid Credentials
+CERTSETUP_RSA_NOT_SUPPORTED=RSA is not supported
+CERTSETUP_DSA_NOT_SUPPORTED=DSA is not supported
+CERTSETUP_KEY_LENGTH_NOT_SUPPORTED=Key length {0} is not supported
+CERTSETUP_INCORRECT_PASSWORD=Incorrect password
+CERTSETUP_INVALID_NOT_AFTER=End date should not go beyond the end date of the CA signing certificate
+CERTSETUP_INVALID_FILE_PATH=Invalid file pathname
+CERTSETUP_TOKEN_ERROR=Token Error
+CERTSETUP_CERT_NOT_FOUND=Certificate not found
+CERTSETUP_USERCERT_CONFLICT=User certificate has conflict
+CERTSETUP_NICKNAME_CONFLICT=Nickname conflict
+CERTSETUP_CERT_ENCODE_ERROR=Certificate encoding error
+CERTSETUP_NOT_TOKEN_CERT=Not a token certificate
+CERTSETUP_NO_SUCH_TOKEN=No such token
+CERTSETUP_INCORRECT_TOKEN_PASSWD=Incorrect token password
+CERTSETUP_CERT_ALREADY_EXISTED=A certificate with the given nickname ({0}) already resides on the token. You need to clean up the token before proceeding.
+CERTSETUP_CHMOD_FAILED=Failed to change file permissions.
+CERTSETUP_CREATE_WEBSERVER_FAILED=Failed to create a web server instance.
+##################################################################
+# For com.netscape.certsrv.acls
+##################################################################
+ACLS_FAILED_TO_CONNECT_LDAP_1=Failed to connect to LDAP server: {0}
+ACLS_FAIL_CLASS_LOAD_1=Failed to load class: {0}
+ACLS_SRVLT_NO_CLASS=class not found
+ACLS_NO_PERMISSION_2={0} does not have permission to {1}
+ACLS_NO_PERMISSION=no permission
+ACLS_SRVLT_RESOURCE_NOT_FOUND=ACLs resource not found
+ACLS_SRVLT_FAIL_RS_UPDATE=failed to update resource ACLs
+ACLS_FAIL_ACL_UPDATE=failed to update ACLs on LDAP
+ACLS_ACL_METHOD_NOT_IMPLD=ACL method not implemented
+ACLS_SRVLT_ILL_CLASS=class must extend IAccessEvaluator
+ACLS_SRVLT_FAIL_COMMIT=Failed to save changes to the configuration file
+ACLS_FAIL_ACL_PARSE=failed to parse ACLs
+ACLS_SRVLT_EVAL_NOT_FOUND=evaluator not found
+ACLS_SRVLT_FAIL_INST_CLASS=failed to instantiate class
+ACLS_ACL_NULL_VALUE_1={0} value can not be null
+ACLS_ACL_PARSING_ERROR_2=ACL parsing error for {0}: {1}
+##################################################################
+# For com.netscape.certsrv.authentication
+##################################################################
+AUTH_INVALID_CREDENTIALS=Invalid Credentials
+AUTH_MISSING_CREDENTIAL_1=Missing required credential {0}
+AUTH_FAIL_LOAD_CLASS_1=Could not load authentication manager class {0}
+AUTH_AUTH_MGR_NOT_FOUND_1=Authentication {0} not found
+AUTH_AUTH_MGR_PLUGIN_NOT_FOUND_1=Authentication manager plugin name {0} not found
+AUTH_MISSING_REQUIRED_AUTHMGR_1=Missing system required auth manager instance of {0}
+AUTH_AUTH_INTERNAL_ERROR=Authentication subsystem encountered an internal error
+AUTH_AUTH_INTERNAL_ERROR_1=Authentication encountered an internal error. Detailed msg: {0}
+AUTH_ERROR_FORM_SUBJECTDN=Error formulating the Subject Name. See logs for more details.
+AUTH_NO_LDAP_ATTRS_FOUND=no LDAP Attributes found.
+AUTH_NO_LDAP_ATTRS_FOUND=no LDAP Attributes found.
+AUTH_COMPONENT_SYNTAX_1=DN pattern syntax error: {0}
+AUTH_INVALID_VALUE=Invalid attribute error: {0}
+AUTH_SRVLT_ILL_MGR_PLUGIN_ID=Another Auth manager plugin ID already exists
+AUTH_SRVLT_NULL_CLASS=Authentication manager plugin classname is null
+AUTH_SRVLT_NO_CLASS=Authentication manager plugin class not found
+AUTH_SRVLT_ILL_CLASS=Auth manager plugin class is not an instance of IAuthManager
+AUTH_SRVLT_ILL_MGR_INST_ID=An Authentication Instance with this ID already exists. Please choose a different ID.
+AUTH_SRVLT_CANNOT_FIND_MGR_IMPL=Cannot modify auth manager plugin. Cannot locate Auth Manager Implementation.
+AUTH_SRVLT_ADD_MISSING_PARAMS=Auth manager instance is missing an implementation parameter
+AUTH_SRVLT_FAIL_AUTH_MGRI_INIT=Authentication manager initialization Failed. Error {0}
+AUTH_SRVLT_MGR_IN_USE=An auth manager of this implementation is still in use.
+AUTH_EMPTY_DN_FORMED_1=Empty DN formed in Authentication Manager {0}.
+##################################################################
+# For com.netscape.certsrv.authorization
+##################################################################
+AUTHZ_INVALID_CREDENTIALS=Invalid Credentials
+AUTHZ_MISSING_CREDENTIAL_1=Missing required credential {0}
+AUTHZ_FAIL_LOAD_CLASS_1=Could not load authorization manager class {0}
+AUTHZ_AUTHZ_MGR_NOT_FOUND_1=Authorization {0} not found
+AUTHZ_AUTHZ_MGR_PLUGIN_NOT_FOUND_1=Authorization manager plugin name {0} not found
+AUTHZ_MISSING_REQUIRED_AUTHZMGR_1=Missing system required authz manager instance of {0}
+AUTHZ_AUTHZ_INTERNAL_ERROR=Authorization subsystem encountered an internal error
+AUTHZ_AUTHZ_INTERNAL_ERROR_1=Authorization encountered an internal error.
Detailed msg: {0}
+AUTHZ_AUTHZ_ACCESS_DENIED_2=authorization failed on resource: {0}, operation: {1}
+AUTHZ_UNKNOWN_PROTECTED_RESOURCE_1=unknown protected resource specified: {0}
+AUTHZ_UNKNOWN_OPERATION_1=unknown operation specified: {0}
+AUTHZ_ILLEGAL_FORMAT=Illegal Format
+AUTHZ_SRVLT_ILL_MGR_PLUGIN_ID=Another Authz manager plugin ID already exists
+AUTHZ_SRVLT_NULL_CLASS=Authorization manager plugin classname is null
+AUTHZ_SRVLT_NO_CLASS=Authorization manager plugin class not found
+AUTHZ_SRVLT_ILL_CLASS=Authz manager plugin class is not an instance of IAuthzManager
+AUTHZ_SRVLT_ILL_MGR_INST_ID=An Authorization Instance with this ID already exists. Please choose a different ID.
+AUTHZ_SRVLT_CANNOT_FIND_MGR_IMPL=Cannot modify authz manager plugin. Cannot locate Authz Manager Implementation.
+AUTHZ_SRVLT_ADD_MISSING_PARAMS=Authz manager instance is missing an implementation parameter
+AUTHZ_SRVLT_FAIL_AUTHZ_MGRI_INIT=Authorization manager initialization Failed. Error {0}
+AUTHZ_SRVLT_MGR_IN_USE=An authz manager of this implementation is still in use.
+AUTHZ_EMPTY_DN_FORMED_1=Empty DN formed in Authorization Manager {0}.
+##################################################################
+# For com.netscape.certsrv.base
+##################################################################
+BASE_UNKNOWN_HOST_1=invalid host name {0}
+BASE_INVALID_REQUEST_TYPE_1=invalid request type {0}
+BASE_PID_EXIST=logs/pid exist, server may already be running.
+BASE_AUTHENTICATE_FAILED_1=Failed to Authenticate - {0}
+BASE_INTERNAL_ERROR_1=Internal Error: {0}
+BASE_MUST_USE_SSL=Must use SSL
+BASE_INVALID_OPERATION=Invalid operation
+BASE_NO_CONFIG_FILE=Cannot find config file: {0}
+BASE_BAD_PERMISSION_FORMAT=Bad permissions format
+BASE_CREATE_SERVICE_FAILED_2=Failed to create {0} service: {1}
+BASE_GET_PROPERTY_FAILED_1=Property {0} missing value
+BASE_GET_PROPERTY_NOVALUE_1=Property {0} missing value
+BASE_INVALID_PROPERTY_1=Cannot convert property {0}
+BASE_INVALID_PROPERTY_3=Cannot convert value of property {0} to a {1}. Expected format is {2}
+BASE_CREATE_LOG_FAILED_1=Failed to create log: {0}
+BASE_LOAD_FAILED_1=Failed to load {0}
+BASE_LOAD_FAILED_2=Failed to load {0}. Error {1}
+BASE_PERMISSION_DENIED=Permission denied
+BASE_PRINCIPAL_ALREADY_EXISTS_1=Principal {0} already exists
+BASE_UNKNOWN_PRINCIPAL_1=Unknown principal {0}
+BASE_SYSTEM_EXCEPTION_1=Caught system exception {0}
+BASE_INVALID_ATTRIBUTE_1=Invalid attribute {0}
+BASE_REQUEST_IN_BAD_STATE=Request is in a bad state
+BASE_ATTRIBUTE_NAME_CAN_NOT_BE_RESOLVED=Attribute name can not be resolved : {0}
+BASE_ARGUMENT_TYPE_MISMATCH=Attribute [{0}] with values of type [{1}] can not be assigned values of type [{2}]
+BASE_BAD_THREAD_SHUTDOWN_1=Forced shutdown of thread: {0}
+BASE_INVALID_PROTOCOL=Invalid Protocol
+BASE_INVALID_RESOURCE_PATH=Invalid Resource Path: {0}
+BASE_ERROR_READING_FILE=Error Reading File: {0}
+BASE_NO_TEMPLATE_TAG=No template tag in file: {0}
+BASE_NO_DOC_ROOT=No Document Root specified
+BASE_INVALID_UI_INFO=Invalid information from UI
+BASE_UTF8_NOT_SUPPORTED=Internal Error: UTF8 encoding not supported. Check your classpath or installation.
+BASE_INVALID_UI_INFO=Invalid information from UI
+BASE_BASE64DECODE_ERROR_1=Error decoding the value as a base-64 encoded blob. System error: {0}.
+BASE_INVALID_UI_INFO=Invalid information from UI
+BASE_INVALID_NUMBER_FORMAT=Invalid number format.
+BASE_INVALID_NUMBER_FORMAT_1=Invalid number format: {0}
+BASE_INVALID_KEYSIZE_PARAMS_1=The key size {0} is outside the bounds described by the DSA key pair generation algorithm.
+BASE_PQG_GEN_FAILED=Failed to generate the PQG parameters
+BASE_ALG_NOT_SUPPORTED_1=The {0} is not supported
+BASE_ALG_NOT_ALLOWED_1=The {0} is not allowed
+BASE_KEY_GEN_FAILED=Failed to generate the key pair
+BASE_TOKEN_NOT_FOUND_1={0} token not found
+BASE_INVALID_X500_NAME_1={0} does not conform to X500
+BASE_ALG_NOT_SUPPORTED=The algorithm is not supported
+BASE_PROVIDER_NOT_SUPPORTED=The provider is not supported
+BASE_PROVIDER_NOT_SUPPORTED_1=The crypto provider is not supported: {0}
+BASE_INVALID_KEY=Invalid key
+BASE_CERT_REQ_FAILED=Failed to generate certificate request
+BASE_INVALID_CERT=Invalid certificate information: {0}
+BASE_INVALID_SIGNATURE=Invalid signature
+BASE_DECODE_CERT_FAILED=Failed to decode certificate
+BASE_DECODE_CERT_FAILED_1=Failed to decode certificate. Error {0}
+BASE_CRYPTOMANAGER_UNINITIALIZED=Crypto manager has not been initialized
+BASE_TOKEN_NOT_FOUND=Token was not found
+BASE_USERCERT_CONFLICT=Certificate conflict with an existing certificate on token. If this is a Subject DN conflict, go back to the Subject Name panel to re-enter the DN. If this is a clone CA, make sure its serial number range begins with a number greater than that of all the certificates existing on the master's DB.
+BASE_NICKNAME_CONFLICT=Nickname has conflict
+BASE_ITEM_NOT_FOUND_ON_TOKEN=Item was not found on token
+BASE_GET_SERIALNO_FAILED=Failed to get certificate serial number
+BASE_LDAP_ERROR=LDAP Error: {0}
+BASE_SIGNED_FAILED=Signed Error: {0}
+BASE_ALG_NOT_SUPPORTED_2=Algorithm not supported: {0}
+BASE_TOKEN_ERROR=Token Error: {0}
+BASE_SIGNED_FAILED=Signed Failed: {0}
+BASE_INVALID_KEY_1=Invalid key: {0}
+BASE_CERT_ERROR=Certificate Error: {0}
+BASE_DB_FAILED=Internal database operation failed
+BASE_ENCODE_CERT_FAILED=Encode certificate failed
+BASE_CA_SIGNINGCERT_NOT_FOUND=CA signing certificate not found
+BASE_CERT_NOT_FOUND=Certificate not found
+BASE_INVALID_PASSWORD_1=Invalid Password -
+BASE_INVALID_CREDENTIALS=Invalid Credentials
+BASE_CREDENTIALS_EXIST=Credentials Exist
+BASE_ATTRIBUTE_NOT_FOUND_1=Attribute Not Found {0}
+BASE_INVALID_ATTR_TYPE_2=Invalid type for attribute {0}, error: {1}
+BASE_INVALID_ATTR_VALUE_2=Invalid value for attribute {0}, error: {1}
+BASE_MISSING_PKCS10_HEADER=Missing PKCS #10 header
+BASE_MISSING_PKCS10_TRAILER=Missing PKCS #10 trailer
+BASE_UNKNOWN_ERROR=Unknown Error
+BASE_LOGIN_ALREADY=Already logged in to the token
+BASE_LOGIN_FAILED=Failed to login to the token: incorrect password
+BASE_CONN_FAILED_1=connection failed {0}
+BASE_RSA_NOT_SUPPORTED=RSA is not supported
+BASE_DSA_NOT_SUPPORTED=DSA is not supported
+BASE_KEY_LENGTH_NOT_SUPPORTED=Key length {0} is not supported
+BASE_MUST_BE_POSITIVE_NUMBER_1={0} must be a positive number greater than 0.
+BASE_MUST_BE_ZEROPOSITIVE_NUMBER_1={0} must be a positive number greater than or equal to 0.
+BASE_A_GREATER_THAN_B_2={0} must be greater than {1}.
+BASE_A_GREATER_THAN_EQUAL_B_2={0} must be greater than or equal to {1}.
+BASE_REMOTE_AUTHORITY_ERROR=Backend server rejected or cancelled the request.
+BASE_INVALID_CERT_EXTENSION=Invalid certificate extension.
+BASE_EXTENSION_ERROR=Extension error encountered. Error {0}.
+BASE_NO_EMPTY_CIPHERPREFS=Blank cipher preferences are not allowed
+BASE_NOT_TOKEN_CERT=The certificate being deleted is not a token certificate
+BASE_INVALID_CERT_FORMAT=Invalid certificate content
+BASE_TOKEN_ERROR_0=Token Error
+BASE_FILE_NOT_FOUND=File not found
+BASE_OPEN_FILE_FAILED=Failed to open file
+BASE_INVALID_FILE_PATH=Invalid file path
+BASE_REVOCATION_CHALLENGE_QUEUE=Failed to get the queue for challenge phrase authentication
+BASE_REQUIRED_PARAMETER={0} is a required parameter
+BASE_FAIL_LOAD_CLASS_2=Failed to load class {0}. Error: {1}
+BASE_INVALID_VALUE_FOR_TYPE_2=Invalid value for type {0}. Error: {1}
+BASE_BAD_REQUEST_VERSION_2=Cannot process request from a previous version of CS (version {0}). Expected version is {1}.
+BASE_NOT_CA_CERT=The selected certificate for the Certificate Manager CA Signing Certificate is not a CA signing certificate.
+BASE_INVALID_IP_ADDR_1=Invalid IP Address {0}.
+BASE_NO_USER_CERT=Client did not present an SSL client cert.
+BASE_FAIL_IMPORT_CERT=import certificate failed
+BASE_IO_ERROR=I/O error encountered. Error {0}.
+BASE_UNKNOWN_EXCEPTION=Unknown Exception encountered. {0}.
+##################################################################
+# For com.netscape.certsrv.base
+##################################################################
+PASSWORD_EMPTY_PASSWORD=The password is empty
+PASSWORD_INVALID_LEN_1=The password must be at least {0} characters
+PASSWORD_NON_ALPHANUMERIC=The password contains non-alphanumeric characters
+PASSWORD_MISSING_NUMERIC_1=The password requires at least {0} numeric digit(s)
+PASSWORD_MISSING_UPPER_CASE_1=The password requires at least {0} upper case letter(s)
+PASSWORD_MISSING_LOWER_CASE_1=The password requires at least {0} lower case letter(s)
+##################################################################
+# For com.netscape.certsrv.ca
+##################################################################
+CA_SYSTEM_EXCEPTION_ADMIN=System exception occurred : {0}
+CA_SYSTEM_EXCEPTION_USER=System exception occurred while processing request, contact your administrator
+CA_ADD_CERT_FAILED=failed to add certificate
+CA_CONNECT_DIR_FAILED=failed to connect directory server
+CA_CREATE_SESSION_FAILED=failed to create session
+CA_GET_NAME_FAILED_1=failed to get name {0}
+CA_GET_ISSUER_NAME_FAILED=failed to get issuer name
+CA_GET_ATTRIBUTE_FAILED=failed to get attribute
+CA_CREATE_CERT_FAILED=failed to create certificate
+CA_NO_SUCH_ATTRIBUTE=no such attribute
+CA_REQUEST_IN_BAD_STATE=request is in a bad state
+CA_REQUEST_STARTED=request started
+CA_REQUEST_AFTER_VALIDATION=request after validation
+CA_REQUEST_COMPLETED=request completed
+CA_ATTRIBUTE_NAME_CAN_NOT_BE_RESOLVED=attribute name can not be resolved : {0}
+CA_ARGUMENT_TYPE_MISMATCH=attribute [{0}] with values of type [{1}] can not be assigned values of type [{2}]
+CA_GET_CA_CERT_FAILED=error reading CA certificate
+CA_RULE_INITIALIZATION_FAILURE=rule [{0}] failed to initialize : {1}
+CA_BAD_POLICY_RESULT_ADMIN=policy rule [{0}] returned invalid state : {1}
+CA_BAD_POLICY_RESULT_USER=policy rule returned invalid result
+CA_INCONSISTENT_CERTIFICATE_VERSION=certificate version requested is inconsistent with certificate content
+CA_POLICY_DID_NOT_SET_STATE_ADMIN=policy rule [{0}] did not set state
+CA_NO_CERTIFICATE_FOUND_1=certificate #{0} was not found
+CA_CERTIFICATE_ALREADY_EXPIRED_1=certificate #{0} has already expired
+CA_CERTIFICATE_ALREADY_REVOKED_1=certificate #{0} has already been revoked
+CA_FAILED_CONSTRUCTING_CRL_1=failed constructing CRL : {0} initialization of CRL issuing point {1} failed : {2} Contains Port number currently being used by other server.
+FAILED_REMOVING_CRL_IP=Failed removing CRL issuing point {0}: {1}.
+CA_SEND_KRA_REQUEST=Sending DRM request failed
+CA_SEND_CLA_REQUEST=Sending CLA request failed
+CA_NUMBER_FORMAT_ERROR=Non-numeric data in numeric field
+CA_CRL_FREQ_RANGE_ERROR=CRL publishing frequency must between 1 and 7 days
+CA_CRL_SIGNING_ALG_MISCONFIG_1=CRL signing algorithm configuration error : {0}
+CA_SIGNING_ALGOR_NOT_SUPPORTED_1=Signing Algorithm {0} is not supported for the CA signing token.
+CA_INIT_PUBLISH_MODULE_FAILED=Failed initializing publishing module.
+CA_INIT_LDAP_PUBLISH_MODULE_FAILED=Failed initializing LDAP publishing module.
+CA_INVALID_CERT_IN_REQUEST_1=Invalid CertInfo in issuing request {0}.
+CA_COULD_NOT_FORMULATE_CRL_EXT_1=Could not formulate CRL Extension for serial number {0}
+CA_CERT_ALREADY_REVOKED_1=Certificate Serial Number {0} is already revoked
+CA_MISSING_SERIALNO_ON_REVOKE=Missing Serial Number in revocation request
+CA_MISSING_REQD_FIELDS_IN_CERTISSUE=Missing required fields in certificate info of certificate issuing request
+CA_NO_CERTINFO_IN_ISSUE_REQUEST=Missing certificate info in certificate issuing request
+CA_UNRECOGNIZED_REQUEST_TYPE_1=Unrecogized request type {0}
+CA_ERROR_GETTING_FIELDS_IN_ISSUE=Error Getting certificate info fields in issuing request.
+CA_CRL_ISSUEPT_NOT_FOUND_1=CRL Issue Point {0} not found in CRL repository.
+CA_CRL_ISSUEPT_NOGOOD_1=CRL in CRL Issue Point {0} is malformed.
Cannot instantiate CRL.
+CA_CRL_ISSUEPT_EXT_NOGOOD_1=CRL in CRL Issue Point {0} has malformed extensions. Cannot instantiate CRL.
+CA_FAILED_SET_CERTFIELDS=Error setting Certificate serial number or issuer name.
+CA_FAILED_SET_CERTFIELDS_1= Error setting certain Certificate Fields. {0}
+CA_FAILED_SET_ISSUER=Request {0} was completed with errors.\nError setting Certificate issuer name.
+CA_FAILED_SET_SERIALNO=Request {0} was completed with errors.\nError setting Certificate Serial number.
+CA_FAILED_NOSERIALNO=Request {0} was completed with errors.\nCA has exausted all available serial numbers.
+CA_FAILED_SIGNING_CRL_1=Failed signing CRL. Error {0}
+CA_FAILED_SIGNING_CERT_1=Failed signing certificate. Error {0}
+CA_MISSING_INFO_IN_ISSUEREQ=Missing certificate info in issuing request
+CA_MISSING_INFO_IN_RENEWREQ=Missing certificate info in renewal request.
+CA_MISSING_INFO_IN_RENEWREQ_1=Missing certificate info in renewal request. {0}.
+CA_MISSING_INFO_IN_REVREQ=Missing revocation info in revocation request
+CA_MISSING_INFO_IN_CLAREQ=Missing CLA certificate info in cert4CRL request
+CA_REVOKE_FAILED=One or more certificates could not be revoked
+CA_CERT4CRL_FAILED=One or more revoked certificates could not be recorded by CLA
+CA_UNCERT4CRL_FAILED=One or more revoked certificates could not be removed by CLA
+CA_RENEW_FAILED=One or more certificates could not be renewed
+CA_CANT_FIND_CERT_SERIAL_1=Cannot find certificate with serial number {0}
+CA_NO_CONFIG_FOR_MASTER_CRL=Configuration for Master CRL not found.
+CA_TOKEN_NOT_FOUND_1=Token {0} not found.
+CA_CERT_OBJECT_NOT_FOUND=Certificate object not found.
+CA_INVALID_PASSWORD=Invalid Password.
+CA_TOKEN_ERROR=Token Error.
+CA_CRYPTO_NOT_INITIALIZED=Crypto Layer has not been initialized.
+CA_SIGNING_ALGOR_NOT_SUPPORTED_FOR_KEY_1=Algorithm {0} is not supported for the signing token and key.
+CA_CANNOT_BUILD_CA_CHAIN_1=Could not get or build CA chain.
Error {0}
+CA_NO_PUBLISH_CONFIG_FOUND=No Publishing configuration found.
+CA_NO_LDAP_PUBLISH_CONFIG_FOUND=No LDAP Publishing configuration found.
+CA_X509CERT_VERSION_NOT_SUPPORTED=Certificate Version in the configuration is not supported.
+CA_CERT_BEGIN_AFTER_CA_VALIDITY=Certificate validity cannot begin past the CA certificate's validity.
+CA_EXPORT_POLICY_VIOLATION=Signature Algorithm {0} is not allowed by export policy.
+CA_MISSING_SERIAL_NUMBER=Missing or invalid serial number
+CA_UNREVOKE_FAILED=One or more certificates could not be unrevoked
+CA_IS_NOT_ON_HOLD=Certificate {0} has to be on-hold to perform this operation.
+CA_CRL_PERIODIC_UPDATE=The CRL is updated periodically.
+CA_CANNOT_RENEW_REVOKED_CERT_1=Certificate serial number {0} to be renewed is revoked. Cannot renew a revoked certificate.
+CA_ERROR_GETTING_RENEWED_CERT_2=Error getting renewed certificate {0} for certificate {1}.
+CA_CRL_DECODE_FAILED_1=Could not decode CRL {0} in the internaldb.
+CA_ERROR_PUBLISH_CRL_2=Error publishing CRL {0}: {1}.
+CA_CANT_FIND_MANAGER=Can't find Certificate Manager.
+CA_UNKNOWN_ALT_KEY_ID_TYPE=Unknown alternate CA Key ID type. {0}.
+CA_CERT_INFO_ERROR=Certificate Info Error encountered. {0}.
+CA_UNKNOWN_NAME_TYPE=Unknown name type {0}.
+CA_UNKNOWN_REASON=Unknown reason {0}.
+##################################################################
+# For com.netscape.certsrv.dbs
+##################################################################
+DB_FAILED_TO_CONNECT_LDAP_1=Failed to connect LDAP server {0}
+DB_FAILED_TO_SERIALIZE_1=Failed to serialize attribute {0}
+DB_FAILED_TO_DESERIALIZE_1=Failed to de-serialize attribute {0}
+DB_INVALID_ATTRS=Invalid attributes
+DB_INVALID_CLASS_NAME_1=Invalid class name {0}
+DB_INVALID_FILTER_ITEM_1=Invalid filter item {0}
+DB_LDAP_OP_FAILURE_1=LDAP operation failure - {0}
+DB_NO_MAPPER_FOUND_1=No mapper found for {0}
+DB_INTERNAL_DIR_UNAVAILABLE=Internal database is unavailable.
+DB_INTERNAL_DIR_ERROR=Internal Database Error encountered: {0}.
+DB_ADD_ENTRY_FAILED=Failed to add the schema entry.
+DB_INIT_CACHE_1=Init serial number cache failed: {0}.
+DB_LIMIT_REACHED_1=All serial numbers are used.
+DB_SETBACK_SERIAL_1=The serial number is already in use.\n
+DB_SETBACK_MAXSERIAL_1=The serial number is already in use.\n
+##################################################################
+# For com.netscape.certsrv.extensions
+##################################################################
+EXTENSIONS_CLASS_NOT_FOUND_1=Class {0} was not found.
+EXTENSIONS_ERROR_INSTANTIATE_2=Could not create an instance of {0}. Error {1}.
+EXTENSIONS_INVALID_IMPL_1=Class {0} does not implement the ICMSTemplate interface.
+EXTENSIONS_INCORRECT_IMPL_1=Class {0} must return non-null for the extension name and OID.
+EXTENSIONS_ERROR_CREATING_EXT_1=Error creating a {0} extension.
+##################################################################
+# For com.netscape.certsrv.jobs
+##################################################################
+JOBS_FAIL_LOAD_CLASS_1=Could not load Job class {0} for the Jobs Scheduler
+JOBS_PLUGIN_NOT_FOUND_1=Could not find plugin {0} for the Jobs Scheduler
+JOBS_SRVLT_ILL_JOB_PLUGIN_ID=Another job plugin ID already exists
+JOBS_SRVLT_JOB_PLUGIN_NOT_FOUND_1=job plugin {0} not found
+JOBS_SRVLT_JOB_NOT_FOUND_1=job {0} not found
+JOBS_SRVLT_NULL_CLASS=job plugin classname is null
+JOBS_SRVLT_NO_CLASS=job plugin class not found
+JOBS_SRVLT_ILL_CLASS=job plugin class is not an instance of IJob
+JOBS_SRVLT_ILL_JOB_INST_ID=job plugin ID already exists
+JOBS_SRVLT_ADD_MISSING_PARAMS=job instance is missing an implementation parameter
+JOBS_SRVLT_MISSING_INST_PARAM_VAL_1=job instance missing value for parameter: {0}
+JOBS_SRVLT_FAIL_JOBI_INIT=job initialization Failed. Error {0}
+JOBS_SRVLT_JOB_IN_USE=A job of this implementation is still in use.
+##################################################################
+# For com.netscape.certsrv.kra
+##################################################################
+KRA_PUBLIC_KEY_NOT_MATCHED=Public Key does not match
+KRA_INVALID_KEYRECORD=Invalid Key record
+KRA_INVALID_OWNER_NAME=Invalid Owner Name
+KRA_INVALID_PUBLIC_KEY=Invalid Public Key
+KRA_INVALID_PRIVATE_KEY=Invalid Private Key
+KRA_INVALID_STATE=Invalid State
+KRA_INVALID_M=Invalid M
+KRA_INVALID_N=Invalid N
+KRA_INVALID_PASSWORD=Invalid Password
+KRA_POA_DECODE_FAILED_1=Failed to decode Proof-of-Archival {0}
+KRA_POA_ENCODE_FAILED_1=Failed to encode Proof-of-Archival {0}
+KRA_INVALID_KRA_NAME=Invalid KRA Name
+KRA_RECOVERY_FAILED_1=Recovery Failed {0}
+KRA_PKCS12_FAILED_1=PKCS #12 Creation Failed {0}
+KRA_KEYID_FAILED_1=Key Identifier Creation Failed {0}
+KRA_KEYBAG_FAILED_1=Key Bag Creation Failed {0}
+KRA_UNKNOWN_KEY_ID_TYPE=Unknown Key Identifier type. {0}.
+##################################################################
+# For com.netscape.certsrv.ldap
+##################################################################
+LDAP_BAD_LDAP_EXPRESSION=Malformed publishing rule predicate expression: {0} publishing subsystem encountered an internal error publishing. Detailed msg: {0} Error formulating the Subject Name. See logs for more details. No LDAP Attributes found. DN pattern syntax error: {0} Failed to publish using rule: {0} Failed to unpublish using rule: {0} Attribute: {0} is not supported in dnPatternAnother plugin ID already exists. Plugin classname is null. Plugin class not found. Plugin class is not an instance of {0}. Plugin instance ID already exists. Instance missing implementation parameter. Instance initialization Failed. Error {0}. An instance of this implementation is still in use.
+LDAP_INIT_LDAP_PUBLISH_MODULE_FAILED=Failed initializing LDAP publishing module.
+LDAP_NO_LDAP_PUBLISH_CONFIG_FOUND=No LDAP Publishing configuration found.
+LDAP_INVALID_DN_OR_PASSWORD=Invalid DN or Password
+LDAP_NOT_YET_IMPLEMENTED=This feature is not yet implemented
+LDAP_NON_UNIQUE_LDAP_ENTRY_FOUND=Could not find a unique match in the LDAP server for the certificate or CRL
+LDAP_CONNECT_TO_LDAP_SERVER_FAILED_3=Could not connect to the LDAP server host {0} port {1} Error {2}
+LDAP_UNKNOWN_ATTR_IN_DN_FILTER_COMPS=Unrecognized attribute {0} in DN or Filter comps
+LDAP_MISSING_DN_OR_FILTER_COMPS_IN_CONFIG=Missing DN or filter components in the configuration
+LDAP_GET_ISSUER_FROM_CRL_FAILED=Cannot get the Issuer name from the CRL {0}
+LDAP_GET_LDAP_DN_STRING_FAILED=Cannot get the LDAP DN String from the subject DN {0}
+LDAP_GET_CERT_SUBJECT_DN_FAILED=Cannot get the Subject DN from the Certificate {0}
+LDAP_NO_COMPONENTS_IN_DN=No components in the subject name {0} to form the LDAP DN
+LDAP_DECODING_CERT_FAILED=Could not parse a DER encoded certificate from the LDAP server. {0}
+LDAP_GET_DER_ENCODED_CERT_FAILED=Error getting the DER encoding of the certificate for {0}
+LDAP_GET_DER_ENCODED_CRL_FAILED=Error getting the DER encoding of the CRL. {0}
+LDAP_ERROR_PUBLISH_CACERT=Error publishing CA Certificate {0}
+LDAP_ERROR_PUBLISH_CACERT_1=Error publishing CA Certificate {0}. Error {1}.
+LDAP_ERROR_PUBLISH_CRL=Error publishing CRL {0}
+LDAP_ERROR_UNPUBLISH_CRL=Error unpublishing CRL {0}
+LDAP_ERROR_PUBLISH_USERCERT=Error publishing User Certificate {0}
+LDAP_ERROR_UNPUBLISH_USERCERT=Error unpublishing User Certificate {0}
+LDAP_ERROR_UNPUBLISH_CACERT=Error unpublishing CA Certificate {0}
+LDAP_ERROR_UNPUBLISH_CERT=Error unpublishing Certificate {0}. Error {1}.
+LDAP_NO_MATCH_FOUND=Cannot find a match in the LDAP server for the certificate. {0}
+LDAP_OTHER_LDAP_EXCEPTION=LDAPException caught from the operation. {0}
+LDAP_GET_OID_FOR_ATTR_FAILED=Cannot get OID for attr {0} {1}
+LDAP_LDAP_SERVER_DOWN=Cannot publish to the LDAP server, the server is down. {0}
+LDAP_LDAP_MODIFY_FAILED=Cannot modify entry {0} in the LDAP server.
{1}
+LDAP_NO_DN_MATCH_1=No DN matched for {0}
+LDAP_NO_DN_AND_FILTER_COMPS=No components to form the DN or the filter for {0}
+LDAP_NO_DN_COMPS_AND_BASEDN=No base DN and no components to form the DN for {0}
+LDAP_MORE_THAN_ONE_ENTRY=Certificate {0} mapped to more than one entry
+LDAP_CANNOT_RESET_CONNFAC=Cannot reset the LDAP connection factory because some connections are still outstanding.
+LDAP_MAPPER_PLUGIN_NOT_FOUND_1=Mapper plugin not found named: {0}
+LDAP_NO_MAPPER_INSTANCE=No Mapper instance can be found.
+LDAP_NO_MAPPER_MATCHED_1=No Mapper instance is matched for request {0}.
+LDAP_PUBLISHER_PLUGIN_NOT_FOUND_1=Publisher plugin not found named: {0}
+LDAP_NO_PUBLISHER_INSTANCE=No Publisher instance can be found.
+LDAP_NO_PUBLISHER_MATCHED_1=No Publisher instance is matched for request {0}.
+LDAP_RULE_PLUGIN_NOT_FOUND_1=Rule plugin not found named: {0}
+LDAP_NO_RULE_INSTANCE=No Rule instance can be found.
+LDAP_NO_RULE_MATCHED_1=No Rule instance is matched for request {0}.
+LDAP_CLASS_NOT_FOUND_1=Class not found for {0}
+LDAP_FAIL_LOAD_CLASS_1=Failed to load class {0}
+LDAP_FAILURE_INSTANTIATING_CLASS_1=Cannot instantiate class {0}
+LDAP_INSUFFICIENT_CREDENTIALS_1=Insufficient credentials to instantiate the class for {0}
+LDAP_NO_MATCH_1=certificate or CRL {0} did not map to an entry in the directory
+LDAP_FORM_DN_COMPS_FAILED=Failed to form DN components from the subject name
+LDAP_LDAP_SERVER_UNAVAILABLE_2=The LDAP server on host {0} port {1} is unavailable.
+LDAP_UNKNOWN_RETURNED_CONN=the connection returned is not from this factory.
+LDAP_BAD_RETURNED_CONN=the connection returned has already been returned.
+LDAP_UNEXPECTED_LDAP_ERROR_2=Plugin: {0} - Unexpected error: {1}.
+LDAP_INVALID_NUMCONN_PARAMETERS=Invalid value for minConn or maxConn parameters. minConn and maxConn must be greater than 0 and minConn must be less than maxConn.
+LDAP_ALREADY_PUBLISHED_1=certificate {0} is already published.
+LDAP_ALREADY_UNPUBLISHED_1=certificate {0} is already unpublished. +LDAP_NO_REQUEST_2=No request associated with the cert. Can not get request {0} to form LDAP DN component {1}. +LDAP_FAIL_CREATE_CA_1=Failed to create the CA entry with the DN: {0}. There may be entries in the directory hierarchy which do not exist. Please create them manually. +LDAP_FAIL_CREATE_ENTRY_1=Failed to create an entry with the DN: {0}. There may be entries in the directory hierarchy which do not exist. Please create them manually. +################################################################## +# For com.netscape.certsrv.logging +################################################################## +LOG_DEBUG_STRING_1={0} +LOG_LOGSUBSYSTEM_INIT_0=LogSubsystem already initialized! +LOG_LOG_THREAD_INTERRUPT_1=log {0} thread interupted +LOG_ROTATE_LOG_FAILED_2=failed to rotate log \"{0}\", error: {1} +LOG_WRITE_FAILED_3=failed to write in file: \"{0}\", entry: {1}, error: {2} +LOG_FLUSH_LOG_FAILED_2=failed to flush log \"{0}\", error: {1} +LOG_EXPIRE_LOG_FAILED_1=can't expire log files, error: {0} +LOG_LOG_EVENT_FAILED_2=failed to log event \"{0}\", error: {1} +LOG_LOGFILE_CLOSED_2=attempt to log message \"{0}\" to closed log file {1} +LOG_EXPIRATION_TIME_ZERO=log expiration time must be greater than 0 +LOG_DIRECTORY_LIST_FAILED_2=unable to list directory {0} with filter {1} +LOG_NO_SUCH_ALGORITHM_1=can't find MessageDigest algorithm for {0}. Tamper evident log disabled +LOG_NO_SUCH_ALGORITHM_0=can't find algorithm. Tamper evident log disabled +LOG_DIGEST_NOT_CLONABLE_1=MessageDigest algorithm for {0} is not clonable. Tamper evident log disabled +LOG_DIGEST_IOERROR_1=caught {0} while writing digest. 
Tamper evident log disabled +LOG_INVALID_FILE_NAME_1=attempt to initialize log with an invalid filename: \"{0}\" +LOG_UNEXPECTED_EXCEPTION_1=caught unexpected exception: {0} +LOG_UNEXPECTED_EXCEPTION_0=caught unexpected exception +LOG_ILLEGALARGUMENT_1=illegal argument when opening: {0} +LOG_CLOSE_FAILED_2=failed to close file \"{0}\", error: {1} +LOG_INVALID_LOG_TYPE_1=attempt to initialize log with an invalid log type: \"{0}\" +LOG_INVALID_LOG_LEVEL_1=log level: {0} is invalid, should be 0-6 +LOG_LOG_NOT_FOUND_1=Log instance not found named: {0} +LOG_LOG_PLUGIN_NOT_FOUND_1=Log plugin not found named: {0} +LOG_FAIL_LOAD_CLASS_1=Failed to load class {0} +LOG_SIGNED_AUDIT_EXCEPTION_1=caught signed audit log exception: {0} +LOG_SIGNING_OP_FAILED=signature operation failed +LOG_SIGNING_CERT_NOT_FOUND=log-signing certificate not found +################################################################## +# For com.netscape.certsrv.notification +################################################################## +NOTIFICATION_SMTP_SEND_FAILED_1=Failed to send mail to {0} +NOTIFICATION_EMAIL_RESOLVE_FAILED_1=Failed to resolve email for {0} +NOTIFICATION_NO_SMTP_SENDER=email sender not found +NOTIFICATION_NO_SMTP_RECEIVER=email receiver not found +################################################################## +# For com.netscape.certsrv.policy +################################################################## +POLICY_NO_SUBJECT_NAME_1=Policy Rule: {0} - Internal Error: No Subject Name Found. +POLICY_SUBJECT_NAME_EXIST_1=Policy Rule: {0} - Subject Name Exist. +POLICY_NO_CERT_INFO=Policy Rule: {0} - Internal Error: No Certificate info set on the request. +POLICY_NO_OLD_CERT=Policy Rule: {0} - Internal Error: The certificate(s) being renewed are not set on the request. +POLICY_LONG_RENEWAL_LEAD_TIME=Policy Rule: {0} - Certificate(s) can be renewed only within {1} days before expiry. 
+POLICY_MISMATCHED_CERTINFO=Policy Rule: {0} - Internal Error: The number of certificates input for renewal are incorrect. +POLICY_NO_PIN_AUTH=Policy Rule: {0} - OTP (or Pin) authentication is required. Please use the correct enrollment form. +POLICY_NO_DIR_AUTH=Policy Rule: {0} - Directory authentication is required. Please use the correct enrollment form. +POLICY_MORE_THAN_ONE_CERT=Policy Rule: {0} - Internal Error: Legacy enrollment is for one certificate only. +POLICY_KEY_SIZE_VIOLATION=Policy Rule: {0} - Key Size Violation occurred: Actual: {1}, Constraints (Min: {2}, Max: {3}). +POLICY_KEY_SIZE_VIOLATION_5=Policy Rule: {0} - Key Size Violation occurred: Actual: {1}, Constraints (Min: {2}, Max: {3}, Increment: {4}). +POLICY_EXPONENT_VIOLATION=Policy Rule: {0} - The given exponent: {1} is not in the configured list: {2}."}, {NO_KEY_PARAMS, "Policy Rule: {0} - Could not parse key parameters in key number {1}. +POLICY_AUTH_ERROR=Policy Rule: {0} - Authentication failure in: {1}. +POLICY_KEY_ALG_VIOLATION=Policy Rule: {0} - Key algorithm: {1} is not allowed by the policy. +POLICY_INVALID_BEGIN_TIME=Policy Rule: {0} - Begin time cannot be after current time. +POLICY_MORE_THAN_MAX_VALIDITY=Requested validity ({1} day(s)) is longer than the maximum allowed ({2} day(s)) in the {0} policy. +POLICY_LESS_THAN_MIN_VALIDITY=Requested validity ({1} day(s)) is shorter than the minimum allowed ({2} days) in the {0} policy. +POLICY_SIGNING_ALG_VIOLATION=Policy Rule: {0} - Signing algorithm: {1} is not allowed by the policy. +POLICY_MISSING_RDN=Policy Rule: {0} - Subject name constraints violation - component: {1} is not present. +POLICY_MISMATCHED_RDN=Policy Rule: {0} - Subject name constraints violation - value {1} for {2} does not match the configured value {3}. +POLICY_NAME_CONSTRAINTS_ERROR=Policy Rule: {0} - Subject name constraints error: {1}. +POLICY_NO_RDNS=Policy Rule: {0} - No RDNS in request to formulate subject Name. 
+POLICY_MIS_MATCHED_PATTERN=Policy Rule: {0} - Mismatched pattern in subject name: given name: {1}, configured pattern: {2}. +POLICY_EXISTING_CERT_DETAILS=Policy Rule: {0} - Your most recent certificate details are : {1}. +POLICY_UNEXPECTED_POLICY_ERROR=Policy Rule: {0} - Unexpected error: {1}. +POLICY_INVALID_ISSUER=Invalid Issuer DN +POLICY_CLIENT_ISSUER_NOT_FOUND=issuer of client certificate not found +POLICY_INVALID_POLICY=Invalid Policy. Policy {0} can only be used in a CA. +POLICY_INVALID_POLICY_CLASS=Policy rule: {0} - Invalid policy class: {1}. +POLICY_ERROR_LOADING_POLICY=Policy rule: {0} - Error loading policy class: {1}. +POLICY_UNSUPPORTED_KEY_ALG=Policy rule: {0} - Key algorithm: {1} is not supported. +POLICY_INVALID_CONFIG_PARAM=Policy rule: {0} - Invalid configuration value: {1} for parameter: {2}. +POLICY_INVALID_X500NAME_COMPONENT=Policy rule: {0} - {1} is not a supported X500Name component. +POLICY_MISSING_POLICY_CONFIG=Policy rule: {0} - Missing configuration info. +POLICY_INVALID_POLICY_CONFIG=Policy rule: {0} - Error in configuration: {1}. +POLICY_UNSUPPORTED_SIGNING_ALG=Policy rule: {0} - Signing algorithm: {1} is not supported. +POLICY_PARAM_CONFIG_ERROR=Policy rule: {0} - Unexpected error: {1} in configuring parameter: {2}. +POLICY_BAD_POLICY_EXPRESSION=Malformed Policy Expression: {0} +POLICY_INVALID_ATTR_VALUE=Invalid value type: {0} for policy attribute +POLICY_MISSING_PERSISTENT_RULE=Persistent rule: {0} is missing in the configuration. +POLICY_PERSISTENT_RULE_INACTIVE=Persistent rule: {0} should not be disabled. +POLICY_PERSISTENT_RULE_MISCONFIG=Persistent rule: {0} is configured with a different predicate: default: {1}, actual: {2}. +POLICY_CANT_DELETE_PERSISTENT_POLICY=Persistent rule: {0} can't be deleted. 
+POLICY_INVALID_POLICY_OPCODE=Invalid operation code: {0} in predicate +POLICY_NO_POLICY_CONF=No policy rule configuration for rule: {0} +POLICY_POLICY_ERROR=Uexpected policy error: {0} +POLICY_NO_POLICY_IMPL=No policy implementation exists for: {0} +POLICY_INVALID_POLICY_INSTANCE=No policy instance exists for: {0} +POLICY_ACTIVE_POLICY_RULES_EXIST=Active policy rule instances exist for implementation: {0} +POLICY_ACTIVE_POLICY_RULE=Policy instance: {0} is active and can't be deleted +POLICY_ERROR_DELETING_POLICY=Error deleting policy {0}: {1} +POLICY_DUPLICATE_IMPL_ID=A Policy implementation with ID: {0} already exists +POLICY_ERROR_ADDING_POLICY=Error adding policy {0}: {1} +POLICY_INVALID_POLICY_IMPL=Invalid policy implementation: {0}. Policy class must implement one or more of IEnrollmentPolicy, IRenewalPolicy, IRevocationPolicy, IKeyRecoveryPolicy or IKeyArchivalPolicy. +POLICY_DUPLICATE_INST_ID=A Policy rule with ID: {0} already exists +POLICY_POLICY_ORDER_ERROR=Error changing policy ordering: {0} +POLICY_POLICY_IMPLCHANGE_ERROR=Can't change the implementation while modifying policy instance: {0} +POLICY_ERROR_MODIFYING_POLICY=Error modifying policy instance: {0} +POLICY_NO_RULES_CONFIGURED=Configuration Error: No policy rules configured for {0} request. +POLICY_SYSTEM_POLICY_CONFIG_ERROR=System policy: {0} is not configurable. +POLICY_INVALID_IMPL_IN_RULE_3=Could not instantiate class {0} for implementation {1} in policy rule {2}. +POLICY_IMPL_CLASS_NOT_FOUND_3=Class {0} for implementation {1} in policy instance {2} was not found. +POLICY_IMPL_NOT_FOUND_2=Policy implementation {0} configured for instance {1} was not found. +POLICY_POLICY_INIT_ERROR_2=Could not initialize policy rule instnace {0}. Error {1} +POLICY_NO_POLICY_ORDERING=No policy ordering is configured +POLICY_INVALID_RENEWAL_INTERVAL=Policy Rule: {0} - Renewal interval: {1} days cannot be more than maximum validity: {2} days. 
+POLICY_INVALID_RENEWAL_MIN_MAX=Policy Rule: {0} - Renewal minimum validity: {1} days cannot be bigger than maximum validity: {2} days. +POLICY_MAXPATHLEN_TOO_BIG_3=In policy rule {0}, the subordinate CA basic constraints extension path length ({1}) cannot be greater than or equal to the maxPathLen configuration value ({2}). +POLICY_INVALID_MAXPATHLEN=Policy Max PathLen is invalid. +POLICY_MAXPATHLEN_TOO_BIG_4=In policy rule {0}, the maxPathLen configuration value ({1}) cannot be greater than or equal to the maxPathLen of the CA certificate ({2}). +POLICY_INVALID_MAXPATHLEN_2=In policy rule {0}, the maxPathLen configuration value ({1}) must be 0 if the CA's basic constraints extension path length is 0. +POLICY_INVALID_MAXPATHLEN_4=In policy rule {0}, the maxPathLen configuration value ({1}) must be greater than or equal to 0 or left empty. +POLICY_PATHLEN_TOO_BIG_3=In policy rule {0}, the requested basic constraints extension path length ({1}) cannot be greater than the maximum path length allowed ({2}). +POLICY_PATHLEN_ZERO=The CA's basic constraints path length is 0,indicating that no subordinate CA certificates are allowed under this CA. Be warned that all requests for CA certificates will be rejected by this policy as a result. +POLICY_ERROR_BASIC_CONSTRAINTS_1=In policy rule {0}, could not create a basic constraints extension for the certificate. +POLICY_ERROR_BASIC_CONSTRAINTS_2=Could not create a basic constraints extension for the certificate. Error {0}. +POLICY_INVALID_PATHLEN_FORMAT_2=In policy rule {0}, the requested basic constraints extension path length ({1}) must be an integer. +POLICY_NO_SUB_CA_CERTS_ALLOWED_1=In policy rule {0}, no subordinate CA certificates are allowed since the CA's basic constraints path length is 0. +POLICY_ERROR_AUTHORITY_KEY_ID_1=In policy rule {0}, Error encountered while creating Authority Key Identifier for the CA. +POLICY_MISSING_KEY_1=In policy rule {0}, missing public key in certificate request. 
+POLICY_ERROR_SUBJECT_KEY_ID_1=In policy rule {0}, failed to create subject key identifier extension for certificate request. +POLICY_CANNOT_RENEW_EXPIRED_CERTS_1=In policy rule {0}, one or more certificates to be renewed has expired. Cannot renew an expired certificate. +POLICY_CANNOT_RENEW_EXPIRED_CERTS_AFTER_ALLOWED_PERIOD=In policy rule {0}, one or more certificates to be renewed has been expired for more than {1} days. Cannot renew an expired certificate. +POLICY_CANNOT_REVOKE_EXPIRED_CERTS_1=In policy rule {0}, one or more certificates to be revoked has expired. Cannot revoke an expired certificate. +POLICY_PIN_UNAUTHORIZED=You are not authorized to make this transaction. +POLICY_ERROR_CERTIFICATE_POLICIES_1=In policy rule {0}, could not create a certificate policies extension for the certificate. +POLICY_UNKNOWN_SIGNING_ALG_2=In policy rule {0}, signing algorithm {1} is unknown to CS. +POLICY_SIGNALG_NOT_MATCH_CAKEY_2=In policy rule {0}, signing algorithm {1} does not match the CA's private key. +POLICY_SIGNALG_NOT_MATCH_CAKEY_1=In policy rule {0}, allowed algorithms do not match the CA's private key. The parameters of this rule need to be updated in the CS.cfg. +POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET=In policy rule {0}, no extension bits are set. +POLICY_NO_ON_HOLD_ALLOWED=Policy Rule: {0} - On-Hold is not allowed. +POLICY_INVALID_OID=Error invalid policy OID {0} for request {1}. Error {2}. +POLICY_INIT_ERROR=INIT Error encountered: +POLICY_COMMENT_FILE_NOT_FOUND=Comment Text file not found : {0}. +POLICY_ERROR_NAME_CONST_EXTENSION=Error processing NameConstraints Extension: {0}. +POLICY_ERROR_CANT_INIT_POLICY_CONST_EXT=Could not init Policy Constraints Extension. Error: {0}. +POLICY_ERROR_CANT_PROCESS_POLICY_CONST_EXT=Could not init Policy Constraints Extension. Error: {0}. +POLICY_ERROR_CREATE_MAP=Error creating Policy Map. {0}. 
+POLICY_ERROR_CREATE_CERT_POLICY=Error creating Certificate Policy {0} +POLICY_ERROR_PROCESS_POLICYMAP_EXT=Error processing PolicyMappings Extension: {0}. +POLICY_ERROR_CREATE_PRIVATE_KEY_EXT=Error creating Private Key Extension. {0}. +POLICY_ERROR_GET_KEY_FROM_CERT= Policy {0}. Error getting Key from certificate: {1}. +################################################################## +# For com.netscape.certsrv.usrgrp +################################################################## +USRGRP_SERVER_ERROR=internal server error +USRGRP_USR_CERT=user certificate related error +USRGRP_FAIL_GRP_REMOVE=Failed to remove group +USRGRP_FAIL_USR_REMOVE=Failed to remove user +USRGRP_FAIL_GRP_ADD=Failed to add group +USRGRP_FAIL_USR_FIND=User not found +USRGRP_FAIL_GRP_MOD=failed to modify group +USRGRP_ILL_GRP_MOD=Certificate Server administrators group must not be empty +USRGRP_ILL_GRP_REMOVE=Removal of the Certificate Server administrators group is not allowed +USRGRP_CERT_NOT_FOUND=Certificate not found +USRGRP_SRVLT_GROUP_NOT_EXIST=Group Not Found +USRGRP_SRVLT_USER_NOT_EXIST=User Not Found +USRGRP_SRVLT_LOCALE=Problem processing Locale +USRGRP_SRVLT_CERT_ERROR=Certificate exception +USRGRP_SRVLT_CERT_EXPIRED=Certificate expired +USRGRP_SRVLT_CERT_NOT_YET_VALID=Certificate not yet valid +USRGRP_SRVLT_CERT_O_ERROR=Certificate related error +USRGRP_FAIL_USER_ADD=failed to add user +USRGRP_FAIL_USER_MOD=failed to modify user +USRGRP_SRVLT_FAIL_USER_ADD=failed to add user +USRGRP_SRVLT_FAIL_USER_ADD_NEED_UID=failed to add user: UID required +USRGRP_SRVLT_FAIL_USER_ADD_GROUP=added user but failed to add to group +USRGRP_SRVLT_FAIL_USER_CERT_EXISTS=failed to add cert: The certificate you tried to add already exists +USRGRP_SRVLT_FAIL_USER_MOD=failed to modify user +USRGRP_SRVLT_FAIL_USER_RMV=failed to remove user +USRGRP_SRVLT_FAIL_USER_RMV_G=The user you try to delete belongs to one or more groups.\nIf you click yes to continue, then the user will also be deleted \n from 
all the groups that it belongs to. +USRGRP_SRVLT_FAIL_GROUP_ADD=failed to add group +USRGRP_SRVLT_FAIL_GROUP_MOD=failed to modify group +USRGRP_USR_MOD_ILL_CERT_OP=unknown certificate operation +USRGRP_SRVLT_FAIL_USER_ADD_1=Failed to add user. Missing \"{0}\". +USRGRP_SRVLT_FAIL_USER_MOD_1=Failed to modify user. Missing \"{0}\". +USRGRP_BAD_PASSWD=The given password doesn't pass the password quality checker. +USRGRP_FAIL_LOAD_CLASS_1=Could not load password checker class {0} +################################################################## +# For com.netscape.cms.servlet +################################################################## +CMSGW_MISSING_TEMPLATE_TAG_2=Missing template tag {0} in template {1} +CMSGW_ERROR_LOADING_TEMPLATE=Error encountered while loading output template. +CMSGW_TEMPLATE_NO_CONTENT_1=Template {0} has no content. +CMSGW_ERROR_CLOSING_TEMPLATE_2=Failed to close template {0}. Error {1} +CMSGW_MISSING_KEYGEN_INFO=Missing or malformed KeyGen, PKCS #10 or CRMF request. +CMSGW_MISSING_CERTINFO=Missing CertInfo in AuthToken of authenticated enroll request. +CMSGW_MISSING_CERTINFO_ENCRYPT_CERT=Error getting certinfo from encryption certificate +CMSGW_MISSING_CRL=Missing CRL. +CMSGW_MISSING_CA_CERT=Missing CA Certificate. +CMSGW_MISSING_CERT=Missing Certificate. +CMSGW_MISSING_CERT_HEADER=Missing Certificate Header. +CMSGW_MISSING_CERT_FOOTER=Missing Certificate Footer. +CMSGW_MISSING_CRL_HEADER=Missing CRL Header. +CMSGW_MISSING_CRL_FOOTER=Missing CRL Footer. +CMSGW_MISSING_KEY_IN_KEYGENINFO=Missing or malformed key in KeyGenInfo. +CMSGW_FAILED_FORM_X500NAME_1=Error forming X500Name from subject name {0}. +CMSGW_MISSING_KEY_IN_P10=PKCS #10 request missing subject public key info. +CMSGW_MISSING_SUBJECT_IN_P10=PKCS #10 request missing subject name. +CMSGW_UNEXPECTED_REQUEST_STATUS_2=Unexpected resulting request status {0} for request ID {1} +CMSGW_MISSING_REQUEST=No request was created for this operation. 
+CMSGW_FAILED_SET_KEY_FROM_KEYGEN_1=Error setting key into certificate info from KeyGen. Error {0}. +CMSGW_NOT_A_CA=Feature available only for CA +CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1=Error setting key into certificate info from certificate based enrollment. Error {0}. +CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_IO= I/O Error setting key into certificate info from certificate based enrollment. Error {0}. +CMSGW_INVALID_CERT_TYPE=SSL client certificate presented for this cert-based enrollment is not a signing only cert. +CMSGW_ENCRYPTION_CERT_NOT_FOUND=Pairing encryption certificate for cert-based dual certificate enrollment not found in the DB +CMSGW_MISSING_SSL_CLIENT_CERT=Missing SSL Client Certificate for certificate based enrollment +CMSGW_INVALID_CERTAUTH_ENROLL_TYPE=Invalid certauthEnrollType +CMSGW_INVALID_CERTAUTH_ENROLL_TYPE_1=Invalid certauthEnrollType {0}. +CMSGW_MISSING_CERTAUTH_ENROLL_TYPE=Missing certauthEnrollType. +CMSGW_FAILED_SET_SUBJECT_FROM_P10=Error setting subject name from PKCS #10 into certificate info . Error {0}. +CMSGW_ERROR_CMC_TO_CERTINFO=An Error was encountered while filling the certificate with the contents of the CMC message. +CMSGW_ERROR_CMC_TO_CERTINFO_1= An Error was encountered while filling the certificate with the contents of the CMC Message {0} +CMSGW_ERROR_CRMF_TO_CERTINFO=An Error was encountered while filling the certificate with the contents of the CRMF message. +CMSGW_ERROR_CRMF_TO_CERTINFO_1=An Error was encountered while filling the certificate with the contents of the CRMF message. For Enrollment {0}. +CMSGW_MISSING_SUBJECT_NAME_FROM_AUTHTOKEN=Missing subject name from authentication. +CMSGW_FAILED_SET_KEY_FROM_P10=Error setting key from PKCS #10 into certificate info . Error {0}. +CMSGW_ERROR_DECODING_CRL=Error encountered while decoding CRL. +CMSGW_ERROR_DECODING_CERT=Error encountered while decoding certificate. +CMSGW_ERROR_OLD_CRL=CRL Sent is older than the current CRL. 
+CMSGW_ERROR_ENCODING_ISSUED_CERT=Error encountered while encoding certificate. +CMSGW_ERROR_RETURNING_CERT=Error encountered while returning certificate. +CMSGW_ERROR_RETURNING_RESULT=I/O Error encountered while outputting results. +CMSGW_ERROR_GET_RENEWED_CERT=Could not get renewed certificate in the certificate database. +CMSGW_FAILED_FIND_RENEWED_CERT=Could not find renewed certificate in the certificate database. +CMSGW_ERROR_DISPLAY_TEMPLATE=Error encountered while rendering a response. +CMSGE_ERROR_DISPLAY_TEMPLATE_1=Error while displaying template {0}. Error {1}. +CMSGW_UNAUTHORIZED=Request was unauthorized. +CMSGW_ERROR_SET_SUBJECT_NAME=Cannot convert the subject name from a string to an X500 Name. +CMSGW_ERROR_SET_SUBJECT_NAME_1=Unexpected Error setting subject for certificate info. Error {0} +CMSGW_ERROR_SET_SUBJECT_NAME_2=Cannot convert the subject name from a string to an X500 Name. Error {0} Message {1} +CMSGW_ERROR_SET_VALIDITY=An Error was encountered while setting the validity in the cert. +CMSGW_ERROR_SET_VALIDITY_1=An Error was encountered while setting the validity in the cert. Error {0} +CMSGW_ERROR_SET_EXTENSIONS=An Error was encountered while setting the extensions in the cert. +CMSGW_ERROR_SET_EXTENSIONS_1=An Error was encountered while setting the extensions in the cert. Error {0} +CMSGW_UNKNOWN_EXTENSION_IN_CRMF_1=Unknown extension in CRMF request. OID {0} +CMSGW_MISSING_CERTS_RENEW_FROM_AUTHMGR=You have no certificates to be renewed or the certificates are malformed. +CMSGW_MISSING_CERTS_RENEW_FROM_SSL=You did not select a certificate to renew or the certificate you selected is malformed. +CMSGW_MISSING_SERIALNO_FOR_RENEW=Missing or malformed serial number of certificate to renew. +CMSGW_MISSING_SERIALNO_FOR_RENEW_1=Certificate {0} for renewal not found. +CMSGW_MISSING_SERIALNO_FOR_REVOKE=Missing or malformed serial number of certificate to revoke. +CMSGW_RENEWAL_CERT_REVOKED=The cerficate you submitted for renewal is revoked. 
Cannot renew a revoked certificate. +CMSGW_INVALID_CERT_FOR_RENEWAL=The certificate(s) selected to be renewed is not from this CA. +CMSGW_INVALID_CERT=The certificate is not from this CA. +CMSGW_INVALID_CERT_FOR_REVOCATION=Certificate {0} scheduled for revocation was not found. +CMSGW_ERROR_SETTING_RENEWAL_VALIDITY=An error was encountered while setting the certificate validity. +CMSGW_ERROR_SETTING_RENEWAL_VALIDITY_1=An error was encountered while setting the certificate validity. Error {0}. +CMSGW_ERROR_GETTING_RENEWED_CERT=An error was encountered while getting the renewed certificate from the database. +CMSGW_MISSING_SUBJECT_FROM_FORM=Missing subject name from the form. +CMSGW_MISSING_CERTS_REVOKE_FROM_AUTHMGR=You have no certificates to be revoked or the certificates are malformed. +CMSGW_MISSING_CERTS_REVOKE_FROM_SSL=You did not select a certificate to revoke or the certificate you selected is malformed. +CMSGW_MISSING_SERIALNO_FOR_REVOKE=Missing or malformed serial number of certificate to revoke. +CMSGW_CERT_ALREADY_REVOKED=The certificate has already been revoked.The certificate(s) selected to be revoked is not from this CA. +CMSGW_ERROR_SETTING_CRLREASON=An error was encountered while setting the revocation reason. +CMSGW_NO_OPTIONS_SELECTED=You must select an option from the form. +CMSGW_INVALID_OPTIONS_SELECTED=The option(s) you selected is invalid. This could indicate a flaw in the form you are using. +CMSGW_INVALID_OPTIONS_CA_CHAIN=Invalid options selected to get CA Chain. +CMSGW_ERROR_GETTING_CA_CERT=An error was encountered while getting the CA chain. +CMSGW_ERROR_GETTING_CACERT_ENCODED=Could not get CA certificates encoded. Error {0}. +CMSGW_CA_CHAIN_EMPTY=The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down. +CMSGW_ERROR_ENCODING_CA_CHAIN=An error was encountered while encoding the CA chain. 
+CMSGW_ERROR_ENCODING_CA_CHAIN_1=An error was encountered while encoding the CA chain. {0} +CMSGW_CA_CHAIN_NOT_AVAILABLE=The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down. +CMSGW_ERROR_DISPLAYING_CACHAIN=An I/O error was encountered while outputting the CA chain. +CMSGW_ERROR_DISPLAYING_CACHAIN_1=An I/O error was encountered while outputting the CA chain. {0} +CMSGW_NO_CRL_SELECTED=You must specify the CRL issuing point. +CMSGW_NO_CRL_ISSUING_POINT=No CRL issuing point specified. +CMSGW_NO_CRL_ISSUING_POINT_FOUND=CRL issuing point {0} not found. +CMSGW_CRL_NOT_FOUND=The CRL you selected for download was not found. +CMSGW_CRL_NOT_UPDATED=The CRL you selected for download has not been updated. +CMSGW_CRL_NOT_YET_UPDATED_1=The Certificate Revocation List {0} has not been updated. +CMSGW_NOT_YET_IMPLEMENTED=The operation you requested has not yet been implemented. +CMSGW_ERROR_DISPLAYING_CRLINFO=An I/O error was encountered while outputting CRL results. +CMSGW_REQUEST_ID_NOT_FOUND_1=Request ID {0} was not found in the request queue. +CMSGW_ERROR_UPDATE_REQUEST_1=Error updating request ID {0} in the database. +CMSGW_ERROR_FORMING_EXT_1=Error forming a {0} extension. +CMSGW_INVALID_SERIAL_NUMBER=Certificate Serial number is not set or invalid. +CMSGW_CERT_SERIAL_NOT_FOUND_1=Certificate serial number {0} not found +CMSGW_ERROR_FORMING_PKCS7=Error Forming PKCS #7. +CMSGW_ERROR_FORMING_PKCS7_1= Error Forming PKCS #7 for output {0}. +CMSGW_ERROR_READING_REQUEST_ID_1=Cannot find Request ID {0} in the database. +CMSGW_INVALID_REQUEST_ID_1=Invalid Request ID {0}. +CMSGW_CRL_NOT_YET_UPDATED=The Certificate Revocation List has not been updated. +CMSGW_FAILED_DECODE_CRL=Failed to DER decode the Certificate Revocation List. +CMSGW_FAILED_DECODE_CRL_1=Failed to DER decode the Certificate Revocation List. 
Error {0} +CMSGW_REVOCATION_ERROR_CERT_NOT_FOUND=Attempt to revoke non-existent certificate(s). +CMSGW_ERROR_MARKING_CERT_REVOKED=Error encountered while marking certificate revoked. +CMSGW_ERROR_MARKING_CERT_REVOKED_1=Error encountered while marking certificate revoked . {0} +CMSGW_NO_RECOVERY_TOKEN_FOUND_1=No Recovery Token Found for recovery reference number {0}. +CMSGW_INVALID_AGENT_3=Agent: {0} cannot retrieve PKCS #12 for recovery reference number {2}. Agent: {1} initialized the request. +CMSGW_INVALID_AGENT_ASYNC_3=Agent: {0} cannot retrieve PKCS #12 for recovery request id {2}. Agent: {1} initialized the request. +CMSGW_ERROR_DISPLAY_FILE=I/O Error encountered while outputting file. +CMSGW_FILE_NOT_FOUND=File was not found +CMSGW_NO_CERTS_FROM_CA=Error encountered while issuing certificates. +CMSGW_ERROR_SETTING_CERT_ATTRIBUTES=Error encountered while setting certificate attributes. +CMSGW_ERROR_FORMING_PKCS10=Error encountered while forming a PKCS #10 response. +CMSGW_ERROR_REDIRECTING_ADMINENROLL1=Error encountered while accessing the adminEnroll page.{0} +CMSGW_ERROR_REDIRECTING_PAGE=Error encountered while accessing the {0} page. Error {1}. +CMSGW_NO_LDAP_PUB_MODULE=LDAP publishing module is disabled. +CMSGW_NO_PUB_MODULE=Publishing module is disabled. Make sure valid characters are in the subject name. \nFor example, the email address should only have IA5String characters \nand the country should only have PrintableString characters and have 2 characters exactly. +CMSGW_ERROR_ADDING_ADMIN_CERT_1=An error was encountered while adding the administrator's certificate to its entry in the user groupdatabase. Error {0} +CMSGW_ERROR_ADDING_ADMIN=An error was encountered while adding the administrator to the Certificate Manager Agent Group - Group does not exist. +CMSGW_INSUFFICIENT_PRIVILEGE=You must also be an administrator to grant trusted manager or agent privileges. +CMSGW_MISSING_GRANT_UID=You must specify a user ID for the trusted manager or agent. 
+CMSGW_ERROR_FIND_GROUP_1=Could not grant privileges. Could not find group {0}. +CMSGW_ERROR_ADDING_USER_1=Could not grant privileges. Error adding user {0}. +CMSGW_ERROR_ADDING_CERT_1=Could not grant privileges. Error adding certificate to user {0}. +CMSGW_ERROR_ADDING_MEMBER_2=Could not grant privileges. Error adding user {0} to group {1}. +CMSGW_ERROR_ADDING_MEMBER_3=Could not grant privileges. Error adding user {0} to group {1} or group {2}. +CMSGW_REQUEST_HAD_NO_CERTS_1=Request ID {0} had no certificates issued as a result. +CMSGW_REQUEST_NOT_COMPLETED_1=Request ID {0} is not completed. +CMSGW_REQUEST_HAD_ERROR_1=Request ID {0} resulted in an error. No certificates were issued. +CMSGW_REQUEST_NOT_ENROLLMENT_1=Request ID {0} is not a certificate enrollment request. +CMSGW_NO_REQUEST_ID_PROVIDED=A Request ID must be provided for this operation. +CMSGW_REQUEST_ID_NOT_FOUND=Request ID {0} not found. +CMSGW_INVALID_REQ_ID_FORMAT=Invalid request ID format. ID {0}. +CMSGW_CERT_NOT_FROM_CRMF_REQUEST_1=Certificate serial number {0} was not issued from a CRMF request and therefore cannot be imported through CMMF. +CMSGW_AUTH_ERROR_2=Error encountered in authentication manager {0}: {1} +CMSGW_MISSING_AUTH_TOKEN=Cannot authorize client: missing authentication token. +CMSGW_AUTHORIZATION_FAILED_1=Authorization of client failed. Authorization required: {0} +CMSGW_NO_PKIDATA=No PKIData in CMC full enrollment request. +CMSGW_ERROR_PKCS101=Error processing PKCS #10 in CMC full enrollment request: {0} +CMSGW_NO_CMC_CONTENT=No PKCS #10 nor CRMF in CMC full enrollment request. +CMSGW_CMC_ERROR1=Unexpected error processing CMC full enrollment request: {0} +CMSGW_ERROR_POP_VERIFY=Proof-of-Possession not Successfully Verified. +CMSGW_ERROR_NO_POP=Proof-of-Possession is required and is not present. 
+###################### +# begin debug messages +###################### +CMSGW_PROP_UNAUTHORIZED_TEMPLATE=unauthorizedTemplate +CMSGW_UNAUTHORIZED_TEMPLATE=/GenUnauthorized.template +CMSGW_PROP_SUCCESS_TEMPLATE =successTemplate +CMSGW_SUCCESS_TEMPLATE=GenSuccess.template +CMSGW_PROP_PENDING_TEMPLATE=pendingTemplate +CMSGW_PENDING_TEMPLATE=GenPending.template +CMSGW_PROP_SVC_PENDING_TEMPLATE=svcpendingTemplate +CMSGW_SVC_PENDING_TEMPLATE=/GenSvcPending.template +CMSGW_PROP_REJECTED_TEMPLATE=rejectedTemplate +CMSGW_REJECTED_TEMPLATE=/GenRejected.template +CMSGW_PROP_ERROR_TEMPLATE=errorTemplate +CMSGW_ERROR_TEMPLATE=/GenError.template +CMSGW_PROP_EXCEPTION_TEMPLATE=unexpectedErrorTemplate +CMSGW_EXCEPTION_TEMPLATE=/GenUnexpectedError.template +CMSGW_PROP_UNAUTHOR_TEMPLATE_FILLER=unauthorizedTemplateFiller +CMSGW_PROP_SUCCESS_TEMPLATE_FILLER=successTemplateFiller +CMSGW_PROP_ERROR_TEMPLATE_FILLER=errorTemplateFiller +CMSGW_PROP_PENDING_TEMPLATE_FILLER=pendingTemplateFiller +CMSGW_PROP_SVC_PENDING_TEMPLATE_FILLER=svcpendingTemplateFiller +CMSGW_PROP_REJECTED_TEMPLATE_FILLER=rejectedTemplateFiller +CMSGW_PROP_EXCEPTION_TEMPLATE_FILLER=exceptionTemplateFiller +CMSGW_PROP_DONT_SAVE_HTTP_PARAMS=dontSaveHttpParams +#################### +# end debug messages +#################### +CMSGW_TEMP_REND_ERR=Error rendering template {0} Error {1} +CMSGW_TEMP_REND_ERR_1=Error rendering template {0} : {1}. Returning HTTP INTERNAL ERROR. #1 +CMSGW_TEMP_REND_ERR_2=Error rendering template {0} : {1}. Returning HTTP INTERNAL ERROR. #2 +CMSGW_FILE_ACCESS_DENIED=File access denied: {0} +CMSGW_ACCESS_DENIED=CGI Access denied: {0} +CMSGW_SSL_CLIENT_BAD_PORT=Cannot get SSL Client certificate from a non-SSL port. +########### +# debugging +########### +CMSGW_GETTING=getting {0} +CMSGW_INDEXING=indexing {0} +CMSGW_REDIRECTING=redirecting {0} to {1} +############### +# end debugging +############### +CMSGW_BAD_CONFIG_PARAM=CMSGateway: Failed to get config parameter. 
+CMSGW_GETTING_CLIENT_CERT=Getting client certificate. +CMSGW_GETTING_SSL_CLIENT_CERT=Getting SSL client certificate. +CMSGW_FAIL_SSL_CLIENT_CERT=Failed to get SSL Client cert. Client did not provide cert. +CMSGW_AUTH_MAN_EXPECTED=Authentication Manager name expected in Servlet Access. +CMSGW_BAD_REQ_STATUS=Invalid status to CMSRequest. +CMSGW_ERR_CONF_TEMP_PARAMS=Unexpected error getting template config params. Error {0} +########### +# debugging +########### +CMSGW_DO_SSL_AUTH=doSslAuth is {0}. +CMSGW_GET_SSL_CLIENT_CERT=Getting SSL client certificate as requested in http. +CMSGW_NO_CLIENT_CERT=Unauthorized client access to servlet {0}. Client failed to provide a cert. +CMSGW_NO_CLIENT_TOK=Unauthorized client access to servlet {0}. Missing client token. +CMSGW_AUTH_MGR_CORRUPT=FATAL ERROR *** AuthMgr instance corrupt!!! +CMSGW_NO_CLIENT_AUTH=Authorization of Client failed in servlet {0} +CMSGW_ERR_OUT_TEMPLATE=Error outputting template {0} . {1}. +CMSGW_AUTHING_CLIENT=authenticating client with {0}. +CMSGW_NO_FIND_AUTH_MGR=Cannot find authentication manager {0}. +CMSGW_AUTH_MGR_FAIL=Auth manager {0} encountered {1}. +CMSGW_AUTH_MGR_REJECT=Missing some required credentials for authentication manager {0}. +CMSGW_AUTH_MGR_REJECT_1=Invalid credentials resulting from {0}. +CMSGW_AUTH_MGR_UNEXPECT=Unexpected error from authentication manager {0}. Error {1}. +CMSGW_SSL_NO_INVALIDATE=Cannot invalidate socket session. Socket not SSL. +CMSGW_SSL_CL_CERT_FAIL=Failed to get SSL Client cert. Client did not provide a cert. +CMSGW_SSL_CL_CERT_FAIL_ENCODE=Failed encoding SSL Client cert. Error {0}. +CMSGW_SSL_CL_CERT_FAIL_DECODE=Failed decoding SSL Client cert. Error {0}. +CMSGW_NO_FIND_TEMPLATE=Cannot locate template {0}. +CMSGW_NO_CONFIG_VALUE=Impossible Error getting config variable {0}. Ignoring Error {1}. +CMSGW_NON_CERT_AUTH=Trying to get a certificate from a non-certificate authority. +CMSGW_CERT_DB_NULL=Certificate DB is null for {0}. 
+CMSGW_NO_CERT_REC=Error getting certRecord for serialNo 0x{0}. Error {1}.
+CMSGW_NOT_CERT_AUTH=Cannot get certificate - authority not a CA.
+CMSGW_CANT_LOAD_FILLER=Couldn't load filler class name {0}. Error {1}. Using default.
+CMSGW_IMP_INIT_SERV_ERR=**** FATAL ERROR *** Impossible error {0} encountered while initializing servlet. {1} Ignored.
+CMSGW_RET_CERT_IMPORT_ERR=Error when returning certificate to import. {0}.
+CMSGW_NO_ENCODED_IMP_CERT=Could not get certificate in encoded form for import. {0}.
+CMSGW_ERR_CRL_REASON=Error setting CRL reason {0}. Error {1}.
+CMSGW_BAD_CERT_SER_NUM=certificate serial {0} is not from this CA.
+CMSGW_START_USE_CONFIG=CMS: Starting CS using configuration file {0}.
+CMSGW_CMS_START_CONFIG_ERR=CMS: {0}.
+CMSGW_CANT_LOAD_TEMPLATE=Could not load template {0} error {1}.
+CMSGW_TEMPLATE_EMPTY=template {0} has no content.
+CMSGW_TEMPLATE_MISSING=template {0} missing {1} tag.
+CMSGW_ERR_CLOSE_TEMPL_FILE=Error closing file {0} : {1}.
+CMSGW_FILE_NO_ACCESS=File Access denied: {0}.
+CMSGW_GROUP_AUTH_FAILED=CMSgateway: Group Authorization failed. User {0} is missing or null in the Auth token.
+CMSGW_GRP_AUTH_FAIL_NO_USER="CMSgateway: Group Authorization failed. User {0} was not found in user group database.
+CMSGW_GRP_AUTH_FAIL_NO_MEM_GRP=CMSgateway: Group Authorization failed. User {0} is not a member of group {1}.
+CMSGW_GRP_AUTH_SUCCESS=CMSgateway: Group Authorization success. User {0} is a member of group {1}.
+CMSGW_GRP_AUTH_FAIL_NO_GRP=CMSgateway: Group Authorization failed. User {0} is not a member of any group in {1}.
+CMSGW_GRP_AUTH_FAIL_USER_GRP_ERR=CMSgateway: Group Authorization failed. User group error {0}.
+CMSGW_FAIL_REDIRECT_ADMIN_ENROLL=Failed to redirect to admin enroll page. Error {0}.
+CMSGW_FAIL_REDIRECT_PAGE=Failed to redirect html page {0}. Error {1}.
+CMSGW_FAIL_RENDER_TEMPLATE=Failed to render template {0}. Error {1}.
+CMSGW_ERR_BAD_SERV_OUT_STREAM=Error getting servlet output stream when rendering {0} template. Error {1}.
+CMSGW_ERR_DISP_BY_SERIAL=Error encountered in DisplayBySerial. Error {0}.
+CMSGW_ERROR_PARSING_EXTENS=Error certificate parsing extensions. Error {0}.
+CMSGW_ERR_DIGESTING_CERT=Error digesting certificate. Error {0}.
+CMSGW_ERR_ENCODE_CERT=Error encoding certificate. Error {0}.
+CMSGW_ERR_DECODE_CRL=Failed to decode CRL. Error {0}.
+CMSGW_ERR_UPDATE_CRL=Error updating CRL. Error {0}.
+CMSGW_ERR_NO_DELTA_CRL=Delta CRL is not available for {0} issuing point.
+CMSGW_ERR_NO_DELTA_CRL_1=Delta CRL is not available.
+CMSGW_ERR_DECODE_DELTA_CRL=Failed to decode Delta CRL. Error {0}.
+CMSGW_ERR_PUBLISH_DELTA_CRL=Failed to publish Delta CRL. Error {0}.
+CMSGW_ERR_OUT_STREAM_TEMPLATE=Error getting servlet output stream for rendering template. Error {0}.
+CMSGW_REQ_AUTH_REVOKED_CERT=Revocation request was authenticated by a revoked certificate.
+CMSGW_REV_CERTS_ZERO=number of revocation certificates is zero.
+CMSGW_INVALID_SERIAL_NUM_FORMAT=Invalid Serial number format.
+CMSGW_CA_FROM_RA_NOT_IMP=getting a CRL from the RA is not implemented yet.
+CMSGW_ERR_GET_TEMPLATE=Error getting template {0} Error {1}.
+CMSGW_ERR_GET_TEMPLATE_1=Error getting template. Missing template name.
+CMSGW_ERR_GET_TEMPLATE_2=Error getting template. Missing template name. Error {0}.
+CMSGW_ERR_STREAM_TEMPLATE=Error getting servlet output stream for rendering template. Error {0}.
+CMSGW_ERR_PROCESS_ENROLL_NO_AUTH=Could not process enrollment request. Bulk-generated certificate auth failed authentication.
+CMSGW_CANT_PROCESS_ENROLL_REQ=Could not process enrollment request.
+CMSGW_CANT_GET_CERT_SUBJ_AUDITING=failed to retrieve certificate subject for auditing {0}.
+CMSGW_REQ_ILLEGAL_CHARACTERS=Check to make sure request has no illegal characters, e. g. - email is an IA5String and Country is a Printable String.
+CMSGW_ERROR_LISTCERTS=Error in listCerts. Error {0}.
+CMSGW_INVALID_RECORD_COUNT_FORMAT=Invalid total record count format.
+CMSGW_ERR_GET_CRL_RECORD=Error getting CRL record. Error {0}.
+CMSGW_FAIL_GET_ICERT_RECORD=Failed getting ICertRecord.ATTR_META_INFO for certificate serial number {0}. It may be a certificate added at installation time.
+CMSGW_FAIL_PUBLISH_CERT=Failed to publish Certificate {0}.
+CMSGW_CANT_FIND_AUTHORITY=Cannot find authority {0}.
+CMSGW_ERROR_SENDING_DER_ENCODE_CERT=Failed sending DER encoded cert: {0}.
+CMSGW_ERROR_CREATE_ENTRY_FROM_CEP=Tried to create an entry from the CEP servlet, but cannot because Publishing is not running.
+CMSGW_FAIL_CREAT_ENTRY_EXISTS=Failed creating entry for : {0} : Entry already exists?
+CMSGW_ENROLL_FAIL_NO_AUTH=Enrollment failed: user failed to authenticate.
+CMSGW_ENROLL_FAIL_NO_SUBJ_ALT_NAME=CRS enrollment - Could not create subjectAltName. Error {0}.
+CMSGW_ENROLL_FAIL_DUP_TRANS_ID=Enrollment failed: user used duplicate transaction ID.
+CMSGW_ENROLL_FAIL_NO_DECRYPT_PKCS10=CRS enrollment failed: Could not decrypt PKCS #10 request. Error {0}.
+CMSGW_ERNOLL_FAIL_NO_NEW_REQUEST_POSTED=CRS enrollment failed: Could not post new request. Error {0}.
+#####
+# new
+#####
+CMSGW_HAS_NO_CLIENT_CERT=Remote Authority has no client certificate.
+CMSGW_NOT_TRUSTED_REMOTE_RA=Remote Authority {0} not authorized as a trusted RA.
+CMSGW_IO_ERROR_REMOTE_REQUEST=I/O Error processing remote request. Error {0}.
+CMSGW_REMOTE_AUTHORITY_AUTH_FAILURE=Remote Authority auth failure. {0}.
+CMSGW_ERROR_PROCESS_NETSCAPE_EXTENSION=Error while processing Netscape Certificate Type extension {0}.
+CMSGW_ERROR_PROCESS_CONSTRAINTS_EXTENSION=Error while processing Basic Constraints extension. {0}.
+CMSGW_ERROR_DISPLAY_TEMPLATE=Error encountered while rendering a response.
+##################################################################
+# For com.netscape.cms.servlet.admin
+##################################################################
+ADMIN_SRVLT_FAIL_AUTHS=Authentication failed
+ADMIN_SRVLT_FAIL_AUTHZ=AUTHZ permission check failed
+ADMIN_SRVLT_INVALID_OP_TYPE_1=Invalid OP_TYPE {0}
+ADMIN_SRVLT_INVALID_OP_SCOPE=Invalid OP_SCOPE
+ADMIN_SRVLT_INVALID_PROTOCOL=Invalid protocol: OP_TYPE must be specified
+ADMIN_SRVLT_INVALID_PARAM=Invalid parameter
+ADMIN_SRVLT_INVALID_PATH=Invalid Content Template path
+ADMIN_SRVLT_NULL_RS_ID=Resource ID (RS_ID) can not be null
+ADMIN_SRVLT_RS_ID_BS=Resource ID (RS_ID) can not contain backslashes
+ADMIN_SRVLT_SPECIAL_ID=Not allowed to create this special user: {0}
+ADMIN_SRVLT_FAIL_COMMIT=Failed to save changes to the configuration file
+ADMIN_SRVLT_FAIL_PERFORM_1=Failed to perform 1
+ADMIN_SRVLT_FAIL_PERFORM_2=Failed to perform 2
+ADMIN_SRVLT_FAIL_PERFORM_3=Failed to perform 3
+ADMIN_SRVLT_FAIL_COMMIT=Failed to save changes to the configuration file
+#######
+# debug
+#######
+ADMIN_SRVLT_SERVICE_DENIED=service(): service denied.
+ADMIN_SRVLT_REP_EXIST_TYPE=replacing existing type {0}.
+ADMIN_SRVLT_CLASS_NOT_FOUND=class {0} not found.
+ADMIN_SRVLT_CLASS_NOT_EVAL=class is not com.netscape.certsrv.acls.IAccessEvaluator {0}.
+ADMIN_SRVLT_EVAL_NOT_FOUND=Evaluator attempted to be removed was not found.
+ADMIN_SRVLT_FAIL_SRC_TYPE=Failed on getting authz.sourceType, assuming authz info will be LDAP based.
+#######
+# debug
+#######
+ADMIN_SRVLT_AUTHZ_INITED=authz is to be initialized for servlet: {0} from XML
+ADMIN_SRVLT_AUTHZ_MGR_INIT_FAIL=AuthzMgrAccessInit failed.
+#######
+# debug
+#######
+ADMIN_SRVLT_AUTHZ_MGR_INIT_DONE=authzmgrAccessInit for servlet: {0} from XML done
+ADMIN_SRVLT_PROP_ACL_NOT_SPEC={0} not specified in XML for servlet: {1}, use default authz mgr: {2}.
+ADMIN_SRVLT_AUTH_LDAP_NOT_XML=according to ccMode, authorization for servlet: {0} is LDAP based, not XML {1}, use default authz mgr: {2}.
+#######
+# debug
+#######
+ADMIN_SRVLT_ABOUT_AUTH=about authenticate() for servlet: {0}.
+ADMIN_SRVLT_AUTH_FOR_SRVLT=authenticated for servlet: {0}.
+ADMIN_SRVLT_AUTH_FAIL=authenticate(): {0} {1} {2}.
+ADMIN_SRVLT_NO_AUTH_TOKEN=AdminServlet: authenticate: User {0} is missing or null in the Auth token.
+ADMIN_SRVLT_USER_NOT_FOUND=AdminServlet: User {0} not found in user group database.
+ADMIN_SRVLT_USR_GRP_ERR=AdminServlet: User group error {0}.
+ADMIN_SRVLT_ERROR=AdminServlet: error {0}.
+#######
+# debug
+#######
+ADMIN_SRVLT_CHECK_AUTHZ_AUTH=About to check AuthzSubsystem authorization for servlet: {0}.
+ADMIN_SRVLT_AUTH_SUCCEED=authorization succeeded for servlet: {0}
+ADMIN_SRVLT_AUTH_FAILURE=Failed to authorize: {0}.
+ADMIN_SRVLT_GRP_AUTHZ_FAIL=CMSgateway: Group Authorization failed. User {0} was missing or null in the Auth token.
+ADMIN_SRVLT_USER_NOT_IN_DB=CMSgateway: Group Authorization failed. User {0} was not found in the user group database.
+ADMIN_SRVLT_USER_NOT_IN_GRP=CMSgateway: Group Authorization failed. User {0} was not a member of group {1}.
+ADMIN_SRVLT_GRP_AUTH_SUCC_USER=Group Authorization success. User {0} is a member of group {1}.
+ADMIN_SRVLT_USER_NOT_ANY_GRP="CMSgateway: Group Authorization failed. User {0} was not a member of any group in {1}.
+#######
+# debug
+#######
+ADMIN_SRVLT_PLUGIN_ADD=authManager plugin {0} added through console.
+ADMIN_SRVLT_AUTH_MGR_ADD=authManager instance {0} added through console.
+ADMIN_SRVLT_AUTH_MGR_REPL=authManager instance {0} replaced through console.
+ADMIN_SRVLT_BASIC_CONSTRAIN_NULL=MSAdminServlet: basic constraints extension is null.
+ADMIN_SRVLT_CERT_NO_EXT=CMSAdminServlet: This certificate doesn't have extensions.
+ADMIN_SRVLT_JS_PLUGIN_ADD=Job Scheduler plugin {0} added through console.
+ADMIN_SRVLT_JOB_INST_ADD=job instance {0} added through console.
+ADMIN_SRVLT_JOB_INST_REP=Job Scheduler job instance {0} replaced through console.
+ADMIN_SRVLT_FAIL_RES_LDAP=Failed to restart LDAP publishing: {0}.
+ADMIN_SRVLT_PUB_CA_CERT=Published CA cert.
+ADMIN_SRVLT_NO_PUB_CA_CERT=Could not publish CA's certificate {0}.
+#######
+# debug
+#######
+ADMIN_SRVLT_PUB_CRL=published CRL
+ADMIN_SRVLT_NO_PUB_CRL=Could not publish CRL {0}.
+#######
+# debug
+#######
+ADMIN_SRVLT_MAPPER_ADDED=mapper plugin {0} added through console.
+ADMIN_SRVLT_MAPPER_INST_ADDED=mapper instance {0} added through console.
+ADMIN_SRVLT_MAPPER_REPLACED=mapper {0} replaced through console.
+ADMIN_SRVLT_RULE_PLUG_ADDED=rule plugin {0} added through console.
+ADMIN_SRVLT_RULE_INST_ADDED=rule instance {0} added through console.
+ADMIN_SRVLT_RULE_INST_REP=rule instance {0} replaced through console.
+ADMIN_SRVLT_PUB_PLUG_ADDED=publisher plugin {0} added through console.
+ADMIN_SRVLT_PUB_INST_ADDED=publisher instance {0} added through console.
+ADMIN_SRVLT_PUB_INST_REP=publisher instance {0} replaced through console.
+ADMIN_SRVLT_CHECK_AUTHZ_SUB=about to check AuthzSubsystem authorization.
+ADMIN_SRVLT_AUTH_CALL_FAIL=authorize call: {0}
+ADMIN_SRVLT_ADD_USER_FAIL=addUser() failed {0}
+ADMIN_SRVLT_IS_PK_BLOB=is PKCS #7 blob?
+ADMIN_SRVLT_SINGLE_CERT_IMPORT=single self-signed certificate to import
+ADMIN_SRVLT_CERT_CHAIN_ACEND_ORD=certificate chain is in ascending order
+ADMIN_SRVLT_CERT_CHAIN_DESC_ORD=certificate chain is in descending order
+ADMIN_SRVLT_CERT_BAD_CHAIN=certificate chain is in random order or is an illegal certificate chain
+ADMIN_SRVLT_CHAIN_STORED_DB=user certificate from certificate chain is stored in the internaldb; certificate length={0}
+ADMIN_SRVLT_CERT_IN_CHAIN=certificate in certificate chain: {0} : {1}
+ADMIN_SRVLT_LEAF_CERT_NULL=importCACertPackage returns leaf certificate null
+ADMIN_SRVLT_LEAF_CERT_NON_NULL=got non-null leafCert
+ADMIN_SRVLT_NOT_INTERNAL_CERT=certificate not an instance of InternalCertificate: {0}
+ADMIN_SRVLT_PKS7_IGNORED=PKCS #7? {0} ignored
+ADMIN_SRVLT_BEFORE_VALIDITY=addUserCert(): before checkValidity()
+ADMIN_SRVLT_ADD_CERT_EXPIRED=addUserCert(): certificate expired: {0}.
+ADMIN_SRVLT_AIM_OUTPUT_FAIL=Output failed {0}.
+#######
+# debug
+#######
+ADMIN_SRVLT_AIM_ENROLL=AIMEnroll: process.
+ADMIN_SRVLT_ENROLL_ACCESS_AFTER_SETUP=Attempt to access adminEnroll after already setup.
+ADMIN_SRVLT_FAIL_GET_CERT_CHALL_PWRD=Failed to complete the request for getting certificates based on the challenge phrase password.
+ADMIN_SRVLT_ERR_STREAM_TEMPLATE=Error getting servlet output stream for rendering template. Error {0}.
+#######
+# debug
+#######
+ADMIN_SRVLT_ADDING_HEADER=adding header {0} yes
+ADMIN_SRVLT_ADDING_HEADER_NO=adding header {0} no
+ADMIN_SRVLT_ADD_MASTER_URL=adding masterURL = {0}
+ADMIN_SRVLT_CA_FROM_RA_NOT_IMP=getting a CRL from the RA is not implemented yet.
+ADMIN_SRVLT_ERR_GET_TEMPLATE=Error getting template {0} Error {1}.
+##################################################################
+# For com.netscape.cmscore.cert.prettyprint
+##################################################################
+PRETTYPRINT_TOKEN_CERTIFICATE=Certificate:
+PRETTYPRINT_TOKEN_DATA=Data:
+PRETTYPRINT_TOKEN_VERSION=Version:
+PRETTYPRINT_TOKEN_SERIAL=Serial Number:
+PRETTYPRINT_TOKEN_SIGALG=Signature Algorithm:
+PRETTYPRINT_TOKEN_ISSUER=Issuer:
+PRETTYPRINT_TOKEN_VALIDITY=Validity:
+PRETTYPRINT_TOKEN_NOT_BEFORE=Not Before:
+PRETTYPRINT_TOKEN_NOT_AFTER=Not After:
+PRETTYPRINT_TOKEN_SUBJECT=Subject:
+PRETTYPRINT_TOKEN_SPKI=Subject Public Key Info:
+PRETTYPRINT_TOKEN_ALGORITHM=Algorithm:
+PRETTYPRINT_TOKEN_PUBLIC_KEY=Public Key:
+PRETTYPRINT_TOKEN_PUBLIC_KEY_MODULUS=Public Key Modulus:
+PRETTYPRINT_TOKEN_PUBLIC_KEY_EXPONENT=Exponent:
+PRETTYPRINT_TOKEN_EXTENSIONS=Extensions:
+PRETTYPRINT_TOKEN_SIGNATURE=Signature:
+PRETTYPRINT_TOKEN_YES=yes
+PRETTYPRINT_TOKEN_NO=no
+PRETTYPRINT_TOKEN_IDENTIFIER=Identifier:
+PRETTYPRINT_TOKEN_CRITICAL=Critical:
+PRETTYPRINT_TOKEN_VALUE=Value:
+PRETTYPRINT_TOKEN_KEY_TYPE=Key Type
+PRETTYPRINT_TOKEN_CERT_TYPE=Netscape Certificate Type
+PRETTYPRINT_TOKEN_SKI=Subject Key Identifier
+PRETTYPRINT_TOKEN_AKI=Authority Key Identifier
+PRETTYPRINT_TOKEN_ACCESS_DESC=Access Description:
+PRETTYPRINT_TOKEN_OCSP_NOCHECK=OCSP NoCheck:
+PRETTYPRINT_TOKEN_EXTENDED_KEY_USAGE=Extended Key Usage:
+PRETTYPRINT_TOKEN_PRIVATE_KEY_USAGE=Private Key Usage:
+PRETTYPRINT_TOKEN_PRESENCE_SERVER=Presence Server:
+PRETTYPRINT_TOKEN_AIA=Authority Info Access:
+PRETTYPRINT_TOKEN_KEY_USAGE=Key Usage:
+PRETTYPRINT_TOKEN_CERT_USAGE=Certificate Usage:
+PRETTYPRINT_TOKEN_KEY_ID=Key Identifier:
+PRETTYPRINT_TOKEN_AUTH_NAME=Authority Name:
+PRETTYPRINT_TOKEN_CRL=Certificate Revocation List:
+PRETTYPRINT_TOKEN_THIS_UPDATE=This Update:
+PRETTYPRINT_TOKEN_NEXT_UPDATE=Next Update:
+PRETTYPRINT_TOKEN_REVOKED_CERTIFICATES=Revoked Certificates:
+PRETTYPRINT_TOKEN_REVOCATION_DATE=Revocation Date:
+PRETTYPRINT_TOKEN_REVOCATION_REASON=Revocation Reason
+PRETTYPRINT_TOKEN_REASON=Reason:
+PRETTYPRINT_TOKEN_BASIC_CONSTRAINTS=Basic Constraints
+PRETTYPRINT_TOKEN_NAME_CONSTRAINTS=Name Constraints
+PRETTYPRINT_TOKEN_NSC_COMMENT=Netscape Comment
+PRETTYPRINT_TOKEN_IS_CA=Is CA:
+PRETTYPRINT_TOKEN_PATH_LEN=Path Length Constraint:
+PRETTYPRINT_TOKEN_PATH_LEN_UNLIMITED=UNLIMITED
+PRETTYPRINT_TOKEN_PATH_LEN_UNDEFINED=UNDEFINED
+PRETTYPRINT_TOKEN_PATH_LEN_INVALID=INVALID
+PRETTYPRINT_TOKEN_CRL_NUMBER=CRL Number
+PRETTYPRINT_TOKEN_NUMBER=Number:
+PRETTYPRINT_TOKEN_DELTA_CRL_INDICATOR=Delta CRL Indicator
+PRETTYPRINT_TOKEN_BASE_CRL_NUMBER=Base CRL Number:
+PRETTYPRINT_TOKEN_CERT_SCOPE_OF_USE=Certificate Scope of Use
+PRETTYPRINT_TOKEN_SCOPE_OF_USE=Scope of Use:
+PRETTYPRINT_TOKEN_PORT=Port:
+PRETTYPRINT_TOKEN_ISSUER_ALT_NAME=Issuer Alternative Name
+PRETTYPRINT_TOKEN_ISSUER_NAMES=Issuer Names:
+PRETTYPRINT_TOKEN_SUBJECT_ALT_NAME=Subject Alternative Name
+PRETTYPRINT_TOKEN_DECODING_ERROR=Decoding Error
+PRETTYPRINT_TOKEN_FRESHEST_CRL_EXT=Freshest CRL
+PRETTYPRINT_TOKEN_CRL_DP_EXT=CRL Distribution Points
+PRETTYPRINT_TOKEN_CRLDP_NUMPOINTS=Number of Points:
+PRETTYPRINT_TOKEN_CRLDP_POINTN=Point
+PRETTYPRINT_TOKEN_CRLDP_DISTPOINT=Distribution Point:
+PRETTYPRINT_TOKEN_CRLDP_REASONS=Reason Flags:
+PRETTYPRINT_TOKEN_CRLDP_CRLISSUER=CRL Issuer:
+PRETTYPRINT_TOKEN_ISSUING_DIST_POINT=Issuing Distribution Point
+PRETTYPRINT_TOKEN_DIST_POINT_NAME=Distribution Point:
+PRETTYPRINT_TOKEN_FULL_NAME=Full Name:
+PRETTYPRINT_TOKEN_RELATIVE_NAME=Name Relative To CRL Issuer:
+PRETTYPRINT_TOKEN_ONLY_USER_CERTS=Only Contains User Certificates:
+PRETTYPRINT_TOKEN_ONLY_CA_CERTS=Only Contains CA Certificates:
+PRETTYPRINT_TOKEN_ONLY_SOME_REASONS=Only Some Reasons:
+PRETTYPRINT_TOKEN_INDIRECT_CRL=Indirect CRL:
+PRETTYPRINT_TOKEN_INVALIDITY_DATE=Invalidity Date
+PRETTYPRINT_TOKEN_DATE_OF_INVALIDITY=Invalidity Date:
+PRETTYPRINT_TOKEN_CERTIFICATE_ISSUER=Certificate Issuer
+PRETTYPRINT_TOKEN_HOLD_INSTRUCTION=Hold Instruction Code
+PRETTYPRINT_TOKEN_HOLD_INSTRUCTION_CODE=Hold Instruction Code:
+PRETTYPRINT_TOKEN_POLICY_CONSTRAINTS=Policy Constraints
+PRETTYPRINT_TOKEN_INHIBIT_POLICY_MAPPING=Inhibit Policy Mapping:
+PRETTYPRINT_TOKEN_REQUIRE_EXPLICIT_POLICY=Require Explicit Policy:
+PRETTYPRINT_TOKEN_POLICY_MAPPINGS=Policy Mappings
+PRETTYPRINT_TOKEN_MAPPINGS=Mappings:
+PRETTYPRINT_TOKEN_MAP=Map
+PRETTYPRINT_TOKEN_ISSUER_DOMAIN_POLICY=Issuer Domain Policy:
+PRETTYPRINT_TOKEN_SUBJECT_DOMAIN_POLICY=Subject Domain Policy:
+PRETTYPRINT_TOKEN_SUBJECT_DIR_ATTR=Subject Directory Attributes
+PRETTYPRINT_TOKEN_ATTRIBUTES=Attributes:
+PRETTYPRINT_TOKEN_ATTRIBUTE=Attribute
+PRETTYPRINT_TOKEN_VALUES=Values:
+PRETTYPRINT_TOKEN_NOT_SET=not set
+PRETTYPRINT_TOKEN_NONE=none
+PRETTYPRINT_TOKEN_CACHE_NOT_AVAILABLE=CRL cache is not available
+PRETTYPRINT_KeyUsageExtension.DIGITAL_SIGNATURE=Digital Signature
+PRETTYPRINT_KeyUsageExtension.NON_REPUDIATION=Non-Repudiation
+PRETTYPRINT_KeyUsageExtension.KEY_ENCIPHERMENT=Key Encipherment
+PRETTYPRINT_KeyUsageExtension.DATA_ENCIPHERMENT=Data Encipherment
+PRETTYPRINT_KeyUsageExtension.KEY_AGREEMENT=Key Agreement
+PRETTYPRINT_KeyUsageExtension.KEY_CERTSIGN=Key CertSign
+PRETTYPRINT_KeyUsageExtension.CRL_SIGN=CRL Sign
+PRETTYPRINT_KeyUsageExtension.ENCIPHER_ONLY=Encipher Only
+PRETTYPRINT_KeyUsageExtension.DECIPHER_ONLY=Decipher Only
+PRETTYPRINT_NSCertTypeExtension.SSL_CLIENT=SSL Client
+PRETTYPRINT_NSCertTypeExtension.SSL_SERVER=SSL Server
+PRETTYPRINT_NSCertTypeExtension.EMAIL=Secure Email
+PRETTYPRINT_NSCertTypeExtension.OBJECT_SIGNING=Object Signing
+PRETTYPRINT_NSCertTypeExtension.SSL_CA=SSL CA
+PRETTYPRINT_NSCertTypeExtension.EMAIL_CA=Secure Email CA
+PRETTYPRINT_NSCertTypeExtension.OBJECT_SIGNING_CA=ObjectSigning CA
+##################################################################
+# For com.netscape.cmscore.listeners
+##################################################################
+LISTENERS_NO_NOTIFY_SENDER_EMAIL_CONFIG_FOUND=No notify sender email found in the configuration.
+LISTENERS_NO_NOTIFY_RECVR_EMAIL_CONFIG_FOUND=No notify recipient email found in the configuration.
+##################################################################
+# For com.netscape.cms.util
+##################################################################
+UTIL_HASH_FILE_CHECK_USAGE=usage: HashFileCheck
+UTIL_BAD_ARG_COUNT=incorrect number of arguments
+UTIL_NO_SUCH_FILE_1=can't find file {0}
+UTIL_FILE_TRUNCATED=Log file has been truncated.
+UTIL_DIGEST_MATCH_1=Hash digest matches log file. {0} OK
+UTIL_DIGEST_DONT_MATCH_1=Hash digest does NOT match log file. {0} and/or hash file is corrupt or the password is incorrect.
+UTIL_EXCEPTION_1=Caught unexpected exception {0}
+UTIL_LOG_PASSWORD=Please enter the log file hash digest password:
+UTIL_NO_USERID=No user ID in config file. Running as {0}
+UTIL_NO_SUCH_USER_2=No such user as {0}. Running as {1}
+UTIL_NO_UID_PERMISSION_2=Can't change process UID to {0}. Running as {1}
+UTIL_SHUTDOWN_SIG=Received shutdown signal
+UTIL_RESTART_SIG=Received restart signal
+##################################################################
+# For com.netscape.cms.authorization
+##################################################################
+AUTHZ_EVALUATOR_NULL=access evaluator {0} is null
+AUTHZ_EVALUATOR_NOT_FOUND=access evaluator {0} not found
+AUTHZ_OP_NOT_SUPPORTED=operator {0} not supported
+AUTHZ_EVALUATOR_ACCESS_DENIED=checkPermission(): permission denied for the resource {0} on operation {1}
+AUTHZ_EVALUATOR_AUTHORIZATION_FAILED=Authorization Failed
+AUTHZ_EVALUATOR_FLUSH_RESOURCES=updateACLs: failed to flushResourceACLs(): {0}
+AUTHZ_EVALUATOR_INIT_ERROR=init() - {0}
+AUTHZ_EVALUATOR_FLUSH_ERROR=Shutdown Flush Error - {0}
+AUTHZ_EVALUATOR_LDAP_ERROR=LDAP Connection Shutdown Error - {0}
+##################################################################
+# For com.netscape.cms.crl
+##################################################################
+CRL_CREATE_AKI_EXT=Cannot create AuthorityKeyIdentifier extension - {0}
+CRL_CERT_PARSING_ERROR=Error parsing certificate - {0}
+CRL_CERT_CERT_EXCEPTION=certificate exception - {0}
+CRL_CREATE_CRL_NUMBER_EXT=Cannot create CRLNumber extension - {0}
+CRL_CREATE_CRL_REASON_EXT=Cannot create CRLReason extension - {0}
+CRL_CREATE_CERT_ISSUER_EXT=Cannot create CertificateIssuer extension - {0}
+CRL_CREATE_INVALID_NUM_NAMES=Invalid numNames property for CRL CertificateIssuer extension - {0}
+CRL_CREATE_UNDEFINED_TYPE=Undefined nameType {0} property for CRL CertificateIssuer extension - {1}
+CRL_CREATE_INVALID_TYPE=Invalid nameType {0} property for CRL CertificateIssuer extension - {1}
+CRL_CREATE_INVALID_500NAME=Invalid X500name - {0}
+CRL_CREATE_INVALID_NAME_TYPE=Invalid nameType {0} property for CertificateIssuer
+CRL_CREATE_DELTA_CRL_EXT=Cannot create DeltaCRLIndicator extension - {0}
+CRL_CREATE_HOLD_INSTR_EXT=Cannot create HoldInstruction extension - {0}
+CRL_CREATE_HOLD_UNDEFINED=Undefined instruction property for CRL HoldInstruction extension set to none - {0}
+CRL_CREATE_HOLD_INVALID=Invalid instruction property for CRL HoldInstruction extension set to none - {0}
+CRL_CREATE_INVALIDITY_DATE_EXT=Cannot create InvalidityDate extension - {0}
+CRL_CREATE_ISSUER_ALT_NAME_EXT=Cannot create IssuerAlternativeName extension - {0}
+CRL_CREATE_ISSUER_INVALID_NUM_NAMES=Invalid numNames property for IssuerAlternativeName extension - {0}
+CRL_CREATE_ISSUER_UNDEFINED_TYPE=Undefined nameType {0} property for CRL IssuerAlternativeName extension - {1}
+CRL_CREATE_ISSUER_INVALID_TYPE=Invalid nameType {0} property for CRL IssuerAlternativeName extension - {1}
+CRL_INVALID_OTHER_NAME=Invalid OtherName - {0}
+CRL_CREATE_DIST_POINT_UNDEFINED=Undefined pointType property for CRL IssuingDistributionPoint extension - {0}
+CRL_CREATE_DIST_POINT_INVALID=Invalid pointType property for CRL IssuingDistributionPoint extension - {0}
+CRL_CREATE_RDN=Error creating RDN - {0}
+CRL_INVALID_POTINT_TYPE=Invalid pointType {0} property for IssuingDistributionPoint
+CRL_CANNOT_SET_NAME=Cannot set general names in IssuingDistributionPoint - {0}
+CRL_INVALID_PROPERTY=Invalid {0} property for IssuingDistributionPoint - {1}
+CRL_CREATE_AIA_INVALID_NUM_ADS=Invalid number of AccessDescriptions in AuthorityInformationAccess extension - {0}
+CRL_CREATE_AIA_AD_AM_UNDEFINED=Undefined accessMethod property in AuthorityInformationAccess extension - {0}
+CRL_CREATE_AIA_AD_AM_INVALID=Invalid accessMethod property in AuthorityInformationAccess extension - {0}
+CRL_CREATE_AIA_AD_ALT_UNDEFINED=Undefined accessLocationType property in AuthorityInformationAccess extension - {0}
+CRL_CREATE_AIA_AD_ALT_INVALID=Invalid accessLocationType property in AuthorityInformationAccess extension - {0}
+CRL_CREATE_AIA_AD_AL_UNDEFINED=Undefined accessLocation property in AuthorityInformationAccess extension - {0}
+CRL_CREATE_AIA_AD_AL_INVALID=Invalid accessLocation property in AuthorityInformationAccess extension - {0}
+##################################################################
+# For com.netscape.cms.evaluator
+##################################################################
+EVALUTOR_UG_NULL=UsrGrp subsystem is null
+EVALUTOR_UID_NULL=evaluate(): GroupAccessEvaluator.evaluate(): UID in authToken is null
+EVALUTOR_UID_IS_NULL=evaluate(): UserAccessEvaluator.evaluate(): UID in authToken is null
+EVALUATOR_IPADDRESS_NULL=evaluate(): IPAddressEvaluator.evaluate(): IPAdress in session context is null
+##################################################################
+# For com.netscape.cms.jobs
+##################################################################
+JOBS_TEMPLATE_INIT_ERROR=template init not successful
+JOBS_SEND_NOTIFICATION=Send Notification Error {0}
+JOBS_FAILED_PROCESS=Failed to process {0}
+JOBS_SUMMARY_CONTENT_NULL=summary content null
+JOBS_EXCEPTION_IN_RUN=Exception caught in run() {0}
+JOBS_GET_CERT_ERROR=failed getting CertRecord.ATTR_META_INFO REQUEST_ID for certificate serial number 0x{0}
+JOBS_META_INFO_ERROR=certificate serial number 0x{0} Error - getting CertRecord.ATTR_META_INFO: {1}
+JOBS_META_REQUEST_ERROR=certificate serial number 0x{0} Error - getting CertRecord.META_REQUEST_ID: {1}
+JOBS_FIND_REQUEST_ERROR=certificate serial number 0x{0} Error - RequestQueue.findRequest(): {1}
+JOBS_UNPUBLISH_ERROR=certificate serial number 0x{0} Error - unpublish(): {1}
+JOBS_PUBLISH_ERROR=certificate serial number 0x{0} Error - publish(): {1}
+##################################################################
+# For com.netscape.cms.listeners
+##################################################################
+LISTENERS_CERT_ISSUED_SET_RESOLVER=Error setting EmailResolverKeys: {0}
+LISTENERS_CERT_ISSUED_EXCEPTION=Exception caught in accept() {0}
+LISTENERS_CERT_ISSUED_NOTIFY_ERROR=failed to resolve email for notification: Serial Number={0}; Request ID={1}
+LISTENERS_CERT_ISSUED_TEMPLATE_ERROR=template null, serial number and requst ID sent to user: Serial Number={0}; Request ID={1}
+LISTENERS_CERT_ISSUED_REJECTION=CertIssued rejection file null
+LISTENERS_CERT_ISSUED_REJECTION_NOTIFICATION=failed to resolve email for rejection notification: Request ID={0}
+LISTENERS_CERT_ISSUED_SET=set(): invalid param name
+LISTENERS_REQUEST_PORT_NOT_FOUND=agent port not found
+LISTENERS_TEMPLATE_NOT_INIT=template init not successful
+LISTENERS_TEMPLATE_NOT_GET=Template not retrievable for Request in Queue notification
+LISTENERS_SEND_FAILED=Send failed: {0}
+##################################################################
+# For com.netscape.cms.logging
+##################################################################
+LOGGING_READ_ERROR=logging: {0}: read error at line {1}
+LOGGING_FILE_NOT_FOUND=logging: {0} not found
+#
+####################### SIGNED AUDIT EVENTS #############################
+# The following are signedAudit events. They are required by CIMC PP.
+# Please consult cfu before adding/deleting/modifying the following events
+#
+# signedAudit messages common fields:
+# Outcome must be "success" or "failure"
+# SubjectID must be the UID of the user responsible for the operation
+# "$System$" if system-initiated operation (e.g. log signing)
+#
+# LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP
+# - used at audit function startup
+#
+LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup
+#
+# LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN
+# - used at audit function shutdown
+#
+LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown
+#
+# LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION
+# - used for verifying CIMC system certificates
+# - CertNickName is the cert nickname
+#
+LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CIMC certificate verification
+#
+# LOGGING_SIGNED_AUDIT_ROLE_ASSUME
+# - used when user assumes a role (in current CS that's when one accesses a
+# role port)
+# Role must be be one of the valid roles, by default: "Administrators",
+# "Certificate Manager Agents", and "Auditors"
+# note that customized role names can be used once configured
+#
+LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3=:[AuditEvent=ROLE_ASSUME][SubjectID={0}][Outcome={1}][Role={2}] assume privileged role
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY
+# - used when configuring certificate policy constraints and extensions
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=:[AuditEvent=CONFIG_CERT_POLICY][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate policy constraint or extension configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE
+# - used when configuring certificate profile
+# (general settings and certificate profile)
+# (extensions and constraints policies are to be obsoleted but do it anyway)
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=:[AuditEvent=CONFIG_CERT_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate profile configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE
+# - used when configuring CRL profile
+# (extensions, frequency, CRL format)
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=:[AuditEvent=CONFIG_CRL_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] CRL profile configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE
+# - used when configuring OCSP profile
+# (everything under Online Certificate Status Manager)
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=:[AuditEvent=CONFIG_OCSP_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] OCSP profile configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_AUTH
+# - used when configuring authentication
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+# --- Password MUST NOT be logged ---
+#
+LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=:[AuditEvent=CONFIG_AUTH][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] authentication configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_ROLE
+# - used when configuring role information (anything under users/groups)
+# add/remove/edit a role, etc)
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3=:[AuditEvent=CONFIG_ROLE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] role configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_ACL
+# - used when configuring ACL information
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=:[AuditEvent=CONFIG_ACL][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] ACL configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT
+# - used when configuring signedAudit
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3=:[AuditEvent=CONFIG_SIGNED_AUDIT][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] signed audit configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION
+# - used when configuring encryption (cert settings and SSL cipher preferences)
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=:[AuditEvent=CONFIG_ENCRYPTION][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] encryption configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY
+# - used when
+# 1. "Manage Certificate" is used to edit the trustness of certificates
+# and deletion of certificates
+# 2. "Certificate Setup Wizard" is used to import CA certificates into the
+# certificate database (Although CrossCertificatePairs are stored
+# within internaldb, audit them as well)
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3=:[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate database configuration
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_DRM
+# - used when configuring DRM
+# (Key recovery scheme, change of any secret component)
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+# --- secret component (password) MUST NOT be logged ---
+#
+LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=:[AuditEvent=CONFIG_DRM][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] DRM configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION
+# - used when self tests are run
+#
+LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details)
+#
+# LOGGING_SIGNED_AUDIT_LOG_DELETE
+# - used AFTER audit log gets expired (authz should not allow,
+# but in case authz gets compromised. Make sure it is written
+# AFTER the log expiration happens)
+# LogFile must be the complete name (including the path) of the
+# signedAudit log that is attempted to be deleted
+#
+LOGGING_SIGNED_AUDIT_LOG_DELETE_3=:[AuditEvent=AUDIT_LOG_DELETE][SubjectID={0}][Outcome={1}][LogFile={2}] signedAudit log deletion
+#
+# LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE
+# - used when log file name (including any path changes) for any of
+# audit, system, transaction, or other customized log file
+# change is attempted (authz should not allow, but make sure it's
+# written after the attempt)
+# LogType must be "System", "Transaction", or "SignedAudit"
+# toLogFile must be the name (including any path changes) that the user is
+# attempting to change to
+#
+LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PATH_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][toLogFile={3}] log path change attempt
+#
+# LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE
+# - used when log expiration time change is attempted (authz should not
+# allow, but make sure it's written after the attempt)
+# LogType must be "System", "Transaction", or "SignedAudit"
+# ExpirationTime must be the amount of time (in seconds) that is
+# attempted to be changed to
+#
+# -- feature disabled --
+#LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt
+#
+# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST
+# - used when user private key archive request is made
+# this is an option in a certificate enrollment request detected by RA or CA
+# so should be seen logged right following the certificate request, if selected
+# ReqID must be the certificate enrollment request ID associated with the
+# CA archive option (even if the request was originally submitted via
+# an RA) (this field is set to the "EntityID" in caase of server-side key gen)
+# ArchiveID must be the DRM request ID associated with the
enrollment ID, +# ReqID (this field will be "N/A" when logged by the CA) +# +LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4=:[AuditEvent=PRIVATE_KEY_ARCHIVE_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ArchiveID={3}] private key archive request +# +# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED +# - used when user private key archive request is processed +# this is when DRM receives and processed the request +# PubKey must be the base-64 encoded public key associated with +# the private key to be archived +# +LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3=:[AuditEvent=PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][PubKey={2}] private key archive request processed +# +# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS +# - used when user private key export request is made and processed with success +# - this is used in case of server-side keygen when keys generated on the server +# need to be transported back to the client +# EntityID must be the id that represents the client +# PubKey must be the base-64 encoded public key associated with +# the private key to be archived +# +LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4=:[AuditEvent=PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][EntityID={2}][PubKey={3}] private key export request processed with success +# +# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE +# - used when user private key export request is made and processed with failure +# - this is used in case of server-side keygen when keys generated on the server +# need to be transported back to the client +# EntityID must be the id that represents the client +# PubKey must be the base-64 encoded public key associated with +# the private key to be archived +# 
+LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4=:[AuditEvent=PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][EntityID={2}][PubKey={3}] private key export request processed with failure +# +# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST +# - used when server-side key generation request is made +# This is for tokenkeys +# EntityID must be the representation of the subject that will be on the certificate when issued +LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST][SubjectID={0}][Outcome={1}][EntityID={2}] server-side key generation request processed +# +# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS +# - used when server-side key generation request has been processed with success +# This is for tokenkeys +# EntityID must be the representation of the subject that will be on the certificate when issued +# PubKey must be the base-64 encoded public key associated with +# the private key to be archived +LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][EntityID={2}][PubKey={3}] server-side key generation request processed with success +# +# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE +# - used when server-side key generation request has been processed with failure +# This is for tokenkeys +# EntityID must be the representation of the subject that will be on the certificate when issued +LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][EntityID={2}] server-side key generation request processed with failure +# +# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST +# - used when key recovery request is made +# RecoveryID must be the recovery request ID +# PubKey must be the base-64 encoded public key associated with +# the private key to be 
recovered +# +LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made +# +# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC +# - used when asynchronous key recovery request is made +# RequestID must be the recovery request ID +# PubKey must be the base-64 encoded public key associated with +# the private key to be recovered +# +LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4=:[AuditEvent=KEY_RECOVERY_REQUEST_ASYNC][SubjectID={0}][Outcome={1}][RequestID={2}][PubKey={3}] asynchronous key recovery request made +# +# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN +# - used when DRM agents login as recovery agents to approve +# key recovery requests +# RecoveryID must be the recovery request ID +# RecoveryAgent must be the recovery agent the DRM agent is +# logging in with +# +LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login +# +# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED +# - used when key recovery request is processed +# RecoveryID must be the recovery request ID +# RecoveryAgents must be a comma-separated list of +# UIDs of the recovery agents approving this request +# +LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4=:[AuditEvent=KEY_RECOVERY_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgents={3}] key recovery request processed +# +# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC +# - used when key recovery request is processed +# RequestID must be the recovery request ID +# RecoveryAgents must be a comma-separated list of +# UIDs of the recovery agents approving this request +# +LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4=:[AuditEvent=KEY_RECOVERY_REQUEST_PROCESSED_ASYNC][SubjectID={0}][Outcome={1}][RequestID={2}][RecoveryAgents={3}] asynchronous key recovery request 
processed +# +# LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC +# - used when asymmetric keys are generated +# (like when CA certificate requests are generated - +# e.g. CA certificate change over, renewal with new key, etc.) +# PubKey must be the base-64 encoded public key material +# +LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation +# +# LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST +# - used when a non-profile certificate request is made (before approval process) +# SubjectID must be the UID of user that triggered this event +# (if CMC enrollment requests signed by an agent, SubjectID should +# be that of the agent), while +# CertSubject must be the certificate subject name of the certificate request +# ReqID must be the certificate request ID +# ServiceID must be the identity of the servlet that submitted the original +# request +# +LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=:[AuditEvent=NON_PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ServiceID={3}][CertSubject={4}] certificate request made without certificate profiles +# +# LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST +# - used when a profile certificate request is made (before approval process) +# SubjectID must be the UID of user that triggered this event +# (if CMC enrollment requests signed by an agent, SubjectID should +# be that of the agent), while +# CertSubject must be the certificate subject name of the certificate request +# ReqID must be the certificate request ID +# ProfileID must be one of the certificate profiles defined by the +# administrator +# +LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=:[AuditEvent=PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ProfileID={3}][CertSubject={4}] certificate request made with certificate profiles +# +# LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED +# - used when certificate request has just been through the approval process +# SubjectID must be 
the UID of the agent who approves, rejects, or cancels +# the certificate request +# ReqID must be the request ID +# InfoName must be value "certificate" (in case of approval), "rejectReason" +# (in case of reject), or "cancelReason" (in case of cancel) +# InfoValue must contain the certificate (in case of success), a reject reason in +# text, or a cancel reason in text +# +LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5=:[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ReqID={2}][InfoName={3}][InfoValue={4}] certificate request processed +# +# LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST +# - used when a certificate status change request (e.g. revocation) +# is made (before approval process) +# ReqID must be the request ID +# CertSerialNum must be the serial number (in hex) of the certificate to be revoked +# RequestType must be "revoke", "on-hold", "off-hold" +# +LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5=:[AuditEvent=CERT_STATUS_CHANGE_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][CertSerialNum={3}][RequestType={4}] certificate revocation/unrevocation request made +# +# LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED +# - used when certificate status is changed (revoked, expired, on-hold, +# off-hold) +# SubjectID must be the UID of the agent that processed the request +# ReqID must be the request ID +# RequestType must be "revoke", "on-hold", "off-hold" +# Approval must be "complete", "rejected", or "canceled" +# (note that "complete" means "approved") +# CertSerialNum must be the serial number (in hex) +# RevokeReasonNum must contain one of the following number: +# reason number reason +# -------------------------------------- +# 0 Unspecified +# 1 Key compromised +# 2 CA key compromised (should not be used) +# 3 Affiliation changed +# 4 Certificate superceded +# 5 Cessation of operation +# 6 Certificate is on-hold +# 
+LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7=:[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ReqID={2}][CertSerialNum={3}][RequestType={4}][RevokeReasonNum={5}][Approval={6}] certificate status change request processed +# +# LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS +# - used when authorization is successful +# Outcome must be success for this event +# aclResource must be the ACL resource ID as defined in ACL resource list +# Op must be one of the operations as defined with the ACL statement +# e.g. "read" for an ACL statement containing "(read,write)" +# +LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4=:[AuditEvent=AUTHZ_SUCCESS][SubjectID={0}][Outcome={1}][aclResource={2}][Op={3}] authorization success +# +# LOGGING_SIGNED_AUDIT_AUTHZ_FAIL +# - used when authorization has failed +# Outcome must be failure for this event +# aclResource must be the ACL resource ID as defined in ACL resource list +# Op must be one of the operations as defined with the ACL statement +# e.g. 
"read" for an ACL statement containing "(read,write)" +# +LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4=:[AuditEvent=AUTHZ_FAIL][SubjectID={0}][Outcome={1}][aclResource={2}][Op={3}] authorization failure +# +# LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS +# - used when inter-CIMC_Boundary data transfer is successful +# (this is used when data does not need to be captured) +# ProtectionMethod must be one of the following: "SSL", or "unknown" +# ReqType must be the request type +# ReqID must be the request ID +# +LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=:[AuditEvent=INTER_BOUNDARY][SubjectID={0}][Outcome={1}][ProtectionMethod={2}][ReqType={3}][ReqID={4}] inter-CIMC_Boundary communication (data exchange) success +# +# LOGGING_SIGNED_AUDIT_AUTH_FAIL +# - used when authentication fails (in case of SSL-client auth, +# only webserver env can pick up the SSL violation; +# CS authMgr can pick up certificate mis-match, so this event is used) +# Outcome should always be "failure" in this event +# (obviously, if authentication failed, you won't have a valid SubjectID, so +# in this case, SubjectID should be $Unidentified$) +# AuthMgr must be the authentication manager instance name that did +# this authentication +# AttemptedCred must be the credential attempted and failed +# +LOGGING_SIGNED_AUDIT_AUTH_FAIL_4=:[AuditEvent=AUTH_FAIL][SubjectID={0}][Outcome={1}][AuthMgr={2}][AttemptedCred={3}] authentication failure +# +# LOGGING_SIGNED_AUDIT_AUTH_SUCCESS +# - used when authentication succeeded +# Outcome should always be "success" in this event +# AuthMgr must be the authentication manager instance name that did +# this authentication +# +LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3=:[AuditEvent=AUTH_SUCCESS][SubjectID={0}][Outcome={1}][AuthMgr={2}] authentication success +# +# LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL +# - used when an agent approves/disapproves a certificate profile set by the +# administrator for automatic approval +# ProfileID must be one of the profiles defined by the 
administrator +# and to be approved by an agent +# Op must be "approve" or "disapprove" +# +LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate approval +# +# LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION +# - used when proof of possession is checked during certificate enrollment +# +LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2=:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}] checking proof of possession +# +# LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL +# - used when CRLs are retrieved by the OCSP Responder +# Outcome is "success" when CRL is retrieved successfully, "failure" otherwise +# CRLnum is the CRL number that identifies the CRL +# +LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=:[AuditEvent=CRL_RETRIEVAL][SubjectID={0}][Outcome={1}][CRLnum={2}] CRL retrieval +# +# LOGGING_SIGNED_AUDIT_CRL_VALIDATION +# - used when CRL is retrieved and validation process occurs +# +LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation +# +# LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST +# - used when a CA is attempted to be added to the OCSP Responder +# Outcome is "success" as the request is made +# CA must be the base-64 encoded PKCS7 certificate (or chain) +LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_3=:[AuditEvent=OCSP_ADD_CA_REQUEST][SubjectID={0}][Outcome={1}][CA={2}] request to add a CA for OCSP Responder +# +# LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED +# - used when an add CA request to the OCSP Responder is processed +# Outcome is "success" when CA is added successfully, "failure" otherwise +# CASubjectDN is the subject DN of the leaf CA cert in the chain +LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED_3=:[AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][CASubjectDN={2}] Add CA for OCSP Responder +# +# LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST +# - used when a CA is attempted to be removed from the OCSP 
Responder +# Outcome is "success" as the request is made +# CA must be the DN id of the CA +LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_3=:[AuditEvent=OCSP_REMOVE_CA_REQUEST][SubjectID={0}][Outcome={1}][CA={2}] request to remove a CA from OCSP Responder +# +# LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED_SUCCESS +# - used when a remove CA request to the OCSP Responder is processed successfully +# Outcome is "success" when CA is removed successfully, "failure" otherwise +# CASubjectDN is the subject DN of the leaf CA cert in the chain +LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS_3=:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][CASubjectDN={2}] Remove CA for OCSP Responder is successful +# +# LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE +# - used when a remove CA request to the OCSP Responder is processed and failed +# Outcome is "failure" +# CASubjectDN is DN ID of the CA +LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3=:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][CASubjectDN={2}] Remove CA for OCSP Responder has failed +# +# LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY +# - used when CMC (agent-pre-signed) certificate requests or revocation requests +# are submitted and signature is verified +# ReqType must be the request type (enrollment, or revocation) +# CertSubject must be the certificate subject name of the certificate request +# SignerInfo must be a unique String representation for the signer +# +LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5=:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] agent pre-approved CMC request signature verification + +# LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST +# - used for TPS to TKS to get random challenge data +# AgentID must be the trusted agent id used to make the request 
+LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request + +# LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS +# - used for TPS to TKS to get random challenge data +# Outcome is SUCCESS or FAILURE +# Status is 0 for no error. +# AgentID must be the trusted agent id used to make the request +LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS_3=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS][Outcome={0}][Status={1}][AgentID={2}] TKS Compute random data request processed successfully + +# LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE +# - used for TPS to TKS to get random challenge data +# Outcome is SUCCESS or FAILURE +# Status is 0 for no error. +# Error gives the error message +# AgentID must be the trusted agent id used to make the request +LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE_4=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCCESED_FAILURE][Outcome={0}][Status={1}][AgentID={2}][Error={3}] TKS Compute random data request failed + +# +# +# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST +# - used for TPS to TKS to get a sessoin key for secure channel setup +# SubjectID must be the CUID of the token establishing the secure channel +# AgentID must be the trusted agent id used to make the request +LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_3=:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][SubjectID={0}][Outcome={1}][AgentID={2}] TKS Compute session key request +# +# +# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS +# - request for TPS to TKS to get a sessoin key for secure channel processed +# SubjectID must be the CUID of the token establishing the secure channel +# AgentID must be the trusted agent id used to make the request +# Outcome is SUCCESS or FAILURE +# Status is 0 for no error. 
+# IsCryptoValidate tells if the card cryptogram is to be validated +# IsServerSideKeygen tells if the keys are to be generated on server +# SelectedToken is the cryptographic token performing key operations +# KeyNickName is the number keyset ex: #01#01 +# +LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_8=:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][IsCryptoValidate={4}][IsServerSideKeygen={5}][SelectedToken={6}][KeyNickName={7}] TKS Compute session key request processed successfully +# +# +# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE +# - request for TPS to TKS to get a sessoin key for secure channel processed +# SubjectID must be the CUID of the token establishing the secure channel +# Outcome is SUCCESS or FAILURE +# Status is error code or 0 for no error. +# AgentID must be the trusted agent id used to make the request +# status is 0 for success, non-zero for various errors +# IsCryptoValidate tells if the card cryptogram is to be validated +# IsServerSideKeygen tells if the keys are to be generated on server +# SelectedToken is the cryptographic token performing key operations +# KeyNickName is the numeric keyset ex: #01#01 +# Error gives the error message +LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_9=:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][IsCryptoValidate={4}][IsServerSideKeygen={5}][SelectedToken={7}][KeyNickName={7}][Error={8}] TKS Compute session key request failed +# + +# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST +# - request for TPS to TKS to do key change over +# SubjectID must be the CUID of the token requesting key change over +# AgentID must be the trusted agent id used to make the request +# status is 0 for success, non-zero for various errors +# oldMasterKeyName is the old master key name +# newMasterKeyName is the new master key name 
+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_5=:[AuditEvent=DIVERSIFY_KEY_REQUEST][SubjectID={0}][Outcome={1}][AgentID={2}][oldMasterKeyName={3}][newMasterKeyName={4}] TKS Key Change Over request +# +########################### +# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS +# - request for TPS to TKS to do key change over request processed +# SubjectID must be the CUID of the token requesting key change over +# AgentID must be the trusted agent id used to make the request +# Outcome is SUCCESS or FAILURE +# status is 0 for success, non-zero for various errors +# oldMasterKeyName is the old master key name +# newMasterKeyName is the new master key name +LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_6=:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][oldMasterKeyName={4}][newMasterKeyName={5}] TKS Key Change Over request processed successfully +# +# +########################### +# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE +# - request for TPS to TKS to do key change over request processed +# SubjectID must be the CUID of the token requesting key change over +# AgentID must be the trusted agent id used to make the request +# Outcome is SUCCESS or FAILURE +# status is 0 for success, non-zero for various errors +# oldMasterKeyName is the old master key name +# newMasterKeyName is the new master key name +# Error gives the error message +LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_7=:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][oldMasterKeyName={4}][newMasterKeyName={5}][Error={6}] TKS Key Change Over request failed +# + +# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST +# - request from TPS to TKS to encrypt data +# (or generate random data and encrypt) +# SubjectID must be the CUID of the token requesting encrypt data +# AgentID must be the trusted agent id used to make the request +# status 
is 0 for success, non-zero for various errors +# isRandom tells if the data is randomly generated on TKS +LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3}] TKS encrypt data request +# +# +# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS +# - request from TPS to TKS to encrypt data +# (or generate random data and encrypt) +# SubjectID must be the CUID of the token requesting encrypt data +# AgentID must be the trusted agent id used to make the request +# Outcome is SUCCESS or FAILURE +# status is 0 for success, non-zero for various errors +# isRandom tells if the data is randomly generated on TKS +# SelectedToken is the cryptographic token performing key operations +# KeyNickName is the numeric keyset ex: #01#01 +LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_7=:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][isRandom={4}][SelectedToken={5}][KeyNickName={6}] TKS encrypt data request processed successfully +# +# +# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE +# - request from TPS to TKS to encrypt data +# (or generate random data and encrypt) +# SubjectID must be the CUID of the token requesting encrypt data +# AgentID must be the trusted agent id used to make the request +# Outocme is SUCCESS or FAILURE +# status is 0 for success, non-zero for various errors +# isRandom tells if the data is randomly generated on TKS +# SelectedToken is the cryptographic token performing key operations +# KeyNickName is the numeric keyset ex: #01#01 +# Error gives the error message +LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_8=:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][isRandom={4}][SelectedToken={5}][KeyNickName={6}][Error={7}] TKS encrypt data request failed +# +# +# +# LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE +# - used 
when updating contents of security domain +# (add/remove a subsystem) +# ParamNameValPairs must be a name;;value pair +# (where name and value are separated by the delimiter ;;) +# separated by + (if more than one name;;value pair) of config params changed +# +LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=:[AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] security domain update +# +# +# +# LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER +# - used when configuring serial number ranges +# (when requesting a serial number range when cloning, for example) +# ParamNameValPairs must be a name;;value pair +# (where name and value are separated by the delimiter ;;) +# separated by + (if more than one name;;value pair) of config params changed +# +LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=:[AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] serial number range update + + +########################### +#Unselectable signedAudit Events +# +# LOGGING_SIGNED_AUDIT_SIGNING +# - used when a signature on the audit log is generated (same as "flush" time) +# SubjectID is predefined to be "$System$" because this operation +# associates with no user +# sig must be the base-64 encoded signature of the buffer just flushed +# +LOGGING_SIGNED_AUDIT_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2} +################################################################## +# For com.netscape.cms.ocsp +################################################################## +OCSP_REQUEST_FAILURE=request processing failure {0} +OCSP_DECODE_CERT=failed to decode certificate data e={0} +OCSP_DECODE_CRL=failed to decode CRL data e={0} +OCSP_LOCATE_CA=Failed to locate CA Certificate {0} +OCSP_LOCATE_CRL=Failed to locate CRL {0} +################################################################## +# For com.netscape.cms.publish 
+################################################################## +PUBLISH_DN_PATTERN_INIT=Can't init the dnPattern: {0} - {1} +PUBLISH_DN_NOT_FORMED=No DN formed +PUBLISH_MORE_THAN_ONE_ENTRY=More than one entry {0} returned for {1} +PUBLISH_ENTRY_NOT_FOUND=No entry {0} found for {1} +PUBLISH_NO_LDAP_SERVER=Cannot connect to LDAP server. Error: LDAP Server is unavailable. +PUBLISH_DN_MAP_EXCEPTION={0} exception in map {1} +PUBLISH_CA_ENTRY_NOT_CREATED=CA entry is not created. This may be because of the UID uniqueness plugin setting in your slapd.ldbm.conf and the possibility that there is an entry with the same UID that already exists. See release notes for details. +PUBLISH_CA_ENTRY_NOT_CREATED1=CA entry was not created. This may be because there are entries in the directory hierarchy that do not exist. +PUBLISH_EXCEPTION_CAUGHT=EBasexception caught: {0} +PUBLISH_CANT_GET_EXT=can't get ext {0} +PUBLISH_PUBLISH_OBJ_NOT_SUPPORTED=No support for publish object {0} +PUBLISH_CANT_FORM_DN=Can't form DN for request: {0} {1} +PUBLISH_CANT_DECODE_CERT=Cannot decode cert: {0} +PUBLISH_CANT_DECODE_CRL=Cannot decode CRL: {0} +PUBLISH_NOT_SUPPORTED_OBJECT=No support for this publish object +PUBLISH_CANT_GET_SUBJECT=Cannot get subject name in map: {0} +PUBLISH_NO_BASE=No base and no DN formed +PUBLISH_FROM_SUBJ_TO_DN=from subjname to DN comps failed: {0} +PUBLISH_FILE_PUBLISHER_ERROR=FileBasedPublisher: {0} +PUBLISH_PUBLISHER_EXCEPTION={0} exception in publisher {1} +PUBLISH_UNPUBLISH_ERROR=Error unpublishing: {0} +PUBLISH_PUBLISH_ERROR=Error publishing: {0} +PUBLISH_CHECK_FAILED=Check failed: {0} +PUBLISH_SET_CRL_REASON=Error setting CRL reason {0}. 
Error {1} +PUBLISH_OCSP_PUBLISHER_ERROR=OCSPPublisher: {0} +################################################################## +# For com.netscape.cms.selftests +################################################################## +SELFTESTS_PARAMETER_WAS_NULL={0}: a self test parameter was null +SELFTESTS_MISSING_NAME={0}: the self test property name {1} does not exist +SELFTESTS_MISSING_VALUES={0}: the self test property name {1} contained no value(s) +SELFTESTS_INVALID_VALUES={0}: the self test property name {1} contained invalid value(s) +SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_FAILURE={0}: system certs verification failure +SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_SUCCESS={0}: system certs verification success +SELFTESTS_CA_IS_NOT_PRESENT={0}: CA is NOT present +SELFTESTS_CA_IS_NOT_INITIALIZED={0}: CA is NOT yet initialized +SELFTESTS_CA_IS_CORRUPT={0}: CA public key is corrupt +SELFTESTS_CA_IS_PRESENT={0}: CA is present +SELFTESTS_CA_IS_NOT_YET_VALID={0}: CA is not yet valid +SELFTESTS_CA_IS_EXPIRED={0}: CA is expired +SELFTESTS_CA_IS_VALID={0}: CA is valid +SELFTESTS_OCSP_IS_NOT_PRESENT={0}: OCSP is NOT present +SELFTESTS_OCSP_IS_NOT_INITIALIZED={0}: OCSP is NOT yet initialized +SELFTESTS_OCSP_IS_CORRUPT={0}: OCSP public key is corrupt +SELFTESTS_OCSP_IS_PRESENT={0}: OCSP is present +SELFTESTS_OCSP_IS_NOT_YET_VALID={0}: OCSP is not yet valid +SELFTESTS_OCSP_IS_EXPIRED={0}: OCSP is expired +SELFTESTS_OCSP_IS_VALID={0}: OCSP is valid +SELFTESTS_KRA_IS_NOT_PRESENT={0}: KRA is NOT present +SELFTESTS_KRA_IS_NOT_INITIALIZED={0}: KRA is NOT yet initialized +SELFTESTS_KRA_IS_CORRUPT={0}: KRA public key is corrupt +SELFTESTS_KRA_IS_PRESENT={0}: KRA is present +SELFTESTS_RA_IS_NOT_PRESENT={0}: RA is NOT present +SELFTESTS_RA_IS_NOT_INITIALIZED={0}: RA is NOT yet initialized +SELFTESTS_RA_IS_CORRUPT={0}: RA public key is corrupt +SELFTESTS_RA_IS_PRESENT={0}: RA is present +SELFTESTS_TKS_FAILED={0}: TKS self test called {1} FAILED! 
+SELFTESTS_TKS_SUCCEEDED={0}: TKS self test called {1} ran SUCCESSFULLY +SELFTESTS_RUN_ON_DEMAND_REQUEST={0}: the passed in request parameter {1}, used to invoke running self tests on-demand, was missing +SELFTESTS_RUN_ON_DEMAND={0}: Running self test plugins specified to be executed on-demand: +SELFTESTS_NOT_RUN_ON_DEMAND={0}: There were NO self test plugins specified to be run on-demand! +SELFTESTS_RUN_ON_DEMAND_FAILED={0}: The CRITICAL self test plugin called {1} running on-demand FAILED! +SELFTESTS_RUN_ON_DEMAND_SUCCEEDED={0}: All CRITICAL self test plugins ran SUCCESSFULLY on-demand! +################################################################## +# For com.netscape.certsrv.listeners +################################################################## +NO_NOTIFY_SENDER_EMAIL_CONFIG_FOUND=No sender email notification found in the configuration. +NO_NOTIFY_RECVR_EMAIL_CONFIG_FOUND=No recipient email notification found in the configuration. diff --git a/base/common/src/UserMessages.properties b/base/common/src/UserMessages.properties new file mode 100644 index 000000000..1c78c98ce --- /dev/null +++ b/base/common/src/UserMessages.properties 
@@ -0,0 +1,1133 @@
+#
+# User Messages
+#
+#######################################################
+# General
+#
+# Servlets which display these messages
+#
+#
+# ProfileApproveServlet
+# ProfileProcessServlet
+# ProfileReviewServlet
+# ProfileSelectServlet
+# ProfileSubmitServlet
+#
+#######################################################
+CMS_AUTHENTICATION_ERROR=Authentication Error
+CMS_AUTHORIZATION_ERROR=Authorization Error
+CMS_INTERNAL_ERROR=Server Internal Error
+CMS_REQUEST_ID_NOT_FOUND=Request ID Not Found
+CMS_PROFILE_ID_NOT_FOUND=Profile ID Not Found
+CMS_PROFILE_ID_NOT_ENABLED=Profile ID Not Enabled
+CMS_OP_NOT_FOUND=Operation Not Found
+CMS_REQUEST_NOT_FOUND=Request {0} Not Found
+CMS_REQUEST_NOT_PENDING=Request Not In Pending State
+CMS_AUTHENTICATION_MANAGER_NOT_FOUND=Authentication Manager {0} Not Found
+CMS_INVALID_PROPERTY=Invalid Property {0}
+CMS_INVALID_OPERATION=Invalid operation
+#######################################################
+# Base
+#
+# Servlets which display these messages
+#
+# AuthAdminServlet
+# ImportCertsTemplateFiler servlet
+# DoUnrevoke servlet
+# GetCertFromRequest servlet
+# UsrGrpAdminServlet
+# ListCerts servlet
+# ReasonToRevoke servlet
+# SrchCerts servlet
+# DisplayBySerialForRecovery servlet
+# ExamineRecovery servlet
+# GetPk12 servlet
+# GrantRecovery servlet
+# RecoverBySerial servlet
+# SrchKey servlet
+# SrchKeyForRecovery servlet
+# CheckRequest servlet
+# ProcessCertReq servlet
+# ProcessReq servelt
+#######################################################
+CMS_BASE_CERT_NOT_FOUND=Certificate not found
+CMS_BASE_ENCODE_CERT_FAILED=Failed to encode certificate
+CMS_BASE_NOT_TOKEN_CERT=The certificate being deleted is not a token certificate
+CMS_BASE_CERT_ERROR=Certificate Error: {0}
+CMS_BASE_INVALID_CERT_FORMAT=Invalid certificate content
+CMS_BASE_CONN_FAILED=Connection failed {0}
+CMS_BASE_REMOTE_AUTHORITY_ERROR=Backend server rejected or cancelled the request.
+CMS_BASE_INVALID_JOB_CRON=Invalid cron job
+CMS_BASE_ATTRIBUTE_NOT_FOUND=Attribute not found {0}
+CMS_BASE_INVALID_ATTR_TYPE=Invalid type for attribute {0}, error: {1}
+CMS_BASE_INVALID_ATTR_VALUE=Invalid value for attribute {0}, error: {1}
+CMS_BASE_MUST_BE_POSITIVE_NUMBER={0} must be a positive number greater than 0
+CMS_BASE_A_GREATER_THAN_EQUAL_B={0} must be greater than {1}
+CMS_BASE_MISSING_PKCS10_HEADER=Missing PKCS #10 header
+CMS_BASE_MISSING_PKCS10_TRAILER=Missing PKCS #10 trailer
+CMS_BASE_UNKNOWN_HOST=Invalid host name {0}
+CMS_BASE_INVALID_REQUEST_TYPE=Invalid request type {0}
+CMS_BASE_PID_EXIST=pid exists in the logs directory, server may already be running
+CMS_BASE_AUTHENTICATE_FAILED=Failed to authenticate - {0}
+CMS_BASE_INTERNAL_ERROR=Internal Error: {0}
+CMS_BASE_INVALID_OPERATION=Invalid operation
+CMS_BASE_NO_CONFIG_FILE=Cannot find config file: {0}
+CMS_BASE_CREATE_SERVICE_FAILED=Failed to create {0} service: {1}
+CMS_BASE_GET_PROPERTY_FAILED=Property {0} missing value
+CMS_BASE_GET_PROPERTY_NOVALUE=Property {0} missing value
+CMS_BASE_INVALID_PROPERTY=Cannot convert property {0}
+CMS_BASE_INVALID_PROPERTY_1=Cannot convert value of property {0} to a {1}. Expected format is {2}
+CMS_BASE_LOAD_FAILED=Failed to load {0}
+CMS_BASE_LOAD_FAILED_1=Failed to load {0}. Error {1}
+CMS_BASE_PERMISSION_DENIED=Permission denied
+CMS_BASE_INVALID_ATTRIBUTE=Invalid attribute {0}
+CMS_BASE_REQUEST_IN_BAD_STATE=Request is in a bad state
+CMS_BASE_ATTRIBUTE_NAME_CAN_NOT_BE_RESOLVED=Attribute name can not be resolved : {0}
+CMS_BASE_UTF8_NOT_SUPPORTED=Internal Error: UTF8 encoding not supported. Check your classpath or installation
+CMS_BASE_CA_SIGNINGCERT_NOT_FOUND=CA signing certificate not found
+CMS_BASE_INVALID_NUMBER_FORMAT=Invalid number format
+CMS_BASE_INVALID_NUMBER_FORMAT_1=Invalid number format: {0}
+CMS_BASE_INVALID_CERT_EXTENSION=Invalid certificate extension
+CMS_BASE_INVALID_ECC_CURVE_NAME=Invalid ECC Curve Name
+CMS_BASE_NO_EMPTY_CIPHERPREFS=Blank cipher preferences are not allowed
+CMS_BASE_LOGIN_FAILED=Failed to login to the token: incorrect password
+CMS_BASE_INVALID_KEYSIZE_PARAMS=The key size {0} is outside the bounds described by the DSA key pair generation algorithm.
+CMS_BASE_PQG_GEN_FAILED=Failed to generate the PQG parameters
+CMS_BASE_ALG_NOT_SUPPORTED=The algorithm {0} is not supported
+CMS_BASE_KEY_GEN_FAILED=Failed to generate the key pair
+CMS_BASE_TOKEN_NOT_FOUND=Token {0} not found
+CMS_BASE_INVALID_X500_NAME={0} does not conform to X500
+CMS_BASE_PROVIDER_NOT_SUPPORTED=The provider is not supported
+CMS_BASE_INVALID_KEY=Invalid key
+CMS_BASE_INVALID_KEY_1=Invalid key: {0}
+CMS_BASE_CERT_REQ_FAILED=Failed to generate a certificate request
+CMS_BASE_INVALID_CERT=Invalid certificate information: {0}
+CMS_BASE_INVALID_SIGNATURE=Invalid signature
+CMS_BASE_DECODE_CERT_FAILED=Failed to decode certificate
+CMS_BASE_CRYPTOMANAGER_UNINITIALIZED=Crypto manager has not been initialized
+CMS_BASE_USERCERT_CONFLICT=Certificate conflicts with an existing certificate on the token. If it is a Subject DN conflict, go back to the Subject Name panel to re-enter the DN. If this is a clone CA, make sure its serial number range begins with a number greater than that of all the certificates existing on the master's DB.
+CMS_BASE_NICKNAME_CONFLICT=Nickname has a conflict
+CMS_BASE_ITEM_NOT_FOUND_ON_TOKEN=Item was not found on the token
+CMS_BASE_SIGNED_FAILED=Signed Error: {0}
+CMS_BASE_TOKEN_ERROR=Token Error
+CMS_BASE_TOKEN_ERROR_1=Token Error: {0}
+CMS_BASE_REVOCATION_CHALLENGE_QUEUE_FAILED=Failed to get the queue for challenge phrase authentication
+CMS_BASE_GET_QUEUE_FAILED=Failed to get the request queue
+CMS_BASE_REQUIRED_PARAMETER={0} is a required parameter
+CMS_BASE_LOAD_CLASS_FAILED=Failed to load class {0}. Error: {1}
+CMS_BASE_INVALID_VALUE_FOR_TYPE=Invalid value for type {0}. Error: {1}
+CMS_BASE_INVALID_IP_ADDR=Invalid IP Address {0}.
+CMS_BASE_IMPORT_CERT_FAILED=Failed to import the certificate.
+CMS_BASE_INVALID_ISSUER_NAME=The client certificate was not issued from this CA
+CMS_BASE_INVALID_CERT_STATUS=Invalid certificate status: {0}
+CMS_BASE_DUPLICATE_ROLES=User {0} cannot be added to this group because he/she already belonged to some other groups
+CMS_BASE_NO_SUCH_ALGORITHM=No such algorithm
+#######################################################
+# CS gateway
+# Servlets which display these messages
+#
+# CMCRevReqServlet
+# ImportCertsTemplateFiller servlet
+# DisableEnrollResult servlet
+# DisplayCRL servlet
+# DisplayHashUserEnroll servlet
+# DoUnrevoke servlet
+# EnableEnrollResult servlet
+# EnrollServlet
+# GetBySerial servlet
+# GetCAChain servlet
+# GetCRL servlet
+# GetUserCertFromRequest servlet
+# GetEnableStatus servlet
+# GetInfo servlet
+# GetOCSPInfo servlet
+# HashEnrolServlet
+# ListCerts servlet
+# Monitor servlet
+# ReasonToRevoke servlet
+# RemotAuthConfig servlet
+# RenewalServlet
+# RevocationServlet
+# SrchCerts servlet
+# UpdateCRL servlet
+# UpdateDir servlet
+# DisplayBySerialForRecovery servlet
+# ConfirmRecoverBySerial servlet
+# DisaplayBySerial servlet
+# DisplayTransport servlet
+# ExamineRecovery servlet
+# GetApprovalStatus servlet
+# GetPk12 servlet
+# GrantRecovery servlet
+# RecoverBySerial servlet
+# SrchKey servlet
+# SrchKeyForRecovery servlet
+# AddCAServlet
+# AddCRLServlet
+# CheckCertServlet
+# ListCAServlet
+# CheckRequest servlet
+# ProcessCertReq servlet
+# ProcessReq servlet
+# QueryReq servlet
+#######################################################
+CMS_GW_MISSING_KEYGEN_INFO=Missing or malformed KeyGen, PKCS #10 or CRMF request.
+CMS_GW_MISSING_CERTINFO=Missing CertInfo in AuthToken of authenticated enrollment request.
+CMS_GW_MISSING_CA_CERT=Missing CA Certificate.
+CMS_GW_MISSING_CA_ID=Missing CA DN Id.
+CMS_GW_MISSING_CERT_HEADER=Missing Certificate Header.
+CMS_GW_MISSING_CERT_FOOTER=Missing Certificate Footer.
+CMS_GW_MISSING_CRL_=Missing CRL.
+CMS_GW_MISSING_CRL_HEADER=Missing CRL Header.
+CMS_GW_MISSING_CRL_FOOTER=Missing CRL Footer.
+CMS_GW_MISSING_KEY_IN_KEYGENINFO=Missing or malformed key in KeyGenInfo.
+CMS_GW_MISSING_KEY_IN_P10=PKCS #10 request is missing subject public key info.
+CMS_GW_MISSING_SUBJECT_IN_P10=PKCS #10 request is missing a subject name.
+CMS_GW_SET_KEY_FROM_KEYGEN_FAILED=Error setting key into certificate info from KeyGen. Error {0}.
+CMS_GW_NOT_A_CA=Feature available only for CA
+CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED=Error setting key into certificate info from certificate based enrollment. Error {0}.
+CMS_GW_INVALID_CERT_TYPE=SSL client certificate presented for this cert-based enrollment is not a signing only cert.
+CMS_GW_ENCRYPTION_CERT_NOT_FOUND=Pairing encryption certificate for cert-based dual certificate enrollment was not found in DB
+CMS_GW_MISSING_SSL_CLIENT_CERT=Missing SSL Client Certificate for certificate based enrollment
+CMS_GW_INVALID_CERTAUTH_ENROLL_TYPE=Invalid certAuthEnrollType
+CMS_GW_MISSING_CERTAUTH_ENROLL_TYPE=Missing certAuthEnrollType
+CMS_GW_SET_SUBJECT_FROM_P10_FAILED=Error setting subject name from PKCS #10 into certificate info . Error {0}.
+CMS_GW_CMC_TO_CERTINFO_ERROR=An Error was encountered while filling the certificate with the contents of the CMC message.
+CMS_GW_CRMF_TO_CERTINFO_ERROR=An Error was encountered while filling the certificate with the contents of the CRMF message.
+CMS_GW_MISSING_SUBJECT_NAME_FROM_AUTHTOKEN=Missing subject name from authentication.
+CMS_GW_SET_KEY_FROM_P10_FAILED=Error setting key from PKCS #10 into certificate info . Error {0}.
+CMS_GW_DECODING_CRL_ERROR=Error encountered while decoding CRL.
+CMS_GW_DECODING_CERT_ERROR=Error encountered while decoding certificate.
+CMS_GW_OLD_CRL_ERROR=CRL sent is older than the current CRL.
+CMS_GW_DELTA_CRL_NOT_SUPPORTED=Delta CRLs are not supported.
+CMS_GW_ENCODING_ISSUED_CERT_ERROR=Error encountered while encoding a certificate.
+CMS_GW_RETURNING_RESULT_ERROR=I/O Error encountered while outputting results.
+CMS_GW_DISPLAY_TEMPLATE_ERROR=Error encountered while rendering a response.
+CMS_GW_SET_SUBJECT_NAME_ERROR=Cannot convert the subject name from a string to an X500 Name.
+CMS_GW_SET_VALIDITY_ERROR=An Error was encountered while setting the validity in a cert.
+CMS_GW_SET_EXTENSIONS_ERROR=An Error was encountered while setting the extensions in a cert.
+CMS_GW_MISSING_CERTS_RENEW_FROM_AUTHMGR=You have no certificates to be renewed or the certificates are malformed.
+CMS_GW_MISSING_SERIALNO_FOR_RENEW=Missing or malformed serial number of certificate to renew.
+CMS_GW_INVALID_CERT_FOR_RENEWAL=The certificate(s) selected to be renewed is not from this CA.
+CMS_GW_SETTING_RENEWAL_VALIDITY_ERROR=An error was encountered while setting the certificate validity.
+CMS_GW_MISSING_SUBJECT_FROM_FORM=Missing subject name from the form.
+CMS_GW_MISSING_CERTS_REVOKE_FROM_AUTHMGR=You have no certificates to be revoked or the certificates are malformed.
+CMS_GW_MISSING_CERTS_REVOKE_FROM_SSL=You did not select a certificate to revoke or the certificate you selected is malformed.
+CMS_GW_MISSING_SERIALNO_FOR_REVOKE=Missing or malformed serial number of certificate to revoke.
+CMS_GW_CERT_ALREADY_REVOKED=The certificate has already been revoked.
+CMS_GW_INVALID_CERT_FOR_REVOCATION=The certificate(s) selected to be revoked is not from this CA.
+CMS_GW_NO_OPTIONS_SELECTED=You must select an option from the form.
+CMS_GW_INVALID_OPTIONS_SELECTED=The option(s) you selected is invalid. This could indicate a flaw in the form you are using.
+CMS_GW_GETTING_CA_CERT_ERROR=An error was encountered while getting the CA chain.
+CMS_GW_CA_CHAIN_EMPTY=The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
+CMS_GW_ENCODING_CA_CHAIN_ERROR=An error was encountered while encoding the CA chain.
+CMS_GW_CA_CHAIN_NOT_AVAILABLE=The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
+CMS_GW_DISPLAYING_CACHAIN_ERROR=An I/O error was encountered while outputting the CA chain.
+CMS_GW_NO_CRL_SELECTED=You must specify the CRL issuing point.
+CMS_GW_CRL_NOT_FOUND=The CRL you selected for download was not found.
+CMS_GW_CRL_NOT_UPDATED=The CRL you selected for download has not been updated.
+CMS_GW_NOT_YET_IMPLEMENTED=The operation you requested has not yet been implemented.
+CMS_GW_DISPLAYING_CRLINFO_ERROR=An I/O error was encountered while outputting the CRL result.
+CMS_GW_REQUEST_ID_NOT_FOUND=Request ID {0} was not found in the request queue.
+CMS_GW_INVALID_SERIAL_NUMBER=Certificate Serial number is not set or invalid.
+CMS_GW_FORMING_PKCS7_ERROR=Error Forming PKCS #7
+CMS_GW_INVALID_REQUEST_ID=Invalid Request ID {0}.
+CMS_GW_CRL_NOT_YET_UPDATED=The Certificate Revocation List has not been updated.
+CMS_GW_DECODE_CRL_FAILED=Failed to DER decode the Certificate Revocation List.
+CMS_GW_CERT_SERIAL_NOT_FOUND=Certificate Serial Number {0} not found
+CMS_GW_NO_RECOVERY_TOKEN_FOUND=No Recovery Token Found for recovery reference number {0}.
+CMS_GW_INVALID_AGENT=Agent: {0} cannot retrieve PKCS #12 for recovery reference number {2}. Agent: {1} initialized the request.
+CMS_GW_INVALID_AGENT_ASYNC=Agent: {0} cannot retrieve PKCS #12 for recovery request id {2}. Agent: {1} initialized the request.
+CMS_GW_REDIRECTING_ADMINENROLL_ERROR=Error encountered while accessing the adminEnroll page.{0}
+CMS_GW_NO_PUB_MODULE=Publishing module is disabled.
+CMS_GW_CONVERT_DN_TO_X500NAME_ERROR=Cannot convert the subject name from a String to an X500 Name form. \nCheck to make sure valid characters are in the subject name. \nFor example, the email address should only have IA5String characters\nand the country should only have PrintableString characters and have 2 characters exactly.
+CMS_GW_ADDING_ADMIN_CERT_ERROR=An error was encountered while adding the administrator's certificate to its entry in the user group database. Error {0}
+CMS_GW_ADDING_ADMIN_ERROR=An error was encountered while adding the administrator to the Certificate Manager Agent Group - the Group does not exist.
+CMS_GW_MISSING_GRANT_UID=You must specify a user ID for the trusted manager or agent.
+CMS_GW_FIND_GROUP_ERROR=Could not grant privilege. Could not find group {0}.
+CMS_GW_ADDING_USER_ERROR=Could not grant privilege. Error adding user {0}.
+CMS_GW_ADDING_CERT_ERROR=Could not grant privilege. Error adding the certificate to user {0}.
+CMS_GW_ADDING_MEMBER=Could not grant privilege. Error adding user {0} to group {1}.
+CMS_GW_ADDING_MEMBER_1=Could not grant privilege. Error adding user {0} to group {1} or group {2}.
+CMS_GW_REQUEST_HAD_NO_CERTS=Request ID {0} had no certificates issued as a result.
+CMS_GW_REQUEST_NOT_COMPLETED=Request ID {0} was not completed.
+CMS_GW_REQUEST_HAD_ERROR=Request ID {0} resulted in an error. No certificates were issued.
+CMS_GW_REQUEST_NOT_ENROLLMENT=Request ID {0} is not a certificate enrollment request.
+CMS_GW_NO_REQUEST_ID_PROVIDED=A Request ID must be provided for this operation.
+CMS_GW_NO_PKIDATA=No PKIData in the CMC full enrollment request.
+CMS_GW_PKCS10_ERROR=Error processing PKCS #10 in CMC full enrollment request: {0}
+CMS_GW_NO_CMC_CONTENT=No PKCS #10 nor CRMF in the CMC full enrollment request.
+CMS_GW_CMC_ERROR=Unexpected error processing the CMC full enrollment request: {0}
+CMS_GW_UNAUTHORIZED_CREATE_GROUP=Unauthorized to create group: {0}
+CMS_GW_CRL_CACHE_IS_NOT_ENABLED=CRL cache is not enabled for {0} issuing point.
+CMS_GW_CRL_CACHE_IS_EMPTY=CRL cache for {0} issuing point is empty.
+#######################################################
+# Admin Servlets
+#
+# Servlets which display these messages
+#
+# ACLAdminServlet
+# AuthAdminServlet
+# CAAdminServlet
+# CMSAdminServlet
+# JobsAdminServlet
+# KRAAdminServlet
+# LogAdminServlet
+# OCSPAdminServlet
+# PolicyAdminServlet
+# ProfileAdminServlet
+# PublisherAdminServlet
+# RAAdminServlet
+# RegistryAdminServlet
+# UsrGrpAdminServlet
+#######################################################
+CMS_ADMIN_SRVLT_AUTHS_FAILED=Authentication failed
+CMS_ADMIN_SRVLT_AUTHZ_FAILED=You are not authorized to perform this operation.
+CMS_ADMIN_SRVLT_INVALID_OP_TYPE=Invalid OP_TYPE {0}
+CMS_ADMIN_SRVLT_INVALID_OP_SCOPE=Invalid OP_SCOPE
+CMS_ADMIN_SRVLT_INVALID_PROTOCOL=Invalid protocol: OP_TYPE must be specified
+CMS_ADMIN_SRVLT_INVALID_PATH=Invalid Content Template path
+CMS_ADMIN_SRVLT_NULL_RS_ID=Resource ID (RS_ID) can not be null
+CMS_ADMIN_SRVLT_RS_ID_BS=Resource ID (RS_ID) can not contain backslashes
+CMS_ADMIN_SRVLT_SPECIAL_ID=Not allowed to create this special user: {0}
+CMS_ADMIN_SRVLT_COMMIT_FAILED=Failed to save changes to the configuration file
+CMS_ADMIN_SRVLT_PERFORM_FAILED=Failed to perform
+CMS_ADMIN_SRVLT_CERT_VALIDATE_FAILED=Imported cert has not been verified to be valid. Please review the usual validity properties of this certificate before using it as part of the system.
+#######################################################
+# Authentication
+#
+# Servlets which display these messages
+#
+# AuthAdminServlet
+# ProfileApproveServlet
+# ProfileProcessServlet
+# ProfileReviewServlet
+# ProfileSelectServlet
+# ProfileSubmitServlet
+#######################################################
+CMS_POP_VERIFICATION_ERROR=Proof-of-Possession Verification Failed
+CMS_AUTHENTICATION_NIS_NAME=NIS Authentication
+CMS_AUTHENTICATION_NIS_TEXT=This plugin authenticates a user using NIS.
+CMS_AUTHENTICATION_AGENT_NAME=Agent Authentication
+CMS_AUTHENTICATION_AGENT_TEXT=This plugin authenticates agents using a certificate.
+CMS_AUTHENTICATION_SSL_CLIENT_NAME=SSL Client Authentication
+CMS_AUTHENTICATION_SSL_CLIENT_TEXT=This plugin authenticates users using a certificate.
+CMS_AUTHENTICATION_CMC_SIGN_NAME=CMC Agent Signature Authentication
+CMS_AUTHENTICATION_CMC_SIGN_TEXT=This plugin authenticates the signature in the CMC request against the CS internal database.
+CMS_AUTHENTICATION_LDAP_UID_PIN_NAME=LDAP UID & Password & Pin Authentication
+CMS_AUTHENTICATION_LDAP_UID_PIN_TEXT=This plugin authenticates the username and password provided by the user against an LDAP directory. It works with the Dir-Based Enrollment HTML form.
+CMS_AUTHENTICATION_LDAP_UID_NAME=LDAP UID & Password Authentication
+CMS_AUTHENTICATION_LDAP_UID_TEXT=This plugin authenticates the username and password provided by the user against an LDAP directory. It works with the Dir-Based Enrollment HTML form.
+CMS_AUTHENTICATION_CMS_SIGN_NAME=CMC Authentication
+CMS_AUTHENTICATION_CMS_SIGN_TEXT=This plugin does the authentication by checking the signature of the signed CMC request.
+CMS_AUTHENTICATION_LDAP_UID=LDAP User ID
+CMS_AUTHENTICATION_LDAP_PWD=LDAP User Password
+CMS_AUTHENTICATION_LDAP_PIN=LDAP Pin
+CMS_AUTHENTICATION_NULL_CREDENTIAL=Authentication credential for {0} is null.
+CMS_AUTHENTICATION_NO_CERT=No Client Certificate Found
+CMS_AUTHENTICATION_INVALID_CREDENTIAL=Invalid Credential.
+CMS_AUTHENTICATION_INTERNAL_ERROR=Authentication encountered an internal error. Detailed msg: {0}.
+CMS_AUTHENTICATION_AUTHMGR_NOT_FOUND=Authentication {0} not found.
+CMS_AUTHENTICATION_FORM_SUBJECTDN_ERROR=Error formulating the Subject Name. See logs for more details.
+CMS_AUTHENTICATION_COMPONENT_SYNTAX=DN pattern syntax error: {0}.
+CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE=Invalid attribute error: {0}
+CMS_AUTHENTICATION_LDAPATTRIBUTES_NOT_FOUND=No LDAP attributes found.
+CMS_AUTHENTICATION_EMPTY_DN_FORMED=Empty DN formed in Authentication Manager {0}.
+CMS_AUTHENTICATION_DUP_MGR_PLUGIN_ID=Another Auth manager plugin ID already exists: {0}
+CMS_AUTHENTICATION_NULL_AUTHMGR_CLASSNAME=Authentication manager plugin classname is null
+CMS_AUTHENTICATION_AUTHMGR_PLUGIN_NOT_FOUND=Authentication manager plugin class not found
+CMS_AUTHENTICATION_ILL_CLASS=Auth manager plugin class is not an instance of IAuthManager
+CMS_AUTHENTICATION_ILL_MGR_INST_ID=An Authentication Instance with this ID already exists. Please choose a different ID.
+CMS_AUTHENTICATION_MISSING_PARAMS=Auth manager instance is missing implementation parameters
+CMS_AUTHENTICATION_LOAD_CLASS_FAIL=Could not load authentication manager class {0}
+CMS_AUTHENTICATION_MGR_IN_USE=An authentication manager of this implementation is still in use.
+CMS_AUTHENTICATION_MGR_IMPL_NOT_FOUND=Cannot modify the auth manager plugin. Cannot locate the Auth Manager Implementation.
+#######################################################
+# Authorization
+#
+# Servlets which display these messages
+# ProfileApproveServlet
+# ProfileListServlet
+# ProfileProcessServlet
+# ProfileReviewServlet
+# ProfileSelectServlet
+#
+#######################################################
+CMS_AUTHORIZATION_INTERNAL_ERROR=Authorization encountered an internal error. Detailed msg: {0}
+CMS_AUTHORIZATION_AUTHZMGR_NOT_FOUND=Authorization {0} not found
+CMS_AUTHORIZATION_AUTHZMGR_PLUGIN_NOT_FOUND=Authorization manager plugin name {0} not found
+CMS_AUTHORIZATION_UNKNOWN_PROTECTED_RESOURCE=Unknown protected resource specified: {0}
+CMS_AUTHORIZATION_UNKNOWN_OPERATION=Unknown operation specified: {0}
+CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED=Authorization failed on resource: {0}, operation: {1}
+CMS_AUTHORIZATION_LOAD_CLASS_FAIL=Could not load authorization manager class {0}
+#######################################################
+# CA
+#
+# Servlets which display these messages
+#
+# None
+#######################################################
+CMS_CA_ERROR_PUBLISH_CRL=Error publishing CRL {0}: {1}
+CMS_CA_FAILED_CONSTRUCTING_CRL=Failed constructing CRL : {0}
+CMS_CA_CRL_ISSUING_POINT_INIT_FAILED=Initialization of CRL issuing point {0} failed : {1}
+CMS_CA_SEND_KRA_REQUEST=Sending DRM request failed
+CMS_CA_SEND_CLA_REQUEST=Sending CLA request failed
+CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED=Signing Algorithm {0} is not supported for the CA signing token
+CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED_FOR_KEY=Algorithm {0} is not supported for the signing token and key
+CMS_CA_INIT_PUBLISH_MODULE_FAILED=Failed initializing the publishing module
+CMS_CA_CERT_ALREADY_REVOKED=Certificate Serial Number {0} is already revoked
+CMS_CA_MISSING_REQD_FIELDS_IN_CERTISSUE=Missing required fields in certificate info of certificate issuing request
+CMS_CA_UNRECOGNIZED_REQUEST_TYPE=Unrecogized request type {0}
+CMS_CA_ERROR_GETTING_FIELDS_IN_ISSUE=Error Getting certificate info fields in issuing request
+CMS_CA_CRL_ISSUEPT_NOT_FOUND=CRL Issuing Point {0} not found in CRL repository
+CMS_CA_CRL_ISSUEPT_NOGOOD=CRL in CRL Issuing Point {0} is malformed. Cannot instantiate CRL
+CMS_CA_CRL_ISSUEPT_EXT_NOGOOD=CRL in CRL Issuing Point {0} has malformed extensions. Cannot instantiate CRL
+CMS_CA_SET_ISSUER_FAILED=Request {0} was completed with errors.\nError setting certificate issuer name
+CMS_CA_SET_SERIALNO_FAILED=Request {0} was completed with errors.\nError setting certificate serial number
+CMS_CA_NOSERIALNO=Request {0} was completed with errors.\nCA has exausted all available serial numbers
+CMS_CA_SIGNING_CRL_FAILED=Failed signing CRL. Error {0}
+CMS_CA_SIGNING_CERT_FAILED=Failed signing certificate. Error {0}
+CMS_CA_MISSING_INFO_IN_ISSUEREQ=Missing certificate info in issuing request
+CMS_CA_MISSING_INFO_IN_REVREQ=Missing revocation info in revocation request
+CMS_CA_MISSING_INFO_IN_CLAREQ=Missing CLA certificate info in cert4crl request
+CMS_CA_MISSING_INFO_IN_RENEWREQ=Missing certificate info in renewal request
+CMS_CA_REVOKE_FAILED=One or more certificates could not be revoked
+CMS_CA_UNREVOKE_FAILED=One or more certificates could not be unrevoked
+CMS_CA_CERT4CRL_FAILED=One or more revoked certificates could not be recorded by the CLA
+CMS_CA_UNCERT4CRL_FAILED=One or more revoked certificates could not be removed by the CLA
+CMS_CA_RENEW_FAILED=One or more certificates could not be renewed
+CMS_CA_CANT_FIND_CERT_SERIAL=Cannot find certificate with serial number {0}
+CMS_CA_TOKEN_NOT_FOUND=Token {0} not found
+CMS_CA_CERT_OBJECT_NOT_FOUND=Certificate object not found
+CMS_CA_TOKEN_ERROR=Token Error
+CMS_CA_CRYPTO_NOT_INITIALIZED=Crypto Layer has not been initialized
+CMS_CA_INVALID_PASSWORD=Invalid Password
+CMS_CA_BUILD_CA_CHAIN_FAILED=Could not get or build CA chain. Error {0}
+CMS_CA_X509CERT_VERSION_NOT_SUPPORTED=Certificate Version in the configuration is not supported
+CMS_CA_CERT_BEGIN_AFTER_CA_VALIDITY=Certificate validity cannot begin past the CA certificate's validity
+CMS_CA_MISSING_SERIAL_NUMBER=Missing or invalid serial number
+CMS_CA_IS_NOT_ON_HOLD=Certificate {0} has to be on-hold to perform this operation
+CMS_CA_CANNOT_RENEW_REVOKED_CERT=Certificate serial number {0} to be renewed is revoked. Cannot renew a revoked certificate
+CMS_CA_ERROR_GETTING_RENEWED_CERT=Error getting renewed certificate {0} for certificate {1}
+#######################################################
+# KRA
+#
+# Servlets which display these messages
+#
+# None
+#######################################################
+CMS_KRA_PUBLIC_KEY_NOT_MATCHED=Public Key does not match
+CMS_KRA_INVALID_KEYRECORD=Invalid Key record
+CMS_KRA_INVALID_OWNER_NAME=Invalid Owner Name
+CMS_KRA_INVALID_PUBLIC_KEY=Invalid Public Key
+CMS_KRA_INVALID_PRIVATE_KEY=Invalid Private Key
+CMS_KRA_INVALID_STATE=Invalid State
+CMS_KRA_INVALID_M=Invalid M
+CMS_KRA_INVALID_N=Invalid N
+CMS_KRA_INVALID_PASSWORD=Invalid Password
+CMS_KRA_CREDENTIALS_EXIST=Credentials Exist
+CMS_KRA_CREDENTIALS_NOT_EXIST=Credentials Not Exist
+CMS_KRA_POA_DECODE_FAILED_1=Failed to decode Proof-of-Archival {0}
+CMS_KRA_POA_ENCODE_FAILED_1=Failed to encode Proof-of-Archival {0}
+CMS_KRA_INVALID_KRA_NAME=Invalid KRA Name
+CMS_KRA_RECOVERY_FAILED_1=Recovery Failed {0}
+CMS_KRA_PKCS12_FAILED_1=PKCS #12 Creation Failed {0}
+CMS_KRA_KEYID_FAILED_1=Key Identifier Creation Failed {0}
+CMS_KRA_KEYBAG_FAILED_1=Key Bag Creation Failed {0}
+#######################################################
+# DBS
+#
+# Servlets which display these messages
+#
+# None
+#
+#######################################################
+CMS_DBS_INTERNAL_DIR_UNAVAILABLE=Internal database is unavailable
+CMS_DBS_CONNECT_LDAP_FAILED=Failed to connect LDAP server {0}
+CMS_DBS_SERIALIZE_FAILED=Failed to serialize attribute {0}
+CMS_DBS_DESERIALIZE_FAILED=Failed to de-serialize attribute {0}
+CMS_DBS_INVALID_ATTRS=Invalid attributes
+CMS_DBS_INVALID_CLASS_NAME=Invalid class name {0}
+CMS_DBS_INVALID_FILTER_ITEM=Invalid filter item {0}
+CMS_DBS_LDAP_OP_FAILURE=LDAP operation failure - {0}
+CMS_DBS_NO_MAPPER_FOUND=No mapper found for {0}
+CMS_DBS_INTERNAL_DIR_ERROR=Internal Database Error encountered: {0}
+CMS_DBS_ADD_ENTRY_FAILED=Failed to add the schema entry: {0}
+CMS_DBS_LIMIT_REACHED=All serial numbers are used. The max serial number is 0x{0}
+CMS_DBS_SETBACK_SERIAL=The serial number is already in use.\nYou can only set the serial number greater than 0x{0}
+CMS_DBS_SETBACK_MAXSERIAL=The serial number is already in use.\nYou can only set the end serial number greater than 0x{0}
+CMS_DBS_LDIF_FAILED=Failed to create ldif file: {0}
+CMS_DBS_COPY_LDIF_FAILED=Failed to copy ldif file: {0}
+CMS_DBS_RECORD_NOT_FOUND=Record not found
+#######################################################
+# Jobs
+#
+# Servlets which display these messages
+#
+# JobsAdminServlet
+#
+#######################################################
+CMS_JOB_LOAD_CLASS_FAILED=Could not load Job class {0} for the Jobs Scheduler
+CMS_JOB_PLUGIN_NOT_FOUND=Could not find plugin {0} for the Jobs Scheduler
+CMS_JOB_SRVLT_ILL_JOB_PLUGIN_ID=Another job plugin ID already exists {0}
+CMS_JOB_SRVLT_JOB_PLUGIN_NOT_FOUND=Job plugin {0} not found
+CMS_JOB_SRVLT_JOB_NOT_FOUND=Job {0} not found
+CMS_JOB_SRVLT_NULL_CLASS=Job plugin classname is null
+CMS_JOB_SRVLT_NO_CLASS=Job plugin class not found
+CMS_JOB_SRVLT_ILL_CLASS=Job plugin class is not an instance of IJob
+CMS_JOB_SRVLT_ILL_JOB_INST_ID=Job plugin ID already exists
+CMS_JOB_SRVLT_ADD_MISSING_PARAMS=Job instance is missing an implementation parameter
+CMS_JOB_SRVLT_MISSING_INST_PARAM_VAL=Job instance is missing a value for this parameter: {0}
+CMS_JOB_SRVLT_JOB_IN_USE=A job of this implementation is still in use
+#######################################################
+# Logging
+#
+# Servlets which display these messages
+#
+# LogAdminServlet
+#
+#######################################################
+CMS_LOG_INSTANCE_NOT_FOUND=Log instance not found named: {0)
+CMS_LOG_PLUGIN_NOT_FOUND=Log plugin not found named: {0}
+CMS_LOG_THREAD_INTERRUPT=Log {0} thread interrupted
+CMS_LOG_ROTATE_LOG_FAILED=Failed to rotate log \"{0}\", error: {1}
+CMS_LOG_WRITE_FAILED=Failed to write in file: \"{0}\", entry: {1}, error: {2}
+CMS_LOG_FLUSH_LOG_FAILED=Failed to flush log \"{0}\", error: {1}
+CMS_LOG_EXPIRE_LOG_FAILED=Can't expire log files, error:{0}
+CMS_LOG_EVENT_FAILED=Failed to log event \"{0}\", error: {1}
+CMS_LOG_LOGFILE_CLOSED=Attempt to log message \"{0}\" to closed log file {1}
+CMS_LOG_EXPIRATION_TIME_ZERO=Log expiration time must be greater than 0
+CMS_LOG_DIRECTORY_LIST_FAILED=Unable to list directory {0} with filter {1}
+CMS_LOG_NO_SUCH_ALGORITHM=Can't find MessageDigest algorithm for {0}. Tamper evident log disabled
+CMS_LOG_INVALID_FILE_NAME=Attempt to initialize log with an invalid filename: \"{0}\"
+CMS_LOG_UNEXPECTED_EXCEPTION=Caught unexpected exception: {0}
+CMS_LOG_ILLEGALARGUMENT=Illegal argument when opening: {0}
+CMS_LOG_CLOSE_FAILED=Failed to close file \"{0}\", error: {1}
+CMS_LOG_INVALID_LOG_TYPE=Attempt to initialize log with an invalid log type: \"{0}\"
+CMS_LOG_SRVLT_ILL_PLUGIN_ID=Another plugin ID already exists {0}
+CMS_LOG_SRVLT_NULL_CLASS=Plugin classname is null
+CMS_LOG_SRVLT_NO_CLASS=Plugin class not found
+CMS_LOG_SRVLT_ILL_CLASS=Plugin class is not an instance of {0}
+CMS_LOG_SRVLT_ILL_INST_ID=Plugin instance ID already exists
+CMS_LOG_SRVLT_ADD_MISSING_PARAMS=Instance is missing an implementation parameter
+CMS_LOG_SRVLT_IN_USE=An instance of this implementation is still in use
+CMS_LOG_LOAD_CLASS_FAIL=Failed to load class {0}
+#######################################################
+# Notification
+#
+# Servlets which display these messages
+#
+# None
+#
+#######################################################
+CMS_NOTIFICATION_SMTP_SEND_FAILED=Failed to send mail to {0}
+CMS_NOTIFICATION_EMAIL_RESOLVE_FAILED=Failed to resolve email for {0}
+CMS_NOTIFICATION_NO_SMTP_SENDER=Email sender not found
+CMS_NOTIFICATION_NO_SMTP_RECEIVER=Email receiver not found
+#######################################################
+# Extensions
+#
+# Servlets which display these messages
+#
+# None
+#
+#######################################################
+CMS_EXTENSION_CLASS_NOT_FOUND=Class {0} was not found
+CMS_EXTENSION_INSTANTIATE_ERROR=Could not create an instance of {0}. Error {1}
+CMS_EXTENSION_INVALID_IMPL=Class {0} does not implement the ICMSTemplate interface
+CMS_EXTENSION_INCORRECT_IMPL=Class {0} must return non-null for the extension name and OID
+CMS_EXTENSION_CREATING_EXT_ERROR=Error creating a {0} extension
+#######################################################
+# Users and Groups
+#
+# Servlets which display these messages
+#
+# UsrGrpAdminServlet
+#
+#######################################################
+CMS_USRGRP_SRVLT_GROUP_NOT_EXIST=Group Not Found
+CMS_USRGRP_SRVLT_USER_NOT_EXIST=User Not Found
+CMS_USRGRP_SRVLT_CERT_ERROR=Certificate exception
+CMS_USRGRP_SRVLT_CERT_EXPIRED=Certificate expired
+CMS_USRGRP_SRVLT_CERT_NOT_YET_VALID=Certificate not yet valid
+CMS_USRGRP_SRVLT_CERT_O_ERROR=Certificate related error
+CMS_USRGRP_USER_ADD_FAILED=Failed to add user
+CMS_USRGRP_USER_ADD_FAILED_1=Failed to add user. Missing \"{0}\"
+CMS_USRGRP_USER_MOD_FAILED=Failed to modify user.
+CMS_USRGRP_USER_MOD_FAILED_1=Failed to modify user. Missing \"{0}\"
+CMS_USRGRP_SRVLT_USER_CERT_EXISTS=Failed to add cert: The certificate you tried to add already exists
+CMS_USRGRP_SRVLT_FAIL_USER_RMV=Failed to remove user
+CMS_USRGRP_SRVLT_FAIL_USER_RMV_G=The user you tryed to delete belongs to one or more groups.\nIf you click yes to continue, then the user will also be deleted\nfrom all the groups that it belongs to.
+CMS_USRGRP_GROUP_ADD_FAILED=Failed to add group +CMS_USRGRP_GROUP_MODIFY_FAILED=Failed to modify group +####################################################### +# Password checker +# +# Servlets which display these messages +# +# None +# +####################################################### +CMS_PASSWORD_EMPTY_PASSWORD=The password is empty +CMS_PASSWORD_INVALID_LEN=The password must be at least {0} characters +CMS_PASSWORD_INVALID_LEN_1=The password must be at least {0} characters +CMS_PASSWORD_NON_ALPHANUMERIC=The password contains non-alphanumeric characters +CMS_PASSWORD_MISSING_NUMERIC_1=The password requires at least {0} numeric digit(s) +CMS_PASSWORD_MISSING_UPPER_CASE_1=The password requires at least {0} upper case letter(s) +CMS_PASSWORD_MISSING_LOWER_CASE_1=The password requires at least {0} lower case letter(s) +####################################################### +# Policy +# +# Servlets which display these messages +# +# None +# +####################################################### +CMS_POLICY_NO_SUBJECT_NAME=Policy Rule: {0} - Internal Error: No Subject Name Found +CMS_POLICY_SUBJECT_NAME_EXIST=Policy Rule: {0} - Subject Name Exists +CMS_POLICY_NO_CERT_INFO=Policy Rule: {0} - Internal Error: No Certificate info set on the request +CMS_POLICY_NO_OLD_CERT=Policy Rule: {0} - Internal Error: The certificate(s) being renewed are not set on the request +CMS_POLICY_LONG_RENEWAL_LEAD_TIME=Policy Rule: {0} - Certificate(s) can be renewed only within {1} days before expiry +CMS_POLICY_MISMATCHED_CERTINFO=Policy Rule: {0} - Internal Error: The number of certificates input for renewal are incorrect +CMS_POLICY_KEY_SIZE_VIOLATION=Policy Rule: {0} - Key Size Violation occurred: Actual: {1}, Constraints (Min: {2}, Max: {3}) +CMS_POLICY_KEY_SIZE_VIOLATION_1=Policy Rule: {0} - Key Size Violation occurred: Actual: {1}, Constraints (Min: {2}, Max: {3}, Increment: {4}) +CMS_POLICY_EXPONENT_VIOLATION=Policy Rule: {0} - The given exponent: {1} was not in the 
configured list: {2} +CMS_POLICY_NO_KEY_PARAMS=Policy Rule: {0} - Could not parse key parameters in key number {1} +CMS_POLICY_KEY_ALG_VIOLATION=Policy Rule: {0} - Key algorithm: {1} is not allowed by the policy +CMS_POLICY_INVALID_BEGIN_TIME=Policy Rule: {0} - Begin time cannot be after current time +CMS_POLICY_MORE_THAN_MAX_VALIDITY=Requested validity ({1} day(s)) is longer than the maximum allowed ({2} day(s)) in the {0} policy +CMS_POLICY_LESS_THAN_MIN_VALIDITY=Requested validity ({1} day(s)) is shorter than the minimum allowed ({2} days) in the {0} policy +CMS_POLICY_SIGNING_ALG_VIOLATION=Policy Rule: {0} - Signing algorithm: {1} is not allowed by the policy +CMS_POLICY_EXISTING_CERT_DETAILS=Policy Rule: {0} - Your most recent certificate details are : {1} +CMS_POLICY_UNEXPECTED_POLICY_ERROR=Policy Rule: {0} - Unexpected error: {1} +CMS_POLICY_INVALID_ISSUER=Invalid Issuer DN +CMS_POLICY_CLIENT_ISSUER_NOT_FOUND=Issuer of client certificate not found +CMS_POLICY_INVALID_POLICY_CLASS=Policy rule: {0} - Invalid policy class: {1} +CMS_POLICY_LOADING_POLICY_ERROR=Policy rule: {0} - Error loading policy class: {1} +CMS_POLICY_UNSUPPORTED_KEY_ALG=Policy rule: {0} - Key algorithm: {1} is not supported +CMS_POLICY_INVALID_CONFIG_PARAM=Policy rule: {0} - Invalid configuration value: {1} for parameter: {2} +CMS_POLICY_MISSING_POLICY_CONFIG=Policy rule: {0} - Missing configuration info +CMS_POLICY_INVALID_POLICY_CONFIG=Policy rule: {0} - Error in configuration: {1} +CMS_POLICY_PARAM_CONFIG_ERROR=Policy rule: {0} - Unexpected error: {1} in configuring parameter: {2} +CMS_POLICY_BAD_POLICY_EXPRESSION=Malformed Policy Expression: {0} +CMS_POLICY_INVALID_ATTR_VALUE=Invalid value type: {0} for policy attribute +CMS_POLICY_PERSISTENT_RULE_MISCONFIG=Persistent rule: {0} is configured with a different predicate: default: {1}, actual: {2} +CMS_POLICY_MISSING_PERSISTENT_RULE=Persistent rule: {0} is missing in the configuration. 
+CMS_POLICY_CANT_DELETE_PERSISTENT_POLICY=Persistent rule: {0} can't be deleted. +CMS_POLICY_PERSISTENT_RULE_INACTIVE=Persistent rule: {0} should not be disabled. +CMS_POLICY_NO_POLICY_CONFIG=No policy rule configuration for rule: {0} +CMS_POLICY_NO_POLICY_IMPL=No policy implementation exists for: {0} +CMS_POLICY_INVALID_POLICY_INSTANCE=No policy instance exists for: {0} +CMS_POLICY_ACTIVE_POLICY_RULES_EXIST=Active policy rule instances exist for implementation: {0} +CMS_POLICY_DELETING_POLICY_ERROR=Error deleting policy {0}: {1} +CMS_POLICY_DUPLICATE_IMPL_ID=A Policy implementation with ID: {0} already exists +CMS_POLICY_ADDING_POLICY_ERROR=Error adding policy {0}: {1} +CMS_POLICY_INVALID_POLICY_IMPL=Invalid policy implementation: {0}. Policy class must implement one or more of IEnrollmentPolicy, IRenewalPolicy, IRevocationPolicy, IKeyRecoveryPolicy or IKeyArchivalPolicy +CMS_POLICY_DUPLICATE_INST_ID=A Policy rule with ID: {0} already exists +CMS_POLICY_ORDER_ERROR=Error changing policy ordering: {0} +CMS_POLICY_IMPLCHANGE_ERROR=Can't change the implementation while modifying the policy instance: {0} +CMS_POLICY_SYSTEM_POLICY_CONFIG_ERROR=System policy: {0} is not configurable +CMS_POLICY_IMPL_NOT_FOUND=Policy implementation {0} configured for instance {1} was not found +CMS_POLICY_INVALID_RENEWAL_INTERVAL=Policy Rule: {0} - Renewal interval: {1} days cannot be more than maximum validity: {2} days +CMS_POLICY_INVALID_RENEWAL_MIN_MAX=Policy Rule: {0} - Renewal minimum validity: {1} days cannot be bigger than maximum validity: {2} days +CMS_POLICY_MAXPATHLEN_TOO_BIG=In policy rule {0}, the subordinate CA basic constraints extension path length ({1}) cannot be greater than or equal to the maxPathLen configuration value ({2}) +CMS_POLICY_MAXPATHLEN_TOO_BIG_1=In policy rule {0}, the maxPathLen configuration value ({1}) cannot be greater than or equal to the maxPathLen of the CA certificate ({2}) +CMS_POLICY_INVALID_MAXPATHLEN=In policy rule {0}, the maxPathLen 
configuration value ({1}) must be 0 if the CA's basic constraints extension path length is 0 +CMS_POLICY_INVALID_MAXPATHLEN_1=In policy rule {0}, the maxPathLen configuration value ({1}) must be greater than or equal to 0 or left empty +CMS_POLICY_PATHLEN_TOO_BIG=In policy rule {0}, the requested basic constraints extension path length ({1}) cannot be greater than the maximum path length allowed ({2}) +CMS_POLICY_BASIC_CONSTRAINTS_ERROR=In policy rule {0}, could not create a basic constraints extension for the certificate +CMS_POLICY_INVALID_PATHLEN_FORMAT=In policy rule {0}, the requested basic constraints extension path length ({1}) must be an integer +CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED=In policy rule {0}, no subordinate CA certificates are allowed since the CA's basic constraints path length is 0 +CMS_POLICY_MISSING_KEY=In policy rule {0}, missing public key in certificate request +CMS_POLICY_SUBJECT_KEY_ID_ERROR=In policy rule {0}, failed to create subject key identifier extension for certificate request +CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS=In policy rule {0}, one or more certificates to be renewed has expired. Cannot renew an expired certificate +CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS_AFTER_ALLOWED_PERIOD=In policy rule {0}, one or more certificates to be renewed has been expired for more than {1} days. Cannot renew an expired certificate +CMS_POLICY_CANNOT_REVOKE_EXPIRED_CERTS=In policy rule {0}, one or more certificates to be revoked has expired. Cannot revoke an expired certificate +CMS_POLICY_PIN_UNAUTHORIZED=You are not authorized to make this transaction +CMS_POLICY_CERTIFICATE_POLICIES_ERROR=In policy rule {0}, could not create a certificate policies extension for the certificate +CMS_POLICY_UNKNOWN_SIGNING_ALG=In policy rule {0}, signing algorithm {1} is unknown to CS +CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY_1=In policy rule {0}, signing algorithm {1} is unknown to CS. 
+CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY=In policy rule {0}, allowed algorithms do not match the CA's private key. The parameters of this rule need to be updated in the CS.cfg. +CMS_POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET=In policy rule {0}, no extension bits are set. +CMS_POLICY_NO_ON_HOLD_ALLOWED=Policy Rule: {0} - On-Hold is not allowed. +####################################################### +# LDAP +# +# Servlets which display these messages +# +# PublisherAdminServlet +# +####################################################### +CMS_LDAP_BAD_LDAP_EXPRESSION=Malformed publishing rule predicate expression: {0} +CMS_LDAP_INTERNAL_ERROR=Publishing encountered an internal error. Detailed msg: {0} +CMS_LDAP_COMPONENT_SYNTAX_ERROR=DN pattern syntax error: {0} +CMS_LDAP_PUBLISH_FAILED=Failed to publish using rule: {0} +CMS_LDAP_UNPUBLISH_FAILED=Failed to unpublish using rule: {0} +CMS_LDAP_INVALID_ATTR_VALUE=Attribute: {0} is not supported in dnPattern +CMS_LDAP_SRVLT_ILL_PLUGIN_ID=Another plugin ID already exists {0} +CMS_LDAP_SRVLT_NULL_CLASS=Plugin classname is null +CMS_LDAP_SRVLT_NO_CLASS=Plugin class not found +CMS_LDAP_SRVLT_ILL_CLASS=Plugin class is not an instance of {0} +CMS_LDAP_SRVLT_ILL_INST_ID=Plugin instance ID already exists {0} +CMS_LDAP_SRVLT_ADD_MISSING_PARAMS=Instance missing implementation parameter +CMS_LDAP_SRVLT_IN_USE=An instance of this implementation is still in use +CMS_LDAP_INIT_LDAP_PUBLISH_MODULE_FAILED=Failed initializing LDAP publishing module +CMS_LDAP_NO_LDAP_PUBLISH_CONFIG_FOUND=No LDAP Publishing configuration found +CMS_LDAP_CONNECT_TO_LDAP_SERVER_FAILED=Could not connect to LDAP server host {0} port {1} Error {2} +CMS_LDAP_UNKNOWN_ATTR_IN_DN_FILTER_COMPS=Unrecognized attribute {0} in DN or Filter comps +CMS_LDAP_GET_ISSUER_FROM_CRL_FAILED=Cannot get Issuer name from Crl {0} +CMS_LDAP_DECODING_CERT_FAILED=Could not parse a DER encoded certificate from the LDAP server. 
{0} +CMS_LDAP_GET_DER_ENCODED_CERT_FAILED=Error getting DER encoding of certificate for {0} +CMS_LDAP_GET_DER_ENCODED_CRL_FAILED=Error getting DER encoding of CRL. {0} +CMS_LDAP_PUBLISH_CACERT_ERROR=Error publishing CA Certificate {0} +CMS_LDAP_PUBLISH_CRL_ERROR=Error publishing CRL {0} +CMS_LDAP_UNPUBLISH_CRL_ERROR=Error unpublishing CRL {0} +CMS_LDAP_PUBLISH_USERCERT_ERROR=Error publishing User Certificate {0} +CMS_LDAP_UNPUBLISH_USERCERT_ERROR=Error unpublishing User Certificate {0} +CMS_LDAP_UNPUBLISH_CACERT_ERROR=Error unpublishing CA Certificate {0} +CMS_LDAP_NO_MATCH_FOUND=Cannot find a match in the LDAP server for certificate. {0} +CMS_LDAP_OTHER_LDAP_EXCEPTION=LDAPException caught from operation. {0} +CMS_LDAP_NO_DN_MATCH=No DN matched for {0} +CMS_LDAP_NO_DN_COMPS_AND_BASEDN=No base DN and no components to form DN for {0} +CMS_LDAP_MORE_THAN_ONE_ENTRY=Certificate {0} mapped to more than one entry +CMS_LDAP_CANNOT_RESET_CONNFAC=Cannot reset LDAP connection factory because some connections are still outstanding. +CMS_LDAP_MAPPER_PLUGIN_NOT_FOUND=Mapper plugin not found named: {0} +CMS_LDAP_PUBLISHER_PLUGIN_NOT_FOUND=Publisher plugin not found named: {0} +CMS_LDAP_RULE_PLUGIN_NOT_FOUND=Rule plugin not found named: {0} +CMS_LDAP_NO_RULE_INSTANCE=No Rule instance is found. +CMS_LDAP_NO_RULE_MATCHED=No Rule instance is matched for request {0}. 
+CMS_LDAP_CLASS_NOT_FOUND=Class not found for {0} +CMS_LDAP_FAIL_LOAD_CLASS=Failed to load class {0} +CMS_LDAP_INSTANTIATING_CLASS_FAILED=Cannot instantiate class {0} +CMS_LDAP_INSUFFICIENT_CREDENTIALS=Insufficient credentials to instantiate class for {0} +CMS_LDAP_NO_MATCH=certificate or CRL {0} did not map to an entry in the directory +CMS_LDAP_FORM_DN_COMPS_FAILED=Failed to form DN components from the subject name +CMS_LDAP_SERVER_UNAVAILABLE=LDAP server on host {0} port {1} is unavailable +CMS_LDAP_UNKNOWN_RETURNED_CONN=Connection returned is not from this factory +CMS_LDAP_BAD_RETURNED_CONN=Connection returned has already been returned +CMS_LDAP_INVALID_NUMCONN_PARAMETERS=Invalid value for minConn or maxConn parameters. minConn and maxConn must be greater than 0 and minConn must be less than maxConn. +CMS_LDAP_NO_REQUEST=No request associated with the cert. Can not get request {0} to form LDAP DN component {1}. +CMS_LDAP_CREATE_CA_FAILED=Failed to create CA entry with DN: {0}. There may be entries in the directory hierarchy which do not exist. Please create them manually. +CMS_LDAP_CREATE_ENTRY=Failed to create entry with DN: {0}. There may be entries in the directory hierarchy which do not exist. Please create them manually. +CMS_LDAP_MAPPER_NOT_FOUND=Mapper not found {0} +CMS_LDAP_PUBLISHER_NOT_FOUND=Publisher not found {0} +CMS_LDAP_RULE_NOT_FOUND=Missing rule which links a publisher and mapper {0} +####################################################### +# OCSP Store Plugins +# +# Servlets which display these messages +# +# None +# +####################################################### +CMS_OCSP_DEFSTORE_PROP_NOT_FOUND_GOOD=Return GOOD if the requested serial number was not found. +CMS_OCSP_DEFSTORE_PROP_BY_NAME=Use the OCSP authority subject name as the responder ID or not. If false, the OCSP authority signing signing key hash will be used. +CMS_OCSP_DEFSTORE_PROP_INCLUDE_NEXT_UPDATE=Include the next update of the CRL in the OCSP response. 
+CMS_OCSP_DEFSTORE_DESC=Default OCSP Store where revocation information is stored +CMS_OCSP_LDAPSTORE_PROP_NOT_FOUND_GOOD=Return GOOD if the requested serial number was not found. +CMS_OCSP_LDAPSTORE_PROP_BY_NAME=Use the OCSP authority subject name as the responder ID or not. If false, the OCSP authority signing signing key hash will be used. +CMS_OCSP_LDAPSTORE_PROP_INCLUDE_NEXT_UPDATE=Include the next update of the CRL in the OCSP response. +CMS_OCSP_LDAPSTORE_PROP_NUM_CONNS=The total number of LDAP connections. +CMS_OCSP_LDAPSTORE_PROP_CRL_ATTR=CRL attribute name. +CMS_OCSP_LDAPSTORE_PROP_CA_CERT_ATTR=CA Certificate attribute name. +CMS_OCSP_LDAPSTORE_DESC=LDAP-based OCSP store. The OCSP server makes a validation decision based upon the CRL information on the LDAP server. +####################################################### +# Profile +# +# Servlets which display these messages +# +# ProfileAdminServlet +# ProfileApproveServlet +# ProfileProcessServlet +# ProfileReviewServlet +# ProfileSelectServlet +# ProfileSubmitServlet +# +####################################################### +CMS_PROFILE_DUPLICATE_KEY=Public key duplication detected +CMS_PROFILE_ENCODING_ERROR=Error in BER encoding +CMS_PROFILE_REVOKE_DUPKEY_CERT=Revoke certificate with duplicate key +CMS_PROFILE_CONFIG_ALLOW_SAME_KEY_RENEWAL=Allow renewal of certification with same keys +CMS_PROFILE_CONFIG_KEY_USAGE_EXTENSION_CHECKING=Allow duplicate subject names with different key usage for agent approved requests +CMS_PROFILE_INTERNAL_ERROR=Profile internal error: {0} +CMS_PROFILE_DENY_OPERATION=Not authorized to do this operation. +CMS_PROFILE_DELETE_ENABLEPROFILE=Cannot delete enabled profile: {0} +CMS_PROFILE_INVALID_REQUEST=Invalid Request +CMS_PROFILE_EMPTY_REQUEST_TYPE=Request type is not specified. Check your profile input. 
+CMS_PROFILE_CREATE_POLICY_FAILED=Failed to create profile policy: {0} +CMS_PROFILE_CREATE_INPUT_FAILED=Failed to create profile input: {0} +CMS_PROFILE_CREATE_OUTPUT_FAILED=Failed to create profile output: {0} +CMS_PROFILE_EMPTY_KEY=Key is missing in the request. Check your profile policy. +CMS_PROFILE_POINT_TYPE=Point Type +CMS_PROFILE_POINT_NAME=Point Name +CMS_PROFILE_REASONS=Reasons +CMS_PROFILE_ISSUER_TYPE=Issuer Type +CMS_PROFILE_ISSUER_NAME=Issuer Name +CMS_PROFILE_PERMITTED_MIN_VAL=Permitted Min Value +CMS_PROFILE_PERMITTED_MAX_VAL=Permitted Max Value +CMS_PROFILE_PERMITTED_NAME_CHOICE=Permitted Name Choice +CMS_PROFILE_PERMITTED_NAME_VAL=Permitted Name Value +CMS_PROFILE_EXCLUDED_MIN_VAL=Excluded Min Value +CMS_PROFILE_EXCLUDED_MAX_VAL=Excluded Max Value +CMS_PROFILE_EXCLUDED_NAME_CHOICE=Excluded Name Choice +CMS_PROFILE_EXCLUDED_NAME_VAL=Excluded Name Value +CMS_PROFILE_ENABLE=Enable +CMS_PROFILE_ISSUER_DOMAIN_POLICY=Issuer Domain Policy +CMS_PROFILE_SUBJECT_DOMAIN_POLICY=Subject Domain Policy +CMS_PROFILE_DOMAINS=Domains +CMS_PROFILE_REQUIRED_EXPLICIT_POLICY=Required Explicit Policy +CMS_PROFILE_INHIBIT_POLICY_MAPPING=Inhibit Policy Mapping +CMS_PROFILE_PERMITTED_SUBTREES=Permitted Subtrees +CMS_PROFILE_EXCLUDED_SUBTREES=Excluded Subtrees +CMS_PROFILE_COMMENT=Comment +CMS_PROFILE_DURATION=Duration +CMS_PROFILE_VERSION=Version +CMS_PROFILE_NUM_POLICIES=Number of Policies +CMS_PROFILE_NUM_DIST_POINTS=Number of CRL Distribution Points +CMS_PROFILE_NUM_EXCLUDED_SUBTREES=Number of Excluded Subtrees +CMS_PROFILE_NUM_PERMITTED_SUBTREES=Number of Permitted Subtrees +CMS_PROFILE_NUM_POLICY_MAPPINGS=Number of Policy Mappings +CMS_PROFILE_NUM_GNS=Number of Subject Alt Name entities +CMS_PROFILE_PROPERTY_ERROR=Property Error - {0} +CMS_PROFILE_NUM_ATTRS=Number of Attributes +CMS_PROFILE_ATTR_NAME=Attribute Name +CMS_PROFILE_ATTR_VALUE=Attribute Value +CMS_PROFILE_SUBJDIR_ATTRS=Subject Directory Attributes +CMS_PROFILE_SUBJDIR_EMPTY_ATTRNAME=Attribute name should 
not be empty +CMS_PROFILE_SUBJDIR_EMPTY_ATTRVAL=Attribute value should not be empty +CMS_PROFILE_CRL_DISTRIBUTION_POINTS=CRL Distribution Points +CMS_PROFILE_REJECTED=Request Rejected - {0} +CMS_PROFILE_DEFERRED=Request Deferred - {0} +CMS_PROFILE_KEY_ID=Key ID +CMS_PROFILE_NOT_OWNER=Not Profile Owner +CMS_PROFILE_NOT_FOUND=Profile {0} Not Found +CMS_PROFILE_SIGNING_ALGORITHM=Signing Algorithm +CMS_PROFILE_SIGNING_ALGORITHM_LIST=Signing Algorithm List +CMS_PROFILE_ISSUER_ALT_NAME_TYPE=Name Type +CMS_PROFILE_ISSUER_ALT_NAME_PATTERN=Name Pattern +CMS_PROFILE_SUBJECT_ALT_NAME_TYPE=Name Type +CMS_PROFILE_SUBJECT_ALT_NAME_PATTERN=Name Pattern +CMS_PROFILE_SKIP_CERTS=Skip Certificates +CMS_PROFILE_GN_ENABLE=Enable +CMS_PROFILE_POLICY_ID_NOT_FOUND=Profile ID Not Found +CMS_PROFILE_NUM_ADS=Number of Access Descriptors +CMS_PROFILE_AD_METHOD=Access Method +CMS_PROFILE_AD_LOCATIONTYPE=Location Type +CMS_PROFILE_AD_LOCATION=Location +CMS_PROFILE_AD_ENABLE=Enable +CMS_PROFILE_AD_METHOD_0=Access Method (0) +CMS_PROFILE_AD_LOCATIONTYPE_0=Location Type (0) +CMS_PROFILE_AD_LOCATION_0=Location (0) +CMS_PROFILE_AD_METHOD_1=Access Method (1) +CMS_PROFILE_AD_LOCATIONTYPE_1=Location Type (1) +CMS_PROFILE_AD_LOCATION_1=Location (1) +CMS_PROFILE_AD_METHOD_2=Access Method (2) +CMS_PROFILE_AD_LOCATIONTYPE_2=Location Type (2) +CMS_PROFILE_AD_LOCATION_2=Location (2) +CMS_PROFILE_CRITICAL=Criticality +CMS_PROFILE_INVALID_GENERAL_NAME=Invalid General Name +CMS_PROFILE_GENERAL_NAME_NOT_FOUND=General Name Not Found +CMS_PROFILE_GENERAL_NAMES=General Names +CMS_PROFILE_VALIDITY_CHECK_NOT_BEFORE=Check Not Before against current time +CMS_PROFILE_VALIDITY_CHECK_NOT_AFTER=Check Not After against Not Before +CMS_PROFILE_VALIDITY_NOT_BEFORE_GRACE_PERIOD=Grace period for Not Before being set in the future (in seconds). 
+CMS_PROFILE_VALIDITY_RANGE=Validity Range (in days) +CMS_PROFILE_VALIDITY_START_TIME=Relative Start Time (in seconds) +CMS_PROFILE_BYPASS_CA_NOTAFTER=Bypass CA notAfter constraint +CMS_PROFILE_VALIDITY_OUT_OF_RANGE=Validity Out of Range {0} days +CMS_PROFILE_RENEW_GRACE_BEFORE=Renewal Grace Period Before +CMS_PROFILE_RENEW_GRACE_AFTER=Renewal Grace Period After +CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD=Outside of Renewal Grace Period: {0} +CMS_PROFILE_RENEW_ORIG_EXP_NOT_FOUND=Renewal: Original Cert Expiration Date Not Found. Cannot validate. +CMS_PROFILE_INVALID_VALIDITY=Invalid Validity +CMS_PROFILE_NOT_BEFORE_AFTER_CURRENT=Not Before is later than current time +CMS_PROFILE_NOT_AFTER_BEFORE_CURRENT=Not After is earlier than current time +CMS_PROFILE_NOT_AFTER_BEFORE_NOT_BEFORE=Not After is earlier than Not Before +CMS_PROFILE_TOKENKEY_LDAP_ENABLE=Enable/Disable ldap data feed +CMS_PROFILE_TOKENKEY_LDAP_SEARCH_NAME=LDAP attribute name used for searching +CMS_PROFILE_TOKENKEY_LDAP_STRING_ATTRS=LDAP String Attributes to be retrieved +CMS_PROFILE_TOKENKEY_LDAP_MIN_CONN=LDAP Minimum Number Connections +CMS_PROFILE_TOKENKEY_LDAP_MAX_CONN=LDAP Maximum Number Connections +CMS_PROFILE_TOKENKEY_LDAP_HOST_NAME=Host Name +CMS_PROFILE_TOKENKEY_LDAP_PORT_NUMBER=Port Number +CMS_PROFILE_TOKENKEY_LDAP_VERSION=LDAP Version +CMS_PROFILE_TOKENKEY_LDAP_BASEDN=BaseDN +CMS_PROFILE_TOKENKEY_LDAP_SECURE_CONN=Secure Connection +CMS_PROFILE_SUBJECT_NAME=Subject Name +CMS_PROFILE_SUBJECT_NAME_PATTERN=Subject Name Pattern +CMS_PROFILE_INVALID_SUBJECT_NAME=Invalid Subject Name {0} +CMS_PROFILE_SUBJECT_NAME_NOT_FOUND=Subject Name Not Found +CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED=Subject Name Not Matched {0} +CMS_PROFILE_SUBJECT_NAME_NOT_UNIQUE=Subject Name Not Unique {0} +CMS_PROFILE_SIGNING_ALGORITHMS_ALLOWED=Allowed Signing Algorithms +CMS_PROFILE_SIGNING_ALGORITHM_NOT_MATCHED=Signing Algorithm Not Matched {0} +CMS_PROFILE_SIGNING_ALGORITHM_NOT_FOUND=Signing Algorithm Not Found 
+CMS_PROFILE_OIDS=Comma-Separated list of Object Identifiers +CMS_PROFILE_SSL_CLIENT=SSL Client +CMS_PROFILE_SSL_SERVER=SSL Server +CMS_PROFILE_EMAIL=Email +CMS_PROFILE_OBJECT_SIGNING=Object Signing +CMS_PROFILE_SSL_CA=SSL CA +CMS_PROFILE_EMAIL_CA=Email CA +CMS_PROFILE_OBJECT_SIGNING_CA=Object Signing CA +CMS_PROFILE_SSL_CLIENT_NOT_MATCHED=SSL Client Not Matched {0} +CMS_PROFILE_SSL_SERVER_NOT_MATCHED=SSL Server Not Matched {0} +CMS_PROFILE_EMAIL_NOT_MATCHED=Email Not Matched {0} +CMS_PROFILE_OBJECT_SIGNING_NOT_MATCHED=Object Signing Not Matched {0} +CMS_PROFILE_SSL_CA_NOT_MATCHED=SSL CA Not Matched {0} +CMS_PROFILE_EMAIL_CA_NOT_MATCHED=Email CA Not Matched {0} +CMS_PROFILE_OBJECT_SIGNING_CA_NOT_MATCHED=Object Signing CA Not Matched {0} +CMS_PROFILE_DIGITAL_SIGNATURE=Digital Signature +CMS_PROFILE_NON_REPUDIATION=Non-Repudiation +CMS_PROFILE_KEY_ENCIPHERMENT=Key Encipherment +CMS_PROFILE_DATA_ENCIPHERMENT=Data Encipherment +CMS_PROFILE_KEY_AGREEMENT=Key Agreement +CMS_PROFILE_KEY_CERTSIGN=Key CertSign +CMS_PROFILE_CRL_SIGN=CRL Sign +CMS_PROFILE_ENCIPHER_ONLY=Encipher Only +CMS_PROFILE_DECIPHER_ONLY=Decipher Only +CMS_PROFILE_DIGITAL_SIGNATURE_NOT_MATCHED=Digital Signature Not Matched {0} +CMS_PROFILE_NON_REPUDIATION_NOT_MATCHED=Non-Repudiation Not Matched {0} +CMS_PROFILE_KEY_ENCIPHERMENT_NOT_MATCHED=Key Encipherment Not Matched {0} +CMS_PROFILE_DATA_ENCIPHERMENT_NOT_MATCHED=Data Encipherment Not Matched {0} +CMS_PROFILE_KEY_AGREEMENT_NOT_MATCHED=Key Agreement Not Matched {0} +CMS_PROFILE_KEY_CERTSIGN_NOT_MATCHED=Key CertSign Not Matched {0} +CMS_PROFILE_CRL_SIGN_NOT_MATCHED=CRL Sign Not Matched {0} +CMS_PROFILE_ENCIPHER_ONLY_NOT_MATCHED=Encipher Only Not Matched {0} +CMS_PROFILE_DECIPHER_ONLY_NOT_MATCHED=Decipher Only Not Matched {0} +CMS_PROFILE_OID=Object Identifier +CMS_PROFILE_EXT_VALUE=Extension Value +CMS_PROFILE_KEY=Key +CMS_PROFILE_KEY_LEN=Key Length +CMS_PROFILE_KEY_TYPE=Key Type +CMS_PROFILE_KEY_MIN_LEN=Min Key Length +CMS_PROFILE_KEY_MAX_LEN=Max Key 
Length +CMS_PROFILE_KEY_PARAMETERS=Key Lengths or Curves. For EC use comma separated list of curves, otherise use list of key sizes. Ex: 1024,2048,4096,8192 or: nistp256,nistp384,nistp521,sect163k1,nistk163 for EC. +CMS_PROFILE_IS_CA=Is CA +CMS_PROFILE_PATH_LEN=Path Length +CMS_PROFILE_MIN_PATH_LEN=Min Path Length +CMS_PROFILE_MAX_PATH_LEN=Max Path Length +CMS_PROFILE_EXTENSION_NOT_FOUND=Extension {0} Not Found +CMS_PROFILE_DUPLICATE_EXTENSION=Duplicate extension [ {0} ] found. Please contact the administrator in case of a misconfigured Certificate Profile +CMS_PROFILE_VALIDITY_NOT_FOUND=Validity Not Found +CMS_PROFILE_KEY_NOT_FOUND=Key Not Found +CMS_PROFILE_NOT_BEFORE=Not Before +CMS_PROFILE_NOT_AFTER=Not After +CMS_PROFILE_NO_POLICY_SET_FOUND=Policy Set Not Found +CMS_PROFILE_INVALID_NOT_BEFORE=Not Before Invalid +CMS_PROFILE_INVALID_NOT_AFTER=Not After Invalid +CMS_PROFILE_INVALID_KEY_TYPE=Invalid Key Type {0} +CMS_PROFILE_KEY_TYPE_NOT_MATCHED=Key Type {0} Not Matched +CMS_PROFILE_KEY_MIN_LEN_NOT_MATCHED=Key Min Length {0} Not Matched +CMS_PROFILE_KEY_MAX_LEN_NOT_MATCHED=Key Max Length {0} Not Matched +CMS_PROFILE_KEY_PARAMS_NOT_MATCHED=Key Parameters {0} Not Matched +CMS_PROFILE_OID_NOT_MATCHED=OID {0} Not Matched +CMS_PROFILE_CRITICAL_NOT_MATCHED=Criticality Not Matched +CMS_PROFILE_CONSTRAINT_NO_CONSTRAINT=No Constraint +CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_TEXT=This constraint accepts the Basic Constraint extension, if present, only when Criticality={0}, Is CA={1}, Min Path Length={2}, Max Path Length={3} +CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_IS_CA=Is CA Not Matched +CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_MIN_PATH=Min Path Length not matched +CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_MAX_PATH=Max Path Length not matched +CMS_PROFILE_CONSTRAINT_CA_VALIDITY_CONSTRAINT_TEXT=This constraint rejects the validity that is not between {0} (now) and {1} (Certificate Authority's notAfter) +CMS_PROFILE_CONSTRAINT_EXTENDED_KEY_EXT_TEXT=This 
constraint accepts the Extended Key Usage extension, if present, only when Criticality={0}, OIDs={1} +CMS_PROFILE_CONSTRAINT_EXTENSION_TEXT=This constraint accepts the extension only when Criticality={0}, OID={1} +CMS_PROFILE_CONSTRAINT_KEY_TEXT=This constraint accepts the key only if Key Type={0}, Key Parameters ={1} +CMS_PROFILE_CONSTRAINT_ALLOW_SAME_KEY_RENEWAL_TEXT = This constraint allows certificate requests with same keys when key uniqueness is enforced +CMS_PROFILE_CONSTRAINT_KEY_USAGE_EXT_TEXT=This constraint accepts the Key Usage extension, if present, only when Criticality={0}, Digital Signature={1}, Non-Repudiation={2}, Key Encipherment={3}, Data Encipherment={4}, Key Agreement={5}, Key Certificate Sign={6}, Key CRL Sign={7}, Encipher Only={8}, Decipher Only={9} +CMS_PROFILE_CONSTRAINT_NS_CERT_EXT_TEXT=This constraint accepts the NS Certificate Type extension, if present, only when Criticality={0}, SSL Client={1}, SSL Server={2}, Email={3}, Object Signing={4}, SSL CA={5}, Email CA={6}, Object Signing CA={7} +CMS_PROFILE_CONSTRAINT_NO_CONSTRAINT_TEXT=No Constraint +CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT=This constraint accepts only the Signing Algorithms of {0} +CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT=This constraint accepts the subject name that matches {0} +CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT=This constraint accepts unique subject name only +CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT=This constraint rejects the validity that is not between {0} days. +CMS_PROFILE_CONSTRAINT_RENEWAL_GRACE_PERIOD_TEXT=This constraint rejects the renewal requests that are outside of the grace period {0} +CMS_PROFILE_CONSTRAINT_VALIDITY_RENEWAL_TEXT=This constraint rejects the validity that is not between {0} days. If renewal, grace period is {1} days before and {2} days after the expiration date of the original certificate. +CMS_PROFILE_DEF_SIA_TEXT=This default populates a Subject Info Access Extension (1.3.6.1.5.5.7.1.11) to the request. 
The default values are Criticality={0}, {1} +CMS_PROFILE_DEF_AIA_TEXT=This default populates a Authority Info Access Extension (1.3.6.1.5.5.7.1.1) to the request. The default values are Criticality={0}, {1} +CMS_PROFILE_DEF_IMAGE=This default populates the image from the user. +CMS_PROFILE_DEF_AUTHTOKEN_SUBJECT_NAME=This default populates the authenticated name in the authentication token to the Certificate Subject Name of the request. +CMS_PROFILE_DEF_AKI_EXT=This default populates an Authority Key Identifier Extension (2.5.29.35) to the request. +CMS_PROFILE_DEF_SIA_OID=Invalid input parameter for method: {0}. The value should be in OID format, 1.3.6.1.5.5.7.48.1 for OCSP and 1.3.6.1.5.5.7.48.2 for CA Issuers +CMS_PROFILE_DEF_AIA_OID=Invalid input parameter for method: {0}. The value should be in OID format, 1.3.6.1.5.5.7.48.1 for OCSP and 1.3.6.1.5.5.7.48.2 for CA Issuers +CMS_PROFILE_DEF_BASIC_CONSTRAINTS_EXT=This default populates a Basic Constraints Extension (2.5.29.19) to the request. The default values are Criticality={0}, Is CA={1}, Path Length={2} +CMS_PROFILE_DEF_FRESHEST_CRL_EXT=This default populates a Freshest CRL Extension (2.5.29.46) to the request. The default values are Criticality={0}, {1} +CMS_PROFILE_DEF_CRL_DIST_POINTS_EXT=This default populates a CRL Distribution Points Extension (2.5.29.31) to the request. The default values are Criticality={0}, {1} +CMS_PROFILE_DEF_SUBJECT_DIR_ATTR_EXT=This default populates a Subject Directory Attributes Extension () to the request. The default values are Criticality={0}, {1} +CMS_PROFILE_DEF_EXTENDED_KEY_EXT=This default populates an Extended Key Usage Extension () to the request. The default values are Criticality={0}, OIDs={1} +CMS_PROFILE_DEF_KEY_USAGE_EXT=This default populates a Key Usage Extension (2.5.29.15) to the request. 
The default values are Criticality={0}, Digital Signature={1}, Non-Repudiation={2}, Key Encipherment={3}, Data Encipherment={4}, Key Agreement={5}, Key Certificate Sign={6}, Key CRL Sign={7}, Encipher Only={8}, Decipher Only={9} +CMS_PROFILE_DEF_PRIVATE_KEY_EXT=This default populates a Private Key Usage Period Extension (2.5.29.16) to the request. The default values are Criticality={0}, Start Time={1}, Duration={2} +CMS_PROFILE_DEF_GENERIC_EXT=This default populates a Generic Extension to the request. The default values are Criticality={0}, OID={1}, Value={2} +CMS_PROFILE_DEF_NS_COMMENT_EXT=This default populates a Netscape Comment Extension (2.16.840.1.113730.1.13) to the request. The default values are Criticality={0}, Comment={1} +CMS_PROFILE_DEF_CERT_VERSION=This default populates a Certificate Version to the request. The default value is Version={0} +CMS_PROFILE_DEF_NS_CERT_TYPE_EXT=This default populates a Netscape Certificate Type Extension (2.16.840.1.113730.1.1) to the request. The default values are Criticality={0}, SSL Client={1}, SSL Server={2}, Email={3}, Object Signing={4}, SSL CA={5}, Email CA={6}, Object Signing CA={7} +CMS_PROFILE_DEF_NAME_CONSTRAINTS_EXT=This default populates a Name Constraints Extension (2.5.29.30) to the request. The default values are Criticality={0}, {1} +CMS_PROFILE_DEF_NO_DEFAULT=No Default +CMS_PROFILE_DEF_OCSP_NO_CHECK_EXT=This default populates an OCSP No Check Extension (1.3.6.1.5.5.7.48.1.5) to the request. The default values are Criticality={0} +CMS_PROFILE_DEF_POLICY_CONSTRAINTS_EXT=This default populates a Policy Constraints Extension () to the request. The default values are Criticality={0}, Required Explicit Policy={1}, Inhibit Policy Mapping={2} +CMS_PROFILE_DEF_CERTIFICATE_POLICIES_EXT=This default populates a Certificate Policies Extension to the request. The default values are Criticality={0}, {1} +CMS_PROFILE_DEF_POLICY_MAPPINGS_EXT=This default populates a Policy Mappings Extension () to the request. 
The default values are Criticality={0}, {1} +CMS_PROFILE_DEF_SIGNING_ALGORITHM=This default populates the Certificate Signing Algorithm. The default values are Algorithm={0} +CMS_PROFILE_DEF_ISSUER_ALT_NAME_EXT=This default populates a Issuer Alternative Name Extension (2.5.29.18) to the request. The default values are Criticality={0}, Pattern={1}, Pattern Type={2} +CMS_PROFILE_DEF_SUBJECT_ALT_NAME_EXT=This default populates a Subject Alternative Name Extension (2.5.29.17) to the request. The default values are Criticality={0}, {1} +CMS_PROFILE_DEF_SUBJECT_KEY_ID_EXT=This default populates a Subject Key Identifier Extension (2.5.29.14) to the request. +CMS_PROFILE_AUTO_ASSIGN=Agent UID +CMS_PROFILE_DEF_AUTO_ASSIGN=This default assigns this request to Agent={0} automatically +CMS_PROFILE_DEF_SUBJECT_NAME=This default populates a Certificate Subject Name to the request. The default values are Subject Name={0} +CMS_PROFILE_DEF_INHIBIT_ANY_POLICY_EXT=This default populates an Inhibit Any-Policy Extension (2.25.29.54) to the request. The default values are Critically={0}, {1} +CMS_PROFILE_INHIBIT_ANY_POLICY_WRONG_SKIP_CERTS=The value for skipped certificates must be an integer. +CMS_PROFILE_DEF_USER_EXT=This default populates a User-Supplied Extension ({0}) to the request. +CMS_PROFILE_DEF_USER_KEY=This default populates a User-Supplied Certificate Key to the request. +CMS_PROFILE_DEF_USER_SIGNING_ALGORITHM=This default populates a User-Supplied Certificate Signing Algorithm to the request. +CMS_PROFILE_DEF_USER_SUBJECT_NAME=This default populates a User-Supplied Certificate Subject Name to the request. +CMS_PROFILE_DEF_USER_VALIDITY=This default populates a User-Supplied Certificate Validity to the request. +CMS_PROFILE_DEF_VALIDITY=This default populates a Certificate Validity to the request. 
The default values are Range={0} in days +CMS_PROFILE_CERTIFICATE_POLICIES_ID=Certificate Policies ID +CMS_PROFILE_CERTIFICATE_POLICY_ENABLE=True if this certificate policy qualifier is enabled; false otherwise +CMS_PROFILE_POLICY_ID=Policy ID +CMS_PROFILE_POLICY_QUALIFIER_CPSURI_ENABLE=True if this certificate policy qualifier type is CPSuri; false otherwise +CMS_PROFILE_POLICY_QUALIFIER_USERNOTICE_ENABLE=True if this certificate policy qualifier type is UserNotice; false otherwise +CMS_PROFILE_POLICY_USERNOTICE_REF_ORG=Organization for notice reference +CMS_PROFILE_POLICY_USERNOTICE_REF_NUMBERS=Notice numbers for notice reference +CMS_PROFILE_POLICY_USERNOTICE_EXPLICIT_TEXT=Explicit Text for user notice +CMS_PROFILE_POLICY_CPSURI=CPSUri +CMS_PROFILE_POLICY_QUALIFIERS=Certificate Policy Qualifier +CMS_PROFILE_POLICY_QUALIFIER_NUM=Number of Certificate Policy Qualifiers +CMS_PROFILE_CERTIFICATE_POLICIES_POLICYID_ERROR=Wrong format policy ID: {0} +CMS_PROFILE_CERTIFICATE_POLICIES_EMPTY_POLICYID=Empty certificate policies ID +CMS_PROFILE_CERTIFICATE_POLICIES_EMPTY_CPSURI=Empty CPSuri +####################################################### +# Profile Inputs and outputs +# The same servlets as last section display these messages +# +####################################################### +CMS_PROFILE_REQUESTOR_NAME=Requestor Name +CMS_PROFILE_REQUESTOR_EMAIL=Requestor Email +CMS_PROFILE_REQUESTOR_PHONE=Requestor Phone +CMS_PROFILE_SN_UID=UID +CMS_PROFILE_SN_EMAIL=Email +CMS_PROFILE_SN_CN=Common Name +CMS_PROFILE_SN_OU=Organizational Unit +CMS_PROFILE_SN_O=Organization +CMS_PROFILE_SN_C=Country +CMS_PROFILE_NO_CERT_REQ=Certificate Request Not Found +CMS_PROFILE_UNKNOWN_SEQ_NUM=Unknown Sequence Number +CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE=Unknown Certificate Request Type {0} +CMS_PROFILE_FILE_NOT_FOUND=Cannot locate file +CMS_PROFILE_INPUT_CERT_REQ_TYPE=Certificate Request Type +CMS_PROFILE_INPUT_CERT_REQ=Certificate Request +CMS_PROFILE_INPUT_KEYGEN_REQ=Key Generation 
Request +CMS_PROFILE_INPUT_KEYGEN_REQ_TYPE=Key Generation Request Type +CMS_PROFILE_INPUT_FILE_SIGNING_NAME=File Signing Input +CMS_PROFILE_INPUT_FILE_SIGNING_TEXT=File Signing Input +CMS_PROFILE_INPUT_FILE_SIGNING_URL=URL Of File Being Signed +CMS_PROFILE_INPUT_FILE_SIGNING_TEXT=Text Being Signed +CMS_PROFILE_IMAGE=Image +CMS_PROFILE_INPUT_IMAGE_NAME=Image +CMS_PROFILE_INPUT_IMAGE_TEXT=Image +CMS_PROFILE_INPUT_IMAGE_URL=Image URL +CMS_PROFILE_INPUT_SERIAL_NUM_NAME=Serial Number of Certificate to Renew +CMS_PROFILE_INPUT_SERIAL_NUM_TEXT=Serial Number of Certificate to Renew +CMS_PROFILE_INPUT_SUBMITTER_NAME=Requestor Information +CMS_PROFILE_INPUT_SUBMITTER_TEXT=Requestor Information +CMS_PROFILE_INPUT_GENERIC_NAME_NAME=Generic Input +CMS_PROFILE_INPUT_GENERIC_NAME_TEXT=Generic Input +CMS_PROFILE_GI_PARAM_NAME=Parameter Name +CMS_PROFILE_GI_SYNTAX=Syntax +CMS_PROFILE_GI_DISPLAY_NAME=Display Name +CMS_PROFILE_GI_ENABLE=Enable +CMS_PROFILE_INPUT_SUBJECT_NAME_NAME=Subject Name +CMS_PROFILE_INPUT_SUBJECT_NAME_TEXT=Subject Name +CMS_PROFILE_INPUT_KEY_GEN_NAME=Key Generation +CMS_PROFILE_INPUT_KEY_GEN_TEXT=Key Generation +CMS_PROFILE_INPUT_ENC_KEY_GEN_NAME=Encryption Key Generation +CMS_PROFILE_INPUT_ENC_KEY_GEN_TEXT=Encryption Key Generation +CMS_PROFILE_INPUT_SIGN_KEY_GEN_NAME=Signing Key Generation +CMS_PROFILE_INPUT_SIGN_KEY_GEN_TEXT=Signing Key Generation +CMS_PROFILE_INPUT_DUAL_KEY_NAME=Dual Key Generation +CMS_PROFILE_INPUT_DUAL_KEY_TEXT=Dual Key Generation +CMS_PROFILE_UPDATER_SUBSYSTEM_NAME=Updater for Subsystem Group +CMS_PROFILE_UPDATER_SUBSYSTEM_TEXT=Updater for Subsystem Group +CMS_PROFILE_INPUT_CERT_REQ_NAME=Certificate Request Input +CMS_PROFILE_INPUT_CERT_REQ_TEXT=Certificate Request Input +CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_NAME=Token Key Certificate Request Input +CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_TEXT=Token Key Certificate Request Input +CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_UID=Token Key User ID +CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_PK=Token Key User 
Public Key +CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_TOKEN_CUID=Token Key CUID +CMS_PROFILE_TOKENKEY_NO_TOKENCUID=Missing valid token CUID +CMS_PROFILE_TOKENKEY_NO_ID=Token Key input ID not found +CMS_PROFILE_TOKENKEY_NO_PUBLIC_KEY=Token Key input publickey not found +CMS_PROFILE_OUTPUT_CERT_TOKENKEY_NAME=Token Key Certificate Output +CMS_PROFILE_OUTPUT_CERT_TOKENKEY_TEXT=Token Key Certificate Output +CMS_PROFILE_OUTPUT_CERT_NAME=Certificate Output +CMS_PROFILE_OUTPUT_FINGER_PRINTS=Finger Prints +CMS_PROFILE_OUTPUT_CERT_TEXT=Certificate Output +CMS_PROFILE_OUTPUT_CERT_PP=Certificate Pretty Print +CMS_PROFILE_OUTPUT_CERT_B64=Certificate Base-64 Encoded +CMS_PROFILE_OUTPUT_CMMF_B64=CMMF Base-64 Encoded +CMS_PROFILE_OUTPUT_PKCS7_B64=PKCS #7 Base-64 Encoded +CMS_PROFILE_OUTPUT_DER_B64=DER Base 64 Encoded +####################################################### +# Self Tests +# +# Servlets which display these messages +# +# None +# +####################################################### +CMS_SELFTESTS_SYSTEM_CERTS_VERIFICATION_DESCRIPTION=This self test is used to verify all system certificates +CMS_SELFTESTS_CA_PRESENCE_DESCRIPTION=This self test is used to check whether or not the CA is present. +CMS_SELFTESTS_CA_VALIDITY_DESCRIPTION=This self test is used to check whether or not the CA is valid. +CMS_SELFTESTS_OCSP_PRESENCE_DESCRIPTION=This self test is used to check whether or not the OCSP is present. +CMS_SELFTESTS_OCSP_VALIDITY_DESCRIPTION=This self test is used to check whether or not the OCSP is valid. +CMS_SELFTESTS_RA_PRESENCE_DESCRIPTION=This self test is used to check whether or not the RA is present. +CMS_SELFTESTS_KRA_PRESENCE_DESCRIPTION=This self test is used to check whether or not the KRA is present. +CMS_SELFTESTS_TKS_PRESENCE_DESCRIPTION=This self test is used to check whether or not the TKS is present. 
+####################################################### +# ACL +# +# Servlets which display these messages +# +# ACLAdminServlet +# +####################################################### +CMS_ACL_NULL_VALUE={0} value can not be null +CMS_ACL_PARSING_ERROR=ACL parsing error for {0}: {1} +CMS_ACL_CLASS_LOAD_FAIL=Failed to load class: {0} +CMS_ACL_PERMISSION_DENIED=Permission denied +CMS_ACL_NO_PERMISSION={0} does not have permission to {1} +CMS_ACL_PARSING_ERROR_0=Failed to parse ACLs +CMS_ACL_UPDATE_FAIL=Failed to update ACLs. +CMS_ACL_METHOD_NOT_IMPLEMENTED=ACL method not implemented +CMS_ACL_CONNECT_LDAP_FAIL=Failed to connect LDAP server: {0} +CMS_ACL_RESOURCE_NOT_FOUND=ACLs resource not found +CMS_ACL_ILL_CLASS=Class must extend IAccessEvaluator +CMS_ACL_COMMIT_FAIL=Failed to save changes to the configuration file +CMS_ACL_INST_CLASS_FAIL=Failed to instantiate class +CMS_ACL_EVAL_NOT_FOUND=Evaluator not found +####################################################### +# User/group +# +# Servlets which display these messages +# +# UserGrpAdminServlet +# +####################################################### +CMS_USRGRP_USER_NOT_FOUND=User not found +CMS_USRGRP_ADD_USER_FAIL=Failed to add user +CMS_USRGRP_ADD_USER_FAIL_NO_UID=Failed to add user: UID required +CMS_USRGRP_MOD_USER_FAIL=Failed to modify user +CMS_USRGRP_CERT_NOT_FOUND=Certificate not found +CMS_USRGRP_REMOVE_USER_FAIL=Failed to remove user +CMS_USRGRP_ADD_GROUP_FAIL=Failed to add group +CMS_USRGRP_REMOVE_GROUP_FAIL=Failed to remove group +CMS_USRGRP_ILL_GRP_MOD=Certificate Server administrators group must not be empty +CMS_USRGRP_MOD_GROUP_FAIL=Failed to modify group +CMS_USRGRP_USR_CERT_ERROR=User certificate related error +####################################################### +# +# DBSubsystem +# +####################################################### +CMS_DB_ADD_ATTRIBUTE_FAILED=Failed to add attribute. +CMS_DB_ADD_OBJECTCLASS_FAILED=Failed to add objectclass. 
diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java new file mode 100644 index 000000000..508793ddf --- /dev/null +++ b/base/common/src/com/netscape/certsrv/acls/ACL.java @@ -0,0 +1,194 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.acls; + +import java.util.Enumeration; +import java.util.Vector; + +/** + * A class represents an access control list (ACL). An ACL + * is associated with an protected resources. The policy + * enforcer can verify the ACLs with the current + * context to see if the corresponding resource is accessible. + *

+ * An ACL may contain one or more ACLEntry. However, in case of multiple ACLEntry + * , a subject must pass ALL of the ACLEntry evaluation for permission to be granted + *

+ * + * @version $Revision$, $Date$ + */ +public class ACL implements IACL, java.io.Serializable { + + /** + * + */ + private static final long serialVersionUID = -1867465948611161868L; + + protected Vector mEntries = new Vector(); // ACL entries + protected Vector mRights = null; // possible rights entries + protected String mResourceACLs = null; // exact resourceACLs string on ldap server + protected String mName = null; // resource name + protected String mDescription = null; // resource description + + /** + * Class constructor. + */ + public ACL() { + } + + /** + * Class constructor. + * Constructs an access control list associated + * with a resource name + * + * @param name resource name + * @param rights applicable rights defined for this resource + * @param resourceACLs the entire ACL specification. For example: + * "certServer.log.configuration:read,modify: + * allow (read,modify) + * group=\"Administrators\": + * Allow administrators to read and modify log + * configuration" + */ + public ACL(String name, Vector rights, String resourceACLs) { + setName(name); + if (rights != null) { + mRights = rights; + } else { + mRights = new Vector(); + } + mResourceACLs = resourceACLs; + + } + + /** + * Sets the name of the resource governed by this + * access control. + * + * @param name name of the resource + */ + public void setName(String name) { + mName = name; + } + + /** + * Retrieves the name of the resource governed by + * this access control. + * + * @return name of the resource + */ + public String getName() { + return mName; + } + + /** + * Retrieves the exact string of the resourceACLs + * + * @return resource's acl + */ + public String getResourceACLs() { + return mResourceACLs; + } + + /** + * Sets the description of the resource governed by this + * access control. 
+ * + * @param description Description of the protected resource + */ + public void setDescription(String description) { + mDescription = description; + } + + /** + * Retrieves the description of the resource governed by + * this access control. + * + * @return Description of the protected resource + */ + public String getDescription() { + return mDescription; + } + + /** + * Adds an ACL entry to this list. + * + * @param entry the ACLEntry to be added to this resource + */ + public void addEntry(ACLEntry entry) { + mEntries.addElement(entry); + } + + /** + * Returns ACL entries. + * + * @return enumeration for the ACLEntry vector + */ + public Enumeration entries() { + return mEntries.elements(); + } + + /** + * Returns the string reprsentation. + * + * @return the string representation of the ACL entries in the + * following format: + * [,,...] + */ + public String toString() { + String entries = ""; + Enumeration e = entries(); + + for (; e.hasMoreElements();) { + ACLEntry entry = (ACLEntry) e.nextElement(); + + entries += entry.toString(); + if (e.hasMoreElements()) + entries += ","; + } + return getName() + "[" + entries + "]"; + } + + /** + * Adds an rights entry to this list. + * + * @param right The right to be added for this ACL + */ + public void addRight(String right) { + mRights.addElement(right); + } + + /** + * Tells if the permission is one of the defined "rights" + * + * @param permission permission to be checked + * @return true if it's one of the "rights"; false otherwise + */ + public boolean checkRight(String permission) { + return (mRights.contains((Object) permission)); + } + + /** + * Returns rights entries. + * + * @return enumeration of rights defined for this ACL + */ + public Enumeration rights() { + return mRights.elements(); + } +} diff --git a/base/common/src/com/netscape/certsrv/acls/ACLEntry.java b/base/common/src/com/netscape/certsrv/acls/ACLEntry.java new file mode 100644 index 000000000..2c1b7c3ea --- /dev/null 
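Review bot: `ACL()` leaves `mRights` null, so `addRight`, `checkRight` and `rights()` throw NullPointerException on a default-constructed ACL, whereas the three-argument constructor replaces a null `rights` with an empty Vector; an `ACLEntry.addPermission` call against such an ACL reaches `acl.checkRight` and fails instead of yielding an empty right set. Initialize the field once at its declaration, `protected Vector mRights = new Vector(); // possible rights entries`, and drop the null branch in the constructor, or add `mRights = new Vector();` to the no-arg constructor. The Javadoc of `toString` also misspells "representation".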
+++ b/base/common/src/com/netscape/certsrv/acls/ACLEntry.java @@ -0,0 +1,245 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.acls; + +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.StringTokenizer; + +/** + * A class represents an ACI entry of an access control list. + *

+ * + * @version $Revision$, $Date$ + */ +public class ACLEntry implements IACLEntry, java.io.Serializable { + /** + * + */ + private static final long serialVersionUID = 422656406529200393L; + + protected Hashtable mPerms = new Hashtable(); + protected String mExpressions = null; + protected boolean mNegative = false; + protected String mACLEntryString = null; + + /** + * Class Constructor + */ + public ACLEntry() { + } + + /** + * Checks if this ACL entry is set to negative. + * + * @return true if this ACL entry expression is for "deny"; + * false if this ACL entry expression is for "allow" + */ + public boolean isNegative() { + return mNegative; + } + + /** + * Sets this ACL entry negative. This ACL entry expression is for "deny". + */ + public void setNegative() { + mNegative = true; + } + + /** + * Sets the ACL entry string + * + * @param s string in the following format: + * + *

+     *   allow|deny (right[,right...]) attribute_expression
+     * 
+ */ + public void setACLEntryString(String s) { + mACLEntryString = s; + } + + /** + * Gets the ACL Entry String + * + * @return ACL Entry string in the following format: + * + *
+     *   allow|deny (right[,right...]) attribute_expression
+     * 
+ */ + public String getACLEntryString() { + return mACLEntryString; + } + + /** + * Adds permission to this entry. Permission must be one of the + * "rights" defined for each protected resource in its ACL + * + * @param acl the acl instance that this aclEntry is associated with + * @param permission one of the "rights" defined for each + * protected resource in its ACL + */ + public void addPermission(IACL acl, String permission) { + if (acl.checkRight(permission) == true) { + mPerms.put(permission, permission); + } else { + // not a valid right...log it later + } + } + + /** + * Returns a list of permissions associated with + * this entry. + * + * @return a list of permissions for this ACL entry + */ + public Enumeration permissions() { + return mPerms.elements(); + } + + /** + * Sets the expression associated with this entry. + * + * @param expressions the evaluator expressions. For example, + * group="Administrators" + */ + public void setAttributeExpressions(String expressions) { + mExpressions = expressions; + } + + /** + * Retrieves the expression associated with this entry. + * + * @return the evaluator expressions. For example, + * group="Administrators" + */ + public String getAttributeExpressions() { + return mExpressions; + } + + /** + * Checks to see if this ACLEntry contains a + * particular permission + * + * @param permission one of the "rights" defined for each + * protected resource in its ACL + * @return true if permission contained in the permission list + * for this ACLEntry; false otherwise. + */ + public boolean containPermission(String permission) { + return (mPerms.get(permission) != null); + } + + /** + * Checks if this entry has the given permission. + * + * @param permission one of the "rights" defined for each + * protected resource in its ACL + * @return true if the permission is allowed; false if the + * permission is denied. 
If a permission is not + * recognized by this ACL, it is considered denied + */ + public boolean checkPermission(String permission) { + // default - if we dont know about the requested permission, + // don't grant permission + if (mPerms.get(permission) == null) + return false; + if (isNegative()) { + return false; + } else { + return true; + } + } + + /** + * Parse string in the following format: + * + *
+     *   allow|deny (right[,right...]) attribute_expression
+     * 
+ * + * into an instance of the ACLEntry class + * + * @param acl the acl instance associated with this aclentry + * @param aclEntryString aclEntryString in the specified format + * @return an instance of the ACLEntry class + */ + public static ACLEntry parseACLEntry(IACL acl, String aclEntryString) { + if (aclEntryString == null) { + return null; + } + + String te = aclEntryString.trim(); + + // locate first space + int i = te.indexOf(' '); + // prefix should be "allowed" or "deny" + String prefix = te.substring(0, i); + String suffix = te.substring(i + 1).trim(); + ACLEntry entry = new ACLEntry(); + + if (prefix.equals("allow")) { + // do nothing + } else if (prefix.equals("deny")) { + entry.setNegative(); + } else { + return null; + } + // locate the second space + i = suffix.indexOf(' '); + // this prefix should be rights list, delimited by "," + prefix = suffix.substring(1, i - 1); + // the suffix is the rest, which is the "expressions" + suffix = suffix.substring(i + 1).trim(); + + StringTokenizer st = new StringTokenizer(prefix, ","); + + for (; st.hasMoreTokens();) { + entry.addPermission(acl, st.nextToken()); + } + entry.setAttributeExpressions(suffix); + return entry; + } + + /** + * Returns the string representation of this ACLEntry + * + * @return string representation of this ACLEntry + */ + public String toString() { + String entry = ""; + + if (isNegative()) { + entry += "deny ("; + } else { + entry += "allow ("; + } + Enumeration e = permissions(); + + for (; e.hasMoreElements();) { + String p = e.nextElement(); + + entry += p; + if (e.hasMoreElements()) + entry += ","; + } + entry += ") " + getAttributeExpressions(); + return entry; + } +} diff --git a/base/common/src/com/netscape/certsrv/acls/ACLsResources.java b/base/common/src/com/netscape/certsrv/acls/ACLsResources.java new file mode 100644 index 000000000..bf3ea4a28 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/acls/ACLsResources.java 
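Review bot: `parseACLEntry` returns null only for an unknown allow/deny keyword; every other malformed entry either throws StringIndexOutOfBoundsException (no space after the keyword gives `te.substring(0, -1)`, no space after the rights list gives `suffix.substring(1, -2)`) or is silently mis-parsed, because `suffix.substring(1, i - 1)` strips the first and last character of the second token without checking that they are the parentheses, so `allow read group=...` yields the right "ea". The parser should validate both separators and the `(`…`)` delimiters and return null for anything else, so a mistyped ACL string is rejected rather than turned into an entry with a different right set than written. Related: `addPermission` drops a right that `acl.checkRight` does not recognize with only the `// not a valid right...log it later` comment, so a misspelled right in a deny entry vanishes without trace; it should at least be logged.
```java
    public static ACLEntry parseACLEntry(IACL acl, String aclEntryString) {
        if (aclEntryString == null) {
            return null;
        }

        String te = aclEntryString.trim();

        // locate first space; without it there is no rights list to parse
        int i = te.indexOf(' ');
        if (i < 0) {
            return null;
        }
        // … unchanged: prefix/suffix split and allow|deny handling …

        // locate the second space; the rights list must be "(right[,right...])"
        i = suffix.indexOf(' ');
        if (i < 2 || suffix.charAt(0) != '(' || suffix.charAt(i - 1) != ')') {
            return null;
        }
        prefix = suffix.substring(1, i - 1);
        // … unchanged: expression split, rights tokenizing, return …
    }
```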
@@ -0,0 +1,45 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.acls; + +import java.util.ListResourceBundle; + +/** + * A class represents a resource bundle for the entire ACL component. + * system. + *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class ACLsResources extends ListResourceBundle { + + /** + * Returns the content of this resource. + * + * @return the content of this resource. + */ + public Object[][] getContents() { + return contents; + } + + /** + * A set of constants for localized error messages. + */ + static final Object[][] contents = {}; +} diff --git a/base/common/src/com/netscape/certsrv/acls/EACLsException.java b/base/common/src/com/netscape/certsrv/acls/EACLsException.java new file mode 100644 index 000000000..8d204091e --- /dev/null +++ b/base/common/src/com/netscape/certsrv/acls/EACLsException.java @@ -0,0 +1,148 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.acls; + +import java.util.Locale; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.MessageFormatter; + +/** + * A class represents an acls exception. Note that this is + * an Runtime exception so that methods used AccessManager + * do not have to explicity declare this exception. This + * allows AccessManager to be easily integrated into any + * existing code. + *

+ * + * @version $Revision$, $Date$ + */ +public class EACLsException extends EBaseException { + + /** + * + */ + private static final long serialVersionUID = 5471535135648315104L; + /** + * resource class name + */ + private static final String ACL_RESOURCES = ACLsResources.class.getName(); + + /** + * Constructs an acls exception. + *

+ * + * @param msgFormat exception details + */ + public EACLsException(String msgFormat) { + super(msgFormat); + mParams = null; + } + + /** + * Constructs a base exception with a parameter. For example, + * + *

+     * new EACLsException("failed to load {0}", fileName);
+     * 
+ *

+ * + * @param msgFormat exception details in message string format + * @param param message string parameter + */ + public EACLsException(String msgFormat, String param) { + super(msgFormat); + mParams = new String[1]; + mParams[0] = param; + } + + /** + * Constructs a base exception. It can be used to carry + * a system exception that may contain information about + * the context. For example, + * + *

+     * 		try {
+     *  		...
+     * 		} catch (IOExeption e) {
+     * 		 	throw new EACLsException("Encountered System Error {0}", e);
+     *      }
+     * 
+ *

+ * + * @param msgFormat exception details in message string format + * @param param system exception + */ + public EACLsException(String msgFormat, Exception param) { + super(msgFormat); + mParams = new Exception[1]; + mParams[0] = param; + } + + /** + * Constructs a base exception with a list of parameters + * that will be substituted into the message format. + *

+ * + * @param msgFormat exception details in message string format + * @param params list of message format parameters + */ + public EACLsException(String msgFormat, Object params[]) { + super(msgFormat); + mParams = params; + } + + /** + * Returns a list of parameters. + *

+ * + * @return list of message format parameters + */ + public Object[] getParameters() { + return mParams; + } + + /** + * String representation for the corresponding exception. + * + * @return String representation for the corresponding exception. + */ + public String toString() { + return toString(Locale.getDefault()); + } + + /** + * Returns string representation for the corresponding exception. + * + * @param locale client specified locale for string representation. + * @return String representation for the corresponding exception. + */ + public String toString(Locale locale) { + return MessageFormatter.getLocalizedString(locale, getBundleName(), + super.getMessage(), mParams); + } + + /** + * Return the class name of the resource bundle. + * + * @return class name of the resource bundle. + */ + protected String getBundleName() { + return ACL_RESOURCES; + } +} diff --git a/base/common/src/com/netscape/certsrv/acls/IACL.java b/base/common/src/com/netscape/certsrv/acls/IACL.java new file mode 100644 index 000000000..aad733722 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/acls/IACL.java 
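Review bot: `EACLsException(String msgFormat, Exception param)` stores the wrapped exception only as a message parameter in the inherited `mParams` and never chains it as the cause, so `getCause()` and stack traces lose the original failure unless EBaseException does this itself (its constructors are not visible in this hunk); add `initCause(param);` after `super(msgFormat);`. The class Javadoc also states this "is an Runtime exception" that callers need not declare, but the class extends EBaseException, whose checked or unchecked status is not visible here, so the comment should be checked against what EBaseException actually is. `getParameters()` returns the internal `mParams` array directly, letting callers mutate the message parameters; `return mParams == null ? null : mParams.clone();` would avoid that.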
@@ -0,0 +1,68 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.acls; + +import java.util.Enumeration; + +/** + * A class represents an access control list (ACL). An ACL + * is associated with a protected resource. The policy + * enforcer can verify the ACLs with the current + * context to see if the corresponding resource is accessible. + *

+ * + * @version $Revision$, $Date$ + */ +public interface IACL { + + /** + * Returns the name of the current ACL. + * + * @return the name of the current ACL. + */ + public String getName(); + + /** + * Returns the description of the current ACL. + * + * @return the description of the current ACL. + */ + public String getDescription(); + + /** + * Returns a list of access rights of the current ACL. + * + * @return a list of access rights + */ + public Enumeration rights(); + + /** + * Returns a list of entries of the current ACL. + * + * @return a list of entries + */ + public Enumeration entries(); + + /** + * Verifies if permission is granted. + * + * @param permission one of the applicable rights + * @return true if the given permission is one of the applicable rights; false otherwise. + */ + public boolean checkRight(String permission); +} diff --git a/base/common/src/com/netscape/certsrv/acls/IACLEntry.java b/base/common/src/com/netscape/certsrv/acls/IACLEntry.java new file mode 100644 index 000000000..ff806f155 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/acls/IACLEntry.java 
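Review bot: The Javadoc summary of `checkRight`, "Verifies if permission is granted", overstates what the method does: per its own `@return`, it only reports whether the permission is one of the rights defined for the ACL, and nothing in this interface evaluates the entries that decide whether access is actually granted, so a reader could mistake it for an authorization check. Suggest `* Checks whether the given permission is one of the rights defined for this ACL.` followed by `* This does not evaluate the ACL entries and says nothing about whether access is granted.`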
@@ -0,0 +1,34 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.acls; + +/** + * A class represents an entry of access control list. + *

+ * + * @version $Revision$, $Date$ + */ +public interface IACLEntry { + + /** + * Returns the ACL entry string of the entry. + * + * @return the ACL entry string of the entry. + */ + public String getACLEntryString(); +} diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java new file mode 100644 index 000000000..3a36c71bc --- /dev/null +++ b/base/common/src/com/netscape/certsrv/apps/CMS.java 
@@ -0,0 +1,1649 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.apps;
+
+import java.io.ByteArrayOutputStream;
+import java.io.PrintStream;
+import java.math.BigInteger;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.Locale;
+import java.util.Vector;
+
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPSSLSocketFactoryExt;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.Extension;
+import netscape.security.x509.GeneralName;
+import netscape.security.x509.X509CertInfo;
+
+import org.mozilla.jss.CryptoManager.CertificateUsage;
+import org.mozilla.jss.util.PasswordCallback;
+
+import com.netscape.certsrv.acls.EACLsException;
+import com.netscape.certsrv.acls.IACL;
+import com.netscape.certsrv.authentication.IAuthSubsystem;
+import com.netscape.certsrv.authority.IAuthority;
+import com.netscape.certsrv.authorization.IAuthzSubsystem;
+import
com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IArgBlock;
+import com.netscape.certsrv.base.ICRLPrettyPrint;
+import com.netscape.certsrv.base.ICertPrettyPrint;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtPrettyPrint;
+import com.netscape.certsrv.base.IPrettyPrintFormat;
+import com.netscape.certsrv.base.ISecurityDomainSessionTable;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.ca.ICRLIssuingPoint;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.connector.IHttpConnection;
+import com.netscape.certsrv.connector.IPKIMessage;
+import com.netscape.certsrv.connector.IRemoteAuthority;
+import com.netscape.certsrv.connector.IRequestEncoder;
+import com.netscape.certsrv.connector.IResender;
+import com.netscape.certsrv.dbs.IDBSubsystem;
+import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
+import com.netscape.certsrv.dbs.repository.IRepositoryRecord;
+import com.netscape.certsrv.jobs.IJobsScheduler;
+import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.ldap.ELdapException;
+import com.netscape.certsrv.ldap.ILdapAuthInfo;
+import com.netscape.certsrv.ldap.ILdapConnFactory;
+import com.netscape.certsrv.ldap.ILdapConnInfo;
+import com.netscape.certsrv.logging.ILogSubsystem;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.notification.IEmailFormProcessor;
+import com.netscape.certsrv.notification.IEmailResolver;
+import com.netscape.certsrv.notification.IEmailResolverKeys;
+import com.netscape.certsrv.notification.IEmailTemplate;
+import com.netscape.certsrv.notification.IMailNotification;
+import com.netscape.certsrv.ocsp.IOCSPAuthority;
+import com.netscape.certsrv.password.IPasswordCheck;
+import com.netscape.certsrv.policy.IGeneralNameAsConstraintsConfig;
+import com.netscape.certsrv.policy.IGeneralNamesAsConstraintsConfig;
+import com.netscape.certsrv.policy.IGeneralNamesConfig;
+import com.netscape.certsrv.policy.ISubjAltNameConfig;
+import com.netscape.certsrv.profile.IProfileSubsystem;
+import com.netscape.certsrv.ra.IRegistrationAuthority;
+import com.netscape.certsrv.registry.IPluginRegistry;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.security.ICryptoSubsystem;
+import com.netscape.certsrv.selftests.ISelfTestSubsystem;
+import com.netscape.certsrv.tks.ITKSAuthority;
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
+import com.netscape.cmsutil.net.ISocketFactory;
+import com.netscape.cmsutil.password.IPasswordStore;
+
+/**
+ * This represents the CMS server. Plugins can access other
+ * public objects such as subsystems via this inteface.
+ * This object also include a set of utility functions.
+ *
+ * This object does not include the actual implementation.
+ * It acts as a public interface for plugins, and the
+ * actual implementation is in the CMS engine
+ * (com.netscape.cmscore.apps.CMSEngine) that implements
+ * ICMSEngine interface.
+ *
+ * @version $Revision$, $Date$
+ */
+public final class CMS {
+
+ public static final int DEBUG_OBNOXIOUS = 10;
+ public static final int DEBUG_VERBOSE = 5;
+ public static final int DEBUG_INFORM = 1;
+
+ private static final String CONFIG_FILE = "CS.cfg";
+ private static ICMSEngine _engine = null;
+
+ public static final String SUBSYSTEM_LOG = ILogSubsystem.ID;
+ public static final String SUBSYSTEM_CRYPTO = ICryptoSubsystem.ID;
+ public static final String SUBSYSTEM_DBS = IDBSubsystem.SUB_ID;
+ public static final String SUBSYSTEM_CA = ICertificateAuthority.ID;
+ public static final String SUBSYSTEM_RA = IRegistrationAuthority.ID;
+ public static final String SUBSYSTEM_KRA = IKeyRecoveryAuthority.ID;
+ public static final String SUBSYSTEM_OCSP = IOCSPAuthority.ID;
+ public static final String SUBSYSTEM_TKS = ITKSAuthority.ID;
+ public static final String SUBSYSTEM_UG = IUGSubsystem.ID;
+ public static final String SUBSYSTEM_AUTH = IAuthSubsystem.ID;
+ public static final String SUBSYSTEM_AUTHZ = IAuthzSubsystem.ID;
+ public static final String SUBSYSTEM_REGISTRY = IPluginRegistry.ID;
+ public static final String SUBSYSTEM_PROFILE = IProfileSubsystem.ID;
+ public static final String SUBSYSTEM_JOBS = IJobsScheduler.ID;
+ public static final String SUBSYSTEM_SELFTESTS = ISelfTestSubsystem.ID;
+ public static final int PRE_OP_MODE = 0;
+ public static final int RUNNING_MODE = 1;
+
+ /**
+ * Private constructor.
+ *
+ * @param engine CMS engine implementation
+ */
+ private CMS(ICMSEngine engine) {
+ _engine = engine;
+ }
+
+ /**
+ * This method is used for unit tests. It allows the underlying _engine
+ * to be stubbed out.
+ *
+ * @param engine The stub engine to set, for testing.
+ */
+ public static void setCMSEngine(ICMSEngine engine) {
+ _engine = engine;
+ }
+
+ /**
+ * Gets this ID .
+ *
+ * @return CMS engine identifier
+ */
+ public static String getId() {
+ return _engine.getId();
+ }
+
+ /**
+ * Sets the identifier of this subsystem.
Should never be called.
+ * Returns error.
+ *
+ * @param id CMS engine identifier
+ */
+ public static void setId(String id) throws EBaseException {
+ _engine.setId(id);
+ }
+
+ /**
+ * Initialize all static, dynamic and final static subsystems.
+ *
+ * @param owner null
+ * @param config main config store.
+ * @exception EBaseException if any error occur in subsystems during
+ * initialization.
+ */
+ public static void init(ISubsystem owner, IConfigStore config)
+ throws EBaseException {
+ _engine.init(owner, config);
+ }
+
+ public static void reinit(String id) throws EBaseException {
+ _engine.reinit(id);
+ }
+
+ /**
+ * Starts up all subsystems. subsystems must be initialized.
+ *
+ * @exception EBaseException if any subsystem fails to startup.
+ */
+ public static void startup() throws EBaseException {
+ _engine.startup();
+ }
+
+ /**
+ * Blocks all new incoming requests.
+ */
+ public static void disableRequests() {
+ _engine.disableRequests();
+ }
+
+ /**
+ * Terminates all requests that are currently in process.
+ */
+ public static void terminateRequests() {
+ _engine.terminateRequests();
+ }
+
+ /**
+ * Checks to ensure that all new incoming requests have been blocked.
+ * This method is used for reentrancy protection.
+ *

+ *
+ * @return true or false
+ */
+ public static boolean areRequestsDisabled() {
+ return _engine.areRequestsDisabled();
+ }
+
+ /**
+ * Shuts down subsystems in backwards order
+ * exceptions are ignored. process exists at end to force exit.
+ */
+ public static void shutdown() {
+ _engine.shutdown();
+ }
+
+ /**
+ * Shuts down subsystems in backwards order
+ * exceptions are ignored. process exists at end to force exit.
+ */
+
+ public static void forceShutdown() {
+
+ _engine.forceShutdown();
+ }
+
+ /**
+ * mode = 0 (pre-operational)
+ * mode = 1 (running)
+ */
+ public static void setCSState(int mode) {
+ _engine.setCSState(mode);
+ }
+
+ public static int getCSState() {
+ return _engine.getCSState();
+ }
+
+ public static boolean isPreOpMode() {
+ return _engine.isPreOpMode();
+ }
+
+ public static boolean isRunningMode() {
+ return _engine.isRunningMode();
+ }
+
+ /**
+ * Is the server in running state. After server startup, the
+ * server will be initialization state first. After the
+ * initialization state, the server will be in the running
+ * state.
+ *
+ * @return true if the server is in the running state
+ */
+ public static boolean isInRunningState() {
+ return _engine.isInRunningState();
+ }
+
+ /**
+ * Returns the logger of the current server. The logger can
+ * be used to log critical informational or critical error
+ * messages.
+ *
+ * @return logger
+ */
+ public static ILogger getLogger() {
+ return _engine.getLogger();
+ }
+
+ /**
+ * Returns the signed audit logger of the current server. This logger can
+ * be used to log critical informational or critical error
+ * messages.
+ *
+ * @return signed audit logger
+ */
+ public static ILogger getSignedAuditLogger() {
+ return _engine.getSignedAuditLogger();
+ }
+
+ /**
+ * Creates a repository record in the internal database.
+ *
+ * @return repository record
+ */
+ public static IRepositoryRecord createRepositoryRecord() {
+ return _engine.createRepositoryRecord();
+ }
+
+ /**
+ * Parse ACL resource attributes
+ *
+ * @param resACLs same format as the resourceACLs attribute:
+ *
+ *

+     *     ::
+     *      () 
+     * 
+ * @exception EACLsException ACL related parsing errors for resACLs
+ * @return an ACL instance built from the parsed resACLs
+ */
+ public static IACL parseACL(String resACLs) throws EACLsException {
+ return _engine.parseACL(resACLs);
+ }
+
+ /**
+ * Creates an issuing poing record.
+ *
+ * @return issuing record
+ */
+ public static ICRLIssuingPointRecord createCRLIssuingPointRecord(String id, BigInteger crlNumber, Long crlSize,
+ Date thisUpdate, Date nextUpdate) {
+ return _engine.createCRLIssuingPointRecord(id, crlNumber, crlSize, thisUpdate, nextUpdate);
+ }
+
+ /**
+ * Retrieves the default CRL issuing point record name.
+ *
+ * @return CRL issuing point record name
+ */
+ public static String getCRLIssuingPointRecordName() {
+ return _engine.getCRLIssuingPointRecordName();
+ }
+
+ /**
+ * Retrieves the process id of this server.
+ *
+ * @return process id of the server
+ */
+ public static int getPID() {
+ return _engine.getPID();
+ }
+
+ /**
+ * Retrieves the instance roort path of this server.
+ *
+ * @return instance directory path name
+ */
+ public static String getInstanceDir() {
+ return _engine.getInstanceDir();
+ }
+
+ /**
+ * Returns a server wide system time. Plugins should call
+ * this method to retrieve system time.
+ *
+ * @return current time
+ */
+ public static Date getCurrentDate() {
+ if (_engine == null)
+ return new Date();
+ return _engine.getCurrentDate();
+ }
+
+ /**
+ * Puts data of an byte array into the debug file.
+ *
+ * @param data byte array to be recorded in the debug file
+ */
+ public static void debug(byte data[]) {
+ if (_engine != null)
+ _engine.debug(data);
+ }
+
+ /**
+ * Puts a message into the debug file.
+ *
+ * @param msg debugging message
+ */
+ public static void debug(String msg) {
+ if (_engine != null)
+ _engine.debug(msg);
+ }
+
+ /**
+ * Puts a message into the debug file.
+ *
+ * @param level 0-10 (0 is less detail, 10 is more detail)
+ * @param msg debugging message
+ */
+ public static void debug(int level, String msg) {
+ if (_engine != null)
+ _engine.debug(level, msg);
+ }
+
+ /**
+ * Puts an exception into the debug file.
+ *
+ * @param e exception
+ */
+ public static void debug(Throwable e) {
+ if (_engine != null)
+ _engine.debug(e);
+ }
+
+ /**
+ * Checks if the debug mode is on or not.
+ *
+ * @return true if debug mode is on
+ */
+ public static boolean debugOn() {
+ if (_engine != null)
+ return _engine.debugOn();
+ return false;
+ }
+
+ /**
+ * Puts the current stack trace in the debug file.
+ */
+ public static void debugStackTrace() {
+ if (_engine != null)
+ _engine.debugStackTrace();
+ }
+
+ /*
+ * If debugging for the particular realm is enabled, output name/value
+ * pair info to the debug file. This is useful to dump out what hidden
+ * config variables the server is looking at, or what HTTP variables it
+ * is expecting to find, or what database attributes it is looking for.
+ * @param type indicates what the source of key/val is. For example,
+ * this could be 'CS.cfg', or something else. In the debug
+ * subsystem, there is a mechanism to filter this so only the types
+ * you care about are listed
+ * @param key the 'key' of the hashtable which is being accessed.
+ * This could be the name of the config parameter, or the http param
+ * name.
+ * @param val the value of the parameter
+ * @param default the default value if the param is not found
+ */
+
+ public static void traceHashKey(String type, String key) {
+ if (_engine != null) {
+ _engine.traceHashKey(type, key);
+ }
+ }
+
+ public static void traceHashKey(String type, String key, String val) {
+ if (_engine != null) {
+ _engine.traceHashKey(type, key, val);
+ }
+ }
+
+ public static void traceHashKey(String type, String key, String val, String def) {
+ if (_engine != null) {
+ _engine.traceHashKey(type, key, val, def);
+ }
+ }
+
+ /**
+ * Returns the names of all the registered subsystems.
+ *
+ * @return a list of string-based subsystem names
+ */
+ public static Enumeration getSubsystemNames() {
+ return _engine.getSubsystemNames();
+ }
+
+ public static byte[] getPKCS7(Locale locale, IRequest req) {
+ return _engine.getPKCS7(locale, req);
+ }
+
+ /**
+ * Returns all the registered subsystems.
+ *
+ * @return a list of ISubsystem-based subsystems
+ */
+ public static Enumeration getSubsystems() {
+ return _engine.getSubsystems();
+ }
+
+ /**
+ * Retrieves the registered subsytem with the given name.
+ *
+ * @param name subsystem name
+ * @return subsystem of the given name
+ */
+ public static ISubsystem getSubsystem(String name) {
+ return _engine.getSubsystem(name);
+ }
+
+ /**
+ * Retrieves the localized user message from UserMessages.properties.
+ *
+ * @param msgID message id defined in UserMessages.properties
+ * @return localized user message
+ */
+ public static String getUserMessage(String msgID) {
+ if (_engine == null)
+ return msgID;
+ return _engine.getUserMessage(null /* from session context */, msgID);
+ }
+
+ /**
+ * Retrieves the localized user message from UserMessages.properties.
+ *
+ * @param locale end-user locale
+ * @param msgID message id defined in UserMessages.properties
+ * @return localized user message
+ */
+ public static String getUserMessage(Locale locale, String msgID) {
+ if (_engine == null)
+ return msgID;
+ return _engine.getUserMessage(locale, msgID);
+ }
+
+ /**
+ * Retrieves the localized user message from UserMessages.properties.
+ *
+ * @param msgID message id defined in UserMessages.properties
+ * @param p1 1st parameter
+ * @return localized user message
+ */
+ public static String getUserMessage(String msgID, String p1) {
+ if (_engine == null)
+ return msgID;
+ return _engine.getUserMessage(null /* from session context */, msgID, p1);
+ }
+
+ /**
+ * Retrieves the localized user message from UserMessages.properties.
+ *
+ * @param locale end-user locale
+ * @param msgID message id defined in UserMessages.properties
+ * @param p1 1st parameter
+ * @return localized user message
+ */
+ public static String getUserMessage(Locale locale, String msgID, String p1) {
+ if (_engine == null)
+ return msgID;
+ return _engine.getUserMessage(locale, msgID, p1);
+ }
+
+ /**
+ * Retrieves the localized user message from UserMessages.properties.
+ *
+ * @param msgID message id defined in UserMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @return localized user message
+ */
+ public static String getUserMessage(String msgID, String p1, String p2) {
+ if (_engine == null)
+ return msgID;
+ return _engine.getUserMessage(null /* from session context */, msgID, p1, p2);
+ }
+
+ /**
+ * Retrieves the localized user message from UserMessages.properties.
+ *
+ * @param locale end-user locale
+ * @param msgID message id defined in UserMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @return localized user message
+ */
+ public static String getUserMessage(Locale locale, String msgID, String p1, String p2) {
+ if (_engine == null)
+ return msgID;
+ return _engine.getUserMessage(locale, msgID, p1, p2);
+ }
+
+ /**
+ * Retrieves the localized user message from UserMessages.properties.
+ *
+ * @param msgID message id defined in UserMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @return localized user message
+ */
+ public static String getUserMessage(String msgID, String p1, String p2, String p3) {
+ if (_engine == null)
+ return msgID;
+ return _engine.getUserMessage(null /* from session context */, msgID, p1, p2, p3);
+ }
+
+ public static LDAPConnection getBoundConnection(String host, int port,
+ int version, LDAPSSLSocketFactoryExt fac, String bindDN,
+ String bindPW) throws LDAPException {
+ return _engine.getBoundConnection(host, port, version, fac,
+ bindDN, bindPW);
+ }
+
+ /**
+ * Retrieves the localized user message from UserMessages.properties.
+ *
+ * @param locale end-user locale
+ * @param msgID message id defined in UserMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @return localized user message
+ */
+ public static String getUserMessage(Locale locale, String msgID, String p1, String p2, String p3) {
+ if (_engine == null)
+ return msgID;
+ return _engine.getUserMessage(locale, msgID, p1, p2, p3);
+ }
+
+ /**
+ * Retrieves the localized user message from UserMessages.properties.
+ *
+ * @param msgID message id defined in UserMessages.properties
+ * @param p an array of parameters
+ * @return localized user message
+ */
+ public static String getUserMessage(String msgID, String p[]) {
+ if (_engine == null)
+ return msgID;
+ return _engine.getUserMessage(null /* from session context */, msgID, p);
+ }
+
+ /**
+ * Retrieves the localized user message from UserMessages.properties.
+ *
+ * @param locale end-user locale
+ * @param msgID message id defined in UserMessages.properties
+ * @param p an array of parameters
+ * @return localized user message
+ */
+ public static String getUserMessage(Locale locale, String msgID, String p[]) {
+ if (_engine == null)
+ return msgID;
+ return _engine.getUserMessage(locale, msgID, p);
+ }
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @return localized log message
+ */
+ public static String getLogMessage(String msgID) {
+ return _engine.getLogMessage(msgID);
+ }
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p an array of parameters
+ * @return localized log message
+ */
+ public static String getLogMessage(String msgID, String p[]) {
+ return _engine.getLogMessage(msgID, p);
+ }
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @return localized log message
+ */
+ public static String getLogMessage(String msgID, String p1) {
+ return _engine.getLogMessage(msgID, p1);
+ }
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @return localized log message
+ */
+ public static String getLogMessage(String msgID, String p1, String p2) {
+ return _engine.getLogMessage(msgID, p1, p2);
+ }
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @return localized log message
+ */
+ public static String getLogMessage(String msgID, String p1, String p2, String p3) {
+ return _engine.getLogMessage(msgID, p1, p2, p3);
+ }
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @param p4 4th parameter
+ * @return localized log message
+ */
+ public static String getLogMessage(String msgID, String p1, String p2, String p3, String p4) {
+ return _engine.getLogMessage(msgID, p1, p2, p3, p4);
+ }
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @param p4 4th parameter
+ * @param p5 5th parameter
+ * @return localized log message
+ */
+ public static String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5) {
+ return _engine.getLogMessage(msgID, p1, p2, p3, p4, p5);
+ }
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @param p4 4th parameter
+ * @param p5 5th parameter
+ * @param p6 6th parameter
+ * @return localized log message
+ */
+ public static String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6) {
+ return _engine.getLogMessage(msgID, p1, p2, p3, p4, p5, p6);
+ }
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @param p4 4th parameter
+ * @param p5 5th parameter
+ * @param p6 6th parameter
+ * @param p7 7th parameter
+ * @return localized log message
+ */
+ public static String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
+ String p7) {
+ return _engine.getLogMessage(msgID, p1, p2, p3, p4, p5, p6, p7);
+ }
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @param p4 4th parameter
+ * @param p5 5th parameter
+ * @param p6 6th parameter
+ * @param p7 7th parameter
+ * @param p8 8th parameter
+ * @return localized log message
+ */
+ public static String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
+ String p7, String p8) {
+ return _engine.getLogMessage(msgID, p1, p2, p3, p4, p5, p6, p7, p8);
+ }
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @param p4 4th parameter
+ * @param p5 5th parameter
+ * @param p6 6th parameter
+ * @param p7 7th parameter
+ * @param p8 8th parameter
+ * @param p9 9th parameter
+ * @return localized log message
+ */
+ public static String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
+ String p7, String p8, String p9) {
+ return _engine.getLogMessage(msgID, p1, p2, p3, p4, p5, p6, p7, p8, p9);
+ }
+
+ /**
+ * Returns the main config store. It is a handle to CMS.cfg.
+ *
+ * @return configuration store
+ */
+ public static IConfigStore getConfigStore() {
+ return _engine.getConfigStore();
+ }
+
+ /**
+ * Retrieves time server started up.
+ *
+ * @return last startup time
+ */
+ public static long getStartupTime() {
+ return _engine.getStartupTime();
+ }
+
+ /**
+ * Retrieves the HTTP Connection for use with connector.
+ *
+ * @param authority remote authority
+ * @param factory socket factory
+ * @return http connection to the remote authority
+ */
+ public static IHttpConnection getHttpConnection(IRemoteAuthority authority,
+ ISocketFactory factory) {
+ return _engine.getHttpConnection(authority, factory);
+ }
+
+ /**
+ * Retrieves the HTTP Connection for use with connector.
+ *
+ * @param authority remote authority
+ * @param factory socket factory
+ * @param timeout return error if connection cannot be established within
+ * the timeout period
+ * @return http connection to the remote authority
+ */
+ public static IHttpConnection getHttpConnection(IRemoteAuthority authority,
+ ISocketFactory factory, int timeout) {
+ return _engine.getHttpConnection(authority, factory, timeout);
+ }
+
+ /**
+ * Retrieves the request sender for use with connector.
+ *
+ * @param authority local authority
+ * @param nickname nickname of the client certificate
+ * @param remote remote authority
+ * @param interval timeout interval
+ * @return resender
+ */
+ public static IResender getResender(IAuthority authority, String nickname,
+ IRemoteAuthority remote, int interval) {
+ return _engine.getResender(authority, nickname, remote, interval);
+ }
+
+ /**
+ * Retrieves the nickname of the server's server certificate.
+ *
+ * @return nickname of the server certificate
+ */
+ public static String getServerCertNickname() {
+ return _engine.getServerCertNickname();
+ }
+
+ /**
+ * Sets the nickname of the server's server certificate.
+ *
+ * @param tokenName name of token where the certificate is located
+ * @param nickName name of server certificate
+ */
+ public static void setServerCertNickname(String tokenName, String nickName) {
+ _engine.setServerCertNickname(tokenName, nickName);
+ }
+
+ /**
+ * Sets the nickname of the server's server certificate.
+ *
+ * @param newName new nickname of server certificate
+ */
+ public static void setServerCertNickname(String newName) {
+ _engine.setServerCertNickname(newName);
+ }
+
+ /**
+ * Retrieves the host name of the server's secure end entity service.
+ *
+ * @return host name of end-entity service
+ */
+ public static String getEEHost() {
+ return _engine.getEEHost();
+ }
+
+ /**
+ * Retrieves the host name of the server's non-secure end entity service.
+ *
+ * @return host name of end-entity non-secure service
+ */
+ public static String getEENonSSLHost() {
+ return _engine.getEENonSSLHost();
+ }
+
+ /**
+ * Retrieves the IP address of the server's non-secure end entity service.
+ *
+ * @return ip address of end-entity non-secure service
+ */
+ public static String getEENonSSLIP() {
+ return _engine.getEENonSSLIP();
+ }
+
+ /**
+ * Retrieves the port number of the server's non-secure end entity service.
+ *
+ * @return port of end-entity non-secure service
+ */
+ public static String getEENonSSLPort() {
+ return _engine.getEENonSSLPort();
+ }
+
+ /**
+ * Retrieves the host name of the server's secure end entity service.
+ *
+ * @return port of end-entity secure service
+ */
+ public static String getEESSLHost() {
+ return _engine.getEESSLHost();
+ }
+
+ /**
+ * Retrieves the host name of the server's secure end entity service.
+ *
+ * @return port of end-entity secure service
+ */
+ public static String getEEClientAuthSSLPort() {
+ return _engine.getEEClientAuthSSLPort();
+ }
+
+ /**
+ * Retrieves the IP address of the server's secure end entity service.
+ *
+ * @return ip address of end-entity secure service
+ */
+ public static String getEESSLIP() {
+ return _engine.getEESSLIP();
+ }
+
+ /**
+ * Retrieves the port number of the server's secure end entity service.
+ *
+ * @return port of end-entity secure service
+ */
+ public static String getEESSLPort() {
+ return _engine.getEESSLPort();
+ }
+
+ /**
+ * Retrieves the host name of the server's agent service.
+ *
+ * @return host name of agent service
+ */
+ public static String getAgentHost() {
+ return _engine.getAgentHost();
+ }
+
+ /**
+ * Retrieves the IP address of the server's agent service.
+ *
+ * @return ip address of agent service
+ */
+ public static String getAgentIP() {
+ return _engine.getAgentIP();
+ }
+
+ /**
+ * Retrieves the port number of the server's agent service.
+ *
+ * @return port of agent service
+ */
+ public static String getAgentPort() {
+ return _engine.getAgentPort();
+ }
+
+ /**
+ * Retrieves the host name of the server's administration service.
+ *
+ * @return host name of administration service
+ */
+ public static String getAdminHost() {
+ return _engine.getAdminHost();
+ }
+
+ /**
+ * Retrieves the IP address of the server's administration service.
+ *
+ * @return ip address of administration service
+ */
+ public static String getAdminIP() {
+ return _engine.getAdminIP();
+ }
+
+ /**
+ * Retrieves the port number of the server's administration service.
+ *
+ * @return port of administration service
+ */
+ public static String getAdminPort() {
+ return _engine.getAdminPort();
+ }
+
+ /**
+ * Creates a general name constraints.
+ *
+ * @param generalNameChoice type of general name
+ * @param value general name string
+ * @return general name object
+ * @exception EBaseException failed to create general name constraint
+ */
+ public static GeneralName form_GeneralNameAsConstraints(String generalNameChoice, String value)
+ throws EBaseException {
+ return _engine.form_GeneralName(generalNameChoice, value);
+ }
+
+ /**
+ * Creates a general name.
+ *
+ * @param generalNameChoice type of general name
+ * @param value general name string
+ * @return general name object
+ * @exception EBaseException failed to create general name
+ */
+ public static GeneralName form_GeneralName(String generalNameChoice,
+ String value) throws EBaseException {
+ return _engine.form_GeneralName(generalNameChoice, value);
+ }
+
+ /**
+ * Get default parameters for subject alt name configuration.
+ *
+ * @param name configuration name
+ * @param params configuration parameters
+ */
+ public static void getSubjAltNameConfigDefaultParams(String name,
+ Vector params) {
+ _engine.getSubjAltNameConfigDefaultParams(name, params);
+ }
+
+ /**
+ * Get extended plugin info for subject alt name configuration.
+ *
+ * @param name configuration name
+ * @param params configuration parameters
+ */
+ public static void getSubjAltNameConfigExtendedPluginInfo(String name,
+ Vector params) {
+ _engine.getSubjAltNameConfigExtendedPluginInfo(name, params);
+ }
+
+ /**
+ * Creates subject alt name configuration.
+ *
+ * @param name configuration name
+ * @param config configuration store
+ * @param isValueConfigured true if value is configured
+ * @exception EBaseException failed to create subject alt name configuration
+ */
+ public static ISubjAltNameConfig createSubjAltNameConfig(String name, IConfigStore config, boolean isValueConfigured)
+ throws EBaseException {
+ return _engine.createSubjAltNameConfig(
+ name, config, isValueConfigured);
+ }
+
+ /**
+ * Retrieves default general name configuration.
+ *
+ * @param name configuration name
+ * @param isValueConfigured true if value is configured
+ * @param params configuration parameters
+ * @exception EBaseException failed to create subject alt name configuration
+ */
+ public static void getGeneralNameConfigDefaultParams(String name,
+ boolean isValueConfigured, Vector params) {
+ _engine.getGeneralNameConfigDefaultParams(name,
+ isValueConfigured, params);
+ }
+
+ /**
+ * Retrieves default general names configuration.
+ *
+ * @param name configuration name
+ * @param isValueConfigured true if value is configured
+ * @param params configuration parameters
+ * @exception EBaseException failed to create subject alt name configuration
+ */
+ public static void getGeneralNamesConfigDefaultParams(String name,
+ boolean isValueConfigured, Vector params) {
+ _engine.getGeneralNamesConfigDefaultParams(name,
+ isValueConfigured, params);
+ }
+
+ /**
+ * Retrieves extended plugin info for general name configuration.
+ *
+ * @param name configuration name
+ * @param isValueConfigured true if value is configured
+ * @param info configuration parameters
+ * @exception EBaseException failed to create subject alt name configuration
+ */
+ public static void getGeneralNameConfigExtendedPluginInfo(String name,
+ boolean isValueConfigured, Vector info) {
+ _engine.getGeneralNameConfigExtendedPluginInfo(name,
+ isValueConfigured, info);
+ }
+
+ /**
+ * Retrieves extended plugin info for general name configuration.
+ *
+ * @param name configuration name
+ * @param isValueConfigured true if value is configured
+ * @param info configuration parameters
+ * @exception EBaseException failed to create subject alt name configuration
+ */
+ public static void getGeneralNamesConfigExtendedPluginInfo(String name,
+ boolean isValueConfigured, Vector info) {
+ _engine.getGeneralNamesConfigExtendedPluginInfo(name,
+ isValueConfigured, info);
+ }
+
+ /**
+ * Created general names configuration.
+ *
+ * @param name configuration name
+ * @param config configuration store
+ * @param isValueConfigured true if value is configured
+ * @param isPolicyEnabled true if policy is enabled
+ * @exception EBaseException failed to create subject alt name configuration
+ */
+ public static IGeneralNamesConfig createGeneralNamesConfig(String name,
+ IConfigStore config, boolean isValueConfigured,
+ boolean isPolicyEnabled) throws EBaseException {
+ return _engine.createGeneralNamesConfig(name, config, isValueConfigured,
+ isPolicyEnabled);
+ }
+
+ /**
+ * Created general name constraints configuration.
+ *
+ * @param name configuration name
+ * @param config configuration store
+ * @param isValueConfigured true if value is configured
+ * @param isPolicyEnabled true if policy is enabled
+ * @exception EBaseException failed to create subject alt name configuration
+ */
+ public static IGeneralNameAsConstraintsConfig createGeneralNameAsConstraintsConfig(String name,
+ IConfigStore config, boolean isValueConfigured,
+ boolean isPolicyEnabled) throws EBaseException {
+ return _engine.createGeneralNameAsConstraintsConfig(
+ name, config, isValueConfigured, isPolicyEnabled);
+ }
+
+ /**
+ * Created general name constraints configuration.
+ *
+ * @param name configuration name
+ * @param config configuration store
+ * @param isValueConfigured true if value is configured
+ * @param isPolicyEnabled true if policy is enabled
+ * @exception EBaseException failed to create subject alt name configuration
+ */
+ public static IGeneralNamesAsConstraintsConfig createGeneralNamesAsConstraintsConfig(String name,
+ IConfigStore config, boolean isValueConfigured,
+ boolean isPolicyEnabled) throws EBaseException {
+ return _engine.createGeneralNamesAsConstraintsConfig(
+ name, config, isValueConfigured, isPolicyEnabled);
+ }
+
+ /**
+ * Returns the finger print of the given certificate.
+ *
+ * @param cert certificate
+ * @return finger print of certificate
+ */
+ public static String getFingerPrint(Certificate cert)
+ throws CertificateEncodingException, NoSuchAlgorithmException {
+ return _engine.getFingerPrint(cert);
+ }
+
+ /**
+ * Returns the finger print of the given certificate.
+ *
+ * @param certDer DER byte array of the certificate
+ * @return finger print of certificate
+ */
+ public static String getFingerPrints(byte[] certDer)
+ throws NoSuchAlgorithmException {
+ return _engine.getFingerPrints(certDer);
+ }
+
+ /**
+ * Returns the finger print of the given certificate.
+ *
+ * @param cert certificate
+ * @return finger print of certificate
+ */
+ public static String getFingerPrints(Certificate cert)
+ throws NoSuchAlgorithmException, CertificateEncodingException {
+ return _engine.getFingerPrints(cert);
+ }
+
+ /**
+ * Creates a HTTP PKI Message that can be sent to a remote
+ * authority.
+ *
+ * @return a new PKI Message for remote authority
+ */
+ public static IPKIMessage getHttpPKIMessage() {
+ return _engine.getHttpPKIMessage();
+ }
+
+ /**
+ * Creates a request encoder. A request cannot be sent to
+ * the remote authority in its regular format.
+ *
+ * @return a request encoder
+ */
+ public static IRequestEncoder getHttpRequestEncoder() {
+ return _engine.getHttpRequestEncoder();
+ }
+
+ /**
+ * Converts a BER-encoded byte array into a MIME-64 encoded string.
+ *
+ * @param data data in byte array format
+ * @return base-64 encoding for the data
+ */
+ public static String BtoA(byte data[]) {
+ return _engine.BtoA(data);
+ }
+
+ /**
+ * Converts a MIME-64 encoded string into a BER-encoded byte array.
+ *
+ * @param data base-64 encoding for the data
+ * @return data data in byte array format
+ */
+ public static byte[] AtoB(String data) {
+ return _engine.AtoB(data);
+ }
+
+ /**
+ * Retrieves the ldap connection information from the configuration
+ * store.
+ *
+ * @param config configuration parameters of ldap connection
+ * @return a LDAP connection info
+ */
+ public static ILdapConnInfo getLdapConnInfo(IConfigStore config)
+ throws EBaseException, ELdapException {
+ return _engine.getLdapConnInfo(config);
+ }
+
+ /**
+ * Creates a LDAP SSL socket with the given nickname. The
+ * certificate associated with the nickname will be used
+ * for client authentication.
+ *
+ * @param certNickname nickname of client certificate
+ * @return LDAP SSL socket factory
+ */
+ public static LDAPSSLSocketFactoryExt getLdapJssSSLSocketFactory(
+ String certNickname) {
+ return _engine.getLdapJssSSLSocketFactory(certNickname);
+ }
+
+ /**
+ * Creates a LDAP SSL socket.
+ *
+ * @return LDAP SSL socket factory
+ */
+ public static LDAPSSLSocketFactoryExt getLdapJssSSLSocketFactory() {
+ return _engine.getLdapJssSSLSocketFactory();
+ }
+
+ /**
+ * Creates a LDAP Auth Info object.
+ *
+ * @return LDAP authentication info
+ */
+ public static ILdapAuthInfo getLdapAuthInfo() {
+ return _engine.getLdapAuthInfo();
+ }
+
+ /**
+ * Retrieves the LDAP connection factory.
+ *
+ * @return bound LDAP connection pool
+ */
+ public static ILdapConnFactory getLdapBoundConnFactory()
+ throws ELdapException {
+ return _engine.getLdapBoundConnFactory();
+ }
+
+ /**
+ * Retrieves the LDAP connection factory.
+ *
+ * @return anonymous LDAP connection pool
+ */
+ public static ILdapConnFactory getLdapAnonConnFactory()
+ throws ELdapException {
+ return _engine.getLdapAnonConnFactory();
+ }
+
+ /**
+ * Retrieves the default X.509 certificate template.
+ *
+ * @return default certificate template
+ */
+ public static X509CertInfo getDefaultX509CertInfo() {
+ return _engine.getDefaultX509CertInfo();
+ }
+
+ /**
+ * Retrieves the certifcate in MIME-64 encoded format
+ * with header and footer.
+ *
+ * @param cert certificate
+ * @return base-64 format certificate
+ */
+ public static String getEncodedCert(X509Certificate cert) {
+ return _engine.getEncodedCert(cert);
+ }
+
+ /**
+ * Verifies all system certs
+ * with tags defined in .cert.list
+ */
+ public static boolean verifySystemCerts() {
+ return _engine.verifySystemCerts();
+ }
+
+ /**
+ * Verify a system cert by tag name
+ * with tags defined in .cert.list
+ */
+ public static boolean verifySystemCertByTag(String tag) {
+ return _engine.verifySystemCertByTag(tag);
+ }
+
+ /**
+ * Verify a system cert by certificate nickname
+ */
+ public static boolean verifySystemCertByNickname(String nickname, String certificateUsage) {
+ return _engine.verifySystemCertByNickname(nickname, certificateUsage);
+ }
+
+ /**
+ * get the CertificateUsage as defined in JSS CryptoManager
+ */
+ public static CertificateUsage getCertificateUsage(String certusage) {
+ return _engine.getCertificateUsage(certusage);
+ }
+
+ /**
+ * Checks if the given certificate is a signing certificate.
+ *
+ * @param cert certificate
+ * @return true if the given certificate is a signing certificate
+ */
+ public static boolean isSigningCert(X509Certificate cert) {
+ return _engine.isSigningCert(cert);
+ }
+
+ /**
+ * Checks if the given certificate is an encryption certificate.
+ *
+ * @param cert certificate
+ * @return true if the given certificate is an encryption certificate
+ */
+ public static boolean isEncryptionCert(X509Certificate cert) {
+ return _engine.isEncryptionCert(cert);
+ }
+
+ /**
+ * Retrieves the email form processor.
+ *
+ * @return email form processor
+ */
+ public static IEmailFormProcessor getEmailFormProcessor() {
+ return _engine.getEmailFormProcessor();
+ }
+
+ /**
+ * Retrieves the email form template.
+ *
+ * @return email template
+ */
+ public static IEmailTemplate getEmailTemplate(String path) {
+ return _engine.getEmailTemplate(path);
+ }
+
+ /**
+ * Retrieves the email notification handler.
+ *
+ * @return email notification
+ */
+ public static IMailNotification getMailNotification() {
+ return _engine.getMailNotification();
+ }
+
+ /**
+ * Retrieves the email key resolver.
+ *
+ * @return email key resolver
+ */
+ public static IEmailResolverKeys getEmailResolverKeys() {
+ return _engine.getEmailResolverKeys();
+ }
+
+ /**
+ * Checks if the given OID is valid.
+ *
+ * @param attrName attribute name
+ * @param value attribute value
+ * @return object identifier of the given attrName
+ */
+ public static ObjectIdentifier checkOID(String attrName, String value)
+ throws EBaseException {
+ return _engine.checkOID(attrName, value);
+ }
+
+ /**
+ * Retrieves the email resolver that checks for subjectAlternateName.
+ *
+ * @return email key resolver
+ */
+ public static IEmailResolver getReqCertSANameEmailResolver() {
+ return _engine.getReqCertSANameEmailResolver();
+ }
+
+ /**
+ * Retrieves the extension pretty print handler.
+ *
+ * @param e extension
+ * @param indent indentation
+ * @return extension pretty print handler
+ */
+ public static IExtPrettyPrint getExtPrettyPrint(Extension e, int indent) {
+ return _engine.getExtPrettyPrint(e, indent);
+ }
+
+ /**
+ * Retrieves the certificate pretty print handler.
+ *
+ * @param delimiter delimiter
+ * @return certificate pretty print handler
+ */
+ public static IPrettyPrintFormat getPrettyPrintFormat(String delimiter) {
+ return _engine.getPrettyPrintFormat(delimiter);
+ }
+
+ /**
+ * Retrieves the CRL pretty print handler.
+ *
+ * @param crl CRL
+ * @return CRL pretty print handler
+ */
+ public static ICRLPrettyPrint getCRLPrettyPrint(X509CRL crl) {
+ return _engine.getCRLPrettyPrint(crl);
+ }
+
+ /**
+ * Retrieves the CRL cache pretty print handler.
+ *
+ * @param ip CRL issuing point
+ * @return CRL pretty print handler
+ */
+ public static ICRLPrettyPrint getCRLCachePrettyPrint(ICRLIssuingPoint ip) {
+ return _engine.getCRLCachePrettyPrint(ip);
+ }
+
+ /**
+ * Retrieves the certificate pretty print handler.
+ *
+ * @param cert certificate
+ * @return certificate pretty print handler
+ */
+ public static ICertPrettyPrint getCertPrettyPrint(X509Certificate cert) {
+ return _engine.getCertPrettyPrint(cert);
+ }
+
+ public static String getConfigSDSessionId() {
+ return _engine.getConfigSDSessionId();
+ }
+
+ public static void setConfigSDSessionId(String val) {
+ _engine.setConfigSDSessionId(val);
+ }
+
+ /**
+ * Retrieves the password check.
+ *
+ * @return default password checker
+ */
+ public static IPasswordCheck getPasswordChecker() {
+ return _engine.getPasswordChecker();
+ }
+
+ /**
+ * Puts a password entry into the single-sign on cache.
+ *
+ * @param tag password tag
+ * @param pw password
+ */
+ public static void putPasswordCache(String tag, String pw) {
+ _engine.putPasswordCache(tag, pw);
+ }
+
+ /**
+ * Retrieves the password callback.
+ * + * @return default password callback + */ + public static PasswordCallback getPasswordCallback() { + return _engine.getPasswordCallback(); + } + + /** + * Retrieves command queue + * + * @return command queue + */ + public static ICommandQueue getCommandQueue() { + return _engine.getCommandQueue(); + } + + /** + * Loads the configuration file and starts CMS's core implementation. + * + * @param path path to configuration file (CMS.cfg) + * @exception EBaseException failed to start CMS + */ + public static void start(String path) throws EBaseException { + //FileConfigStore mainConfig = null; + /* + try { + mainConfig = new FileConfigStore(path); + } catch (EBaseException e) { + e.printStackTrace(); + System.out.println( + "Error: The Server is not fully configured.\n" + + "Finish configuring server using Configure Setup Wizard in " + + "the Certificate Server Console."); + System.out.println(e.toString()); + System.exit(0); + } + */ + + String classname = "com.netscape.cmscore.apps.CMSEngine"; + + try { + ICMSEngine engine = (ICMSEngine) + Class.forName(classname).newInstance(); + + CMS.setCMSEngine(engine); + IConfigStore mainConfig = createFileConfigStore(path); + CMS.init(null, mainConfig); + CMS.startup(); + + } catch (EBaseException e) { // catch everything here purposely + CMS.debug("CMS:Caught EBaseException"); + CMS.debug(e); + + // Raidzilla Bug #57592: Always print error message to stdout. 
+ System.out.println(e.toString());
+
+ shutdown();
+ throw e;
+ } catch (Exception e) { // catch everything here purposely
+ ByteArrayOutputStream bos = new ByteArrayOutputStream();
+ PrintStream ps = new PrintStream(bos);
+
+ e.printStackTrace(ps);
+ System.out.println(Constants.SERVER_SHUTDOWN_MESSAGE);
+ throw new EBaseException(bos.toString());
+ // cms.shutdown();
+ }
+ }
+
+ public static IConfigStore createFileConfigStore(String path) throws EBaseException {
+ return _engine.createFileConfigStore(path);
+ }
+
+ public static IArgBlock createArgBlock() {
+ return _engine.createArgBlock();
+ }
+
+ public static IArgBlock createArgBlock(String realm, Hashtable httpReq) {
+ return _engine.createArgBlock(realm, httpReq);
+ }
+
+ public static IArgBlock createArgBlock(Hashtable httpReq) {
+ return _engine.createArgBlock(httpReq);
+ }
+
+ public static boolean isRevoked(X509Certificate[] certificates) {
+ return _engine.isRevoked(certificates);
+ }
+
+ public static void setListOfVerifiedCerts(int size, long interval, long unknownStateInterval) {
+ _engine.setListOfVerifiedCerts(size, interval, unknownStateInterval);
+ }
+
+ public static IPasswordStore getPasswordStore() {
+ return _engine.getPasswordStore();
+ }
+
+ public static ISecurityDomainSessionTable getSecurityDomainSessionTable() {
+ return _engine.getSecurityDomainSessionTable();
+ }
+
+ /**
+ * Main driver to start CMS.
+ */
+ public static void main(String[] args) {
+ String path = CONFIG_FILE;
+
+ for (int i = 0; i < args.length; i++) {
+ String arg = args[i];
+
+ if (arg.equals("-f")) {
+ path = args[++i];
+ } else {
+ // ignore unknown arguments since we
+ // have no real way to report them
+ }
+ }
+ try {
+ start(path);
+ } catch (EBaseException e) {
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
new file mode 100644
index 000000000..ba9731867
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java 
@@ -0,0 +1,1126 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.apps;
+
+import java.math.BigInteger;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.Locale;
+import java.util.Vector;
+
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPSSLSocketFactoryExt;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.Extension;
+import netscape.security.x509.GeneralName;
+import netscape.security.x509.X509CertInfo;
+
+import org.mozilla.jss.CryptoManager.CertificateUsage;
+import org.mozilla.jss.util.PasswordCallback;
+
+import com.netscape.certsrv.acls.EACLsException;
+import com.netscape.certsrv.acls.IACL;
+import com.netscape.certsrv.authority.IAuthority;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IArgBlock;
+import com.netscape.certsrv.base.ICRLPrettyPrint;
+import com.netscape.certsrv.base.ICertPrettyPrint;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtPrettyPrint;
+import com.netscape.certsrv.base.IPrettyPrintFormat;
+import com.netscape.certsrv.base.ISecurityDomainSessionTable;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.ca.ICRLIssuingPoint;
+import com.netscape.certsrv.connector.IHttpConnection;
+import com.netscape.certsrv.connector.IPKIMessage;
+import com.netscape.certsrv.connector.IRemoteAuthority;
+import com.netscape.certsrv.connector.IRequestEncoder;
+import com.netscape.certsrv.connector.IResender;
+import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
+import com.netscape.certsrv.dbs.repository.IRepositoryRecord;
+import com.netscape.certsrv.ldap.ELdapException;
+import com.netscape.certsrv.ldap.ILdapAuthInfo;
+import com.netscape.certsrv.ldap.ILdapConnFactory;
+import com.netscape.certsrv.ldap.ILdapConnInfo;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.notification.IEmailFormProcessor;
+import com.netscape.certsrv.notification.IEmailResolver;
+import com.netscape.certsrv.notification.IEmailResolverKeys;
+import com.netscape.certsrv.notification.IEmailTemplate;
+import com.netscape.certsrv.notification.IMailNotification;
+import com.netscape.certsrv.password.IPasswordCheck;
+import com.netscape.certsrv.policy.IGeneralNameAsConstraintsConfig;
+import com.netscape.certsrv.policy.IGeneralNamesAsConstraintsConfig;
+import com.netscape.certsrv.policy.IGeneralNamesConfig;
+import com.netscape.certsrv.policy.ISubjAltNameConfig;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cmsutil.net.ISocketFactory;
+import com.netscape.cmsutil.password.IPasswordStore;
+
+/**
+ * This interface represents the CMS core framework. The
+ * framework contains a set of services that provide
+ * the foundation of a security application.
+ *

+ * The engine implementation is loaded by CMS at startup. It is responsible for starting up all the related subsystems.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface ICMSEngine extends ISubsystem {
+
+ /**
+ * Gets this ID .
+ *
+ * @return CMS engine identifier
+ */
+ public String getId();
+
+ /**
+ * Sets the identifier of this subsystem. Should never be called.
+ * Returns error.
+ *
+ * @param id CMS engine identifier
+ */
+ public void setId(String id) throws EBaseException;
+
+ /**
+ * Retrieves the process id of this server.
+ *
+ * @return process id of the server
+ */
+ public int getPID();
+
+ public void reinit(String id) throws EBaseException;
+
+ public int getCSState();
+
+ public void setCSState(int mode);
+
+ public boolean isPreOpMode();
+
+ public boolean isRunningMode();
+
+ /**
+ * Retrieves the instance roort path of this server.
+ *
+ * @return instance directory path name
+ */
+ public String getInstanceDir();
+
+ /**
+ * Returns a server wide system time. Plugins should call
+ * this method to retrieve system time.
+ *
+ * @return current time
+ */
+ public Date getCurrentDate();
+
+ /**
+ * Retrieves time server started up.
+ *
+ * @return last startup time
+ */
+ public long getStartupTime();
+
+ /**
+ * Is the server in running state. After server startup, the
+ * server will be initialization state first. After the
+ * initialization state, the server will be in the running
+ * state.
+ *
+ * @return true if the server is in the running state
+ */
+ public boolean isInRunningState();
+
+ /**
+ * Returns the names of all the registered subsystems.
+ *
+ * @return a list of string-based subsystem names
+ */
+ public Enumeration getSubsystemNames();
+
+ /**
+ * Returns all the registered subsystems.
+ *
+ * @return a list of ISubsystem-based subsystems
+ */
+ public Enumeration getSubsystems();
+
+ /**
+ * Retrieves the registered subsytem with the given name.
+ *
+ * @param name subsystem name
+ * @return subsystem of the given name
+ */
+ public ISubsystem getSubsystem(String name);
+
+ /**
+ * Returns the logger of the current server.
The logger can
+ * be used to log critical informational or critical error
+ * messages.
+ *
+ * @return logger
+ */
+ public ILogger getLogger();
+
+ /**
+ * Returns the signed audit logger of the current server. This logger can
+ * be used to log critical informational or critical error
+ * messages.
+ *
+ * @return signed audit logger
+ */
+ public ILogger getSignedAuditLogger();
+
+ /**
+ * Puts data of an byte array into the debug file.
+ *
+ * @param data byte array to be recorded in the debug file
+ */
+ public void debug(byte data[]);
+
+ /**
+ * Puts a message into the debug file.
+ *
+ * @param msg debugging message
+ */
+ public void debug(String msg);
+
+ /**
+ * Puts a message into the debug file.
+ *
+ * @param level 0-10
+ * @param msg debugging message
+ */
+ public void debug(int level, String msg);
+
+ /**
+ * Puts an exception into the debug file.
+ *
+ * @param e exception
+ */
+ public void debug(Throwable e);
+
+ /**
+ * Checks if the debug mode is on or not.
+ *
+ * @return true if debug mode is on
+ */
+ public boolean debugOn();
+
+ /**
+ * Puts the current stack trace in the debug file.
+ */
+ public void debugStackTrace();
+
+ /**
+ * Dump name/value pair debug information to debug file
+ */
+ public void traceHashKey(String type, String key);
+
+ public void traceHashKey(String type, String key, String val);
+
+ public void traceHashKey(String type, String key, String val, String def);
+
+ public byte[] getPKCS7(Locale locale, IRequest req);
+
+ /**
+ * Retrieves the localized user message from UserMessages.properties.
+ *
+ * @param locale end-user locale
+ * @param msgID message id defined in UserMessages.properties
+ * @return localized user message
+ */
+ public String getUserMessage(Locale locale, String msgID);
+
+ /**
+ * Retrieves the localized user message from UserMessages.properties.
+ *
+ * @param locale end-user locale
+ * @param msgID message id defined in UserMessages.properties
+ * @param p an array of parameters
+ * @return localized user message
+ */
+ public String getUserMessage(Locale locale, String msgID, String p[]);
+
+ /**
+ * Retrieves the localized user message from UserMessages.properties.
+ *
+ * @param locale end-user locale
+ * @param msgID message id defined in UserMessages.properties
+ * @param p1 1st parameter
+ * @return localized user message
+ */
+ public String getUserMessage(Locale locale, String msgID, String p1);
+
+ /**
+ * Retrieves the localized user message from UserMessages.properties.
+ *
+ * @param locale end-user locale
+ * @param msgID message id defined in UserMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @return localized user message
+ */
+ public String getUserMessage(Locale locale, String msgID, String p1, String p2);
+
+ /**
+ * Retrieves the localized user message from UserMessages.properties.
+ *
+ * @param locale end-user locale
+ * @param msgID message id defined in UserMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @return localized user message
+ */
+ public String getUserMessage(Locale locale, String msgID, String p1, String p2, String p3);
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @return localized log message
+ */
+ public String getLogMessage(String msgID);
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p an array of parameters
+ * @return localized log message
+ */
+ public String getLogMessage(String msgID, String p[]);
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @return localized log message
+ */
+ public String getLogMessage(String msgID, String p1);
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @return localized log message
+ */
+ public String getLogMessage(String msgID, String p1, String p2);
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @return localized log message
+ */
+ public String getLogMessage(String msgID, String p1, String p2, String p3);
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @param p4 4th parameter
+ * @return localized log message
+ */
+ public String getLogMessage(String msgID, String p1, String p2, String p3, String p4);
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @param p4 4th parameter
+ * @param p5 5th parameter
+ * @return localized log message
+ */
+ public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5);
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @param p4 4th parameter
+ * @param p5 5th parameter
+ * @param p6 6th parameter
+ * @return localized log message
+ */
+ public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6);
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @param p4 4th parameter
+ * @param p5 5th parameter
+ * @param p6 6th parameter
+ * @param p7 7th parameter
+ * @return localized log message
+ */
+ public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
+ String p7);
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @param p4 4th parameter
+ * @param p5 5th parameter
+ * @param p6 6th parameter
+ * @param p7 7th parameter
+ * @param p8 8th parameter
+ * @return localized log message
+ */
+ public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
+ String p7, String p8);
+
+ /**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @param p4 4th parameter
+ * @param p5 5th parameter
+ * @param p6 6th parameter
+ * @param p7 7th parameter
+ * @param p8 8th parameter
+ * @param p9 9th parameter
+ * @return localized log message
+ */
+ public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
+ String p7, String p8, String p9);
+
+ /**
+ * Parse ACL resource attributes
+ *
+ * @param resACLs same format as the resourceACLs attribute:
+ *
+ *

+     *     ::
+     *      () 
+     * 
+ * @exception EACLsException ACL related parsing errors for resACLs
+ * @return an ACL instance built from the parsed resACLs
+ */
+ public IACL parseACL(String resACLs) throws EACLsException;
+
+ /**
+ * Creates an issuing poing record.
+ *
+ * @return issuing record
+ */
+ public ICRLIssuingPointRecord createCRLIssuingPointRecord(String id, BigInteger crlNumber, Long crlSize,
+ Date thisUpdate, Date nextUpdate);
+
+ /**
+ * Retrieves the default CRL issuing point record name.
+ *
+ * @return CRL issuing point record name
+ */
+ public String getCRLIssuingPointRecordName();
+
+ /**
+ * Returns the finger print of the given certificate.
+ *
+ * @param cert certificate
+ * @return finger print of certificate
+ */
+ public String getFingerPrint(Certificate cert)
+ throws CertificateEncodingException, NoSuchAlgorithmException;
+
+ /**
+ * Returns the finger print of the given certificate.
+ *
+ * @param cert certificate
+ * @return finger print of certificate
+ */
+ public String getFingerPrints(Certificate cert)
+ throws NoSuchAlgorithmException, CertificateEncodingException;
+
+ /*
+ * Returns the finger print of the given certificate.
+ *
+ * @param certDer DER byte array of certificate
+ * @return finger print of certificate
+ */
+ public String getFingerPrints(byte[] certDer)
+ throws NoSuchAlgorithmException;
+
+ /**
+ * Creates a repository record in the internal database.
+ *
+ * @return repository record
+ */
+ public IRepositoryRecord createRepositoryRecord();
+
+ /**
+ * Creates a HTTP PKI Message that can be sent to a remote
+ * authority.
+ *
+ * @return a new PKI Message for remote authority
+ */
+ public IPKIMessage getHttpPKIMessage();
+
+ /**
+ * Creates a request encoder. A request cannot be sent to
+ * the remote authority in its regular format.
+ *
+ * @return a request encoder
+ */
+ public IRequestEncoder getHttpRequestEncoder();
+
+ /**
+ * Converts a BER-encoded byte array into a MIME-64 encoded string.
+ *
+ * @param data data in byte array format
+ * @return base-64 encoding for the data
+ */
+ public String BtoA(byte data[]);
+
+ /**
+ * Converts a MIME-64 encoded string into a BER-encoded byte array.
+ *
+ * @param data base-64 encoding for the data
+ * @return data data in byte array format
+ */
+ public byte[] AtoB(String data);
+
+ /**
+ * Retrieves the certifcate in MIME-64 encoded format
+ * with header and footer.
+ *
+ * @param cert certificate
+ * @return base-64 format certificate
+ */
+ public String getEncodedCert(X509Certificate cert);
+
+ /**
+ * Retrieves the certificate pretty print handler.
+ *
+ * @param delimiter delimiter
+ * @return certificate pretty print handler
+ */
+ public IPrettyPrintFormat getPrettyPrintFormat(String delimiter);
+
+ /**
+ * Retrieves the extension pretty print handler.
+ *
+ * @param e extension
+ * @param indent indentation
+ * @return extension pretty print handler
+ */
+ public IExtPrettyPrint getExtPrettyPrint(Extension e, int indent);
+
+ /**
+ * Retrieves the certificate pretty print handler.
+ *
+ * @param cert certificate
+ * @return certificate pretty print handler
+ */
+ public ICertPrettyPrint getCertPrettyPrint(X509Certificate cert);
+
+ /**
+ * Retrieves the CRL pretty print handler.
+ *
+ * @param crl CRL
+ * @return CRL pretty print handler
+ */
+ public ICRLPrettyPrint getCRLPrettyPrint(X509CRL crl);
+
+ /**
+ * Retrieves the CRL cache pretty print handler.
+ *
+ * @param ip CRL issuing point
+ * @return CRL pretty print handler
+ */
+ public ICRLPrettyPrint getCRLCachePrettyPrint(ICRLIssuingPoint ip);
+
+ /**
+ * Retrieves the ldap connection information from the configuration
+ * store.
+ *
+ * @param config configuration parameters of ldap connection
+ * @return a LDAP connection info
+ */
+ public ILdapConnInfo getLdapConnInfo(IConfigStore config)
+ throws EBaseException, ELdapException;
+
+ /**
+ * Creates a LDAP SSL socket with the given nickname.
The + * certificate associated with the nickname will be used + * for client authentication. + * + * @param certNickname nickname of client certificate + * @return LDAP SSL socket factory + */ + public LDAPSSLSocketFactoryExt getLdapJssSSLSocketFactory( + String certNickname); + + /** + * Creates a LDAP SSL socket. + * + * @return LDAP SSL socket factory + */ + public LDAPSSLSocketFactoryExt getLdapJssSSLSocketFactory(); + + /** + * Creates a LDAP Auth Info object. + * + * @return LDAP authentication info + */ + public ILdapAuthInfo getLdapAuthInfo(); + + /** + * Retrieves the LDAP connection factory. + * + * @return bound LDAP connection pool + */ + public ILdapConnFactory getLdapBoundConnFactory() throws ELdapException; + + public LDAPConnection getBoundConnection(String host, int port, + int version, LDAPSSLSocketFactoryExt fac, String bindDN, + String bindPW) throws LDAPException; + + /** + * Retrieves the LDAP connection factory. + * + * @return anonymous LDAP connection pool + */ + public ILdapConnFactory getLdapAnonConnFactory() throws ELdapException; + + /** + * Retrieves the password check. + * + * @return default password checker + */ + public IPasswordCheck getPasswordChecker(); + + /** + * Puts a password entry into the single-sign on cache. + * + * @param tag password tag + * @param pw password + */ + public void putPasswordCache(String tag, String pw); + + /** + * Retrieves the password callback. + * + * @return default password callback + */ + public PasswordCallback getPasswordCallback(); + + /** + * Retrieves the nickname of the server's server certificate. + * + * @return nickname of the server certificate + */ + public String getServerCertNickname(); + + /** + * Sets the nickname of the server's server certificate. 
+ * + * @param tokenName name of token where the certificate is located + * @param nickName name of server certificate + */ + public void setServerCertNickname(String tokenName, String nickName); + + /** + * Sets the nickname of the server's server certificate. + * + * @param newName new nickname of server certificate + */ + public void setServerCertNickname(String newName); + + /** + * Retrieves the host name of the server's secure end entity service. + * + * @return host name of end-entity service + */ + public String getEEHost(); + + /** + * Retrieves the host name of the server's non-secure end entity service. + * + * @return host name of end-entity non-secure service + */ + public String getEENonSSLHost(); + + /** + * Retrieves the IP address of the server's non-secure end entity service. + * + * @return ip address of end-entity non-secure service + */ + public String getEENonSSLIP(); + + /** + * Retrieves the port number of the server's non-secure end entity service. + * + * @return port of end-entity non-secure service + */ + public String getEENonSSLPort(); + + /** + * Retrieves the host name of the server's secure end entity service. + * + * @return port of end-entity secure service + */ + public String getEESSLHost(); + + /** + * Retrieves the IP address of the server's secure end entity service. + * + * @return ip address of end-entity secure service + */ + public String getEESSLIP(); + + /** + * Retrieves the port number of the server's secure end entity service. + * + * @return port of end-entity secure service + */ + public String getEESSLPort(); + + /** + * Retrieves the port number of the server's client auth secure end entity service. + * + * @return port of end-entity client auth secure service + */ + public String getEEClientAuthSSLPort(); + + /** + * Retrieves the host name of the server's agent service. 
+ * + * @return host name of agent service + */ + public String getAgentHost(); + + /** + * Retrieves the IP address of the server's agent service. + * + * @return ip address of agent service + */ + public String getAgentIP(); + + /** + * Retrieves the port number of the server's agent service. + * + * @return port of agent service + */ + public String getAgentPort(); + + /** + * Retrieves the host name of the server's administration service. + * + * @return host name of administration service + */ + public String getAdminHost(); + + /** + * Retrieves the IP address of the server's administration service. + * + * @return ip address of administration service + */ + public String getAdminIP(); + + /** + * Retrieves the port number of the server's administration service. + * + * @return port of administration service + */ + public String getAdminPort(); + + /** + * Verifies all system certificates + * + * @return true if all passed, false otherwise + */ + public boolean verifySystemCerts(); + + /** + * Verifies a system certificate by its tag name + * as defined in .cert.list + * + * @return true if passed, false otherwise + */ + public boolean verifySystemCertByTag(String tag); + + /** + * Verifies a system certificate by its nickname + * + * @return true if passed, false otherwise + */ + public boolean verifySystemCertByNickname(String nickname, String certificateUsage); + + /** + * get the CertificateUsage as defined in JSS CryptoManager + * + * @return CertificateUsage as defined in JSS CryptoManager + */ + public CertificateUsage getCertificateUsage(String certusage); + + /** + * Checks if the given certificate is a signing certificate. + * + * @param cert certificate + * @return true if the given certificate is a signing certificate + */ + public boolean isSigningCert(X509Certificate cert); + + /** + * Checks if the given certificate is an encryption certificate. 
+ * + * @param cert certificate + * @return true if the given certificate is an encryption certificate + */ + public boolean isEncryptionCert(X509Certificate cert); + + /** + * Retrieves the default X.509 certificate template. + * + * @return default certificate template + */ + public X509CertInfo getDefaultX509CertInfo(); + + /** + * Retrieves the email form processor. + * + * @return email form processor + */ + public IEmailFormProcessor getEmailFormProcessor(); + + /** + * Retrieves the email form template. + * + * @return email template + */ + public IEmailTemplate getEmailTemplate(String path); + + /** + * Retrieves the email notification handler. + * + * @return email notification + */ + public IMailNotification getMailNotification(); + + /** + * Retrieves the email key resolver. + * + * @return email key resolver + */ + public IEmailResolverKeys getEmailResolverKeys(); + + /** + * Retrieves the email resolver that checks for subjectAlternateName. + * + * @return email key resolver + */ + public IEmailResolver getReqCertSANameEmailResolver(); + + /** + * Checks if the given OID is valid. + * + * @param attrName attribute name + * @param value attribute value + * @return object identifier of the given attrName + */ + public ObjectIdentifier checkOID(String attrName, String value) + throws EBaseException; + + /** + * Creates a general name constraints. + * + * @param generalNameChoice type of general name + * @param value general name string + * @return general name object + * @exception EBaseException failed to create general name constraint + */ + public GeneralName form_GeneralNameAsConstraints(String generalNameChoice, String value) throws EBaseException; + + /** + * Creates a general name. 
+ * + * @param generalNameChoice type of general name + * @param value general name string + * @return general name object + * @exception EBaseException failed to create general name + */ + public GeneralName form_GeneralName(String generalNameChoice, + String value) throws EBaseException; + + /** + * Retrieves default general name configuration. + * + * @param name configuration name + * @param isValueConfigured true if value is configured + * @param params configuration parameters + * @exception EBaseException failed to create subject alt name configuration + */ + public void getGeneralNameConfigDefaultParams(String name, + boolean isValueConfigured, Vector params); + + /** + * Retrieves default general names configuration. + * + * @param name configuration name + * @param isValueConfigured true if value is configured + * @param params configuration parameters + * @exception EBaseException failed to create subject alt name configuration + */ + public void getGeneralNamesConfigDefaultParams(String name, + boolean isValueConfigured, Vector params); + + /** + * Retrieves extended plugin info for general name configuration. + * + * @param name configuration name + * @param isValueConfigured true if value is configured + * @param info configuration parameters + * @exception EBaseException failed to create subject alt name configuration + */ + public void getGeneralNameConfigExtendedPluginInfo(String name, + boolean isValueConfigured, Vector info); + + /** + * Retrieves extended plugin info for general name configuration. + * + * @param name configuration name + * @param isValueConfigured true if value is configured + * @param info configuration parameters + * @exception EBaseException failed to create subject alt name configuration + */ + public void getGeneralNamesConfigExtendedPluginInfo(String name, + boolean isValueConfigured, Vector info); + + /** + * Created general names configuration. 
+ * + * @param name configuration name + * @param config configuration store + * @param isValueConfigured true if value is configured + * @param isPolicyEnabled true if policy is enabled + * @exception EBaseException failed to create subject alt name configuration + */ + public IGeneralNamesConfig createGeneralNamesConfig(String name, + IConfigStore config, boolean isValueConfigured, + boolean isPolicyEnabled) throws EBaseException; + + /** + * Created general name constraints configuration. + * + * @param name configuration name + * @param config configuration store + * @param isValueConfigured true if value is configured + * @param isPolicyEnabled true if policy is enabled + * @exception EBaseException failed to create subject alt name configuration + */ + public IGeneralNameAsConstraintsConfig createGeneralNameAsConstraintsConfig(String name, IConfigStore config, + boolean isValueConfigured, + boolean isPolicyEnabled) throws EBaseException; + + /** + * Created general name constraints configuration. + * + * @param name configuration name + * @param config configuration store + * @param isValueConfigured true if value is configured + * @param isPolicyEnabled true if policy is enabled + * @exception EBaseException failed to create subject alt name configuration + */ + public IGeneralNamesAsConstraintsConfig createGeneralNamesAsConstraintsConfig(String name, IConfigStore config, + boolean isValueConfigured, + boolean isPolicyEnabled) throws EBaseException; + + /** + * Get default parameters for subject alt name configuration. + * + * @param name configuration name + * @param params configuration parameters + */ + public void getSubjAltNameConfigDefaultParams(String name, Vector params); + + /** + * Get extended plugin info for subject alt name configuration. 
+ * + * @param name configuration name + * @param params configuration parameters + */ + public void getSubjAltNameConfigExtendedPluginInfo(String name, Vector params); + + /** + * Creates subject alt name configuration. + * + * @param name configuration name + * @param config configuration store + * @param isValueConfigured true if value is configured + * @exception EBaseException failed to create subject alt name configuration + */ + public ISubjAltNameConfig createSubjAltNameConfig(String name, IConfigStore config, boolean isValueConfigured) + throws EBaseException; + + /** + * Retrieves the HTTP Connection for use with connector. + * + * @param authority remote authority + * @param factory socket factory + * @return http connection to the remote authority + */ + public IHttpConnection getHttpConnection(IRemoteAuthority authority, + ISocketFactory factory); + + /** + * Retrieves the HTTP Connection for use with connector. + * + * @param authority remote authority + * @param factory socket factory + * @param timeout return error if connection cannot be established within + * the timeout period + * @return http connection to the remote authority + */ + public IHttpConnection getHttpConnection(IRemoteAuthority authority, + ISocketFactory factory, int timeout); + + /** + * Retrieves the request sender for use with connector. + * + * @param authority local authority + * @param nickname nickname of the client certificate + * @param remote remote authority + * @param interval timeout interval + * @return resender + */ + public IResender getResender(IAuthority authority, String nickname, + IRemoteAuthority remote, int interval); + + /** + * Retrieves command queue + * + * @return command queue + */ + public ICommandQueue getCommandQueue(); + + /** + * Blocks all new incoming requests. + */ + public void disableRequests(); + + /** + * Terminates all requests that are currently in process. 
+ */ + public void terminateRequests(); + + /** + * Checks to ensure that all new incoming requests have been blocked. + * This method is used for reentrancy protection. + *

+ *
+ * @return true or false
+ */
+ public boolean areRequestsDisabled();
+
+ /**
+ * Create configuration file.
+ *
+ * @param path configuration path
+ * @return configuration store
+ * @exception EBaseException failed to create file
+ */
+ public IConfigStore createFileConfigStore(String path) throws EBaseException;
+
+ /**
+ * Creates argument block.
+ */
+ public IArgBlock createArgBlock();
+
+ /**
+ * Creates argument block.
+ */
+ public IArgBlock createArgBlock(String realm, Hashtable httpReq);
+
+ /**
+ * Creates argument block.
+ */
+ public IArgBlock createArgBlock(Hashtable httpReq);
+
+ /**
+ * Checks against the local certificate repository to see
+ * if the certificates are revoked.
+ *
+ * @param certificates certificates
+ * @return true if certificate is revoked in the local
+ * certificate repository
+ */
+ public boolean isRevoked(X509Certificate[] certificates);
+
+ /**
+ * Sets list of verified certificates
+ *
+ * @param size size of verified certificates list
+ * @param interval interval in which certificate is not recheck
+ * against local certificate repository
+ * @param unknownStateInterval interval in which certificate
+ * may not recheck against local certificate repository
+ */
+ public void setListOfVerifiedCerts(int size, long interval, long unknownStateInterval);
+
+ /**
+ * Performs graceful shutdown of CMS.
+ * Subsystems are shutdown in reverse order.
+ * Exceptions are ignored.
+ */
+ public void forceShutdown();
+
+ public IPasswordStore getPasswordStore();
+
+ public ISecurityDomainSessionTable getSecurityDomainSessionTable();
+
+ public void setConfigSDSessionId(String id);
+
+ public String getConfigSDSessionId();
+}
diff --git a/base/common/src/com/netscape/certsrv/apps/ICommandQueue.java b/base/common/src/com/netscape/certsrv/apps/ICommandQueue.java
new file mode 100644
index 000000000..a165ab461
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/apps/ICommandQueue.java
@@ -0,0 +1,48 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.apps;
+
+import javax.servlet.Servlet;
+
+import com.netscape.cms.servlet.common.CMSRequest;
+
+/**
+ * This interface represents a command queue for registeration
+ * and unregisteration proccess for clean shutdown
+ *
+ * @version $Revision$, $Date$
+ */
+public interface ICommandQueue {
+
+ /**
+ * Registers a thread into the command queue.
+ *
+ * @param currentRequest request object
+ * @param currentServlet servlet that serves the request object
+ */
+ public boolean registerProcess(CMSRequest currentRequest, Servlet currentServlet);
+
+ /**
+ * UnRegisters a thread from the command queue.
+ *
+ * @param currentRequest request object
+ * @param currentServlet servlet that serves the request object
+ */
+ public void unRegisterProccess(Object currentRequest, Object currentServlet);
+
+} // CommandQueue
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthCredentials.java b/base/common/src/com/netscape/certsrv/authentication/AuthCredentials.java
new file mode 100644
index 000000000..5a0cdd3b8
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthCredentials.java
@@ -0,0 +1,105 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+import java.util.Enumeration;
+import java.util.Hashtable;
+
+import com.netscape.certsrv.base.IArgBlock;
+
+/**
+ * Authentication Credentials as input to the authMgr. It contains all the
+ * information required for authentication in the authMgr.
+ *
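Review bot: `registerProcess` returns a boolean but its Javadoc carries no `@return`, so an implementer or caller cannot tell from the interface what `false` means (request refused because shutdown is in progress, duplicate registration, or something else); add `@return true if the request was registered, false otherwise` and spell out the refusal case once it is confirmed against the implementation. `unRegisterProccess` takes `Object` for both arguments while `registerProcess` takes `CMSRequest` and `Servlet`; the asymmetry is not explained and forces implementations to cast, and the method name carries a spelling error that will be awkward to fix once implementations depend on it. The class comment has the same `registeration`/`proccess` typos.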

+ *
+ * @version $Revision$, $Date$
+ */
+public class AuthCredentials implements IAuthCredentials {
+
+ private static final long serialVersionUID = 5862936214648594328L;
+ private Hashtable authCreds = null;
+ private IArgBlock argblk = null;
+
+ /**
+ * Constructor
+ */
+ public AuthCredentials() {
+ authCreds = new Hashtable();
+ }
+
+ /**
+ * Sets an authentication credential with credential name and the credential object
+ *
+ * @param name credential name
+ * @param cred credential object
+ */
+ public void set(String name, Object cred) {
+ if (name != null && cred != null)
+ authCreds.put(name, cred);
+ }
+
+ /**
+ * Returns the credential to which the specified name is mapped in this
+ * credential set
+ *
+ * @param name credential name
+ * @return the authentication credential for the given name
+ */
+ public Object get(String name) {
+ return authCreds.get(name);
+ }
+
+ /**
+ * Removes the name and its corresponding credential from this
+ * credential set. This method does nothing if the named
+ * credential is not in the credential set.
+ *
+ * @param name credential name
+ */
+ public void delete(String name) {
+ authCreds.remove(name);
+ }
+
+ /**
+ * Returns an enumeration of the credential names in this credential
+ * set. Use the Enumeration methods on the returned object to
+ * fetch the elements sequentially.
+ *
+ * @return an enumeration of the names in this credential set
+ */
+ public Enumeration getElements() {
+ return authCreds.keys();
+ }
+
+ /**
+ * Set the given argblock
+ i * @param blk the given argblock.
+ */
+ public void setArgBlock(IArgBlock blk) {
+ argblk = blk;
+ }
+
+ /**
+ * Returns the argblock.
+ *
+ * @return the argblock.
+ */
+ public IArgBlock getArgBlock() {
+ return argblk;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthManagerProxy.java b/base/common/src/com/netscape/certsrv/authentication/AuthManagerProxy.java
new file mode 100644
index 000000000..76161e803
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthManagerProxy.java
@@ -0,0 +1,59 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+/**
+ * A class represents an authentication manager. It contains an
+ * authentication manager instance and its state (enable or not).
+ *
+ * @version $Revision$, $Date$
+ */
+public class AuthManagerProxy {
+ private boolean mEnable;
+ private IAuthManager mMgr;
+
+ /**
+ * Constructor
+ *
+ * @param enable true if the authMgr is enabled; false otherwise
+ * @param mgr authentication manager instance
+ */
+ public AuthManagerProxy(boolean enable, IAuthManager mgr) {
+ mEnable = enable;
+ mMgr = mgr;
+ }
+
+ /**
+ * Returns the state of the authentication manager instance
+ *
+ * @return true if the state of the authentication manager instance is
+ * enabled; false otherwise.
+ */
+ public boolean isEnable() {
+ return mEnable;
+ }
+
+ /**
+ * Returns an authentication manager instance.
+ *
+ * @return an authentication manager instance
+ */
+ public IAuthManager getAuthManager() {
+ return mMgr;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthMgrPlugin.java b/base/common/src/com/netscape/certsrv/authentication/AuthMgrPlugin.java
new file mode 100644
index 000000000..4226fd83c
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthMgrPlugin.java
@@ -0,0 +1,82 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+/**
+ * This class represents a registered authentication manager plugin.
+ *
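Review bot: `set` silently drops a null `name` or `cred`, and neither the method Javadoc nor the class says so; a caller that stores a null credential and later reads it back gets `null` from `get` with no indication the store was skipped, so either document it — `@param cred credential object; ignored when null` — or reject nulls explicitly. `authCreds` is a raw `Hashtable` and `getElements` returns a raw `Enumeration`; `Hashtable<String, Object>` and `Enumeration<String>` cost nothing here. The class declares `serialVersionUID`, which suggests `IAuthCredentials` is `Serializable`; if so, whatever credential objects were stored (passwords included) travel with any serialized copy, which deserves a comment on the field so nobody serializes or logs these objects casually. The `setArgBlock` Javadoc has a stray `i` in front of `@param blk`.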
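Review bot: `mEnable` and `mMgr` are assigned only in the constructor and never changed, so they should be `private final boolean mEnable;` and `private final IAuthManager mMgr;`, which makes the proxy immutable and safe to hand to the threads that consult it. The constructor accepts a null `mgr` without comment and `getAuthManager` does not say it can return null; either reject it (`if (mgr == null) throw new IllegalArgumentException("mgr");`) or state the null case in the getter's `@return`.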

+ *
+ * @version $Revision$, $Date$
+ */
+public class AuthMgrPlugin {
+ protected String mId = null;
+ protected String mClassPath = null;
+ protected boolean mVisible = true;
+
+ /**
+ * Constructs a AuthManager plugin.
+ *
+ * @param id auth manager implementation name
+ * @param classPath class path
+ */
+ public AuthMgrPlugin(String id, String classPath) {
+
+ /*
+ if (id == null || classPath == null)
+ throw new AssertionException("Authentication Manager id or classpath can't be null");
+ */
+ mId = id;
+ mClassPath = classPath;
+ }
+
+ /**
+ * Returns an auth manager implementation name
+ *
+ * @return an auth manager implementation name
+ */
+ public String getId() {
+ return mId;
+ }
+
+ /**
+ * Returns a classpath of a AuthManager plugin
+ *
+ * @return a classpath of a AuthManager plugin
+ */
+ public String getClassPath() {
+ return mClassPath;
+ }
+
+ /**
+ * Returns a visibility of the plugin
+ *
+ * @return a visibility of the plugin
+ */
+ public boolean isVisible() {
+ return mVisible;
+ }
+
+ /**
+ * Sets visibility of the plugin
+ *
+ * @param visibility visibility of the plugin
+ */
+ public void setVisible(boolean visibility) {
+ mVisible = visibility;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthResources.java b/base/common/src/com/netscape/certsrv/authentication/AuthResources.java
new file mode 100644
index 000000000..35e810112
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthResources.java
@@ -0,0 +1,44 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+import java.util.ListResourceBundle;
+
+/**
+ * A class represents a resource bundle for the authentication component.
+ *
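Review bot: The constructor keeps the null check for `id` and `classPath` as commented-out code, so a plugin can be registered with a null id or class path and the failure only surfaces later wherever `getId`/`getClassPath` is consumed; either delete the dead comment or restore the check as a live statement, `if (id == null || classPath == null) throw new IllegalArgumentException("Authentication Manager id or classpath can't be null");`. The three fields are `protected` and non-final with redundant `= null` initializers; `mId` and `mClassPath` are only written in the constructor and could be `private final`, and `mVisible` only needs `private` since `setVisible` is the public path to it.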

+ *
+ * @deprecated
+ * @version $Revision$, $Date$
+ */
+public class AuthResources extends ListResourceBundle {
+
+ /**
+ * Returns the content of this resource.
+ *
+ * @return the contents of this resource
+ */
+ public Object[][] getContents() {
+ return contents;
+ }
+
+ /**
+ * A set of constants for localized error messages.
+ */
+ static final Object[][] contents = {};
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthToken.java b/base/common/src/com/netscape/certsrv/authentication/AuthToken.java
new file mode 100644
index 000000000..0a2b1f0a2
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthToken.java
@@ -0,0 +1,451 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Hashtable;
+
+import netscape.security.util.DerInputStream;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.DerValue;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.X509CertImpl;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.usrgrp.Certificates;
+
+/**
+ * Authentication token returned by Authentication Managers.
+ * Upon return, it contains authentication/identification information
+ * as well as information retrieved from the database where the
+ * authentication was done against. Each authentication manager has
+ * its own list of such information. See individual authenticaiton
+ * manager for more details.
+ *
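Review bot: The `@deprecated` tag on the class gives no reason and names no replacement, so a reader cannot tell whether to stop using it or what to migrate to; the tag should be followed by the reason and the successor to use. `getContents` overrides `ListResourceBundle.getContents` and should carry `@Override`. The `contents` array it returns is package-private and mutable, so `private static final Object[][] contents = {};` expresses the intent better even though it is empty here.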

+ *
+ * @version $Revision$, $Date$
+ */
+public class AuthToken implements IAuthToken {
+ protected Hashtable mAttrs = null;
+
+ /* Subject name of the certificate in the authenticating entry */
+ public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject";
+
+ /* NotBefore value of the certificate in the authenticating entry */
+ public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore";
+
+ /* NotAfter value of the certificate in the authenticating entry */
+ public static final String TOKEN_CERT_NOTAFTER = "tokenCertNotAfter";
+
+ /* Cert Extentions value of the certificate in the authenticating entry */
+ public static final String TOKEN_CERT_EXTENSIONS = "tokenCertExts";
+
+ /* Serial number of the certificate in the authenticating entry */
+ public static final String TOKEN_CERT_SERIALNUM = "certSerial";
+
+ /**
+ * Certificate to be renewed
+ */
+ public static final String TOKEN_CERT = "tokenCert";
+
+ /* Certificate to be revoked */
+ public static final String TOKEN_CERT_TO_REVOKE = "tokenCertToRevoke";
+
+ /**
+ * Plugin name of the authentication manager that created the
+ * AuthToken as a string.
+ */
+ public static final String TOKEN_AUTHMGR_IMPL_NAME = "authMgrImplName";
+
+ /**
+ * Name of the authentication manager that created the AuthToken
+ * as a string.
+ */
+ public static final String TOKEN_AUTHMGR_INST_NAME = "authMgrInstName";
+
+ /**
+ * Time of authentication as a java.util.Date
+ */
+ public static final String TOKEN_AUTHTIME = "authTime";
+
+ /**
+ * Constructs an instance of a authentication token.
+ * The token by default contains the following attributes:
+ * + *

+     * 	"authMgrInstName" - The authentication manager instance name.
+     * 	"authMgrImplName" - The authentication manager plugin name.
+     * 	"authTime" - The - The time of authentication.
+     * 
+ * + * @param authMgr The authentication manager that created this Token. + */ + public AuthToken(IAuthManager authMgr) { + mAttrs = new Hashtable(); + if (authMgr != null) { + set(TOKEN_AUTHMGR_INST_NAME, authMgr.getName()); + set(TOKEN_AUTHMGR_IMPL_NAME, authMgr.getImplName()); + } + set(TOKEN_AUTHTIME, new Date()); + } + + public String getInString(String attrName) { + return (String) mAttrs.get(attrName); + } + + public boolean set(String attrName, String value) { + if (value == null) { + return false; + } + mAttrs.put(attrName, value); + return true; + } + + /** + * Removes an attribute in the AuthToken + * + * @param attrName The name of the attribute to remove. + */ + public void delete(String attrName) { + mAttrs.remove(attrName); + } + + /** + * Enumerate all attribute names in the AuthToken. + * + * @return Enumeration of all attribute names in this AuthToken. + */ + public Enumeration getElements() { + return (mAttrs.keys()); + } + + public byte[] getInByteArray(String name) { + String value = getInString(name); + if (value == null) { + return null; + } + return CMS.AtoB(value); + } + + public boolean set(String name, byte[] value) { + if (value == null) { + return false; + } + return set(name, CMS.BtoA(value)); + } + + public Integer getInInteger(String name) { + String strVal = getInString(name); + if (strVal == null) { + return null; + } + try { + return Integer.valueOf(strVal); + } catch (NumberFormatException e) { + return null; + } + } + + public boolean set(String name, Integer value) { + if (value == null) { + return false; + } + return set(name, value.toString()); + } + + public BigInteger[] getInBigIntegerArray(String name) { + String value = getInString(name); + if (value == null) { + return null; + } + String[] values = value.split(","); + if (values.length == 0) { + return null; + } + BigInteger[] result = new BigInteger[values.length]; + for (int i = 0; i < values.length; i++) { + try { + result[i] = new BigInteger(values[i]); + } catch 
(NumberFormatException e) {
+ return null;
+ }
+ }
+ return result;
+ }
+
+ public boolean set(String name, BigInteger[] value) {
+ if (value == null) {
+ return false;
+ }
+ StringBuffer buffer = new StringBuffer();
+ for (int i = 0; i < value.length; i++) {
+ if (i != 0) {
+ buffer.append(",");
+ }
+ buffer.append(value[i].toString());
+ }
+ return set(name, buffer.toString());
+ }
+
+ public Date getInDate(String name) {
+ String value = getInString(name);
+ if (value == null) {
+ return null;
+ }
+ try {
+ return new Date(Long.parseLong(value));
+ } catch (NumberFormatException e) {
+ return null;
+ }
+ }
+
+ public boolean set(String name, Date value) {
+ if (value == null) {
+ return false;
+ }
+ return set(name, String.valueOf(value.getTime()));
+ }
+
+ public String[] getInStringArray(String name) {
+ String[] stringValues;
+
+ byte[] byteValue = getInByteArray(name);
+ if (byteValue == null) {
+ return null;
+ }
+ try {
+ DerInputStream in = new DerInputStream(byteValue);
+ DerValue[] derValues = in.getSequence(5);
+ stringValues = new String[derValues.length];
+ for (int i = 0; i < derValues.length; i++) {
+ stringValues[i] = derValues[i].getAsString();
+ }
+ } catch (IOException e) {
+ return null;
+ }
+ return stringValues;
+ }
+
+ public boolean set(String name, String[] value) {
+ if (value == null) {
+ return false;
+ }
+ DerOutputStream out = new DerOutputStream();
+ DerValue[] derValues = new DerValue[value.length];
+ try {
+ for (int i = 0; i < value.length; i++) {
+ derValues[i] = new DerValue(value[i]);
+ }
+ out.putSequence(derValues);
+ return set(name, out.toByteArray());
+ } catch (IOException e) {
+ return false;
+ }
+ }
+
+ public X509CertImpl getInCert(String name) {
+ byte[] data = getInByteArray(name);
+ if (data == null) {
+ return null;
+ }
+ try {
+ return new X509CertImpl(data);
+ } catch (CertificateException e) {
+ return null;
+ }
+ }
+
+ public boolean set(String name, X509CertImpl value) {
+ if (value == null) {
+ return false; 
+ }
+ ByteArrayOutputStream out = new ByteArrayOutputStream();
+ try {
+ value.encode(out);
+ } catch (CertificateEncodingException e) {
+ return false;
+ }
+ return set(name, out.toByteArray());
+ }
+
+ public CertificateExtensions getInCertExts(String name) {
+ CertificateExtensions exts = null;
+ byte[] data = getInByteArray(name);
+ if (data != null) {
+ try {
+ exts = new CertificateExtensions();
+ // exts.decode() doesn't work for empty CertExts
+ exts.decodeEx(new ByteArrayInputStream(data));
+ } catch (IOException e) {
+ return null;
+ }
+ }
+ return exts;
+ }
+
+ public boolean set(String name, CertificateExtensions value) {
+ if (value == null) {
+ return false;
+ }
+ ByteArrayOutputStream out = new ByteArrayOutputStream();
+ try {
+ value.encode(out);
+ } catch (IOException e) {
+ return false;
+ } catch (CertificateException e) {
+ return false;
+ }
+ return set(name, out.toByteArray());
+ }
+
+ public Certificates getInCertificates(String name) {
+ X509CertImpl[] certArray;
+
+ byte[] byteValue = getInByteArray(name);
+ if (byteValue == null) {
+ return null;
+ }
+
+ try {
+ DerInputStream in = new DerInputStream(byteValue);
+ DerValue[] derValues = in.getSequence(5);
+ certArray = new X509CertImpl[derValues.length];
+ for (int i = 0; i < derValues.length; i++) {
+ byte[] certData = derValues[i].toByteArray();
+ certArray[i] = new X509CertImpl(certData);
+ }
+ } catch (IOException e) {
+ return null;
+ } catch (CertificateException e) {
+ return null;
+ }
+ return new Certificates(certArray);
+ }
+
+ public boolean set(String name, Certificates value) {
+ if (value == null) {
+ return false;
+ }
+ DerOutputStream derStream = new DerOutputStream();
+ X509Certificate[] certArray = value.getCertificates();
+ DerValue[] derValues = new DerValue[certArray.length];
+ try {
+ for (int i = 0; i < certArray.length; i++) {
+ ByteArrayOutputStream byteStream = new ByteArrayOutputStream();
+ try {
+ X509CertImpl certImpl = (X509CertImpl) certArray[i];
+ 
certImpl.encode(byteStream);
+ derValues[i] = new DerValue(byteStream.toByteArray());
+ } catch (CertificateEncodingException e) {
+ return false;
+ } catch (ClassCastException e) {
+ return false;
+ }
+ }
+ derStream.putSequence(derValues);
+ return set(name, derStream.toByteArray());
+ } catch (IOException e) {
+ return false;
+ }
+ }
+
+ public byte[][] getInByteArrayArray(String name) {
+ byte[][] retval;
+
+ byte[] byteValue = getInByteArray(name);
+ if (byteValue == null) {
+ return null;
+ }
+ try {
+ DerInputStream in = new DerInputStream(byteValue);
+ DerValue[] derValues = in.getSequence(5);
+ retval = new byte[derValues.length][];
+ for (int i = 0; i < derValues.length; i++) {
+ retval[i] = derValues[i].getOctetString();
+ }
+ } catch (IOException e) {
+ return null;
+ }
+ return retval;
+ }
+
+ public boolean set(String name, byte[][] value) {
+ if (value == null) {
+ return false;
+ }
+ DerOutputStream out = new DerOutputStream();
+ DerValue[] derValues = new DerValue[value.length];
+ try {
+ for (int i = 0; i < value.length; i++) {
+ derValues[i] = new DerValue(DerValue.tag_OctetString, value[i]);
+ }
+ out.putSequence(derValues);
+ return set(name, out.toByteArray());
+ } catch (IOException e) {
+ return false;
+ }
+ }
+
+ /**
+ * Enumerate all attribute values in the AuthToken.
+ *
+ * @return Enumeration of all attribute names in this AuthToken.
+ */
+ public Enumeration getVals() {
+ return (mAttrs.elements());
+ }
+
+ /**
+ * Gets the name of the authentication manager instance that created
+ * this token.
+ *
+ * @return The name of the authentication manager instance that created
+ * this token.
+ */
+ public String getAuthManagerInstName() {
+ return ((String) mAttrs.get(TOKEN_AUTHMGR_INST_NAME));
+ }
+
+ /**
+ * Gets the plugin name of the authentication manager that created this
+ * token.
+ *
+ * @return The plugin name of the authentication manager that created this
+ * token. 
+ */
+ public String getAuthManagerImplName() {
+ return ((String) mAttrs.get(TOKEN_AUTHMGR_IMPL_NAME));
+ }
+
+ /**
+ * Gets the time of authentication.
+ *
+ * @return The time of authentication
+ */
+ public Date getAuthTime() {
+ return ((Date) mAttrs.get(TOKEN_AUTHTIME));
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/EAuthException.java b/base/common/src/com/netscape/certsrv/authentication/EAuthException.java
new file mode 100644
index 000000000..c79c3e9a7
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/EAuthException.java
@@ -0,0 +1,91 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * This class represents authentication exceptions.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class EAuthException extends EBaseException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -2763649418082002427L;
+ /**
+ * Resource class name
+ */
+ private static final String AUTH_RESOURCES = AuthResources.class.getName();
+
+ /**
+ * Constructs an authentication exception
+ *

+ *
+ * @param msgFormat exception details
+ */
+ public EAuthException(String msgFormat) {
+ super(msgFormat);
+ }
+
+ /**
+ * Constructs an authentication exception with a parameter.
+ *

+ *
+ * @param msgFormat exception details in message string format
+ * @param param message string parameter
+ */
+ public EAuthException(String msgFormat, String param) {
+ super(msgFormat, param);
+ }
+
+ /**
+ * Constructs a auth exception with a exception parameter.
+ *

+ *
+ * @param msgFormat exception details in message string format
+ * @param exception system exception
+ */
+ public EAuthException(String msgFormat, Exception exception) {
+ super(msgFormat, exception);
+ }
+
+ /**
+ * Constructs a auth exception with a list of parameters.
+ *

+ *
+ * @param msgFormat the message format.
+ * @param params list of message format parameters
+ */
+ public EAuthException(String msgFormat, Object params[]) {
+ super(msgFormat, params);
+ }
+
+ /**
+ * Returns the resource bundle name
+ *
+ * @return resource bundle name.
+ */
+ protected String getBundleName() {
+ return AUTH_RESOURCES;
+ }
+
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/EAuthInternalError.java b/base/common/src/com/netscape/certsrv/authentication/EAuthInternalError.java
new file mode 100644
index 000000000..52688f922
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/EAuthInternalError.java
@@ -0,0 +1,39 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+/**
+ * An exception for authentication internal error.
+ */
+public class EAuthInternalError extends EAuthException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -4020816090107820450L;
+
+ /**
+ * Constructs an authentication internal error exception
+ * with a detailed message.
+ *
+ * @param errorString Detailed error message.
+ */
+ public EAuthInternalError(String errorString) {
+ super(errorString);
+ }
+}
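Review bot: `getBundleName()` at the end of the EAuthException hunk appears to override a method of `EBaseException` (the base class is imported but its declaration is not in this hunk) yet carries no `@Override`, so a later signature change in the parent would silently turn it into an unrelated method and the resource bundle lookup would fall back to the parent's; `@Override protected String getBundleName()` lets the compiler check the contract. The four-argument constructor uses the C-style array declaration `Object params[]`; `Object[] params` is the conventional form. The `serialVersionUID` field carries an empty `/** */` Javadoc, which is repeated in EAuthInternalError, EAuthMgrNotFound, EAuthMgrPluginNotFound, EAuthUserError, ECompSyntaxErr, EFormSubjectDN, EInvalidCredentials and EMissingCredential; either fill it in or drop it. The class Javadoc would also benefit from stating that `msgFormat`, `param` and `params` are handed to `EBaseException` unchanged and are presumably rendered into logs or responses, so callers should not place credential values in them.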
diff --git a/base/common/src/com/netscape/certsrv/authentication/EAuthMgrNotFound.java b/base/common/src/com/netscape/certsrv/authentication/EAuthMgrNotFound.java
new file mode 100644
index 000000000..925aaabf0
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/EAuthMgrNotFound.java
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+/**
+ * Exception for authentication manager not found.
+ */
+public class EAuthMgrNotFound extends EAuthException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 3102946146034004983L;
+
+ /**
+ * Constructs a exception for a missing authentication manager
+ *
+ * @param errorString error string for missing authentication manager
+ */
+ public EAuthMgrNotFound(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/EAuthMgrPluginNotFound.java b/base/common/src/com/netscape/certsrv/authentication/EAuthMgrPluginNotFound.java
new file mode 100644
index 000000000..2ca90e3c8
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/EAuthMgrPluginNotFound.java
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+/**
+ * Exception for authentication manager not found.
+ */
+public class EAuthMgrPluginNotFound extends EAuthException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 7422356574227925974L;
+
+ /**
+ * Constructs a exception for a missing authentication manager plugin
+ *
+ * @param errorString error for a missing authentication manager plugin
+ */
+ public EAuthMgrPluginNotFound(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/EAuthUserError.java b/base/common/src/com/netscape/certsrv/authentication/EAuthUserError.java
new file mode 100644
index 000000000..f816c35e8
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/EAuthUserError.java
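Review bot: The class Javadoc of EAuthMgrPluginNotFound reads `Exception for authentication manager not found.`, the same text as EAuthMgrNotFound, so the generated docs describe the wrong condition for a plugin lookup failure; the constructor's own Javadoc correctly says `missing authentication manager plugin`. Propose `* Exception for authentication manager plugin not found.` so the two types are distinguishable to callers, which matters because `IAuthSubsystem.getConfigParams` declares this one specifically.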
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+/**
+ * Exception for invalid attribute value
+ */
+public class EAuthUserError extends EAuthException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 287839079094761375L;
+
+ /**
+ * Constructs a exception for a Invalid attribute value
+ *
+ * @param errorString Detailed error message.
+ */
+ public EAuthUserError(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/ECompSyntaxErr.java b/base/common/src/com/netscape/certsrv/authentication/ECompSyntaxErr.java
new file mode 100644
index 000000000..84725bb96
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/ECompSyntaxErr.java
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+/**
+ * An exception for DN component syntax error.
+ */
+public class ECompSyntaxErr extends EAuthException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 5434000917203952218L;
+
+ /**
+ * Constructs an component syntax error
+ *
+ * @param errorString Detailed error message.
+ */
+ public ECompSyntaxErr(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/EFormSubjectDN.java b/base/common/src/com/netscape/certsrv/authentication/EFormSubjectDN.java
new file mode 100644
index 000000000..952824481
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/EFormSubjectDN.java
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+/**
+ * An exception for Error formulating the subject name (X500Name)
+ */
+public class EFormSubjectDN extends EAuthException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 4052335779095200482L;
+
+ /**
+ * Constructs an Error on formulating the subject dn.
+ *
+ * @param errorString Detailed error message.
+ */
+ public EFormSubjectDN(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/EInvalidCredentials.java b/base/common/src/com/netscape/certsrv/authentication/EInvalidCredentials.java
new file mode 100644
index 000000000..3e4daaf0d
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/EInvalidCredentials.java
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+/**
+ * An exception for invalid credentials.
+ */
+public class EInvalidCredentials extends EAuthException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -5695804026210904331L;
+
+ /**
+ * Constructs an Invalid Credentials exception.
+ *
+ * @param errorString Detailed error message.
+ */
+ public EInvalidCredentials(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/EMissingCredential.java b/base/common/src/com/netscape/certsrv/authentication/EMissingCredential.java
new file mode 100644
index 000000000..5de73aa0d
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/EMissingCredential.java
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+/**
+ * Exception for missing a required authentication credential.
+ */
+public class EMissingCredential extends EAuthException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 1252384491944341767L;
+
+ /**
+ * Constructs a exception for a missing required authentication credential
+ *
+ * @param errorString Detailed error message.
+ */
+ public EMissingCredential(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthCredentials.java b/base/common/src/com/netscape/certsrv/authentication/IAuthCredentials.java
new file mode 100644
index 000000000..cd8434433
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthCredentials.java
@@ -0,0 +1,45 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+import com.netscape.certsrv.base.IArgBlock;
+import com.netscape.certsrv.base.IAttrSet;
+
+/**
+ * An interface represents authentication credentials:
+ * e.g. uid/pwd, uid/pin, certificate, etc.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IAuthCredentials extends IAttrSet {
+
+ /**
+ * Set argblock.
+ *
+ * @param blk argblock
+ */
+ public void setArgBlock(IArgBlock blk);
+
+ /**
+ * Returns argblock.
+ *
+ * @return Argblock.
+ */
+ public IArgBlock getArgBlock();
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java b/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java
new file mode 100644
index 000000000..1ff46af7d
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java
@@ -0,0 +1,112 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+
+/**
+ * Authentication Manager interface.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IAuthManager {
+
+ /* standard credential for client cert from ssl client auth */
+ public static final String CRED_SSL_CLIENT_CERT = "sslClientCert";
+
+ /**
+ * Standard credential for client cert's serial number from revocation.
+ */
+ public static final String CRED_CERT_SERIAL_TO_REVOKE = "certSerialToRevoke";
+ public static final String CRED_SESSION_ID = "sessionID";
+ public static final String CRED_HOST_NAME = "hostname";
+
+ /**
+ * Get the name of this authentication manager instance.
+ *

+ *
+ * @return the name of this authentication manager.
+ */
+ public String getName();
+
+ /**
+ * Get name of authentication manager plugin.
+ *

+ *
+ * @return the name of the authentication manager plugin.
+ */
+ public String getImplName();
+
+ /**
+ * Authenticate the given credentials.
+ *
+ * @param authCred The authentication credentials
+ * @return authentication token
+ * @exception EMissingCredential If a required credential for this
+ * authentication manager is missing.
+ * @exception EInvalidCredentials If credentials cannot be authenticated.
+ * @exception EBaseException If an internal error occurred.
+ */
+ public IAuthToken authenticate(IAuthCredentials authCred)
+ throws EMissingCredential, EInvalidCredentials, EBaseException;
+
+ /**
+ * Initialize this authentication manager.
+ *
+ * @param name The name of this authentication manager instance.
+ * @param implName The name of the authentication manager plugin.
+ * @param config The configuration store for this authentication manager.
+ * @exception EBaseException If an initialization error occurred.
+ */
+ public void init(String name, String implName, IConfigStore config)
+ throws EBaseException;
+
+ /**
+ * Prepare this authentication manager for a shutdown.
+ * Called when the server is exiting for any cleanup needed.
+ */
+ public void shutdown();
+
+ /**
+ * Gets a list of the required credentials for this authentication manager.
+ *
+ * @return The required credential attributes.
+ */
+ public String[] getRequiredCreds();
+
+ /**
+ * Get configuration parameters for this implementation.
+ * The configuration parameters returned is passed to the
+ * configuration console so configuration for instances of this
+ * implementation can be made through the console.
+ *
+ * @return a list of configuration parameters.
+ * @exception EBaseException If an internal error occurred
+ */
+ public String[] getConfigParams()
+ throws EBaseException;
+
+ /**
+ * Get the configuration store for this authentication manager.
+ *
+ * @return The configuration store of this authentication manager.
+ */
+ public IConfigStore getConfigStore();
+}
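Review bot: `CRED_SESSION_ID` and `CRED_HOST_NAME` are declared with no Javadoc, and `CRED_SSL_CLIENT_CERT` carries a plain `/* */` block comment that the Javadoc tool drops, so three of the four standard credential keys of this interface are undocumented in the generated API. For an authentication contract it matters whether a credential value is established by the server (the client certificate comes from SSL client auth, per its comment) or supplied by the requester, and the origin of the session id and hostname cannot be told from this hunk, so an implementer has no guidance on how far each may be trusted. Propose promoting the first comment to `/** Standard credential for the client certificate from SSL client authentication. */` and adding a one-line `/** ... */` on each of the other two that names the producer of the value, marked as a TODO if the author is unsure. As a style point, constants of this kind are better kept in a final holder class or an enum than in the interface, which every implementation then inherits.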
diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java b/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java
new file mode 100644
index 000000000..329b6802e
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java
@@ -0,0 +1,239 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+import java.util.Enumeration;
+import java.util.Hashtable;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.ISubsystem;
+
+/**
+ * An interface that represents an authentication component
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IAuthSubsystem extends ISubsystem {
+
+ /**
+ * Constant for auths.
+ */
+ public static final String ID = "auths";
+
+ /**
+ * Constant for class.
+ */
+ public static final String PROP_CLASS = "class";
+
+ /**
+ * Constant for impl
+ */
+ public static final String PROP_IMPL = "impl";
+
+ /**
+ * Constant for pluginName.
+ */
+ public static final String PROP_PLUGIN = "pluginName";
+
+ /**
+ * Constant for instance.
+ */
+ public static final String PROP_INSTANCE = "instance";
+
+ /* XXX should not be here */
+
+ /**
+ * Constant for password based authentication plugin ID.
+ */
+ public static final String PASSWDUSERDB_PLUGIN_ID = "passwdUserDBAuthPlugin";
+
+ /**
+ * Constant for certificate based authentication plugin ID.
+ */
+ public static final String CERTUSERDB_PLUGIN_ID = "certUserDBAuthPlugin";
+
+ /**
+ * Constant for challenge based authentication plugin ID.
+ */
+ public static final String CHALLENGE_PLUGIN_ID = "challengeAuthPlugin";
+
+ /**
+ * Constant for null authentication plugin ID.
+ */
+ public static final String NULL_PLUGIN_ID = "nullAuthPlugin";
+
+ /**
+ * Constant for ssl client authentication plugin ID.
+ */
+ public static final String SSLCLIENTCERT_PLUGIN_ID = "sslClientCertAuthPlugin";
+
+ /**
+ * Constant for password based authentication manager ID.
+ */
+ public static final String PASSWDUSERDB_AUTHMGR_ID = "passwdUserDBAuthMgr";
+
+ /**
+ * Constant for certificate based authentication manager ID.
+ */
+ public static final String CERTUSERDB_AUTHMGR_ID = "certUserDBAuthMgr";
+
+ /**
+ * Constant for challenge based authentication manager ID.
+ */
+ public static final String CHALLENGE_AUTHMGR_ID = "challengeAuthMgr";
+
+ /**
+ * Constant for null authentication manager ID.
+ */
+ public static final String NULL_AUTHMGR_ID = "nullAuthMgr";
+
+ /**
+ * Constant for ssl client authentication manager ID. 
+ */
+ public static final String SSLCLIENTCERT_AUTHMGR_ID = "sslClientCertAuthMgr";
+
+ /**
+ * Constant for CMC authentication plugin ID.
+ */
+ public static final String CMCAUTH_PLUGIN_ID = "CMCAuth";
+
+ /**
+ * Constant for CMC authentication manager ID.
+ */
+ public static final String CMCAUTH_AUTHMGR_ID = "CMCAuth";
+
+ /**
+ * Authenticate the given credentials using the given manager name.
+ *
+ * @param authCred The authentication credentials
+ * @param authMgrName The authentication manager name
+ * @return a authentication token.
+ * @exception EMissingCredential when missing credential during authentication
+ * @exception EInvalidCredentials when the credential is invalid
+ * @exception EBaseException If an error occurs during authentication.
+ */
+ public IAuthToken authenticate(IAuthCredentials authCred, String authMgrName)
+ throws EMissingCredential, EInvalidCredentials, EBaseException;
+
+ /**
+ * Gets the required credential attributes for the given authentication
+ * manager.
+ *
+ * @param authMgrName The authentication manager name
+ * @return a Vector of required credential attribute names.
+ * @exception EBaseException If the required credential is missing
+ */
+ public String[] getRequiredCreds(String authMgrName) throws EBaseException;
+
+ /**
+ * Adds (registers) the given authentication manager.
+ *
+ * @param name The authentication manager name
+ * @param authMgr The authentication manager instance.
+ */
+ public void add(String name, IAuthManager authMgr);
+
+ /**
+ * Deletes (deregisters) the given authentication manager.
+ *
+ * @param name The authentication manager name to delete.
+ */
+ public void delete(String name);
+
+ /**
+ * Gets the Authentication manager instance of the specified name.
+ *
+ * @param name The authentication manager's name.
+ * @exception EBaseException when internal error occurs. 
+ */
+ public IAuthManager getAuthManager(String name) throws EBaseException;
+
+ /**
+ * Gets an enumeration of authentication managers registered to the
+ * authentication subsystem.
+ *
+ * @return a list of authentication managers
+ */
+ public Enumeration getAuthManagers();
+
+ /**
+ * Gets an enumeration of authentication manager plugins.
+ *
+ * @return a list of authentication plugins
+ */
+ public Enumeration getAuthManagerPlugins();
+
+ /**
+ * Gets a single authentication manager plugin implementation
+ *
+ * @param name given authentication plugin name
+ * @return the given authentication plugin
+ */
+ public IAuthManager getAuthManagerPlugin(String name);
+
+ /**
+ * Get configuration parameters for a authentication mgr plugin.
+ *
+ * @param implName The plugin name.
+ * @return configuration parameters for the given authentication manager plugin
+ * @exception EAuthMgrPluginNotFound If the authentication manager
+ * plugin is not found.
+ * @exception EBaseException If an internal error occurred.
+ */
+ public String[] getConfigParams(String implName)
+ throws EAuthMgrPluginNotFound, EBaseException;
+
+ /**
+ * Log error message.
+ *
+ * @param level log level
+ * @param msg error message
+ */
+ public void log(int level, String msg);
+
+ /**
+ * Get a hashtable containing all authentication plugins.
+ *
+ * @return all authentication plugins.
+ */
+ public Hashtable getPlugins();
+
+ /**
+ * Get a hashtable containing all authentication instances.
+ *
+ * @return all authentication instances.
+ */
+ public Hashtable getInstances();
+
+ /**
+ * Get an authentication manager interface for the given name.
+ *
+ * @param name given authentication manager name.
+ * @return an authentication manager for the given manager name.
+ */
+ public IAuthManager get(String name);
+
+ /**
+ * Get an authentication manager plugin impl for the given name.
+ *
+ * @param name given authentication manager name. 
+ * @return an authentication manager plugin
+ */
+ public AuthMgrPlugin getAuthManagerPluginImpl(String name);
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
new file mode 100644
index 000000000..f46ee3ca1
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
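Review bot: `getPlugins()` and `getInstances()` return raw `Hashtable`, and the interface does not say whether an implementation hands back its live registry or a copy; if it is the live table, any caller holding the subsystem can add or remove authentication managers by mutating it, bypassing `add(...)`/`delete(...)` and whatever checks an implementation performs there. The contract should say so, e.g. `@return a read-only view of all authentication plugins; use add/delete to change the registry`, or the return type should become an unmodifiable `Map<String, ...>`. Separately, the Javadoc of `getRequiredCreds(String)` says it returns `a Vector` while the signature returns `String[]`, and its `@exception EBaseException If the required credential is missing` describes a condition this lookup does not check; `@exception EBaseException If the named authentication manager cannot be found` is closer to what the signature allows, hedged because the implementation is not in this hunk. The raw `Enumeration`/`Hashtable` types on `getAuthManagers`, `getAuthManagerPlugins`, `getPlugins` and `getInstances` are also a style point: generic type arguments would document the element types.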
@@ -0,0 +1,225 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.authentication; + +import java.math.BigInteger; +import java.util.Date; +import java.util.Enumeration; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.usrgrp.Certificates; + +/** + * AuthToken interface. + */ +public interface IAuthToken { + + /** + * Constant for userid. + */ + public static final String USER_ID = "userid"; + + /** + * Sets an attribute value within this AttrSet. + * + * @param name the name of the attribute + * @param value the attribute object. + * @return false on an error + */ + public boolean set(String name, String value); + + /** + * Gets an attribute value. + * + * @param name the name of the attribute to return. + * @exception EBaseException on attribute handling errors. + * @return the attribute value + */ + public String getInString(String name); + + /** + * Returns an enumeration of the names of the attributes existing within + * this AttrSet. + * + * @return an enumeration of the attribute names. 
+ */ + public Enumeration getElements(); + + /************ + * Helpers for non-string sets and gets. + * These are needed because AuthToken is stored in IRequest (which can + * only store string values + */ + + /** + * Retrieves the byte array value for name. The value should have been + * previously stored as a byte array (it will be CMS.AtoB decoded). + * + * @param name The attribute name. + * @return The byte array or null on error. + */ + public byte[] getInByteArray(String name); + + /** + * Stores the byte array with the associated key. + * + * @param name The attribute name. + * @param value The value to store + * @return false on an error + */ + public boolean set(String name, byte[] value); + + /** + * Retrieves the Integer value for name. + * + * @param name The attribute name. + * @return The Integer or null on error. + */ + public Integer getInInteger(String name); + + /** + * Stores the Integer with the associated key. + * + * @param name The attribute name. + * @param value The value to store + * @return false on an error + */ + public boolean set(String name, Integer value); + + /** + * Retrieves the BigInteger array value for name. + * + * @param name The attribute name. + * @return The value or null on error. + */ + public BigInteger[] getInBigIntegerArray(String name); + + /** + * Stores the BigInteger array with the associated key. + * + * @param name The attribute name. + * @param value The value to store + * @return false on an error + */ + public boolean set(String name, BigInteger[] value); + + /** + * Retrieves the Date value for name. + * + * @param name The attribute name. + * @return The value or null on error. + */ + public Date getInDate(String name); + + /** + * Stores the Date with the associated key. + * + * @param name The attribute name. + * @param value The value to store + * @return false on an error + */ + public boolean set(String name, Date value); + + /** + * Retrieves the String array value for name. 
+ * + * @param name The attribute name. + * @return The value or null on error. + */ + public String[] getInStringArray(String name); + + /** + * Stores the String array with the associated key. + * + * @param name The attribute name. + * @param value The value to store + * @return False on error. + */ + public boolean set(String name, String[] value); + + /** + * Retrieves the X509CertImpl value for name. + * + * @param name The attribute name. + * @return The value or null on error. + */ + public X509CertImpl getInCert(String name); + + /** + * Stores the X509CertImpl with the associated key. + * + * @param name The attribute name. + * @param value The value to store + * @return false on error + */ + public boolean set(String name, X509CertImpl value); + + /** + * Retrieves the CertificateExtensions value for name. + * + * @param name The attribute name. + * @return The value or null on error. + */ + public CertificateExtensions getInCertExts(String name); + + /** + * Stores the CertificateExtensions with the associated key. + * + * @param name The attribute name. + * @param value The value to store + * @return false on error + */ + public boolean set(String name, CertificateExtensions value); + + /** + * Retrieves the Certificates value for name. + * + * @param name The attribute name. + * @return The value or null on error. + */ + public Certificates getInCertificates(String name); + + /** + * Stores the Certificates with the associated key. + * + * @param name The attribute name. + * @param value The value to store + * @return false on error + */ + public boolean set(String name, Certificates value); + + /** + * Retrieves the byte[][] value for name. + * + * @param name The attribute name. + * @return The value or null on error. + */ + public byte[][] getInByteArrayArray(String name); + + /** + * Stores the byte[][] with the associated key. + * + * @param name The attribute name. 
+ * @param value The value to store + * @return false on error + */ + public boolean set(String name, byte[][] value); +} diff --git a/base/common/src/com/netscape/certsrv/authentication/ISSLClientCertProvider.java b/base/common/src/com/netscape/certsrv/authentication/ISSLClientCertProvider.java new file mode 100644 index 000000000..6932decc0 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/authentication/ISSLClientCertProvider.java @@ -0,0 +1,42 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.authentication; + +import java.security.cert.X509Certificate; + +/** + * This interface represents an object that captures the + * SSL client certificate in a SSL session. Normally, this + * object is a servlet. + *
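Review bot: `getInString` is declared without a throws clause, yet its Javadoc carries `@exception EBaseException on attribute handling errors`, which is also the only use of the EBaseException import in this file; either the tag should go or the signature should read `public String getInString(String name) throws EBaseException;`, and which one is right depends on the implementation, which is outside this diff. That same Javadoc places `@exception` before `@return`, unlike every other method here. `getElements()` returns a raw `Enumeration` although the doc says it enumerates attribute names, so `Enumeration<String>` would state the contract the callers rely on.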

+ * + * This interface is used to avoid the internal imeplemtnation to have servlet (protocol handler) dependency. + *

+ * + * @version $Revision$, $Date$ + */ +public interface ISSLClientCertProvider { + + /** + * Retrieves the SSL client certificate chain. + * + * @return certificate chain + */ + public X509Certificate[] getClientCertificateChain(); + +} diff --git a/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java b/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java new file mode 100644 index 000000000..830c8866e --- /dev/null +++ b/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java @@ -0,0 +1,32 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.authentication; + +import java.math.BigInteger; + +import org.mozilla.jss.pkix.cmc.PKIData; + +/** + * Shared Token interface. + */ +public interface ISharedToken { + + public String getSharedToken(PKIData cmcData); + + public String getSharedToken(BigInteger serialnum); +} diff --git a/base/common/src/com/netscape/certsrv/authority/IAuthority.java b/base/common/src/com/netscape/certsrv/authority/IAuthority.java new file mode 100644 index 000000000..2875e4dd1 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/authority/IAuthority.java 
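Review bot: `getClientCertificateChain()` does not say what it returns when the SSL session carried no client certificate, nor whether the chain is as presented by the peer or already validated by the TLS layer; an authentication manager consuming it needs both facts before trusting the subject. Suggest widening the tag to something like `@return the client certificate chain as presented in the SSL session, or null if the client sent none` — the null-versus-empty behaviour must be confirmed against the servlet implementation, which is not in this diff. The class Javadoc also misspells "implementation" as "imeplemtnation".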
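Review bot: Neither `getSharedToken` overload has Javadoc, so it is unclear what the `PKIData` and `BigInteger` lookups key on and what is returned when no token exists for the given CMC data or serial number (null versus empty string). Suggest per-method Javadoc naming the lookup key and the not-found result, e.g. `@return the shared token associated with the certificate serial number, or null if none is configured` — the exact not-found value has to be checked against the implementations, which are outside this diff. Since the returned value is a shared secret, the doc should also state that implementations and callers must not log it.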
@@ -0,0 +1,64 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.authority; + +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.request.IRequestListener; +import com.netscape.certsrv.request.IRequestQueue; + +/** + * Authority interface. + * + * @version $Revision$ $Date$ + */ +public interface IAuthority extends ISubsystem { + + /** + * Retrieves the request queue for the Authority. + *

+ * + * @return the request queue. + */ + public IRequestQueue getRequestQueue(); + + /** + * Registers request completed class. + */ + public void registerRequestListener(IRequestListener listener); + + /** + * Registers pending request class. + */ + public void registerPendingListener(IRequestListener listener); + + /** + * log interface + */ + public void log(int level, String msg); + + /** + * nickname of signing (id) cert + */ + public String getNickname(); + + /** + * return official product name. + */ + public String getOfficialName(); + +} diff --git a/base/common/src/com/netscape/certsrv/authority/ICertAuthority.java b/base/common/src/com/netscape/certsrv/authority/ICertAuthority.java new file mode 100644 index 000000000..c2f2c91ec --- /dev/null +++ b/base/common/src/com/netscape/certsrv/authority/ICertAuthority.java 
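Review bot: `registerRequestListener`, `registerPendingListener`, `log`, `getNickname` and `getOfficialName` have one-line Javadoc with no `@param`/`@return` tags, and `log(int level, String msg)` takes a bare int level without saying where the accepted values are defined. Suggest `@param listener listener invoked when a request completes` on the first two and `@param level log level; see the logging interface for the accepted constants` on `log`, with the reference to the actual constants filled in from the logging package, which is not in this diff.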
@@ -0,0 +1,101 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.authority; + +import netscape.security.x509.CertificateChain; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.dbs.certdb.ICertificateRepository; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.IPublisherProcessor; +import com.netscape.certsrv.request.IRequestListener; + +/** + * Authority that handles certificates needed by the cert registration + * servlets. + *

+ * + * @version $Revision$ $Date$ + */ +public interface ICertAuthority extends IAuthority { + + /** + * Retrieves the certificate repository for this authority. + *

+ * + * @return the certificate repository. + */ + public ICertificateRepository getCertificateRepository(); + + /** + * Returns CA's certificate chain. + *

+ * + * @return the Certificate Chain for the CA. + */ + public CertificateChain getCACertChain(); + + /** + * Returns CA's certificate implementaion. + *

+ * + * @return CA's certificate. + */ + public X509CertImpl getCACert(); + + /** + * Returns signing algorithms supported by the CA. + * Dependent on CA's key type and algorithms supported by security lib. + */ + public String[] getCASigningAlgorithms(); + + /** + * Returns authority's X500 Name. - XXX what's this for ?? + */ + public X500Name getX500Name(); + + /** + * Register a request listener + */ + public void registerRequestListener(IRequestListener l); + + /** + * Remove a request listener + */ + public void removeRequestListener(IRequestListener l); + + /** + * Register a pending listener + */ + public void registerPendingListener(IRequestListener l); + + /** + * get authority's publishing module if any. + */ + public IPublisherProcessor getPublisherProcessor(); + + /** + * Returns the logging interface for this authority. + * Using this interface both System and Audit events can be + * logged. + * + */ + public ILogger getLogger(); + +} diff --git a/base/common/src/com/netscape/certsrv/authorization/AuthzManagerProxy.java b/base/common/src/com/netscape/certsrv/authorization/AuthzManagerProxy.java new file mode 100644 index 000000000..58a5264ba --- /dev/null +++ b/base/common/src/com/netscape/certsrv/authorization/AuthzManagerProxy.java 
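Review bot: `registerRequestListener` and `registerPendingListener` are redeclared here with exactly the signatures IAuthority already declares, and ICertAuthority extends IAuthority, so the redeclarations add nothing except a second Javadoc to keep in sync; drop them, or keep them only if they are meant to carry the fuller documentation. The Javadoc for `getX500Name` still reads `Returns authority's X500 Name. - XXX what's this for ??`, which is a reviewer note rather than API documentation; replace it with the actual purpose or at least `Returns the authority's X500 name.`. The `getCACert` doc also misspells "implementation".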
@@ -0,0 +1,59 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authorization;
+
+/**
+ * A class represents an authorization manager. It contains an
+ * authorization manager instance and its state (enable or not).
+ *
+ * @version $Revision$, $Date$
+ */
+public class AuthzManagerProxy {
+ private boolean mEnable;
+ private IAuthzManager mMgr;
+
+ /**
+ * Constructor
+ *
+ * @param enable true if the authzMgr is enabled; false otherwise
+ * @param mgr authorization manager instance
+ */
+ public AuthzManagerProxy(boolean enable, IAuthzManager mgr) {
+ mEnable = enable;
+ mMgr = mgr;
+ }
+
+ /**
+ * Returns the state of the authorization manager instance
+ *
+ * @return true if the state of the authorization manager instance is
+ * enabled; false otherwise.
+ */
+ public boolean isEnable() {
+ return mEnable;
+ }
+
+ /**
+ * Returns an authorization manager instance.
+ *
+ * @return an authorization manager instance
+ */
+ public IAuthzManager getAuthzManager() {
+ return mMgr;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authorization/AuthzMgrPlugin.java b/base/common/src/com/netscape/certsrv/authorization/AuthzMgrPlugin.java
new file mode 100644
index 000000000..e47e58171
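Review bot: `mEnable` and `mMgr` are assigned only in the constructor and never mutated, so they should be `private final boolean mEnable;` and `private final IAuthzManager mMgr;` — a proxy whose enabled flag cannot change after construction is easier to reason about when the type says so. The constructor also accepts a null `mgr` silently; if that is never intended, a null check in the constructor (`Objects.requireNonNull(mgr, "mgr")` where the project's Java level allows it) surfaces the mistake at registration time instead of at the first authorization call.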
--- /dev/null +++ b/base/common/src/com/netscape/certsrv/authorization/AuthzMgrPlugin.java @@ -0,0 +1,77 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.authorization; + +/** + * This class represents a registered authorization manager plugin. + *

+ * + * @version $Revision$, $Date$ + */ +public class AuthzMgrPlugin { + protected String mId = null; + protected String mClassPath = null; + protected boolean mVisible = true; + + /** + * Constructs a AuthzManager plugin. + * + * @param id authz manager implementation name + * @param classPath class path + */ + public AuthzMgrPlugin(String id, String classPath) { + mId = id; + mClassPath = classPath; + } + + /** + * Returns an authorization manager implementation name + * + * @return an authorization manager implementation name + */ + public String getId() { + return mId; + } + + /** + * Returns a classpath of a AuthzManager plugin + * + * @return a classpath of a AuthzManager plugin + */ + public String getClassPath() { + return mClassPath; + } + + /** + * Returns a visibility of the plugin + * + * @return a visibility of the plugin + */ + public boolean isVisible() { + return mVisible; + } + + /** + * Sets visibility of the plugin + * + * @param visibility visibility of the plugin + */ + public void setVisible(boolean visibility) { + mVisible = visibility; + } +} diff --git a/base/common/src/com/netscape/certsrv/authorization/AuthzResources.java b/base/common/src/com/netscape/certsrv/authorization/AuthzResources.java new file mode 100644 index 000000000..13d33c212 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/authorization/AuthzResources.java 
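Review bot: `mId` and `mClassPath` are set only in the constructor yet are `protected`, non-final and explicitly initialised to null; `protected final String mId;` and `protected final String mClassPath;` state the intent and drop the redundant initialisers. `mVisible` defaults to true, so every plugin is visible unless something later calls `setVisible(false)`, and nothing in the class doc says what visibility governs; a field comment such as `// whether the plugin is listed to administrators; defaults to visible` (wording to be confirmed against the consumers, which are outside this diff) would help.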
@@ -0,0 +1,44 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.authorization; + +import java.util.ListResourceBundle; + +/** + * A class represents a resource bundle for the authorization subsystem + *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class AuthzResources extends ListResourceBundle { + + /** + * Returns the content of this resource. + * + * @return the content of this resource + */ + public Object[][] getContents() { + return contents; + } + + /** + * A set of constants for localized error messages. + */ + static final Object[][] contents = {}; +} diff --git a/base/common/src/com/netscape/certsrv/authorization/AuthzToken.java b/base/common/src/com/netscape/certsrv/authorization/AuthzToken.java new file mode 100644 index 000000000..262902e62 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/authorization/AuthzToken.java @@ -0,0 +1,174 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.authorization; + +import java.util.Date; +import java.util.Enumeration; +import java.util.Hashtable; + +import com.netscape.certsrv.base.IAttrSet; + +/** + * Authorization token returned by Authorization Managers. + * Upon return, it contains the name of the authorization manager that create + * the AuthzToken, the plugin name of the authorization manager, time of + * authorization happened, name of the resource, type of operation performed + * on the resource. + *
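Review bot: `getContents()` overrides `ListResourceBundle.getContents()` but lacks `@Override`, and the class-level `@deprecated` tag gives no reason or replacement, so a reader cannot tell what to migrate to — notably EAuthzException in this same diff still names this class as its bundle. Suggest `@deprecated` text naming the replacement bundle (or stating that authz messages are no longer localized), plus `@Override` on `getContents`. The `contents` table is empty, which is consistent with the deprecation but worth saying in the Javadoc so nobody adds entries to a dead bundle.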

+ * + * @version $Revision$, $Date$ + */ +public class AuthzToken implements IAttrSet { + private static final long serialVersionUID = 4716145610877112054L; + private Hashtable mAttrs = null; + + /** + * Plugin name of the authorization manager that created the + * AuthzToken as a string. + */ + public static final String TOKEN_AUTHZMGR_IMPL_NAME = "authzMgrImplName"; + + /** + * Name of the authorization manager that created the AuthzToken + * as a string. + */ + public static final String TOKEN_AUTHZMGR_INST_NAME = "authzMgrInstName"; + + /** + * Time of authorization as a java.util.Date + */ + public static final String TOKEN_AUTHZTIME = "authzTime"; + + /** + * name of the resource + */ + public static final String TOKEN_AUTHZ_RESOURCE = "authzRes"; + + /** + * name of the operation + */ + public static final String TOKEN_AUTHZ_OPERATION = "authzOp"; + + /* + * Status of the authorization evaluation + */ + public static final String TOKEN_AUTHZ_STATUS = "status"; + + /** + * Constant for the success status of the authorization evaluation. + */ + public static final String AUTHZ_STATUS_SUCCESS = "statusSuccess"; + + /** + * Constructs an instance of a authorization token. + * The token by default contains the following attributes:
+ * + *

+     * 	"authzMgrInstName" - The authorization manager instance name.
+     * 	"authzMgrImplName" - The authorization manager plugin name.
+     * 	"authzTime" - The - The time of authorization.
+     * 
+ * + * @param authzMgr The authorization manager that created this Token. + */ + public AuthzToken(IAuthzManager authzMgr) { + mAttrs = new Hashtable(); + mAttrs.put(TOKEN_AUTHZMGR_INST_NAME, authzMgr.getName()); + mAttrs.put(TOKEN_AUTHZMGR_IMPL_NAME, authzMgr.getImplName()); + mAttrs.put(TOKEN_AUTHZTIME, new Date()); + } + + /** + * Get the value of an attribute in the AuthzToken + * + * @param attrName The attribute name + * @return The value of attrName if any. + */ + public Object get(String attrName) { + return mAttrs.get(attrName); + } + + /** + * Used by an Authorization manager to set an attribute and value + * in the AuthzToken. + * + * @param attrName The name of the attribute + * @param value The value of the attribute to set. + */ + public void set(String attrName, Object value) { + mAttrs.put(attrName, value); + } + + /** + * Removes an attribute in the AuthzToken + * + * @param attrName The name of the attribute to remove. + */ + public void delete(String attrName) { + mAttrs.remove(attrName); + } + + /** + * Enumerate all attribute names in the AuthzToken. + * + * @return Enumeration of all attribute names in this AuthzToken. + */ + public Enumeration getElements() { + return mAttrs.keys(); + } + + /** + * Enumerate all attribute values in the AuthzToken. + * + * @return Enumeration of all attribute names in this AuthzToken. + */ + public Enumeration getVals() { + return mAttrs.elements(); + } + + /** + * Gets the name of the authorization manager instance that created + * this token. + * + * @return The name of the authorization manager instance that created + * this token. + */ + public String getAuthzManagerInstName() { + return (String) mAttrs.get(TOKEN_AUTHZMGR_INST_NAME); + } + + /** + * Gets the plugin name of the authorization manager that created this + * token. + * + * @return The plugin name of the authorization manager that created this + * token. 
+ */ + public String getAuthzManagerImplName() { + return (String) mAttrs.get(TOKEN_AUTHZMGR_IMPL_NAME); + } + + /** + * Gets the time of authorization. + * + * @return The time of authorization + */ + public Date getAuthzTime() { + return (Date) mAttrs.get(TOKEN_AUTHZTIME); + } +} diff --git a/base/common/src/com/netscape/certsrv/authorization/EAuthzAccessDenied.java b/base/common/src/com/netscape/certsrv/authorization/EAuthzAccessDenied.java new file mode 100644 index 000000000..9fc7777c7 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/authorization/EAuthzAccessDenied.java @@ -0,0 +1,38 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.authorization; + +/** + * Exception for authorization failure + */ +public class EAuthzAccessDenied extends EAuthzException { + + /** + * + */ + private static final long serialVersionUID = 603324526695263260L; + + /** + * Constructs a exception for access denied by Authz manager + * + * @param errorString Detailed error message. + */ + public EAuthzAccessDenied(String errorString) { + super(errorString); + } +} 
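Review bot: `set(attrName, value)` and the constructor store into a `Hashtable`, which throws NullPointerException on a null key or value; neither the `set` Javadoc nor the constructor doc mentions this, so an authorization manager whose `getName()` or `getImplName()` returns null fails inside `new AuthzToken(...)` with an unhelpful trace. Suggest `@throws NullPointerException if attrName or value is null` on `set` and a matching sentence on the constructor. Two documentation slips as well: the `getVals()` `@return` says "attribute names" but the method returns `mAttrs.elements()`, i.e. the values, and the `TOKEN_AUTHZ_STATUS` comment opens with `/*` instead of `/**`, making it the only constant in the class without Javadoc.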
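Review bot: The `serialVersionUID` field carries an empty Javadoc block (`/**` followed directly by `*/`), which the doc tool renders as a blank description; either drop the block or make it `/** Serialization version. */`. The same empty block appears on the `serialVersionUID` of EAuthzException, EAuthzInternalError, EAuthzMgrNotFound, EAuthzMgrPluginNotFound and EAuthzUnknownOperation in this diff.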
diff --git a/base/common/src/com/netscape/certsrv/authorization/EAuthzException.java b/base/common/src/com/netscape/certsrv/authorization/EAuthzException.java new file mode 100644 index 000000000..65d95a571 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/authorization/EAuthzException.java @@ -0,0 +1,91 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.authorization; + +import com.netscape.certsrv.base.EBaseException; + +/** + * This class represents authorization exceptions. + *

+ * + * @version $Revision$, $Date$ + */ +public class EAuthzException extends EBaseException { + + /** + * + */ + private static final long serialVersionUID = 6265731237976616272L; + /** + * Resource class name. + */ + private static final String AUTHZ_RESOURCES = AuthzResources.class.getName(); + + /** + * Constructs a authz exception + *

+ * + * @param msgFormat exception details + */ + public EAuthzException(String msgFormat) { + super(msgFormat); + } + + /** + * Constructs a authz exception with a parameter. + *

+ * + * @param msgFormat exception details in message string format + * @param param message string parameter + */ + public EAuthzException(String msgFormat, String param) { + super(msgFormat, param); + } + + /** + * Constructs a authz exception with a exception parameter. + *

+ * + * @param msgFormat exception details in message string format + * @param param system exception + */ + public EAuthzException(String msgFormat, Exception param) { + super(msgFormat, param); + } + + /** + * Constructs a authz exception with a list of parameters. + *

+ * + * @param msgFormat the message format. + * @param params list of message format parameters + */ + public EAuthzException(String msgFormat, Object params[]) { + super(msgFormat, params); + } + + /** + * Returns the resource bundle name + * + * @return resource bundle name + */ + protected String getBundleName() { + return AUTHZ_RESOURCES; + } + +} diff --git a/base/common/src/com/netscape/certsrv/authorization/EAuthzInternalError.java b/base/common/src/com/netscape/certsrv/authorization/EAuthzInternalError.java new file mode 100644 index 000000000..2afe2c747 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/authorization/EAuthzInternalError.java @@ -0,0 +1,38 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.authorization; + +/** + * An exception for internal error for authorization. + */ +public class EAuthzInternalError extends EAuthzException { + + /** + * + */ + private static final long serialVersionUID = -2954801841027751903L; + + /** + * Constructs an authorization internal error exception + * + * @param errorString error with a detailed message. + */ + public EAuthzInternalError(String errorString) { + super(errorString); + } +} 
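Review bot: `Object params[]` in the last constructor uses the C-style array declarator; `public EAuthzException(String msgFormat, Object[] params)` is the Java convention and matches the other signatures. `getBundleName()` presumably overrides a method of EBaseException (the parent is outside this diff) but has no `@Override`, so a signature drift would go unnoticed until runtime. The bundle it names, AuthzResources, is marked `@deprecated` with an empty `contents` table elsewhere in this diff, so localized lookups through this class currently resolve nothing — a one-line comment on `AUTHZ_RESOURCES` saying whether that is intended would save the next reader the search.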
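Review bot: EAuthzInternalError exposes only a `String` constructor, so an internal error triggered by a lower-level exception cannot carry its cause even though the parent already provides `EAuthzException(String msgFormat, Exception param)`. Adding `public EAuthzInternalError(String msgFormat, Exception cause) { super(msgFormat, cause); }` lets the original failure's stack reach the log instead of being flattened into a message string.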
diff --git a/base/common/src/com/netscape/certsrv/authorization/EAuthzMgrNotFound.java b/base/common/src/com/netscape/certsrv/authorization/EAuthzMgrNotFound.java
new file mode 100644
index 000000000..a920d37ac
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authorization/EAuthzMgrNotFound.java
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authorization;
+
+/**
+ * Exception for authorization manager not found.
+ */
+public class EAuthzMgrNotFound extends EAuthzException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 858647841945772328L;
+
+ /**
+ * Constructs a exception for a missing required authorization manager
+ *
+ * @param errorString Detailed error message.
+ */
+ public EAuthzMgrNotFound(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authorization/EAuthzMgrPluginNotFound.java b/base/common/src/com/netscape/certsrv/authorization/EAuthzMgrPluginNotFound.java
new file mode 100644
index 000000000..43ae6edcd
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authorization/EAuthzMgrPluginNotFound.java
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authorization;
+
+/**
+ * Exception for authorization manager plugin not found.
+ */
+public class EAuthzMgrPluginNotFound extends EAuthzException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -2647973726997526429L;
+
+ /**
+ * Constructs a exception for a missing authorization plugin
+ *
+ * @param errorString Detailed error message.
+ */
+ public EAuthzMgrPluginNotFound(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authorization/EAuthzUnknownOperation.java b/base/common/src/com/netscape/certsrv/authorization/EAuthzUnknownOperation.java
new file mode 100644
index 000000000..ce061ddd2
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authorization/EAuthzUnknownOperation.java
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authorization;
+
+/**
+ * Exception for operation unknown to the authorization manager
+ */
+public class EAuthzUnknownOperation extends EAuthzException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 4344508835702220953L;
+
+ /**
+ * Constructs a exception for an operation unknown to the authorization manager
+ *
+ * @param errorString Detailed error message.
+ */
+ public EAuthzUnknownOperation(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authorization/EAuthzUnknownProtectedRes.java b/base/common/src/com/netscape/certsrv/authorization/EAuthzUnknownProtectedRes.java
new file mode 100644
index 000000000..5cb2d7276
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authorization/EAuthzUnknownProtectedRes.java
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authorization;
+
+/**
+ * Exception for protected resource unknown to the authorization manager
+ */
+public class EAuthzUnknownProtectedRes extends EAuthzException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 444663701711532889L;
+
+ /**
+ * Constructs a exception for a protected resource unknown to the authorization manager
+ *
+ * @param errorString Detailed error message.
+ */
+ public EAuthzUnknownProtectedRes(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authorization/IAuthzManager.java b/base/common/src/com/netscape/certsrv/authorization/IAuthzManager.java
new file mode 100644
index 000000000..8b52b3928
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authorization/IAuthzManager.java
@@ -0,0 +1,182 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authorization;
+
+import java.util.Enumeration;
+import java.util.Hashtable;
+
+import com.netscape.certsrv.acls.ACL;
+import com.netscape.certsrv.acls.EACLsException;
+import com.netscape.certsrv.acls.IACL;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.evaluators.IAccessEvaluator;
+
+/**
+ * Authorization Manager interface needs to be implemented by all
+ * authorization managers.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IAuthzManager {
+
+ /**
+ * Get the name of this authorization manager instance.
+ *

+ *
+ * @return String the name of this authorization manager.
+ */
+ public String getName();
+
+ /**
+ * Get implementation name of authorization manager plugin.
+ *

+ * An example of an implementation name will be:
+ *
+ *

+     * com.netscape.cms.BasicAclAuthz
+     * 
+ *

+ *
+ * @return The name of the authorization manager plugin.
+ */
+ public String getImplName();
+
+ /**
+ * accessInit is for servlets who want to initialize their
+ * own authorization information before full operation. It is supposed
+ * to be called from the authzMgrAccessInit() method of the AuthzSubsystem.
+ *

+ * The accessInfo format is determined by each individual authzmgr. For example, for BasicAclAuthz, The accessInfo
+ * is the resACLs, whose format should conform to the following:
+ *
+ *

+     *    :right-1[,right-n]:[allow,deny](right(s))=:
+     * 

+ * Example: resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties
+ *
+ * @param accessInfo the access info string in the format specified in the authorization manager
+ * @exception EBaseException error parsing the accessInfo
+ */
+ public void accessInit(String accessInfo) throws EBaseException;
+
+ /**
+ * Check if the user is authorized to perform the given operation on the
+ * given resource.
+ *
+ * @param authToken the authToken associated with a user.
+ * @param resource - the protected resource name
+ * @param operation - the protected resource operation name
+ * @return authzToken if the user is authorized
+ * @exception EAuthzInternalError if an internal error occurred.
+ * @exception EAuthzAccessDenied if access denied
+ */
+ public AuthzToken authorize(IAuthToken authToken, String resource, String operation)
+ throws EAuthzInternalError, EAuthzAccessDenied;
+
+ public AuthzToken authorize(IAuthToken authToken, String expression)
+ throws EAuthzInternalError, EAuthzAccessDenied;
+
+ /**
+ * Initialize this authorization manager.
+ *
+ * @param name The name of this authorization manager instance.
+ * @param implName The name of the authorization manager plugin.
+ * @param config The configuration store for this authorization manager.
+ * @exception EBaseException If an initialization error occurred.
+ */
+ public void init(String name, String implName, IConfigStore config)
+ throws EBaseException;
+
+ /**
+ * Prepare this authorization manager for a graceful shutdown.
+ * Called when the server is exiting for any cleanup needed.
+ */
+ public void shutdown();
+
+ /**
+ * Get configuration parameters for this implementation.
+ * The configuration parameters returned is passed to the
+ * console so configuration for instances of this
+ * implementation can be made through the console.
+ *
+ * @return a list of names for configuration parameters.
+ * @exception EBaseException If an internal error occurred
+ */
+ public String[] getConfigParams()
+ throws EBaseException;
+
+ /**
+ * Get the configuration store for this authorization manager.
+ *
+ * @return The configuration store of this authorization manager.
+ */
+ public IConfigStore getConfigStore();
+
+ /**
+ * Get ACL entries
+ *
+ * @return enumeration of ACL entries.
+ */
+ public Enumeration getACLs();
+
+ /**
+ * Get individual ACL entry for the given name of entry.
+ *
+ * @param target The name of the ACL entry
+ * @return The ACL entry.
+ */
+ public IACL getACL(String target);
+
+ /**
+ * Update ACLs in the database
+ *
+ * @param id The name of the ACL entry (ie, resource id)
+ * @param rights The allowable rights for this resource
+ * @param strACLs The value of the ACL entry
+ * @param desc The description for this resource
+ * @exception EACLsException when update fails.
+ */
+ public void updateACLs(String id, String rights, String strACLs,
+ String desc) throws EACLsException;
+
+ /**
+ * Get all registered evaluators.
+ *
+ * @return All registered evaluators.
+ */
+ public Enumeration aclEvaluatorElements();
+
+ /**
+ * Register new evaluator
+ *
+ * @param type Type of evaluator
+ * @param evaluator Value of evaluator
+ */
+ public void registerEvaluator(String type, IAccessEvaluator evaluator);
+
+ /**
+ * Return a table of evaluators
+ *
+ * @return A table of evaluators
+ */
+ public Hashtable getAccessEvaluators();
+}
diff --git a/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java b/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
new file mode 100644
index 000000000..d8ccc8a83
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
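Review bot: `getACLs()`, `aclEvaluatorElements()` and `getAccessEvaluators()` are declared with raw `Enumeration`/`Hashtable`, so every implementer and caller has to cast blind; `getAccessEvaluators()` in particular can be typed to match the visible `registerEvaluator(String, IAccessEvaluator)` signature, `public Hashtable<String, IAccessEvaluator> getAccessEvaluators();`, and `getACLs()` presumably to `Enumeration<ACL>` (the `ACL` import is otherwise unused in this interface — worth confirming against the implementation). The same raw-type declarations appear in IAuthzSubsystem (`getAuthzManagers`, `getAuthzManagerPlugins`, `getPlugins`, `getInstances`). Separately, the two-argument `authorize(IAuthToken authToken, String expression)` is the only method in the interface with no Javadoc, so the expected syntax of `expression` and how it relates to the resource/operation overload is undocumented; a one-line `@param expression` describing the accepted format would close that gap.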
@@ -0,0 +1,162 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authorization;
+
+import java.util.Enumeration;
+import java.util.Hashtable;
+
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.ISubsystem;
+
+/**
+ * An interface that represents an authorization component
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IAuthzSubsystem extends ISubsystem {
+
+ /**
+ * Constant for auths.
+ */
+ public static final String ID = "authz";
+
+ /**
+ * Constant for class.
+ */
+ public static final String PROP_CLASS = "class";
+
+ /**
+ * Constant for impl
+ */
+ public static final String PROP_IMPL = "impl";
+
+ /**
+ * Constant for pluginName.
+ */
+ public static final String PROP_PLUGIN = "pluginName";
+
+ /**
+ * Constant for instance.
+ */
+ public static final String PROP_INSTANCE = "instance";
+
+ /**
+ * authorize the user associated with the given authToken for a given
+ * operation with the given authorization manager name
+ *
+ * @param authzMgrName The authorization manager name
+ * @param authToken the authenticaton token associated with a user
+ * @param resource the resource protected by the authorization system
+ * @param operation the operation for resource protected by the authorization system
+ * @return a authorization token.
+ * @exception EBaseException If an error occurs during authorization.
+ */
+ public AuthzToken authorize(String authzMgrName, IAuthToken authToken,
+ String resource, String operation)
+ throws EBaseException;
+
+ public AuthzToken authorize(String authzMgrName, IAuthToken authToken,
+ String exp) throws EBaseException;
+
+ /**
+ * Adds (registers) the given authorization manager.
+ *
+ * @param name The authorization manager name
+ * @param authzMgr The authorization manager instance.
+ */
+ public void add(String name, IAuthzManager authzMgr);
+
+ /**
+ * Deletes (deregisters) the given authorization manager.
+ *
+ * @param name The authorization manager name to delete.
+ */
+ public void delete(String name);
+
+ /**
+ * Gets the Authorization manager instance of the specified name.
+ *
+ * @param name The authorization manager's name.
+ * @return an authorization manager interface
+ */
+ public IAuthzManager getAuthzManager(String name) throws EBaseException;
+
+ /**
+ * Gets an enumeration of authorization managers registered to the
+ * authorization component.
+ *
+ * @return a list of authorization managers
+ */
+ public Enumeration getAuthzManagers();
+
+ /**
+ * Initialize authz info - usually used for BasicAclAuthz
+ *
+ * @param authzMgrName name of the authorization manager
+ * @param accessInfo string representation of the ACL
+ * @exception EBaseException if authorization manager is not found
+ */
+ public void authzMgrAccessInit(String authzMgrName, String accessInfo) throws EBaseException;
+
+ /**
+ * Gets an enumeration of authorization manager plugins.
+ *
+ * @return list of authorization manager plugins
+ */
+ public Enumeration getAuthzManagerPlugins();
+
+ /**
+ * Gets a single authorization manager plugin implementation
+ *
+ * @param name given authorization plugin name
+ * @return authorization manager plugin
+ */
+ public IAuthzManager getAuthzManagerPlugin(String name);
+
+ /**
+ * Log error message.
+ *
+ * @param level log level
+ * @param msg error message
+ */
+ public void log(int level, String msg);
+
+ /**
+ * Get a hashtable containing all authentication plugins.
+ *
+ * @return all authentication plugins.
+ */
+ public Hashtable getPlugins();
+
+ /**
+ * Get a hashtable containing all authentication instances.
+ *
+ * @return all authentication instances.
+ */
+ public Hashtable getInstances();
+
+ /**
+ * Get an authorization manager interface for the given name.
+ *
+ * @param name given authorization manager name.
+ * @return an authorization manager interface
+ */
+ public IAuthzManager get(String name);
+}
diff --git a/base/common/src/com/netscape/certsrv/base/ASubsystem.java b/base/common/src/com/netscape/certsrv/base/ASubsystem.java
new file mode 100644
index 000000000..2b4c6d15a
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/ASubsystem.java
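Review bot: The Javadoc on `getPlugins()` and `getInstances()` describes "authentication plugins" and "authentication instances", but this is the authorization subsystem and the neighbouring methods all return authorization managers, so the text reads as a copy-paste from the authentication interface and will mislead anyone deciding which registry they are looking at; `* @return all registered authorization manager plugins, keyed by plugin name.` (and the matching wording for instances) would state what the visible methods appear to return, subject to confirming the key type in the implementation. Two other documentation gaps in the same hunk: `getAuthzManager(String)` declares `throws EBaseException` without an `@exception` tag saying when (presumably when no manager of that name is registered, which is what `EAuthzMgrNotFound` earlier in this commit suggests), and the two-argument `authorize(String, IAuthToken, String exp)` has no Javadoc at all, leaving the format of `exp` undocumented. The `ID` constant's comment "Constant for auths." also does not match its value `"authz"`.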
@@ -0,0 +1,70 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.base;
+
+/**
+ * This class represents a basic subsystem. Each basic
+ * subsystem is named with an identifier and has a
+ * configuration store.
+ *
+ * @version $Revision$, $Date$
+ */
+public abstract class ASubsystem implements ISubsystem {
+
+ private ISubsystem mParent;
+ private IConfigStore mCfg;
+ private String mId;
+
+ /**
+ * Initializes this subsystem.
+ *
+ * @param parent parent subsystem
+ * @param cfg configuration store
+ */
+ public void init(ISubsystem parent, IConfigStore cfg) {
+ mParent = parent;
+ mCfg = cfg;
+ }
+
+ /**
+ * Retrieves the configuration store.
+ *
+ * @return configuration store
+ */
+ public IConfigStore getConfigStore() {
+ return mCfg;
+ }
+
+ /**
+ * Sets the identifier of this subsystem.
+ *
+ * @param id subsystem identifier
+ */
+ public void setId(String id) {
+ mId = id;
+ }
+
+ /**
+ * Retrieves the subsystem identifier.
+ *
+ * @return subsystem identifier
+ */
+ public String getId() {
+ return mId;
+ }
+}
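Review bot: `mParent` is assigned in `init(ISubsystem, IConfigStore)` but nothing in the class reads it — there is no accessor and no other method touches it — so either a `protected ISubsystem getParent()` is missing or the field is dead and should go. Nothing guards against `init` being called a second time; it silently replaces the config store and parent, which is fine only if the `ISubsystem` contract (outside this hunk) allows re-initialisation, so the Javadoc should say which, e.g. `* Initializes this subsystem. Calling it again replaces the previously stored parent and configuration store.`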
diff --git a/base/common/src/com/netscape/certsrv/base/AttributeNameHelper.java b/base/common/src/com/netscape/certsrv/base/AttributeNameHelper.java
new file mode 100644
index 000000000..5b6db131e
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/AttributeNameHelper.java
@@ -0,0 +1,68 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.base;
+
+/**
+ * AttributeNameHelper. This Helper class used to decompose
+ * dot-separated attribute name into prefix and suffix.
+ *
+ * @version $Revision$, $Date$
+ */
+public class AttributeNameHelper {
+ // Public members
+ private static final char SEPARATOR = '.';
+
+ // Private data members
+ private String prefix = null;
+ private String suffix = null;
+
+ /**
+ * Default constructor for the class. Name is of the form
+ * "proofOfPosession.type".
+ *
+ * @param name the attribute name.
+ */
+ public AttributeNameHelper(String name) {
+ int i = name.indexOf(SEPARATOR);
+
+ if (i == (-1)) {
+ prefix = name;
+ } else {
+ prefix = name.substring(0, i);
+ suffix = name.substring(i + 1);
+ }
+ }
+
+ /**
+ * Return the prefix of the name.
+ *
+ * @return attribute prefix
+ */
+ public String getPrefix() {
+ return (prefix);
+ }
+
+ /**
+ * Return the suffix of the name.
+ *
+ * @return attribute suffix
+ */
+ public String getSuffix() {
+ return (suffix);
+ }
+}
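Review bot: The constructor dereferences `name` immediately via `name.indexOf(SEPARATOR)`, so a null name surfaces as a NullPointerException from inside the helper rather than as a clear argument error; `if (name == null) throw new IllegalArgumentException("name");` as the first statement would make the failure point obvious. The contract of `getSuffix()` is undocumented: when the name has no separator `suffix` keeps its initial null, and for names with several dots the split happens at the first one, so a `@return` along the lines of `* @return the part after the first '.', or {@code null} when the name contains no separator` would spare callers a null surprise. Two comment nits in the same hunk: "Default constructor" describes a constructor that takes a parameter, and the `// Public members` comment sits above a `private static final` constant.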
diff --git a/base/common/src/com/netscape/certsrv/base/BaseResources.java b/base/common/src/com/netscape/certsrv/base/BaseResources.java
new file mode 100644
index 000000000..41159481f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/BaseResources.java
@@ -0,0 +1,45 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.base;
+
+import java.util.ListResourceBundle;
+
+/**
+ * A class represents a resource bundle for the entire
+ * system.
+ *

+ *
+ * @version $Revision$, $Date$
+ * @see java.util.ListResourceBundle
+ */
+public class BaseResources extends ListResourceBundle {
+
+ /**
+ * Returns the content of this resource.
+ */
+ public Object[][] getContents() {
+ return contents;
+ }
+
+ /*
+ * Constants. The suffix represents the number of
+ * possible parameters.
+ */
+
+ static final Object[][] contents = {};
+}
diff --git a/base/common/src/com/netscape/certsrv/base/EBaseException.java b/base/common/src/com/netscape/certsrv/base/EBaseException.java
new file mode 100644
index 000000000..26def60f5
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/EBaseException.java
@@ -0,0 +1,159 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.base;
+
+import java.util.Locale;
+
+/**
+ * An exception with localizable error messages. It is the
+ * base class for all exceptions in certificate server.
+ *

+ *
+ * @version $Revision$, $Date$
+ * @see java.text.MessageFormat
+ * @see com.netscape.certsrv.base.BaseResources
+ */
+public class EBaseException extends Exception {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 8213021692117483973L;
+
+ /**
+ * The resource bundle to use for error messages.
+ * Subclasses can override to use its own resource bundle.
+ */
+ private static final String BASE_RESOURCES = BaseResources.class.getName();
+
+ /**
+ * Parameters to the exception error message.
+ */
+ public Object mParams[] = null;
+
+ /**
+ * Constructs an instance of this exception with the given resource key.
+ * If resource key is not found in the resource bundle, the resource key
+ * specified is used as the error message.
+ *
+ *

+     * new EBaseException(BaseResources.PERMISSION_DENIED);
+     * new EBaseException("An plain error message");
+     * 

+ * @param msgFormat The error message resource key.
+ */
+ public EBaseException(String msgFormat) {
+ super(msgFormat);
+ mParams = null;
+ }
+
+ /**
+ * Constructs an instance of this exception with the given resource key
+ * and a parameter as a string.
+ *
+ *

+     * new EBaseException(BaseResource.NO_CONFIG_FILE, fileName);
+     * 
+ *

+ *
+ * @param msgFormat exception details in message string format
+ * @param param message string parameter
+ */
+ public EBaseException(String msgFormat, String param) {
+ super(msgFormat);
+ mParams = new String[1];
+ mParams[0] = param;
+ }
+
+ /**
+ * Constructs an instance of the exception given the resource key and
+ * a exception parameter.
+ *
+ *

+     * 		try {
+     *  		...
+     * 		} catch (IOExeption e) {
+     * 		 	throw new EBaseException(BaseResources.INTERNAL_ERROR_1, e);
+     *      }
+     * 
+ *

+ *
+ * @param msgFormat The resource key
+ * @param param The parameter as an exception
+ */
+ public EBaseException(String msgFormat, Exception param) {
+ super(msgFormat);
+ mParams = new Exception[1];
+ mParams[0] = param;
+ }
+
+ /**
+ * Constructs an instance of this exception given the resource key and
+ * an array of parameters.
+ *

+ *
+ * @param msgFormat The resource key
+ * @param params Array of params
+ */
+ public EBaseException(String msgFormat, Object params[]) {
+ super(msgFormat);
+ mParams = params;
+ }
+
+ /**
+ * Returns the list of parameters.
+ *

+ *
+ * @return List of parameters.
+ */
+ public Object[] getParameters() {
+ return mParams;
+ }
+
+ /**
+ * Returns the exception string in the default locale.
+ *

+ *
+ * @return The exception string in the default locale.
+ */
+ public String toString() {
+ return toString(Locale.getDefault());
+ }
+
+ /**
+ * Returns the exception string in the given locale.
+ *

+ *
+ * @param locale The locale
+ * @return The exception string in the given locale.
+ */
+ public String toString(Locale locale) {
+ return MessageFormatter.getLocalizedString(locale, getBundleName(),
+ super.getMessage(), mParams);
+ }
+
+ /**
+ * Returns the given resource bundle name.
+ *
+ * @return the name of the resource bundle for this class.
+ */
+ protected String getBundleName() {
+ return BASE_RESOURCES;
+ }
+
+}
diff --git a/base/common/src/com/netscape/certsrv/base/EPropertyNotDefined.java b/base/common/src/com/netscape/certsrv/base/EPropertyNotDefined.java
new file mode 100644
index 000000000..466306582
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/EPropertyNotDefined.java
@@ -0,0 +1,46 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.base;
+
+/**
+ * This class represents an exception thrown when a
+ * property is not defined (empty string) the configuration store.
+ * It extends EBaseException and uses the same resource bundle.
+ *
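Review bot: `public Object mParams[] = null;` exposes the message parameters as a public mutable field, and `getParameters()` returns the same array, so any holder of the exception can alter what `toString(Locale)` will render after the fact — including, for the `(String, Exception)` constructor, swapping the embedded cause; since this is the base class of every exception in the server, `private Object mParams[]` with `return mParams == null ? null : mParams.clone();` in `getParameters()` would keep the rendered message stable. Related, `toString(Locale)` feeds `super.getMessage()` to `MessageFormatter.getLocalizedString(...)` and the constructor Javadoc says the raw key is used as the message when it is not in the bundle; if that helper applies `java.text.MessageFormat` to the fallback text (it is outside this hunk, so worth confirming), braces in a message built from runtime data would be parsed as placeholders, which argues for documenting that `msgFormat` must be a key or a pattern, not arbitrary text. Finally, `getMessage()` is not overridden, so log statements that call it print the unlocalized key while `toString()` prints the formatted message; a one-line `@implNote`-style comment on `toString()` saying that `getMessage()` still returns the raw resource key would prevent that surprise.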

+ *
+ * @version $Revision$, $Date$
+ * @see com.netscape.certsrv.base.EBaseException
+ */
+public class EPropertyNotDefined extends EBaseException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -7986464387187170352L;
+
+ /**
+ * Constructs an instance of this exception given the name of the
+ * property that's not found.
+ *

+ *
+ * @param errorString Detailed error message.
+ */
+ public EPropertyNotDefined(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/base/EPropertyNotFound.java b/base/common/src/com/netscape/certsrv/base/EPropertyNotFound.java
new file mode 100644
index 000000000..5a8a9550f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/EPropertyNotFound.java
@@ -0,0 +1,46 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.base;
+
+/**
+ * This class represents an exception thrown when a
+ * property is not found in the configuration store.
+ * It extends EBaseException and uses the same resource bundle.
+ *
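Review bot: The constructor Javadoc of `EPropertyNotDefined` says it is built "given the name of the property that's not found", which is the wording of the sibling `EPropertyNotFound` and contradicts both this class's own description (a property that is present but empty) and the `@param errorString Detailed error message.` tag beneath it, so a reader cannot tell whether to pass a property name or a full message; `* Constructs an instance of this exception for a property that is present in the configuration store but has an empty value.` would match the class Javadoc. `EPropertyNotFound` has the same name-versus-message inconsistency between its constructor summary and its `@param`. The class Javadoc also drops a word: "not defined (empty string) the configuration store" should read "in the configuration store".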

+ *
+ * @version $Revision$, $Date$
+ * @see com.netscape.certsrv.base.EBaseException
+ */
+public class EPropertyNotFound extends EBaseException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 2701966082697733003L;
+
+ /**
+ * Constructs an instance of this exception given the name of the
+ * property that's not found.
+ *

+ *
+ * @param errorString Detailed error message.
+ */
+ public EPropertyNotFound(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/base/ExtendedPluginInfo.java b/base/common/src/com/netscape/certsrv/base/ExtendedPluginInfo.java
new file mode 100644
index 000000000..86f5999d9
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/ExtendedPluginInfo.java
@@ -0,0 +1,88 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.base;
+
+import java.util.Locale;
+
+/**
+ * Plugin which can return extended information to console
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class ExtendedPluginInfo implements IExtendedPluginInfo {
+
+ private String _epi[] = null;
+
+ /**
+ * Constructs an extended plugin info object.
+ *
+ * @param epi plugin info list
+ */
+ public ExtendedPluginInfo(String epi[]) {
+ _epi = epi;
+ }
+
+ /**
+ * This method returns an array of strings. Each element of the
+ * array represents a configurable parameter, or some other
+ * meta-info (such as help-token)
+ *
+ * there is an entry indexed on that parameter name
+ * ;[,required];;...
+ *
+ * Where:
+ *
+ * type_info is either 'string', 'number', 'boolean', 'password' or
+ * 'choice(ch1,ch2,ch3,...)'
+ *
+ * If the marker 'required' is included after the type_info,
+ * the parameter will has some visually distinctive marking in
+ * the UI.
+ *
+ * 'description' is a short sentence describing the parameter
+ * 'choice' is rendered as a drop-down list. The first parameter in the
+ * list will be activated by default
+ * 'boolean' is rendered as a checkbox. The resulting parameter will be
+ * either 'true' or 'false'
+ * 'string' allows any characters
+ * 'number' allows only numbers
+ * 'password' is rendered as a password field (the characters are replaced
+ * with *'s when being types. This parameter is not passed through to
+ * the plugin. It is instead inserted directly into the password cache
+ * keyed on the instance name. The value of the parameter
+ * 'bindPWPrompt' (see example below) is set to the key.
+ *
+ * In addition to the configurable parameters, the following magic parameters
+ * may be defined:
+ *
+ * HELP_TOKEN;helptoken - a pointer to the online manual section for this plugin
+ * HELP_TEXT;helptext - a general help string describing the plugin
+ *
+ * For example:
+ * "username;string;The username you wish to login as"
+ * "bindPWPrompt;password;Enter password to bind as above user with"
+ * "algorithm;choice(RSA,DSA);Which algorithm do you want to use"
+ * "enable;boolean;Do you want to run this plugin"
+ * "port;number;Which port number do you want to use"
+ *
+ */
+ public String[] getExtendedPluginInfo(Locale locale) {
+ return _epi;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/base/IArgBlock.java b/base/common/src/com/netscape/certsrv/base/IArgBlock.java
new file mode 100644
index 000000000..adddccba6
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/IArgBlock.java
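Review bot: The constructor stores the caller's array as-is (`_epi = epi;`) and `getExtendedPluginInfo` hands the same array back (`return _epi;`), so the descriptor strings that, per the Javadoc above, decide how the console renders each parameter — including which fields are treated as passwords and kept out of the plugin's view — can be changed by any caller after construction and the change is seen by every later reader. Copying on both sides, `_epi = (epi == null) ? null : epi.clone();` in the constructor and `return (_epi == null) ? null : _epi.clone();` in the getter, keeps the instance effectively immutable at no real cost. The `locale` parameter is accepted but never used, which the method Javadoc should state so implementers of `IExtendedPluginInfo` (outside this hunk) know no localisation happens here.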
@@ -0,0 +1,283 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.base; + +import java.io.Serializable; +import java.math.BigInteger; +import java.util.Enumeration; + +import netscape.security.pkcs.PKCS10; + +/** + * This interface defines the abstraction for the generic collection + * of attributes indexed by string names. + * Set of cooperating implementations of this interface may exploit + * dot-separated attribute names to provide seamless access to the + * attributes of attribute value which also implements AttrSet + * interface as if it was direct attribute of the container + * E.g., ((AttrSet)container.get("x")).get("y") is equivalent to + * container.get("x.y"); + *

+ * + * @version $Revision$, $Date$ + **/ +public interface IArgBlock extends Serializable { + + /** + * Checks if this argument block contains the given key. + * + * @param n key + * @return true if key is present + */ + public boolean isValuePresent(String n); + + /** + * Adds string-based value into this argument block. + * + * @param n key + * @param v value + * @return value + */ + public Object addStringValue(String n, String v); + + /** + * Retrieves argument value as string. + * + * @param n key + * @return argument value as string + * @exception EBaseException failed to retrieve value + */ + public String getValueAsString(String n) throws EBaseException; + + /** + * Retrieves argument value as string. + * + * @param n key + * @param def default value to be returned if key is not present + * @return argument value as string + */ + public String getValueAsString(String n, String def); + + /** + * Retrieves argument value as integer. + * + * @param n key + * @return argument value as int + * @exception EBaseException failed to retrieve value + */ + public int getValueAsInt(String n) throws EBaseException; + + /** + * Retrieves argument value as integer. + * + * @param n key + * @param def default value to be returned if key is not present + * @return argument value as int + */ + public int getValueAsInt(String n, int def); + + /** + * Retrieves argument value as big integer. + * + * @param n key + * @return argument value as big integer + * @exception EBaseException failed to retrieve value + */ + public BigInteger getValueAsBigInteger(String n) throws EBaseException; + + /** + * Retrieves argument value as big integer. 
+ * + * @param n key + * @param def default value to be returned if key is not present + * @return argument value as big integer + */ + public BigInteger getValueAsBigInteger(String n, BigInteger def); + + /** + * Retrieves argument value as object + * + * @param n key + * @return argument value as object + * @exception EBaseException failed to retrieve value + */ + public Object getValue(Object n) throws EBaseException; + + /** + * Retrieves argument value as object + * + * @param n key + * @param def default value to be returned if key is not present + * @return argument value as object + */ + public Object getValue(Object n, Object def); + + /** + * Gets boolean value. They should be "true" or "false". + * + * @param name name of the input type + * @return boolean type: true or false + * @exception EBaseException failed to retrieve value + */ + public boolean getValueAsBoolean(String name) throws EBaseException; + + /** + * Gets boolean value. They should be "true" or "false". + * + * @param name name of the input type + * @param def Default value to return. + * @return boolean type: true or false + */ + public boolean getValueAsBoolean(String name, boolean def); + + /** + * Gets KeyGenInfo + * + * @param name name of the input type + * @param def default value to return + * @exception EBaseException On error. + * @return KeyGenInfo object + */ + public KeyGenInfo getValueAsKeyGenInfo(String name, KeyGenInfo def) throws EBaseException; + + /** + * Gets PKCS10 request. This pkcs10 attribute does not + * contain header information. + * + * @param name name of the input type + * @return pkcs10 request + * @exception EBaseException failed to retrieve value + */ + public PKCS10 getValueAsRawPKCS10(String name) throws EBaseException; + + /** + * Gets PKCS10 request. This pkcs10 attribute does not + * contain header information. 
+ * + * @param name name of the input type + * @param def default PKCS10 + * @return pkcs10 request + * @exception EBaseException failed to retrieve value + */ + public PKCS10 getValueAsRawPKCS10(String name, PKCS10 def) throws EBaseException; + + /** + * Retrieves PKCS10 + * + * @param name name of the input type + * @param checkheader true if header must be present + * @return PKCS10 object + * @exception EBaseException failed to retrieve value + */ + public PKCS10 getValueAsPKCS10(String name, boolean checkheader) throws EBaseException; + + /** + * Retrieves PKCS10 + * + * @param name name of the input type + * @param checkheader true if header must be present + * @param def default PKCS10 + * @return PKCS10 object + * @exception EBaseException on error + */ + public PKCS10 getValueAsPKCS10(String name, boolean checkheader, PKCS10 def) throws EBaseException; + + /** + * Retrieves PKCS10 + * + * @param name name of the input type + * @param def default PKCS10 + * @return PKCS10 object + * @exception EBaseException on error + */ + public PKCS10 getValuePKCS10(String name, PKCS10 def) throws EBaseException; + + /** + * Retrieves a list of argument keys. + * + * @return a list of string-based keys + */ + public Enumeration elements(); + + /** + * Adds long-type arguments to this block. + * + * @param n key + * @param v value + * @return value + */ + public Object addLongValue(String n, long v); + + /** + * Adds integer-type arguments to this block. + * + * @param n key + * @param v value + * @return value + */ + public Object addIntegerValue(String n, int v); + + /** + * Adds boolean-type arguments to this block. + * + * @param n key + * @param v value + * @return value + */ + public Object addBooleanValue(String n, boolean v); + + /** + * Adds integer-type arguments to this block. 
+ * + * @param n key + * @param v value + * @param radix radix + * @return value + */ + public Object addBigIntegerValue(String n, BigInteger v, int radix); + + /** + * Sets argument into this block. + * + * @param name key + * @param obj value + */ + public void set(String name, Object obj); + + /** + * Retrieves argument. + * + * @param name key + * @return object value + */ + public Object get(String name); + + /** + * Deletes argument by the given key. + * + * @param name key + */ + public void delete(String name); + + /** + * Retrieves a list of argument keys. + * + * @return a list of string-based keys + */ + public Enumeration getElements(); +} diff --git a/base/common/src/com/netscape/certsrv/base/IAttrSet.java b/base/common/src/com/netscape/certsrv/base/IAttrSet.java new file mode 100644 index 000000000..e396b072a --- /dev/null +++ b/base/common/src/com/netscape/certsrv/base/IAttrSet.java 
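Review bot: `elements()` and `getElements()` at the end of the hunk are declared with the same javadoc ("Retrieves a list of argument keys") and a raw `Enumeration`, so the interface offers two names for one operation and neither states the element type. Since the text already says the keys are string-based, `public Enumeration<String> getElements();` plus a javadoc line on `elements()` saying it is the older alias would make the contract explicit; the same raw `Enumeration` recurs in `IAttrSet.getElements()` and in `IConfigStore.getPropertyNames()`/`getSubStoreNames()` later in the diff. `getValue(Object n)` is also the only accessor keyed on `Object` rather than `String`; if that is deliberate a sentence in its javadoc should say so.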
@@ -0,0 +1,70 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.base; + +import java.io.Serializable; +import java.util.Enumeration; + +/** + * This interface defines the abstraction for the generic collection + * of attributes indexed by string names. + * Set of cooperating implementations of this interface may exploit + * dot-separated attribute names to provide seamless access to the + * attributes of attribute value which also implements AttrSet + * interface as if it was direct attribute of the container + * E.g., ((AttrSet)container.get("x")).get("y") is equivalent to + * container.get("x.y"); + *

+ *
+ * @version $Revision$, $Date$
+ **/
+public interface IAttrSet extends Serializable {
+
+ /**
+ * Sets an attribute value within this AttrSet.
+ *
+ * @param name the name of the attribute
+ * @param obj the attribute object.
+ * @exception EBaseException on attribute handling errors.
+ */
+ public void set(String name, Object obj) throws EBaseException;
+
+ /**
+ * Gets an attribute value.
+ *
+ * @param name the name of the attribute to return.
+ * @exception EBaseException on attribute handling errors.
+ */
+ public Object get(String name) throws EBaseException;
+
+ /**
+ * Deletes an attribute value from this AttrSet.
+ *
+ * @param name the name of the attribute to delete.
+ * @exception EBaseException on attribute handling errors.
+ */
+ public void delete(String name) throws EBaseException;
+
+ /**
+ * Returns an enumeration of the names of the attributes existing within
+ * this AttrSet.
+ *
+ * @return an enumeration of the attribute names.
+ */
+ public Enumeration getElements();
+}
diff --git a/base/common/src/com/netscape/certsrv/base/IAuthInfo.java b/base/common/src/com/netscape/certsrv/base/IAuthInfo.java
new file mode 100644
index 000000000..4806a94c0
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/IAuthInfo.java
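Review bot: `get(String name)` is the only accessor in this hunk without a `@return` tag; propose `@return the attribute value stored under {@code name}`. Neither `get` nor `delete` says what happens when the attribute is absent — whether that is a `null` result or one of the `EBaseException` "attribute handling errors" — and implementers of this interface and of the `IArgBlock` variant (whose `set`/`get`/`delete` carry no `throws` clause at all) need that contract spelled out once confirmed against the implementation.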
@@ -0,0 +1,31 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.base; + +/** + * An interface represents an authentication context. This + * is an entity that encapsulates the authentication + * information of a service requestor. For example, CMS + * user needs to authenticate to CMS using SSL. The + * client certificate is expressed in authenticated context. + *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IAuthInfo {
+}
diff --git a/base/common/src/com/netscape/certsrv/base/ICRLPrettyPrint.java b/base/common/src/com/netscape/certsrv/base/ICRLPrettyPrint.java
new file mode 100644
index 000000000..d111063a7
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/ICRLPrettyPrint.java
@@ -0,0 +1,48 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.base;
+
+import java.util.Locale;
+
+/**
+ * This interface represents a CRL pretty print handler.
+ * It converts a CRL object into a printable CRL string.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface ICRLPrettyPrint {
+
+ /**
+ * Retrieves the printable CRL string.
+ *
+ * @param clientLocale end user clocale
+ * @param crlSize CRL size
+ * @param pageStart starting page number
+ * @param pageSize page size in rows
+ * @return printable CRL string
+ */
+ public String toString(Locale clientLocale, long crlSize, long pageStart, long pageSize);
+
+ /**
+ * Retrieves the printable CRL string.
+ *
+ * @param clientLocale end user clocale
+ * @return printable CRL string
+ */
+ public String toString(Locale clientLocale);
+}
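Review bot: Both `@param clientLocale` tags in the ICRLPrettyPrint hunk read "end user clocale"; should be `end user locale`. The `toString(Locale, long, long, long)` and `toString(Locale)` signatures overload `Object.toString`, which is easy to confuse with the no-argument method; `ICertPrettyPrint.toString(Locale)` in the next file has the same shape, and `IExtPrettyPrint` further on redeclares `public String toString();` itself, which adds nothing beyond `Object` except the javadoc. The paging parameters are documented only by their types; a sentence stating whether `pageStart` is zero- or one-based and what is returned when `pageStart` or `pageSize` falls outside `crlSize` would give implementers a checkable contract.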
diff --git a/base/common/src/com/netscape/certsrv/base/ICertPrettyPrint.java b/base/common/src/com/netscape/certsrv/base/ICertPrettyPrint.java
new file mode 100644
index 000000000..e991d5a11
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/ICertPrettyPrint.java
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.base;
+
+import java.util.Locale;
+
+/**
+ * This interface represents a certificate pretty print
+ * handler. This handler converts certificate object into
+ * a printable certificate string.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface ICertPrettyPrint {
+
+ /**
+ * Returns printable certificate string.
+ *
+ * @param clientLocale end user locale
+ * @return printable certificate string
+ */
+ public String toString(Locale clientLocale);
+}
diff --git a/base/common/src/com/netscape/certsrv/base/IConfigStore.java b/base/common/src/com/netscape/certsrv/base/IConfigStore.java
new file mode 100644
index 000000000..d12265e83
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/IConfigStore.java
@@ -0,0 +1,297 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.base; + +import java.math.BigInteger; +import java.util.Enumeration; + +/** + * An interface represents a configuration store. + * A configuration store is an abstraction of a hierarchical store + * to keep arbitrary data indexed by string names. + *

+ * In the following example: + * + *

+ *      param1=value1
+ *      configStore1.param11=value11
+ *      configStore1.param12=value12
+ *      configStore1.subStore1.param111=value111
+ *      configStore1.subStore1.param112=value112
+ *      configStore2.param21=value21
+ * 
+ * + * The top config store has parameters param1 and sub-stores configStore1 and configStore2.
+ * The following illustrates how a config store is used. + * + *
+ * // the top config store is passed to the following method. 
+ * public void init(IConfigStore config) throws EBaseException {
+ *     IConfigStore store = config;
+ *     String valx = config.getString("param1");
+ *     // valx is "value1" <p>
+ * 
+ *     IConfigStore substore1 = config.getSubstore("configStore1");
+ *     String valy = substore1.getString("param11");
+ *     // valy is "value11" <p>
+ * 
+ *     IConfigStore substore2 = config.getSubstore("configStore2");
+ *     String valz = substore2.getString("param21");
+ *     // valz is "value21" <p>
+ * }
+ * 
+ * + * @version $Revision$, $Date$ + */ +public interface IConfigStore extends ISourceConfigStore { + + /** + * Gets the name of this Configuration Store. + *

+ * + * @return The name of this Configuration store + */ + public String getName(); + + /** + * Retrieves the value of the given property as a string. + *

+ * + * @param name The name of the property to get + * @return The value of the property as a String + * @exception EPropertyNotFound If the property is not present + * @exception EBaseException If an internal error occurred + */ + public String getString(String name) + throws EPropertyNotFound, EBaseException; + + /** + * Retrieves the value of a given property as a string or the + * given default value if the property is not present. + *

+ * + * @param name The property to retrive + * @param defval The default value to return if the property is not present + * @return The roperty value as a string + * @exception EBaseException If an internal error occurred + */ + public String getString(String name, String defval) + throws EBaseException; + + /** + * Stores a property and its value as a string. + *

+ * + * @param name The name of the property + * @param value The value as a string + */ + public void putString(String name, String value); + + /** + * Retrieves the value of a property as a byte array. + *

+ * + * @param name The property name + * @return The property value as a byte array + * @exception EPropertyNotFound If the property is not present + * @exception EBaseException If an internal error occurred + */ + public byte[] getByteArray(String name) + throws EPropertyNotFound, EBaseException; + + /** + * Retrieves the value of a property as a byte array, using the + * given default value if property is not present. + *

+ * + * @param name The name of the property + * @param defval The default value if the property is not present. + * @return The property value as a byte array. + * @exception EBaseException If an internal error occurred + */ + public byte[] getByteArray(String name, byte defval[]) + throws EBaseException; + + /** + * Stores the given property and value as a byte array. + *

+ * + * @param name The property name + * @param value The value as a byte array to store + */ + public void putByteArray(String name, byte value[]); + + /** + * Retrieves the given property as a boolean. + *

+ * + * @param name The name of the property as a string. + * @return The value of the property as a boolean. + * @exception EPropertyNotFound If the property is not present + * @exception EBaseException If an internal error occurred + */ + public boolean getBoolean(String name) + throws EPropertyNotFound, EBaseException; + + /** + * Retrieves the given property as a boolean. + *

+ * + * @param name The name of the property + * @param defval The default value to turn as a boolean if + * property is not present + * @return The value of the property as a boolean. + * @exception EBaseException If an internal error occurred + */ + public boolean getBoolean(String name, boolean defval) + throws EBaseException; + + /** + * Stores the given property and its value as a boolean. + *

+ * + * @param name The property name + * @param value The value as a boolean + */ + public void putBoolean(String name, boolean value); + + /** + * Retrieves the given property as an integer. + *

+ * + * @param name The property name + * @return The property value as an integer + * @exception EPropertyNotFound If property is not found + * @exception EBaseException If an internal error occurred + */ + public int getInteger(String name) + throws EPropertyNotFound, EBaseException; + + /** + * Retrieves the given property as an integer. + *

+ * + * @param name The property name + * @return int The default value to return as an integer + * @exception EBaseException If the value cannot be converted to a + * integer + */ + public int getInteger(String name, int defval) + throws EBaseException; + + /** + * Sets a property and its value as an integer. + *

+ * + * @param name parameter name + * @param value integer value + */ + public void putInteger(String name, int value); + + /** + * Retrieves the given property as a big integer. + *

+ * + * @param name The property name + * @return The property value as a big integer + * @exception EPropertyNotFound If property is not found + * @exception EBaseException If an internal error occurred + */ + public BigInteger getBigInteger(String name) + throws EPropertyNotFound, EBaseException; + + /** + * Retrieves the given property as a big integer. + *

+ * + * @param name The property name + * @return int The default value to return as a big integer + * @exception EBaseException If the value cannot be converted to a + * integer + */ + public BigInteger getBigInteger(String name, BigInteger defval) + throws EBaseException; + + /** + * Sets a property and its value as an integer. + *

+ * + * @param name parameter name + * @param value big integer value + */ + public void putBigInteger(String name, BigInteger value); + + /** + * Creates a nested sub-store with the specified name. + *

+ * + * @param name The name of the sub-store + * @return The sub-store created + */ + public IConfigStore makeSubStore(String name); + + /** + * Retrieves the given sub-store. + *

+ * + * @param name The name of the sub-store + * @return The sub-store + */ + public IConfigStore getSubStore(String name); + + /** + * Removes sub-store with the given name. + * (Removes all properties and sub-stores under this sub-store.) + *

+ * + * @param name The name of the sub-store to remove + */ + public void removeSubStore(String name); + + public void remove(String name); + + /** + * Retrives and enumeration of all properties in this config-store. + * + * @return An enumeration of all properties in this config-store + */ + public Enumeration getPropertyNames(); + + /** + * Returns an enumeration of the names of the substores of + * this config-store. + *

+ * + * @return An enumeration of the names of the sub-stores of this + * config-store + */ + public Enumeration getSubStoreNames(); + + /** + * Commits all the data into file immediately. + * + * @param createBackup true if a backup file should be created + * @exception EBaseException failed to commit + */ + public void commit(boolean createBackup) throws EBaseException; + + /** + * Return the number of items in this substore + */ + public int size(); +} diff --git a/base/common/src/com/netscape/certsrv/base/IConfigStoreEventListener.java b/base/common/src/com/netscape/certsrv/base/IConfigStoreEventListener.java new file mode 100644 index 000000000..06e7d522a --- /dev/null +++ b/base/common/src/com/netscape/certsrv/base/IConfigStoreEventListener.java 
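Review bot: `remove(String name)` is the only method in the IConfigStore hunk with no javadoc, and placed directly under `removeSubStore` it is unclear whether it deletes one property or a whole subtree; propose `/** Removes the property with the given name from this config store. @param name The name of the property to remove */`, after confirming against the implementation that sub-stores are not affected. The `getInteger(String name, int defval)` and `getBigInteger(String name, BigInteger defval)` javadocs each carry `@return int The default value to return ...` and no `@param defval`; following the `getString(String, String)` pattern above them they should read `@param defval The default value to return if the property is not present` and `@return The property value as an integer` (big integer for the second). `putBigInteger` is still described as "Sets a property and its value as an integer", and `getPropertyNames` reads "Retrives and enumeration" for "Retrieves an enumeration".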
@@ -0,0 +1,48 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.base;
+
+import java.util.Hashtable;
+
+/**
+ * ConfigStore Parameters Event Notification.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IConfigStoreEventListener {
+
+ /**
+ * Called to validate the config store parameters that changed
+ *
+ * @param action action
+ * @param params configuration parameters changed
+ * @exception EBaseException failed to validate
+ */
+ public void validateConfigParams(String action,
+ Hashtable params) throws EBaseException;
+
+ /**
+ * Validates the config store parameters that changed
+ *
+ * @param action action
+ * @param params configuration parameters changed
+ * @exception EBaseException failed to validate
+ */
+ public void doConfigParams(String action,
+ Hashtable params) throws EBaseException;
+}
diff --git a/base/common/src/com/netscape/certsrv/base/IExtPrettyPrint.java b/base/common/src/com/netscape/certsrv/base/IExtPrettyPrint.java
new file mode 100644
index 000000000..8d95a40ca
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/IExtPrettyPrint.java
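Review bot: The javadoc on `doConfigParams` is a copy of the one on `validateConfigParams` ("Validates the config store parameters that changed", "@exception EBaseException failed to validate"), so the hunk never states what the second callback does. From its name it presumably applies the change once validation has passed; propose `Applies the changed config store parameters after {@link #validateConfigParams} has accepted them` with `@exception EBaseException failed to apply the parameters`, and confirm the call order against the caller. Both methods take a raw `Hashtable`; parameterising it with whatever key/value types the caller actually passes (not visible here) would document the contents without changing behaviour.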
@@ -0,0 +1,34 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.base;
+
+/**
+ * This class will display the certificate content in predefined
+ * format.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IExtPrettyPrint {
+
+ /**
+ * Retrieves the printable extension string.
+ *
+ * @return printable extension string
+ */
+ public String toString();
+}
diff --git a/base/common/src/com/netscape/certsrv/base/IExtendedPluginInfo.java b/base/common/src/com/netscape/certsrv/base/IExtendedPluginInfo.java
new file mode 100644
index 000000000..aff3daf4d
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/IExtendedPluginInfo.java
@@ -0,0 +1,79 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.base; + +import java.util.Locale; + +/** + * Plugin which can return extended information to console + *

+ * + * @version $Revision$, $Date$ + */ +public interface IExtendedPluginInfo { + + public static final String HELP_TOKEN = "HELP_TOKEN"; + public static final String HELP_TEXT = "HELP_TEXT"; + + /** + * This method returns an array of strings. Each element of the + * array represents a configurable parameter, or some other + * meta-info (such as help-token) + * + * there is an entry indexed on that parameter name + * ;[,required];;... + * + * Where: + * + * type_info is either 'string', 'number', 'boolean', 'password' or + * 'choice(ch1,ch2,ch3,...)' + * + * If the marker 'required' is included after the type_info, + * the parameter will has some visually distinctive marking in + * the UI. + * + * 'description' is a short sentence describing the parameter + * 'choice' is rendered as a drop-down list. The first parameter in the + * list will be activated by default + * 'boolean' is rendered as a checkbox. The resulting parameter will be + * either 'true' or 'false' + * 'string' allows any characters + * 'number' allows only numbers + * 'password' is rendered as a password field (the characters are replaced + * with *'s when being types. This parameter is not passed through to + * the plugin. It is instead inserted directly into the password cache + * keyed on the instance name. The value of the parameter + * 'bindPWPrompt' (see example below) is set to the key. 
+ *
+ * In addition to the configurable parameters, the following magic parameters
+ * may be defined:
+ *
+ * HELP_TOKEN;helptoken - a pointer to the online manual section for this plugin
+ * HELP_TEXT;helptext - a general help string describing the plugin
+ *
+ * For example:
+ * "username;string;The username you wish to login as"
+ * "bindPWPrompt;password;Enter password to bind as above user with"
+ * "algorithm;choice(RSA,DSA);Which algorithm do you want to use"
+ * "enable;boolean;Do you want to run this plugin"
+ * "port;number;Which port number do you want to use"
+ *
+ */
+ public String[] getExtendedPluginInfo(Locale locale);
+
+}
diff --git a/base/common/src/com/netscape/certsrv/base/IPluginImpl.java b/base/common/src/com/netscape/certsrv/base/IPluginImpl.java
new file mode 100644
index 000000000..a7a0560b5
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/IPluginImpl.java
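Review bot: The entry format in the `getExtendedPluginInfo` javadoc renders as `;[,required];;...`, so the field placeholders are missing from the generated documentation; if they are written as angle-bracket tokens in the source, javadoc treats them as HTML tags and drops them, and they need to be escaped, e.g. `&lt;name&gt;;&lt;type_info&gt;[,required];&lt;description&gt;`. The same paragraph contains "the parameter will has some" and "when being types" ("will have", "being typed"). This description is repeated verbatim on `ExtendedPluginInfo.getExtendedPluginInfo` earlier in the diff; keeping it on the interface only and using `{@inheritDoc}` in the class would stop the two copies drifting, especially the sentence describing how `password` parameters are kept out of the plugin and stored in the password cache, which callers rely on.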
@@ -0,0 +1,104 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.base; + +import java.util.Vector; + +/** + * This interface represents a plugin instance. + * + * @version $Revision$, $Date$ + */ +public interface IPluginImpl { + + public static final String PROP_IMPLNAME = "implName"; + + /** + * Gets the description for this plugin instance. + *

+ * + * @return The Description for this plugin instance. + */ + public String getDescription(); + + /** + * Returns the name of the plugin class. + *

+ * + * @return The name of the plugin class. + */ + public String getImplName(); + + /** + * Returns the name of the plugin instance. + *

+ * + * @return The name of the plugin instance. If none is set + * the name of the implementation will be returned.xxxx + */ + public String getInstanceName(); + + /** + * Initializes this plugin instance. + * + * @param sys parent subsystem + * @param instanceName instance name of this plugin + * @param className class name of this plugin + * @param config configuration store + * @exception EBaseException failed to initialize + */ + public void init(ISubsystem sys, String instanceName, String className, + IConfigStore config) + throws EBaseException; + + /** + * Shutdowns this plugin. + */ + public void shutdown(); + + /** + * Retrieves the configuration store. + * + * @return configuration store + */ + public IConfigStore getConfigStore(); + + /** + * Return configured parameters for a plugin instance. + * + * @return nvPairs A Vector of name/value pairs. Each name/value + * pair is constructed as a String in name=value format. + */ + public Vector getInstanceParams(); + + /** + * Retrieves a list of configuration parameter names. + * + * @return a list of parameter names + */ + public String[] getConfigParams(); + + /** + * Return default parameters for a plugin implementation. + * + * @return nvPairs A Vector of name/value pairs. Each name/value + * pair is constructed as a String in name=value. + */ + public Vector getDefaultParams(); + +} diff --git a/base/common/src/com/netscape/certsrv/base/IPrettyPrintFormat.java b/base/common/src/com/netscape/certsrv/base/IPrettyPrintFormat.java new file mode 100644 index 000000000..67c1b01d1 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/base/IPrettyPrintFormat.java 
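Review bot: The Javadoc for `getInstanceName` carries a stray `xxxx` at the end of its `@return` sentence; it should read `@return The name of the plugin instance. If none is set the name of the implementation will be returned.` The `getInstanceParams` and `getDefaultParams` contracts say each element is a `name=value` String yet the return type is a raw `Vector`; since the element type is already documented, `Vector<String>` would let the compiler enforce it. `getConfigParams` should also state whether an implementation with no parameters returns an empty array or null, as callers will iterate over it.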
@@ -0,0 +1,66 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.base; + +/** + * This class will display the certificate content in predefined + * format. + * + * @version $Revision$, $Date$ + */ +public interface IPrettyPrintFormat { + + /** + * Retrieves a pretty print string of the given byte array. + * + * @param in byte array + * @param indentSize indentation size + * @param lineLen length of line + * @param separator separator string + * @return pretty print string + */ + public String toHexString(byte[] in, int indentSize, + int lineLen, String separator); + + /** + * Retrieves a pretty print string of the given byte array. + * + * @param in byte array + * @param indentSize indentation size + * @param lineLen length of line + * @return pretty print string + */ + public String toHexString(byte[] in, int indentSize, int lineLen); + + /** + * Retrieves a pretty print string of the given byte array. + * + * @param in byte array + * @param indentSize indentation size + * @return pretty print string + */ + public String toHexString(byte[] in, int indentSize); + + /** + * Retrieves a pretty print string of the given byte array. 
+ *
+ * @param in byte array
+ * @return pretty print string
+ */
+ public String toHexString(byte[] in);
+}
diff --git a/base/common/src/com/netscape/certsrv/base/ISecurityDomainSessionTable.java b/base/common/src/com/netscape/certsrv/base/ISecurityDomainSessionTable.java
new file mode 100644
index 000000000..24c55d086
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/ISecurityDomainSessionTable.java
@@ -0,0 +1,48 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.base;
+
+import java.util.Enumeration;
+
+/**
+ * This interface defines the abstraction for the cookie table.
+ **/
+public interface ISecurityDomainSessionTable {
+ public static final int SUCCESS = 0;
+ public static final int FAILURE = 1;
+
+ public int addEntry(String cookieId, String ip, String uid, String group);
+
+ public int removeEntry(String sessionId);
+
+ public boolean isSessionIdExist(String sessionId);
+
+ public String getIP(String sessionId);
+
+ public String getUID(String sessionId);
+
+ public String getGroup(String sessionId);
+
+ public long getBeginTime(String sessionId);
+
+ public int getSize();
+
+ public long getTimeToLive();
+
+ public Enumeration getSessionIds();
+}
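Review bot: None of the methods of `ISecurityDomainSessionTable` are documented, and for a table that maps a session cookie to an IP, uid and group that leaves the security-relevant contract open: nothing states whether `isSessionIdExist` and the getters honour `getTimeToLive()` measured from `getBeginTime`, or who is responsible for purging expired entries. A class comment such as `Entries older than getTimeToLive() are treated as absent by isSessionIdExist and the accessors; the implementation purges them` (or the opposite, if an implementation only reports raw presence) would make the expectation explicit, and the unit of the two `long` values should be stated. The `int` result of `addEntry`/`removeEntry` is only meaningful against the `SUCCESS`/`FAILURE` constants, so `@return SUCCESS or FAILURE` belongs on both. `Enumeration` could be `Enumeration<String>`, since the keys are the `String` session ids passed to `addEntry`.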
diff --git a/base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java b/base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java new file mode 100644 index 000000000..eb848c54e --- /dev/null +++ b/base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java @@ -0,0 +1,81 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.base; + +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.io.Serializable; +import java.util.Enumeration; + +/** + * An interface that represents the source that creates the configuration + * store tree. Note that the tree can be built based on the information + * from a text file or ldap entries. + * + * @see com.netscape.certsrv.base.IConfigStore + * + * @version $Revision$, $Date$ + */ +public interface ISourceConfigStore extends Serializable { + + /** + * Gets a property. + *

+ * + * @param name The property name + * @return property value + */ + public String get(String name); + + /** + * Retrieves a property. + *

+ * + * @param name The property name + * @param value The property value + */ + public String put(String name, String value); + + /** + * Returns an enumeration of the config store's keys. + *

+ * + * @return a list of keys + * @see java.util.Hashtable#elements + * @see java.util.Enumeration + */ + public Enumeration keys(); + + /** + * Reads a config store from an input stream. + * + * @param in input stream where the properties are located + * @exception IOException If an IO error occurs while loading from input. + */ + public void load(InputStream in) throws IOException; + + /** + * Stores this config store to the specified output stream. + * + * @param out output stream where the properties should be serialized + * @param header optional header to be serialized + */ + public void save(OutputStream out, String header); + +} diff --git a/base/common/src/com/netscape/certsrv/base/ISubsystem.java b/base/common/src/com/netscape/certsrv/base/ISubsystem.java new file mode 100644 index 000000000..7b2a37d7d --- /dev/null +++ b/base/common/src/com/netscape/certsrv/base/ISubsystem.java @@ -0,0 +1,78 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.base; + +/** + * An interface represents a CMS subsystem. CMS is made up of a list + * subsystems. Each subsystem is responsible for a set of + * speciailized functions. + *
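Review bot: The Javadoc on `put` is wrong: it says `Retrieves a property.` and has no `@return`, although the method returns a `String`; it should read `Sets a property.` with a `@return` that says what the String is, presumably the previous value or null, which only the implementation outside this hunk can confirm. `save(OutputStream, String)` declares no `IOException` although it writes to a stream, so how a write failure is reported should be documented, or the signature should throw `IOException` like `load` does. The `keys()` doc cross-references `Hashtable#elements`, which returns values rather than keys; `Hashtable#keys` is the matching reference.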

+ * + * @version $Revision$, $Date$ + */ +public interface ISubsystem { + + /** + * Retrieves the name of this subsystem. + * + * @return subsystem identifier + */ + public String getId(); + + /** + * Sets specific to this subsystem. + * + * @param id subsystem identifier + * @exception EBaseException failed to set id + */ + public void setId(String id) throws EBaseException; + + /** + * Initializes this subsystem with the given configuration + * store. + *

+ * + * @param owner owner of this subsystem + * @param config configuration store + * @exception EBaseException failed to initialize + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException; + + /** + * Notifies this subsystem if owner is in running mode. + * + * @exception EBaseException failed to start up + */ + public void startup() throws EBaseException; + + /** + * Stops this system. The owner may call shutdown + * anytime after initialization. + *

+ */ + public void shutdown(); + + /** + * Returns the root configuration storage of this system. + *

+ * + * @return configuration store of this subsystem + */ + public IConfigStore getConfigStore(); +} diff --git a/base/common/src/com/netscape/certsrv/base/ISubsystemSource.java b/base/common/src/com/netscape/certsrv/base/ISubsystemSource.java new file mode 100644 index 000000000..f6bb6378b --- /dev/null +++ b/base/common/src/com/netscape/certsrv/base/ISubsystemSource.java @@ -0,0 +1,36 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.base; + +/** + * An interface represents a subsystem source. A subsystem + * source is a container that manages multiple subsystems. + *
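Review bot: The Javadoc for `setId` reads `Sets specific to this subsystem.`, which is missing its object; it should say `Sets the identifier of this subsystem.` The `startup` summary `Notifies this subsystem if owner is in running mode.` does not say what the subsystem is expected to do, and `Starts this subsystem; the owner calls it once it is running, after init.` states the `init`/`startup`/`shutdown` ordering that implementors need. `getId` is described only as `subsystem identifier`, without saying whether it may be null before `setId` is called; stating that would help callers.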

+ *
+ * @version $Revision$, $Date$
+ */
+public interface ISubsystemSource {
+
+ /**
+ * Retrieves subsystem from the source.
+ *
+ * @param sid subsystem identifier
+ * @return subsystem
+ */
+ public ISubsystem getSubsystem(String sid);
+}
diff --git a/base/common/src/com/netscape/certsrv/base/ITimeSource.java b/base/common/src/com/netscape/certsrv/base/ITimeSource.java
new file mode 100644
index 000000000..1e7dd0fb0
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/ITimeSource.java
@@ -0,0 +1,41 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.base;
+
+import java.util.Date;
+
+/**
+ * This interface represents a time source where
+ * current time can be retrieved. CMS is installed
+ * with a default time source that returns
+ * current time based on the system time. It is
+ * possible to register a time source that returns
+ * the current time from a NTP server.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface ITimeSource {
+
+ /**
+ * Retrieves current time and date.
+ *
+ * @return current time and date
+ */
+ public Date getCurrentDate();
+
+}
diff --git a/base/common/src/com/netscape/certsrv/base/KeyGenInfo.java b/base/common/src/com/netscape/certsrv/base/KeyGenInfo.java new file mode 100644 index 000000000..8c13fca56 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/base/KeyGenInfo.java @@ -0,0 +1,229 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.base; + +import java.io.IOException; + +import com.netscape.cmsutil.util.Utils; + +import netscape.security.util.DerInputStream; +import netscape.security.util.DerValue; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.X509Key; + +/** + * + * The KeyGenInfo represents the information generated by + * the KeyGen tag of the HTML forms. It provides the parsing and accessing + * mechanisms. + *

+ * + *

+ * SignedPublicKeyAndChallenge ::= SEQUENCE {
+ *      publicKeyAndChallenge PublicKeyAndChallenge,
+ *      signatureAlgorithm AlgorithmIdentifier,
+ *      signature BIT STRING
+ * }
+ * 
+ * PublicKeyAndChallenge ::= SEQUENCE {
+ *      spki SubjectPublicKeyInfo,
+ *      challenge IA5STRING
+ * }
+ * 
+ * + * + * @version $Revision$, $Date$ + */ + +public class KeyGenInfo { + + /*========================================================== + * variables + *==========================================================*/ + private String mSPKACString; + private byte mPKAC[]; + private byte mSPKAC[]; + private X509Key mSPKI; + private DerValue mDerSPKI; + private String mChallenge; + private DerValue mDerChallenge; + private byte mSignature[]; + private AlgorithmId mAlgId; + + /*========================================================== + * constructors + *==========================================================*/ + + /** + * Construct empty KeyGenInfo. Need to call decode function + * later to initialize. + */ + public KeyGenInfo() { + + } + + /** + * Construct KeyGenInfo using the SignedPublicKeyAndChallenge + * string representation. + * + * @param spkac SignedPublicKeyAndChallenge string representation + */ + public KeyGenInfo(String spkac) + throws IOException { + decode(spkac); + } + + /*========================================================== + * public methods + *==========================================================*/ + + /** + * Initialize using the SPKAC string + * + * @param spkac SPKAC string from the end user + */ + public void decode(String spkac) throws IOException { + mSPKACString = spkac; + mSPKAC = base64Decode(spkac); + derDecode(mSPKAC); + } + + /** + * Der encoded into buffer + * + * @return Der encoded buffer + */ + public byte[] encode() { + return mSPKAC; + } + + /** + * Get SPKI in DerValue form + * + * @return SPKI in DerValue form + */ + public DerValue getDerSPKI() { + return mDerSPKI; + } + + /** + * Get SPKI as X509Key + * + * @return SPKI in X509Key form + */ + public X509Key getSPKI() { + return mSPKI; + } + + /** + * Get Challenge phrase in DerValue form + * + * @return Challenge in DerValue form. null if none. 
+ */
+ public DerValue getDerChallenge() {
+ return mDerChallenge;
+ }
+
+ /**
+ * Get Challenge phrase in string format
+ *
+ * @return challenge phrase. null if none.
+ */
+ public String getChallenge() {
+ return mChallenge;
+ }
+
+ /**
+ * Get Signature
+ *
+ * @return signature
+ */
+ public byte[] getSignature() {
+ return mSignature;
+ }
+
+ /**
+ * Get Algorithm ID
+ *
+ * @return the algorithm id
+ */
+ public AlgorithmId getAlgorithmId() {
+ return mAlgId;
+ }
+
+ /**
+ * Validate Signature and Challenge Phrase
+ *
+ * @param challenge phrase; null if none
+ * @return true if validated; otherwise, false
+ */
+ public boolean validateChallenge(String challenge) {
+ if (challenge != null) {
+ if (!challenge.equals(mChallenge)) {
+ return false;
+ }
+ }
+ return true;
+ }
+
+ /**
+ * String representation of KenGenInfo
+ *
+ * @return string representation of KeGenInfo
+ */
+ public String toString() {
+ if (mSPKACString != null)
+ return mSPKACString;
+ return "";
+ }
+
+ /*==========================================================
+ * private methods
+ *==========================================================*/
+
+ private byte[] base64Decode(String spkac)
+ throws IOException {
+
+ return Utils.base64decode(spkac);
+ }
+
+ private void derDecode(byte spkac[])
+ throws IOException {
+ DerInputStream derIn = new DerInputStream(spkac);
+
+ /* get SPKAC Algorithm & Signature */
+ DerValue derSPKACContent[] = derIn.getSequence(3);
+
+ mAlgId = AlgorithmId.parse(derSPKACContent[1]);
+ mSignature = derSPKACContent[2].getBitString();
+
+ /* get PKAC SPKI & Challenge */
+ mPKAC = derSPKACContent[0].toByteArray();
+ derIn = new DerInputStream(mPKAC);
+ DerValue derPKACContent[] = derIn.getSequence(2);
+
+ mDerSPKI = derPKACContent[0];
+ mSPKI = X509Key.parse(derPKACContent[0]);
+
+ mDerChallenge = derPKACContent[1];
+ if (mDerChallenge.length() != 0)
+ mChallenge = derPKACContent[1].getIA5String();
+
+ }
+
+}
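Review bot: `validateChallenge` is documented as `Validate Signature and Challenge Phrase`, but its body only compares the supplied challenge with `mChallenge`; the signature decoded into `mSignature`/`mAlgId` is never verified anywhere in this class, so a caller relying on this method gets no proof that the submitter holds the private key matching the SPKI. Either narrow the Javadoc to `Compares the supplied challenge with the one carried in the SPKAC; the signature is not checked here` or add a verification step such as the `verifySignature` method sketched below, which checks the signature over the raw `PublicKeyAndChallenge` bytes kept in `mPKAC` with the enclosed key. Whether `mAlgId.getName()` yields an algorithm name that `Signature.getInstance` accepts, and whether the netscape `X509Key` can be passed as a `PublicKey`, depends on classes outside this hunk and needs confirming. Separately, `derDecode` takes the string from the end user and indexes `derSPKACContent[1]`/`[2]` and `derPKACContent[1]` without checking the lengths of the arrays returned by `getSequence`, so a truncated SPKAC would presumably surface as an `ArrayIndexOutOfBoundsException` rather than the declared `IOException`. A check such as `if (derSPKACContent.length != 3) throw new IOException("malformed SPKAC");` (and the same for the two-element PKAC) keeps the failure mode consistent for malformed input.
```java
    /**
     * Verifies the SPKAC signature over the PublicKeyAndChallenge bytes
     * using the public key carried in the SPKAC.
     *
     * @return true if the signature verifies; false otherwise
     * @throws GeneralSecurityException if the algorithm is unsupported
     */
    public boolean verifySignature() throws GeneralSecurityException {
        if (mPKAC == null || mSignature == null || mSPKI == null || mAlgId == null)
            return false;
        // TODO confirm that AlgorithmId.getName() is a JCA signature name
        Signature sig = Signature.getInstance(mAlgId.getName());
        sig.initVerify(mSPKI);
        sig.update(mPKAC);
        return sig.verify(mSignature);
    }
    // … unchanged: validateChallenge, toString, base64Decode, derDecode …
```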
diff --git a/base/common/src/com/netscape/certsrv/base/MessageFormatter.java b/base/common/src/com/netscape/certsrv/base/MessageFormatter.java new file mode 100644 index 000000000..903b534e0 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/base/MessageFormatter.java @@ -0,0 +1,155 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.base; + +import java.lang.reflect.Method; +import java.text.MessageFormat; +import java.util.Date; +import java.util.Locale; +import java.util.MissingResourceException; +import java.util.ResourceBundle; + +/** + * Factors out common function of formatting internatinalized + * messages taking arguments and using java.util.ResourceBundle + * and java.text.MessageFormat mechanism. + *

+ * + * @version $Revision$, $Date$ + * @see java.text.MessageFormat + * @see java.util.ResourceBundle + */ +public class MessageFormatter { + + private static final Class[] toStringSignature = { Locale.class }; + + /** + * Retrieves the localized string. + * + * @param locale end user locale + * @param resourceBundleBaseName resource bundle class name + * @param formatString format string + * @return localized string + */ + public static String getLocalizedString( + Locale locale, String resourceBundleBaseName, + String formatString) { + return getLocalizedString(locale, resourceBundleBaseName, + formatString, null); + } + + /** + * Retrieves the localized string. + * + * @param locale end user locale + * @param resourceBundleBaseName resource bundle class name + * @param formatString format string + * @param params parameters to be substituted + * @return localized string + */ + public static String getLocalizedString( + Locale locale, String resourceBundleBaseName, + String formatString, Object params) { + Object o[] = new Object[1]; + + o[0] = params; + return getLocalizedString(locale, resourceBundleBaseName, + formatString, o); + } + + /** + * Retrieves the localized string. + * + * @param locale end user locale + * @param resourceBundleBaseName resource bundle class name + * @param formatString format string + * @param params parameters to be substituted + * @return localized string + */ + public static String getLocalizedString( + Locale locale, String resourceBundleBaseName, + String formatString, Object[] params) { + + String localizedFormat = null; + + try { + try { + // if you are worried about the efficiency of the + // following line, dont worry. ResourceBundle has + // an internal cache. So resource bundle wont be + // instantiated everytime you call toString(). 
+ + localizedFormat = ResourceBundle.getBundle( + resourceBundleBaseName, locale).getString(formatString); + } catch (MissingResourceException e) { + return formatString; + + } + Object[] localizedParams = params; + Object[] localeArg = null; + + if (params != null) { + for (int i = 0; i < params.length; ++i) { + if (!(params[i] instanceof String) || + !(params[i] instanceof Date) || + !(params[i] instanceof Number)) { + if (localizedParams == params) { + + // only done once + // NB if the following variant of cloning code is used + // localizedParams = (Object [])mParams.clone(); + // it causes ArrayStoreException in + // localizedParams[i] = params[i].toString(); + // below + + localizedParams = new Object[params.length]; + System.arraycopy(params, 0, localizedParams, 0, + params.length); + } + try { + Method toStringMethod = params[i].getClass().getMethod( + "toString", toStringSignature); + + if (localeArg == null) { + // only done once + localeArg = new Object[] { locale }; + } + localizedParams[i] = toStringMethod.invoke( + params[i], localeArg); + } catch (Exception e) { + // no method for localization, fall back + localizedParams[i] = params[i].toString(); + } + } + } + } + try { + // XXX - runtime exception may be raised by the following function + MessageFormat format = new MessageFormat(localizedFormat); + + return format.format(localizedParams); + } catch (IllegalArgumentException e) { + // XXX - for now, we just print the unformatted message + // if the exception is raised + return localizedFormat; + } + } catch (Exception e) { + return localizedFormat; + } + } +} diff --git a/base/common/src/com/netscape/certsrv/base/MetaAttributeDef.java b/base/common/src/com/netscape/certsrv/base/MetaAttributeDef.java new file mode 100644 index 000000000..3a7bac977 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/base/MetaAttributeDef.java 
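Review bot: The guard `if (!(params[i] instanceof String) || !(params[i] instanceof Date) || !(params[i] instanceof Number))` is always true, because no object is a `String`, a `Date` and a `Number` at once, so the intended shortcut for those types never fires and every argument goes through `getMethod("toString", Locale)` plus a caught `NoSuchMethodException`; joining the three tests with `&&` expresses the intent. A `null` element in `params` reaches `params[i].getClass()` and throws `NullPointerException`, which the outer `catch (Exception e)` turns into returning the unformatted pattern with no arguments substituted at all; prefixing the guard with `params[i] != null &&` lets `MessageFormat` render the null as it normally would. `MessageFormatter` exposes only static methods, so a private constructor would document that it is not meant to be instantiated.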
@@ -0,0 +1,198 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.base; + +import java.util.Enumeration; +import java.util.Hashtable; + +import netscape.security.util.ObjectIdentifier; + +/** + * A class representing a meta attribute defintion. + *

+ * + * @version $Revision$, $Date$ + */ +public class MetaAttributeDef { + + private String mName; + private ObjectIdentifier mOid; + private Class mValueClass; + private static Hashtable mNameToAttrDef = new Hashtable(); + private static Hashtable mOidToAttrDef = + new Hashtable(); + + private MetaAttributeDef() { + } + + /** + * Constructs a MetaAttribute defintion + *

+ * + * @param name attribute name + * @param valueClass attribute value class + * @param oid attribute object identifier + */ + private MetaAttributeDef(String name, Class valueClass, + ObjectIdentifier oid) { + mName = name; + mValueClass = valueClass; + mOid = oid; + } + + /** + * Gets an attribute OID. + *

+ * + * @return returns attribute OID or null if not defined. + */ + public ObjectIdentifier getOID() { + return mOid; + } + + /** + * Gets an Java class for the attribute values + *

+ * + * @return returns Java class for the attribute values + */ + public Class getValueClass() { + return mValueClass; + } + + /** + * Gets attribute name + *

+ * + * @return returns attribute name + */ + public String getName() { + return mName; + } + + /** + * Registers new MetaAttribute defintion + * Attribute is defined by name, Java class for attribute values and + * optional object identifier + *

+ * + * @param name attribute name + * @param valueClass attribute value class + * @param oid attribute object identifier + * @exception IllegalArgumentException if name or valueClass are null, or + * conflicting attribute definition already exists + */ + public static MetaAttributeDef register(String name, Class valueClass, + ObjectIdentifier oid) { + if (name == null) { + throw new IllegalArgumentException( + "Attribute name must not be null"); + } + if (valueClass == null) { + throw new IllegalArgumentException( + "Attribute value class must not be null"); + } + + MetaAttributeDef newDef = new MetaAttributeDef(name, valueClass, oid); + MetaAttributeDef oldDef; + + if ((oldDef = (MetaAttributeDef) mNameToAttrDef.get(name)) != null && + !oldDef.equals(newDef)) { + throw new IllegalArgumentException( + "Attribute \'" + name + "\' is already defined"); + } + if (oid != null && + (oldDef = (MetaAttributeDef) mOidToAttrDef.get(oid)) != null && + !oldDef.equals(newDef)) { + throw new IllegalArgumentException( + "OID \'" + oid + "\' is already in use"); + } + mNameToAttrDef.put(name, newDef); + if (oid != null) { + mOidToAttrDef.put(oid, newDef); + } + return newDef; + } + + /** + * Compares this attribute definition with another, for equality. + *

+ * + * @return true iff names, valueClasses and object identifiers + * are identical. + */ + public boolean equals(Object other) { + if (other == this) + return true; + + if (other instanceof MetaAttributeDef) { + MetaAttributeDef otherDef = (MetaAttributeDef) other; + + if ((mOid != null && otherDef.mOid != null && + !mOid.equals(otherDef.mOid)) || + (mOid == null && otherDef.mOid != null) || + !mName.equals(otherDef.mName) || + !mValueClass.equals(otherDef.mValueClass)) { + return false; + } + } + return false; + } + + /** + * Retrieves attribute definition by name + *

+ * + * @param name attribute name + * @return attribute definition or null if not found + */ + public static MetaAttributeDef forName(String name) { + return (MetaAttributeDef) mNameToAttrDef.get(name); + } + + /** + * Retrieves attribute definition by object identifier + *

+ * + * @param oid attribute object identifier + * @return attribute definition or null if not found + */ + public static MetaAttributeDef forOID(ObjectIdentifier oid) { + return (MetaAttributeDef) mOidToAttrDef.get(oid); + } + + /** + * Returns enumeration of the registered attribute names + *

+ * + * @return returns enumeration of the registered attribute names + */ + public static Enumeration getAttributeNames() { + return mNameToAttrDef.keys(); + } + + /** + * Returns enumeration of the registered attribute object identifiers + *

+ * + * @return returns enumeration of the attribute object identifiers + */ + public static Enumeration getAttributeNameOids() { + return mOidToAttrDef.keys(); + } +} diff --git a/base/common/src/com/netscape/certsrv/base/MetaInfo.java b/base/common/src/com/netscape/certsrv/base/MetaInfo.java new file mode 100644 index 000000000..8aed6b840 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/base/MetaInfo.java @@ -0,0 +1,115 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.base; + +import java.util.Enumeration; +import java.util.Hashtable; + +/** + * A class represents meta information. A meta information + * object is just a generic hashtable that is embedded into + * a request object. + *
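Review bot: `equals` never returns true for two distinct but identical definitions: the `instanceof` branch returns false on a mismatch and otherwise falls through to the trailing `return false`, so only `other == this` succeeds. `register` relies on `!oldDef.equals(newDef)` to tolerate re-registering the same name, value class and OID, so as written a second identical registration throws `Attribute '...' is already defined`; the fix is a `return true;` at the end of the `instanceof` block. With `equals` overridden, `hashCode` should be overridden consistently, for example over `mName`, `mValueClass` and `mOid`. `register` also does a check-then-put on the two static `Hashtable`s without holding a lock across both steps, so concurrent registrations could presumably race; whether that can happen depends on how plugins are loaded, which is outside this hunk.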

+ * + * @version $Revision$, $Date$ + */ +public class MetaInfo implements IAttrSet { + + /** + * + */ + private static final long serialVersionUID = 7722068404789828101L; + public static final String REQUEST_ID = "requestId"; + public static final String IN_LDAP_PUBLISH_DIR = "inLdapPublishDir"; + + private Hashtable content = new Hashtable(); + + /** + * Constructs a meta information. + *

+ */ + public MetaInfo() { + } + + /** + * Returns a short string describing this certificate attribute. + *

+ * + * @return information about this certificate attribute. + */ + public String toString() { + StringBuffer sb = new StringBuffer(); + + sb.append("[\n"); + sb.append(" Meta information:\n"); + Enumeration enum1 = content.keys(); + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + + sb.append(" " + key + " : " + content.get(key) + "\n"); + } + sb.append("]\n"); + return sb.toString(); + } + + /** + * Gets an attribute value. + *

+ * + * @param name the name of the attribute to return. + * @exception EBaseException on attribute handling errors. + */ + public Object get(String name) throws EBaseException { + return content.get(name); + } + + /** + * Sets an attribute value. + * + * @param name the name of the attribute + * @param obj the attribute object. + * + * @exception EBaseException on attribute handling errors. + */ + public void set(String name, Object obj) throws EBaseException { + content.put(name, obj); + } + + /** + * Deletes an attribute value from this CertAttrSet. + *

+ * + * @param name the name of the attribute to delete. + * @exception EBaseException on attribute handling errors. + */ + public void delete(String name) throws EBaseException { + content.remove(name); + } + + /** + * Returns an enumeration of the names of the attributes existing within + * this attribute. + *

+ *
+ * @return an enumeration of the attribute names.
+ */
+ public Enumeration getElements() {
+ return content.keys();
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/base/Nonces.java b/base/common/src/com/netscape/certsrv/base/Nonces.java
new file mode 100644
index 000000000..cc0231ac3
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/Nonces.java
@@ -0,0 +1,123 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.base;
+
+import java.security.cert.X509Certificate;
+import java.util.Hashtable;
+import java.util.Vector;
+
+/**
+ * This class manages nonces sometimes used to control request state flow.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class Nonces {
+
+ private Hashtable mNonces = new Hashtable();
+ private Vector mNonceList = new Vector();
+ private int mNonceLimit;
+
+ /**
+ * Constructs nonces.
+ */
+ public Nonces() {
+ this(100);
+ }
+
+ public Nonces(int limit) {
+ mNonceLimit = limit;
+ }
+
+ public long addNonce(long nonce, X509Certificate cert) {
+ long i;
+ long k = 0;
+ long n = nonce;
+ long m = (long) ((mNonceLimit / 2) + 1);
+
+ for (i = 0; i < m; i++) {
+ k = n + i;
+ // avoid collisions
+ if (!mNonceList.contains((Object) k)) {
+ break;
+ }
+ k = n - i;
+ // avoid collisions
+ if (!mNonceList.contains((Object) k)) {
+ break;
+ }
+ }
+ if (i < m) {
+ mNonceList.add(k);
+ mNonces.put(k, cert);
+ if (mNonceList.size() > mNonceLimit) {
+ n = ((Long) (mNonceList.firstElement())).longValue();
+ mNonceList.remove(0);
+ mNonces.remove((Object) n);
+ }
+ } else {
+ // failed to resolved collision
+ k = -nonce;
+ }
+ return k;
+ }
+
+ public X509Certificate getCertificate(long nonce) {
+ X509Certificate cert = (X509Certificate) mNonces.get(nonce);
+ return cert;
+ }
+
+ public X509Certificate getCertificate(int index) {
+ X509Certificate cert = null;
+ if (index >= 0 && index < mNonceList.size()) {
+ long nonce = ((Long) (mNonceList.elementAt(index))).longValue();
+ cert = (X509Certificate) mNonces.get(nonce);
+ }
+ return cert;
+ }
+
+ public long getNonce(int index) {
+ long nonce = 0;
+ if (index >= 0 && index < mNonceList.size()) {
+ nonce = ((Long) (mNonceList.elementAt(index))).longValue();
+ }
+ return nonce;
+ }
+
+ public void removeNonce(long nonce) {
+ mNonceList.remove((Object) nonce);
+ mNonces.remove((Object) nonce);
+ }
+
+ public int size() {
+ return mNonceList.size();
+ }
+
+ public int maxSize() {
+ return mNonceLimit;
+ }
+
+ public void clear() {
+ mNonceList.clear();
+ mNonces.clear();
+ }
+
+ public boolean isInSync() {
+ return (mNonceList.size() == mNonces.size());
+ }
+}
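Review bot: The javadoc on `get` has `@param` and `@exception` tags but no `@return`, and the summary of `toString` ("Returns a short string describing this certificate attribute") looks copied from a certificate-attribute class, since this object holds request meta information. I would add `@return the attribute value, or null if no attribute of that name is set` to `get`, and change the `toString` summary to `Returns a printable dump of all meta information entries.` Note that `toString` emits every stored value via string concatenation, so whatever callers place into a MetaInfo ends up in any log line that prints the request; that is worth stating in the class javadoc so callers do not store anything sensitive here.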
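Review bot: In `addNonce` the `contains` probe and the `mNonceList.add`/`mNonces.put` that follow are separate calls, so `Hashtable` and `Vector` synchronizing each call individually does not make the collision check atomic: two threads adding the same `nonce` can both see `k` as free and both insert it, leaving a duplicate in `mNonceList` and `isInSync()` returning false. Since this class appears to bind a nonce to the requester's certificate, the add, evict and `removeNonce`/`clear` paths should be guarded as a unit, most simply by declaring `addNonce`, `removeNonce` and `clear` as `synchronized`; `getCertificate(int)` and `getNonce(int)` have the same check-then-index gap between `size()` and `elementAt`. The collision-resolution contract is also invisible to callers and deserves a javadoc on `addNonce`: the caller supplies the nonce, the method may return a nearby value instead when the requested one is taken, and it returns `-nonce` when no free value is found within `mNonceLimit / 2 + 1` steps.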
diff --git a/base/common/src/com/netscape/certsrv/base/PasswordResources.java b/base/common/src/com/netscape/certsrv/base/PasswordResources.java new file mode 100644 index 000000000..c3309c5fa --- /dev/null +++ b/base/common/src/com/netscape/certsrv/base/PasswordResources.java @@ -0,0 +1,42 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.base; + +import java.util.ListResourceBundle; + +/** + * A class represents a resource bundle for the password checker. + *

+ * + * @version $Revision$, $Date$ + * @see java.util.ListResourceBundle + */ +public class PasswordResources extends ListResourceBundle { + + /** + * Returns the content of this resource. + */ + public Object[][] getContents() { + return contents; + } + + /* + * Constants. The suffix represents the number of possible parameters. + */ + static final Object[][] contents = {}; +} diff --git a/base/common/src/com/netscape/certsrv/base/Plugin.java b/base/common/src/com/netscape/certsrv/base/Plugin.java new file mode 100644 index 000000000..79fae88ac --- /dev/null +++ b/base/common/src/com/netscape/certsrv/base/Plugin.java @@ -0,0 +1,59 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.base; + +/** + * This represents a generici CMS plugin. + *

+ *
+ * @version $Revision$, $Date$
+ */
+public class Plugin {
+
+ private String mId = null;
+ private String mClassPath = null;
+
+ /**
+ * Constructs a plugin.
+ *
+ * @param id plugin implementation name
+ * @param classPath class path
+ */
+ public Plugin(String id, String classPath) {
+ mId = id;
+ mClassPath = classPath;
+ }
+
+ /**
+ * Returns the plugin identifier.
+ *
+ * @return plugin id
+ */
+ public String getId() {
+ return mId;
+ }
+
+ /**
+ * Returns the plugin classpath.
+ *
+ * @return plugin classpath
+ */
+ public String getClassPath() {
+ return mClassPath;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/base/SessionContext.java b/base/common/src/com/netscape/certsrv/base/SessionContext.java
new file mode 100644
index 000000000..b4ecd1241
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/base/SessionContext.java
@@ -0,0 +1,166 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.base;
+
+import java.util.Hashtable;
+
+/**
+ * This class specifies the context object that includes
+ * authentication environment and connection information.
+ * This object is later used in access control evaluation.
+ * This is a global object that can be accessible
+ * throughout the server. It is useful for passing
+ * global and per-thread infomration in methods.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class SessionContext extends Hashtable {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -3376355842991589505L;
+
+ /**
+ * End user locale of the current processing request in the current thread.
+ */
+ public static final String LOCALE = "locale"; // Locale
+
+ /**
+ * Authentication token in the current thread.
+ */
+ public static final String AUTH_TOKEN = "AuthToken"; // IAuthToken
+
+ /**
+ * ID of the authentication manager in the current thread.
+ */
+ public static final String AUTH_MANAGER_ID = "authManagerId"; // String
+
+ /**
+ * User object of the authenticated user in the current thread.
+ */
+ public static final String USER = "user"; // IUser
+
+ /**
+ * User ID of the authenticated user in the current thread.
+ */
+ public static final String USER_ID = "userid"; // String
+
+ /**
+ * Group ID of the authenticated user in the current thread.
+ */
+ public static final String GROUP_ID = "groupid"; //String
+
+ /**
+ * ID of the processing request in the current thread.
+ */
+ public static final String REQUESTER_ID = "requesterID"; // String
+
+ /**
+ * Recovery ID of a recovery operation in KRA in the current thread.
+ */
+ public static final String RECOVERY_ID = "recoveryID"; // String
+
+ /**
+ * IP Address of the requestor of the request in the current thread.
+ */
+ public static final String IPADDRESS = "ipAddress";
+
+ private static Hashtable mContexts = new Hashtable();
+
+ /**
+ * Constructs a session context.
+ */
+ public SessionContext() {
+ super();
+ }
+
+ /**
+ * Creates a new context and associates it with
+ * the current thread. If the current thread is
+ * also associated with a old context, the old
+ * context will be replaced.
+ */
+ private static SessionContext createContext() {
+ SessionContext sc = new SessionContext();
+
+ setContext(sc);
+ return sc;
+ }
+
+ /**
+ * Sets the current context. This allows the
+ * caller to associate a specific session context
+ * with the current thread.
+ * This methods makes custom session context
+ * possible.
+ *
+ * @param sc session context
+ */
+ public static void setContext(SessionContext sc) {
+ mContexts.put(Thread.currentThread(), sc);
+ }
+
+ /**
+ * Retrieves the session context associated with
+ * the current thread. If no context is associated,
+ * a context is created.
+ *
+ * @return sesssion context
+ */
+ public static SessionContext getContext() {
+ SessionContext sc = (SessionContext) mContexts.get(
+ Thread.currentThread());
+
+ if (sc == null) {
+ sc = createContext();
+ }
+ return sc;
+ }
+
+ /**
+ * Retrieves the session context associated with
+ * the current thread. If no context is associated,
+ * null is returned.
+ *
+ * @return sesssion context
+ */
+ public static SessionContext getExistingContext() {
+ SessionContext sc = (SessionContext)
+ mContexts.get(Thread.currentThread());
+
+ if (sc == null) {
+ return null;
+ }
+
+ return sc;
+ }
+
+ /**
+ * Releases the current session context.
+ */
+ public static void releaseContext() {
+ SessionContext sc = (SessionContext) mContexts.get(
+ Thread.currentThread());
+
+ if (sc != null) {
+ mContexts.remove(Thread.currentThread());
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/ca/CAResources.java b/base/common/src/com/netscape/certsrv/ca/CAResources.java
new file mode 100644
index 000000000..dfb72d57d
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/CAResources.java
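Review bot: `mId` and `mClassPath` are assigned exactly once, in the constructor, so the `= null` initializers are redundant and both fields can be `final`: `private final String mId;` and `private final String mClassPath;`. That makes the immutability of a `Plugin` explicit and lets the compiler reject any later accidental reassignment. The class javadoc also has a typo, `generici` for `generic`.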
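Review bot: `releaseContext` is the only method that removes a thread's entry from the static `mContexts` table, yet neither the class javadoc nor `releaseContext` says it must be called when request processing ends; if a pooled worker thread returns without releasing, `getContext()` on the next request served by that thread hands back the previous request's context with its `AUTH_TOKEN`, `USER_ID` and `GROUP_ID` entries still set, and the class javadoc says this object feeds access control evaluation. I would add to both the class javadoc and `releaseContext`: `Code that calls setContext or getContext must call releaseContext in a finally block when the request completes; otherwise the authenticated state remains attached to the thread and is visible to the next request on it.` A `ThreadLocal<SessionContext>` would provide the same per-thread lookup without keeping strong `Thread` keys in a global map, but that is a larger change than this move commit. Separately, the `get` before `remove` in `releaseContext` is redundant since `sc` is never used; `mContexts.remove(Thread.currentThread());` alone has the same effect.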
@@ -0,0 +1,42 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ca; + +import java.util.ListResourceBundle; + +/** + * A class represents a resource bundle for CA subsystem. + *

+ * + * @version $Revision$ $Date$ + */ +public class CAResources extends ListResourceBundle { + + /** + * Returns the content of this resource. + */ + public Object[][] getContents() { + return contents; + } + + /** + * Constants. The suffix represents the number of + * possible parameters. + */ + static final Object[][] contents = {}; +} diff --git a/base/common/src/com/netscape/certsrv/ca/ECAException.java b/base/common/src/com/netscape/certsrv/ca/ECAException.java new file mode 100644 index 000000000..a530b08a5 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ca/ECAException.java @@ -0,0 +1,91 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ca; + +import com.netscape.certsrv.base.EBaseException; + +/** + * A class represents a CA exception. + *

+ * + * @version $Revision$, $Date$ + */ +public class ECAException extends EBaseException { + + /** + * + */ + private static final long serialVersionUID = -2963412888833532478L; + /** + * CA resource class name. + */ + private static final String CA_RESOURCES = CAResources.class.getName(); + + /** + * Constructs a CA exception. + *

+ * + * @param msgFormat constant from CAResources. + */ + public ECAException(String msgFormat) { + super(msgFormat); + } + + /** + * Constructs a CA exception. + *

+ * + * @param msgFormat constant from CAResources. + * @param param additional parameters to the message. + */ + public ECAException(String msgFormat, String param) { + super(msgFormat, param); + } + + /** + * Constructs a CA exception. + *

+ * + * @param msgFormat constant from CAResources. + * @param e embedded exception. + */ + public ECAException(String msgFormat, Exception e) { + super(msgFormat, e); + } + + /** + * Constructs a CA exception. + *

+ * + * @param msgFormat constant from CAResources. + * @param params additional parameters to the message. + */ + public ECAException(String msgFormat, Object params[]) { + super(msgFormat, params); + } + + /** + * Returns the bundle file name. + *

+ * + * @return name of bundle class associated with this exception. + */ + protected String getBundleName() { + return CA_RESOURCES; + } +} diff --git a/base/common/src/com/netscape/certsrv/ca/EErrorPublishCRL.java b/base/common/src/com/netscape/certsrv/ca/EErrorPublishCRL.java new file mode 100644 index 000000000..b4c10a0c5 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ca/EErrorPublishCRL.java @@ -0,0 +1,42 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ca; + +/** + * A class represents a CA exception associated with publishing error. + *

+ * + * @version $Revision$ $Date$ + */ +public class EErrorPublishCRL extends ECAException { + + /** + * + */ + private static final long serialVersionUID = -5773392283237284399L; + + /** + * Constructs a CA exception caused by publishing error. + *

+ *
+ * @param errorString Detailed error message.
+ */
+ public EErrorPublishCRL(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/ca/ICAService.java b/base/common/src/com/netscape/certsrv/ca/ICAService.java
new file mode 100644
index 000000000..1edebcc8b
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/ICAService.java
@@ -0,0 +1,90 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.ca;
+
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.connector.IConnector;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * An interface representing a CA request services.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface ICAService {
+
+ /**
+ * Marks certificate record as revoked by adding revocation information.
+ * Updates CRL cache.
+ *
+ * @param crlentry revocation information obtained from revocation request
+ * @exception EBaseException failed to mark certificate record as revoked
+ */
+ public void revokeCert(RevokedCertImpl crlentry)
+ throws EBaseException;
+
+ /**
+ * Marks certificate record as revoked by adding revocation information.
+ * Updates CRL cache.
+ *
+ * @param crlentry revocation information obtained from revocation request
+ * @param requestId revocation request id
+ * @exception EBaseException failed to mark certificate record as revoked
+ */
+ public void revokeCert(RevokedCertImpl crlentry, String requestId)
+ throws EBaseException;
+
+ /**
+ * Issues certificate base on enrollment information,
+ * creates certificate record, and stores all necessary data.
+ *
+ * @param certi information obtain from revocation request
+ * @exception EBaseException failed to issue certificate or create certificate record
+ */
+ public X509CertImpl issueX509Cert(X509CertInfo certi)
+ throws EBaseException;
+
+ public X509CertImpl issueX509Cert(X509CertInfo certi, String profileId, String rid)
+ throws EBaseException;
+
+ /**
+ * Services profile request.
+ *
+ * @param request profile enrollment request information
+ * @exception EBaseException failed to service profile enrollment request
+ */
+ public void serviceProfileRequest(IRequest request)
+ throws EBaseException;
+
+ /**
+ * Returns KRA-CA connector.
+ *
+ * @return KRA-CA connector
+ */
+ public IConnector getKRAConnector();
+
+ public void setKRAConnector(IConnector c);
+
+ public IConnector getConnector(IConfigStore cs) throws EBaseException;
+}
diff --git a/base/common/src/com/netscape/certsrv/ca/ICMSCRLExtension.java b/base/common/src/com/netscape/certsrv/ca/ICMSCRLExtension.java
new file mode 100644
index 000000000..b3e94d02e
--- /dev/null
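Review bot: The `@param certi` line on the one-argument `issueX509Cert` says the information is obtained from a revocation request, which contradicts the method summary directly above it (enrollment information) and appears to be copied from `revokeCert`; I would change it to `@param certi certificate information obtained from the enrollment request` and add the missing `@return issued certificate`. The three-argument `issueX509Cert`, `setKRAConnector` and `getConnector` carry no javadoc at all while every other member of the interface does; `profileId` and `rid` (presumably the request id, by analogy with `requestId` on `revokeCert`) deserve `@param` entries, and `getConnector` an `@exception EBaseException` describing when the connector cannot be built from the config store.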
+++ b/base/common/src/com/netscape/certsrv/ca/ICMSCRLExtension.java @@ -0,0 +1,72 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ca; + +import netscape.security.x509.Extension; + +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; + +/** + * An interface representing a CRL extension plugin. + *

+ * + * @version $Revision$, $Date$ + */ +public interface ICMSCRLExtension { + + /** + * Returns CRL extension OID string. + * + * @return OID of CRL extension + */ + public String getCRLExtOID(); + + /** + * Sets extension criticality and returns extension + * with new criticality. + * + * @param ext CRL extension that will change criticality + * @param critical new criticality to be assigned to CRL extension + * @return extension with new criticality + */ + Extension setCRLExtensionCriticality(Extension ext, + boolean critical); + + /** + * Builds new CRL extension based on configuration data, + * issuing point information, and criticality. + * + * @param config configuration store + * @param crlIssuingPoint CRL issuing point + * @param critical criticality to be assigned to CRL extension + * @return extension new CRL extension + */ + Extension getCRLExtension(IConfigStore config, + Object crlIssuingPoint, + boolean critical); + + /** + * Reads configuration data and converts them to name value pairs. + * + * @param config configuration store + * @param nvp name value pairs obtained from configuration data + */ + public void getConfigParams(IConfigStore config, + NameValuePairs nvp); +} diff --git a/base/common/src/com/netscape/certsrv/ca/ICMSCRLExtensions.java b/base/common/src/com/netscape/certsrv/ca/ICMSCRLExtensions.java new file mode 100644 index 000000000..6fa520fbf --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ca/ICMSCRLExtensions.java 
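Review bot: The interface mixes `public String getCRLExtOID()` and `public void getConfigParams(...)` with `Extension setCRLExtensionCriticality(...)` and `Extension getCRLExtension(...)` that have no modifier; all four are implicitly public in an interface, so the redundant `public` should be dropped (or applied uniformly) so the declarations read the same. The `@return extension new CRL extension` tag on `getCRLExtension` repeats the word `extension` and would read better as `@return new CRL extension`. `getConfigParams` fills the caller-supplied `nvp` rather than returning anything, which is worth saying explicitly in its summary since its name suggests a getter.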
@@ -0,0 +1,56 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ca; + +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; + +/** + * An interface representing a list of CRL extensions. + *

+ * + * @version $Revision$, $Date$ + */ +public interface ICMSCRLExtensions { + + /** + * Updates configuration store for extension identified by id + * with data delivered in name value pairs. + * + * @param id extension id + * @param nvp name value pairs with new configuration data + * @param config configuration store + */ + public void setConfigParams(String id, NameValuePairs nvp, IConfigStore config); + + /** + * Reads configuration data and returns them as name value pairs. + * + * @param id extension id + * @return name value pairs with configuration data + */ + public NameValuePairs getConfigParams(String id); + + /** + * Returns class name with its path. + * + * @param name extension id + * @return class name with its path + */ + public String getClassPath(String name); +} diff --git a/base/common/src/com/netscape/certsrv/ca/ICRLIssuingPoint.java b/base/common/src/com/netscape/certsrv/ca/ICRLIssuingPoint.java new file mode 100644 index 000000000..f317db9b1 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ca/ICRLIssuingPoint.java 
@@ -0,0 +1,543 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.ca;
+
+import java.math.BigInteger;
+import java.util.Date;
+import java.util.Set;
+import java.util.Vector;
+
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.RevokedCertificate;
+import netscape.security.x509.X509CRLImpl;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.dbs.IElementProcessor;
+
+/**
+ * This class encapsulates CRL issuing mechanism. CertificateAuthority
+ * contains a map of CRLIssuingPoint indexed by string ids. Each issuing
+ * point contains information about CRL issuing and publishing parameters
+ * as well as state information which includes last issued CRL, next CRL
+ * serial number, time of the next update etc.
+ * If autoUpdateInterval is set to non-zero value then worker thread
+ * is created that will perform CRL update at scheduled intervals. Update
+ * can also be triggered by invoking updateCRL method directly. Another
+ * parameter minUpdateInterval can be used to prevent CRL
+ * from being updated too often
+ *
+ * @version $Revision$, $Date$
+ */
+
+public interface ICRLIssuingPoint {
+
+ public static final String PROP_PUBLISH_DN = "publishDN";
+ public static final String PROP_PUBLISH_ON_START = "publishOnStart";
+ public static final String PROP_MIN_UPDATE_INTERVAL = "minUpdateInterval";
+ public static final String PROP_BEGIN_SERIAL = "crlBeginSerialNo";
+ public static final String PROP_END_SERIAL = "crlEndSerialNo";
+
+ public static final String SC_ISSUING_POINT_ID = "issuingPointId";
+ public static final String SC_IS_DELTA_CRL = "isDeltaCRL";
+ public static final String SC_CRL_COUNT = "crlCount";
+
+ /**
+ * for manual updates - requested by agent
+ */
+ public static final int CRL_UPDATE_DONE = 0;
+ public static final int CRL_UPDATE_STARTED = 1;
+ public static final int CRL_PUBLISHING_STARTED = 2;
+
+ public static final int CRL_IP_NOT_INITIALIZED = 0;
+ public static final int CRL_IP_INITIALIZED = 1;
+ public static final int CRL_IP_INITIALIZATION_FAILED = -1;
+
+ /**
+ * Returns true if CRL issuing point is enabled.
+ *
+ * @return true if CRL issuing point is enabled
+ */
+ public boolean isCRLIssuingPointEnabled();
+
+ /**
+ * Returns true if CRL generation is enabled.
+ *
+ * @return true if CRL generation is enabled
+ */
+ public boolean isCRLGenerationEnabled();
+
+ /**
+ * Enables or disables CRL issuing point according to parameter.
+ *
+ * @param enable if true enables CRL issuing point
+ */
+ public void enableCRLIssuingPoint(boolean enable);
+
+ /**
+ * Returns CRL update status.
+ *
+ * @return CRL update status
+ */
+ public String getCrlUpdateStatusStr();
+
+ /**
+ * Returns CRL update error.
+ *
+ * @return CRL update error
+ */
+ public String getCrlUpdateErrorStr();
+
+ /**
+ * Returns CRL publishing status.
+ *
+ * @return CRL publishing status
+ */
+ public String getCrlPublishStatusStr();
+
+ /**
+ * Returns CRL publishing error.
+ *
+ * @return CRL publishing error
+ */
+ public String getCrlPublishErrorStr();
+
+ /**
+ * Returns CRL issuing point initialization status.
+ *
+ * @return status of CRL issuing point initialization
+ */
+ public int isCRLIssuingPointInitialized();
+
+ /**
+ * Checks if manual update is set.
+ *
+ * @return true if manual update is set
+ */
+ public boolean isManualUpdateSet();
+
+ /**
+ * Checks if expired certificates are included in CRL.
+ *
+ * @return true if expired certificates are included in CRL
+ */
+ public boolean areExpiredCertsIncluded();
+
+ /**
+ * Checks if CRL includes CA certificates only.
+ *
+ * @return true if CRL includes CA certificates only
+ */
+ public boolean isCACertsOnly();
+
+ /**
+ * Checks if CRL includes profile certificates only.
+ *
+ * @return true if CRL includes profile certificates only
+ */
+ public boolean isProfileCertsOnly();
+
+ /**
+ * Checks if CRL issuing point includes this profile.
+ *
+ * @return true if CRL issuing point includes this profile
+ */
+ public boolean checkCurrentProfile(String id);
+
+ /**
+ * Initializes CRL issuing point.
+ *
+ * @param ca certificate authority that holds CRL issuing point
+ * @param id CRL issuing point id
+ * @param config configuration sub-store for CRL issuing point
+ * @exception EBaseException thrown if initialization failed
+ */
+ public void init(ISubsystem ca, String id, IConfigStore config)
+ throws EBaseException;
+
+ /**
+ * This method is called during shutdown.
+ * It updates CRL cache and stops thread controlling CRL updates.
+ */
+ public void shutdown();
+
+ /**
+ * Returns internal id of this CRL issuing point.
+ *
+ * @return internal id of this CRL issuing point
+ */
+ public String getId();
+
+ /**
+ * Returns internal description of this CRL issuing point.
+ *
+ * @return internal description of this CRL issuing point
+ */
+ public String getDescription();
+
+ /**
+ * Sets internal description of this CRL issuing point.
+ *
+ * @param description description for this CRL issuing point.
+ */
+ public void setDescription(String description);
+
+ /**
+ * Returns DN of the directory entry where CRLs from this issuing point
+ * are published.
+ *
+ * @return DN of the directory entry where CRLs are published.
+ */
+ public String getPublishDN();
+
+ /**
+ * Returns signing algorithm.
+ *
+ * @return signing algorithm
+ */
+ public String getSigningAlgorithm();
+
+ /**
+ * Returns signing algorithm used in last signing operation..
+ *
+ * @return last signing algorithm
+ */
+ public String getLastSigningAlgorithm();
+
+ /**
+ * Returns current CRL generation schema for this CRL issuing point.
+ *
+ *
+ * @return current CRL generation schema for this CRL issuing point
+ */
+ public int getCRLSchema();
+
+ /**
+ * Returns current CRL number of this CRL issuing point.
+ *
+ * @return current CRL number of this CRL issuing point
+ */
+ public BigInteger getCRLNumber();
+
+ /**
+ * Returns current delta CRL number of this CRL issuing point.
+ *
+ *
+ * @return current delta CRL number of this CRL issuing point
+ */
+ public BigInteger getDeltaCRLNumber();
+
+ /**
+ * Returns next CRL number of this CRL issuing point.
+ *
+ * @return next CRL number of this CRL issuing point
+ */
+ public BigInteger getNextCRLNumber();
+
+ /**
+ * Returns number of entries in the current CRL.
+ *
+ * @return number of entries in the current CRL
+ */
+ public long getCRLSize();
+
+ /**
+ * Returns number of entries in delta CRL
+ *
+ * @return number of entries in delta CRL
+ */
+ public long getDeltaCRLSize();
+
+ /**
+ * Returns time of the last update.
+ *
+ * @return last CRL update time
+ */
+ public Date getLastUpdate();
+
+ /**
+ * Returns time of the next update.
+ *
+ * @return next CRL update time
+ */
+ public Date getNextUpdate();
+
+ /**
+ * Returns time of the next delta CRL update.
+ *
+ * @return next delta CRL update time
+ */
+ public Date getNextDeltaUpdate();
+
+ /**
+ * Returns all the revoked certificates from the CRL cache.
+ *
+ * @param start first requested CRL entry
+ * @param end next after last requested CRL entry
+ * @return set of all the revoked certificates or null if there are none.
+ */
+ public Set getRevokedCertificates(int start, int end);
+
+ /**
+ * Returns certificate authority.
+ *
+ * @return certificate authority
+ */
+ public ISubsystem getCertificateAuthority();
+
+ /**
+ * Schedules immediate CRL manual-update
+ * and sets signature algorithm to be used for signing.
+ *
+ * @param signatureAlgorithm signature algorithm to be used for signing
+ */
+ public void setManualUpdate(String signatureAlgorithm);
+
+ /**
+ * Returns auto update interval in milliseconds.
+ *
+ * @return auto update interval in milliseconds
+ */
+ public long getAutoUpdateInterval();
+
+ /**
+ * Returns true if CRL is updated for every change
+ * of revocation status of any certificate.
+ *
+ * @return true if CRL update is always triggered by revocation operation
+ */
+ public boolean getAlwaysUpdate();
+
+ /**
+ * Returns next update grace period in minutes.
+ *
+ * @return next update grace period in minutes
+ */
+ public long getNextUpdateGracePeriod();
+
+ /**
+ * Returns filter used to build CRL based on information stored
+ * in local directory.
+ *
+ * @return filter used to search local directory
+ */
+ public String getFilter();
+
+ /**
+ * Builds a list of revoked certificates to put them into CRL.
+ * Calls certificate record processor to get necessary data
+ * from certificate records.
+ * This also regenerates CRL cache.
+ *
+ * @param cp certificate record processor
+ * @exception EBaseException if an error occurred in the database.
+ */
+ public void processRevokedCerts(IElementProcessor cp)
+ throws EBaseException;
+
+ /**
+ * Returns date of revoked certificate or null
+ * if certificated is not listed as revoked.
+ *
+ * @param serialNumber serial number of certificate to be checked
+ * @param checkDeltaCache true if delta CRL cache suppose to be
+ * included in checking process
+ * @param includeExpiredCerts true if delta CRL cache with expired
+ * certificates suppose to be included in checking process
+ * @return date of revoked certificate or null
+ */
+ public Date getRevocationDateFromCache(BigInteger serialNumber,
+ boolean checkDeltaCache,
+ boolean includeExpiredCerts);
+
+ /**
+ * Returns split times from CRL generation.
+ *
+ * @return split times from CRL generation in milliseconds
+ */
+ public Vector getSplitTimes();
+
+ /**
+ * Generates CRL now based on cache or local directory if cache
+ * is not available. It also publishes CRL if it is required.
+ *
+ * @param signingAlgorithm signing algorithm to be used for CRL signing
+ * @exception EBaseException if an error occurred during
+ * CRL generation or publishing
+ */
+ public void updateCRLNow(String signingAlgorithm)
+ throws EBaseException;
+
+ /**
+ * Clears CRL cache
+ */
+ public void clearCRLCache();
+
+ /**
+ * Clears delta-CRL cache
+ */
+ public void clearDeltaCRLCache();
+
+ /**
+ * Returns number of recently revoked certificates.
+ *
+ * @return number of recently revoked certificates
+ */
+ public int getNumberOfRecentlyRevokedCerts();
+
+ /**
+ * Returns number of recently unrevoked certificates.
+ *
+ * @return number of recently unrevoked certificates
+ */
+ public int getNumberOfRecentlyUnrevokedCerts();
+
+ /**
+ * Returns number of recently expired and revoked certificates.
+ *
+ * @return number of recently expired and revoked certificates
+ */
+ public int getNumberOfRecentlyExpiredCerts();
+
+ /**
+ * Converts list of extensions supplied by revocation request
+ * to list of extensions required to be placed in CRL.
+ *
+ * @param exts list of extensions supplied by revocation request
+ * @return list of extensions required to be placed in CRL
+ */
+ public CRLExtensions getRequiredEntryExtensions(CRLExtensions exts);
+
+ /**
+ * Adds revoked certificate to delta-CRL cache.
+ *
+ * @param serialNumber serial number of revoked certificate
+ * @param revokedCert revocation information supplied by revocation request
+ */
+ public void addRevokedCert(BigInteger serialNumber, RevokedCertImpl revokedCert);
+
+ /**
+ * Adds revoked certificate to delta-CRL cache.
+ *
+ * @param serialNumber serial number of revoked certificate
+ * @param revokedCert revocation information supplied by revocation request
+ * @param requestId revocation request id
+ */
+ public void addRevokedCert(BigInteger serialNumber, RevokedCertImpl revokedCert,
+ String requestId);
+
+ /**
+ * Adds unrevoked certificate to delta-CRL cache.
+ *
+ * @param serialNumber serial number of unrevoked certificate
+ */
+ public void addUnrevokedCert(BigInteger serialNumber);
+
+ /**
+ * Adds unrevoked certificate to delta-CRL cache.
+ *
+ * @param serialNumber serial number of unrevoked certificate
+ * @param requestId unrevocation request id
+ */
+ public void addUnrevokedCert(BigInteger serialNumber, String requestId);
+
+ /**
+ * Adds expired and revoked certificate to delta-CRL cache.
+ *
+ * @param serialNumber serial number of expired and revoked certificate
+ */
+ public void addExpiredCert(BigInteger serialNumber);
+
+ /**
+ * Updates CRL cache into local directory.
+ */
+ public void updateCRLCacheRepository();
+
+ /**
+ * Updates issuing point configuration according to supplied data
+ * in name value pairs.
+ *
+ * @param params name value pairs defining new issuing point configuration
+ * @return true if configuration is updated successfully
+ */
+ public boolean updateConfig(NameValuePairs params);
+
+ /**
+ * Returns true if delta-CRL is enabled.
+ *
+ * @return true if delta-CRL is enabled
+ */
+ public boolean isDeltaCRLEnabled();
+
+ /**
+ * Returns true if CRL cache is enabled.
+ *
+ * @return true if CRL cache is enabled
+ */
+ public boolean isCRLCacheEnabled();
+
+ /**
+ * Returns true if CRL cache is empty.
+ *
+ * @return true if CRL cache is empty
+ */
+ public boolean isCRLCacheEmpty();
+
+ /**
+ * Returns true if CRL cache testing is enabled.
+ *
+ * @return true if CRL cache testing is enabled
+ */
+ public boolean isCRLCacheTestingEnabled();
+
+ /**
+ * Returns true if supplied delta-CRL is matching current delta-CRL.
+ *
+ * @param deltaCRL delta-CRL to verify against current delta-CRL
+ * @return true if supplied delta-CRL is matching current delta-CRL
+ */
+ public boolean isThisCurrentDeltaCRL(X509CRLImpl deltaCRL);
+
+ /**
+ * Returns status of CRL generation.
+ *
+ * @return one of the following according to CRL generation status:
+ * CRL_UPDATE_DONE, CRL_UPDATE_STARTED, and CRL_PUBLISHING_STARTED
+ */
+ public int isCRLUpdateInProgress();
+
+ /**
+ * Generates CRL now based on cache or local directory if cache
+ * is not available. It also publishes CRL if it is required.
+ * CRL is signed by default signing algorithm.
+ *
+ * @exception EBaseException if an error occurred during
+ * CRL generation or publishing
+ */
+ public void updateCRLNow() throws EBaseException;
+
+ /**
+ * Returns list of CRL extensions.
+ *
+ * @return list of CRL extensions
+ */
+ public ICMSCRLExtensions getCRLExtensions();
+}
diff --git a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
new file mode 100644
index 000000000..25bc9cabe
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
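Review bot: `getRevokedCertificates(int start, int end)` returns a raw `Set` and `getSplitTimes()` a raw `Vector`, so every caller gets `Object` elements and an unchecked cast; the `RevokedCertificate` import is used by no signature in this interface, which suggests the intended element type is `Set<RevokedCertificate>` — confirm against the implementation before changing it to `public Set<RevokedCertificate> getRevokedCertificates(int start, int end);`. `checkCurrentProfile(String id)` has no `@param id` tag, and while `getRevokedCertificates` documents "null if there are none", `getSplitTimes` says nothing about the empty case; both contracts should be stated. `isCRLIssuingPointInitialized()` returns an `int` despite the `is` prefix, presumably one of the `CRL_IP_*` constants declared above; a `@return` that names those constants would avoid callers treating it as a boolean. The commit message says the file was only moved, so these are pre-existing rather than introduced here.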
@@ -0,0 +1,503 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.ca;
+
+import java.util.Enumeration;
+
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CRLImpl;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+
+import org.mozilla.jss.crypto.SignatureAlgorithm;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.base.Nonces;
+import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+import com.netscape.certsrv.dbs.crldb.ICRLRepository;
+import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository;
+import com.netscape.certsrv.policy.IPolicyProcessor;
+import com.netscape.certsrv.publish.IPublisherProcessor;
+import com.netscape.certsrv.request.IRequestListener;
+import com.netscape.certsrv.request.IRequestNotifier;
+import com.netscape.certsrv.request.IRequestQueue;
+import com.netscape.certsrv.request.IService;
+import com.netscape.certsrv.security.ISigningUnit;
+
+/**
+ * An interface represents a Certificate Authority that is
+ * responsible for certificate specific operations.
+ *
+ *
+ * @version $Revision$, $Date$
+ */
+public interface ICertificateAuthority extends ISubsystem {
+
+ public static final String ID = "ca";
+
+ public static final String PROP_CERTDB_INC = "certdbInc";
+ public static final String PROP_CRLDB_INC = "crldbInc";
+ public static final String PROP_REGISTRATION = "Registration";
+ public static final String PROP_POLICY = "Policy";
+ public static final String PROP_GATEWAY = "gateway";
+ public static final String PROP_CLASS = "class";
+ public static final String PROP_TYPE = "type";
+ public static final String PROP_IMPL = "impl";
+ public static final String PROP_PLUGIN = "plugin";
+ public static final String PROP_INSTANCE = "instance";
+ public static final String PROP_LISTENER_SUBSTORE = "listener";
+ public final static String PROP_LDAP_PUBLISH_SUBSTORE = "ldappublish";
+ public final static String PROP_PUBLISH_SUBSTORE = "publish";
+ public final static String PROP_ENABLE_PUBLISH = "enablePublish";
+ public final static String PROP_ENABLE_LDAP_PUBLISH = "enableLdapPublish";
+
+ public final static String PROP_X509CERT_VERSION = "X509CertVersion";
+ public final static String PROP_ENABLE_PAST_CATIME = "enablePastCATime";
+ public final static String PROP_DEF_VALIDITY = "DefaultIssueValidity";
+ public final static String PROP_FAST_SIGNING = "fastSigning";
+ public static final String PROP_ENABLE_ADMIN_ENROLL =
+ "enableAdminEnroll";
+
+ public final static String PROP_CRL_SUBSTORE = "crl";
+ // make this public so agent gateway can access for now.
+ public final static String PROP_CRL_PAGE_SIZE = "pageSize";
+ public final static String PROP_MASTER_CRL = "MasterCRL";
+ public final static String PROP_CRLEXT_SUBSTORE = "extension";
+ public final static String PROP_ISSUING_CLASS =
+ "com.netscape.cmscore.ca.CRLIssuingPoint";
+ public final static String PROP_EXPIREDCERTS_CLASS =
+ "com.netscape.cmscore.ca.CRLWithExpiredCerts";
+
+ public final static String PROP_NOTIFY_SUBSTORE = "notification";
+ public final static String PROP_CERT_ISSUED_SUBSTORE = "certIssued";
+ public final static String PROP_CERT_REVOKED_SUBSTORE = "certRevoked";
+ public final static String PROP_REQ_IN_Q_SUBSTORE = "requestInQ";
+ public final static String PROP_PUB_QUEUE_SUBSTORE = "publishingQueue";
+
+ public final static String PROP_ISSUER_NAME = "name";
+ public final static String PROP_CA_NAMES = "CAs";
+ public final static String PROP_DBS_SUBSTORE = "dbs";
+ public final static String PROP_SIGNING_SUBSTORE = "signing";
+ public final static String PROP_CA_CHAIN_NUM = "certchainNum";
+ public final static String PROP_CA_CHAIN = "certchain";
+ public final static String PROP_CA_CERT = "cert";
+ public final static String PROP_ENABLE_OCSP = "ocsp";
+ public final static String PROP_OCSP_SIGNING_SUBSTORE = "ocsp_signing";
+ public final static String PROP_CRL_SIGNING_SUBSTORE = "crl_signing";
+ public final static String PROP_ID = "id";
+
+ public final static String PROP_CERTDB_TRANS_MAXRECORDS = "transitMaxRecords";
+ public final static String PROP_CERTDB_TRANS_PAGESIZE = "transitRecordPageSize";
+
+ /**
+ * Retrieves the certificate repository where all the locally
+ * issued certificates are kept.
+ *
+ * @return CA's certificate repository
+ */
+ public ICertificateRepository getCertificateRepository();
+
+ /**
+ * Retrieves the request queue of this certificate authority.
+ *
+ * @return CA's request queue
+ */
+ public IRequestQueue getRequestQueue();
+
+ /**
+ * Retrieves the policy processor of this certificate authority.
+ * @deprecated
+ * @return CA's policy processor
+ */
+ public IPolicyProcessor getPolicyProcessor();
+
+ public boolean noncesEnabled();
+
+ public Nonces getNonces();
+
+ /**
+ * Retrieves the publishing processor of this certificate authority.
+ *
+ * @return CA's publishing processor
+ */
+ public IPublisherProcessor getPublisherProcessor();
+
+ /**
+ * Retrieves the next available serial number.
+ *
+ * @return next available serial number
+ */
+ public String getStartSerial();
+
+ /**
+ * Sets the next available serial number.
+ *
+ * @param serial next available serial number
+ * @exception EBaseException failed to set next available serial number
+ */
+ public void setStartSerial(String serial) throws EBaseException;
+
+ /**
+ * Retrieves the last serial number that can be used for
+ * certificate issuance in this certificate authority.
+ *
+ * @return the last serial number
+ */
+ public String getMaxSerial();
+
+ /**
+ * Sets the last serial number that can be used for
+ * certificate issuance in this certificate authority.
+ *
+ * @param serial the last serial number
+ * @exception EBaseException failed to set the last serial number
+ */
+ public void setMaxSerial(String serial) throws EBaseException;
+
+ /**
+ * Retrieves the default signature algorithm of this certificate authority.
+ *
+ * @return the default signature algorithm of this CA
+ */
+ public SignatureAlgorithm getDefaultSignatureAlgorithm();
+
+ /**
+ * Retrieves the default signing algorithm of this certificate authority.
+ *
+ * @return the default signing algorithm of this CA
+ */
+ public String getDefaultAlgorithm();
+
+ /**
+ * Sets the default signing algorithm of this certificate authority.
+ *
+ * @param algorithm new default signing algorithm
+ * @exception EBaseException failed to set the default signing algorithm
+ */
+ public void setDefaultAlgorithm(String algorithm) throws EBaseException;
+
+ /**
+ * Retrieves the supported signing algorithms of this certificate authority.
+ *
+ * @return the supported signing algorithms of this CA
+ */
+ public String[] getCASigningAlgorithms();
+
+ /**
+ * Allows certificates to have validities that are longer
+ * than this certificate authority's.
+ *
+ * @param enableCAPast if equals "true", it allows certificates
+ * to have validity longer than CA's certificate validity
+ * @exception EBaseException failed to set above option
+ */
+ public void setValidity(String enableCAPast) throws EBaseException;
+
+ /**
+ * Retrieves the default validity period.
+ *
+ * @return the default validity length in days
+ */
+ public long getDefaultValidity();
+
+ /**
+ * Retrieves all the CRL issuing points.
+ *
+ * @return enumeration of all the CRL issuing points
+ */
+ public Enumeration getCRLIssuingPoints();
+
+ /**
+ * Retrieves CRL issuing point with the given identifier.
+ *
+ * @param id CRL issuing point id
+ * @return CRL issuing point with given id
+ */
+ public ICRLIssuingPoint getCRLIssuingPoint(String id);
+
+ /**
+ * Adds CRL issuing point with the given identifier and description.
+ *
+ * @param crlSubStore sub-store with all CRL issuing points
+ * @param id CRL issuing point id
+ * @param description CRL issuing point description
+ * @return true if CRL issuing point was successfully added
+ */
+ public boolean addCRLIssuingPoint(IConfigStore crlSubStore, String id,
+ boolean enable, String description);
+
+ /**
+ * Deletes CRL issuing point with the given identifier.
+ *
+ * @param crlSubStore sub-store with all CRL issuing points
+ * @param id CRL issuing point id
+ */
+ public void deleteCRLIssuingPoint(IConfigStore crlSubStore, String id);
+
+ /**
+ * Retrieves the CRL repository.
+ *
+ * @return CA's CRL repository
+ */
+ public ICRLRepository getCRLRepository();
+
+ /**
+ * Retrieves the Replica ID repository.
+ *
+ * @return CA's Replica ID repository
+ */
+ public IReplicaIDRepository getReplicaRepository();
+
+ /**
+ * Retrieves the request in queue listener.
+ *
+ * @return the request in queue listener
+ */
+ public IRequestListener getRequestInQListener();
+
+ /**
+ * Retrieves all request listeners.
+ *
+ * @return name enumeration of all request listeners
+ */
+ public Enumeration getRequestListenerNames();
+
+ /**
+ * Retrieves the request listener for issued certificates.
+ *
+ * @return the request listener for issued certificates
+ */
+ public IRequestListener getCertIssuedListener();
+
+ /**
+ * Retrieves the request listener for revoked certificates.
+ *
+ * @return the request listener for revoked certificates
+ */
+ public IRequestListener getCertRevokedListener();
+
+ /**
+ * Retrieves the CA certificate chain.
+ *
+ * @return the CA certificate chain
+ */
+ public CertificateChain getCACertChain();
+
+ /**
+ * Retrieves the CA certificate.
+ *
+ * @return the CA certificate
+ */
+ public org.mozilla.jss.crypto.X509Certificate getCaX509Cert();
+
+ /**
+ * Retrieves the CA certificate.
+ *
+ * @return the CA certificate
+ */
+ public X509CertImpl getCACert();
+
+ /**
+ * Updates the CRL immediately for MasterCRL issuing point if it exists.
+ *
+ * @exception EBaseException failed to create or publish CRL
+ */
+ public void updateCRLNow() throws EBaseException;
+
+ /**
+ * Publishes the CRL immediately for MasterCRL issuing point if it exists.
+ *
+ * @exception EBaseException failed to publish CRL
+ */
+ public void publishCRLNow() throws EBaseException;
+
+ /**
+ * Retrieves the signing unit that manages the CA signing key for
+ * signing certificates.
+ *
+ * @return the CA signing unit for certificates
+ */
+ public ISigningUnit getSigningUnit();
+
+ /**
+ * Retrieves the signing unit that manages the CA signing key for
+ * signing CRL.
+ *
+ * @return the CA signing unit for CRLs
+ */
+ public ISigningUnit getCRLSigningUnit();
+
+ /**
+ * Retrieves the signing unit that manages the CA signing key for
+ * signing OCSP response.
+ *
+ * @return the CA signing unit for OCSP responses
+ */
+ public ISigningUnit getOCSPSigningUnit();
+
+ /**
+ * Sets the maximium path length in the basic constraint extension.
+ *
+ * @param num the maximium path length
+ */
+ public void setBasicConstraintMaxLen(int num);
+
+ /**
+ * Is this a clone CA?
+ *
+ * @return true if this is a clone CA
+ */
+ public boolean isClone();
+
+ /**
+ * Retrieves the request listener by name.
+ *
+ * @param name request listener name
+ * @return the request listener
+ */
+ public IRequestListener getRequestListener(String name);
+
+ /**
+ * get request notifier
+ */
+ public IRequestNotifier getRequestNotifier();
+
+ /**
+ * Registers a request listener.
+ *
+ * @param listener request listener to be registered
+ */
+ public void registerRequestListener(IRequestListener listener);
+
+ /**
+ * Registers a request listener.
+ *
+ * @param name under request listener is going to be registered
+ * @param listener request listener to be registered
+ */
+ public void registerRequestListener(String name, IRequestListener listener);
+
+ /**
+ * Retrieves the issuer name of this certificate authority.
+ *
+ * @return the issuer name of this certificate authority
+ */
+ public X500Name getX500Name();
+
+ /**
+ * Retrieves the issuer name of this certificate authority issuing point.
+ *
+ * @return the issuer name of this certificate authority issuing point
+ */
+ public X500Name getCRLX500Name();
+
+ /**
+ * Signs the given CRL with the specific algorithm.
+ *
+ * @param crl CRL to be signed
+ * @param algname algorithm used for signing
+ * @return signed CRL
+ * @exception EBaseException failed to sign CRL
+ */
+ public X509CRLImpl sign(X509CRLImpl crl, String algname)
+ throws EBaseException;
+
+ /**
+ * Logs a message to this certificate authority.
+ *
+ * @param level logging level
+ * @param msg logged message
+ */
+ public void log(int level, String msg);
+
+ /**
+ * Returns the nickname for the CA signing certificate.
+ *
+ * @return the nickname for the CA signing certificate
+ */
+ public String getNickname();
+
+ /**
+ * Signs a X.509 certificate template.
+ *
+ * @param certInfo X.509 certificate template
+ * @param algname algorithm used for signing
+ * @return signed certificate
+ * @exception EBaseException failed to sign certificate
+ */
+ public X509CertImpl sign(X509CertInfo certInfo, String algname)
+ throws EBaseException;
+
+ /**
+ * Retrieves the default certificate version.
+ *
+ * @return the default version certificate
+ */
+ public CertificateVersion getDefaultCertVersion();
+
+ /**
+ * Is this CA allowed to issue certificate that has longer
+ * validty than the CA's.
+ *
+ * @return true if allows certificates to have validity longer than CA's
+ */
+ public boolean isEnablePastCATime();
+
+ /**
+ * Retrieves the CA service object that is responsible for
+ * processing requests.
+ *
+ * @return CA service object
+ */
+ public IService getCAService();
+
+ /**
+ * Returns the in-memory count of the processed OCSP requests.
+ *
+ * @return number of processed OCSP requests in memory
+ */
+ public long getNumOCSPRequest();
+
+ /**
+ * Returns the in-memory time (in mini-second) of
+ * the processed time for OCSP requests.
+ *
+ * @return processed times for OCSP requests
+ */
+ public long getOCSPRequestTotalTime();
+
+ /**
+ * Returns the in-memory time (in mini-second) of
+ * the signing time for OCSP requests.
+ *
+ * @return processed times for OCSP requests
+ */
+ public long getOCSPTotalSignTime();
+
+ /**
+ * Returns the total data signed
+ * for OCSP requests.
+ *
+ * @return processed times for OCSP requests
+ */
+ public long getOCSPTotalData();
+}
diff --git a/base/common/src/com/netscape/certsrv/cert/ICrossCertPairSubsystem.java b/base/common/src/com/netscape/certsrv/cert/ICrossCertPairSubsystem.java
new file mode 100644
index 000000000..c79479dc7
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/cert/ICrossCertPairSubsystem.java
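Review bot: Both `sign(X509CRLImpl crl, String algname)` and `sign(X509CertInfo certInfo, String algname)` take a free-form algorithm name, but their Javadoc does not say what happens when `algname` is not one of `getCASigningAlgorithms()` — whether it is rejected with `EBaseException` or handed on to the signing unit — and since this selects the signature algorithm for every issued certificate and CRL, that contract should be explicit, e.g. `@param algname algorithm used for signing; expected to be one of {@link #getCASigningAlgorithms()} — TODO confirm how implementations treat other values`. `addCRLIssuingPoint` documents `crlSubStore`, `id` and `description` but not its `enable` parameter (`@param enable if true the new issuing point is enabled`), and `noncesEnabled()` / `getNonces()` carry no Javadoc at all. Smaller points: `getPolicyProcessor` is tagged `@deprecated` without naming a replacement, and `getCRLIssuingPoints()` / `getRequestListenerNames()` return raw `Enumeration`. The commit message says this file was only moved, so all of this predates the change.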
@@ -0,0 +1,62 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.cert;
+
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.ISubsystem;
+
+/**
+ * Interface for handling cross certs
+ *
+ * @version $Revision$, $Date$
+ */
+public interface ICrossCertPairSubsystem extends ISubsystem {
+
+ /**
+ * "import" the CA cert cross-signed by another CA (potentially a
+ * bridge CA) into internal ldap db.
+ * If publishing is turned on, and
+ * if matches up a pair, then publish to publishing directory
+ * otherwise, leave in internal ldap db and wait for it's matching
+ * pair
+ *
+ * @param certBytes binary byte array of the cert
+ * @exception EBaseException when certBytes conversion to X509
+ * certificate fails
+ */
+ public void importCert(byte[] certBytes) throws EBaseException;
+
+ /**
+ * publish all cert pairs, if publisher is on
+ *
+ * @exception EBaseException when publishing fails
+ */
+ public void publishCertPairs() throws EBaseException;
+
+ /**
+ * convert byte array to X509Certificate
+ *
+ * @return X509Certificate the X509Certificate class
+ * representation of the certificate byte array
+ * @exception CertificateException when conversion fails
+ */
+ public X509Certificate byteArray2X509Cert(byte[] certBytes) throws CertificateException;
+}
diff --git a/base/common/src/com/netscape/certsrv/client/IDataProcessor.java b/base/common/src/com/netscape/certsrv/client/IDataProcessor.java
new file mode 100644
index 000000000..b6784b6d2
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/client/IDataProcessor.java
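Review bot: `byteArray2X509Cert(byte[] certBytes)` documents its return value and exception but carries no `@param certBytes`, and `importCert`'s `@exception` tag only covers the conversion failure even though the description says the cert is also written to the internal LDAP db and possibly published; the Javadoc should say what those steps raise. A matching `@param certBytes binary byte array of the cert` on byteArray2X509Cert would keep the two methods consistent. The interface also does not state whether implementations are expected to check anything about the certificate beyond parsing it before it is stored; a sentence either way would help implementers. Minor: "wait for it's matching pair" should read "its matching pair".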
@@ -0,0 +1,36 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.client;
+
+/**
+ * this class represents the callback interface between
+ * the client package and the data storage object (data model)
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IDataProcessor {
+
+ /**
+ * This method will be callby the client package each time
+ * data object arrived from the server side.
+ *
+ * @param data data object expected by the interface implementor
+ */
+ public void processData(Object data);
+
+}
diff --git a/base/common/src/com/netscape/certsrv/client/connection/IAuthenticator.java b/base/common/src/com/netscape/certsrv/client/connection/IAuthenticator.java
new file mode 100644
index 000000000..0a96ee698
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/client/connection/IAuthenticator.java
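Review bot: The Javadoc on `processData(Object data)` does not tell an implementor what it will actually receive; `Object` is the whole contract, so the comment should either name the concrete type(s) the client package passes or state that implementations must check the runtime type before casting. The first sentence also has a typo: `* This method will be called by the client package each time`. The summary line "this class represents" describes an interface and should say so.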
@@ -0,0 +1,26 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.client.connection;
+
+/**
+ * An interface represents authentiator.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IAuthenticator {
+}
diff --git a/base/common/src/com/netscape/certsrv/client/connection/IConnection.java b/base/common/src/com/netscape/certsrv/client/connection/IConnection.java
new file mode 100644
index 000000000..4a8166b02
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/client/connection/IConnection.java
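Review bot: `IAuthenticator` declares no methods, so the only contract it can carry is in the Javadoc, and the current summary ("An interface represents authentiator.") is both misspelled and silent about that. If it is meant as a marker type, say so: `* Marker interface for authenticators used with connection objects; it declares no methods.` If implementations are expected to provide some operation, that belongs here as a method or at least as a documented expectation.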
@@ -0,0 +1,50 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.client.connection;
+
+import java.io.IOException;
+import java.net.SocketException;
+
+/**
+ * Interface for all connection objects.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IConnection {
+
+ /**
+ * Send request to the server using this connection
+ */
+ public int sendRequest(String req) throws IOException;
+
+ /**
+ * Returns the response in byte array format
+ */
+ public byte[] getResponse();
+
+ /**
+ * Close the connection
+ */
+ public void disconnect();
+
+ /**
+ * SetTimeout
+ */
+ public void setSoTimeout(int timeout) throws SocketException;
+
+}
diff --git a/base/common/src/com/netscape/certsrv/client/connection/IConnectionFactory.java b/base/common/src/com/netscape/certsrv/client/connection/IConnectionFactory.java
new file mode 100644
index 000000000..4506abbfa
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/client/connection/IConnectionFactory.java
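Review bot: `sendRequest(String req)` returns an `int` whose meaning is documented nowhere, and `getResponse()` does not say whether it may return null or an empty array when no request has completed; implementors and callers will guess differently. Add `@param req`/`@return` tags to sendRequest stating what the int encodes, and a `@return` on getResponse that states the null/empty behaviour. `setSoTimeout(int timeout)` is documented only as "SetTimeout"; the name and the `SocketException` suggest it mirrors `java.net.Socket#setSoTimeout` (milliseconds, 0 for no timeout), but that should be stated rather than assumed, e.g. `* @param timeout read timeout in milliseconds; 0 means no timeout (confirm against the implementation)`.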
@@ -0,0 +1,43 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.client.connection;
+
+import java.io.IOException;
+import java.net.UnknownHostException;
+
+/**
+ * Interface for all connection factory. Primarily act as
+ * the abstraction layer for different kind of connection factory.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IConnectionFactory {
+
+ /**
+ * Creates connection using the host and port
+ *
+ * @param host The host to connect to
+ * @param port The port to connect to
+ * @return The created connection
+ * @throws IOException On an IO Error
+ * @throws UnknownHostException If the host can't be resolved
+ */
+ public IConnection create(String host, int port)
+ throws IOException, UnknownHostException;
+
+}
diff --git a/base/common/src/com/netscape/certsrv/common/ConfigConstants.java b/base/common/src/com/netscape/certsrv/common/ConfigConstants.java
new file mode 100644
index 000000000..2ea7b7469
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/common/ConfigConstants.java
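Review bot: The throws clause `throws IOException, UnknownHostException` lists a subclass next to its superclass (`java.net.UnknownHostException` extends `IOException`), so the second entry adds nothing to the compiler contract and reads as if two independent failure modes existed. Keeping the `@throws UnknownHostException` Javadoc tag while shortening the clause to `throws IOException;` preserves the documentation without the redundancy; this is a style point, not a defect. The Javadoc could also say whether the returned `IConnection` is already connected or only constructed, since `create` does not make that explicit.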
@@ -0,0 +1,332 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.common;
+
+/**
+ * This interface contains constants that are used
+ * in the protocol between the configuration daemon
+ * and UI configuration wizard.
+ * + * @version $Revision$, $Date$ + */ +public interface ConfigConstants { + + public static final String TRUE = "true"; + public static final String FALSE = "false"; + public static final String OPTYPE = "opType"; + public static final String TASKID = "taskID"; + + // Stages + public static final String STAGES = "stages"; + public static final String STAGE_INTERNAL_DB = "stageInternalDB"; + public static final String STAGE_CONNECT_DB = "stageConnectDB"; + public static final String STAGE_SETUP_PORTS = "stageSetupPorts"; + public static final String STAGE_SETUP_ADMINISTRATOR = "stageSetupAdmin"; + public static final String STAGE_SETUP_SUBSYSTEMS = "stageSubsystems"; + public static final String STAGE_DATA_MIGRATION = "stageDataMigration"; + public static final String STAGE_CA_SELFSIGNED_CERT = "stageCASelfSignedCert"; + public static final String STAGE_CA_CERT_REQUEST = "stageCACertRequest"; + public static final String STAGE_CA_CERT_INSTALL = "stageCACertInstall"; + public static final String STAGE_RA_LOCAL_CERT = "stageRALocalCert"; + public static final String STAGE_RA_CERT_REQUEST = "stageRACertRequest"; + public static final String STAGE_RA_CERT_INSTALL = "stageRACertInstall"; + public static final String STAGE_KRA_LOCAL_CERT = "stageKRALocalCert"; + public static final String STAGE_KRA_CERT_REQUEST = "stageKRACertRequest"; + public static final String STAGE_KRA_CERT_INSTALL = "stageKRACertInstall"; + public static final String STAGE_SSL_LOCAL_CERT = "stageSSLLocalCert"; + public static final String STAGE_SSL_CERT_REQUEST = "stageSSLCertRequest"; + public static final String STAGE_SSL_CERT_INSTALL = "stageSSLCertInstall"; + public static final String STAGE_OCSP_LOCAL_CERT = "stageOCSPLocalCert"; + public static final String STAGE_OCSP_CERT_REQUEST = "stageOCSPCertRequest"; + public static final String STAGE_OCSP_CERT_INSTALL = "stageOCSPCertInstall"; + public static final String STAGE_CA_CERTCHAIN_IMPORT = "stageCACertChain"; + public static final String 
STAGE_RA_CERTCHAIN_IMPORT = "stageRACertChain"; + public static final String STAGE_OCSP_CERTCHAIN_IMPORT = "stageOCSPCertChain"; + public static final String STAGE_KRA_CERTCHAIN_IMPORT = "stageKRACertChain"; + public static final String STAGE_SSL_CERTCHAIN_IMPORT = "stageSSLCertChain"; + public static final String STAGE_OCSP_SERVICE_ADDED = "stageOCSPService"; + public static final String STAGE_CONFIG_WEBSERVER = "stageConfigWebserver"; + public static final String STAGE_REPLICATION_AGREEMENT = "stageReplicationAgreement"; + public static final String PR_ENABLE_REPLICATION = "enableReplication"; + + public static final String CA_CERT_REQUEST = "CACertRequest"; + public static final String RA_CERT_REQUEST = "RACertRequest"; + public static final String OCSP_CERT_REQUEST = "OCSPCertRequest"; + public static final String KRA_CERT_REQUEST = "KRACertRequest"; + public static final String SSL_CERT_REQUEST = "SSLCertRequest"; + public static final String STAGE_CA_REQ_SUCCESS = "stageCAReqSuccess"; + public static final String STAGE_RA_REQ_SUCCESS = "stageRAReqSuccess"; + public static final String STAGE_KRA_REQ_SUCCESS = "stageKRAReqSuccess"; + public static final String STAGE_SSL_REQ_SUCCESS = "stageSSLReqSuccess"; + public static final String STAGE_OCSP_REQ_SUCCESS = "stageOCSPReqSuccess"; + + public static final String STAGE_KRA_NM_SCHEME = "stageKRANMScheme"; + public static final String STAGE_CACLONING = "stageCACloning"; + public static final String STAGE_RACLONING = "stageRACloning"; + public static final String STAGE_KRACLONING = "stageKRACloning"; + public static final String STAGE_TKSCLONING = "stageTKSCloning"; + public static final String STAGE_SSLCLONING = "stageSSLCloning"; + public static final String STAGE_OCSPCLONING = "stageOCSPCloning"; + public static final String STAGE_CLONEMASTER = "stageCloneMaster"; + public static final String STAGE_UPDATE_DB_INFO = "stageUpdateDBInfo"; + + public static final String CA_CERT_REQUEST_BACK = "CACertRequestBack"; + 
public static final String RA_CERT_REQUEST_BACK = "RACertRequestBack"; + public static final String OCSP_CERT_REQUEST_BACK = "OCSPCertRequestBack"; + public static final String KRA_CERT_REQUEST_BACK = "KRACertRequestBack"; + public static final String SSL_CERT_REQUEST_BACK = "SSLCertRequestBack"; + + // Error messages + public static final String PR_ERROR_MESSAGE = "errorMsg"; + + // Certificate server instance + public static final String PR_CERT_INSTANCE_NAME = "instanceID"; + + // Admin server info + public static final String PR_HOST = "host"; + public static final String PR_LDAP_DB_NAME = "ldapServerDB"; + public static final String PR_SERVER_ROOT = "serverRoot"; + public static final String PR_SIE_URL = "sieURL"; + public static final String PR_ADMIN_PASSWD = "AdminUserPassword"; + public static final String PR_ADMIN_UID = "adminUID"; + public static final String PR_ADMIN_DOMAIN = "adminDomain"; + public static final String PR_MACHINE_NAME = "machineName"; + + public static final String PR_CA_OCSP_SERVICE = "CAOCSPService"; + + // Daemon + public static final String PR_DAEMON_PORT = "daemonPort"; + public static final String PR_DELETE_PASSWD_CONF = "deletePasswdConf"; + + // Internal Database + public static final String PR_DB_SCHEMA = "db.schema"; + public static final String PR_DB_MODE = "db.mode"; + public static final String PR_DB_PORT = "internaldb.ldapconn.port"; + public static final String PR_DB_HOST = "internaldb.ldapconn.host"; + public static final String PR_DB_BINDDN = "internaldb.ldapauth.bindDN"; + public static final String PR_DB_BINDPWD = "internaldb.ldapauth.bindPWPrompt"; + public static final String PR_DB_PWD = "db.password"; + public static final String PR_DB_LOCAL = "db.local"; + public static final String PR_DB_NAME = "db.instanceName"; + public static final String PR_CLONEDDB_NAME = "db.cloned.instanceName"; + public static final String PR_IS_DBCREATED = "db.isCreated"; + public static final String PR_IS_CLONEDDB_CREATED = 
"db.cloned.isCreated"; + public static final String PR_NEXT_AVAIL_PORT = "nextAvailPort"; + + // Network Ports + public static final String PR_ENABLE = "enabled"; + public static final String PR_EE_PORT = "eeGateway.http.port"; + public static final String PR_EE_SECURE_PORT = "eeGateway.https.port"; + public static final String PR_AGENT_PORT = "agentGateway.https.port"; + public static final String PR_RADM_PORT = "radm.https.port"; + public static final String PR_RADM_PORT_SETUP = "radm.port"; + public static final String PR_EE_PORT_ENABLE = "eeGateway.http.enable"; + public static final String PR_EE_PORTS_ENABLE = "eePortsEnable"; + + // Certificate server administrator + public static final String PR_CERT_ADMINNAME = "cert.admin.name"; + public static final String PR_CERT_ADMINUID = "cert.admin.uid"; + public static final String PR_CERT_ADMINPASSWD = "cert.admin.passwd"; + + // Subsystems + public static final String PR_SUBSYSTEMS = "subsystems"; + public static final String PR_CA = "ca"; + public static final String PR_RA = "ra"; + public static final String PR_KRA = "kra"; + public static final String PR_TKS = "tks"; + public static final String PR_OCSP = "ocsp"; + public static final String CA_HOST = "caHostname"; + public static final String CA_PORT = "caPortnum"; + public static final String CA_TIMEOUT = "caTimeout"; + public static final String KRA_HOST = "kraHostname"; + public static final String KRA_PORT = "kraPortnum"; + public static final String KRA_TIMEOUT = "kraTimeout"; + public static final String REMOTE_KRA_ENABLED = "remoteKRA"; + + // Clone Master (CLA) + public static final String CLA_HOST = "claHostname"; + public static final String CLA_PORT = "claPortnum"; + public static final String CLA_PORT_EE = "claPortnumEE"; + public static final String CLA_TIMEOUT = "claTimeout"; + public static final String CLONE_CA = "cloning"; + public static final String PR_CLONE_SETTING_DONE = "cloneSettingDone"; + + // Data Migration + public static final 
String PR_ENABLE_MIGRATION = "migrationEnable"; + public static final String PR_OUTPUT_PATH = "outputPath"; + public static final String PR_ADD_LDIF_PATH = "addLdifPath"; + public static final String PR_MOD_LDIF_PATH = "modLdifPath"; + public static final String PR_SIGNING_KEY_MIGRATION_TOKEN = + "signingKeyMigrationToken"; + public static final String PR_SSL_KEY_MIGRATION_TOKEN = + "sslKeyMigrationToken"; + public static final String PR_SIGNING_KEY_MIGRATION_TOKEN_PASSWD = + "signingKeyMigrationTokenPasswd"; + public static final String PR_SIGNING_KEY_MIGRATION_TOKEN_SOPPASSWD = + "signingKeyMigrationTokenSOPPasswd"; + public static final String PR_SSL_KEY_MIGRATION_TOKEN_PASSWD = + "sslKeyMigrationTokenPasswd"; + public static final String PR_SSL_KEY_MIGRATION_TOKEN_SOPPASSWD = + "sslKeyMigrationTokenSOPPasswd"; + public static final String PR_NUM_MIGRATION_WARNINGS = + "numMigrationWarnings"; + public static final String PR_MIGRATION_WARNING = "migrationWarning"; + public static final String PR_CA_KEY_TYPE = "caKeyType"; + public static final String PR_LDAP_PASSWORD = "ldapPassword"; + public static final String PR_MIGRATION_PASSWORD = "migrationPassword"; + + // Key and Cert + public static final String PR_HARDWARE_SPLIT = "hardwareSplit"; + public static final String PR_TOKEN_LIST = "tokenList"; + public static final String PR_TOKEN_NAME = "tokenName"; + public static final String PR_SUBJECT_NAME = "subjectName"; + public static final String PR_CA_SUBJECT_NAME = "caSubjectName"; + public static final String PR_RA_SUBJECT_NAME = "raSubjectName"; + public static final String PR_OCSP_SUBJECT_NAME = "ocspSubjectName"; + public static final String PR_KRA_SUBJECT_NAME = "kraSubjectName"; + public static final String PR_SSL_SUBJECT_NAME = "sslSubjectName"; + public static final String PR_KEY_TYPE = "keyType"; + public static final String PR_KEY_LENGTH = "keyLength"; + public static final String PR_CERT_REQUEST = "certReq"; + public static final String PR_REQUEST_ID = 
"ReqID"; + public static final String PR_REQUEST_FORMAT = "ReqFormat"; + public static final String PR_REQUEST_PKCS10 = "PKCS10"; + public static final String PR_REQUEST_CMC = "CMC"; + public static final String PR_CERTIFICATE_TYPE = "certType"; + public static final String PR_CACERT_LOCALCA = "ca_isLocalCA"; + public static final String PR_RACERT_LOCALCA = "ra_isLocalCA"; + public static final String PR_KRACERT_LOCALCA = "kra_isLocalCA"; + public static final String PR_SSLCERT_LOCALCA = "ssl_isLocalCA"; + public static final String PR_OCSPCERT_LOCALCA = "ocsp_isLocalCA"; + public static final String PR_CERT_CONTENT_ORDER = "contentOrder"; + public static final String PR_CERTIFICATE_EXTENSION = "certificateExtension"; + public static final String CA_REQUEST_DISPLAYED = "caReqDisplayed"; + public static final String RA_REQUEST_DISPLAYED = "raReqDisplayed"; + public static final String OCSP_REQUEST_DISPLAYED = "ocspReqDisplayed"; + public static final String KRA_REQUEST_DISPLAYED = "kraReqDisplayed"; + public static final String SSL_REQUEST_DISPLAYED = "sslReqDisplayed"; + + // KRA Storage Key Generation + public static final String PR_KEY_LEN = "keyLength"; + public static final String PR_KEY_ALG = "keyAlg"; + public static final String PR_STORAGE_TOKEN_PWD = "storageTokenPwd"; + public static final String PR_STORAGE_HARDWARE = "storageHardware"; + + // KRA Agents + public static final String PR_AGENT_N = "n"; + public static final String PR_AGENT_M = "m"; + public static final String PR_AGENT_UID = "uid"; + public static final String PR_AGENT_PWD = "pwd"; + + // Token Info + public static final String PR_TOKEN_NAMES = "tokenNames"; + public static final String PR_TOKEN_INITIALIZED = "tokenInitialized"; + public static final String PR_TOKEN_LOGGED_IN = "tokenLoggedIn"; + public static final String PR_TOKEN_PASSWD = "tokenPasswd"; + public static final String PR_TOKEN_SOP = "sopPasswd"; + public static final String PR_CLONE_SUBSYSTEM = "cloneSubsystem"; + public 
static final String PR_CLONE_CA_TOKEN_NAME = "cloneCATokenName"; + public static final String PR_CLONE_OCSP_TOKEN_NAME = "cloneOCSPTokenName"; + public static final String PR_CLONE_RA_TOKEN_NAME = "cloneRATokenName"; + public static final String PR_CLONE_KRA_TOKEN_NAME = "cloneKRATokenName"; + public static final String PR_CLONE_STORAGE_TOKEN_NAME = "cloneStorageTokenName"; + public static final String PR_CLONE_SSL_TOKEN_NAME = "cloneSSLTokenName"; + public static final String PR_CLONE_CA_NICKNAME = "cloneCANickname"; + public static final String PR_CLONE_OCSP_NICKNAME = "cloneOCSPNickname"; + public static final String PR_CLONE_RA_NICKNAME = "cloneRANickname"; + public static final String PR_CLONE_KRA_NICKNAME = "cloneKRANickname"; + public static final String PR_CLONE_STORAGE_NICKNAME = "cloneStorageNickname"; + public static final String PR_CLONE_SSL_NICKNAME = "cloneSSLNickname"; + public static final String PR_TOKEN_LOGONLIST = "tokenLogonList"; + public static final String PR_TOKEN_LOGON_PWDS = "tokenLogonPasswords"; + public static final String PR_SUBSYSTEM = "subsystem"; + + // Single Signon + public static final String PR_SINGLE_SIGNON = "singleSignon"; + public static final String PR_SINGLE_SIGNON_PASSWORD = "singleSignonPwd"; + public static final String PR_SINGLE_SIGNON_PW_TAGS = "singleSignonPWTags"; + + public static final String PR_CERT_CHAIN = "certChain"; + + // Token Subsystem Info + public static final String PR_CA_TOKEN = "caToken"; + public static final String PR_RA_TOKEN = "raToken"; + public static final String PR_KRA_TOKEN = "kraToken"; + public static final String PR_SSL_TOKEN = "sslToken"; + //public static final String PR_SUBSYSTEMS = "subsystems"; + + // Key Length + public static final String PR_RSA_MIN_KEYLENGTH = "RSAMinKeyLength"; + public static final String PR_CA_KEYTYPE = "ca_keyType"; + public static final String PR_HASH_TYPE = "hashType"; + public static final String PR_NOTAFTER = "notAfter"; + public static final String 
PR_CA_O_COMPONENT = "caOComponent"; + public static final String PR_CA_C_COMPONENT = "caCComponent"; + public static final String PR_RA_O_COMPONENT = "raOComponent"; + public static final String PR_RA_C_COMPONENT = "raCComponent"; + public static final String PR_OCSP_O_COMPONENT = "ocspOComponent"; + public static final String PR_OCSP_C_COMPONENT = "ocspCComponent"; + + // Subject DN + public static final String PR_OU_COMPONENT = "OU_Component"; + public static final String PR_O_COMPONENT = "O_Component"; + public static final String PR_L_COMPONENT = "L_Component"; + public static final String PR_ST_COMPONENT = "ST_Component"; + public static final String PR_C_COMPONENT = "C_Component"; + + // CA serial number + public static final String PR_CA_SERIAL_NUMBER = "caSerialNumber"; + public static final String PR_CA_ENDSERIAL_NUMBER = "caEndSerialNumber"; + + // KRA number + public static final String PR_REQUEST_NUMBER = "requestNumber"; + public static final String PR_ENDREQUEST_NUMBER = "endRequestNumber"; + public static final String PR_SERIAL_REQUEST_NUMBER = "serialRequestNumber"; + + // Cloning + public static final String PR_CLONING_INSTANCE = "cloningInstance"; + public static final String PR_CLONE_CERTIFICATES = "clonedCertificates"; + + // Cert request + public static final String CA_EEPORT = "caEEPort"; + public static final String CA_EETYPE = "caEEType"; + + // Certificate chain + public static final String NOT_IMPORT_CHAIN = "notImportChain"; + + public static final String OVERRIDE_VALIDITY = "overrideValidity"; + + // request status: should be consistent with RequestStatus.java + public static String BEGIN_STRING = "begin"; + public static String PENDING_STRING = "pending"; + public static String APPROVED_STRING = "approved"; + public static String SVC_PENDING_STRING = "svc_pending"; + public static String CANCELED_STRING = "canceled"; + public static String REJECTED_STRING = "rejected"; + public static String COMPLETE_STRING = "complete"; + + public 
static String PR_CMS_SEED = "cmsSeed";
+
+ public static String PR_WEB_SERVERROOT = "webServerRoot";
+ public static String PR_USER_ID = "webUserId";
+
+ public static final String PR_AGREEMENT_NAME_1 = "agreementName1";
+ public static final String PR_REPLICATION_MANAGER_PASSWD_1 = "replicationManagerPwd1";
+ public static final String PR_AGREEMENT_NAME_2 = "agreementName2";
+ public static final String PR_REPLICATION_MANAGER_PASSWD_2 = "replicationManagerPwd2";
+}
diff --git a/base/common/src/com/netscape/certsrv/common/Constants.java b/base/common/src/com/netscape/certsrv/common/Constants.java
new file mode 100644
index 000000000..be9d33b4c
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/common/Constants.java
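Review bot: `PR_KEY_LEN = "keyLength"` (under "KRA Storage Key Generation") and `PR_KEY_LENGTH = "keyLength"` (under "Key and Cert") are two names for the same protocol key, so code that sets one and reads the other silently shares a value it appears not to share; either alias one to the other (`public static final String PR_KEY_LEN = PR_KEY_LENGTH;`) or document that they are intentionally identical. The run from `BEGIN_STRING` through `COMPLETE_STRING`, plus `PR_CMS_SEED`, `PR_WEB_SERVERROOT` and `PR_USER_ID`, is declared `public static String` while everything else is `public static final String`; interface fields are implicitly `public static final` either way, so this is harmless but the mixed spelling reads as if those were mutable, and one form should be used throughout. The comment "should be consistent with RequestStatus.java" flags values that can drift; if that class is reachable from this package, deriving these strings from it would remove the duplication. Several keys carry credentials (`PR_ADMIN_PASSWD`, `PR_DB_PWD`, `PR_LDAP_PASSWORD`, `PR_MIGRATION_PASSWORD`, `PR_TOKEN_PASSWD`, `PR_SINGLE_SIGNON_PASSWORD`, `PR_REPLICATION_MANAGER_PASSWD_1/2`); a one-line comment such as `// values stored under these keys are secrets; callers must not log or persist them in clear` would help any code that dumps the protocol map for debugging.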
@@ -0,0 +1,731 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.common; + +/** + * This interface contains constants that are shared + * by certificate server and its client SDK. + * + * @version $Revision$, $Date$ + */ +public interface Constants { + + /*======================================================= + * MESSAGE FORMAT CONSTANTS + *=======================================================*/ + public static final String PASSWORDTYPE = "PasswordField"; + public static final String TEXTTYPE = "TextField"; + public static final String CHECKBOXTYPE = "CheckBox"; + public static final String COMBOTYPE = "ComboBox"; + public final static String TRUE = "true"; + public final static String FALSE = "false"; + public final static String VIEW = "view"; + public final static String EDIT = "edit"; + + public final static String OP_TYPE = "OP_TYPE"; + public final static String OP_SCOPE = "OP_SCOPE"; + + //STATIC RESOURCE IDENTIFIERS + public final static String RS_ID = "RS_ID"; + public final static String RS_ID_CONFIG = "RS_ID_CONFIG"; + public final static String RS_ID_ORDER = "RS_ID_ORDER"; + + //STATIC UI TYPE + public final static String TYPE_PASSWORD = "password"; + + 
/**********************************************************
+ * PROPERTY NAME LISTED BELOW
+ **********************************************************/
+
+ /*========================================================
+ * General
+ *========================================================*/
+ public final static String PR_PORT = "port";
+ public final static String PR_SSLPORT = "sslPort";
+
+ /*========================================================
+ * Tasks
+ *========================================================*/
+ public final static String PR_SERVER_START = "start";
+ public final static String PR_SERVER_STOP = "stop";
+ public final static String PR_SERVER_RESTART = "restart";
+
+ /*========================================================
+ * Networks
+ *========================================================*/
+ public final static String PR_ADMIN_S_PORT = "admin.https.port";
+ public final static String PR_AGENT_S_PORT = "agent.https.port";
+ public final static String PR_GATEWAY_S_PORT = "gateway.https.port";
+ public final static String PR_GATEWAY_PORT = "gateway.http.port";
+ public final static String PR_DOC_ROOT = "docroot";
+ public final static String PR_ADMIN_S_BACKLOG = "admin.https.backlog";
+ public final static String PR_AGENT_S_BACKLOG = "agent.https.backlog";
+ public final static String PR_GATEWAY_S_BACKLOG = "gateway.https.backlog";
+ public final static String PR_GATEWAY_BACKLOG = "gateway.http.backlog";
+ public final static String PR_GATEWAY_PORT_ENABLED =
+ "gateway.http.enable";
+ public final static String PR_MASTER_AGENT_PORT = "master.ca.agent.port";
+ public final static String PR_MASTER_AGENT_HOST = "master.ca.agent.host";
+
+ /*========================================================
+ * SMTP
+ *========================================================*/
+ public final static String PR_SERVER_NAME = "server";
+
+ /*========================================================
+ * SNMP
+ *========================================================*/
+ public final static String PR_SNMP_ENABLED = "on";
+ public final static String PR_SNMP_MASTER_HOST = "master.host";
+ public final static String PR_SNMP_MASTER_PORT = "master.port";
+ public final static String PR_SNMP_DESC = "desc";
+ public final static String PR_SNMP_ORGN = "orgn";
+ public final static String PR_SNMP_LOC = "loc";
+ public final static String PR_SNMP_CONTACT = "contact";
+
+ /*========================================================
+ * Self Tests
+ *========================================================*/
+ public final static String PR_RUN_SELFTESTS_ON_DEMAND = "run";
+ public final static String PR_RUN_SELFTESTS_ON_DEMAND_CLASS = "class";
+ public final static String PR_RUN_SELFTESTS_ON_DEMAND_CONTENT = "runContent";
+
+ /*========================================================
+ * Users and Groups
+ *========================================================*/
+
+ //group properties
+ public final static String PR_GROUP_DESC = "desc";
+ public final static String PR_GROUP_USER = "user";
+ public final static String PR_GROUP_GROUP = "group";
+
+ //user properties
+ public final static String PR_USER_FULLNAME = "fullname";
+ public final static String PR_USER_PASSWORD = "password";
+ public final static String PR_USER_EMAIL = "email";
+ public final static String PR_USER_PHONE = "phone";
+ public final static String PR_USER_STATE = "state";
+ public final static String PR_USER_CERT = "cert";
+ public final static String PR_USER_GROUP = "groups";
+ public final static String PR_MULTIROLES = "multiroles";
+
+ /*========================================================
+ * Authentication
+ *========================================================*/
+ public final static String PR_PING = "ping";
+ public final static String PR_AUTH_CLASS = "class";
+ public final static String PR_AUTH_IMPL_NAME = "implName";
+ public final static String PR_AUTH_HOST = "ldapconn.host";
+ public final static String PR_AUTH_PORT = "ldapconn.port";
+ public final static String PR_AUTH_BASEDN = "basedn";
+ public final static String PR_AUTH_ADMIN_DN = "ldapauth.bindDN";
+ public final static String PR_AUTH_ADMIN_PWD = "ldapauth.bindPassword";
+
+ /*========================================================
+ * Job Scheduler
+ *========================================================*/
+ public final static String PR_JOBS_CLASS = "class";
+ public final static String PR_JOBS_IMPL_NAME = "implName";
+ public final static String PR_JOBS_FREQUENCY = "frequency";
+
+ /*========================================================
+ * Notification
+ *========================================================*/
+ public final static String PR_NOTIFICATION_FORM_NAME = "emailTemplate";
+ public final static String PR_NOTIFICATION_SUBJECT =
+ "emailSubject";
+ public final static String PR_NOTIFICATION_SENDER = "senderEmail";
+ public final static String PR_NOTIFICATION_RECEIVER = "recipientEmail";
+
+ /*========================================================
+ * Logs
+ *========================================================*/
+ public static final String PR_LOG_IMPL_NAME = "implName";
+ public static final String PR_EXT_PLUGIN_IMPLTYPE_LOG = "log";
+ public final static String PR_LOG_CLASS = "class";
+ public final static String PR_LOG_INSTANCE = "instanceName";
+ public final static String PR_LOG_ONE = "entry";
+ public final static String PR_LOG_ENTRY = "maxentry";
+ public final static String PR_LOG_SOURCE = "source";
+ public final static String PR_LOG_LEVEL = "level";
+ public final static String PR_LOG_ENABLED = "on";
+ public final static String PR_LOG_BUFFERSIZE = "bufferSize";
+ public final static String PR_LOG_EXPIRED_TIME = "expirationTime";
+ public final static String PR_LOG_FILENAME = "fileName";
+ public final static String PR_LOG_FLUSHINTERVAL = "flushInterval";
+ public final static String PR_LOG_MAXFILESIZE = "maxFileSize";
+ public final static String PR_LOG_ROLLEROVER_INTERVAL = "rolloverInterval";
+ public final static String PR_LOG_TYPE = "type";
+ public static final String PR_LOGSOURCE_KRA = "KRA";
+ public static final String PR_LOGSOURCE_RA = "RA";
+ public static final String PR_LOGSOURCE_CA = "CA";
+ public static final String PR_LOGSOURCE_HTTP = "HTTP";
+ public static final String PR_LOGSOURCE_DB = "DB";
+ public static final String PR_LOGSOURCE_AUTH = "AUTH";
+ public static final String PR_LOGSOURCE_ADMIN = "ADMIN";
+ public static final String PR_LOG_NAME = "logname";
+ public static final String PR_CURRENT_LOG = "current";
+
+ public static final String PR_AUTO_CRL = "auto";
+ public static final String PR_LOG_SIGNED_AUDIT = "SignedAudit";
+ public static final String PR_LOG_TRANSACTIONS = "Transactions";
+ public static final String PR_LOG_SYSTEM = "System";
+
+ public static final String PR_DEBUG_LOG_SHOWCALLER = "debug.showcaller";
+ public static final String PR_DEBUG_LOG_ENABLE = "debug.enabled";
+ public static final String PR_DEBUG_LOG_LEVEL = "debug.level";
+
+ /*========================================================
+ * LDAP Publishing
+ *========================================================*/
+
+ // publishing properties
+ public final static String PR_BASIC_AUTH = "BasicAuth";
+ public final static String PR_SSL_AUTH = "SslClientAuth";
+ public final static String PR_AUTH_TYPE = "ldapauth.authtype";
+ public final static String PR_BINDPWD_PROMPT = "ldapauth.bindPWPrompt";
+ public final static String PR_CERT_NAMES = "ldapauth.nicknames";
+ public final static String PR_LDAP_CLIENT_CERT = "ldapauth.clientCertNickname";
+ public final static String PR_DIRECTORY_MANAGER_PWD = "directoryManagerPwd";
+
+ // crl settings
+ public final static String PR_ENABLE_CRL = "enableCRLUpdates";
+ public final static String PR_UPDATE_SCHEMA = "updateSchema";
+ public final static String PR_EXTENDED_NEXT_UPDATE = "extendedNextUpdate";
+ public final static String PR_UPDATE_ALWAYS = "alwaysUpdate";
+ public final static String PR_ENABLE_DAILY = "enableDailyUpdates";
+ public final static String PR_DAILY_UPDATES = "dailyUpdates";
+ public final static String PR_ENABLE_FREQ = "enableUpdateInterval";
+ public final static String PR_UPDATE_FREQ = "autoUpdateInterval";
+ public final static String PR_GRACE_PERIOD = "nextUpdateGracePeriod";
+ public final static String PR_ENABLE_CACHE = "enableCRLCache";
+ public final static String PR_CACHE_FREQ = "cacheUpdateInterval";
+ public final static String PR_CACHE_RECOVERY = "enableCacheRecovery";
+ public final static String PR_CACHE_TESTING = "enableCacheTesting";
+ public final static String PR_EXTENSIONS = "allowExtensions";
+ public final static String PR_INCLUDE_EXPIREDCERTS = "includeExpiredCerts";
+ public final static String PR_INCLUDE_EXPIREDCERTS_ONEEXTRATIME = "includeExpiredCertsOneExtraTime";
+ public final static String PR_CA_CERTS_ONLY = "caCertsOnly";
+ public final static String PR_PROFILE_CERTS_ONLY = "profileCertsOnly";
+ public final static String PR_PROFILE_LIST = "profileList";
+ public final static String PR_SIGNING_ALGORITHM = "signingAlgorithm";
+ public final static String PR_MD2_RSA = "MD2withRSA";
+ public final static String PR_MD5_RSA = "MD5withRSA";
+ public final static String PR_SHA1_RSA = "SHA1withRSA";
+ public final static String PR_SHA1_DSA = "SHA1withDSA";
+ public final static String PR_DESCRIPTION = "description";
+ public final static String PR_CLASS = "class";
+
+ // ldap settings
+ public final static String PR_ENABLE = "enable";
+ public final static String PR_PUBLISHING_ENABLE = "publishingEnable";
+ public final static String PR_HOST_NAME = "ldapconn.host";
+ public final static String PR_SECURE_PORT_ENABLED = "ldapconn.secureConn";
+ public final static String PR_LDAP_PORT = "ldapconn.port";
+ public final static String PR_LDAP_VERSION = "ldapconn.version";
+ public final static String PR_BIND_DN = "ldapauth.bindDN";
+ public final static String PR_BIND_PASSWD = "ldapauth.bindPassword";
+ public final static String PR_BIND_PASSWD_AGAIN = "bindPasswdAgain";
+ public final static String PR_LDAP_MAX_CONNS = "maxConns";
+ public final static String PR_LDAP_MIN_CONNS = "minConns";
+ public final static String PR_PUBLISHING_QUEUE_ENABLE = "queue.enable";
+ public final static String PR_PUBLISHING_QUEUE_THREADS = "queue.maxNumberOfThreads";
+ public final static String PR_PUBLISHING_QUEUE_PAGE_SIZE = "queue.pageSize";
+ public final static String PR_PUBLISHING_QUEUE_PRIORITY = "queue.priorityLevel";
+ public final static String PR_PUBLISHING_QUEUE_STATUS = "queue.saveStatus";
+
+ public final static String PR_BASE_DN = "baseDN";
+ public final static String PR_DNCOMPS = "dnComps";
+ public final static String PR_FILTERCOMPS = "filterComps";
+
+ // ldap connection test
+ public final static String PR_CONN_INITED = "connInited";
+ public final static String PR_CONN_INIT_FAIL = "connInitFail";
+ public final static String PR_CONN_OK = "connOk";
+ public final static String PR_CONN_FAIL = "connFail";
+ public final static String PR_AUTH_OK = "authOk";
+ public final static String PR_AUTH_FAIL = "authFail";
+ public final static String PR_SAVE_OK = "saveOk";
+ public final static String PR_SAVE_NOT = "saveOrNot";
+
+ /*========================================================
+ * Plugin
+ *========================================================*/
+ public final static String PR_PLUGIN_IMP = "imp";
+ public final static String PR_PLUGIN_INSTANCE = "instance";
+
+ /*========================================================
+ * Policy
+ *========================================================*/
+ public final static String PR_POLICY_CLASS = "class";
+ public final static String PR_POLICY_IMPL_NAME = "implName";
+ public final static String PR_CRLDP_NAME = "crldpName";
+ public final static String PR_POLICY_DESC = "desc";
+ public final static String PR_POLICY_ORDER = "order";
+ public final static String PR_POLICY_ENABLE = "enable";
+ public final static String PR_POLICY_PREDICATE = "predicate";
+
+ /*========================================================
+ * Publish
+ *========================================================*/
+ public final static String PR_PUBLISHER = "publisher";
+ public final static String PR_PUBLISHER_CLASS = "class";
+ public final static String PR_PUBLISHER_IMPL_NAME = "implName";
+ public final static String PR_PUBLISHER_DESC = "desc";
+ public final static String PR_PUBLISHER_ORDER = "order";
+ public final static String PR_PUBLISHER_ENABLE = "enable";
+
+ public final static String PR_MAPPER = "mapper";
+ public final static String PR_MAPPER_CLASS = "class";
+ public final static String PR_MAPPER_IMPL_NAME = "implName";
+ public final static String PR_MAPPER_DESC = "desc";
+ public final static String PR_MAPPER_ORDER = "order";
+ public final static String PR_MAPPER_ENABLE = "enable";
+
+ public final static String PR_RULE = "rule";
+ public final static String PR_RULE_CLASS = "class";
+ public final static String PR_RULE_IMPL_NAME = "implName";
+ public final static String PR_RULE_DESC = "desc";
+ public final static String PR_RULE_ORDER = "order";
+ public final static String PR_RULE_ENABLE = "enable";
+
+ public final static String PR_CRLEXT = "crlExt";
+ public final static String PR_CRLEXT_CLASS = "class";
+ public final static String PR_CRLEXT_IMPL_NAME = "implName";
+ public final static String PR_CRLEXT_DESC = "desc";
+ public final static String PR_CRLEXT_ORDER = "order";
+ public final static String PR_CRLEXT_ENABLE = "enable";
+
+ public final static String PR_OCSPSTORE_IMPL_NAME = "implName";
+
+ /*========================================================
+ * Registration Authority
+ *========================================================*/
+ public final static String PR_EE_ENABLED = "eeEnabled";
+ public final static String PR_OCSP_ENABLED = "ocspEnabled";
+ public final static String PR_RA_ENABLED = "raEnabled";
+ public final static String PR_RENEWAL_ENABLED = "renewal.enabled";
+ public final static String PR_RENEWAL_VALIDITY = "renewal.validity";
+ public final static String PR_RENEWAL_EMAIL = "renewal.email";
+ public final static String PR_RENEWAL_EXPIREDNOTIFIEDENABLED =
+ "renewal.expired.notification.enabled";
+ public final static String PR_RENEWAL_NUMNOTIFICATION =
+ "renewal.numNotification";
+ public final static String PR_RENEWAL_INTERVAL = "renewal.interval";
+ public final static String PR_SERVLET_CLASS = "class";
+ public final static String PR_SERVLET_URI = "uri";
+ public final static String PR_IMPL_NAME = "implName";
+ public final static String PR_LOCAL = "local";
+ public final static String PR_ID = "id";
+ public final static String PR_HOST = "host";
+ public final static String PR_URI = "uri";
+ public final static String PR_ENABLED = "enable";
+
+ /*========================================================
+ * Certificate Authority
+ *========================================================*/
+ public final static String PR_VALIDITY = "validity";
+ public final static String PR_DEFAULT_ALGORITHM = "defaultSigningAlgorithm";
+ public final static String PR_ALL_ALGORITHMS = "allSigningAlgorithms";
+ public final static String PR_SERIAL = "startSerialNumber";
+ public final static String PR_MAXSERIAL = "maxSerialNumber";
+
+ /*========================================================
+ * Access Control
+ *========================================================*/
+ public final static String PR_ACL_OPS = "aclOperations";
+ public final static String PR_ACI = "aci";
+ public final static String PR_ACL_CLASS = "class";
+ public final static String PR_ACL_DESC = "desc";
+ public final static String PR_ACL_RIGHTS = "rights";
+
+ /*========================================================
+ * Key Recovery
+ *========================================================*/
+ public final static String PR_AUTO_RECOVERY_ON = "autoRecoveryOn";
+ public final static String PR_RECOVERY_N = "recoveryN";
+ public final static String PR_RECOVERY_M = "recoveryM";
+ public final static String PR_OLD_RECOVERY_AGENT = "oldRecoveryAgent";
+ public final static String PR_RECOVERY_AGENT = "recoveryAgent";
+ public final static String PR_OLD_AGENT_PWD = "oldAgentPwd";
+ public final static String PR_AGENT_PWD = "agentPwd";
+ public final static String PR_NO_OF_REQUIRED_RECOVERY_AGENTS = "noOfRequiredRecoveryAgents";
+
+ /*========================================================
+ * Status
+ *========================================================*/
+ public final static String PR_STAT_STARTUP = "startup";
+ public final static String PR_STAT_TIME = "time";
+ public final static String PR_STAT_VERSION = "cms.version";
+ public final static String PR_STAT_INSTALLDATE = "installDate";
+ public final static String PR_STAT_INSTANCEID = "instanceId";
+
+ /*========================================================
+ * Server Instance
+ *========================================================*/
+ public final static String PR_INSTALL = "install";
+ public final static String PR_INSTANCES_INSTALL = "instancesInstall";
+ public final static String PR_CA_INSTANCE = "ca";
+ public final static String PR_OCSP_INSTANCE = "ocsp";
+ public final static String PR_RA_INSTANCE = "ra";
+ public final static String PR_KRA_INSTANCE = "kra";
+ public final static String PR_TKS_INSTANCE = "tks";
+
+ /*
+ * Certificate info
+ */
+ public final static String PR_CA_SIGNING_NICKNAME = "caSigningCert";
+ public final static String PR_PKCS10 = "pkcs10";
+ public final static String PR_CERT_SUBJECT_NAME = "certSubjectName";
+ public final static String PR_ISSUER_NAME = "issuerName";
+ public final static String PR_SERIAL_NUMBER = "serialNumber";
+ public final static String PR_BEFORE_VALIDDATE = "beforeValidDate";
+ public final static String PR_AFTER_VALIDDATE = "afterValidDate";
+ public final static String PR_CERT_FINGERPRINT = "certFingerPrint";
+ public final static String PR_SIGNATURE_ALGORITHM = "signatureAlg";
+ public final static String PR_ALGORITHM_ID = "algorithmId";
+ public final static String PR_NICKNAME = "nickname";
+ public final static String PR_ADD_CERT = "addCert";
+ public final static String PR_CERT_CONTENT = "certContent";
+
+ /*
+ * Certificate type
+ */
+ public final static String PR_CERTIFICATE_TYPE = "certType";
+ public final static String PR_CERTIFICATE_SUBTYPE = "certSubType";
+ public final static String PR_CA_SIGNING_CERT = "caSigningCert";
+ public final static String PR_RA_SIGNING_CERT = "raSigningCert";
+ public final static String PR_OCSP_SIGNING_CERT = "ocspSigningCert";
+ public final static String PR_KRA_TRANSPORT_CERT = "kraTransportCert";
+ public final static String PR_SERVER_CERT = "serverCert";
+ public final static String PR_SUBSYSTEM_CERT = "subsystemCert";
+ public final static String PR_SERVER_CERT_RADM = "serverCertRadm";
+ public final static String PR_CROSS_CERT = "crossCert";
+ public final static String PR_OTHER_CERT = "otherCert";
+ public final static String PR_SERVER_CERT_CHAIN = "serverCertChain";
+ public final static String PR_TRUSTED_CA_CERT = "trustedCACert";
+ public final static String PR_TRUSTED_CERT = "trustedCert";
+ public final static String PR_AUDIT_SIGNING_CERT = "auditSigningCert";
+
+ /*
+ * Extensions
+ */
+ public final static String PR_VALIDITY_PERIOD = "validityPeriod";
+ public final static String PR_BEGIN_YEAR = "beginYear";
+ public final static String PR_BEGIN_MONTH = "beginMonth";
+ public final static String PR_BEGIN_DATE = "beginDate";
+ public final static String PR_BEGIN_HOUR = "beginHour";
+ public final static String PR_BEGIN_MIN = "beginMin";
+ public final static String PR_BEGIN_SEC = "beginSec";
+ public final static String PR_AFTER_YEAR = "afterYear";
+ public final static String PR_AFTER_MONTH = "afterMonth";
+ public final static String PR_AFTER_DATE = "afterDate";
+ public final static String PR_AFTER_HOUR = "afterHour";
+ public final static String PR_AFTER_MIN = "afterMin";
+ public final static String PR_AFTER_SEC = "afterSec";
+ public final static String PR_AIA = "aia";
+ public final static String PR_AKI = "aki";
+ public final static String PR_OCSP_SIGNING = "ocspSigning";
+ public final static String PR_OCSP_NOCHECK = "ocspNoCheck";
+ public final static String PR_SKI = "ski";
+ public final static String PR_KEY_USAGE = "keyUsage";
+ public final static String PR_DER_EXTENSION = "derExtension";
+ public final static String PR_IS_CA = "isCA";
+ public final static String PR_CERT_LEN = "certLen";
+ public final static String PR_SSL_CLIENT_BIT = "sslClientBit";
+ public final static String PR_SSL_SERVER_BIT = "sslServerBit";
+ public final static String PR_SSL_MAIL_BIT = "sslMailBit";
+ public final static String PR_SSL_CA_BIT = "sslCABit";
+ public final static String PR_OBJECT_SIGNING_BIT = "objectSigningBit";
+ public final static String PR_MAIL_CA_BIT = "mailCABit";
+ public final static String PR_OBJECT_SIGNING_CA_BIT = "objectSigningCABit";
+ public final static String PR_TIMESTAMPING_BIT = "timeStampingBit";
+ public final static String PR_CA_KEYID = "caKeyid";
+ public final static String PR_CA_KEYPAIR = "caKeyPair";
+
+ /**
+ * Trust database
+ */
+ public final static String PR_TRUST = "trust";
+
+ /*========================================================
+ * Security
+ *========================================================*/
+
+ //functionality
+ public final static String PR_CERT_SERVER = "SERVER";
+ public final static String PR_CERT_ADMIN = "ADMIN";
+ public final static String PR_CERT_AGENT = "AGENT";
+ public final static String PR_CERT_EE = "EE";
+ public final static String PR_CERT_CA = "CA";
+ public final static String PR_CERT_RA = "RA";
+ public final static String PR_CERT_POA = "POA";
+ public final static String PR_CERT_TRANS = "TRANS";
+
+ // key and certificate management
+ public final static String PR_OPERATION_TYPE = "operationtype";
+ public final static String PR_INSTALL_TYPE = "install";
+ public final static String PR_REQUEST_TYPE = "request";
+ //public final static String PR_CA_SIGNING_CERT = "cacert";
+ //public final static String PR_SERVER_CERT = "servercert";
+ public final static String PR_CLIENT_CERT = "clientcert";
+ public final static String PR_FULL_INTERNAL_TOKEN_NAME = "Internal Key Storage Token";
+ public final static String PR_INTERNAL_TOKEN_NAME =
+ "internal";
+ public final static String PR_TOKEN_NAME = "tokenName";
+ public final static String PR_TOKEN_PASSWD = "tokenPwd";
+ public final static String PR_KEY_LENGTH = "keyLength";
+ public final static String PR_KEY_CURVENAME = "keyCurveName";
+ public static final String PR_SIGNEDBY_TYPE = "signedBy";
+ public final static String PR_KEY_TYPE = "keyType";
+ public final static String PR_PQGPARAMS = "pqgParams";
+ public final static String PR_CERT_REQUEST = "certReq";
+ public final static String PR_CERT_REQUEST_DIR = "certReqDir";
+ public final static String PR_CERT_CONFIG_DIR = "certConfigDir";
+ public final static String PR_IMPORT_CERT = "importCert";
+ public final static String PR_SUBJECT_NAME = "subjectName";
+ public final static String PR_CSR = "csr";
+
+ //encryption
+
+ /* Cipher Version: domestic or export */
+ public final static String PR_CIPHER_VERSION = "cipherversion";
+ public final static String PR_CIPHER_VERSION_DOMESTIC = "cipherdomestic";
+ public final static String PR_CIPHER_VERSION_EXPORT = "cipherexport";
+
+ /* Cipher Fortezza: true, false */
+ public final static String PR_CIPHER_FORTEZZA = "cipherfortezza";
+
+ /* Token and Certificates */
+ public final static String PR_TOKEN_LIST = "tokenlist";
+ public final static String PR_TOKEN_PREFIX = "token_";
+ public final static String PR_INTERNAL_TOKEN = "internal";
+ public final static String PR_KEY_LIST = "keylist";
+
+ /* SSL Cipher Preferences */
+ public final static String PR_CIPHER_PREF = "cipherpref";
+
+ /* SSL EC Type */
+ public final static String PR_ECTYPE = "ectype";
+
+ /* values for SSL cipher preferences */
+ public final static String PR_SSL2_RC4_128_WITH_MD5 = "rc4";
+ public final static String PR_SSL2_RC4_128_EXPORT40_WITH_MD5 = "rc4export";
+ public final static String PR_SSL2_RC2_128_CBC_WITH_MD5 = "rc2";
+ public final static String PR_SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 = "rc2export";
+ public final static String PR_SSL2_DES_64_CBC_WITH_MD5 = "des";
+ public final static String PR_SSL2_DES_192_EDE3_CBC_WITH_MD5 = "desede3";
+ public final static String PR_SSL3_RSA_WITH_NULL_MD5 = "rsa_null_md5";
+ public final static String PR_SSL3_RSA_EXPORT_WITH_RC4_40_MD5 = "rsa_rc4_40_md5";
+ public final static String PR_SSL3_RSA_WITH_RC4_128_MD5 = "rsa_rc4_128_md5";
+ public final static String PR_SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = "rsa_rc2_40_md5";
+ public final static String PR_SSL3_RSA_WITH_DES_CBC_SHA = "rsa_des_sha";
+ public final static String PR_SSL3_RSA_WITH_3DES_EDE_CBC_SHA = "rsa_3des_sha";
+ public final static String PR_SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA = "fortezza";
+ public final static String PR_SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA = "fortezza_rc4_128_sha";
+ public final static String PR_SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = "rsa_fips_3des_sha";
+ public final static String PR_SSL_RSA_FIPS_WITH_DES_CBC_SHA = "rsa_fips_des_sha";
+ public final static String PR_TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = "tls_rsa_rc4_56_sha";
+ public final static String PR_TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = "tls_rsa_des_sha";
+
+ /*========================================================
+ * Watchdog and Server State Messages
+ *========================================================*/
+
+ public final static String SERVER_STARTUP_WARNING_MESSAGE = "CMS Warning: ";
+ public final static String SERVER_STARTUP_MESSAGE = "Server is started.";
+ public final static String SERVER_SHUTDOWN_MESSAGE = "Shutting down.";
+ public final static String SERVER_SHUTDOWN_ERROR_MESSAGE = "Error Starting CMS: ";
+ public final static String SERVER_SHUTDOWN_EXTENDED_ERROR_MESSAGE = "Extended error information: ";
+
+ /*============================================================
+ * THE FOLLOWING LIST WILL BE REMOVED
+ *============================================================*/
+
+ // parameter types
+ public final static String PT_OP = "op";
+ public final static String PT_MOD_TYPE = "modType";
+ public final static String PT_MOD_OP = "modOp";
+ public final static String MOD_REPLACE = "modOpReplace";
+ public final static String MOD_ADD = "modOpAdd";
+ public final static String MOD_DELETE = "modOpDelete";
+ public final static String PT_MOD_VALUE = "modValue";
+
+ // generic operations
+ public final static String OP_SET = "set";
+ public final static String OP_GET = "get";
+ public final static String OP_LIST = "list";
+
+ // certificate server operations
+ public final static String CERTSRV_ID = "certsrv";
+
+ public final static String PT_PORT = "http.http.port";
+ public final static String PT_SSL_PORT = "http.https.port";
+ public final static String PT_MAPPING = "mapping";
+ public final static String PT_DN = "dn";
+
+ public final static String PV_SYSTEM_ADMINISTRATORS =
+ "SystemAdministrators";
+ public final static String PV_CERTIFICATE_ADMINISTRATORS =
+ "CertificateAdministrators";
+
+ public final static String OP_AUTHENTICATE = "authenticate";
+ public final static String OP_RESTART = "restart";
+ public final static String OP_STOP = "stop";
+
+ // access manager operation
+ public final static String PT_ACLS = "acls";
+ public final static String OP_GET_ACLS = "getACLs";
+
+ // authentication operations
+ public final static String AUTH_ID = "auth";
+ public final static String OP_FIND_USERS = "findUsers";
+ public final static String OP_FIND_GROUPS = "findGroups";
+ public final static String OP_GET_USER = "getUser";
+ public final static String OP_GET_GROUP = "getGroup";
+ public final static String OP_ADD_USER = "addUser";
+ public final static String OP_ADD_GROUP = "addGroup";
+ public final static String OP_MODIFY_USER = "modifyUser";
+ public final static String OP_MODIFY_GROUP = "modifyGroup";
+
+ public final static String PT_USER = "user";
+ public final static String PT_GROUP = "group";
+
+ // common operations
+ public final static String OP_LOCK_REQUEST = "lockRequest";
+ public final static String OP_MODIFY_REQUEST = "modifyRequest";
+ public final static String OP_EXECUTE_REQUEST = "executeRequest";
+ public final static String OP_ACCEPT_REQUEST = "acceptRequest";
+ public final static String OP_REJECT_REQUEST = "rejectRequest";
+ public final static String OP_CANCEL_REQUEST = "cancelRequest";
+
+ // certificate authority operations
+ public final static String PT_PUBLISH_DN = "ldappublish.ldap.admin-dn";
+ public final static String PT_PUBLISH_PWD =
+ "ldappublish.ldap.admin-password";
+ public final static String PT_PUBLISH_FREQ =
+ "crl.crl0.autoUpdateInterval";
+ public final static String PT_SERIALNO = "serialno";
+ public final static String PT_NAMES = "names";
+ public final static String PT_CERTIFICATES = "certificates";
+ public final static String PT_CERT_RECORDS = "certRecords";
+ public final static String PT_REQUESTS = "requests";
+ public final static String PT_REQUEST = "request";
+ public final static String PT_EXTENSIONS = "extensions";
+ public final static String PT_FILTER = "filter";
+ public final static String PT_ATTRS = "attrs";
+ public final static String PT_RESULT_ID = "resultId";
+ public final static String PT_START_NO = "startNo";
+ public final static String PT_END_NO = "endNo";
+ public final static String PT_SIZE = "size";
+ public final static String PT_RELEASE = "release";
+ public final static String PT_CERTREC = "certrec";
+ public final static String PT_COMMENT = "comment";
+ public final static String PT_REASON_NO = "reasonNo";
+
+ public final static String OP_CRL_PUBLISH = "publish_now";
+ public final static String OP_FIND_CERTIFICATES = "findCertificates";
+ public final static String OP_FIND_CERT_RECORDS = "findCertRecords";
+ public final static String OP_FIND_REQUESTS = "findRequests";
+ public final static String OP_LOCK_CERT_RECORD = "lockCertRecord";
+ public final static String OP_MODIFY_CERT_RECORD = "modifyCertRecord";
+ public final static String OP_GET_EXTENSIONS = "getExtensions";
+ public final static String OP_REVOKE_CERT = "revokeCert";
+ public final static String OP_RENEW_CERT = "renewCert";
+ public final static String OP_GET_CACERT_CHAIN = "getCACertChain";
+
+ // escrow authority operations
+ public final static String PT_OLD_PASSWORD = "oldpassword";
+ public final static String PT_NEW_PASSWORD = "newpassword";
+ public final static String PT_KEY_RECORD = "keyRecord";
+
+ public final static String OP_FIND_KEY_RECORDS = "findKeyRecords";
+ public final static String OP_LOCK_KEY_RECORD = "lockKeyRecord";
+ public final static String OP_MODIFY_KEY_RECORD = "modifyKeyRecord";
+ public final static String OP_RECOVER_KEY = "recoverKey";
+
+ // centralized cetificate management operations
+ public final static String PT_NOTIF_EMAIL = "notificationEmail";
+ public final static String PT_NOTIF_ENABLE = "notificationEnable";
+ public final static String PT_NOTIF_EXPIRE = "notificationExpiration";
+ public final static String PT_NOTIF_RENEWAL = "notificationRewnewal";
+ public final static String PT_DIST_STORE = "storeUserPassword";
+ public final static String PT_DIST_EMAIL = "emailUserPassword";
+ public final static String PT_REQUEST_LOG = "requestLog";
+ public final static String PT_ACCESS_LOG = "accessLog";
+ public final static String PT_ERROR_LOG = "errorLog";
+ public final static String PR_NT_EVENT_SOURCE = "NTEventSourceName";
+ public final static String PR_NT_LOG_LEVEL = "level";
+ public final static String PR_NT_LOG_ENABLED = "on";
+
+ public final static String OP_GET_ACCESS_LOG = "getAccessLog";
+ public final static String OP_GET_ERROR_LOG = "getErrorLog";
+ public final static String OP_GET_REQUEST_LOG = "getRequestLog";
+
+ public final static String PR_NICK_NAME = "nickName"; // capital N
+ public final static String PR_LOGGED_IN = "isLoggedIn";
+
+ // User Type
+ public final static String PR_USER_TYPE = "userType";
+ public final static String PR_ADMIN_TYPE = "adminType";
+ public final static String PR_AGENT_TYPE = "agentType";
+ public final static String PR_SUBSYSTEM_TYPE = "subsystemType";
+
+ // Extended plugin information
+ public final static String PR_EXT_PLUGIN_IMPLNAME = "implName";
+ public final static String PR_EXT_PLUGIN_IMPLTYPE = "implType";
+ public final static String PR_EXT_PLUGIN_IMPLTYPE_POLICY = "policy";
+ public final static String PR_EXT_PLUGIN_IMPLTYPE_JOBS = "jobs";
+ public final static String PR_EXT_PLUGIN_IMPLTYPE_AUTH = "auth";
+ public final static String PR_EXT_PLUGIN_IMPLTYPE_LISTENER = "listener";
+ public final static String PR_EXT_PLUGIN_IMPLTYPE_PUBLISHRULE = "publishrule";
+ public final static String PR_EXT_PLUGIN_IMPLTYPE_PUBLISHER = "publisher";
+ public final static String PR_EXT_PLUGIN_IMPLTYPE_MAPPER = "mapperrule";
+ public final static String PR_EXT_PLUGIN_IMPLTYPE_CRLEXTSRULE = "crlExtensions";
+ public final static String PR_EXT_PLUGIN_IMPLTYPE_OCSPSTORESRULE = "ocspStores";
+
+ // Miscellaneous
+ public final static String PR_CERT_FILEPATH = "certFilePath";
+ public final static String PR_SERVER_ROOT = "serverRoot";
+ public final static String PR_SERVER_ID = "serverID";
+ public final static String PR_NT = "NT";
+ public final static String PR_TIMEOUT = "timeout";
+ public final static String PR_ALL_NICKNAMES = "allNicknames";
+
+ // request status
+ public final static String PR_REQUEST_SUCCESS = "2";
+ public final static String PR_REQUEST_PENDING = "3";
+ public final static String PR_REQUEST_SVC_PENDING = "4";
+ public final static String PR_REQUEST_REJECTED = "5";
+
+ //Profile
+ public final static String PR_CONSTRAINTS_LIST = "constraintPolicy";
+
+ //Replication
+ public final static String PR_REPLICATION_ENABLED = "replication.enabled";
+ public final static String PR_REPLICATION_AGREEMENT_NAME_1 = "replication.master1.name";
+ public final static String PR_REPLICATION_HOST_1 = "replication.master1.hostname";
+ public final static String PR_REPLICATION_PORT_1 = "replication.master1.port";
+ public final static String PR_REPLICATION_BINDDN_1 = "replication.master1.binddn";
+ public final static String PR_REPLICATION_CHANGELOGDB_1 = "replication.master1.changelogdb";
+ public final static String PR_REPLICATION_AGREEMENT_NAME_2 = "replication.master2.name";
+ public final static String PR_REPLICATION_HOST_2 = "replication.master2.hostname";
+ public final static String PR_REPLICATION_PORT_2 = "replication.master2.port";
+ public final static String PR_REPLICATION_BINDDN_2 = "replication.master2.binddn";
+ public final static String PR_REPLICATION_CHANGELOGDB_2 = "replication.master2.changelogdb";
+}
diff --git a/base/common/src/com/netscape/certsrv/common/DestDef.java b/base/common/src/com/netscape/certsrv/common/DestDef.java
new file mode 100644
index 000000000..273e6af05
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/common/DestDef.java
@@ -0,0 +1,56 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.common; + +/** + * This interface defines all the operation destination + * used in the administration protocol between the + * console and the server. + * + * @version $Revision$, $Date$ + */ +public interface DestDef { + + public final static String DEST_CA_ADMIN = "caadmin"; + public final static String DEST_OCSP_ADMIN = "ocsp"; + public final static String DEST_RA_ADMIN = "ra"; + public final static String DEST_KRA_ADMIN = "kra"; + public final static String DEST_CA_SERVLET_ADMIN = "caservlet"; + public final static String DEST_KRA_SERVLET_ADMIN = "kraservlet"; + public final static String DEST_RA_SERVLET_ADMIN = "raservlet"; + public final static String DEST_REGISTRY_ADMIN = "registry"; + public final static String DEST_CA_PROFILE_ADMIN = "caprofile"; + public final static String DEST_RA_PROFILE_ADMIN = "raprofile"; + public final static String DEST_CA_POLICY_ADMIN = "capolicy"; + public final static String DEST_RA_POLICY_ADMIN = "rapolicy"; + public final static String DEST_KRA_POLICY_ADMIN = "krapolicy"; + public final static String DEST_LOG_ADMIN = "log"; + public final static String DEST_GROUP_ADMIN = "ug"; + public final 
static String DEST_USER_ADMIN = "ug"; + public final static String DEST_AUTH_ADMIN = "auths"; + public final static String DEST_JOBS_ADMIN = "jobsScheduler"; + public final static String DEST_NOTIFICATION_ADMIN = "notification"; + public final static String DEST_SERVER_ADMIN = "server"; + public final static String DEST_ACL_ADMIN = "acl"; + public final static String DEST_CA_PUBLISHER_ADMIN = "capublisher"; + public final static String DEST_RA_PUBLISHER_ADMIN = "rapublisher"; + public final static String DEST_CA_MAPPER_ADMIN = "camapper"; + public final static String DEST_RA_MAPPER_ADMIN = "ramapper"; + public final static String DEST_CA_RULE_ADMIN = "carule"; + public final static String DEST_RA_RULE_ADMIN = "rarule"; +} diff --git a/base/common/src/com/netscape/certsrv/common/NameValuePairs.java b/base/common/src/com/netscape/certsrv/common/NameValuePairs.java new file mode 100644 index 000000000..0999db7bc --- /dev/null +++ b/base/common/src/com/netscape/certsrv/common/NameValuePairs.java 
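Review bot: `DEST_GROUP_ADMIN` and `DEST_USER_ADMIN` are both defined as `"ug"` and nothing in the file says whether that is intended, so a later reader may take it for a copy-paste slip and "fix" one of them, which would change the destination the console addresses for user or group administration. A one-line comment above the pair, `// users and groups are administered through the same "ug" destination`, would pin the intent. The class Javadoc could also state that destination strings are shared between console and server and must not be changed without updating both ends.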
@@ -0,0 +1,82 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.common;
+
+import java.util.LinkedHashMap;
+import java.util.StringTokenizer;
+
+/**
+ * A class represents an ordered list of name
+ * value pairs.
+ *
+ * @version $Revision$, $Date$
+ */
+public class NameValuePairs extends LinkedHashMap {
+
+    private static final long serialVersionUID = 1494507857048437440L;
+
+    /**
+     * Constructs name value pairs.
+     */
+    public NameValuePairs() {
+    }
+
+    /**
+     * Show the content of this name value container as
+     * string representation.
+     *
+     * @return string representation
+     */
+    public String toString() {
+        StringBuffer buf = new StringBuffer();
+
+        for (String name : keySet()) {
+            String value = get(name);
+
+            buf.append(name + "=" + value);
+            buf.append("\n");
+        }
+
+        return buf.toString();
+    }
+
+    /**
+     * Parses a string into name value pairs.
+     *
+     * @param s string
+     * @param nvp name value pairs
+     * @return true if successful
+     */
+    public static boolean parseInto(String s, NameValuePairs nvp) {
+        StringTokenizer st = new StringTokenizer(s, "&");
+
+        while (st.hasMoreTokens()) {
+            String t = st.nextToken();
+            int i = t.indexOf("=");
+
+            if (i == -1) {
+                return false;
+            }
+            String n = t.substring(0, i);
+            String v = t.substring(i + 1);
+
+            nvp.put(n, v);
+        }
+        return true;
+    }
+}
diff --git a/base/common/src/com/netscape/certsrv/common/OpDef.java b/base/common/src/com/netscape/certsrv/common/OpDef.java
new file mode 100644
index 000000000..22a974e12
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/common/OpDef.java
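Review bot: `parseInto` returns false on the first token without `=`, but the pairs parsed before that token have already been stored in `nvp`, so a caller that ignores the return value or reuses the map treats partially parsed input as valid. Either document it, `@return true if successful; on false, nvp holds the pairs parsed before the malformed token`, or remove the pairs added so far before returning false. The parser also performs no URL-decoding and lets a repeated name silently overwrite the earlier value (last wins); both are worth stating in the Javadoc because the `a=b&c=d` format looks like a query string and readers will assume query-string semantics. Minor: `toString()` can use `StringBuilder` instead of the synchronized `StringBuffer`.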
@@ -0,0 +1,38 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.common; + +/** + * This interface defines all the administration operations + * used in the administration protocol between the console + * and the server. + * + * @version $Revision$, $Date$ + */ +public interface OpDef { + + public final static String OP_ADD = "OP_ADD"; + public final static String OP_DELETE = "OP_DELETE"; + public final static String OP_MODIFY = "OP_MODIFY"; + public final static String OP_READ = "OP_READ"; + public final static String OP_SEARCH = "OP_SEARCH"; + public final static String OP_AUTH = "OP_AUTH"; + public final static String OP_JOBS = "OP_JOBS"; + public final static String OP_PROCESS = "OP_PROCESS"; + public final static String OP_VALIDATE = "OP_VALIDATE"; +} diff --git a/base/common/src/com/netscape/certsrv/common/PrefixDef.java b/base/common/src/com/netscape/certsrv/common/PrefixDef.java new file mode 100644 index 000000000..833847d05 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/common/PrefixDef.java 
@@ -0,0 +1,40 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.common; + +/** + * This interface defines all the prefix tags + * used in the administration protocol between + * the console and the server. + * + * @version $Revision$, $Date$ + */ +public interface PrefixDef { + + //user and group + public final static String PX_GROUP = "group"; + public final static String PX_USER = "user"; + public final static String PX_CERT = "cert"; + public final static String PX_SYS = "SYS_"; + public final static String PX_DEF = "DEF_"; + public final static String PX_PP = "CERT_PP"; + + //log content + public final static String PX_LOG = "log"; + +} diff --git a/base/common/src/com/netscape/certsrv/common/ScopeDef.java b/base/common/src/com/netscape/certsrv/common/ScopeDef.java new file mode 100644 index 000000000..f29067f51 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/common/ScopeDef.java 
@@ -0,0 +1,192 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.common; + +/** + * This interface defines all the operation scope + * used in the administration protocol between the + * console and the server. + * + * @version $Revision$, $Date$ + */ +public interface ScopeDef { + + // users and groups + public final static String SC_GROUPS = "groups"; + public final static String SC_USERS = "users"; + public final static String SC_USER_CERTS = "certs"; + + public final static String SC_SNMP = "snmp"; + public final static String SC_SMTP = "smtp"; + public final static String SC_SUBSYSTEM = "subsystem"; + public final static String SC_ENCRYPTION = "encryption"; + public final static String SC_GATEWAY = "gateway"; + public final static String SC_ADMIN = "admin"; + public final static String SC_NETWORK = "network"; + + // profile + public final static String SC_PROFILE_IMPLS = "profile"; + public final static String SC_PROFILE_RULES = "rules"; + public final static String SC_PROFILE_DEFAULT_POLICY = "defaultPolicy"; + public final static String SC_PROFILE_CONSTRAINT_POLICY = "constraintPolicy"; + public final static String SC_PROFILE_POLICIES = "policies"; + public final static String 
SC_PROFILE_POLICY_CONFIG = "config"; + public final static String SC_PROFILE_INPUT = "profileInput"; + public final static String SC_PROFILE_INPUT_CONFIG = "profileInputConfig"; + public final static String SC_PROFILE_OUTPUT = "profileOutput"; + public final static String SC_PROFILE_OUTPUT_CONFIG = "profileOutputConfig"; + + // policy management + public final static String SC_POLICY_RULES = "rules"; + public final static String SC_POLICY_IMPLS = "impls"; + public final static String SC_POLICY_CRLDPS = "crldps"; + + // publisher management + public final static String SC_PUBLISHER_RULES = "publisherRules"; + public final static String SC_PUBLISHER_IMPLS = "publisherImpls"; + public final static String SC_MAPPER_RULES = "mapperRules"; + public final static String SC_MAPPER_IMPLS = "mapperImpls"; + public final static String SC_RULE_RULES = "ruleRules"; + public final static String SC_RULE_IMPLS = "ruleImpls"; + + // self tests + public final static String SC_SELFTESTS = "selftests"; + + // log config + public final static String SC_AUDITLOG = "transactionsLog"; + public final static String SC_NTAUDITLOG = "ntTransactionsLog"; + public final static String SC_ERRORLOG = "errorLog"; + public final static String SC_SYSTEMLOG = "systemLog"; + public final static String SC_NTSYSTEMLOG = "ntSystemLog"; + public final static String SC_LOG_ARCH = "logArch"; + public final static String SC_LOG_RULES = "logRule"; + public final static String SC_LOG_IMPLS = "logImpls"; + + // log contents + public final static String SC_LOG_INSTANCES = "log_instances"; + public final static String SC_LOG_CONTENT = "log_content"; + public final static String SC_AUDITLOG_CONTENT = "transactionsLog_content"; + public final static String SC_ERRORLOG_CONTENT = "errorLog_content"; + public final static String SC_SYSTEMLOG_CONTENT = "systemLog_content"; + + //LDAP publishing + public final static String SC_LDAP = "ldap"; + public final static String SC_CRL = "crl"; + public final static String 
SC_USERCERT = "userCert"; + public final static String SC_CACERT = "caCert"; + public final static String SC_CAMAPPER = "caMapper"; + public final static String SC_CAPUBLISHER = "caPublisher"; + public final static String SC_USERMAPPER = "userMapper"; + public final static String SC_USERPUBLISHER = "userPublisher"; + + // CRL issuing points + public final static String SC_CRLIPS = "crlIPs"; + + // CRL extensions + public final static String SC_CRLEXTS_RULES = "crlExtsRules"; + + public final static String SC_OCSPSTORES_RULES = "ocspStoresRules"; + public final static String SC_OCSPSTORE_DEFAULT = "ocspStoreDef"; + + // KRA + public final static String SC_AUTO_RECOVERY = "autoRecovery"; + public final static String SC_RECOVERY = "recovery"; + public final static String SC_AGENT_PWD = "agentPwd"; + public final static String SC_MNSCHEME = "mnScheme"; + + //stat + public final static String SC_STAT = "stat"; + + // RA + public final static String SC_GENERAL = "general"; + public final static String SC_CLM = "clm"; + public final static String SC_PKIGW = "pkigw"; + public final static String SC_SERVLET = "servlet"; + public final static String SC_CONNECTOR = "connector"; + + //tasks + public final static String SC_TASKS = "tasks"; + + //authentication + public final static String SC_AUTH = "auths"; + public final static String SC_AUTHTYPE = "authType"; + public final static String SC_AUTH_IMPLS = "impl"; + public final static String SC_AUTH_MGR_INSTANCE = "instance"; + + //jobs scheduler + public final static String SC_JOBS = "jobScheduler"; + public final static String SC_JOBS_IMPLS = "impl"; + public final static String SC_JOBS_INSTANCE = "job"; + public final static String SC_JOBS_RULES = "rules"; + + //notification + public final static String SC_NOTIFICATION_REQ_COMP = "notificationREQC"; + public final static String SC_NOTIFICATION_REV_COMP = "notificationREVC"; + public final static String SC_NOTIFICATION_RIQ = "notificationRIQ"; + + // acl + public final static 
String SC_ACL_IMPLS = "impl"; + public final static String SC_ACL = "acls"; + public final static String SC_EVALUATOR_TYPES = "evaluatorTypes"; + + // token + public final static String SC_TOKEN = "token"; + + // keycert + public final static String SC_CA_SIGNINGCERT = "caSigningCert"; + public final static String SC_RA_SIGNINGCERT = "raSigningCert"; + public final static String SC_KRA_TRANSPORTCERT = "kraTransportCert"; + public final static String SC_SERVER_CERT = "serverCert"; + public final static String SC_SERVER_CERTCHAIN = "serverCertChain"; + public final static String SC_TRUSTED_CACERT = "trustedCACert"; + public final static String SC_TRUSTED_CERT = "trustedCert"; + public final static String SC_SUBJECT_NAME = "subjectName"; + public final static String SC_CERTINFO = "certInfo"; + public final static String SC_CERT_REQUEST = "certRequest"; + public final static String SC_ISSUE_IMPORT_CERT = "issueImportCert"; + public final static String SC_INSTALL_CERT = "installCert"; + public final static String SC_IMPORT_CROSS_CERT = "importXCert"; + public final static String SC_CA_CERTLIST = "caCertList"; + public final static String SC_ALL_CERTLIST = "allCertList"; + public final static String SC_DELETE_CERTS = "deleteCert"; + public final static String SC_CERT_PRETTY_PRINT = "certPrint"; + public final static String SC_TRUST = "trust"; + + // Key Pair + public final static String SC_KEY_LENGTH = "keyLength"; + public final static String SC_KEY_CURVENAME = "keyCurveName"; + public final static String SC_CERTIFICATE_EXTENSION = "certificateExt"; + public final static String SC_TOKEN_STATUS = "tokenStatus"; + public final static String SC_TOKEN_LOGON = "tokenLogon"; + + public final static String SC_EXTENDED_PLUGIN_INFO = "extendedPluginInfo"; + + public final static String SC_USER_TYPE = "userType"; + public final static String SC_PLATFORM = "platform"; + + public final static String SC_GET_NICKNAMES = "getNicknames"; + + // Profile + public final static String 
SC_SUPPORTED_CONSTRAINTPOLICIES = "supportedConstraintPolicies"; + + // Manage certificate admin + public final static String SC_USERCERTSLIST = "userCertsList"; + public final static String SC_TKSKEYSLIST = "tksKeysList"; + public final static String SC_ROOTCERTSLIST = "rootCertsList"; + public final static String SC_ROOTCERT_TRUSTBIT = "rootTrustBit"; +} diff --git a/base/common/src/com/netscape/certsrv/common/TaskId.java b/base/common/src/com/netscape/certsrv/common/TaskId.java new file mode 100644 index 000000000..01a97b2a1 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/common/TaskId.java 
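Review bot: Several scope constants share a value — `SC_PROFILE_RULES`, `SC_POLICY_RULES` and `SC_JOBS_RULES` are all `"rules"`, and `SC_AUTH_IMPLS`, `SC_JOBS_IMPLS` and `SC_ACL_IMPLS` are all `"impl"` — so a scope string identifies an operation only together with its destination. The interface Javadoc should say so, e.g. `* Scope values are unique only within a destination (see DestDef); an access check must key on destination and scope together.`, because any ACL or dispatch that looked at the scope alone would conflate profile, policy and job management. I cannot see from this hunk how the server-side handlers consume these values, so this is a documentation point rather than a reported defect.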
@@ -0,0 +1,129 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.common; + +/** + * This interface defines all the tasks used in + * the configuration protocol between the + * configuration wizard and the configuration + * daemon. 
+ * + * @version $Revision$, $Date$ + */ +public interface TaskId { + + // list out all the previously performed tasks + public final static String TASK_LIST_PREVIOUS_STAGES = "listPreviousStages"; + + // retrieve all information in the previously performed tasks + public final static String TASK_GET_DEFAULT_INFO = "getStagesInfo"; + + // retrieve all information to setup the wizardInfo + public final static String TASK_SETUP_WIZARDINFO = "setupWizardInfo"; + + // services to be installed: ca, kra, ra + public final static String TASK_INSTALL_SUBSYSTEMS = "installSubsystems"; + + // create the internal database + public final static String TASK_CREATE_INTERNALDB = "createInternalDB"; + + // configure network ports + public final static String TASK_CONFIGURE_NETWORK = "configureNetwork"; + + // setup certificate administrator + public final static String TASK_SETUP_ADMINISTRATOR = "setupAdmin"; + + // select subsystems + public final static String TASK_SELECT_SUBSYSTEMS = "selectSubsystems"; + + // data migration + public final static String TASK_MIGRATION = "migration"; + + // create certificate + public final static String TASK_CREATE_CERT = "createCert"; + + // kra storage key + public final static String TASK_STORAGE_KEY = "storageKey"; + + // kra agents + public final static String TASK_AGENTS = "agents"; + + // get information about all cryptotokens + public final static String TASK_TOKEN_INFO = "tokenInfo"; + + // server get master or clone setting + public final static String TASK_MASTER_OR_CLONE = "SetMasterOrClone"; + // single signon + public final static String TASK_SINGLE_SIGNON = "singleSignon"; + + // init token + public final static String TASK_INIT_TOKEN = "initToken"; + + // certificate request + public final static String TASK_CERT_REQUEST = "certRequest"; + + // certificate request submited successfully + public final static String TASK_REQUEST_SUCCESS = "reqSuccess"; + + // certificate content + public final static String TASK_GET_CERT_CONTENT = 
"certContent"; + + public final static String TASK_IMPORT_CERT_CHAIN = "importCertChain"; + + // install certificate + public final static String TASK_INSTALL_CERT = "installCert"; + + public final static String TASK_CHECK_DN = "checkDN"; + + // miscellaneous things + public final static String TASK_MISCELLANEOUS = "doMiscStuffs"; + + // validate directory manager password + public final static String TASK_VALIDATE_DSPASSWD = "validateDSPassword"; + + // set CA starting serial number + public final static String TASK_SET_CA_SERIAL = "setCASerial"; + + // set CA starting serial number + public final static String TASK_SET_KRA_NUMBER = "setKRANumber"; + + // check key length + public final static String TASK_CHECK_KEYLENGTH = "checkKeyLength"; + + // check certificate extension + public final static String TASK_CHECK_EXTENSION = "checkExtension"; + + // check validity period: make sure the notAfterDate of the certificate + // will not go beyond the notAfterDate of the CA cert which signs the certificate. + public final static String TASK_VALIDITY_PERIOD = "checkValidityPeriod"; + + public final static String TASK_CLONING = "taskCloning"; + public final static String TASK_CLONE_MASTER = "taskCloneMaster"; + + // daemon exit + public final static String TASK_EXIT = "exit"; + + public final static String TASK_ADD_OCSP_SERVICE = "addOCSPService"; + + public final static String TASK_CONFIG_WEB_SERVER = "configWebServer"; + + public final static String TASK_CREATE_REPLICATION_AGREEMENT = "createReplAgreement"; + public final static String TASK_LOGON_ALL_TOKENS = "logonAllTokens"; + public final static String TASK_UPDATE_DB_INFO = "updateDBInfo"; + public final static String TASK_ADD_DBSCHEMA_INDEXES = "addDBSchemaIndexes"; +} diff --git a/base/common/src/com/netscape/certsrv/connector/IConnector.java b/base/common/src/com/netscape/certsrv/connector/IConnector.java new file mode 100644 index 000000000..202fb0794 --- /dev/null 
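Review bot: The comment above `TASK_SET_KRA_NUMBER` reads `// set CA starting serial number`, a copy of the comment above `TASK_SET_CA_SERIAL`; it cannot describe a KRA task. I cannot tell from the hunk which KRA counter the task sets, so keep the replacement conservative, e.g. `// set KRA starting number`, and let whoever knows the value refine it. While here, `TASK_VALIDATE_DSPASSWD` is the only task in the list that carries a credential; a short note that its handler receives the Directory Manager password would help reviewers of the daemon side find the code path that must not log it.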
+++ b/base/common/src/com/netscape/certsrv/connector/IConnector.java @@ -0,0 +1,61 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.connector; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.request.IRequest; + +/** + * This interface represents a connector that forwards + * CMS requests to a remote authority. + * + * To register a connector, one can add the following + * to the CMS.cfg: + * + *

+ * 
+ *  Example for KRA type connector.
+ * ca.connector.KRA.enable=true
+ * ca.connector.KRA.host=thehost.netscape.com        #Remote host.
+ * ca.connector.KRA.port=1974                        #Remote host port.
+ * ca.connector.KRA.nickName="cert-kra"              #Nickname of connector for identity purposes.
+ * ca.connector.KRA.uri="/kra/connector"             #Uri of the KRA server.
+ * ca.connector.KRA.id="kra"
+ * ca.connector.KRA.minHttpConns=1                   #Min connection pool connections. 
+ * ca.connector.KRA.maxHttpConns=10                  #Max connection pool connections.
+ * 
+ * + * @version $Revision$, $Date$ + */ +public interface IConnector { + + /** + * Sends the request to a remote authority. + * + * @param req Request to be forwarded to remote authority. + * @return true for success, otherwise false. + * @exception EBaseException Failure to send request to remote authority. + */ + public boolean send(IRequest req) + throws EBaseException; + + /** + * Starts this connector. + */ + public void start(); +} diff --git a/base/common/src/com/netscape/certsrv/connector/IHttpConnFactory.java b/base/common/src/com/netscape/certsrv/connector/IHttpConnFactory.java new file mode 100644 index 000000000..27a94a57f --- /dev/null +++ b/base/common/src/com/netscape/certsrv/connector/IHttpConnFactory.java 
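Review bot: `send` is documented as returning `true for success, otherwise false` and also as throwing `EBaseException` on `Failure to send request`, so a caller cannot tell which failures come back as false and which surface as an exception; state the split in the two tags (for instance which outcomes are reported as false and which throw), adjusted to what the implementations actually do. In the configuration example the values of `nickName` and `uri` are quoted while `host`, `port` and `id` are not; if the CS.cfg reader does not strip quotes, a copied example yields a nickname containing literal `"` characters, so the example should use a single convention. The example also does not say what `nickName` identifies — if it is the client certificate this CA presents to the remote authority, the comment should say so, since it is the identity the remote side trusts.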
@@ -0,0 +1,51 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.connector; + +import com.netscape.certsrv.base.EBaseException; + +/** + * Maintains a pool of connections to to a Remote Authority. + * Utilized by the IHttpConnector interface. + * Multiple threads use this interface to utilize and release + * the Ldap connection resources. This factory will maintain a + * list of Http type connections to the remote host. + * + * @version $Revision$, $Date$ + */ +public interface IHttpConnFactory { + + /** + * Request access to a Ldap connection from the pool. + * + * @exception EBaseException if any error occurs, such as a + * @return Ldap connection object. + * connection is not available + */ + public IHttpConnection getConn() + throws EBaseException; + + /** + * Return connection to the factory. mandatory after a getConn(). + * + * @param conn Ldap connection object to be returned to the free list of the pool. + * @exception EBaseException On any failure to return the connection. + */ + public void returnConn(IHttpConnection conn) + throws EBaseException; +} 
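Review bot: The Javadoc of `getConn` and `returnConn` describes `Ldap connection` objects although the factory hands out `IHttpConnection`s, and the `@exception`/`@return` tags of `getConn` are interleaved so the sentence "if any error occurs, such as a connection is not available" is split across two tags. Suggested tags: `@return an IHttpConnection taken from the pool` and `@exception EBaseException if no connection is available or the pool cannot supply one`. Since `returnConn` is described as mandatory after `getConn`, add that callers should return the connection in a `finally` block; a connection leaked on an exception path shrinks the pool for every later request to the remote authority.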
diff --git a/base/common/src/com/netscape/certsrv/connector/IHttpConnection.java b/base/common/src/com/netscape/certsrv/connector/IHttpConnection.java new file mode 100644 index 000000000..d1652dc90 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/connector/IHttpConnection.java @@ -0,0 +1,41 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.connector; + +import com.netscape.certsrv.base.EBaseException; + +/** + * This represents a HTTP connection to a remote authority. + * Http connection is used by the connector to send + * PKI messages to a remote authority. The remote authority + * will reply with a PKI message as well. An example would + * be the communication between a CA and a KRA. + * + * @version $Revision$, $Date$ + */ +public interface IHttpConnection { + + /** + * Sends the PKI message to the remote authority. + * + * @param tomsg Message to forward to authority. + * @exception EBaseException Failed to send message. + */ + public IPKIMessage send(IPKIMessage tomsg) + throws EBaseException; +} 
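Review bot: `send` returns an `IPKIMessage` but its Javadoc has no `@return` tag, so a caller cannot tell what the reply represents or whether it may be null; add `@return the reply message from the remote authority` and state the null contract if one exists. The class comment says the remote authority "will reply with a PKI message as well", which reads as an assumption rather than a guarantee; if an implementation can return null on an empty or malformed reply, document it here, since callers will dereference the result.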
diff --git a/base/common/src/com/netscape/certsrv/connector/IHttpPKIMessage.java b/base/common/src/com/netscape/certsrv/connector/IHttpPKIMessage.java new file mode 100644 index 000000000..efa49126e --- /dev/null +++ b/base/common/src/com/netscape/certsrv/connector/IHttpPKIMessage.java 
@@ -0,0 +1,58 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.connector; + +import com.netscape.certsrv.request.IRequest; + +/** + * This represents a Http PKI message. It contains + * simple name/value pair values. Also maintains information + * about the status and type of the message. + * + * @version $Revision$, $Date$ + */ +public interface IHttpPKIMessage extends IPKIMessage { + + /** + * Retrieves the request type. + * + * @return String with the type of request. + */ + public String getReqType(); + + /** + * Retrieves the request identifier. + * + * @return String of name of request. + */ + public String getReqId(); + + /** + * Copies contents of request to make a simple name/value message. + * + * @param r Instance of IRequest to be copied from. + */ + public void fromRequest(IRequest r); + + /** + * Copies contents to request. + * + * @param r Instance of IRequest to be copied to. + */ + public void toRequest(IRequest r); +} diff --git a/base/common/src/com/netscape/certsrv/connector/IPKIMessage.java b/base/common/src/com/netscape/certsrv/connector/IPKIMessage.java new file mode 100644 index 000000000..787dd8385 --- /dev/null 
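Review bot: `fromRequest` is documented only as "Copies contents of request to make a simple name/value message", without saying which request attributes are copied; because this message is what travels to the remote authority, the Javadoc should state the selection rule (all attributes, or a named subset) so a reader can tell what leaves the local subsystem. `getReqType` and `getReqId` are also redeclared here although `IHttpPKIMessage extends IPKIMessage` already declares both; dropping the duplicates, or keeping them with `{@inheritDoc}`, avoids two Javadoc texts for one method.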
+++ b/base/common/src/com/netscape/certsrv/connector/IPKIMessage.java @@ -0,0 +1,71 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.connector; + +import java.io.Serializable; + +import com.netscape.certsrv.request.IRequest; + +/** + * Messages that are serialized and go over the wire. + * It must be serializable, and + * later will be inherited by CRMF message. + * + * @version $Revision$, $Date$ + */ +public interface IPKIMessage extends Serializable { + + /** + * + * Returns status of request. + * + * @return String of request status. + */ + public String getReqStatus(); + + /** + * Retrieves the request type. + * + * @return String of type of request. + */ + public String getReqType(); + + /** + * Retrieves the request identifer. + * + * @return String of name of request. + */ + public String getReqId(); + + /** + * Makes a PKIMessage from a request + * PKIMessage will be sent to wire. + * + * @param r Request to copy from. + */ + public void fromRequest(IRequest r); + + /** + * Copies contents of PKIMessage to the request + * PKIMessage is from the wire. + * + * @param r Request to copy to. + */ + public void toRequest(IRequest r); + +} 
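Review bot: `getReqStatus` is documented only as `String of request status` with no indication of the value set, so a reader of the wire protocol cannot tell what statuses a remote authority may return; name the constants or the class that defines them, or say the set is implementation-defined. Minor: `identifer` in the `getReqId` Javadoc should be `identifier`, and since this interface extends `Serializable` and its instances cross a process boundary, the class Javadoc should remind implementations to declare a `serialVersionUID`.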
diff --git a/base/common/src/com/netscape/certsrv/connector/IRemoteAuthority.java b/base/common/src/com/netscape/certsrv/connector/IRemoteAuthority.java new file mode 100644 index 000000000..50a3aea5f --- /dev/null +++ b/base/common/src/com/netscape/certsrv/connector/IRemoteAuthority.java @@ -0,0 +1,56 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.connector; + +/** + * This represents a remote authority that can be + * a certificate manager, or key recovery manager or + * some other manager. + * + * @version $Revision$, $Date$ + */ +public interface IRemoteAuthority { + + /** + * Retrieves the host name of the remote Authority. + * + * @return String with the name of host of remote Authority. + */ + public String getHost(); + + /** + * Retrieves the port number of the remote Authority. + * + * @return Int with port number of remote Authority. + */ + public int getPort(); + + /** + * Retrieves the URI of the remote Authority. + * + * @return String with URI of remote Authority. + */ + public String getURI(); + + /** + * Retrieves the timeout value for the connection to the remote Authority. + * + * @return In with remote Authority timeout value. + */ + public int getTimeout(); +} 
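Review bot: `getTimeout` is documented as `In with remote Authority timeout value` (typo for Int) and gives no unit, so an implementer cannot tell whether the connector expects seconds or milliseconds; a mismatch turns a 30-second timeout into 30 ms or more than eight hours. Fix the tag to `@return the connection timeout, in <seconds|milliseconds>` once the unit is confirmed against the connector implementation, and say whether 0 means no timeout.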
diff --git a/base/common/src/com/netscape/certsrv/connector/IRequestEncoder.java b/base/common/src/com/netscape/certsrv/connector/IRequestEncoder.java
new file mode 100644
index 000000000..478af4174
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/connector/IRequestEncoder.java
@@ -0,0 +1,49 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.connector;
+
+import java.io.IOException;
+
+/**
+ * This represents a rquest encoder that serializes and
+ * deserializes a request to a Remote Authority so that it can be sent through
+ * the connector.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IRequestEncoder {
+
+ /**
+ * Encodes a request object.
+ *
+ * @param r Object to serve as the source of the message.
+ * @return String containing encoded message.
+ * @exception IOException Failure of the encoding operation due to IO error.
+ */
+ String encode(Object r)
+ throws IOException;
+
+ /**
+ * Dncodes a String into an object.
+ *
+ * @return Object which is the result of the decoded message.
+ * @exception IOException Failure of the decoding operation due to IO error.
+ */
+ Object decode(String s)
+ throws IOException;
+}
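Review bot: `decode(String s)` has no `@param` for `s`, and its summary reads `Dncodes` where `Decodes` is meant; the type Javadoc has `rquest`. More importantly the contract should say that the string handed to `decode` comes from the far side of the connector and is untrusted: an implementation must not pass it to Java native deserialization without restricting resolvable classes, and should report malformed input through the declared `IOException` rather than an unchecked exception. Proposed `@param s the encoded message as received from the peer; treated as untrusted input and rejected with IOException when malformed`.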
diff --git a/base/common/src/com/netscape/certsrv/connector/IResender.java b/base/common/src/com/netscape/certsrv/connector/IResender.java
new file mode 100644
index 000000000..85d3e364c
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/connector/IResender.java
@@ -0,0 +1,39 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.connector;
+
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * Resend requests at intervals to the server to ensure completion of requests.
+ * Default interval is 5 minutes. The need to resend a message could arise
+ * due to an error or the fact that the message could not be serviced
+ * immediately.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IResender extends Runnable {
+
+ /**
+ * Adds the request to the resend queue.
+ *
+ * @param r Request to be placed on the resend queue.
+ */
+ public void addRequest(IRequest r);
+
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/DBResources.java b/base/common/src/com/netscape/certsrv/dbs/DBResources.java
new file mode 100644
index 000000000..a2201b8e6
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/DBResources.java
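Review bot: The type Javadoc states `Default interval is 5 minutes`, but the interface exposes no interval and no way to inspect or change it, so the figure documents one implementation rather than this contract and will go stale silently. Either drop the sentence or mark it as implementation-specific: `The resend interval is implementation-defined (the default implementation resends every 5 minutes).` The inherited `Runnable` contract is also undocumented — a sentence on what `run()` is expected to do (drain the queue, loop until interrupted?) would help; it cannot be inferred from the hunk.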
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs;
+
+import java.util.ListResourceBundle;
+
+/**
+ * A class represents a resource bundle for DBS subsystem.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class DBResources extends ListResourceBundle {
+
+ /**
+ * Returns the content of this resource.
+ */
+ public Object[][] getContents() {
+ return contents;
+ }
+
+ static final Object[][] contents = {};
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/EDBException.java b/base/common/src/com/netscape/certsrv/dbs/EDBException.java
new file mode 100644
index 000000000..77508dca4
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/EDBException.java
@@ -0,0 +1,85 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * A class represents a database exception.
+ *
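Review bot: `getContents()` overrides `ListResourceBundle.getContents()` without `@Override`, and `contents` is package-private, so any class in `com.netscape.certsrv.dbs` can read and, since arrays are mutable, rewrite the bundle's backing array. Suggest `private static final Object[][] contents = {};` and `@Override public Object[][] getContents()`. Returning the array directly is the usual `ListResourceBundle` pattern, so that part is fine.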

+ * + * @version $Revision$, $Date$ + */ +public class EDBException extends EBaseException { + + /** + * + */ + private static final long serialVersionUID = -895521374187351529L; + /** + * Resource class name. + */ + private static final String DB_RESOURCES = DBResources.class.getName(); + + /** + * Constructs a database exception. + *

+ * + * @param msgFormat message format + */ + public EDBException(String msgFormat) { + super(msgFormat); + } + + /** + * Constructs a database exception. + *

+ * + * @param msgFormat message format + * @param param parameter + */ + public EDBException(String msgFormat, String param) { + super(msgFormat, param); + } + + /** + * Constructs a database exception. + *

+ * + * @param msgFormat message format + * @param e exception as parameter + */ + public EDBException(String msgFormat, Exception e) { + super(msgFormat, e); + } + + /** + * Constructs a database exception. + *

+ *
+ * @param msgFormat message format
+ * @param params list of parameters
+ */
+ public EDBException(String msgFormat, Object params[]) {
+ super(msgFormat, params);
+ }
+
+ protected String getBundleName() {
+ return DB_RESOURCES;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/EDBNotAvailException.java b/base/common/src/com/netscape/certsrv/dbs/EDBNotAvailException.java
new file mode 100644
index 000000000..6afb2dcc3
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/EDBNotAvailException.java
@@ -0,0 +1,40 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs;
+
+/**
+ * Indicates internal db is down.
+ *
+ * @version $Revision$, $Date$
+ */
+public class EDBNotAvailException extends EDBException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 8516095366048215233L;
+
+ /**
+ * Constructs a ldap server down exception with host & port info.
+ *
+ * @param errorString Detailed error message.
+ */
+ public EDBNotAvailException(String errorString) {
+ super(errorString);
+ }
+}
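Review bot: `getBundleName()` overrides a superclass method without `@Override`, and the constructor `EDBException(String msgFormat, Object params[])` uses C-style array syntax; prefer `Object[] params` and `@Override protected String getBundleName()`. The Javadoc on `serialVersionUID` is an empty `/** */` block that should be removed or given a sentence. Whether `EDBException(String, Exception)` preserves `e` as the cause depends on `EBaseException`, which is outside this hunk, so the `@param e exception as parameter` line cannot be checked here.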
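Review bot: The constructor Javadoc `Constructs a ldap server down exception with host & port info` does not match the signature, which takes only `errorString`; the same sentence is copied into `EDBRecordNotFoundException` in the next hunk, where the class Javadoc `Indicates internal db is down` is also wrong for a not-found condition. Suggest `Constructs a database-unavailable exception.` here, and in `EDBRecordNotFoundException` `Indicates that the requested record does not exist in the internal database.` for the class and `Constructs a record-not-found exception.` for the constructor. Both serialVersionUID fields carry the same empty `/** */` block noted on `EDBException`.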
diff --git a/base/common/src/com/netscape/certsrv/dbs/EDBRecordNotFoundException.java b/base/common/src/com/netscape/certsrv/dbs/EDBRecordNotFoundException.java
new file mode 100644
index 000000000..dd3880c12
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/EDBRecordNotFoundException.java
@@ -0,0 +1,40 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs;
+
+/**
+ * Indicates internal db is down.
+ *
+ * @version $Revision$, $Date$
+ */
+public class EDBRecordNotFoundException extends EDBException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -3797213848651705426L;
+
+ /**
+ * Constructs a ldap server down exception with host & port info.
+ *
+ * @param errorString Detailed error message.
+ */
+ public EDBRecordNotFoundException(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/IDBAttrMapper.java b/base/common/src/com/netscape/certsrv/dbs/IDBAttrMapper.java
new file mode 100644
index 000000000..27e15bd7d
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/IDBAttrMapper.java
@@ -0,0 +1,80 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs;
+
+import java.util.Enumeration;
+
+import netscape.ldap.LDAPAttributeSet;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * An interface represents an attribute mapper. A mapper
+ * has knowledge on how to convert a db attribute into
+ * zero or more LDAP attribute, and vice versa.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IDBAttrMapper {
+
+ /**
+ * Retrieves a list of LDAP attributes that are used
+ * in the mapper. By having this, the framework can
+ * provide search on selective attributes.
+ *
+ * @return a list of supported attribute names
+ */
+ public Enumeration getSupportedLDAPAttributeNames();
+
+ /**
+ * Maps object attribute into LDAP attributes.
+ *
+ * @param parent parent object where the object comes from
+ * @param name name of db attribute
+ * @param obj object itself
+ * @param attrs LDAP attribute set where the result should be stored
+ * @exception EBaseException failed to map object
+ */
+ public void mapObjectToLDAPAttributeSet(IDBObj parent,
+ String name, Object obj, LDAPAttributeSet attrs)
+ throws EBaseException;
+
+ /**
+ * Maps LDAP attributes into object, and puts the object
+ * into 'parent'.
+ *
+ * @param attrs LDAP attribute set
+ * @param name name of db attribute to be processed
+ * @param parent parent object where the object should be added
+ * @exception EBaseException failed to map object
+ */
+ public void mapLDAPAttributeSetToObject(LDAPAttributeSet attrs,
+ String name, IDBObj parent) throws EBaseException;
+
+ /**
+ * Maps search filters into LDAP search filter.
+ *
+ * @param name name of db attribute
+ * @param op filte operation (i.e. "=", ">=")
+ * @param value attribute value
+ * @exception EBaseException failed to map filter
+ */
+ public String mapSearchFilter(String name, String op,
+ String value) throws EBaseException;
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/IDBDynAttrMapper.java b/base/common/src/com/netscape/certsrv/dbs/IDBDynAttrMapper.java
new file mode 100644
index 000000000..5684dd4d7
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/IDBDynAttrMapper.java
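Review bot: `mapSearchFilter(String name, String op, String value)` is where a caller-supplied `value` becomes part of an LDAP search filter, and the Javadoc does not say who is responsible for escaping the filter metacharacters (`*`, `(`, `)`, `\`, NUL) in `value`; left ambiguous, each implementation will decide differently and the one that omits escaping creates an LDAP filter-injection path. Suggest `@param value raw attribute value; the mapper must escape it as a filter assertion value (RFC 4515) before embedding it` and `@return LDAP search filter fragment`, which is missing, plus `filte` → `filter`. The interface also uses the raw `Enumeration` type in `getSupportedLDAPAttributeNames()`, as do `IDBObj.getSerializableAttrNames()` and `IDBSearchResults` later in this series; since `IDBVirtualList` in the same series is already generic (`E`), `Enumeration<String>` would be consistent.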
@@ -0,0 +1,22 @@
+package com.netscape.certsrv.dbs;
+
+/**
+ * An interface representing a dynamic attribute mapper.
+ * A dynamic mapper has knowledge on how to convert a set of dynamically
+ * assigned db attribute into zero or more dynamically assigned LDAP
+ * attributes, and vice versa.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IDBDynAttrMapper extends IDBAttrMapper {
+
+ /**
+ * Returns true if the LDAP attribute can be mapped by this
+ * dynamic mapper.
+ *
+ * @param attrName LDAP attribute name to check
+ * @return a list of supported attribute names
+ */
+ public boolean supportsLDAPAttributeName(String attrName);
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/IDBObj.java b/base/common/src/com/netscape/certsrv/dbs/IDBObj.java
new file mode 100644
index 000000000..5c634beeb
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/IDBObj.java
@@ -0,0 +1,41 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs;
+
+import java.util.Enumeration;
+
+import com.netscape.certsrv.base.IAttrSet;
+
+/**
+ * An interface represents a database object
+ * that is serializable.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IDBObj extends IAttrSet {
+
+ /**
+ * Returns a list of serializable attribute
+ * names. This method should return the
+ * attribute name even if there is no attribute
+ * value for the attribute.
+ *
+ * @return a list of serializable attribute names
+ */
+ public Enumeration getSerializableAttrNames();
+}
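Review bot: `supportsLDAPAttributeName` returns `boolean` but its Javadoc says `@return a list of supported attribute names`, copied from `IDBAttrMapper.getSupportedLDAPAttributeNames`. Suggest `@return true if this mapper can map the named LDAP attribute`. This file is also the only one in the visible series without the copyright header block, presumably an oversight in the move.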
diff --git a/base/common/src/com/netscape/certsrv/dbs/IDBRegistry.java b/base/common/src/com/netscape/certsrv/dbs/IDBRegistry.java
new file mode 100644
index 000000000..241f3af9f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/IDBRegistry.java
@@ -0,0 +1,171 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.dbs; + +import netscape.ldap.LDAPAttributeSet; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.ISubsystem; + +/** + * A class represents a registry where all the + * schema (object classes and attribute) information + * is stored. + * + * Attribute mappers can be registered with this + * registry. + * + * Given the schema information stored, this registry + * has knowledge to convert a Java object into a + * LDAPAttributeSet or vice versa. + * + * @version $Revision$, $Date$ + */ +public interface IDBRegistry extends ISubsystem { + + /** + * Registers object class. + * + * @param className java class to create for the object classes + * @param ldapNames a list of LDAP object classes + * @exception EDBException failed to register + */ + public void registerObjectClass(String className, String ldapNames[]) + throws EDBException; + + /** + * See if an object class is registered. + * + * @param className java class to create + * @return true if object class is registered already + */ + public boolean isObjectClassRegistered(String className); + + /** + * Registers attribute mapper. 
+ * + * @param ufName LDAP attribute name + * @param mapper mapper to invoke for the attribute + * @exception EDBException failed to register + */ + public void registerAttribute(String ufName, IDBAttrMapper mapper) + throws EDBException; + + /** + * See if an attribute is registered. + * + * @param ufName attribute name + * @return true if attribute is registered already + */ + public boolean isAttributeRegistered(String ufName); + + /** + * Registers a dynamic attribute mapper. + * + * @param mapper The dynamic mapper to register + */ + public void registerDynamicMapper(IDBDynAttrMapper mapper); + + /** + * Creates LDAP-based search filters with help of + * registered mappers. + * Parses filter from filter string specified in RFC1558. + * + *

+     *  ::= '('  ')'
+     *  ::=  |  |  | 
+     *  ::= '&' 
+     *  ::= '|' 
+     *  ::= '!' 
+     *  ::=  |  
+     *  ::=  |  | 
+     *  ::=   
+     *  ::=  |  |  | 
+     *  ::= '='
+     *  ::= '~='
+     *  ::= '>='
+     *  ::= '<='
+     *  ::=  '=*'
+     *  ::=  '='   
+     *  ::= NULL | 
+     *  ::= '*' 
+     *  ::= NULL |  '*' 
+     *  ::= NULL | 
+     * 
+ * + * @param filter CMS-based filter + * @return LDAP-based filter string + * @exception EBaseException failed to convert filter + */ + public String getFilter(String filter) throws EBaseException; + + /** + * Creates LDAP-based search filters with help of + * registered mappers. + * + * @param filter CMS-based filter + * @param c filter converter + * @return LDAP-based filter string + * @exception EBaseException failed to convert filter + */ + public String getFilter(String filter, IFilterConverter c) + throws EBaseException; + + /** + * Maps object into LDAP attribute set. + * + * @param parent object's parent + * @param name name of the object + * @param obj object to be mapped + * @param attrs LDAP attribute set + * @exception EBaseException failed to map object + */ + public void mapObject(IDBObj parent, String name, Object obj, + LDAPAttributeSet attrs) throws EBaseException; + + /** + * Retrieves a list of LDAP attributes that are associated + * with the given attributes. + * + * @param attrs attributes + * @return LDAP-based attributes + * @exception EBaseException failed to map attributes + */ + public String[] getLDAPAttributes(String attrs[]) + throws EBaseException; + + /** + * Creates attribute set from object. + * + * @param obj database object + * @return LDAP attribute set + * @exception EBaseException failed to create set + */ + public LDAPAttributeSet createLDAPAttributeSet(IDBObj obj) + throws EBaseException; + + /** + * Creates object from attribute set. + * + * @param attrs LDAP attribute set + * @return database object + * @exception EBaseException failed to create object + */ + public IDBObj createObject(LDAPAttributeSet attrs) + throws EBaseException; +} diff --git a/base/common/src/com/netscape/certsrv/dbs/IDBSSession.java b/base/common/src/com/netscape/certsrv/dbs/IDBSSession.java new file mode 100644 index 000000000..c186d1145 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/dbs/IDBSSession.java 
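Review bot: The BNF in `getFilter(String)`'s Javadoc has lost every nonterminal — the lines read `::= '(' ')'` — which is what happens when names such as `<filter>` and `<filtercomp>` are written as bare angle brackets inside a `<pre>` block and Javadoc treats them as HTML tags; if the source already escapes them and only this page's rendering stripped them, this point does not apply. Wrap the grammar in `{@code ...}` or escape as `&lt;filter&gt;` so the RFC 1558 productions survive rendering; as shown, the documentation of the one place CMS filters are translated into LDAP filters is unreadable. It is also worth stating at `getFilter` that attribute values inside the CMS filter are handed to the registered `IDBAttrMapper.mapSearchFilter`, which is where escaping must happen, so readers do not assume `getFilter` sanitizes them — I cannot confirm from the hunk whether it does.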
@@ -0,0 +1,213 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.dbs; + +import netscape.ldap.LDAPSearchResults; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.ISubsystem; + +/** + * An interface represents the database session. Operations + * can be performed with a session. + * + * Transaction and Caching support can be integrated + * into session. + * + * @version $Revision$, $Date$ + */ +public interface IDBSSession { + + /** + * Returns database subsystem. + * + * @return subsystem + */ + public ISubsystem getDBSubsystem(); + + /** + * Closes this session. + * + * @exception EDBException failed to close session + */ + public void close() throws EDBException; + + /** + * Adds object to backend database. For example, + * + *
+     * session.add("cn=123459,o=certificate repository,o=airius.com",
+     *             certRec);
+     * 
+ * + * @param name name of the object + * @param obj object to be added + * @exception EDBException failed to add object + */ + public void add(String name, IDBObj obj) throws EBaseException; + + /** + * Reads an object from the database. + * + * @param name name of the object that is to be read + * @return database object + * @exception EBaseException failed to read object + */ + public IDBObj read(String name) throws EBaseException; + + /** + * Reads an object from the database, and only populates + * the selected attributes. + * + * @param name name of the object that is to be read + * @param attrs selected attributes + * @return database object + * @exception EBaseException failed to read object + */ + public IDBObj read(String name, String attrs[]) + throws EBaseException; + + /** + * Deletes object from database. + * + * @param name name of the object that is to be deleted + * @exception EBaseException failed to delete object + */ + public void delete(String name) throws EBaseException; + + /** + * Modify an object in the database. + * + * @param name name of the object that is to be modified + * @param mods modifications + * @exception EBaseException failed to modify + */ + public void modify(String name, ModificationSet mods) + throws EBaseException; + + /** + * Searchs for a list of objects that match the + * filter. + * + * @param base starting point of the search + * @param filter search filter + * @return search results + * @exception EBaseException failed to search + */ + public IDBSearchResults search(String base, String filter) + throws EBaseException; + + /** + * Searchs for a list of objects that match the + * filter. 
+ * + * @param base starting point of the search + * @param filter search filter + * @param maxSize max number of entries + * @return search results + * @exception EBaseException failed to search + */ + public IDBSearchResults search(String base, String filter, int maxSize) + throws EBaseException; + + /** + * Searchs for a list of objects that match the + * filter. + * + * @param base starting point of the search + * @param filter search filter + * @param maxSize max number of entries + * @param timeLimit timeout limit + * @return search results + * @exception EBaseException failed to search + */ + public IDBSearchResults search(String base, String filter, int maxSize, + int timeLimit) throws EBaseException; + + /** + * Retrieves a list of object that satifies the given + * filter. + * + * @param base starting point of the search + * @param filter search filter + * @param attrs selected attributes + * @return search results + * @exception EBaseException failed to search + */ + public IDBSearchResults search(String base, String filter, + String attrs[]) throws EBaseException; + + /** + * Retrieves a list of objects. + * + * @param base starting point of the search + * @param filter search filter + * @param attrs selected attributes + * @return search results in virtual list + * @exception EBaseException failed to search + */ + public IDBVirtualList createVirtualList(String base, String filter, + String attrs[]) throws EBaseException; + + /** + * Sets persistent search to retrieve modified + * certificate records. + * + * @param base starting point of the search + * @param filter search filter + * @param attrs selected attributes + * @return LDAP search results + * @exception EBaseException failed to search + */ + public LDAPSearchResults persistentSearch(String base, String filter, + String attrs[]) throws EBaseException; + + public void abandon(LDAPSearchResults results) throws EBaseException; + + /** + * Retrieves a list of objects. 
+ * + * @param base starting point of the search + * @param filter search filter + * @param attrs selected attributes + * @param sortKey key used to sort the list + * @param pageSize page size in the virtual list + * @return search results in virtual list + * @exception EBaseException failed to search + */ + public IDBVirtualList createVirtualList(String base, String filter, + String attrs[], String sortKey, int pageSize) + throws EBaseException; + + /** + * Retrieves a list of objects. + * + * @param base starting point of the search + * @param filter search filter + * @param attrs selected attributes + * @param startFrom starting point + * @param sortKey key used to sort the list + * @param pageSize page size in the virtual list + * @return search results in virtual list + * @exception EBaseException failed to search + */ + public IDBVirtualList createVirtualList(String base, String filter, + String attrs[], String startFrom, + String sortKey, int pageSize) + throws EBaseException; +} diff --git a/base/common/src/com/netscape/certsrv/dbs/IDBSearchResults.java b/base/common/src/com/netscape/certsrv/dbs/IDBSearchResults.java new file mode 100644 index 000000000..04736cf32 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/dbs/IDBSearchResults.java 
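Review bot: `abandon(LDAPSearchResults results)` is the only method in the interface without Javadoc; suggest `Abandons an outstanding search (presumably one started with persistentSearch(), given the parameter type — confirm), releasing the server-side search.` The `search(String base, String filter)` overload should also say what size and time limits apply when none are given (unbounded, or implementation defaults?): an unlimited search against a large repository is a resource-exhaustion concern for a server-side session, and the caller cannot tell from `@return search results`. Finally, `close()` is declared but the interface does not extend `AutoCloseable`, so sessions cannot be used in try-with-resources; `extends AutoCloseable` would be a compatible addition since `EDBException` narrows `Exception`.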
@@ -0,0 +1,44 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.dbs; + +import java.util.Enumeration; + +/** + * A class represents the search results. A search + * results object contain a enumeration of + * Java objects that are just read from the database. + * + * @version $Revision$, $Date$ + */ +public interface IDBSearchResults extends Enumeration { + + /** + * Checks if any element is available. + * + * @return true if there is more elements + */ + public boolean hasMoreElements(); + + /** + * Retrieves next element. + * + * @return next element + */ + public Object nextElement(); +} diff --git a/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java b/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java new file mode 100644 index 000000000..fec6e6afa --- /dev/null +++ b/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java 
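Review bot: The interface redeclares `hasMoreElements()` and `nextElement()` exactly as `Enumeration` already declares them, so the redeclarations add only Javadoc, and it extends the raw `Enumeration` type, so every caller receives `Object` and must cast. `public interface IDBSearchResults extends Enumeration<IDBObj>` (or `<Object>` if non-`IDBObj` elements are possible — the type Javadoc only says "Java objects") would make the element type explicit; `IDBVirtualList` in this series is already generic. `@return true if there is more elements` should read `true if more elements are available`.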
@@ -0,0 +1,212 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.dbs; + +import java.math.BigInteger; + +import netscape.ldap.LDAPConnection; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.ISubsystem; + +/** + * An interface represents certificate server + * backend database. + *

+ * This interface separate the database subsystem functionalities from internal implementation.
+ *

+ * + * @version $Revision$, $Date$ + */ +public interface IDBSubsystem extends ISubsystem { + + public static final String SUB_ID = "dbs"; + + // values for repos + public static final int CERTS = 0; + public static final int REQUESTS = 1; + public static final int REPLICA_ID = 2; + public static final int NUM_REPOS = 3; + + /** + * Retrieves the base DN. + * + * @return base DN of the subsystem + */ + public String getBaseDN(); + + /** + * Retrieves the registry. + * + * @return registry + */ + public IDBRegistry getRegistry(); + + /** + * Creates a database session. + * + * @return database session + * @exception EDBException failed to create session + */ + public IDBSSession createSession() throws EDBException; + + /** + * Avoids losing serial number. + * + * @return true if serial number recovery option is enabled + */ + public boolean enableSerialNumberRecovery(); + + /** + * Records next serial number in config file + * + * @param serial next serial number + * @exception EBaseException failed to set + */ + public void setNextSerialConfig(BigInteger serial) throws EBaseException; + + /** + * Gets the next serial number in config file + * + * @return next serial number + */ + public BigInteger getNextSerialConfig(); + + /** + * Records maximum serial number limit in config file + * + * @param serial max serial number + * @param repo repo identifier + * @exception EBaseException failed to set + */ + public void setMaxSerialConfig(int repo, String serial) throws EBaseException; + + /** + * Records minimum serial number limit in config file + * + * @param serial min serial number + * @param repo repo identifier + * @exception EBaseException failed to set + */ + public void setMinSerialConfig(int repo, String serial) throws EBaseException; + + /** + * Records maximum serial number limit for the next range in config file + * + * @param serial max serial number + * @param repo repo identifier + * @exception EBaseException failed to set + */ + public void 
setNextMaxSerialConfig(int repo, String serial) throws EBaseException; + + /** + * Records minimum serial number limit for the next range in config file + * + * @param serial min serial number + * @param repo repo identifier + * @exception EBaseException failed to set + */ + public void setNextMinSerialConfig(int repo, String serial) throws EBaseException; + + /** + * Gets minimum serial number limit in config file + * + * @param repo repo identifier + * @return min serial number + */ + public String getMinSerialConfig(int repo); + + /** + * Gets the maximum serial number limit in config file + * + * @param repo repo identifier + * @return max serial number + */ + public String getMaxSerialConfig(int repo); + + /** + * Gets the maximum serial number limit for next range in config file + * + * @param repo repo identifier + * @return max serial number + */ + public String getNextMaxSerialConfig(int repo); + + /** + * Gets minimum serial number limit for next range in config file + * + * @param repo repo identifier + * @return min serial number + */ + public String getNextMinSerialConfig(int repo); + + /** + * Gets low water mark limit in config file + * + * @param repo repo identifier + * @return low water mark + */ + public String getLowWaterMarkConfig(int repo); + + /** + * Gets range increment limit for next range in config file + * + * @param repo repo identifier + * @return range increment + */ + public String getIncrementConfig(int repo); + + /** + * Gets number corresponding to start of next range from database + * + * @param repo repo identifier + * @return start of next range + */ + public String getNextRange(int repo); + + /** + * Determines if a range conflict has been observed in database + * + * @param repo repo identifier + * @return true if range conflict, false otherwise + */ + public boolean hasRangeConflict(int repo); + + /** + * Determines if serial number management has been enabled + * + * @return true if enabled, false otherwise + */ + public 
boolean getEnableSerialMgmt(); + + /** + * Sets whether serial number management is enabled for certs + * and requests. + * + * @param value true/false + * @exception EBaseException failed to set + */ + public void setEnableSerialMgmt(boolean value) throws EBaseException; + + /** + * Returns LDAP connection to connection pool. + * + * @param conn connection to be returned + */ + public void returnConn(LDAPConnection conn); +} diff --git a/base/common/src/com/netscape/certsrv/dbs/IDBVirtualList.java b/base/common/src/com/netscape/certsrv/dbs/IDBVirtualList.java new file mode 100644 index 000000000..919a82efb --- /dev/null +++ b/base/common/src/com/netscape/certsrv/dbs/IDBVirtualList.java 
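Review bot: The repository selector is an `int` (`CERTS`, `REQUESTS`, `REPLICA_ID`, `NUM_REPOS`) threaded through a dozen `(int repo, ...)` methods, so a call such as `setMaxSerialConfig(5, ...)` compiles and whether it fails depends on the implementation; an enum would reject it at compile time, though changing the type is beyond a move commit, so at least document `@param repo one of CERTS, REQUESTS or REPLICA_ID`. Within the Javadoc, every `set*SerialConfig(int repo, String serial)` lists `@param serial` before `@param repo`, the opposite of the signature. `setNextSerialConfig` takes a `BigInteger` while the range setters and getters use `String` without saying what format the string has; a note such as `@param serial serial number as a string — TODO confirm whether decimal or hexadecimal against the implementation` would save the next reader a trip into the implementation. The breaks at `public void` / `setNextMaxSerialConfig` and `public` / `boolean getEnableSerialMgmt()` are page rendering, not code.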
@@ -0,0 +1,144 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * A interface represents a virtual list of search results.
+ * Note that this class must be used with DS4.0.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IDBVirtualList {
+
+ /**
+ * Sets the paging size of this virtual list.
+ * The page size here is just a buffer size. A buffer is kept around
+ * that is three times as large as the number of visible entries.
+ * That way, you can scroll up/down several items(up to a page-full)
+ * without refetching entries from the directory.
+ *
+ * @param size the page size
+ */
+ public void setPageSize(int size);
+
+ /**
+ * Sets the sort key
+ *
+ * @param sortKey the attribute to sort by
+ * @exception EBaseException failed to set
+ */
+ public void setSortKey(String sortKey) throws EBaseException;
+
+ /**
+ * Sets the sort key
+ *
+ * @param sortKeys the attributes to sort by
+ * @exception EBaseException failed to set
+ */
+ public void setSortKey(String[] sortKeys) throws EBaseException;
+
+ /**
+ * Retrieves the size of this virtual list.
+ * Recommend to call getSize() before getElementAt() or getElements()
+ * since you'd better check if the index is out of bound first.
+ *
+ * @return current size in list
+ */
+ public int getSize();
+
+ /**
+ * Returns current index.
+ *
+ * @return current index
+ */
+
+ public int getSizeBeforeJumpTo();
+
+ public int getSizeAfterJumpTo();
+
+ public int getCurrentIndex();
+
+ /**
+ * Get a page starting at "first" (although we may also fetch
+ * some preceding entries)
+ * Recommend to call getSize() before getElementAt() or getElements()
+ * since you'd better check if the index is out of bound first.
+ *
+ * @param first the index of the first entry of the page you want to fetch
+ */
+ public boolean getPage(int first);
+
+ /**
+ * Called by application to scroll the list with initial letters.
+ * Consider text to be an initial substring of the attribute of the
+ * primary sorting key(the first one specified in the sort key array)
+ * of an entry.
+ * If no entries match, the one just before(or after, if none before)
+ * will be returned as mSelectedIndex
+ *
+ * @param text the prefix of the first entry of the page you want to fetch
+ */
+ public boolean getPage(String text);
+
+ /**
+ * Fetchs data of a single list item
+ * Recommend to call getSize() before getElementAt() or getElements()
+ * since you'd better check if the index is out of bound first.
+ * If the index is out of range of the virtual list, an exception
+ * will be thrown and return null
+ *
+ * @param index the index of the element to fetch
+ */
+ public E getElementAt(int index);
+
+ /**
+ * Retrieves and jumps to element in the given position.
+ *
+ * @param i position
+ * @return object
+ */
+ public E getJumpToElementAt(int i);
+
+ /**
+ * Processes elements as soon as it arrives. It is
+ * more memory-efficient.
+ *
+ * @param startidx starting index
+ * @param endidx ending index
+ * @param ep object to call
+ * @exception EBaseException failed to process elements
+ */
+ public void processElements(int startidx, int endidx, IElementProcessor ep)
+ throws EBaseException;
+
+ /**
+ * Gets the virutal selected index
+ *
+ * @return selected index
+ */
+ public int getSelectedIndex();
+
+ /**
+ * Gets the top of the buffer
+ *
+ * @return first index
+ */
+ public int getFirstIndex();
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/IElementProcessor.java b/base/common/src/com/netscape/certsrv/dbs/IElementProcessor.java
new file mode 100644
index 000000000..648a13aef
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/IElementProcessor.java
@@ -0,0 +1,36 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * Processor handles object read from the session.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IElementProcessor {
+
+ /**
+ * Handles object
+ *
+ * @param o object to be processed
+ * @exception EBaseException failed to process object
+ */
+ public void process(Object o) throws EBaseException;
+}
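Review bot: The Javadoc `Returns current index.` is followed by a blank line and then `public int getSizeBeforeJumpTo();`, so it attaches to the wrong method, and `getSizeAfterJumpTo()` and `getCurrentIndex()` end up undocumented; move that comment directly above `public int getCurrentIndex();` and give the two jump-size accessors their own one-line Javadoc, e.g. `/** Returns the number of entries before the jump-to position. */`. The `getElementAt` comment also contradicts itself (`an exception will be thrown and return null`) — state which of the two actually happens for an out-of-range index, since callers need to know whether to catch or null-check. Both `getPage` overloads return a boolean whose meaning is not given; add `@return true if the page was fetched` or whatever the implementation guarantees.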
diff --git a/base/common/src/com/netscape/certsrv/dbs/IFilterConverter.java b/base/common/src/com/netscape/certsrv/dbs/IFilterConverter.java new file mode 100644 index 000000000..2c0ccb89f --- /dev/null +++ b/base/common/src/com/netscape/certsrv/dbs/IFilterConverter.java @@ -0,0 +1,48 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.dbs; + +/** + * An interface represents a filter converter + * that understands how to convert a attribute + * type from one defintion to another. + * For example, + * + *

+ * (1) database layer need to convert
+ *     registered attribute type to ldap attribute
+ *     type.
+ * (2) high level subsystem need to convert
+ *     locale specific attribute type to registered
+ *     attribute type.
+ * 
+ * + * @version $Revision$, $Date$ + */ +public interface IFilterConverter { + + /** + * Converts attribute into LDAP attribute. + * + * @param attr attribute name + * @param op attribute operation + * @param value attribute value + * @return The LDAP attribute + */ + public String convert(String attr, String op, String value); +} diff --git a/base/common/src/com/netscape/certsrv/dbs/Modification.java b/base/common/src/com/netscape/certsrv/dbs/Modification.java new file mode 100644 index 000000000..6c61bdb1f --- /dev/null +++ b/base/common/src/com/netscape/certsrv/dbs/Modification.java 
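Review bot: `public String convert(String attr, String op, String value);` produces a fragment that ends up inside an LDAP search filter string, but the Javadoc does not say whether `value` is embedded verbatim or escaped; if a caller passes externally supplied values through unescaped, filter metacharacters (`*`, `(`, `)`, `\`) change the meaning of the query the repository runs. State the contract on the interface, e.g. `@param value attribute value; implementations must escape LDAP filter metacharacters (RFC 4515) before embedding it`, or document explicitly that escaping is the caller's responsibility so that every implementation and caller agrees on who does it. The `@return The LDAP attribute` tag is also inaccurate, since the result is a filter expression rather than an attribute name.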
@@ -0,0 +1,87 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs;
+
+/**
+ * A class represents a modification. This is used by the
+ * database (dbs) framework for modification operations.
+ * It specifices the modification type and values.
+ *
+ * @version $Revision$, $Date$
+ */
+public class Modification {
+
+ /**
+ * Add new value.
+ */
+ public static final int MOD_ADD = 0;
+
+ /**
+ * Deletes old value.
+ */
+ public static final int MOD_DELETE = 1;
+
+ /**
+ * Replace old value.
+ */
+ public static final int MOD_REPLACE = 2;
+
+ private String mName = null;
+ private int mOp;
+ private Object mValue = null;
+
+ /**
+ * Constructs a role modification.
+ *
+ * @param name attribute name
+ * @param op attribute operation (i.e. MOD_ADD, MOD_DELETE, or MOD_REPLACE)
+ * @param value attribute value
+ */
+ public Modification(String name, int op, Object value) {
+ mName = name;
+ mOp = op;
+ mValue = value;
+ }
+
+ /**
+ * Retrieves attribute name.
+ *
+ * @return attribute name
+ */
+ public String getName() {
+ return mName;
+ }
+
+ /**
+ * Retrieves modification operation type.
+ *
+ * @return modification type
+ */
+ public int getOp() {
+ return mOp;
+ }
+
+ /**
+ * Retrieves attribute value.
+ *
+ * @return attribute value
+ */
+ public Object getValue() {
+ return mValue;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/ModificationSet.java b/base/common/src/com/netscape/certsrv/dbs/ModificationSet.java
new file mode 100644
index 000000000..70e9b377d
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/ModificationSet.java
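Review bot: The constructor `public Modification(String name, int op, Object value)` accepts any `int` for `op`, so a caller mistake (or an op derived from external input) silently builds a modification that is neither add, delete nor replace and is only noticed, if at all, when the LDAP layer interprets it. Reject it at construction: `if (op < MOD_ADD || op > MOD_REPLACE) throw new IllegalArgumentException("invalid modification op: " + op);`. The three fields are assigned once and only read through getters, so `private final String mName;` (likewise `mOp` and `mValue`) would make the immutability explicit and drop the redundant `= null` initializers; the Javadoc `Constructs a role modification.` also looks copied from elsewhere, as nothing here is role-specific.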
@@ -0,0 +1,61 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs;
+
+import java.util.Enumeration;
+import java.util.Vector;
+
+/**
+ * A class represents a modification set. A modification
+ * set contains zero or more modifications.
+ *
+ * @version $Revision$, $Date$
+ */
+public class ModificationSet {
+
+ /**
+ * A list of modifications
+ */
+ private Vector mods = new Vector();
+
+ /**
+ * Constructs modification set.
+ */
+ public ModificationSet() {
+ }
+
+ /**
+ * Adds modification to this set.
+ *
+ * @param name attribute name
+ * @param op modification operation
+ * @param value attribute value
+ */
+ public void add(String name, int op, Object value) {
+ mods.addElement(new Modification(name, op, value));
+ }
+
+ /**
+ * Retrieves a list of modifications.
+ *
+ * @return a list of Modifications
+ */
+ public Enumeration getModifications() {
+ return mods.elements();
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java
new file mode 100644
index 000000000..d05c9ed5f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java
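Review bot: `private Vector mods = new Vector();` and `public Enumeration getModifications()` use raw types, so every consumer has to cast each element and the compiler cannot check that only `Modification` objects are stored; `private final Vector<Modification> mods = new Vector<Modification>();` and `public Enumeration<Modification> getModifications()` fix both without changing callers. The Javadoc should also say that `getModifications()` returns an enumeration backed by the set (it is `mods.elements()`), not a snapshot, so that a caller iterating while another thread calls `add` knows what to expect; I cannot see the call sites from this hunk, so whether that matters in practice is an assumption.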
@@ -0,0 +1,176 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.dbs.certdb; + +import java.math.BigInteger; +import java.util.Date; + +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.base.MetaInfo; +import com.netscape.certsrv.dbs.IDBObj; + +/** + * An interface contains constants for certificate record. 
+ * + * @version $Revision$, $Date$ + */ +public interface ICertRecord extends IDBObj { + + public final static String ATTR_ID = "certRecordId"; + public final static String ATTR_META_INFO = "certMetaInfo"; + public final static String ATTR_REVO_INFO = "certRevoInfo"; + public final static String ATTR_CERT_STATUS = "certStatus"; + public final static String ATTR_CREATE_TIME = "certCreateTime"; + public final static String ATTR_MODIFY_TIME = "certModifyTime"; + public final static String ATTR_AUTO_RENEW = "certAutoRenew"; + public final static String ATTR_ISSUED_BY = "certIssuedBy"; + public final static String ATTR_REVOKED_BY = "certRevokedBy"; + public final static String ATTR_REVOKED_ON = "certRevokedOn"; + public final static String ATTR_X509CERT = "x509cert"; + + public static final String META_LDAPPUBLISH = "inLdapPublishDir"; + public static final String META_REQUEST_ID = "requestId"; + public static final String META_RENEWED_CERT = "renewedCertSerialNo"; + public static final String META_OLD_CERT = "oldCertSerialNo"; + public static final String META_CERT_TYPE = "certType"; + public static final String META_CRMF_REQID = "crmfReqId"; + public static final String META_CHALLENGE_PHRASE = "challengePhrase"; + public static final String META_PROFILE_ID = "profileId"; + + public final static String STATUS_VALID = "VALID"; + public final static String STATUS_INVALID = "INVALID"; + public final static String STATUS_REVOKED = "REVOKED"; + public final static String STATUS_EXPIRED = "EXPIRED"; + public final static String STATUS_REVOKED_EXPIRED = "REVOKED_EXPIRED"; + + public final static String AUTO_RENEWAL_DISABLED = "DISABLED"; + public final static String AUTO_RENEWAL_ENABLED = "ENABLED"; + public final static String AUTO_RENEWAL_DONE = "DONE"; + public final static String AUTO_RENEWAL_NOTIFIED = "NOTIFIED"; + + public final static String X509CERT_NOT_BEFORE = "notBefore"; + public final static String X509CERT_NOT_AFTER = "notAfter"; + public final static String 
X509CERT_DURATION = "duration"; + public final static String X509CERT_EXTENSION = "extension"; + public final static String X509CERT_SUBJECT = "subject"; + public final static String X509CERT_PUBLIC_KEY_DATA = "publicKeyData"; + public final static String X509CERT_VERSION = "version"; + public final static String X509CERT_ALGORITHM = "algorithm"; + public final static String X509CERT_SIGNING_ALGORITHM = "signingAlgorithm"; + public final static String X509CERT_SERIAL_NUMBER = "serialNumber"; + + /* attribute type used the following with search filter */ + public final static String ATTR_X509CERT_NOT_BEFORE = + ATTR_X509CERT + "." + X509CERT_NOT_BEFORE; + public final static String ATTR_X509CERT_NOT_AFTER = + ATTR_X509CERT + "." + X509CERT_NOT_AFTER; + public final static String ATTR_X509CERT_DURATION = + ATTR_X509CERT + "." + X509CERT_DURATION; + public final static String ATTR_X509CERT_EXTENSION = + ATTR_X509CERT + "." + X509CERT_EXTENSION; + public final static String ATTR_X509CERT_SUBJECT = + ATTR_X509CERT + "." + X509CERT_SUBJECT; + public final static String ATTR_X509CERT_VERSION = + ATTR_X509CERT + "." + X509CERT_VERSION; + public final static String ATTR_X509CERT_ALGORITHM = + ATTR_X509CERT + "." + X509CERT_ALGORITHM; + public final static String ATTR_X509CERT_SIGNING_ALGORITHM = + ATTR_X509CERT + "." + X509CERT_SIGNING_ALGORITHM; + public final static String ATTR_X509CERT_SERIAL_NUMBER = + ATTR_X509CERT + "." + X509CERT_SERIAL_NUMBER; + public final static String ATTR_X509CERT_PUBLIC_KEY_DATA = + ATTR_X509CERT + "." + X509CERT_PUBLIC_KEY_DATA; + + /** + * Retrieves serial number from stored certificate. + * + * @return certificate serial number + */ + public BigInteger getCertificateSerialNumber(); + + /** + * Retrieves serial number from certificate record. + * + * @return certificate serial number + */ + public BigInteger getSerialNumber(); + + /** + * Retrieves certificate from certificate record. 
+ * + * @return certificate + */ + public X509CertImpl getCertificate(); + + /** + * Retrieves name of who issued this certificate. + * + * @return name of who issued this certificate + */ + public String getIssuedBy(); + + /** + * Retrieves name of who revoked this certificate. + * + * @return name of who revoked this certificate + */ + public String getRevokedBy(); + + /** + * Retrieves date when this certificate was revoked. + * + * @return date when this certificate was revoked + */ + public Date getRevokedOn(); + + /** + * Retrieves meta info. + * + * @return meta info + */ + public MetaInfo getMetaInfo(); + + /** + * Retrieves certificate status. + * + * @return certificate status + */ + public String getStatus(); + + /** + * Retrieves time of creation of this certificate record. + * + * @return time of creation of this certificate record + */ + public Date getCreateTime(); + + /** + * Retrieves time of modification of this certificate record. + * + * @return time of modification of this certificate record + */ + public Date getModifyTime(); + + /** + * Retrieves revocation info. + * + * @return revocation info + */ + public IRevocationInfo getRevocationInfo(); +} diff --git a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecordList.java b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecordList.java new file mode 100644 index 000000000..59a826ee2 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecordList.java 
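Review bot: `getCertificateSerialNumber()` (`Retrieves serial number from stored certificate`) and `getSerialNumber()` (`Retrieves serial number from certificate record`) are two serial-number accessors with near-identical Javadoc and no statement of how they relate; a record whose `certRecordId` disagrees with the serial inside the stored `X509CertImpl` would be found by one lookup and revoked by another. Document which one is authoritative, e.g. `@return serial number stored in the record id attribute; expected to equal {@link #getCertificateSerialNumber()}`. The class Javadoc `An interface contains constants for certificate record.` is also out of date now that the interface declares the accessor methods, and `public final static` on interface fields is redundant since interface fields are implicitly public static final.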
@@ -0,0 +1,94 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.dbs.certdb; + +import java.util.Enumeration; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.dbs.IElementProcessor; + +/** + * A class represents a list of certificate records. + *

+ * + * @version $Revision$, $Date$ + */ +public interface ICertRecordList { + + /** + * Gets the current index. + * + * @return current index + */ + public int getCurrentIndex(); + + /** + * Retrieves the size of request list. + * + * @return size + */ + public int getSize(); + + /** + * Gets size before jump to index. + * + * @return size + */ + public int getSizeBeforeJumpTo(); + + /** + * Gets size after jump to index. + * + * @return size + */ + public int getSizeAfterJumpTo(); + + /** + * Process certificate record as soon as it is returned. + * + * @param startidx starting index + * @param endidx ending index + * @param ep element processor + * @exception EBaseException failed to process cert records + */ + public void processCertRecords(int startidx, int endidx, + IElementProcessor ep) throws EBaseException; + + /** + * Retrieves requests. + * It's no good to call this if you didnt check + * if the startidx, endidx are valid. + * + * @param startidx starting index + * @param endidx ending index + * @exception EBaseException failed to retrieve + */ + public Enumeration getCertRecords(int startidx, int endidx) + throws EBaseException; + + /** + * Gets one single record at a time similar to + * processCertRecords but no extra class needed. + * + * @param index position of the record to be retrieved + * @return object + * @exception EBaseException failed to retrieve + */ + public ICertRecord getCertRecord(int index) + throws EBaseException; +} diff --git a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java new file mode 100644 index 000000000..a8505c2a2 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java 
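Review bot: The Javadoc on `getCertRecords(int startidx, int endidx)` reads `Retrieves requests.` and `getSize()` reads `Retrieves the size of request list.`, which looks copied from the request-list interface; both should refer to certificate records. `getCertRecords` also lacks `@return`, and `It's no good to call this if you didnt check if the startidx, endidx are valid` does not say what happens on an invalid range or whether `endidx` is inclusive — document the implementation's actual behaviour (exception versus truncated result) in `@return`/`@exception`. Since the return type is a raw `Enumeration`, `Enumeration<ICertRecord>` would tell callers what they get without a cast.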
@@ -0,0 +1,528 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.dbs.certdb; + +import java.math.BigInteger; +import java.security.cert.Certificate; +import java.util.Date; +import java.util.Enumeration; +import java.util.Hashtable; + +import netscape.ldap.LDAPEntry; +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.MetaInfo; +import com.netscape.certsrv.dbs.IElementProcessor; +import com.netscape.certsrv.dbs.ModificationSet; +import com.netscape.certsrv.dbs.repository.IRepository; +import com.netscape.cmscore.dbs.CertificateRepository.RenewableCertificateCollection; + +/** + * An interface represents a CMS certificate repository. + * It stores all the issued certificate. + *

+ * + * @version $Revision$, $Date$ + */ +public interface ICertificateRepository extends IRepository { + + /** + * Adds a certificate record to the repository. Each certificate + * record contains four parts: certificate, meta-attributes, + * issue information and reovcation information. + *

+ * + * @param record X.509 certificate + * @exception EBaseException failed to add new certificate to + * the repository + */ + public void addCertificateRecord(ICertRecord record) + throws EBaseException; + + /** + * Reads the certificate identified by the given serial no. + * + * @param serialNo serial number of certificate + * @return certificate + * @exception EBaseException failed to retrieve certificate + */ + public X509CertImpl getX509Certificate(BigInteger serialNo) + throws EBaseException; + + /** + * Reads certificate from repository. + * + * @param serialNo serial number of certificate + * @return certificate record + * @exception EBaseException failed to retrieve certificate + */ + public ICertRecord readCertificateRecord(BigInteger serialNo) + throws EBaseException; + + /** + * Sets certificate status update internal + * + * @param requestRepo request repository + * @param interval update interval + * @param listenToCloneModifications enable listening to clone modifications + */ + public void setCertStatusUpdateInterval(IRepository requestRepo, + int interval, + boolean listenToCloneModifications); + + /** + * Updates certificate status now. This is a blocking method. + * + * @exception EBaseException failed to update + */ + public void updateCertStatus() throws EBaseException; + + /** + * Modifies certificate record. + * + * @param serialNo serial number of record + * @param mods modifications + * @exception EBaseException failed to modify + */ + public void modifyCertificateRecord(BigInteger serialNo, + ModificationSet mods) throws EBaseException; + + /** + * Checks if the certificate exists in this repository. + * + * @param serialNo serial number of certificate + * @return true if it exists + * @exception EBaseException failed to check + */ + public boolean containsCertificate(BigInteger serialNo) + throws EBaseException; + + /** + * Deletes certificate from this repository. 
+ * + * @param serialNo serial number of certificate + * @exception EBaseException failed to delete + */ + public void deleteCertificateRecord(BigInteger serialNo) + throws EBaseException; + + /** + * Marks certificate as revoked. + * + * @param id serial number + * @param info revocation information + * @exception EBaseException failed to mark + */ + public void markAsRevoked(BigInteger id, IRevocationInfo info) + throws EBaseException; + + /** + * Updates certificate status. + * + * @param id serial number + * @param status certificate status + * @exception EBaseException failed to update status + */ + public void updateStatus(BigInteger id, String status) + throws EBaseException; + + /** + * Marks certificate as renewable. + * + * @param record certificate record to modify + * @exception EBaseException failed to update + */ + public void markCertificateAsRenewable(ICertRecord record) + throws EBaseException; + + /** + * Marks certificate as not renewable. + * + * @param record certificate record to modify + * @exception EBaseException failed to update + */ + public void markCertificateAsNotRenewable(ICertRecord record) + throws EBaseException; + + /** + * Marks certificate as renewed. + * + * @param serialNo certificate record to modify + * @exception EBaseException failed to update + */ + public void markCertificateAsRenewed(String serialNo) + throws EBaseException; + + /** + * Marks certificate as renewed and notified. + * + * @param serialNo certificate record to modify + * @exception EBaseException failed to update + */ + public void markCertificateAsRenewalNotified(String serialNo) + throws EBaseException; + + /** + * Finds a list of certificate records that satisifies + * the filter. + * Here is a list of filter + * attribute can be used: + * + *

+     *   certRecordId
+     *   certMetaInfo
+     *   certStatus
+     *   certCreateTime
+     *   certModifyTime
+     *   x509Cert.notBefore
+     *   x509Cert.notAfter
+     *   x509Cert.subject
+     * 
+ * + * The filter should follow RFC1558 LDAP filter syntax. + * For example, + * + *
+     *   (&(certRecordId=5)(x509Cert.notBefore=934398398))
+     * 
+ * + * @param filter search filter + * @param maxSize max size to return + * @return a list of certificates + * @exception EBaseException failed to search + */ + public Enumeration searchCertificates(String filter, int maxSize) + throws EBaseException; + + /** + * Finds a list of certificate records that satisifies + * the filter. + * + * @param filter search filter + * @param maxSize max size to return + * @param timeLimit timeout value + * @return a list of certificates + * @exception EBaseException failed to search + */ + public Enumeration searchCertificates(String filter, int maxSize, + int timeLimit) throws EBaseException; + + /** + * Finds a list of certificate records that satisifies + * the filter. + * + * @param filter search filter + * @param attrs selected attribute + * @param pageSize page size + * @return a list of certificates + * @exception EBaseException failed to search + */ + public ICertRecordList findCertRecordsInList(String filter, + String attrs[], int pageSize) throws EBaseException; + + /** + * Finds a list of certificate records that satisifies + * the filter. + * + * @param filter search filter + * @param attrs selected attribute + * @param sortKey key to use for sorting the returned elements + * @param pageSize page size + * @return a list of certificates + * @exception EBaseException failed to search + */ + public ICertRecordList findCertRecordsInList(String filter, + String attrs[], String sortKey, int pageSize) + throws EBaseException; + + /** + * Finds a list of certificate records that satisifies + * the filter. 
+ * + * @param filter search filter + * @param attrs selected attribute + * @param jumpTo jump to index + * @param sortKey key to use for sorting the returned elements + * @param pageSize page size + * @return a list of certificates + * @exception EBaseException failed to search + */ + public ICertRecordList findCertRecordsInList(String filter, + String attrs[], String jumpTo, String sortKey, int pageSize) + throws EBaseException; + + public ICertRecordList findCertRecordsInList(String filter, + String attrs[], String jumpTo, boolean hardJumpTo, String sortKey, int pageSize) + throws EBaseException; + + /** + * Finds a list of certificate records that satisifies + * the filter. + * + * @param filter search filter + * @param attrs selected attribute + * @param jumpTo jump to index + * @param sortKey key to use for sorting the returned elements + * @param pageSize page size + * @return a list of certificates + * @exception EBaseException failed to search + */ + public ICertRecordList findCertRecordsInListRawJumpto(String filter, + String attrs[], String jumpTo, String sortKey, int pageSize) + throws EBaseException; + + public static final int ALL_CERTS = 0; + public static final int ALL_VALID_CERTS = 1; + public static final int ALL_UNREVOKED_CERTS = 2; + + /** + * Gets all valid and unexpired certificates pertaining + * to a subject DN. + * + * @param subjectDN The distinguished name of the subject. + * @param validityType The type of certificatese to retrieve. + * @return An array of certificates. + * @throws EBaseException on error. + */ + public X509CertImpl[] getX509Certificates(String subjectDN, + int validityType) throws EBaseException; + + /** + * Retrieves all the revoked certificates that have not expired. 
+ * + * @param asOfDate as of date + * @return a list of revoked certificates + * @exception EBaseException failed to retrieve + */ + public Enumeration getRevokedCertificates(Date asOfDate) + throws EBaseException; + + /** + * Retrieves all revoked certificates including ones that have expired + * or that are not yet valid. + * + * @return a list of revoked certificates + * @exception EBaseException failed to search + */ + public Enumeration getAllRevokedCertificates() + throws EBaseException; + + /** + * Retrieves all revoked but not expired certificates. + * + * @return a list of revoked certificates + * @exception EBaseException failed to search + */ + public Enumeration getAllRevokedNonExpiredCertificates() + throws EBaseException; + + /** + * Finds all certificates given a filter. + * + * @param filter search filter + * @return a list of certificates + * @exception EBaseException failed to search + */ + public Enumeration findCertificates(String filter) + throws EBaseException; + + /** + * Finds all certificate records given a filter. + * + * @param filter search filter + * @return a list of certificates + * @exception EBaseException failed to search + */ + public Enumeration findCertRecords(String filter) + throws EBaseException; + + /** + * Gets Revoked certs orderes by noAfter date, jumps to records + * where notAfter date is greater than current. + * + * @param date reference date + * @param pageSize page size + * @return a list of certificate records + * @exception EBaseException failed to retrieve + */ + public ICertRecordList getRevokedCertsByNotAfterDate(Date date, + int pageSize) throws EBaseException; + + /** + * Gets Invalid certs orderes by noAfter date, jumps to records + * where notAfter date is greater than current. 
+ * + * @param date reference date + * @param pageSize page size + * @return a list of certificate records + * @exception EBaseException failed to retrieve + */ + public ICertRecordList getInvalidCertsByNotBeforeDate(Date date, + int pageSize) throws EBaseException; + + /** + * Gets valid certs orderes by noAfter date, jumps to records + * where notAfter date is greater than current. + * + * @param date reference date + * @param pageSize page size + * @return a list of certificate records + * @exception EBaseException failed to retrieve + */ + public ICertRecordList getValidCertsByNotAfterDate(Date date, + int pageSize) throws EBaseException; + + /** + * Creates certificate record. + * + * @param id serial number + * @param cert certificate + * @param meta meta information + * @return certificate record + */ + public ICertRecord createCertRecord(BigInteger id, + Certificate cert, MetaInfo meta); + + /** + * Finds certificate records. + * + * @param filter search filter + * @return a list of certificate records + * @exception EBaseException failed to retrieve cert records + */ + public Enumeration findCertRecs(String filter) + throws EBaseException; + + /** + * Retrieves renewable certificates. + * + * @param renewalTime renewal time + * @return certificates + * @exception EBaseException failed to retrieve + */ + public Hashtable getRenewableCertificates(String renewalTime) + throws EBaseException; + + /** + * Unmark a revoked certificates. + * + * @param id serial number + * @param info revocation information + * @param revokedOn revocation date + * @param revokedBy userid + * @exception EBaseException failed to unmark + */ + public void unmarkRevoked(BigInteger id, IRevocationInfo info, + Date revokedOn, String revokedBy) + throws EBaseException; + + /** + * Retrieves valid and not published certificates. 
+ * + * @param from starting serial number + * @param to ending serial number + * @return a list of certificates + * @exception EBaseException failed to retrieve + */ + public Enumeration getValidNotPublishedCertificates(String from, String to) + throws EBaseException; + + /** + * Retrieves expired and published certificates. + * + * @param from starting serial number + * @param to ending serial number + * @return a list of certificates + * @exception EBaseException failed to retrieve + */ + public Enumeration getExpiredPublishedCertificates(String from, String to) + throws EBaseException; + + /** + * Retrieves revoked and published certificates. + * + * @param from starting serial number + * @param to ending serial number + * @return a list of certificates + * @exception EBaseException failed to retrieve + */ + public Enumeration getRevokedPublishedCertificates(String from, String to) + throws EBaseException; + + /** + * Retrieves valid certificates. + * + * @param from starting serial number + * @param to ending serial number + * @return a list of certificates + * @exception EBaseException failed to retrieve + */ + public Enumeration getValidCertificates(String from, String to) + throws EBaseException; + + /** + * Retrieves expired certificates. + * + * @param from starting serial number + * @param to ending serial number + * @return a list of certificates + * @exception EBaseException failed to retrieve + */ + public Enumeration getExpiredCertificates(String from, String to) + throws EBaseException; + + /** + * Retrieves revoked certificates. + * + * @param from starting serial number + * @param to ending serial number + * @return a list of certificates + * @exception EBaseException failed to retrieve + */ + public Enumeration getRevokedCertificates(String from, String to) + throws EBaseException; + + /** + * Retrieves modified certificate records. 
+ *
+ * @param entry LDAPEntry with modified data
+ */
+ public void getModifications(LDAPEntry entry);
+
+ /**
+ * Removes certificate records with this repository.
+ *
+ * @param beginS BigInteger with radix 16
+ * @param endS BigInteger with radix 16
+ */
+ public void removeCertRecords(BigInteger beginS, BigInteger endS) throws EBaseException;
+
+ /**
+ * Builds a list of revoked certificates to put them into CRL.
+ * Calls certificate record processor to get necessary data
+ * from certificate records.
+ * This also regenerates CRL cache.
+ *
+ * @param cp certificate record processor
+ * @exception EBaseException if an error occurred in the database.
+ */
+ public void processRevokedCerts(IElementProcessor cp, String filter, int pageSize) throws EBaseException;
+
+ public void shutdown();
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/certdb/IRevocationInfo.java b/base/common/src/com/netscape/certsrv/dbs/certdb/IRevocationInfo.java
new file mode 100644
index 000000000..fb773576c
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/certdb/IRevocationInfo.java
@@ -0,0 +1,47 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs.certdb;
+
+import java.util.Date;
+
+import netscape.security.x509.CRLExtensions;
+
+/**
+ * A class represents a certificate revocation info. This
+ * object is written as an attribute of certificate record
+ * which essentially signifies a revocation act.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IRevocationInfo {
+
+ /**
+ * Retrieves revocation date.
+ *
+ * @return revocation date
+ */
+ public Date getRevocationDate();
+
+ /**
+ * Retrieves CRL entry extensions.
+ *
+ * @return CRL entry extensions
+ */
+ public CRLExtensions getCRLEntryExtensions();
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/crldb/ICRLIssuingPointRecord.java b/base/common/src/com/netscape/certsrv/dbs/crldb/ICRLIssuingPointRecord.java
new file mode 100644
index 000000000..b990bbf57
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/crldb/ICRLIssuingPointRecord.java
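Review bot: The class Javadoc still carries the Subversion keyword tags `@version $Revision$, $Date$`, which git never expands, so generated documentation will show the literal placeholders; since this commit is already removing an svn-migration artefact, dropping the `@version` line is in scope. The same tag appears in ICRLIssuingPointRecord, ICRLRepository, IKeyRecord, IKeyRecordList, IKeyRepository, KeyId and KeyIdAdapter in this chunk, so it is one mechanical change across the moved files rather than a per-file fix.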
@@ -0,0 +1,161 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.dbs.crldb; + +import java.math.BigInteger; +import java.util.Date; +import java.util.Hashtable; + +import netscape.security.x509.RevokedCertificate; + +import com.netscape.certsrv.dbs.IDBObj; + +/** + * An interface that defines abilities of + * a CRL issuing point record. 
+ * + * @version $Revision$, $Date$ + */ +public interface ICRLIssuingPointRecord extends IDBObj { + + public static final String ATTR_ID = "id"; + public static final String ATTR_CRL_NUMBER = "crlNumber"; + public static final String ATTR_DELTA_NUMBER = "deltaNumber"; + public static final String ATTR_CRL_SIZE = "crlSize"; + public static final String ATTR_DELTA_SIZE = "deltaSize"; + public static final String ATTR_THIS_UPDATE = "thisUpdate"; + public static final String ATTR_NEXT_UPDATE = "nextUpdate"; + public static final String ATTR_FIRST_UNSAVED = "firstUnsaved"; + public static final String ATTR_CRL = "certificaterevocationlist"; + public static final String ATTR_CRL_CACHE = "crlCache"; + public static final String ATTR_CA_CERT = "cACertificate"; + public static final String ATTR_REVOKED_CERTS = "revokedCerts"; + public static final String ATTR_UNREVOKED_CERTS = "unrevokedCerts"; + public static final String ATTR_EXPIRED_CERTS = "expiredCerts"; + public static final String ATTR_DELTA_CRL = "deltaRevocationList"; + + public static final String CLEAN_CACHE = "-1"; + public static final String NEW_CACHE = "-2"; + + /** + * Retrieve unique CRL identifier. + * + * @return unique CRL identifier + */ + public String getId(); + + /** + * Retrieves current CRL number out of CRL issuing point record. + * + * @return current CRL number + */ + public BigInteger getCRLNumber(); + + /** + * Retrieves CRL size measured by the number of entries. + * + * @return CRL size + */ + public Long getCRLSize(); + + /** + * Retrieves this update time. + * + * @return time of this update + */ + public Date getThisUpdate(); + + /** + * Retrieves next update time. + * + * @return time of next update + */ + public Date getNextUpdate(); + + /** + * Retrieves current delta CRL number out of CRL issuing point record. + * + * @return current delta CRL number + */ + public BigInteger getDeltaCRLNumber(); + + /** + * Retrieves delta CRL size measured by the number of entries. 
+ * + * @return delta CRL size + */ + public Long getDeltaCRLSize(); + + /** + * Retrieve Retrieve reference to the first unsaved data. + * + * @return reference to the first unsaved data + */ + public String getFirstUnsaved(); + + /** + * Retrieves encoded CRL. + * + * @return encoded CRL + */ + public byte[] getCRL(); + + /** + * Retrieves encoded delta CRL. + * + * @return encoded delta CRL + */ + public byte[] getDeltaCRL(); + + /** + * Retrieves encoded CA certificate. + * + * @return encoded CA certificate + */ + public byte[] getCACert(); + + /** + * Retrieves cache information about CRL. + * + * @return list of recently revoked certificates + */ + public Hashtable getCRLCacheNoClone(); + + public Hashtable getCRLCache(); + + /** + * Retrieves cache information about revoked certificates. + * + * @return list of recently revoked certificates + */ + public Hashtable getRevokedCerts(); + + /** + * Retrieves cache information about certificates released from hold. + * + * @return list of certificates recently released from hold + */ + public Hashtable getUnrevokedCerts(); + + /** + * Retrieves cache information about expired certificates. + * + * @return list of recently expired certificates + */ + public Hashtable getExpiredCerts(); +} diff --git a/base/common/src/com/netscape/certsrv/dbs/crldb/ICRLRepository.java b/base/common/src/com/netscape/certsrv/dbs/crldb/ICRLRepository.java new file mode 100644 index 000000000..806a2cb19 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/dbs/crldb/ICRLRepository.java 
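Review bot: `getCRLCache()` has no Javadoc while `getCRLCacheNoClone()` does, and the difference between them is exactly what a caller must know: the name suggests the NoClone variant hands out the record's own cache table, so a caller that mutates it changes the issuing point's view of recently revoked certificates. I would document the NoClone method with `Returns the live cache table; callers must not modify it` and give `getCRLCache()` a Javadoc such as `Retrieves a copy of the CRL cache that the caller may modify freely` — assuming that is the implemented contract, which this hunk cannot show. The Javadoc of `getFirstUnsaved()` also repeats a word: `Retrieve Retrieve reference to the first unsaved data`.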
@@ -0,0 +1,181 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.dbs.crldb; + +import java.math.BigInteger; +import java.util.Date; +import java.util.Hashtable; +import java.util.Vector; + +import netscape.security.x509.RevokedCertificate; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.dbs.ModificationSet; + +/** + * An interface represents a CMS CRL repository. It stores + * all the CRL issuing points. + * + * @version $Revision$, $Date$ + */ +public interface ICRLRepository { + + /** + * Adds CRL issuing point record. + * + * @param rec issuing point record + * @exception EBaseException failed to add new issuing point record + */ + public void addCRLIssuingPointRecord(ICRLIssuingPointRecord rec) + throws EBaseException; + + /** + * Retrieves all the issuing points' names. + * + * @return A list of issuing points' names. + * @exception EBaseException failed to retrieve all the issuing points' names. + */ + public Vector getIssuingPointsNames() throws EBaseException; + + /** + * Reads issuing point record. 
+ * + * @return issuing point record + * @exception EBaseException failed to read issuing point record + */ + public ICRLIssuingPointRecord readCRLIssuingPointRecord(String id) + throws EBaseException; + + /** + * Deletes issuing point record. + * + * @param id issuing point record id + * @exception EBaseException failed to delete issuing point record + */ + public void deleteCRLIssuingPointRecord(String id) + throws EBaseException; + + /** + * Modifies issuing point record. + * + * @param id issuing point record id + * @param mods set of modifications + * @exception EBaseException failed to modify issuing point record + */ + public void modifyCRLIssuingPointRecord(String id, ModificationSet mods) + throws EBaseException; + + /** + * Updates CRL issuing point record. + * + * @param id issuing point record id + * @param newCRL encoded binary CRL + * @param thisUpdate time of this update + * @param nextUpdate time of next update + * @param crlNumber CRL number + * @param crlSize CRL size + * @exception EBaseException failed to update issuing point record + */ + public void updateCRLIssuingPointRecord(String id, byte[] newCRL, + Date thisUpdate, Date nextUpdate, BigInteger crlNumber, Long crlSize) + throws EBaseException; + + /** + * Updates CRL issuing point record. 
+ * + * @param id issuing point record id + * @param newCRL encoded binary CRL + * @param thisUpdate time of this update + * @param nextUpdate time of next update + * @param crlNumber CRL number + * @param crlSize CRL size + * @param revokedCerts list of revoked certificates + * @param unrevokedCerts list of released from hold certificates + * @param expiredCerts list of expired certificates + * @exception EBaseException failed to update issuing point record + */ + public void updateCRLIssuingPointRecord(String id, byte[] newCRL, + Date thisUpdate, Date nextUpdate, BigInteger crlNumber, Long crlSize, + Hashtable revokedCerts, + Hashtable unrevokedCerts, + Hashtable expiredCerts) + throws EBaseException; + + /** + * Updates CRL issuing point record. + * + * @param id issuing point record id + * @param revokedCerts list of revoked certificates + * @param unrevokedCerts list of released from hold certificates + * @exception EBaseException failed to update issuing point record + */ + public void updateRevokedCerts(String id, Hashtable revokedCerts, Hashtable unrevokedCerts) + throws EBaseException; + + /** + * Updates CRL issuing point record. + * + * @param id issuing point record id + * @param expiredCerts list of expired certificates + * @exception EBaseException failed to update issuing point record + */ + public void updateExpiredCerts(String id, Hashtable expiredCerts) + throws EBaseException; + + /** + * Updates CRL issuing point record. + * + * @param id issuing point record id + * @param crlSize CRL size + * @param revokedCerts list of revoked certificates + * @param unrevokedCerts list of released from hold certificates + * @param expiredCerts list of expired certificates + * @exception EBaseException failed to update issuing point record + */ + public void updateCRLCache(String id, Long crlSize, + Hashtable revokedCerts, + Hashtable unrevokedCerts, + Hashtable expiredCerts) + throws EBaseException; + + /** + * Updates CRL issuing point record with delta-CRL. 
+ * + * @param id issuing point record id + * @param deltaCRLNumber delta CRL number + * @param deltaCRLSize delta CRL size + * @param nextUpdate time of next update + * @param deltaCRL delta CRL in binary form + * @exception EBaseException failed to update issuing point record + */ + public void updateDeltaCRL(String id, BigInteger deltaCRLNumber, + Long deltaCRLSize, Date nextUpdate, + byte[] deltaCRL) + throws EBaseException; + + /** + * Updates CRL issuing point record with reference to the first + * unsaved data. + * + * @param id issuing point record id + * @param firstUnsaved reference to the first unsaved data + * @exception EBaseException failed to update issuing point record + */ + public void updateFirstUnsaved(String id, String firstUnsaved) + throws EBaseException; +} diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java new file mode 100644 index 000000000..7da212469 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java 
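Review bot: `readCRLIssuingPointRecord(String id)` is the only method in this interface whose Javadoc omits its parameter; add `@param id issuing point record id` for consistency with `deleteCRLIssuingPointRecord`. The two `updateCRLIssuingPointRecord` overloads and `updateRevokedCerts`, `updateExpiredCerts` and `updateCRLCache` all share the summary `Updates CRL issuing point record`, so the generated index does not distinguish them; a first sentence naming what each one writes (the stored CRL, the revoked/unrevoked cache, the expired cache, the cache size) would fix that. It is also worth stating on `updateCRLIssuingPointRecord` whether `newCRL` may be null, given that `updateCRLCache` exists for the cache-only case.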
@@ -0,0 +1,153 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.dbs.keydb; + +import java.math.BigInteger; +import java.util.Date; + +import com.netscape.certsrv.base.EBaseException; + +/** + * An interface contains constants for key record. 
+ * + * @version $Revision$, $Date$ + */ +public interface IKeyRecord { + public static final String ATTR_ID = "keySerialNumber"; + public static final String ATTR_STATE = "keyState"; + public static final String ATTR_ALGORITHM = "algorithm"; + public static final String ATTR_KEY_SIZE = "keySize"; + public static final String ATTR_OWNER_NAME = "keyOwnerName"; + public static final String ATTR_PRIVATE_KEY_DATA = "privateKey"; + public static final String ATTR_PUBLIC_KEY_DATA = "publicKey"; + public static final String ATTR_DATE_OF_RECOVERY = "dateOfRecovery"; + public static final String ATTR_CREATE_TIME = "keyCreateTime"; + public static final String ATTR_MODIFY_TIME = "keyModifyTime"; + public static final String ATTR_META_INFO = "keyMetaInfo"; + public static final String ATTR_ARCHIVED_BY = "keyArchivedBy"; + public static final String ATTR_CLIENT_ID = "clientId"; + public static final String ATTR_DATA_TYPE = "dataType"; + public static final String ATTR_STATUS = "status"; + + + // key state + public static final String STATUS_ANY = "ANY"; + public static final String STATUS_VALID = "VALID"; + public static final String STATUS_INVALID = "INVALID"; + + /** + * Retrieves the state of the key. + * + * @return key state + * @exception EBaseException failed to retrieve state of the key + */ + public KeyState getState() throws EBaseException; + + /** + * Retrieves key identifier. + * + * @return key id + * @exception EBaseException failed to retrieve key id + */ + public BigInteger getSerialNumber() throws EBaseException; + + /** + * Retrieves key owner name. + * + * @return key owner name + * @exception EBaseException failed to retrieve key owner name + */ + public String getOwnerName() throws EBaseException; + + /** + * Retrieves key algorithm. + * + * @return key algorithm + */ + public String getAlgorithm(); + + /** + * Retrieves key length. 
+ * + * @return key length + * @exception EBaseException failed to retrieve key length + */ + public Integer getKeySize() throws EBaseException; + + /** + * Retrieves client ID. + * + * @return client id + * @exception EBaseException failed to retrieve client id + */ + public String getClientId() throws EBaseException; + + /** + * Retrieves key data type. + * + * @return data type + * @exception EBaseException failed to retrieve data type + */ + public String getDataType() throws EBaseException; + + /** + * Retrieves key status. + * + * @return key status + * @exception EBaseException failed to retrieve key status + */ + public String getKeyStatus() throws EBaseException; + + /** + * Retrieves archiver identifier. + * + * @return archiver uid + */ + + public String getArchivedBy(); + + /** + * Retrieves creation time. + * + * @return creation time + */ + public Date getCreateTime(); + + /** + * Retrieves last modification time. + * + * @return modification time + */ + public Date getModifyTime(); + + /** + * Retrieves dates of recovery. + * + * @return recovery history + * @exception EBaseException failed to retrieve recovery history + */ + public Date[] getDateOfRevocation() throws EBaseException; + + /** + * Retrieves public key data. + * + * @return public key data + * @exception EBaseException failed to retrieve public key data + */ + public byte[] getPublicKeyData() throws EBaseException; +} diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecordList.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecordList.java new file mode 100644 index 000000000..75f833892 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecordList.java 
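Review bot: `getDateOfRevocation()` is documented as `Retrieves dates of recovery` and the only matching attribute constant is `ATTR_DATE_OF_RECOVERY = "dateOfRecovery"`, so the method name contradicts both its Javadoc and its backing attribute; an archived-key record has no revocation date. Renaming is an interface change beyond this move, so at minimum the Javadoc should carry `Note: the method name is historical; this returns the dateOfRecovery attribute`. Separately, the interface defines `ATTR_PRIVATE_KEY_DATA` but exposes no accessor for it while `getPublicKeyData()` exists; if that asymmetry is deliberate — keeping wrapped private-key material off this read interface — a one-line comment on the constant saying so would stop a later maintainer from "completing" the API.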
@@ -0,0 +1,49 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs.keydb;
+
+import java.util.Enumeration;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * A class represents a list of key records.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IKeyRecordList {
+
+ /**
+ * Retrieves the size of key list.
+ *
+ * @return size of key list
+ */
+ public int getSize();
+
+ /**
+ * Retrieves key records.
+ *
+ * @param startidx start index
+ * @param endidx end index
+ * @return key records
+ * @exception EBaseException failed to retrieve key records
+ */
+ public Enumeration getKeyRecords(int startidx, int endidx)
+ throws EBaseException;
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRepository.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRepository.java
new file mode 100644
index 000000000..627844286
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRepository.java
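Review bot: `getKeyRecords(int startidx, int endidx)` does not say whether `endidx` is inclusive or what happens for indices outside `0..getSize()`, and callers paging through a large key list need that to avoid off-by-one gaps or duplicated records at page boundaries. I would extend the Javadoc to `@param endidx end index, exclusive` (or inclusive, whichever the implementation does) and state whether out-of-range indices are clamped or rejected, once the implementing class confirms the behaviour — this hunk cannot show it.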
@@ -0,0 +1,174 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.dbs.keydb; + +import java.math.BigInteger; +import java.security.PublicKey; +import java.util.Enumeration; + +import netscape.security.x509.X500Name; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.dbs.ModificationSet; +import com.netscape.certsrv.dbs.repository.IRepository; + +/** + * An interface represents a Key repository. This is the + * container of archived keys. + *

+ * + * @version $Revision$, $Date$ + */ +public interface IKeyRepository extends IRepository { + + /** + * Archives a key to the repository. + *

+ * + * @param record key record + * @exception EBaseException failed to archive key + */ + public void addKeyRecord(IKeyRecord record) throws EBaseException; + + /** + * Reads an archived key by serial number. + *

+ * + * @param serialNo serial number + * @return key record + * @exception EBaseException failed to recover key + */ + public IKeyRecord readKeyRecord(BigInteger serialNo) + throws EBaseException; + + /** + * Reads an archived key by b64 encoded cert. + *

+ * + * @param cert b64 encoded cert + * @return key record + * @exception EBaseException failed to recover key + */ + public IKeyRecord readKeyRecord(String cert) + throws EBaseException; + + /** + * Reads an archived key by owner name. + *

+ * + * @param ownerName owner name + * @return key record + * @exception EBaseException failed to recover key + */ + public IKeyRecord readKeyRecord(X500Name ownerName) + throws EBaseException; + + /** + * Reads archived key using public key. + * + * @param publicKey public key that is corresponding + * to the private key + * @return key record + * @exception EBaseException failed to read key + */ + public IKeyRecord readKeyRecord(PublicKey publicKey) + throws EBaseException; + + /** + * Searches for private keys. + * + * @param filter LDAP filter for the search + * @param maxSize maximium number of entries to be returned + * @return a list of private key records + * @exception EBaseException failed to search keys + */ + public Enumeration searchKeys(String filter, int maxSize) + throws EBaseException; + + /** + * Searches for private keys. + * + * @param filter LDAP filter for the search + * @param maxSize maximium number of entries to be returned + * @param timeLimt timeout value + * @return a list of private key records + * @exception EBaseException failed to search keys + */ + public Enumeration searchKeys(String filter, int maxSize, int timeLimt) + throws EBaseException; + + /** + * Deletes a key record. + * + * @param serialno key identifier + * @exception EBaseException failed to delete key record + */ + public void deleteKeyRecord(BigInteger serialno) + throws EBaseException; + + /** + * Modifies key record in this repository. + * + * @param serialNo key identifier + * @param mods modification of key records + * @exception EBaseException failed to modify key record + */ + public void modifyKeyRecord(BigInteger serialNo, + ModificationSet mods) throws EBaseException; + + /** + * Searchs for a list of key records. + * Here is a list of supported filter attributes: + * + *

+     *   keySerialNumber
+     *   keyState
+     *   algorithm
+     *   keySize
+     *   keyOwnerName
+     *   privateKey
+     *   publicKey
+     *   dateOfRecovery
+     *   keyCreateTime
+     *   keyModifyTime
+     *   keyMetaInfo
+     * 
+ * + * @param filter search filter + * @param attrs list of attributes to be returned + * @param pageSize virtual list page size + * @return list of key records + * @exception EBaseException failed to search key records + */ + public IKeyRecordList findKeyRecordsInList(String filter, + String attrs[], int pageSize) throws EBaseException; + + /** + * Searchs for a list of key records. + * + * @param filter search filter + * @param attrs list of attributes to be returned + * @param sortKey name of attribute that the list should be sorted by + * @param pageSize virtual list page size + * @return list of key records + * @exception EBaseException failed to search key records + */ + public IKeyRecordList findKeyRecordsInList(String filter, + String attrs[], String sortKey, int pageSize) + throws EBaseException; +} diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/KeyId.java b/base/common/src/com/netscape/certsrv/dbs/keydb/KeyId.java new file mode 100644 index 000000000..f998bf97a --- /dev/null +++ b/base/common/src/com/netscape/certsrv/dbs/keydb/KeyId.java 
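Review bot: `searchKeys(String filter, ...)` and both `findKeyRecordsInList(String filter, ...)` overloads take a raw LDAP filter string and nothing in the interface indicates that it is validated or escaped, so a caller that builds the filter from request input (an owner name, a client id) gets LDAP filter injection unless it escapes per RFC 4515 first. The Javadoc should pin that responsibility: `@param filter complete LDAP search filter; any value taken from user input must already be filter-escaped (RFC 4515), the repository passes the string through unchanged` — adjust the last clause if an implementation does escape, which this hunk cannot show. Smaller points in the same Javadoc: the parameter name `timeLimt` and the word `maximium` are misspelled, `Searchs` appears twice, and the list of supported filter attributes omits `clientId`, `dataType` and `status`, which IKeyRecord defines as record attributes — worth confirming whether they are searchable.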
@@ -0,0 +1,122 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs.keydb;
+
+import java.math.BigInteger;
+
+/**
+ * The KeyId class represents the identifier for a particular
+ * key record. This identifier may be used to retrieve the key record
+ * from the database.
+ *

+ *
+ * @author Endi S. Dewata
+ * @version $Revision$ $Date$
+ */
+public class KeyId {
+
+ protected BigInteger value;
+
+ /**
+ * Creates a new KeyId from its string representation.
+ *

+ *
+ * @param id
+ * a string containing the decimal or hex value for the identifier.
+ */
+ public KeyId(String id) {
+ if (id != null) {
+ id = id.trim();
+ if (id.startsWith("0x")) { // hex
+ value = new BigInteger(id.substring(2), 16);
+ } else { // decimal
+ value = new BigInteger(id);
+ }
+ }
+ }
+
+ /**
+ * Creates a new KeyId from its BigInteger representation.
+ *

+ *
+ * @param id
+ * a BigInteger containing the identifier.
+ */
+ public KeyId(BigInteger id) {
+ value = id;
+ }
+
+ /**
+ * Creates a new KeyId from its integer representation.
+ *

+ *
+ * @param id
+ * an integer containing the identifier.
+ */
+ public KeyId(int id) {
+ value = BigInteger.valueOf(id);
+ }
+
+ /**
+ * Converts the KeyId into its BigInteger representation.
+ *

+ *
+ * @return
+ * a BigInteger containing the identifier.
+ */
+ public BigInteger toBigInteger() {
+ return value;
+ }
+
+ /**
+ * Converts the KeyId into its string representation. The string
+ * form can be stored in a database (such as the LDAP directory)
+ *

+ *
+ * @return
+ * a string containing the decimal (base 10) value for the identifier.
+ */
+ public String toString() {
+ return value.toString();
+ }
+
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = 1;
+ result = prime * result + ((value == null) ? 0 : value.hashCode());
+ return result;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj)
+ return true;
+ if (obj == null)
+ return false;
+ if (getClass() != obj.getClass())
+ return false;
+ KeyId other = (KeyId) obj;
+ if (value == null) {
+ if (other.value != null)
+ return false;
+ } else if (!value.equals(other.value))
+ return false;
+ return true;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/KeyIdAdapter.java b/base/common/src/com/netscape/certsrv/dbs/keydb/KeyIdAdapter.java
new file mode 100644
index 000000000..3232999fd
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/keydb/KeyIdAdapter.java
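Review bot: `KeyId(String id)` silently accepts null and leaves `value` null, and `toString()` then throws NullPointerException, even though `equals` and `hashCode` go out of their way to tolerate a null `value`; the class should pick one contract. If no caller relies on the null-tolerant constructor, reject it at construction with `Objects.requireNonNull(id, "id")` (and likewise in `KeyId(BigInteger)`); otherwise make `toString()` and `toBigInteger()` null-safe and document it. The string constructor also needs `@throws NumberFormatException if id is not a decimal or 0x-prefixed hex integer`, because KeyIdAdapter feeds it text straight from an XML document, and the prefix check is case-sensitive so `0X1f` is parsed as decimal and fails. `toString()` is missing the `@Override` that the neighbouring `hashCode`/`equals` carry.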
@@ -0,0 +1,37 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs.keydb;
+
+import javax.xml.bind.annotation.adapters.XmlAdapter;
+
+/**
+ * The KeyIdAdapter class provides custom marshaling for KeyId.
+ *
+ * @author Endi S. Dewata
+ * @version $Revision$ $Date$
+ */
+public class KeyIdAdapter extends XmlAdapter {
+
+ public KeyId unmarshal(String value) throws Exception {
+ return new KeyId(value);
+ }
+
+ public String marshal(KeyId value) throws Exception {
+ return value.toString();
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/KeyState.java b/base/common/src/com/netscape/certsrv/dbs/keydb/KeyState.java
new file mode 100644
index 000000000..fa8a0d768
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/keydb/KeyState.java
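Review bot: `KeyIdAdapter extends XmlAdapter` uses the raw type, so `unmarshal` and `marshal` are not checked against the adapter's generic contract; it should be `XmlAdapter<String, KeyId>` with `@Override` on both methods. `unmarshal` also hands the XML text straight to `KeyId(String)`, which for non-numeric input throws `NumberFormatException` out of `BigInteger`, and for a null string (see the `if (id != null)` guard in the KeyId constructor above) leaves `value` null, after which `KeyId.toString()` dereferences it; since this adapter runs on externally supplied XML, a malformed id should be reported as a validation failure rather than an unchecked exception escaping from the parser. A small rewrite covering both points follows; whether a null id should be accepted or rejected is not decidable from the hunk, so `marshal` below just refuses a null argument.
```java
public class KeyIdAdapter extends XmlAdapter<String, KeyId> {

    @Override
    public KeyId unmarshal(String value) throws Exception {
        try {
            return new KeyId(value);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("Invalid key id: " + value, e);
        }
    }

    @Override
    public String marshal(KeyId value) throws Exception {
        if (value == null) {
            throw new IllegalArgumentException("Key id must not be null");
        }
        return value.toString();
    }
}
```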
@@ -0,0 +1,106 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs.keydb;
+
+import java.io.Serializable;
+
+/**
+ * A class represents key state. This object is to
+ * encapsulate the life cycle of a key.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public final class KeyState implements Serializable {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 5452723730414730579L;
+ private int mStateCode;
+
+ /**
+ * Constructs a key state.
+ */
+ private KeyState(int code) {
+ mStateCode = code;
+ }
+
+ /**
+ * Request state.
+ */
+ public final static KeyState ANY = new KeyState(-1);
+ public final static KeyState VALID = new KeyState(0);
+ public final static KeyState INVALID = new KeyState(1);
+
+ /**
+ * Checks if the given object equals to this object.
+ *
+ * @param other object to be compared
+ * @return true if both objects are the same
+ */
+ public boolean equals(Object other) {
+ if (this == other)
+ return true;
+ else if (other instanceof KeyState)
+ return ((KeyState) other).mStateCode == mStateCode;
+ else
+ return false;
+ }
+
+ /**
+ * Returns the hash code.
+ *
+ * @return hash code
+ */
+ public int hashCode() {
+ return mStateCode;
+ }
+
+ /**
+ * Return the string-representation of this object.
+ *
+ * @return string value
+ */
+ public String toString() {
+ if (mStateCode == -1)
+ return "ANY";
+ if (mStateCode == 0)
+ return "VALID";
+ if (mStateCode == 1)
+ return "INVAILD";
+ return "[UNDEFINED]";
+
+ }
+
+ /**
+ * Converts a string into a key state object.
+ *
+ * @param state state in string-representation
+ * @return key state object
+ */
+ public static KeyState toKeyState(String state) {
+ if (state.equalsIgnoreCase("ANY"))
+ return ANY;
+ if (state.equalsIgnoreCase("VALID"))
+ return VALID;
+ if (state.equalsIgnoreCase("INVALID"))
+ return INVALID;
+ return null;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/replicadb/IReplicaIDRepository.java b/base/common/src/com/netscape/certsrv/dbs/replicadb/IReplicaIDRepository.java
new file mode 100644
index 000000000..574adfae9
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/replicadb/IReplicaIDRepository.java
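Review bot: `toString()` returns `"INVAILD"` for the `INVALID` state while `toKeyState` matches on `"INVALID"`, so `toKeyState(INVALID.toString())` yields `null` and a state persisted through `toString()` does not parse back; the line should read `return "INVALID";`. `toKeyState` also dereferences `state` without a null check and returns `null` for any unrecognised string, which pushes the failure onto callers; at minimum document it as `@return the matching key state, or null if the string is not recognized`. Since the class is `Serializable` with a private constructor and shared `ANY`/`VALID`/`INVALID` instances but no `readResolve()`, a deserialized state is a fresh object — `equals` still works because it compares `mStateCode`, but any `==` comparison against the constants would not.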
@@ -0,0 +1,30 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs.replicadb;
+
+import com.netscape.certsrv.dbs.repository.IRepository;
+
+/**
+ * An interface represents a ReplicaID Repository.
+ * It provides unique managed replica IDs.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IReplicaIDRepository extends IRepository {
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/repository/IRepository.java b/base/common/src/com/netscape/certsrv/dbs/repository/IRepository.java
new file mode 100644
index 000000000..943d4a686
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/repository/IRepository.java
@@ -0,0 +1,88 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs.repository;
+
+import java.math.BigInteger;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * An interface represents a generic repository. It maintains unique
+ * serial number within repository.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IRepository {
+
+ /**
+ * Retrieves the next serial number, and also increase the
+ * serial number by one.
+ *
+ * @return serial number
+ * @exception EBaseException failed to retrieve next serial number
+ */
+ public BigInteger getNextSerialNumber() throws EBaseException;
+
+ /**
+ * Resets serial number.
+ */
+ public void resetSerialNumber(BigInteger serial) throws EBaseException;
+
+ /**
+ * Retrieves the next serial number without increasing the serial number.
+ *
+ * @return serial number
+ * @exception EBaseException failed to retrieve next serial number
+ */
+ public BigInteger getTheSerialNumber() throws EBaseException;
+
+ /**
+ * Set the maximum serial number.
+ *
+ * @param serial maximum number
+ * @exception EBaseException failed to set maximum serial number
+ */
+ public void setMaxSerial(String serial) throws EBaseException;
+
+ /**
+ * Set the maximum serial number in next range.
+ *
+ * @param serial maximum number
+ * @exception EBaseException failed to set maximum serial number in next range
+ */
+ public void setNextMaxSerial(String serial) throws EBaseException;
+
+ /**
+ * Checks to see if a new range is needed, or if we have reached the end of the
+ * current range, or if a range conflict has occurred.
+ *
+ * @exception EBaseException failed to check next range for conflicts
+ */
+ public void checkRanges() throws EBaseException;
+
+ /**
+ * Sets whether serial number management is enabled for certs
+ * and requests.
+ *
+ * @param value true/false
+ * @exception EBaseException failed to set
+ */
+ public void setEnableSerialMgmt(boolean value) throws EBaseException;
+
+}
diff --git a/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java b/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java
new file mode 100644
index 000000000..c46e8419c
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java
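Review bot: `resetSerialNumber(BigInteger serial)` carries a one-line Javadoc with neither `@param` nor `@exception`, although every sibling method in the interface documents both; propose `@param serial the serial number the repository continues from` and `@exception EBaseException failed to reset the serial number`. Also `setMaxSerial` and `setNextMaxSerial` take the maximum as a `String` while `getNextSerialNumber`/`resetSerialNumber` work in `BigInteger`; the Javadoc should state which string forms are accepted (decimal only, or hex as well) and that a malformed value is reported through `EBaseException`, since the range bounds these methods set are what `checkRanges()` later relies on to detect exhaustion and conflicts.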
@@ -0,0 +1,44 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.dbs.repository;
+
+import java.math.BigInteger;
+
+import com.netscape.certsrv.dbs.IDBObj;
+
+/**
+ * An interface represents a generic repository record.
+ * It maintains unique serial number within repository.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IRepositoryRecord extends IDBObj {
+
+ public final static String ATTR_SERIALNO = "serialNo";
+ public final static String ATTR_PUB_STATUS = "publishingStatus";
+
+ /**
+ * Retrieves serial number.
+ *
+ * @return serial number
+ */
+ public BigInteger getSerialNumber();
+
+ public String getPublishingStatus();
+}
diff --git a/base/common/src/com/netscape/certsrv/evaluators/IAccessEvaluator.java b/base/common/src/com/netscape/certsrv/evaluators/IAccessEvaluator.java
new file mode 100644
index 000000000..31f8b8c2f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/evaluators/IAccessEvaluator.java
@@ -0,0 +1,89 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.evaluators;
+
+import com.netscape.certsrv.authentication.IAuthToken;
+
+/**
+ * A class represents an evaluator. An evaluator is used to
+ * evaluate an expression. For example, one can write an evaluator to
+ * evaluate if a user belongs to a certain group. An evaluator is
+ * generally used for access control expression evaluation, however, it
+ * can be used for other evaluation-related operations.
+ *
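Review bot: `getPublishingStatus()` is the only member of `IRepositoryRecord` without Javadoc, while `getSerialNumber()` and both `ATTR_*` constants have one; propose `/** Retrieves the publishing status. @return publishing status, or null if the record has none */` — whether it is the value stored under `ATTR_PUB_STATUS` and whether null is possible is not visible here, so confirm against the implementation before committing that wording.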

+ * + * @version $Revision$, $Date$ + */ +public interface IAccessEvaluator { + + /** + * Initialize the evaluator + */ + public void init(); + + /** + * Gets the type of the evaluator. Type is defined by each + * evaluator plugin. Each evaluator plugin should have a unique type. + * + * @return type of the evaluator + */ + public String getType(); + + /** + * Gets the description of the evaluator + * + * @return a text description for this evaluator + */ + public String getDescription(); + + /** + * Evaluates if the given value satisfies the access + * control in current context. + * + * @param type Type of the evaluator, eg, user, group etc + * @param op Operator of the evaluator, eg, =, != + * @param value Part of the expression that can be used to + * evaluate, e.g, value can be the name of the group if the + * purpose of the evaluator is to evaluate if the user is a member + * of the group. + * @return true if the evaluation expression is matched; false otherwise. + */ + public boolean evaluate(String type, String op, String value); + + /** + * Evaluates if the given value satisfies the access + * control in authToken obtained from Authentication. + * + * @param authToken Authentication token + * @param type Type of the evaluator, eg, user, group etc + * @param op Operator of the evaluator, eg, =, != + * @param value Part of the expression that can be used to + * evaluate, e.g, value can be the name of the group if the + * purpose of the evaluator is to evaluate if the user is a member + * of the group. + * @return true if the evaluation expression is matched; false otherwise. + */ + public boolean evaluate(IAuthToken authToken, String type, String op, String value); + + /** + * Get the supported operators for this evaluator + * + * @return Supported operators in string array + */ + public String[] getSupportedOperators(); +} 
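Review bot: Both `evaluate` overloads describe `op` as "eg, =, !=" but say nothing about what an implementation must return when `op` is not one of `getSupportedOperators()`, or when `value` or `authToken` is null; for an access-control evaluator that contract matters, because an ACL expression that is merely unrecognised must not be treated as matched. Propose adding to each `@return`: `true only if the expression is matched; implementations must return false (deny) for an unsupported operator or a missing token rather than throwing`, so callers evaluating ACLs fail closed. The three-argument form's "in current context" also does not say where the subject being evaluated comes from; a one-line pointer to how implementations obtain it would help readers of the interface.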
diff --git a/base/common/src/com/netscape/certsrv/extensions/EExtensionsException.java b/base/common/src/com/netscape/certsrv/extensions/EExtensionsException.java
new file mode 100644
index 000000000..40fe80f99
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/extensions/EExtensionsException.java
@@ -0,0 +1,58 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.extensions;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * This represents the extensions exception.
+ *
+ * @version $Revision$, $Date$
+ */
+public class EExtensionsException extends EBaseException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 6442466262945583489L;
+ /**
+ * Resource class name.
+ */
+ private static final String EXTENSIONS_RESOURCES =
+ ExtensionsResources.class.getName();
+
+ public EExtensionsException(String msgFormat) {
+ super(msgFormat);
+ }
+
+ public EExtensionsException(String msgFormat, String param) {
+ super(msgFormat, param);
+ }
+
+ public EExtensionsException(String msgFormat, Exception e) {
+ super(msgFormat, e);
+ }
+
+ public EExtensionsException(String msgFormat, Object params[]) {
+ super(msgFormat, params);
+ }
+
+ protected String getBundleName() {
+ return EXTENSIONS_RESOURCES;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/extensions/ExtensionsResources.java b/base/common/src/com/netscape/certsrv/extensions/ExtensionsResources.java
new file mode 100644
index 000000000..ca1e4545a
--- /dev/null
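Review bot: `getBundleName()` presumably overrides the `EBaseException` hook that resolves `EXTENSIONS_RESOURCES`, yet carries no `@Override`, and none of the four constructors has Javadoc; propose `@Override` on `getBundleName()` and a one-line Javadoc per constructor stating that `msgFormat` is the resource key and `param`/`params`/`e` are the format arguments or the cause. `Object params[]` is C-style array syntax; `Object[] params` is the Java idiom. `EJobsException` (the hunk ending at the `IJob.java` header below) has exactly the same two issues.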
+++ b/base/common/src/com/netscape/certsrv/extensions/ExtensionsResources.java
@@ -0,0 +1,34 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.extensions;
+
+import java.util.ListResourceBundle;
+
+/**
+ * This represents the resources for extensions.
+ *
+ * @version $Revision$, $Date$
+ */
+public class ExtensionsResources extends ListResourceBundle {
+
+ public Object[][] getContents() {
+ return contents;
+ }
+
+ static final Object[][] contents = {};
+}
diff --git a/base/common/src/com/netscape/certsrv/extensions/ICMSExtension.java b/base/common/src/com/netscape/certsrv/extensions/ICMSExtension.java
new file mode 100644
index 000000000..04086adcf
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/extensions/ICMSExtension.java
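Review bot: `getContents()` is declared `public`, widening the `protected` method it overrides in `ListResourceBundle`, and it returns the package-private `contents` array itself, so anything in the package could hand out or alter the bundle's backing array. With an empty bundle the practical effect is nil, but `@Override protected Object[][] getContents()` keeps the superclass contract, and `contents` should be `private static final` and declared before its use rather than after the method that returns it.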
@@ -0,0 +1,74 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.extensions; + +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.Extension; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IArgBlock; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.ISubsystem; + +/** + * CMS extension interface, for creating extensions from http input and + * displaying extensions to html forms. + * + * @version $Revision$, $Date$ + */ +public interface ICMSExtension { + public static String EXT_IS_CRITICAL = "isCritical"; + + public static String EXT_PREFIX = "ext_"; + + /** + * initialize from configuration file + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException; + + /** + * Get name of this extension. + * + * @return the name of this CMS extension, for + */ + public String getName(); + + /** + * Get object identifier associated with this extension. + */ + public ObjectIdentifier getOID(); + + /** + * Get an instance of the extension given http input. + * + * @return an instance of the extension. 
+ */
+ public Extension getExtension(IArgBlock argblock)
+ throws EBaseException;
+
+ /**
+ * Get Javascript name value pairs to put into the request processing
+ * template.
+ *
+ * @return name value pairs
+ */
+ public IArgBlock getFormParams(Extension extension)
+ throws EBaseException;
+
+}
diff --git a/base/common/src/com/netscape/certsrv/jobs/EJobsException.java b/base/common/src/com/netscape/certsrv/jobs/EJobsException.java
new file mode 100644
index 000000000..cc0923ae7
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/jobs/EJobsException.java
@@ -0,0 +1,77 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.jobs;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * A class represents a jobs exception.
+ *
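Review bot: The Javadoc on `getName()` ends mid-sentence — `@return the name of this CMS extension, for` — and should be completed or cut back to `@return the name of this CMS extension`. `getExtension(IArgBlock argblock)` builds the extension from what the class comment calls "http input", but neither the `argblock` parameter nor the `EBaseException` it declares is documented; propose `@param argblock the HTTP form values from which the extension is built` and `@exception EBaseException if a required value is missing or malformed`, so implementers know the input must be validated rather than trusted. `getFormParams` likewise lacks `@param extension` and `@exception` tags; the `EXT_PREFIX`/`EXT_IS_CRITICAL` constants would benefit from a note on where they apply, but which parameters they prefix is not visible in this hunk.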

+ *
+ * @version $Revision$, $Date$
+ */
+public class EJobsException extends EBaseException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 4542243534794168088L;
+ /**
+ * Identity resource class name.
+ */
+ private static final String JOBS_RESOURCES = JobsResources.class.getName();
+
+ /**
+ * Constructs a Job Scheduler exception
+ *

+ */
+ public EJobsException(String msgFormat) {
+ super(msgFormat);
+ }
+
+ /**
+ * Constructs a Identity exception.
+ *

+ */
+ public EJobsException(String msgFormat, String param) {
+ super(msgFormat, param);
+ }
+
+ /**
+ * Constructs a Identity exception.
+ *

+ */
+ public EJobsException(String msgFormat, Exception e) {
+ super(msgFormat, e);
+ }
+
+ /**
+ * Constructs a Identity exception.
+ *

+ */
+ public EJobsException(String msgFormat, Object params[]) {
+ super(msgFormat, params);
+ }
+
+ /**
+ * Retrieves bundle name.
+ */
+ protected String getBundleName() {
+ return JOBS_RESOURCES;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/jobs/IJob.java b/base/common/src/com/netscape/certsrv/jobs/IJob.java
new file mode 100644
index 000000000..5584d68ff
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/jobs/IJob.java
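Review bot: Three of the four constructor Javadocs read "Constructs a Identity exception." and the field comment says "Identity resource class name." — copy-pasted from another exception class and wrong for this one; they should read `Constructs a jobs exception.` and `Jobs resource class name.` respectively. None of the constructors documents its parameters; a `@param msgFormat resource key of the message` plus `@param param`/`@param params`/`@param e` line on each would make the class self-explanatory.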
@@ -0,0 +1,106 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.jobs; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.ISubsystem; + +/** + * An interface to be implemented from for a job to be scheduled by + * the Jobs Scheduler. + * + * @version $Revision$, $Date$ + */ +public interface IJob { + + /** + * Initialize from the configuration file. + * + * @param id String name of this instance + * @param implName string name of this implementation + * @param config configuration store for this instance + * @exception EBaseException any initilization failure + */ + public void init(ISubsystem owner, String id, String implName, + IConfigStore config) throws EBaseException; + + /** + * tells if the job is enabled + * + * @return a boolean value indicating whether the job is enabled + * or not + */ + public boolean isEnabled(); + + /** + * set instance id. + * + * @param id String id of the instance + */ + public void setId(String id); + + /** + * get instance id. 
+ * + * @return a String identifier + */ + public String getId(); + + /** + * get cron string associated with this job + * + * @return a JobCron object that represents the schedule of this job + */ + public IJobCron getJobCron(); + + /** + * Returns a list of configuration parameter names. + * The list is passed to the configuration console so instances of + * this implementation can be configured through the console. + * + * @return String array of configuration parameter names. + */ + public String[] getConfigParams(); + + /** + * gets the plugin name of this job. + * + * @return a String that is the name of this implementation + */ + public String getImplName(); + + /** + * Gets the configuration substore used by this job + * + * @return configuration store + */ + public IConfigStore getConfigStore(); + + /** + * Request the job to stop gracefully. The job may not stop immediately. + */ + public void stop(); + + /** + * Check whether the job has been asked to stop. Long running jobs should call + * this method occasionally inside the run() method and exit gracefully if it + * returns true. + */ + public boolean isStopped(); +} diff --git a/base/common/src/com/netscape/certsrv/jobs/IJobCron.java b/base/common/src/com/netscape/certsrv/jobs/IJobCron.java new file mode 100644 index 000000000..f161b5e8d --- /dev/null +++ b/base/common/src/com/netscape/certsrv/jobs/IJobCron.java 
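Review bot: `init(ISubsystem owner, String id, String implName, IConfigStore config)` documents `id`, `implName` and `config` but not `owner`; propose `@param owner the subsystem that owns this job instance`. `isStopped()` has a description but no `@return`; propose `@return true once {@link #stop()} has been called`. The `@exception` line also has "initilization" for "initialization". The `init` Javadoc starts at the top of this hunk (the hunk continues from the previous line), so the fix spans both lines.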
@@ -0,0 +1,42 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.jobs;
+
+/**
+ * class representing one Job cron information
+ *

+ *
+ * here, an "item" refers to one of the 5 fields in a cron string; "element" refers to any comma-deliminated element in
+ * an "item"...which includes both numbers and '-' separated ranges. A cron string in the configuration takes the
+ * following format: minute (0-59), hour (0-23), day of the month (1-31), month of the year (1-12), day of the week
+ * (0-6 with 0=Sunday)
+ *

+ *
+ * e.g. jobsScheduler.job.rnJob1.cron=30 11,23 * * 1-5 In this example, the job "rnJob1" will be executed from Monday
+ * through Friday, at 11:30am and 11:30pm.
+ *

+ * + * @version $Revision$, $Date$ + */ +public interface IJobCron { + /** + * constant that represents the configuration parameter + * "cron" for the job that this JobCron is associated with. The + * value of which should conform to the cron format specified above. + */ + public static final String PROP_CRON = "cron"; + +} diff --git a/base/common/src/com/netscape/certsrv/jobs/IJobsScheduler.java b/base/common/src/com/netscape/certsrv/jobs/IJobsScheduler.java new file mode 100644 index 000000000..f4184853d --- /dev/null +++ b/base/common/src/com/netscape/certsrv/jobs/IJobsScheduler.java @@ -0,0 +1,162 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.jobs; + +import java.util.Hashtable; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.ISubsystem; + +/** + * An interface that represents the job scheduler component. A JobScheduler + * is a daemon thread that handles scheduled jobs like cron would + * do with different jobs. This daemon wakes up at a pre-configured + * interval to see + * if there is any job to be done, if so, a thread is created to execute + * the job(s). + *
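Review bot: The class comment (a few lines above, in the same hunk) says "comma-deliminated"; it should be "comma-delimited". `IJobCron` declares only the `PROP_CRON` constant and no methods, so a class that implements it acquires a configuration key rather than a contract — the constant-interface pattern; keeping the type as the return type of `createJobCron` is fine, but the cron-format description in the class comment is the only specification of what `createJobCron` accepts, so it would be worth stating in that comment that a string not matching this format is rejected with `EBaseException` (as `createJobCron` declares) rather than silently defaulted.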

+ * The interval jobsScheduler.interval in the configuration is specified as number of minutes. If not set, the
+ * default is 1 minute. Note that the cron specification for each job CAN NOT be finer than the granularity of the
+ * Scheduler daemon interval. For example, if the daemon interval is set to 5 minute, a job cron for every minute at 7am
+ * on each Tuesday (e.g. * 7 * * 2) will result in the execution of the job thread only once every 5 minutes during that
+ * hour. The inteval value is recommended at 1 minute, setting it otherwise has the potential of forever missing the
+ * beat. Use with caution.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IJobsScheduler extends ISubsystem {
+ /**
+ * The ID of this component
+ */
+ public final static String ID = "jobsScheduler";
+
+ /**
+ * constant that represents the configuration parameter
+ * "enabled" for this component in CMS.cfg. The value of which
+ * tells CMS whether the JobsScheduler is enabled or not
+ */
+ public static final String PROP_ENABLED = "enabled";
+
+ /**
+ * constant that represents the configuration parameter
+ * "interval" for this component in CMS.cfg. The value of which
+ * tells CMS the interval that the JobsScheduler thread should
+ * wake up and look for jobs to execute
+ */
+ public static final String PROP_INTERVAL = "interval";
+
+ /**
+ * constant that represents the configuration parameter
+ * "class" for this component in CMS.cfg. The values of which are
+ * the actual implementation classes
+ */
+ public static final String PROP_CLASS = "class";
+
+ /**
+ * constant that represents the configuration parameter
+ * "job" for this component in CMS.cfg. The values of which gives
+ * configuration information specific to one single job instance.
+ * There may be multiple jobs served by the jobsScheduler
+ */
+ public static final String PROP_JOB = "job";
+
+ /**
+ * constant that represents the configuration parameter
+ * "impl" for this component in CMS.cfg. The values of which are
+ * actual plugin implementation(s)
+ */
+ public static final String PROP_IMPL = "impl";
+
+ /**
+ * constant that represents the configuration parameter
+ * "pluginName" for this component in CMS.cfg. The value of which
+ * gives the pluginName for the job it associates with
+ */
+ public static final String PROP_PLUGIN = "pluginName";
+
+ /**
+ * Retrieves all the job implementations.
+ *
+ * @return a Hashtable of available job plugin implementations
+ */
+ public Hashtable getPlugins();
+
+ /**
+ * Retrieves all the job instances.
+ *
+ * @return a Hashtable of job instances
+ */
+ public Hashtable getInstances();
+
+ /**
+ * Retrieves the configuration parameters of the given
+ * implementation. It is used to return to the Console for
+ * configuration
+ *
+ * @param implName the pulubin implementation name
+ * @return a String array of required configuration parameters of
+ * the given implementation.
+ * @exception EJobsException when job plugin implementation can
+ * not be found, instantiation is impossible, permission problem
+ * with the class.
+ */
+ public String[] getConfigParams(String implName)
+ throws EJobsException;
+
+ /**
+ * Writes a message to the system log.
+ *
+ * @param level an integer representing the log message level.
+ * Depending on the configuration set by the administrator, this
+ * value is a determining factor for whether this message will be
+ * actually logged or not. The lower the level, the higher the
+ * priority, and the higher chance it will be logged.
+ * @param msg the message to be written. Ideally should call
+ * CMS.getLogMessage() to get the localizable message
+ * from the log properties file.
+ */
+ public void log(int level, String msg);
+
+ /**
+ * Sets daemon's wakeup interval.
+ *
+ * @param minutes time in minutes that is to be the frequency of
+ * JobsScheduler wakeup call.
+ */
+ public void setInterval(int minutes);
+
+ /**
+ * Starts up the JobsScheduler daemon. Usually called from the
+ * initialization method when it's successfully initialized.
+ */
+ public void startDaemon();
+
+ /**
+ * Creates a job cron. Each job is associated with a "cron" which
+ * specifies the rule of frequency that this job should be
+ * executed (e.g. every Sunday at midnight). This method is
+ * called by each job at initialization time.
+ *
+ * @param cs the string that represents the cron. See IJobCron
+ * for detail of the format.
+ * @return IJobCron an IJobCron
+ * @exception EBaseException when the cron string, cs, can not be
+ * parsed correctly
+ */
+ public IJobCron createJobCron(String cs) throws EBaseException;
+}
diff --git a/base/common/src/com/netscape/certsrv/jobs/JobPlugin.java b/base/common/src/com/netscape/certsrv/jobs/JobPlugin.java
new file mode 100644
index 000000000..46a1b6d7e
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/jobs/JobPlugin.java
@@ -0,0 +1,72 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.jobs;
+
+/**
+ * This class represents a job plugin registered with the
+ * JobScheduler. A Job plugin can be instantiated into a Job instance
+ * and scheduled by the JobScheduler to run at a scheduled interval
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class JobPlugin {
+ /**
+ * The plugin name of this job
+ */
+ protected String mId = null;
+ /**
+ * The Java class name of this job plugin.
+ * e.g. com.netscape.cms.RenewalNotificationJob
+ */
+ protected String mClassPath = null;
+
+ /*
+ * Seems to be unused, should be removed
+ */
+ // protected Class mClass = null;
+
+ /**
+ * Constructor for a Job plugin.
+ *
+ * @param id job plugin name
+ * @param classPath the Java class name of this job plugin
+ */
+ public JobPlugin(String id, String classPath) {
+ mId = id;
+ mClassPath = classPath;
+ }
+
+ /**
+ * get the job plugin name
+ *
+ * @return the name of this job plugin
+ */
+ public String getId() {
+ return mId;
+ }
+
+ /**
+ * get the Java class name
+ *
+ * @return the Java class name of this plugin
+ */
+ public String getClassPath() {
+ return mClassPath;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/jobs/JobsResources.java b/base/common/src/com/netscape/certsrv/jobs/JobsResources.java
new file mode 100644
index 000000000..ec33137cf
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/jobs/JobsResources.java
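Review bot: `mId` and `mClassPath` are assigned once in the constructor and only read by `getId()`/`getClassPath()`, yet are declared `protected String ... = null`; `private final String mId;` and `private final String mClassPath;` would make the plugin descriptor immutable and drop the redundant null initialisers. The commented-out `// protected Class mClass = null;` kept under the "Seems to be unused, should be removed" comment should be deleted rather than carried forward as dead text. The constructor also accepts null for both arguments without a check; either an `Objects.requireNonNull` guard or a nullability note in the `@param` lines would make the contract explicit.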
@@ -0,0 +1,43 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.jobs;
+
+import java.util.ListResourceBundle;
+
+/**
+ * A class represents a resource bundle for the
+ * Jobs package
+ *
+ * @version $Revision$, $Date$
+ */
+public class JobsResources extends ListResourceBundle {
+
+ /**
+ * Returns the content of this resource.
+ */
+ public Object[][] getContents() {
+ return contents;
+ }
+
+ /**
+ * Constants. The suffix represents the number of
+ * possible parameters.
+ */
+
+ static final Object[][] contents = {};
+}
diff --git a/base/common/src/com/netscape/certsrv/kra/EKRAException.java b/base/common/src/com/netscape/certsrv/kra/EKRAException.java
new file mode 100644
index 000000000..3f23bfe78
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/EKRAException.java
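Review bot: `getContents()` overrides `ListResourceBundle.getContents()` but carries no `@Override`, so a signature drift would compile silently instead of failing. The Javadoc block "Constants. The suffix represents the number of possible parameters." is separated from the `contents` field by a blank line, so it is attached to nothing and describes a suffix scheme the empty array does not use; either attach it to the field or drop it. `KRAResources.getContents()` later in this commit has the same missing `@Override`.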
@@ -0,0 +1,94 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * A class represents a KRA exception. This is the base
+ * exception for all the KRA specific exceptions. It is
+ * associated with KRAResources.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class EKRAException extends EBaseException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -6803576959258754821L;
+ /**
+ * KRA resource class name.
+ *

+ */
+ private static final String KRA_RESOURCES = KRAResources.class.getName();
+
+ /**
+ * Constructs a KRA exception.
+ *

+ *
+ * @param msgFormat constant from KRAResources.
+ */
+ public EKRAException(String msgFormat) {
+ super(msgFormat);
+ }
+
+ /**
+ * Constructs a KRA exception.
+ *

+ *
+ * @param msgFormat constant from KRAResources.
+ * @param param additional parameters to the message.
+ */
+ public EKRAException(String msgFormat, String param) {
+ super(msgFormat, param);
+ }
+
+ /**
+ * Constructs a KRA exception.
+ *

+ *
+ * @param msgFormat constant from KRAResources.
+ * @param e embedded exception.
+ */
+ public EKRAException(String msgFormat, Exception e) {
+ super(msgFormat, e);
+ }
+
+ /**
+ * Constructs a KRA exception.
+ *

+ *
+ * @param msgFormat constant from KRAResources.
+ * @param params additional parameters to the message.
+ */
+ public EKRAException(String msgFormat, Object params[]) {
+ super(msgFormat, params);
+ }
+
+ /**
+ * Returns the bundle file name.
+ *

+ *
+ * @return name of bundle class associated with this exception.
+ */
+ protected String getBundleName() {
+ return KRA_RESOURCES;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/kra/IJoinShares.java b/base/common/src/com/netscape/certsrv/kra/IJoinShares.java
new file mode 100644
index 000000000..e9a5ecae5
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/IJoinShares.java
@@ -0,0 +1,36 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+/**
+ * Use Java's reflection API to leverage CMS's
+ * old Share and JoinShares implementations.
+ *
+ * @deprecated
+ * @version $Revision$ $Date$
+ */
+public interface IJoinShares {
+
+ public void initialize(int threshold) throws Exception;
+
+ public void addShare(int shareNum, byte[] share);
+
+ public int getShareCount();
+
+ public byte[] recoverSecret();
+}
diff --git a/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java b/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java
new file mode 100644
index 000000000..a7cc40507
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java
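Review bot: `getBundleName()` looks like an override of an EBaseException hook (protected, no-arg, returning the bundle class name) but carries no `@Override`, and the Javadoc above `serialVersionUID` is an empty `/** */` block that should either say something or go. `EKRAException(String msgFormat, Object params[])` uses the C-style array declarator; `Object[] params` is the Java convention and matches how the sibling classes declare arrays. Whether the `(String msgFormat, Exception e)` constructor preserves `e` as the chained cause depends on `EBaseException`, which is outside this file; worth confirming so KRA stack traces keep their root cause.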
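Review bot: `initialize(int threshold) throws Exception` declares the broadest checked type, which forces every caller to catch `Exception`; a narrower type such as the `EBaseException` already used throughout this package, or an unchecked exception, would be clearer. The interface is marked `@deprecated` in Javadoc without the `@Deprecated` annotation and without naming a replacement, so the compiler cannot warn callers. `recoverSecret()` returns the reassembled secret as a `byte[]` and nothing says who owns clearing it; a Javadoc line such as `@return the recovered secret; the caller is responsible for zeroing the array once it is no longer needed` would make the contract explicit. `IShare` later in this commit has the same `throws Exception` and undocumented-deprecation issues.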
@@ -0,0 +1,321 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.Vector;
+
+import netscape.security.x509.X500Name;
+
+import org.mozilla.jss.crypto.CryptoToken;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.dbs.keydb.IKeyRepository;
+import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository;
+import com.netscape.certsrv.policy.IPolicyProcessor;
+import com.netscape.certsrv.request.IRequestListener;
+import com.netscape.certsrv.request.IRequestQueue;
+import com.netscape.certsrv.request.RequestId;
+import com.netscape.certsrv.security.Credential;
+import com.netscape.certsrv.security.IStorageKeyUnit;
+import com.netscape.certsrv.security.ITransportKeyUnit;
+
+/**
+ * An interface represents key recovery authority. The
+ * key recovery authority is responsibile for archiving
+ * and recovering user encryption private keys.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IKeyRecoveryAuthority extends ISubsystem {
+
+ public static final String ID = "kra";
+
+ public final static String PROP_NAME = "name";
+ public final static String PROP_HTTP = "http";
+ public final static String PROP_POLICY = "policy";
+ public final static String PROP_DBS = "dbs";
+ public final static String PROP_TOKEN = "token";
+ public final static String PROP_SHARE = "share";
+ public final static String PROP_PROTECTOR = "protector";
+ public final static String PROP_LOGGING = "logging";
+ public final static String PROP_QUEUE_REQUESTS = "queueRequests";
+ public final static String PROP_STORAGE_KEY = "storageUnit";
+ public final static String PROP_TRANSPORT_KEY = "transportUnit";
+ public static final String PROP_NEW_NICKNAME = "newNickname";
+ public static final String PROP_KEYDB_INC = "keydbInc";
+
+ public final static String PROP_NOTIFY_SUBSTORE = "notification";
+ public final static String PROP_REQ_IN_Q_SUBSTORE = "requestInQ";
+
+ /**
+ * Returns the name of this subsystem.
+ *

+ *
+ * @return KRA name
+ */
+ public X500Name getX500Name();
+
+ /**
+ * Retrieves KRA request repository.
+ *

+ *
+ * @return request repository
+ */
+ public IRequestQueue getRequestQueue();
+
+ /**
+ * Retrieves the key repository. The key repository
+ * stores archived keys.
+ *

+ */
+ public IKeyRepository getKeyRepository();
+
+ /**
+ * Retrieves the Replica ID repository.
+ *
+ * @return KRA's Replica ID repository
+ */
+ public IReplicaIDRepository getReplicaRepository();
+
+ /**
+ * Enables the auto recovery state. Once KRA is in the auto
+ * recovery state, no recovery agents need to be present for
+ * providing credentials. This feature is for enabling
+ * user-based recovery operation.
+ *

+ *
+ * @param cs list of agent credentials
+ * @param on true if auto recovery state is on
+ * @return current auto recovery state
+ */
+ public boolean setAutoRecoveryState(Credential cs[], boolean on);
+
+ /**
+ * Returns the current auto recovery state.
+ *
+ * @return true if auto recvoery state is on
+ */
+ public boolean getAutoRecoveryState();
+
+ /**
+ * Adds credentials to the given authorizated recovery operation.
+ * In distributed recovery mode, recovery agent login to the
+ * agent interface and submit its credential for a particular
+ * recovery operation.
+ *
+ * @param id authorization identifier
+ * @param creds list of credentials
+ */
+ public void addAutoRecovery(String id, Credential creds[]);
+
+ /**
+ * Removes a particular auto recovery operation.
+ *
+ * @param id authorization identifier
+ */
+ public void removeAutoRecovery(String id);
+
+ /**
+ * Returns the number of required agents. In M-out-of-N
+ * recovery schema, only M agents are required even there
+ * are N agents. This method returns M.
+ *
+ * @return number of required agents
+ */
+ public int getNoOfRequiredAgents() throws EBaseException;
+
+ /**
+ * Sets the number of required recovery agents
+ *
+ * @param number number of agents
+ */
+ public void setNoOfRequiredAgents(int number) throws EBaseException;
+
+ /**
+ * Returns the current recovery identifier.
+ *
+ * @return recovery identifier
+ */
+ public String getRecoveryID();
+
+ /**
+ * Returns a list of recovery identifiers.
+ *
+ * @return list of auto recovery identifiers
+ */
+ public Enumeration getAutoRecoveryIDs();
+
+ /**
+ * Returns the storage key unit that manages the
+ * stoarge key.
+ *
+ * @return storage key unit
+ */
+ public IStorageKeyUnit getStorageKeyUnit();
+
+ /**
+ * Returns the transport key unit that manages the
+ * transport key.
+ *
+ * @return transport key unit
+ */
+ public ITransportKeyUnit getTransportKeyUnit();
+
+ /**
+ * Returns the token that generates user key pairs for supporting server-side keygen
+ *
+ * @return keygen token
+ */
+ public CryptoToken getKeygenToken();
+
+ /**
+ * Adds entropy to the token used for supporting server-side keygen
+ * Parameters are set in the config file
+ *
+ * @param logflag create log messages at info level to report entropy shortage
+ */
+ public void addEntropy(boolean logflag);
+
+ /**
+ * Returns the request listener that listens on
+ * the request completion event.
+ *
+ * @return request listener
+ */
+ public IRequestListener getRequestInQListener();
+
+ /**
+ * Returns policy processor of the key recovery
+ * authority.
+ * @deprecated
+ * @return policy processor
+ */
+ public IPolicyProcessor getPolicyProcessor();
+
+ /**
+ * Returns the nickname of the transport certificate.
+ *
+ * @return transport certificate nickname.
+ */
+ public String getNickname();
+
+ /**
+ * Sets the nickname of the transport certificate.
+ *
+ * @param str nickname
+ */
+ public void setNickname(String str);
+
+ /**
+ * Returns the new nickname of the transport certifiate.
+ *
+ * @return new nickname
+ */
+ public String getNewNickName() throws EBaseException;
+
+ /**
+ * Sets the new nickname of the transport certifiate.
+ *
+ * @param name new nickname
+ */
+ public void setNewNickName(String name);
+
+ /**
+ * Logs event into key recovery authority logging.
+ *
+ * @param level log level
+ * @param msg log message
+ */
+ public void log(int level, String msg);
+
+ /**
+ * Creates a request object to store attributes that
+ * will not be serialized. Currently, request queue
+ * framework will try to serialize all the attribute into
+ * persistent storage. Things like passwords are not
+ * desirable to be stored.
+ *
+ * @param id request id
+ * @return volatile requests
+ */
+ public Hashtable createVolatileRequest(RequestId id);
+
+ /**
+ * Retrieves the request object.
+ *
+ * @param id request id
+ * @return volatile requests
+ */
+ public Hashtable getVolatileRequest(RequestId id);
+
+ /**
+ * Destroys the request object.
+ *
+ * @param id request id
+ */
+ public void destroyVolatileRequest(RequestId id);
+
+ public Vector getAppAgents(
+ String recoveryID) throws EBaseException;
+
+ /**
+ * Creates error for a specific recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @param error error
+ * @exception EBaseException failed to create error
+ */
+ public void createError(String recoveryID, String error)
+ throws EBaseException;
+
+ /**
+ * Retrieves error by recovery identifier.
+ *
+ * @param recoveryID recovery id
+ * @return error message
+ */
+ public String getError(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Retrieves PKCS12 package by recovery identifier.
+ *
+ * @param recoveryID recovery id
+ * @return pkcs12 package in bytes
+ */
+ public byte[] getPk12(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Creates PKCS12 package in memory.
+ *
+ * @param recoveryID recovery id
+ * @param pk12 package in bytes
+ */
+ public void createPk12(String recoveryID, byte[] pk12)
+ throws EBaseException;
+
+ /**
+ * Retrieves the transport certificate.
+ */
+ public org.mozilla.jss.crypto.X509Certificate getTransportCert();
+}
diff --git a/base/common/src/com/netscape/certsrv/kra/IKeyService.java b/base/common/src/com/netscape/certsrv/kra/IKeyService.java
new file mode 100644
index 000000000..13748f2d1
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/IKeyService.java
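Review bot: `getAppAgents(String recoveryID)` is the only method in the interface with no Javadoc, and `getKeyRepository()` has a description but no `@return`; both should be documented like their neighbours. `createPk12`/`getPk12` keep a PKCS12 package, presumably holding the recovered private key, in memory keyed by recovery id, but unlike `createVolatileRequest`/`destroyVolatileRequest` there is no destroy counterpart in the interface; the Javadoc on `createPk12` should state when and by whom the package is released, or a `public void destroyPk12(String recoveryID) throws EBaseException;` should be added so implementations can discard it once delivered. The collection types in the signatures (`Hashtable`, `Vector`, `Enumeration`) are raw; parameterising them would spare callers unchecked casts.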
@@ -0,0 +1,179 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import java.math.BigInteger;
+import java.util.Hashtable;
+
+import netscape.security.x509.X509CertImpl;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.security.Credential;
+
+/**
+ * An interface representing a recovery service.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IKeyService {
+
+ /**
+ * Retrieves number of agent required to perform
+ * key recovery operation.
+ *
+ * @return number of required recovery agents
+ * @exception EBaseException failed to retrieve value
+ */
+ public int getNoOfRequiredAgents() throws EBaseException;
+
+ /**
+ * is async recovery request status APPROVED -
+ * i.e. all required # of recovery agents approved
+ *
+ * @param reqID request id
+ * @return true if # of recovery required agents approved; false otherwise
+ */
+ public boolean isApprovedAsyncKeyRecovery(String reqID)
+ throws EBaseException;
+
+ /**
+ * get async recovery request initiating agent
+ *
+ * @param reqID request id
+ * @return agentUID
+ */
+ public String getInitAgentAsyncKeyRecovery(String reqID)
+ throws EBaseException;
+
+ /**
+ * Initiate asynchronous key recovery
+ *
+ * @param kid key identifier
+ * @param cert certificate embedded in PKCS12
+ * @return requestId
+ * @exception EBaseException failed to initiate async recovery
+ */
+ public String initAsyncKeyRecovery(BigInteger kid, X509CertImpl cert, String agent)
+ throws EBaseException;
+
+ /**
+ * add approving agent in asynchronous key recovery
+ *
+ * @param reqID request id
+ * @param agentID agent id
+ * @exception EBaseException failed to initiate async recovery
+ */
+ public void addAgentAsyncKeyRecovery(String reqID, String agentID)
+ throws EBaseException;
+
+ /**
+ * Performs administrator-initiated key recovery.
+ *
+ * @param kid key identifier
+ * @param creds list of credentials (id and password)
+ * @param pwd password to protect PKCS12
+ * @param cert certificate embedded in PKCS12
+ * @param delivery delivery mechanism
+ * @return pkcs12
+ * @exception EBaseException failed to perform recovery
+ */
+ public byte[] doKeyRecovery(BigInteger kid,
+ Credential creds[], String pwd, X509CertImpl cert,
+ String delivery, String nickname, String agent) throws EBaseException;
+
+ /**
+ * Async Recovers key for administrators. This method is
+ * invoked by the agent operation of the key recovery servlet.
+ *

+ *
+ *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST used whenever a user private key recovery request is + * made (this is when the DRM receives the request) + *
  • signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED used whenever a user private key recovery + * request is processed (this is when the DRM processes the request) + *
+ *
+ * @param reqID request id
+ * @param password password of the PKCS12 package
+ * subsystem
+ * @exception EBaseException failed to recover key
+ * @return a byte array containing the key
+ */
+ public byte[] doKeyRecovery(
+ String reqID,
+ String password)
+ throws EBaseException;
+
+ /**
+ * Retrieves recovery identifier.
+ *
+ * @return recovery id
+ */
+ public String getRecoveryID();
+
+ /**
+ * Creates recovery parameters for the given recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @return recovery parameters
+ * @exception EBaseException failed to create
+ */
+ public Hashtable createRecoveryParams(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Destroys recovery parameters for the given recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @exception EBaseException failed to destroy
+ */
+ public void destroyRecoveryParams(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Retrieves recovery parameters for the given recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @return recovery parameters
+ * @exception EBaseException failed to retrieve
+ */
+ public Hashtable getRecoveryParams(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Adds password in the distributed recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @param uid agent uid
+ * @param pwd agent password
+ * @exception EBaseException failed to add
+ */
+ public void addDistributedCredential(String recoveryID,
+ String uid, String pwd) throws EBaseException;
+
+ /**
+ * Retrieves credentials in the distributed recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @return agent's credentials
+ * @exception EBaseException failed to retrieve
+ */
+ public Credential[] getDistributedCredentials(String recoveryID)
+ throws EBaseException;
+}
diff --git a/base/common/src/com/netscape/certsrv/kra/IProofOfArchival.java b/base/common/src/com/netscape/certsrv/kra/IProofOfArchival.java
new file mode 100644
index 000000000..20ac336e5
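Review bot: the seven-argument `doKeyRecovery` overload takes `nickname` and `agent`, and `initAsyncKeyRecovery` takes `agent`, but none of the three parameters has a matching `@param`; `addAgentAsyncKeyRecovery` also repeats `@exception EBaseException failed to initiate async recovery`, which is copied from the method above and should read `@exception EBaseException failed to add approving agent`. `addDistributedCredential(String recoveryID, String uid, String pwd)` and the `String password` on the second `doKeyRecovery` carry passwords as immutable `String`s, which cannot be cleared once used; changing the type is an interface change beyond this commit, but the Javadoc should state how long the implementation retains them (presumably until `destroyRecoveryParams` for the distributed case — confirm against the implementation).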
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/IProofOfArchival.java
@@ -0,0 +1,80 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import java.math.BigInteger;
+import java.util.Date;
+
+/**
+ * An interface represents a proof of archival.
+ *

+ * Here is the ASN1 definition of a proof of escrow:
+ *
+ *

+ * ProofOfArchival ::= SIGNED {
+ *   SEQUENCE {
+ *     version [0] Version DEFAULT v1,
+ *     serialNumber INTEGER,
+ *     subjectName Name,
+ *     issuerName Name,
+ *     dateOfArchival Time,
+ *     extensions [1] Extensions OPTIONAL
+ *   }
+ * }
+ * 
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IProofOfArchival {
+
+ /**
+ * Retrieves version of this proof.
+ *
+ * @return version
+ */
+ public BigInteger getVersion();
+
+ /**
+ * Retrieves the serial number.
+ *
+ * @return serial number
+ */
+ public BigInteger getSerialNumber();
+
+ /**
+ * Retrieves the subject name.
+ *
+ * @return subject name
+ */
+ public String getSubjectName();
+
+ /**
+ * Retrieves the issuer name.
+ *
+ * @return issuer name
+ */
+ public String getIssuerName();
+
+ /**
+ * Returns the beginning of the escrowed perioid.
+ *
+ * @return date of archival
+ */
+ public Date getDateOfArchival();
+}
diff --git a/base/common/src/com/netscape/certsrv/kra/IShare.java b/base/common/src/com/netscape/certsrv/kra/IShare.java
new file mode 100644
index 000000000..19e7d7ce2
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/IShare.java
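Review bot: the Javadoc on `getDateOfArchival()` misspells "period" as "perioid" and should read `Returns the beginning of the escrowed period.`. The ASN.1 sketch in the class Javadoc lists `extensions [1] Extensions OPTIONAL` and wraps the whole structure in `SIGNED { ... }`, yet the interface exposes no accessor for extensions and nothing for the signature or its verification; either trim the sketch to what the interface surfaces or add a sentence stating that extensions and signature handling are deliberately outside this interface. `getSubjectName()`/`getIssuerName()` return `String` for fields the sketch types as `Name`, so the Javadoc should say which string form (RFC-style DN text, presumably) callers get.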
@@ -0,0 +1,33 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+/**
+ * Use Java's reflection API to leverage CMS's
+ * old Share and JoinShares implementations.
+ *
+ * @deprecated
+ * @version $Revision$ $Date$
+ */
+public interface IShare {
+
+ public void initialize(byte[] secret, int threshold) throws Exception;
+
+ public byte[] createShare(int sharenumber);
+
+}
diff --git a/base/common/src/com/netscape/certsrv/kra/KRAResources.java b/base/common/src/com/netscape/certsrv/kra/KRAResources.java
new file mode 100644
index 000000000..14b686e63
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/KRAResources.java
@@ -0,0 +1,39 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import java.util.ListResourceBundle;
+
+/**
+ * A class represents a resource bundle for KRA subsystem.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class KRAResources extends ListResourceBundle {
+
+ /**
+ * Returns the content of this resource.
+ */
+ public Object[][] getContents() {
+ return contents;
+ }
+
+ static final Object[][] contents = {
+ };
+}
diff --git a/base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java b/base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java
new file mode 100644
index 000000000..df05c882f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java
@@ -0,0 +1,463 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.kra; + +import java.io.IOException; +import java.io.InputStream; +import java.io.Serializable; +import java.math.BigInteger; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.Signature; +import java.security.SignatureException; +import java.util.Date; +import java.util.Enumeration; +import java.util.Vector; + +import netscape.security.util.BigInt; +import netscape.security.util.DerOutputStream; +import netscape.security.util.DerValue; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.X500Name; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.dbs.IDBObj; + +/** + * A class represents a proof of escrow. It indicates a key + * pairs have been escrowed by appropriate authority. The + * structure of this object is very similar (if not exact) to + * X.509 certificate. A proof of escrow is signed by an escrow + * authority. 
It is possible to have a CMS policy to reject + * the certificate issuance request if proof of escrow is not + * presented. + *

+ * Here is the ASN1 definition of a proof of escrow: + * + *

+ * ProofOfEscrow ::= SIGNED {
+ *   SEQUENCE {
+ *     version [0] Version DEFAULT v1,
+ *     serialNumber INTEGER,
+ *     subjectName Name,
+ *     issuerName Name,
+ *     dateOfArchival Time,
+ *     extensions [1] Extensions OPTIONAL
+ *   }
+ * }
+ * 
+ *

+ * + * @author thomask + * @version $Revision$, $Date$ + */ +public class ProofOfArchival implements IDBObj, IProofOfArchival, Serializable { + + /** + * + */ + private static final long serialVersionUID = -2533562170977678799L; + + /** + * Constants + */ + public static final BigInteger DEFAULT_VERSION = new BigInteger("1"); + + public static final String ATTR_VERSION = "pofVersion"; + public static final String ATTR_SERIALNO = "pofSerialNo"; + public static final String ATTR_SUBJECT = "pofSubject"; + public static final String ATTR_ISSUER = "pofIssuer"; + public static final String ATTR_DATE_OF_ARCHIVAL = "pofDateOfArchival"; + + protected BigInteger mSerialNo = null; + protected BigInteger mVersion = null; + protected String mSubject = null; + protected String mIssuer = null; + protected Date mDateOfArchival = null; + + protected static Vector mNames = new Vector(); + static { + mNames.addElement(ATTR_VERSION); + mNames.addElement(ATTR_SERIALNO); + mNames.addElement(ATTR_SUBJECT); + mNames.addElement(ATTR_ISSUER); + mNames.addElement(ATTR_DATE_OF_ARCHIVAL); + } + + /** + * Constructs a proof of escrow. + *

+ * + * @param serialNo serial number of proof + * @param subject subject name + * @param issuer issuer name + * @param dateOfArchival date of archival + */ + public ProofOfArchival(BigInteger serialNo, String subject, + String issuer, Date dateOfArchival) { + mVersion = DEFAULT_VERSION; + mSerialNo = serialNo; + mSubject = subject; + mIssuer = issuer; + mDateOfArchival = dateOfArchival; + } + + /** + * Constructs proof of escrow from input stream. + *

+ * + * @param in encoding source + * @exception EBaseException failed to decode + */ + public ProofOfArchival(InputStream in) throws EBaseException { + decode(in); + } + + /** + * Sets an attribute value. + *

+ * + * @param name attribute name + * @param obj attribute value + * @exception EBaseException failed to set attribute + */ + public void set(String name, Object obj) throws EBaseException { + if (name.equals(ATTR_VERSION)) { + mVersion = (BigInteger) obj; + } else if (name.equals(ATTR_SERIALNO)) { + mSerialNo = (BigInteger) obj; + } else if (name.equals(ATTR_SUBJECT)) { + mSubject = (String) obj; + } else if (name.equals(ATTR_ISSUER)) { + mIssuer = (String) obj; + } else if (name.equals(ATTR_DATE_OF_ARCHIVAL)) { + mDateOfArchival = (Date) obj; + } else { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name)); + } + } + + /** + * Retrieves the value of an named attribute. + *

+ * + * @param name attribute name + * @return attribute value + * @exception EBaseException failed to get attribute + */ + public Object get(String name) throws EBaseException { + if (name.equals(ATTR_VERSION)) { + return mVersion; + } else if (name.equals(ATTR_SERIALNO)) { + return mSerialNo; + } else if (name.equals(ATTR_SUBJECT)) { + return mSubject; + } else if (name.equals(ATTR_ISSUER)) { + return mIssuer; + } else if (name.equals(ATTR_DATE_OF_ARCHIVAL)) { + return mDateOfArchival; + } else { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name)); + } + } + + /** + * Deletes an attribute. + *

+ * + * @param name attribute name + * @exception EBaseException failed to get attribute + */ + public void delete(String name) throws EBaseException { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name)); + } + + /** + * Retrieves a list of possible attribute names. + *

+ * + * @return a list of names + */ + public Enumeration getElements() { + return mNames.elements(); + } + + /** + * Retrieves serializable attribute names. + * + * @return a list of serializable attribute names + */ + public Enumeration getSerializableAttrNames() { + return mNames.elements(); + } + + /** + * Retrieves version of this proof. + *

+ * + * @return version + */ + public BigInteger getVersion() { + return mVersion; + } + + /** + * Retrieves the serial number. + *

+ * + * @return serial number + */ + public BigInteger getSerialNumber() { + return mSerialNo; + } + + /** + * Retrieves the subject name. + *

+ * + * @return subject name + */ + public String getSubjectName() { + return mSubject; + } + + /** + * Retrieves the issuer name. + *

+ * + * @return issuer name + */ + public String getIssuerName() { + return mIssuer; + } + + /** + * Returns the beginning of the escrowed perioid. + *

+ * + * @return date of archival + */ + public Date getDateOfArchival() { + return mDateOfArchival; + } + + /** + * Encodes this proof of escrow into the given + * output stream. + *

+ */ + public void encode(DerOutputStream out) throws EBaseException { + try { + DerOutputStream seq = new DerOutputStream(); + + // version (OPTIONAL) + if (!mVersion.equals(DEFAULT_VERSION)) { + DerOutputStream version = new DerOutputStream(); + + version.putInteger(new BigInt(mVersion)); + seq.write(DerValue.createTag( + DerValue.TAG_CONTEXT, true, (byte) 0), + version); + } + + // serial number + seq.putInteger(new BigInt(mSerialNo)); + + // subject name + new X500Name(mSubject).encode(seq); + + // issuer name + new X500Name(mIssuer).encode(seq); + + // issue date + seq.putUTCTime(mDateOfArchival); + out.write(DerValue.tag_Sequence, seq); + + } catch (IOException e) { + throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED", e.toString())); + } + } + + /** + * Encodes and signs this proof of escrow. + *

+ */ + public void encodeAndSign(PrivateKey key, String algorithm, + String provider, DerOutputStream out) + throws EBaseException { + + try { + Signature sigEngine = null; + + if (provider == null) { + sigEngine = Signature.getInstance(algorithm); + } else { + sigEngine = Signature.getInstance(algorithm, + provider); + } + + sigEngine.initSign(key); + DerOutputStream tmp = new DerOutputStream(); + + encode(tmp); + + AlgorithmId sigAlgId = AlgorithmId.get( + sigEngine.getAlgorithm()); + + sigAlgId.encode(tmp); + byte dataToSign[] = tmp.toByteArray(); + + sigEngine.update(dataToSign, 0, dataToSign.length); + byte signature[] = sigEngine.sign(); + + tmp.putBitString(signature); + out.write(DerValue.tag_Sequence, tmp); + return; + } catch (NoSuchAlgorithmException e) { + throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString())); + } catch (NoSuchProviderException e) { + throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString())); + } catch (InvalidKeyException e) { + throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString())); + } catch (SignatureException e) { + throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString())); + } catch (IOException e) { + throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString())); + } + } + + /** + * Decodes the input stream. + *

+ */ + public void decode(InputStream in) throws EBaseException { + try { + // POA is a SIGNED ASN.1 macro, a three element sequence: + // - Data to be signed (ToBeSigned) -- the "raw" data + // - Signature algorithm (SigAlgId) + // - The Signature bits + + DerValue val = new DerValue(in); + + DerValue seq[] = new DerValue[3]; + + seq[0] = val.data.getDerValue(); + if (seq[0].tag == DerValue.tag_Sequence) { + // with signature + seq[1] = val.data.getDerValue(); + seq[2] = val.data.getDerValue(); + if (seq[1].data.available() != 0) { + throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1", + "no algorithm found")); + } + + if (seq[2].data.available() != 0) { + throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1", + "no signature found")); + } + + @SuppressWarnings("unused") + AlgorithmId algid = AlgorithmId.parse(seq[1]); // consume algid + + @SuppressWarnings("unused") + byte signature[] = seq[2].getBitString(); // consume signature + + decodePOA(val, null); + } else { + // without signature + decodePOA(val, seq[0]); + } + } catch (IOException e) { + throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1", e.toString())); + } + } + + /** + * Decodes proof of escrow. + *

+ */ + private void decodePOA(DerValue val, DerValue preprocessed) + throws EBaseException { + try { + DerValue tmp = null; + + if (preprocessed == null) { + if (val.tag != DerValue.tag_Sequence) { + throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1", + "not start with sequence")); + } + tmp = val.data.getDerValue(); + } else { + tmp = preprocessed; + } + + // version + if (tmp.isContextSpecific((byte) 0)) { + if (tmp.isConstructed() && tmp.isContextSpecific()) { + DerValue version = tmp.data.getDerValue(); + BigInt ver = version.getInteger(); + + mVersion = ver.toBigInteger(); + tmp = val.data.getDerValue(); + } + } else { + mVersion = DEFAULT_VERSION; + } + + // serial number + DerValue serialno = tmp; + + mSerialNo = serialno.getInteger().toBigInteger(); + + // subject + DerValue subject = val.data.getDerValue(); + + // mSubject = new X500Name(subject); // doesnt work + mSubject = new String(subject.toByteArray()); + + // issuer + DerValue issuer = val.data.getDerValue(); + + mIssuer = new String(issuer.toByteArray()); + + // date of archival + mDateOfArchival = val.data.getUTCTime(); + } catch (IOException e) { + throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1", e.toString())); + } + } + + /** + * Retrieves the string reprensetation of this + * proof of archival. + */ + public String toString() { + return "Version: " + mVersion.toString() + "\n" + + "SerialNo: " + mSerialNo.toString() + "\n" + + "Subject: " + mSubject + "\n" + + "Issuer: " + mIssuer + "\n" + + "DateOfArchival: " + mDateOfArchival.toString(); + } + +} diff --git a/base/common/src/com/netscape/certsrv/ldap/ELdapException.java b/base/common/src/com/netscape/certsrv/ldap/ELdapException.java new file mode 100644 index 000000000..8c1d2d4a5 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ldap/ELdapException.java 
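Review bot: `decode()` parses the AlgorithmId and the signature bit string of a signed proof and then discards both (the two `@SuppressWarnings("unused")` locals), so nothing in this class ever verifies the escrow authority's signature; whether the caller does is not visible here, and the class Javadoc should state it, e.g. `NOTE: decode() does not verify the signature; callers must verify the SIGNED wrapper against the escrow authority's public key before relying on this proof.` Separately, `decodePOA()` stores the raw DER bytes of the subject and issuer via `new String(subject.toByteArray())` (platform charset), while `encode()` expects `mSubject`/`mIssuer` to be parseable by `new X500Name(...)`, so a decoded proof does not round-trip through `encode()` and the `// doesnt work` comment leaves the field semantics undocumented. The `seq[1].data.available() != 0` and `seq[2].data.available() != 0` checks in `decode()` appear inverted — they throw "no algorithm found"/"no signature found" precisely when content is present — which, if so, would mean the signed branch never succeeds; worth confirming against the DerValue/DerInputStream semantics. Finally, the `IOException` handler in `encode()` reports `CMS_KRA_POA_DECODE_FAILED` for an encoding failure; it should use the `CMS_KRA_POA_ENCODE_FAILED_1` key that `encodeAndSign()` already uses.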
@@ -0,0 +1,93 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ldap; + +import com.netscape.certsrv.base.EBaseException; + +/** + * A class that represents a Ldap exception. Various + * errors can occur when interacting with a Ldap directory server. + *

+ * + * @version $Revision$, $Date$ + */ +public class ELdapException extends EBaseException { + + /** + * + */ + private static final long serialVersionUID = -4345538974758823452L; + /** + * Ldap resource class name. + */ + private static final String LDAP_RESOURCES = LdapResources.class.getName(); + + /** + * Constructs a Ldap exception. + * + * @param msgFormat Resource Key, if key not present, serves as the message. + *

+ */ + public ELdapException(String msgFormat) { + super(msgFormat); + } + + /** + * Constructs a Ldap exception. + * + * @param msgFormat Resource Key, if key not present, serves as the message. + * Include a message string parameter for variable content. + * @param param Message string parameter. + *

+ */ + public ELdapException(String msgFormat, String param) { + super(msgFormat, param); + } + + /** + * Constructs a Ldap exception. + * + * @param msgFormat Resource Key, if key not present, serves as the message. + * @param e Common exception. + *

+ */ + public ELdapException(String msgFormat, Exception e) { + super(msgFormat, e); + } + + /** + * Constructs a Ldap exception. + * + * @param msgFormat Resource Key, if key not present, serves as the message. + * @param params Array of Message string parameters. + *

+ */ + public ELdapException(String msgFormat, Object params[]) { + super(msgFormat, params); + } + + /** + * Gets the resource bundle name + * + * @return Name of the Ldap Exception resource bundle name. + *

+ */ + protected String getBundleName() { + return LDAP_RESOURCES; + } +} diff --git a/base/common/src/com/netscape/certsrv/ldap/ELdapServerDownException.java b/base/common/src/com/netscape/certsrv/ldap/ELdapServerDownException.java new file mode 100644 index 000000000..f347b1714 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ldap/ELdapServerDownException.java @@ -0,0 +1,40 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ldap; + +/** + * This represents exception which indicates Ldap server is down. + * + * @version $Revision$, $Date$ + */ +public class ELdapServerDownException extends ELdapException { + + /** + * + */ + private static final long serialVersionUID = -21440748379854829L; + + /** + * Constructs a ldap server down exception with host & port info. + * + * @param errorString Detailed error message. + */ + public ELdapServerDownException(String errorString) { + super(errorString); + } +} diff --git a/base/common/src/com/netscape/certsrv/ldap/ILdapAuthInfo.java b/base/common/src/com/netscape/certsrv/ldap/ILdapAuthInfo.java new file mode 100644 index 000000000..4325f077c --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ldap/ILdapAuthInfo.java 
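Review bot: The constructor Javadoc of `ELdapServerDownException` says it is constructed "with host & port info", but the only parameter is `errorString` and the class records no host or port, so the doc overstates what the exception carries. Either document the parameter as the already-formatted message, e.g. `@param errorString Detailed error message; callers should include the host and port.`, or add host/port fields. In `ELdapException` (the preceding hunk), `getBundleName()` overrides the base-class method without `@Override`; adding it lets the compiler catch signature drift.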
@@ -0,0 +1,100 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ldap; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; + +/** + * Class for obtaining ldap authentication info from the configuration store. + * Two types of authentication is basic and SSL client authentication. + * + * @version $Revision$, $Date$ + */ +public interface ILdapAuthInfo { + static public final String PROP_LDAPAUTHTYPE = "authtype"; + static public final String PROP_CLIENTCERTNICKNAME = "clientCertNickname"; + static public final String PROP_BINDDN = "bindDN"; + static public final String PROP_BINDPW = "bindPassword"; + static public final String PROP_BINDPW_PROMPT = "bindPWPrompt"; + static public final String PROP_BINDDN_DEFAULT = "cn=Directory Manager"; + + static public final String LDAP_BASICAUTH_STR = "BasicAuth"; + static public final String LDAP_SSLCLIENTAUTH_STR = "SslClientAuth"; + + static public final int LDAP_AUTHTYPE_NONE = 0; // illegal + static public final int LDAP_AUTHTYPE_BASICAUTH = 1; + static public final int LDAP_AUTHTYPE_SSLCLIENTAUTH = 2; + + /** + * Initialize this class from the config store. 
+ * + * @param config The config store from which to initialize. + * @exception EBaseException Due to failure of the initialization process. + * + */ + public void init(IConfigStore config) throws EBaseException; + + /** + * Initialize this class from the config store. + * Based on host, port, and secure boolean info. + * which allows an actual attempt on the server to verify credentials. + * + * @param config The config store from which to initialize. + * @exception EBaseException Due to failure of the initialization process. + * + */ + public void init(IConfigStore config, String host, int port, boolean secure) + throws EBaseException; + + /** + * Reset the connection to the host + */ + public void reset(); + + /** + * Get authentication type. + * + * @return one of:
+ * LdapAuthInfo.LDAP_AUTHTYPE_BASICAUTH or + * LdapAuthInfo.LDAP_AUTHTYPE_SSLCLIENTAUTH + */ + public int getAuthType(); + + /** + * Get params for authentication. + * + * @return array of parameters for this authentication as an array of Strings. + */ + public String[] getParms(); + + /** + * Add password to private password data structure. + * + * @param prompt Password prompt. + * @param pw Password itself. + */ + public void addPassword(String prompt, String pw); + + /** + * Remove password from private password data structure. + * + * @param prompt Identify password to remove with prompt. + */ + public void removePassword(String prompt); +} diff --git a/base/common/src/com/netscape/certsrv/ldap/ILdapBoundConnFactory.java b/base/common/src/com/netscape/certsrv/ldap/ILdapBoundConnFactory.java new file mode 100644 index 000000000..846f51749 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ldap/ILdapBoundConnFactory.java 
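Review bot: `addPassword(String prompt, String pw)` commits the bind password to an immutable `String`, which cannot be cleared and stays on the heap until collected; for a credential that may also come from `PROP_BINDPW` in the config store, the interface should document that contract, e.g. `@param pw Password itself; held in memory as given, implementations must not log it.`, or accept `char[]`. `PROP_BINDDN_DEFAULT = "cn=Directory Manager"` defaults the bind identity to the directory's superuser; a comment recommending that deployments configure a least-privilege bind DN would help operators. `getParms()` is documented only as "array of parameters"; whether that array includes the password is not visible here and should be stated, since callers may display or log it.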
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.ldap;
+
+/**
+ * Maintains a pool of connections to the LDAP server.
+ * CMS requests are processed on a multi threaded basis.
+ * A pool of connections then must be be maintained so this
+ * access to the Ldap server can be easily managed. The min and
+ * max size of this connection pool should be configurable. Once
+ * the maximum limit of connections is exceeded, the factory
+ * should provide proper synchronization to resolve contention issues.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface ILdapBoundConnFactory extends ILdapConnFactory {
+
+ public static final String PROP_MINCONNS = "minConns";
+ public static final String PROP_MAXCONNS = "maxConns";
+ public static final String PROP_LDAPCONNINFO = "ldapconn";
+ public static final String PROP_LDAPAUTHINFO = "ldapauth";
+
+}
diff --git a/base/common/src/com/netscape/certsrv/ldap/ILdapConnFactory.java b/base/common/src/com/netscape/certsrv/ldap/ILdapConnFactory.java
new file mode 100644
index 000000000..738f5832d
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ldap/ILdapConnFactory.java
@@ -0,0 +1,97 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ldap; + +import netscape.ldap.LDAPConnection; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; + +/** + * Maintains a pool of connections to the LDAP server. + * Multiple threads use this interface to utilize and release + * the Ldap connection resources. + * + * @version $Revision$, $Date$ + */ +public interface ILdapConnFactory { + + /** + * Initialize the poll from the config store. + * + * @param config The configuration substore. + * @exception EBaseException On configuration error. + * @exception ELdapException On all other errors. + */ + public void init(IConfigStore config) + throws EBaseException, ELdapException; + + /** + * + * Used for disconnecting all connections. + * Used just before a subsystem + * shutdown or process exit. + * + * @exception EldapException on Ldap failure when closing connections. + */ + public void reset() + throws ELdapException; + + /** + * Returns the number of free connections available from this pool. + * + * @return Integer number of free connections. 
+ */ + + public int freeConn(); + + /** + * Returns the number of total connections available from this pool. + * Includes sum of free and in use connections. + * + * @return Integer number of total connections. + */ + public int totalConn(); + + /** + * Returns the maximum number of connections available from this pool. + * + * @return Integer maximum number of connections. + */ + public int maxConn(); + + /** + * Request access to a Ldap connection from the pool. + * + * @exception ELdapException if any error occurs, such as a + * @return Ldap connection object. + * connection is not available + */ + public LDAPConnection getConn() + throws ELdapException; + + /** + * Return connection to the factory. mandatory after a getConn(). + * + * @param conn Ldap connection object to be returned to the free list of the pool. + * @exception ELdapException On any failure to return the connection. + */ + public void returnConn(LDAPConnection conn) + throws ELdapException; + +} diff --git a/base/common/src/com/netscape/certsrv/ldap/ILdapConnInfo.java b/base/common/src/com/netscape/certsrv/ldap/ILdapConnInfo.java new file mode 100644 index 000000000..aa5b388a3 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ldap/ILdapConnInfo.java 
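Review bot: The `getConn()` Javadoc interleaves its tags — `@exception ELdapException if any error occurs, such as a` / `@return Ldap connection object.` / `connection is not available` — so the trailing clause attaches to the return value; reorder to `@return Ldap connection object.` followed by `@exception ELdapException if any error occurs, such as a connection is not available.` `reset()` declares `@exception EldapException`, a misspelling of `ELdapException` that Javadoc cannot resolve, and `init` says "Initialize the poll" where pool is meant. Since `returnConn()` is "mandatory after a getConn()", the interface should also say what happens to a connection that is never returned (leaked pool slot versus reclaimed); that behavior is not visible here.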
@@ -0,0 +1,80 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ldap; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; + +/** + * Class for reading ldap connection information from the config store. + * Ldap connection info: host name, port number,whether of not it is a secure connection. + * + * @version $Revision$, $Date$ + */ +public interface ILdapConnInfo { + public static final String PROP_HOST = "host"; + public static final String PROP_PORT = "port"; + public static final String PROP_SECURE = "secureConn"; + public static final String PROP_PROTOCOL = "version"; + public static final String PROP_FOLLOW_REFERRALS = "followReferrals"; + public static final String PROP_HOST_DEFAULT = "localhost"; + public static final String PROP_PORT_DEFAULT = "389"; + + public static final int LDAP_VERSION_2 = 2; + public static final int LDAP_VERSION_3 = 3; + + /** + * Initializes an instance from a config store. + * + * @param config Configuration store. + * @exception ELdapException Ldap related error found. + * @exception EBaseException Other errors and errors with params included in the config store. 
+ */ + public void init(IConfigStore config) throws EBaseException, ELdapException; + + /** + * Return the name of the Host. + * + */ + + public String getHost(); + + /** + * Return the port number of the host. + * + */ + public int getPort(); + + /** + * Return the Ldap version number of the Ldap server. + */ + + public int getVersion(); + + /** + * Return whether or not the connection is secure. + */ + public boolean getSecure(); + + /** + * Return whether or not the server is to follow referrals + * to other servers when servicing a query. + */ + public boolean getFollowReferrals(); + +} diff --git a/base/common/src/com/netscape/certsrv/ldap/ILdapConnModule.java b/base/common/src/com/netscape/certsrv/ldap/ILdapConnModule.java new file mode 100644 index 000000000..efa1c271e --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ldap/ILdapConnModule.java 
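Review bot: `getHost()`, `getPort()`, `getVersion()`, `getSecure()` and `getFollowReferrals()` have Javadoc without `@return`, and `getSecure()` does not say what "secure" means; with `PROP_PORT_DEFAULT` at `"389"` and no default constant for `PROP_SECURE`, a reader cannot tell from this interface whether an unset `secureConn` yields a plain connection. The implementation is not visible here, so the contract should be spelled out, e.g. `@return true if the connection is made over SSL/TLS (confirm against the implementation).` `LDAP_VERSION_2` is still offered next to `PROP_PROTOCOL = "version"`; a one-line comment noting that v2 is legacy would help if implementations still accept it.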
@@ -0,0 +1,59 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ldap; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.ISubsystem; + +/** + * Class on behalf of the Publishing system that controls an instance of an ILdapConnFactory. + * Allows a factory to be intialized and grants access + * to the factory to other interested parties. + * + * @version $Revision$, $Date$ + */ + +public interface ILdapConnModule { + + /** + * Initialize ldap publishing module with config store. + * + * @param owner Entity that is interested in this instance of Publishing. + * @param config Config store containing the info needed to set up Publishing. + * @exception ELdapException Due to Ldap error. + * @exception EBaseException Due to config value errors and all other errors. + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException, ELdapException; + + /** + * Returns the internal ldap connection factory. + * This can be useful to get a ldap connection to the + * ldap publishing directory without having to get it again from the + * config file. 
Note that this means sharing a ldap connection pool + * with the ldap publishing module so be sure to return connections to pool. + * Use ILdapConnFactory.getConn() to get a Ldap connection to the ldap + * publishing directory. + * Use ILdapConnFactory.returnConn() to return the connection. + * + * @return Instance of ILdapConnFactory. + */ + + public ILdapConnFactory getLdapConnFactory(); +} diff --git a/base/common/src/com/netscape/certsrv/ldap/LdapResources.java b/base/common/src/com/netscape/certsrv/ldap/LdapResources.java new file mode 100644 index 000000000..332fcaddf --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ldap/LdapResources.java @@ -0,0 +1,42 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ldap; + +import java.util.ListResourceBundle; + +/** + * A resource bundle for ldap subsystem. + * + * @version $Revision$, $Date$ + */ +public class LdapResources extends ListResourceBundle { + + /** + * Returns the content of this resource. + */ + public Object[][] getContents() { + return contents; + } + + /** + * Constants. The suffix represents the number of + * possible parameters. + */ + + static final Object[][] contents = {}; +} 
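Review bot: `LdapResources.getContents()` returns the shared `static final Object[][] contents` array directly; arrays are mutable, so a caller could alter the bundle JVM-wide, though with the table empty today the exposure is nil — a `// shared, do not mutate` comment or a copy would make the intent explicit. In `ILdapConnModule` (the preceding hunk) the class Javadoc has "intialized" for "initialized", and the `getLdapConnFactory()` doc's warning about returning connections to the shared pool would read better as a `@implNote`-style sentence than as free text after the `@return`.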
diff --git a/base/common/src/com/netscape/certsrv/listeners/EListenersException.java b/base/common/src/com/netscape/certsrv/listeners/EListenersException.java new file mode 100644 index 000000000..6aee21ff4 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/listeners/EListenersException.java @@ -0,0 +1,91 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.listeners; + +import com.netscape.certsrv.base.EBaseException; + +/** + * A class represents a listener exception. + *

+ * + * @version $Revision$, $Date$ + */ +public class EListenersException extends EBaseException { + + /** + * + */ + private static final long serialVersionUID = 8895858413292894796L; + /** + * CA resource class name. + */ + private static final String LISTENERS_RESOURCES = ListenersResources.class.getName(); + + /** + * Constructs a listeners exception. + *

+ * + * @param msgFormat The error message resource key. + */ + public EListenersException(String msgFormat) { + super(msgFormat); + } + + /** + * Constructs a listeners exception. + *

+ * + * @param msgFormat exception details in message string format. + * @param param message string parameter. + */ + public EListenersException(String msgFormat, String param) { + super(msgFormat, param); + } + + /** + * Constructs a Listeners exception. + *

+ * + * @param msgFormat The resource key. + * @param e The parameter as an exception. + */ + public EListenersException(String msgFormat, Exception e) { + super(msgFormat, e); + } + + /** + * Constructs a Listeners exception. + *

+ * + * @param msgFormat The resource key. + * @param params Array of params. + */ + public EListenersException(String msgFormat, Object params[]) { + super(msgFormat, params); + } + + /** + * get the listener resource class name. + *

+ * + * @return the class name of the resource. + */ + protected String getBundleName() { + return LISTENERS_RESOURCES; + } +} diff --git a/base/common/src/com/netscape/certsrv/listeners/IRequestListenerPlugin.java b/base/common/src/com/netscape/certsrv/listeners/IRequestListenerPlugin.java new file mode 100644 index 000000000..c615586db --- /dev/null +++ b/base/common/src/com/netscape/certsrv/listeners/IRequestListenerPlugin.java @@ -0,0 +1,86 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.listeners; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; + +/** + * This interface represents a plug-in listener. Implement this class to + * add the listener to an ARequestNotifier of a subsystem. + *
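Review bot: The field comment on `LISTENERS_RESOURCES` reads "CA resource class name." although the constant names `ListenersResources`, which looks like a copy from another exception class; change it to `Listeners resource class name.` `getBundleName()` overrides the base method without `@Override`, as in the sibling `ELdapException` hunk above.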

+ * + * @version $Revision$, $Date$ + */ +public interface IRequestListenerPlugin { + + /** + * get the registered class name set in the init() method. + *

+ * + * @return the Name. + */ + public String getName(); + + /** + * get the plugin implementaion name set in the init() method. + *

+ * + * @return the plugin implementation name. + */ + public String getImplName(); + + /** + * the subsystem call this method to initialize the plug-in. + *

+ * + * @param name the registered class name of the plug-in. + * @param implName the implemetnation name of the plug-in. + * @param config the configuration store where the. + * properties of the plug-in are stored. + * @exception EBaseException throws base exception in the certificate server. + */ + public void init(String name, String implName, IConfigStore config) + throws EBaseException; + + /** + * shutdown the plugin. + */ + public void shutdown(); + + /** + * get the configuration parameters of the plug-in. + *

+ * + * @return the configuration parameters. + * @exception EBaseException throws base exception in the certificate server. + */ + public String[] getConfigParams() + throws EBaseException; + + /** + * get the configuration store of the plugin where the + * configuration parameters of the plug-in are stored. + *

+ * + * @return the configuration store. + */ + + public IConfigStore getConfigStore(); + +} diff --git a/base/common/src/com/netscape/certsrv/listeners/ListenersResources.java b/base/common/src/com/netscape/certsrv/listeners/ListenersResources.java new file mode 100644 index 000000000..9eaf41371 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/listeners/ListenersResources.java @@ -0,0 +1,42 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.listeners; + +import java.util.ListResourceBundle; + +/** + * A class represents a resource bundle for the + * listeners package. + * + * @version $Revision$, $Date$ + */ +public class ListenersResources extends ListResourceBundle { + + /** + * get the content of the resource. + *
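Review bot: The Javadoc in this new interface carries several wording slips that will be copied into generated API docs: `implementaion` under `getImplName()`, `implemetnation` under `init()`, and the `config` parameter reads `the configuration store where the. properties of the plug-in are stored.` with a stray sentence break. Suggested text: `@param config the configuration store where the properties of the plug-in are stored.` and `@return the plugin implementation name set in the init() method.`. The `init()` summary `the subsystem call this method to initialize the plug-in.` should read `the subsystem calls this method to initialize the plug-in.`.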

+ *
+ * @return the content of this resource is a value pairs array of keys and values.
+ */
+ public Object[][] getContents() {
+ return contents;
+ }
+
+ static final Object[][] contents = {
+ };
+}
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
new file mode 100644
index 000000000..aa0077b06
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -0,0 +1,347 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging; + +import java.text.MessageFormat; +import java.util.Locale; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.MessageFormatter; + +/** + * The log event object that carries message detail of a log event + * that goes into the Transaction log. Note that the name of this + * class "AuditEvent" is legacy and has nothing to do with the signed + * audit log events, whcih are represented by SignedAuditEvent. + * + * @version $Revision$, $Date$ + * @see java.text.MessageFormat + * @see com.netscape.certsrv.logging.LogResources + */ +public class AuditEvent implements IBundleLogEvent { + + /** + * + */ + private static final long serialVersionUID = -844306657733902324L; + + protected Object mParams[] = null; + + private String mEventType = null; + private String mMessage = null; + private int mLevel = -1; + private int mNTEventType = -1; + private int mSource = -1; + private boolean mMultiline = false; + private long mTimeStamp = System.currentTimeMillis(); + + /** + * The bundle name for this event. 
+ */ + private String mBundleName = LogResources.class.getName(); + private static final String INVALID_LOG_LEVEL = "log level: {0} is invalid, should be 0-6"; + + /** + * Constructs a message event + *

+ * + * @param msgFormat the message string + */ + public AuditEvent(String msgFormat) { + mMessage = msgFormat; + mParams = null; + } + + /** + * Constructs a message with a parameter. For example, + * + *

+     * new AuditEvent("failed to load {0}", fileName);
+     * 
+ *

+ * + * @param msgFormat details in message string format + * @param param message string parameter + */ + public AuditEvent(String msgFormat, String param) { + this(msgFormat); + mParams = new String[1]; + mParams[0] = param; + } + + /** + * Constructs a message from an exception. It can be used to carry + * a system exception that may contain information about + * the context. For example, + * + *

+     *         try {
+     *          ...
+     *         } catch (IOExeption e) {
+     *              logHandler.log(new AuditEvent("Encountered System Error {0}", e);
+     *      }
+     * 
+ *

+ * + * @param msgFormat exception details in message string format + * @param exception system exception + */ + public AuditEvent(String msgFormat, Exception exception) { + this(msgFormat); + mParams = new Exception[1]; + mParams[0] = exception; + } + + /** + * Constructs a message from a base exception. This will use the msgFormat + * from the exception itself. + * + *

+     *         try {
+     *          ...
+     *         } catch (Exception e) {
+     *              logHandler.log(new AuditEvent(e));
+     *      }
+     * 
+ *

+ * + * @param e CMS exception + */ + public AuditEvent(Exception e) { + this(e.getMessage()); + if (e instanceof EBaseException) { + mParams = ((EBaseException) e).getParameters(); + } else { + mParams = new Exception[1]; + mParams[0] = e; + } + } + + /** + * Constructs a message event with a list of parameters + * that will be substituted into the message format. + *

+ * + * @param msgFormat message string format + * @param params list of message format parameters + */ + public AuditEvent(String msgFormat, Object params[]) { + this(msgFormat); + mParams = params; + } + + /** + * Returns the current message format string. + *

+ * + * @return details message + */ + public String getMessage() { + return mMessage; + } + + /** + * Returns a list of parameters. + *

+ * + * @return list of message format parameters + */ + public Object[] getParameters() { + return mParams; + } + + /** + * Returns localized message string. This method should + * only be called if a localized string is necessary. + *

+ * + * @return details message + */ + public String toContent() { + return toContent(Locale.getDefault()); + } + + /** + * Returns the string based on the given locale. + *

+ * + * @param locale locale + * @return details message + */ + public String toContent(Locale locale) { + return MessageFormatter.getLocalizedString(locale, getBundleName(), + getMessage(), + getParameters()); + } + + /** + * Gets the resource bundle name for this class instance. This should + * be overridden by subclasses who have their own resource bundles. + * + * @param bundle String that represents the resource bundle name to be set + */ + public void setBundleName(String bundle) { + mBundleName = bundle; + } + + /** + * Retrieves bundle name. + * + * @return a String that represents the resource bundle name + */ + protected String getBundleName() { + return mBundleName; + } + + /** + * Retrieves log source. + * + * @return an integer that indicates the component source + * where this message event was triggered + */ + public int getSource() { + return mSource; + } + + /** + * Sets log source. + * + * @param source an integer that represents the component source + * where this message event was triggered + */ + public void setSource(int source) { + mSource = source; + } + + /** + * Retrieves log level. + * The log level of an event represents its relative importance + * or severity within CMS. + * + * @return Integer log level value. + */ + public int getLevel() { + return mLevel; + } + + /** + * Retrieves NT specific log event type. + * + * @return Integer NTEventType value. + */ + public int getNTEventType() { + return mNTEventType; + } + + /** + * Sets log level, NT log event type. + * For certain log levels the NT log event type gets + * set as well. + * + * @param level Integer log level value. 
+ */ + public void setLevel(int level) { + mLevel = level; + switch (level) { + case ILogger.LL_DEBUG: + case ILogger.LL_INFO: + mNTEventType = ILogger.NT_INFO; + break; + + case ILogger.LL_WARN: + mNTEventType = ILogger.NT_WARN; + break; + + case ILogger.LL_FAILURE: + case ILogger.LL_MISCONF: + case ILogger.LL_CATASTRPHE: + case ILogger.LL_SECURITY: + mNTEventType = ILogger.NT_ERROR; + break; + + default: + ConsoleError.send(new SystemEvent(INVALID_LOG_LEVEL, + Integer.toString(level))); + break; + } + } + + /** + * Retrieves log multiline attribute. + * + * @return Boolean whether or not this event is multiline. + * A multiline message simply consists of more than one line. + */ + public boolean getMultiline() { + return mMultiline; + } + + /** + * Sets log multiline attribute. A multiline message consists of + * more than one line. + * + * @param multiline Boolean multiline value. + */ + public void setMultiline(boolean multiline) { + mMultiline = multiline; + } + + /** + * Retrieves event time stamp. + * + * @return Long integer of the time the event was created. + */ + public long getTimeStamp() { + return mTimeStamp; + } + + /** + * Retrieves log event type. Each type of event + * has an associated String type value. + * + * @return String containing the type of event. + */ + public String getEventType() { + return mEventType; + } + + /** + * Sets log event type. Each type of event + * has an associated String type value. + * + * @param eventType String containing the type of event. + */ + public void setEventType(String eventType) { + mEventType = eventType; + } + + /** + * Return string representation of log message. + * + * @return String containing log message. + */ + public String toString() { + if (getBundleName() == null) { + MessageFormat detailMessage = new MessageFormat(mMessage); + + return detailMessage.format(mParams); + //return getMessage(); + } else + return toContent(); + } +} 
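Review bot: In `setLevel`, `mLevel = level;` is assigned before the switch validates the value, so an out-of-range level is only reported through `ConsoleError.send(new SystemEvent(INVALID_LOG_LEVEL, ...))` while the event keeps the invalid level and `mNTEventType` stays -1. Adding `return;` after the `ConsoleError.send(...)` call in the `default` branch and moving `mLevel = level;` below the switch would keep the stored state consistent with the check. Separately, `AuditEvent(Exception e)` seeds `mMessage` from `e.getMessage()`, which may be null; `toString()` then reaches `new MessageFormat(mMessage)` when the bundle name is null, which throws, and how `MessageFormatter.getLocalizedString` treats a null format is not visible here, so a guard such as `this(e.getMessage() == null ? e.toString() : e.getMessage())` is worth adding. Since parameters such as file names and exception text are substituted verbatim into the record, the class Javadoc should also state whether the log writer neutralizes embedded line breaks; otherwise a value containing a newline can forge an extra log record.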
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFormat.java b/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
new file mode 100644
index 000000000..e5f8726f7
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
@@ -0,0 +1,114 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging; + +/** + * Define audit log message format. Note that the name of this + * class "AuditFormat" is legacy and has nothing to do with the signed + * audit log events format + * + * @version $Revision$, $Date$ + */ +public class AuditFormat { + + /** + * default log level for writing audit log + */ + public static final int LEVEL = ILogger.LL_INFO; + + /** + * initiative: the event is from EE + */ + public static final String FROMUSER = "fromUser"; + + /** + * initiative: the event is from agent + */ + public static final String FROMAGENT = "fromAgent"; + + /** + * initiative: the event is from router + */ + public static final String FROMROUTER = "fromRouter"; + + /** + * initiative: the event is from remote authority + */ + public static final String FROMRA = "fromRemoteAuthority"; + + /** + * authentication module: no Authentication manager + */ + public static final String NOAUTH = "noAuthManager"; + + // for ProcessCertReq.java ,kra + /** + * 0: request type + * 1: request ID + * 2: initiative + * 3: auth module + * 4: status + * 5: cert dn + * 6: other info. 
eg cert serial number, violation policies + */ + public static final String FORMAT = + "{0} reqID {1} {2} authenticated by {3} is {4} DN requested: {5} {6}"; + public static final String NODNFORMAT = + "{0} reqID {1} {2} authenticated by {3} is {4}"; + + public static final String ENROLLMENTFORMAT = + "Enrollment request reqID {0} {1} authenticated by {2} is {3}. DN requested: {4} {5}"; + public static final String RENEWALFORMAT = + "Renewal request reqID {0} {1} authenticated by {2} is {3}. DN requested: {4} old serial number: 0x{5} {6}"; + public static final String REVOCATIONFORMAT = + "Revocation request reqID {0} {1} authenticated by {2} is {3}. DN requested: {4} serial number: 0x{5} revocation reason: {6} {7}"; + + // 1: fromAgent AgentID: xxx authenticated by xxx + public static final String DOREVOKEFORMAT = + "Revocation request reqID {0} {1} is {2}. DN requested: {3} serial number: 0x{4} revocation reason: {5}"; + // 1: fromAgent AgentID: xxx authenticated by xxx + public static final String DOUNREVOKEFORMAT = + "Unrevocation request reqID {0} {1} is {2}. DN requested: {3} serial number: 0x{4}"; + + // 0:initiative + public static final String CRLUPDATEFORMAT = + "CRLUpdate request {0} authenticated by {1} is {2}. Id: {3}\ncrl Number: {4} last update time: {5} next update time: {6} number of entries in the CRL: {7}"; + + // audit user/group + public static final String ADDUSERFORMAT = + "Admin UID: {0} added User UID: {1}"; + public static final String REMOVEUSERFORMAT = + "Admin UID: {0} removed User UID: {1} "; + public static final String MODIFYUSERFORMAT = + "Admin UID: {0} modified User UID: {1}"; + public static final String ADDUSERCERTFORMAT = + "Admin UID: {0} added cert for User UID: {1}. cert DN: {2} serial number: 0x{3}"; + public static final String REMOVEUSERCERTFORMAT = + "Admin UID: {0} removed cert of User UID: {1}. 
cert DN: {2} serial number: 0x{3}"; + public static final String ADDUSERGROUPFORMAT = + "Admin UID: {0} added User UID: {1} to group: {2}"; + public static final String REMOVEUSERGROUPFORMAT = + "Admin UID: {0} removed User UID: {1} from group: {2}"; + public static final String ADDCERTSUBJECTDNFORMAT = + "Admin UID: {0} added cert subject DN for User UID: {1}. cert DN: {2}"; + + // LDAP publishing + public static final String LDAP_PUBLISHED_FORMAT = + "{0} successfully published serial number: 0x{1} with DN: {2}"; + +} diff --git a/base/common/src/com/netscape/certsrv/logging/ConsoleError.java b/base/common/src/com/netscape/certsrv/logging/ConsoleError.java new file mode 100644 index 000000000..13e0f3d45 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/ConsoleError.java 
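Review bot: These format strings splice request-supplied values (`DN requested: {5}`, the `{6}` "other info" slot, user UIDs) straight into transaction-log records, and `CRLUPDATEFORMAT` itself embeds a `\n`, so nothing at this layer guarantees one record per line; unless the log writer escapes control characters in parameters (not visible in this change), a subject DN containing a newline can forge a fake audit line. A class-level Javadoc note would make that contract explicit, e.g. `Parameter values substituted into these formats are not sanitized here; the caller or the log writer must neutralize line breaks in attacker-influenced fields such as DNs.` Also `REMOVEUSERFORMAT` ends with a trailing space (`"Admin UID: {0} removed User UID: {1} "`) that none of its siblings have, which looks accidental.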
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging;
+
+/**
+ * A static class to log error messages to the Console
+ *
+ * @version $Revision$, $Date$
+ */
+public class ConsoleError {
+ private static final ConsoleLog console = new ConsoleLog();
+
+ /**
+ * Send the given event to the Console.
+ *
+ * @param ev log event to be sent to the console
+ */
+ public static void send(ILogEvent ev) {
+ console.log(ev);
+ console.flush();
+ }
+
+}
diff --git a/base/common/src/com/netscape/certsrv/logging/ConsoleLog.java b/base/common/src/com/netscape/certsrv/logging/ConsoleLog.java
new file mode 100644
index 000000000..2e87fc92c
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/ConsoleLog.java
@@ -0,0 +1,124 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging; + +import java.io.IOException; +import java.util.Hashtable; +import java.util.Vector; + +import javax.servlet.ServletException; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.common.NameValuePairs; + +/** + * A log event listener which sends all log events to the system console/tty + * + * @version $Revision$, $Date$ + */ +public class ConsoleLog implements ILogEventListener { + + /** + * Log the given event. Usually called from a log manager. + * + * @param ev log event + */ + public void log(ILogEvent ev) { + System.err.println(Thread.currentThread().getName() + ": " + ev); + } + + /** + * Flush the system output stream. 
+ * + */ + public void flush() { + System.err.flush(); + } + + /** + * All operations need to be cleaned up for shutdown are done here + */ + public void shutdown() { + } + + /** + * get the configuration store that is associated with this + * log listener + * + * @return the configuration store that is associated with this + * log listener + */ + public IConfigStore getConfigStore() { + return null; + } + + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + } + + public void startup() throws EBaseException { + } + + /** + * Retrieve last "maxLine" number of system log with log lever >"level" + * and from source "source". If the parameter is omitted. All entries + * are sent back. + * + * @param req a Hashtable containing the required information such as + * log entry, log level, log source, and log name + * @return the content of the log that match the criteria in req + * @exception servletException + * @exception IOException + * @exception EBaseException + */ + public synchronized NameValuePairs retrieveLogContent(Hashtable req) throws ServletException, + IOException, EBaseException { + return null; + } + + /** + * Retrieve log file list.
+ * unimplemented + */ + public synchronized NameValuePairs retrieveLogList(Hashtable req) throws ServletException, + IOException, EBaseException { + return null; + } + + public String getImplName() { + return "ConsoleLog"; + } + + public String getDescription() { + return "ConsoleLog"; + } + + public Vector getDefaultParams() { + Vector v = new Vector(); + + return v; + } + + public Vector getInstanceParams() { + Vector v = new Vector(); + + return v; + } +} diff --git a/base/common/src/com/netscape/certsrv/logging/ELogException.java b/base/common/src/com/netscape/certsrv/logging/ELogException.java new file mode 100644 index 000000000..717dbdfe2 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/ELogException.java @@ -0,0 +1,152 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging; + +import java.util.Locale; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.MessageFormatter; + +/** + * This class implements a Log exception. LogExceptions + * should be caught by LogSubsystem managers. + *
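Review bot: The Javadoc on `retrieveLogContent` promises the last `maxLine` entries filtered by level and source ("All entries are sent back" when omitted), but the body returns `null` unconditionally, as does `retrieveLogList`; a caller that trusts the doc will dereference a null `NameValuePairs`. Either return an empty `NameValuePairs` or document the real contract, e.g. `@return always null; console output is write-only and cannot be retrieved`, in line with the `unimplemented` remark already on `retrieveLogList`. The `Hashtable` and `Vector` signatures are raw types, which the file's own generics-era style (`@version $Revision$`) does not excuse; `Hashtable<String, String>` / `Vector<String>` or whatever the `ILogEventListener` contract declares would be clearer. The interface `ILogEventListener` is declared outside this hunk, so the exact parameter types should be checked there.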

+ * + * @version $Revision$, $Date$ + * @see java.text.MessageFormat + */ +public class ELogException extends EBaseException { + + /** + * + */ + private static final long serialVersionUID = -8903703675126348145L; + /** + * Resource bundle class name. + */ + private static final String LOG_RESOURCES = LogResources.class.getName(); + + /** + * Constructs a log exception. + *

+ * + * @param msgFormat Exception details. + */ + public ELogException(String msgFormat) { + super(msgFormat); + mParams = null; + } + + /** + * Constructs a log exception with a parameter. For example, + * + *

+     * new ELogException("failed to load {0}", fileName);
+     * 
+ *

+ * + * @param msgFormat Exception details in message string format. + * @param param Message string parameter. + */ + public ELogException(String msgFormat, String param) { + super(msgFormat); + mParams = new String[1]; + mParams[0] = param; + } + + /** + * Constructs a log exception. It can be used to carry + * a system exception that may contain information about + * the context. For example, + * + *

+     * 		try {
+     *  		...
+     * 		} catch (IOExeption e) {
+     * 		 	throw new ELogException("Encountered System Error {0}", e);
+     *      }
+     * 
+ *

+ * + * @param msgFormat Exception details in message string format. + * @param param System exception. + */ + public ELogException(String msgFormat, Exception param) { + super(msgFormat); + mParams = new Exception[1]; + mParams[0] = param; + } + + /** + * Constructs a log exception with a list of parameters + * that will be substituted into the message format. + *

+ * + * @param msgFormat Exception details in message string format. + * @param params List of message format parameters. + */ + public ELogException(String msgFormat, Object params[]) { + super(msgFormat); + mParams = params; + } + + /** + * Returns a list of parameters. + *

+ * + * @return list of message format parameters. + */ + public Object[] getParameters() { + return mParams; + } + + /** + * Returns localized exception string. This method should + * only be called if a localized string is necessary. + *

+ * + * @return Details message. + */ + public String toString() { + return toString(Locale.getDefault()); + } + + /** + * Returns the string based on the given locale. + *

+ * + * @param locale Locale. + * @return Details message. + */ + public String toString(Locale locale) { + return MessageFormatter.getLocalizedString(locale, getBundleName(), + super.getMessage(), mParams); + } + + /** + * Retrieves resource bundle name. + * Subclasses should override this as necessary + * + * @return String containing name of resource bundle. + */ + + protected String getBundleName() { + return LOG_RESOURCES; + } + +} diff --git a/base/common/src/com/netscape/certsrv/logging/ELogNotFound.java b/base/common/src/com/netscape/certsrv/logging/ELogNotFound.java new file mode 100644 index 000000000..7de84733c --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/ELogNotFound.java @@ -0,0 +1,40 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging; + +/** + * Exception for log not found. + * + * @version $Revision$, $Date$ + */ +public class ELogNotFound extends ELogException { + + /** + * + */ + private static final long serialVersionUID = 7970168133875460127L; + + /** + * Constructs a exception for a missing required log. + * + * @param errorString Detailed error message. + */ + public ELogNotFound(String errorString) { + super(errorString); + } +} 
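Review bot: The `ELogException(String, Exception)` and `ELogException(String, Object[])` constructors call `super(msgFormat)` and then fill `mParams` by hand, whereas the sibling `EListenersException` in this same commit delegates with `super(msgFormat, e)` and `super(msgFormat, params)`, so `EBaseException` evidently already provides those constructors; writing `super(msgFormat, param);` and `super(msgFormat, params);` here would remove the duplicated parameter handling and keep the two exception classes consistent. Whether the base constructor also records the exception as the chained cause is not visible in this hunk; if it does not, the wrapped exception's stack trace is reachable only through `getParameters()`, which matters because the class doc says `LogSubsystem` managers are expected to catch and report these. The overrides of `getParameters()`, `toString()` and `toString(Locale)` may likewise duplicate base behavior and deserve the same check against `EBaseException`.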
diff --git a/base/common/src/com/netscape/certsrv/logging/ELogPluginNotFound.java b/base/common/src/com/netscape/certsrv/logging/ELogPluginNotFound.java
new file mode 100644
index 000000000..6c434aff9
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/ELogPluginNotFound.java
@@ -0,0 +1,40 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging;
+
+/**
+ * Exception for log plugin not found.
+ *
+ * @version $Revision$, $Date$
+ */
+public class ELogPluginNotFound extends ELogException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 256873523074609116L;
+
+ /**
+ * Constructs a exception for a missing log plugin.
+ *
+ * @param errorString Detailed error message.
+ */
+ public ELogPluginNotFound(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/logging/IBundleLogEvent.java b/base/common/src/com/netscape/certsrv/logging/IBundleLogEvent.java
new file mode 100644
index 000000000..9dd8595cf
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/IBundleLogEvent.java
@@ -0,0 +1,37 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging;
+
+/**
+ * An interface which all loggable events must implement.
+ * See ILogEvent class.
+ * This class maintains a resource bundle name for given
+ * event type.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IBundleLogEvent extends ILogEvent {
+
+ /**
+ * Sets the name of the resource bundle to be associated
+ * with this event type.
+ *
+ * @param bundle name of resource bundle.
+ */
+ public void setBundleName(String bundle);
+}
diff --git a/base/common/src/com/netscape/certsrv/logging/ILogEvent.java b/base/common/src/com/netscape/certsrv/logging/ILogEvent.java
new file mode 100644
index 000000000..423918983
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/ILogEvent.java
@@ -0,0 +1,108 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging; + +import java.io.Serializable; +import java.util.Locale; + +/** + * An interface which all loggable events must implement. CMS comes + * with a limited set of ILogEvent types to implement: audit, system, and + * signed audit. This is the base class of all the subsequent implemented types. + * A log event represents a certain kind of log message designed for a specific purpose. + * For instance, an audit type event represents messages having to do with auditable CMS + * actions. The resulting message will ultimately appear into a specific log file. + * + * @version $Revision$, $Date$ + */ +public interface ILogEvent extends Serializable { + + /** + * Retrieves event time stamp. + * + * @return Long integer of the time the event was created. + */ + public long getTimeStamp(); + + /** + * Retrieves log source. + * This is an id of the subsystem responsible + * for creating the log event. + * + * @return Integer source id. + */ + public int getSource(); + + /** + * Retrieves log level. + * The log level of an event represents its relative importance + * or severity within CMS. + * + * @return Integer log level value. 
+ */ + public int getLevel(); + + /** + * Retrieves NT specific log event type. + * + * @return Integer NTEventType value. + */ + public int getNTEventType(); + + /** + * Retrieves multiline attribute. + * Does this message consiste of more than one line. + * + * @return Boolean of multiline status. + */ + public boolean getMultiline(); + + /** + * Retrieves log event type. Each type of event + * has an associated String type value. + * + * @return String containing the type of event. + */ + public String getEventType(); + + /** + * Sets log event type. Each type of event + * has an associated String type value. + * + * @param eventType String containing the type of event. + */ + public void setEventType(String eventType); + + /** + * Returns localized message string. This method should + * only be called if a localized string is necessary. + *

+ * + * @return Details message. + */ + public String toContent(); + + /** + * Returns the string based on the given locale. + *

+ * + * @param locale locale + * @return Details message. + */ + public String toContent(Locale locale); +} diff --git a/base/common/src/com/netscape/certsrv/logging/ILogEventFactory.java b/base/common/src/com/netscape/certsrv/logging/ILogEventFactory.java new file mode 100644 index 000000000..bfd5be930 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/ILogEventFactory.java 
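Review bot: The `getTimeStamp()` Javadoc in ILogEvent documents the return as "Long integer of the time the event was created" without stating the unit or epoch, and audit-log timestamps are only useful for correlation if every implementation agrees on that; it is presumably epoch milliseconds, but that should be confirmed against the implementations and written into the `@return`. Similarly, the no-argument `toContent()` should state which locale it uses (it is not visible here whether that is the default locale or a fixed one). Minor: `getMultiline()`'s description "Does this message consiste of more than one line" should read "consist", and the `@return Boolean of multiline status` is really `true` if the message spans more than one line.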
@@ -0,0 +1,52 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging; + +import java.util.Properties; + +/** + * An interface represents a log event factory. This + * factory will be responsible for creating and returning ILogEvent objects + * on demand. + * + * @version $Revision$, $Date$ + */ +public interface ILogEventFactory { + + /** + * Creates an event of a particular event type/class. + * + * @param evtClass The event type. + * @param prop The resource bundle. + * @param source The subsystem ID who creates the log event. + * @param level The severity of the log event. + * @param multiline The log message has more than one line or not. + * @param msg The detail message of the log. + * @param params The parameters in the detail log message. + * @return The created ILogEvent object. + */ + public ILogEvent create(int evtClass, Properties prop, int source, + int level, boolean multiline, String msg, Object params[]); + + /** + * Releases previously created event. + * + * @param event The log event. + */ + public void release(ILogEvent event); +} 
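Review bot: The `create` signature in ILogEventFactory uses the C-style array declarator `Object params[]`; the Java convention is to put the brackets on the type, `Object[] params`, which is source-compatible for every caller and implementor. The `@param prop` text says "The resource bundle" while the type is `Properties`; saying "Properties holding the resource-bundle messages (may be null)" would be clearer, with the nullability confirmed against the implementations since it is not visible here.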
diff --git a/base/common/src/com/netscape/certsrv/logging/ILogEventListener.java b/base/common/src/com/netscape/certsrv/logging/ILogEventListener.java new file mode 100644 index 000000000..15ff08ad5 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/ILogEventListener.java 
@@ -0,0 +1,135 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging; + +import java.io.IOException; +import java.util.EventListener; +import java.util.Hashtable; +import java.util.Vector; + +import javax.servlet.ServletException; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.common.NameValuePairs; + +/** + * An interface represents a log event listener. + * A ILogEventListener is registered to a specific + * ILogQueue to be notified of created ILogEvents. + * the log queue will notify all its registered listeners + * of the logged event. The listener will then proceed to + * process the event accordingly which will result in a log + * message existing in some file. + * + * @version $Revision$, $Date$ + */ +public interface ILogEventListener extends EventListener { + + /** + * The event notification method: Logs event. + * + * @param event The log event to be processed. + */ + public void log(ILogEvent event) throws ELogException; + + /** + * Flushes the log buffers (if any). Will result in the messages + * being actually written to their destination. 
+ */ + public void flush(); + + /** + * Closes the log file and destroys any associated threads. + */ + public void shutdown(); + + /** + * Get the configuration store for the log event listener. + * + * @return The configuration store of this log event listener. + */ + public IConfigStore getConfigStore(); + + /** + * Initialize this log listener + * + * @param owner The subsystem. + * @param config Configuration store for this log listener. + * @exception initialization error. + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException; + + /** + * Startup the instance. + */ + public void startup() + throws EBaseException; + + /** + * Retrieve last "maxLine" number of system logs with log level >"level" + * and from source "source". If the parameter is omitted. All entries + * are sent back. + * + * @param req a Hashtable containing the required information such as + * log entry, log level, log source, and log name. + * @return NameValue pair list of log messages. + * @exception ServletException For Servelet errros. + * @exception IOException For input/output problems. + * @exception EBaseException For other problems. + */ + public NameValuePairs retrieveLogContent(Hashtable req) throws ServletException, + IOException, EBaseException; + + /** + * Retrieve list of log files. + * + */ + public NameValuePairs retrieveLogList(Hashtable req) throws ServletException, + IOException, EBaseException; + + /** + * Returns implementation name. + * + * @return String name of event listener implementation. + */ + public String getImplName(); + + /** + * Returns the description of this log event listener. + * + * @return String with listener description. + */ + public String getDescription(); + + /** + * Return list of default config parameters for this log event listener. + * + * @return Vector of default parameters. + */ + public Vector getDefaultParams(); + + /** + * Return list of instance config parameters for this log event listener. 
+ * + * @return Vector of instance parameters. + */ + public Vector getInstanceParams(); +} diff --git a/base/common/src/com/netscape/certsrv/logging/ILogQueue.java b/base/common/src/com/netscape/certsrv/logging/ILogQueue.java new file mode 100644 index 000000000..bca7a93df --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/ILogQueue.java 
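Review bot: The `init` Javadoc in ILogEventListener has a malformed tag, `@exception initialization error.`, which names no exception type and will not render; it should be `@exception EBaseException if the listener cannot be initialized from the given config.`. `retrieveLogContent` and `retrieveLogList` take a raw `Hashtable req` whose keys (log entry count, level, source, name) are described only in prose, and since those values arrive from the administration servlet, the contract should say which keys are expected and that implementations must validate them (a non-numeric or negative "maxLine", an unknown source id) rather than assume they are well-formed. `retrieveLogList` has no `@param`, `@return` or `@exception` documentation at all, and `getDefaultParams`/`getInstanceParams` return raw `Vector`; `Vector<String>` and `Hashtable<String, String>` would document the element types without changing callers, if that is what the implementations hold. ILogEventListener is not a class with bodies, so nothing here is cut by the hunk boundary.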
@@ -0,0 +1,70 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging; + +/** + * An interface represents a log queue. A log queue + * is a queue of pending log events to be dispatched + * to a set of registered ILogEventListeners. + * + * @version $Revision$, $Date$ + */ +public interface ILogQueue { + + /** + * Dispatch the log event to all registered log event listeners. + * + * @param evt the log event + */ + public void log(ILogEvent evt); + + /** + * Flushes log queue, flushes all registered listeners. + * Messages should be written to their destination. + */ + public void flush(); + + /** + * Registers an event listener. + * + * @param listener The log event listener to be registered + * to this queue. + */ + public void addLogEventListener(ILogEventListener listener); + + /** + * Removes an event listener. + * + * @param listener The log event listener to be removed from this queue. + */ + public void removeLogEventListener(ILogEventListener listener); + + /** + * Initializes the log queue. + *

+ * + */ + public void init(); + + /** + * Stops this log queue:shuts down all registered log event listeners. + *

+ */ + public void shutdown(); + +} diff --git a/base/common/src/com/netscape/certsrv/logging/ILogSubsystem.java b/base/common/src/com/netscape/certsrv/logging/ILogSubsystem.java new file mode 100644 index 000000000..ce317a5b8 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/ILogSubsystem.java @@ -0,0 +1,108 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging; + +import java.util.Hashtable; +import java.util.Vector; + +import com.netscape.certsrv.base.ISubsystem; + +/** + * An interface that represents a logging component. The logging + * component is a framework that handles different types of log types, + * each represented by an ILogEventListener, and each implements a log + * plugin. CMS comes + * with three standard log types: "signedAudit", "system", and + * "transaction". Each log plugin can be instantiated into log + * instances. Each log instance can be individually configured and is + * associated with its own configuration entries in the configuration file. + *
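Review bot: `ILogQueue.log(ILogEvent evt)` declares no checked exception, while the listeners it dispatches to (`ILogEventListener.log`) may throw `ELogException`, so the interface is silent on what an implementation does when one listener fails: whether the remaining listeners are still notified, and whether the failure is surfaced anywhere. For a signed-audit listener a silently swallowed event is a gap in the audit trail, so the `log` Javadoc should fix this contract, e.g. `Implementations must define how a listener failure (ELogException) is handled; a failed listener must not prevent the remaining listeners from being notified, and the failure should itself be recorded.`, with the actual behavior confirmed against the implementation. The `init()` and `shutdown()` Javadoc blocks also contain a stray empty `*` line each that can be removed.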

+ * + * @version $Revision$, $Date$ + */ +public interface ILogSubsystem extends ISubsystem { + + /** + * The ID of this component + */ + public static final String ID = "log"; + + /** + * Retrieve plugin name (implementation name) of the log event + * listener. If no plug name found, an empty string is returned + * + * @param log the log event listener + * @return the log event listener's plugin name + */ + public String getLogPluginName(ILogEventListener log); + + /** + * Retrieve the log event listener by instance name + * + * @param insName the log instance name in String + * @return the log instance in ILogEventListener + */ + public ILogEventListener getLogInstance(String insName); + + /** + * get the list of log plugins that are available + * + * @return log plugins in a Hashtable. Each entry in the + * Hashtable contains the name/value pair of pluginName/LogPlugin + * @see LogPlugin + */ + public Hashtable getLogPlugins(); + + /** + * get the list of log instances that are available + * + * @return log instances in a Hashtable. Each entry in the + * Hashtable contains the name/value pair of instName/ILogEventListener + * @see LogPlugin + */ + public Hashtable getLogInsts(); + + /** + * Get the default configuration parameter names associated with a + * plugin. It is used by + * administration servlet to handle log configuration when a new + * log instance is added. + * + * @param implName The implementation name for which the + * configuration parameters are to be configured + * @return a Vector of default configuration paramter names + * associated with this log plugin + * @exception ELogException when instantiation of the plugin + * implementation fails. + */ + public Vector getLogDefaultParams(String implName) throws + ELogException; + + /** + * Get the default configuration parameter names associated with a + * log instance. It is used by administration servlet to handle + * log instance configuration. 
+ * + * @param insName The instance name for which the configuration + * parameters are to be configured + * @return a Vector of default configuration paramter names + * associated with this log instance. + */ + public Vector getLogInstanceParams(String insName) + throws ELogException; +} diff --git a/base/common/src/com/netscape/certsrv/logging/ILogger.java b/base/common/src/com/netscape/certsrv/logging/ILogger.java new file mode 100644 index 000000000..4cdb4b80f --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/ILogger.java 
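Review bot: The `@see LogPlugin` tag on `getLogInsts()` in ILogSubsystem appears to be copied from `getLogPlugins()`; its Javadoc says the values are `ILogEventListener`, so the reference should be `@see ILogEventListener` (or dropped). Both methods return raw `Hashtable`; `Hashtable<String, LogPlugin>` and `Hashtable<String, ILogEventListener>` would express what the prose already states without breaking raw-typed callers. `getLogInstanceParams` declares `throws ELogException` but has no `@exception` tag, unlike `getLogDefaultParams`; both `@return` descriptions also misspell "parameter" as "paramter".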
@@ -0,0 +1,492 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging; + +import java.util.Properties; + +/** + * An interface represents a logger for certificate server. This object is used to + * issue log messages for the various types of logging event types. A log message results + * in a ILogEvent being created. This event is then placed on a ILogQueue to be ultimately + * written to the destination log file. This object also maintains a collection of ILogFactory objects + * which are used to create the supported types of ILogEvents. CMS comes out of the box with three event + * types: "signedAudit", "system", and "audit". + * + * @version $Revision$, $Date$ + */ +public interface ILogger { + + //List of defined log classes. + /** + * log class: audit event. + */ + public static final int EV_AUDIT = 0; + public static final String PROP_AUDIT = "transaction"; + + /** + * log class: system event. + * System event with log level >= LL_FAILURE will also be logged in error log + */ + public static final int EV_SYSTEM = 1; + public static final String PROP_SYSTEM = "system"; + + /** + * log class: SignedAudit event. 
+ */ + public static final int EV_SIGNED_AUDIT = 2; + public static final String PROP_SIGNED_AUDIT = "signedAudit"; + + //List of defined log sources. + + /** + * log source: used by servlet to retrieve all logs + */ + public static final int S_ALL = 0; //used by servlet only + + /** + * log source: identify the log entry is from KRA + */ + public static final int S_KRA = 1; + + /** + * log source: identify the log entry is from RA + */ + public static final int S_RA = 2; + + /** + * log source: identify the log entry is from CA + */ + public static final int S_CA = 3; + + /** + * log source: identify the log entry is from http subsystem + */ + public static final int S_HTTP = 4; + + /** + * log source: identify the log entry is from database subsystem + */ + public static final int S_DB = 5; + + /** + * log source: identify the log entry is from authentication subsystem + */ + public static final int S_AUTHENTICATION = 6; + + /** + * log source: identify the log entry is from admin subsystem + */ + public static final int S_ADMIN = 7; + + /** + * log source: identify the log entry is from ldap subsystem + */ + public static final int S_LDAP = 8; + + /** + * log source: identify the log entry is from request queue subsystem + */ + public static final int S_REQQUEUE = 9; + + /** + * log source: identify the log entry is from acl subsystem + */ + public static final int S_ACLS = 10; + + /** + * log source: identify the log entry is from usergrp subsystem + */ + public static final int S_USRGRP = 11; + public static final int S_OCSP = 12; + + /** + * log source: identify the log entry is from authorization subsystem + */ + public static final int S_AUTHORIZATION = 13; + + /** + * log source: identify the log entry is from signed audit + */ + public static final int S_SIGNED_AUDIT = 14; + + /** + * log source: identify the log entry is from CrossCertPair subsystem + */ + public static final int S_XCERT = 15; + + /** + * log source: identify the log entry is from 
CrossCertPair subsystem + */ + + public static final int S_TKS = 16; + + /** + * log source: identify the log entry is from other subsystem + * eg. policy, security, connector,registration + */ + public static final int S_OTHER = 20; + + // List of defined log levels. + /** + * log level: used by servlet to retrieve all level logs + */ + public static final int LL_ALL = -1; //used by servlet only + public static final String LL_ALL_STRING = "All"; //used by servlet only + + /** + * log level: indicate this log entry is debug info + */ + + /** + * Debug level is depreciated since CMS6.1. Please use + * CMS.debug() to output messages to debugging file. + */ + public static final int LL_DEBUG = 0; // depreciated + public static final String LL_DEBUG_STRING = "Debug"; + + /** + * log level: indicate this log entry is for info note + */ + public static final int LL_INFO = 1; + public static final String LL_INFO_STRING = "Information"; + + /** + * log level: indicate this log entry is warning info + */ + public static final int LL_WARN = 2; + public static final String LL_WARN_STRING = "Warning"; + + /** + * log level: indicate this log entry is fail/error info + */ + public static final int LL_FAILURE = 3; + public static final String LL_FAILURE_STRING = "Failure"; + + /** + * log level: indicate this log entry is about misconfiguration + */ + public static final int LL_MISCONF = 4; + public static final String LL_MISCONF_STRING = "Misconfiguration"; + + /** + * log level: indicate this log entry is catastrphe info + */ + public static final int LL_CATASTRPHE = 5; + public static final String LL_CATASTRPHE_STRING = "Catastrophe"; + + /** + * log level: indicate this log entry is security info + */ + public static final int LL_SECURITY = 6; + public static final String LL_SECURITY_STRING = "Security"; + + /** + * "SubjectID" for system-initiated events logged + * in signed audit log messages + */ + public static final String SYSTEM_UID = "$System$"; + + /** + * A 
constant string value used to denote a single "unknown" identity + * in signed audit log messages + */ + public static final String UNIDENTIFIED = "$Unidentified$"; + + /** + * A constant string value used to denote a single "non-role" identity + * in signed audit log messages + */ + public static final String NONROLEUSER = "$NonRoleUser$"; + + /** + * "Outcome" for events logged in signed audit log messages + */ + public static final String SUCCESS = "Success"; + public static final String FAILURE = "Failure"; + + /** + * A constant string value used to denote a "non-applicable" + * data value in signed audit log messages + */ + public final static String SIGNED_AUDIT_NON_APPLICABLE = "N/A"; + + /** + * A constant string value used to denote an "empty", or "null", + * data value in signed audit log messages + */ + public final static String SIGNED_AUDIT_EMPTY_VALUE = ""; + + /** + * Constant string values associated with the type of certificate + * processing stored in the "InfoName" field in certain signed + * audit log messages + */ + public final static String SIGNED_AUDIT_ACCEPTANCE = "certificate"; + public final static String SIGNED_AUDIT_CANCELLATION = "cancelReason"; + public final static String SIGNED_AUDIT_REJECTION = "rejectReason"; + + // List of all NT event type + /** + * NT event type: correspond to log level LL_DEBUG or LL_INFO + */ + public static final int NT_INFO = 4; + + /** + * NT event type: correspond to log level LL_WARNING + */ + public static final int NT_WARN = 2; + + /** + * NT event type: correspont to log level LL_FAILURE and above + */ + public static final int NT_ERROR = 1; + + // List of defined log multiline attribute. + /** + * indicate the log message has more than one line + */ + public static final boolean L_MULTILINE = true; + + /** + * indicate the log message has one line + */ + public static final boolean L_SINGLELINE = false; + + /** + * Logs an event to the log queue. 
+ * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param source The source of the log event. + * @param msg The detail message to be logged. + */ + public void log(int evtClass, int source, String msg); + + /** + * Logs an event to the log queue. + * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param props The resource bundle used for the detailed message. + * @param source The source of the log event. + * @param msg The detail message to be logged. + */ + public void log(int evtClass, Properties props, int source, String msg); + + /** + * Logs an event to the log queue. + * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param source The source of the log event. + * @param level The level of the log event. + * @param msg The detail message to be logged. + */ + public void log(int evtClass, int source, int level, String msg); + + /** + * Logs an event to the log queue. + * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param props The resource bundle used for the detailed message. + * @param source The source of the log event. + * @param level The level of the log event. + * @param msg The detail message to be logged. + */ + public void log(int evtClass, Properties props, int source, int level, String msg); + + /** + * Logs an event to the log queue. + * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param source The source of the log event. + * @param level The level of the log event. + * @param msg The detail message to be logged. + * @param param The parameter in the detail message. + */ + public void log(int evtClass, int source, int level, String msg, Object param); + + /** + * Logs an event to the log queue. + * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. 
+ * @param source The source of the log event. + * @param level The level of the log event. + * @param msg The detail message to be logged. + * @param params The parameters in the detail message. + */ + public void log(int evtClass, int source, int level, String msg, Object params[]); + + /** + * Logs an event to the log queue. + * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param props The resource bundle used for the detailed message. + * @param source The source of the log event. + * @param msg The detail message to be logged. + * @param param The parameters in the detail message. + */ + public void log(int evtClass, Properties props, int source, String msg, Object param); + + /** + * Logs an event to the log queue. + * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param props The resource bundle used for the detailed message. + * @param source The source of the log event. + * @param level The level of the log event. + * @param msg The detail message to be logged. + * @param param The parameter in the detail message. + */ + public void log(int evtClass, Properties props, int source, int level, String msg, + Object param); + + /** + * Logs an event to the log queue. + * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param prop The resource bundle used for the detailed message. + * @param source The source of the log event. + * @param level The level of the log event. + * @param msg The detail message to be logged. + * @param params The parameters in the detail message. + */ + public void log(int evtClass, Properties prop, int source, int level, String msg, + Object params[]); + + //multiline log + + /** + * Logs an event to the log queue. + * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param source The source of the log event. + * @param msg The detail message to be logged. 
+ * @param multiline true If the message has more than one line, otherwise false. + */ + public void log(int evtClass, int source, String msg, boolean multiline); + + /** + * Logs an event to the log queue. + * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param props The resource bundle used for the detailed message. + * @param source The source of the log event. + * @param msg The detail message to be logged. + * @param multiline True if the message has more than one line, otherwise false. + */ + public void log(int evtClass, Properties props, int source, String msg, boolean multiline); + + /** + * Logs an event to the log queue. + * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param source The source of the log event. + * @param level The level of the log event. + * @param msg The detail message to be logged. + * @param multiline True if the message has more than one line, otherwise false. + */ + public void log(int evtClass, int source, int level, String msg, boolean multiline); + + /** + * Logs an event to the log queue. + * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param props The resource bundle used for the detailed message. + * @param source The source of the log event. + * @param level The level of the log event. + * @param msg The detail message to be logged. + * @param multiline True if the message has more than one line, otherwise false. + */ + public void log(int evtClass, Properties props, int source, int level, String msg, boolean multiline); + + /** + * Logs an event to the log queue. + * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param source The source of the log event. + * @param level The level of the log event. + * @param msg The detail message to be logged. + * @param param The parameter in the detail message. 
+ * @param multiline True if the message has more than one line, otherwise false. + */ + public void log(int evtClass, int source, int level, String msg, Object param, boolean multiline); + + /** + * Logs an event to the log queue. + * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param props The resource bundle used for the detailed message. + * @param source TTTTsource of the log event. + * @param msg The detail message to be logged. + * @param param The parameter in the detail message. + * @param multiline True if the message has more than one line, otherwise false. + */ + public void log(int evtClass, Properties props, int source, String msg, Object param, boolean multiline); + + /** + * Logs an event to the log queue. + * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param props The resource bundle used for the detailed message. + * @param source The source of the log event. + * @param level The level of the log event. + * @param msg The detail message to be logged. + * @param param The parameter in the detail message. + * @param multiline True if the message has more than one line, otherwise false. + */ + public void log(int evtClass, Properties props, int source, int level, String msg, + Object param, boolean multiline); + + /** + * Logs an event to the log queue. + * + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param prop The resource bundle used for the detailed message. + * @param source The source of the log event. + * @param level The level of the log event. + * @param msg The detail message to be logged. + * @param params The parameters in the detail message. + * @param multiline True if the message has more than one line, otherwise false. 
+ */ + public void log(int evtClass, Properties prop, int source, int level, String msg, + Object params[], boolean multiline); + + /* + * Generates an ILogEvent + * @param evtClass What kind of event it is: EV_AUDIT or EV_SYSTEM or EV_SIGNED_AUDIT. + * @param props The resource bundle used for the detailed message. + * @param source The source of the log event. + * @param level The level of the log event. + * @param msg The detail message to be logged. + * @param params The parameters in the detail message. + * @param multiline True if the message has more than one line, otherwise false. + * @return ILogEvent, a log event. + */ + public ILogEvent create(int evtClass, Properties prop, int source, int level, + String msg, Object params[], boolean multiline); + + /** + * Register a log event factory. Which will create the desired ILogEvents. + */ + public void register(int evtClass, ILogEventFactory f); + + /** + * Retrieves the associated log queue. The log queue is where issued log events + * are collected for later processing. + */ + public ILogQueue getLogQueue(); + +} diff --git a/base/common/src/com/netscape/certsrv/logging/LogPlugin.java b/base/common/src/com/netscape/certsrv/logging/LogPlugin.java new file mode 100644 index 000000000..9d7a5cc45 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/LogPlugin.java 
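Review bot: The Javadoc on `S_TKS` in ILogger reads "identify the log entry is from CrossCertPair subsystem", a copy of the `S_XCERT` comment; it should say the TKS subsystem, and `S_OCSP` has no Javadoc at all, which matters because these source ids end up in audit records and readers map them back through this file. The `NT_WARN` comment refers to `LL_WARNING`, a constant that does not exist here (the level is `LL_WARN`), and the `log` overload taking `(Properties props, int source, String msg, Object param, boolean multiline)` has the garbled `@param source TTTTsource of the log event.`. The comment above `create(...)` opens with `/*` rather than `/**`, so its `@param`/`@return` text is not Javadoc and will not render; and since the `LL_DEBUG` comment states the level is deprecated since CMS 6.1, the constant would be better marked `@Deprecated` (with "depreciated" corrected to "deprecated" in the text).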
@@ -0,0 +1,32 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging;
+
+import com.netscape.certsrv.base.Plugin;
+
+/**
+ * This class represents a registered logger plugin.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class LogPlugin extends Plugin {
+ public LogPlugin(String id, String path) {
+ super(id, path);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/logging/LogResources.java b/base/common/src/com/netscape/certsrv/logging/LogResources.java
new file mode 100644
index 000000000..899bf1893
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/LogResources.java
@@ -0,0 +1,60 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging;
+
+import java.util.ListResourceBundle;
+import java.util.ResourceBundle;
+
+import com.netscape.certsrv.base.BaseResources;
+
+/**
+ * This is the fallback resource bundle for all log events.
+ *

+ *
+ * @version $Revision$, $Date$
+ * @see java.util.ListResourceBundle
+ */
+public class LogResources extends ListResourceBundle {
+ public static final String BASE_RESOURCES = BaseResources.class.getName();
+
+ /**
+ * Contructs a log resource bundle and sets it's parent to the base
+ * resource bundle.
+ *
+ * @see com.netscape.certsrv.base.BaseResources
+ */
+ public LogResources() {
+ super();
+ setParent(ResourceBundle.getBundle(BASE_RESOURCES));
+ }
+
+ /**
+ * Returns the content of this resource.
+ *
+ * @return Array of objects making up the contents of this resource.
+ */
+ public Object[][] getContents() {
+ return contents;
+ }
+
+ /*
+ * Contents.
+ */
+
+ static final Object[][] contents = {};
+}
diff --git a/base/common/src/com/netscape/certsrv/logging/SignedAuditEvent.java b/base/common/src/com/netscape/certsrv/logging/SignedAuditEvent.java
new file mode 100644
index 000000000..8541eda34
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/SignedAuditEvent.java
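Review bot: The constructor Javadoc reads `Contructs a log resource bundle and sets it's parent`; it should be `Constructs a log resource bundle and sets its parent to the base resource bundle.` The same comment could add `@throws java.util.MissingResourceException if the base resource bundle cannot be loaded`, since `ResourceBundle.getBundle(BASE_RESOURCES)` is called in the constructor and that is what it throws on a missing bundle. `getContents()` overrides `ListResourceBundle.getContents()` without `@Override`, and its `@return` could state what the empty `contents` array means in practice: this bundle itself holds no entries and every lookup falls through to the parent set in the constructor.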
@@ -0,0 +1,349 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging;
+
+import java.text.MessageFormat;
+import java.util.Locale;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.MessageFormatter;
+
+/**
+ * The log event object that carries message detail of a log event
+ * that goes into the Signed Audit Event log. This log has the
+ * property of being digitally signed for security considerations.
+ *
+ *
+ * @version $Revision$, $Date$
+ * @see java.text.MessageFormat
+ * @see com.netscape.certsrv.logging.LogResources
+ */
+public class SignedAuditEvent implements IBundleLogEvent {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 4287822756516673931L;
+
+ protected Object mParams[] = null;
+
+ private String mEventType = null;
+ private String mMessage = null;
+ private int mLevel = -1;
+ private int mNTEventType = -1;
+ private int mSource = -1;
+ private boolean mMultiline = false;
+ private long mTimeStamp = System.currentTimeMillis();
+
+ private static final String INVALID_LOG_LEVEL = "log level: {0} is invalid, should be 0-6";
+
+ /**
+ * The bundle name for this event.
+ * ....not anymore...keep for now and clean up later
+ */
+ private String mBundleName = LogResources.class.getName();
+
+ /**
+ * Constructs a SignedAuditEvent message event.
+ *

+ *
+ * @param msgFormat The message string.
+ */
+ public SignedAuditEvent(String msgFormat) {
+ mMessage = msgFormat;
+ mParams = null;
+ }
+
+ /**
+ * Constructs a message with a parameter. For example,
+ *
+ *

+     * new SignedAuditEvent("failed to load {0}", fileName);
+     * 
+ *

+ *
+ * @param msgFormat Details in message string format.
+ * @param param Message string parameter.
+ */
+ public SignedAuditEvent(String msgFormat, String param) {
+ this(msgFormat);
+ mParams = new String[1];
+ mParams[0] = param;
+ }
+
+ /**
+ * Constructs a message from an exception. It can be used to carry
+ * a signed audit exception that may contain information about
+ * the context. For example,
+ *
+ *

+     * 		try {
+     *  		...
+     * 		} catch (IOExeption e) {
+     * 		 	logHandler.log(new SignedAuditEvent("Encountered Signed Audit Error {0}", e);
+     *      }
+     * 
+ *

+ *
+ * @param msgFormat Exception details in message string format.
+ * @param exception System exception.
+ */
+ public SignedAuditEvent(String msgFormat, Exception exception) {
+ this(msgFormat);
+ mParams = new Exception[1];
+ mParams[0] = exception;
+ }
+
+ /**
+ * Constructs a message from a base exception. This will use the msgFormat
+ * from the exception itself.
+ *
+ *

+     * 		try {
+     *  		...
+     * 		} catch (Exception e) {
+     * 		 	logHandler.log(new SignedAuditEvent(e));
+     *      }
+     * 
+ *

+ *
+ * @param e CMS exception.
+ */
+ public SignedAuditEvent(Exception e) {
+ this(e.getMessage());
+ if (e instanceof EBaseException) {
+ mParams = ((EBaseException) e).getParameters();
+ } else {
+ mParams = new Exception[1];
+ mParams[0] = e;
+ }
+ }
+
+ /**
+ * Constructs a message event with a list of parameters
+ * that will be substituted into the message format.
+ *

+ *
+ * @param msgFormat Message string format.
+ * @param params List of message format parameters.
+ */
+ public SignedAuditEvent(String msgFormat, Object params[]) {
+ this(msgFormat);
+ mParams = params;
+ }
+
+ /**
+ * Returns the current message format string.
+ *

+ *
+ * @return Details message.
+ */
+ public String getMessage() {
+ return mMessage;
+ }
+
+ /**
+ * Returns a list of parameters. These parameters can be
+ * used to assist in formatting the message.
+ *

+ *
+ * @return List of message format parameters.
+ */
+ public Object[] getParameters() {
+ return mParams;
+ }
+
+ /**
+ * Returns localized message string. This method should
+ * only be called if a localized string is necessary.
+ *

+ *
+ * @return Details message.
+ */
+ public String toContent() {
+ return toContent(Locale.getDefault());
+ }
+
+ /**
+ * Returns the string based on the given locale.
+ *

+ *
+ * @param locale Locale.
+ * @return Details message.
+ */
+ public String toContent(Locale locale) {
+ return MessageFormatter.getLocalizedString(locale, getBundleName(),
+ getMessage(),
+ getParameters());
+ }
+
+ /**
+ * Sets the resource bundle name for this class instance. This should
+ * be overridden by subclasses who have their own resource bundles.
+ *
+ * @param bundle String with name of resource bundle.
+ */
+ public void setBundleName(String bundle) {
+ mBundleName = bundle;
+ }
+
+ /**
+ * Retrieves bundle name.
+ *
+ * @return String with name of resource bundle.
+ */
+ protected String getBundleName() {
+ return mBundleName;
+ }
+
+ /**
+ * Retrieves log source.
+ * This is an id of the subsystem responsible
+ * for creating the log event.
+ *
+ * @return Integer source id.
+ */
+ public int getSource() {
+ return mSource;
+ }
+
+ /**
+ * Sets log source.
+ *
+ * @param source Integer id of log source.
+ */
+ public void setSource(int source) {
+ mSource = source;
+ }
+
+ /**
+ * Retrieves log level.
+ * The log level of an event represents its relative importance
+ * or severity within CMS.
+ *
+ * @return Integer log level value.
+ */
+ public int getLevel() {
+ return mLevel;
+ }
+
+ /**
+ * Retrieves NT specific log event type.
+ *
+ * @return Integer NTEventType value.
+ */
+ public int getNTEventType() {
+ return mNTEventType;
+ }
+
+ /**
+ * Sets log level, NT log event type.
+ * For certain log levels the NT log event type gets
+ * set as well.
+ *
+ * @param level Integer log level value.
+ */
+ public void setLevel(int level) {
+ mLevel = level;
+ switch (level) {
+ case ILogger.LL_DEBUG:
+ case ILogger.LL_INFO:
+ mNTEventType = ILogger.NT_INFO;
+ break;
+
+ case ILogger.LL_WARN:
+ mNTEventType = ILogger.NT_WARN;
+ break;
+
+ case ILogger.LL_FAILURE:
+ case ILogger.LL_MISCONF:
+ case ILogger.LL_CATASTRPHE:
+ case ILogger.LL_SECURITY:
+ mNTEventType = ILogger.NT_ERROR;
+ break;
+
+ default:
+ ConsoleError.send(new SignedAuditEvent(INVALID_LOG_LEVEL,
+ Integer.toString(level)));
+ break;
+ }
+ }
+
+ /**
+ * Retrieves log multiline attribute.
+ *
+ * @return Boolean whether or not this event is multiline.
+ * A multiline message simply consists of more than one line.
+ */
+ public boolean getMultiline() {
+ return mMultiline;
+ }
+
+ /**
+ * Sets log multiline attribute. A multiline message consists of
+ * more than one line.
+ *
+ * @param multiline Boolean multiline value.
+ */
+ public void setMultiline(boolean multiline) {
+ mMultiline = multiline;
+ }
+
+ /**
+ * Retrieves event time stamp.
+ *
+ * @return Long integer of the time the event was created.
+ */
+ public long getTimeStamp() {
+ return mTimeStamp;
+ }
+
+ /**
+ * Retrieves log event type. Each type of event
+ * has an associated String type value.
+ *
+ * @return String containing the type of event.
+ */
+ public String getEventType() {
+ return mEventType;
+ }
+
+ /**
+ * Sets log event type. Each type of event
+ * has an associated String type value.
+ *
+ * @param eventType String containing the type of event.
+ */
+ public void setEventType(String eventType) {
+ mEventType = eventType;
+ }
+
+ /**
+ * Return string representation of log message.
+ *
+ * @return String containing log message.
+ */
+ public String toString() {
+ if (getBundleName() == null) {
+ MessageFormat detailMessage = new MessageFormat(mMessage);
+
+ return detailMessage.format(mParams);
+ } else
+ return toContent();
+ }
+}
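Review bot: `SignedAuditEvent(String msgFormat, Object params[])` keeps the caller's array by reference and `getParameters()` hands that same array back, so the parameters of an event bound for the signed audit log can still be changed after construction and before the event is formatted and signed; a defensive copy in both places closes that window: `mParams = (params == null) ? null : params.clone();` in the constructor and `return (mParams == null) ? null : mParams.clone();` in the accessor (the `EBaseException.getParameters()` branch of the `Exception` constructor would want the same treatment). In `setLevel`, `mLevel = level` runs before the switch, so an out-of-range level is reported through `ConsoleError` but still stored, while `mNTEventType` keeps whatever value it had; assigning `mLevel` only in the accepted cases, or returning from `default`, keeps the two fields consistent. The SystemEvent hunk below repeats the same constructor, accessor and `setLevel` code, and both points apply there too.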
diff --git a/base/common/src/com/netscape/certsrv/logging/SystemEvent.java b/base/common/src/com/netscape/certsrv/logging/SystemEvent.java
new file mode 100644
index 000000000..9f625cdfd
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/SystemEvent.java
@@ -0,0 +1,348 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging;
+
+import java.text.MessageFormat;
+import java.util.Locale;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.MessageFormatter;
+
+/**
+ * The log event object that carries a log message.
+ * This class represents System events which are CMS events
+ * which need to be logged to a log file.
+ *
+ * @version $Revision$, $Date$
+ * @see java.text.MessageFormat
+ * @see com.netscape.certsrv.logging.LogResources
+ */
+public class SystemEvent implements IBundleLogEvent {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 7160410535724580752L;
+
+ protected Object mParams[] = null;
+
+ private String mEventType = null;
+ private String mMessage = null;
+ private int mLevel = -1;
+ private int mNTEventType = -1;
+ private int mSource = -1;
+ private boolean mMultiline = false;
+ private long mTimeStamp = System.currentTimeMillis();
+
+ /**
+ * The bundle name for this event.
+ */
+ private String mBundleName = LogResources.class.getName();
+
+ private static final String INVALID_LOG_LEVEL = "log level: {0} is invalid, should be 0-6";
+
+ /**
+ * Constructs a SystemEvent message event.
+ *

+ *
+ * @param msgFormat The message string.
+ */
+ public SystemEvent(String msgFormat) {
+ mMessage = msgFormat;
+ mParams = null;
+ }
+
+ /**
+ * Constructs a SystemEvent message with a parameter. For example,
+ *
+ *

+     * new SystemEvent("failed to load {0}", fileName);
+     * 
+ *

+ *
+ * @param msgFormat Details in message string format.
+ * @param param Message string parameter.
+ */
+ public SystemEvent(String msgFormat, String param) {
+ this(msgFormat);
+ mParams = new String[1];
+ mParams[0] = param;
+ }
+
+ /**
+ * Constructs a SystemEvent message from an exception. It can be used to carry
+ * a system exception that may contain information about
+ * the context. For example,
+ *
+ *

+     * 		try {
+     *  		...
+     * 		} catch (IOExeption e) {
+     * 		 	logHandler.log(new SystemEvent("Encountered System Error {0}", e);
+     *      }
+     * 
+ *

+ *
+ * @param msgFormat Exception details in message string format.
+ * @param exception System exception.
+ */
+ public SystemEvent(String msgFormat, Exception exception) {
+ this(msgFormat);
+ mParams = new Exception[1];
+ mParams[0] = exception;
+ }
+
+ /**
+ * Constructs a SystemEvent message from a base exception. This will use the msgFormat
+ * from the exception itself.
+ *
+ *

+     * 		try {
+     *  		...
+     * 		} catch (Exception e) {
+     * 		 	logHandler.log(new SystemEvent(e));
+     *      }
+     * 
+ *

+ *
+ * @param e CMS exception.
+ */
+ public SystemEvent(Exception e) {
+ this(e.getMessage());
+ if (e instanceof EBaseException) {
+ mParams = ((EBaseException) e).getParameters();
+ } else {
+ mParams = new Exception[1];
+ mParams[0] = e;
+ }
+ }
+
+ /**
+ * Constructs a SystemEvent message event with a list of parameters
+ * that will be substituted into the message format.
+ *

+ *
+ * @param msgFormat Message string format.
+ * @param params List of message format parameters.
+ */
+ public SystemEvent(String msgFormat, Object params[]) {
+ this(msgFormat);
+ mParams = params;
+ }
+
+ /**
+ * Returns the current message format string.
+ *

+ *
+ * @return Details message.
+ */
+ public String getMessage() {
+ return mMessage;
+ }
+
+ /**
+ * Returns a list of parameters. These parameters can be
+ * used to assist in formatting the message.
+ *

+ *
+ * @return List of message format parameters.
+ */
+ public Object[] getParameters() {
+ return mParams;
+ }
+
+ /**
+ * Returns localized message string. This method should
+ * only be called if a localized string is necessary.
+ *

+ *
+ * @return Details message.
+ */
+ public String toContent() {
+ return toContent(Locale.getDefault());
+ }
+
+ /**
+ * Returns the string based on the given locale.
+ *

+ *
+ * @param locale Locale.
+ * @return Details message.
+ */
+ public String toContent(Locale locale) {
+ return MessageFormatter.getLocalizedString(locale, getBundleName(),
+ getMessage(),
+ getParameters());
+ }
+
+ /**
+ * Sets the resource bundle name for this class instance. This should
+ * be overridden by subclasses who have their own resource bundles.
+ *
+ * @param bundle String with the name of resource bundle.
+ */
+ public void setBundleName(String bundle) {
+ mBundleName = bundle;
+ }
+
+ /**
+ * Retrieves bundle name.
+ *
+ * @return String with name of resource bundle.
+ */
+ protected String getBundleName() {
+ return mBundleName;
+ }
+
+ /**
+ * Retrieves log source.
+ * This is an id of the subsystem responsible
+ * for creating the log event.
+ *
+ * @return Integer source id.
+ */
+ public int getSource() {
+ return mSource;
+ }
+
+ /**
+ * Sets log source.
+ * Sets the id of the subsystem issuing the event.
+ *
+ * @param source Integer source id.
+ */
+ public void setSource(int source) {
+ mSource = source;
+ }
+
+ /**
+ * Retrieves log level.
+ * The log level of an event represents its relative importance
+ * or severity within CMS.
+ *
+ * @return Integer log level value.
+ */
+ public int getLevel() {
+ return mLevel;
+ }
+
+ /**
+ * Retrieves NT specific log event type.
+ *
+ * @return Integer NTEventType value.
+ */
+ public int getNTEventType() {
+ return mNTEventType;
+ }
+
+ /**
+ * Sets log level, NT log event type.
+ * For certain log levels the NT log event type gets
+ * set as well.
+ *
+ * @param level Integer log level value.
+ */
+ public void setLevel(int level) {
+ mLevel = level;
+ switch (level) {
+ case ILogger.LL_DEBUG:
+ case ILogger.LL_INFO:
+ mNTEventType = ILogger.NT_INFO;
+ break;
+
+ case ILogger.LL_WARN:
+ mNTEventType = ILogger.NT_WARN;
+ break;
+
+ case ILogger.LL_FAILURE:
+ case ILogger.LL_MISCONF:
+ case ILogger.LL_CATASTRPHE:
+ case ILogger.LL_SECURITY:
+ mNTEventType = ILogger.NT_ERROR;
+ break;
+
+ default:
+ ConsoleError.send(new SystemEvent(INVALID_LOG_LEVEL,
+ Integer.toString(level)));
+ break;
+ }
+ }
+
+ /**
+ * Retrieves log multiline attribute.
+ *
+ * @return Boolean whether or not this event is multiline.
+ * A multiline message simply consists of more than one line.
+ */
+ public boolean getMultiline() {
+ return mMultiline;
+ }
+
+ /**
+ * Sets log multiline attribute. A multiline message consists of
+ * more than one line.
+ *
+ * @param multiline Boolean multiline value.
+ */
+ public void setMultiline(boolean multiline) {
+ mMultiline = multiline;
+ }
+
+ /**
+ * Retrieves event time stamp.
+ *
+ * @return Long integer of the time the event was created.
+ */
+ public long getTimeStamp() {
+ return mTimeStamp;
+ }
+
+ /**
+ * Retrieves log event type. Each type of event
+ * has an associated String type value.
+ *
+ * @return String containing the type of event.
+ */
+ public String getEventType() {
+ return mEventType;
+ }
+
+ /**
+ * Sets log event type. Each type of event
+ * has an associated String type value.
+ *
+ * @param eventType String containing the type of event.
+ */
+ public void setEventType(String eventType) {
+ mEventType = eventType;
+ }
+
+ /**
+ * Return string representation of log message.
+ *
+ * @return String containing log message.
+ */
+ public String toString() {
+ if (getBundleName() == null) {
+ MessageFormat detailMessage = new MessageFormat(mMessage);
+
+ return detailMessage.format(mParams);
+ } else
+ return toContent();
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/notification/ENotificationException.java b/base/common/src/com/netscape/certsrv/notification/ENotificationException.java
new file mode 100644
index 000000000..fffc8edeb
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/notification/ENotificationException.java
@@ -0,0 +1,77 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.notification;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * A class represents a notification exception.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class ENotificationException extends EBaseException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 2101529206306996303L;
+ /**
+ * Identity resource class name.
+ */
+ private static final String NOTIFICATION_RESOURCES = NotificationResources.class.getName();
+
+ /**
+ * Constructs a notification exception
+ *

+ */
+ public ENotificationException(String msgFormat) {
+ super(msgFormat);
+ }
+
+ /**
+ * Constructs a Identity exception.
+ *

+ */
+ public ENotificationException(String msgFormat, String param) {
+ super(msgFormat, param);
+ }
+
+ /**
+ * Constructs a Identity exception.
+ *

+ */
+ public ENotificationException(String msgFormat, Exception e) {
+ super(msgFormat, e);
+ }
+
+ /**
+ * Constructs a Identity exception.
+ *

+ */
+ public ENotificationException(String msgFormat, Object params[]) {
+ super(msgFormat, params);
+ }
+
+ /**
+ * Retrieves bundle name.
+ */
+ protected String getBundleName() {
+ return NOTIFICATION_RESOURCES;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/notification/IEmailFormProcessor.java b/base/common/src/com/netscape/certsrv/notification/IEmailFormProcessor.java
new file mode 100644
index 000000000..40114bd1e
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/notification/IEmailFormProcessor.java
@@ -0,0 +1,79 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.notification;
+
+import java.util.Hashtable;
+import java.util.Vector;
+
+/**
+ * formulates the final email. Escape character '\' is understood.
+ * '$' is used preceeding a token name. A token name should not be a
+ * substring of any other token name
+ *
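Review bot: Three of the four constructor Javadocs say `Constructs a Identity exception.` and the field comment says `Identity resource class name.`, which reads like a copy-paste from an identity-package exception; they should say `Constructs a notification exception.` and `Notification resource bundle class name.`. `getBundleName()` presumably overrides the EBaseException hook of the same name (the base class is not in this hunk) but carries no `@Override` and its Javadoc has no `@return`; `@return the fully qualified class name of NotificationResources` states what the method does. The constructors would also benefit from `@param` tags for `msgFormat`, `param`, `e` and `params`, matching the base-class contract.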

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IEmailFormProcessor {
+
+ // list of token names
+ public final static String TOKEN_ID = "InstanceID";
+ public final static String TOKEN_SERIAL_NUM = "SerialNumber";
+ public final static String TOKEN_HEX_SERIAL_NUM = "HexSerialNumber";
+ public final static String TOKEN_REQUEST_ID = "RequestId";
+ public final static String TOKEN_HTTP_HOST = "HttpHost";
+ public final static String TOKEN_HTTP_PORT = "HttpPort";
+ public final static String TOKEN_ISSUER_DN = "IssuerDN";
+ public final static String TOKEN_SUBJECT_DN = "SubjectDN";
+ public final static String TOKEN_REQUESTOR_EMAIL = "RequestorEmail";
+ public final static String TOKEN_CERT_TYPE = "CertType";
+ public final static String TOKEN_REQUEST_TYPE = "RequestType";
+ public final static String TOKEN_STATUS = "Status";
+ public final static String TOKEN_NOT_AFTER = "NotAfter";
+ public final static String TOKEN_NOT_BEFORE = "NotBefore";
+ public final static String TOKEN_SENDER_EMAIL = "SenderEmail";
+ public final static String TOKEN_RECIPIENT_EMAIL = "RecipientEmail";
+ public final static String TOKEN_SUMMARY_ITEM_LIST = "SummaryItemList";
+ public final static String TOKEN_SUMMARY_TOTAL_NUM = "SummaryTotalNum";
+ public final static String TOKEN_SUMMARY_SUCCESS_NUM = "SummaryTotalSuccess";
+ public final static String TOKEN_SUMMARY_FAILURE_NUM = "SummaryTotalFailure";
+ public final static String TOKEN_EXECUTION_TIME = "ExecutionTime";
+
+ public final static String TOKEN_REVOCATION_DATE = "RevocationDate";
+
+ /*
+ * takes the form template, parse and replace all $tokens with the
+ * right values.
It handles escape character '\'
+ * @param form The locale specific form template,
+ * @param tok2vals a hashtable containing one to one mapping
+ * from $tokens used by the admins in the form template to the real
+ * values corresponding to the $tokens
+ * @return mail content
+ */
+ public String getEmailContent(String form,
+ Hashtable tok2vals);
+
+ /**
+ * takes a vector of strings and concatenate them
+ */
+ public String formContent(Vector vec);
+
+ /**
+ * logs an entry in the log file.
+ */
+ public void log(int level, String msg);
+}
diff --git a/base/common/src/com/netscape/certsrv/notification/IEmailResolver.java b/base/common/src/com/netscape/certsrv/notification/IEmailResolver.java
new file mode 100644
index 000000000..39e5bed37
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/notification/IEmailResolver.java
@@ -0,0 +1,40 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.notification;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * An email resolver that first checks the request email, if none,
+ * then follows by checking the subjectDN of the certificate
+ *
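Review bot: `getEmailContent` does not say whether the substituted token values are escaped for the output format, yet the token list includes request-derived strings such as `SubjectDN` and `RequestorEmail`, and the IEmailTemplate hunk further down has an `isHTML()` flag, so templates can be HTML; the contract should state which side is responsible, e.g. `Token values are inserted verbatim; a caller that supplies an HTML template must escape them first.` or the opposite, whichever the implementation actually does. The comment above `getEmailContent` opens with `/*` rather than `/**`, so its `@param`/`@return` tags never reach the generated Javadoc. `Hashtable tok2vals` and `Vector vec` are raw types; `Hashtable<String, ?> tok2vals` and `Vector<String> vec` (the `formContent` comment already says "a vector of strings") would document the element types.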

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IEmailResolver {
+
+ /**
+ * returns an email address by using the resolver keys. The
+ * return value can possibly be null
+ *
+ * @param keys list of keys used for resolving the email address
+ */
+ public String getEmail(IEmailResolverKeys keys)
+ throws EBaseException, ENotificationException;
+
+}
diff --git a/base/common/src/com/netscape/certsrv/notification/IEmailResolverKeys.java b/base/common/src/com/netscape/certsrv/notification/IEmailResolverKeys.java
new file mode 100644
index 000000000..1363a9e09
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/notification/IEmailResolverKeys.java
@@ -0,0 +1,35 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.notification;
+
+import com.netscape.certsrv.base.IAttrSet;
+
+/**
+ * An interface represents email resolver (ordered) keys for resolving
+ * emails
+ * e.g. request/cert, cert/request, request, request/cert/subjectalternatename etc.
+ *
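Review bot: The `throws EBaseException, ENotificationException` clause on `getEmail` is redundant, because ENotificationException extends EBaseException (its hunk is above), so `throws EBaseException` alone declares the same thing and listing both only suggests two unrelated failure modes. The Javadoc also has no `@return` or `@throws`; `@return the resolved email address, or null if none of the keys yields one` captures what the prose already says, and `@throws EBaseException if resolution fails` should be refined once the concrete failure conditions of the implementation are known, since they are not visible here.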

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IEmailResolverKeys extends IAttrSet {
+
+ public static final String KEY_REQUEST = "request";
+ public static final String KEY_CERT = "cert";
+
+}
diff --git a/base/common/src/com/netscape/certsrv/notification/IEmailTemplate.java b/base/common/src/com/netscape/certsrv/notification/IEmailTemplate.java
new file mode 100644
index 000000000..cbdea8436
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/notification/IEmailTemplate.java
@@ -0,0 +1,48 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.notification;
+
+/**
+ * Files to be processed and returned to the requested parties. It
+ * is a template with $tokens to be used by the form/template processor.
+ *
+ * @version $Revision$, $Date$
+ */
+
+public interface IEmailTemplate {
+
+ public boolean init();
+
+ /**
+ * @return Template Name in string form
+ */
+ public String getTemplateName();
+
+ /**
+ * @return true if template is an html file, false otherwise
+ */
+ public boolean isHTML();
+
+ /**
+ * @return Content of the template
+ */
+ public String toString();
+
+ public int length();
+
+}
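Review bot: `init()` and `length()` in IEmailTemplate have no Javadoc, so neither what `init()` loads nor what its boolean result means, nor what `length()` measures, is stated; `@return true if the template was loaded, false otherwise` and `@return length of the template content` are the likely contracts but need confirming against the implementing class, which is not in this hunk. Declaring `public String toString();` in an interface is redundant, since every implementation already inherits it from Object; if the declaration is dropped, the `@return Content of the template` sentence is still worth keeping at class level, because it is the only place that says the content is exposed through `toString()`.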
diff --git a/base/common/src/com/netscape/certsrv/notification/IMailNotification.java b/base/common/src/com/netscape/certsrv/notification/IMailNotification.java
new file mode 100644
index 000000000..356a6bba3
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/notification/IMailNotification.java
@@ -0,0 +1,80 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.notification;
+
+import java.io.IOException;
+import java.util.Vector;
+
+/**
+ * This class handles mail notification via SMTP.
+ * This class uses smtp.host in the configuration for smtp
+ * host. The port default (25) is used.
If no smtp specified, local
+ * host is used
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IMailNotification {
+
+ /**
+ * send one message to one or more addressees
+ */
+ public void sendNotification() throws IOException, ENotificationException;
+
+ /**
+ * sets the "From" field
+ *
+ * @param from email address of the sender
+ */
+ public void setFrom(String from);
+
+ /**
+ * sets the "Subject" field
+ *
+ * @param subject subject of the email
+ */
+ public void setSubject(String subject);
+
+ /**
+ * sets the "Content-Type" field
+ *
+ * @param contentType content type of the email
+ */
+ public void setContentType(String contentType);
+
+ /**
+ * sets the content of the email
+ *
+ * @param content the message content
+ */
+ public void setContent(String content);
+
+ /**
+ * sets the recipients' email addresses
+ *
+ * @param addresses a list of email addresses of the recipients
+ */
+ public void setTo(Vector addresses);
+
+ /**
+ * sets the recipient's email address
+ *
+ * @param to address of the recipient email address
+ */
+ public void setTo(String to);
+
+}
diff --git a/base/common/src/com/netscape/certsrv/notification/NotificationResources.java b/base/common/src/com/netscape/certsrv/notification/NotificationResources.java
new file mode 100644
index 000000000..b81443999
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/notification/NotificationResources.java
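Review bot: `setTo(Vector addresses)` takes a raw `Vector`, so the element type the implementation expects for recipients is neither documented nor checked by the compiler; `public void setTo(Vector<String> addresses);` pins it (the `@param` already says "a list of email addresses") and existing callers keep compiling. `sendNotification()` declares both `IOException` and `ENotificationException` but its Javadoc does not say which condition raises which; a `@throws IOException` / `@throws ENotificationException` pair would let callers decide what to retry versus report.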
@@ -0,0 +1,43 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.notification;
+
+import java.util.ListResourceBundle;
+
+/**
+ * A class represents a resource bundle for the
+ * Mail Notification package
+ *
+ * @version $Revision$, $Date$
+ */
+public class NotificationResources extends ListResourceBundle {
+
+ /**
+ * Returns the content of this resource.
+ */
+ public Object[][] getContents() {
+ return contents;
+ }
+
+ /**
+ * Constants. The suffix represents the number of
+ * possible parameters.
+ */
+
+ static final Object[][] contents = {};
+}
diff --git a/base/common/src/com/netscape/certsrv/ocsp/IDefStore.java b/base/common/src/com/netscape/certsrv/ocsp/IDefStore.java
new file mode 100644
index 000000000..ee4c76a08
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ocsp/IDefStore.java
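Review bot: `getContents()` overrides `ListResourceBundle.getContents()` but carries no `@Override`, so a future signature drift would silently produce an unused method rather than a compile error; add `@Override` above it. The Javadoc on `contents` ("The suffix represents the number of possible parameters") describes a naming convention for entries, yet the array is empty, so the comment documents nothing present; either drop it or note that the bundle is intentionally empty.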
@@ -0,0 +1,177 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ocsp; + +import java.math.BigInteger; +import java.security.cert.X509CRL; +import java.util.Date; +import java.util.Enumeration; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; +import com.netscape.certsrv.dbs.repository.IRepositoryRecord; + +/** + * This class defines an Online Certificate Status Protocol (OCSP) store which + * has been extended to provide information from the internal database. + *

+ * + * @version $Revision$, $Date$ + */ +public interface IDefStore extends IOCSPStore { + /** + * This method retrieves the number of CRL updates since startup. + *

+ * + * @return count the number of OCSP default stores + */ + public int getStateCount(); + + /** + * This method retrieves the number of OCSP requests since startup. + *

+ * + * @param id a string associated with an OCSP request + * @return count the number of this type of OCSP requests + */ + public long getReqCount(String id); + + /** + * This method creates a an OCSP default store repository record. + *

+ * + * @return IRepositoryRecord an instance of the repository record object + */ + public IRepositoryRecord createRepositoryRecord(); + + /** + * This method adds a request to the default OCSP store repository. + *

+ * + * @param name a string representing the name of this request + * @param thisUpdate the current request + * @param rec an instance of the repository record object + * @exception EBaseException occurs when there is an error attempting to + * add this request to the repository + */ + public void addRepository(String name, String thisUpdate, + IRepositoryRecord rec) + throws EBaseException; + + /** + * This method specifies whether or not to wait for the Certificate + * Revocation List (CRL) to be updated. + *

+ * + * @return boolean true or false + */ + public boolean waitOnCRLUpdate(); + + /** + * This method updates the specified CRL. + *

+ * + * @param crl the CRL to be updated + * @exception EBaseException occurs when the CRL cannot be updated + */ + public void updateCRL(X509CRL crl) throws EBaseException; + + /** + * This method attempts to read the CRL issuing point. + *

+ * + * @param name the name of the CRL to be read + * @return ICRLIssuingPointRecord the CRL issuing point + * @exception EBaseException occurs when the specified CRL cannot be located + */ + public ICRLIssuingPointRecord readCRLIssuingPoint(String name) + throws EBaseException; + + /** + * This method searches all CRL issuing points. + *

+ * + * @param maxSize specifies the largest number of hits from the search + * @return Enumeration a list of the CRL issuing points + * @exception EBaseException occurs when no CRL issuing point exists + */ + public Enumeration searchAllCRLIssuingPointRecord( + int maxSize) + throws EBaseException; + + /** + * This method searches all CRL issuing points constrained by the specified + * filtering mechanism. + *

+ * + * @param filter a string which constrains the search + * @param maxSize specifies the largest number of hits from the search + * @return Enumeration a list of the CRL issuing points + * @exception EBaseException occurs when no CRL issuing point exists + */ + public Enumeration searchCRLIssuingPointRecord(String filter, + int maxSize) + throws EBaseException; + + /** + * This method creates a CRL issuing point record. + *

+ * + * @param name a string representation of this CRL issuing point record + * @param crlNumber the number of this CRL issuing point record + * @param crlSize the size of this CRL issuing point record + * @param thisUpdate the time for this CRL issuing point record + * @param nextUpdate the time for the next CRL issuing point record + * @return ICRLIssuingPointRecord this CRL issuing point record + */ + public ICRLIssuingPointRecord createCRLIssuingPointRecord( + String name, BigInteger crlNumber, + Long crlSize, Date thisUpdate, Date nextUpdate); + + /** + * This method adds a CRL issuing point + *

+ * + * @param name a string representation of this CRL issuing point record + * @param rec this CRL issuing point record + * @exception EBaseException occurs when the specified CRL issuing point + * record cannot be added + */ + public void addCRLIssuingPoint(String name, ICRLIssuingPointRecord rec) + throws EBaseException; + + /** + * This method deletes a CRL issuing point record + *

+ * + * @param id a string representation of this CRL issuing point record + * @exception EBaseException occurs when the specified CRL issuing point + * record cannot be deleted + */ + public void deleteCRLIssuingPointRecord(String id) + throws EBaseException; + + /** + * This method checks to see if the OCSP response should return good + * when the certificate is not found. + *

+ * + * @return boolean true or false + */ + public boolean isNotFoundGood(); +} diff --git a/base/common/src/com/netscape/certsrv/ocsp/IOCSPAuthority.java b/base/common/src/com/netscape/certsrv/ocsp/IOCSPAuthority.java new file mode 100644 index 000000000..0219d357d --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ocsp/IOCSPAuthority.java @@ -0,0 +1,184 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ocsp; + +import netscape.security.x509.X500Name; + +import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; +import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.security.ISigningUnit; +import com.netscape.cmsutil.ocsp.BasicOCSPResponse; +import com.netscape.cmsutil.ocsp.ResponderID; +import com.netscape.cmsutil.ocsp.ResponseData; + +/** + * This class represents the primary interface for the Online Certificate + * Status Protocol (OCSP) server. + *
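Review bot: The Javadoc on `getStateCount()` says it returns "the number of CRL updates since startup" while its `@return` says "the number of OCSP default stores"; these cannot both be right, so the `@return` line should be changed to whichever the implementation actually counts. `searchAllCRLIssuingPointRecord` and `searchCRLIssuingPointRecord` return a raw `Enumeration`; `Enumeration<ICRLIssuingPointRecord>` would state the element type the `@return` text already promises. The `filter` parameter of `searchCRLIssuingPointRecord` is a free-form string handed to the backing store, which is not visible here; the Javadoc should say whether callers must escape it or whether the implementation does, since a caller-supplied filter fragment is otherwise passed through unchanged.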

+ * + * @version $Revision$, $Date$ + */ +public interface IOCSPAuthority extends ISubsystem { + public static final String ID = "ocsp"; + + public final static OBJECT_IDENTIFIER OCSP_NONCE = new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.48.1.2"); + + public final static String PROP_DEF_STORE_ID = "storeId"; + public final static String PROP_STORE = "store"; + public final static String PROP_SIGNING_SUBSTORE = "signing"; + public static final String PROP_NICKNAME = "certNickname"; + public final static String PROP_NEW_NICKNAME = "newNickname"; + + /** + * This method retrieves the OCSP store given its name. + *

+ * + * @param id the string representation of an OCSP store + * @return IOCSPStore an instance of an OCSP store object + */ + public IOCSPStore getOCSPStore(String id); + + /** + * This method retrieves the signing unit. + *

+ * + * @return ISigningUnit an instance of a signing unit object + */ + public ISigningUnit getSigningUnit(); + + /** + * This method retrieves the responder ID by its name. + *

+ * + * @return ResponderID an instance of a responder ID + */ + public ResponderID getResponderIDByName(); + + /** + * This method retrieves the responder ID by its hash. + *

+ * + * @return ResponderID an instance of a responder ID + */ + public ResponderID getResponderIDByHash(); + + /** + * This method retrieves the default OCSP store + * (i. e. - information from the internal database). + *

+ * + * @return IDefStore an instance of the default OCSP store + */ + public IDefStore getDefaultStore(); + + /** + * This method sets the supplied algorithm as the default signing algorithm. + *

+ * + * @param algorithm a string representing the requested algorithm + * @exception EBaseException if the algorithm is unknown or disallowed + */ + public void setDefaultAlgorithm(String algorithm) + throws EBaseException; + + /** + * This method retrieves the default signing algorithm. + *

+ * + * @return String the name of the default signing algorithm + */ + public String getDefaultAlgorithm(); + + /** + * This method retrieves all potential OCSP signing algorithms. + *

+ * + * @return String[] the names of all potential OCSP signing algorithms + */ + public String[] getOCSPSigningAlgorithms(); + + /** + * This method logs the specified message at the specified level. + *

+ * + * @param level the log level + * @param msg the log message + */ + public void log(int level, String msg); + + /** + * This method logs the specified message at the specified level given + * the specified event. + *

+ * + * @param event the log event + * @param level the log message + * @param msg the log message + */ + public void log(int event, int level, String msg); + + /** + * This method retrieves the X500Name of an OCSP server instance. + *

+ * + * @return X500Name an instance of the X500 name object + */ + public X500Name getName(); + + /** + * This method retrieves an OCSP server instance digest name as a string. + *

+ * + * @param alg the signing algorithm + * @return String the digest name of the related OCSP server + */ + public String getDigestName(AlgorithmIdentifier alg); + + /** + * This method signs the basic OCSP response data provided as a parameter. + *

+ * + * @param rd response data + * @return BasicOCSPResponse signed response data + * @exception EBaseException error associated with an inability to sign + * the specified response data + */ + public BasicOCSPResponse sign(ResponseData rd) + throws EBaseException; + + /** + * This method compares two byte arrays to see if they are equivalent. + *

+ * + * @param bytes the first byte array + * @param ints the second byte array + * @return boolean true or false + */ + public boolean arraysEqual(byte[] bytes, byte[] ints); + + public void incTotalTime(long inc); + + public void incSignTime(long inc); + + public void incLookupTime(long inc); + + public void incNumOCSPRequest(long inc); +} diff --git a/base/common/src/com/netscape/certsrv/ocsp/IOCSPService.java b/base/common/src/com/netscape/certsrv/ocsp/IOCSPService.java new file mode 100644 index 000000000..574289c29 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ocsp/IOCSPService.java @@ -0,0 +1,77 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ocsp; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.cmsutil.ocsp.OCSPRequest; +import com.netscape.cmsutil.ocsp.OCSPResponse; + +/** + * This class represents the servlet that serves the Online Certificate + * Status Protocol (OCSP) requests. + * + * @version $Revision$ $Date$ + */ +public interface IOCSPService { + /** + * This method validates the information associated with the specified + * OCSP request and returns an OCSP response. + *
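Review bot: The Javadoc on `log(int event, int level, String msg)` has `@param level the log message`, a copy of the `msg` line; it should read `@param level the log level`. The four counters `incTotalTime`, `incSignTime`, `incLookupTime` and `incNumOCSPRequest` have no Javadoc, so the unit of `inc` (milliseconds, per the IOCSPService getters in the same commit) is not stated. `arraysEqual(byte[] bytes, byte[] ints)` duplicates `java.util.Arrays.equals`; if any implementation uses it on secret-derived bytes, `MessageDigest.isEqual` is the constant-time form, but which applies depends on callers outside this hunk.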

+ * + * @param r an OCSP request + * @return OCSPResponse the OCSP response associated with the specified + * OCSP request + * @exception EBaseException an error associated with the inability to + * process the supplied OCSP request + */ + public OCSPResponse validate(OCSPRequest r) + throws EBaseException; + + /** + * Returns the in-memory count of the processed OCSP requests. + * + * @return number of processed OCSP requests in memory + */ + public long getNumOCSPRequest(); + + /** + * Returns the in-memory time (in mini-second) of + * the processed time for OCSP requests. + * + * @return processed times for OCSP requests + */ + public long getOCSPRequestTotalTime(); + + /** + * Returns the in-memory time (in mini-second) of + * the signing time for OCSP requests. + * + * @return processed times for OCSP requests + */ + public long getOCSPTotalSignTime(); + + public long getOCSPTotalLookupTime(); + + /** + * Returns the total data signed + * for OCSP requests. + * + * @return processed times for OCSP requests + */ + public long getOCSPTotalData(); +} diff --git a/base/common/src/com/netscape/certsrv/ocsp/IOCSPStore.java b/base/common/src/com/netscape/certsrv/ocsp/IOCSPStore.java new file mode 100644 index 000000000..676122105 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ocsp/IOCSPStore.java 
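Review bot: `getOCSPTotalSignTime()` and `getOCSPTotalData()` reuse the `@return processed times for OCSP requests` line from `getOCSPRequestTotalTime()`, so three different counters are documented identically, and `getOCSPTotalLookupTime()` has no Javadoc at all; each `@return` should name its own quantity (`@return total signing time in milliseconds`, `@return total bytes signed`, and a matching line for lookup time). "mini-second" in two comments should be "millisecond".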
@@ -0,0 +1,71 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ocsp; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.cmsutil.ocsp.OCSPRequest; +import com.netscape.cmsutil.ocsp.OCSPResponse; + +/** + * This class represents the generic interface for an Online Certificate + * Status Protocol (OCSP) store. Users can plugin different OCSP stores + * by extending this class. For example, imagine that if a user wants to + * use the corporate LDAP server for revocation checking, then the user + * would merely create a new class that extends this class (e. g. - + * "public interface ICorporateLDAPStore extends IOCSPStore"). + *

+ * + * @version $Revision$, $Date$ + */ +public interface IOCSPStore extends ISubsystem { + /** + * This method validates the information associated with the specified + * OCSP request and returns an OCSP response. + *

+ * + * @param req an OCSP request + * @return OCSPResponse the OCSP response associated with the specified + * OCSP request + * @exception EBaseException an error associated with the inability to + * process the supplied OCSP request + */ + public OCSPResponse validate(OCSPRequest req) + throws EBaseException; + + /** + * This method retrieves the configuration parameters associated with this + * OCSP store. + *

+ * + * @return NameValuePairs all configuration items + */ + public NameValuePairs getConfigParameters(); + + /** + * This method stores the configuration parameters specified by the + * passed-in Name Value pairs object. + *

+ * + * @param pairs a name-value pair object + * @exception EBaseException an illegal name-value pair + */ + public void setConfigParameters(NameValuePairs pairs) + throws EBaseException; +} diff --git a/base/common/src/com/netscape/certsrv/password/EPasswordCheckException.java b/base/common/src/com/netscape/certsrv/password/EPasswordCheckException.java new file mode 100644 index 000000000..3dc028ffb --- /dev/null +++ b/base/common/src/com/netscape/certsrv/password/EPasswordCheckException.java @@ -0,0 +1,91 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.password; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.PasswordResources; + +/** + * A class represents a password checker exception. + *
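Review bot: The class Javadoc on IOCSPStore says users plug in stores "by extending this class" and gives `public interface ICorporateLDAPStore extends IOCSPStore` as the example, but a plug-in store is a class that implements the interface, so the example describes a second interface rather than a usable store; reword to "by implementing this interface (e.g. `public class CorporateLDAPStore implements IOCSPStore`)". `setConfigParameters` documents `@exception EBaseException an illegal name-value pair`, which is the only place the validation contract is stated, so it should stay as is.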

+ * + * @version $Revision$, $Date$ + */ +public class EPasswordCheckException extends EBaseException { + + /** + * + */ + private static final long serialVersionUID = 6274695122717026554L; + /** + * Resource class name. + */ + private static final String PASSWORD_CHECK_RESOURCES = PasswordResources.class.getName(); + + /** + * Constructs a password checker exception + *

+ * + * @param msgFormat exception details + */ + public EPasswordCheckException(String msgFormat) { + super(msgFormat); + } + + /** + * Constructs a password checker exception. + *

+ * + * @param msgFormat exception details in message string format + * @param param message string parameter + */ + public EPasswordCheckException(String msgFormat, String param) { + super(msgFormat, param); + } + + /** + * Constructs a password checker exception. + *

+ * + * @param msgFormat exception details in message string format + * @param exception system exception + */ + public EPasswordCheckException(String msgFormat, Exception exception) { + super(msgFormat, exception); + } + + /** + * Constructs a password checker exception. + *

+ * + * @param msgFormat the message format. + * @param params list of message format parameters + */ + public EPasswordCheckException(String msgFormat, Object params[]) { + super(msgFormat, params); + } + + /** + * Retrieves bundle name. + * + * @return resource bundle name. + */ + protected String getBundleName() { + return PASSWORD_CHECK_RESOURCES; + } +} diff --git a/base/common/src/com/netscape/certsrv/password/IConfigPasswordCheck.java b/base/common/src/com/netscape/certsrv/password/IConfigPasswordCheck.java new file mode 100644 index 000000000..8b23fa513 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/password/IConfigPasswordCheck.java @@ -0,0 +1,43 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.password; + +/** + * Configuration Wizard Password quality checker interface. + *
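Review bot: `EPasswordCheckException(String msgFormat, Object params[])` uses C-style array syntax; `Object[] params` is the Java form and matches the `@param params list of message format parameters` wording. The Javadoc block above `serialVersionUID` is empty (`/** */`) and should either say what the field is or be removed, and `getBundleName()` overrides the base-class hook without `@Override`.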

+ * + * @version $Revision$, $Date$ + */ +public interface IConfigPasswordCheck { + + /** + * Check if the password meets the quality requirement + * + * @param pwd the given password + * @return true if the password meets the quality requirement; otherwise false + */ + public boolean isGoodConfigPassword(String pwd); + + /** + * Returns a reason if the password doesnt meet the quality requirement. + * + * @param pwd the given password + * @return a reason if the password quality requirement is not met. + */ + public String getConfigReason(String pwd); +} diff --git a/base/common/src/com/netscape/certsrv/password/IPasswordCheck.java b/base/common/src/com/netscape/certsrv/password/IPasswordCheck.java new file mode 100644 index 000000000..d885d3fce --- /dev/null +++ b/base/common/src/com/netscape/certsrv/password/IPasswordCheck.java @@ -0,0 +1,43 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.password; + +/** + * Password quality checker interface. + *
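Review bot: `isGoodConfigPassword(String pwd)` and `getConfigReason(String pwd)` take the candidate password as an immutable `String`, which cannot be zeroed after the check and can remain in the heap until collected; `char[]` is the usual form for password material, but since changing the parameter type breaks implementers this belongs in a follow-up rather than this move commit, and a Javadoc note on the interface saying callers are responsible for the lifetime of `pwd` would do for now. The same applies to `isGoodPassword`/`getReason` in IPasswordCheck in the next hunk. "doesnt" in both files should be "doesn't".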

+ * + * @version $Revision$, $Date$ + */ +public interface IPasswordCheck { + + /** + * Check if the password meets the quality requirement + * + * @param pwd the given password + * @return true if the password meets the quality requirement; otherwise false + */ + public boolean isGoodPassword(String pwd); + + /** + * Returns a reason if the password doesnt meet the quality requirement. + * + * @param pwd the given password + * @return a reason if the password quality requirement is not met. + */ + public String getReason(String pwd); +} diff --git a/base/common/src/com/netscape/certsrv/pattern/AttrSetCollection.java b/base/common/src/com/netscape/certsrv/pattern/AttrSetCollection.java new file mode 100644 index 000000000..5f73fc257 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/pattern/AttrSetCollection.java 
@@ -0,0 +1,63 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.pattern;
+
+import java.util.Hashtable;
+
+import com.netscape.certsrv.base.IAttrSet;
+
+/**
+ * This class represents a collection of attribute
+ * sets.
+ *
+ * @version $Revision$, $Date$
+ */
+public class AttrSetCollection extends Hashtable {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -8499028375092730021L;
+
+ /**
+ * Constructs a collection.
+ */
+ public AttrSetCollection() {
+ super();
+ }
+
+ /**
+ * Retrieves a attribute set from this collection.
+ *
+ * @param name name of the attribute set
+ * @return attribute set
+ */
+ public IAttrSet getAttrSet(String name) {
+ return (IAttrSet) get(name);
+ }
+
+ /**
+ * Sets attribute set in this collection.
+ *
+ * @param name set of the attribute set
+ * @param set attribute set
+ */
+ public void putAttrSet(String name, IAttrSet set) {
+ put(name, set);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/pattern/Pattern.java b/base/common/src/com/netscape/certsrv/pattern/Pattern.java
new file mode 100644
index 000000000..bce3a426b
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/pattern/Pattern.java
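Review bot: `AttrSetCollection extends Hashtable` with a raw type, so `getAttrSet` needs an unchecked cast and the inherited `put` accepts any key or value, which is how a non-`IAttrSet` entry could reach the cast at runtime; `public class AttrSetCollection extends Hashtable<String, IAttrSet>` lets `getAttrSet` become `return get(name);` and makes `putAttrSet` the only typed way in. The `@param name set of the attribute set` line on `putAttrSet` should read `name of the attribute set`, matching `getAttrSet`.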
@@ -0,0 +1,162 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.pattern; + +import java.util.Enumeration; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IAttrSet; + +/** + * This is a generic pattern subtitution engine. The + * pattern format should be: + *

+ * $[attribute set key].[attribute name]$ + *

+ * For example, + *

+ * $request.requestor_email$ $ctx.user_id$ + *

+ * + * @version $Revision$, $Date$ + */ +public class Pattern { + + private String mS = null; + + /** + * Constructs a pattern object with the given string. + * + * @param s string with pattern (i.e. $request.requestor_email$) + */ + public Pattern(String s) { + mS = s; + } + + /** + * Subtitutes this pattern with the given attribute set. + * + * @param key key name of the given attribute set + * @param attrSet attribute set + * @return substituted string + */ + public String substitute(String key, IAttrSet attrSet) { + return substitute2(key, attrSet); + } + + /** + * Subtitutes this pattern with the given attribute set. + * + * @param attrSetCollection attribute set collection + * @return substituted string + */ + public String substitute(AttrSetCollection attrSetCollection) { + String temp = mS; + Enumeration keys = attrSetCollection.keys(); + + while (keys.hasMoreElements()) { + String key = (String) keys.nextElement(); + Pattern p = new Pattern(temp); + + temp = p.substitute(key, + attrSetCollection.getAttrSet(key)); + + } + return temp; + } + + /** + * Subtitutes this pattern with the given attribute set. + * + * This is an extended version of the substitute() method. + * It takes a more flexible pattern format that could have + * non-token ($...$) format. e.g. + * $request.screenname$@redhat.com + * where "@redhat.com" is not in token pattern format, and will be + * literally put in place. e.g. 
+ * TomRiddle@redhat.com + * + * @param key key name of the given attribute set + * @param attrSet attribute set + * @return substituted string + */ + public String substitute2(String key, IAttrSet attrSet) { + StringBuffer sb = new StringBuffer(); + + int startPos = 0; + int lastPos; + + do { + // from startPos to right before '$' or end of string + // need to be copied over + + lastPos = mS.indexOf('$', startPos); + + // if no '$', return the entire string + if (lastPos == -1 && startPos == 0) + return mS; + + // no more '$' found, copy the rest of chars, done + if (lastPos == -1) { + sb.append(mS.substring(startPos)); // + return sb.toString(); // + // continue; + } + + // found '$' + if (startPos < lastPos) { + sb.append(mS.substring(startPos, lastPos)); + } + + // look for the ending '$' + int endPos = mS.indexOf('$', lastPos + 1); + String token = mS.substring(lastPos + 1, endPos); + int dotPos = token.indexOf('.'); + + // it's assuming there's always a '.' + String attrKey = token.substring(0, dotPos); + String attrName = token.substring(dotPos + 1); + + if (!key.equals(attrKey)) { + startPos = endPos + 1; + sb.append("$" + attrKey + "." + attrName + "$"); + continue; + } + + try { + Object o = attrSet.get(attrName); + + if (!(o instanceof String)) { + startPos = endPos + 1; + // if no such attrName, copy the token pattern over + sb.append("$" + attrKey + "." + attrName + "$"); + continue; + } + String val = (String) o; + + sb.append(val); + } catch (EBaseException e) { + sb.append("$" + attrKey + "." + attrName + "$"); + } + startPos = endPos + 1; + } while (lastPos != -1); + + return sb.toString(); + } + +} diff --git a/base/common/src/com/netscape/certsrv/policy/EPolicyException.java b/base/common/src/com/netscape/certsrv/policy/EPolicyException.java new file mode 100644 index 000000000..f32f4f64f --- /dev/null +++ b/base/common/src/com/netscape/certsrv/policy/EPolicyException.java 
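Review bot: `substitute2` throws `StringIndexOutOfBoundsException` on a malformed template: after `int endPos = mS.indexOf('$', lastPos + 1);` there is no check for `endPos == -1`, so an unpaired `$` makes `mS.substring(lastPos + 1, -1)` fail, and the comment "it's assuming there's always a '.'" acknowledges that `token.substring(0, dotPos)` fails the same way when the token has no dot. Since templates are loaded from files, one stray `$` in an e-mail template turns every notification into an unhandled exception rather than a literal copy; both cases should fall back to copying the text through, as the existing code already does for an unknown attribute. The rewritten middle of the loop is below; `Pattern` is fully contained in this hunk. The trailing `while (lastPos != -1)` is always true when reached, since the `lastPos == -1` branches return early, so `while (true)` would say what it means.
```java
            // look for the ending '$'
            int endPos = mS.indexOf('$', lastPos + 1);
            if (endPos == -1) {
                // unterminated token: copy the rest of the string literally
                // instead of letting substring() throw
                sb.append(mS.substring(lastPos));
                return sb.toString();
            }
            String token = mS.substring(lastPos + 1, endPos);
            int dotPos = token.indexOf('.');
            if (dotPos == -1) {
                // no "key.attr" form: leave the token in place untouched
                sb.append("$" + token + "$");
                startPos = endPos + 1;
                continue;
            }
            String attrKey = token.substring(0, dotPos);
            String attrName = token.substring(dotPos + 1);
            // … unchanged: key comparison, attrSet.get(attrName) lookup and fallback …
```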
@@ -0,0 +1,169 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.policy;
+
+import java.util.Locale;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.MessageFormatter;
+
+/**
+ * This class represents Exceptions used by the policy package.
+ * The policies themselves do not raise exceptions but use them
+ * to format error messages.
+ *
+ * Adapted from EBasException
+ *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + * @see java.text.MessageFormat + */ +public class EPolicyException extends EBaseException { + + /** + * + */ + private static final long serialVersionUID = -1969940775036388085L; + /** + * Resource class name. + */ + private static final String POLICY_RESOURCES = PolicyResources.class.getName(); + + /** + * Constructs a base exception. + *

+ * + * @param msgFormat exception details + */ + public EPolicyException(String msgFormat) { + super(msgFormat); + mParams = null; + } + + /** + * Constructs a base exception with a parameter. For example, + * + *

+     * new EPolicyException("failed to load {0}", fileName);
+     * 
+ *

+ * + * @param msgFormat exception details in message string format + * @param param message string parameter + */ + public EPolicyException(String msgFormat, String param) { + super(msgFormat); + mParams = new String[1]; + mParams[0] = param; + } + + /** + * Constructs a base exception with two String parameters. For example, + *

+ * + * @param msgFormat exception details in message string format + * @param param1 message string parameter + * @param param2 message string parameter + */ + public EPolicyException(String msgFormat, String param1, String param2) { + super(msgFormat); + mParams = new String[2]; + mParams[0] = param1; + mParams[1] = param2; + } + + /** + * Constructs a base exception. It can be used to carry + * a system exception that may contain information about + * the context. For example, + * + *

+     * 		try {
+     *  		...
+     * 		} catch (IOExeption e) {
+     * 		 	throw new EPolicyException("Encountered System Error {0}", e);
+     *      }
+     * 
+ *

+ * + * @param msgFormat exception details in message string format + * @param param system exception + */ + public EPolicyException(String msgFormat, Exception param) { + super(msgFormat); + mParams = new Exception[1]; + mParams[0] = param; + } + + /** + * Constructs a base exception with a list of parameters + * that will be substituted into the message format. + *

+ * + * @param msgFormat exception details in message string format + * @param params list of message format parameters + */ + public EPolicyException(String msgFormat, Object params[]) { + super(msgFormat); + mParams = params; + } + + /** + * Returns a list of parameters. + *

+ * + * @return list of message format parameters + */ + public Object[] getParameters() { + return mParams; + } + + /** + * Returns localized exception string. This method should + * only be called if a localized string is necessary. + *

+ * + * @return details message + */ + public String toString() { + return toString(Locale.getDefault()); + } + + /** + * Returns the string based on the given locale. + *

+ * + * @param locale locale + * @return details message + */ + public String toString(Locale locale) { + return MessageFormatter.getLocalizedString(locale, getBundleName(), + super.getMessage(), mParams); + } + + protected String getBundleName() { + return POLICY_RESOURCES; + } + +} diff --git a/base/common/src/com/netscape/certsrv/policy/IEnrollmentPolicy.java b/base/common/src/com/netscape/certsrv/policy/IEnrollmentPolicy.java new file mode 100644 index 000000000..7c789932a --- /dev/null +++ b/base/common/src/com/netscape/certsrv/policy/IEnrollmentPolicy.java @@ -0,0 +1,35 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.policy; + +/** + * Interface for an enrollment policy rule. This provides general + * typing for rules so that a policy processor can group rules + * based on a particular type. + *
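Review bot: The `EPolicyException(String msgFormat, Exception param)` constructor keeps the wrapped exception only as a message-format parameter, so the cause chain seen by `getCause()` and stack traces is lost; unless EBaseException's constructor already records it (not visible in this hunk), add `initCause(param);` after `mParams[0] = param;`. The class is deprecated only through the Javadoc `@deprecated` tag with no `@Deprecated` annotation, so the compiler will not warn callers; the same applies to IEnrollmentPolicy, IExpression, the IGeneralName* interfaces, IKeyArchivalPolicy, IKeyRecoveryPolicy, IPolicyPredicateParser, IPolicyProcessor and IPolicyRule in this commit. `public String toString()` overrides Object's and should carry `@Override`, and the empty Javadoc on `serialVersionUID` should either say something or be removed. `mParams` is assigned in every constructor but is declared outside this file, presumably in EBaseException.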

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public interface IEnrollmentPolicy extends IPolicyRule { +} diff --git a/base/common/src/com/netscape/certsrv/policy/IExpression.java b/base/common/src/com/netscape/certsrv/policy/IExpression.java new file mode 100644 index 000000000..4075e8683 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/policy/IExpression.java @@ -0,0 +1,61 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.policy; + +import com.netscape.certsrv.request.IRequest; + +/** + * Interface for a policy expression. + *
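Review bot: `public String toString();` at the end of IExpression is redundant — every implementation already inherits it from Object — and can be dropped together with its Javadoc. `evaluate` declares `throws EPolicyException` but its Javadoc has no `@exception` tag; add one stating when implementations are expected to throw it. The six `OP_*` int constants form an int-enum; an `enum` would be the idiomatic replacement, though that would touch every implementor, so this is a style point. The `public` modifiers on interface members are implicit and inconsistent with the unqualified `evaluate` declaration.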

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public interface IExpression { + public static final int OP_EQUAL = 1; + public static final int OP_NEQUAL = 2; + public static final int OP_GT = 3; + public static final int OP_LT = 4; + public static final int OP_GE = 5; + public static final int OP_LE = 6; + public static final String EQUAL_STR = "=="; + public static final String NEQUAL_STR = "!="; + public static final String GT_STR = ">"; + public static final String GE_STR = ">="; + public static final String LT_STR = "<"; + public static final String LE_STR = "<="; + + /** + * Evaluate the Expression. + * + * @param req The PKIRequest on which we are applying the condition. + * @return The return value. + */ + boolean evaluate(IRequest req) + throws EPolicyException; + + /** + * Convert to a string. + */ + public String toString(); +} diff --git a/base/common/src/com/netscape/certsrv/policy/IGeneralNameAsConstraintsConfig.java b/base/common/src/com/netscape/certsrv/policy/IGeneralNameAsConstraintsConfig.java new file mode 100644 index 000000000..78ec31198 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/policy/IGeneralNameAsConstraintsConfig.java 
@@ -0,0 +1,53 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.policy; + +import java.util.Vector; + +import netscape.security.x509.GeneralName; + +/** + * Class that can be used to form general names from configuration file. + * Used by policies and extension commands. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public interface IGeneralNameAsConstraintsConfig { + + /** + * Retrieves instance parameters. + * + * @param params parameters + */ + public void getInstanceParams(Vector params); + + /** + * Retrieves the general name. + * + * @return general name + */ + public GeneralName getGeneralName(); + +} diff --git a/base/common/src/com/netscape/certsrv/policy/IGeneralNameConfig.java b/base/common/src/com/netscape/certsrv/policy/IGeneralNameConfig.java new file mode 100644 index 000000000..193269bbd --- /dev/null +++ b/base/common/src/com/netscape/certsrv/policy/IGeneralNameConfig.java @@ -0,0 +1,67 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.policy; + +import java.util.Vector; + +import netscape.security.x509.GeneralName; + +import com.netscape.certsrv.base.EBaseException; + +/** + * Class that can be used to form general names from configuration file. + * Used by policies and extension commands. + *
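Review bot: `getInstanceParams(Vector params)` is documented as "Retrieves instance parameters" but returns void and takes the vector as an argument, so it presumably appends to the caller's vector; the Javadoc should say so, e.g. `@param params vector to which the instance parameters are appended`. The same wording and the raw `Vector` type recur in IGeneralNameConfig, IGeneralNamesAsConstraintsConfig and IGeneralNamesConfig; if the codebase targets Java 5 or later the element type (String name=value pairs, judging by the IPolicyRule Javadoc in this commit) should be declared as `Vector<String>`. The type comment also begins "Class that can be used..." although this is an interface.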

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public interface IGeneralNameConfig { + + /** + * Forms a general name from string. + * + * @param value general name in string + * @return general name object + * @exception EBaseException failed to form general name + */ + public GeneralName formGeneralName(String value) + throws EBaseException; + + /** + * Forms general names from the given value. + * + * @param value general name in string + * @return a vector of general names + * @exception EBaseException failed to form general name + */ + public Vector formGeneralNames(Object value) + throws EBaseException; + + /** + * Retrieves the instance parameters. + * + * @param params parameters + */ + public void getInstanceParams(Vector params); +} diff --git a/base/common/src/com/netscape/certsrv/policy/IGeneralNameUtil.java b/base/common/src/com/netscape/certsrv/policy/IGeneralNameUtil.java new file mode 100644 index 000000000..102b25ccd --- /dev/null +++ b/base/common/src/com/netscape/certsrv/policy/IGeneralNameUtil.java 
@@ -0,0 +1,77 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.policy; + +/** + * Class that can be used to form general names from configuration file. + * Used by policies and extension commands. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public interface IGeneralNameUtil { + + public static final String PROP_NUM_GENERALNAMES = "numGeneralNames"; + public static final String PROP_GENERALNAME = "generalName"; + public static final String PROP_GENNAME_CHOICE = "generalNameChoice"; + public static final String PROP_GENNAME_VALUE = "generalNameValue"; + public static final String GENNAME_CHOICE_RFC822NAME = "rfc822Name"; + public static final String GENNAME_CHOICE_DIRECTORYNAME = "directoryName"; + public static final String GENNAME_CHOICE_DNSNAME = "dNSName"; + public static final String GENNAME_CHOICE_X400ADDRESS = "x400Address"; + public static final String GENNAME_CHOICE_EDIPARTYNAME = "ediPartyName"; + public static final String GENNAME_CHOICE_URL = "URL"; + public static final String GENNAME_CHOICE_IPADDRESS = "iPAddress"; + public static final String GENNAME_CHOICE_REGISTEREDID = "OID"; + public static final String GENNAME_CHOICE_OTHERNAME = "otherName"; + + /** + * Default number of general names. + */ + public static final int DEF_NUM_GENERALNAMES = 8; + + /** + * Default extended plugin info. + */ + public static String NUM_GENERALNAMES_INFO = + "number;The total number of alternative names or identities permitted in the extension."; + public static String GENNAME_CHOICE_INFO = + "choice(" + + IGeneralNameUtil.GENNAME_CHOICE_RFC822NAME + "," + + IGeneralNameUtil.GENNAME_CHOICE_DIRECTORYNAME + "," + + IGeneralNameUtil.GENNAME_CHOICE_DNSNAME + "," + + IGeneralNameUtil.GENNAME_CHOICE_EDIPARTYNAME + "," + + IGeneralNameUtil.GENNAME_CHOICE_URL + "," + + IGeneralNameUtil.GENNAME_CHOICE_IPADDRESS + "," + + IGeneralNameUtil.GENNAME_CHOICE_REGISTEREDID + "," + + IGeneralNameUtil.GENNAME_CHOICE_OTHERNAME + ");" + + "GeneralName choice. 
See RFC 2459 appendix B2 on GeneralName."; + public static String GENNAME_VALUE_INFO = + "string;Value according to the GeneralName choice."; + + public static String PROP_NUM_GENERALNAMES_INFO = PROP_NUM_GENERALNAMES + ";" + NUM_GENERALNAMES_INFO; + public static String PROP_GENNAME_CHOICE_INFO = PROP_GENNAME_CHOICE + ";" + GENNAME_CHOICE_INFO; + public static String PROP_GENNAME_VALUE_INFO = PROP_GENNAME_VALUE + ";" + GENNAME_VALUE_INFO; + +} diff --git a/base/common/src/com/netscape/certsrv/policy/IGeneralNamesAsConstraintsConfig.java b/base/common/src/com/netscape/certsrv/policy/IGeneralNamesAsConstraintsConfig.java new file mode 100644 index 000000000..aeb7867e3 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/policy/IGeneralNamesAsConstraintsConfig.java @@ -0,0 +1,53 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.policy; + +import java.util.Vector; + +import netscape.security.x509.GeneralNames; + +/** + * Class that can be used to form general names from configuration file. + * Used by policies and extension commands. + *
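Review bot: `NUM_GENERALNAMES_INFO`, `GENNAME_CHOICE_INFO`, `GENNAME_VALUE_INFO` and the three `PROP_*_INFO` fields are declared `public static String` without `final`; interface fields are implicitly `public static final`, so the omission is harmless but reads as if the help strings were mutable — write `public static final String` like the constants above them. `GENNAME_CHOICE_INFO` lists every declared choice except `GENNAME_CHOICE_X400ADDRESS`; if that is deliberate, a comment such as `// x400Address is declared but not offered as a configurable choice` would stop the next reader from "fixing" it. The help text cites RFC 2459, which has since been superseded by RFC 5280 (via RFC 3280).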

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public interface IGeneralNamesAsConstraintsConfig { + + /** + * Retrieves a list of configured general names. + * + * @return a list of general names + */ + public GeneralNames getGeneralNames(); + + /** + * Retrieves instance parameters. + * + * @param params instance parameters + */ + public void getInstanceParams(Vector params); + +} diff --git a/base/common/src/com/netscape/certsrv/policy/IGeneralNamesConfig.java b/base/common/src/com/netscape/certsrv/policy/IGeneralNamesConfig.java new file mode 100644 index 000000000..2074b9d19 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/policy/IGeneralNamesConfig.java @@ -0,0 +1,52 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.policy; + +import java.util.Vector; + +import netscape.security.x509.GeneralNames; + +/** + * Class that can be used to form general names from configuration file. + * Used by policies and extension commands. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ *
+ * @deprecated
+ * @version $Revision$, $Date$
+ */
+public interface IGeneralNamesConfig {
+
+ /**
+ * Retrieves a list of configured general names.
+ *
+ * @return general names
+ */
+ public GeneralNames getGeneralNames();
+
+ /**
+ * Retrieves the instance parameters.
+ *
+ * @param params instance parameters
+ */
+ public void getInstanceParams(Vector params);
+}
diff --git a/base/common/src/com/netscape/certsrv/policy/IKeyArchivalPolicy.java b/base/common/src/com/netscape/certsrv/policy/IKeyArchivalPolicy.java
new file mode 100644
index 000000000..14a29256f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/policy/IKeyArchivalPolicy.java
@@ -0,0 +1,33 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.policy;
+
+/**
+ * Interface for a key recovery policy rule.
+ *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ *
+ * @deprecated
+ * @version $Revision$, $Date$
+ */
+public interface IKeyArchivalPolicy extends IPolicyRule {
+}
diff --git a/base/common/src/com/netscape/certsrv/policy/IKeyRecoveryPolicy.java b/base/common/src/com/netscape/certsrv/policy/IKeyRecoveryPolicy.java
new file mode 100644
index 000000000..6de615673
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/policy/IKeyRecoveryPolicy.java
@@ -0,0 +1,33 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.policy;
+
+/**
+ * Interface for a key recovery policy rule.
+ *
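Review bot: The Javadoc summary on IKeyArchivalPolicy reads "Interface for a key recovery policy rule.", which is the summary of IKeyRecoveryPolicy in the next hunk, so the two marker interfaces are indistinguishable in generated docs; change it to `* Interface for a key archival policy rule.`. Like the other policy interfaces in this commit it is deprecated only by the Javadoc tag and lacks `@Deprecated`.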

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public interface IKeyRecoveryPolicy extends IPolicyRule { +} diff --git a/base/common/src/com/netscape/certsrv/policy/IPolicyPredicateParser.java b/base/common/src/com/netscape/certsrv/policy/IPolicyPredicateParser.java new file mode 100644 index 000000000..0992beaeb --- /dev/null +++ b/base/common/src/com/netscape/certsrv/policy/IPolicyPredicateParser.java @@ -0,0 +1,43 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.policy; + +/** + * Interface for policy predicate parsers. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public interface IPolicyPredicateParser { + + /** + * Parse the predicate expression and return a vector of expressions. + * + * @param predicateExpression The predicate expression as read from the + * config file. + * @return expVector The vector of expressions. + */ + IExpression parse(String predicateExpression) + throws EPolicyException; +} diff --git a/base/common/src/com/netscape/certsrv/policy/IPolicyProcessor.java b/base/common/src/com/netscape/certsrv/policy/IPolicyProcessor.java new file mode 100644 index 000000000..11927a03f --- /dev/null +++ b/base/common/src/com/netscape/certsrv/policy/IPolicyProcessor.java 
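Review bot: The Javadoc on `parse` says it returns "a vector of expressions" and tags `@return expVector The vector of expressions.`, but the method returns a single `IExpression`; change the summary to `* Parses the predicate expression and returns the resulting expression.` and the tag to `@return the parsed expression`. The declared `throws EPolicyException` has no `@exception` tag; add one stating when implementations throw it. Since the `@param` says the string is read from the config file, the contract should also say what a malformed expression produces.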
@@ -0,0 +1,196 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.policy; + +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Vector; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.ISubsystem; + +/** + * A generic interface for a policy processor. By making a processor + * extend the policy interface, we make even the processor a rule - + * which makes sense because a processor may be based on some rule + * such as evaluate all policies before returning the final result or + * return as soon as one of the policies return a failure and so on. + * + * By making both processor and policy rules implement a common + * interface, one can write rules that are processors as well. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public interface IPolicyProcessor extends ISubsystem, + com.netscape.certsrv.request.IPolicy { + + public final static String PROP_DEF_POLICIES = "systemPolicies"; + public final static String PROP_UNDELETABLE_POLICIES = "undeletablePolicies"; + public final static String PROP_ENABLE = "enable"; + public final static String PROP_RULE = "rule"; + public final static String PROP_CLASS = "class"; + public final static String PROP_IMPL_NAME = "implName"; + public final static String PROP_PREDICATE = "predicate"; + public final static String PROP_IMPL = "impl"; + public final static String PROP_ORDER = "order"; + + public ISubsystem getAuthority(); + + /** + * Returns the policy substore id. + * + * @return storeID The policy store id used by this processor. + */ + String getPolicySubstoreId(); + + /** + * Returns information on Policy impls. + * + * @return An enumeration of strings describing the information + * about policy implementations. Currently only the + * the implementation id is expected. + */ + Enumeration getPolicyImplsInfo(); + + /** + * Returns the rule implementations registered with this processor. + * + * @return An Enumeration of uninitialized IPolicyRule + * objects. + */ + Enumeration getPolicyImpls(); + + /** + * Returns an implementation identified by a given id. + * + * @param id The implementation id. + * @return The uninitialized instance of the policy rule. + */ + IPolicyRule getPolicyImpl(String id); + + /** + * Returns configuration for an implmentation. + * + * @param id The implementation id. + * @return A vector of name/value pairs in the form of + * name=value. + */ + Vector getPolicyImplConfig(String id); + + /** + * Deletes a policy implementation identified by an impl id. + * + * + * @param id The impl id of the policy to be deleted. + * There shouldn't be any active instance for this + * implementation. + * @exception EBaseException is thrown if an error occurs in deletion. 
+ */ + void deletePolicyImpl(String id) + throws EBaseException; + + /** + * Adds a policy implementation identified by an impl id. + * + * @param id The impl id of the policy to be added. + * The id should be unique. + * @param classPath The fully qualified path for the implementation. + * @exception EBaseException is thrown if an error occurs in addition. + */ + void addPolicyImpl(String id, String classPath) + throws EBaseException; + + /** + * Returns information on Policy instances. + * + * @return An Enumeration of Strings describing the information + * about policy rule instances. + */ + Enumeration getPolicyInstancesInfo(); + + /** + * Returns policy instances registered with this processor. + * + * @return An Enumeration of policy instances. + */ + Enumeration getPolicyInstances(); + + /** + * Returns instance configuration for a given instance id. + * + * @param id The rule id. + * @return A vector of name/value pairs in the form of + * name=value. + */ + Vector getPolicyInstanceConfig(String id); + + /** + * Returns instance configuration for a given instance id. + * + * @param id The rule id. + * @return the policy instance identified by the id. + */ + IPolicyRule getPolicyInstance(String id); + + /** + * Deletes a policy instance identified by an instance id. + * + * @param id The instance id of the policy to be deleted. + * @exception EBaseException is thrown if an error occurs in deletion. + */ + void deletePolicyInstance(String id) + throws EBaseException; + + /** + * Adds a policy instance + * + * @param id The impl id of the policy to be added. + * The id should be unique. + * @param ht a Hashtable of config params. + * @exception EBaseException is thrown if an error occurs in addition. + */ + void addPolicyInstance(String id, Hashtable ht) + throws EBaseException; + + /** + * Modifies a policy instance + * + * @param id The impl id of the policy to be modified. + * The policy instance with this id should be present. 
+ * @param ht a Hashtable of config params. + * @exception EBaseException is thrown if an error occurs in addition. + */ + void modifyPolicyInstance(String id, Hashtable ht) + throws EBaseException; + + /** + * Modifies policy ordering. + * + * @param policyOrderStr The comma separated list of instance ids. + * + */ + void changePolicyInstanceOrdering(String policyOrderStr) + throws EBaseException; +} diff --git a/base/common/src/com/netscape/certsrv/policy/IPolicyRule.java b/base/common/src/com/netscape/certsrv/policy/IPolicyRule.java new file mode 100644 index 000000000..7f7f888f6 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/policy/IPolicyRule.java @@ -0,0 +1,128 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.policy; + +import java.util.Vector; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; + +/** + * Interface for a policy rule. + *
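Review bot: The Javadoc on `getPolicyInstance(String id)` is copied from `getPolicyInstanceConfig` ("Returns instance configuration for a given instance id.") although the method returns the `IPolicyRule` itself; change it to `* Returns the policy instance identified by the given id.`. `getAuthority()` has no Javadoc at all, and `changePolicyInstanceOrdering` declares `throws EBaseException` without an `@exception` tag. `addPolicyImpl(String id, String classPath)` takes a fully qualified class name that implementations will presumably load and instantiate, so the interface contract should state that the caller is responsible for authorizing the request before passing an externally supplied class name. The `Enumeration`, `Vector` and `Hashtable` types are raw throughout; the Javadoc already documents their element types (e.g. a `Vector` of `name=value` Strings), so they could be parameterized if the codebase targets Java 5 or later.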

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public interface IPolicyRule + extends com.netscape.certsrv.request.IPolicy { + public static final String PROP_ENABLE = "enable"; + public static final String PROP_PREDICATE = "predicate"; + public static final String PROP_IMPLNAME = "implName"; + + /** + * Initializes the policy rule. + *

+ * + * @param config The config store reference + */ + void init(ISubsystem owner, IConfigStore config) + throws EBaseException; + + /** + * Gets the description for this policy rule. + *

+ * + * @return The Description for this rule. + */ + String getDescription(); + + /** + * Returns the name of the policy rule class. + *

+ * + * @return The name of the policy class. + */ + String getName(); + + /** + * Returns the name of the policy rule instance. + *

+ * + * @return The name of the policy rule instance. If none + * is set the name of the implementation will be returned. + * + */ + String getInstanceName(); + + /** + * Sets a predicate expression for rule matching. + *

+ * + * @param exp The predicate expression for the rule. + */ + void setPredicate(IExpression exp); + + /** + * Returns the predicate expression for the rule. + *

+ * + * @return The predicate expression for the rule. + */ + IExpression getPredicate(); + + /** + * Applies the policy on the given Request. This may modify + * the request appropriately. + *

+ * + * @param req The request on which to apply policy. + * @return The PolicyResult object. + */ + PolicyResult apply(IRequest req); + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. Each name/value + * pair is constructed as a String in name=value format. + */ + public Vector getInstanceParams(); + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. Each name/value + * pair is constructed as a String in name=value. + */ + public Vector getDefaultParams(); + + public void setError(IRequest req, String format, Object[] params); + + public void setInstanceName(String instanceName); + + public void setPolicyException(IRequest req, EBaseException ex); +} diff --git a/base/common/src/com/netscape/certsrv/policy/IPolicySet.java b/base/common/src/com/netscape/certsrv/policy/IPolicySet.java new file mode 100644 index 000000000..a9fb6a2d2 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/policy/IPolicySet.java 
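Review bot: The `init` Javadoc documents `config` but not `owner`, and `setError`, `setInstanceName` and `setPolicyException` carry no Javadoc at all; `@param owner the subsystem that owns this rule` closes the first gap, and a one-line summary on each setter the second. `getInstanceParams()` and `getDefaultParams()` return raw `Vector` although their Javadoc says every element is a `name=value` String, so `Vector<String>` would let the compiler enforce that contract. Both apply to an interface already marked `@deprecated`, so they matter only as long as this file stays in the tree.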
@@ -0,0 +1,105 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.policy; + +import java.util.Enumeration; + +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; + +/** + * Represents a set of policy rules. Policy rules are ordered from + * lowest priority to highest priority. The priority assignment for rules + * is not enforced by this interface. Various implementation may + * use different mechanisms such as a linear ordering of rules + * in a configuration file or explicit assignment of priority levels ..etc. + * The policy system initialization needs to deal with reading the rules, sorting + * them in increasing order of priority and presenting an ordered vector of rules + * via the IPolicySet interface. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public interface IPolicySet { + + /** + * Returns the name of the rule set. + *

+ * + * @return The name of the rule set. + */ + String getName(); + + /** + * Returns the no of rules in a set. + *

+ * + * @return the no of rules. + */ + int count(); + + /** + * Add a policy rule. + *

+ * + * @param ruleName The name of the rule to be added. + * @param rule The rule to be added. + */ + void addRule(String ruleName, IPolicyRule rule); + + /** + * Removes a policy rule identified by the given name. + * + * @param ruleName The name of the rule to be removed. + */ + void removeRule(String ruleName); + + /** + * Returns the rule identified by a given name. + *

+ * + * @param ruleName The name of the rule to be return. + * @return The rule identified by the given name or null if none exists. + */ + IPolicyRule getRule(String ruleName); + + /** + * Returns an enumeration of rules. + *

+ * + * @return An enumeration of rules. + */ + Enumeration getRules(); + + /** + * Apply policy rules on a request. This call may modify + * the request content. + * + * @param req The request to apply policies on. + * + *

+ * @return The policy result. + */ + PolicyResult apply(IRequest req); +} diff --git a/base/common/src/com/netscape/certsrv/policy/IRenewalPolicy.java b/base/common/src/com/netscape/certsrv/policy/IRenewalPolicy.java new file mode 100644 index 000000000..28f56fe73 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/policy/IRenewalPolicy.java @@ -0,0 +1,33 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.policy; + +/** + * Interface for a renewal policy rule. + *
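Review bot: `getRules()` returns a raw `Enumeration` although the rest of the interface deals only in `IPolicyRule`; `Enumeration<IPolicyRule> getRules();` states that and removes the cast at every caller. `removeRule` does not say what happens when no rule has the given name, unlike `getRule`, which documents its null return; a line such as `@param ruleName name of the rule; a missing name is ignored` (or an `@throws` tag if implementations throw) would pin it down, though which of the two holds is not visible in this hunk.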

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public interface IRenewalPolicy extends IPolicyRule { +} diff --git a/base/common/src/com/netscape/certsrv/policy/IRevocationPolicy.java b/base/common/src/com/netscape/certsrv/policy/IRevocationPolicy.java new file mode 100644 index 000000000..7e6084c76 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/policy/IRevocationPolicy.java @@ -0,0 +1,33 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.policy; + +/** + * Interface for a revocation policy rule. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public interface IRevocationPolicy extends IPolicyRule { +} diff --git a/base/common/src/com/netscape/certsrv/policy/ISubjAltNameConfig.java b/base/common/src/com/netscape/certsrv/policy/ISubjAltNameConfig.java new file mode 100644 index 000000000..0fee01be2 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/policy/ISubjAltNameConfig.java @@ -0,0 +1,48 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.policy; + +/** + * Class that can be used to form general names from configuration file. + * Used by policies and extension commands. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public interface ISubjAltNameConfig extends IGeneralNameConfig { + + /** + * Retrieves configuration prefix. + * + * @return prefix + */ + public String getPfx(); + + /** + * Retrieves configuration attribute. + * + * @return attribute + */ + public String getAttr(); +} diff --git a/base/common/src/com/netscape/certsrv/policy/PolicyResources.java b/base/common/src/com/netscape/certsrv/policy/PolicyResources.java new file mode 100644 index 000000000..d330b719f --- /dev/null +++ b/base/common/src/com/netscape/certsrv/policy/PolicyResources.java @@ -0,0 +1,45 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.policy; + +import java.util.ListResourceBundle; + +/** + * Error messages for Policies. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + * @see java.util.ListResourceBundle + */ +public class PolicyResources extends ListResourceBundle { + + /** + * Returns the content of this resource. + */ + public Object[][] getContents() { + return contents; + } + + static final Object[][] contents = {}; +} diff --git a/base/common/src/com/netscape/certsrv/profile/CertInfoProfile.java b/base/common/src/com/netscape/certsrv/profile/CertInfoProfile.java new file mode 100644 index 000000000..5c192e9cd --- /dev/null +++ b/base/common/src/com/netscape/certsrv/profile/CertInfoProfile.java 
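Review bot: `getContents()` overrides `ListResourceBundle.getContents()` but lacks `@Override`, and it hands out the package-visible `static final Object[][] contents` array directly, which callers could mutate. With the array empty the practical exposure is nil, but `@Override` plus `private` on `contents` keeps a later addition of entries honest.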
@@ -0,0 +1,102 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.profile;
+
+import java.util.Enumeration;
+import java.util.StringTokenizer;
+import java.util.Vector;
+
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+
+public class CertInfoProfile {
+ private Vector mDefaults = new Vector();
+ private String mName = null;
+ private String mID = null;
+ private String mDescription = null;
+ private String mProfileIDMapping = null;
+ private String mProfileSetIDMapping = null;
+
+ public CertInfoProfile(String cfg) throws Exception {
+ IConfigStore config = CMS.createFileConfigStore(cfg);
+ mID = config.getString("id");
+ mName = config.getString("name");
+ mDescription = config.getString("description");
+ mProfileIDMapping = config.getString("profileIDMapping");
+ mProfileSetIDMapping = config.getString("profileSetIDMapping");
+ StringTokenizer st = new StringTokenizer(config.getString("list"), ",");
+ while (st.hasMoreTokens()) {
+ String id = (String) st.nextToken();
+ String c = config.getString(id + ".default.class");
+ try {
+ /* load defaults */
+ ICertInfoPolicyDefault def = (ICertInfoPolicyDefault)
+ Class.forName(c).newInstance();
+ init(config.getSubStore(id + ".default"), def);
+ mDefaults.addElement(def);
+ } catch (Exception e) {
+ CMS.debug("CertInfoProfile: " + e.toString());
+ }
+ }
+ }
+
+ private void init(IConfigStore config, ICertInfoPolicyDefault def)
+ throws Exception {
+ try {
+ def.init(null, config);
+ } catch (Exception e) {
+ CMS.debug("CertInfoProfile.init: " + e.toString());
+ }
+ }
+
+ public String getID() {
+ return mID;
+ }
+
+ public String getName() {
+ return mName;
+ }
+
+ public String getDescription() {
+ return mDescription;
+ }
+
+ public String getProfileIDMapping() {
+ return mProfileIDMapping;
+ }
+
+ public String getProfileSetIDMapping() {
+ return mProfileSetIDMapping;
+ }
+
+ public void populate(X509CertInfo info) {
+ Enumeration e1 = mDefaults.elements();
+ while (e1.hasMoreElements()) {
+ ICertInfoPolicyDefault def =
+ (ICertInfoPolicyDefault) e1.nextElement();
+ try {
+ def.populate(null /* request */, info);
+ } catch (Exception e) {
+ CMS.debug(e);
+ CMS.debug("CertInfoProfile.populate: " + e.toString());
+ }
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/profile/EDeferException.java b/base/common/src/com/netscape/certsrv/profile/EDeferException.java
new file mode 100644
index 000000000..c92630b97
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/profile/EDeferException.java
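Review bot: In the constructor loop the `catch (Exception e)` around `Class.forName(c).newInstance()` and `init(...)` only calls `CMS.debug`, so a default listed in `list` whose class cannot be loaded or initialised is silently left out of `mDefaults` while the profile is still built; the `init` helper swallows `def.init` failures the same way and `populate` logs and continues, so a certificate template can end up missing defaults with nothing but a debug line to show for it. Since the constructor already declares `throws Exception`, rethrowing after the debug line (`throw e;`) — or at least failing when a listed class is missing — would surface the misconfiguration at load time instead of at issuance. The cast to `ICertInfoPolicyDefault` is also applied only after `newInstance()` has already run the constructor of whatever class name the config supplied; `Class.forName(c).asSubclass(ICertInfoPolicyDefault.class).getDeclaredConstructor().newInstance()` rejects a non-conforming class before instantiating it, and declaring `mDefaults` as `Vector<ICertInfoPolicyDefault>` would remove the cast in `populate`.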
@@ -0,0 +1,48 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.profile; + +/** + * This represents a profile specific exception. The + * framework raises this exception when a request is + * deferred. + *

+ * A deferred request will not be processed immediately. Manual approval is required for processing the request again. + *

+ * + * @version $Revision$, $Date$ + */ +public class EDeferException extends EProfileException { + + /** + * + */ + private static final long serialVersionUID = -8267140233153746034L; + + /** + * Creates a defer exception. + * + * @param msg localized message that will be + * displayed to end user. This message + * should indicate the reason why a request + * is deferred. + */ + public EDeferException(String msg) { + super(msg); + } +} diff --git a/base/common/src/com/netscape/certsrv/profile/EProfileException.java b/base/common/src/com/netscape/certsrv/profile/EProfileException.java new file mode 100644 index 000000000..37f968a67 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/profile/EProfileException.java @@ -0,0 +1,47 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.profile; + +import com.netscape.certsrv.base.EBaseException; + +/** + * This represents a generic profile exception. + *
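Review bot: `EDeferException(String msg)` is the only constructor, so code that catches a lower-level failure and turns it into a deferral has no way to attach the cause and the original stack trace is lost; the same applies to `EProfileException` and `ERejectException` in the next two hunks. If `EBaseException` offers a `(String, Throwable)` constructor (not visible here), adding `public EDeferException(String msg, Throwable cause) { super(msg, cause); }` — or at least the equivalent on the base `EProfileException` — would preserve it. The empty Javadoc block above `serialVersionUID` says nothing and can simply be dropped.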

+ * This is the base class for all profile-specific exception. + *

+ * + * @version $Revision$, $Date$ + */ +public class EProfileException extends EBaseException { + + /** + * + */ + private static final long serialVersionUID = -4259647804183018757L; + + /** + * Creates a profile exception. + * + * @param msg additional message for the handler + * of the exception. The message may + * or may not be localized. + */ + public EProfileException(String msg) { + super(msg); + } +} diff --git a/base/common/src/com/netscape/certsrv/profile/ERejectException.java b/base/common/src/com/netscape/certsrv/profile/ERejectException.java new file mode 100644 index 000000000..59b35bcdb --- /dev/null +++ b/base/common/src/com/netscape/certsrv/profile/ERejectException.java @@ -0,0 +1,46 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.profile; + +/** + * This represents a profile specific exception. This + * exception is raised when a request is rejected. + *

+ * A rejected request cannot be reprocessed. Rejected request is considered as a request in its terminal state. + *

+ * + * @version $Revision$, $Date$ + */ +public class ERejectException extends EProfileException { + + /** + * + */ + private static final long serialVersionUID = -542393641391361342L; + + /** + * Creates a rejection exception. + * + * @param msg localized message that indicates + * the reason why a request is + * rejected. + */ + public ERejectException(String msg) { + super(msg); + } +} diff --git a/base/common/src/com/netscape/certsrv/profile/ICertInfoPolicyDefault.java b/base/common/src/com/netscape/certsrv/profile/ICertInfoPolicyDefault.java new file mode 100644 index 000000000..698791296 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/profile/ICertInfoPolicyDefault.java @@ -0,0 +1,32 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.profile; + +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.request.IRequest; + +public interface ICertInfoPolicyDefault extends IPolicyDefault { + + /** + * Populates certificate info directly. + */ + public void populate(IRequest request, X509CertInfo info) + throws EBaseException; +} 
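Review bot: The Javadoc on `populate(IRequest request, X509CertInfo info)` has no `@param`/`@throws` tags and in particular does not say whether `request` may be null, yet `CertInfoProfile.populate` in this same commit calls it with `null /* request */`. A tag such as `@param request the enrollment request, or null when populating a template outside a request; implementations must tolerate null` (assuming that is the intended contract — it is not visible here) plus `@throws EBaseException if the certificate info cannot be populated` would make every implementation's obligation explicit.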
diff --git a/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java b/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java new file mode 100644 index 000000000..189530f7a --- /dev/null +++ b/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java @@ -0,0 +1,157 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.profile; + +import com.netscape.certsrv.request.IRequest; + +/** + * This interface represents an enrollment profile. + *

+ * An enrollment profile contains a list of enrollment specific input plugins, default policies, constriant policies and + * output plugins. + *

+ * This interface also defines a set of enrollment specific attribute names that can be used to retrieve values from an + * enrollment request. + *

+ * + * @version $Revision$, $Date$ + */ +public interface IEnrollProfile extends IProfile { + + /** + * Name of request attribute that stores the User + * Supplied Certificate Request Type. + */ + public static final String CTX_CERT_REQUEST_TYPE = "cert_request_type"; + + /** + * Name of request attribute that stores the User + * Supplied Certificate Request. + */ + public static final String CTX_CERT_REQUEST = "cert_request"; + + /** + * Possible values for CTX_CERT_REQUEST_TYPE attribute. + */ + public static final String REQ_TYPE_PKCS10 = "pkcs10"; + public static final String REQ_TYPE_CRMF = "crmf"; + public static final String REQ_TYPE_CMC = "cmc"; + public static final String REQ_TYPE_KEYGEN = "keygen"; + + /** + * Name of request attribute that stores the End-User Locale. + *

+ * The value is of type java.util.Locale. + */ + public static final String REQUEST_LOCALE = "req_locale"; + + /** + * Name of request attribute that stores the sequence number. Consider + * a CRMF request that may contain multiple certificate request. + * The first sub certificate certificate request has a sequence + * number of 0, the next one has a sequence of 1, and so on. + *

+ * The value is of type java.lang.Integer. + */ + public static final String REQUEST_SEQ_NUM = "req_seq_num"; + + /** + * Name of the request attribute that stores the sequence number for a + * renewal request. Only one request at a time is permitted for a renewal. + * This value corresponds to the sequence number (and hence the appropriate + * certificate) of the original request + */ + public static final String CTX_RENEWAL_SEQ_NUM = "renewal_seq_num"; + + /** + * Name of request attribute to indicate if this is a renewal + */ + public static final String CTX_RENEWAL = "renewal"; + + /** + * Name of request attribute that stores the End-User Supplied + * Key. + *

+ * The value is of type netscape.security.x509.CertificateX509Key + */ + public static final String REQUEST_KEY = "req_key"; + + /** + * Name of request attribute that stores the End-User Supplied + * Subject Name. + *

+ * The value is of type netscape.security.x509.CertificateSubjectName + */ + public static final String REQUEST_SUBJECT_NAME = "req_subject_name"; + + /** + * Name of request attribute that stores the End-User Supplied + * Validity. + *

+ * The value is of type netscape.security.x509.CertificateValidity + */ + public static final String REQUEST_VALIDITY = "req_validity"; + + /** + * Name of request attribute that stores the End-User Supplied + * Signing Algorithm. + *

+ * The value is of type netscape.security.x509.CertificateAlgorithmId + */ + public static final String REQUEST_SIGNING_ALGORITHM = "req_signing_alg"; + + /** + * Name of request attribute that stores the End-User Supplied + * Extensions. + *

+ * The value is of type netscape.security.x509.CertificateExtensions + */ + public static final String REQUEST_EXTENSIONS = "req_extensions"; + + /** + * Name of request attribute that stores the End-User Supplied + * PKI Archive Option extension. This extension is extracted + * from a CRMF request that has the user-provided private key. + *

+ * The value is of type byte [] + */ + public static final String REQUEST_ARCHIVE_OPTIONS = "req_archive_options"; + + /** + * Name of request attribute that stores the certificate template + * that will be signed and then become a certificate. + *

+ * The value is of type netscape.security.x509.X509CertInfo + */ + public static final String REQUEST_CERTINFO = "req_x509info"; + + /** + * Name of request attribute that stores the issued certificate. + *

+ * The value is of type netscape.security.x509.X509CertImpl + */ + public static final String REQUEST_ISSUED_CERT = "req_issued_cert"; + + /** + * Set Default X509CertInfo in the request. + * + * @param request profile-based certificate request. + * @exception EProfileException failed to set the X509CertInfo. + */ + public void setDefaultCertInfo(IRequest request) throws EProfileException; +} diff --git a/base/common/src/com/netscape/certsrv/profile/IPolicyConstraint.java b/base/common/src/com/netscape/certsrv/profile/IPolicyConstraint.java new file mode 100644 index 000000000..bf2374652 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/profile/IPolicyConstraint.java @@ -0,0 +1,89 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.profile; + +import java.util.Locale; + +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.property.IConfigTemplate; +import com.netscape.certsrv.request.IRequest; + +/** + * This represents a constraint policy. A constraint policy + * validates if the given request conforms to the set + * rules. + *
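Review bot: Two typos in the new Javadoc: the class comment reads `constriant policies` (should be `constraint policies`), and the `REQUEST_SEQ_NUM` comment reads `The first sub certificate certificate request` (duplicated word). The single Javadoc `Possible values for CTX_CERT_REQUEST_TYPE attribute.` attaches only to `REQ_TYPE_PKCS10`, leaving the other three `REQ_TYPE_*` constants undocumented in generated docs; either give each a short comment or list the values in the `CTX_CERT_REQUEST_TYPE` Javadoc with `@see` links.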

+ * + * @version $Revision$, $Date$ + */ +public interface IPolicyConstraint extends IConfigTemplate { + + /** + * Initializes this constraint policy. + * + * @param profile owner of this policy + * @param config configuration store for this constraint + * @exception EProfileException failed to initialize + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException; + + /** + * Returns the corresponding configuration store + * of this constraint policy. + * + * @return config store of this constraint + */ + public IConfigStore getConfigStore(); + + /** + * Validates the request. The request is not modified + * during the validation. + * + * @param request request to be validated + * @exception ERejectException reject the given request + */ + public void validate(IRequest request) + throws ERejectException; + + /** + * Returns localized description of this constraint. + * + * @param locale locale of the end-user + * @return localized description of this constraint + */ + public String getText(Locale locale); + + /** + * Returns localized name of this constraint. + * + * @param locale locale of the end-user + * @return localized name of this constraint + */ + public String getName(Locale locale); + + /** + * Checks if this constraint is applicable to the + * given default policy. + * + * @param def default policy to be checked + * @return true if this constraint can be applied to + * the given default policy + */ + public boolean isApplicable(IPolicyDefault def); +} diff --git a/base/common/src/com/netscape/certsrv/profile/IPolicyDefault.java b/base/common/src/com/netscape/certsrv/profile/IPolicyDefault.java new file mode 100644 index 000000000..469d6dded --- /dev/null +++ b/base/common/src/com/netscape/certsrv/profile/IPolicyDefault.java 
@@ -0,0 +1,136 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.profile; + +import java.util.Enumeration; +import java.util.Locale; + +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IConfigTemplate; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This represents a default policy that populates + * the request with additional values. + *

+ * + * During request submission process, a default policy is invoked to populate the default values in the request. The + * default values will later on be used for execution. The default values are like the parameters for the request. + *

+ * + * This policy is called in 2 places. For automated enrollment request, this policy is invoked to populate the HTTP + * parameters into the request. For request that cannot be executed immediately, this policy will be invoked again right + * after the agent's approval. + *

+ * + * Each default policy may contain zero or more properties that describe the default value. For example, a X509 Key can + * be described by its key type, key length, and key data. The properties help to describe the default value into human + * readable values. + *

+ * + * @version $Revision$, $Date$ + */ +public interface IPolicyDefault extends IConfigTemplate { + + /** + * Initializes this default policy. + * + * @param profile owner of this default policy + * @param config configuration store for this default + * @exception EProfileException failed to initialize + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException; + + /** + * Retrieves the configuration store of this default. + * + * @return configuration store of this default policy + */ + public IConfigStore getConfigStore(); + + /** + * Populates the request with this policy default. + * + * @param request request to be populated + * @exception EProfileException failed to populate + */ + public void populate(IRequest request) + throws EProfileException; + + /** + * Retrieves the localizable name of this policy. + * + * @param locale locale of the end user + * @return localized name of this default policy + */ + public String getName(Locale locale); + + /** + * Retrieves the localizable description of this policy. + * + * @param locale locale of the end user + * @return localized description of this default policy + */ + public String getText(Locale locale); + + /** + * Retrieves a list of names of the property. + * + * @return a list of property names. The values are + * of type java.lang.String + */ + public Enumeration getValueNames(); + + /** + * Retrieves the descriptor of the given property + * by name. The descriptor contains syntax + * information. + * + * @param locale locale of the end user + * @param name name of property + * @return descriptor of the property + */ + public IDescriptor getValueDescriptor(Locale locale, String name); + + /** + * Sets the value of the given value property by name. 
+ * + * @param name name of property + * @param locale locale of the end user + * @param request request + * @param value value to be set in the given request + * @exception EPropertyException failed to set property + */ + public void setValue(String name, Locale locale, IRequest request, + String value) throws EPropertyException; + + /** + * Retrieves the value of the given value + * property by name. + * + * @param name name of property + * @param locale locale of the end user + * @param request request + * @exception EPropertyException failed to get property + */ + public String getValue(String name, Locale locale, IRequest request) + throws EPropertyException; +} diff --git a/base/common/src/com/netscape/certsrv/profile/IProfile.java b/base/common/src/com/netscape/certsrv/profile/IProfile.java new file mode 100644 index 000000000..0cd39c091 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/profile/IProfile.java 
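Review bot: `getValue(String, Locale, IRequest)` has no `@return` tag although it returns a `String`, and `getValueNames()` returns a raw `Enumeration` while its Javadoc promises `java.lang.String` elements; `Enumeration<String> getValueNames();` and `@return current value of the property in the given request` would close both gaps. The `init` and `populate` Javadocs use `@exception` while the rest of the commit mixes `@exception` and `@throws`; picking one form across the new profile interfaces is a small consistency win.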
@@ -0,0 +1,408 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.profile; + +import java.util.Enumeration; +import java.util.Locale; + +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IRequestQueue; +import com.netscape.cms.profile.common.ProfilePolicy; + +/** + * This interface represents a profile. A profile contains + * a list of input policies, default policies, constraint + * policies and output policies. + *

+ * + * The input policy is for building the enrollment page. + *

+ * + * The default policy is for populating user-supplied and system-supplied values into the request. + *

+ * + * The constraint policy is for validating the request before processing. + *

+ * + * The output policy is for building the result page. + *

+ * + * Each profile can have multiple policy set. Each set is composed of zero or more default policies and zero or more + * constraint policies. + *

+ * + * @version $Revision$, $Date$ + */ +public interface IProfile { + + /** + * Initializes this profile. + * + * @param owner profile subsystem + * @param config configuration store for this profile + * @exception EBaseException failed to initialize + */ + public void init(IProfileSubsystem owner, IConfigStore config) + throws EBaseException; + + /** + * Retrieves the request queue that is associated with + * this profile. The request queue is for creating + * new requests. + * + * @return request queue + */ + public IRequestQueue getRequestQueue(); + + /** + * Sets id of this profile. + * + * @param id profile identifier + */ + public void setId(String id); + + /** + * Returns the identifier of this profile. + * + * @return profile id + */ + public String getId(); + + /** + * Retrieves a localized string that represents + * requestor's distinguished name. This string + * displayed in the request listing user interface. + * + * @param request request + * @return distringuished name of the request owner + */ + public String getRequestorDN(IRequest request); + + /** + * Retrieves the configuration store of this profile. + * + * @return configuration store + */ + public IConfigStore getConfigStore(); + + /** + * Retrieves the instance id of the authenticator for this profile. + * + * @return authenticator instance id + */ + public String getAuthenticatorId(); + + public String getAuthzAcl(); + + /** + * Sets the instance id of the authenticator for this profile. + * + * @param id authenticator instance id + */ + public void setAuthenticatorId(String id); + + /** + * Retrieves the associated authenticator instance. + * + * @return profile authenticator instance. + * if no associated authenticator, null is returned + * @exception EProfileException failed to retrieve + */ + public IProfileAuthenticator getAuthenticator() + throws EProfileException; + + /** + * Retrieves a list of input policy IDs. 
+ * + * @return input policy id list + */ + public Enumeration getProfileInputIds(); + + /** + * Retrieves input policy by id. + * + * @param id input policy id + * @return input policy instance + */ + public IProfileInput getProfileInput(String id); + + /** + * Retrieves a list of output policy IDs. + * + * @return output policy id list + */ + public Enumeration getProfileOutputIds(); + + /** + * Retrieves output policy by id. + * + * @param id output policy id + * @return output policy instance + */ + public IProfileOutput getProfileOutput(String id); + + /** + * Checks if this profile is end-user profile or not. + * End-user profile will be displayed to the end user. + * Non end-user profile mainly is for registration + * manager. + * + * @return end-user profile or not + */ + public boolean isVisible(); + + /** + * Sets this profile end-user profile or not. + * + * @param v end-user profile or not + */ + public void setVisible(boolean v); + + /** + * Retrieves the user id of the person who + * approves this profile. + * + * @return user id of the approver of this profile + */ + public String getApprovedBy(); + + /* + * Is this a renewal profile + */ + public String isRenewal(); + + /* + * is output going to be in xml? + */ + public String isXmlOutput(); + + /** + * Returns the profile name. + * + * @param locale end-user locale + * @param name profile name + */ + public void setName(Locale locale, String name); + + /** + * Retrieves the profile name. + * + * @param locale end-user locale + * @return localized profile name + */ + public String getName(Locale locale); + + /** + * Returns the profile description. + * + * @param locale end-user locale + * @param desc profile description + */ + public void setDescription(Locale locale, String desc); + + /** + * Retrieves the profile description. + * + * @param locale end-user locale + * @return localized profile description + */ + public String getDescription(Locale locale); + + /** + * Retrieves profile context. 
The context stores + * information about the requestor before the + * actual request is created. + * + * @return profile context. + */ + public IProfileContext createContext(); + + /** + * Returns the profile policy set identifiers. + * + * @return a list of policy set id + */ + public Enumeration getProfilePolicySetIds(); + + /** + * Creates a profile policy. + * + * @param setId id of the policy set that owns this policy + * @param id policy id + * @param defaultClassId id of the registered default implementation + * @param constraintClassId id of the registered constraint implementation + * @exception EProfileException failed to create policy + * @return profile policy instance + */ + public IProfilePolicy createProfilePolicy(String setId, String id, + String defaultClassId, String constraintClassId) + throws EProfileException; + + /** + * Deletes input policy by id. + * + * @param inputId id of the input policy + * @exception EProfileException failed to delete + */ + public void deleteProfileInput(String inputId) throws EProfileException; + + /** + * Deletes output policy by id. + * + * @param outputId id of the output policy + * @exception EProfileException failed to delete + */ + public void deleteProfileOutput(String outputId) throws EProfileException; + + /** + * Creates a input policy. + * + * @param id input policy id + * @param inputClassId id of the registered input implementation + * @param nvp default parameters + * @return input policy + * @exception EProfileException failed to create + */ + public IProfileInput createProfileInput(String id, String inputClassId, + NameValuePairs nvp) + throws EProfileException; + + /** + * Creates a output policy. 
+ * + * @param id output policy id + * @param outputClassId id of the registered output implementation + * @param nvp default parameters + * @return output policy + * @exception EProfileException failed to create + */ + public IProfileOutput createProfileOutput(String id, String outputClassId, + NameValuePairs nvp) throws EProfileException; + + /** + * Deletes a policy. + * + * @param setId id of the policy set + * @param policyId id of policy to delete + * @exception EProfileException failed to delete + */ + public void deleteProfilePolicy(String setId, String policyId) + throws EProfileException; + + /** + * Retrieves a policy. + * + * @param setId set id + * @param id policy id + * @return profile policy + */ + public IProfilePolicy getProfilePolicy(String setId, String id); + + /** + * Retrieves all the policy id within a set. + * + * @param setId set id + * @return a list of policy id + */ + public Enumeration getProfilePolicyIds(String setId); + + /** + * Retrieves a default set id for the given request. + * It is the profile's responsibility to return + * an appropriate set id for the request. + * + * @param req request + * @return policy set id + */ + public String getPolicySetId(IRequest req); + + /** + * Returns a list of profile policies. + * + * @param setId set id + * @return a list of policies + */ + public Enumeration getProfilePolicies(String setId); + + /** + * Creates one or more requests. Normally, only one request will + * be created. In case of CRMF request, multiple requests may be + * created for one submission. + * + * @param ctx profile context + * @param locale user locale + * @return a list of requests + * @exception EProfileException failed to create requests + */ + public IRequest[] createRequests(IProfileContext ctx, Locale locale) + throws EProfileException; + + /** + * Populates user-supplied input values into the requests. 
+ * + * @param ctx profile context + * @param request request + * @exception EProfileException failed to populate + */ + public void populateInput(IProfileContext ctx, IRequest request) + throws EProfileException; + + /** + * Passes the request to the set of default policies that + * populate the profile information against the profile. + * + * @param request request + * @exception EProfileException failed to populate default values + */ + public void populate(IRequest request) + throws EProfileException; + + /** + * Passes the request to the set of constraint policies + * that validate the request against the profile. + * + * @param request request + * @exception ERejectException validation violation + */ + public void validate(IRequest request) + throws ERejectException; + + /** + * Process a request after validation. + * + * @param request request to be processed + * @exception EProfileException failed to process + */ + public void execute(IRequest request) + throws EProfileException; + + /** + * Handles end-user request submission. + * + * @param token authentication token + * @param request request to be processed + * @exception EDeferException defer request + * @exception EProfileException failed to submit + */ + public void submit(IAuthToken token, IRequest request) + throws EDeferException, EProfileException; +} diff --git a/base/common/src/com/netscape/certsrv/profile/IProfileAuthenticator.java b/base/common/src/com/netscape/certsrv/profile/IProfileAuthenticator.java new file mode 100644 index 000000000..98546c601 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/profile/IProfileAuthenticator.java 
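Review bot: `getAuthzAcl()` is the only method in this interface without Javadoc, and it is the one that names the authorization boundary for a profile; from the signature a caller cannot tell what format the returned string has or whether a null or empty value means that no profile-level ACL is enforced. Suggest adding `/** Retrieves the authorization ACL of this profile. @return ACL expression; the meaning of a null or empty value should be stated here — TODO confirm against the implementing class */`. In the same hunk, `isRenewal()` and `isXmlOutput()` answer yes/no questions with a `String` and carry `/*` comments that Javadoc ignores, so callers have no documented set of accepted values and are invited to compare the result with `==`; a `boolean`, or at least Javadoc listing the accepted strings, would be safer. The Javadoc on `setName(Locale, String)` and `setDescription(Locale, String)` reads "Returns the profile name/description" although both are setters.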
@@ -0,0 +1,120 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.profile;
+
+import java.util.Enumeration;
+import java.util.Locale;
+
+import com.netscape.certsrv.authentication.IAuthManager;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This interface represents an authenticator for profile.
+ * An authenticator is responsibile for authenting
+ * the end-user. If authentication is successful, request
+ * can be processed immediately. Otherwise, the request will
+ * be defered and manual approval is then required.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IProfileAuthenticator extends IAuthManager {
+
+ public static final String AUTHENTICATED_NAME = "authenticatedName";
+
+ /**
+ * Initializes this default policy.
+ *
+ * @param profile owner of this authenticator
+ * @param config configuration store
+ * @exception EProfileException failed to initialize
+ */
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException;
+
+ /**
+ * Retrieves the configuration store.
+ *
+ * @return configuration store
+ */
+ public IConfigStore getConfigStore();
+
+ /**
+ * Populates authentication specific information into the
+ * request for auditing purposes.
+ *
+ * @param token authentication token
+ * @param request request
+ * @exception EProfileException failed to populate
+ */
+ public void populate(IAuthToken token, IRequest request)
+ throws EProfileException;
+
+ /**
+ * Retrieves the localizable name of this policy.
+ *
+ * @param locale end user locale
+ * @return localized authenticator name
+ */
+ public String getName(Locale locale);
+
+ /**
+ * Retrieves the localizable description of this policy.
+ *
+ * @param locale end user locale
+ * @return localized authenticator description
+ */
+ public String getText(Locale locale);
+
+ /**
+ * Retrieves a list of names of the property.
+ *
+ * @return a list of property names
+ */
+ public Enumeration getValueNames();
+
+ /**
+ * Checks if the value of the given property should be
+ * serializable into the request. Passsword or other
+ * security-related value may not be desirable for
+ * storage.
+ *
+ * @param name property name
+ * @return true if the property is not security related
+ */
+ public boolean isValueWriteable(String name);
+
+ /**
+ * Retrieves the descriptor of the given value
+ * property by name.
+ *
+ * @param locale user locale
+ * @param name property name
+ * @return descriptor of the requested property
+ */
+ public IDescriptor getValueDescriptor(Locale locale, String name);
+
+ /**
+ * Checks if this authenticator requires SSL client authentication.
+ *
+ * @return client authentication required or not
+ */
+ public boolean isSSLClientRequired();
+}
diff --git a/base/common/src/com/netscape/certsrv/profile/IProfileContext.java b/base/common/src/com/netscape/certsrv/profile/IProfileContext.java
new file mode 100644
index 000000000..b3c27d040
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/profile/IProfileContext.java
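Review bot: `isValueWriteable(String name)` is the gate that decides whether an authentication property — the Javadoc itself names passwords — is written into the request, yet the comment neither says that the request is persisted nor tells implementors what to answer for a property name they do not recognize; an implementation that defaults to true for unknown names would store credentials alongside the request. Suggest tightening it to `Checks whether the value of the given property may be written into the request, which is persisted. Passwords and other security-sensitive values must return false, and implementations should also return false for property names they do not recognize.` The `init` Javadoc reads "Initializes this default policy", wording copied from `IPolicyDefault`; the same copied sentence appears on `init` in `IProfileInput`, `IProfileOutput` and `IProfileUpdater` later in this commit, and each should name its own kind. The class Javadoc also has the spelling slips "responsibile for authenting", "defered" and "Passsword".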
@@ -0,0 +1,44 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.profile;
+
+/**
+ * This interface represents a profile context which
+ * stores system-wide and user-provided information for
+ * assisting request creation.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IProfileContext {
+
+ /**
+ * Sets a value into the context.
+ *
+ * @param name property name
+ * @param value property value
+ */
+ public void set(String name, String value);
+
+ /**
+ * Retrieves a value from the context.
+ *
+ * @param name property name
+ * @return property value
+ */
+ public String get(String name);
+}
diff --git a/base/common/src/com/netscape/certsrv/profile/IProfileEx.java b/base/common/src/com/netscape/certsrv/profile/IProfileEx.java
new file mode 100644
index 000000000..79e4f4175
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/profile/IProfileEx.java
@@ -0,0 +1,36 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.profile; + +import com.netscape.certsrv.base.EBaseException; + +/** + * This interface represents the extension version of + * profile. + *

+ * + * @version $Revision$, $Date$ + */ +public interface IProfileEx extends IProfile { + + /** + * Called after initialization. It populates default + * policies, inputs, and outputs. + */ + public void populate() throws EBaseException; +} diff --git a/base/common/src/com/netscape/certsrv/profile/IProfileInput.java b/base/common/src/com/netscape/certsrv/profile/IProfileInput.java new file mode 100644 index 000000000..4ef598698 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/profile/IProfileInput.java 
@@ -0,0 +1,120 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.profile; + +import java.util.Enumeration; +import java.util.Locale; + +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IConfigTemplate; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This interface represents a input policy which + * provides information on how to create the + * end-user enrollment page. + * + * @version $Revision$, $Date$ + */ +public interface IProfileInput extends IConfigTemplate { + + /** + * Initializes this default policy. + * + * @param profile owner of this input + * @param config configuration store + * @exception EProfileException failed to initialize + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException; + + /** + * Returns configuration store. + * + * @return configuration store + */ + public IConfigStore getConfigStore(); + + /** + * Populates the request with this policy default. 
+ * + * @param ctx profile context + * @param request request + * @exception EProfileException failed to populate + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException; + + /** + * Retrieves the localizable name of this policy. + * + * @param locale user locale + * @return localized input name + */ + public String getName(Locale locale); + + /** + * Retrieves the localizable description of this policy. + * + * @param locale user locale + * @return localized input description + */ + public String getText(Locale locale); + + /** + * Retrieves a list of names of the property. + * + * @return a list of property names + */ + public Enumeration getValueNames(); + + /** + * Retrieves the descriptor of the given value + * property by name. + * + * @param locale user locale + * @param name property name + * @return descriptor of the property + */ + public IDescriptor getValueDescriptor(Locale locale, String name); + + /** + * Retrieves value from the request. + * + * @param name property name + * @param locale user locale + * @param request request + * @exception EProfileException failed to get value + */ + public String getValue(String name, Locale locale, IRequest request) + throws EProfileException; + + /** + * Sets the value of the given property by name. + * + * @param name property name + * @param locale user locale + * @param request request + * @param value value + * @exception EProfileException failed to get value + */ + public void setValue(String name, Locale locale, IRequest request, + String value) throws EPropertyException; +} diff --git a/base/common/src/com/netscape/certsrv/profile/IProfileOutput.java b/base/common/src/com/netscape/certsrv/profile/IProfileOutput.java new file mode 100644 index 000000000..b60e4475b --- /dev/null +++ b/base/common/src/com/netscape/certsrv/profile/IProfileOutput.java 
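Review bot: The Javadoc on `setValue` declares `@exception EProfileException failed to get value` while the signature throws `EPropertyException`, so the documented and actual exception types disagree and the text says "get" for a setter; the same mismatch is in `IProfileOutput.setValue` in the next hunk, where both `getValue` and `setValue` are documented as "failed to retrieve value". Suggest `@exception EPropertyException failed to set value` on both setters. `getValue` in this hunk also has no `@return` tag, and its `populate` comment "Populates the request with this policy default" is copied from `IPolicyDefault` although this interface carries user-supplied input; `Populates the request with the user-supplied values of this input.` would describe it.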
@@ -0,0 +1,121 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.profile; + +import java.util.Enumeration; +import java.util.Locale; + +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IConfigTemplate; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This interface represents a output policy which + * provides information on how to build the result + * page for the enrollment. + * + * @version $Revision$, $Date$ + */ +public interface IProfileOutput extends IConfigTemplate { + + /** + * Initializes this default policy. + * + * @param profile owner of this policy + * @param config configuration store + * @exception EProfileException failed to initialize + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException; + + /** + * Retrieves configuration store. + * + * @return configuration store + */ + public IConfigStore getConfigStore(); + + /** + * Populates the request with this policy default. 
+ * + * @param ctx profile context + * @param request request + * @exception EProfileException failed to populate + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException; + + /** + * Retrieves the localizable name of this policy. + * + * @param locale user locale + * @return output policy name + */ + public String getName(Locale locale); + + /** + * Retrieves the localizable description of this policy. + * + * @param locale user locale + * @return output policy description + */ + public String getText(Locale locale); + + /** + * Retrieves a list of names of the value parameter. + * + * @return a list of property names + */ + public Enumeration getValueNames(); + + /** + * Retrieves the descriptor of the given value + * parameter by name. + * + * @param locale user locale + * @param name property name + * @return property descriptor + */ + public IDescriptor getValueDescriptor(Locale locale, String name); + + /** + * Retrieves the value of the given value parameter by name. + * + * @param name property name + * @param locale user locale + * @param request request + * @return property value + * @exception EProfileException failed to retrieve value + */ + public String getValue(String name, Locale locale, IRequest request) + throws EProfileException; + + /** + * Sets the value of the given value parameter by name. + * + * @param name property name + * @param locale user locale + * @param request request + * @param value property value + * @exception EProfileException failed to retrieve value + */ + public void setValue(String name, Locale locale, IRequest request, + String value) throws EPropertyException; +} diff --git a/base/common/src/com/netscape/certsrv/profile/IProfilePolicy.java b/base/common/src/com/netscape/certsrv/profile/IProfilePolicy.java new file mode 100644 index 000000000..d231f8d55 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/profile/IProfilePolicy.java 
@@ -0,0 +1,49 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.profile;
+
+/**
+ * This interface represents a profile policy
+ * which consists a default policy and a
+ * constraint policy.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IProfilePolicy {
+
+ /**
+ * Retrieves the policy id
+ *
+ * @return policy id
+ */
+ public String getId();
+
+ /**
+ * Retrieves the default policy.
+ *
+ * @return default policy
+ */
+ public IPolicyDefault getDefault();
+
+ /**
+ * Retrieves the constraint policy.
+ *
+ * @return constraint policy
+ */
+ public IPolicyConstraint getConstraint();
+}
diff --git a/base/common/src/com/netscape/certsrv/profile/IProfileSubsystem.java b/base/common/src/com/netscape/certsrv/profile/IProfileSubsystem.java
new file mode 100644
index 000000000..b7a68445b
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/profile/IProfileSubsystem.java
@@ -0,0 +1,134 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.profile;
+
+import java.util.Enumeration;
+
+import com.netscape.certsrv.base.ISubsystem;
+
+/**
+ * This represents the profile subsystem that manages
+ * a list of profiles.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IProfileSubsystem extends ISubsystem {
+ public static final String ID = "profile";
+
+ /**
+ * Retrieves a profile by id.
+ *
+ * @return profile
+ * @exception EProfileException failed to retrieve
+ */
+ public IProfile getProfile(String id)
+ throws EProfileException;
+
+ /**
+ * Checks if a profile is approved by an agent or not.
+ *
+ * @param id profile id
+ * @return true if profile is approved
+ */
+ public boolean isProfileEnable(String id);
+
+ /**
+ * Retrieves the approver of the given profile.
+ *
+ * @param id profile id
+ * @return user id of the agent who has approved the profile
+ */
+ public String getProfileEnableBy(String id);
+
+ /**
+ * Creates new profile.
+ *
+ * @param id profile id
+ * @param classid implementation id
+ * @param className class Name
+ * @param configFile configuration file
+ * @exception EProfileException failed to create profile
+ */
+ public IProfile createProfile(String id, String classid,
+ String className, String configFile)
+ throws EProfileException;
+
+ /**
+ * Deletes profile.
+ *
+ * @param id profile id
+ * @param configFile configuration file
+ * @exception EProfileException failed to delete profile
+ */
+ public void deleteProfile(String id, String configFile)
+ throws EProfileException;
+
+ /**
+ * Creates a new profile configuration file.
+ *
+ * @param id profile id
+ * @param classId implementation id
+ * @param configPath location to create the configuration file
+ * @exception failed to create profile
+ */
+ public void createProfileConfig(String id, String classId,
+ String configPath) throws EProfileException;
+
+ /**
+ * Enables a profile.
+ *
+ * @param id profile id
+ * @param enableBy agent's user id
+ * @exception EProfileException failed to enable profile
+ */
+ public void enableProfile(String id, String enableBy)
+ throws EProfileException;
+
+ /**
+ * Disables a profile.
+ *
+ * @param id profile id
+ * @exception EProfileException failed to disable
+ */
+ public void disableProfile(String id)
+ throws EProfileException;
+
+ /**
+ * Retrieves the id of the implementation of the given profile.
+ *
+ * @param id profile id
+ * @return implementation id managed by the registry
+ */
+ public String getProfileClassId(String id);
+
+ /**
+ * Retrieves a list of profile ids. The return
+ * list is of type String.
+ *
+ * @return a list of profile ids
+ */
+ public Enumeration getProfileIds();
+
+ /**
+ * Checks if owner id should be enforced during profile approval.
+ *
+ * @return true if approval should be checked
+ */
+ public boolean checkOwner();
+
+}
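Review bot: `createProfile(String id, String classid, String className, String configFile)`, `deleteProfile(String id, String configFile)` and `createProfileConfig(String id, String classId, String configPath)` take a class name and a file-system path, but the Javadoc says nothing about where these values may come from or what an implementation is expected to verify, so implementors are free to treat them as free-form. Since this interface is the contract they follow, suggest documenting that `configFile`/`configPath` are expected to resolve inside the profile configuration directory and that `className` is presumably tied to the registered implementation named by `classid` — TODO confirm against the implementing subsystem. The `createProfileConfig` Javadoc has `@exception failed to create profile` with the exception type missing; it should read `@exception EProfileException failed to create profile`. `getProfile(String id)` has no `@param id` tag, and `checkOwner()` would be clearer if it stated what approval does when it returns false.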
diff --git a/base/common/src/com/netscape/certsrv/profile/IProfileUpdater.java b/base/common/src/com/netscape/certsrv/profile/IProfileUpdater.java new file mode 100644 index 000000000..3749cd1d2 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/profile/IProfileUpdater.java 
@@ -0,0 +1,77 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.profile; + +import java.util.Locale; + +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.property.IConfigTemplate; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.RequestStatus; + +/** + * This interface represents an updater that will be + * called when the request's state changes. + * + * @version $Revision$, $Date$ + */ +public interface IProfileUpdater extends IConfigTemplate { + + /** + * Initializes this default policy. + * + * @param profile owner of this policy + * @param config configuration store + * @exception EProfileException failed to initialize + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException; + + /** + * Retrieves configuration store. + * + * @return configuration store + */ + public IConfigStore getConfigStore(); + + /** + * Notifies of state change. + * + * @param req request + * @param status The status to check for. 
+ * @exception EProfileException failed to populate + */ + public void update(IRequest req, RequestStatus status) + throws EProfileException; + + /** + * Retrieves the localizable name of this policy. + * + * @param locale user locale + * @return output policy name + */ + public String getName(Locale locale); + + /** + * Retrieves the localizable description of this policy. + * + * @param locale user locale + * @return output policy description + */ + public String getText(Locale locale); +} diff --git a/base/common/src/com/netscape/certsrv/property/Descriptor.java b/base/common/src/com/netscape/certsrv/property/Descriptor.java new file mode 100644 index 000000000..bd2b56340 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/property/Descriptor.java 
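Review bot: The Javadoc on `init` reads "Initializes this default policy" and the `update` method's tag reads `@exception EProfileException failed to populate`, but this interface is an updater invoked on request state changes, so both sentences look copied from a policy/default interface. Suggest `* Initializes this updater.` for `init` and `* @exception EProfileException failed to process the state change` for `update`. The `getName`/`getText` tags ("output policy name", "output policy description") should likewise say "updater".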
@@ -0,0 +1,93 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.property; + +import java.util.Locale; + +/** + * This interface represents a property descriptor. A descriptor + * includes information that describe a property. + * + * @version $Revision$, $Date$ + */ +public class Descriptor implements IDescriptor { + + protected String mSyntax = null; + protected String mConstraint = null; + protected String mDescription = null; + protected String mDef = null; + + /** + * Constructs a descriptor. + * + * @param syntax syntax + * @param constraint constraint + * @param defValue default value + * @param description description + */ + public Descriptor(String syntax, String constraint, String defValue, String description) { + mSyntax = syntax; + mConstraint = constraint; + mDef = defValue; + mDescription = description; + } + + /** + * Returns the syntax of the property. + * + * @return syntax + */ + public String getSyntax() { + return mSyntax; + } + + /** + * Returns the default value of the property. + * + * @return default value + */ + public String getDefaultValue() { + return mDef; + } + + /** + * Constraint for the given syntax. For example, + *

+ * - number(1-5): 1-5 is the constraint, and it indicates that the number must be in the range of 1 to 5. + *

+ * - choice(cert,crl): cert,crl is the constraint for choice + *

+ * If null, no constraint shall be enforced. + *

+ * + * @return constraint + */ + public String getConstraint() { + return mConstraint; + } + + /** + * Retrieves the description of the property. + * + * @param locale user locale + * @return description + */ + public String getDescription(Locale locale) { + return mDescription; + } +} diff --git a/base/common/src/com/netscape/certsrv/property/EPropertyException.java b/base/common/src/com/netscape/certsrv/property/EPropertyException.java new file mode 100644 index 000000000..23f59a25f --- /dev/null +++ b/base/common/src/com/netscape/certsrv/property/EPropertyException.java @@ -0,0 +1,42 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.property; + +import com.netscape.certsrv.base.EBaseException; + +/** + * This is the base exception for property handling. + * + * @version $Revision$, $Date$ + */ +public class EPropertyException extends EBaseException { + + /** + * + */ + private static final long serialVersionUID = -6100285768016343010L; + + /** + * Constructs property exception + * + * @param msg exception message + */ + public EPropertyException(String msg) { + super(msg); + } +} 
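Review bot: The class-level Javadoc says "This interface represents a property descriptor", but `Descriptor` is a concrete class; suggest `* This class is the default implementation of {@link IDescriptor}.` The four `protected` fields are assigned only in the constructor and have no setters in this hunk, so they could be `private final` unless a subclass elsewhere writes them, which I cannot see from here. `getDescription(Locale)` ignores its `locale` argument and returns `mDescription` unchanged, so the tag should say so, e.g. `@param locale user locale (not used; the description is returned as constructed)`.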
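Review bot: `EPropertyException` offers only a `(String msg)` constructor, so a caller that catches an underlying exception has no way to keep the cause chain, and its `serialVersionUID` carries an empty `/** */` Javadoc. The same shape repeats in ECompSyntaxErr, EMapperNotFound, EMapperPluginNotFound, EPublisherNotFound, EPublisherPluginNotFound, ERuleNotFound and ERulePluginNotFound further down. Whether a `(String msg, Throwable cause)` constructor can be added depends on `EBaseException`/`ELdapException`, whose constructors are not in these hunks; at minimum replace the empty Javadoc with `/** Serialization version. */` or drop it.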
diff --git a/base/common/src/com/netscape/certsrv/property/IConfigTemplate.java b/base/common/src/com/netscape/certsrv/property/IConfigTemplate.java new file mode 100644 index 000000000..431c90de9 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/property/IConfigTemplate.java @@ -0,0 +1,68 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.property; + +import java.util.Enumeration; +import java.util.Locale; + +/** + * This interface provides a standard way to describe + * a set of configuration parameters and its associated syntax. + * It provides programmatic methods for querying + * template description. + *

+ * A plugin, for example, can be described as a property template. + *

+ * + * @version $Revision$, $Date$ + */ +public interface IConfigTemplate { + + /** + * Returns a list of configuration parameter names. + * + * @return parameter names + */ + public Enumeration getConfigNames(); + + /** + * Returns the descriptors of configuration parameter. + * + * @param locale user locale + * @param name configuration parameter name + * @return descriptor + */ + public IDescriptor getConfigDescriptor(Locale locale, String name); + + /** + * Sets configuration parameter. + * + * @param name parameter name + * @param value parameter value + * @exception EPropertyException failed to set parameter + */ + public void setConfig(String name, String value) + throws EPropertyException; + + /** + * Retrieves configuration parameter by name. + * + * @return parameter + */ + public String getConfig(String name); +} diff --git a/base/common/src/com/netscape/certsrv/property/IDescriptor.java b/base/common/src/com/netscape/certsrv/property/IDescriptor.java new file mode 100644 index 000000000..727c1130d --- /dev/null +++ b/base/common/src/com/netscape/certsrv/property/IDescriptor.java 
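Review bot: `getConfig(String name)` documents `@return parameter` but has no `@param name` tag, and `getConfigNames()` returns a raw `Enumeration`, so callers receive `Object` and must cast. Suggest adding `* @param name parameter name` and declaring `public Enumeration<String> getConfigNames();`. The same raw `Enumeration` return appears in `getProfileIds()` in the hunk above and in `PropertySet.getNames()` below.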
@@ -0,0 +1,90 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.property; + +import java.util.Locale; + +/** + * This interface represents a property descriptor. + * + * @version $Revision$, $Date$ + */ +public interface IDescriptor { + + // syntax + public static String DATE = "date"; + public static String PASSWORD = "password"; + public static String PRETTY_PRINT = "pretty_print"; + public static String IMAGE_URL = "image_url"; + public static String INTEGER = "integer"; + public static String BOOLEAN = "boolean"; + public static String STRING = "string"; + public static String STRING_LIST = "string_list"; + public static String KEYGEN_REQUEST = "keygen_request"; + public static String KEYGEN_REQUEST_TYPE = "keygen_request_type"; + public static String ENC_KEYGEN_REQUEST = "enc_keygen_request"; + public static String ENC_KEYGEN_REQUEST_TYPE = "enc_keygen_request_type"; + public static String SIGN_KEYGEN_REQUEST = "sign_keygen_request"; + public static String SIGN_KEYGEN_REQUEST_TYPE = "sign_keygen_request_type"; + public static String DUAL_KEYGEN_REQUEST = "dual_keygen_request"; + public static String DUAL_KEYGEN_REQUEST_TYPE = "dual_keygen_request_type"; + public static String CERT_REQUEST = 
"cert_request"; + public static String CERT_REQUEST_TYPE = "cert_request_type"; + public static String CHOICE = "choice"; // choice of strings + public static String DN = "dn"; + public static String IP = "ip"; + public static String EMAIL = "email"; + + // constraint + public static String READONLY = "readonly"; + public static String HIDDEN = "hidden"; + + /** + * Returns the syntax of the property. + * + * @return syntax + */ + public String getSyntax(); + + /** + * Constraint for the given syntax. For example, + * - number(1-5): 1-5 is the constraint, and it indicates + * that the number must be in the range of 1 to 5. + * - choice(cert,crl): cert,crl is the constraint + * for choice + * If null, no constraint shall be enforced. + * + * @return constraint + */ + public String getConstraint(); + + /** + * Retrieves the description of the property. + * + * @param locale user locale + * @return localized description + */ + public String getDescription(Locale locale); + + /** + * Retrieves the default value of the property. + * + * @return default value + */ + public String getDefaultValue(); +} diff --git a/base/common/src/com/netscape/certsrv/property/PropertySet.java b/base/common/src/com/netscape/certsrv/property/PropertySet.java new file mode 100644 index 000000000..dc839deb1 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/property/PropertySet.java 
@@ -0,0 +1,52 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.property;
+
+import java.util.Enumeration;
+import java.util.Hashtable;
+
+/**
+ * A set of properties.
+ */
+public class PropertySet {
+
+ private Hashtable mProperties = new Hashtable();
+
+ public PropertySet() {
+ }
+
+ public void add(String name, IDescriptor desc) {
+ mProperties.put(name, desc);
+ }
+
+ public Enumeration getNames() {
+ return mProperties.keys();
+ }
+
+ public IDescriptor getDescriptor(String name) {
+ return (IDescriptor) mProperties.get(name);
+ }
+
+ public void remove(String name) {
+ mProperties.remove(name);
+ }
+
+ public int size() {
+ return mProperties.size();
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/ECompSyntaxErr.java b/base/common/src/com/netscape/certsrv/publish/ECompSyntaxErr.java
new file mode 100644
index 000000000..a3a109900
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/ECompSyntaxErr.java
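Review bot: `mProperties` is a raw `Hashtable`, which forces the unchecked cast in `getDescriptor` and lets any object be stored under any key; `private final Hashtable<String, IDescriptor> mProperties = new Hashtable<String, IDescriptor>();` removes the cast and lets `getNames()` return `Enumeration<String>`. `Hashtable.put` throws `NullPointerException` for a null name or descriptor, which `add` does not document, and none of the public methods carries Javadoc. A one-line `@throws NullPointerException if name or desc is null` on `add` would make the behaviour explicit.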
@@ -0,0 +1,46 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import com.netscape.certsrv.ldap.ELdapException;
+
+/**
+ * This type of exception is thrown in cases where an parsing
+ * error is found while evaluating a PKI component. An example
+ * would be in trying to evaluate a PKI authentication message and
+ * the parsing operation fails due to a missing token.
+ *
+ * @version $Revision$ $Date$
+ */
+public class ECompSyntaxErr extends ELdapException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -2224290038321971845L;
+
+ /**
+ * Construct a ECompSyntaxErr
+ *
+ * @param errorString The descriptive error condition.
+ */
+
+ public ECompSyntaxErr(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/EMapperNotFound.java b/base/common/src/com/netscape/certsrv/publish/EMapperNotFound.java
new file mode 100644
index 000000000..fdf4a1b9f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/EMapperNotFound.java
@@ -0,0 +1,42 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import com.netscape.certsrv.ldap.ELdapException;
+
+/**
+ * Exception for Publish Mapper not found.
+ *
+ * @version $Revision$ $Date$
+ */
+public class EMapperNotFound extends ELdapException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -2222814261042222152L;
+
+ /**
+ * Constructs a exception for a missing required mapper
+ *
+ * @param errorString Detailed error message.
+ */
+ public EMapperNotFound(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/EMapperPluginNotFound.java b/base/common/src/com/netscape/certsrv/publish/EMapperPluginNotFound.java
new file mode 100644
index 000000000..f8f18c5ff
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/EMapperPluginNotFound.java
@@ -0,0 +1,42 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import com.netscape.certsrv.ldap.ELdapException;
+
+/**
+ * Exception for Mapper Plugin not found.
+ *
+ * @version $Revision$ $Date$
+ */
+public class EMapperPluginNotFound extends ELdapException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 3564854656103487939L;
+
+ /**
+ * Constructs a exception for a missing mapper plugin
+ *
+ * @param errorString Detailed error message.
+ */
+ public EMapperPluginNotFound(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/EPublisherNotFound.java b/base/common/src/com/netscape/certsrv/publish/EPublisherNotFound.java
new file mode 100644
index 000000000..176001e99
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/EPublisherNotFound.java
@@ -0,0 +1,42 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import com.netscape.certsrv.ldap.ELdapException;
+
+/**
+ * Exception for Publisher not found. Required for successful publishing.
+ *
+ * @version $Revision$ $Date$
+ */
+public class EPublisherNotFound extends ELdapException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 6159885167931517580L;
+
+ /**
+ * Constructs a exception for a missing required publisher.
+ *
+ * @param errorString Detailed error message.
+ */
+ public EPublisherNotFound(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/EPublisherPluginNotFound.java b/base/common/src/com/netscape/certsrv/publish/EPublisherPluginNotFound.java
new file mode 100644
index 000000000..56076863a
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/EPublisherPluginNotFound.java
@@ -0,0 +1,42 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import com.netscape.certsrv.ldap.ELdapException;
+
+/**
+ * Exception for Publisher Plugin not found. Plugin implementation is required to actually publish.
+ *
+ * @version $Revision$ $Date$
+ */
+public class EPublisherPluginNotFound extends ELdapException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -8626436244270286308L;
+
+ /**
+ * Constructs a exception for a missing publisher plugin.
+ *
+ * @param errorString Detailed error message.
+ */
+ public EPublisherPluginNotFound(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/ERuleNotFound.java b/base/common/src/com/netscape/certsrv/publish/ERuleNotFound.java
new file mode 100644
index 000000000..01c9897eb
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/ERuleNotFound.java
@@ -0,0 +1,42 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import com.netscape.certsrv.ldap.ELdapException;
+
+/**
+ * Exception for Ldap Publishing Rule not found.
+ *
+ * @version $Revision$ $Date$
+ */
+public class ERuleNotFound extends ELdapException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 8442034769483263745L;
+
+ /**
+ * Constructs a exception for a missing required rule, which links a publisher and mapper.
+ *
+ * @param errorString Detailed error message.
+ */
+ public ERuleNotFound(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/ERulePluginNotFound.java b/base/common/src/com/netscape/certsrv/publish/ERulePluginNotFound.java
new file mode 100644
index 000000000..f619e7f4a
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/ERulePluginNotFound.java
@@ -0,0 +1,42 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import com.netscape.certsrv.ldap.ELdapException;
+
+/**
+ * Exception for Publisher Rule plugin not found. Plugin required to implement Ldap Rule.
+ *
+ * @version $Revision$ $Date$
+ */
+public class ERulePluginNotFound extends ELdapException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 4056965992924762809L;
+
+ /**
+ * Constructs a exception for a missing rule plugin.
+ *
+ * @param errorString Detailed error message.
+ */
+ public ERulePluginNotFound(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/ICRLPublisher.java b/base/common/src/com/netscape/certsrv/publish/ICRLPublisher.java
new file mode 100644
index 000000000..cd5763cdb
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/ICRLPublisher.java
@@ -0,0 +1,107 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.publish; + +import netscape.security.x509.X509CRLImpl; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.ISubsystem; + +/** + * This interface represents a CRL publisher that is + * invoked when CRL publishing is requested by CMS. + * Note that CMS, by default, shipped with a LDAP-based + * CRL publisher that can be configured via + * Certificiate Manager/LDAP Publishing panel. This + * interface provides administrator additional capability + * of publishing CRL to different destinations. + * + * The CRL publishing frequency is configured via + * Netscape Certificate Server Console's + * Certificate Manager/Revocation List panel. + * The CRL publishing may occur either everytime a + * certificate is revoked or at a pre-defined interval. + * + * To try out this new CRL publisher mechanism, do + * the following: + * (1) Write a sample CRL publisher class that implements + * ICRLPublisher interface. 
For example, + * + * + * public class CRLPublisher implements ICRLPublisher + * { + * public void init(ISubsystem owner, IConfigStore config) + * throws EBaseException + * { + * log(ILogger.LL_DEBUG, "CRLPublisher: Initialized"); + * } + * + * public void publish(String issuingPointId, X509CRLImpl crl) + * throws EBaseException + * { + * log(ILogger.LL_DEBUG, "CRLPublisher: " + issuingPointId + + * " crl=" + crl); + * } + * + * public void log(int level, String msg) + * { + * Logger.getLogger().log(ILogger.EV_SYSTEM, + * null, ILogger.S_OTHER, level, + * msg); + * } + * } + * + * + * (2) Compile the class and place the class into + * \bin\cert\classes directory. + * (3) Add the following parameter to CMS.cfg + * ca.crlPublisher.class= + * For example, + * ca.crlPublisher.class=myCRLPublisher + * + * @version $Revision$, $Date$ + */ +public interface ICRLPublisher { + + /** + * Initializes this CRL publisher. + * + * @param owner parent of the publisher. An object of type + * CertificateAuthority. + * @param config config store for this publisher. If this + * publisher requires configuration parameters for + * initialization, the parameters should be placed + * in CMS.cfg as ca.crlPublisher.= + * @exception EBaseException failed to initialize this publisher + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException; + + /** + * Publishes CRL. This method is invoked by CMS based + * on the configured CRL publishing frequency. + * + * @param issuingPointId CRL issuing point identifier + * (i.e. MasterCRL) + * @param crl CRL that is publishing + * @exception EBaseException failed to publish + */ + public void publish(String issuingPointId, X509CRLImpl crl) + throws EBaseException; +} diff --git a/base/common/src/com/netscape/certsrv/publish/ILdapCertMapper.java b/base/common/src/com/netscape/certsrv/publish/ILdapCertMapper.java new file mode 100644 index 000000000..3acaeb580 --- /dev/null 
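Review bot: The configuration guidance in the class Javadoc reads `ca.crlPublisher.class=` and `ca.crlPublisher.=`, and the `@param config` tag likewise ends in `ca.crlPublisher.=`, so the reader is never told what goes on the right-hand side; if the placeholders were angle-bracketed they may have been lost in rendering, otherwise the text should spell them out, e.g. `ca.crlPublisher.class=<fully qualified class name>` and `ca.crlPublisher.<param>=<value>`. Because this parameter names an arbitrary class that CMS instantiates and hands each CRL to, the `publish` contract should also say whether implementations may retain or modify the `X509CRLImpl` they receive. Minor: "Certificiate" and "everytime" are typos.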
+++ b/base/common/src/com/netscape/certsrv/publish/ILdapCertMapper.java 
@@ -0,0 +1,70 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.publish; + +import java.security.cert.X509Certificate; +import java.util.Vector; + +import netscape.ldap.LDAPConnection; + +import com.netscape.certsrv.ldap.ELdapException; + +/** + * Interface for mapping a X509 certificate to a LDAP entry. + * + * @version $Revision$ $Date$ + */ +public interface ILdapCertMapper extends ILdapPlugin { + + /** + * Returns implementation name. + */ + public String getImplName(); + + /** + * Returns the description of this mapper. + */ + public String getDescription(); + + /** + * Returns the default parameters. + */ + public Vector getDefaultParams(); + + /** + * Returns the instance parameters. + */ + public Vector getInstanceParams(); + + /** + * maps a certificate to a LDAP entry. + * returns dn of the mapped LDAP entry. + * + * @param conn the LDAP connection + * @param cert the certificate to map + * @param checkForCert whether to check for the presence of the cert + * @exception ELdapException Failed to map. + * @return LdapCertMapResult indicates whether a mapping was successful + * and whether a certificate was found if checkForCert was true. 
+ * If checkForCert was not set the hasCert method in LdapCertMapResult + * should be ignored. + */ + public LdapCertMapResult map(LDAPConnection conn, + X509Certificate cert, boolean checkForCert) + throws ELdapException; +} diff --git a/base/common/src/com/netscape/certsrv/publish/ILdapCrlMapper.java b/base/common/src/com/netscape/certsrv/publish/ILdapCrlMapper.java new file mode 100644 index 000000000..252a09ec3 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/publish/ILdapCrlMapper.java 
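Review bot: The `map` Javadoc opens with "returns dn of the mapped LDAP entry", but the declared return type is `LdapCertMapResult` and the `@return` tag below describes that object, so the two sentences contradict each other; drop the "returns dn" sentence or say the DN is carried inside the result. `getDefaultParams()` and `getInstanceParams()` return raw `Vector` with no statement of the element type; `Vector<String>` or a `@return` sentence naming it would help. The summary lines should also be capitalised ("Maps a certificate").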
@@ -0,0 +1,60 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import netscape.ldap.LDAPConnection;
+import netscape.security.x509.X509CRLImpl;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.ldap.ELdapException;
+
+/**
+ * Interface for mapping a CRL to a LDAP entry.
+ *
+ * @version $Revision$ $Date$
+ */
+public interface ILdapCrlMapper {
+
+ /**
+ * maps a crl to a LDAP entry.
+ * returns dn of the mapped LDAP entry.
+ *
+ * @param conn the LDAP connection
+ * @param crl the CRL to map
+ * @param checkForCrl whether to check for the presence of the CRL
+ * @exception ELdapException Failed to map CRL to entry.
+ * @return LdapCertMapResult indicates whether a mapping was successful
+ * and whether a certificate was found if checkForCert was true.
+ * If checkForCert was not set the hasCert method in LdapCertMapResult
+ * should be ignored.
+ */
+ public LdapCertMapResult
+ map(LDAPConnection conn, X509CRLImpl crl, boolean checkForCrl)
+ throws ELdapException;
+
+ /**
+ * initialize from config store.
+ *
+ * @param config the configuration store to initialize from.
+ * @exception ELdapException Initialization failed due to Ldap error.
+ * @exception EBaseException Initialization failed.
+ */
+ public void init(IConfigStore config)
+ throws ELdapException, EBaseException;
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/ILdapExpression.java b/base/common/src/com/netscape/certsrv/publish/ILdapExpression.java
new file mode 100644
index 000000000..4537636c1
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/ILdapExpression.java
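Review bot: The `@return` text of `map` was copied from ILdapCertMapper and still refers to `checkForCert` and `hasCert`, but this method's parameter is `checkForCrl` and the object being looked for is a CRL; rewrite it as `* @return LdapCertMapResult indicating whether a mapping was successful and, if checkForCrl was true, whether the CRL was found; hasCert() should be ignored when checkForCrl was false.` The interface also redeclares `init(IConfigStore)` with the same Javadoc as ILdapPlugin instead of extending it, so the two contracts can drift; extending ILdapPlugin as the other mapper and publisher interfaces in this package do would remove the duplicate.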
@@ -0,0 +1,69 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.ldap.ELdapException;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * Interface for a Ldap predicate expression.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface ILdapExpression {
+ public static final int OP_EQUAL = 1;
+ public static final int OP_NEQUAL = 2;
+ public static final int OP_GT = 3;
+ public static final int OP_LT = 4;
+ public static final int OP_GE = 5;
+ public static final int OP_LE = 6;
+ public static final String EQUAL_STR = "==";
+ public static final String NEQUAL_STR = "!=";
+ public static final String GT_STR = ">";
+ public static final String GE_STR = ">=";
+ public static final String LT_STR = "<";
+ public static final String LE_STR = "<=";
+
+ /**
+ * Evaluate the Expression.
+ *
+ * @param sc The SessionContext on which we are applying the condition.
+ * @return The return value.
+ * @exception ELdapExeption Failed to evaluate expression.
+ */
+ boolean evaluate(SessionContext sc)
+ throws ELdapException;
+
+ /**
+ * Evaluate the Expression.
+ *
+ * @param req The PKIRequest on which we are applying the condition.
+ * @return The return value.
+ * @exception ELdapExeption Failed to evaluate expression.
+ */
+ boolean evaluate(IRequest req)
+ throws ELdapException;
+
+ /**
+ * Convert to a string.
+ *
+ * @return String representation of expression.
+ */
+ public String toString();
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/ILdapMapper.java b/base/common/src/com/netscape/certsrv/publish/ILdapMapper.java
new file mode 100644
index 000000000..09238421f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/ILdapMapper.java
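Review bot: Both `evaluate` Javadocs name the thrown type as `ELdapExeption`, which does not match the declared `throws ELdapException`, so the tag documents a class that does not exist; change both to `* @exception ELdapException Failed to evaluate expression.` Declaring `public String toString();` in the interface is redundant because every implementation already inherits it from Object; if the intent is to require a particular representation of the expression, state that requirement in the Javadoc rather than relying on the redeclaration.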
@@ -0,0 +1,80 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import java.util.Vector;
+
+import netscape.ldap.LDAPConnection;
+
+import com.netscape.certsrv.ldap.ELdapException;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * Interface for mapping a X509 certificate to a LDAP entry.
+ *
+ * @version $Revision$ $Date$
+ */
+public interface ILdapMapper extends ILdapPlugin {
+
+ /**
+ * Returns implementation name.
+ */
+ public String getImplName();
+
+ /**
+ * Returns the description of this mapper.
+ */
+ public String getDescription();
+
+ /**
+ * Returns the initial default parameters.
+ */
+ public Vector getDefaultParams();
+
+ /**
+ * Returns the current instance parameters.
+ */
+ public Vector getInstanceParams();
+
+ /**
+ * maps a certificate to a LDAP entry.
+ * returns dn of the mapped LDAP entry.
+ *
+ * @param conn the LDAP connection
+ * @param obj the object to map
+ * @return dn indicates whether a mapping was successful
+ * @exception ELdapException Map operation failed.
+ */
+ public String
+ map(LDAPConnection conn, Object obj)
+ throws ELdapException;
+
+ /**
+ * maps a certificate to a LDAP entry.
+ * returns dn of the mapped LDAP entry.
+ *
+ * @param conn the LDAP connection
+ * @param r the request to map
+ * @param obj the object to map
+ * @return dn indicates whether a mapping was successful
+ * @exception ELdapException Map operation failed.
+ */
+ public String
+ map(LDAPConnection conn, IRequest r, Object obj)
+ throws ELdapException;
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/ILdapPlugin.java b/base/common/src/com/netscape/certsrv/publish/ILdapPlugin.java
new file mode 100644
index 000000000..b0a9fe73b
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/ILdapPlugin.java
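Review bot: The `@return` tag of both `map` overloads reads `dn indicates whether a mapping was successful`, which describes a boolean rather than the `String` actually returned, and neither states what the caller receives when no entry matches (a null, an empty string, or an `ELdapException` cannot be told apart from this interface alone). Replace it with `* @return the DN of the mapped LDAP entry` and add one sentence naming the no-match behaviour once that is confirmed against the implementations. The summary `maps a certificate to a LDAP entry` is also narrower than the `Object obj` parameter admits; `maps an object (certificate or CRL) to a LDAP entry` would be accurate if that is the supported set.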
@@ -0,0 +1,45 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.ldap.ELdapException;
+
+/**
+ * Interface for any Ldap plugin.
+ *
+ * @version $Revision$ $Date$
+ */
+public interface ILdapPlugin {
+
+ /**
+ * Initialize from config store.
+ *
+ * @param config the configuration store to initialize from.
+ * @exception ELdapException initialization failed due to Ldap error.
+ * @exception EBaseException initialization failed.
+ */
+ public void init(IConfigStore config)
+ throws EBaseException, ELdapException;
+
+ /**
+ * Return config store.
+ */
+ public IConfigStore getConfigStore();
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/ILdapPluginImpl.java b/base/common/src/com/netscape/certsrv/publish/ILdapPluginImpl.java
new file mode 100644
index 000000000..db52a9106
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/ILdapPluginImpl.java
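Review bot: `getConfigStore()` is documented only as `Return config store.` with no `@return` tag, and nothing states whether it may return null before `init` has run, which every plugin implementor and caller has to guess at. A tag such as `* @return the configuration store passed to init, or null if init has not been called` (confirm the null case against the implementations) would close that gap and match the parameter-level detail given for `init`.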
@@ -0,0 +1,53 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IPluginImpl;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.ldap.ELdapException;
+
+/**
+ * Interface for any ldap plugin. Plugin implementation is defined here.
+ *
+ * @version $Revision$ $Date$
+ */
+public interface ILdapPluginImpl extends IPluginImpl {
+
+ /**
+ * initialize from config store.
+ *
+ * @param config the configuration store to initialize from.
+ * @exception ELdapException initializtion failed due to Ldap error.
+ * @exception EBaseException initialization failed.
+ */
+ public void init(ISubsystem sys, IConfigStore config)
+ throws EBaseException, ELdapException;
+
+ /**
+ * initialize from config store and Isubsystem.
+ *
+ * @param config the configuration store to initialize from.
+ * @exception ELdapException initializtion failed due to Ldap error.
+ * @exception EBaseException initialization failed.
+ */
+ public void init(IConfigStore config)
+ throws EBaseException, ELdapException;
+
+}
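Review bot: The two `init` Javadocs appear swapped: the two-argument `init(ISubsystem sys, IConfigStore config)` is described as `initialize from config store.` and has no `@param sys`, while the one-argument `init(IConfigStore config)` is described as `initialize from config store and Isubsystem.` Move the `and ISubsystem` summary to the two-argument form and add `* @param sys the subsystem this plugin belongs to` beneath it. Both blocks also misspell `initializtion`; `initialization failed due to Ldap error.` fixes the tag text.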
diff --git a/base/common/src/com/netscape/certsrv/publish/ILdapPublishModule.java b/base/common/src/com/netscape/certsrv/publish/ILdapPublishModule.java
new file mode 100644
index 000000000..81e5be952
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/ILdapPublishModule.java
@@ -0,0 +1,43 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.IRequestListener;
+
+/**
+ * Handles requests to perform Ldap publishing.
+ *
+ * @version $Revision$ $Date$
+ */
+public interface ILdapPublishModule extends IRequestListener {
+
+ /**
+ * initialize ldap publishing module with config store
+ */
+ // public void init(ICertAuthority owner, IConfigStore config)
+ // throws EBaseException, ELdapException;
+
+ /**
+ * Accepts completed requests from an authority and
+ * performs ldap publishing.
+ *
+ * @param request The publishing request.
+ */
+ public void accept(IRequest request);
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/ILdapPublisher.java b/base/common/src/com/netscape/certsrv/publish/ILdapPublisher.java
new file mode 100644
index 000000000..398d86453
--- /dev/null
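Review bot: The commented-out `init(ICertAuthority owner, IConfigStore config)` declaration sits beneath a live Javadoc block, so `initialize ldap publishing module with config store` now documents nothing and misleads readers about what the interface requires. Either delete the two `//` lines together with their Javadoc, or replace them with a plain comment that names the actual initialization path once that is confirmed against the implementations. The `accept` Javadoc could also say what the `IRequest` is expected to carry, since the parameter type alone does not constrain it.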
+++ b/base/common/src/com/netscape/certsrv/publish/ILdapPublisher.java 
@@ -0,0 +1,84 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import java.util.Vector;
+
+import netscape.ldap.LDAPConnection;
+
+import com.netscape.certsrv.ldap.ELdapException;
+
+/**
+ * Interface for publishing certificate or crl to database store.
+ *
+ * @version $Revision$ $Date$
+ */
+public interface ILdapPublisher extends ILdapPlugin {
+ public static final String PROP_PREDICATE = "predicate";
+ public static final String PROP_ENABLE = "enable";
+ public static final String PROP_IMPLNAME = "implName";
+
+ /**
+ * Returns the implementation name.
+ */
+ public String getImplName();
+
+ /**
+ * Returns the description of the publisher.
+ */
+ public String getDescription();
+
+ /**
+ * Returns the current instance parameters.
+ */
+ public Vector getInstanceParams();
+
+ /**
+ * Returns the initial default parameters.
+ */
+ public Vector getDefaultParams();
+
+ /**
+ * Publish an object.
+ *
+ * @param conn a Ldap connection
+ * (null for non-LDAP publishing)
+ * @param dn dn of the ldap entry to publish cert
+ * (null for non-LDAP publishing)
+ * @param object object to publish
+ * (java.security.cert.X509Certificate or,
+ * java.security.cert.X509CRL)
+ * @exception ELdapException publish failed.
+ */
+ public void publish(LDAPConnection conn, String dn, Object object)
+ throws ELdapException;
+
+ /**
+ * Unpublish an object.
+ *
+ * @param conn the Ldap connection
+ * (null for non-LDAP publishing)
+ * @param dn dn of the ldap entry to unpublish cert
+ * (null for non-LDAP publishing)
+ * @param object object to unpublish
+ * (java.security.cert.X509Certificate)
+ * @exception ELdapException unpublish failed.
+ */
+ public void unpublish(LDAPConnection conn, String dn, Object object)
+ throws ELdapException;
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/ILdapRule.java b/base/common/src/com/netscape/certsrv/publish/ILdapRule.java
new file mode 100644
index 000000000..7bf19b070
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/ILdapRule.java
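Review bot: `publish` and `unpublish` take their payload as `Object`, and only the Javadoc narrows it to an `X509Certificate` or `X509CRL` (certificate only for `unpublish`); the interface gives no contract for any other type, so each publisher decides for itself and callers cannot tell whether a wrong type is silently skipped or rejected. If the implementations reject it, an explicit `* @exception ELdapException publish failed, or the object is not a supported type.` would make that expectation part of the contract (confirm before documenting). The `PROP_PREDICATE`, `PROP_ENABLE` and `PROP_IMPLNAME` string constants are also redeclared verbatim in ILdapRule and IPublisherProcessor in this same commit; one shared declaration would keep the configuration keys from drifting apart.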
@@ -0,0 +1,77 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import java.util.Vector;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+
+/**
+ * Interface for publishing rule which associates a Publisher with a Mapper.
+ *
+ * @version $Revision$ $Date$
+ */
+public interface ILdapRule extends ILdapPlugin {
+ public static final String PROP_PREDICATE = "predicate";
+ public static final String PROP_ENABLE = "enable";
+ public static final String PROP_IMPLNAME = "implName";
+
+ /**
+ * Initialize the plugin.
+ *
+ * @exception EBaseException Initialization failed.
+ */
+ public void init(IPublisherProcessor processor, IConfigStore
+ config) throws EBaseException;
+
+ /**
+ * Returns the implementation name.
+ */
+ public String getImplName();
+
+ /**
+ * Returns the description of the ldap publisher.
+ */
+ public String getDescription();
+
+ /**
+ * Sets the instance name.
+ */
+ public void setInstanceName(String name);
+
+ /**
+ * Returns the instance name.
+ */
+ public String getInstanceName();
+
+ /**
+ * Returns the current instance parameters.
+ */
+ public Vector getInstanceParams();
+
+ /**
+ * Returns the initial default parameters.
+ */
+ public Vector getDefaultParams();
+
+ /**
+ * Returns true if the rule is enabled, false if it's disabled.
+ */
+ public boolean enabled();
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/IPublishRuleSet.java b/base/common/src/com/netscape/certsrv/publish/IPublishRuleSet.java
new file mode 100644
index 000000000..911d4e132
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/IPublishRuleSet.java
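Review bot: The `init(IPublisherProcessor processor, IConfigStore config)` Javadoc lists only `@exception` and omits both parameters; add `* @param processor the publisher processor that owns this rule` and `* @param config the configuration store to initialize from.` Because ILdapRule extends ILdapPlugin, implementations must also provide the one-argument `init(IConfigStore)`, and the Javadoc should say which of the two callers are expected to invoke, if that is known. The `getDescription` summary `Returns the description of the ldap publisher.` also looks copied from ILdapPublisher; `of this rule` is what the interface describes.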
@@ -0,0 +1,122 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import java.util.Enumeration;
+
+import netscape.ldap.LDAPConnection;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.ldap.ELdapException;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * Represents a set of publishing rules. Publishing rules are ordered from
+ * lowest priority to highest priority. The priority assignment for publishing
+ * rules is not enforced by this interface. Various implementation may
+ * use different mechanisms such as a linear ordering of publishing rules
+ * in a configuration file or explicit assignment of priority levels ..etc.
+ * The publishing rule initialization needs to deal with reading the
+ * publishing rules, sorting them in increasing order of priority and
+ * presenting an ordered vector of publishing rules via the IPublishRuleSet
+ * interface.
+ * When a request comes, the predicates of the publishing rules will be
+ * checked in the order to find the first matched publishing rule as the
+ * mapping rule to (un)publish the object.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IPublishRuleSet {
+ void init(ISubsystem sys, IConfigStore conf) throws EBaseException;
+
+ /**
+ * Returns the name of the publishing rule set.
+ *

+ *
+ * @return The name of the publishing rule set.
+ */
+ String getName();
+
+ /**
+ * Returns the no of publishing rules in a set.
+ *

+ *
+ * @return the no of publishing rules.
+ */
+ int count();
+
+ /**
+ * Add a publishing rule
+ *

+ *
+ * @param aliasName The name of the publishing rule to be added.
+ * @param rule rule The publishing rule to be added.
+ */
+ void addRule(String aliasName, ILdapRule rule);
+
+ /**
+ * Removes a publishing rule identified by the given name.
+ *
+ * @param ruleName The name of the publishing rule to be removed.
+ */
+ void removeRule(String ruleName);
+
+ /**
+ * Get the publishing rule identified by a given name.
+ *

+ *
+ * @param ruleName The name of the publishing rule to be return.
+ * @return The publishing rule identified by the given name or null if none exists.
+ */
+ ILdapRule getRule(String ruleName);
+
+ /**
+ * Get the publishing rule identified by a corresponding request.
+ *

+ *
+ * @param req The request from which rule will be identified.
+ * @return The publishing rule or null if none exists.
+ */
+ ILdapRule getRule(IRequest req);
+
+ /**
+ * Get an enumeration of publishing rules.
+ *

+ *
+ * @return An enumeration of publishing rules.
+ */
+ Enumeration getRules();
+
+ /**
+ * Apply publishing rules on a request.
+ * The predicates of the publishing rules will be checked in the order
+ * to find the first matched publishing rule.
+ * Use the mapper to find the dn of the LDAP entry and use the publisher
+ * to publish the object in the request.
+ *

+ *
+ * @param conn The Ldap connection
+ * @param req The request to apply policies on.
+ * @exception ELdapException publish failed due to Ldap error.
+ */
+ public void publish(LDAPConnection conn, IRequest req)
+ throws ELdapException;
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/IPublisherProcessor.java b/base/common/src/com/netscape/certsrv/publish/IPublisherProcessor.java
new file mode 100644
index 000000000..3ed985403
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/IPublisherProcessor.java
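Review bot: `void init(ISubsystem sys, IConfigStore conf) throws EBaseException;` is the only member of IPublishRuleSet without Javadoc; a summary line plus `@param sys`, `@param conf` and `@throws EBaseException` should be added so it reads like the rest of the interface. The `addRule` Javadoc has a doubled word in `@param rule rule The publishing rule to be added.`, and `the no of publishing rules` in `count` should read `the number of publishing rules`. The `publish` declaration carries an explicit `public` while every other method in the file omits it; dropping it keeps the modifier style consistent.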
@@ -0,0 +1,360 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import java.math.BigInteger;
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.Vector;
+
+import netscape.security.x509.X509CRLImpl;
+
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.ldap.ELdapException;
+import com.netscape.certsrv.ldap.ILdapConnModule;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * Controls the publishing process from the top level. Maintains
+ * a collection of Publishers , Mappers, and Publish Rules.
+ *
+ * @version $Revision$ $Date$
+ */
+
+public interface IPublisherProcessor extends ISubsystem {
+
+ public final static String PROP_PUBLISH_SUBSTORE = "publish";
+ public final static String PROP_LDAP_PUBLISH_SUBSTORE = "ldappublish";
+ public final static String PROP_QUEUE_PUBLISH_SUBSTORE = "queue";
+
+ public static final String PROP_LOCAL_CA = "cacert";
+ public static final String PROP_LOCAL_CRL = "crl";
+ public static final String PROP_CERTS = "certs";
+ public static final String PROP_XCERT = "xcert";
+
+ public static final String PROP_CLASS = "class";
+ public static final String PROP_IMPL = "impl";
+ public static final String PROP_PLUGIN = "pluginName";
+ public static final String PROP_INSTANCE = "instance";
+
+ public static final String PROP_PREDICATE = "predicate";
+ public static final String PROP_ENABLE = "enable";
+ public static final String PROP_LDAP = "ldap";
+ public static final String PROP_MAPPER = "mapper";
+ public static final String PROP_PUBLISHER = "publisher";
+ public static final String PROP_TYPE = "type";
+
+ /**
+ *
+ * Returns Hashtable of rule plugins.
+ */
+
+ public Hashtable getRulePlugins();
+
+ /**
+ *
+ * Returns Hashtable of rule instances.
+ */
+
+ public Hashtable getRuleInsts();
+
+ /**
+ *
+ * Returns Hashtable of mapper plugins.
+ */
+
+ public Hashtable getMapperPlugins();
+
+ /**
+ *
+ * Returns Hashtable of publisher plugins.
+ */
+ public Hashtable getPublisherPlugins();
+
+ /**
+ *
+ * Returns Hashtable of rule mapper instances.
+ */
+ public Hashtable getMapperInsts();
+
+ /**
+ *
+ * Returns Hashtable of rule publisher instances.
+ */
+ public Hashtable getPublisherInsts();
+
+ /**
+ *
+ * Returns list of rules based on publishing type.
+ *
+ * @param publishingType Type for which to retrieve rule list.
+ */
+
+ public Enumeration getRules(String publishingType);
+
+ /**
+ *
+ * Returns list of rules based on publishing type and publishing request.
+ *
+ * @param publishingType Type for which to retrieve rule list.
+ * @param req Corresponding publish request.
+ */
+ public Enumeration getRules(String publishingType, IRequest req);
+
+ /**
+ *
+ * Returns mapper initial default parameters.
+ *
+ * @param implName name of MapperPlugin.
+ */
+
+ public Vector getMapperDefaultParams(String implName) throws
+ ELdapException;
+
+ /**
+ *
+ * Returns mapper current instance parameters.
+ *
+ * @param insName name of MapperProxy.
+ * @exception ELdapException failed due to Ldap error.
+ */
+
+ public Vector getMapperInstanceParams(String insName) throws
+ ELdapException;
+
+ /**
+ *
+ * Returns publisher initial default parameters.
+ *
+ * @param implName name of PublisherPlugin.
+ * @exception ELdapException failed due to Ldap error.
+ */
+ public Vector getPublisherDefaultParams(String implName) throws
+ ELdapException;
+
+ /**
+ *
+ * Returns true if MapperInstance is enabled.
+ *
+ * @param insName name of MapperProxy.
+ * @return true if enabled. false if disabled.
+ */
+
+ public boolean isMapperInstanceEnable(String insName);
+
+ /**
+ *
+ * Returns ILdapMapper instance that is currently active.
+ *
+ * @param insName name of MapperProxy.
+ * @return instance of ILdapMapper.
+ */
+ public ILdapMapper getActiveMapperInstance(String insName);
+
+ /**
+ *
+ * Returns ILdapMapper instance based on name of MapperProxy.
+ *
+ * @param insName name of MapperProxy.
+ * @return instance of ILdapMapper.
+ */
+ public ILdapMapper getMapperInstance(String insName);
+
+ /**
+ *
+ * Returns true publisher instance is currently enabled.
+ *
+ * @param insName name of PublisherProxy.
+ * @return true if enabled.
+ */
+ public boolean isPublisherInstanceEnable(String insName);
+
+ /**
+ *
+ * Returns ILdapPublisher instance that is currently active.
+ *
+ * @param insName name of PublisherProxy.
+ * @return instance of ILdapPublisher.
+ */
+ public ILdapPublisher getActivePublisherInstance(String insName);
+
+ /**
+ *
+ * Returns ILdapPublisher instance.
+ *
+ * @param insName name of PublisherProxy.
+ * @return instance of ILdapPublisher.
+ */
+ public ILdapPublisher getPublisherInstance(String insName);
+
+ /**
+ *
+ * Returns Vector of PublisherIntance's current instance parameters.
+ *
+ * @param insName name of PublisherProxy.
+ * @return Vector of current instance parameters.
+ */
+ public Vector getPublisherInstanceParams(String insName) throws
+ ELdapException;
+
+ /**
+ *
+ * Returns Vector of RulePlugin's initial default parameters.
+ *
+ * @param implName name of RulePlugin.
+ * @return Vector of initial default parameters.
+ * @exception ELdapException failed due to Ldap error.
+ */
+ public Vector getRuleDefaultParams(String implName) throws
+ ELdapException;
+
+ /**
+ *
+ * Returns Vector of RulePlugin's current instance parameters.
+ *
+ * @param implName name of RulePlugin.
+ * @return Vector of current instance parameters.
+ * @exception ELdapException failed due to Ldap error.
+ */
+ public Vector getRuleInstanceParams(String implName) throws
+ ELdapException;
+
+ /**
+ * Set published flag - true when published, false when unpublished.
+ * Not exist means not published.
+ *
+ * @param serialNo serial number of publishable object.
+ * @param published true for published, false for not.
+ */
+ public void setPublishedFlag(BigInteger serialNo, boolean published);
+
+ /**
+ * Publish ca cert, UpdateDir.java, jobs, request listeners
+ *
+ * @param cert X509 certificate to be published.
+ * @exception ELdapException publish failed due to Ldap error.
+ */
+ public void publishCACert(X509Certificate cert)
+ throws ELdapException;
+
+ /**
+ * This function is never called. CMS does not unpublish
+ * CA certificate.
+ */
+ public void unpublishCACert(X509Certificate cert)
+ throws ELdapException;
+
+ /**
+ * Publishs regular user certificate based on the criteria
+ * set in the request.
+ *
+ * @param cert X509 certificate to be published.
+ * @param req request which provides the criteria
+ * @exception ELdapException publish failed due to Ldap error.
+ */
+ public void publishCert(X509Certificate cert, IRequest req)
+ throws ELdapException;
+
+ /**
+ * Unpublish user certificate. This is used by
+ * UnpublishExpiredJob.
+ *
+ * @param cert X509 certificate to be unpublished.
+ * @param req request which provides the criteria
+ * @exception ELdapException unpublish failed due to Ldap error.
+ */
+ public void unpublishCert(X509Certificate cert, IRequest req)
+ throws ELdapException;
+
+ /**
+ * publishes a crl by mapping the issuer name in the crl to an entry
+ * and publishing it there. entry must be a certificate authority.
+ * Note that this is used by cmsgateway/cert/UpdateDir.java
+ *
+ * @param crl Certificate Revocation List
+ * @param crlIssuingPointId name of the issuing point.
+ * @exception ELdapException publish failed due to Ldap error.
+ */
+ public void publishCRL(X509CRLImpl crl, String crlIssuingPointId)
+ throws ELdapException;
+
+ /**
+ * publishes a crl by mapping the issuer name in the crl to an entry
+ * and publishing it there. entry must be a certificate authority.
+ *
+ * @param dn Distinguished name to publish.
+ * @param crl Certificate Revocation List
+ * @exception ELdapException publish failed due to Ldap error.
+ */
+ public void publishCRL(String dn, X509CRL crl)
+ throws ELdapException;
+
+ /**
+ *
+ * Return true if Ldap is enabled.
+ *
+ * @return true if Ldap is enabled,otherwise false.
+ */
+
+ public boolean ldapEnabled();
+
+ /**
+ *
+ * Return true of PublisherProcessor is enabled.
+ *
+ * @return true if is enabled, otherwise false.
+ *
+ */
+ public boolean enabled();
+
+ /**
+ *
+ * Return Authority for which this Processor operates.
+ *
+ * @return Authority.
+ */
+
+ public ISubsystem getAuthority();
+
+ /**
+ *
+ * Perform logging function for this Processor.
+ *
+ * @param level Log level to be used for this message
+ * @param msg Message to be logged.
+ */
+
+ public void log(int level, String msg);
+
+ /**
+ *
+ * Returns LdapConnModule belonging to this Processor.
+ *
+ * @return LdapConnModule.
+ */
+ public ILdapConnModule getLdapConnModule();
+
+ /**
+ * Sets the LdapConnModule belonging to this Processor.
+ *
+ * @param m ILdapConnModule.
+ */
+ public void setLdapConnModule(ILdapConnModule m);
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/IXcertPublisherProcessor.java b/base/common/src/com/netscape/certsrv/publish/IXcertPublisherProcessor.java
new file mode 100644
index 000000000..b70a0626d
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/IXcertPublisherProcessor.java
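Review bot: `getRuleInstanceParams(String implName)` names its argument `implName` and documents it as `name of RulePlugin`, yet it returns instance parameters, whereas the parallel `getMapperInstanceParams(String insName)` and `getPublisherInstanceParams(String insName)` are keyed by instance name; if the rule variant is really keyed by instance, a renamed parameter with `* @param insName name of RuleProxy.` would make the three consistent. `getMapperDefaultParams` and `getPublisherInstanceParams` both declare `throws ELdapException` without the `@exception` tag their siblings carry. `unpublishCACert` is documented as `This function is never called`; if that holds, marking it `@deprecated` records the intent more durably than a prose note, and if it does not, the sentence should be removed.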
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import com.netscape.certsrv.ldap.ELdapException;
+
+/**
+ * Interface for a publisher that has the capability of publishing
+ * cross certs
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IXcertPublisherProcessor extends IPublisherProcessor {
+
+ /**
+ * Publish crossCertificatePair.
+ *
+ * @param pair Byte array representing cert pair.
+ * @exception EldapException publish failed due to Ldap error.
+ */
+ public void publishXCertPair(byte[] pair)
+ throws ELdapException;
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/LdapCertMapResult.java b/base/common/src/com/netscape/certsrv/publish/LdapCertMapResult.java
new file mode 100644
index 000000000..84a866095
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/LdapCertMapResult.java
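Review bot: The Javadoc on publishXCertPair names `@exception EldapException`, which is not the type the method throws — the import and the throws clause both use `ELdapException`, so the tag should read `@exception ELdapException publish failed due to Ldap error.`. The `pair` parameter is documented only as a byte array representing a cert pair; callers need to know the expected encoding, so add something like `@param pair encoded crossCertificatePair value — confirm the expected encoding against the implementing class`, which is not visible in this hunk.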
@@ -0,0 +1,56 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+/**
+ * Class that represents the result of a Ldap Mapping operation.
+ * certificate map result:
+ * Represented by a mapped entry as a DN and whether entry has the certificate.
+ *
+ * @version $Revision$ $Date$
+ */
+public class LdapCertMapResult {
+ private String mDn;
+ private boolean mHasCert;
+
+ /**
+ * Constructs ldap cert map result with a dn and hasCert boolean.
+ */
+ public LdapCertMapResult(String dn, boolean hasCert) {
+ mDn = dn;
+ mHasCert = hasCert;
+ }
+
+ /**
+ * Gets DN from the result.
+ *
+ * @return Distinguished Name.
+ */
+ public String getDn() {
+ return mDn;
+ }
+
+ /**
+ * Gets whether the ldap entry had a certificate from result.
+ *
+ * @return true if cert is present, false otherwise.
+ */
+ public boolean hasCert() {
+ return mHasCert;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/MapperPlugin.java b/base/common/src/com/netscape/certsrv/publish/MapperPlugin.java
new file mode 100644
index 000000000..b193e1b5f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/MapperPlugin.java
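Review bot: The LdapCertMapResult constructor Javadoc has no `@param` tags although both getters are documented; add `@param dn distinguished name of the mapped entry` and `@param hasCert true if the mapped entry already holds the certificate`. Both fields are assigned only in the constructor and never written again, so `private final String mDn;` and `private final boolean mHasCert;` would make the result immutable at no cost. MapperProxy and PublisherProxy in this commit follow the same constructor-only assignment pattern and could take `final` fields the same way.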
@@ -0,0 +1,39 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import com.netscape.certsrv.base.Plugin;
+
+/**
+ * This class represents a registered mapper plugin.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class MapperPlugin extends Plugin {
+
+ /**
+ * Constructs a MapperPlugin based on a name and a path.
+ *
+ * @param id Name of plugin.
+ * @param path Classpath of plugin.
+ */
+ public MapperPlugin(String id, String path) {
+ super(id, path);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/MapperProxy.java b/base/common/src/com/netscape/certsrv/publish/MapperProxy.java
new file mode 100644
index 000000000..95dc98d9c
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/MapperProxy.java
@@ -0,0 +1,62 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+/**
+ *
+ * Class representing a LdapMapper.
+ *
+ * @version $Revision$ $Date$
+ */
+
+public class MapperProxy {
+ private boolean mEnable;
+ private ILdapMapper mMapper;
+
+ /**
+ *
+ * Contructs MapperProxy .
+ *
+ * @param enable Enabled or not.
+ * @param mapper Corresponding ILdapMapper object.
+ */
+ public MapperProxy(boolean enable, ILdapMapper mapper) {
+ mEnable = enable;
+ mMapper = mapper;
+ }
+
+ /**
+ *
+ * Returns if enabled.
+ *
+ * @return true if enabled, otherwise false.
+ */
+ public boolean isEnable() {
+ return mEnable;
+ }
+
+ /**
+ *
+ * Returns ILdapMapper object.
+ *
+ * @return Intance of ILdapMapper object.
+ */
+ public ILdapMapper getMapper() {
+ return mMapper;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/PublisherPlugin.java b/base/common/src/com/netscape/certsrv/publish/PublisherPlugin.java
new file mode 100644
index 000000000..5a163b80c
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/PublisherPlugin.java
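Review bot: Two Javadoc typos in MapperProxy: the constructor comment `Contructs MapperProxy .` should read `Constructs a MapperProxy.` and the getMapper return tag `Intance of ILdapMapper object.` should read `Instance of ILdapMapper object.`. The constructor also stores a null mapper without complaint, so a later use of getMapper() would fail with a NullPointerException far from the construction site; if callers never legitimately pass null, `mMapper = java.util.Objects.requireNonNull(mapper, "mapper");` surfaces the mistake at construction — confirm against the callers, which are outside this hunk.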
@@ -0,0 +1,40 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import com.netscape.certsrv.base.Plugin;
+
+/**
+ * This class represents a registered publisher plugin.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class PublisherPlugin extends Plugin {
+
+ /**
+ *
+ * Constructs a PublisherPlugin based on name and classpath.
+ *
+ * @param id name of plugin.
+ * @param path Classpath of plugin.
+ */
+ public PublisherPlugin(String id, String path) {
+ super(id, path);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/PublisherProxy.java b/base/common/src/com/netscape/certsrv/publish/PublisherProxy.java
new file mode 100644
index 000000000..eb71f3e56
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/PublisherProxy.java
@@ -0,0 +1,60 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+/**
+ *
+ * Class representing a proxy for a ILdapPublisher.
+ *
+ * @version $Revision$ $Date$
+ */
+
+public class PublisherProxy {
+ private boolean mEnable;
+ private ILdapPublisher mPublisher;
+
+ /**
+ *
+ * Constructs a PublisherProxy based on a ILdapPublisher object and enabled boolean.
+ *
+ * @param enable Proxy is enabled or not.
+ * @param publisher Corresponding ILdapPublisher object.
+ */
+ public PublisherProxy(boolean enable, ILdapPublisher publisher) {
+ mEnable = enable;
+ mPublisher = publisher;
+ }
+
+ /**
+ * Return if enabled or not.
+ *
+ * @return true if enabled, otherwise false.
+ */
+ public boolean isEnable() {
+ return mEnable;
+ }
+
+ /**
+ * Return ILdapPublisher object.
+ *
+ * @return Instance of ILdapPublisher.
+ */
+ public ILdapPublisher getPublisher() {
+ return mPublisher;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/publish/RulePlugin.java b/base/common/src/com/netscape/certsrv/publish/RulePlugin.java
new file mode 100644
index 000000000..b37a24d51
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/publish/RulePlugin.java
@@ -0,0 +1,40 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.publish;
+
+import com.netscape.certsrv.base.Plugin;
+
+/**
+ * This class represents a registered Publishing Rule plugin.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class RulePlugin extends Plugin {
+
+ /**
+ *
+ * Constructs a RulePlugin based on name and classpath.
+ *
+ * @param id name of RulePlugin.
+ * @param path Classpath of RulePlugin.
+ */
+ public RulePlugin(String id, String path) {
+ super(id, path);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/ra/IRAService.java b/base/common/src/com/netscape/certsrv/ra/IRAService.java
new file mode 100644
index 000000000..4bab4745c
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ra/IRAService.java
@@ -0,0 +1,62 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.ra;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.connector.IConnector;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.IService;
+
+/**
+ * An interface representing a RA request services.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IRAService extends IService {
+
+ /**
+ * Services request.
+ *
+ * @param req request data
+ */
+ public boolean serviceRequest(IRequest req);
+
+ /**
+ * Services profile request.
+ *
+ * @param request profile enrollment request information
+ * @exception EBaseException failed to service profile enrollment request
+ */
+ public void serviceProfileRequest(IRequest request)
+ throws EBaseException;
+
+ /**
+ * Returns CA connector.
+ *
+ * @return CA connector
+ */
+ public IConnector getCAConnector();
+
+ /**
+ * Returns KRA connector.
+ *
+ * @return KRA connector
+ */
+ public IConnector getKRAConnector();
+}
diff --git a/base/common/src/com/netscape/certsrv/ra/IRegistrationAuthority.java b/base/common/src/com/netscape/certsrv/ra/IRegistrationAuthority.java
new file mode 100644
index 000000000..8302e2d23
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ra/IRegistrationAuthority.java
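Review bot: serviceRequest returns a boolean but its Javadoc carries no `@return` tag, so a caller reading the interface cannot tell what true and false signify. Add `@return true if the request was serviced, false otherwise` with the precise meaning taken from the implementing class, which is not visible here. serviceProfileRequest documents its EBaseException while serviceRequest declares and documents none, so it is also worth stating in the comment whether a failure in serviceRequest is reported through the return value only.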
@@ -0,0 +1,170 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.ra;
+
+import java.util.Enumeration;
+
+import netscape.security.x509.X500Name;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.policy.IPolicyProcessor;
+import com.netscape.certsrv.publish.IPublisherProcessor;
+import com.netscape.certsrv.request.IRequestListener;
+import com.netscape.certsrv.request.IRequestQueue;
+
+/**
+ * An interface represents a Registration Authority that is
+ * responsible for certificate enrollment operations.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IRegistrationAuthority extends ISubsystem {
+ public static final String ID = "ra";
+
+ public static final String PROP_POLICY = "Policy";
+ public static final String PROP_REGISTRATION = "Registration";
+ public static final String PROP_GATEWAY = "gateway";
+ public static final String PROP_NICKNAME = "certNickname";
+ //public final static String PROP_PUBLISH_SUBSTORE = "publish";
+ //public final static String PROP_LDAP_PUBLISH_SUBSTORE = "ldappublish";
+ public final static String PROP_CONNECTOR = "connector";
+ public final static String PROP_NEW_NICKNAME = "newNickname";
+
+ // for the notification listeners
+ public final static String PROP_NOTIFY_SUBSTORE = "notification";
+ public final static String PROP_CERT_ISSUED_SUBSTORE = "certIssued";
+ public final static String PROP_CERT_REVOKED_SUBSTORE = "certRevoked";
+ public final static String PROP_REQ_IN_Q_SUBSTORE = "requestInQ";
+
+ /**
+ * Retrieves the request queue of this registration authority.
+ *
+ * @return RA's request queue
+ */
+ public IRequestQueue getRequestQueue();
+
+ /**
+ * Retrieves the publishing processor of this registration authority.
+ *
+ * @return RA's publishing processor
+ */
+ public IPublisherProcessor getPublisherProcessor();
+
+ /**
+ * Retrieves the policy processor of this registration authority.
+ * @deprecated
+ * @return RA's policy processor
+ */
+ public IPolicyProcessor getPolicyProcessor();
+
+ /**
+ * Retrieves the RA certificate.
+ *
+ * @return the RA certificate
+ */
+ public org.mozilla.jss.crypto.X509Certificate getRACert();
+
+ /**
+ * Retrieves the request in queue listener.
+ *
+ * @return the request in queue listener
+ */
+ public IRequestListener getRequestInQListener();
+
+ /**
+ * Retrieves the request listener for issued certificates.
+ *
+ * @return the request listener for issued certificates
+ */
+ public IRequestListener getCertIssuedListener();
+
+ /**
+ * Retrieves the request listener for revoked certificates.
+ *
+ * @return the request listener for revoked certificates
+ */
+ public IRequestListener getCertRevokedListener();
+
+ /**
+ * Returns the nickname of the RA certificate.
+ *
+ * @return the nickname of the RA certificate
+ */
+ public String getNickname();
+
+ /**
+ * Retrieves the nickname of the RA certificate from configuration store.
+ *
+ * @return the nickname of the RA certificate
+ * @exception EBaseException failed to get nickname
+ */
+ public String getNewNickName() throws EBaseException;
+
+ /**
+ * Sets the new nickname of the RA certifiate.
+ *
+ * @param name new nickname
+ */
+ public void setNewNickName(String name);
+
+ /**
+ * Sets the nickname of the RA certifiate.
+ *
+ * @param str nickname
+ */
+ public void setNickname(String str);
+
+ /**
+ * Retrieves the default validity period.
+ *
+ * @return the default validity length in days
+ */
+ public long getDefaultValidity();
+
+ /**
+ * Retrieves the issuer name of this registration authority.
+ *
+ * @return the issuer name of this registration authority
+ */
+ public X500Name getX500Name();
+
+ /**
+ * Retrieves the RA service object that is responsible for
+ * processing requests.
+ *
+ * @return RA service object
+ */
+ public IRAService getRAService();
+
+ /**
+ * Retrieves the request listener by name.
+ *
+ * @param name request listener name
+ * @return the request listener
+ */
+ public IRequestListener getRequestListener(String name);
+
+ /**
+ * Retrieves all request listeners.
+ *
+ * @return name enumeration of all request listeners
+ */
+ public Enumeration getRequestListenerNames();
+}
diff --git a/base/common/src/com/netscape/certsrv/registry/ERegistryException.java b/base/common/src/com/netscape/certsrv/registry/ERegistryException.java
new file mode 100644
index 000000000..5d2e2c91c
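Review bot: getRequestListenerNames returns a raw `Enumeration` although its Javadoc says it enumerates listener names, so every caller has to cast each element; `public Enumeration<String> getRequestListenerNames();` states the contract and remains source-compatible with raw-typed callers. The same raw `Enumeration` return type appears on IPluginRegistry.getTypeNames and IPluginRegistry.getIds later in this commit. Separately, the `@deprecated` tag on getPolicyProcessor gives neither a reason nor a replacement, and a Javadoc reader needs at least `@deprecated no longer used by the RA; see the replacement named by the implementing subsystem` or whatever the actual replacement is. Two comments spell the word `certifiate`; it should be `certificate`.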
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/registry/ERegistryException.java
@@ -0,0 +1,42 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.registry;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * This represents a registry exception.
+ *
+ * @version $Revision$, $Date$
+ */
+public class ERegistryException extends EBaseException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 8977050444820190765L;
+
+ /**
+ * Constructs a registry exception.
+ *
+ * @param msg message carried along with the exception
+ */
+ public ERegistryException(String msg) {
+ super(msg);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/registry/IPluginInfo.java b/base/common/src/com/netscape/certsrv/registry/IPluginInfo.java
new file mode 100644
index 000000000..8e6a87365
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/registry/IPluginInfo.java
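Review bot: ERegistryException offers only a `(String msg)` constructor, so code that catches a lower-level failure while adding or removing plugin info cannot attach it as the cause and the original stack trace is lost. If EBaseException exposes a cause-taking constructor, `public ERegistryException(String msg, Throwable cause) { super(msg, cause); }` would preserve it; otherwise callers should chain the cause with `initCause`. The empty Javadoc block above serialVersionUID documents nothing and should either say why the value is pinned or be dropped.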
@@ -0,0 +1,61 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.registry;
+
+import java.util.Locale;
+
+/**
+ * The plugin information includes name,
+ * class name, and description. The localizable
+ * name and description are information
+ * for end-users.
+ *

+ *
+ * The class name can be used to create an instance of the plugin.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IPluginInfo {
+
+ /**
+ * Retrieves the localized plugin name.
+ *
+ * @param locale end-user locale
+ * @return plugin name
+ */
+ public String getName(Locale locale);
+
+ /**
+ * Retrieves the localized plugin description.
+ *
+ * @param locale end-user locale
+ * @return plugin description
+ */
+ public String getDescription(Locale locale);
+
+ /**
+ * Retrieves the class name of the plugin.
+ * Instance of plugin can be created with
+ *

+ * Class.forName(info.getClassName());
+ *
+ * @return java class name
+ */
+ public String getClassName();
+}
diff --git a/base/common/src/com/netscape/certsrv/registry/IPluginRegistry.java b/base/common/src/com/netscape/certsrv/registry/IPluginRegistry.java
new file mode 100644
index 000000000..1c85aeba9
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/registry/IPluginRegistry.java
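Review bot: The getClassName Javadoc tells callers to hand the value straight to `Class.forName`, but never says where the name comes from or how much it is trusted. IPluginRegistry.createPluginInfo in this commit takes the class path as a plain String and the registry is backed by a configuration store (getFileConfigStore), so the class loaded here appears to be chosen by the registry configuration; the comment should state that, e.g. `The class name originates from the registry configuration and is instantiated without further validation, so that configuration must be protected from untrusted modification.` Confirm the origin of the value against the IPluginRegistry implementation, which is outside this hunk.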
@@ -0,0 +1,91 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.registry;
+
+import java.util.Enumeration;
+
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.ISubsystem;
+
+/**
+ * This represents the registry subsystem that manages
+ * mulitple types of plugin information.
+ *
+ * The plugin information includes id, name,
+ * classname, and description.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IPluginRegistry extends ISubsystem {
+
+ public static final String ID = "registry";
+
+ /**
+ * Returns handle to the registry configuration file.
+ *
+ * @return configuration store of registry subsystem
+ */
+ public IConfigStore getFileConfigStore();
+
+ /**
+ * Returns all type names.
+ *
+ * @return a list of String-based names
+ */
+ public Enumeration getTypeNames();
+
+ /**
+ * Returns a list of plugin identifiers of the given type.
+ *
+ * @param type plugin type
+ * @return a list of plugin IDs
+ */
+ public Enumeration getIds(String type);
+
+ /**
+ * Retrieves the plugin information.
+ *
+ * @param type plugin type
+ * @param id plugin id
+ * @return plugin info
+ */
+ public IPluginInfo getPluginInfo(String type, String id);
+
+ /**
+ * Adds plugin info.
+ *
+ * @param type plugin type
+ * @param id plugin id
+ * @param info plugin info
+ * @exception ERegistryException failed to add plugin
+ */
+ public void addPluginInfo(String type, String id, IPluginInfo info)
+ throws ERegistryException;
+
+ /**
+ * Removes plugin info.
+ */
+ public void removePluginInfo(String type, String id)
+ throws ERegistryException;
+
+ /**
+ * Creates a pluginInfo
+ */
+ public IPluginInfo createPluginInfo(String name, String desc,
+ String classPath);
+}
diff --git a/base/common/src/com/netscape/certsrv/request/ARequestNotifier.java b/base/common/src/com/netscape/certsrv/request/ARequestNotifier.java
new file mode 100644
index 000000000..a50996f2b
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/request/ARequestNotifier.java
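Review bot: removePluginInfo and createPluginInfo carry one-line Javadoc with no `@param`, `@return` or `@exception` tags, unlike every other method in this interface. For removePluginInfo add `@param type plugin type`, `@param id plugin id` and `@exception ERegistryException failed to remove plugin`; for createPluginInfo document name, desc and classPath the same way and add `@return the new plugin info`, noting that getPluginInfo's behaviour for an unknown type or id (null or exception) is also left unstated. The class comment misspells `mulitple`; it should be `multiple`.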
@@ -0,0 +1,546 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.request; + +import java.math.BigInteger; +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Vector; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.ldap.ILdapConnFactory; +import com.netscape.certsrv.ldap.ILdapConnModule; +import com.netscape.certsrv.publish.IPublisherProcessor; + +/** + * The ARequestNotifier class implements the IRequestNotifier interface, + * which notifies all registered request listeners. 
+ * + * @version $Revision$, $Date$ + */ +public class ARequestNotifier implements IRequestNotifier { + private Hashtable mListeners = new Hashtable(); + private Vector mNotifierThreads = new Vector(); + private Vector mRequests = new Vector(); + private int mMaxRequests = 100; + private boolean mSearchForRequests = false; + private int mMaxThreads = 1; + private ICertificateAuthority mCA = null; + private boolean mIsPublishingQueueEnabled = false; + private int mPublishingQueuePriority = 0; + private int mMaxPublishingQueuePageSize = 1; + private IRequestQueue mRequestQueue = null; + private String mPublishingStatus = null; + private int mSavePublishingStatus = 0; + private int mSavePublishingCounter = 0; + + public ARequestNotifier() { + mPublishingQueuePriority = Thread.currentThread().getPriority(); + } + + public ARequestNotifier(ICertificateAuthority ca) { + mCA = ca; + if (mCA != null) + mRequestQueue = mCA.getRequestQueue(); + } + + public void setPublishingQueue(boolean isPublishingQueueEnabled, + int publishingQueuePriorityLevel, + int maxNumberOfPublishingThreads, + int publishingQueuePageSize, + int savePublishingStatus) { + CMS.debug("setPublishingQueue: Publishing Queue Enabled: " + isPublishingQueueEnabled + + " Priority Level: " + publishingQueuePriorityLevel + + " Maximum Number of Threads: " + maxNumberOfPublishingThreads + + " Page Size: " + publishingQueuePageSize); + mIsPublishingQueueEnabled = isPublishingQueueEnabled; + mMaxThreads = maxNumberOfPublishingThreads; + mMaxRequests = publishingQueuePageSize; + mSavePublishingStatus = savePublishingStatus; + + // Publishing Queue Priority Levels: 2 - maximum, 1 - higher, 0 - normal, -1 - lower, -2 - minimum + if (publishingQueuePriorityLevel > 1) { + mPublishingQueuePriority = Thread.MAX_PRIORITY; + } else if (publishingQueuePriorityLevel > 0) { + mPublishingQueuePriority = (Thread.currentThread().getPriority() + Thread.MAX_PRIORITY) / 2; + } else if (publishingQueuePriorityLevel < -1) { + 
mPublishingQueuePriority = Thread.MIN_PRIORITY; + } else if (publishingQueuePriorityLevel < 0) { + mPublishingQueuePriority = (Thread.currentThread().getPriority() + Thread.MIN_PRIORITY) / 2; + } else { + mPublishingQueuePriority = Thread.currentThread().getPriority(); + } + + if (mCA != null && mRequestQueue == null) + mRequestQueue = mCA.getRequestQueue(); + if (mIsPublishingQueueEnabled && mSavePublishingStatus > 0 && mRequestQueue != null) { + mPublishingStatus = mRequestQueue.getPublishingStatus(); + BigInteger status = new BigInteger("-2"); + try { + status = new BigInteger(mPublishingStatus); + if (status.compareTo(BigInteger.ZERO) > -1) { + recoverPublishingQueue(mPublishingStatus); + } + } catch (Exception e) { + } + } + + } + + /** + * Registers a request listener. + * + * @param listener listener to be registered + */ + public void registerListener(IRequestListener listener) { + // XXX should check for duplicates here or allow listeners + // to register twice and call twice ? + mListeners.put(listener.getClass().getName(), listener); + } + + /** + * Registers a request listener. + * + * @param name listener name + * @param listener listener to be registered + */ + public void registerListener(String name, IRequestListener listener) { + mListeners.put(name, listener); + } + + /** + * Removes listener from the list of registered listeners. + * + * @param listener listener to be removed from the list + */ + public void removeListener(IRequestListener listener) { + // XXX should check for duplicates here or allow listeners + // to register twice and call twice ? + mListeners.remove(listener.getClass().getName()); + } + + /** + * Gets list of listener names. + * + * @return enumeration of listener names + */ + public Enumeration getListenerNames() { + return mListeners.keys(); + } + + /** + * Removes listener from the list of registered listeners. 
+ * + * @param name listener name to be removed from the list + */ + public void removeListener(String name) { + mListeners.remove(name); + } + + /** + * Gets listener from the list of registered listeners. + * + * @param name listener name + * @return listener + */ + public IRequestListener getListener(String name) { + return (IRequestListener) mListeners.get(name); + } + + /** + * Gets list of listeners. + * + * @return enumeration of listeners + */ + public Enumeration getListeners() { + return mListeners.elements(); + } + + private Object publishingCounterMonitor = new Object(); + + public void updatePublishingStatus(String id) { + if (mRequestQueue != null) { + synchronized (publishingCounterMonitor) { + if (mSavePublishingCounter == 0) { + CMS.debug("updatePublishingStatus requestId: " + id); + mRequestQueue.setPublishingStatus(id); + } + mSavePublishingCounter++; + CMS.debug("updatePublishingStatus mSavePublishingCounter: " + mSavePublishingCounter + + " mSavePublishingStatus: " + mSavePublishingStatus); + if (mSavePublishingCounter >= mSavePublishingStatus) { + mSavePublishingCounter = 0; + } + } + } else { + CMS.debug("updatePublishingStatus mRequestQueue == null"); + } + } + + /** + * Gets request from publishing queue. 
+ * + * @return request + */ + public synchronized IRequest getRequest() { + IRequest r = null; + String id = null; + + CMS.debug("getRequest mRequests=" + mRequests.size() + " mSearchForRequests=" + mSearchForRequests); + if (mSearchForRequests && mRequests.size() == 1) { + id = (String) mRequests.elementAt(0); + if (mCA != null && mRequestQueue == null) + mRequestQueue = mCA.getRequestQueue(); + if (id != null && mRequestQueue != null) { + CMS.debug("getRequest request id=" + id); + IRequestVirtualList list = mRequestQueue.getPagedRequestsByFilter( + new RequestId(id), + "(requeststate=complete)", mMaxRequests, "requestId"); + int s = list.getSize() - list.getCurrentIndex(); + CMS.debug("getRequest list size: " + s); + for (int i = 0; i < s; i++) { + r = null; + try { + r = list.getElementAt(i); + } catch (Exception e) { + // handled below + } + if (r == null) { + continue; + } + String requestType = r.getRequestType(); + if (requestType == null) { + continue; + } + if (!(requestType.equals(IRequest.ENROLLMENT_REQUEST) || + requestType.equals(IRequest.RENEWAL_REQUEST) || + requestType.equals(IRequest.REVOCATION_REQUEST) || + requestType.equals(IRequest.CMCREVOKE_REQUEST) || + requestType.equals(IRequest.UNREVOCATION_REQUEST))) { + continue; + } + if (i == 0 && id.equals(r.getRequestId().toString())) { + if (s == 1) { + break; + } else { + continue; + } + } + if (mRequests.size() < mMaxRequests) { + mRequests.addElement(r.getRequestId().toString()); + CMS.debug("getRequest added " + + r.getRequestType() + " request " + r.getRequestId().toString() + + " to mRequests: " + mRequests.size() + " (" + mMaxRequests + ")"); + } else { + break; + } + } + CMS.debug("getRequest done with adding requests to mRequests: " + mRequests.size()); + } else { + CMS.debug("getRequest has no access to the request queue"); + } + } + if (mRequests.size() > 0) { + id = (String) mRequests.elementAt(0); + if (id != null) { + CMS.debug("getRequest getting request: " + id); + if (mCA != null 
&& mRequestQueue == null) + mRequestQueue = mCA.getRequestQueue(); + if (mRequestQueue != null) { + try { + r = mRequestQueue.findRequest(new RequestId(id)); + mRequests.remove(0); + CMS.debug("getRequest request " + id + ((r != null) ? " found" : " not found")); + //updatePublishingStatus(id); + } catch (EBaseException e) { + CMS.debug("getRequest EBaseException " + e.toString()); + } + } else { + CMS.debug("getRequest has no access to the request queue"); + } + } + if (mRequests.size() == 0) { + mSearchForRequests = false; + } + } + CMS.debug("getRequest mRequests=" + mRequests.size() + " mSearchForRequests=" + mSearchForRequests + " done"); + + return r; + } + + /** + * Gets number of requests in publishing queue. + * + * @return number of requests in publishing queue + */ + public int getNumberOfRequests() { + return mRequests.size(); + } + + /** + * Checks if publishing queue is enabled. + * + * @return true if publishing queue is enabled, false otherwise + */ + public boolean isPublishingQueueEnabled() { + return mIsPublishingQueueEnabled; + } + + /** + * Removes a notifier thread from the pool of publishing queue threads. + * + * @param notifierThread Thread + */ + public void removeNotifierThread(Thread notifierThread) { + if (mNotifierThreads.size() > 0) { + mNotifierThreads.remove(notifierThread); + if (mNotifierThreads.size() == 0) { + mRequestQueue.setPublishingStatus("-1"); + } + } + CMS.debug("Number of publishing threads: " + mNotifierThreads.size()); + } + + /** + * Notifies all registered listeners about request. 
+ * + * @param r request + */ + public void notify(IRequest r) { + CMS.debug("ARequestNotifier notify mIsPublishingQueueEnabled=" + mIsPublishingQueueEnabled + + " mMaxThreads=" + mMaxThreads); + if (mIsPublishingQueueEnabled) { + addToNotify(r); + } else if (mMaxThreads == 0) { + Enumeration listeners = mListeners.elements(); + if (listeners != null && r != null) { + while (listeners.hasMoreElements()) { + IRequestListener l = (IRequestListener) listeners.nextElement(); + CMS.debug("RunListeners: IRequestListener = " + l.getClass().getName()); + l.accept(r); + } + } + } else { + // spawn a seperate thread to call the listeners and return. + try { + new Thread(new RunListeners(r, mListeners.elements())).start(); + } catch (Throwable e) { + + /* + CMS.getLogger().log( + ILogger.EV_SYSTEM, ILogger.S_REQQUEUE, ILogger.LL_FAILURE, + "Could not run listeners for request " + r.getRequestId() + + ". Error " + e + ";" + e.getMessage()); + */ + } + } + } + + /** + * Checks for available publishing connections + * + * @return true if there are available publishing connections, false otherwise + */ + private boolean checkAvailablePublishingConnections() { + boolean availableConnections = false; + + IPublisherProcessor pp = null; + if (mCA != null) + pp = mCA.getPublisherProcessor(); + if (pp != null && pp.enabled()) { + ILdapConnModule ldapConnModule = pp.getLdapConnModule(); + if (ldapConnModule != null) { + ILdapConnFactory ldapConnFactory = ldapConnModule.getLdapConnFactory(); + if (ldapConnFactory != null) { + CMS.debug("checkAvailablePublishingConnections maxConn: " + ldapConnFactory.maxConn() + + " totalConn: " + ldapConnFactory.totalConn()); + if (ldapConnFactory.maxConn() > ldapConnFactory.totalConn()) { + availableConnections = true; + } + } else { + CMS.debug("checkAvailablePublishingConnections ldapConnFactory is not accessible"); + } + } else { + CMS.debug("checkAvailablePublishingConnections ldapConnModule is not accessible"); + } + } else { + 
CMS.debug("checkAvailablePublishingConnections PublisherProcessor is not " + + ((pp != null) ? "enabled" : "accessible")); + } + + return availableConnections; + } + + /** + * Checks if more publishing threads can be added. + * + * @return true if more publishing threads can be added, false otherwise + */ + private boolean morePublishingThreads() { + boolean moreThreads = false; + + if (mNotifierThreads.size() == 0) { + moreThreads = true; + } else if (mNotifierThreads.size() < mMaxThreads) { + CMS.debug("morePublishingThreads (" + mRequests.size() + ">" + + ((mMaxRequests * mNotifierThreads.size()) / mMaxThreads) + + " " + "(" + mMaxRequests + "*" + mNotifierThreads.size() + "):" + mMaxThreads); + // gradually add new publishing threads + if (mRequests.size() > ((mMaxRequests * mNotifierThreads.size()) / mMaxThreads)) { + // check for available publishing connections + if (checkAvailablePublishingConnections()) { + moreThreads = true; + } + } + } + CMS.debug("morePublishingThreads moreThreads: " + moreThreads); + + return moreThreads; + } + + /** + * Notifies all registered listeners about request. 
+ * + * @param r request + */ + public synchronized void addToNotify(IRequest r) { + if (!mSearchForRequests) { + if (mRequests.size() < mMaxRequests) { + mRequests.addElement(r.getRequestId().toString()); + CMS.debug("addToNotify extended buffer to " + mRequests.size() + "(" + mMaxRequests + ")" + + " requests by adding request " + r.getRequestId().toString()); + if (morePublishingThreads()) { + try { + Thread notifierThread = new Thread(new RunListeners((IRequestNotifier) this)); + if (notifierThread != null) { + mNotifierThreads.addElement(notifierThread); + CMS.debug("Number of publishing threads: " + mNotifierThreads.size()); + if (mPublishingQueuePriority > 0) { + notifierThread.setPriority(mPublishingQueuePriority); + } + notifierThread.start(); + } + } catch (Throwable e) { + CMS.debug("addToNotify exception: " + e.toString()); + } + } + } else { + mSearchForRequests = true; + } + } + } + + /** + * Recovers publishing queue. + * + * @param id request request + */ + public void recoverPublishingQueue(String id) { + CMS.debug("recoverPublishingQueue mRequests.size()=" + mRequests.size() + "(" + mMaxRequests + ")" + + " requests by adding request " + id); + if (mRequests.size() == 0) { + mRequests.addElement(id); + CMS.debug("recoverPublishingQueue extended buffer to " + mRequests.size() + "(" + mMaxRequests + ")" + + " requests by adding request " + id); + if (morePublishingThreads()) { + mSearchForRequests = true; + try { + Thread notifierThread = new Thread(new RunListeners((IRequestNotifier) this)); + if (notifierThread != null) { + mNotifierThreads.addElement(notifierThread); + CMS.debug("Number of publishing threads: " + mNotifierThreads.size()); + if (mPublishingQueuePriority > 0) { + notifierThread.setPriority(mPublishingQueuePriority); + } + notifierThread.start(); + } + } catch (Throwable e) { + CMS.debug("recoverPublishingQueue exception: " + e.toString()); + } + } + } + } +} + +/** + * The RunListeners class implements Runnable interface. 
+ * This class executes notification of registered listeners. + */ +class RunListeners implements Runnable { + IRequest mRequest = null; + Enumeration mListeners = null; + IRequestNotifier mRequestNotifier = null; + + /** + * RunListeners class constructor. + * + * @param r request + * @param listeners list of listeners + */ + public RunListeners(IRequest r, Enumeration listeners) { + mRequest = r; + mListeners = listeners; + } + + /** + * RunListeners class constructor. + * + * @param r request + * @param listeners list of listeners + */ + public RunListeners(IRequestNotifier requestNotifier) { + mRequestNotifier = requestNotifier; + mListeners = mRequestNotifier.getListeners(); + } + + /** + * RunListeners thread implementation. + */ + public void run() { + CMS.debug("RunListeners::" + + ((mRequestNotifier != null && mRequestNotifier.getNumberOfRequests() > 0) ? " Queue: " + + mRequestNotifier.getNumberOfRequests() : " noQueue") + + " " + ((mRequest != null) ? " SingleRequest" : " noSingleRequest")); + do { + if (mRequestNotifier != null) + mRequest = (IRequest) mRequestNotifier.getRequest(); + if (mListeners != null && mRequest != null) { + while (mListeners.hasMoreElements()) { + IRequestListener l = (IRequestListener) mListeners.nextElement(); + CMS.debug("RunListeners: IRequestListener = " + l.getClass().getName()); + l.accept(mRequest); + } + if (mRequestNotifier != null) { + CMS.debug("RunListeners: mRequest = " + mRequest.getRequestId().toString()); + mRequestNotifier.updatePublishingStatus(mRequest.getRequestId().toString()); + } + } + CMS.debug("RunListeners: " + + ((mRequestNotifier != null && mRequestNotifier.getNumberOfRequests() > 0) ? " Queue: " + + mRequestNotifier.getNumberOfRequests() : " noQueue") + + " " + ((mRequest != null) ? 
" SingleRequest" : " noSingleRequest")); + if (mRequestNotifier != null) + mListeners = mRequestNotifier.getListeners(); + } while (mRequestNotifier != null && mRequestNotifier.getNumberOfRequests() > 0); + + if (mRequestNotifier != null) + mRequestNotifier.removeNotifierThread(Thread.currentThread()); + } +} diff --git a/base/common/src/com/netscape/certsrv/request/AgentApproval.java b/base/common/src/com/netscape/certsrv/request/AgentApproval.java new file mode 100644 index 000000000..eb3ca06a8 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/request/AgentApproval.java 
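Review bot: In `getRequest`, `mRequests.remove(0)` runs only after `findRequest` succeeds, so when `findRequest` throws `EBaseException`, or `mRequestQueue` is null and the `else` branch logs "has no access", the id stays at the head of `mRequests`; `RunListeners.run` then keeps looping on `while (mRequestNotifier.getNumberOfRequests() > 0)`, re-issuing the same failing lookup with a `CMS.debug` line per iteration and never letting the thread exit. Consuming the entry before the lookup — moving `mRequests.remove(0);` to directly after `id = (String) mRequests.elementAt(0);` and out of the `try` — limits a bad entry to a single attempt and lets the queue drain. Two related gaps: `removeNotifierThread` calls `mRequestQueue.setPublishingStatus("-1")` without the `mRequestQueue != null` guard the other methods use, and `setPublishingQueue` swallows every exception from `new BigInteger(mPublishingStatus)` in an empty `catch (Exception e) { }`, so a corrupt persisted status is silently treated as nothing-to-recover; a `CMS.debug` of the exception in that catch would at least make it visible. The same silent `catch (Throwable e)` with only commented-out logging sits in `notify` around `new Thread(...).start()`.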
@@ -0,0 +1,66 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.request;
+
+import java.io.Serializable;
+import java.util.Date;
+
+/**
+ * The AgentApproval class contains the record of a
+ * single agent approval.
+ *
+ * @version $Revision$, $Date$
+ */
+public class AgentApproval
+ implements Serializable {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -3444654917454805225L;
+
+ /**
+ * Returns the approving agent's user name.
+ *
+ * @return an identifier for the agent
+ */
+ public String getUserName() {
+ return mUserName;
+ }
+
+ /**
+ * Returns the date of the approval
+ *
+ * @return date and time of the approval
+ */
+ public Date getDate() {
+ return mDate;
+ }
+
+ /**
+ * AgentApproval class constructor
+ *
+ * @param userName user name of the approving agent
+ */
+ AgentApproval(String userName) {
+ mUserName = userName;
+ }
+
+ String mUserName;
+ Date mDate = new Date(); /* CMS.getCurrentDate(); */
+}
diff --git a/base/common/src/com/netscape/certsrv/request/AgentApprovals.java b/base/common/src/com/netscape/certsrv/request/AgentApprovals.java
new file mode 100644
index 000000000..d6fa41b8f
--- /dev/null
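Review bot: `getDate()` hands out the internal `mDate` object, and `java.util.Date` is mutable, so any caller holding the return value can rewrite the approval timestamp that `AgentApprovals.toStringVector()` later serialises. Returning a copy, `return new Date(mDate.getTime());`, keeps the record read-only through the public accessor while leaving the package-private field available to `AgentApprovals`, which assigns it directly. The Javadoc block above `serialVersionUID` is empty and should either say why the value is pinned or be dropped.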
+++ b/base/common/src/com/netscape/certsrv/request/AgentApprovals.java
@@ -0,0 +1,159 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.request;
+
+import java.io.Serializable;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Vector;
+
+/**
+ * A collection of AgentApproval objects.
+ *
+ *
+ * @version $Revision$, $Date$
+ */
+public class AgentApprovals
+ implements Serializable {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -3827259076159153561L;
+
+ /**
+ * Adds an approval to approval's list.
+ *

+ * If an approval is already present for this user, it is updated with a new date. Otherwise a new value is
+ * inserted.
+ *
+ * @param userName user name of the approving agent
+ */
+ public void addApproval(String userName) {
+ AgentApproval a = findApproval(userName);
+
+ // update existing approval
+ if (a != null) {
+ a.mDate = new Date(); /* CMS.getCurrentDate(); */
+ return;
+ }
+
+ a = new AgentApproval(userName);
+ mVector.addElement(a);
+ }
+
+ /**
+ * Removes an approval from approval's list.
+ *

+ * If there is no approval for this userName, this call does nothing.
+ *
+ * @param userName user name of the approving agent
+ */
+ public void removeApproval(String userName) {
+ AgentApproval a = findApproval(userName);
+
+ if (a != null)
+ mVector.removeElement(a);
+ }
+
+ /**
+ * Finds an existing AgentApproval for the named user.
+ *
+ * @param userName user name of the approving agent
+ * @return an AgentApproval object
+ */
+ public AgentApproval findApproval(String userName) {
+ AgentApproval a = null;
+
+ // search
+ for (int i = 0; i < mVector.size(); i++) {
+ a = mVector.elementAt(i);
+
+ if (a.mUserName.equals(userName))
+ break;
+ }
+
+ return a;
+ }
+
+ /**
+ * Returns an enumeration of the agent approvals
+ *
+ * @return an enumeration of the agent approvals
+ */
+ public Enumeration elements() {
+ return mVector.elements();
+ }
+
+ /**
+ * Returns the AgentApprovals as a Vector of strings.
+ * Each entry in the vector is of the format:
+ * epoch;username
+ * where epoch is the date.getTime()
+ *

+ * This is used for serialization in Request.setExtData().
+ *
+ * @return The string vector.
+ */
+ public Vector toStringVector() {
+ Vector retval = new Vector(mVector.size());
+ for (int i = 0; i < mVector.size(); i++) {
+ AgentApproval a = (AgentApproval) mVector.elementAt(i);
+ retval.add(a.getDate().getTime() + ";" + a.getUserName());
+ }
+
+ return retval;
+ }
+
+ /**
+ * Recreates an AgentApprovals instance from a Vector of strings that
+ * was created by toStringVector().
+ *
+ * @param stringVector The vector of strings to translate
+ * @return the AgentApprovals instance or null if it can't be translated.
+ */
+ public static AgentApprovals fromStringVector(Vector stringVector) {
+ if (stringVector == null) {
+ return null;
+ }
+ AgentApprovals approvals = new AgentApprovals();
+ for (int i = 0; i < stringVector.size(); i++) {
+ try {
+ String approvalString = stringVector.get(i);
+ String[] parts = approvalString.split(";", 2);
+ if (parts.length != 2) {
+ return null;
+ }
+ Long epoch = new Long(parts[0]);
+ Date date = new Date(epoch.longValue());
+
+ AgentApproval approval = new AgentApproval(parts[1]);
+ approval.mDate = date;
+
+ approvals.mVector.add(approval);
+ } catch (ClassCastException e) {
+ return null;
+ } catch (NumberFormatException e) {
+ return null;
+ }
+ }
+ return approvals;
+ }
+
+ protected Vector mVector = new Vector();
+}
diff --git a/base/common/src/com/netscape/certsrv/request/IEnrollmentRequest.java b/base/common/src/com/netscape/certsrv/request/IEnrollmentRequest.java
new file mode 100644
index 000000000..32c3f53a9
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/request/IEnrollmentRequest.java
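Review bot: `findApproval` returns the wrong entry when nothing matches: the loop assigns `a = mVector.elementAt(i)` before the comparison and only `break`s on a hit, so for an unknown `userName` against a non-empty list it returns the last approval instead of `null`. `addApproval` then refreshes that other agent's date instead of inserting a new record, and `removeApproval` removes another agent's approval, so both the count and the identity of recorded approvals can be silently wrong once more than one agent is involved. Returning from inside the loop and `null` after it fixes all three paths without changing the method's signature or the `@return` contract.
```java
    public AgentApproval findApproval(String userName) {
        for (int i = 0; i < mVector.size(); i++) {
            AgentApproval a = mVector.elementAt(i);
            if (a.mUserName.equals(userName))
                return a;
        }
        return null;
    }
```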
@@ -0,0 +1,30 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.request;
+
+/**
+ * An example of a more specialized request interface.
+ * This version (currently) doesn't supply any additional
+ * data, but is implementated only for testing and
+ * demonstration purposes.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IEnrollmentRequest
+ extends IRequest {
+}
diff --git a/base/common/src/com/netscape/certsrv/request/INotify.java b/base/common/src/com/netscape/certsrv/request/INotify.java
new file mode 100644
index 000000000..938cd855b
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/request/INotify.java
@@ -0,0 +1,40 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.request;
+
+/**
+ * The INotify interface defines operations that are invoked
+ * when a request is completely processed. A class implementing
+ * this interface may be registered with a IRequestQueue.
+ * The interface will be invoked when a request is completely
+ * serviced by the IService object.
+ *
+ * @version $Revision$ $Date$
+ */
+public interface INotify {
+
+ /**
+ * Provides notification that a request has been completed.
+ * The implementation may use values stored in the IRequest
+ * object, and may implement any type publishing (such as email
+ * or writing values into a directory)
+ *
+ * @param request the request that is completed.
+ */
+ public void notify(IRequest request);
+}
diff --git a/base/common/src/com/netscape/certsrv/request/IPolicy.java b/base/common/src/com/netscape/certsrv/request/IPolicy.java
new file mode 100644
index 000000000..9998abee7
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/request/IPolicy.java
@@ -0,0 +1,53 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.request;
+
+/**
+ * Interface to a policy. The policy evaluates the request for
+ * correctness and completeness. It may change or add to values
+ * stored in the request. The policy object also decides
+ * whether a request should be queue to await approval by
+ * an agent.
+ * FUTURE: In this case, the policy should set the
+ * 'agentGroup' entry in the request to indicate the group
+ * of agents allowed to perform further processing. If none
+ * is set, a default value ("defaultAgentGroup") will be
+ * set instead.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IPolicy {
+
+ /**
+ * Applies the policy check to the request. The policy should
+ * determine whether the request can be processed immediately,
+ * or should be held pending manual approval.
+ *

+ * The policy can update fields in the request, to add additional values or to restrict the values to pre-determined
+ * ranges.
+ *

+ *
+ * @param request
+ * the request to check
+ * @return
+ * a result code indicating the result of the evaluation. The
+ * processor will determine the next request processing step based
+ * on this value
+ */
+ PolicyResult apply(IRequest request);
+}
diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java b/base/common/src/com/netscape/certsrv/request/IRequest.java
new file mode 100644
index 000000000..e43856e2d
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/request/IRequest.java
@@ -0,0 +1,764 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.request;
+
+//import java.io.Serializable;
+
+import java.math.BigInteger;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.Locale;
+import java.util.Vector;
+
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.base.IAttrSet;
+
+/**
+ * An interface that defines abilities of request objects,
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IRequest {
+
+ public static final String REQ_VERSION = "requestVersion";
+
+ public static final String REQ_STATUS = "requestStatus";
+ public static final String REQ_TYPE = "requestType";
+ public static final String REQ_FORMAT = "requestFormat";
+
+ // request type values.
+ public static final String ENROLLMENT_REQUEST = "enrollment";
+ public static final String RENEWAL_REQUEST = "renewal";
+ public static final String REVOCATION_REQUEST = "revocation";
+ public static final String CMCREVOKE_REQUEST = "CMCRevReq";
+ public static final String UNREVOCATION_REQUEST = "unrevocation";
+ public static final String KEYARCHIVAL_REQUEST = "archival";
+ public static final String KEYRECOVERY_REQUEST = "recovery";
+ public static final String KEY_RECOVERY_REQUEST = "keyRecovery";
+ public static final String KEY_ARCHIVAL_REQUEST = "keyArchival";
+ public static final String GETCACHAIN_REQUEST = "getCAChain";
+ public static final String GETREVOCATIONINFO_REQUEST = "getRevocationInfo";
+ public static final String GETCRL_REQUEST = "getCRL";
+ public static final String GETCERTS_REQUEST = "getCertificates";
+ public static final String REVOCATION_CHECK_CHALLENGE_REQUEST = "revocationChallenge";
+ public static final String GETCERT_STATUS_REQUEST = "getCertStatus";
+ public static final String GETCERTS_FOR_CHALLENGE_REQUEST = "getCertsForChallenge";
+ public static final String CLA_CERT4CRL_REQUEST = "cert4crl";
+ public static final String CLA_UNCERT4CRL_REQUEST = "uncert4crl";
+ public static final String NETKEY_KEYGEN_REQUEST = "netkeyKeygen";
+ public static final String NETKEY_KEYRECOVERY_REQUEST = "netkeyKeyRecovery";
+
+ public static final String REQUESTOR_NAME = "csrRequestorName";
+ public static final String REQUESTOR_PHONE = "csrRequestorPhone";
+ public static final String REQUESTOR_EMAIL = "csrRequestorEmail";
+ public static final String REQUESTOR_COMMENTS = "csrRequestorComments";
+
+ // request attributes for all
+ public static final String AUTH_TOKEN = "AUTH_TOKEN";
+ public static final String HTTP_PARAMS = "HTTP_PARAMS";
+ public static final String HTTP_HEADERS = "HTTP_HEADERS";
+ // Params added by agents on agent approval page
+ public static final String AGENT_PARAMS = "AGENT_PARAMS";
+ // server attributes: attributes generated by server modules.
+ public static final String SERVER_ATTRS = "SERVER_ATTRS";
+
+ public static final String RESULT = "Result"; // service result.
+ public static final Integer RES_SUCCESS = Integer.valueOf(1); // result value
+ public static final Integer RES_ERROR = Integer.valueOf(2); // result value
+ public static final String REMOTE_SERVICE_AUTHORITY = "RemServiceAuthority";
+ public static final String SVCERRORS = "serviceErrors";
+ public static final String REMOTE_STATUS = "remoteStatus";
+ public static final String REMOTE_REQID = "remoteReqID";
+ public static final String CERT_STATUS = "certStatus";
+
+ // enrollment request attributes (from http request)
+ public static final String CERT_TYPE = "certType";
+ public static final String CRMF_REQID = "crmfReqId";
+ public static final String PKCS10_REQID = "pkcs10ReqId";
+ // CMC request attributes
+ public static final String CMC_REQIDS = "cmcReqIds";
+ public static final String CMC_TRANSID = "transactionId";
+ public static final String CMC_SENDERNONCE = "senderNonce";
+ public static final String CMC_RECIPIENTNONCE = "recipientNonce";
+ public static final String CMC_REGINFO = "regInfo";
+
+ // enrollment request attributes (generated internally)
+ // also used for renewal
+ public static final String CERT_INFO = "CERT_INFO";
+ public static final String ISSUED_CERTS = "issuedCerts";
+ public static final String REQUEST_TRUSTEDMGR_PRIVILEGE = "requestTrustedManagerPrivilege";
+ public static final String FINGERPRINTS = "fingerprints";
+
+ // enrollment request values
+ public static final String SERVER_CERT = "server";
+ public static final String CLIENT_CERT = "client";
+ public static final String CA_CERT = "ca";
+ public static final String RA_CERT = "ra";
+ public static final String OCSP_CERT = "ocsp";
+ public static final String OBJECT_SIGNING_CERT = "objSignClient";
+ public static final String OTHER_CERT = "other";
+ public static final String ROUTER_CERT = "router"; // deprecated
+ public static final String CEP_CERT = "CEP-Request";
+
+ // renewal request attributes. (internally set)
+ // also used for revocation
+ public static final String OLD_CERTS = "OLD_CERTS";
+ public static final String OLD_SERIALS = "OLD_SERIALS";
+ public static final String ISSUERDN = "issuerDN";
+
+ // revocation request attributes (internally set)
+ public static final String REVOKED_CERTS = "revokedCerts";
+ public static final String REVOKED_REASON = "revocationReason";
+ // CCA -> CLA request attributes
+ public static final String REVOKED_CERT_RECORDS = "revokedCertRecs";
+ // crl update status after a revocation.
+ public final static String CRL_UPDATE_STATUS = "crlUpdateStatus";
+ public final static String CRL_UPDATE_ERROR = "crlUpdateError";
+ public final static String CRL_PUBLISH_STATUS = "crlPublishStatus";
+ public final static String CRL_PUBLISH_ERROR = "crlPublishError";
+ public static final String REQUESTOR_TYPE = "requestorType";
+
+ // Netkey request attributes
+ public final static String NETKEY_ATTR_CUID = "CUID";
+ public final static String NETKEY_ATTR_USERID = "USERID";
+ public final static String NETKEY_ATTR_DRMTRANS_DES_KEY = "drm_trans_desKey";
+ public final static String NETKEY_ATTR_ARCHIVE_FLAG = "archive";
+ public final static String NETKEY_ATTR_SERVERSIDE_MUSCLE_FLAG = "serverSideMuscle";
+ public final static String NETKEY_ATTR_ENC_PRIVKEY_FLAG = "encryptPrivKey";
+ public final static String NETKEY_ATTR_USER_CERT = "cert";
+ public final static String NETKEY_ATTR_KEY_SIZE = "keysize";
+
+ //Security Data request attributes
+ public static final String SECURITY_DATA_ENROLLMENT_REQUEST = "securityDataEnrollment";
+ public static final String SECURITY_DATA_RECOVERY_REQUEST = "securityDataRecovery";
+ public static final String SECURITY_DATA_CLIENT_ID = "clientID";
+ public static final String SECURITY_DATA_TYPE = "dataType";
+ public static final String SECURITY_DATA_STATUS = "status";
+ public static final String SECURITY_DATA_TRANS_SESS_KEY = "transWrappedSessionKey";
+ public static final String SECURITY_DATA_SESS_PASS_PHRASE = "sessionWrappedPassphrase";
+ public static final String SECURITY_DATA_IV_STRING_IN = "iv_in";
+ public static final String SECURITY_DATA_IV_STRING_OUT = "iv_out";
+ public static final String SECURITY_DATA_SESS_WRAPPED_DATA = "sessWrappedSecData";
+ public static final String SECURITY_DATA_PASS_WRAPPED_DATA = "passPhraseWrappedData";
+
+
+ // requestor type values.
+ public static final String REQUESTOR_EE = "EE";
+ public static final String REQUESTOR_RA = "RA";
+ public static final String REQUESTOR_NETKEY_RA = "NETKEY_RA";
+ public static final String REQUESTOR_KRA = "KRA";
+ public static final String REQUESTOR_AGENT = "Agent";
+
+ // others (internally set)
+ public final static String CACERTCHAIN = "CACertChain";
+ public final static String CRL = "CRL";
+ public final static String DOGETCACHAIN = "doGetCAChain";
+ public final static String CERT_FILTER = "certFilter";
+
+ // used by policy
+ public static final String ERRORS = "errors";
+ public static final String SMIME = "SMIME";
+ public static final String OBJECT_SIGNING = "ObjectSigning";
+ public static final String SSL_CLIENT = "SSLClient";
+
+ /**
+ * Gets the primary identifier for this request.
+ *
+ * @return request id
+ */
+ RequestId getRequestId();
+
+ /**
+ * Gets the current state of this request.
+ *
+ * @return request status
+ */
+ RequestStatus getRequestStatus();
+
+ /**
+ * Gets the "sourceId" for the request. The sourceId is
+ * assigned by the originator of the request (for example,
+ * the EE servlet or the RA servlet.
+ *
+ * The sourceId should be unique so that it can be used to retrieve request later without knowing the locally
+ * assigned primary id (RequestID)
+ *
+ *
+ * @return
+ * the sourceId value (or null if none has been set)
+ */
+ public String getSourceId();
+
+ /**
+ * Sets the "sourceId" for this request. The request must be updated
+ * in the database for this change to take effect. This can be done
+ * by calling IRequestQueue.update() or by performing one of the
+ * other operations like processRequest or approveRequest.
+ *
+ * @param id source id for this request
+ */
+ public void setSourceId(String id);
+
+ /**
+ * Gets the current owner of this request.
+ *
+ * @return request owner
+ */
+ public String getRequestOwner();
+
+ /**
+ * Sets the current owner of this request.
+ *
+ * @param owner
+ * The new owner of this request. If this value is set to null
+ * there will be no current owner
+ */
+ public void setRequestOwner(String owner);
+
+ /**
+ * Gets the type of this request.
+ *
+ * @return request type
+ */
+ public String getRequestType();
+
+ /**
+ * Sets the type or this request.
+ *
+ * @param type request type
+ */
+ public void setRequestType(String type);
+
+ /**
+ * Gets the version of this request.
+ *
+ * @return request version
+ */
+ public String getRequestVersion();
+
+ /**
+ * Gets the time this request was created.
+ *
+ * @return request creation time
+ */
+ Date getCreationTime();
+
+ /**
+ * Gets the time this request was last modified (defined
+ * as updated in the queue) (See IRequestQueue.update)
+ *
+ * @return request last modification time
+ */
+ Date getModificationTime();
+
+ /*
+ * Attribute names for performing searches.
+ */
+ public final static String ATTR_REQUEST_OWNER = "requestOwner";
+ public final static String ATTR_REQUEST_STATUS = "requestStatus";
+ public final static String ATTR_SOURCE_ID = "requestSourceId";
+ public final static String ATTR_REQUEST_TYPE = "requestType";
+
+ /*
+ * Other attributes stored in the attribute set
+ */
+ public final static String UPDATED_BY = "updatedBy";
+ // String error messages
+ public static final String ERROR = "Error";
+
+ /**
+ * Copies meta attributes (excluding request Id, etc.) of another request
+ * to this request.
+ *
+ * @param req another request
+ */
+ public void copyContents(IRequest req);
+
+ /**
+ * Gets context of this request.
+ *
+ * @return request context
+ */
+ public String getContext();
+
+ /**
+ * Sets context of this request.
+ *
+ * @param ctx request context
+ */
+ public void setContext(String ctx);
+
+ /**
+ * Sets status of this request.
+ *
+ * @param s request status
+ */
+ public void setRequestStatus(RequestStatus s);
+
+ /**
+ * Gets status of connector transfer.
+ *
+ * @return status of connector transfer
+ */
+ public boolean isSuccess();
+
+ /**
+ * Gets localized error message from connector transfer.
+ *
+ * @param locale request locale
+ * @return error message from connector transfer
+ */
+ public String getError(Locale locale);
+
+ /**************************************************************
+ * ExtData data methods:
+ *
+ * These methods should be used in place of the mAttrData methods
+ * deprecated above.
+ *
+ * These methods all store Strings in LDAP. This means they can no longer
+ * be used as a garbage dump for all sorts of objects. A limited number
+ * of helper methods are provided for Vectors/Arrays/Hashtables but the
+ * keys and values for all of these should be Strings.
+ *
+ * The keys are used in the LDAP attribute names, and so much obey LDAP
+ * key syntax rules: A-Za-z0-9 and hyphen.
+ */
+
+ /**
+ * Sets an Extended Data string-key string-value pair.
+ * All keys are lower cased because LDAP does not preserve case.
+ *
+ * @param key The extended data key
+ * @param value The extended data value
+ * @return false if key is invalid.
+ */
+ public boolean setExtData(String key, String value);
+
+ /**
+ * Sets an Extended Data string-key string-value pair.
+ * The key and hashtable keys are all lowercased because LDAP does not
+ * preserve case.
+ *
+ * @param key The extended data key
+ * @param value The extended data value
+ * the Hashtable contains an illegal key.
+ * @return false if the key or hashtable keys are invalid
+ */
+ public boolean setExtData(String key, Hashtable value);
+
+ /**
+ * Checks whether the key is storing a simple String value, or a complex
+ * (Vector/hashtable) structure.
+ *
+ * @param key The key to check for.
+ * @return True if the key maps to a string. False if it maps to a
+ * hashtable.
+ */
+ public boolean isSimpleExtDataValue(String key);
+
+ /**
+ * Returns the String value stored for the String key. Returns null
+ * if not found. Throws exception if key stores a complex data structure
+ * (Vector/Hashtable).
+ *
+ * @param key The key to lookup (case-insensitive)
+ * @return The value associated with the key. null if not found or if the
+ * key is associated with a non-string value.
+ */
+ public String getExtDataInString(String key);
+
+ /**
+ * Returns the Hashtable value for the String key. Returns null if not
+ * found. Throws exception if the key stores a String value.
+ *
+ * The Hashtable returned is actually a subclass of Hashtable that
+ * lowercases all keys used to access the hashtable. Its purpose is to
+ * to make lookups seemless, but be aware it is not a normal hashtable and
+ * might behave strangely in some cases (e.g., iterating keys)
+ *
+ * @param key The key to lookup (case-insensitive)
+ * @return The hashtable value associated with the key. null if not found
+ * or if the key is associated with a string-value.
+ */
+ public Hashtable getExtDataInHashtable(String key);
+
+ /**
+ * Returns all the keys stored in ExtData
+ *
+ * @return Enumeration of all the keys.
+ */
+ public Enumeration getExtDataKeys();
+
+ /**
+ * Stores an array of Strings in ExtData.
+ * The indices of the array are used as subkeys.
+ *
+ * @param key the ExtData key
+ * @param values the array of string values to store
+ * @return False if the key is invalid
+ */
+ public boolean setExtData(String key, String[] values);
+
+ /**
+ * Retrieves an array of Strings stored with the key.
+ * This only works if the data was stored as an array. If the data
+ * is not correct, this method will return null.
+ *
+ * @param key The ExtData key
+ * @return The value. Null if not found or the data isn't an array.
+ */
+ public String[] getExtDataInStringArray(String key);
+
+ /**
+ * Removes the value of an extdata attribute.
+ *
+ * @param type key to delete
+ */
+ void deleteExtData(String type);
+
+ /*****************************
+ * Helper methods for ExtData
+ ****************************/
+
+ /**
+ * Helper method to add subkey/value pair to a ExtData hashtable.
+ * If the hashtable it exists, the subkey/value are added to it. Otherwise
+ * a new hashtable is created.
+ *
+ * The key and subkey are lowercased because LDAP does not preserve case.
+ *
+ * @param key The top level key
+ * @param subkey The hashtable data key
+ * @param value The hashtable value
+ * @return False if the key or subkey are invalid
+ */
+ public boolean setExtData(String key, String subkey, String value);
+
+ /**
+ * Helper method to retrieve an individual value from a Hashtable value.
+ *
+ * @param key the ExtData key
+ * @param subkey the key in the Hashtable value (case insensitive)
+ * @return the value corresponding to the key/subkey
+ */
+ public String getExtDataInString(String key, String subkey);
+
+ /**
+ * Helper method to store an Integer value. It converts the integer value
+ * to a String and stores it.
+ *
+ * @param key the ExtData key
+ * @param value the Integer to store (as a String)
+ * @return False if the key or value are invalid
+ */
+ public boolean setExtData(String key, Integer value);
+
+ /**
+ * Retrieves an integer value. Returns null if not found or
+ * the value can't be represented as an Integer.
+ *
+ * @param key The ExtData key to lookup
+ * @return The integer value or null if not possible.
+ */
+ public Integer getExtDataInInteger(String key);
+
+ /**
+ * Stores an array of Integers
+ *
+ * @param key The extdata key
+ * @param values The array of Integers to store
+ * @return false if the key is invalid
+ */
+ public boolean setExtData(String key, Integer[] values);
+
+ /**
+ * Retrieves an array of Integers
+ *
+ * @param key The extdata key
+ * @return The array of Integers or null on error.
+ */
+ public Integer[] getExtDataInIntegerArray(String key);
+
+ /**
+ * Helper method to store a BigInteger value. It converts the integer value
+ * to a String and stores it.
+ *
+ * @param key the ExtData key
+ * @param value the BigInteger to store (as a String)
+ * @return False if the key or value are invalid
+ */
+ public boolean setExtData(String key, BigInteger value);
+
+ /**
+ * Retrieves a BigInteger value. Returns null if not found or
+ * the value can't be represented as a BigInteger.
+ *
+ * @param key The ExtData key to lookup
+ * @return The integer value or null if not possible.
+ */
+ public BigInteger getExtDataInBigInteger(String key);
+
+ /**
+ * Stores an array of BigIntegers
+ *
+ * @param key The extdata key
+ * @param values The array of BigIntegers to store
+ * @return false if the key is invalid
+ */
+ public boolean setExtData(String key, BigInteger[] values);
+
+ /**
+ * Retrieves an array of BigIntegers
+ *
+ * @param key The extdata key
+ * @return The array of BigIntegers or null on error.
+ */
+ public BigInteger[] getExtDataInBigIntegerArray(String key);
+
+ /**
+ * Helper method to store an exception.
+ * It actually stores the e.toString() value.
+ *
+ * @param key The ExtData key to store under
+ * @param e The throwable to store
+ * @return False if the key is invalid.
+ */
+ public boolean setExtData(String key, Throwable e);
+
+ /**
+ * Stores a byte array as base64 encoded text
+ *
+ * @param key The ExtData key
+ * @param data The byte array to store
+ * @return False if the key is invalid.
+ */
+ public boolean setExtData(String key, byte[] data);
+
+ /**
+ * Retrieves the data, which should be base64 encoded as a byte array.
+ *
+ * @param key The ExtData key
+ * @return The data, or null if an error occurs.
+ */
+ public byte[] getExtDataInByteArray(String key);
+
+ /**
+ * Stores a X509CertImpl as base64 encoded text using the getEncode()
+ * method.
+ *
+ * @param key The ExtData key
+ * @param data certificate
+ * @return False if the key is invalid.
+ */
+ public boolean setExtData(String key, X509CertImpl data);
+
+ /**
+ * Retrieves the data, which should be base64 encoded as a byte array.
+ *
+ * @param key The ExtData key
+ * @return The data, or null if an error occurs.
+ */
+ public X509CertImpl getExtDataInCert(String key);
+
+ /**
+ * Stores an array of X509CertImpls as a base64 encoded text.
+ *
+ * @param key The ExtData key
+ * @param data The array of certs to store
+ * @return False if the key or data is invalid.
+ */
+ public boolean setExtData(String key, X509CertImpl[] data);
+
+ /**
+ * Retrieves an array of X509CertImpl.
+ *
+ * @param key The ExtData key
+ * @return Array of certs, or null if not found or invalid data.
+ */
+ public X509CertImpl[] getExtDataInCertArray(String key);
+
+ /**
+ * Stores a X509CertInfo as base64 encoded text using the getEncodedInfo()
+ * method.
+ *
+ * @param key The ExtData key
+ * @param data certificate
+ * @return False if the key is invalid.
+ */
+ public boolean setExtData(String key, X509CertInfo data);
+
+ /**
+ * Retrieves the data, which should be base64 encoded as a byte array.
+ *
+ * @param key The ExtData key
+ * @return The data, or null if an error occurs.
+ */
+ public X509CertInfo getExtDataInCertInfo(String key);
+
+ /**
+ * Stores an array of X509CertInfos as a base64 encoded text.
+ *
+ * @param key The ExtData key
+ * @param data The array of cert infos to store
+ * @return False if the key or data is invalid.
+ */
+ public boolean setExtData(String key, X509CertInfo[] data);
+
+ /**
+ * Retrieves an array of X509CertInfo.
+ *
+ * @param key The ExtData key
+ * @return Array of cert infos, or null if not found or invalid data.
+ */
+ public X509CertInfo[] getExtDataInCertInfoArray(String key);
+
+ /**
+ * Stores an array of RevokedCertImpls as a base64 encoded text.
+ *
+ * @param key The ExtData key
+ * @param data The array of cert infos to store
+ * @return False if the key or data is invalid.
+ */
+ public boolean setExtData(String key, RevokedCertImpl[] data);
+
+ /**
+ * Retrieves an array of RevokedCertImpl.
+ *
+ * @param key The ExtData key
+ * @return Array of cert infos, or null if not found or invalid data.
+ */
+ public RevokedCertImpl[] getExtDataInRevokedCertArray(String key);
+
+ /**
+ * Stores the contents of the String Vector in ExtData.
+ * TODO - as soon as we're allowed to use JDK5 this should be changed
+ * to use Vector data.
+ *
+ * Note that modifications to the Vector are not automatically reflected
+ * after it is stored. You must call set() again to make the changes.
+ *
+ * @param key The extdata key to store
+ * @param data A vector of Strings to store
+ * @return False on key error or invalid data.
+ */
+ public boolean setExtData(String key, Vector data);
+
+ /**
+ * Returns a vector of strings for the key.
+ * Note that the returned vector, if modified, does not make changes
+ * in ExtData. You must call setExtData() to propogate changes back
+ * into ExtData.
+ *
+ * @param key The extdata key
+ * @return A Vector of strings, or null on error.
+ */
+ public Vector getExtDataInStringVector(String key);
+
+ /**
+ * Gets boolean value for given type or default value
+ * if attribute is absent.
+ *
+ * @param type attribute type
+ * @param defVal default attribute value
+ * @return attribute value
+ */
+ boolean getExtDataInBoolean(String type, boolean defVal);
+
+ /**
+ * Gets extdata boolean value for given type or default value
+ * if attribute is absent for this request with this prefix.
+ *
+ * @param prefix request prefix
+ * @param type attribute type
+ * @param defVal default attribute value
+ * @return attribute value
+ */
+ public boolean getExtDataInBoolean(String prefix, String type, boolean defVal);
+
+ /**
+ * Stores an AuthToken the same as a Hashtable.
+ *
+ * @param key The ExtData key
+ * @param data The authtoken to store
+ * @return False if the key or data is invalid.
+ */
+ public boolean setExtData(String key, IAuthToken data);
+
+ /**
+ * Retrieves an authtoken.
+ *
+ * @param key The ExtData key
+ * @return AuthToken, or null if not found or invalid data.
+ */
+ public IAuthToken getExtDataInAuthToken(String key);
+
+ /**
+ * Stores a CertificateExtensions in extdata.
+ *
+ * @param key The ExtData key
+ * @param data The CertificateExtensions to store
+ * @return False if the key or data is invalid.
+ */
+ public boolean setExtData(String key, CertificateExtensions data);
+
+ /**
+ * Retrieves the CertificateExtensions associated with the key.
+ *
+ * @param key The ExtData key
+ * @return the object, or null if not found or invalid data.
+ */
+ public CertificateExtensions getExtDataInCertExts(String key);
+
+ /**
+ * Stores a CertificateSubjectName in extdata.
+ *
+ * @param key The ExtData key
+ * @param data The CertificateSubjectName to store
+ * @return False if the key or data is invalid.
+ */
+ public boolean setExtData(String key, CertificateSubjectName data);
+
+ /**
+ * Retrieves the CertificateSubjectName associated with the key.
+ *
+ * @param key The ExtData key
+ * @return the object, or null if not found or invalid data.
+ */
+ public CertificateSubjectName getExtDataInCertSubjectName(String key);
+
+ /**
+ * This method returns an IAttrSet wrapper for the IRequest.
+ * Use of this method is strongly discouraged. It provides extremely
+ * limited functionality, and is only provided for the two places IRequest
+ * is being used as such in the code. If you are considering using this
+ * method, please don't.
+ *
+ * @return IAttrSet wrapper with basic "get" functionality.
+ * @deprecated
+ */
+ public IAttrSet asIAttrSet();
+
+}
diff --git a/base/common/src/com/netscape/certsrv/request/IRequestList.java b/base/common/src/com/netscape/certsrv/request/IRequestList.java
new file mode 100644
index 000000000..5f265941a
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/request/IRequestList.java
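Review bot: The Javadoc for `getExtDataInString(String)` and `getExtDataInHashtable(String)` contradicts itself: the summary says an exception is thrown when the key holds the other kind of value, while the `@return` line says null is returned in that case, so implementers and callers cannot tell which contract applies; pick one and, if it is an exception, name the type with `@throws`. The `@deprecated` tag on `asIAttrSet()` names no replacement; a line such as `@deprecated use the typed {@code getExtData*} accessors instead` would make the tag actionable. `setExtData(String, Hashtable)`, `getExtDataInHashtable`, `getExtDataKeys`, `setExtData(String, Vector)` and `getExtDataInStringVector` use raw types although the section header states that keys and values are all Strings; `Hashtable<String, String>`, `Enumeration<String>` and `Vector<String>` would put that contract in the signatures. `setExtData(String, Throwable)` documents that it stores `e.toString()` in the request record; since that record is persisted, it may be worth documenting that implementations should store a message fit for the record rather than one carrying detail meant only for logs, but whether the persisted record is exposed further is not visible from this hunk.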
@@ -0,0 +1,56 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.request;
+
+import java.util.Enumeration;
+
+/**
+ * An interface providing a list of RequestIds that match
+ * some criteria. It could be a list of all elements in a
+ * queue, or just some defined sub-set.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IRequestList
+ extends Enumeration {
+
+ /**
+ * Gets the next RequestId from this list. null is
+ * returned when there are no more elements in the list.
+ *
+ * Callers should be sure there is another element in the list by calling hasMoreElements first.
+ *
+ *
+ * @return next request id
+ */
+ RequestId nextRequestId();
+
+ /**
+ * Gets next request from the list.
+ *
+ * @return next request
+ */
+ public Object nextRequest();
+
+ /**
+ * Gets next request Object from the list.
+ *
+ * @return next request
+ */
+ public IRequest nextRequestObject();
+}
diff --git a/base/common/src/com/netscape/certsrv/request/IRequestListener.java b/base/common/src/com/netscape/certsrv/request/IRequestListener.java
new file mode 100644
index 000000000..8dc8a42a9
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/request/IRequestListener.java
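Review bot: The Javadoc for `nextRequest()` ("Gets next request from the list") and `nextRequestObject()` ("Gets next request Object from the list") does not say how the two differ, even though one returns `Object` and the other `IRequest`; each should state what `nextRequest()` actually yields and when a caller should prefer one over the other. The null-on-exhaustion behaviour documented for `nextRequestId()` is not stated for the other two methods, so callers cannot tell whether they also return null or throw like `Enumeration.nextElement()`. The interface also extends raw `Enumeration`; if `nextElement()` is meant to yield a `RequestId`, `extends Enumeration<RequestId>` would document that, but the element type is not visible in this hunk and should be confirmed against the implementation first.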
@@ -0,0 +1,54 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.request;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.ISubsystem;
+
+/**
+ * An interface that defines abilities of request listener,
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IRequestListener {
+
+ /**
+ * Initializes request listener for the specific subsystem
+ * and configuration store.
+ *
+ * @param sub subsystem
+ * @param config configuration store
+ */
+ public void init(ISubsystem sub, IConfigStore config) throws EBaseException;
+
+ /**
+ * Accepts request.
+ *
+ * @param request request
+ */
+ public void accept(IRequest request);
+
+ /**
+ * Sets attribute.
+ *
+ * @param name attribute name
+ * @param val attribute value
+ */
+ public void set(String name, String val);
+}
diff --git a/base/common/src/com/netscape/certsrv/request/IRequestNotifier.java b/base/common/src/com/netscape/certsrv/request/IRequestNotifier.java
new file mode 100644
index 000000000..66bd35432
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/request/IRequestNotifier.java
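Review bot: `init(ISubsystem, IConfigStore)` declares `throws EBaseException` but its Javadoc has no `@throws` entry, so the failure condition is undocumented; adding `@throws EBaseException if the listener cannot be initialized from the given configuration` (the exact condition is not visible here and should be taken from the implementations) would complete the contract. `accept(IRequest)` and `set(String, String)` carry only one-word summaries ("Accepts request.", "Sets attribute."); neither says whether `accept` may block or throw, nor which attribute names `set` recognises, which is what an implementer of this interface needs to know.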
@@ -0,0 +1,130 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.request;
+
+import java.util.Enumeration;
+
+/**
+ * IRequestNotifier interface defines methods to register listeners,
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IRequestNotifier extends INotify {
+
+ /**
+ * Registers a request listener.
+ *
+ * @param listener listener to be registered
+ */
+ public void registerListener(IRequestListener listener);
+
+ /**
+ * Registers a request listener.
+ *
+ * @param name listener name
+ * @param listener listener to be registered
+ */
+ public void registerListener(String name, IRequestListener listener);
+
+ /**
+ * Removes listener from the list of registered listeners.
+ *
+ * @param listener listener to be removed from the list
+ */
+ public void removeListener(IRequestListener listener);
+
+ /**
+ * Removes listener from the list of registered listeners.
+ *
+ * @param name listener name to be removed from the list
+ */
+ public void removeListener(String name);
+
+ /**
+ * Gets list of listener names.
+ *
+ * @return enumeration of listener names
+ */
+ public Enumeration getListenerNames();
+
+ /**
+ * Gets listener from the list of registered listeners.
+ *
+ * @param name listener name
+ * @return listener
+ */
+ public IRequestListener getListener(String name);
+
+ /**
+ * Gets list of listeners.
+ *
+ * @return enumeration of listeners
+ */
+ public Enumeration getListeners();
+
+ /**
+ * Gets request from publishing queue.
+ *
+ * @return request
+ */
+ public IRequest getRequest();
+
+ /**
+ * Gets number of requests in publishing queue.
+ *
+ * @return number of requests in publishing queue
+ */
+ public int getNumberOfRequests();
+
+ /**
+ * Checks if publishing queue is enabled.
+ *
+ * @return true if publishing queue is enabled, false otherwise
+ */
+ public boolean isPublishingQueueEnabled();
+
+ /**
+ * Removes a notifier thread from the pool of publishing queue threads.
+ *
+ * @param notifierThread Thread
+ */
+ public void removeNotifierThread(Thread notifierThread);
+
+ /**
+ * Notifies all registered listeners about request.
+ *
+ * @param r request
+ */
+ public void addToNotify(IRequest r);
+
+ /**
+ * Sets publishing queue parameters.
+ *
+ * @param isPublishingQueueEnabled publishing queue switch
+ * @param publishingQueuePriorityLevel publishing queue priority level
+ * @param maxNumberOfPublishingThreads maximum number of publishing threads
+ * @param publishingQueuePageSize publishing queue page size
+ */
+ public void setPublishingQueue(boolean isPublishingQueueEnabled,
+ int publishingQueuePriorityLevel,
+ int maxNumberOfPublishingThreads,
+ int publishingQueuePageSize,
+ int savePublishingStatus);
+
+ public void updatePublishingStatus(String id);
+}
diff --git a/base/common/src/com/netscape/certsrv/request/IRequestQueue.java b/base/common/src/com/netscape/certsrv/request/IRequestQueue.java
new file mode 100644
index 000000000..a8f5f7332
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/request/IRequestQueue.java
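Review bot: `setPublishingQueue` takes five parameters but its Javadoc documents only four; `savePublishingStatus` has no `@param` entry, and since it is an `int` next to a `boolean` switch its meaning (an interval, a count, a flag) cannot be read off the signature, so a `@param savePublishingStatus` line giving its units or accepted values is needed. `updatePublishingStatus(String id)` at the end of the interface is the only method in the file with no Javadoc; a one-line summary such as `/** Updates the publishing status recorded for the request with the given id. */` would keep the file consistent, assuming that is what implementations do — the body is not visible here. `getListenerNames()` and `getListeners()` return raw `Enumeration`; the adjacent Javadoc already implies `Enumeration<String>` and `Enumeration<IRequestListener>`, and putting that in the signatures would spare callers the cast.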
@@ -0,0 +1,403 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.request; + +import java.math.BigInteger; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.dbs.repository.IRepository; + +/** + * The IRequestQueue interface defines the operations on + * a collection of requests within the certificate server. + * There are may several collections, such as KRA, RA and CA + * requests. Each of these request collection has a defined + * set of policies, a notification service (for request + * completion) and a service routine. The request queue + * provides an interface for creating and viewing requests, + * as well as performing operations on them. + *

+ * + * @version $Revision$ $Date$ + */ +public interface IRequestQueue { + + /** + * Creates a new request object. A request id is + * assigned to it - see IRequest.getRequestId, and + * the status is set to RequestStatus.BEGIN + *

+ * The request is LOCKED. The caller MUST release the request object by calling releaseRequest(). + *

+ * TODO: provide other required values (such as type and sourceId) + * + * @param requestType request type + * @return new request + * @exception EBaseException failed to create new request + */ + public IRequest newRequest(String requestType) + throws EBaseException; + + /** + * Clones a request object. A new request id is assigned + * and all attributes of the request is copied to cloned request, + * except for the sourceID of the original request + * (remote authority's request Id). + *

+ * The cloned request that is returned is LOCKED. The caller MUST release the request object by calling + * releaseRequest(). + * + * @param r request to be cloned + * @return cloned request + * @exception EBaseException failed to clone request + */ + public IRequest cloneRequest(IRequest r) + throws EBaseException; + + /** + * Gets the Request corresponding to id. + * Returns null if the id does not correspond + * to a valid request id. + *

+ * Errors may be generated for other conditions. + * + * @param id request id + * @return found request + * @exception EBaseException failed to access request queue + */ + public IRequest findRequest(RequestId id) + throws EBaseException; + + /** + * Begins processing for this request. This call + * is valid only on requests with status BEGIN + * An error is generated for other cases. + * + * @param req request to be processed + * @exception EBaseException failed to process request + */ + public void processRequest(IRequest req) + throws EBaseException; + + /** + * Sets request scheduler. + * + * @param scheduler request scheduler + */ + public void setRequestScheduler(IRequestScheduler scheduler); + + /** + * Gets request scheduler. + * + * @return request scheduler + */ + public IRequestScheduler getRequestScheduler(); + + /** + * Puts a new request into the PENDING state. This call is + * only valid for requests with status BEGIN. An error is + * generated for other cases. + *

+ * This call might be used by agent servlets that want to copy a previous request, and resubmit it. By putting it + * into PENDING state, the normal agent screens can be used for further processing. + * + * @param req + * the request to mark PENDING + * @exception EBaseException failed to mark request as pending + */ + public void markRequestPending(IRequest req) + throws EBaseException; + + /** + * Clones a request object and mark it pending. A new request id is assigned + * and all attributes of the request is copied to cloned request, + * except for the sourceID of the original request + * (remote authority's request Id). + *

+ * The cloned request that is returned is LOCKED. The caller MUST release the request object by calling + * releaseRequest(). + * + * @param r request to be cloned + * @return cloned request mark PENDING + * @exception EBaseException failed to clone or mark request + */ + public IRequest cloneAndMarkPending(IRequest r) + throws EBaseException; + + /** + * Approves a request. The request must be locked. + *

+ * This call will fail if: the request is not in PENDING state the policy modules do not accept the request + *

+ * If the policy modules reject the request, then the request will remain in the PENDING state. Messages from the + * policy module can be display to the agent to indicate the source of the problem. + *

+ * The request processing code adds an AgentApproval to this request that contains the authentication id of the + * agent. This data is retrieved from the Session object (qv). + * + * @param request + * the request that is being approved + * @exception EBaseException failed to approve request + */ + public void approveRequest(IRequest request) + throws EBaseException; + + /** + * Rejects a request. The request must be locked. + *

+ * This call will fail if: the request is not in PENDING state + *

+ * The agent servlet (or other application) may wish to store AgentMessage values to indicate the reason for the + * action + * + * @param request + * the request that is being rejected + * @exception EBaseException failed to reject request + */ + public void rejectRequest(IRequest request) + throws EBaseException; + + /** + * Cancels a request. The request must be locked. + *

+ * This call will fail if: the request is not in PENDING state + *

+ * The agent servlet (or other application) may wish to store AgentMessage values to indicate the reason for the + * action + * + * @param request + * the request that is being canceled + * @exception EBaseException failed to cancel request + */ + public void cancelRequest(IRequest request) + throws EBaseException; + + /** + * Updates the request in the permanent data store. + *

+ * This call can be made after changing a value like source id or owner, to force the new value to be written. + *

+ * The request must be locked to make this call. + * + * @param request + * the request that is being updated + * @exception EBaseException failed to update request + */ + public void updateRequest(IRequest request) + throws EBaseException; + + /** + * Returns an enumerator that lists all RequestIds in the + * queue. The caller should use the RequestIds to locate + * each request by calling findRequest(). + *

+ * NOTE: This interface will not be useful for large databases. This needs to be replace by a VLV (paged) search + * object. + * + * @return request list + */ + public IRequestList listRequests(); + + /** + * Returns an enumerator that lists all RequestIds for requests + * that are in the given status. For example, all the PENDING + * requests could be listed by specifying RequestStatus.PENDING + * as the status argument + *

+ * NOTE: This interface will not be useful for large databases. This needs to be replace by a VLV (paged) search + * object. + * + * @param status request status + * @return request list + */ + public IRequestList listRequestsByStatus(RequestStatus status); + + /** + * Returns an enumerator that lists all RequestIds for requests + * that match the filter. + *

+ * NOTE: This interface will not be useful for large databases. This needs to be replace by a VLV (paged) search + * object. + * + * @param filter search filter + * @return request list + */ + public IRequestList listRequestsByFilter(String filter); + + /** + * Returns an enumerator that lists all RequestIds for requests + * that match the filter. + *

+ * NOTE: This interface will not be useful for large databases. This needs to be replace by a VLV (paged) search + * object. + * + * @param filter search filter + * @param maxSize max size to return + * @return request list + */ + public IRequestList listRequestsByFilter(String filter, int maxSize); + + /** + * Returns an enumerator that lists all RequestIds for requests + * that match the filter. + *

+ * NOTE: This interface will not be useful for large databases. This needs to be replace by a VLV (paged) search + * object. + * + * @param filter search filter + * @param maxSize max size to return + * @param timeLimit timeout value for the search + * @return request list + */ + public IRequestList listRequestsByFilter(String filter, int maxSize, int timeLimit); + + /** + * Gets requests that are pending on handling by the service + *

+ * + * @return list of pending requests + */ + // public IRequestList listServicePendingRequests(); + + /** + * Locates a request from the SourceId. + * + * @param id + * a unique identifier for the record that is based on the source + * of the request, and possibly an identify assigned by the source. + * @return + * The requestid corresponding to this source id. null is + * returned if the source id does not exist. + */ + public RequestId findRequestBySourceId(String id); + + /** + * Locates all requests with a particular SourceId. + *

+ * + * @param id + * an identifier for the record that is based on the source + * of the request + * @return + * A list of requests corresponding to this source id. null is + * returned if the source id does not exist. + */ + public IRequestList findRequestsBySourceId(String id); + + /** + * Releases the LOCK on a request obtained from findRequest() or + * newRequest() + *

+ * + * @param r request + */ + public void releaseRequest(IRequest r); + + /** + * Marks as serviced after destination authority has serviced request. + * Used by connector. + * + * @param r request + */ + public void markAsServiced(IRequest r); + + /** + * Resends requests + */ + public void recover(); + + /** + * Gets a pageable list of IRequest entries in this queue. + * + * @param pageSize page size + * @return request list + */ + public IRequestVirtualList getPagedRequests(int pageSize); + + /** + * Gets a pageable list of IRequest entries in this queue. + * + * @param filter search filter + * @param pageSize page size + * @param sortKey the attributes to sort by + * @return request list + */ + public IRequestVirtualList getPagedRequestsByFilter(String filter, + int pageSize, + String sortKey); + + /** + * Gets a pageable list of IRequest entries in this queue. + * + * @param fromId request id to start with + * @param filter search filter + * @param pageSize page size + * @param sortKey the attributes to sort by + * @return request list + */ + public IRequestVirtualList getPagedRequestsByFilter(RequestId fromId, + String filter, + int pageSize, + String sortKey); + + /** + * Gets a pageable list of IRequest entries in this queue. This + * jumps right to the end of the list + * + * @param fromId request id to start with + * @param jumpToEnd jump to end of list (set fromId to null) + * @param filter search filter + * @param pageSize page size + * @param sortKey the attributes to sort by + * @return request list + */ + public IRequestVirtualList getPagedRequestsByFilter(RequestId fromId, + boolean jumpToEnd, String filter, + int pageSize, + String sortKey); + + /** + * Retrieves the notifier for pending request. + * + * @return notifier for pending request + */ + public INotify getPendingNotify(); + + public BigInteger getLastRequestIdInRange(BigInteger reqId_low_bound, BigInteger reqId_upper_bound); + + /** + * Resets serial number. 
+ */ + public void resetSerialNumber(BigInteger serial) throws EBaseException; + + /** + * Removes all objects with this repository. + */ + public void removeAllObjects() throws EBaseException; + + /** + * Gets request repository. + * + * @return request repository + */ + public IRepository getRequestRepository(); + + public String getPublishingStatus(); + + public void setPublishingStatus(String status); +} diff --git a/base/common/src/com/netscape/certsrv/request/IRequestRecord.java b/base/common/src/com/netscape/certsrv/request/IRequestRecord.java new file mode 100644 index 000000000..53531b133 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/request/IRequestRecord.java @@ -0,0 +1,112 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.request; + +import java.util.Enumeration; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.dbs.IDBObj; + +/** + * A request record is the stored version of a request. + * It has a set of attributes that are mapped into LDAP + * attributes for actual directory operations. + *
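Review bot: `getLastRequestIdInRange(BigInteger reqId_low_bound, BigInteger reqId_upper_bound)` has no Javadoc and uses snake_case parameter names while the rest of the interface is lowerCamelCase; rename to `reqIdLowBound`/`reqIdUpperBound` and document whether the bounds are inclusive and what is returned when no request falls in the range. `removeAllObjects()` is summarised as removing all objects in the repository, which is a destructive operation; the Javadoc should say so plainly and name the intended caller so a reader does not mistake it for a cache reset. `resetSerialNumber(BigInteger serial)` lacks a `@param serial` and `@throws EBaseException` tag, and `getPublishingStatus`/`setPublishingStatus` have no documentation at all.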

+ * + * @version $Revision$ $Date$ + */ +public interface IRequestRecord + extends IDBObj { + // + // The names of the attributes stored in this record + // + + // RequestId - identifies the record + public final static String ATTR_REQUEST_ID = "requestId"; + + // RequestStatus - indicates the current state + public final static String ATTR_REQUEST_STATE = "requestState"; + + // CreateTime - indicates the current state + public final static String ATTR_CREATE_TIME = "requestCreateTime"; + + // ModifyTime - indicates the current state + public final static String ATTR_MODIFY_TIME = "requestModifyTime"; + + // SourceId - indicates the current state + public final static String ATTR_SOURCE_ID = "requestSourceId"; + + // SourceId - indicates the current state + public final static String ATTR_REQUEST_OWNER = "requestOwner"; + + public final static String ATTR_REQUEST_TYPE = "requestType"; + + // Placeholder for ExtAttr data. this attribute is not in LDAP, but + // is used to trigger the ExtAttrDynMapper during conversion between LDAP + // and the RequestRecord. + public final static String ATTR_EXT_DATA = "requestExtData"; + + /** + * Gets the request id. + * + * @return request id + */ + public RequestId getRequestId(); + + /** + * Gets attribute names of the request. + * + * @return list of attribute names + */ + public Enumeration getAttrNames(); + + /** + * Gets the request attribute value by the name. + * + * @param name attribute name + * @return attribute value + */ + public Object get(String name); + + /** + * Sets new attribute for the request. + * + * @param name attribute name + * @param o attribute value + */ + public void set(String name, Object o); + + /** + * Removes attribute from the request. + * + * @param name attribute name + */ + public void delete(String name) + throws EBaseException; + + /** + * Gets attribute list of the request. 
+ * + * @return attribute list + */ + public Enumeration getElements(); + + // IDBObj.getSerializableAttrNames + //public Enumeration getSerializableAttrNames(); + +} diff --git a/base/common/src/com/netscape/certsrv/request/IRequestScheduler.java b/base/common/src/com/netscape/certsrv/request/IRequestScheduler.java new file mode 100644 index 000000000..5012f5b0c --- /dev/null +++ b/base/common/src/com/netscape/certsrv/request/IRequestScheduler.java @@ -0,0 +1,45 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.request; + +//import java.io.Serializable; + +/** + * This is an interface to a request scheduler that prioritizes + * the threads based on the request processing order. + * The request that enters the request queue first should + * be processed first. + * + * @version $Revision$ $Date$ + */ +public interface IRequestScheduler { + + /** + * Request entered the request queue processing. + * + * @param r request + */ + public void requestIn(IRequest r); + + /** + * Request exited the request queue processing. + * + * @param r request + */ + public void requestOut(IRequest r); +} 
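Review bot: The comments on the attribute constants were copy-pasted: `ATTR_CREATE_TIME`, `ATTR_MODIFY_TIME`, `ATTR_SOURCE_ID` and `ATTR_REQUEST_OWNER` are all described as "indicates the current state", and the owner constant is labelled `SourceId`. Replace them with comments that match each constant, e.g. `// CreateTime - when the record was created`, `// ModifyTime - when the record was last modified`, `// RequestOwner - owner of the request`, and give `ATTR_REQUEST_TYPE` a comment of its own. `delete(String name)` declares `throws EBaseException` but its Javadoc has no `@throws` tag.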
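Review bot: `//import java.io.Serializable;` in IRequestScheduler is commented-out code that the new file carries over; drop the line rather than keep dead imports in a freshly added file. If the interface is meant to become Serializable later, a short note in the class Javadoc says that more clearly than a disabled import.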
diff --git a/base/common/src/com/netscape/certsrv/request/IRequestSubsystem.java b/base/common/src/com/netscape/certsrv/request/IRequestSubsystem.java new file mode 100644 index 000000000..164e84a37 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/request/IRequestSubsystem.java @@ -0,0 +1,105 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.request; + +import com.netscape.certsrv.base.EBaseException; + +/** + * This interface defines storage of request objects + * in the local database. + *

+ * + * @version $Revision$, $Date$ + */ +public interface IRequestSubsystem { + public static final String SUB_ID = "request"; + + /** + * Creates a new request queue. + * (Currently unimplemented. Just use getRequestQueue to create + * an in-memory queue.) + *

+ * + * @param name The name of the queue object. This name can be used + * in getRequestQueue to retrieve the queue later. + * @exception EBaseException failed to create request queue + */ + public void createRequestQueue(String name) + throws EBaseException; + + /** + * Retrieves a request queue. This operation should only be done + * once on each queue. For example, the RA subsystem should retrieve + * its queue, and store it somewhere for use by related services, and + * servlets. + *

+ * WARNING: retrieving the same queue twice with result in multi-thread race conditions. + *

+ * + * @param name + * the name of the request queue. (Ex: "ca" "ra") + * @param p + * A policy enforcement module. This object is called to make + * adjustments to the request, and decide whether it needs agent + * approval. + * @param s + * The service object. This object actually performs the request + * after it is finalized and approved. + * @param n + * A notifier object (optional). The notify() method of this object + * is invoked when the request is completed (COMPLETE, REJECTED or + * CANCELED states). + * @exception EBaseException failed to retrieve request queue + */ + public IRequestQueue + getRequestQueue(String name, int increment, IPolicy p, IService s, INotify n) + throws EBaseException; + + /** + * Retrieves a request queue. This operation should only be done + * once on each queue. For example, the RA subsystem should retrieve + * its queue, and store it somewhere for use by related services, and + * servlets. + *

+ * WARNING: retrieving the same queue twice with result in multi-thread race conditions. + *

+ * + * @param name + * the name of the request queue. (Ex: "ca" "ra") + * @param p + * A policy enforcement module. This object is called to make + * adjustments to the request, and decide whether it needs agent + * approval. + * @param s + * The service object. This object actually performs the request + * after it is finalized and approved. + * @param n + * A notifier object (optional). The notify() method of this object + * is invoked when the request is completed (COMPLETE, REJECTED or + * CANCELED states). + * @param pendingNotifier + * A notifier object (optional). Like the 'n' argument, except the + * notification happens if the request is made PENDING. May be the + * same as the 'n' argument if desired. + * @exception EBaseException failed to retrieve request queue + */ + public IRequestQueue + getRequestQueue(String name, int increment, IPolicy p, IService s, INotify n, + INotify pendingNotifier) + throws EBaseException; +} diff --git a/base/common/src/com/netscape/certsrv/request/IRequestVirtualList.java b/base/common/src/com/netscape/certsrv/request/IRequestVirtualList.java new file mode 100644 index 000000000..540ec679c --- /dev/null +++ b/base/common/src/com/netscape/certsrv/request/IRequestVirtualList.java 
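Review bot: Both `getRequestQueue` overloads take an `int increment` that has no `@param` tag, and neither has a `@return` tag although both return the `IRequestQueue`; document what `increment` controls (it reads like a request-id allocation step, but that is not visible here — confirm) and add `@return the request queue registered under this name`. The warning in both Javadocs, `retrieving the same queue twice with result in multi-thread race conditions`, should read `will result in`; since it is the one sentence that tells callers how to avoid a race, it is worth getting right. `createRequestQueue` is documented as unimplemented; stating whether it throws or silently returns would help callers decide whether to call it at all.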
@@ -0,0 +1,50 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.request; + +/** + * This interface defines access to request virtual list. + *

+ * + * @version $Revision$, $Date$ + */ +public interface IRequestVirtualList { + + /** + * Gets the total size of the result set. Elements of the + * list are numbered from 0..(size-1) + * + * @return size of the result set + */ + int getSize(); + + /** + * Gets the element at the specified index + * + * @param index index of the element + * @return specified request + */ + IRequest getElementAt(int index); + + /** + * Gets the current index + * + * @return current index + */ + int getCurrentIndex(); +} diff --git a/base/common/src/com/netscape/certsrv/request/IService.java b/base/common/src/com/netscape/certsrv/request/IService.java new file mode 100644 index 000000000..adf2c5095 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/request/IService.java @@ -0,0 +1,48 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.request; + +import com.netscape.certsrv.base.EBaseException; + +/** + * This interface defines how requests are serviced. + * This covers certificate generation, revocation, renewals, + * revocation checking, and much more. + *

+ * + * @version $Revision$, $Date$ + */ +public interface IService { + + /** + * Performs the service (such as certificate generation) + * represented by this request. + *

+ * + * @param request + * The request that needs service. The service may use + * attributes stored in the request, and may update the + * values, or store new ones. + * @return + * an indication of whether this request is still pending. + * 'false' means the request will wait for further notification. + * @exception EBaseException indicates major processing failure. + */ + boolean serviceRequest(IRequest request) + throws EBaseException; +} diff --git a/base/common/src/com/netscape/certsrv/request/PolicyMessage.java b/base/common/src/com/netscape/certsrv/request/PolicyMessage.java new file mode 100644 index 000000000..c21b8ca4d --- /dev/null +++ b/base/common/src/com/netscape/certsrv/request/PolicyMessage.java @@ -0,0 +1,46 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.request; + +import com.netscape.certsrv.base.EBaseException; + +/** + * A (localizable) message recorded by a policy module that describes + * the reason for rejecting a request. + *

+ * + * @version $Revision$, $Date$ + */ +public class PolicyMessage + extends EBaseException { + + /** + * + */ + private static final long serialVersionUID = -8129371562473386912L; + + /** + * Class constructor that registers policy message. + *

+ * + * @param message message string + */ + public PolicyMessage(String message) { + super(message); + } +} diff --git a/base/common/src/com/netscape/certsrv/request/PolicyResult.java b/base/common/src/com/netscape/certsrv/request/PolicyResult.java new file mode 100644 index 000000000..c7cad94f2 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/request/PolicyResult.java @@ -0,0 +1,35 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.request; + +/** + * This class defines results for policy actions. + * + * @version $Revision$, $Date$ + */ +public final class PolicyResult { + public final static PolicyResult REJECTED = new PolicyResult(); + public final static PolicyResult DEFERRED = new PolicyResult(); + public final static PolicyResult ACCEPTED = new PolicyResult(); + + /** + * Class constructor. + */ + private PolicyResult() { + } +} diff --git a/base/common/src/com/netscape/certsrv/request/RequestId.java b/base/common/src/com/netscape/certsrv/request/RequestId.java new file mode 100644 index 000000000..da61f2bc0 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/request/RequestId.java 
@@ -0,0 +1,121 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.request; + +import java.math.BigInteger; + +/** + * The RequestId class represents the identifier for a particular + * request within a request queue. This identifier may be used to + * retrieve the request object itself from the request queue. + *

+ * + * @version $Revision$ $Date$ + */ +public class RequestId { + + protected BigInteger value; + + /** + * Creates a new RequestId from its string representation. + *

+ * + * @param id + * a string containing the decimal or hex value for the identifier. + */ + public RequestId(String id) { + if (id != null) { + id = id.trim(); + if (id.startsWith("0x")) { // hex + value = new BigInteger(id.substring(2), 16); + } else { // decimal + value = new BigInteger(id); + } + } + } + + /** + * Creates a new RequestId from its BigInteger representation. + *

+ * + * @param id + * a BigInteger containing the identifier. + */ + public RequestId(BigInteger id) { + value = id; + } + + /** + * Creates a new RequestId from its integer representation. + *

+ * + * @param id + * an integer containing the identifier. + */ + public RequestId(int id) { + value = BigInteger.valueOf(id); + } + + /** + * Converts the RequestId into its BigInteger representation. + *

+ * + * @return + * a BigInteger containing the identifier. + */ + public BigInteger toBigInteger() { + return value; + } + + /** + * Converts the RequestId into its string representation. The string + * form can be stored in a database (such as the LDAP directory) + *

+ * + * @return + * a string containing the decimal (base 10) value for the identifier. + */ + public String toString() { + return value.toString(); + } + + @Override + public int hashCode() { + final int prime = 31; + int result = 1; + result = prime * result + ((value == null) ? 0 : value.hashCode()); + return result; + } + + @Override + public boolean equals(Object obj) { + if (this == obj) + return true; + if (obj == null) + return false; + if (getClass() != obj.getClass()) + return false; + RequestId other = (RequestId) obj; + if (value == null) { + if (other.value != null) + return false; + } else if (!value.equals(other.value)) + return false; + return true; + } +} diff --git a/base/common/src/com/netscape/certsrv/request/RequestIdAdapter.java b/base/common/src/com/netscape/certsrv/request/RequestIdAdapter.java new file mode 100644 index 000000000..1780bc337 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/request/RequestIdAdapter.java 
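Review bot: `RequestId(String id)` leaves `value` null when `id` is null, and `toString()` then throws NullPointerException, while `equals`/`hashCode` take care to handle a null value; either reject null in the constructor or make `toString()` null-safe, and in both cases add `@Override` to `toString`. The hex branch only recognises a lower-case prefix, so `0X1F` falls into the decimal branch and fails with NumberFormatException; `if (id.startsWith("0x") || id.startsWith("0X")) { // hex` fixes that. `value` is a mutable `protected` field that `equals`/`hashCode` depend on; `private final` would keep the identifier immutable and safe as a map key. Because this constructor is what `RequestIdAdapter.unmarshal` feeds with text from the wire, the Javadoc should state that a non-numeric string is rejected with NumberFormatException and that negative values are accepted by `BigInteger` — confirm whether the latter is intended.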
@@ -0,0 +1,37 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.request;
+
+import javax.xml.bind.annotation.adapters.XmlAdapter;
+
+/**
+ * The RequestIdAdapter class provides custom marshaling for RequestId.
+ *
+ * @author Endi S. Dewata
+ * @version $Revision$ $Date$
+ */
+public class RequestIdAdapter extends XmlAdapter {
+
+ public RequestId unmarshal(String value) throws Exception {
+ return new RequestId(value);
+ }
+
+ public String marshal(RequestId value) throws Exception {
+ return value.toString();
+ }
+}
\ No newline at end of file
diff --git a/base/common/src/com/netscape/certsrv/request/RequestStatus.java b/base/common/src/com/netscape/certsrv/request/RequestStatus.java
new file mode 100644
index 000000000..f58a568d8
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/request/RequestStatus.java
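Review bot: `unmarshal` hands the incoming string straight to `new RequestId(value)`, whose constructor (visible in the preceding hunk) calls `new BigInteger(...)`, so malformed input surfaces as a bare NumberFormatException and a leading minus sign (`-5`, `0x-ff`) is accepted as a valid request ID. Since this adapter is the deserialization boundary for request IDs, presumably from client-supplied XML, it should reject anything that is not a non-negative decimal or `0x` hex number and report a clear error, e.g. `if (value == null || !value.trim().matches("(0x[0-9A-Fa-f]+|[0-9]+)")) throw new IllegalArgumentException("Invalid request ID: " + value);` before constructing the RequestId. `XmlAdapter` appears without type arguments in the diff; if that is not a rendering artifact, declare it as `XmlAdapter<String, RequestId>` and annotate both methods with `@Override` so the signatures are checked by the compiler.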
@@ -0,0 +1,182 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.request; + +/** + * The RequestStatus class represents the current state of a request + * in a request queue. The state of the request changes as actions + * are performed on it. + * + * The request is created in the BEGIN state, then general progresses + * through the PENDING, APPROVED, SVC_PENDING, and COMPLETE states. + * Some requests may bypass the PENDING state if no agent action is + * required. + * + * Requests may be CANCELED (not implemented) or REJECTED. These are + * error conditions, and usually result because the request was invalid + * or was not approved by an agent. + * + * @version $Revision$ $Date$ + */ +public final class RequestStatus { + public static String BEGIN_STRING = "begin"; + public static String PENDING_STRING = "pending"; + public static String APPROVED_STRING = "approved"; + public static String SVC_PENDING_STRING = "svc_pending"; + public static String CANCELED_STRING = "canceled"; + public static String REJECTED_STRING = "rejected"; + public static String COMPLETE_STRING = "complete"; + + /** + * The initial state of a request. Requests in this state have not + * been review by policy. 
+ * + * While in this state the source of the request (usually the servlet, + * but it could be some other protocol module, such as email) + * should populate the request with data need to service it. + */ + public static RequestStatus BEGIN = new RequestStatus(BEGIN_STRING); + + /** + * The state of a request that is waiting for action by an agent. + * When the agent approves or rejects the request, process will + * continue as appropriate. + * + * In this state there may be PolicyMessages present that indicate + * the reason for the pending status. + */ + public static RequestStatus PENDING = new RequestStatus(PENDING_STRING); + + /** + * The state of a request that has been approved by an agent, or + * automatically by the policy engine, but have not been successfully + * transmitted to the service module. + * + * These requests are resent to the service during the recovery + * process that runs at server startup. + */ + public static RequestStatus APPROVED = new RequestStatus(APPROVED_STRING); + + /** + * The state of a request that has been sent to the service, but + * has not been fully processed. The service will invoke the + * serviceComplete() method to cause processing to continue. + */ + public static RequestStatus SVC_PENDING = + new RequestStatus(SVC_PENDING_STRING); + + /** + * Not implemented. This is intended to be a final state that is + * reached when a request is removed from the processing queue without + * normal notification occurring. (see REJECTED) + */ + public static RequestStatus CANCELED = new RequestStatus(CANCELED_STRING); + + /** + * The state of a request after it is rejected. When a request is + * rejected, the notifier is called prior to making the finl status + * change. + * + * Rejected requests may have PolicyMessages indicating the reason for + * the rejection, or AgentMessages, which allow the agent to give + * reasons for the action. 
+ */ + public static RequestStatus REJECTED = new RequestStatus(REJECTED_STRING); + + /** + * The normal final state of a request. The completion status attribute + * gives other information about the request. The request is not + * necessarily successful, but may indicated that service processing + * did not succeed. + */ + public static RequestStatus COMPLETE = new RequestStatus(COMPLETE_STRING); + + /** + * Converts a string name for a request status into the + * request status enum object. + *

+ * + * @param s + * The string representation of the state. + * @return + * request status + */ + public static RequestStatus fromString(String s) { + if (s.equals(BEGIN_STRING)) + return BEGIN; + if (s.equals(PENDING_STRING)) + return PENDING; + if (s.equals(APPROVED_STRING)) + return APPROVED; + if (s.equals(SVC_PENDING_STRING)) + return SVC_PENDING; + if (s.equals(CANCELED_STRING)) + return CANCELED; + if (s.equals(REJECTED_STRING)) + return REJECTED; + if (s.equals(COMPLETE_STRING)) + return COMPLETE; + + return null; + } + + /** + * Returns the string form of the RequestStatus, which may be used + * to record the status in a database. + * + * @return request status + */ + public String toString() { + return mString; + } + + /** + * Class constructor. Creates request status from the string. + * + * @param string string describing request status + */ + private RequestStatus(String string) { + mString = string; + } + + private String mString; + + /** + * Compares request status with specified string. + * + * @param string string describing request status + */ + public boolean equals(String string) { + if (string.equals(mString)) + return true; + else + return false; + } + + /** + * Compares current request status with request status. + * + * @param rs request status + */ + public boolean equals(RequestStatus rs) { + if (mString.equals(rs.mString)) + return true; + else + return false; + } +} diff --git a/base/common/src/com/netscape/certsrv/request/ldap/IRequestMod.java b/base/common/src/com/netscape/certsrv/request/ldap/IRequestMod.java new file mode 100644 index 000000000..c1e153a81 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/request/ldap/IRequestMod.java 
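Review bot: The state constants are declared `public static` without `final` (`public static String BEGIN_STRING = "begin";`, `public static RequestStatus BEGIN = new RequestStatus(BEGIN_STRING);` and their siblings), so any code with a reference to the class can reassign the status names or the singleton objects at runtime and `fromString`/`toString` would silently follow; for the state machine that decides whether a certificate request is pending, approved or complete these should be `public static final`. `fromString` returns `null` for an unrecognized string and throws NullPointerException on a null argument; document both in the `@return`, or throw an explicit exception that names the offending value. The two `equals` overloads do not override `Object.equals(Object)` and there is no `hashCode`, so `equals(Object)` still compares identity — that is only correct because the private constructor keeps every instance one of the constants, and the class Javadoc should state that invariant (or the class should override `equals(Object)`/`hashCode` on `mString`).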
@@ -0,0 +1,55 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.request.ldap; + +import java.util.Date; + +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.RequestStatus; + +/** + * This interface defines how to update request record. + *

+ * + * @version $Revision$, $Date$ + */ +public interface IRequestMod { + /** + * Modifies request status. + * + * @param r request + * @param s request status + */ + void modRequestStatus(IRequest r, RequestStatus s); + + /** + * Modifies request creation time. + * + * @param r request + * @param d date + */ + void modCreationTime(IRequest r, Date d); + + /** + * Modifies request modification time. + * + * @param r request + * @param d date + */ + void modModificationTime(IRequest r, Date d); +} diff --git a/base/common/src/com/netscape/certsrv/security/Credential.java b/base/common/src/com/netscape/certsrv/security/Credential.java new file mode 100644 index 000000000..48038a40b --- /dev/null +++ b/base/common/src/com/netscape/certsrv/security/Credential.java 
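Review bot: None of the three `mod*` methods declares a checked exception or returns a status, so an implementation that fails to persist the new request status or timestamp (the package name suggests an LDAP backend, which is inferred) can only report it with an unchecked exception or by returning silently, leaving the in-memory request and the stored record disagreeing. Consider `void modRequestStatus(IRequest r, RequestStatus s) throws EBaseException;` (and likewise for the two time setters, with the matching import), or at least state in each Javadoc what the caller may assume when the update does not succeed.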
@@ -0,0 +1,64 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.security;
+
+/**
+ * A class represents a credential. A credential contains
+ * information that identifies a user. In this case,
+ * identifier and password are used.
+ *
+ * @version $Revision$, $Date$
+ */
+public class Credential implements java.io.Serializable {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -7810193228062824943L;
+ private String mId = null;
+ private String mPassword = null;
+
+ /**
+ * Constructs credential object.
+ *
+ * @param id user id
+ * @param password user password
+ */
+ public Credential(String id, String password) {
+ mId = id;
+ mPassword = password;
+ }
+
+ /**
+ * Retrieves identifier.
+ *
+ * @return user id
+ */
+ public String getIdentifier() {
+ return mId;
+ }
+
+ /**
+ * Retrieves password.
+ *
+ * @return user password
+ */
+ public String getPassword() {
+ return mPassword;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/security/ICryptoSubsystem.java b/base/common/src/com/netscape/certsrv/security/ICryptoSubsystem.java
new file mode 100644
index 000000000..3d26d6f3a
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/security/ICryptoSubsystem.java
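Review bot: `mPassword` is a plain `String` field in a class that `implements java.io.Serializable`, so the password is written out in clear wherever a Credential instance is serialized (session persistence, RMI, caches) and, being an immutable String, cannot be wiped from memory after use. If no caller needs the password to survive serialization — verify against the users of the class first — declare it `private transient String mPassword = null;`, otherwise implement `writeObject` to refuse serialization rather than emit the secret. The empty Javadoc block above `serialVersionUID` should be removed or given content, and the class Javadoc should state that the password is held in plaintext so callers know not to log or cache instances.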
@@ -0,0 +1,472 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.security; + +import java.io.IOException; +import java.security.KeyPair; +import java.security.cert.CertificateException; +import java.util.Locale; + +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.X509CertImpl; + +import org.mozilla.jss.CryptoManager.NotInitializedException; +import org.mozilla.jss.crypto.ObjectNotFoundException; +import org.mozilla.jss.crypto.PQGParams; +import org.mozilla.jss.crypto.TokenException; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.common.NameValuePairs; + +/** + * This interface represents the cryptographics subsystem + * that provides all the security related functions. + * + * @version $Revision$, $Date$ + */ +public interface ICryptoSubsystem extends ISubsystem { + + public static final String ID = "jss"; + + /** + * Retrieves a list of nicknames of certificates that are + * in the installed tokens. 
+ * + * @return a list of comma-separated nicknames + * @exception EBaseException failed to retrieve nicknames + */ + public String getAllCerts() throws EBaseException; + + /** + * Retrieves certificate in pretty-print format by the nickname. + * + * @param nickname nickname of certificate + * @param date not after of the returned certificate must be date + * @param locale user locale + * @return certificate in pretty-print format + * @exception EBaseException failed to retrieve certificate + */ + public String getCertPrettyPrint(String nickname, String date, + Locale locale) throws EBaseException; + + public String getRootCertTrustBit(String nickname, String serialno, + String issuerName) throws EBaseException; + + public String getCertPrettyPrint(String nickname, String serialno, + String issuername, Locale locale) throws EBaseException; + + public String getCertPrettyPrintAndFingerPrint(String nickname, String serialno, + String issuername, Locale locale) throws EBaseException; + + /** + * Retrieves the certificate in the pretty print format. + * + * @param b64E certificate in mime-64 encoded format + * @param locale end user locale + * @return certificate in pretty-print format + * @exception EBaseException failed to retrieve certificate + */ + public String getCertPrettyPrint(String b64E, Locale locale) + throws EBaseException; + + /** + * Imports certificate into the server. + * + * @param b64E certificate in mime-64 encoded format + * @param nickname nickname for the importing certificate + * @param certType certificate type + * @exception EBaseException failed to import certificate + */ + public void importCert(String b64E, String nickname, String certType) + throws EBaseException; + + /** + * Imports certificate into the server. 
+ * + * @param signedCert certificate + * @param nickname nickname for the importing certificate + * @param certType certificate type + * @exception EBaseException failed to import certificate + */ + public void importCert(X509CertImpl signedCert, String nickname, + String certType) throws EBaseException; + + /** + * Generates a key pair based on the given parameters. + * + * @param properties key parameters + * @return key pair + * @exception EBaseException failed to generate key pair + */ + public KeyPair getKeyPair(KeyCertData properties) throws EBaseException; + + /** + * Retrieves the key pair based on the given nickname. + * + * @param nickname nickname of the public key + * @exception EBaseException failed to retrieve key pair + */ + public KeyPair getKeyPair(String nickname) throws EBaseException; + + /** + * Generates a key pair based on the given parameters. + * + * @param tokenName name of token where key is generated + * @param alg key algorithm + * @param keySize key size + * @return key pair + * @exception EBaseException failed to generate key pair + */ + public KeyPair getKeyPair(String tokenName, String alg, + int keySize) throws EBaseException; + + /** + * Generates a key pair based on the given parameters. + * + * @param tokenName name of token where key is generated + * @param alg key algorithm + * @param keySize key size + * @param pqg pqg parameters if DSA key, otherwise null + * @return key pair + * @exception EBaseException failed to generate key pair + */ + public KeyPair getKeyPair(String tokenName, String alg, + int keySize, PQGParams pqg) throws EBaseException; + + /** + * Generates an ECC key pair based on the given parameters. + * + * @param properties key parameters + * @return key pair + * @exception EBaseException failed to generate key pair + */ + public KeyPair getECCKeyPair(KeyCertData properties) throws EBaseException; + + /** + * Generates an ECC key pair based on the given parameters. 
+ * + * @param token token name + * @param curveName curve name + * @param certType type of cert(sslserver etc..) + * @return key pair + * @exception EBaseException failed to generate key pair + */ + public KeyPair getECCKeyPair(String token, String curveName, String certType) throws EBaseException; + + /** + * Retrieves the signature algorithm of the certificate named + * by the given nickname. + * + * @param nickname nickname of the certificate + * @return signature algorithm + * @exception EBaseException failed to retrieve signature + */ + public String getSignatureAlgorithm(String nickname) throws EBaseException; + + /** + * Checks if the given dn is a valid distinguished name. + * + * @param dn distinguished name + * @exception EBaseException failed to check + */ + public void isX500DN(String dn) throws EBaseException; + + /** + * Retrieves CA's signing algorithm id. If it is DSA algorithm, + * algorithm is constructed by reading the parameters + * ca.dsaP, ca.dsaQ, ca.dsaG. + * + * @param algname DSA or RSA + * @param store configuration store. + * @return algorithm id + * @exception EBaseException failed to retrieve algorithm id + */ + public AlgorithmId getAlgorithmId(String algname, IConfigStore store) throws EBaseException; + + /** + * Retrieves subject name of the certificate that is identified by + * the given nickname. + * + * @param tokenname name of token where the nickname is valid + * @param nickname nickname of the certificate + * @return subject name + * @exception EBaseException failed to get subject name + */ + public String getCertSubjectName(String tokenname, String nickname) + throws EBaseException; + + /** + * Retrieves extensions of the certificate that is identified by + * the given nickname. 
+ * + * @param tokenname name of token where the nickname is valid + * @param nickname nickname of the certificate + * @return certificate extensions + * @exception EBaseException failed to get extensions + */ + public CertificateExtensions getExtensions(String tokenname, String nickname + ) + throws EBaseException; + + /** + * Deletes certificate of the given nickname. + * + * @param nickname nickname of the certificate + * @param pathname path where a copy of the deleted certificate is stored + * @exception EBaseException failed to delete certificate + */ + public void deleteTokenCertificate(String nickname, String pathname) + throws EBaseException; + + /** + * Delete certificate of the given nickname. + * + * @param nickname nickname of the certificate + * @param notAfterTime The notAfter of the certificate. It + * is possible to ge t multiple certificates under + * the same nickname. If one of the certificates match + * the notAfterTime, then the certificate will get + * deleted. The format of the notAfterTime has to be + * in "MMMMM dd, yyyy HH:mm:ss" format. + * @exception EBaseException failed to delete certificate + */ + public void deleteCert(String nickname, String notAfterTime) + throws EBaseException; + + /** + * Retrieves the subject DN of the certificate identified by + * the nickname. + * + * @param nickname nickname of the certificate + * @return subject distinguished name + * @exception EBaseException failed to retrieve subject DN + */ + public String getSubjectDN(String nickname) throws EBaseException; + + /** + * Trusts a certificate for all available purposes. + * + * @param nickname nickname of the certificate + * @param date certificate's not before + * @param trust "Trust" or other + * @exception EBaseException failed to trust certificate + */ + public void trustCert(String nickname, String date, String trust) + throws EBaseException; + + /** + * Checks if the given base-64 encoded string contains an extension + * or a sequence of extensions. 
+ * + * @param ext extension or sequence of extension encoded in base-64 + * @exception EBaseException failed to check encoding + */ + public void checkCertificateExt(String ext) throws EBaseException; + + /** + * Gets all certificates on all tokens for Certificate Database Management. + * + * @return all certificates + * @exception EBaseException failed to retrieve certificates + */ + public NameValuePairs getAllCertsManage() throws EBaseException; + + public NameValuePairs getUserCerts() throws EBaseException; + + /** + * Gets all CA certificates on all tokens. + * + * @return all CA certificates + * @exception EBaseException failed to retrieve certificates + */ + public NameValuePairs getCACerts() throws EBaseException; + + public NameValuePairs getRootCerts() throws EBaseException; + + public void setRootCertTrust(String nickname, String serialno, + String issuername, String trust) throws EBaseException; + + public void deleteRootCert(String nickname, String serialno, + String issuername) throws EBaseException; + + public void deleteUserCert(String nickname, String serialno, + String issuername) throws EBaseException; + + /** + * Retrieves PQG parameters based on key size. + * + * @param keysize key size + * @return pqg parameters + */ + public PQGParams getPQG(int keysize); + + /** + * Retrieves PQG parameters based on key size. + * + * @param keysize key size + * @param store configuration store + * @return pqg parameters + */ + public PQGParams getCAPQG(int keysize, IConfigStore store) + throws EBaseException; + + /** + * Retrieves extensions of the certificate that is identified by + * the given nickname. + * + * @param tokenname token name + * @param nickname nickname + * @return certificate extensions + */ + public CertificateExtensions getCertExtensions(String tokenname, String nickname + ) + throws NotInitializedException, TokenException, ObjectNotFoundException, + + IOException, CertificateException; + + /** + * Checks if the given token is logged in. 
+ * + * @param name token name + * @return true if token is logged in + * @exception EBaseException failed to login + */ + public boolean isTokenLoggedIn(String name) throws EBaseException; + + /** + * Logs into token. + * + * @param tokenName name of the token + * @param pwd token password + * @exception EBaseException failed to login + */ + public void loggedInToken(String tokenName, String pwd) + throws EBaseException; + + /** + * Generates certificate request from the given key pair. + * + * @param subjectName subject name to use in the request + * @param kp key pair that contains public key material + * @return certificate request in base-64 encoded format + * @exception EBaseException failed to generate request + */ + public String getCertRequest(String subjectName, KeyPair kp) + throws EBaseException; + + /** + * Checks if fortezza is enabled. + * + * @return "true" if fortezza is enabled + */ + public String isCipherFortezza() throws EBaseException; + + /** + * Retrieves the SSL cipher version. + * + * @return cipher version (i.e. "cipherdomestic") + */ + public String getCipherVersion() throws EBaseException; + + /** + * Retrieves the cipher preferences. + * + * @return cipher preferences (i.e. "rc4export,rc2export,...") + */ + public String getCipherPreferences() throws EBaseException; + + /** + * Sets the current SSL cipher preferences. + * + * @param cipherPrefs cipher preferences (i.e. "rc4export,rc2export,...") + * @exception EBaseException failed to set cipher preferences + */ + public void setCipherPreferences(String cipherPrefs) + throws EBaseException; + + /** + * Retrieves a list of currently registered token names. + * + * @return list of token names + * @exception EBaseException failed to retrieve token list + */ + public String getTokenList() throws EBaseException; + + /** + * Retrieves all certificates. The result list will not + * contain the token tag. 
+ * + * @param name token name + * @return list of certificates without token tag + * @exception EBaseException failed to retrieve + */ + public String getCertListWithoutTokenName(String name) throws EBaseException; + + /** + * Retrieves the token name of the internal (software) token. + * + * @return the token name + * @exception EBaseException failed to retrieve token name + */ + public String getInternalTokenName() throws EBaseException; + + /** + * Checks to see if the certificate of the given nickname is a + * CA certificate. + * + * @param fullNickname nickname of the certificate to check + * @return true if it is a CA certificate + * @exception EBaseException failed to check + */ + public boolean isCACert(String fullNickname) throws EBaseException; + + /** + * Adds the specified number of bits of entropy from the system + * entropy generator to the RNG of the default PKCS#11 RNG token. + * The default token is set using the modutil command. + * Note that the system entropy generator (usually /dev/random) + * will block until sufficient entropy is collected. + * + * @param bits number of bits of entropy + * @exception org.mozilla.jss.util.NotImplementedException If the Crypto device does not support + * adding entropy + * @exception TokenException If there was some other problem with the Crypto device + * @exception IOException If there was a problem reading from the /dev/random + */ + + public void addEntropy(int bits) + throws org.mozilla.jss.util.NotImplementedException, + IOException, + TokenException; + + /** + * Signs the certificate template into the given data and returns + * a signed certificate. + * + * @param data data that contains certificate template + * @param certType certificate type + * @param priKey CA signing key + * @return certificate + * @exception EBaseException failed to sign certificate template + */ + public X509CertImpl getSignedCert(KeyCertData data, String certType, java.security.PrivateKey priKey) + throws EBaseException; +} 
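Review bot: The Javadoc for `getCipherPreferences` and `setCipherPreferences` gives `"rc4export,rc2export,..."` as the example preference string; those are export-grade suites, and an implementer or administrator reading this as the expected format is pointed at ciphers that should never be enabled, so replace the example with a neutral placeholder and document whether `setCipherPreferences` validates names and rejects unknown or disabled ciphers with EBaseException. `loggedInToken(String tokenName, String pwd)` passes the token PIN as an immutable `String` that cannot be cleared after login; the contract should at least say so, and the name reads like a query rather than an action (`loginToken` would pair with `isTokenLoggedIn`). `isCipherFortezza()` returns the `String` "true" rather than a boolean, which invites `==` comparisons in callers; document the exact return values or change it to `boolean`.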
diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java new file mode 100644 index 000000000..0a526e582 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java 
@@ -0,0 +1,175 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.security; + +import java.security.PublicKey; + +import org.mozilla.jss.crypto.PrivateKey; +import org.mozilla.jss.crypto.SymmetricKey; + +import com.netscape.certsrv.base.EBaseException; + +/** + * An interface represents a encryption unit. + * + * @version $Revision$, $Date$ + */ +public interface IEncryptionUnit extends IToken { + + /** + * Retrieves the public key in this unit. + * + * @return public key + */ + public PublicKey getPublicKey(); + + /** + * Wraps data. The given key will be wrapped by the + * private key in this unit. + * + * @param priKey private key to be wrapped + * @return wrapped data + * @exception EBaseException failed to wrap + */ + public byte[] wrap(PrivateKey priKey) throws EBaseException; + + /** + * Wraps data. The given key will be wrapped by the + * private key in this unit. + * + * @param symKey symmetric key to be wrapped + * @return wrapped data + * @exception EBaseException failed to wrap + */ + public byte[] wrap(SymmetricKey symKey) throws EBaseException; + + /** + * Verifies the given key pair. 
+ * + * @param publicKey public key + * @param privateKey private key + */ + public void verify(PublicKey publicKey, PrivateKey privateKey) throws + EBaseException; + + /** + * Unwraps data. This method rebuilds the private key by + * unwrapping the private key data. + * + * @param sessionKey session key that unwrap the private key + * @param symmAlgOID symmetric algorithm + * @param symmAlgParams symmetric algorithm parameters + * @param privateKey private key data + * @param pubKey public key + * @return private key object + * @exception EBaseException failed to unwrap + */ + public PrivateKey unwrap(byte sessionKey[], String symmAlgOID, + byte symmAlgParams[], byte privateKey[], + PublicKey pubKey) + throws EBaseException; + + /** + * Unwraps symmetric key data. This method rebuilds the symmetric key by + * unwrapping the private data blob. + * + * @param wrappedKeyData symmetric key data wrapped up with session key + * @return Symmetric key object + * @exception EBaseException failed to unwrap + */ + + public SymmetricKey unwrap(byte wrappedKeyData[]) + throws EBaseException; + + /** + * Unwraps symmetric key . This method + * unwraps the symmetric key. + * + * @param sessionKey session key that unwrap the symmetric key + * @param symmAlgOID symmetric algorithm + * @param symmAlgParams symmetric algorithm parameters + * @param symmetricKey symmetric key data + * @return Symmetric key object + * @exception EBaseException failed to unwrap + */ + + public SymmetricKey unwrap_symmetric(byte sessionKey[], String symmAlgOID, + byte symmAlgParams[], byte symmetricKey[]) + throws EBaseException; + + /** + * Unwraps symmetric key . This method + * unwraps the symmetric key. + * + * @param encSymmKey wrapped symmetric key to be unwrapped + * @return Symmetric key object + * @exception EBaseException failed to unwrap + */ + + public SymmetricKey unwrap_sym(byte encSymmKey[], + SymmetricKey.Usage usage); + + /** + * Unwraps data. 
This method rebuilds the private key by + * unwrapping the private key data. + * + * @param privateKey private key data + * @param pubKey public key object + * @return private key object + * @exception EBaseException failed to unwrap + */ + public PrivateKey unwrap(byte privateKey[], PublicKey pubKey) + throws EBaseException; + + /** + * Encrypts the internal private key (private key to the KRA's + * internal storage). + * + * @param rawPrivate user's private key (key to be archived) + * @return encrypted data + * @exception EBaseException failed to encrypt + */ + public byte[] encryptInternalPrivate(byte rawPrivate[]) + throws EBaseException; + + /** + * Decrypts the internal private key (private key from the KRA's + * internal storage). + * + * @param wrappedPrivateData unwrapped private key data (key to be recovered) + * @return raw private key + * @exception EBaseException failed to decrypt + */ + public byte[] decryptInternalPrivate(byte wrappedPrivateData[]) + throws EBaseException; + + /** + * Decrypts the external private key (private key from the end-user). + * + * @param sessionKey session key that protects the user private + * @param symmAlgOID symmetric algorithm + * @param symmAlgParams symmetric algorithm parameters + * @param privateKey private key data + * @return private key data + * @exception EBaseException failed to decrypt + */ + public byte[] decryptExternalPrivate(byte sessionKey[], + String symmAlgOID, + byte symmAlgParams[], byte privateKey[]) + throws EBaseException; +} diff --git a/base/common/src/com/netscape/certsrv/security/ISigningUnit.java b/base/common/src/com/netscape/certsrv/security/ISigningUnit.java new file mode 100644 index 000000000..7fbed0b6c --- /dev/null +++ b/base/common/src/com/netscape/certsrv/security/ISigningUnit.java 
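Review bot: `unwrap_sym(byte encSymmKey[], SymmetricKey.Usage usage)` is the only unwrap method in the interface that declares no `EBaseException`, so an implementation can signal a failed unwrap only with an unchecked exception or a `null` return, and a null key object flowing into key-recovery code is easy to mishandle; add `throws EBaseException` for consistency with `unwrap` and `unwrap_symmetric`, plus the missing `@param usage` Javadoc. The summary of `encryptInternalPrivate` says it "Encrypts the internal private key" while its `@param rawPrivate` says "user's private key (key to be archived)"; reword the summary to say it encrypts the user's private key for the KRA's internal storage, and state on `decryptInternalPrivate` that the returned `byte[]` is plaintext key material the caller must zero after use. `verify(PublicKey, PrivateKey)` says only "Verifies the given key pair"; document what is checked and that a mismatch is reported through EBaseException rather than a return value.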
@@ -0,0 +1,164 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.security; + +import java.security.PublicKey; + +import netscape.security.x509.X509CertImpl; + +import org.mozilla.jss.crypto.SignatureAlgorithm; +import org.mozilla.jss.crypto.X509Certificate; + +import com.netscape.certsrv.base.EBaseException; + +/** + * A class represents the signing unit which is + * capable of signing data. + * + * @version $Revision$, $Date$ + */ +public interface ISigningUnit { + + public static final String PROP_DEFAULT_SIGNALG = "defaultSigningAlgorithm"; + public static final String PROP_CERT_NICKNAME = "cacertnickname"; + // This signing unit is being used in OCSP and CRL also. So + // it is better to have a more generic name + public static final String PROP_RENAMED_CERT_NICKNAME = "certnickname"; + public static final String PROP_TOKEN_NAME = "tokenname"; + public static final String PROP_NEW_NICKNAME = "newNickname"; + + /** + * Retrieves the nickname of the signing certificate. + */ + public String getNickname(); + + /** + * Retrieves the new nickname in the renewal process. 
+ * + * @return new nickname + * @exception EBaseException failed to get new nickname + */ + public String getNewNickName() throws EBaseException; + + /** + * Sets new nickname of the signing certificate. + * + * @param name nickname + */ + public void setNewNickName(String name); + + /** + * Retrieves the signing certificate. + * + * @return signing certificate + */ + public X509Certificate getCert(); + + /** + * Retrieves the signing certificate. + * + * @return signing certificate + */ + public X509CertImpl getCertImpl(); + + /** + * Signs the given data in specific algorithm. + * + * @param data data to be signed + * @param algname signing algorithm to be used + * @return signed data + * @exception EBaseException failed to sign + */ + public byte[] sign(byte[] data, String algname) + throws EBaseException; + + /** + * Verifies the signed data. + * + * @param data signed data + * @param signature signature + * @param algname signing algorithm + * @return true if verification is good + * @exception EBaseException failed to verify + */ + public boolean verify(byte[] data, byte[] signature, String algname) + throws EBaseException; + + /** + * Retrieves the default algorithm. + * + * @return default signing algorithm + */ + public SignatureAlgorithm getDefaultSignatureAlgorithm(); + + /** + * Retrieves the default algorithm name. + * + * @return default signing algorithm name + */ + public String getDefaultAlgorithm(); + + /** + * Set default signing algorithm. + * + * @param algorithm signing algorithm + * @exception EBaseException failed to set default signing algorithm + */ + public void setDefaultAlgorithm(String algorithm) throws EBaseException; + + /** + * Retrieves all supported signing algorithm of this unit. + * + * @return a list of signing algorithms + * @exception EBaseException failed to list + */ + public String[] getAllAlgorithms() throws EBaseException; + + /** + * Retrieves the token name of this unit. 
+ * + * @return token name + * @exception EBaseException failed to retrieve name + */ + public String getTokenName() throws EBaseException; + + /** + * Updates new nickname and tokename in the configuration file. + * + * @param nickname new nickname + * @param tokenname new tokenname + */ + public void updateConfig(String nickname, String tokenname); + + /** + * Checks if the given algorithm name is supported. + * + * @param algname algorithm name + * @return signing algorithm + * @exception EBaseException failed to check signing algorithm + */ + public SignatureAlgorithm checkSigningAlgorithmFromName(String algname) + throws EBaseException; + + /** + * Retrieves the public key associated in this unit. + * + * @return public key + */ + public PublicKey getPublicKey(); +} diff --git a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java new file mode 100644 index 000000000..5f3b0ec48 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java 
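Review bot: `verify(byte[] data, byte[] signature, String algname)` leaves two very different outcomes undistinguished in its Javadoc: an `algname` the unit does not support, and a signature that simply does not match. Callers that treat `false` as "bad signature" and `EBaseException` as "operational failure" need that line drawn, and the interface already has `checkSigningAlgorithmFromName` for resolving the name. The doc for `sign` and `verify` should say that `algname` is resolved through that method and that an unsupported name raises rather than returns, e.g. `@return true if the signature is valid for data; false if it does not match` and `@exception EBaseException algname is not a supported algorithm or the token failed`. `getNickname()` also has no `@return` tag.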
@@ -0,0 +1,99 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.security; + +import java.util.Enumeration; + +import org.mozilla.jss.crypto.CryptoToken; + +import com.netscape.certsrv.base.EBaseException; + +/** + * An interface represents a storage key unit. This storage + * unit contains a storage key pair that is used for + * encrypting the user private key for long term storage. + * + * @version $Revision$, $Date$ + */ +public interface IStorageKeyUnit extends IEncryptionUnit { + + /** + * Retrieves total number of recovery agents. + * + * @return total number of recovery agents + */ + public int getNoOfAgents() throws EBaseException; + + /** + * Retrieves number of recovery agents required to + * perform recovery operation. + * + * @return required number of recovery agents for recovery operation + */ + public int getNoOfRequiredAgents() throws EBaseException; + + /** + * Sets the numer of required recovery agents + * + * @param number number of required agents + */ + public void setNoOfRequiredAgents(int number); + + /** + * Retrieves a list of agents in this unit. 
+ * + * @return a list of string-based agent identifiers + */ + public Enumeration getAgentIdentifiers(); + + /** + * Changes agent password. + * + * @param id agent id + * @param oldpwd old password + * @param newpwd new password + * @return true if operation successful + * @exception EBaseException failed to change password + */ + public boolean changeAgentPassword(String id, String oldpwd, + String newpwd) throws EBaseException; + + /** + * Changes M-N recovery scheme. + * + * @param n total number of agents + * @param m required number of agents for recovery operation + * @param oldcreds all old credentials + * @param newcreds all new credentials + * @return true if operation successful + * @exception EBaseException failed to change schema + */ + public boolean changeAgentMN(int n, int m, Credential oldcreds[], + Credential newcreds[]) throws EBaseException; + + /** + * Logins to this unit. + * + * @param ac agent's credentials + * @exception EBaseException failed to login + */ + public void login(Credential ac[]) throws EBaseException; + + public CryptoToken getToken(); + +} diff --git a/base/common/src/com/netscape/certsrv/security/IToken.java b/base/common/src/com/netscape/certsrv/security/IToken.java new file mode 100644 index 000000000..05aff64f9 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/security/IToken.java 
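Review bot: `public Enumeration getAgentIdentifiers();` uses a raw `Enumeration` even though the Javadoc states the elements are string-based identifiers; declaring it as `public Enumeration<String> getAgentIdentifiers();` gives callers the element type without a cast. `getToken()` is the only method in the interface without a Javadoc comment and should at least state what the returned `CryptoToken` is used for and whether `login` must precede it. The `@param oldpwd`/`@param newpwd` passwords are passed as immutable `String`s and so cannot be cleared after use; that is consistent with the rest of this API but worth documenting on `changeAgentPassword`.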
@@ -0,0 +1,41 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.security;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * An interface represents a generic token unit.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IToken {
+
+ /**
+ * Logins to the token unit.
+ *
+ * @param pin password to access the token
+ * @exception EBaseException failed to login to this token
+ */
+ public void login(String pin) throws EBaseException;
+
+ /**
+ * Logouts token.
+ */
+ public void logout();
+}
diff --git a/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java b/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java
new file mode 100644
index 000000000..6e1c7ab4a
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java
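Review bot: `public void login(String pin)` takes the token PIN as an immutable `String`, which cannot be wiped after the call and stays on the heap until collected; `java.security` APIs such as `KeyStore.load` use `char[]` for exactly this reason, though changing the parameter here would ripple through every implementer. Independently of the type, the Javadoc should pin down the lifecycle, which the two one-line comments do not: whether a successful `login` must be paired with `logout()`, what a second `login` on an already-authenticated token does, and whether `logout()` without a prior login is an error. A suitable line for the second method is `* Logs out of the token; calling this without a prior successful login is expected to be a no-op.`, adjusted to whatever the implementations actually do.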
@@ -0,0 +1,111 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.security; + +import java.security.PublicKey; + +import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.PrivateKey; +import org.mozilla.jss.crypto.SymmetricKey; + +import com.netscape.certsrv.base.EBaseException; + +/** + * An interface represents the transport key pair. + * This key pair is used to protected EE's private + * key in transit. + * + * @version $Revision$, $Date$ + */ +public interface ITransportKeyUnit extends IEncryptionUnit { + + /** + * Retrieves public key. + * + * @return certificate + */ + public org.mozilla.jss.crypto.X509Certificate getCertificate(); + + /** + * Unwraps symmetric key . This method + * unwraps the symmetric key. + * + * @param encSymmKey wrapped symmetric key to be unwrapped + * @param usage Key usage for unwrapped key. + * @return Symmetric key object + * @exception EBaseException failed to unwrap + */ + + public SymmetricKey unwrap_sym(byte encSymmKey[], SymmetricKey.Usage usage); + + /** + * Unwraps symmetric key . This method + * unwraps the symmetric key. 
+ * + * @param encSymmKey wrapped symmetric key to be unwrapped + * @return Symmetric key object + * @exception EBaseException failed to unwrap + */ + + public SymmetricKey unwrap_sym(byte encSymmKey[]); + + /** + * Unwraps symmetric key for encrypton . This method + * unwraps the symmetric key. + * + * @param encSymmKey wrapped symmetric key to be unwrapped + * @return Symmetric key object + * @exception EBaseException failed to unwrap + */ + + public SymmetricKey unwrap_encrypt_sym(byte encSymmKey[]); + + /** + * Unwraps temporary private key . This method + * unwraps the temporary private key. + * + * @param wrappedKeyData wrapped private key to be unwrapped + * @param pubKey public key + * @return Private key object + * @exception EBaseException failed to unwrap + */ + + public PrivateKey unwrap_temp(byte wrappedKeyData[], PublicKey + pubKey) throws EBaseException; + /** + * Returns this Unit's crypto token object. + * @return CryptoToken object. + */ + + public CryptoToken getToken(); + + /** + * Returns this Unit's signing algorithm in String format. + * @return String of signing algorithm + * @throws EBaseException + */ + + public String getSigningAlgorithm() throws EBaseException; + + /** + * Sets this Unit's signing algorithm. + * @param str String of signing algorithm to set. + * @throws EBaseException + */ + public void setSigningAlgorithm(String str) throws EBaseException; +} diff --git a/base/common/src/com/netscape/certsrv/security/KeyCertData.java b/base/common/src/com/netscape/certsrv/security/KeyCertData.java new file mode 100644 index 000000000..dbcc0118f --- /dev/null +++ b/base/common/src/com/netscape/certsrv/security/KeyCertData.java 
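Review bot: `unwrap_sym(byte encSymmKey[], SymmetricKey.Usage usage)`, `unwrap_sym(byte encSymmKey[])` and `unwrap_encrypt_sym(byte encSymmKey[])` all carry `@exception EBaseException failed to unwrap` in their Javadoc but declare no `throws` clause, so an implementer can only signal a failed unwrap by returning `null` or throwing an unchecked exception, and a caller reading the doc has no contract to rely on. Either add `throws EBaseException` to the three signatures so they match `unwrap_temp` and `getSigningAlgorithm`, or replace the tag with `@return Symmetric key object, or null if the key could not be unwrapped` so callers know to check. The summary line of `getCertificate()` says "Retrieves public key" while the method returns a certificate; `* Retrieves the transport certificate.` would match the signature. The `unwrap_sym`/`unwrap_encrypt_sym`/`unwrap_temp` names are snake_case in a file that otherwise uses lowerCamelCase.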
@@ -0,0 +1,821 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.security; + +import java.math.BigInteger; +import java.security.KeyPair; +import java.util.Properties; + +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CertificateExtensions; + +import org.mozilla.jss.crypto.SignatureAlgorithm; + +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.ConfigConstants; +import com.netscape.certsrv.common.Constants; + +/** + * This class represents a container for storaging + * data in the security package. + * + * @version $Revision$, $Date$ + */ +public class KeyCertData extends Properties { + + /** + * + */ + private static final long serialVersionUID = -9084106429445432037L; + + /** + * Constructs a key certificate data. + */ + public KeyCertData() { + super(); + } + + /** + * Retrieves the key pair from this container. + * + * @return key pair + */ + public KeyPair getKeyPair() { + return (KeyPair) get("keypair"); + } + + /** + * Sets key pair into this container. + * + * @param keypair key pair + */ + public void setKeyPair(KeyPair keypair) { + put("keypair", keypair); + } + + /** + * Retrieves the issuer name from this container. 
+ * + * @return issuer name + */ + public String getIssuerName() { + return (String) get(Constants.PR_ISSUER_NAME); + } + + /** + * Sets the issuer name in this container. + * + * @param name issuer name + */ + public void setIssuerName(String name) { + put(Constants.PR_ISSUER_NAME, name); + } + + /** + * Retrieves certificate server instance name. + * + * @return instance name + */ + public String getCertInstanceName() { + return (String) get(ConfigConstants.PR_CERT_INSTANCE_NAME); + } + + /** + * Sets certificate server instance name. + * + * @param name instance name + */ + public void setCertInstanceName(String name) { + put(ConfigConstants.PR_CERT_INSTANCE_NAME, name); + } + + /** + * Retrieves certificate nickname. + * + * @return certificate nickname + */ + public String getCertNickname() { + return (String) get(Constants.PR_NICKNAME); + } + + /** + * Sets certificate nickname. + * + * @param nickname certificate nickname + */ + public void setCertNickname(String nickname) { + put(Constants.PR_NICKNAME, nickname); + } + + /** + * Retrieves key length. + * + * @return key length + */ + public String getKeyLength() { + return (String) get(Constants.PR_KEY_LENGTH); + } + + /** + * Sets key length. + * + * @param len key length + */ + public void setKeyLength(String len) { + put(Constants.PR_KEY_LENGTH, len); + } + + /** + * Retrieves key type. + * + * @return key type + */ + public String getKeyType() { + return (String) get(Constants.PR_KEY_TYPE); + } + + /** + * Sets key type. + * + * @param type key type + */ + public void setKeyType(String type) { + put(Constants.PR_KEY_TYPE, type); + } + + /** + * Retrieves key curve name. + * + * @return key curve name + */ + public String getKeyCurveName() { + return (String) get(Constants.PR_KEY_CURVENAME); + } + + /** + * Sets key curvename. + * + * @param len key curvename + */ + public void setKeyCurveName(String len) { + put(Constants.PR_KEY_CURVENAME, len); + } + + /** + * Retrieves signature algorithm. 
+ * + * @return signature algorithm + */ + public SignatureAlgorithm getSignatureAlgorithm() { + return (SignatureAlgorithm) get(Constants.PR_SIGNATURE_ALGORITHM); + } + + /** + * Sets signature algorithm + * + * @param alg signature algorithm + */ + public void setSignatureAlgorithm(SignatureAlgorithm alg) { + put(Constants.PR_SIGNATURE_ALGORITHM, alg); + } + + /** + * Retrieves algorithm used to sign the root CA Cert. + * + * @return signature algorithm + */ + public String getSignedBy() { + return (String) get(Constants.PR_SIGNEDBY_TYPE); + } + + /** + * Sets signature algorithm used to sign root CA cert + * + * @param alg signature algorithm + */ + public void setSignedBy(String alg) { + put(Constants.PR_SIGNEDBY_TYPE, alg); + } + + /** + * Retrieves signature algorithm. + * + * @return signature algorithm + */ + public AlgorithmId getAlgorithmId() { + return (AlgorithmId) get(Constants.PR_ALGORITHM_ID); + } + + /** + * Sets algorithm identifier + * + * @param id signature algorithm + */ + public void setAlgorithmId(AlgorithmId id) { + put(Constants.PR_ALGORITHM_ID, id); + } + + /** + * Retrieves serial number. + * + * @return serial number + */ + public BigInteger getSerialNumber() { + return (BigInteger) get("serialno"); + } + + /** + * Sets serial number. + * + * @param num serial number + */ + public void setSerialNumber(BigInteger num) { + put("serialno", num); + } + + /** + * Retrieves configuration file. + * + * @return configuration file + */ + public IConfigStore getConfigFile() { + return (IConfigStore) (get("cmsFile")); + } + + /** + * Sets configuration file. + * + * @param file configuration file + */ + public void setConfigFile(IConfigStore file) { + put("cmsFile", file); + } + + /** + * Retrieves begining year of validity. + * + * @return begining year + */ + public String getBeginYear() { + return (String) get(Constants.PR_BEGIN_YEAR); + } + + /** + * Sets begining year of validity. 
+ * + * @param year begining year + */ + public void setBeginYear(String year) { + put(Constants.PR_BEGIN_YEAR, year); + } + + /** + * Retrieves ending year of validity. + * + * @return ending year + */ + public String getAfterYear() { + return (String) get(Constants.PR_AFTER_YEAR); + } + + /** + * Sets ending year of validity. + * + * @param year ending year + */ + public void setAfterYear(String year) { + put(Constants.PR_AFTER_YEAR, year); + } + + /** + * Retrieves begining month of validity. + * + * @return begining month + */ + public String getBeginMonth() { + return (String) get(Constants.PR_BEGIN_MONTH); + } + + /** + * Sets begining month of validity. + * + * @param month begining month + */ + public void setBeginMonth(String month) { + put(Constants.PR_BEGIN_MONTH, month); + } + + /** + * Retrieves ending month of validity. + * + * @return ending month + */ + public String getAfterMonth() { + return (String) get(Constants.PR_AFTER_MONTH); + } + + /** + * Sets ending month of validity. + * + * @param month ending month + */ + public void setAfterMonth(String month) { + put(Constants.PR_AFTER_MONTH, month); + } + + /** + * Retrieves begining date of validity. + * + * @return begining date + */ + public String getBeginDate() { + return (String) get(Constants.PR_BEGIN_DATE); + } + + /** + * Sets begining date of validity. + * + * @param date begining date + */ + public void setBeginDate(String date) { + put(Constants.PR_BEGIN_DATE, date); + } + + /** + * Retrieves ending date of validity. + * + * @return ending date + */ + public String getAfterDate() { + return (String) get(Constants.PR_AFTER_DATE); + } + + /** + * Sets ending date of validity. + * + * @param date ending date + */ + public void setAfterDate(String date) { + put(Constants.PR_AFTER_DATE, date); + } + + /** + * Retrieves starting hour of validity. 
+ * + * @return starting hour + */ + public String getBeginHour() { + return (String) get(Constants.PR_BEGIN_HOUR); + } + + /** + * Sets starting hour of validity. + * + * @param hour starting hour + */ + public void setBeginHour(String hour) { + put(Constants.PR_BEGIN_HOUR, hour); + } + + /** + * Retrieves ending hour of validity. + * + * @return ending hour + */ + public String getAfterHour() { + return (String) get(Constants.PR_AFTER_HOUR); + } + + /** + * Sets ending hour of validity. + * + * @param hour ending hour + */ + public void setAfterHour(String hour) { + put(Constants.PR_AFTER_HOUR, hour); + } + + /** + * Retrieves starting minute of validity. + * + * @return starting minute + */ + public String getBeginMin() { + return (String) get(Constants.PR_BEGIN_MIN); + } + + /** + * Sets starting minute of validity. + * + * @param min starting minute + */ + public void setBeginMin(String min) { + put(Constants.PR_BEGIN_MIN, min); + } + + /** + * Retrieves ending minute of validity. + * + * @return ending minute + */ + public String getAfterMin() { + return (String) get(Constants.PR_AFTER_MIN); + } + + /** + * Sets ending minute of validity. + * + * @param min ending minute + */ + public void setAfterMin(String min) { + put(Constants.PR_AFTER_MIN, min); + } + + /** + * Retrieves starting second of validity. + * + * @return starting second + */ + public String getBeginSec() { + return (String) get(Constants.PR_BEGIN_SEC); + } + + /** + * Sets starting second of validity. + * + * @param sec starting second + */ + public void setBeginSec(String sec) { + put(Constants.PR_BEGIN_SEC, sec); + } + + /** + * Retrieves ending second of validity. + * + * @return ending second + */ + public String getAfterSec() { + return (String) get(Constants.PR_AFTER_SEC); + } + + /** + * Sets ending second of validity. 
+ * + * @param sec ending second + */ + public void setAfterSec(String sec) { + put(Constants.PR_AFTER_SEC, sec); + } + + /** + * Retrieves CA key pair + * + * @return CA key pair + */ + public KeyPair getCAKeyPair() { + return (KeyPair) get(Constants.PR_CA_KEYPAIR); + } + + /** + * Sets CA key pair + * + * @param keypair key pair + */ + public void setCAKeyPair(KeyPair keypair) { + put(Constants.PR_CA_KEYPAIR, keypair); + } + + /** + * Retrieves extensions + * + * @return extensions + */ + public String getDerExtension() { + return (String) get(Constants.PR_DER_EXTENSION); + } + + /** + * Sets extensions + * + * @param ext extensions + */ + public void setDerExtension(String ext) { + put(Constants.PR_DER_EXTENSION, ext); + } + + /** + * Retrieves isCA + * + * @return "true" if it is CA + */ + public String isCA() { + return (String) get(Constants.PR_IS_CA); + } + + /** + * Sets isCA + * + * @param ext "true" if it is CA + */ + public void setCA(String ext) { + put(Constants.PR_IS_CA, ext); + } + + /** + * Retrieves key length + * + * @return certificate's key length + */ + public String getCertLen() { + return (String) get(Constants.PR_CERT_LEN); + } + + /** + * Sets key length + * + * @param len certificate's key length + */ + public void setCertLen(String len) { + put(Constants.PR_CERT_LEN, len); + } + + /** + * Retrieves SSL Client bit + * + * @return SSL Client bit + */ + public String getSSLClientBit() { + return (String) get(Constants.PR_SSL_CLIENT_BIT); + } + + /** + * Sets SSL Client bit + * + * @param sslClientBit SSL Client bit + */ + public void setSSLClientBit(String sslClientBit) { + put(Constants.PR_SSL_CLIENT_BIT, sslClientBit); + } + + /** + * Retrieves SSL Server bit + * + * @return SSL Server bit + */ + public String getSSLServerBit() { + return (String) get(Constants.PR_SSL_SERVER_BIT); + } + + /** + * Sets SSL Server bit + * + * @param sslServerBit SSL Server bit + */ + public void setSSLServerBit(String sslServerBit) { + 
put(Constants.PR_SSL_SERVER_BIT, sslServerBit); + } + + /** + * Retrieves SSL Mail bit + * + * @return SSL Mail bit + */ + public String getSSLMailBit() { + return (String) get(Constants.PR_SSL_MAIL_BIT); + } + + /** + * Sets SSL Mail bit + * + * @param sslMailBit SSL Mail bit + */ + public void setSSLMailBit(String sslMailBit) { + put(Constants.PR_SSL_MAIL_BIT, sslMailBit); + } + + /** + * Retrieves SSL CA bit + * + * @return SSL CA bit + */ + public String getSSLCABit() { + return (String) get(Constants.PR_SSL_CA_BIT); + } + + /** + * Sets SSL CA bit + * + * @param cabit SSL CA bit + */ + public void setSSLCABit(String cabit) { + put(Constants.PR_SSL_CA_BIT, cabit); + } + + /** + * Retrieves SSL Signing bit + * + * @return SSL Signing bit + */ + public String getObjectSigningBit() { + return (String) get(Constants.PR_OBJECT_SIGNING_BIT); + } + + /** + * Retrieves Time Stamping bit + * + * @return Time Stamping bit + */ + public String getTimeStampingBit() { + return (String) get(Constants.PR_TIMESTAMPING_BIT); + } + + /** + * Sets SSL Signing bit + * + * @param objectSigningBit SSL Signing bit + */ + public void setObjectSigningBit(String objectSigningBit) { + put(Constants.PR_OBJECT_SIGNING_BIT, objectSigningBit); + } + + /** + * Retrieves SSL Mail CA bit + * + * @return SSL Mail CA bit + */ + public String getMailCABit() { + return (String) get(Constants.PR_MAIL_CA_BIT); + } + + /** + * Sets SSL Mail CA bit + * + * @param mailCABit SSL Mail CA bit + */ + public void setMailCABit(String mailCABit) { + put(Constants.PR_MAIL_CA_BIT, mailCABit); + } + + /** + * Retrieves SSL Object Signing bit + * + * @return SSL Object Signing bit + */ + public String getObjectSigningCABit() { + return (String) get(Constants.PR_OBJECT_SIGNING_CA_BIT); + } + + /** + * Sets SSL Object Signing bit + * + * @param bit SSL Object Signing bit + */ + public void setObjectSigningCABit(String bit) { + put(Constants.PR_OBJECT_SIGNING_CA_BIT, bit); + } + + /** + * Retrieves OCSP Signing flag 
+ * + * @return OCSP Signing flag + */ + public String getOCSPSigning() { + return (String) get(Constants.PR_OCSP_SIGNING); + } + + /** + * Sets OCSP Signing flag + * + * @param aki OCSP Signing flag + */ + public void setOCSPSigning(String aki) { + put(Constants.PR_OCSP_SIGNING, aki); + } + + /** + * Retrieves OCSP No Check flag + * + * @return OCSP No Check flag + */ + public String getOCSPNoCheck() { + return (String) get(Constants.PR_OCSP_NOCHECK); + } + + /** + * Sets OCSP No Check flag + * + * @param noCheck OCSP No Check flag + */ + public void setOCSPNoCheck(String noCheck) { + put(Constants.PR_OCSP_NOCHECK, noCheck); + } + + /** + * Retrieves Authority Information Access flag + * + * @return Authority Information Access flag + */ + public String getAIA() { + return (String) get(Constants.PR_AIA); + } + + /** + * Sets Authority Information Access flag + * + * @param aia Authority Information Access flag + */ + public void setAIA(String aia) { + put(Constants.PR_AIA, aia); + } + + /** + * Retrieves Authority Key Identifier flag + * + * @return Authority Key Identifier flag + */ + public String getAKI() { + return (String) get(Constants.PR_AKI); + } + + /** + * Sets Authority Key Identifier flag + * + * @param aki Authority Key Identifier flag + */ + public void setAKI(String aki) { + put(Constants.PR_AKI, aki); + } + + /** + * Retrieves Subject Key Identifier flag + * + * @return Subject Key Identifier flag + */ + public String getSKI() { + return (String) get(Constants.PR_SKI); + } + + /** + * Sets Subject Key Identifier flag + * + * @param ski Subject Key Identifier flag + */ + public void setSKI(String ski) { + put(Constants.PR_SKI, ski); + } + + /** + * Retrieves key usage extension + * + * @return true if key usage extension set + */ + public boolean getKeyUsageExtension() { + String str = (String) get(Constants.PR_KEY_USAGE); + + if (str == null || str.equals(ConfigConstants.FALSE)) + return false; + return true; + } + + /** + * Sets CA extensions + * 
+ * @param ext CA extensions + */ + public void setCAExtensions(CertificateExtensions ext) { + put("CAEXTENSIONS", ext); + } + + /** + * Retrieves CA extensions + * + * @return CA extensions + */ + public CertificateExtensions getCAExtensions() { + return (CertificateExtensions) get("CAEXTENSIONS"); + } + + /** + * Retrieves hash type + * + * @return hash type + */ + public String getHashType() { + return (String) get(ConfigConstants.PR_HASH_TYPE); + } +} diff --git a/base/common/src/com/netscape/certsrv/selftests/EDuplicateSelfTestException.java b/base/common/src/com/netscape/certsrv/selftests/EDuplicateSelfTestException.java new file mode 100644 index 000000000..958919e1e --- /dev/null +++ b/base/common/src/com/netscape/certsrv/selftests/EDuplicateSelfTestException.java 
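Review bot: `KeyCertData extends Properties` turns a `Serializable` `Hashtable<Object,Object>` into a typed bag that holds the generated `KeyPair` (`setKeyPair`) and the CA `KeyPair` (`setCAKeyPair`), i.e. private key material, next to plain strings; `Properties.store()` will throw on the non-String values and `list()`/`toString()` will print whatever those objects' `toString()` yields, and Java serialization of this object would attempt to write the key objects if they are `Serializable`, so nothing in the type prevents an accidental dump. The class Javadoc should say so explicitly, e.g. `* Values are arbitrary objects, not just Strings, and include private keys: never pass this object to Properties.store(), list() or Java serialization.`, and every getter that casts (`getKeyPair`, `getConfigFile`, `getCAExtensions`, ...) should document that a value stored under the same key via `setProperty` raises `ClassCastException`. `getKeyUsageExtension` can be written as `return str != null && !str.equals(ConfigConstants.FALSE);`.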
@@ -0,0 +1,216 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+// package statement //
+///////////////////////
+
+package com.netscape.certsrv.selftests;
+
+///////////////////////
+// import statements //
+///////////////////////
+
+//////////////////////
+// class definition //
+//////////////////////
+
+/**
+ * This class implements a duplicate self test exception.
+ * EDuplicateSelfTestExceptions are derived from ESelfTestExceptions
+ * in order to allow users to easily do self tests without try-catch clauses.
+ *
+ * EDuplicateSelfTestExceptions should be caught by SelfTestSubsystem managers.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class EDuplicateSelfTestException
+ extends ESelfTestException {
+ ////////////////////////
+ // default parameters //
+ ////////////////////////
+
+ ///////////////////////
+ // helper parameters //
+ ///////////////////////
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -7484729117186395701L;
+ private String mInstanceName = null;
+ private String mInstanceStore = null;
+ private String mInstanceParameter = null;
+ private String mInstanceValue = null;
+
+ ////////////////////////////////////////////
+ // EDuplicateSelfTestException parameters //
+ ////////////////////////////////////////////
+
+ ///////////////////////////////////////////////
+ // ESelfTestException parameters (inherited) //
+ ///////////////////////////////////////////////
+
+ /////////////////////
+ // default methods //
+ /////////////////////
+
+ /**
+ * Constructs a "duplicate" self test exception.
+ *

+ *
+ * @param instanceName duplicate "instanceName" exception details
+ */
+ public EDuplicateSelfTestException(String instanceName) {
+ super("The self test plugin property named "
+ + instanceName
+ + " already exists.");
+
+ // strip preceding/trailing whitespace
+ // from passed-in String parameters
+ if (instanceName != null) {
+ instanceName = instanceName.trim();
+ }
+
+ // store passed-in parameters for use by helper methods
+ mInstanceName = instanceName;
+ }
+
+ /**
+ * Constructs a "duplicate" self test exception where the value is always
+ * a duplicate from a name/value pair
+ *

+ *
+ * @param instanceName duplicate "instanceName" exception details
+ * @param instanceValue duplicate "instanceValue" exception details
+ */
+ public EDuplicateSelfTestException(String instanceName,
+ String instanceValue) {
+ super("The self test plugin property named "
+ + instanceName
+ + " contains a value of "
+ + instanceValue
+ + " which already exists.");
+
+ // strip preceding/trailing whitespace
+ // from passed-in String parameters
+ if (instanceName != null) {
+ instanceName = instanceName.trim();
+ }
+ if (instanceValue != null) {
+ instanceValue = instanceValue.trim();
+ }
+
+ // store passed-in parameters for use by helper methods
+ mInstanceName = instanceName;
+ mInstanceValue = instanceValue;
+ }
+
+ /**
+ * Constructs a "duplicate" self test exception where the parameter is a
+ * duplicate from a substore.parameter/value pair; (the value passed in may
+ * be null).
+ *

+ *
+ * @param instanceStore duplicate "instanceStore" exception details
+ * @param instanceParameter duplicate "instanceParameter" exception details
+ * @param instanceValue duplicate "instanceValue" exception details
+ * (may be null)
+ */
+ public EDuplicateSelfTestException(String instanceStore,
+ String instanceParameter,
+ String instanceValue) {
+ super("The self test plugin property named " + + instanceStore + "." + instanceParameter + " is a duplicate.");
+
+ // strip preceding/trailing whitespace
+ // from passed-in String parameters
+ if (instanceStore != null) {
+ instanceStore = instanceStore.trim();
+ }
+ if (instanceParameter != null) {
+ instanceParameter = instanceParameter.trim();
+ }
+ if (instanceValue != null) {
+ instanceValue = instanceValue.trim();
+ }
+
+ // store passed-in parameters for use by helper methods
+ mInstanceStore = instanceStore;
+ mInstanceParameter = instanceParameter;
+ mInstanceValue = instanceValue;
+ }
+
+ ////////////////////
+ // helper methods //
+ ////////////////////
+
+ /**
+ * Returns the instance name associated with this self test.
+ *

+ *
+ * @return name portion of the name/value pair
+ */
+ public String getInstanceName() {
+ return mInstanceName;
+ }
+
+ /**
+ * Returns the store associated with this self test.
+ *

+ *
+ * @return substore portion of the substore.parameter/value pair
+ */
+ public String getInstanceStore() {
+ return mInstanceStore;
+ }
+
+ /**
+ * Returns the parameter associated with this self test.
+ *

+ *
+ * @return parameter portion of the substore.parameter/value pair
+ */
+ public String getInstanceParameter() {
+ return mInstanceParameter;
+ }
+
+ /**
+ * Returns the value associated with this self test.
+ *

+ *
+ * @return value portion of the name/value pair
+ */
+ public String getInstanceValue() {
+ return mInstanceValue;
+ }
+
+ /////////////////////////////////////////
+ // EDuplicateSelfTestException methods //
+ /////////////////////////////////////////
+
+ ////////////////////////////////////////////
+ // ESelfTestException methods (inherited) //
+ ////////////////////////////////////////////
+
+ /* Note that all of the following ESelfTestException methods
+ * are inherited from the ESelfTestException class:
+ *
+ * public ESelfTestException( String msg );
+ */
+}
diff --git a/base/common/src/com/netscape/certsrv/selftests/EInvalidSelfTestException.java b/base/common/src/com/netscape/certsrv/selftests/EInvalidSelfTestException.java
new file mode 100644
index 000000000..58592b89b
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/selftests/EInvalidSelfTestException.java
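Review bot: Each constructor passes the raw instanceName (and instanceStore/instanceParameter in the three-argument form) to super(...) and only trims afterwards, so getMessage() and getInstanceName() disagree whenever the configured name carries surrounding whitespace; trim before building the message, e.g. `super("The self test plugin property named " + trimOrNull(instanceName) + " already exists.");` backed by `private static String trimOrNull(String s) { return s == null ? null : s.trim(); }`. The three-argument constructor also trims and stores instanceValue but never mentions it in the message, so the duplicated value is not visible where the exception is logged. The same ordering is repeated in the constructors of EInvalidSelfTestException and EMissingSelfTestException in the next two hunks. The Javadoc on serialVersionUID is empty and should either be dropped or say why the value is pinned.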
@@ -0,0 +1,216 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+// package statement //
+///////////////////////
+
+package com.netscape.certsrv.selftests;
+
+///////////////////////
+// import statements //
+///////////////////////
+
+//////////////////////
+// class definition //
+//////////////////////
+
+/**
+ * This class implements an invalid self test exception.
+ * EInvalidSelfTestExceptions are derived from ESelfTestExceptions
+ * in order to allow users to easily do self tests without try-catch clauses.
+ *
+ * EInvalidSelfTestExceptions should be caught by SelfTestSubsystem managers.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class EInvalidSelfTestException
+ extends ESelfTestException {
+ ////////////////////////
+ // default parameters //
+ ////////////////////////
+
+ ///////////////////////
+ // helper parameters //
+ ///////////////////////
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 942550656371185199L;
+ private String mInstanceName = null;
+ private String mInstanceStore = null;
+ private String mInstanceParameter = null;
+ private String mInstanceValue = null;
+
+ //////////////////////////////////////////
+ // EInvalidSelfTestException parameters //
+ //////////////////////////////////////////
+
+ ///////////////////////////////////////////////
+ // ESelfTestException parameters (inherited) //
+ ///////////////////////////////////////////////
+
+ /////////////////////
+ // default methods //
+ /////////////////////
+
+ /**
+ * Constructs an "invalid" self test exception.
+ *

+ *
+ * @param instanceName invalid "instanceName" exception details
+ */
+ public EInvalidSelfTestException(String instanceName) {
+ super("The self test plugin named "
+ + instanceName
+ + " is invalid.");
+
+ // strip preceding/trailing whitespace
+ // from passed-in String parameters
+ if (instanceName != null) {
+ instanceName = instanceName.trim();
+ }
+
+ // store passed-in parameters for use by helper methods
+ mInstanceName = instanceName;
+ }
+
+ /**
+ * Constructs a "invalid" self test exception where the value is always
+ * invalid from a name/value pair
+ *

+ *
+ * @param instanceName invalid "instanceName" exception details
+ * @param instanceValue invalid "instanceValue" exception details
+ */
+ public EInvalidSelfTestException(String instanceName,
+ String instanceValue) {
+ super("The self test plugin named "
+ + instanceName
+ + " contains a value "
+ + instanceValue
+ + " which is invalid.");
+
+ // strip preceding/trailing whitespace
+ // from passed-in String parameters
+ if (instanceName != null) {
+ instanceName = instanceName.trim();
+ }
+ if (instanceValue != null) {
+ instanceValue = instanceValue.trim();
+ }
+
+ // store passed-in parameters for use by helper methods
+ mInstanceName = instanceName;
+ mInstanceValue = instanceValue;
+ }
+
+ /**
+ * Constructs an "invalid" self test exception where the parameter is always
+ * invalid from a substore.parameter/value pair; (the value passed in may
+ * be null).
+ *

+ *
+ * @param instanceStore invalid "instanceStore" exception details
+ * @param instanceParameter invalid "instanceParameter" exception details
+ * @param instanceValue invalid "instanceValue" exception details
+ * (may be null)
+ */
+ public EInvalidSelfTestException(String instanceStore,
+ String instanceParameter,
+ String instanceValue) {
+ super("The self test plugin parameter named " + + instanceStore + "." + instanceParameter + " is invalid.");
+
+ // strip preceding/trailing whitespace
+ // from passed-in String parameters
+ if (instanceStore != null) {
+ instanceStore = instanceStore.trim();
+ }
+ if (instanceParameter != null) {
+ instanceParameter = instanceParameter.trim();
+ }
+ if (instanceValue != null) {
+ instanceValue = instanceValue.trim();
+ }
+
+ // store passed-in parameters for use by helper methods
+ mInstanceStore = instanceStore;
+ mInstanceParameter = instanceParameter;
+ mInstanceValue = instanceValue;
+ }
+
+ ////////////////////
+ // helper methods //
+ ////////////////////
+
+ /**
+ * Returns the instance name associated with this self test.
+ *

+ *
+ * @return name portion of the name/value pair
+ */
+ public String getInstanceName() {
+ return mInstanceName;
+ }
+
+ /**
+ * Returns the store associated with this self test.
+ *

+ *
+ * @return substore portion of the substore.parameter/value pair
+ */
+ public String getInstanceStore() {
+ return mInstanceStore;
+ }
+
+ /**
+ * Returns the parameter associated with this self test.
+ *

+ *
+ * @return parameter portion of the substore.parameter/value pair
+ */
+ public String getInstanceParameter() {
+ return mInstanceParameter;
+ }
+
+ /**
+ * Returns the value associated with this self test.
+ *

+ *
+ * @return value portion of the name/value pair
+ */
+ public String getInstanceValue() {
+ return mInstanceValue;
+ }
+
+ ///////////////////////////////////////
+ // EInvalidSelfTestException methods //
+ ///////////////////////////////////////
+
+ ////////////////////////////////////////////
+ // ESelfTestException methods (inherited) //
+ ////////////////////////////////////////////
+
+ /* Note that all of the following ESelfTestException methods
+ * are inherited from the ESelfTestException class:
+ *
+ * public ESelfTestException( String msg );
+ */
+}
diff --git a/base/common/src/com/netscape/certsrv/selftests/EMissingSelfTestException.java b/base/common/src/com/netscape/certsrv/selftests/EMissingSelfTestException.java
new file mode 100644
index 000000000..c15852f4f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/selftests/EMissingSelfTestException.java
@@ -0,0 +1,225 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+// package statement //
+///////////////////////
+
+package com.netscape.certsrv.selftests;
+
+///////////////////////
+// import statements //
+///////////////////////
+
+//////////////////////
+// class definition //
+//////////////////////
+
+/**
+ * This class implements a missing self test exception.
+ * EMissingSelfTestExceptions are derived from ESelfTestExceptions
+ * in order to allow users to easily do self tests without try-catch clauses.
+ *
+ * EMissingSelfTestExceptions should be caught by SelfTestSubsystem managers.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class EMissingSelfTestException
+ extends ESelfTestException {
+ ////////////////////////
+ // default parameters //
+ ////////////////////////
+
+ ///////////////////////
+ // helper parameters //
+ ///////////////////////
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -2969459432517671352L;
+ private String mInstanceName = null;
+ private String mInstanceStore = null;
+ private String mInstanceParameter = null;
+ private String mInstanceValue = null;
+
+ //////////////////////////////////////////
+ // EMissingSelfTestException parameters //
+ //////////////////////////////////////////
+
+ ///////////////////////////////////////////////
+ // ESelfTestException parameters (inherited) //
+ ///////////////////////////////////////////////
+
+ /////////////////////
+ // default methods //
+ /////////////////////
+
+ /**
+ * Constructs a "missing" self test exception where the name is null
+ *

+ *
+ */
+ public EMissingSelfTestException() {
+ super("The self test plugin property name is null.");
+ }
+
+ /**
+ * Constructs a "missing" self test exception where the name is always
+ * missing from a name/value pair.
+ *

+ *
+ * @param instanceName missing "instanceName" exception details
+ */
+ public EMissingSelfTestException(String instanceName) {
+ super("The self test plugin property named "
+ + instanceName
+ + " does not exist.");
+
+ // strip preceding/trailing whitespace
+ // from passed-in String parameters
+ if (instanceName != null) {
+ instanceName = instanceName.trim();
+ }
+
+ // store passed-in parameters for use by helper methods
+ mInstanceName = instanceName;
+ }
+
+ /**
+ * Constructs a "missing" self test exception where the value is always
+ * missing from a name/value pair; (the value passed in is always null).
+ *

+ *
+ * @param instanceName missing "instanceName" exception details
+ * @param instanceValue missing "instanceValue" exception details
+ * (always null)
+ */
+ public EMissingSelfTestException(String instanceName,
+ String instanceValue) {
+ super("The self test plugin property named "
+ + instanceName
+ + " contains no values.");
+
+ // strip preceding/trailing whitespace
+ // from passed-in String parameters
+ if (instanceName != null) {
+ instanceName = instanceName.trim();
+ }
+ if (instanceValue != null) {
+ instanceValue = instanceValue.trim();
+ }
+
+ // store passed-in parameters for use by helper methods
+ mInstanceName = instanceName;
+ mInstanceValue = instanceValue;
+ }
+
+ /**
+ * Constructs a "missing" self test exception where the parameter is always
+ * missing from a substore.parameter/value pair; (the value passed in may
+ * be null).
+ *

+ *
+ * @param instanceStore missing "instanceStore" exception details
+ * @param instanceParameter missing "instanceParameter" exception details
+ * @param instanceValue missing "instanceValue" exception details
+ * (may be null)
+ */
+ public EMissingSelfTestException(String instanceStore,
+ String instanceParameter,
+ String instanceValue) {
+ super("The self test plugin property named " + + instanceStore + "." + instanceParameter + " is missing.");
+
+ // strip preceding/trailing whitespace
+ // from passed-in String parameters
+ if (instanceStore != null) {
+ instanceStore = instanceStore.trim();
+ }
+ if (instanceParameter != null) {
+ instanceParameter = instanceParameter.trim();
+ }
+ if (instanceValue != null) {
+ instanceValue = instanceValue.trim();
+ }
+
+ // store passed-in parameters for use by helper methods
+ mInstanceStore = instanceStore;
+ mInstanceParameter = instanceParameter;
+ mInstanceValue = instanceValue;
+ }
+
+ ////////////////////
+ // helper methods //
+ ////////////////////
+
+ /**
+ * Returns the instance name associated with this self test.
+ *

+ *
+ * @return name portion of the name/value pair
+ */
+ public String getInstanceName() {
+ return mInstanceName;
+ }
+
+ /**
+ * Returns the store associated with this self test.
+ *

+ *
+ * @return substore portion of the substore.parameter/value pair
+ */
+ public String getInstanceStore() {
+ return mInstanceStore;
+ }
+
+ /**
+ * Returns the parameter associated with this self test.
+ *

+ *
+ * @return parameter portion of the substore.parameter/value pair
+ */
+ public String getInstanceParameter() {
+ return mInstanceParameter;
+ }
+
+ /**
+ * Returns the value associated with this self test.
+ *

+ *
+ * @return value portion of the name/value pair
+ */
+ public String getInstanceValue() {
+ return mInstanceValue;
+ }
+
+ ///////////////////////////////////////
+ // EMissingSelfTestException methods //
+ ///////////////////////////////////////
+
+ ////////////////////////////////////////////
+ // ESelfTestException methods (inherited) //
+ ////////////////////////////////////////////
+
+ /* Note that all of the following ESelfTestException methods
+ * are inherited from the ESelfTestException class:
+ *
+ * public ESelfTestException( String msg );
+ */
+}
diff --git a/base/common/src/com/netscape/certsrv/selftests/ESelfTestException.java b/base/common/src/com/netscape/certsrv/selftests/ESelfTestException.java
new file mode 100644
index 000000000..6c4f6bf2f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/selftests/ESelfTestException.java
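Review bot: The two-argument constructor's Javadoc declares instanceValue "(always null)", yet the body trims and stores it for getInstanceValue(), so the contract and the code contradict each other and the message "contains no values" cannot show what was actually passed. Either document it as `@param instanceValue value of the missing pair, if known; retained for getInstanceValue() (may be null)` or drop the parameter from the signature. The no-argument constructor leaves all four fields null, which the accessors' Javadoc does not mention; a sentence such as `May return null when the exception was raised without an instance name.` on getInstanceName() would make that explicit to callers that log these values.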
@@ -0,0 +1,118 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+// package statement //
+///////////////////////
+
+package com.netscape.certsrv.selftests;
+
+///////////////////////
+// import statements //
+///////////////////////
+
+import com.netscape.certsrv.base.EBaseException;
+
+//////////////////////
+// class definition //
+//////////////////////
+
+/**
+ * This class implements a self test exception. ESelfTestExceptions
+ * are derived from EBaseExceptions in order to allow users
+ * to easily do self tests without try-catch clauses.
+ *
+ * ESelfTestExceptions should be caught by SelfTestSubsystem managers.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class ESelfTestException
+ extends EBaseException {
+ ////////////////////////
+ // default parameters //
+ ////////////////////////
+
+ ///////////////////////////////////
+ // ESelfTestException parameters //
+ ///////////////////////////////////
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -8001373369705595891L;
+ private static final String SELFTEST_RESOURCES = SelfTestResources.class.getName();
+
+ ///////////////////////////////////////////
+ // EBaseException parameters (inherited) //
+ ///////////////////////////////////////////
+
+ /* Note that all of the following EBaseException parameters
+ * are inherited from the EBaseException class:
+ *
+ * public Object mParams[];
+ */
+
+ /////////////////////
+ // default methods //
+ /////////////////////
+
+ /**
+ * Constructs a self test exception.
+ *

+ *
+ * @param msg exception details
+ */
+ public ESelfTestException(String msg) {
+ super(msg);
+ }
+
+ ////////////////////////////////
+ // ESelfTestException methods //
+ ////////////////////////////////
+
+ /**
+ * Returns the bundle file name.
+ *

+ *
+ * @return name of bundle class associated with this exception.
+ */
+ protected String getBundleName() {
+ return SELFTEST_RESOURCES;
+ }
+
+ ////////////////////////////////////////
+ // EBaseException methods (inherited) //
+ ////////////////////////////////////////
+
+ /* Note that all of the following EBaseException methods
+ * are inherited from the EBaseException class:
+ *
+ * public EBaseException( String msgFormat );
+ *
+ * public EBaseException( String msgFormat, String param );
+ *
+ * public EBaseException( String msgFormat, Exception param );
+ *
+ * public EBaseException( String msgFormat, Object params[] );
+ *
+ * public Object[] getParameters();
+ *
+ * public String toString();
+ *
+ * public String toString( Locale locale );
+ */
+}
diff --git a/base/common/src/com/netscape/certsrv/selftests/ISelfTest.java b/base/common/src/com/netscape/certsrv/selftests/ISelfTest.java
new file mode 100644
index 000000000..04285a9dc
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/selftests/ISelfTest.java
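Review bot: getBundleName() carries no @Override annotation although the surrounding comments present it as the one EBaseException hook this class specialises; if it does override the base method, `@Override` on the line before `protected String getBundleName() {` lets the compiler catch any later signature drift, and if it does not, the inherited-members inventory is misleading. EBaseException is outside this diff, so I cannot confirm which case applies. The hand-maintained comment lists of inherited constructors and of `public Object mParams[]` will silently go stale as the base class changes; a `{@link EBaseException}` reference in the class Javadoc conveys the same thing without that risk. The Javadoc on serialVersionUID is empty and should be dropped or completed.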
@@ -0,0 +1,133 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+// package statement //
+///////////////////////
+
+package com.netscape.certsrv.selftests;
+
+///////////////////////
+// import statements //
+///////////////////////
+
+import java.util.Locale;
+
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.logging.ILogEventListener;
+
+//////////////////////
+// class definition //
+//////////////////////
+
+/**
+ * This class defines the interface of an individual self test.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface ISelfTest {
+ ////////////////////////
+ // default parameters //
+ ////////////////////////
+
+ //////////////////////////
+ // ISelfTest parameters //
+ //////////////////////////
+
+ public static final String PROP_PLUGIN = "plugin";
+
+ /////////////////////
+ // default methods //
+ /////////////////////
+
+ ///////////////////////
+ // ISelfTest methods //
+ ///////////////////////
+
+ /**
+ * Initializes this subsystem with the configuration store
+ * associated with this instance name.
+ *

+ *
+ * @param subsystem the associated subsystem
+ * @param instanceName the name of this self test instance
+ * @param parameters configuration store (self test parameters)
+ * @exception EDuplicateSelfTestException subsystem has duplicate name/value
+ * @exception EInvalidSelfTestException subsystem has invalid name/value
+ * @exception EMissingSelfTestException subsystem has missing name/value
+ */
+ public void initSelfTest(ISelfTestSubsystem subsystem,
+ String instanceName,
+ IConfigStore parameters)
+ throws EDuplicateSelfTestException,
+ EInvalidSelfTestException,
+ EMissingSelfTestException;
+
+ /**
+ * Notifies this subsystem if it is in execution mode.
+ *

+ *
+ * @exception ESelfTestException failed to start
+ */
+ public void startupSelfTest()
+ throws ESelfTestException;
+
+ /**
+ * Stops this subsystem. The subsystem may call shutdownSelfTest
+ * anytime after initialization.
+ *

+ */
+ public void shutdownSelfTest();
+
+ /**
+ * Returns the name associated with this self test. This method may
+ * return null if the self test has not been intialized.
+ *

+ *
+ * @return instanceName of this self test
+ */
+ public String getSelfTestName();
+
+ /**
+ * Returns the root configuration storage (self test parameters)
+ * associated with this subsystem.
+ *

+ *
+ * @return configuration store (self test parameters) of this subsystem
+ */
+ public IConfigStore getSelfTestConfigStore();
+
+ /**
+ * Retrieves description associated with an individual self test.
+ * This method may return null.
+ *

+ *
+ * @param locale locale of the client that requests the description
+ * @return description of self test
+ */
+ public String getSelfTestDescription(Locale locale);
+
+ /**
+ * Execute an individual self test.
+ *

+ *
+ * @param logger specifies logging subsystem
+ * @exception ESelfTestException self test exception
+ */
+ public void runSelfTest(ILogEventListener logger)
+ throws ESelfTestException;
+}
diff --git a/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java b/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
new file mode 100644
index 000000000..d16627ab5
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
@@ -0,0 +1,338 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+// package statement //
+///////////////////////
+
+package com.netscape.certsrv.selftests;
+
+///////////////////////
+// import statements //
+///////////////////////
+
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.logging.ILogEventListener;
+
+//////////////////////
+// class definition //
+//////////////////////
+
+/**
+ * This class defines the interface of a container for self tests.
+ *
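Review bot: The contract of runSelfTest() does not say how a failed check is reported: `@exception ESelfTestException self test exception` leaves open whether an implementation must throw or may merely log, yet the critical/non-critical distinction exposed by the subsystem (I infer this from isSelfTestCriticalOnDemand and isSelfTestCriticalAtStartup in the ISelfTestSubsystem hunk that follows) only works if failure is signalled by the exception. Spell it out, e.g. `@exception ESelfTestException thrown when the self test fails; the subsystem uses its critical flag to decide whether this aborts startup`. The `public static final` on PROP_PLUGIN and the `public` on every method are implicit in an interface and can be dropped. getSelfTestName()'s Javadoc misspells "initialized" as "intialized", and initSelfTest() and startupSelfTest() describe "this subsystem" although the receiver is an individual self test.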

+ *
+ * @version $Revision$, $Date$
+ */
+public interface ISelfTestSubsystem
+ extends ISubsystem {
+ ////////////////////////
+ // default parameters //
+ ////////////////////////
+
+ //////////////////////////////////
+ // ISelfTestSubsystem constants //
+ //////////////////////////////////
+
+ public static final String ID = "selftests";
+ public static final String PROP_CONTAINER = "container";
+ public static final String PROP_INSTANCE = "instance";
+ public static final String PROP_LOGGER = "logger";
+ public static final String PROP_LOGGER_CLASS = "class";
+ public static final String PROP_ORDER = "order";
+ public static final String PROP_ON_DEMAND = "onDemand";
+ public static final String PROP_STARTUP = "startup";
+
+ ///////////////////////////////////////
+ // ISubsystem parameters (inherited) //
+ ///////////////////////////////////////
+
+ /////////////////////
+ // default methods //
+ /////////////////////
+
+ ////////////////////////////////
+ // ISelfTestSubsystem methods //
+ ////////////////////////////////
+
+ //
+ // methods associated with the list of on demand self tests
+ //
+
+ /**
+ * List the instance names of all the self tests enabled to run on demand
+ * (in execution order); may return null.
+ *

+ *
+ * @return list of self test instance names run on demand
+ */
+ public String[] listSelfTestsEnabledOnDemand();
+
+ /**
+ * Enable the specified self test to be executed on demand.
+ *

+ *
+ * @param instanceName instance name of self test
+ * @param isCritical isCritical is either a critical failure (true) or
+ * a non-critical failure (false)
+ * @exception EInvalidSelfTestException subsystem has invalid name/value
+ * @exception EMissingSelfTestException subsystem has missing name/value
+ */
+ // public void enableSelfTestOnDemand( String instanceName,
+ // boolean isCritical )
+ // throws EInvalidSelfTestException, EMissingSelfTestException;
+
+ /**
+ * Disable the specified self test from being able to be executed on demand.
+ *

+ *
+ * @param instanceName instance name of self test
+ * @exception EMissingSelfTestException subsystem has missing name
+ */
+ // public void disableSelfTestOnDemand( String instanceName )
+ // throws EMissingSelfTestException;
+
+ /**
+ * Determine if the specified self test is enabled to be executed on demand.
+ *

+ *
+ * @param instanceName instance name of self test
+ * @return true if the specified self test is enabled on demand
+ * @exception EMissingSelfTestException subsystem has missing name
+ */
+ public boolean isSelfTestEnabledOnDemand(String instanceName)
+ throws EMissingSelfTestException;
+
+ /**
+ * Determine if failure of the specified self test is fatal when
+ * it is executed on demand.
+ *

+ *
+ * @param instanceName instance name of self test
+ * @return true if failure of the specified self test is fatal when
+ * it is executed on demand
+ * @exception EMissingSelfTestException subsystem has missing name
+ */
+ public boolean isSelfTestCriticalOnDemand(String instanceName)
+ throws EMissingSelfTestException;
+
+ /**
+ * Execute all self tests specified to be run on demand.
+ *

+ *
+ * @exception EMissingSelfTestException subsystem has missing name
+ * @exception ESelfTestException self test exception
+ */
+ public void runSelfTestsOnDemand()
+ throws EMissingSelfTestException, ESelfTestException;
+
+ //
+ // methods associated with the list of startup self tests
+ //
+
+ /**
+ * List the instance names of all the self tests enabled to run
+ * at server startup (in execution order); may return null.
+ *

+ *
+ * @return list of self test instance names run at server startup
+ */
+ public String[] listSelfTestsEnabledAtStartup();
+
+ /**
+ * Enable the specified self test at server startup.
+ *

+ * + * @param instanceName instance name of self test + * @param isCritical isCritical is either a critical failure (true) or + * a non-critical failure (false) + * @exception EInvalidSelfTestException subsystem has invalid name/value + * @exception EMissingSelfTestException subsystem has missing name/value + */ + // public void enableSelfTestAtStartup( String instanceName, + // boolean isCritical ) + // throws EInvalidSelfTestException, EMissingSelfTestException; + + /** + * Disable the specified self test at server startup. + *

+ * + * @param instanceName instance name of self test + * @exception EMissingSelfTestException subsystem has missing name + */ + // public void disableSelfTestAtStartup( String instanceName ) + // throws EMissingSelfTestException; + + /** + * Determine if the specified self test is executed automatically + * at server startup. + *

+ * + * @param instanceName instance name of self test + * @return true if the specified self test is executed at server startup + * @exception EMissingSelfTestException subsystem has missing name + */ + public boolean isSelfTestEnabledAtStartup(String instanceName) + throws EMissingSelfTestException; + + /** + * Determine if failure of the specified self test is fatal to + * server startup. + *

+ * + * @param instanceName instance name of self test + * @return true if failure of the specified self test is fatal to + * server startup + * @exception EMissingSelfTestException subsystem has missing name + */ + public boolean isSelfTestCriticalAtStartup(String instanceName) + throws EMissingSelfTestException; + + /** + * Execute all self tests specified to be run at server startup. + *

+ * + * @exception EMissingSelfTestException subsystem has missing name + * @exception ESelfTestException self test exception + */ + public void runSelfTestsAtStartup() + throws EMissingSelfTestException, ESelfTestException; + + // + // methods associated with the list of self test instances + // + + /** + * Retrieve an individual self test from the instances list + * given its instance name. + *

+ * + * @param instanceName instance name of self test + * @return individual self test + */ + public ISelfTest getSelfTest(String instanceName); + + // + // methods associated with multiple self test lists + // + + /** + * Returns the ILogEventListener of this subsystem. + * This method may return null. + *

+ * + * @return ILogEventListener of this subsystem + */ + public ILogEventListener getSelfTestLogger(); + + /** + * This method represents the log interface for the self test subsystem. + *

+ * + * @param logger log event listener + * @param msg self test log message + */ + public void log(ILogEventListener logger, String msg); + + /** + * Register an individual self test on the instances list AND + * on the "on demand" list (note that the specified self test + * will be appended to the end of each list). + *

+ * + * @param instanceName instance name of self test + * @param isCritical isCritical is either a critical failure (true) or + * a non-critical failure (false) + * @param instance individual self test + * @exception EDuplicateSelfTestException subsystem has duplicate name + * @exception EInvalidSelfTestException subsystem has invalid name/value + * @exception EMissingSelfTestException subsystem has missing name/value + */ + // public void registerSelfTestOnDemand( String instanceName, + // boolean isCritical, + // ISelfTest instance ) + // throws EDuplicateSelfTestException, + // EInvalidSelfTestException, + // EMissingSelfTestException; + + /** + * Deregister an individual self test on the instances list AND + * on the "on demand" list (note that the specified self test + * will be removed from each list). + *

+ * + * @param instanceName instance name of self test + * @exception EMissingSelfTestException subsystem has missing name + */ + // public void deregisterSelfTestOnDemand( String instanceName ) + // throws EMissingSelfTestException; + + /** + * Register an individual self test on the instances list AND + * on the "startup" list (note that the specified self test + * will be appended to the end of each list). + *

+ * + * @param instanceName instance name of self test + * @param isCritical isCritical is either a critical failure (true) or + * a non-critical failure (false) + * @param instance individual self test + * @exception EDuplicateSelfTestException subsystem has duplicate name + * @exception EInvalidSelfTestException subsystem has invalid name/value + * @exception EMissingSelfTestException subsystem has missing name/value + */ + // public void registerSelfTestAtStartup( String instanceName, + // boolean isCritical, + // ISelfTest instance ) + // throws EDuplicateSelfTestException, + // EInvalidSelfTestException, + // EMissingSelfTestException; + + /** + * Deregister an individual self test on the instances list AND + * on the "startup" list (note that the specified self test + * will be removed from each list). + *

+ * + * @param instanceName instance name of self test + * @exception EMissingSelfTestException subsystem has missing name + */ + // public void deregisterSelfTestAtStartup( String instanceName ) + // throws EMissingSelfTestException; + + //////////////////////////////////// + // ISubsystem methods (inherited) // + //////////////////////////////////// + + /* Note that all of the following ISubsystem methods + * are inherited from the ISubsystem class: + * + * public String getId(); + * + * public void setId( String id ) + * throws EBaseException; + * + * public void init( ISubsystem owner, IConfigStore config ) + * throws EBaseException; + * + * public void startup() + * throws EBaseException; + * + * public void shutdown(); + * + * public IConfigStore getConfigStore(); + */ +} diff --git a/base/common/src/com/netscape/certsrv/selftests/SelfTestResources.java b/base/common/src/com/netscape/certsrv/selftests/SelfTestResources.java new file mode 100644 index 000000000..c7c4d372d --- /dev/null +++ b/base/common/src/com/netscape/certsrv/selftests/SelfTestResources.java 
@@ -0,0 +1,39 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.selftests; + +import java.util.ListResourceBundle; + +/** + * A class represents a resource bundle for Self Tests. + *

+ * + * @version $Revision$, $Date$ + */ +public class SelfTestResources extends ListResourceBundle { + + /** + * Returns the content of this resource. + */ + public Object[][] getContents() { + return contents; + } + + static final Object[][] contents = { + }; +} diff --git a/base/common/src/com/netscape/certsrv/template/ArgList.java b/base/common/src/com/netscape/certsrv/template/ArgList.java new file mode 100644 index 000000000..586bf7663 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/template/ArgList.java @@ -0,0 +1,68 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.template; + +import java.util.Vector; + +/** + * This class represents a list of arguments + * that will be returned to the end-user via + * the template framework. + *
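Review bot: `getContents()` overrides `ListResourceBundle.getContents()` but carries no `@Override`, and the backing array `contents` is package-visible and mutable, so any class in the package can alter the bundle after it is built. Suggest `@Override public Object[][] getContents()` and `private static final Object[][] contents = {};`. The bundle is empty as committed, so lookups against it resolve nothing on their own — presumably a placeholder, but a one-line comment saying so would spare the next reader the question.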

+ * + * @version $Revision$, $Date$ + */ +public class ArgList implements IArgValue { + + private Vector mList = new Vector(); + + /** + * Constructs a argument list object. + */ + public ArgList() { + } + + /** + * Adds an argument to the list. + * + * @param arg argument to be added + */ + public void add(IArgValue arg) { + mList.addElement(arg); + } + + /** + * Returns the number of arguments in the list. + * + * @return size of the list + */ + public int size() { + return mList.size(); + } + + /** + * Returns the argument at the given position + * Position starts from 0. + * + * @param pos position + * @return argument + */ + public IArgValue get(int pos) { + return (IArgValue) mList.elementAt(pos); + } +} diff --git a/base/common/src/com/netscape/certsrv/template/ArgSet.java b/base/common/src/com/netscape/certsrv/template/ArgSet.java new file mode 100644 index 000000000..333a51e50 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/template/ArgSet.java 
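Review bot: `mList` is a raw `Vector`, which is what forces the unchecked cast in `get(int)` and lets any `Object` in through future edits; declaring it `private final Vector<IArgValue> mList = new Vector<IArgValue>();` removes the cast (`return mList.elementAt(pos);`) and fixes the field reference. The Javadoc for `get` should also state that an out-of-range `pos` propagates `ArrayIndexOutOfBoundsException` from `Vector.elementAt`, since callers iterating by index are the likely users.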
@@ -0,0 +1,74 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.template; + +import java.util.Enumeration; +import java.util.Hashtable; + +/** + * This class represents a set of arguments. + * Unlike ArgList, this set of arguments is + * not ordered. + *

+ * Each argument in the set is tagged with a name (key). + *

+ * + * @version $Revision$, $Date$ + */ +public class ArgSet implements IArgValue { + private Hashtable mArgs = new Hashtable(); + + /** + * Returns a list of argument names. + * + * @return list of argument names + */ + public Enumeration getNames() { + return mArgs.keys(); + } + + /** + * Sets string argument into the set with the given name. + * + * @param name argument name + * @param arg argument in string + */ + public void set(String name, String arg) { + mArgs.put(name, new ArgString(arg)); + } + + /** + * Sets argument into the set with the given name. + * + * @param name argument name + * @param arg argument value + */ + public void set(String name, IArgValue arg) { + mArgs.put(name, arg); + } + + /** + * Retrieves argument from the set. + * + * @param name argument name + * @return argument value + */ + public IArgValue get(String name) { + return (IArgValue) mArgs.get(name); + } +} diff --git a/base/common/src/com/netscape/certsrv/template/ArgString.java b/base/common/src/com/netscape/certsrv/template/ArgString.java new file mode 100644 index 000000000..4fb982eb6 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/template/ArgString.java 
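Review bot: `mArgs` is a raw `Hashtable`, so `get` needs an unchecked cast and nothing stops a non-`IArgValue` value from being stored; `private final Hashtable<String, IArgValue> mArgs = new Hashtable<String, IArgValue>();` removes the cast, and `getNames` should then return `Enumeration<String>`. `Hashtable` also rejects null keys and values, so a null `name` on either `set` overload, or a null `arg` on the `IArgValue` overload, throws `NullPointerException` from `put` — worth stating with `@throws NullPointerException if name (or arg) is null` (the `String` overload wraps a null `arg` in an `ArgString`, so only `name` matters there).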
@@ -0,0 +1,45 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.template;
+
+/**
+ * This class represents a string-based argument.
+ *
+ * @version $Revision$, $Date$
+ */
+public class ArgString implements IArgValue {
+ private String mValue = null;
+
+ /**
+ * Constructs a string-based argument value.
+ *
+ * @param value argument value
+ */
+ public ArgString(String value) {
+ mValue = value;
+ }
+
+ /**
+ * Returns the argument value.
+ *
+ * @return argument value
+ */
+ public String getValue() {
+ return mValue;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/template/IArgValue.java b/base/common/src/com/netscape/certsrv/template/IArgValue.java
new file mode 100644
index 000000000..e820ce69f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/template/IArgValue.java
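Review bot: `mValue` is assigned exactly once, in the constructor, and never modified afterwards, so it should be `private final String mValue;` — the `= null` initializer is redundant and `final` makes explicit the immutability the class name implies. The `getValue` Javadoc could add that a null `value` passed to the constructor is stored and returned as-is, since nothing in the class rejects it.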
@@ -0,0 +1,28 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.template;
+
+/**
+ * This interface presents a generic argument value.
+ * Argument value can be in string, in a list, or
+ * in a set.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IArgValue {
+}
diff --git a/base/common/src/com/netscape/certsrv/tks/ITKSAuthority.java b/base/common/src/com/netscape/certsrv/tks/ITKSAuthority.java
new file mode 100644
index 000000000..0a045a6fb
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/tks/ITKSAuthority.java
@@ -0,0 +1,56 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.tks; + +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.request.IRequestQueue; + +/** + * An interface represents a Registration Authority that is + * responsible for certificate enrollment operations. + *

+ * + * @version $Revision$, $Date$ + */ +public interface ITKSAuthority extends ISubsystem { + public static final String ID = "tks"; + + public static final String PROP_POLICY = "Policy"; + public static final String PROP_REGISTRATION = "Registration"; + public static final String PROP_GATEWAY = "gateway"; + public static final String PROP_NICKNAME = "certNickname"; + //public final static String PROP_PUBLISH_SUBSTORE = "publish"; + //public final static String PROP_LDAP_PUBLISH_SUBSTORE = "ldappublish"; + public final static String PROP_CONNECTOR = "connector"; + public final static String PROP_NEW_NICKNAME = "newNickname"; + + /** + * Retrieves the request queue of this registration authority. + * + * @return RA's request queue + */ + public IRequestQueue getRequestQueue(); + + /** + * Returns the nickname of the RA certificate. + * + * @return the nickname of the RA certificate + */ + public String getNickname(); + +} diff --git a/base/common/src/com/netscape/certsrv/usrgrp/Certificates.java b/base/common/src/com/netscape/certsrv/usrgrp/Certificates.java new file mode 100644 index 000000000..fdfa3cd38 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/usrgrp/Certificates.java 
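Review bot: The class Javadoc and both method comments describe a "Registration Authority" (`RA's request queue`, `nickname of the RA certificate`), but this interface is the TKS authority (`ID = "tks"`), so the documentation appears to have been copied from the RA interface and should say what the TKS request queue and certificate nickname are used for. The two commented-out `PROP_PUBLISH_SUBSTORE` / `PROP_LDAP_PUBLISH_SUBSTORE` constants should be deleted rather than kept as dead text. Modifier order is also mixed (`public static final` on the first four constants, `public final static` on the last two) — `public static final` throughout is the conventional form.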
@@ -0,0 +1,49 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.usrgrp;
+
+import java.security.cert.X509Certificate;
+
+/**
+ * This class defines the strong authentication basic elements,
+ * the X509 certificates.
+ *
+ * @version $Revision$, $Date$
+ */
+public class Certificates {
+
+ private X509Certificate mCerts[] = null;
+
+ /**
+ * Constructs strong authenticator.
+ *
+ * @param certs a list of X509Certificates
+ */
+ public Certificates(X509Certificate certs[]) {
+ mCerts = certs;
+ }
+
+ /**
+ * Retrieves certificates.
+ *
+ * @return a list of X509Certificates
+ */
+ public X509Certificate[] getCertificates() {
+ return mCerts;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/usrgrp/EUsrGrpException.java b/base/common/src/com/netscape/certsrv/usrgrp/EUsrGrpException.java
new file mode 100644
index 000000000..a25a1a6b3
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/usrgrp/EUsrGrpException.java
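Review bot: Both the constructor and `getCertificates()` share the caller's array by reference, so anyone who still holds the array passed in — or obtains it from `getCertificates()` — can replace or null out the certificates that an authentication decision is later made on. Since the class is described as the basic element of strong authentication, copy on the way in and out: `mCerts = (certs == null) ? null : certs.clone();` in the constructor and `return (mCerts == null) ? null : mCerts.clone();` in the getter, and declare the field `private final X509Certificate[] mCerts;`. The Javadoc should also say whether a null array is permitted, since the current code accepts one silently and the getter then returns null.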
@@ -0,0 +1,87 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.usrgrp; + +import com.netscape.certsrv.base.EBaseException; + +/** + * A class represents a Identity exception. + *

+ * + * @version $Revision$, $Date$ + */ +public class EUsrGrpException extends EBaseException { + + /** + * + */ + private static final long serialVersionUID = 5549165292376270875L; + /** + * Identity resource class name. + */ + private static final String USRGRP_RESOURCES = UsrGrpResources.class.getName(); + + /** + * Constructs a usr/grp management exception + * + * @param msgFormat exception details in message string format + *

+ */ + public EUsrGrpException(String msgFormat) { + super(msgFormat); + } + + /** + * Constructs a Identity exception. + * + * @param msgFormat exception details in message string format + * @param param message string parameter + *

+ */ + public EUsrGrpException(String msgFormat, String param) { + super(msgFormat, param); + } + + /** + * Constructs a Identity exception. + * + * @param e system exception + *

+ */ + public EUsrGrpException(String msgFormat, Exception e) { + super(msgFormat, e); + } + + /** + * Constructs a Identity exception. + * + * @param msgFormat exception details in message string format + * @param params list of message format parameters + *

+ */ + public EUsrGrpException(String msgFormat, Object params[]) { + super(msgFormat, params); + } + + /** + * Retrieves bundle name. + */ + protected String getBundleName() { + return USRGRP_RESOURCES; + } +} diff --git a/base/common/src/com/netscape/certsrv/usrgrp/ICertUserLocator.java b/base/common/src/com/netscape/certsrv/usrgrp/ICertUserLocator.java new file mode 100644 index 000000000..dbbd068c4 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/usrgrp/ICertUserLocator.java 
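Review bot: The `EUsrGrpException(String msgFormat, Exception e)` Javadoc lists only `@param e` and omits `@param msgFormat exception details in message string format`, and the `serialVersionUID` field carries an empty `/** */` block that should either say what it is for or be dropped. The constructor summaries also alternate between "usr/grp management exception" and "a Identity exception"; one wording such as `Constructs a user/group exception.` throughout would read better. `getBundleName` has no `@return`; if it overrides a method of `EBaseException`, which the body suggests but the hunk does not show, it should carry `@Override`.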
@@ -0,0 +1,49 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.usrgrp; + +import netscape.ldap.LDAPException; + +import com.netscape.certsrv.ldap.ELdapException; + +/** + * This interface defines a certificate mapping strategy to locate + * a user + * + * @version $Revision$, $Date$ + */ +public interface ICertUserLocator { + + /** + * Returns a user whose certificates match with the given certificates + * + * @return an user interface + * @exception EUsrGrpException thrown when failed to build user + * @exception LDAPException thrown when LDAP internal database is not available + * @exception ELdapException thrown when the LDAP search failed + */ + public IUser locateUser(Certificates certs) throws + EUsrGrpException, LDAPException, ELdapException; + + /** + * Retrieves description. + * + * @return description + */ + public String getDescription(); +} diff --git a/base/common/src/com/netscape/certsrv/usrgrp/IGroup.java b/base/common/src/com/netscape/certsrv/usrgrp/IGroup.java new file mode 100644 index 000000000..522d0fc89 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/usrgrp/IGroup.java 
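Review bot: `locateUser` documents its three exceptions but not its only parameter; add `@param certs the certificates presented by the client` and state what the method returns when no user matches (null versus an exception), since callers deciding an authentication outcome need to know which case they are handling. The `throws` keyword is left dangling at the end of the signature line with the exception list on the next; keeping `throws EUsrGrpException, LDAPException, ELdapException` together on the continuation line matches the rest of the package.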
@@ -0,0 +1,74 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.usrgrp; + +import java.util.Enumeration; + +import com.netscape.certsrv.base.IAttrSet; + +/** + * This interface defines the basic interfaces for + * an identity group. (get/set methods for a group entry attributes) + * + * @version $Revision$, $Date$ + */ +public interface IGroup extends IAttrSet, IGroupConstants { + + /** + * Retrieves the group name. + * + * @return the group name + */ + public String getName(); + + /** + * Retrieves group identifier. + * + * @return the group id + */ + public String getGroupID(); + + /** + * Retrieves group description. + * + * @return description + */ + public String getDescription(); + + /** + * Checks if the given name is member of this group. + * + * @param name the given name + * @return true if the given name is the member of this group; otherwise false. + */ + public boolean isMember(String name); + + /** + * Adds new member. + * + * @param name the given name. + */ + public void addMemberName(String name); + + /** + * Retrieves a list of member names. + * + * @return a list of member names for this group. + */ + public Enumeration getMemberNames(); +} 
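Review bot: `getMemberNames()` returns a raw `Enumeration`, which forces every caller to cast and hides the element type; declare it `public Enumeration<String> getMemberNames();` to match `addMemberName(String)` and `isMember(String)`. The `isMember` Javadoc should also say whether the name comparison is exact or case-insensitive — group membership feeds authorization decisions and implementations of this interface could reasonably differ, and the hunk does not show which is intended.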
diff --git a/base/common/src/com/netscape/certsrv/usrgrp/IGroupConstants.java b/base/common/src/com/netscape/certsrv/usrgrp/IGroupConstants.java
new file mode 100644
index 000000000..22d89455c
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/usrgrp/IGroupConstants.java
@@ -0,0 +1,46 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.usrgrp;
+
+/**
+ * This interface defines the attribute names for a group entry
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IGroupConstants {
+
+ /**
+ * Contant for groupName
+ */
+ public static final String ATTR_NAME = "groupName";
+
+ /**
+ * Constant for dn
+ */
+ public static final String ATTR_ID = "dn";
+
+ /**
+ * Constant for description
+ */
+ public static final String ATTR_DESCRIPTION = "description";
+
+ /**
+ * Constant for uniquemember
+ */
+ public static final String ATTR_MEMBERS = "uniquemember";
+}
diff --git a/base/common/src/com/netscape/certsrv/usrgrp/IIdEvaluator.java b/base/common/src/com/netscape/certsrv/usrgrp/IIdEvaluator.java
new file mode 100644
index 000000000..41209b4b9
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/usrgrp/IIdEvaluator.java
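Review bot: The Javadoc on `ATTR_NAME` reads `Contant for groupName` — a typo for `Constant for groupName`. More broadly this is a constant interface that `IGroup` extends purely to inherit the attribute names, which leaks them into the public API of every implementor; a final class with a private constructor, or declaring the constants on `IGroup` itself, avoids that.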
@@ -0,0 +1,39 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.usrgrp; + +/** + * A class represents an ID evaluator. + *

+ * + * @version $Revision$, $Date$ + */ +public interface IIdEvaluator { + + /** + * Evaluates if the given value satisfies the ID evaluation: + * is a user a member of a group + * + * @param type the type of evaluator, in this case, it is group + * @param id the user id for the given user + * @param op operator, only "=" and "!=" are supported + * @param value the name of the group, eg, "Certificate Manager Agents" + * @return true if the given user is a member of the group + */ + public boolean evaluate(String type, IUser id, String op, String value); +} diff --git a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java new file mode 100644 index 000000000..282d672f1 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java 
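Review bot: The `evaluate` Javadoc says only `"="` and `"!="` are supported for `op`, but it does not say what an implementation must do with any other operator, which matters because the result is presumably consumed by access-control checks — an implementation that returns true for an operator it does not recognise would grant a membership it never verified. Specify the contract so implementations fail closed, e.g. `@return true if the given user is a member of the group; false for any unsupported op` or alternatively `@throws IllegalArgumentException if op is not "=" or "!="`. The parameter `id` is documented as "the user id for the given user" but typed `IUser`; `@param id the user being evaluated` would match the signature.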
@@ -0,0 +1,260 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.usrgrp; + +import java.security.cert.X509Certificate; +import java.util.Enumeration; + +import netscape.ldap.LDAPException; + +import com.netscape.certsrv.base.ISubsystem; + +/** + * This class defines low-level LDAP usr/grp management + * usr/grp information is located remotely on another + * LDAP server. + * + * @version $Revision$, $Date$ + */ +public interface IUGSubsystem extends ISubsystem, IUsrGrp { + + /** + * Constant for ID + */ + public static final String ID = "usrgrp"; + + /** + * Constant for super administrators + */ + public static final String SUPER_CERT_ADMINS = "Administrators"; + + /** + * Retrieves a user from LDAP + * + * @param userid the given user id + * @exception EUsrGrpException thrown when failed to find the user + */ + public IUser getUser(String userid) throws EUsrGrpException; + + /** + * Searches for users that matches the filter. 
+ * + * @param filter search filter for efficiency + * @return list of users + * @exception EUsrGrpException thrown when any internal error occurs + */ + public Enumeration listUsers(String filter) throws EUsrGrpException; + + /** + * Adds the given user to the internal database + * + * @param identity the given user + * @exception EUsrGrpException thrown when failed to add user to the group + * @exception LDAPException thrown when the LDAP internal database is not available + */ + public void addUser(IUser identity) throws EUsrGrpException, LDAPException; + + /** + * Adds a user certificate to user + * + * @param identity user interface + * @exception EUsrGrpException thrown when failed to add the user certificate to the given user + * @exception LDAPException thrown when the LDAP internal database is not available + */ + public void addUserCert(IUser identity) throws EUsrGrpException, + LDAPException; + + /** + * Add a certSubjectDN field to the user + * @param identity + * @throws EUsrGrpException + * @throws LDAPException + */ + public void addCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException; + + /** + * Removes a user certificate for a user entry + * given a user certificate DN (actually, a combination of version, + * serialNumber, issuerDN, and SubjectDN), and it gets removed + * + * @param identity the given user whose user certificate is going to be + * be removed. + * @exception EUsrGrpException thrown when failed to remove user certificate + */ + public void removeUserCert(IUser identity) throws EUsrGrpException; + + /** + * Removes identity. + * + * @param userid the given user id + * @exception EUsrGrpException thrown when failed to remove user + */ + public void removeUser(String userid) throws EUsrGrpException; + + /** + * Modifies user attributes. 
Certs are handled separately + * + * @param identity the given identity which contains all the user + * attributes being modified + * @exception EUsrGrpException thrown when modification failed + */ + public void modifyUser(IUser identity) throws EUsrGrpException; + + /** + * Finds groups that match the filter. + * + * @param filter the search filter + * @return a list of groups that match the given search filter + */ + public Enumeration findGroups(String filter); + + /** + * Find a group for the given name + * + * @param name the given name + * @return a group that matched the given name + */ + public IGroup findGroup(String name); + + /** + * List groups. This method is more efficient than findGroups because + * this method retrieves group names and description only. Each + * retrieved group just contains group name and description. + * + * @param filter the search filter + * @return a list of groups, each group just contains group name and + * its description. + * @exception EUsrGrpException thrown when failed to list groups + */ + public Enumeration listGroups(String filter) throws EUsrGrpException; + + /** + * Retrieves a group from LDAP for the given group name + * + * @param name the given group name + * @return a group interface + */ + public IGroup getGroupFromName(String name); + + /** + * Retrieves a group from LDAP for the given DN. + * + * @param DN the given DN + * @return a group interface for the given DN. + */ + public IGroup getGroup(String DN); + + /** + * Checks if the given group exists. + * + * @param name the given group name + * @return true if the given group exists in the internal database; otherwise false. 
+ */ + public boolean isGroupPresent(String name); + + /** + * Checks if the given context is a member of the given group + * + * @param uid the given user id + * @param name the given group name + * @return true if the user with the given user id is a member of the given + * group + */ + public boolean isMemberOf(String uid, String name); + + public boolean isMemberOf(IUser id, String name); + + /** + * Adds a group of identities. + * + * @param group the given group + * @exception EUsrGrpException thrown when failed to add group. + */ + public void addGroup(IGroup group) throws EUsrGrpException; + + /** + * Removes a group. Can't remove SUPER_CERT_ADMINS + * + * @param name the given group name + * @exception EUsrGrpException thrown when the given group failed to remove + */ + public void removeGroup(String name) throws EUsrGrpException; + + /** + * Modifies a group. + * + * @param group the given group which contain all group attributes being + * modified. + * @exception EUsrGrpException thrown when failed to modify group. + */ + public void modifyGroup(IGroup group) throws EUsrGrpException; + + /** + * Removes the user with the given id from the given group + * + * @param grp the given group + * @param userid the given user id + * @exception EUsrGrpException thrown when failed to remove the user from + * the given group + */ + public void removeUserFromGroup(IGroup grp, String userid) + throws EUsrGrpException; + + /** + * Create user with the given id. + * + * @param id the user with the given id. + * @return a new user + */ + public IUser createUser(String id); + + /** + * Create group with the given id. + * + * @param id the group with the given id. 
+ * @return a new group + */ + public IGroup createGroup(String id); + + /** + * Get string representation of the given certificate + * + * @param cert given certificate + * @return the string representation of the given certificate + */ + public String getCertificateString(X509Certificate cert); + + /** + * Searchs for identities that matches the certificate locater + * generated filter. + * + * @param filter search filter + * @return an user + * @exception EUsrGrpException thrown when failed to find user + * @exception LDAPException thrown when the internal database is not available + */ + public IUser findUsersByCert(String filter) throws + EUsrGrpException, LDAPException; + + /** + * Get user locator which does the mapping between the user and the certificate. + * + * @return CertUserLocator + */ + public ICertUserLocator getCertUserLocator(); +} diff --git a/base/common/src/com/netscape/certsrv/usrgrp/IUser.java b/base/common/src/com/netscape/certsrv/usrgrp/IUser.java new file mode 100644 index 000000000..9370a6718 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/usrgrp/IUser.java 
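Review bot: `isMemberOf(IUser id, String name)` is the only method in the interface without Javadoc, and `getUser` has no `@return` tag; suggested `Checks if the given user is a member of the given group.` with `@param id the given user`, `@param name the given group name` and `@return true if the user is a member of the group` for the former, and `@return the user with the given id` for the latter. The filter-taking methods (`listUsers`, `findGroups`, `listGroups`, `findUsersByCert`) should also state whether the `filter` argument is handed to the LDAP search verbatim, because implementations and callers have to agree on who escapes filter metacharacters when the value is derived from request input; I cannot see the implementation from this hunk, so the exact wording needs confirming against it.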
@@ -0,0 +1,171 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.usrgrp; + +import java.security.cert.X509Certificate; + +import com.netscape.certsrv.base.IAttrSet; + +/** + * This interface defines the basic interfaces for + * a user identity. (get/set methods for a user entry attributes) + * + * @version $Revision$, $Date$ + */ +public interface IUser extends IAttrSet, IUserConstants { + + /** + * Retrieves name. + * + * @return user name + */ + public String getName(); + + /** + * Retrieves user identifier. + * + * @return user id + */ + public String getUserID(); + + /** + * Retrieves user full name. + * + * @return user fullname + */ + public String getFullName(); + + /** + * Retrieves user phonenumber. + * + * @return user phonenumber + */ + public String getPhone(); + + /** + * Retrieves user state + * + * @return user state + */ + public String getState(); + + /** + * Sets user full name. + * + * @param name the given full name + */ + public void setFullName(String name); + + /** + * Sets user ldap DN. 
+ * + * @param userdn the given user DN + */ + public void setUserDN(String userdn); + + /** + * Gets user ldap dn + * + * @return user DN + */ + public String getUserDN(); + + /** + * Retrieves user password. + * + * @return user password + */ + public String getPassword(); + + /** + * Sets user password. + * + * @param p the given password + */ + public void setPassword(String p); + + /** + * Sets user phonenumber + * + * @param p user phonenumber + */ + public void setPhone(String p); + + /** + * Sets user state + * + * @param p the given user state + */ + public void setState(String p); + + /** + * Sets user type + * + * @param userType the given user type + */ + public void setUserType(String userType); + + /** + * Gets user email address. + * + * @return email address + */ + public String getEmail(); + + /** + * Sets user email address. + * + * @param email the given email address + */ + public void setEmail(String email); + + /** + * Gets list of certificates from this user + * + * @return list of certificates + */ + public X509Certificate[] getX509Certificates(); + + /** + * Sets list of certificates in this user + * + * @param certs list of certificates + */ + public void setX509Certificates(X509Certificate certs[]); + + /** + * Get certificate DN + * + * @return certificate DN + */ + public String getCertDN(); + + /** + * Set certificate DN + * + * @param userdn the given DN + */ + public void setCertDN(String userdn); + + /** + * Get user type + * + * @return user type. + */ + public String getUserType(); +} diff --git a/base/common/src/com/netscape/certsrv/usrgrp/IUserConstants.java b/base/common/src/com/netscape/certsrv/usrgrp/IUserConstants.java new file mode 100644 index 000000000..f66f01c73 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/usrgrp/IUserConstants.java 
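Review bot: `setX509Certificates(X509Certificate certs[])` uses C-style array syntax; `X509Certificate[] certs` is the conventional form and matches the `X509Certificate[]` return type of `getX509Certificates` declared just above it. `setCertDN(String userdn)` reuses the parameter name from `setUserDN` although its Javadoc says the value is a certificate DN, not the user's LDAP DN; `setCertDN(String certdn)` with `@param certdn the given certificate DN` would be clearer. Both are interface declarations, so the parameter rename does not affect callers.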
@@ -0,0 +1,66 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.usrgrp;
+
+/**
+ * This interface defines the attribute names for a user entry
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IUserConstants {
+
+ /**
+ * Constant for userScope
+ */
+ public static final String ATTR_SCOPE = "userScope";
+
+ /**
+ * Constant for userName
+ */
+ public static final String ATTR_NAME = "userName";
+
+ /**
+ * Constant for userId
+ */
+ public static final String ATTR_ID = "userId";
+
+ /**
+ * Constant for userFullName
+ */
+ public static final String ATTR_FULLNAME = "userFullName";
+
+ /**
+ * Constant for userPassword
+ */
+ public static final String ATTR_PASSWORD = "userPassword";
+
+ /**
+ * Constant for userState
+ */
+ public static final String ATTR_STATE = "userstate";
+
+ /**
+ * Constant for userEmail
+ */
+ public static final String ATTR_EMAIL = "userEmail";
+
+ /**
+ * Constant for usertype
+ */
+ public static final String ATTR_USERTYPE = "usertype";
+}
diff --git a/base/common/src/com/netscape/certsrv/usrgrp/IUsrGrp.java b/base/common/src/com/netscape/certsrv/usrgrp/IUsrGrp.java
new file mode 100644
index 000000000..f6cef0d46
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/usrgrp/IUsrGrp.java 
@@ -0,0 +1,117 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.usrgrp; + +import netscape.ldap.LDAPException; + +/** + * This interface defines the basic capabilities of + * a usr/group manager. (get/add/modify/remove users or groups) + * + * @version $Revision$, $Date$ + */ +public interface IUsrGrp extends IIdEvaluator { + + /** + * Retrieves usr/grp manager identifier. + * + * @return id + */ + public String getId(); + + /** + * Retrieves the description + * + * @return description + */ + public String getDescription(); + + /** + * Retrieves an identity + * + * @param userid the user id for the given user + * @return user interface + */ + public IUser getUser(String userid) throws EUsrGrpException; + + /** + * Adds a user identity to the LDAP server. 
For example, + * User user = new User("joe"); + * user.setFullName("joe doe"); + * user.setPassword("secret"); + * usrgrp.addUser(user); + * + * + * @param user an user interface + * @exception EUsrGrpException thrown when some of the user attribute values + * are null + * @exception LDAPException thrown when the LDAP internal database is not + * available, or the add operation failed + */ + public void addUser(IUser user) throws EUsrGrpException, LDAPException; + + /** + * Removes a user. + * + * @param userid the user id for the given user + * @exception EUsrGrpException thrown when failed to remove user + */ + public void removeUser(String userid) throws EUsrGrpException; + + /** + * Modifies user. + * + * @param user the user interface which contains the modified information + * @exception EUsrGrpException thrown when failed to modify user + */ + public void modifyUser(IUser user) throws EUsrGrpException; + + /** + * Retrieves an identity group + * + * @param groupid the given group id. + * @return the group interface + */ + public IGroup getGroup(String groupid); + + /** + * Adds a group + * + * @param group the given group + * @exception EUsrGrpException thrown when failed to add the group. + */ + public void addGroup(IGroup group) throws EUsrGrpException; + + /** + * Modifies a group + * + * @param group the given group contains the new information for modification. + * @exception EUsrGrpException thrown when failed to modify the group. + */ + public void modifyGroup(IGroup group) throws EUsrGrpException; + + /** + * Removes a group + * + * @param name the group name + * @exception EUsrGrpException thrown when failed to remove the given + * group. + */ + public void removeGroup(String name) throws EUsrGrpException; + +} diff --git a/base/common/src/com/netscape/certsrv/usrgrp/UsrGrpResources.java b/base/common/src/com/netscape/certsrv/usrgrp/UsrGrpResources.java new file mode 100644 index 000000000..11a3da23b --- /dev/null 
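Review bot: `getGroup(String groupid)` is documented here as taking `the given group id.`, while `IUGSubsystem`, which extends this interface and redeclares the same method, documents its parameter as `DN the given DN`; both cannot be right for one method, so the redeclaration should say which form the argument takes (I cannot tell from these hunks which one is correct). `getUser` declares `throws EUsrGrpException` without an `@exception` tag; `@exception EUsrGrpException thrown when the user cannot be found` would match the style of the surrounding methods.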
+++ b/base/common/src/com/netscape/certsrv/usrgrp/UsrGrpResources.java @@ -0,0 +1,46 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.usrgrp; + +import java.util.ListResourceBundle; + +/** + * A class represents a resource bundle for the + * user/group manager + * + * @deprecated + * @version $Revision$, $Date$ + */ +public class UsrGrpResources extends ListResourceBundle { + + /** + * Returns the content of this resource. + * + * @return the content of this resource. + */ + public Object[][] getContents() { + return contents; + } + + /** + * Constants. The suffix represents the number of + * possible parameters. + */ + + static final Object[][] contents = {}; +} diff --git a/base/common/src/com/netscape/certsrv/util/HttpInput.java b/base/common/src/com/netscape/certsrv/util/HttpInput.java new file mode 100644 index 000000000..7e7fe7c4a --- /dev/null +++ b/base/common/src/com/netscape/certsrv/util/HttpInput.java 
@@ -0,0 +1,258 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.util; + +import java.io.IOException; +import java.net.URL; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import javax.servlet.http.HttpServletRequest; + +import netscape.ldap.LDAPDN; + +public class HttpInput { + public static int getPortNumberInInt(HttpServletRequest request, String name) + throws IOException { + String val = request.getParameter(name); + int p = Integer.parseInt(val); + return p; + } + + public static String getBoolean(HttpServletRequest request, String name) + throws IOException { + String val = request.getParameter(name); + if (val.equals("true") || val.equals("false")) { + return val; + } + throw new IOException("Invalid boolean value '" + val + "'"); + } + + public static String getCheckbox(HttpServletRequest request, String name) + throws IOException { + String val = request.getParameter(name); + if (val == null || val.equals("")) { + return "off"; + } else if (val.equals("on") || val.equals("off")) { + return val; + } + throw new IOException("Invalid checkbox value '" + val + "'"); + } + + public static String getInteger(HttpServletRequest request, String name) + throws IOException { + 
String val = request.getParameter(name); + int p = 0; + try { + p = Integer.parseInt(val); + } catch (NumberFormatException e) { + throw new IOException("Input '" + val + "' is not an integer"); + } + + if (!val.equals(Integer.toString(p))) { + throw new IOException("Input '" + val + "' is not an integer"); + } + return val; + } + + public static String getInteger(HttpServletRequest request, String name, + int min, int max) throws IOException { + String val = getInteger(request, name); + int p = Integer.parseInt(val); + if (p < min || p > max) { + throw new IOException("Input '" + val + "' is out of range"); + } + return val; + } + + public static String getPortNumber(HttpServletRequest request, String name) + throws IOException { + String v = getInteger(request, name); + return v; + } + + public static String getString(HttpServletRequest request, String name) { + String val = request.getParameter(name); + return val; + } + + public static String getString(HttpServletRequest request, String name, + int minlen, int maxlen) throws IOException { + String val = request.getParameter(name); + if (val.length() < minlen || val.length() > maxlen) { + throw new IOException("String length of '" + val + + "' is out of range"); + } + return val; + } + + public static String getLdapDatabase(HttpServletRequest request, String name) { + return getString(request, name); + } + + public static String getURL(HttpServletRequest request, String name) + throws IOException { + String v = getString(request, name); + try { + new URL(v); // throw exception on error + } catch (Exception e) { + throw new IOException("Invalid URL " + v); + } + return v; + } + + public static String getUID(HttpServletRequest request, String name) { + return getString(request, name); + } + + public static String getPassword(HttpServletRequest request, String name) { + return getString(request, name); + } + + public static String getKeyType(HttpServletRequest request, String name) + throws IOException { + String v 
= getString(request, name); + if (v.equals("rsa")) { + return v; + } + if (v.equals("ecc")) { + return v; + } + throw new IOException("Invalid key type '" + v + "' not supported."); + } + + public static String getKeySize(HttpServletRequest request, String name) + throws IOException { + String i = getInteger(request, name); + if (i.equals("256") || i.equals("512") || i.equals("1024") || + i.equals("2048") || i.equals("4096")) { + return i; + } + throw new IOException("Invalid key length '" + + i + "'. Currently supported key lengths are 256, 512, 1024, 2048, 4096."); + } + + public static String getKeySize(HttpServletRequest request, String name, String keyType) + throws IOException { + String i = getInteger(request, name); + if (keyType.equals("rsa")) { + if (i.equals("256") || i.equals("512") || i.equals("1024") || + i.equals("2048") || i.equals("4096")) { + return i; + } else { + throw new IOException("Invalid key length '" + + i + "'. Currently supported RSA key lengths are 256, 512, 1024, 2048, 4096."); + } + } + if (keyType.equals("ecc")) { + int p = 0; + try { + p = Integer.parseInt(i); + } catch (NumberFormatException e) { + throw new IOException("Input '" + i + "' is not an integer"); + } + if ((p >= 112) && (p <= 571)) + return i; + else { + throw new IOException( + "Invalid key length '" + i + + "'. Please consult your security officer for a proper length, or take the default value. Here are examples of some commonly used key lengths: 256, 384, 521."); + } + /* + + if (i.equals("256") || i.equals("384") || i.equals("521")) { + return i; + } else { + throw new IOException("Invalid key length '" + i + "'. 
Currently supported ECC key lengths are 256, 384, 521."); + } + */ + } + throw new IOException("Invalid key type '" + keyType + "'"); + } + + public static String getDN(HttpServletRequest request, String name) + throws IOException { + String v = getString(request, name); + String dn[] = LDAPDN.explodeDN(v, true); + if (dn == null || dn.length <= 0) { + throw new IOException("Invalid DN " + v + " in " + name); + } + return v; + } + + public static String getID(HttpServletRequest request, String name) { + return getString(request, name); + } + + public static String getName(HttpServletRequest request, String name) { + return getString(request, name); + } + + public static String getCertRequest(HttpServletRequest request, String name) { + return getString(request, name); + } + + public static String getCertChain(HttpServletRequest request, String name) { + return getString(request, name); + } + + public static String getCert(HttpServletRequest request, String name) { + return getString(request, name); + } + + public static String getNickname(HttpServletRequest request, String name) { + return getString(request, name); + } + + public static String getHostname(HttpServletRequest request, String name) { + return getString(request, name); + } + + public static String getTokenName(HttpServletRequest request, String name) { + return getString(request, name); + } + + public static String getReplicationAgreementName(HttpServletRequest request, String name) { + return getString(request, name); + } + + public static String getEmail(HttpServletRequest request, String name) + throws IOException { + String v = getString(request, name); + if (v.indexOf('@') == -1) { + throw new IOException("Invalid email " + v); + } + return v; + } + + public static String getDomainName(HttpServletRequest request, String name) { + return getString(request, name); + } + + public static String getSecurityDomainName(HttpServletRequest request, String name) + throws IOException { + String v = 
getName(request, name); + Pattern p = Pattern.compile("[A-Za-z0-9]+[A-Za-z0-9 -]*"); + Matcher m = p.matcher(v); + if (!m.matches()) { + throw new IOException("Invalid characters found in Security Domain Name " + + v + ". Valid characters are A-Z, a-z, 0-9, dash and space"); + } + return v; + } +} diff --git a/base/common/src/com/netscape/certsrv/util/IStatsSubsystem.java b/base/common/src/com/netscape/certsrv/util/IStatsSubsystem.java new file mode 100644 index 000000000..989d7a4a1 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/util/IStatsSubsystem.java @@ -0,0 +1,61 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.util; + +import java.util.Date; + +import com.netscape.certsrv.base.ISubsystem; + +/** + * A class represents a internal subsystem. This subsystem + * can be loaded into cert server kernel to perform + * statistics collection. + *
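Review bot: Several accessors dereference a possibly absent request parameter before validating it — `getBoolean` calls `val.equals("true")`, the bounded `getString` calls `val.length()`, `getKeyType` and `getEmail` call methods on `v`, and `getSecurityDomainName` passes `v` to `p.matcher` — so a missing parameter surfaces as a NullPointerException instead of the IOException their `throws` clauses advertise. A shared guard at the top of each, `String val = request.getParameter(name); if (val == null) throw new IOException("Missing parameter '" + name + "'");`, would make the failure mode uniform. Separately, `getPortNumberInInt` and `getPortNumber` accept any integer; routing them through the existing `getInteger(request, name, 0, 65535)` would make the range check match the method names. The RSA branch of `getKeySize` still lists 256- and 512-bit keys as acceptable, which are far below the minimum size considered safe for any current use; consider dropping them from the accepted set and from the error text.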

+ * + * @author thomask + * @version $Revision$, $Date$ + */ +public interface IStatsSubsystem extends ISubsystem { + /** + * Retrieves the start time since startup or + * clearing of statistics. + */ + public Date getStartTime(); + + /** + * Starts timing of a operation. + */ + public void startTiming(String id); + + public void startTiming(String id, boolean main); + + /** + * Stops timing of a operation. + */ + public void endTiming(String id); + + /** + * Resets counters. + */ + public void resetCounters(); + + /** + * Resets all internal counters. + */ + public StatsEvent getMainStatsEvent(); +} diff --git a/base/common/src/com/netscape/certsrv/util/StatsEvent.java b/base/common/src/com/netscape/certsrv/util/StatsEvent.java new file mode 100644 index 000000000..eafd90d05 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/util/StatsEvent.java @@ -0,0 +1,175 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.util; + +import java.util.Enumeration; +import java.util.Vector; + +/** + * A statistics transaction. + *
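Review bot: The Javadoc on `getMainStatsEvent` reads `Resets all internal counters.`, which is the description of `resetCounters` directly above it and does not describe an accessor returning a `StatsEvent`; it should say what the returned event is, e.g. `Retrieves the top-level statistics event.` (confirm against the implementation). `startTiming(String id, boolean main)` has no Javadoc at all, so the meaning of `main` is undocumented — `@param main whether this timing is recorded against the main (top-level) event` is my reading of the name and should be confirmed. `getStartTime` would also benefit from an `@return` tag stating what the returned `Date` represents.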

+ * + * @author thomask + * @version $Revision$, $Date$ + */ +public class StatsEvent { + private String mName = null; + private long mMin = -1; + private long mMax = -1; + private long mTimeTaken = 0; + private long mTimeTakenSqSum = 0; + private long mNoOfOperations = 0; + private Vector mSubEvents = new Vector(); + private StatsEvent mParent = null; + + public StatsEvent(StatsEvent parent) { + mParent = parent; + } + + public void setName(String name) { + mName = name; + } + + /** + * Retrieves Transaction name. + */ + public String getName() { + return mName; + } + + public void addSubEvent(StatsEvent st) { + mSubEvents.addElement(st); + } + + /** + * Retrieves a list of sub transaction names. + */ + public Enumeration getSubEventNames() { + Vector names = new Vector(); + Enumeration e = mSubEvents.elements(); + while (e.hasMoreElements()) { + StatsEvent st = e.nextElement(); + names.addElement(st.getName()); + } + return names.elements(); + } + + /** + * Retrieves a sub transaction. 
+ */ + public StatsEvent getSubEvent(String name) { + Enumeration e = mSubEvents.elements(); + while (e.hasMoreElements()) { + StatsEvent st = e.nextElement(); + if (st.getName().equals(name)) { + return st; + } + } + return null; + } + + public void resetCounters() { + mMin = -1; + mMax = -1; + mNoOfOperations = 0; + mTimeTaken = 0; + mTimeTakenSqSum = 0; + Enumeration e = getSubEventNames(); + while (e.hasMoreElements()) { + String n = e.nextElement(); + StatsEvent c = getSubEvent(n); + c.resetCounters(); + } + } + + public long getMax() { + return mMax; + } + + public long getMin() { + return mMin; + } + + public void incNoOfOperations(long c) { + mNoOfOperations += c; + } + + public long getTimeTakenSqSum() { + return mTimeTakenSqSum; + } + + public long getPercentage() { + if (mParent == null || mParent.getTimeTaken() == 0) { + return 100; + } else { + return (mTimeTaken * 100 / mParent.getTimeTaken()); + } + } + + public long getStdDev() { + if (getNoOfOperations() == 0) { + return 0; + } else { + long a = getTimeTakenSqSum(); + long b = (-2 * getAvg() * getTimeTaken()); + long c = getAvg() * getAvg() * getNoOfOperations(); + return (long) Math.sqrt((a + b + c) / getNoOfOperations()); + } + } + + public long getAvg() { + if (mNoOfOperations == 0) { + return -1; + } else { + return mTimeTaken / mNoOfOperations; + } + } + + /** + * Retrieves number of operations performed. + */ + public long getNoOfOperations() { + return mNoOfOperations; + } + + public void incTimeTaken(long c) { + if (mMin == -1) { + mMin = c; + } else { + if (c < mMin) { + mMin = c; + } + } + if (mMax == -1) { + mMax = c; + } else { + if (c > mMax) { + mMax = c; + } + } + mTimeTaken += c; + mTimeTakenSqSum += (c * c); + } + + /** + * Retrieves total time token in msec. + */ + public long getTimeTaken() { + return mTimeTaken; + } +} 
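Review bot: `getStdDev` computes the variance in `long` arithmetic from the already-truncated `getAvg()` and then integer-divides before `Math.sqrt`, so the result is biased upward by the discarded remainder of the average and truncated again, which makes small deviations unreliable. Doing the arithmetic in `double` keeps the signature: `double avg = (double) mTimeTaken / mNoOfOperations; return (long) Math.sqrt(Math.max(0.0, mTimeTakenSqSum / (double) mNoOfOperations - avg * avg));`. Separately, `getSubEvent` calls `st.getName().equals(name)` although `addSubEvent` accepts children whose name was never set, so one unnamed child makes every lookup throw a NullPointerException; `name.equals(st.getName())` avoids that. If timings are recorded from several request threads, the plain `+=` updates in `incTimeTaken` are not atomic — I cannot see the callers from this hunk, so this is only a question to confirm.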
diff --git a/base/common/src/com/netscape/cms/authentication/AVAPattern.java b/base/common/src/com/netscape/cms/authentication/AVAPattern.java
new file mode 100644
index 000000000..6a8bbcbf2
--- /dev/null
+++ b/base/common/src/com/netscape/cms/authentication/AVAPattern.java
@@ -0,0 +1,559 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.authentication;
+
+import java.io.IOException;
+import java.io.PushbackReader;
+import java.io.StringReader;
+import java.util.Enumeration;
+import java.util.StringTokenizer;
+import java.util.Vector;
+
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPDN;
+import netscape.ldap.LDAPEntry;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.AVA;
+import netscape.security.x509.LdapV3DNStrConverter;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.EAuthException;
+import com.netscape.certsrv.authentication.ECompSyntaxErr;
+
+/**
+ * class for parsing a DN pattern used to construct a certificate
+ * subject name from ldap attributes and dn.
+ *

+ * + * dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If + * empty or not set, the ldap entry DN will be used as the certificate subject name. + *

+ * + * The syntax is + * + *

+ * 	dnPattern := rdnPattern *[ "," rdnPattern ]
+ * 	rdnPattern := avaPattern *[ "+" avaPattern ]
+ * 		avaPattern := name "=" value | 
+ * 			      name "=" "$attr" "." attrName [ "." attrNumber ] | 
+ * 			      name "=" "$dn" "." attrName [ "." attrNumber ] | 
+ * 			 	  "$dn" "." "$rdn" "." number
+ * 
+ * + *
+ * Example1: E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US 
+ * Ldap entry: dn:  UID=jjames, OU=IS, OU=people, O=acme.org
+ * Ldap attributes: cn: Jesse James 
+ * Ldap attributes: mail: jjames@acme.org
+ * 

+ * The subject name formulated will be :
+ * E=jjames@acme.org, CN=Jesse James, OU=people, O=acme.org, C=US + *

+ * E = the first 'mail' ldap attribute value in user's entry.
+ * CN = the (first) 'cn' ldap attribute value in the user's entry.
+ * OU = the second 'ou' value in the user's entry DN.
+ * O = the (first) 'o' value in the user's entry DN.
+ * C = the string "US" + *

+ * Example2: E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US + * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org + * Ldap attributes: cn: Jesse James + * Ldap attributes: mail: jjames@acme.org + *

+ * The subject name formulated will be :
+ * E=jjames@acme.org, CN=Jesse James, OU=people, O=acme.org, C=US + *

+ * E = the first 'mail' ldap attribute value in user's entry.
+ * CN = the (first) 'cn' ldap attribute value in the user's entry.
+ * OU = the second 'ou' value in the user's entry DN. note multiple AVAs + * in a RDN in this example.
+ * O = the (first) 'o' value in the user's entry DN.
+ * C = the string "US" + *

+ *

+ * + *
+ * Example3: CN=$attr.cn, $rdn.2, O=$dn.o, C=US
+ * Ldap entry: dn:  UID=jjames, OU=IS+OU=people, O=acme.org
+ * Ldap attributes: cn: Jesse James 
+ * Ldap attributes: mail: jjames@acme.org
+ * 

+ * The subject name formulated will be :
+ * CN=Jesse James, OU=IS+OU=people, O=acme.org, C=US + *

+ * CN = the (first) 'cn' ldap attribute value in the user's entry.
+ * followed by the second RDN in the user's entry DN.
+ * O = the (first) 'o' value in the user's entry DN.
+ * C = the string "US" + *

+ * Example4: CN=$attr.cn, OU=$dn.ou.2+OU=$dn.ou.1, O=$dn.o, C=US + * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org + * Ldap attributes: cn: Jesse James + * Ldap attributes: mail: jjames@acme.org + *

+ * The subject name formulated will be :
+ * CN=Jesse James, OU=people+OU=IS, O=acme.org, C=US + *

+ * CN = the (first) 'cn' ldap attribute value in the user's entry.
+ * OU = the second 'ou' value in the user's entry DN followed by the + * first 'ou' value in the user's entry. note multiple AVAs + * in a RDN in this example.
+ * O = the (first) 'o' value in the user's entry DN.
+ * C = the string "US" + *

+ *

+ * + * If an attribute or subject DN component does not exist the attribute is skipped. + * + * @version $Revision$, $Date$ + */ +class AVAPattern { + + /* the value type of the dn component */ + public static final String TYPE_ATTR = "$attr"; + public static final String TYPE_DN = "$dn"; + public static final String TYPE_RDN = "$rdn"; + public static final String TYPE_CONSTANT = "constant"; + + private static final char[] endChars = new char[] { '+', ',' }; + + private static final LdapV3DNStrConverter mLdapDNStrConverter = + new LdapV3DNStrConverter(); + + /* ldap attributes needed by this AVA (to retrieve from ldap) */ + protected String[] mLdapAttrs = null; + + /* value type */ + protected String mType = null; + + /* the attribute in the AVA pair */ + protected String mAttr = null; + + /* value - could be name of an ldap attribute or entry dn attribute. */ + protected String mValue = null; + + /* nth value of the ldap or dn attribute */ + protected int mElement = 0; + + protected String mTestDN = null; + + public AVAPattern(String component) + throws EAuthException { + if (component == null || component.length() == 0) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", component)); + parse(new PushbackReader(new StringReader(component))); + } + + public AVAPattern(PushbackReader in) + throws EAuthException { + parse(in); + } + + private void parse(PushbackReader in) + throws EAuthException { + int c; + + // mark ava beginning. + + // skip spaces + //System.out.println("============ AVAPattern Begin ==========="); + //System.out.println("skip spaces"); + + try { + while ((c = in.read()) == ' ' || c == '\t') {//System.out.println("spaces read "+(char)c); + ; + } + } catch (IOException e) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank")); + } + if (c == -1) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank")); + + // $rdn "." 
number syntax. + + if (c == '$') { + //System.out.println("$rdn syntax"); + mType = TYPE_RDN; + try { + if (in.read() != 'r' || + in.read() != 'd' || + in.read() != 'n' || + in.read() != '.') + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Invalid $ syntax, expecting $rdn")); + } catch (IOException e) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Invalid $ syntax, expecting $rdn")); + } + + StringBuffer rdnNumberBuf = new StringBuffer(); + + try { + while ((c = in.read()) != ',' && c != -1 && c != '+') { + //System.out.println("rdnNumber read "+(char)c); + rdnNumberBuf.append((char) c); + } + if (c != -1) // either ',' or '+' + in.unread(c); + } catch (IOException e) { + throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + } + + String rdnNumber = rdnNumberBuf.toString().trim(); + + if (rdnNumber.length() == 0) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "$rdn number not set in ava pattern")); + try { + mElement = Integer.parseInt(rdnNumber) - 1; + } catch (NumberFormatException e) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Invalid $rdn number in ava pattern")); + } + return; + } + + // name "=" ... syntax. 
+ + // read name + //System.out.println("reading name"); + + StringBuffer attrBuf = new StringBuffer(); + + try { + while (c != '=' && c != -1 && c != ',' && c != '+') { + attrBuf.append((char) c); + c = in.read(); + //System.out.println("name read "+(char)c); + } + if (c == ',' || c == '+') + in.unread(c); + } catch (IOException e) { + throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + } + if (c != '=') + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Missing \"=\" in ava pattern")); + + // read value + //System.out.println("reading value"); + + // skip spaces + //System.out.println("skip spaces for value"); + try { + while ((c = in.read()) == ' ' || c == '\t') {//System.out.println("spaces2 read "+(char)c); + ; + } + } catch (IOException e) { + throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + } + if (c == -1) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "no value after = in ava pattern")); + + if (c == '$') { + // check for $dn or $attr + try { + c = in.read(); + //System.out.println("check $dn or $attr read "+(char)c); + } catch (IOException e) { + throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + } + if (c == -1) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "expecting $dn or $attr in ava pattern")); + if (c == 'a') { + try { + if (in.read() != 't' || + in.read() != 't' || + in.read() != 'r' || + in.read() != '.') + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "expecting $attr in ava pattern")); + } catch (IOException e) { + throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + } + mType = TYPE_ATTR; + //System.out.println("---- mtype $attr"); + } else if (c == 'd') { + try { + if (in.read() != 'n' || + in.read() 
!= '.') + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "expecting $dn in ava pattern")); + } catch (IOException e) { + throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + } + mType = TYPE_DN; + //System.out.println("----- mtype $dn"); + } else { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "unknown keyword. expecting $dn or $attr.")); + } + + // get attr name of dn pattern from above. + String attrName = attrBuf.toString().trim(); + + //System.out.println("----- attrName "+attrName); + if (attrName.length() == 0) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "attribute name expected")); + try { + ObjectIdentifier attrOid = + mLdapDNStrConverter.parseAVAKeyword(attrName); + + mAttr = mLdapDNStrConverter.encodeOID(attrOid); + //System.out.println("----- mAttr "+mAttr); + } catch (IOException e) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage())); + } + + // get dn or attribute from ldap search. + StringBuffer valueBuf = new StringBuffer(); + + try { + while ((c = in.read()) != ',' && + c != -1 && c != '.' && c != '+') { + //System.out.println("mValue read "+(char)c); + valueBuf.append((char) c); + } + if (c == '+' || c == ',') // either ',' or '+' + in.unread(c); // pushback last , or + + } catch (IOException e) { + throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + } + + mValue = valueBuf.toString().trim(); + if (mValue.length() == 0) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "$dn or $attr attribute name expected")); + //System.out.println("----- mValue "+mValue); + + // get nth dn or attribute from ldap search. 
+ if (c == '.') { + StringBuffer attrNumberBuf = new StringBuffer(); + + try { + while ((c = in.read()) != ',' && c != -1 && c != '+') { + //System.out.println("mElement read "+(char)c); + attrNumberBuf.append((char) c); + } + if (c != -1) // either ',' or '+' + in.unread(c); // pushback last , or + + } catch (IOException e) { + throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + } + String attrNumber = attrNumberBuf.toString().trim(); + + if (attrNumber.length() == 0) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "nth element $dn or $attr expected")); + try { + mElement = Integer.parseInt(attrNumber) - 1; + } catch (NumberFormatException e) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Invalid format in nth element $dn or $attr")); + } + } + //System.out.println("----- mElement "+mElement); + } else { + // value is constant. treat as regular ava. + mType = TYPE_CONSTANT; + //System.out.println("----- mType constant"); + // parse ava value. 
+ StringBuffer valueBuf = new StringBuffer(); + + valueBuf.append((char) c); + try { + while ((c = in.read()) != ',' && + c != -1) { + valueBuf.append((char) c); + } + if (c == '+' || c == ',') { // either ',' or '+' + in.unread(c); // pushback last , or + + } + } catch (IOException e) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage())); + } + try { + AVA ava = mLdapDNStrConverter.parseAVA(attrBuf + "=" + valueBuf); + + mValue = ava.toLdapDNString(); + //System.out.println("----- mValue "+mValue); + } catch (IOException e) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage())); + } + } + } + + public String formAVA(LDAPEntry entry) + throws EAuthException { + if (mType == TYPE_CONSTANT) + return mValue; + + if (mType == TYPE_RDN) { + String dn = entry.getDN(); + + if (mTestDN != null) + dn = mTestDN; + //System.out.println("AVAPattern Using dn "+mTestDN); + String[] rdns = LDAPDN.explodeDN(dn, false); + + if (mElement >= rdns.length) + return null; + return rdns[mElement]; + } + + if (mType == TYPE_DN) { + String dn = entry.getDN(); + + if (mTestDN != null) + dn = mTestDN; + //System.out.println("AVAPattern Using dn "+mTestDN); + String[] rdns = LDAPDN.explodeDN(dn, false); + String value = null; + int nFound = -1; + + for (int i = 0; i < rdns.length; i++) { + String[] avas = explodeRDN(rdns[i]); + + for (int j = 0; j < avas.length; j++) { + String[] exploded = explodeAVA(avas[j]); + + if (exploded[0].equalsIgnoreCase(mValue) && + ++nFound == mElement) { + value = exploded[1]; + break; + } + } + } + if (value == null) + return null; + return mAttr + "=" + value; + } + + if (mType == TYPE_ATTR) { + LDAPAttribute ldapAttr = entry.getAttribute(mValue); + + if (ldapAttr == null) + return null; + String value = null; + @SuppressWarnings("unchecked") + Enumeration ldapValues = ldapAttr.getStringValues(); + + for (int i = 0; ldapValues.hasMoreElements(); i++) { + String 
val = (String) ldapValues.nextElement(); + + if (i == mElement) { + value = val; + break; + } + } + if (value == null) + return null; + String v = escapeLdapString(value); + + return mAttr + "=" + v; + } + + return null; + } + + private String escapeLdapString(String value) { + int len = value.length(); + char[] c = new char[len]; + char[] newc = new char[len * 2]; + + value.getChars(0, len, c, 0); + int j = 0; + + for (int i = 0; i < c.length; i++) { + // escape special characters that directory does not. + if ((c[i] == ',' || c[i] == '=' || c[i] == '+' || c[i] == '<' || + c[i] == '>' || c[i] == '#' || c[i] == ';')) { + if (i == 0 || c[i - 1] != '\\') { + newc[j++] = '\\'; + newc[j++] = c[i]; + } + } // escape "\" + else if (c[i] == '\\') { + int k = i + 1; + + if (i == len - 1 || + (c[k] == ',' || c[k] == '=' || c[k] == '+' || c[k] == '<' || + c[k] == '>' || c[k] == '#' || c[k] == ';')) { + newc[j++] = '\\'; + newc[j++] = c[i]; + } + } // escape QUOTATION + else if (c[i] == '"') { + if ((i == 0 && c[len - 1] != '"') || + (i == len - 1 && c[0] != '"') || + (i > 0 && i < len - 1)) { + newc[j++] = '\\'; + newc[j++] = c[i]; + } + } else + newc[j++] = c[i]; + } + return new String(newc, 0, j); + } + + public String getLdapAttr() { + if (mType == TYPE_ATTR) + return mValue; + else + return null; + } + + /** + * Explode RDN into AVAs. + * Does not handle escaped '+' + * Java ldap library does not yet support multiple avas per rdn. + * If RDN is malformed returns empty array. + */ + public static String[] explodeRDN(String rdn) { + int plus = rdn.indexOf('+'); + + if (plus == -1) + return new String[] { rdn }; + Vector avas = new Vector(); + StringTokenizer token = new StringTokenizer(rdn, "+"); + + while (token.hasMoreTokens()) + avas.addElement(token.nextToken()); + String[] theAvas = new String[avas.size()]; + + avas.copyInto(theAvas); + return theAvas; + } + + /** + * Explode AVA into name and value. 
+ * Does not handle escaped '=' + * If AVA is malformed empty array is returned. + */ + public static String[] explodeAVA(String ava) { + int equals = ava.indexOf('='); + + if (equals == -1) + return null; + return new String[] { + ava.substring(0, equals).trim(), ava.substring(equals + 1).trim() }; + } +} diff --git a/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java b/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java new file mode 100644 index 000000000..65ef434a9 --- /dev/null +++ b/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java 
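Review bot: `explodeAVA` returns `null` for a component without `=`, yet the TYPE_DN loop in `formAVA` dereferences `exploded[0]` on the very next line, so an entry whose DN contains an RDN fragment with no `=` (for example a stray `+` split) ends in a NullPointerException instead of the component being skipped as the class Javadoc promises; add `if (exploded == null) continue;` before the comparison. The Javadoc on both `explodeRDN` and `explodeAVA` says an empty array is returned for malformed input, which neither method does — `explodeRDN` never returns empty and `explodeAVA` returns `null` — so the doc should say `@return null if the AVA contains no '='` and drop the empty-array claim. Separately, the constant-value branch of `parse` reads until `,` only, so its `c == '+'` push-back on the following line is unreachable and a constant AVA followed by `+` swallows the rest of the RDN, unlike the `$attr`/`$dn` branches which stop at `+`; if that is intentional because a constant may contain a literal `+`, a one-line comment saying so would spare the next reader the same question.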
@@ -0,0 +1,332 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.authentication;
+
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Enumeration;
+import java.util.Locale;
+
+import netscape.security.x509.X509CertImpl;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.AuthToken;
+import com.netscape.certsrv.authentication.EInvalidCredentials;
+import com.netscape.certsrv.authentication.EMissingCredential;
+import com.netscape.certsrv.authentication.IAuthCredentials;
+import com.netscape.certsrv.authentication.IAuthManager;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.authentication.ISSLClientCertProvider;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileAuthenticator;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.usrgrp.Certificates;
+import com.netscape.certsrv.usrgrp.EUsrGrpException;
+import com.netscape.certsrv.usrgrp.ICertUserLocator;
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
+import com.netscape.certsrv.usrgrp.IUser;
+
+/**
+ * Certificate server agent authentication.
+ * Maps a SSL client authenticate certificate to a user (agent) entry in the
+ * internal database.
+ *

+ * + * @version $Revision$, $Date$ + */ +public class AgentCertAuthentication implements IAuthManager, + IProfileAuthenticator { + + /* result auth token attributes */ + public static final String TOKEN_USERDN = "user"; + public static final String TOKEN_USER_DN = "userdn"; + public static final String TOKEN_USERID = "userid"; + public static final String TOKEN_UID = "uid"; + public static final String TOKEN_GROUP = "group"; + + /* required credentials */ + public static final String CRED_CERT = IAuthManager.CRED_SSL_CLIENT_CERT; + protected String[] mRequiredCreds = { CRED_CERT }; + + /* config parameters to pass to console (none) */ + protected static String[] mConfigParams = null; + + private String mName = null; + private String mImplName = null; + private IConfigStore mConfig = null; + + private IUGSubsystem mUGSub = null; + private ICertUserLocator mCULocator = null; + private ILogger mLogger = CMS.getLogger(); + + private IConfigStore mRevocationChecking = null; + private String mRequestor = null; + + public AgentCertAuthentication() { + } + + /** + * initializes the CertUserDBAuthentication auth manager + *

+ * called by AuthSubsystem init() method, when initializing all available authentication managers. + * + * @param name The name of this authentication manager instance. + * @param implName The name of the authentication manager plugin. + * @param config The configuration store for this authentication manager. + */ + public void init(String name, String implName, IConfigStore config) + throws EBaseException { + mName = name; + mImplName = implName; + mConfig = config; + + mUGSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); + mCULocator = mUGSub.getCertUserLocator(); + } + + /** + * Gets the name of this authentication manager. + */ + public String getName() { + return mName; + } + + /** + * Gets the plugin name of authentication manager. + */ + public String getImplName() { + return mImplName; + } + + public boolean isSSLClientRequired() { + return true; + } + + /** + * authenticates user(agent) by certificate + *

+ * called by other subsystems or their servlets to authenticate users (agents) + * + * @param authCred - authentication credential that contains + * an usrgrp.Certificates of the user (agent) + * @return the authentication token that contains the following + * + * @exception EMissingCredential If a required credential for this + * authentication manager is missing. + * @exception EInvalidCredentials If credentials cannot be authenticated. + * @exception EBaseException If an internal error occurred. + * @see com.netscape.certsrv.authentication.AuthToken + * @see com.netscape.certsrv.usrgrp.Certificates + */ + public IAuthToken authenticate(IAuthCredentials authCred) + throws EMissingCredential, EInvalidCredentials, EBaseException { + + CMS.debug("AgentCertAuthentication: start"); + CMS.debug("authenticator instance name is " + getName()); + + // force SSL handshake + SessionContext context = SessionContext.getExistingContext(); + ISSLClientCertProvider provider = (ISSLClientCertProvider) + context.get("sslClientCertProvider"); + + if (provider == null) { + CMS.debug("AgentCertAuthentication: No SSL Client Cert Provider Found"); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + CMS.debug("AgentCertAuthenticator: got provider"); + CMS.debug("AgentCertAuthenticator: retrieving client certificate"); + X509Certificate[] allCerts = provider.getClientCertificateChain(); + + if (allCerts == null) { + CMS.debug("AgentCertAuthentication: No SSL Client Certs Found"); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + CMS.debug("AgentCertAuthenticator: got certificates"); + + // retreive certificate from socket + AuthToken authToken = new AuthToken(this); + X509Certificate[] x509Certs = allCerts; + + // default certificate default has bugs in version + // version(3) is returned as 3, which should be 2 + X509CertImpl ci[] = new X509CertImpl[x509Certs.length]; + + try { + for (int 
i = 0; i < x509Certs.length; i++) { + ci[i] = new X509CertImpl(x509Certs[i].getEncoded()); + } + } catch (CertificateException e) { + CMS.debug(e.toString()); + } + + // check if certificate(s) is revoked + boolean checkRevocation = true; + try { + checkRevocation = mConfig.getBoolean("checkRevocation", true); + } catch (EBaseException e) { + // do nothing; default to true + } + if (checkRevocation) { + if (CMS.isRevoked(ci)) { + CMS.debug("AgentCertAuthentication: certificate revoked"); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + } + + // map cert to user + IUser user = null; + Certificates certs = new Certificates(ci); + + try { + user = (IUser) mCULocator.locateUser(certs); + } catch (EUsrGrpException e) { + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } catch (netscape.ldap.LDAPException e) { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + e.toString())); + } + + // any unexpected error occurs like internal db down, + // UGSubsystem only returns null for user. + if (user == null) { + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + + // get group name from configuration file + IConfigStore sconfig = CMS.getConfigStore(); + String groupname = ""; + try { + groupname = sconfig.getString("auths.instance." 
+ getName() + ".agentGroup", + ""); + } catch (EBaseException ee) { + } + + if (!groupname.equals("")) { + CMS.debug("check if " + user.getUserID() + " is in group " + groupname); + IUGSubsystem uggroup = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); + if (!uggroup.isMemberOf(user, groupname)) { + CMS.debug(user.getUserID() + " is not in this group " + groupname); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHORIZATION_ERROR")); + } + } + authToken.set(TOKEN_USERDN, user.getUserDN()); + authToken.set(TOKEN_USER_DN, user.getUserDN()); + authToken.set(TOKEN_USERID, user.getUserID()); + authToken.set(TOKEN_UID, user.getUserID()); + authToken.set(TOKEN_GROUP, groupname); + authToken.set(CRED_CERT, certs); + + CMS.debug("AgentCertAuthentication: authenticated " + user.getUserDN()); + + return authToken; + } + + /** + * get the list of authentication credential attribute names + * required by this authentication manager. Generally used by + * the servlets that handle agent operations to authenticate its + * users. It calls this method to know which are the + * required credentials from the user (e.g. Javascript form data) + * + * @return attribute names in Vector + */ + public String[] getRequiredCreds() { + return (mRequiredCreds); + } + + /** + * get the list of configuration parameter names + * required by this authentication manager. Generally used by + * the Certificate Server Console to display the table for + * configuration purposes. CertUserDBAuthentication is currently not + * exposed in this case, so this method is not to be used. + * + * @return configuration parameter names in Hashtable of Vectors + * where each hashtable entry's key is the substore name, value is a + * Vector of parameter names. If no substore, the parameter name + * is the Hashtable key itself, with value same as key. + */ + public String[] getConfigParams() { + return (mConfigParams); + } + + /** + * prepare this authentication manager for shutdown. 
+ */ + public void shutdown() { + } + + /** + * gets the configuretion substore used by this authentication + * manager + * + * @return configuration store + */ + public IConfigStore getConfigStore() { + return mConfig; + } + + // Profile-related methods + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_TEXT"); + } + + /** + * Retrieves a list of names of the value parameter. + */ + public Enumeration getValueNames() { + return null; + } + + public boolean isValueWriteable(String name) { + return false; + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + return null; + } + + public void populate(IAuthToken token, IRequest request) + throws EProfileException { + } +} diff --git a/base/common/src/com/netscape/cms/authentication/CMCAuth.java b/base/common/src/com/netscape/cms/authentication/CMCAuth.java new file mode 100644 index 000000000..06d4eaa0f --- /dev/null +++ b/base/common/src/com/netscape/cms/authentication/CMCAuth.java 
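Review bot: The `catch (CertificateException e)` around the `new X509CertImpl(...)` loop in `authenticate` only logs and carries on, so a chain element that fails to re-encode leaves a `null` slot in `ci[]` that then flows into `CMS.isRevoked(ci)` and `new Certificates(ci)`; a client certificate that cannot be parsed should end authentication right there, e.g. `throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));` after the existing `CMS.debug(e.toString())`. The empty `catch (EBaseException ee) { }` around the `agentGroup` lookup silently turns a configuration read failure into an empty group name, and the `if (!groupname.equals(""))` below then skips the membership check entirely; at minimum log it with `CMS.debug("AgentCertAuthentication: agentGroup not read: " + ee)` so an operator can see why the check did not run. `getRequiredCreds` hands out the `mRequiredCreds` array itself, so a caller can change this manager's required-credential list; `return mRequiredCreds.clone();` keeps the interface and removes that exposure.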
@@ -0,0 +1,1038 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+// package statement //
+///////////////////////
+
+package com.netscape.cms.authentication;
+
+///////////////////////
+// import statements //
+///////////////////////
+
+/* cert server imports */
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.math.BigInteger;
+import java.security.MessageDigest;
+import java.security.PublicKey;
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.Locale;
+import java.util.Vector;
+
+import netscape.security.pkcs.PKCS10;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509Key;
+
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.asn1.ASN1Util;
+import org.mozilla.jss.asn1.INTEGER;
+import org.mozilla.jss.asn1.InvalidBERException;
+import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
+import org.mozilla.jss.asn1.OCTET_STRING;
+import org.mozilla.jss.asn1.SEQUENCE;
+import org.mozilla.jss.asn1.SET;
+import org.mozilla.jss.crypto.DigestAlgorithm;
+import 
org.mozilla.jss.crypto.PrivateKey;
+import org.mozilla.jss.pkcs10.CertificationRequest;
+import org.mozilla.jss.pkcs11.PK11PubKey;
+import org.mozilla.jss.pkix.cert.Certificate;
+import org.mozilla.jss.pkix.cert.CertificateInfo;
+import org.mozilla.jss.pkix.cmc.PKIData;
+import org.mozilla.jss.pkix.cmc.TaggedAttribute;
+import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest;
+import org.mozilla.jss.pkix.cmc.TaggedRequest;
+import org.mozilla.jss.pkix.cms.EncapsulatedContentInfo;
+import org.mozilla.jss.pkix.cms.IssuerAndSerialNumber;
+import org.mozilla.jss.pkix.cms.SignedData;
+import org.mozilla.jss.pkix.cms.SignerIdentifier;
+import org.mozilla.jss.pkix.crmf.CertReqMsg;
+import org.mozilla.jss.pkix.crmf.CertRequest;
+import org.mozilla.jss.pkix.crmf.CertTemplate;
+import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
+import org.mozilla.jss.pkix.primitive.Name;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.AuthToken;
+import com.netscape.certsrv.authentication.EInvalidCredentials;
+import com.netscape.certsrv.authentication.EMissingCredential;
+import com.netscape.certsrv.authentication.IAuthCredentials;
+import com.netscape.certsrv.authentication.IAuthManager;
+import com.netscape.certsrv.authentication.IAuthSubsystem;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileAuthenticator;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cmsutil.util.Utils;
+
+//import com.netscape.cmscore.util.*;
+//////////////////////
+// class definition //
+//////////////////////
+
+/**
+ * UID/CMC authentication plug-in
+ *

+ * + * @version $Revision$, $Date$ + */ +public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + IProfileAuthenticator { + + //////////////////////// + // default parameters // + //////////////////////// + + ///////////////////////////// + // IAuthManager parameters // + ///////////////////////////// + + /* authentication plug-in configuration store */ + private IConfigStore mConfig; + private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----"; + private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----"; + public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke"; + public static final String REASON_CODE = "reasonCode"; + /* authentication plug-in name */ + private String mImplName = null; + + /* authentication plug-in instance name */ + private String mName = null; + + /* authentication plug-in fields */ + + /* Holds authentication plug-in fields accepted by this implementation. + * This list is passed to the configuration console so configuration + * for instances of this implementation can be configured through the + * console. + */ + protected static String[] mConfigParams = + new String[] {}; + + /* authentication plug-in values */ + + /* authentication plug-in properties */ + + /* required credentials to authenticate. UID and CMC are strings. */ + public static final String CRED_CMC = "cmcRequest"; + + protected static String[] mRequiredCreds = {}; + + //////////////////////////////////// + // IExtendedPluginInfo parameters // + //////////////////////////////////// + + /* Vector of extendedPluginInfo strings */ + protected static Vector mExtendedPluginInfo = null; + //public static final String AGENT_AUTHMGR_ID = "agentAuthMgr"; + //public static final String AGENT_PLUGIN_ID = "agentAuthPlugin"; + + /* actual help messages */ + static { + mExtendedPluginInfo = new Vector(); + + mExtendedPluginInfo + .add(IExtendedPluginInfo.HELP_TEXT + + ";Authenticate the CMC request. 
The signer must be an agent. The \"Authentication Instance ID\" must be named \"CMCAuth\""); + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-authentication"); + } + + /////////////////////// + // Logger parameters // + /////////////////////// + + /* the system's logger */ + private ILogger mLogger = CMS.getLogger(); + + /* signed audit parameters */ + private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE = + "enrollment"; + private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE = + "revocation"; + private final static String LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY = + "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5"; + + ///////////////////// + // default methods // + ///////////////////// + + /** + * Default constructor, initialization must follow. + */ + public CMCAuth() { + } + + ////////////////////////// + // IAuthManager methods // + ////////////////////////// + + /** + * Initializes the CMCAuth authentication plug-in. + *

+ * + * @param name The name for this authentication plug-in instance. + * @param implName The name of the authentication plug-in. + * @param config - The configuration store for this instance. + * @exception EBaseException If an error occurs during initialization. + */ + public void init(String name, String implName, IConfigStore config) + throws EBaseException { + mName = name; + mImplName = implName; + mConfig = config; + + log(ILogger.LL_INFO, "Initialization complete!"); + } + + /** + * Authenticates user by their CMC; + * resulting AuthToken sets a TOKEN_SUBJECT for the subject name. + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY used when CMC (agent-pre-signed) cert + * requests or revocation requests are submitted and signature is verified + *
+ * + * @param authCred Authentication credentials, CRED_UID and CRED_CMC. + * @return an AuthToken + * @exception com.netscape.certsrv.authentication.EMissingCredential + * If a required authentication credential is missing. + * @exception com.netscape.certsrv.authentication.EInvalidCredentials + * If credentials failed authentication. + * @exception com.netscape.certsrv.base.EBaseException + * If an internal error occurred. + * @see com.netscape.certsrv.authentication.AuthToken + */ + public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials, + EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditReqType = ILogger.UNIDENTIFIED; + String auditCertSubject = ILogger.UNIDENTIFIED; + String auditSignerInfo = ILogger.UNIDENTIFIED; + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // get the CMC. + + Object argblock = (Object) (authCred.getArgBlock()); + Object returnVal = null; + if (argblock == null) { + returnVal = authCred.get("cert_request"); + if (returnVal == null) + returnVal = authCred.get(CRED_CMC); + } else { + returnVal = authCred.get("cert_request"); + if (returnVal == null) + returnVal = authCred.getArgBlock().get(CRED_CMC); + } + String cmc = (String) returnVal; + if (cmc == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); + + audit(auditMessage); + + throw new EMissingCredential(CMS.getUserMessage( + "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CMC)); + } + + if (cmc.equals("")) { + log(ILogger.LL_FAILURE, + "cmc : attempted login with empty CMC."); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + 
auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); + + audit(auditMessage); + + throw new EInvalidCredentials(CMS.getUserMessage( + "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + + // authenticate by checking CMC. + + // everything OK. + // now formulate the certificate info. + // set the subject name at a minimum. + // set anything else like version, extensions, etc. + // if nothing except subject name is set the rest of + // cert info will be filled in by policies and CA defaults. + + AuthToken authToken = new AuthToken(this); + + try { + String asciiBASE64Blob; + + int startIndex = cmc.indexOf(HEADER); + int endIndex = cmc.indexOf(TRAILER); + if (startIndex != -1 && endIndex != -1) { + startIndex = startIndex + HEADER.length(); + asciiBASE64Blob = cmc.substring(startIndex, endIndex); + } else + asciiBASE64Blob = cmc; + + byte[] cmcBlob = CMS.AtoB(asciiBASE64Blob); + ByteArrayInputStream cmcBlobIn = new + ByteArrayInputStream(cmcBlob); + + org.mozilla.jss.pkix.cms.ContentInfo cmcReq = + (org.mozilla.jss.pkix.cms.ContentInfo) + org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode( + cmcBlobIn); + + if (!cmcReq.getContentType().equals( + org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) || + !cmcReq.hasContent()) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); + + audit(auditMessage); + + // throw new ECMSGWException(CMSGWResources.NO_CMC_CONTENT); + + throw new EBaseException("NO_CMC_CONTENT"); + } + + SignedData cmcFullReq = (SignedData) + cmcReq.getInterpretedContent(); + + IConfigStore cmc_config = CMS.getConfigStore(); + boolean checkSignerInfo = + cmc_config.getBoolean("cmc.signerInfo.verify", true); + String userid = "defUser"; + String uid = "defUser"; + if (checkSignerInfo) { + IAuthToken agentToken = 
verifySignerInfo(authToken, cmcFullReq); + userid = agentToken.getInString("userid"); + uid = agentToken.getInString("cn"); + } else { + CMS.debug("CMCAuth: authenticate() signerInfo verification bypassed"); + } + // reset value of auditSignerInfo + if (uid != null) { + auditSignerInfo = uid.trim(); + } + + EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); + + OBJECT_IDENTIFIER id = ci.getContentType(); + + if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) || + !ci.hasContent()) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); + + audit(auditMessage); + + // throw new ECMSGWException( + // CMSGWResources.NO_PKIDATA); + + throw new EBaseException("NO_PKIDATA"); + } + + OCTET_STRING content = ci.getContent(); + + ByteArrayInputStream s = new + ByteArrayInputStream(content.toByteArray()); + PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); + + SEQUENCE reqSequence = pkiData.getReqSequence(); + + int numReqs = reqSequence.size(); + + if (numReqs == 0) { + // revocation request + + // reset value of auditReqType + auditReqType = SIGNED_AUDIT_REVOCATION_REQUEST_TYPE; + + SEQUENCE controlSequence = pkiData.getControlSequence(); + int controlSize = controlSequence.size(); + + if (controlSize > 0) { + for (int i = 0; i < controlSize; i++) { + TaggedAttribute taggedAttribute = + (TaggedAttribute) controlSequence.elementAt(i); + OBJECT_IDENTIFIER type = taggedAttribute.getType(); + + if (type.equals( + OBJECT_IDENTIFIER.id_cmc_revokeRequest)) { + // if( i ==1 ) { + // taggedAttribute.getType() == + // OBJECT_IDENTIFIER.id_cmc_revokeRequest + // } + + SET values = taggedAttribute.getValues(); + int numVals = values.size(); + BigInteger[] bigIntArray = null; + + bigIntArray = new BigInteger[numVals]; + for (int j = 0; j < numVals; j++) { + // serialNumber INTEGER + + // 
SEQUENCE RevRequest = (SEQUENCE) + // values.elementAt(j); + byte[] encoded = ASN1Util.encode( + values.elementAt(j)); + org.mozilla.jss.asn1.ASN1Template template = new + org.mozilla.jss.pkix.cmmf.RevRequest.Template(); + org.mozilla.jss.pkix.cmmf.RevRequest revRequest = + (org.mozilla.jss.pkix.cmmf.RevRequest) + ASN1Util.decode(template, encoded); + + // SEQUENCE RevRequest = (SEQUENCE) + // ASN1Util.decode( + // SEQUENCE.getTemplate(), + // ASN1Util.encode( + // values.elementAt(j))); + + // SEQUENCE RevRequest = + // values.elementAt(j); + // int revReqSize = RevRequest.size(); + // if( revReqSize > 3 ) { + // INTEGER serialNumber = + // new INTEGER((long)0); + // } + + INTEGER temp = revRequest.getSerialNumber(); + + bigIntArray[j] = temp; + authToken.set(TOKEN_CERT_SERIAL, bigIntArray); + + long reasonCode = revRequest.getReason().getValue(); + Integer IntObject = Integer.valueOf((int) reasonCode); + authToken.set(REASON_CODE, IntObject); + + authToken.set("uid", uid); + authToken.set("userid", userid); + } + } + } + + } + } else { + // enrollment request + + // reset value of auditReqType + auditReqType = SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE; + + X509CertInfo[] certInfoArray = new X509CertInfo[numReqs]; + String[] reqIdArray = new String[numReqs]; + + for (int i = 0; i < numReqs; i++) { + // decode message. + TaggedRequest taggedRequest = + (TaggedRequest) reqSequence.elementAt(i); + + TaggedRequest.Type type = taggedRequest.getType(); + + if (type.equals(TaggedRequest.PKCS10)) { + CMS.debug("CMCAuth: in PKCS10"); + TaggedCertificationRequest tcr = + taggedRequest.getTcr(); + int p10Id = tcr.getBodyPartID().intValue(); + + reqIdArray[i] = String.valueOf(p10Id); + + CertificationRequest p10 = + tcr.getCertificationRequest(); + + // transfer to sun class + ByteArrayOutputStream ostream = + new ByteArrayOutputStream(); + + p10.encode(ostream); + try { + PKCS10 pkcs10 = + new PKCS10(ostream.toByteArray()); + + // xxx do we need to do anything else? 
+ X509CertInfo certInfo = + CMS.getDefaultX509CertInfo(); + + // fillPKCS10(certInfo,pkcs10,authToken,null); + + // authToken.set( + // pkcs10.getSubjectPublicKeyInfo()); + + X500Name tempName = pkcs10.getSubjectName(); + + // reset value of auditCertSubject + if (tempName != null) { + auditCertSubject = + tempName.toString().trim(); + if (auditCertSubject.equals("")) { + auditCertSubject = + ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + authToken.set(AuthToken.TOKEN_CERT_SUBJECT, + tempName.toString()); + } + + authToken.set("uid", uid); + authToken.set("userid", userid); + + certInfoArray[i] = certInfo; + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); + + audit(auditMessage); + + //throw new ECMSGWException( + //CMSGWResources.ERROR_PKCS101, e.toString()); + + e.printStackTrace(); + throw new EBaseException(e.toString()); + } + } else if (type.equals(TaggedRequest.CRMF)) { + + CMS.debug("CMCAuth: in CRMF"); + try { + CertReqMsg crm = + taggedRequest.getCrm(); + CertRequest certReq = crm.getCertReq(); + INTEGER reqID = certReq.getCertReqId(); + reqIdArray[i] = reqID.toString(); + CertTemplate template = certReq.getCertTemplate(); + Name name = template.getSubject(); + + // xxx do we need to do anything else? 
+ X509CertInfo certInfo = + CMS.getDefaultX509CertInfo(); + + // reset value of auditCertSubject + if (name != null) { + String ss = name.getRFC1485(); + + auditCertSubject = ss; + if (auditCertSubject.equals("")) { + auditCertSubject = + ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + + authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss); + authToken.set("uid", uid); + authToken.set("userid", userid); + } + certInfoArray[i] = certInfo; + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); + + audit(auditMessage); + + //throw new ECMSGWException( + //CMSGWResources.ERROR_PKCS101, e.toString()); + + e.printStackTrace(); + throw new EBaseException(e.toString()); + } + } + + // authToken.set(AgentAuthentication.CRED_CERT, new + // com.netscape.certsrv.usrgrp.Certificates( + // x509Certs)); + } + } + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); + + audit(auditMessage); + + //Debug.printStackTrace(e); + throw new EInvalidCredentials(CMS.getUserMessage( + "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.SUCCESS, + auditReqType, + auditCertSubject, + auditSignerInfo); + + audit(auditMessage); + + return authToken; + } catch (EMissingCredential eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); + + audit(auditMessage); + 
+ // rethrow the specific exception to be handled later + throw eAudit1; + } catch (EInvalidCredentials eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + } catch (EBaseException eAudit3) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit3; + } + } + + /** + * Returns a list of configuration parameter names. + * The list is passed to the configuration console so instances of + * this implementation can be configured through the console. + *

+ * + * @return String array of configuration parameter names. + */ + public String[] getConfigParams() { + return (mConfigParams); + } + + /** + * gets the configuration substore used by this authentication + * plug-in + *

+ * + * @return configuration store + */ + public IConfigStore getConfigStore() { + return mConfig; + } + + /** + * gets the plug-in name of this authentication plug-in. + */ + public String getImplName() { + return mImplName; + } + + /** + * gets the name of this authentication plug-in instance + */ + public String getName() { + return mName; + } + + /** + * get the list of required credentials. + *

+ * + * @return list of required credentials as strings. + */ + public String[] getRequiredCreds() { + return (mRequiredCreds); + } + + /** + * prepares for shutdown. + */ + public void shutdown() { + } + + ///////////////////////////////// + // IExtendedPluginInfo methods // + ///////////////////////////////// + + /** + * Activate the help system. + *

+ * + * @return help messages + */ + public String[] getExtendedPluginInfo() { + CMS.debug("CMCAuth: getExtendedPluginInfo()"); + String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo); + + CMS.debug("CMCAuth: s.length = " + s.length); + for (int i = 0; i < s.length; i++) { + CMS.debug("" + i + " " + s[i]); + } + return s; + } + + //////////////////// + // Logger methods // + //////////////////// + + /** + * Logs a message for this class in the system log file. + *

+ * + * @param level The log level. + * @param msg The message to log. + * @see com.netscape.certsrv.logging.ILogger + */ + protected void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, + level, "CMC Authentication: " + msg); + } + + protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EInvalidCredentials { + + EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); + OBJECT_IDENTIFIER id = ci.getContentType(); + OCTET_STRING content = ci.getContent(); + + try { + ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); + PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); + + SET dais = cmcFullReq.getDigestAlgorithmIdentifiers(); + int numDig = dais.size(); + Hashtable digs = new Hashtable(); + + //if request key is used for signing, there MUST be only one signerInfo + //object in the signedData object. + for (int i = 0; i < numDig; i++) { + AlgorithmIdentifier dai = + (AlgorithmIdentifier) dais.elementAt(i); + String name = + DigestAlgorithm.fromOID(dai.getOID()).toString(); + + MessageDigest md = + MessageDigest.getInstance(name); + + byte[] digest = md.digest(content.toByteArray()); + + digs.put(name, digest); + } + + SET sis = cmcFullReq.getSignerInfos(); + int numSis = sis.size(); + + for (int i = 0; i < numSis; i++) { + org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i); + + String name = si.getDigestAlgorithm().toString(); + byte[] digest = (byte[]) digs.get(name); + + if (digest == null) { + MessageDigest md = MessageDigest.getInstance(name); + ByteArrayOutputStream ostream = new ByteArrayOutputStream(); + + pkiData.encode((OutputStream) ostream); + digest = md.digest(ostream.toByteArray()); + + } + // signed by previously certified signature key + SignerIdentifier sid = si.getSignerIdentifier(); + + if (sid.getType().equals(SignerIdentifier.ISSUER_AND_SERIALNUMBER)) 
{ + IssuerAndSerialNumber issuerAndSerialNumber = sid.getIssuerAndSerialNumber(); + // find from the certs in the signedData + java.security.cert.X509Certificate cert = null; + + if (cmcFullReq.hasCertificates()) { + SET certs = cmcFullReq.getCertificates(); + int numCerts = certs.size(); + java.security.cert.X509Certificate[] x509Certs = new java.security.cert.X509Certificate[1]; + byte[] certByteArray = new byte[0]; + for (int j = 0; j < numCerts; j++) { + Certificate certJss = (Certificate) certs.elementAt(j); + CertificateInfo certI = certJss.getInfo(); + Name issuer = certI.getIssuer(); + + byte[] issuerB = ASN1Util.encode(issuer); + INTEGER sn = certI.getSerialNumber(); + // if this cert is the signer cert, not a cert in the chain + if (new String(issuerB).equals(new String( + ASN1Util.encode(issuerAndSerialNumber.getIssuer()))) + && sn.toString().equals(issuerAndSerialNumber.getSerialNumber().toString())) { + ByteArrayOutputStream os = new + ByteArrayOutputStream(); + + certJss.encode(os); + certByteArray = os.toByteArray(); + + X509CertImpl tempcert = new X509CertImpl(os.toByteArray()); + + cert = tempcert; + x509Certs[0] = cert; + // xxx validate the cert length + + } + } + CMS.debug("CMCAuth: start checking signature"); + if (cert == null) { + // find from certDB + CMS.debug("CMCAuth: verifying signature"); + si.verify(digest, id); + } else { + PublicKey signKey = cert.getPublicKey(); + PrivateKey.Type keyType = null; + String alg = signKey.getAlgorithm(); + + if (alg.equals("RSA")) { + keyType = PrivateKey.RSA; + } else if (alg.equals("DSA")) { + keyType = PrivateKey.DSA; + } + PK11PubKey pubK = PK11PubKey.fromRaw(keyType, ((X509Key) signKey).getKey()); + + CMS.debug("CMCAuth: verifying signature with public key"); + si.verify(digest, id, pubK); + } + CMS.debug("CMCAuth: finished checking signature"); + // verify signer's certificate using the revocator + CryptoManager cm = CryptoManager.getInstance(); + if (!cm.isCertValid(certByteArray, true, 
CryptoManager.CertUsage.SSLClient)) + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + + // authenticate signer's certificate using the userdb + IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); + + IAuthManager agentAuth = authSS.getAuthManager(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID);//AGENT_AUTHMGR_ID); + IAuthCredentials agentCred = new com.netscape.certsrv.authentication.AuthCredentials(); + + agentCred.set(IAuthManager.CRED_SSL_CLIENT_CERT, x509Certs); + + IAuthToken tempToken = agentAuth.authenticate(agentCred); + netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); + String CN = (String) tempPrincipal.getCommonName();//tempToken.get("userid"); + + BigInteger agentCertSerial = x509Certs[0].getSerialNumber(); + authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT, agentCertSerial.toString()); + tempToken.set("cn", CN); + return tempToken; + + } + // find from internaldb if it's ca. (ra does not have that.) + // find from internaldb usrgrp info + + // find from certDB + si.verify(digest, id); + + } // + } + } catch (InvalidBERException e) { + CMS.debug("CMCAuth: " + e.toString()); + } catch (IOException e) { + CMS.debug("CMCAuth: " + e.toString()); + } catch (Exception e) { + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + return (IAuthToken) null; + + } + + public String[] getExtendedPluginInfo(Locale locale) { + return null; + } + + // Profile-related methods + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_CMS_SIGN_NAME"); + } + + /** + * Retrieves the localizable description of this policy. 
+ */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_CMS_SIGN_TEXT"); + } + + /** + * Retrieves a list of names of the value parameter. + */ + public Enumeration getValueNames() { + Vector v = new Vector(); + v.addElement("cert_request"); + return v.elements(); + } + + public boolean isValueWriteable(String name) { + return false; + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(CRED_CMC)) { + return new Descriptor(IDescriptor.STRING_LIST, null, null, + "CMC request"); + } + return null; + } + + public void populate(IAuthToken token, IRequest request) + throws EProfileException { + request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, + token.getInString(AuthToken.TOKEN_CERT_SUBJECT)); + } + + public boolean isSSLClientRequired() { + return false; + } + + /** + * Signed Audit Log + * + * This method is called to store messages to the signed audit log. + *

+ * + * @param msg signed audit log message + */ + private void audit(String msg) { + // in this case, do NOT strip preceding/trailing whitespace + // from passed-in String parameters + + if (mSignedAuditLogger == null) { + return; + } + + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); + } + + /** + * Signed Audit Log Subject ID + * + * This method is called to obtain the "SubjectID" for + * a signed audit log message. + *

+ * + * @return id string containing the signed audit log message SubjectID + */ + private String auditSubjectID() { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String subjectID = null; + + // Initialize subjectID + SessionContext auditContext = SessionContext.getExistingContext(); + + if (auditContext != null) { + subjectID = (String) + auditContext.get(SessionContext.USER_ID); + + if (subjectID != null) { + subjectID = subjectID.trim(); + } else { + subjectID = ILogger.NONROLEUSER; + } + } else { + subjectID = ILogger.UNIDENTIFIED; + } + + return subjectID; + } +} diff --git a/base/common/src/com/netscape/cms/authentication/Crypt.java b/base/common/src/com/netscape/cms/authentication/Crypt.java new file mode 100644 index 000000000..e6dd7087d --- /dev/null +++ b/base/common/src/com/netscape/cms/authentication/Crypt.java 
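Review bot: The help text says the CMC signer must be an agent, but verifySignerInfo resolves the signer through `IAuthSubsystem.CERTUSERDB_AUTHMGR_ID` (the `AGENT_AUTHMGR_ID` alternative is commented out) and nothing in this file checks group membership, so unless CertUserDBAuthentication enforces that itself — its implementation is outside this hunk — any certificate mapped to a user in the user DB can sign enrollment and revocation requests; add an explicit agent-group check like the `isMemberOf` test AgentCertAuthentication performs earlier in this patch, or route the signer through the agent authentication manager. verifySignerInfo also catches `InvalidBERException` and `IOException` with only a `CMS.debug` and then returns null, so a malformed request fails closed only because `agentToken.getInString("userid")` throws an NPE that the generic catch in authenticate() converts to EInvalidCredentials; those handlers should throw `EInvalidCredentials` directly. The signer-certificate match compares DER issuer encodings with `new String(issuerB).equals(new String(...))`, which decodes arbitrary bytes through the platform charset; use `java.util.Arrays.equals(issuerB, ASN1Util.encode(issuerAndSerialNumber.getIssuer()))` instead. Note too that when `cmc.signerInfo.verify` is false the request is accepted with uid `defUser` and the signed-audit record still reports SUCCESS, with the bypass visible only in debug output, and that in the revocation loop `REASON_CODE` is overwritten on every RevRequest while the serial array keeps all entries.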
@@ -0,0 +1,438 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.authentication; + +public class Crypt { + // Static data: + static byte[] + IP = // Initial permutation + { + 58, 50, 42, 34, 26, 18, 10, 2, + 60, 52, 44, 36, 28, 20, 12, 4, + 62, 54, 46, 38, 30, 22, 14, 6, + 64, 56, 48, 40, 32, 24, 16, 8, + 57, 49, 41, 33, 25, 17, 9, 1, + 59, 51, 43, 35, 27, 19, 11, 3, + 61, 53, 45, 37, 29, 21, 13, 5, + 63, 55, 47, 39, 31, 23, 15, 7 + }, + FP = // Final permutation, FP = IP^(-1) + { + 40, 8, 48, 16, 56, 24, 64, 32, + 39, 7, 47, 15, 55, 23, 63, 31, + 38, 6, 46, 14, 54, 22, 62, 30, + 37, 5, 45, 13, 53, 21, 61, 29, + 36, 4, 44, 12, 52, 20, 60, 28, + 35, 3, 43, 11, 51, 19, 59, 27, + 34, 2, 42, 10, 50, 18, 58, 26, + 33, 1, 41, 9, 49, 17, 57, 25 + }, + // Permuted-choice 1 from the key bits to yield C and D. + // Note that bits 8,16... are left out: + // They are intended for a parity check. 
+ PC1_C = + { + 57, 49, 41, 33, 25, 17, 9, + 1, 58, 50, 42, 34, 26, 18, + 10, 2, 59, 51, 43, 35, 27, + 19, 11, 3, 60, 52, 44, 36 + }, + PC1_D = + { + 63, 55, 47, 39, 31, 23, 15, + 7, 62, 54, 46, 38, 30, 22, + 14, 6, 61, 53, 45, 37, 29, + 21, 13, 5, 28, 20, 12, 4 + }, + shifts = // Sequence of shifts used for the key schedule. + { + 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 + }, + // Permuted-choice 2, to pick out the bits from + // the CD array that generate the key schedule. + PC2_C = + { + 14, 17, 11, 24, 1, 5, + 3, 28, 15, 6, 21, 10, + 23, 19, 12, 4, 26, 8, + 16, 7, 27, 20, 13, 2 + }, + PC2_D = + { + 41, 52, 31, 37, 47, 55, + 30, 40, 51, 45, 33, 48, + 44, 49, 39, 56, 34, 53, + 46, 42, 50, 36, 29, 32 + }, + e2 = // The E-bit selection table. (see E below) + { + 32, 1, 2, 3, 4, 5, + 4, 5, 6, 7, 8, 9, + 8, 9, 10, 11, 12, 13, + 12, 13, 14, 15, 16, 17, + 16, 17, 18, 19, 20, 21, + 20, 21, 22, 23, 24, 25, + 24, 25, 26, 27, 28, 29, + 28, 29, 30, 31, 32, 1 + }, + // P is a permutation on the selected combination of + // the current L and key. + P = + { + 16, 7, 20, 21, + 29, 12, 28, 17, + 1, 15, 23, 26, + 5, 18, 31, 10, + 2, 8, 24, 14, + 32, 27, 3, 9, + 19, 13, 30, 6, + 22, 11, 4, 25 + }; + // The 8 selection functions. For some reason, they gave a 0-origin + // index, unlike everything else. 
+ static byte[][] S = + { + { + 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, + 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, + 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, + 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 + }, { + 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, + 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, + 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, + 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 + }, { + 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, + 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, + 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, + 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 + }, { + 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, + 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, + 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, + 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 + }, { + 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, + 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, + 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, + 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 + }, { + 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, + 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, + 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, + 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 + }, { + 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, + 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, + 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, + 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 + }, { + 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, + 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, + 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, + 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 + } + }; + + // Dynamic data: + byte[] C = new byte[28], // The C and D arrays used to + D = new byte[28], // calculate the key 
schedule. + E = new byte[48], // The E bit-selection table. + L = new byte[32], // The current block, + R = new byte[32], // divided into two halves. + tempL = new byte[32], + f = new byte[32], + preS = new byte[48]; // The combination of the key and + // the input, before selection. + // The key schedule. Generated from the key. + byte[][] KS = new byte[16][48]; + + // Object fields: + String Passwd, Salt, Encrypt; + + // Public methods: + /** + * Create Crypt object with no passwd or salt set. Must use setPasswd() + * and setSalt() before getEncryptedPasswd(). + */ + public Crypt() { + Passwd = Salt = Encrypt = ""; + } + + /** + * Create a Crypt object with specified salt. Use setPasswd() before + * getEncryptedPasswd(). + * + * @param salt the salt string for encryption + */ + public Crypt(String salt) { + Passwd = ""; + Salt = salt; + Encrypt = crypt(); + } + + /** + * Create a Crypt object with specified passwd and salt (often the + * already encypted passwd). Get the encrypted result with + * getEncryptedPasswd(). + * + * @param passwd the passwd to encrypt + * @param salt the salt string for encryption + */ + public Crypt(String passwd, String salt) { + Passwd = passwd; + Salt = salt; + Encrypt = crypt(); + } + + /** + * Retrieve the passwd string currently being encrypted. + * + * @return the current passwd string + */ + public String getPasswd() { + return Passwd; + } + + /** + * Retrieve the salt string currently being used for encryption. + * + * @return the current salt string + */ + public String getSalt() { + return Salt; + } + + /** + * Retrieve the resulting encrypted string from the current passwd and + * salt settings. + * + * @return the encrypted passwd + */ + public String getEncryptedPasswd() { + return Encrypt; + } + + /** + * Set a new passwd string for encryption. Use getEncryptedPasswd() to + * retrieve the new result. 
+ * + * @param passwd the new passwd string + */ + public void setPasswd(String passwd) { + Passwd = passwd; + Encrypt = crypt(); + } + + /** + * Set a new salt string for encryption. Use getEncryptedPasswd() to + * retrieve the new result. + * + * @param salt the new salt string + */ + public void setSalt(String salt) { + Salt = salt; + Encrypt = crypt(); + } + + // Internal crypt methods: + String crypt() { + if (Salt.length() == 0) + return ""; + int i, j, pwi; + byte c, temp; + byte[] block = new byte[66], iobuf = new byte[16], salt = new byte[2], pw = Passwd.getBytes(), //jdk1.1 + saltbytes = Salt.getBytes(); //jdk1.1 + + // pw = new byte[Passwd.length()], //jdk1.0.2 + // saltbytes = new byte[Salt.length()]; //jdk1.0.2 + //Passwd.getBytes(0,Passwd.length(),pw,0); //jdk1.0.2 + //Salt.getBytes(0,Salt.length(),saltbytes,0); //jdk1.0.2 + + salt[0] = saltbytes[0]; + salt[1] = (saltbytes.length > 1) ? saltbytes[1] : 0; + + for (i = 0; i < 66; i++) + block[i] = 0; + + for (i = 0, pwi = 0; (pwi < pw.length) && (i < 64); pwi++, i++) { + for (j = 0; j < 7; j++, i++) { + block[i] = (byte) ((pw[pwi] >> (6 - j)) & 1); + } + } + + setkey(block); + + for (i = 0; i < 66; i++) + block[i] = 0; + + for (i = 0; i < 2; i++) { + c = salt[i]; + iobuf[i] = c; + if (c > 'Z') + c -= 6; + if (c > '9') + c -= 7; + c -= '.'; + for (j = 0; j < 6; j++) { + if (((c >> j) & 1) != 0) { + temp = E[6 * i + j]; + E[6 * i + j] = E[6 * i + j + 24]; + E[6 * i + j + 24] = temp; + } + } + } + + for (i = 0; i < 25; i++) { + encrypt(block, 0); + } + + for (i = 0; i < 11; i++) { + c = 0; + for (j = 0; j < 6; j++) { + c <<= 1; + c |= block[6 * i + j]; + } + c += '.'; + if (c > '9') + c += 7; + if (c > 'Z') + c += 6; + iobuf[i + 2] = c; + } + + iobuf[i + 2] = 0; + if (iobuf[1] == 0) + iobuf[1] = iobuf[0]; + + return new String(iobuf); //jdk1.1 + //return new String(iobuf,0); //jdk1.0.2 + } + + void setkey(byte[] key) // Set up the key schedule from the key. 
+ { + int i, j, k; + byte t; + + // First, generate C and D by permuting the key. The low order bit + // of each 8-bit char is not used, so C and D are only 28 bits apiece. + for (i = 0; i < 28; i++) { + C[i] = key[PC1_C[i] - 1]; + D[i] = key[PC1_D[i] - 1]; + } + + // To generate Ki, rotate C and D according to schedule + // and pick up a permutation using PC2. + for (i = 0; i < 16; i++) { + // rotate. + for (k = 0; k < shifts[i]; k++) { + t = C[0]; + for (j = 0; j < 27; j++) + C[j] = C[j + 1]; + C[27] = t; + t = D[0]; + for (j = 0; j < 27; j++) + D[j] = D[j + 1]; + D[27] = t; + } + + // get Ki. Note C and D are concatenated. + for (j = 0; j < 24; j++) { + KS[i][j] = C[PC2_C[j] - 1]; + KS[i][j + 24] = D[PC2_D[j] - 29]; + } + } + + for (i = 0; i < 48; i++) { + E[i] = e2[i]; + } + } + + // The payoff: encrypt a block. + void encrypt(byte[] block, int edflag) { + int i, j, ii, t; + byte k; + + // First, permute the bits in the input + //for (j = 0; j < 64; j++) + //{ + // L[j] = block[IP[j]-1]; + //} + for (j = 0; j < 32; j++) + L[j] = block[IP[j] - 1]; + for (j = 32; j < 64; j++) + R[j - 32] = block[IP[j] - 1]; + + // Perform an encryption operation 16 times. + for (ii = 0; ii < 16; ii++) { + i = ii; + // Save the R array, which will be the new L. + for (j = 0; j < 32; j++) + tempL[j] = R[j]; + // Expand R to 48 bits using the E selector; + // exclusive-or with the current key bits. + for (j = 0; j < 48; j++) + preS[j] = (byte) (R[E[j] - 1] ^ KS[i][j]); + + // The pre-select bits are now considered in 8 groups of + // 6 bits each. The 8 selection functions map these 6-bit + // quantities into 4-bit quantities and the results permuted + // to make an f(R, K). The indexing into the selection functions + // is peculiar; it could be simplified by rewriting the tables. 
+ for (j = 0; j < 8; j++) { + t = 6 * j; + k = S[j][(preS[t] << 5) + + (preS[t + 1] << 3) + + (preS[t + 2] << 2) + + (preS[t + 3] << 1) + + (preS[t + 4]) + + (preS[t + 5] << 4)]; + t = 4 * j; + f[t] = (byte) ((k >> 3) & 1); + f[t + 1] = (byte) ((k >> 2) & 1); + f[t + 2] = (byte) ((k >> 1) & 1); + f[t + 3] = (byte) ((k) & 1); + } + + // The new R is L ^ f(R, K). + // The f here has to be permuted first, though. + for (j = 0; j < 32; j++) { + R[j] = (byte) (L[j] ^ f[P[j] - 1]); + } + + // Finally, the new L (the original R) is copied back. + for (j = 0; j < 32; j++) { + L[j] = tempL[j]; + } + } + + // The output L and R are reversed. + for (j = 0; j < 32; j++) { + k = L[j]; + L[j] = R[j]; + R[j] = k; + } + + // The final output gets the inverse permutation of the very original. + for (j = 0; j < 64; j++) { + //block[j] = L[FP[j]-1]; + block[j] = (FP[j] > 32) ? R[FP[j] - 33] : L[FP[j] - 1]; + } + } +} diff --git a/base/common/src/com/netscape/cms/authentication/DNPattern.java b/base/common/src/com/netscape/cms/authentication/DNPattern.java new file mode 100644 index 000000000..480b5b909 --- /dev/null +++ b/base/common/src/com/netscape/cms/authentication/DNPattern.java 
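Review bot: `crypt()` returns `new String(iobuf)` over the entire 16-byte buffer, so the result carries the terminator written by `iobuf[i + 2] = 0` plus two more zero bytes and is 16 characters long rather than the 13-character crypt(3) form; unless every caller strips the trailing NULs, an `equals` against a stored hash will never match. `return new String(iobuf, 0, i + 2, StandardCharsets.US_ASCII);` (importing `java.nio.charset.StandardCharsets`) fixes the length and also removes the platform-default charset dependence that `Passwd.getBytes()` and `Salt.getBytes()` share — a password with non-ASCII characters currently hashes differently depending on the JVM's default encoding, so those two calls should name an explicit charset as well. The class needs a header comment stating that this is the legacy 56-bit DES crypt(3): only the first eight password characters are used (the key-packing loop stops at `i < 64`) and the salt is 12 bits, so it is appropriate only for verifying hashes that already exist in the directory, not for producing new ones. The same comment should note that the per-call working state (`C`, `D`, `E`, `L`, `R`, `tempL`, `f`, `preS`, `KS`) lives in instance fields, so a `Crypt` instance must not be shared between threads, and that `Passwd` keeps the plaintext for the lifetime of the object.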
@@ -0,0 +1,216 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.authentication; + +import java.io.IOException; +import java.io.PushbackReader; +import java.io.StringReader; +import java.util.Vector; + +import netscape.ldap.LDAPEntry; + +import com.netscape.certsrv.authentication.EAuthException; +import com.netscape.certsrv.base.EBaseException; + +/** + * class for parsing a DN pattern used to construct a certificate + * subject name from ldap attributes and dn. + *

+ * + * dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If + * empty or not set, the ldap entry DN will be used as the certificate subject name. + *

+ * + * The syntax is + * + *

+ * 	dnPattern := rdnPattern *[ "," rdnPattern ]
+ * 	rdnPattern := avaPattern *[ "+" avaPattern ]
+ * 		avaPattern := name "=" value | 
+ * 			      name "=" "$attr" "." attrName [ "." attrNumber ] | 
+ * 			      name "=" "$dn" "." attrName [ "." attrNumber ] | 
+ * 			 	  "$dn" "." "$rdn" "." number
+ * 
+ * + *
+ * Example1: E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US 
+ * Ldap entry: dn:  UID=jjames, OU=IS, OU=people, O=acme.org
+ * Ldap attributes: cn: Jesse James 
+ * Ldap attributes: mail: jjames@acme.org
+ * 

+ * The subject name formulated will be :
+ * E=jjames@acme.org, CN=Jesse James, OU=people, O=acme.org, C=US + *

+ * E = the first 'mail' ldap attribute value in user's entry.
+ * CN = the (first) 'cn' ldap attribute value in the user's entry.
+ * OU = the second 'ou' value in the user's entry DN.
+ * O = the (first) 'o' value in the user's entry DN.
+ * C = the string "US" + *

+ * Example2: E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US + * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org + * Ldap attributes: cn: Jesse James + * Ldap attributes: mail: jjames@acme.org + *

+ * The subject name formulated will be :
+ * E=jjames@acme.org, CN=Jesse James, OU=people, O=acme.org, C=US + *

+ * E = the first 'mail' ldap attribute value in user's entry.
+ * CN = the (first) 'cn' ldap attribute value in the user's entry.
+ * OU = the second 'ou' value in the user's entry DN. note multiple AVAs + * in a RDN in this example.
+ * O = the (first) 'o' value in the user's entry DN.
+ * C = the string "US" + *

+ *

+ * + *
+ * Example3: CN=$attr.cn, $rdn.2, O=$dn.o, C=US
+ * Ldap entry: dn:  UID=jjames, OU=IS+OU=people, O=acme.org
+ * Ldap attributes: cn: Jesse James 
+ * Ldap attributes: mail: jjames@acme.org
+ * 

+ * The subject name formulated will be :
+ * CN=Jesse James, OU=IS+OU=people, O=acme.org, C=US + *

+ * CN = the (first) 'cn' ldap attribute value in the user's entry.
+ * followed by the second RDN in the user's entry DN.
+ * O = the (first) 'o' value in the user's entry DN.
+ * C = the string "US" + *

+ * Example4: CN=$attr.cn, OU=$dn.ou.2+OU=$dn.ou.1, O=$dn.o, C=US + * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org + * Ldap attributes: cn: Jesse James + * Ldap attributes: mail: jjames@acme.org + *

+ * The subject name formulated will be :
+ * CN=Jesse James, OU=people+OU=IS, O=acme.org, C=US + *

+ * CN = the (first) 'cn' ldap attribute value in the user's entry.
+ * OU = the second 'ou' value in the user's entry DN followed by the + * first 'ou' value in the user's entry. note multiple AVAs + * in a RDN in this example.
+ * O = the (first) 'o' value in the user's entry DN.
+ * C = the string "US" + *

+ *

+ * + * If an attribute or subject DN component does not exist the attribute is skipped. + * + * @version $Revision$, $Date$ + */ +public class DNPattern { + + /* ldap attributes to retrieve */ + private String[] mLdapAttrs = null; + + /* rdn patterns */ + protected RDNPattern[] mRDNPatterns = null; + + /* original pattern string */ + protected String mPatternString = null; + + protected String mTestDN = null; + + /** + * Construct a DN pattern by parsing a pattern string. + * + * @param pattern the DN pattern + * @exception EBaseException If parsing error occurs. + */ + public DNPattern(String pattern) + throws EAuthException { + if (pattern == null || pattern.equals("")) { + // create an attribute list that is the dn. + mLdapAttrs = new String[] { "dn" }; + } else { + mPatternString = pattern; + PushbackReader in = new PushbackReader(new StringReader(pattern)); + + parse(in); + } + } + + public DNPattern(PushbackReader in) + throws EAuthException { + parse(in); + } + + private void parse(PushbackReader in) + throws EAuthException { + Vector rdnPatterns = new Vector(); + RDNPattern rdnPattern = null; + int lastChar = -1; + + do { + rdnPattern = new RDNPattern(in); + rdnPatterns.addElement(rdnPattern); + try { + lastChar = in.read(); + } catch (IOException e) { + throw new EAuthException("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()); + } + } while (lastChar == ','); + + mRDNPatterns = new RDNPattern[rdnPatterns.size()]; + rdnPatterns.copyInto(mRDNPatterns); + + Vector ldapAttrs = new Vector(); + + for (int i = 0; i < mRDNPatterns.length; i++) { + String[] rdnAttrs = mRDNPatterns[i].getLdapAttrs(); + + if (rdnAttrs != null && rdnAttrs.length > 0) + for (int j = 0; j < rdnAttrs.length; j++) + ldapAttrs.addElement(rdnAttrs[j]); + } + mLdapAttrs = new String[ldapAttrs.size()]; + ldapAttrs.copyInto(mLdapAttrs); + } + + /** + * Form a Ldap v3 DN string from results of a ldap search. 
+ * + * @param entry LDAPentry from a ldap search + * @return Ldap v3 DN string to use for a subject name. + */ + public String formDN(LDAPEntry entry) + throws EAuthException { + StringBuffer formedDN = new StringBuffer(); + + for (int i = 0; i < mRDNPatterns.length; i++) { + if (mTestDN != null) + mRDNPatterns[i].mTestDN = mTestDN; + String rdn = mRDNPatterns[i].formRDN(entry); + + if (rdn != null) { + if (rdn != null && rdn.length() != 0) { + if (formedDN.length() != 0) + formedDN.append(","); + formedDN.append(rdn); + } + } + } + //System.out.println("formed DN "+formedDN.toString()); + return formedDN.toString(); + } + + public String[] getLdapAttrs() { + return (String[]) mLdapAttrs.clone(); + } +} diff --git a/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java b/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java new file mode 100644 index 000000000..da8d5bd51 --- /dev/null +++ b/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java 
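Review bot: `formDN` dereferences `mRDNPatterns` unconditionally, but the `DNPattern(String)` constructor leaves it null when the pattern is null or empty (only `mLdapAttrs` is set to `{"dn"}`), so the documented "use the ldap entry DN as the subject name" case ends in a NullPointerException; add `if (mRDNPatterns == null) return entry.getDN();` at the top of `formDN`. The DirBasedAuthentication hunk further down substitutes `DEFAULT_DNPATTERN` before constructing, so that caller may never reach the path, but the class contract still promises it. In the loop, the inner `if (rdn != null && rdn.length() != 0)` repeats the enclosing null test and the two can collapse into one condition. Because the subject DN is assembled here from directory attribute values that may be user-modifiable (the examples use `mail`), each RDN must be escaped per RFC 4514 before being joined with `","`; `RDNPattern.formRDN` is outside this hunk, so confirm it escapes, otherwise a value containing `,` or `+` changes the structure of the issued subject name. The constructor Javadoc also declares `@exception EBaseException` while the signature throws `EAuthException`.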
@@ -0,0 +1,676 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.authentication; + +// ldap java sdk +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Date; +import java.util.Enumeration; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.CertificateValidity; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.EAuthException; +import com.netscape.certsrv.authentication.EFormSubjectDN; +import com.netscape.certsrv.authentication.EInvalidCredentials; +import com.netscape.certsrv.authentication.EMissingCredential; +import com.netscape.certsrv.authentication.IAuthCredentials; +import 
com.netscape.certsrv.authentication.IAuthManager; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.EPropertyNotFound; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.ldap.ILdapConnFactory; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.cmsutil.util.Utils; + +/** + * Abstract class for directory based authentication managers + * Uses a pattern for formulating subject names. + * The pattern is read from configuration file. + * Syntax of the pattern is described in the init() method. + * + *

+ * + * @version $Revision$, $Date$ + */ +public abstract class DirBasedAuthentication + implements IAuthManager, IExtendedPluginInfo { + + protected static final String USER_DN = "userDN"; + + /* configuration parameter keys */ + protected static final String PROP_LDAP = "ldap"; + protected static final String PROP_BASEDN = "basedn"; + protected static final String PROP_DNPATTERN = "dnpattern"; + protected static final String PROP_LDAPSTRINGATTRS = "ldapStringAttributes"; + protected static final String PROP_LDAPBYTEATTRS = "ldapByteAttributes"; + + // members + + /* name of this authentication manager instance */ + protected String mName = null; + + /* name of the authentication manager plugin */ + protected String mImplName = null; + + /* configuration store */ + protected IConfigStore mConfig; + + /* ldap configuration sub-store */ + protected IConfigStore mLdapConfig; + + /* ldap base dn */ + protected String mBaseDN = null; + + /* factory of anonymous ldap connections */ + protected ILdapConnFactory mConnFactory = null; + + /* the system logger */ + protected ILogger mLogger = CMS.getLogger(); + + /* the subject DN pattern */ + protected DNPattern mPattern = null; + + /* the list of LDAP attributes with string values to retrieve to + * save in the auth token including ones from the dn pattern. */ + protected String[] mLdapStringAttrs = null; + + /* the list of LDAP attributes with byte[] values to retrive to save + * in authtoken. 
*/ + protected String[] mLdapByteAttrs = null; + + /* the combined list of LDAP attriubutes to retrieve*/ + protected String[] mLdapAttrs = null; + + /* default dn pattern if left blank or not set in the config */ + protected static String DEFAULT_DNPATTERN = + "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c"; + + /* Vector of extendedPluginInfo strings */ + protected static Vector mExtendedPluginInfo = null; + + static { + mExtendedPluginInfo = new Vector(); + mExtendedPluginInfo.add(PROP_DNPATTERN + ";string;Template for cert" + + " Subject Name. ($dn.xxx - get value from user's LDAP " + + "DN. $attr.yyy - get value from LDAP attributes in " + + "user's entry.) Default: " + DEFAULT_DNPATTERN); + mExtendedPluginInfo.add(PROP_LDAPSTRINGATTRS + ";string;" + + "Comma-separated list of LDAP attributes to copy from " + + "the user's LDAP entry into the AuthToken. e.g use " + + "'mail' to copy user's email address for subjectAltName"); + mExtendedPluginInfo.add(PROP_LDAPBYTEATTRS + ";string;" + + "Comma-separated list of binary LDAP attributes to copy" + + " from the user's LDAP entry into the AuthToken"); + mExtendedPluginInfo.add("ldap.ldapconn.host;string,required;" + + "LDAP host to connect to"); + mExtendedPluginInfo.add("ldap.ldapconn.port;number,required;" + + "LDAP port number (use 389, or 636 if SSL)"); + mExtendedPluginInfo.add("ldap.ldapconn.secureConn;boolean;" + + "Use SSL to connect to directory?"); + mExtendedPluginInfo.add("ldap.ldapconn.version;choice(3,2);" + + "LDAP protocol version"); + mExtendedPluginInfo.add("ldap.basedn;string,required;Base DN to start searching " + + "under. If your user's DN is 'uid=jsmith, o=company', you " + + "might want to use 'o=company' here"); + mExtendedPluginInfo.add("ldap.minConns;number;number of connections " + + "to keep open to directory server. Default 5."); + mExtendedPluginInfo.add("ldap.maxConns;number;when needed, connection " + + "pool can grow to this many (multiplexed) connections. 
Default 1000."); + } + + /** + * Default constructor, initialization must follow. + */ + public DirBasedAuthentication() { + } + + /** + * Initializes the UidPwdDirBasedAuthentication auth manager. + * + * Takes the following configuration parameters:
+ * + *

+     * 	ldap.basedn             - the ldap base dn.
+     * 	ldap.ldapconn.host      - the ldap host.
+     * 	ldap.ldapconn.port      - the ldap port 
+     * 	ldap.ldapconn.secureConn - whether port should be secure 
+     * 	ldap.minConns           - minimum connections
+     * 	ldap.maxConns           - max connections
+     * 	dnpattern               - dn pattern.
+     * 
+ *

+ * dnpattern is a string representing a subject name pattern to formulate from the directory + * attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name. + *

+ * The syntax is + * + *

+     *     dnpattern = SubjectNameComp *[ "," SubjectNameComp ]
+     * 
+     *     SubjectNameComponent = DnComp | EntryComp | ConstantComp  
+     *     DnComp = CertAttr "=" "$dn" "." DnAttr "." Num
+     *     EntryComp = CertAttr "=" "$attr" "." EntryAttr "." Num
+     *     ConstantComp = CertAttr "=" Constant
+     *     DnAttr    =  an attribute in the Ldap entry dn
+     *     EntryAttr =  an attribute in the Ldap entry 
+     *     CertAttr  =  a Component in the Certificate Subject Name
+     *                  (multiple AVA in one RDN not supported) 
+     *     Num       =  the nth value of tha attribute  in the dn or entry.
+     *     Constant  =  Constant String, with any accepted ldap string value.
+     * 
+     * 
+ *

+ * Example: + * + *

+     * dnpattern: 
+     *     E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US
+     * 
+ * Ldap entry dn: + * UID=joesmith, OU=people, O=Acme.com + *
+ * Ldap attributes: + * cn: Joe Smith + * sn: Smith + * mail: joesmith@acme.com + * mail: joesmith@redhat.com + * ou: people + * ou: IS + * etc. + *
+ *

+ * The subject name formulated in the cert will be :
+ * + *

+     *   E=joesmith@acme.com, CN=Joe Smith, OU=Human Resources, O=Acme.com, C=US
+     *   
+     *      E = the first 'mail' ldap attribute value in user's entry - joesmithe@acme.com 
+     *      CN = the (first) 'cn' ldap attribute value in the user's entry - Joe Smith 
+     *      OU = the second 'ou' value in the ldap entry - IS
+     *      O = the (first) 'o' value in the user's entry DN - "Acme.com" 
+     *      C = the constant string "US"
+     * 
+ * + * @param name The name for this authentication manager instance. + * @param implName The name of the authentication manager plugin. + * @param config - The configuration store for this instance. + * @exception EBaseException If an error occurs during initialization. + */ + public void init(String name, String implName, IConfigStore config) + throws EBaseException { + init(name, implName, config, true); + } + + public void init(String name, String implName, IConfigStore config, boolean needBaseDN) + throws EBaseException { + mName = name; + mImplName = implName; + mConfig = config; + + /* initialize ldap server configuration */ + mLdapConfig = mConfig.getSubStore(PROP_LDAP); + if (needBaseDN) + mBaseDN = mLdapConfig.getString(PROP_BASEDN); + if (needBaseDN && ((mBaseDN == null) || (mBaseDN.length() == 0) || (mBaseDN.trim().equals("")))) + throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "basedn")); + mConnFactory = CMS.getLdapAnonConnFactory(); + mConnFactory.init(mLdapConfig); + + /* initialize dn pattern */ + String pattern = mConfig.getString(PROP_DNPATTERN, null); + + if (pattern == null || pattern.length() == 0) + pattern = DEFAULT_DNPATTERN; + mPattern = new DNPattern(pattern); + String[] patternLdapAttrs = mPattern.getLdapAttrs(); + + /* initialize ldap string attribute list */ + String ldapStringAttrs = mConfig.getString(PROP_LDAPSTRINGATTRS, null); + + if (ldapStringAttrs == null) { + mLdapStringAttrs = patternLdapAttrs; + } else { + StringTokenizer pAttrs = + new StringTokenizer(ldapStringAttrs, ",", false); + int begin = 0; + + if (patternLdapAttrs != null && patternLdapAttrs.length > 0) { + mLdapStringAttrs = new String[ + patternLdapAttrs.length + pAttrs.countTokens()]; + System.arraycopy(patternLdapAttrs, 0, + mLdapStringAttrs, 0, patternLdapAttrs.length); + begin = patternLdapAttrs.length; + } else { + mLdapStringAttrs = new String[pAttrs.countTokens()]; + } + for (int i = begin; i < mLdapStringAttrs.length; i++) { 
+ mLdapStringAttrs[i] = ((String) pAttrs.nextElement()).trim(); + } + } + + /* initialize ldap byte[] attribute list */ + String ldapByteAttrs = mConfig.getString(PROP_LDAPBYTEATTRS, null); + + if (ldapByteAttrs == null) { + mLdapByteAttrs = new String[0]; + } else { + StringTokenizer byteAttrs = + new StringTokenizer(ldapByteAttrs, ",", false); + + mLdapByteAttrs = new String[byteAttrs.countTokens()]; + for (int j = 0; j < mLdapByteAttrs.length; j++) { + mLdapByteAttrs[j] = ((String) byteAttrs.nextElement()).trim(); + } + } + + /* make the combined list */ + mLdapAttrs = + new String[mLdapStringAttrs.length + mLdapByteAttrs.length]; + System.arraycopy(mLdapStringAttrs, 0, mLdapAttrs, + 0, mLdapStringAttrs.length); + System.arraycopy(mLdapByteAttrs, 0, mLdapAttrs, + mLdapStringAttrs.length, mLdapByteAttrs.length); + + log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_INIT_DONE")); + } + + /** + * gets the name of this authentication manager instance + */ + public String getName() { + return mName; + } + + /** + * gets the plugin name of this authentication manager. + */ + public String getImplName() { + return mImplName; + } + + /** + * Authenticates user through LDAP by a set of credentials. + * Resulting AuthToken a TOKEN_CERTINFO field of a X509CertInfo + *

+ * + * @param authCred Authentication credentials, CRED_UID and CRED_PWD. + * @return A AuthToken with a TOKEN_SUBJECT of X500name type. + * @exception com.netscape.certsrv.authentication.EMissingCredential + * If a required authentication credential is missing. + * @exception com.netscape.certsrv.authentication.EInvalidCredentials + * If credentials failed authentication. + * @exception com.netscape.certsrv.base.EBaseException + * If an internal error occurred. + * @see com.netscape.certsrv.authentication.AuthToken + */ + public IAuthToken authenticate(IAuthCredentials authCred) + throws EMissingCredential, EInvalidCredentials, EBaseException { + String userdn = null; + LDAPConnection conn = null; + AuthToken authToken = new AuthToken(this); + + try { + if (mConnFactory == null) { + conn = null; + } else { + conn = mConnFactory.getConn(); + } + + // authenticate the user and get a user entry. + userdn = authenticate(conn, authCred, authToken); + authToken.set(USER_DN, userdn); + + // formulate the cert info. + // set each seperatly since otherwise they won't serialize + // in the request queue. + X509CertInfo certInfo = new X509CertInfo(); + + formCertInfo(conn, userdn, certInfo, authToken); + + // set subject name. + try { + CertificateSubjectName subjectname = (CertificateSubjectName) + certInfo.get(X509CertInfo.SUBJECT); + + if (subjectname != null) + authToken.set(AuthToken.TOKEN_CERT_SUBJECT, + subjectname.toString()); + } // error means it's not set. + catch (CertificateException e) { + } catch (IOException e) { + } + + // set validity if any + try { + CertificateValidity validity = (CertificateValidity) + certInfo.get(X509CertInfo.VALIDITY); + + if (validity != null) { + // the gets throws IOException but only if attribute + // not recognized. In these cases they are always. 
+ authToken.set(AuthToken.TOKEN_CERT_NOTBEFORE, + (Date) validity.get(CertificateValidity.NOT_BEFORE)); + authToken.set(AuthToken.TOKEN_CERT_NOTAFTER, + (Date) validity.get(CertificateValidity.NOT_AFTER)); + } + } // error means it's not set. + catch (CertificateException e) { + } catch (IOException e) { + } + + // set extensions if any. + try { + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + + if (extensions != null) + authToken.set(AuthToken.TOKEN_CERT_EXTENSIONS, extensions); + } // error means it's not set. + catch (CertificateException e) { + } catch (IOException e) { + } + + } finally { + if (conn != null) + mConnFactory.returnConn(conn); + } + + return authToken; + } + + /** + * get the list of required credentials. + * + * @return list of required credentials as strings. + */ + public abstract String[] getRequiredCreds(); + + /** + * Returns a list of configuration parameter names. + * The list is passed to the configuration console so instances of + * this implementation can be configured through the console. + * + * @return String array of configuration parameter names. + */ + public abstract String[] getConfigParams(); + + /** + * disconnects the ldap connections + */ + public void shutdown() { + try { + if (mConnFactory != null) { + mConnFactory.reset(); + mConnFactory = null; + } + } catch (ELdapException e) { + // ignore + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_SHUTDOWN_ERROR", e.toString())); + } + } + + /** + * Gets the configuration substore used by this authentication manager + * + * @return configuration store + */ + public IConfigStore getConfigStore() { + return mConfig; + } + + /** + * Authenticates a user through directory based a set of credentials. + * + * @param authCreds The authentication credentials. + * @return The user's ldap entry dn. + * @exception EInvalidCredentials If the uid and password are not valid + * @exception EBaseException If an internal error occurs. 
+ */ + protected abstract String authenticate( + LDAPConnection conn, IAuthCredentials authCreds, AuthToken token) + throws EBaseException; + + /** + * Formulate the cert info. + * + * @param conn A LDAP Connection authenticated to user to use. + * @param userdn The user's dn. + * @param certinfo A certinfo object to fill. + * @param token A authentication token to fill. + * @exception EBaseException If an internal error occurs. + */ + protected void formCertInfo(LDAPConnection conn, + String userdn, + X509CertInfo certinfo, + AuthToken token) + throws EBaseException { + String dn = null; + // get ldap attributes to retrieve. + String[] attrs = getLdapAttrs(); + + // retrieve the attributes. + try { + if (conn != null) { + LDAPEntry entry = null; + LDAPSearchResults results = + conn.search(userdn, LDAPv2.SCOPE_BASE, "objectclass=*", + attrs, false); + + if (!results.hasMoreElements()) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_ATTR_ERROR")); + throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_LDAPATTRIBUTES_NOT_FOUND")); + } + entry = results.next(); + + // formulate the subject dn + try { + dn = formSubjectName(entry); + } catch (EBaseException e) { + //e.printStackTrace(); + throw e; + } + // Put selected values from the entry into the token + setAuthTokenValues(entry, token); + } else { + dn = userdn; + } + + // add anything else in cert info such as validity, extensions + // (nothing now) + + // pack the dn into X500name and set subject name. 
+ if (dn.length() == 0) { + EBaseException ex = + new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_EMPTY_DN_FORMED", mName)); + + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_DN_ERROR", ex.toString())); + throw ex; + } + X500Name subjectdn = new X500Name(dn); + + certinfo.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(subjectdn)); + } catch (LDAPException e) { + switch (e.getLDAPResultCode()) { + case LDAPException.SERVER_DOWN: + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_AUTH_ATTR_ERROR")); + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); + + case LDAPException.NO_SUCH_OBJECT: + case LDAPException.LDAP_PARTIAL_RESULTS: + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_USER_ENTRY_ERROR", userdn)); + + // fall to below. + default: + log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.toString())); + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", + e.errorCodeToString())); + } + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_CREATE_SUBJECT_ERROR", userdn, e.getMessage())); + throw new EFormSubjectDN(CMS.getUserMessage("CMS_AUTHENTICATION_FORM_SUBJECTDN_ERROR")); + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_CREATE_CERTINFO_ERROR", userdn, e.getMessage())); + throw new EFormSubjectDN(CMS.getUserMessage("CMS_AUTHENTICATION_FORM_SUBJECTDN_ERROR")); + } + } + + /** + * Copy values from the LDAPEntry into the AuthToken. The + * list of values that should be store this way is given in + * a the ldapAttributes configuration parameter. 
+ */ + protected void setAuthTokenValues(LDAPEntry e, AuthToken tok) { + for (int i = 0; i < mLdapStringAttrs.length; i++) + setAuthTokenStringValue(mLdapStringAttrs[i], e, tok); + for (int j = 0; j < mLdapByteAttrs.length; j++) + setAuthTokenByteValue(mLdapByteAttrs[j], e, tok); + } + + protected void setAuthTokenStringValue( + String name, LDAPEntry entry, AuthToken tok) { + LDAPAttribute values = entry.getAttribute(name); + + if (values == null) + return; + + Vector v = new Vector(); + @SuppressWarnings("unchecked") + Enumeration e = values.getStringValues(); + + while (e.hasMoreElements()) { + v.addElement(e.nextElement()); + } + + String a[] = new String[v.size()]; + + v.copyInto(a); + + tok.set(name, a); + } + + protected void setAuthTokenByteValue( + String name, LDAPEntry entry, AuthToken tok) { + LDAPAttribute values = entry.getAttribute(name); + + if (values == null) + return; + + Vector v = new Vector(); + @SuppressWarnings("unchecked") + Enumeration e = values.getByteValues(); + + while (e.hasMoreElements()) { + v.addElement(e.nextElement()); + } + + byte[][] a = new byte[v.size()][]; + + v.copyInto(a); + + tok.set(name, a); + } + + /** + * Return a list of LDAP attributes with String values to retrieve. + * Subclasses can override to return any set of attributes. + * + * @return Array of LDAP attributes to retrieve from the directory. + */ + protected String[] getLdapAttrs() { + return mLdapAttrs; + } + + /** + * Return a list of LDAP attributes with byte[] values to retrieve. + * Subclasses can override to return any set of attributes. + * + * @return Array of LDAP attributes to retrieve from the directory. + */ + protected String[] getLdapByteAttrs() { + return mLdapByteAttrs; + } + + /** + * Formulate the subject name + * + * @param entry The LDAP entry + * @return The subject name string. + * @exception EBaseException If an internal error occurs. 
+ */ + protected String formSubjectName(LDAPEntry entry) + throws EAuthException { + if (mPattern.mPatternString == null) + return entry.getDN(); + + /* + if (mTestDNString != null) { + mPattern.mTestDN = mTestDNString; + //System.out.println("Set DNPattern.mTestDN to "+mPattern.mTestDN); + } + */ + + String dn = mPattern.formDN(entry); + + CMS.debug("DirBasedAuthentication: formed DN '" + dn + "'"); + return dn; + } + + /** + * Logs a message for this class in the system log file. + * + * @param level The log level. + * @param msg The message to log. + * @see com.netscape.certsrv.logging.ILogger + */ + protected void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, + level, msg); + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo); + + return s; + + } + +} diff --git a/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java b/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java new file mode 100644 index 000000000..f60110b0b --- /dev/null +++ b/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java 
@@ -0,0 +1,686 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.authentication; + +// ldap java sdk +import java.io.BufferedReader; +import java.io.BufferedWriter; +import java.io.File; +import java.io.FileReader; +import java.io.FileWriter; +import java.io.IOException; +import java.text.SimpleDateFormat; +import java.util.Date; +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Locale; +import java.util.StringTokenizer; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.EInvalidCredentials; +import com.netscape.certsrv.authentication.EMissingCredential; +import com.netscape.certsrv.authentication.IAuthCredentials; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.EPropertyNotFound; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileAuthenticator; +import 
com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This represents the authentication manager that authenticates + * user against a file where id, and password are stored. + * + * @version $Revision$, $Date$ + */ +public class FlatFileAuth + implements IProfileAuthenticator, IExtendedPluginInfo { + + /* configuration parameter keys */ + protected static final String PROP_FILENAME = "fileName"; + protected static final String PROP_KEYATTRIBUTES = "keyAttributes"; + protected static final String PROP_AUTHATTRS = "authAttributes"; + protected static final String PROP_DEFERONFAILURE = "deferOnFailure"; + + protected String mFilename = "config/pwfile"; + protected long mFileLastRead = 0; + protected String mKeyAttributes = "UID"; + protected String mAuthAttrs = "PWD"; + protected boolean mDeferOnFailure = true; + private static final String DATE_PATTERN = "yyyy-MM-dd-HH-mm-ss"; + private static SimpleDateFormat mDateFormat = new SimpleDateFormat(DATE_PATTERN); + + protected static String[] mConfigParams = + new String[] { + PROP_FILENAME, + PROP_KEYATTRIBUTES, + PROP_AUTHATTRS, + PROP_DEFERONFAILURE + }; + + public String[] getExtendedPluginInfo(Locale locale) { + String s[] = { + PROP_FILENAME + ";string;Pathname of password file", + PROP_KEYATTRIBUTES + ";string;Comma-separated list of attributes" + + " which together form a unique identifier for the user", + PROP_AUTHATTRS + ";string;Comma-separated list of attributes" + + " which are used for further authentication", + PROP_DEFERONFAILURE + ";boolean;if user is not found, defer the " + + "request to the queue for manual-authentication (true), or " + + "simply rejected the request (false)" + }; + + return s; + } + + /** name of this authentication manager instance */ + protected String mName = null; + + protected String FFAUTH = "FlatFileAuth"; + + /** name of the authentication manager plugin */ + protected String mImplName = null; + + /** configuration store */ + 
protected IConfigStore mConfig = null; + + /** system logger */ + protected ILogger mLogger = CMS.getLogger(); + + /** + * This array is created as to include all the requested attributes + * + */ + String[] reqCreds = null; + + String[] authAttrs = null; + String[] keyAttrs = null; + + /** + * Hashtable of entries from Auth File. Hash index is the + * concatenation of the attributes from matchAttributes property + */ + protected Hashtable> entries = null; + + /** + * Get the named property + * If the property is not set, use s as the default, and create + * a new value for the property in the config file. + * + * @param propertyName Property name + * @param s The default value of the property + */ + protected String getPropertyS(String propertyName, String s) + throws EBaseException { + String p; + + try { + p = mConfig.getString(propertyName); + } catch (EPropertyNotFound e) { + mConfig.put(propertyName, s); + p = s; + } + return p; + } + + public boolean isSSLClientRequired() { + return false; + } + + /** + * Get the named property, + * If the property is not set, use b as the default, and create + * a new value for the property in the config file. + * + * @param propertyName Property name + * @param b The default value of the property + */ + protected boolean getPropertyB(String propertyName, boolean b) + throws EBaseException { + boolean p; + + try { + p = mConfig.getBoolean(propertyName); + } catch (EPropertyNotFound e) { + mConfig.put(propertyName, b ? 
"true" : "false"); + p = b; + } + return p; + } + + public void init(String name, String implName, IConfigStore config) + throws EBaseException { + mName = name; + mImplName = implName; + mConfig = config; + + try { + mFilename = getPropertyS(PROP_FILENAME, mFilename); + mKeyAttributes = getPropertyS(PROP_KEYATTRIBUTES, mKeyAttributes); + mAuthAttrs = getPropertyS(PROP_AUTHATTRS, mAuthAttrs); + mDeferOnFailure = getPropertyB(PROP_DEFERONFAILURE, mDeferOnFailure); + } catch (EBaseException e) { + return; + } + + keyAttrs = splitOnComma(mKeyAttributes); + authAttrs = splitOnComma(mAuthAttrs); + + String[][] stringArrays = new String[2][]; + + stringArrays[0] = keyAttrs; + stringArrays[1] = authAttrs; + reqCreds = unionOfStrings(stringArrays); + + print("mFilename = " + mFilename); + print("mKeyAttributes = " + mKeyAttributes); + print("mAuthAttrs = " + mAuthAttrs); + for (int i = 0; i < stringArrays.length; i++) { + for (int j = 0; j < stringArrays[i].length; j++) { + print("stringArrays[" + i + "][" + j + "] = " + stringArrays[i][j]); + } + } + + try { + File file = new File(mFilename); + + mFileLastRead = file.lastModified(); + entries = readFile(file, keyAttrs); + CMS.debug("FlatFileAuth: " + CMS.getLogMessage("CMS_AUTH_READ_ENTRIES", mFilename)); + // printAllEntries(); + } catch (IOException e) { + throw new EBaseException(mName + + " authentication: Could not open file " + mFilename + " (" + e.getMessage() + ")"); + } catch (java.lang.StringIndexOutOfBoundsException ee) { + CMS.debug("FlatFileAuth: " + CMS.getLogMessage("OPERATION_ERROR", ee.toString())); + } + + } + + /** + * Log a message. + * + * @param level The logging level. + * @param msg The message to log. 
+ */ + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, + level, msg); + } + + void print(String s) { + CMS.debug("FlatFileAuth: " + s); + } + + /** + * Return a string array which is the union of all the string arrays + * passed in. The strings are treated as case sensitive + */ + + public String[] unionOfStrings(String[][] stringArrays) { + Hashtable ht = new Hashtable(); + + for (int i = 0; i < stringArrays.length; i++) { + String[] sa = stringArrays[i]; + + for (int j = 0; j < sa.length; j++) { + print("unionOfStrings: " + i + "," + j + " = " + sa[j]); + ht.put(sa[j], ""); + } + } + + String[] s = new String[ht.size()]; + Enumeration e = ht.keys(); + + for (int i = 0; e.hasMoreElements(); i++) { + s[i] = e.nextElement(); + } + return s; + + } + + /** + * Split a comma-delimited String into an array of individual + * Strings. + */ + private String[] splitOnComma(String s) { + print("Splitting String: " + s + " on commas"); + StringTokenizer st = new StringTokenizer(s, ",", false); + String[] sa = new String[st.countTokens()]; + + print(" countTokens:" + st.countTokens()); + + for (int i = 0; i < sa.length; i++) { + String p = st.nextToken().trim(); + + print(" token " + i + " = " + p); + sa[i] = p; + } + + return sa; + } + + /** + * Join an array of Strings into one string, with + * the specified string between each string + */ + + private String joinStringArray(String[] s, String sep) { + + StringBuffer sb = new StringBuffer(); + for (int i = 0; i < s.length; i++) { + sb.append(s[i]); + if (i < (s.length - 1)) { + sb.append(sep); + } + } + return sb.toString(); + } + + private synchronized void updateFile(String key) { + try { + String name = writeFile(key); + if (name != null) { + File orgFile = new File(mFilename); + long lastModified = orgFile.lastModified(); + File newFile = new File(name); + if (lastModified > mFileLastRead) { + mFileLastRead = lastModified; + } else 
{ + mFileLastRead = newFile.lastModified(); + } + if (orgFile.renameTo(new File(name.substring(0, name.length() - 1)))) { + if (!newFile.renameTo(new File(mFilename))) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("RENAME_FILE_ERROR", name, mFilename)); + File file = new File(name.substring(0, name.length() - 1)); + file.renameTo(new File(mFilename)); + } + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("RENAME_FILE_ERROR", mFilename, + name.substring(0, name.length() - 1))); + } + } + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("FILE_ERROR", e.getMessage())); + } + } + + private String writeFile(String key) { + BufferedReader reader = null; + BufferedWriter writer = null; + String name = null; + boolean commentOutNextLine = false; + boolean done = false; + String line = null; + try { + reader = new BufferedReader(new FileReader(mFilename)); + name = mFilename + "." + mDateFormat.format(new Date()) + "~"; + writer = new BufferedWriter(new FileWriter(name)); + if (reader != null && writer != null) { + while ((line = reader.readLine()) != null) { + if (commentOutNextLine) { + writer.write("#"); + commentOutNextLine = false; + } + if (line.indexOf(key) > -1) { + writer.write("#"); + commentOutNextLine = true; + } + writer.write(line); + writer.newLine(); + } + done = true; + } + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("FILE_ERROR", e.getMessage())); + } + + try { + if (reader != null) { + reader.close(); + } + if (writer != null) { + writer.flush(); + writer.close(); + } + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("FILE_ERROR", e.getMessage())); + } + + try { + if (!done) { + long s1 = 0; + long s2 = 0; + File f1 = new File(mFilename); + File f2 = new File(name); + if (f1.exists()) + s1 = f1.length(); + if (f2.exists()) + s2 = f2.length(); + if (s1 > 0 && s2 > 0 && s2 > s1) { + done = true; + } else { + if (f2.exists()) + f2.delete(); + name = null; + } + } + } catch (Exception e) { + 
log(ILogger.LL_FAILURE, CMS.getLogMessage("FILE_ERROR", e.getMessage())); + } + + return name; + } + + /** + * Read a file with the following format: + *

+ * + *

+     * param1: valuea
+     * param2: valueb
+     * -blank-line-
+     * param1: valuec
+     * param2: valued
+     * 
+ * + * @param f The file to read + * @param keys The parameters to concat together to form the hash + * key + * @return a hashtable of hashtables. + */ + protected Hashtable> readFile(File f, String[] keys) + throws IOException { + log(ILogger.LL_INFO, "Reading file: " + f.getName()); + BufferedReader file = new BufferedReader( + new FileReader(f) + ); + + String line; + Hashtable> allusers = new Hashtable>(); + Hashtable entry = null; + int linenum = 0; + + while ((line = file.readLine()) != null) { + linenum++; + line = line.trim(); + if (line.length() > 0 && line.charAt(0) == '#') { + continue; + } + int colon = line.indexOf(':'); + + if (entry == null) { + entry = new Hashtable(); + } + + if (colon == -1) { // no colon -> empty line signifies end of record + if (!line.trim().equals("")) { + if (file != null) { + file.close(); + } + throw new IOException(FFAUTH + ": Parsing error, " + + "colon missing from line " + linenum + " of " + f.getName()); + } + if (entry.size() > 0) { + putEntry(allusers, entry, keys); + entry = null; + } + continue; + } + + String attr = line.substring(0, colon).trim(); + String val = line.substring(colon + 1).trim(); + + entry.put(attr, val); + } + + putEntry(allusers, entry, keys); + if (file != null) { + file.close(); + } + return allusers; + } + + private void putEntry(Hashtable> allUsers, + Hashtable entry, + String[] keys) { + if (entry == null) { + return; + } + String key = ""; + + print("keys.length = " + keys.length); + for (int i = 0; i < keys.length; i++) { + String s = entry.get(keys[i]); + + print(" concatenating: " + s); + if (s != null) { + key = key.concat(s); + } + } + print("putting: key " + key); + allUsers.put(key, entry); + } + + void printAllEntries() { + Enumeration e = entries.keys(); + + while (e.hasMoreElements()) { + String key = e.nextElement(); + + print("* " + key + " *"); + Hashtable ht = entries.get(key); + Enumeration f = ht.keys(); + + while (f.hasMoreElements()) { + String fkey = f.nextElement(); + 
+ print(" " + fkey + " -> " + ht.get(fkey)); + } + } + } + + /** + * Compare attributes provided by the user with those in + * in flat file. + * + */ + + private IAuthToken doAuthentication(Hashtable user, IAuthCredentials authCred) + throws EMissingCredential, EInvalidCredentials, EBaseException { + AuthToken authToken = new AuthToken(this); + + for (int i = 0; i < authAttrs.length; i++) { + String ffvalue = (String) user.get(authAttrs[i]); + String uservalue = (String) authCred.get(authAttrs[i]); + + // print("checking authentication token (" + authAttrs[i] + ": " + uservalue + " against ff value: " + ffvalue); + if (!ffvalue.equals(uservalue)) { + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + } + return authToken; + } + + private void reReadPwFile() { + + try { + File file = new File(mFilename); + long pwfilelastmodified = file.lastModified(); + + if (pwfilelastmodified > mFileLastRead) { + mFileLastRead = pwfilelastmodified; + entries = readFile(file, keyAttrs); + // printAllEntries(); + } + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("READ_FILE_ERROR", mFilename, e.getMessage())); + } + } + + /** + * Authenticate the request + * + */ + public IAuthToken authenticate(IAuthCredentials authCred) + throws EMissingCredential, EInvalidCredentials, EBaseException { + IAuthToken authToken = null; + String keyForUser = ""; + + /* First check if hashtable has been modified since we last read it in */ + + reReadPwFile(); + + /* Find the user in our hashtable */ + + for (int i = 0; i < keyAttrs.length; i++) { + print("concatenating string i=" + i + " keyAttrs[" + i + "] = " + keyAttrs[i]); + String credential = (String) authCred.get(keyAttrs[i]); + + if (credential == null) { + throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", keyAttrs[i])); + } + keyForUser = keyForUser.concat((String) authCred.get(keyAttrs[i])); + } + print("authenticating user: finding user 
from key: " + keyForUser); + + Hashtable user = entries.get(keyForUser); + + try { + if (user != null) { + authToken = doAuthentication(user, authCred); + } else { + CMS.debug("FlatFileAuth: " + CMS.getLogMessage("CMS_AUTH_USER_NOT_FOUND")); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + } catch (EInvalidCredentials e) { + // If defer on failure is false, then we re-throw the exception + // which causes the request to be rejected + if (!mDeferOnFailure) { + throw e; + } else { + CMS.debug("FlatFileAuth: Since defering on failure - ignore invalid creds"); + } + } + + // if a dn was specified in the password file for this user, + // replace the requested dn with the one in the pwfile + if (user != null) { + String dn = (String) user.get("dn"); + + if (dn != null && authToken != null) { + authToken.set(AuthToken.TOKEN_CERT_SUBJECT, dn); + } + } + + // If defer on failure is true, and the auth failed, authToken will + // be null here, which causes the request to be deferred. + + if (user != null && authToken != null) { + entries.remove(keyForUser); + updateFile(keyForUser); + // printAllEntries(); + } + return authToken; + } + + /** + * Return a list of HTTP parameters which will be taken from the + * request posting and placed into the AuthCredentials block + * + * Note that this method will not be called until after the + * init() method is called + */ + public String[] getRequiredCreds() { + print("getRequiredCreds returning: " + joinStringArray(reqCreds, ",")); + return reqCreds; + + } + + /** + * Returns a list of configuration parameters, so the console + * can prompt the user when configuring. 
+ */ + public String[] getConfigParams() { + return mConfigParams; + } + + /** + * Returns the configuration store used by this authentication manager + */ + public IConfigStore getConfigStore() { + return mConfig; + } + + public void shutdown() { + } + + public String getName() { + return mName; + } + + public String getImplName() { + return mImplName; + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_NAME"); + } + + /** + * Retrieves a list of names of the value parameter. + */ + public Enumeration getValueNames() { + return null; + } + + public boolean isValueWriteable(String name) { + return false; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + return null; + } + + public void populate(IAuthToken token, IRequest request) + throws EProfileException { + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_TEXT"); + } + +} diff --git a/base/common/src/com/netscape/cms/authentication/HashAuthData.java b/base/common/src/com/netscape/cms/authentication/HashAuthData.java new file mode 100644 index 000000000..3a447d282 --- /dev/null +++ b/base/common/src/com/netscape/cms/authentication/HashAuthData.java 
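Review bot: doAuthentication in FlatFileAuth dereferences `ffvalue` before checking it, so a record in the password file that lacks one of the configured authAttributes (e.g. no `PWD:` line) makes `ffvalue.equals(uservalue)` throw a NullPointerException out of authenticate() rather than the EInvalidCredentials that the defer-on-failure branch is written to catch, and the plain equals() is not a constant-time comparison of what is effectively a shared secret. I would write the check as `if (ffvalue == null || uservalue == null || !MessageDigest.isEqual(ffvalue.getBytes(StandardCharsets.UTF_8), uservalue.getBytes(StandardCharsets.UTF_8)))` and add java.security.MessageDigest and java.nio.charset.StandardCharsets to the imports, which keeps the EInvalidCredentials outcome for every malformed record. Separately, writeFile disables a consumed record with `line.indexOf(key) > -1`, a substring match that also comments out any other user whose concatenated key contains this one (consuming `bob` also takes out `bobby`) plus whatever line follows it; matching the complete `attr: value` lines of the record would be safer. The password file is also opened with FileReader, i.e. the platform default charset, which presumably should be made explicit.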
@@ -0,0 +1,118 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.authentication;
+
+// java sdk imports.
+import java.util.Hashtable;
+import java.util.Vector;
+
+/**
+ * The structure stores the information of which machine is enabled for
+ * the agent-initiated user enrollment, and whom agents enable this feature,
+ * and the value of the timeout.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class HashAuthData extends Hashtable> {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -988354133432275910L;
+ public static final long TIMEOUT = 600000;
+ public static final long LASTLOGIN = 0;
+
+ public HashAuthData() {
+ }
+
+ public String getAgentName(String hostname) {
+ Vector val = get(hostname);
+
+ if (val != null)
+ return (String) val.elementAt(0);
+ return null;
+ }
+
+ public void setAgentName(String hostname, String agentName) {
+ Vector val = get(hostname);
+
+ if (val == null) {
+ val = new Vector();
+ put(hostname, val);
+ }
+ val.setElementAt(agentName, 0);
+ }
+
+ public long getTimeout(String hostname) {
+ Vector val = get(hostname);
+
+ if (val != null) {
+ return ((Long) val.elementAt(1)).longValue();
+ }
+ return TIMEOUT;
+ }
+
+ public void setTimeout(String hostname, long timeout) {
+ Vector val = get(hostname);
+
+ if (val == null) {
+ val = new Vector();
+ put(hostname, val);
+ }
+ val.setElementAt(Long.valueOf(timeout), 1);
+ }
+
+ public String getSecret(String hostname) {
+ Vector val = get(hostname);
+
+ if (val != null) {
+ return (String) val.elementAt(2);
+ }
+ return null;
+ }
+
+ public void setSecret(String hostname, String secret) {
+ Vector val = get(hostname);
+
+ if (val == null) {
+ val = new Vector();
+ put(hostname, val);
+ }
+ val.setElementAt(secret, 2);
+ }
+
+ public long getLastLogin(String hostname) {
+ Vector val = get(hostname);
+
+ if (val != null) {
+ return ((Long) val.elementAt(3)).longValue();
+ }
+ return LASTLOGIN;
+ }
+
+ public void setLastLogin(String hostname, long lastLogin) {
+ Vector val = get(hostname);
+
+ if (val == null) {
+ val = new Vector();
+ put(hostname, val);
+ }
+ val.setElementAt(Long.valueOf(lastLogin), 3);
+ }
+}
diff --git a/base/common/src/com/netscape/cms/authentication/HashAuthentication.java b/base/common/src/com/netscape/cms/authentication/HashAuthentication.java
new file mode 100644
index 000000000..2537efa10
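Review bot: The `val == null` branch in setAgentName, setTimeout, setSecret and setLastLogin can never succeed: it creates an empty Vector, stores it in the table, and then calls `setElementAt(x, N)`, which throws ArrayIndexOutOfBoundsException whenever the index is not below the current size, so a setter on a host without an entry always fails after the empty vector has already been put. A later getTimeout or getLastLogin for that host then reaches `elementAt(1)`/`elementAt(3)` on the empty vector and throws as well, instead of returning the TIMEOUT/LASTLOGIN defaults the getters document. Since the slot layout (0 agent name, 1 timeout, 2 secret, 3 last login) is fixed, I would create the entry through one helper that fills all four slots with the class defaults and route every setter through it; the helper and one setter are sketched below, the other three setters change the same way.

```java
    /** Returns the slot vector for hostname, creating a default-filled one on first use. */
    private Vector entryFor(String hostname) {
        Vector val = get(hostname);
        if (val == null) {
            val = new Vector();
            val.addElement(null);                    // 0: agent name
            val.addElement(Long.valueOf(TIMEOUT));   // 1: timeout
            val.addElement(null);                    // 2: secret
            val.addElement(Long.valueOf(LASTLOGIN)); // 3: last login
            put(hostname, val);
        }
        return val;
    }

    public void setAgentName(String hostname, String agentName) {
        entryFor(hostname).setElementAt(agentName, 0);
    }
    // … unchanged: getters; setTimeout/setSecret/setLastLogin use entryFor(hostname) the same way …
```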
--- /dev/null +++ b/base/common/src/com/netscape/cms/authentication/HashAuthentication.java @@ -0,0 +1,288 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.authentication; + +// ldap java sdk +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.Date; +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Locale; +import java.util.Vector; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.EAuthException; +import com.netscape.certsrv.authentication.EInvalidCredentials; +import com.netscape.certsrv.authentication.IAuthCredentials; +import com.netscape.certsrv.authentication.IAuthManager; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.cmsutil.util.Utils; + +/** + * Hash uid/pwd directory based authentication manager + *

+ * + * @version $Revision$, $Date$ + */ +public class HashAuthentication implements IAuthManager, IExtendedPluginInfo { + + public static final String SALT = "lala123"; + public static final String CRED_UID = "uid"; + public static final String CRED_FINGERPRINT = "fingerprint"; + public static final String CRED_PAGEID = "pageID"; + public static final String CRED_HOST = "hostname"; + protected static String[] mRequiredCreds = { CRED_UID, + CRED_PAGEID, CRED_FINGERPRINT, CRED_HOST }; + public static final long DEFAULT_TIMEOUT = 600000; + private boolean mEnable = false; + private long mTimeout = DEFAULT_TIMEOUT; // in milliseconds + private String mSecret; + private int mPageID; + private String mHost; + private long mLastLogin = 0; + private MessageDigest mSHADigest = null; + private Hashtable mData = null; + private IConfigStore mConfig; + private String mName = null; + private String mImplName = null; + private ILogger mLogger = CMS.getLogger(); + private static Vector mExtendedPluginInfo = null; + private HashAuthData mHosts = null; + + static String[] mConfigParams = + new String[] {}; + + static { + mExtendedPluginInfo = new Vector(); + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT + + ";Authenticate the username and password provided " + + "by the user against an LDAP directory. Works with the " + + "Dir Based Enrollment HTML form"); + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-authrules-uidpwddirauth"); + }; + + /** + * Default constructor, initialization must follow. 
+ */ + public HashAuthentication() { + } + + public void init(String name, String implName, IConfigStore config) + throws EBaseException { + mName = name; + mImplName = implName; + mConfig = config; + mData = new Hashtable(); + mHosts = new HashAuthData(); + + try { + mSHADigest = MessageDigest.getInstance("SHA1"); + } catch (NoSuchAlgorithmException e) { + throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.getMessage())); + } + + } + + public IAuthToken getAuthToken(String key) { + return mData.remove(key); + } + + public void addAuthToken(String pageID, IAuthToken token) { + mData.put(pageID, token); + } + + public void deleteToken(String pageID) { + mData.remove(pageID); + } + + public HashAuthData getData() { + return mHosts; + } + + public void createEntry(String host, String dn, long timeout, + String secret, long lastLogin) { + Vector v = new Vector(); + + v.addElement(dn); + v.addElement(Long.valueOf(timeout)); + v.addElement(secret); + v.addElement(Long.valueOf(lastLogin)); + mHosts.put(host, v); + } + + public void disable(String hostname) { + mHosts.remove(hostname); + } + + public String getAgentName(String hostname) { + return mHosts.getAgentName(hostname); + } + + public void setAgentName(String hostname, String agentName) { + mHosts.setAgentName(hostname, agentName); + } + + public boolean isEnable(String hostname) { + return mHosts.containsKey(hostname); + } + + public long getTimeout(String hostname) { + return mHosts.getTimeout(hostname); + } + + public void setTimeout(String hostname, long timeout) { + mHosts.setTimeout(hostname, timeout); + } + + public String getSecret(String hostname) { + return mHosts.getSecret(hostname); + } + + public void setSecret(String hostname, String secret) { + mHosts.setSecret(hostname, secret); + } + + public long getLastLogin(String hostname) { + return mHosts.getLastLogin(hostname); + } + + public void setLastLogin(String hostname, long lastlogin) { + mHosts.setLastLogin(hostname, 
lastlogin); + } + + public long getPageID() { + Date date = new Date(); + + return date.getTime(); + } + + public void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, + level, msg); + } + + public boolean validFingerprint(String host, String pageID, String uid, String fingerprint) { + String val = hashFingerprint(host, pageID, uid); + + if (val.equals(fingerprint)) + return true; + return false; + } + + public Enumeration getHosts() { + return mHosts.keys(); + } + + public String hashFingerprint(String host, String pageID, String uid) { + byte[] hash = + mSHADigest.digest((SALT + pageID + getSecret(host) + uid).getBytes()); + String b64E = Utils.base64encode(hash); + + return "{SHA}" + b64E; + } + + public void shutdown() { + } + + /** + * Authenticates a user based on uid, pwd in the directory. + * + * @param authCreds The authentication credentials. + * @return The user's ldap entry dn. + * @exception EInvalidCredentials If the uid and password are not valid + * @exception EBaseException If an internal error occurs. + */ + public IAuthToken authenticate(IAuthCredentials authCreds) + throws EBaseException { + AuthToken token = new AuthToken(this); + String fingerprint = (String) authCreds.get(CRED_FINGERPRINT); + String pageID = (String) authCreds.get(CRED_PAGEID); + String uid = (String) authCreds.get(CRED_UID); + String host = (String) authCreds.get(CRED_HOST); + + if (fingerprint.equals("") || + !validFingerprint(host, pageID, uid, fingerprint)) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_INVALID_FINGER_PRINT")); + throw new EAuthException("Invalid Fingerprint"); + } + + // set uid in the token. + token.set(CRED_UID, uid); + + return token; + } + + /** + * Returns array of required credentials for this authentication manager. + * + * @return Array of required credentials. 
+ */ + public String[] getRequiredCreds() { + return mRequiredCreds; + } + + /** + * Gets the configuration substore used by this authentication manager + * + * @return configuration store + */ + public IConfigStore getConfigStore() { + return mConfig; + } + + /** + * gets the name of this authentication manager instance + */ + public String getName() { + return mName; + } + + /** + * gets the plugin name of this authentication manager. + */ + public String getImplName() { + return mImplName; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo); + + return s; + + } + + /** + * Returns a list of configuration parameter names. + * The list is passed to the configuration console so instances of + * this implementation can be configured through the console. + * + * @return String array of configuration parameter names. + */ + public String[] getConfigParams() { + return (mConfigParams); + } +} diff --git a/base/common/src/com/netscape/cms/authentication/PortalEnroll.java b/base/common/src/com/netscape/cms/authentication/PortalEnroll.java new file mode 100644 index 000000000..38a3e6fcf --- /dev/null +++ b/base/common/src/com/netscape/cms/authentication/PortalEnroll.java 
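Review bot: `authenticate` dereferences the credentials before checking that they are present — `fingerprint.equals("")` throws NullPointerException when `CRED_FINGERPRINT` is absent, and null `host`, `pageID` or `uid` values flow into `validFingerprint` unchecked — whereas the sibling managers on this page report a missing value with EMissingCredential. Add a null check per required credential ahead of the fingerprint test, e.g. `if (fingerprint == null) throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_FINGERPRINT));` (the file imports EInvalidCredentials, which it never uses, and would need EMissingCredential instead). `hashFingerprint` also reuses the single `mSHADigest` instance for every call, so if the manager is reached from concurrent requests two `digest()` calls can interleave and produce a wrong hash, and `validFingerprint` compares the result with `String.equals`; a per-call `MessageDigest.getInstance("SHA1")` and `MessageDigest.isEqual` on the raw digest bytes address both, and `getBytes()` should name a charset (`StandardCharsets.UTF_8`) so the hash does not depend on the platform default. Since `SALT` is a public constant, the fingerprint's unforgeability rests entirely on the per-host secret returned by `getSecret(host)`; a comment on `SALT` saying so would keep the next reader from treating it as a secret.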
@@ -0,0 +1,468 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.authentication; + +// ldap java sdk +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPAttributeSet; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPObjectClassSchema; +import netscape.ldap.LDAPSchema; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.EAuthInternalError; +import com.netscape.certsrv.authentication.EAuthUserError; +import com.netscape.certsrv.authentication.EInvalidCredentials; +import com.netscape.certsrv.authentication.EMissingCredential; +import com.netscape.certsrv.authentication.IAuthCredentials; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.EPropertyNotFound; +import com.netscape.certsrv.base.IArgBlock; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import 
com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.ldap.ILdapConnFactory; +import com.netscape.certsrv.logging.ILogger; + +/** + * uid/pwd directory based authentication manager + *

+ * + * @version $Revision$, $Date$ + */ +public class PortalEnroll extends DirBasedAuthentication { + + /* configuration parameter keys */ + protected static final String PROP_LDAPAUTH = "ldapauth"; + protected static final String PROP_AUTHTYPE = "authtype"; + protected static final String PROP_BINDDN = "bindDN"; + protected static final String PROP_BINDPW = "bindPW"; + protected static final String PROP_LDAPCONN = "ldapconn"; + protected static final String PROP_HOST = "host"; + protected static final String PROP_PORT = "port"; + protected static final String PROP_SECURECONN = "secureConn"; + protected static final String PROP_VERSION = "version"; + protected static final String PROP_OBJECTCLASS = "objectclass"; + + /* required credentials to authenticate. uid and pwd are strings. */ + public static final String CRED_UID = "uid"; + public static final String CRED_PWD = "userPassword"; + protected static String[] mRequiredCreds = { CRED_UID, CRED_PWD }; + + /* ldap configuration sub-store */ + private IArgBlock argblk = null; + private String mObjectClass = null; + private String mBindDN = null; + private String mBaseDN = null; + private ILdapConnFactory mLdapFactory = null; + private LDAPConnection mLdapConn = null; + + // contains all nested superiors' required attrs in the form of a + // vector of "required" attributes in Enumeration + Vector> mRequiredAttrs = null; + + // contains all nested superiors' optional attrs in the form of a + // vector of "optional" attributes in Enumeration + Vector> mOptionalAttrs = null; + + // contains all the objclasses, including superiors and itself + Vector mObjClasses = null; + + /* Holds configuration parameters accepted by this implementation. + * This list is passed to the configuration console so configuration + * for instances of this implementation can be configured through the + * console. 
+ */ + protected static String[] mConfigParams = + new String[] { + PROP_DNPATTERN, + "ldap.ldapconn.host", + "ldap.ldapconn.port", + "ldap.ldapconn.secureConn", + "ldap.ldapconn.version", + "ldap.ldapauth.bindDN", + "ldap.ldapauth.bindPWPrompt", + "ldap.ldapauth.clientCertNickname", + "ldap.ldapauth.authtype", + "ldap.basedn", + "ldap.objectclass", + "ldap.minConns", + "ldap.maxConns", + }; + + /** + * Default constructor, initialization must follow. + */ + public PortalEnroll() + throws EBaseException { + super(); + } + + /** + * Initializes the PortalEnrollment auth manager. + *

+ * + * @param name - The name for this authentication manager instance. + * @param implName - The name of the authentication manager plugin. + * @param config - The configuration store for this instance. + * @exception EBaseException If an error occurs during initialization. + */ + public void init(String name, String implName, IConfigStore config) + throws EBaseException { + super.init(name, implName, config); + + /* Get Bind DN for directory server */ + mConfig = mLdapConfig.getSubStore(PROP_LDAPAUTH); + mBindDN = mConfig.getString(PROP_BINDDN); + if ((mBindDN == null) || (mBindDN.length() == 0) || (mBindDN == "")) + throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "binddn")); + + /* Get Bind DN for directory server */ + mBaseDN = mLdapConfig.getString(PROP_BASEDN); + if ((mBaseDN == null) || (mBaseDN.length() == 0) || (mBaseDN == "")) + throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "basedn")); + + /* Get Object clase name for enrollment */ + mObjectClass = mLdapConfig.getString(PROP_OBJECTCLASS); + if (mObjectClass == null || mObjectClass.length() == 0) + throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "objectclass")); + + /* Get connect parameter */ + mLdapFactory = CMS.getLdapBoundConnFactory(); + mLdapFactory.init(mLdapConfig); + mLdapConn = mLdapFactory.getConn(); + + log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_PORTAL_INIT")); + } + + /** + * Authenticates a user based on uid, pwd in the directory. + * + * @param authCreds The authentication credentials. + * @return The user's ldap entry dn. + * @exception EInvalidCredentials If the uid and password are not valid + * @exception EBaseException If an internal error occurs. 
+ */ + protected String authenticate(LDAPConnection conn, + IAuthCredentials authCreds, + AuthToken token) + throws EBaseException { + String uid = null; + String pwd = null; + String dn = null; + + argblk = authCreds.getArgBlock(); + + // authenticate by binding to ldap server with password. + try { + // get the uid. + uid = (String) authCreds.get(CRED_UID); + if (uid == null) { + throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID)); + } + + // get the password. + pwd = (String) authCreds.get(CRED_PWD); + if (pwd == null) { + throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD)); + } + if (pwd.equals("")) { + // anonymous binding not allowed + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + + // get user dn. + LDAPSearchResults res = conn.search(mBaseDN, + LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false); + + if (res.hasMoreElements()) { + res.nextElement(); // consume the entry + + throw new EAuthUserError(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE", + "UID already exists.")); + } else { + dn = regist(token, uid); + if (dn == null) + throw new EAuthUserError(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE", + "Could not add user " + uid + ".")); + } + + // bind as user dn and pwd - authenticates user with pwd. + conn.authenticate(dn, pwd); + + // set uid in the token. 
+ token.set(CRED_UID, uid); + + log(ILogger.LL_INFO, "portal authentication is done"); + + return dn; + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.toString())); + throw e; + } catch (LDAPException e) { + switch (e.getLDAPResultCode()) { + case LDAPException.NO_SUCH_OBJECT: + case LDAPException.LDAP_PARTIAL_RESULTS: + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMS_AUTH_ADD_USER_ERROR", conn.getHost(), Integer.toString(conn.getPort()))); + throw new EAuthInternalError(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", + "Check Configuration detail.")); + + case LDAPException.INVALID_CREDENTIALS: + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid)); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + + case LDAPException.SERVER_DOWN: + log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_SERVER_DOWN")); + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); + + default: + log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage())); + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", + e.errorCodeToString())); + } + } catch (EBaseException e) { + if (e.getMessage().equalsIgnoreCase(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true) + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_MAKE_DN_ERROR", e.toString())); + throw e; + } + } + + /** + * Returns a list of configuration parameter names. + * The list is passed to the configuration console so instances of + * this implementation can be configured through the console. + * + * @return String array of configuration parameter names. + */ + public String[] getConfigParams() { + return (mConfigParams); + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] s = { + PROP_DNPATTERN + ";string;Template for cert" + + " Subject Name. 
($dn.xxx - get value from user's LDAP " + + "DN. $attr.yyy - get value from LDAP attributes in " + + "user's entry.) Default: " + DEFAULT_DNPATTERN, + "ldap.ldapconn.host;string,required;" + "LDAP host to connect to", + "ldap.ldapconn.port;number,required;" + "LDAP port number (default 389, or 636 if SSL)", + "ldap.objectclass;string,required;SEE DOCUMENTATION for Object Class. " + + "Default is inetOrgPerson.", + "ldap.ldapconn.secureConn;boolean;" + "Use SSL to connect to directory?", + "ldap.ldapconn.version;choice(3,2);" + "LDAP protocol version", + "ldap.ldapauth.bindDN;string,required;DN to bind as for Directory Manager. " + + "For example 'CN=Directory Manager'", + "ldap.ldapauth.bindPWPrompt;password;Enter password used to bind as " + + "the above user", + "ldap.ldapauth.authtype;choice(BasicAuth,SslClientAuth);" + + "How to bind to the directory (for pin removal only)", + "ldap.ldapauth.clientCertNickname;string;If you want to use " + + "SSL client auth to the directory, set the client " + + "cert nickname here", + "ldap.basedn;string,required;Base DN to start searching " + + "under. If your user's DN is 'uid=jsmith, o=company', you " + + "might want to use 'o=company' here", + "ldap.minConns;number;number of connections " + + "to keep open to directory server", + "ldap.maxConns;number;when needed, connection " + + "pool can grow to this many connections", + IExtendedPluginInfo.HELP_TEXT + + ";This authentication plugin checks to see if a user " + + "exists in the directory. If not, then the user is created " + + "with the requested password.", + IExtendedPluginInfo.HELP_TOKEN + ";configuration-authrules-portalauth" + }; + + return s; + } + + /** + * Returns array of required credentials for this authentication manager. + * + * @return Array of required credentials. + */ + public String[] getRequiredCreds() { + return mRequiredCreds; + } + + /** + * adds a user to the directory. + * + * @return dn upon success and null upon failure. 
+ * @param token authentication token + * @param uid the user's id. + */ + public String regist(AuthToken token, String uid) { + String dn = "uid=" + uid + "," + mBaseDN; + + /* Specify the attributes of the entry */ + Vector objectclass_values = null; + + LDAPAttributeSet attrs = new LDAPAttributeSet(); + LDAPAttribute attr = new LDAPAttribute("objectclass"); + + // initialized to new + mRequiredAttrs = new Vector>(); + mOptionalAttrs = new Vector>(); + mObjClasses = new Vector(); + + LDAPSchema dirSchema = null; + + try { + + /* Construct a new LDAPSchema object to hold + the schema that you want to retrieve. */ + dirSchema = new LDAPSchema(); + + /* Get the schema from the Directory. Anonymous access okay. */ + dirSchema.fetchSchema(mLdapConn); + } catch (LDAPException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage())); + } + // complete mRequiredAttrs, mOptionalAttrs, and mObjClasses + initLdapAttrs(dirSchema, mObjectClass); + + objectclass_values = mObjClasses; + for (int i = objectclass_values.size() - 1; i >= 0; i--) + attr.addValue((String) objectclass_values.elementAt(i)); + attrs.add(attr); + + Enumeration> objClasses = mRequiredAttrs.elements(); + Enumeration attrnames = null; + + while (objClasses.hasMoreElements()) { + attrnames = objClasses.nextElement(); + CMS.debug("PortalEnroll: Required attrs:"); + while (attrnames.hasMoreElements()) { + String attrname = attrnames.nextElement(); + String attrval = null; + + CMS.debug("PortalEnroll: attrname is: " + attrname); + if (attrname.equalsIgnoreCase("objectclass") == true) + continue; + try { + attrval = (String) argblk.getValueAsString(attrname); + } catch (EBaseException e) { + if (e.getMessage().equalsIgnoreCase(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true) + continue; + } + + CMS.debug("PortalEnroll: " + attrname + " = " + attrval); + attrs.add(new LDAPAttribute(attrname, attrval)); + } + + } + + objClasses = mOptionalAttrs.elements(); + attrnames = null; + 
+ while (objClasses.hasMoreElements()) { + attrnames = objClasses.nextElement(); + CMS.debug("PortalEnroll: Optional attrs:"); + while (attrnames.hasMoreElements()) { + String attrname = attrnames.nextElement(); + String attrval = null; + + CMS.debug("PortalEnroll: attrname is: " + attrname); + try { + attrval = (String) argblk.getValueAsString(attrname); + } catch (EBaseException e) { + if (e.getMessage().equalsIgnoreCase(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true) + continue; + } + CMS.debug("PortalEnroll: " + attrname + " = " + attrval); + if (attrval != null) { + attrs.add(new LDAPAttribute(attrname, attrval)); + } + } + } + + /* Create an entry with this DN and these attributes */ + LDAPEntry entry = new LDAPEntry(dn, attrs); + + try { + + /* Now add the entry to the directory */ + mLdapConn.add(entry); + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage())); + } else + log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage())); + return null; + } + + log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_REGISTRATION_DONE")); + + return dn; + } + + /* + * get the superiors of "inetOrgPerson" so the "required + * attributes", "optional qttributes", and "object classes" are complete; + * should build up + * mRequiredAttrs, mOptionalAttrs, and mObjClasses when returned + */ + @SuppressWarnings("unchecked") + public void initLdapAttrs(LDAPSchema dirSchema, String oclass) { + CMS.debug("PortalEnroll: in initLdapAttrsAttrs"); + mObjClasses.addElement(oclass); + if (oclass.equalsIgnoreCase("top")) + return; + + try { + + /* Get and print the def. of the object class. 
*/ + LDAPObjectClassSchema objClass = dirSchema.getObjectClass(oclass); + + if (objClass != null) { + mRequiredAttrs.add(objClass.getRequiredAttributes()); + mOptionalAttrs.add(objClass.getOptionalAttributes()); + } else { + return; + } + + CMS.debug("PortalEnroll: getting superiors for: " + oclass); + String superiors[] = objClass.getSuperiors(); + + CMS.debug("PortalEnroll: got superiors, superiors.length=" + superiors.length); + if (superiors.length == 0) + return; + for (int i = 0; i < superiors.length; i++) { + CMS.debug("Portalenroll: superior" + i + "=" + superiors[i]); + objClass = dirSchema.getObjectClass(superiors[i]); + initLdapAttrs(dirSchema, superiors[i]); + } + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage())); + } + } +} diff --git a/base/common/src/com/netscape/cms/authentication/RDNPattern.java b/base/common/src/com/netscape/cms/authentication/RDNPattern.java new file mode 100644 index 000000000..722aefbc3 --- /dev/null +++ b/base/common/src/com/netscape/cms/authentication/RDNPattern.java 
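Review bot: `authenticate` builds the LDAP search filter by concatenation, `"(uid=" + uid + ")"`, and `regist` uses the same raw value as an RDN, `"uid=" + uid + "," + mBaseDN`, with `uid` taken straight from the request credentials; filter metacharacters in it (`*`, `(`, `)`, `\`, NUL) change the query, and a comma or `+` changes the DN that gets created. Escape the value per RFC 4515 before it enters the filter and per RFC 4514 before it enters the DN, or reject uids containing such characters up front. The test `(mBindDN == "")` in `init` (likewise for `mBaseDN`) compares references and is always false, so it is dead next to the `length() == 0` check and can be dropped. In `regist`, every required and optional attribute of the configured object class is filled from the request's arg block via `argblk.getValueAsString(attrname)`, so the caller controls the full contents of the new entry; if only a fixed set of attributes is meant to be settable, an allowlist there would narrow that (whether that is intended is not clear from this file).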
@@ -0,0 +1,232 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.authentication; + +import java.io.IOException; +import java.io.PushbackReader; +import java.io.StringReader; +import java.util.Vector; + +import netscape.ldap.LDAPEntry; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.EAuthException; +import com.netscape.certsrv.base.EBaseException; + +/** + * class for parsing a DN pattern used to construct a certificate + * subject name from ldap attributes and dn. + *

+ * + * dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If + * empty or not set, the ldap entry DN will be used as the certificate subject name. + *

+ * + * The syntax is + * + *

+ * 	dnPattern := rdnPattern *[ "," rdnPattern ]
+ * 	rdnPattern := avaPattern *[ "+" avaPattern ]
+ * 		avaPattern := name "=" value | 
+ * 			      name "=" "$attr" "." attrName [ "." attrNumber ] | 
+ * 			      name "=" "$dn" "." attrName [ "." attrNumber ] | 
+ * 			 	  "$dn" "." "$rdn" "." number
+ * 
+ * + *
+ * Example1: E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US 
+ * Ldap entry: dn:  UID=jjames, OU=IS, OU=people, O=acme.org
+ * Ldap attributes: cn: Jesse James 
+ * Ldap attributes: mail: jjames@acme.org
+ * 

+ * The subject name formulated will be :
+ * E=jjames@acme.org, CN=Jesse James, OU=people, O=acme.org, C=US + *

+ * E = the first 'mail' ldap attribute value in user's entry.
+ * CN = the (first) 'cn' ldap attribute value in the user's entry.
+ * OU = the second 'ou' value in the user's entry DN.
+ * O = the (first) 'o' value in the user's entry DN.
+ * C = the string "US" + *

+ * Example2: E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US + * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org + * Ldap attributes: cn: Jesse James + * Ldap attributes: mail: jjames@acme.org + *

+ * The subject name formulated will be :
+ * E=jjames@acme.org, CN=Jesse James, OU=people, O=acme.org, C=US + *

+ * E = the first 'mail' ldap attribute value in user's entry.
+ * CN = the (first) 'cn' ldap attribute value in the user's entry.
+ * OU = the second 'ou' value in the user's entry DN. note multiple AVAs + * in a RDN in this example.
+ * O = the (first) 'o' value in the user's entry DN.
+ * C = the string "US" + *

+ *

+ * + *
+ * Example3: CN=$attr.cn, $rdn.2, O=$dn.o, C=US
+ * Ldap entry: dn:  UID=jjames, OU=IS+OU=people, O=acme.org
+ * Ldap attributes: cn: Jesse James 
+ * Ldap attributes: mail: jjames@acme.org
+ * 

+ * The subject name formulated will be :
+ * CN=Jesse James, OU=IS+OU=people, O=acme.org, C=US + *

+ * CN = the (first) 'cn' ldap attribute value in the user's entry.
+ * followed by the second RDN in the user's entry DN.
+ * O = the (first) 'o' value in the user's entry DN.
+ * C = the string "US" + *

+ * Example4: CN=$attr.cn, OU=$dn.ou.2+OU=$dn.ou.1, O=$dn.o, C=US + * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org + * Ldap attributes: cn: Jesse James + * Ldap attributes: mail: jjames@acme.org + *

+ * The subject name formulated will be :
+ * CN=Jesse James, OU=people+OU=IS, O=acme.org, C=US + *

+ * CN = the (first) 'cn' ldap attribute value in the user's entry.
+ * OU = the second 'ou' value in the user's entry DN followed by the + * first 'ou' value in the user's entry. note multiple AVAs + * in a RDN in this example.
+ * O = the (first) 'o' value in the user's entry DN.
+ * C = the string "US" + *

+ *

+ * + * If an attribute or subject DN component does not exist the attribute is skipped. + * + * @version $Revision$, $Date$ + */ +class RDNPattern { + + /* ldap attributes needed by this RDN (to retrieve from ldap) */ + private String[] mLdapAttrs = null; + + /* AVA patterns */ + protected AVAPattern[] mAVAPatterns = null; + + /* original pattern string */ + protected String mPatternString = null; + + protected String mTestDN = null; + + /** + * Construct a DN pattern by parsing a pattern string. + * + * @param pattenr the DN pattern + * @exception EBaseException If parsing error occurs. + */ + public RDNPattern(String pattern) + throws EAuthException { + if (pattern == null || pattern.equals("")) { + // create an attribute list that is the dn. + mLdapAttrs = new String[] { "dn" }; + } else { + mPatternString = pattern; + PushbackReader in = new PushbackReader(new StringReader(pattern)); + + parse(in); + } + } + + /** + * Construct a DN pattern from a input stream of pattern + */ + public RDNPattern(PushbackReader in) + throws EAuthException { + parse(in); + } + + private void parse(PushbackReader in) + throws EAuthException { + //System.out.println("_________ begin rdn _________"); + Vector avaPatterns = new Vector(); + AVAPattern avaPattern = null; + int lastChar; + + do { + avaPattern = new AVAPattern(in); + avaPatterns.addElement(avaPattern); + //System.out.println("added AVAPattern"+ + //" mType "+avaPattern.mType+ + //" mAttr "+avaPattern.mAttr+ + //" mValue "+avaPattern.mValue+ + //" mElement "+avaPattern.mElement); + try { + lastChar = in.read(); + } catch (IOException e) { + throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + } + } while (lastChar == '+'); + + if (lastChar != -1) { + try { + in.unread(lastChar); // pushback last , + } catch (IOException e) { + throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + } + } + + mAVAPatterns = new 
AVAPattern[avaPatterns.size()]; + avaPatterns.copyInto(mAVAPatterns); + + Vector ldapAttrs = new Vector(); + + for (int i = 0; i < mAVAPatterns.length; i++) { + String avaAttr = mAVAPatterns[i].getLdapAttr(); + + if (avaAttr == null || avaAttr.length() == 0) + continue; + ldapAttrs.addElement(avaAttr); + } + mLdapAttrs = new String[ldapAttrs.size()]; + ldapAttrs.copyInto(mLdapAttrs); + } + + /** + * Form a Ldap v3 DN string from results of a ldap search. + * + * @param entry LDAPentry from a ldap search + * @return Ldap v3 DN string to use for a subject name. + */ + public String formRDN(LDAPEntry entry) + throws EAuthException { + StringBuffer formedRDN = new StringBuffer(); + + for (int i = 0; i < mAVAPatterns.length; i++) { + if (mTestDN != null) + mAVAPatterns[i].mTestDN = mTestDN; + String ava = mAVAPatterns[i].formAVA(entry); + + if (ava != null && ava.length() > 0) { + if (formedRDN.length() != 0) + formedRDN.append("+"); + formedRDN.append(ava); + } + } + //System.out.println("formed RDN "+formedRDN.toString()); + return formedRDN.toString(); + } + + public String[] getLdapAttrs() { + return (String[]) mLdapAttrs.clone(); + } +} diff --git a/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java b/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java new file mode 100644 index 000000000..35c23bd0f --- /dev/null +++ b/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java 
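Review bot: `formRDN` dereferences `mAVAPatterns`, which the `RDNPattern(String)` constructor leaves null when `pattern` is null or empty (that branch only sets `mLdapAttrs` to `{"dn"}`), so calling it on such an instance throws NullPointerException rather than returning the entry DN, as the class comment describes for an empty pattern, or a clear error; add a guard at the top, e.g. `if (mAVAPatterns == null) return "";` or throw EAuthException, whichever the callers expect (they are not in this file). The constructor's Javadoc names the parameter `pattenr` and declares `@exception EBaseException` while the signature throws EAuthException; change them to `@param pattern the RDN pattern` and `@exception EAuthException If a parsing error occurs.`. `formRDN`'s Javadoc says it forms a DN string, but it joins the AVAs with `+` into a single RDN and omits the `EAuthException` propagated from `formAVA`; `@return Ldap v3 RDN string` and an `@exception EAuthException` line would make it accurate.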
@@ -0,0 +1,358 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2008 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.authentication; + +import java.security.Principal; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.Enumeration; +import java.util.Locale; +import java.util.StringTokenizer; + +import netscape.security.x509.BasicConstraintsExtension; +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.EInvalidCredentials; +import com.netscape.certsrv.authentication.EMissingCredential; +import com.netscape.certsrv.authentication.IAuthCredentials; +import com.netscape.certsrv.authentication.IAuthManager; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authentication.ISSLClientCertProvider; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import 
com.netscape.certsrv.profile.IProfileAuthenticator; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.usrgrp.Certificates; + +/** + * Certificate server SSL client authentication. + * + * @author Christina Fu + *

+ * + */ +public class SSLclientCertAuthentication implements IAuthManager, + IProfileAuthenticator { + + /* result auth token attributes */ + public static final String TOKEN_USERDN = "user"; + public static final String TOKEN_USER_DN = "userdn"; + public static final String TOKEN_USERID = "userid"; + public static final String TOKEN_UID = "uid"; + + /* required credentials */ + public static final String CRED_CERT = IAuthManager.CRED_SSL_CLIENT_CERT; + protected String[] mRequiredCreds = { CRED_CERT }; + + /* config parameters to pass to console (none) */ + protected static String[] mConfigParams = null; + + private String mName = null; + private String mImplName = null; + private IConfigStore mConfig = null; + + private ILogger mLogger = CMS.getLogger(); + + private IConfigStore mRevocationChecking = null; + private String mRequestor = null; + + public SSLclientCertAuthentication() { + } + + /** + * initializes the SSLClientCertAuthentication auth manager + *

+ * called by AuthSubsystem init() method, when initializing all available authentication managers. + * + * @param name The name of this authentication manager instance. + * @param implName The name of the authentication manager plugin. + * @param config The configuration store for this authentication manager. + */ + public void init(String name, String implName, IConfigStore config) + throws EBaseException { + mName = name; + mImplName = implName; + mConfig = config; + } + + /** + * Gets the name of this authentication manager. + */ + public String getName() { + return mName; + } + + /** + * Gets the plugin name of authentication manager. + */ + public String getImplName() { + return mImplName; + } + + public boolean isSSLClientRequired() { + return true; + } + + /** + * authenticates user by certificate + *

+ * called by other subsystems or their servlets to authenticate users + * + * @param authCred - authentication credential that contains + * an usrgrp.Certificates of the user (agent) + * @return the authentication token that contains the following + * + * @exception EMissingCredential If a required credential for this + * authentication manager is missing. + * @exception EInvalidCredentials If credentials cannot be authenticated. + * @exception EBaseException If an internal error occurred. + * @see com.netscape.certsrv.authentication.AuthToken + * @see com.netscape.certsrv.usrgrp.Certificates + */ + public IAuthToken authenticate(IAuthCredentials authCred) + throws EMissingCredential, EInvalidCredentials, EBaseException { + + CMS.debug("SSLclientCertAuthentication: start"); + CMS.debug("authenticator instance name is " + getName()); + + // force SSL handshake + SessionContext context = SessionContext.getExistingContext(); + ISSLClientCertProvider provider = (ISSLClientCertProvider) + context.get("sslClientCertProvider"); + + if (provider == null) { + CMS.debug("SSLclientCertAuthentication: No SSL Client Cert Provider Found"); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + CMS.debug("SSLclientCertAuthentication: got provider"); + CMS.debug("SSLclientCertAuthentication: retrieving client certificate"); + X509Certificate[] allCerts = provider.getClientCertificateChain(); + + if (allCerts == null) { + CMS.debug("SSLclientCertAuthentication: No SSL Client Certs Found"); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + CMS.debug("SSLclientCertAuthentication: got certificates"); + + // retreive certificate from socket + AuthToken authToken = new AuthToken(this); + X509Certificate[] x509Certs = allCerts; + + // default certificate default has bugs in version + // version(3) is returned as 3, which should be 2 + X509CertImpl ci[] = new X509CertImpl[x509Certs.length]; + + 
X509Certificate clientCert = null; + try { + for (int i = 0; i < x509Certs.length; i++) { + ci[i] = new X509CertImpl(x509Certs[i].getEncoded()); + // find out which one is the leaf cert + clientCert = ci[i]; + + byte[] extBytes = clientCert.getExtensionValue("2.5.29.19"); + // try to see if this is a leaf cert + // look for BasicConstraint extension + if (extBytes == null) { + // found leaf cert + CMS.debug("SSLclientCertAuthentication: authenticate: found leaf cert"); + break; + } else { + CMS.debug("SSLclientCertAuthentication: authenticate: found cert having BasicConstraints ext"); + // it's got BasicConstraints extension + // so it's not likely to be a leaf cert, + // however, check the isCA field regardless + try { + BasicConstraintsExtension bce = + new BasicConstraintsExtension(true, extBytes); + if (bce != null) { + if (!(Boolean) bce.get("is_ca")) { + CMS.debug("SSLclientCertAuthentication: authenticate: found CA cert in chain"); + break; + } // else found a ca cert, continue + } + } catch (Exception e) { + CMS.debug("SSLclientCertAuthentication: authenticate: exception:" + + e.toString()); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + } + } + if (clientCert == null) { + CMS.debug("SSLclientCertAuthentication: authenticate: client cert not found"); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + } catch (CertificateException e) { + CMS.debug(e.toString()); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + + // check if certificate(s) is revoked + boolean checkRevocation = true; + try { + checkRevocation = mConfig.getBoolean("checkRevocation", true); + } catch (EBaseException e) { + // do nothing; default to true + } + if (checkRevocation) { + if (CMS.isRevoked(ci)) { + CMS.debug("SSLclientCertAuthentication: certificate revoked"); + throw new 
EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + } + Certificates certs = new Certificates(ci); + Principal p_dn = clientCert.getSubjectDN(); + authToken.set(TOKEN_USERDN, p_dn.getName()); + authToken.set("userdn", p_dn.getName()); + String uid = getUidFromDN(p_dn.getName()); + if (uid != null) { + authToken.set(TOKEN_UID, uid); + authToken.set(TOKEN_USERID, uid); + } + /* + authToken.set(TOKEN_USER_DN, user.getUserDN()); + authToken.set(TOKEN_USERID, user.getUserID()); + authToken.set(TOKEN_UID, user.getUserID()); + authToken.set(TOKEN_GROUP, groupname); + */ + authToken.set(CRED_CERT, certs); + + CMS.debug("SSLclientCertAuthentication: authenticated "); + + return authToken; + } + + String getUidFromDN(String userdn) { + StringTokenizer st = new StringTokenizer(userdn, ","); + while (st.hasMoreTokens()) { + String t = st.nextToken(); + int i = t.indexOf("="); + + if (i == -1) { + continue; + } + String n = t.substring(0, i); + if (n.equalsIgnoreCase("uid")) { + String v = t.substring(i + 1); + CMS.debug("SSLclientCertAuthentication: getUidFromDN(): uid found:" + v); + return v; + } else { + continue; + } + } + return null; + } + + /** + * get the list of authentication credential attribute names + * required by this authentication manager. Generally used by + * the servlets that handle agent operations to authenticate its + * users. It calls this method to know which are the + * required credentials from the user (e.g. Javascript form data) + * + * @return attribute names in Vector + */ + public String[] getRequiredCreds() { + return (mRequiredCreds); + } + + /** + * get the list of configuration parameter names + * required by this authentication manager. Generally used by + * the Certificate Server Console to display the table for + * configuration purposes. CertUserDBAuthentication is currently not + * exposed in this case, so this method is not to be used. 
+ * + * @return configuration parameter names in Hashtable of Vectors + * where each hashtable entry's key is the substore name, value is a + * Vector of parameter names. If no substore, the parameter name + * is the Hashtable key itself, with value same as key. + */ + public String[] getConfigParams() { + return (mConfigParams); + } + + /** + * prepare this authentication manager for shutdown. + */ + public void shutdown() { + } + + /** + * gets the configuretion substore used by this authentication + * manager + * + * @return configuration store + */ + public IConfigStore getConfigStore() { + return mConfig; + } + + // Profile-related methods + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_SSL_CLIENT_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_SSL_CLIENT_TEXT"); + } + + /** + * Retrieves a list of names of the value parameter. + */ + public Enumeration getValueNames() { + return null; + } + + public boolean isValueWriteable(String name) { + return false; + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + return null; + } + + public void populate(IAuthToken token, IRequest request) + throws EProfileException { + request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, + token.getInString(TOKEN_USERDN)); + request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, + token.getInString("userDN")); + } +} diff --git a/base/common/src/com/netscape/cms/authentication/SharedSecret.java b/base/common/src/com/netscape/cms/authentication/SharedSecret.java new file mode 100644 index 000000000..7a0784c53 --- /dev/null 
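Review bot: populate() first stores the DN from `TOKEN_USERDN` in IProfileAuthenticator.AUTHENTICATED_NAME and then immediately overwrites it with `token.getInString("userDN")`, but authenticate() only ever sets the DN under `"user"` and `"userdn"` (lowercase), so the second call looks up a key this authenticator never writes and the request's authenticated name ends up as whatever setExtData does with a null value. Either drop the second call or use the constant that matches what authenticate() stores: `request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, token.getInString(TOKEN_USER_DN));`. Separately, the leaf-selection loop in authenticate() only breaks when it meets a cert with no BasicConstraints or with is_ca=false; if every element of the chain is a CA cert the loop runs off the end with `clientCert` still pointing at the last CA cert, the `clientCert == null` guard does not fire, and that CA's subject DN becomes the authenticated identity, so a `found` flag checked after the loop should turn that case into an explicit EInvalidCredentials. The debug line on the is_ca=false branch also reads "found CA cert in chain" when it has in fact found the non-CA leaf.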
+++ b/base/common/src/com/netscape/cms/authentication/SharedSecret.java @@ -0,0 +1,38 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.authentication; + +import java.math.BigInteger; + +import org.mozilla.jss.pkix.cmc.PKIData; + +import com.netscape.certsrv.authentication.ISharedToken; + +public class SharedSecret implements ISharedToken { + + public SharedSecret() { + } + + public String getSharedToken(PKIData cmcdata) { + return "testing"; + } + + public String getSharedToken(BigInteger serial) { + return "testing"; + } +} diff --git a/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java b/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java new file mode 100644 index 000000000..f8e0669e9 --- /dev/null +++ b/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java 
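Review bot: Both getSharedToken() overloads return the fixed string `"testing"`, so any deployment that registers SharedSecret as its ISharedToken provider validates CMC requests against a constant that is visible in the source. If this class is only a placeholder it should say so and fail closed rather than hand back a value that will match, e.g. replace each body with `throw new UnsupportedOperationException("SharedSecret is a placeholder; configure a real ISharedToken implementation");`, and the class Javadoc should state that it must not be used in production. How the returned token is compared is outside this hunk, so whether a null return would be safer than an exception should be confirmed against the caller.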
@@ -0,0 +1,304 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.authentication; + +import java.io.ByteArrayInputStream; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.EInvalidCredentials; +import com.netscape.certsrv.authentication.EMissingCredential; +import com.netscape.certsrv.authentication.IAuthCredentials; +import com.netscape.certsrv.authentication.IAuthManager; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileAuthenticator; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.usrgrp.IUGSubsystem; +import com.netscape.cmsutil.http.HttpClient; +import com.netscape.cmsutil.http.HttpRequest; +import 
com.netscape.cmsutil.http.HttpResponse; +import com.netscape.cmsutil.http.JssSSLSocketFactory; +import com.netscape.cmsutil.xml.XMLObject; + +/** + * Token authentication. + * Checked if the given token is valid. + *

+ * + * @version $Revision$, $Date$ + */ +public class TokenAuthentication implements IAuthManager, + IProfileAuthenticator { + + /* result auth token attributes */ + public static final String TOKEN_UID = "uid"; + public static final String TOKEN_GID = "gid"; + + /* required credentials */ + public static final String CRED_SESSION_ID = IAuthManager.CRED_SESSION_ID; + protected String[] mRequiredCreds = { CRED_SESSION_ID }; + + /* config parameters to pass to console (none) */ + protected static String[] mConfigParams = null; + + private String mName = null; + private String mImplName = null; + private IConfigStore mConfig = null; + + private IUGSubsystem mUGSub = null; + private ILogger mLogger = CMS.getLogger(); + + public TokenAuthentication() { + } + + /** + * initializes the TokenAuthentication auth manager + *

+ * called by AuthSubsystem init() method, when initializing all available authentication managers. + * + * @param name The name of this authentication manager instance. + * @param implName The name of the authentication manager plugin. + * @param config The configuration store for this authentication manager. + */ + public void init(String name, String implName, IConfigStore config) + throws EBaseException { + mName = name; + mImplName = implName; + mConfig = config; + + mUGSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); + } + + /** + * Gets the name of this authentication manager. + */ + public String getName() { + return mName; + } + + /** + * Gets the plugin name of authentication manager. + */ + public String getImplName() { + return mImplName; + } + + public boolean isSSLClientRequired() { + return false; + } + + /** + * authenticates user(agent) by certificate + *

+ * called by other subsystems or their servlets to authenticate users (agents) + * + * @param authCred - authentication credential that contains + * an usrgrp.Certificates of the user (agent) + * @return the authentication token that contains the following + * @exception EMissingCredential If a required credential for this + * authentication manager is missing. + * @exception EInvalidCredentials If credentials cannot be authenticated. + * @exception EBaseException If an internal error occurred. + * @see com.netscape.certsrv.authentication.AuthToken + * @see com.netscape.certsrv.usrgrp.Certificates + */ + public IAuthToken authenticate(IAuthCredentials authCred) + throws EMissingCredential, EInvalidCredentials, EBaseException { + + CMS.debug("TokenAuthentication: start"); + + // force SSL handshake + SessionContext context = SessionContext.getExistingContext(); + + // retreive certificate from socket + AuthToken authToken = new AuthToken(this); + + // get group name from configuration file + IConfigStore sconfig = CMS.getConfigStore(); + + String sessionId = (String) authCred.get(CRED_SESSION_ID); + String givenHost = (String) authCred.get("clientHost"); + String auth_host = sconfig.getString("securitydomain.host"); + int auth_port = sconfig.getInteger("securitydomain.httpseeport"); + + HttpClient httpclient = new HttpClient(); + String c = null; + try { + JssSSLSocketFactory factory = new JssSSLSocketFactory(); + httpclient = new HttpClient(factory); + String content = CRED_SESSION_ID + "=" + sessionId + "&hostname=" + givenHost; + CMS.debug("TokenAuthentication: content=" + content); + httpclient.connect(auth_host, auth_port); + HttpRequest httprequest = new HttpRequest(); + httprequest.setMethod(HttpRequest.POST); + httprequest.setURI("/ca/ee/ca/tokenAuthenticate"); + httprequest.setHeader("user-agent", "HTTPTool/1.0"); + httprequest.setHeader("content-length", "" + content.length()); + httprequest.setHeader("content-type", + 
"application/x-www-form-urlencoded"); + httprequest.setContent(content); + HttpResponse httpresponse = httpclient.send(httprequest); + + c = httpresponse.getContent(); + } catch (Exception e) { + CMS.debug("TokenAuthentication authenticate Exception=" + e.toString()); + } + + if (c != null) { + try { + ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); + XMLObject parser = null; + + try { + parser = new XMLObject(bis); + } catch (Exception e) { + CMS.debug("TokenAuthentication::authenticate() - " + + "Exception=" + e.toString()); + throw new EBaseException(e.toString()); + } + String status = parser.getValue("Status"); + + CMS.debug("TokenAuthentication: status=" + status); + if (!status.equals("0")) { + String error = parser.getValue("Error"); + throw new EBaseException(error); + } + + String uid = parser.getValue("uid"); + String gid = parser.getValue("gid"); + + authToken.set(TOKEN_UID, uid); + authToken.set(TOKEN_GID, gid); + + if (context != null) { + CMS.debug("SessionContext.USER_ID " + uid + " SessionContext.GROUP_ID " + gid); + context.put(SessionContext.USER_ID, uid); + context.put(SessionContext.GROUP_ID, gid); + } + + CMS.debug("TokenAuthentication: authenticated uid=" + uid + ", gid=" + gid); + } catch (EBaseException e) { + throw e; + } catch (Exception e) { + } + } + + return authToken; + } + + /** + * get the list of authentication credential attribute names + * required by this authentication manager. Generally used by + * the servlets that handle agent operations to authenticate its + * users. It calls this method to know which are the + * required credentials from the user (e.g. Javascript form data) + * + * @return attribute names in Vector + */ + public String[] getRequiredCreds() { + return (mRequiredCreds); + } + + /** + * get the list of configuration parameter names + * required by this authentication manager. Generally used by + * the Certificate Server Console to display the table for + * configuration purposes. 
CertUserDBAuthentication is currently not + * exposed in this case, so this method is not to be used. + * + * @return configuration parameter names in Hashtable of Vectors + * where each hashtable entry's key is the substore name, value is a + * Vector of parameter names. If no substore, the parameter name + * is the Hashtable key itself, with value same as key. + */ + public String[] getConfigParams() { + return (mConfigParams); + } + + /** + * prepare this authentication manager for shutdown. + */ + public void shutdown() { + } + + /** + * gets the configuretion substore used by this authentication + * manager + * + * @return configuration store + */ + public IConfigStore getConfigStore() { + return mConfig; + } + + // Profile-related methods + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_TEXT"); + } + + /** + * Retrieves a list of names of the value parameter. + */ + public Enumeration getValueNames() { + Vector v = new Vector(); + + v.addElement(CRED_SESSION_ID); + return v.elements(); + } + + public boolean isValueWriteable(String name) { + return false; + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + return null; + } + + public void populate(IAuthToken token, IRequest request) + throws EProfileException { + } +} diff --git a/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java b/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java new file mode 100644 index 000000000..c9fbbf9ac --- /dev/null 
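Review bot: authenticate() fails open: an exception from the HTTP round trip to the security domain is only debug-logged and leaves `c` null, after which the method skips the whole `if (c != null)` block and still executes `return authToken;` with no uid/gid and no error, and the trailing `catch (Exception e) { }` swallows any parse failure the same way (for instance the NPE on `status.equals("0")` when the response has no `Status` element). A caller that treats a returned token as success therefore accepts the request whenever the security domain is unreachable or returns something unparsable; both paths should throw EInvalidCredentials, and a missing CRED_SESSION_ID should be reported as the EMissingCredential the signature already declares. The form body is also assembled by bare concatenation, so a session id or `clientHost` value containing `&` or `=` (if those credential values come from the request, as the name suggests) can inject extra parameters into the POST to /ca/ee/ca/tokenAuthenticate; URL-encode both values (java.net.URLEncoder, which the file would need to import), which also makes `content.length()` a correct byte count for the content-length header. The `content=` debug line writes the session id itself into the debug log and should be removed.
```java
String sessionId = (String) authCred.get(CRED_SESSION_ID);
String givenHost = (String) authCred.get("clientHost");
if (sessionId == null) {
    throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_SESSION_ID));
}
// … unchanged: securitydomain.host / securitydomain.httpseeport lookup …
// encode both values so neither can add form parameters; do not log the body, it carries the session id
String content = CRED_SESSION_ID + "=" + URLEncoder.encode(sessionId, "UTF-8")
        + "&hostname=" + URLEncoder.encode(String.valueOf(givenHost), "UTF-8");
// … unchanged: HttpClient connect, request setup, send, c = httpresponse.getContent() …
if (c == null) {
    // security domain unreachable or empty reply: fail closed instead of returning an empty token
    throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
// … unchanged: XMLObject parsing, Status/Error/uid/gid extraction, SessionContext update …
} catch (EBaseException e) {
    throw e;
} catch (Exception e) {
    CMS.debug("TokenAuthentication: authenticate: bad response from security domain: " + e.toString());
    throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
```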
+++ b/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java @@ -0,0 +1,189 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.authentication; + +// ldap java sdk +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPException; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.EInvalidCredentials; +import com.netscape.certsrv.authentication.EMissingCredential; +import com.netscape.certsrv.authentication.IAuthCredentials; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.logging.ILogger; + +/** + * udn/pwd directory based authentication manager + *

+ * + * @version $Revision$, $Date$ + */ +public class UdnPwdDirAuthentication extends DirBasedAuthentication { + + /* required credentials to authenticate. udn and pwd are strings. */ + public static final String CRED_UDN = "udn"; + public static final String CRED_PWD = "pwd"; + protected static String[] mRequiredCreds = { CRED_UDN, CRED_PWD }; + + /* Holds configuration parameters accepted by this implementation. + * This list is passed to the configuration console so configuration + * for instances of this implementation can be configured through the + * console. + */ + protected static String[] mConfigParams = + new String[] { PROP_DNPATTERN, + PROP_LDAPSTRINGATTRS, + PROP_LDAPBYTEATTRS, + "ldap.ldapconn.host", + "ldap.ldapconn.port", + "ldap.ldapconn.secureConn", + "ldap.ldapconn.version", + "ldap.minConns", + "ldap.maxConns", + }; + + static { + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT + + ";Authenticate the user distinguished name and password provided " + + "by the user against an LDAP directory. Works with the " + + "Dir Based Enrollment HTML form"); + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-authentication"); + }; + + /** + * Default constructor, initialization must follow. + */ + public UdnPwdDirAuthentication() { + super(); + } + + /** + * Initializes the UdnPwdDirAuthentication auth manager. + *

+ * + * @param name - The name for this authentication manager instance. + * @param implName - The name of the authentication manager plugin. + * @param config - The configuration store for this instance. + * @exception EBaseException If an error occurs during initialization. + */ + public void init(String name, String implName, IConfigStore config) + throws EBaseException { + super.init(name, implName, config, false); + } + + /** + * Authenticates a user based on udn, pwd in the directory. + * + * @param authCreds The authentication credentials. + * @return The user's ldap entry dn. + * @exception EInvalidCredentials If the udn and password are not valid + * @exception EBaseException If an internal error occurs. + */ + protected String authenticate(LDAPConnection conn, + IAuthCredentials authCreds, + AuthToken token) + throws EBaseException { + String userdn = null; + + // authenticate by binding to ldap server with password. + try { + // get the udn. + userdn = (String) authCreds.get(CRED_UDN); + if (userdn == null) { + throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UDN)); + } + + // get the password. + String pwd = (String) authCreds.get(CRED_PWD); + + if (pwd == null) { + throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD)); + } + if (pwd.equals("")) { + // anonymous binding not allowed + log(ILogger.LL_FAILURE, + "user " + userdn + " attempted login with empty password."); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + + // bind as user dn and pwd - authenticates user with pwd. + conn.authenticate(userdn, pwd); + // set userdn in the token. + token.set(CRED_UDN, userdn); + + return userdn; + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, + "Couldn't get ldap connection. 
Error: " + e.toString()); + throw e; + } catch (LDAPException e) { + switch (e.getLDAPResultCode()) { + case LDAPException.NO_SUCH_OBJECT: + case LDAPException.LDAP_PARTIAL_RESULTS: + log(ILogger.LL_SECURITY, + "user " + userdn + " does not exist in ldap server host " + + conn.getHost() + ", port " + conn.getPort() + "."); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + + case LDAPException.INVALID_CREDENTIALS: + log(ILogger.LL_SECURITY, + "authenticate user " + userdn + " with bad password."); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + + case LDAPException.SERVER_DOWN: + log(ILogger.LL_FAILURE, "Ldap server is down."); + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); + + default: + log(ILogger.LL_FAILURE, + "Ldap error encountered. " + e.getMessage()); + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", + e.errorCodeToString())); + } + } + } + + /** + * Returns a list of configuration parameter names. + * The list is passed to the configuration console so instances of + * this implementation can be configured through the console. + * + * @return String array of configuration parameter names. + */ + public String[] getConfigParams() { + return (mConfigParams); + } + + /** + * Returns array of required credentials for this authentication manager. + * + * @return Array of required credentials. + */ + public String[] getRequiredCreds() { + return mRequiredCreds; + } + +} diff --git a/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java b/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java new file mode 100644 index 000000000..d4a9de108 --- /dev/null +++ b/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java 
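Review bot: The empty-password guard in authenticate() has no counterpart for the DN: `userdn` is only checked for null, so an empty or whitespace-only udn with a non-empty password goes straight to `conn.authenticate(userdn, pwd)`, and what the directory does with a zero-length bind name (reject it, or treat it as an anonymous/unauthenticated bind) is server-dependent rather than something this code controls. Mirror the password check before binding: `if (userdn.trim().length() == 0) { log(ILogger.LL_FAILURE, "attempted login with empty user dn."); throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); }`. Also, after a successful bind the connection is left bound as the end user; DirBasedAuthentication, which supplies `conn`, is outside this hunk, so confirm that it rebinds or discards the connection before it is reused. The `catch (ELdapException e)` message says "Couldn't get ldap connection", but nothing in the try block obtains a connection, so the log text is misleading for whatever ELdapException can actually surface there.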
@@ -0,0 +1,269 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.authentication; + +// ldap java sdk +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.EInvalidCredentials; +import com.netscape.certsrv.authentication.EMissingCredential; +import com.netscape.certsrv.authentication.IAuthCredentials; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileAuthenticator; +import com.netscape.certsrv.property.Descriptor; +import 
com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * uid/pwd directory based authentication manager + *

+ * + * @version $Revision$, $Date$ + */ +public class UidPwdDirAuthentication extends DirBasedAuthentication + implements IProfileAuthenticator { + + /* required credentials to authenticate. uid and pwd are strings. */ + public static final String CRED_UID = "uid"; + public static final String CRED_PWD = "pwd"; + protected static String[] mRequiredCreds = { CRED_UID, CRED_PWD }; + + /* Holds configuration parameters accepted by this implementation. + * This list is passed to the configuration console so configuration + * for instances of this implementation can be configured through the + * console. + */ + protected static String[] mConfigParams = + new String[] { PROP_DNPATTERN, + PROP_LDAPSTRINGATTRS, + PROP_LDAPBYTEATTRS, + "ldap.ldapconn.host", + "ldap.ldapconn.port", + "ldap.ldapconn.secureConn", + "ldap.ldapconn.version", + "ldap.basedn", + "ldap.minConns", + "ldap.maxConns", + }; + + static { + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT + + ";Authenticate the username and password provided " + + "by the user against an LDAP directory. Works with the " + + "Dir Based Enrollment HTML form"); + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-authrules-uidpwddirauth"); + }; + + /** + * Default constructor, initialization must follow. + */ + public UidPwdDirAuthentication() { + super(); + } + + /** + * Authenticates a user based on uid, pwd in the directory. + * + * @param authCreds The authentication credentials. + * @return The user's ldap entry dn. + * @exception EInvalidCredentials If the uid and password are not valid + * @exception EBaseException If an internal error occurs. + */ + protected String authenticate(LDAPConnection conn, + IAuthCredentials authCreds, + AuthToken token) + throws EBaseException { + String userdn = null; + String uid = null; + + // authenticate by binding to ldap server with password. + try { + // get the uid. 
+ uid = (String) authCreds.get(CRED_UID);
+ CMS.debug("Authenticating UID=" + uid);
+ if (uid == null) {
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID));
+ }
+
+ // get the password.
+ String pwd = (String) authCreds.get(CRED_PWD);
+
+ if (pwd == null) {
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD));
+ }
+ if (pwd.equals("")) {
+ // anonymous binding not allowed
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_EMPTY_PASSWORD", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+
+ // get user dn.
+ CMS.debug("Authenticating: Searching for UID=" + uid +
+ " base DN=" + mBaseDN);
+ LDAPSearchResults res = conn.search(mBaseDN,
+ LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false);
+
+ if (res.hasMoreElements()) {
+ //LDAPEntry entry = (LDAPEntry)res.nextElement();
+ LDAPEntry entry = res.next();
+
+ userdn = entry.getDN();
+ CMS.debug("Authenticating: Found User DN=" + userdn);
+ } else {
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+
+ // bind as user dn and pwd - authenticates user with pwd.
+ conn.authenticate(userdn, pwd);
+ // set uid in the token.
+ token.set(CRED_UID, uid); + + return userdn; + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString())); + throw e; + } catch (LDAPException e) { + switch (e.getLDAPResultCode()) { + case LDAPException.NO_SUCH_OBJECT: + case LDAPException.LDAP_PARTIAL_RESULTS: + log(ILogger.LL_SECURITY, CMS.getLogMessage("USER_NOT_EXIST", uid)); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + + case LDAPException.INVALID_CREDENTIALS: + log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid)); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + + case LDAPException.SERVER_DOWN: + log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_SERVER_DOWN")); + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); + + default: + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.getMessage())); + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", + e.errorCodeToString())); + } + } + } + + /** + * Returns a list of configuration parameter names. + * The list is passed to the configuration console so instances of + * this implementation can be configured through the console. + * + * @return String array of configuration parameter names. + */ + public String[] getConfigParams() { + return (mConfigParams); + } + + /** + * Returns array of required credentials for this authentication manager. + * + * @return Array of required credentials. + */ + public String[] getRequiredCreds() { + return mRequiredCreds; + } + + // Profile-related methods + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + } + + /** + * Retrieves the localizable name of this policy. 
+ */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID_TEXT"); + } + + /** + * Retrieves a list of names of the value parameter. + */ + public Enumeration getValueNames() { + Vector v = new Vector(); + + v.addElement(CRED_UID); + v.addElement(CRED_PWD); + return v.elements(); + } + + public boolean isValueWriteable(String name) { + if (name.equals(CRED_UID)) { + return true; + } else if (name.equals(CRED_PWD)) { + return false; + } + return false; + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(CRED_UID)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID")); + } else if (name.equals(CRED_PWD)) { + return new Descriptor(IDescriptor.PASSWORD, null, null, + CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_PWD")); + + } + return null; + } + + public void populate(IAuthToken token, IRequest request) + throws EProfileException { + request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, + token.getInString(USER_DN)); + } + + public boolean isSSLClientRequired() { + return false; + } +} diff --git a/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java b/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java new file mode 100644 index 000000000..880b7c767 --- /dev/null +++ b/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java 
@@ -0,0 +1,464 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.authentication; + +// ldap java sdk +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPModification; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.EAuthException; +import com.netscape.certsrv.authentication.EInvalidCredentials; +import com.netscape.certsrv.authentication.EMissingCredential; +import com.netscape.certsrv.authentication.IAuthCredentials; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.ldap.ILdapConnFactory; +import 
com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileAuthenticator; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * uid/pwd/pin directory based authentication manager + *

+ * + * @version $Revision$, $Date$ + */ +public class UidPwdPinDirAuthentication extends DirBasedAuthentication + implements IExtendedPluginInfo, IProfileAuthenticator { + + /* required credentials to authenticate. uid and pwd are strings. */ + public static final String CRED_UID = "uid"; + public static final String CRED_PWD = "pwd"; + public static final String CRED_PIN = "pin"; + protected static String[] mRequiredCreds = { CRED_UID, CRED_PWD, CRED_PIN }; + + public static final String PROP_REMOVE_PIN = "removePin"; + public static final String PROP_PIN_ATTR = "pinAttr"; + + public static final boolean DEF_REMOVE_PIN = false; + public static final String DEF_PIN_ATTR = "pin"; + + protected static final byte SENTINEL_SHA = 0; + protected static final byte SENTINEL_MD5 = 1; + protected static final byte SENTINEL_NONE = 0x2d; + + /* Holds configuration parameters accepted by this implementation. + * This list is passed to the configuration console so configuration + * for instances of this implementation can be configured through the + * console. + */ + protected static String[] mConfigParams = + new String[] { PROP_REMOVE_PIN, + PROP_PIN_ATTR, + PROP_DNPATTERN, + PROP_LDAPSTRINGATTRS, + PROP_LDAPBYTEATTRS, + "ldap.ldapconn.host", + "ldap.ldapconn.port", + "ldap.ldapconn.secureConn", + "ldap.ldapconn.version", + "ldap.ldapauth.bindDN", + "ldap.ldapauth.bindPWPrompt", + "ldap.ldapauth.clientCertNickname", + "ldap.ldapauth.authtype", + "ldap.basedn", + "ldap.minConns", + "ldap.maxConns", + }; + + static { + mExtendedPluginInfo.add( + PROP_REMOVE_PIN + ";boolean;SEE DOCUMENTATION for pin removal"); + mExtendedPluginInfo.add( + PROP_PIN_ATTR + ";string;directory attribute to use for pin (default 'pin')"); + mExtendedPluginInfo.add( + "ldap.ldapauth.bindDN;string;DN to bind as for pin removal. 
" + + "For example 'CN=PinRemoval User'"); + mExtendedPluginInfo.add( + "ldap.ldapauth.bindPWPrompt;password;Enter password used to bind as " + + "the above user"); + mExtendedPluginInfo.add( + "ldap.ldapauth.clientCertNickname;string;If you want to use " + + "SSL client auth to the directory, set the client " + + "cert nickname here"); + mExtendedPluginInfo.add( + "ldap.ldapauth.authtype;choice(BasicAuth,SslClientAuth),required;" + + "How to bind to the directory (for pin removal only)"); + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT + + ";Authenticate the username, password and pin provided " + + "by the user against an LDAP directory. Works with the " + + "Dir/Pin Based Enrollment HTML form"); + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-authrules-uidpwdpindirauth"); + + } + + protected boolean mRemovePin = DEF_REMOVE_PIN; + protected String mPinAttr = DEF_PIN_ATTR; + protected MessageDigest mSHADigest = null; + protected MessageDigest mMD5Digest = null; + + private String mBindDN = null; + private String mBindPassword = null; + + private ILdapConnFactory removePinLdapFactory = null; + private LDAPConnection removePinLdapConnection = null; + private IConfigStore removePinLdapConfigStore = null; + + /** + * Default constructor, initialization must follow. 
+ */ + public UidPwdPinDirAuthentication() { + super(); + } + + public void init(String name, String implName, IConfigStore config) + throws EBaseException { + super.init(name, implName, config); + mRemovePin = + config.getBoolean(PROP_REMOVE_PIN, DEF_REMOVE_PIN); + mPinAttr = + config.getString(PROP_PIN_ATTR, DEF_PIN_ATTR); + if (mPinAttr.equals("")) { + mPinAttr = DEF_PIN_ATTR; + } + + if (mRemovePin) { + removePinLdapConfigStore = config.getSubStore("ldap"); + removePinLdapFactory = CMS.getLdapBoundConnFactory(); + removePinLdapFactory.init(removePinLdapConfigStore); + removePinLdapConnection = removePinLdapFactory.getConn(); + } + + try { + mSHADigest = MessageDigest.getInstance("SHA1"); + mMD5Digest = MessageDigest.getInstance("MD5"); + } catch (NoSuchAlgorithmException e) { + throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.getMessage())); + } + + } + + protected void verifyPassword(String Password) { + } + + /** + * Authenticates a user based on its uid, pwd, pin in the directory. + * + * @param authCreds The authentication credentials with uid, pwd, pin. + * @return The user's ldap entry dn. + * @exception EInvalidCredentials If the uid and password are not valid + * @exception EBaseException If an internal error occurs. + */ + protected String authenticate(LDAPConnection conn, + IAuthCredentials authCreds, + AuthToken token) + throws EBaseException { + String userdn = null; + String uid = null; + String pwd = null; + String pin = null; + + try { + // get the uid. + uid = (String) authCreds.get(CRED_UID); + if (uid == null) { + throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID)); + } + + // get the password. 
+ pwd = (String) authCreds.get(CRED_PWD); + if (pwd == null) { + throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD)); + } + if (pwd.equals("")) { + // anonymous binding not allowed + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_EMPTY_PASSWORD", uid)); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + + // get the pin. + pin = (String) authCreds.get(CRED_PIN); + if (pin == null) { + throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PIN)); + } + if (pin.equals("")) { + // empty pin not allowed + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_EMPTY_PIN", uid)); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + + // get user dn. + LDAPSearchResults res = conn.search(mBaseDN, + LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false); + + if (res.hasMoreElements()) { + LDAPEntry entry = (LDAPEntry) res.nextElement(); + + userdn = entry.getDN(); + } else { + log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid)); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + + // bind as user dn and pwd - authenticates user with pwd. + conn.authenticate(userdn, pwd); + + log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_AUTHENTICATED", uid)); + // log(ILogger.LL_SECURITY, "found user : " + userdn); + + // check pin. + checkpin(conn, userdn, uid, pin); + + // set uid in the token. 
+ token.set(CRED_UID, uid); + + return userdn; + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString())); + throw e; + } catch (LDAPException e) { + switch (e.getLDAPResultCode()) { + case LDAPException.NO_SUCH_OBJECT: + case LDAPException.LDAP_PARTIAL_RESULTS: + log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid)); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + + case LDAPException.INVALID_CREDENTIALS: + log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid)); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + + case LDAPException.SERVER_DOWN: + log(ILogger.LL_SECURITY, CMS.getLogMessage("LDAP_SERVER_DOWN")); + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); + + default: + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.getMessage())); + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", + e.errorCodeToString())); + } + } + } + + protected void checkpin(LDAPConnection conn, String userdn, + String uid, String pin) + throws EBaseException, LDAPException { + LDAPSearchResults res = null; + LDAPEntry entry = null; + + // get pin. 
+ + res = conn.search(userdn, LDAPv2.SCOPE_BASE, + "(objectclass=*)", new String[] { mPinAttr }, false); + if (res.hasMoreElements()) { + entry = (LDAPEntry) res.nextElement(); + } else { + log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_ENTRY_RETURNED", uid, userdn)); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + + LDAPAttribute pinAttr = entry.getAttribute(mPinAttr); + + if (pinAttr == null) { + log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + + @SuppressWarnings("unchecked") + Enumeration pinValues = pinAttr.getByteValues(); + + if (!pinValues.hasMoreElements()) { + log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + byte[] entrypin = pinValues.nextElement(); + + // compare value digest. 
+
+ if (entrypin == null || entrypin.length < 2) {
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+
+ byte hashtype = entrypin[0];
+
+ byte[] pinDigest = null;
+ String toBeDigested = userdn + pin;
+
+ if (hashtype == SENTINEL_SHA) {
+
+ pinDigest = mSHADigest.digest(toBeDigested.getBytes());
+ } else if (hashtype == SENTINEL_MD5) {
+ pinDigest = mMD5Digest.digest(toBeDigested.getBytes());
+ } else if (hashtype == SENTINEL_NONE) {
+ pinDigest = toBeDigested.getBytes();
+ } else {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_UKNOWN_ENCODING_TYPE", mPinAttr, "*", userdn));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+
+ if (pinDigest.length != (entrypin.length - 1)) {
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_LENGTH_NOT_MATCHED", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+
+ int i;
+
+ for (i = 0; i < (entrypin.length - 1); i++) {
+ if (pinDigest[i] != entrypin[i + 1])
+ break;
+ }
+ if (i != (entrypin.length - 1)) {
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+
+ // pin ok. remove pin if so configured
+ // Note that this means that a policy may reject this request later,
+ // but the user will not be able to enroll again as his pin is gone.
+
+ // We remove the pin using a different connection which is bound as
+ // a more privileged user.
+ + if (mRemovePin) { + + try { + removePinLdapConnection.modify(userdn, + new LDAPModification( + LDAPModification.DELETE, + new LDAPAttribute(mPinAttr, entrypin))); + + } catch (LDAPException e) { + log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_CANT_REMOVE_PIN", userdn)); + } + + } + } + + /** + * Returns a list of configuration parameter names. + * The list is passed to the configuration console so instances of + * this implementation can be configured through the console. + * + * @return String array of configuration parameter names. + */ + public String[] getConfigParams() { + return (mConfigParams); + } + + /** + * Returns array of required credentials for this authentication manager. + * + * @return Array of required credentials. + */ + public String[] getRequiredCreds() { + return mRequiredCreds; + } + + // Profile-related methods + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID_PIN_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID_PIN_TEXT"); + } + + /** + * Retrieves a list of names of the value parameter. + */ + public Enumeration getValueNames() { + Vector v = new Vector(); + + v.addElement(CRED_UID); + v.addElement(CRED_PWD); + v.addElement(CRED_PIN); + return v.elements(); + } + + public boolean isValueWriteable(String name) { + if (name.equals(CRED_UID)) { + return true; + } else if (name.equals(CRED_PWD)) { + return false; + } + return false; + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. 
+ */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(CRED_UID)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID")); + } else if (name.equals(CRED_PWD)) { + return new Descriptor(IDescriptor.PASSWORD, null, null, + CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_PWD")); + } else if (name.equals(CRED_PIN)) { + return new Descriptor(IDescriptor.PASSWORD, null, null, + CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_PIN")); + + } + return null; + } + + public void populate(IAuthToken token, IRequest request) + throws EProfileException { + request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, + token.getInString(USER_DN)); + } + + public boolean isSSLClientRequired() { + return false; + } +} diff --git a/base/common/src/com/netscape/cms/authorization/AAclAuthz.java b/base/common/src/com/netscape/cms/authorization/AAclAuthz.java new file mode 100644 index 000000000..570fe3a88 --- /dev/null +++ b/base/common/src/com/netscape/cms/authorization/AAclAuthz.java 
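Review bot: The PIN comparison in checkpin() is not constant-time — the byte loop `if (pinDigest[i] != entrypin[i + 1]) break;` exits at the first mismatch — so a caller who already holds a valid uid and password (both are verified before the PIN is looked at) can attack the stored PIN digest byte by byte from response timing; replace the loop and the `i != (entrypin.length - 1)` test with `if (!MessageDigest.isEqual(pinDigest, Arrays.copyOfRange(entrypin, 1, entrypin.length))) { log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid)); throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); }`, which is constant-time on current JDKs (`MessageDigest` is already imported; add `java.util.Arrays`). The user lookup in authenticate() concatenates the submitted uid into the filter, `"(uid=" + uid + ")"`, with no escaping, so `*`, `(`, `)` and `\` are interpreted as filter syntax and a caller can steer which entry under `mBaseDN` the bind is attempted against; escape the value per RFC 4515 before building the filter. `toBeDigested.getBytes()` hashes with the platform default charset, so a non-ASCII DN or PIN only verifies if whatever wrote the attribute (not in this hunk) happened to use the same encoding — pin the charset explicitly on both sides. When `mRemovePin` is set and the modify fails, the failure is only logged and the authentication still returns success, which leaves the supposedly one-time PIN reusable; consider failing the request in that case rather than continuing. The stored formats (`SENTINEL_NONE` plaintext, unsalted MD5/SHA-1 of DN+PIN) are dictated by the writer of the attribute, but a comment on the SENTINEL constants noting that only the SHA form should be provisioned would help future maintainers.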
@@ -0,0 +1,858 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.authorization; + +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import com.netscape.certsrv.acls.ACL; +import com.netscape.certsrv.acls.ACLEntry; +import com.netscape.certsrv.acls.EACLsException; +import com.netscape.certsrv.acls.IACL; +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authorization.AuthzToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.evaluators.IAccessEvaluator; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.cmsutil.util.Utils; + +/** + * An abstract class represents an authorization manager that governs the + * access of internal resources such as servlets. + * It parses in the ACLs associated with each protected + * resources, and provides protected method checkPermission for code that needs to verify access before + * performing + * actions. + *

+ * Here is a sample resourceACLS for a resource + * + *

+ *   certServer.UsrGrpAdminServlet:
+ *       execute:
+ *           deny (execute) user="tempAdmin";
+ *           allow (execute) group="Administrators";
+ * 
+ * + * To perform permission checking, code call authz mgr authorize() method to verify access. See AuthzMgr for calling + * example. + *

+ * default "evaluators" are used to evaluate the "group=.." or "user=.." rules. See evaluator for more info + * + * @version $Revision$, $Date$ + * @see ACL Files + */ +public abstract class AAclAuthz { + + protected static final String PROP_CLASS = "class"; + protected static final String PROP_IMPL = "impl"; + protected static final String PROP_EVAL = "accessEvaluator"; + + protected static final String ACLS_ATTR = "aclResources"; + + private IConfigStore mConfig = null; + + private Hashtable mACLs = new Hashtable(); + private Hashtable mEvaluators = new Hashtable(); + private ILogger mLogger = null; + + /* Vector of extendedPluginInfo strings */ + protected static Vector mExtendedPluginInfo = null; + + protected static String[] mConfigParams = null; + + static { + mExtendedPluginInfo = new Vector(); + } + + /** + * Constructor + */ + public AAclAuthz() { + } + + /** + * Initializes + */ + protected void init(IConfigStore config) + throws EBaseException { + + mLogger = CMS.getLogger(); + CMS.debug("AAclAuthz: init begins"); + + mConfig = config; + + // load access evaluators specified in the config file + IConfigStore mainConfig = CMS.getConfigStore(); + IConfigStore evalConfig = mainConfig.getSubStore(PROP_EVAL); + IConfigStore i = evalConfig.getSubStore(PROP_IMPL); + + IAccessEvaluator evaluator = null; + Enumeration mImpls = i.getSubStoreNames(); + + while (mImpls.hasMoreElements()) { + String type = (String) mImpls.nextElement(); + String evalClassPath = null; + + try { + evalClassPath = i.getString(type + "." + PROP_CLASS); + } catch (Exception e) { + log(ILogger.LL_MISCONF, "failed to get config class info"); + + throw new EBaseException(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", + type + "." 
+ PROP_CLASS)); + } + + // instantiate evaluator + try { + evaluator = + (IAccessEvaluator) Class.forName(evalClassPath).newInstance(); + } catch (Exception e) { + throw new EACLsException(CMS.getUserMessage("CMS_ACL_CLASS_LOAD_FAIL", + evalClassPath)); + } + + if (evaluator != null) { + evaluator.init(); + // store evaluator + registerEvaluator(type, evaluator); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_NULL", type)); + } + } + + log(ILogger.LL_INFO, "initialization done"); + } + + /** + * Parse ACL resource attributes, then update the ACLs memory store + * This is intended to be used if storing ACLs on ldap is not desired, + * and the caller is expected to call this method to add resource + * and acl info into acls memory store. The resACLs format should conform + * to the following: + * :right-1[,right-n]:[allow,deny](right(s))=: + * Example: resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties + * + * @param resACLs same format as the resourceACLs attribute + * @throws EBaseException parsing error from parseACL + */ + public void addACLs(String resACLs) throws EBaseException { + ACL acl = (ACL) CMS.parseACL(resACLs); + + if (acl != null) { + mACLs.put(acl.getName(), acl); + } else { + log(ILogger.LL_FAILURE, "parseACL failed"); + } + } + + public void accessInit(String accessInfo) throws EBaseException { + addACLs(accessInfo); + } + + public IACL getACL(String target) { + return (ACL) mACLs.get(target); + } + + protected Enumeration getTargetNames() { + return mACLs.keys(); + } + + public Enumeration getACLs() { + return mACLs.elements(); + } + + /** + * Returns the configuration store used by this Authz mgr + */ + public IConfigStore getConfigStore() { + return mConfig; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo); + + return s; + + } + + /** + * Returns a list of configuration parameter names. 
+ * The list is passed to the configuration console so instances of + * this implementation can be configured through the console. + * + * @return String array of configuration parameter names. + */ + public String[] getConfigParams() { + return mConfigParams; + } + + /** + * graceful shutdown + */ + public abstract void shutdown(); + + /** + * Registers new handler for the given attribute type + * in the expressions. + */ + public void registerEvaluator(String type, IAccessEvaluator evaluator) { + mEvaluators.put(type, evaluator); + log(ILogger.LL_INFO, type + " evaluator registered"); + } + + /******************************************************* + * with session context + *******************************************************/ + + /** + * Checks if the permission is granted or denied in + * the current execution context. If the code is + * marked as privileged, this methods will simply + * return. + *

+ * note that if a resource does not exist in the aclResources entry, but a higher level node exist, it will still be + * evaluated. The highest level node's acl determines the permission. If the higher level node doesn't contain any + * acl information, then it's passed down to the lower node. If a node has no aci in its resourceACLs, then it's + * considered passed. + *

+ * example: certServer.common.users, if failed permission check for "certServer", then it's considered failed, and + * there is no need to continue the check. If passed permission check for "certServer", then it's considered passed, + * and no need to continue the check. If certServer contains no aci then "certServer.common" will be checked for + * permission instead. If down to the leaf level, the node still contains no aci, then it's considered passed. If at + * the leaf level, no such resource exist, or no acis, it's considered passed. + *

+ * If there are multiple aci's for a resource, ALL aci's will be checked, and only if all passed permission checks, + * will the eventual access be granted. + * + * @param name resource name + * @param perm permission requested + * @exception EACLsException access permission denied + */ + protected synchronized void checkPermission(String name, String perm) + throws EACLsException { + String resource = ""; + StringTokenizer st = new StringTokenizer(name, "."); + + while (st.hasMoreTokens()) { + String node = st.nextToken(); + + if (!"".equals(resource)) { + resource = resource + "." + node; + } else { + resource = node; + } + + boolean passed = false; + + try { + passed = checkACLs(resource, perm); + } catch (EACLsException e) { + Object[] params = new Object[2]; + + params[0] = name; + params[1] = perm; + + log(ILogger.LL_SECURITY, CMS.getLogMessage("AUTHZ_EVALUATOR_ACCESS_DENIED", name, perm)); + + throw new EACLsException(CMS.getUserMessage("CMS_ACL_NO_PERMISSION", + (String[]) params)); + } + + if (passed) { + String infoMsg = "checkPermission(): permission granted for the resource " + + name + " on operation " + perm; + + log(ILogger.LL_INFO, infoMsg); + + return; + } // else, continue + } + } + + /** + * Checks if the permission is granted or denied in + * the current execution context. + *

+ * An ACL may contain one or more ACLEntry. However, in case of multiple + * ACLEntry, a subject must pass ALL of the ACLEntry evaluation for permission to be + * granted + *

+ * negative ("deny") aclEntries are treated differently than positive ("allow") statements. If a negative aclEntries + * fails the acl check, the permission check will return "false" right away; while in the case of a positive + * aclEntry, if the the aclEntry fails the acl check, the next aclEntry will be evaluated. + * + * @param name resource name + * @param perm permission requested + * @return true if access allowed + * false if should be passed down to the next node + * @exception EACLsException if access disallowed + */ + private boolean checkACLs(String name, String perm) + throws EACLsException { + ACL acl = (ACL) mACLs.get(name); + + // no such resource, pass it down + if (acl == null) { + String infoMsg = "checkACLs(): no acl for" + + name + "...pass down to next node"; + + log(ILogger.LL_INFO, infoMsg); + + return false; + } + + Enumeration e = acl.entries(); + + if ((e == null) || (e.hasMoreElements() == false)) { + // no acis for node, pass down to next node + String infoMsg = " AAclAuthz.checkACLs(): no acis for " + + name + " acl entry...pass down to next node"; + + log(ILogger.LL_INFO, infoMsg); + + return false; + } + + /** + * must pass all ACLEntry + */ + for (; e.hasMoreElements();) { + ACLEntry entry = (ACLEntry) e.nextElement(); + + // if permission not pertinent, move on to next ACLEntry + if (entry.containPermission(perm) == true) { + if (evaluateExpressions(entry.getAttributeExpressions())) { + if (entry.checkPermission(perm) == false) { + log(ILogger.LL_SECURITY, " checkACLs(): permission denied"); + throw new EACLsException(CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); + } + } else if (!entry.isNegative()) { + // didn't meet the access expression for "allow", failed + log(ILogger.LL_SECURITY, "checkACLs(): permission denied"); + throw new EACLsException(CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); + } + } + } + + return true; + } + + /** + * Resolves the given expressions. + * expression || expression || ... 
+ * example: + * group="Administrators" || group="Operators" + */ + private boolean evaluateExpressions(String s) { + // XXX - just handle "||" (or) among multiple expressions for now + // XXX - could use some optimization ... later + + CMS.debug("evaluating expressions: " + s); + + Vector v = new Vector(); + + while (s.length() > 0) { + int orIndex = s.indexOf("||"); + int andIndex = s.indexOf("&&"); + + // this is the last expression + if (orIndex == -1 && andIndex == -1) { + boolean passed = evaluateExpression(s.trim()); + + v.addElement(Boolean.valueOf(passed)); + break; + + // || first + } else if (andIndex == -1 || (orIndex != -1 && orIndex < andIndex)) { + String s1 = s.substring(0, orIndex); + boolean passed = evaluateExpression(s1.trim()); + + v.addElement(new Boolean(passed)); + v.addElement("||"); + s = s.substring(orIndex + 2); + // && first + } else { + String s1 = s.substring(0, andIndex); + boolean passed = evaluateExpression(s1.trim()); + + v.addElement(new Boolean(passed)); + v.addElement("&&"); + s = s.substring(andIndex + 2); + } + } + + if (v.size() == 1) { + Boolean bool = (Boolean) v.remove(0); + + return bool.booleanValue(); + } + boolean left = false; + String op = ""; + boolean right = false; + + while (v.size() > 0) { + if (op.equals("")) + left = ((Boolean) v.remove(0)).booleanValue(); + op = (String) v.remove(0); + right = ((Boolean) v.remove(0)).booleanValue(); + left = evaluateExp(left, op, right); + } + + return left; + } + + /** + * Resolves the given expression. + */ + private boolean evaluateExpression(String expression) { + // XXX - just recognize "=" for now!! 
+ int i = expression.indexOf("="); + String type = expression.substring(0, i); + String value = expression.substring(i + 1); + IAccessEvaluator evaluator = (IAccessEvaluator) mEvaluators.get(type); + + if (evaluator == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_NOT_FOUND", type)); + return false; + } + + return evaluator.evaluate(type, "=", value); + } + + /******************************************************* + * with authToken + *******************************************************/ + + /** + * Checks if the permission is granted or denied with id from authtoken + * gotten from authentication that precedes authorization. If the code is + * marked as privileged, this methods will simply + * return. + *

+ * note that if a resource does not exist in the aclResources entry, but a higher level node exist, it will still be + * evaluated. The highest level node's acl determines the permission. If the higher level node doesn't contain any + * acl information, then it's passed down to the lower node. If a node has no aci in its resourceACLs, then it's + * considered passed. + *

+ * example: certServer.common.users, if failed permission check for "certServer", then it's considered failed, and + * there is no need to continue the check. If passed permission check for "certServer", then it's considered passed, + * and no need to continue the check. If certServer contains no aci then "certServer.common" will be checked for + * permission instead. If down to the leaf level, the node still contains no aci, then it's considered passed. If at + * the leaf level, no such resource exist, or no acis, it's considered passed. + *

+ * If there are multiple aci's for a resource, ALL aci's will be checked, and only if all passed permission checks, + * will the eventual access be granted. + * + * @param authToken authentication token gotten from authentication + * @param name resource name + * @param perm permission requested + * @exception EACLsException access permission denied + */ + public synchronized void checkPermission(IAuthToken authToken, String name, + String perm) + throws EACLsException { + + Vector nodev = getNodes(name); + Enumeration nodes = nodev.elements(); + String order = getOrder(); + Enumeration entries = null; + + if (order.equals("deny")) + entries = getDenyEntries(nodes, perm); + else + entries = getAllowEntries(nodes, perm); + + boolean permitted = false; + + while (entries.hasMoreElements()) { + ACLEntry entry = (ACLEntry) entries.nextElement(); + + CMS.debug("checkACLS(): ACLEntry expressions= " + + entry.getAttributeExpressions()); + if (evaluateExpressions(authToken, entry.getAttributeExpressions())) { + log(ILogger.LL_SECURITY, + " checkACLs(): permission denied"); + throw new EACLsException(CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); + } + } + + nodes = nodev.elements(); + if (order.equals("deny")) + entries = getAllowEntries(nodes, perm); + else + entries = getDenyEntries(nodes, perm); + + while (entries.hasMoreElements()) { + ACLEntry entry = (ACLEntry) entries.nextElement(); + + CMS.debug("checkACLS(): ACLEntry expressions= " + + entry.getAttributeExpressions()); + if (evaluateExpressions(authToken, entry.getAttributeExpressions())) { + permitted = true; + } + } + + nodev = null; + if (permitted) { + String infoMsg = "checkPermission(): permission granted for the resource " + + name + " on operation " + perm; + + log(ILogger.LL_INFO, infoMsg); + return; + } else { + Object[] params = new Object[2]; + + params[0] = name; + params[1] = perm; + + log(ILogger.LL_SECURITY, + CMS.getLogMessage("AUTHZ_EVALUATOR_ACCESS_DENIED", name, perm)); + + throw new 
EACLsException(CMS.getUserMessage("CMS_ACL_NO_PERMISSION", + (String[]) params)); + } + } + + protected Enumeration getAllowEntries(Enumeration nodes, String operation) { + String name = ""; + ACL acl = null; + Enumeration e = null; + Vector v = new Vector(); + + while (nodes.hasMoreElements()) { + name = (String) nodes.nextElement(); + acl = (ACL) mACLs.get(name); + if (acl == null) + continue; + e = acl.entries(); + while (e.hasMoreElements()) { + ACLEntry entry = (ACLEntry) e.nextElement(); + + if (!entry.isNegative() && + entry.containPermission(operation)) { + v.addElement(entry); + } + } + } + + return v.elements(); + } + + protected Enumeration getDenyEntries(Enumeration nodes, String operation) { + String name = ""; + ACL acl = null; + Enumeration e = null; + Vector v = new Vector(); + + while (nodes.hasMoreElements()) { + name = (String) nodes.nextElement(); + acl = (ACL) mACLs.get(name); + if (acl == null) + continue; + e = acl.entries(); + while (e.hasMoreElements()) { + ACLEntry entry = e.nextElement(); + + if (entry.isNegative() && + entry.containPermission(operation)) { + v.addElement(entry); + } + } + } + + return v.elements(); + } + + /** + * Resolves the given expressions. + * expression || expression || ... + * example: + * group="Administrators" || group="Operators" + */ + private boolean evaluateExpressions(IAuthToken authToken, String s) { + // XXX - just handle "||" (or) among multiple expressions for now + // XXX - could use some optimization ... 
later + CMS.debug("evaluating expressions: " + s); + + Vector v = new Vector(); + + while (s.length() > 0) { + int orIndex = s.indexOf("||"); + int andIndex = s.indexOf("&&"); + + // this is the last expression + if (orIndex == -1 && andIndex == -1) { + boolean passed = evaluateExpression(authToken, s.trim()); + + CMS.debug("evaluated expression: " + s.trim() + " to be " + passed); + v.addElement(Boolean.valueOf(passed)); + break; + + // || first + } else if (andIndex == -1 || (orIndex != -1 && orIndex < andIndex)) { + String s1 = s.substring(0, orIndex); + boolean passed = evaluateExpression(authToken, s1.trim()); + + CMS.debug("evaluated expression: " + s1.trim() + " to be " + passed); + v.addElement(new Boolean(passed)); + v.addElement("||"); + s = s.substring(orIndex + 2); + // && first + } else { + String s1 = s.substring(0, andIndex); + boolean passed = evaluateExpression(authToken, s1.trim()); + + CMS.debug("evaluated expression: " + s1.trim() + " to be " + passed); + v.addElement(new Boolean(passed)); + v.addElement("&&"); + s = s.substring(andIndex + 2); + } + } + + if (v.size() == 0) { + return false; + } + + if (v.size() == 1) { + Boolean bool = (Boolean) v.remove(0); + + return bool.booleanValue(); + } + + boolean left = false; + String op = ""; + boolean right = false; + + while (v.size() > 0) { + if (op.equals("")) + left = ((Boolean) v.remove(0)).booleanValue(); + op = (String) v.remove(0); + right = ((Boolean) v.remove(0)).booleanValue(); + left = evaluateExp(left, op, right); + } + + return left; + } + + public Vector getNodes(String resourceID) { + Vector v = new Vector(); + + if (resourceID != null && !resourceID.equals("")) { + v.addElement(resourceID); + } else { + return v; + } + int index = resourceID.lastIndexOf("."); + String name = resourceID; + + while (index != -1) { + name = name.substring(0, index); + v.addElement(name); + index = name.lastIndexOf("."); + } + + return v; + } + + /** + * Resolves the given expression. 
+ */ + private boolean evaluateExpression(IAuthToken authToken, String expression) { + String op = getOp(expression); + String type = ""; + String value = ""; + + if (!op.equals("")) { + int len = op.length(); + int i = expression.indexOf(op); + + type = expression.substring(0, i).trim(); + value = expression.substring(i + len).trim(); + } + IAccessEvaluator evaluator = (IAccessEvaluator) mEvaluators.get(type); + + if (evaluator == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_NOT_FOUND", type)); + return false; + } + + return evaluator.evaluate(authToken, type, op, value); + } + + private String getOp(String exp) { + int i = exp.indexOf("!="); + + if (i == -1) { + i = exp.indexOf("="); + if (i == -1) { + i = exp.indexOf(">"); + if (i == -1) { + i = exp.indexOf("<"); + if (i == -1) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_OP_NOT_SUPPORTED", exp)); + } else { + return "<"; + } + } else { + return ">"; + } + } else { + return "="; + } + } else { + return "!="; + } + return ""; + } + + private boolean evaluateExp(boolean left, String op, boolean right) { + if (op.equals("||")) { + if (left == false && right == false) + return false; + return true; + } else if (op.equals("&&")) { + if (left == true && right == true) + return true; + return false; + } + return false; + } + + /******************************************************* + * end identification differentiation + *******************************************************/ + + /** + * This one only updates the memory. 
Classes extend this class should + * also update to a permanent storage + */ + public void updateACLs(String id, String rights, String strACLs, + String desc) throws EACLsException { + String resourceACLs = id; + + if (rights != null) + resourceACLs = id + ":" + rights + ":" + strACLs + ":" + desc; + + // memory update + ACL ac = null; + + try { + ac = (ACL) CMS.parseACL(resourceACLs); + } catch (EBaseException ex) { + throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR_0")); + } + + mACLs.put(ac.getName(), ac); + } + + /** + * gets an enumeration of resources + * + * @return an enumeration of resources contained in the ACL table + */ + public Enumeration aclResElements() { + return (mACLs.elements()); + } + + /** + * gets an enumeration of access evaluators + * + * @return an enumeraton of access evaluators + */ + public Enumeration aclEvaluatorElements() { + return (mEvaluators.elements()); + } + + /** + * gets the access evaluators + * + * @return handle to the access evaluators table + */ + public Hashtable getAccessEvaluators() { + return mEvaluators; + } + + /** + * is this resource name unique + * + * @return true if unique; false otherwise + */ + public boolean isTypeUnique(String type) { + if (mACLs.containsKey((Object) type)) { + return false; + } else { + return true; + } + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, + level, msg); + } + + /********************************* + * abstract methods + **********************************/ + + /** + * update acls. called after memory upate is done to flush to permanent + * storage. + *

+ */ + protected abstract void flushResourceACLs() throws EACLsException; + + /** + * an abstract class that enforces implementation of the + * authorize() method that will authorize an operation on a + * particular resource + * + * @param authToken the authToken associated with a user + * @param resource - the protected resource name + * @param operation - the protected resource operation name + * @exception EBaseException If an internal error occurred. + * @return authzToken + */ + public abstract AuthzToken authorize(IAuthToken authToken, String resource, String operation) throws EBaseException; + + public String getOrder() { + IConfigStore mainConfig = CMS.getConfigStore(); + String order = ""; + + try { + order = mainConfig.getString("authz.evaluateOrder", ""); + if (order.startsWith("allow")) + return "allow"; + else + return "deny"; + } catch (Exception e) { + } + return "deny"; + } + + public boolean evaluateACLs(IAuthToken authToken, String exp) { + return evaluateExpressions(authToken, exp); + } +} diff --git a/base/common/src/com/netscape/cms/authorization/BasicAclAuthz.java b/base/common/src/com/netscape/cms/authorization/BasicAclAuthz.java new file mode 100644 index 000000000..f6b1b6713 --- /dev/null +++ b/base/common/src/com/netscape/cms/authorization/BasicAclAuthz.java 
@@ -0,0 +1,217 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.authorization; + +// cert server imports. +import com.netscape.certsrv.acls.EACLsException; +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authorization.AuthzToken; +import com.netscape.certsrv.authorization.EAuthzAccessDenied; +import com.netscape.certsrv.authorization.EAuthzInternalError; +import com.netscape.certsrv.authorization.IAuthzManager; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.logging.ILogger; + +/** + * A class for basic acls authorization manager + * + * @version $Revision$, $Date$ + */ +public class BasicAclAuthz extends AAclAuthz + implements IAuthzManager, IExtendedPluginInfo { + + // members + + /* name of this authorization manager instance */ + private String mName = null; + + /* name of the authorization manager plugin */ + private String mImplName = null; + + /* configuration store */ + private IConfigStore mConfig; + + /* the system logger */ + private ILogger mLogger = null; + + protected static 
final String PROP_BASEDN = "basedn"; + + private static boolean needsFlush = false; + + static { + mExtendedPluginInfo.add("nothing for now"); + } + + /** + * Default constructor + */ + public BasicAclAuthz() { + + /* Holds configuration parameters accepted by this implementation. + * This list is passed to the configuration console so configuration + * for instances of this implementation can be configured through the + * console. + */ + mConfigParams = + new String[] { + "dummy" + }; + } + + /** + * + */ + public void init(String name, String implName, IConfigStore config) + throws EBaseException { + mName = name; + mImplName = implName; + mConfig = config; + mLogger = CMS.getLogger(); + + super.init(config); + + log(ILogger.LL_INFO, "initialization done"); + } + + /** + * gets the name of this authorization manager instance + */ + public String getName() { + return mName; + } + + /** + * gets the plugin name of this authorization manager. + */ + public String getImplName() { + return mImplName; + } + + /** + * check the authorization permission for the user associated with + * authToken on operation + *

+ * Example: + *

+ * For example, if UsrGrpAdminServlet needs to authorize the caller it would do be done in the following fashion: + * + *

+     * try {
+     *     authzTok = mAuthz.authorize("DirACLBasedAuthz", authToken, RES_GROUP, "read");
+     * } catch (EBaseException e) {
+     *     log(ILogger.LL_FAILURE, "authorize call: " + e.toString());
+     * }
+     * 
+ * + * @param authToken the authToken associated with a user + * @param resource - the protected resource name + * @param operation - the protected resource operation name + * @exception EAuthzInternalError if an internal error occurred. + * @exception EAuthzAccessDenied if access denied + * @return authzToken if success + */ + public AuthzToken authorize(IAuthToken authToken, String resource, String operation) + throws EAuthzInternalError, EAuthzAccessDenied { + AuthzToken authzToken = new AuthzToken(this); + + try { + checkPermission(authToken, resource, operation); + + CMS.debug("BasicAclAuthz: authorization passed"); + + // compose AuthzToken + authzToken.set(AuthzToken.TOKEN_AUTHZ_RESOURCE, resource); + authzToken.set(AuthzToken.TOKEN_AUTHZ_OPERATION, operation); + authzToken.set(AuthzToken.TOKEN_AUTHZ_STATUS, + AuthzToken.AUTHZ_STATUS_SUCCESS); + } catch (EACLsException e) { + // audit here later + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED")); + String params[] = { resource, operation }; + + throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); + } + + return authzToken; + } + + public AuthzToken authorize(IAuthToken authToken, String expression) + throws EAuthzAccessDenied { + if (evaluateACLs(authToken, expression)) { + return (new AuthzToken(this)); + } else { + String params[] = { expression }; + throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); + } + } + + /** + * This currently does not flush to permanent storage + * + * @param id is the resource id + * @param strACLs + */ + public void updateACLs(String id, String rights, String strACLs, + String desc) throws EACLsException { + try { + super.updateACLs(id, rights, strACLs, desc); + // flushResourceACLs(); + needsFlush = false; + } catch (EACLsException ex) { + // flushing failed, set flag + needsFlush = true; + + log(ILogger.LL_FAILURE, 
CMS.getLogMessage("AUTHZ_EVALUATOR_FLUSH_RESOURCES", ex.toString())); + + throw new EACLsException(CMS.getUserMessage("CMS_ACL_UPDATE_FAIL")); + } + } + + /** + * updates resourceACLs to permanent storage. + * currently not implemented for this authzMgr + */ + protected void flushResourceACLs() throws EACLsException { + log(ILogger.LL_FAILURE, "flushResourceACL() is not implemented"); + throw new EACLsException(CMS.getUserMessage("CMS_ACL_METHOD_NOT_IMPLEMENTED")); + } + + /** + * graceful shutdown + */ + public void shutdown() { + log(ILogger.LL_INFO, "shutting down"); + } + + /** + * Logs a message for this class in the system log file. + * + * @param level The log level. + * @param msg The message to log. + * @see com.netscape.certsrv.logging.ILogger + */ + protected void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, + level, msg); + } +} diff --git a/base/common/src/com/netscape/cms/authorization/DirAclAuthz.java b/base/common/src/com/netscape/cms/authorization/DirAclAuthz.java new file mode 100644 index 000000000..acc3ffbb7 --- /dev/null +++ b/base/common/src/com/netscape/cms/authorization/DirAclAuthz.java 
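Review bot: In `updateACLs` the `flushResourceACLs()` call is commented out, so the only thing that can throw inside the try is `super.updateACLs`, i.e. a parse failure of the ACL string; the catch nevertheless sets `needsFlush = true` and logs AUTHZ_EVALUATOR_FLUSH_RESOURCES, so a malformed ACL is recorded as a flush failure and the original parse message is discarded. Since `needsFlush` is never read in this class, either let the parse exception propagate or log it for what it is, e.g. `log(ILogger.LL_FAILURE, "updateACLs(" + id + ") failed: " + ex.toString());` before rethrowing. The static initializer appends to `mExtendedPluginInfo`, which is not declared here and so appears to be a static inherited from AAclAuthz; if so, this class and DirAclAuthz (same pattern in its hunk) both append to one shared Vector and each plugin reports the other's parameters once both classes are loaded — confirm and give each subclass its own list. The two-argument `authorize(IAuthToken, String)` returns an AuthzToken with none of TOKEN_AUTHZ_RESOURCE/OPERATION/STATUS set, unlike the three-argument overload; a comment saying whether callers may rely on STATUS being present would help.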
@@ -0,0 +1,366 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.authorization; + +import java.util.Enumeration; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPModification; +import netscape.ldap.LDAPModificationSet; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; + +import com.netscape.certsrv.acls.ACL; +import com.netscape.certsrv.acls.EACLsException; +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authorization.AuthzToken; +import com.netscape.certsrv.authorization.EAuthzAccessDenied; +import com.netscape.certsrv.authorization.EAuthzInternalError; +import com.netscape.certsrv.authorization.IAuthzManager; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.ldap.ILdapConnFactory; +import com.netscape.certsrv.logging.ILogger; + +/** + * A class for ldap acls based authorization manager + * The ldap 
server used for acls is the cms internal ldap db. + * + * @version $Revision$, $Date$ + */ +public class DirAclAuthz extends AAclAuthz + implements IAuthzManager, IExtendedPluginInfo { + + // members + + /* name of this authentication manager instance */ + private String mName = null; + + /* name of the authentication manager plugin */ + private String mImplName = null; + + /* configuration store */ + private IConfigStore mConfig; + + /* the system logger */ + private ILogger mLogger = null; + + protected static final String PROP_BASEDN = "basedn"; + + private ILdapConnFactory mLdapConnFactory = null; + private String mBaseDN = null; + private static boolean needsFlush = false; + + static { + mExtendedPluginInfo.add("ldap.ldapconn.host;string,required;" + + "LDAP host to connect to"); + mExtendedPluginInfo.add("ldap.ldapconn.port;number,required;" + + "LDAP port number (use 389, or 636 if SSL)"); + mExtendedPluginInfo.add("ldap.ldapconn.secureConn;boolean;" + + "Use SSL to connect to directory?"); + mExtendedPluginInfo.add("ldap.ldapconn.version;choice(3,2);" + + "LDAP protocol version"); + mExtendedPluginInfo.add("ldap.basedn;string,required;Base DN to start sarching " + + "under. If the ACL's DN is 'cn=resourceACL, o=NetscapeCertificateServer' you " + + "might want to use 'o=NetscapeCertificateServer' here"); + mExtendedPluginInfo.add("ldap.minConns;number;number of connections " + + "to keep open to directory server. Default 5."); + mExtendedPluginInfo.add("ldap.maxConns;number;when needed, connection " + + + "pool can grow to this many (multiplexed) connections. Default 1000"); + } + + /** + * Default constructor + */ + public DirAclAuthz() { + + /* Holds configuration parameters accepted by this implementation. + * This list is passed to the configuration console so configuration + * for instances of this implementation can be configured through the + * console. 
+ */ + mConfigParams = + new String[] { + "ldap.ldapconn.host", + "ldap.ldapconn.port", + "ldap.ldapconn.secureConn", + "ldap.ldapconn.version", + "ldap.basedn", + "ldap.minConns", + "ldap.maxConns", + }; + } + + /** + * + */ + public void init(String name, String implName, IConfigStore config) + throws EBaseException { + mName = name; + mImplName = implName; + mConfig = config; + mLogger = CMS.getLogger(); + + super.init(config); + + // initialize LDAP connection factory + IConfigStore ldapConfig = mConfig.getSubStore("ldap"); + + if (ldapConfig == null) { + log(ILogger.LL_MISCONF, "failed to get config ldap info"); + return; + } + + mBaseDN = ldapConfig.getString(PROP_BASEDN, null); + + try { + @SuppressWarnings("unused") + String hostname = ldapConfig.getString("ldapconn.host"); // check for errors + } catch (EBaseException e) { + if (CMS.isPreOpMode()) + return; + } + + mLdapConnFactory = CMS.getLdapBoundConnFactory(); + mLdapConnFactory.init(ldapConfig); + + // retrieve aclResources from the LDAP server and load + // into memory + LDAPConnection conn = null; + + CMS.debug("DirAclAuthz: about to ldap search aclResources"); + try { + conn = getConn(); + LDAPSearchResults res = conn.search(mBaseDN, LDAPv2.SCOPE_SUB, + "cn=aclResources", null, false); + + returnConn(conn); + if (res.hasMoreElements()) { + log(ILogger.LL_INFO, "ldap search found cn=aclResources"); + + LDAPEntry entry = (LDAPEntry) res.nextElement(); + LDAPAttribute aclRes = entry.getAttribute("resourceACLS"); + + @SuppressWarnings("unchecked") + Enumeration en = (Enumeration) aclRes.getStringValues(); + + for (; en != null && en.hasMoreElements();) { + addACLs(en.nextElement()); + } + } else { + log(ILogger.LL_INFO, "ldap search found no cn=aclResources"); + } + } catch (LDAPException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_INIT_ERROR", e.toString())); + throw new EACLsException(CMS.getUserMessage("CMS_ACL_CONNECT_LDAP_FAIL", mBaseDN)); + } catch (EBaseException e) { + 
log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_INIT_ERROR", e.toString())); + } + + log(ILogger.LL_INFO, "initialization done"); + } + + /** + * gets the name of this authorization manager instance + */ + public String getName() { + return mName; + } + + /** + * gets the plugin name of this authorization manager. + */ + public String getImplName() { + return mImplName; + } + + /** + * check the authorization permission for the user associated with + * authToken on operation + *

+ * Example: + *

+ * For example, if UsrGrpAdminServlet needs to authorize the caller it would do be done in the following fashion: + * + *

+     * try {
+     *     authzTok = mAuthz.authorize("DirAclAuthz", authToken, RES_GROUP, "read");
+     * } catch (EBaseException e) {
+     *     log(ILogger.LL_FAILURE, "authorize call: " + e.toString());
+     * }
+     * 
+ * + * @param authToken the authToken associated with a user + * @param resource - the protected resource name + * @param operation - the protected resource operation name + * @exception EBaseException If an internal error occurred. + * @return authzToken + */ + public AuthzToken authorize(IAuthToken authToken, String resource, String operation) + throws EAuthzInternalError, EAuthzAccessDenied { + AuthzToken authzToken = new AuthzToken(this); + + try { + checkPermission(authToken, resource, operation); + // compose AuthzToken + authzToken.set(AuthzToken.TOKEN_AUTHZ_RESOURCE, resource); + authzToken.set(AuthzToken.TOKEN_AUTHZ_OPERATION, operation); + authzToken.set(AuthzToken.TOKEN_AUTHZ_STATUS, AuthzToken.AUTHZ_STATUS_SUCCESS); + CMS.debug("DirAclAuthz: authorization passed"); + } catch (EACLsException e) { + // audit here later + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED")); + String params[] = { resource, operation }; + + throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); + } + + return authzToken; + } + + public AuthzToken authorize(IAuthToken authToken, String expression) + throws EAuthzAccessDenied { + if (evaluateACLs(authToken, expression)) { + return (new AuthzToken(this)); + } else { + String params[] = { expression }; + throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); + } + } + + /** + * update acls. when memory update is done, flush to ldap. + *

+ * Currently, it is possible that when the memory is updated successfully, and the ldap isn't, the memory upates + * lingers. The result is that the changes will only be done on ldap at the next update, or when the system shuts + * down, another flush will be attempted. + * + * @param id is the resource id + * @param rights The allowable rights for this resource + * @param strACLs has the same format as a resourceACLs entry acis + * on the ldap server + * @param desc The description for this resource + */ + public void updateACLs(String id, String rights, String strACLs, + String desc) throws EACLsException { + try { + super.updateACLs(id, rights, strACLs, desc); + flushResourceACLs(); + needsFlush = false; + } catch (EACLsException ex) { + // flushing failed, set flag + needsFlush = true; + + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_FLUSH_RESOURCES", ex.toString())); + + throw new EACLsException(CMS.getUserMessage("CMS_ACL_UPDATE_FAIL")); + } + } + + /** + * updates resourceACLs to ldap. 
+ */ + protected void flushResourceACLs() throws EACLsException { + // ldap update + LDAPConnection conn = null; + + try { + LDAPAttribute attrs = new LDAPAttribute("resourceACLS"); + LDAPModificationSet mod = new LDAPModificationSet(); + + Enumeration en = aclResElements(); + + if (en.hasMoreElements() == true) { + while (en.hasMoreElements()) { + ACL a = (ACL) en.nextElement(); + String resAclString = a.getResourceACLs(); + + attrs.addValue(resAclString); + } + + mod.add(LDAPModification.REPLACE, attrs); + + conn = getConn(); + conn.modify("cn=aclResources," + mBaseDN, mod); + } + } catch (LDAPException ex) { + System.out.println(ex.toString()); + throw new EACLsException(CMS.getUserMessage("CMS_ACL_UPDATE_FAIL")); + } catch (Exception ex) { + System.out.println(ex.toString()); + throw new EACLsException(CMS.getUserMessage("CMS_ACL_UPDATE_FAIL")); + } finally { + try { + returnConn(conn); + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, "couldn't return conn ?"); + } + } + } + + protected LDAPConnection getConn() throws ELdapException { + return mLdapConnFactory.getConn(); + } + + protected void returnConn(LDAPConnection conn) throws ELdapException { + mLdapConnFactory.returnConn(conn); + } + + /** + * graceful shutdown + */ + public void shutdown() { + if (needsFlush) { + // flush the changes + try { + flushResourceACLs(); + } catch (EACLsException e) { + // flushing failed again...too bad + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_FLUSH_ERROR", e.toString())); + } + } + + try { + mLdapConnFactory.reset(); + mLdapConnFactory = null; + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_LDAP_ERROR", e.toString())); + } + } + + /** + * Logs a message for this class in the system log file. + * + * @param level The log level. + * @param msg The message to log. 
+ * @see com.netscape.certsrv.logging.ILogger + */ + protected void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, + level, msg); + } +} diff --git a/base/common/src/com/netscape/cms/crl/CMSAuthInfoAccessExtension.java b/base/common/src/com/netscape/cms/crl/CMSAuthInfoAccessExtension.java new file mode 100644 index 000000000..d4cef0148 --- /dev/null +++ b/base/common/src/com/netscape/cms/crl/CMSAuthInfoAccessExtension.java 
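Review bot: In `init`, `returnConn(conn)` is called immediately after `conn.search(...)` but before `res.hasMoreElements()`/`res.nextElement()` are read, and it is skipped entirely when `search` throws, so a failed search leaks the pooled connection and a successful one iterates the result set on a connection already handed back to the pool. Moving the return into a `finally` after the results are consumed fixes both. `shutdown()` also dereferences `mLdapConnFactory` unconditionally, but `init` returns early, before the factory is created, when the `ldap` substore is missing or in pre-op mode, so shutting down such an instance throws NullPointerException; guard it with `if (mLdapConnFactory != null)`. The `finally` in `flushResourceACLs` has the same shape and may pass a null `conn` to `returnConn` when `getConn()` was never reached.
```java
        LDAPConnection conn = null;

        CMS.debug("DirAclAuthz: about to ldap search aclResources");
        try {
            conn = getConn();
            LDAPSearchResults res = conn.search(mBaseDN, LDAPv2.SCOPE_SUB,
                    "cn=aclResources", null, false);

            // consume the results while the connection is still ours
            if (res.hasMoreElements()) {
                // … unchanged: load resourceACLS values via addACLs …
            } else {
                log(ILogger.LL_INFO, "ldap search found no cn=aclResources");
            }
        } catch (LDAPException e) {
            // … unchanged: log and throw CMS_ACL_CONNECT_LDAP_FAIL …
        } catch (EBaseException e) {
            // … unchanged: log AUTHZ_EVALUATOR_INIT_ERROR …
        } finally {
            if (conn != null) {
                try {
                    returnConn(conn);
                } catch (ELdapException e) {
                    log(ILogger.LL_FAILURE, "couldn't return conn ?");
                }
            }
        }
```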
@@ -0,0 +1,259 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.crl; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.extensions.AuthInfoAccessExtension; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.Extension; +import netscape.security.x509.GeneralName; +import netscape.security.x509.URIName; +import netscape.security.x509.X500Name; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.EPropertyNotFound; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ca.ICMSCRLExtension; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.logging.ILogger; + +/** + * This represents a Authority Information Access CRL extension. 
+ * + * @version $Revision$, $Date$ + */ +public class CMSAuthInfoAccessExtension + implements ICMSCRLExtension, IExtendedPluginInfo { + public static final String PROP_NUM_ADS = "numberOfAccessDescriptions"; + public static final String PROP_ACCESS_METHOD = "accessMethod"; + public static final String PROP_ACCESS_LOCATION_TYPE = "accessLocationType"; + public static final String PROP_ACCESS_LOCATION = "accessLocation"; + + private static final String PROP_ACCESS_METHOD_OCSP = "ocsp"; + private static final String PROP_ACCESS_METHOD_CAISSUERS = "caIssuers"; + private static final String PROP_DIRNAME = "DirectoryName"; + private static final String PROP_URINAME = "URI"; + + private ILogger mLogger = CMS.getLogger(); + + public CMSAuthInfoAccessExtension() { + } + + public Extension setCRLExtensionCriticality(Extension ext, + boolean critical) { + AuthInfoAccessExtension authInfoAccessExt = (AuthInfoAccessExtension) ext; + + authInfoAccessExt.setCritical(critical); + + return authInfoAccessExt; + } + + public Extension getCRLExtension(IConfigStore config, Object ip, + boolean critical) { + AuthInfoAccessExtension authInfoAccessExt = new AuthInfoAccessExtension(critical); + + int numberOfAccessDescriptions = 0; + + try { + numberOfAccessDescriptions = config.getInteger(PROP_NUM_ADS, 0); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_AIA_INVALID_NUM_ADS", e.toString())); + } + + if (numberOfAccessDescriptions > 0) { + + for (int i = 0; i < numberOfAccessDescriptions; i++) { + String accessMethod = null; + String accessLocationType = null; + String accessLocation = null; + ObjectIdentifier method = AuthInfoAccessExtension.METHOD_CA_ISSUERS; + + try { + accessMethod = config.getString(PROP_ACCESS_METHOD + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_AIA_AD_AM_UNDEFINED", e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, 
CMS.getLogMessage("CRL_CREATE_AIA_AD_AM_INVALID", e.toString())); + } + + if (accessMethod != null && accessMethod.equals(PROP_ACCESS_METHOD_OCSP)) { + method = AuthInfoAccessExtension.METHOD_OCSP; + } + + try { + accessLocationType = config.getString(PROP_ACCESS_LOCATION_TYPE + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_AIA_AD_ALT_UNDEFINED", e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_AIA_AD_ALT_INVALID", e.toString())); + } + + try { + accessLocation = config.getString(PROP_ACCESS_LOCATION + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_UNDEFINED", e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_INVALID", e.toString())); + } + + if (accessLocationType != null && accessLocation != null && accessLocation.length() > 0) { + if (accessLocationType.equalsIgnoreCase(PROP_DIRNAME)) { + try { + X500Name dirName = new X500Name(accessLocation); + authInfoAccessExt.addAccessDescription(method, new GeneralName(dirName)); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_INVALID_500NAME", e.toString())); + } + } else if (accessLocationType.equalsIgnoreCase(PROP_URINAME)) { + URIName uriName = new URIName(accessLocation); + authInfoAccessExt.addAccessDescription(method, new GeneralName(uriName)); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_INVALID_POTINT_TYPE", accessLocation)); + } + } else { + accessLocationType = PROP_URINAME; + String hostname = CMS.getEENonSSLHost(); + String port = CMS.getEENonSSLPort(); + if (hostname != null && port != null) { + accessLocation = "http://" + hostname + ":" + port + "/ca/ee/ca/getCAChain?op=downloadBIN"; + } + URIName uriName = new URIName(accessLocation); + authInfoAccessExt.addAccessDescription(AuthInfoAccessExtension.METHOD_CA_ISSUERS, new GeneralName( + 
uriName)); + } + } + } + + return authInfoAccessExt; + } + + public String getCRLExtOID() { + return AuthInfoAccessExtension.ID.toString(); + } + + public void getConfigParams(IConfigStore config, NameValuePairs nvp) { + + int numberOfAccessDescriptions = 0; + + try { + numberOfAccessDescriptions = config.getInteger(PROP_NUM_ADS, 0); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_AIA_INVALID_NUM_ADS", e.toString())); + } + nvp.put(PROP_NUM_ADS, String.valueOf(numberOfAccessDescriptions)); + + for (int i = 0; i < numberOfAccessDescriptions; i++) { + String accessMethod = null; + String accessLocationType = null; + String accessLocation = null; + + try { + accessMethod = config.getString(PROP_ACCESS_METHOD + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_AIA_AD_AM_UNDEFINED", e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_AIA_AD_AM_INVALID", e.toString())); + } + + if (accessMethod != null && accessMethod.length() > 0) { + nvp.put(PROP_ACCESS_METHOD + i, accessMethod); + } else { + nvp.put(PROP_ACCESS_METHOD + i, PROP_ACCESS_METHOD_CAISSUERS); + } + + try { + accessLocationType = config.getString(PROP_ACCESS_LOCATION_TYPE + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_AIA_AD_ALT_UNDEFINED", e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_AIA_AD_ALT_INVALID", e.toString())); + } + + if (accessLocationType != null && accessLocationType.length() > 0) { + nvp.put(PROP_ACCESS_LOCATION_TYPE + i, accessLocationType); + } else { + nvp.put(PROP_ACCESS_LOCATION_TYPE + i, PROP_URINAME); + } + + try { + accessLocation = config.getString(PROP_ACCESS_LOCATION + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_AIA_AD_AL_UNDEFINED", e.toString())); + } catch (EBaseException e) { + 
log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_AIA_AD_AL_INVALID", e.toString())); + } + + if (accessLocation != null && accessLocation.length() > 0) { + nvp.put(PROP_ACCESS_LOCATION + i, accessLocation); + } else { + String hostname = CMS.getEENonSSLHost(); + String port = CMS.getEENonSSLPort(); + if (hostname != null && port != null) { + accessLocation = "http://" + hostname + ":" + port + "/ca/ee/ca/getCAChain?op=downloadBIN"; + } + nvp.put(PROP_ACCESS_LOCATION + i, accessLocation); + } + } + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + "enable;boolean;Check to enable Authority Information Access extension.", + "critical;boolean;Set criticality for Authority Information Access extension.", + PROP_NUM_ADS + ";number;Set number of Access Descriptions.", + PROP_ACCESS_METHOD + "0;choice(" + PROP_ACCESS_METHOD_CAISSUERS + "," + + PROP_ACCESS_METHOD_OCSP + ");Select access description method.", + PROP_ACCESS_LOCATION_TYPE + "0;choice(" + PROP_URINAME + "," + + PROP_DIRNAME + ");Select access location type.", + PROP_ACCESS_LOCATION + "0;string;Enter access location " + + "corresponding to the selected access location type.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ca-edit-crlextension-authorityinformationaccess", + PROP_ACCESS_METHOD + "1;choice(" + PROP_ACCESS_METHOD_CAISSUERS + "," + + PROP_ACCESS_METHOD_OCSP + ");Select access description method.", + PROP_ACCESS_LOCATION_TYPE + "1;choice(" + PROP_URINAME + "," + + PROP_DIRNAME + ");Select access location type.", + PROP_ACCESS_LOCATION + "1;string;Enter access location " + + "corresponding to the selected access location type.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ca-edit-crlextension-authorityinformationaccess", + PROP_ACCESS_METHOD + "2;choice(" + PROP_ACCESS_METHOD_CAISSUERS + "," + + PROP_ACCESS_METHOD_OCSP + ");Select access description method.", + PROP_ACCESS_LOCATION_TYPE + "2;choice(" + PROP_URINAME + "," + + PROP_DIRNAME + 
");Select access location type.", + PROP_ACCESS_LOCATION + "2;string;Enter access location " + + "corresponding to the selected access location type.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ca-edit-crlextension-authorityinformationaccess", + IExtendedPluginInfo.HELP_TEXT + + ";The Freshest CRL is a non critical CRL extension " + + "that identifies the delta CRL distribution points for a particular CRL." + }; + + return params; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, + "CMSAuthInfoAccessExtension - " + msg); + } +} diff --git a/base/common/src/com/netscape/cms/crl/CMSAuthorityKeyIdentifierExtension.java b/base/common/src/com/netscape/cms/crl/CMSAuthorityKeyIdentifierExtension.java new file mode 100644 index 000000000..26c8c1d0e --- /dev/null +++ b/base/common/src/com/netscape/cms/crl/CMSAuthorityKeyIdentifierExtension.java 
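Review bot: The HELP_TEXT entry at the end of getExtendedPluginInfo describes the Freshest CRL extension ("identifies the delta CRL distribution points"), but this plugin is the Authority Information Access extension, so the admin UI will show the wrong help text; replace it with `";The Authority Information Access extension identifies how to reach CA information and services (caIssuers and OCSP access locations)."`. Separately, in the default branch of getCRLExtension, accessLocation stays null when CMS.getEENonSSLHost() or CMS.getEENonSSLPort() returns null and is then handed to `new URIName(accessLocation)`, which presumably does not accept null; log the missing host/port and `if (accessLocation == null) continue;` before constructing the URIName. The same null path in getConfigParams stores a null accessLocation into nvp. A smaller inconsistency: accessMethod is compared with `equals` while accessLocationType uses `equalsIgnoreCase`, so "OCSP" in the config is silently treated as caIssuers.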
@@ -0,0 +1,165 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.crl; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.security.cert.CertificateParsingException; +import java.util.Locale; + +import netscape.security.x509.AuthorityKeyIdentifierExtension; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.Extension; +import netscape.security.x509.GeneralNames; +import netscape.security.x509.KeyIdentifier; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.SerialNumber; +import netscape.security.x509.SubjectKeyIdentifierExtension; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ca.ICMSCRLExtension; +import com.netscape.certsrv.ca.ICRLIssuingPoint; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.logging.ILogger; + +/** + * This represents an authority key identifier extension. 
+ * + * @version $Revision$, $Date$ + */ +public class CMSAuthorityKeyIdentifierExtension + implements ICMSCRLExtension, IExtendedPluginInfo { + private ILogger mLogger = CMS.getLogger(); + + public CMSAuthorityKeyIdentifierExtension() { + } + + public Extension setCRLExtensionCriticality(Extension ext, + boolean critical) { + AuthorityKeyIdentifierExtension authKeyIdExt = null; + KeyIdentifier keyId = null; + GeneralNames names = null; + SerialNumber sn = null; + + try { + keyId = (KeyIdentifier) ((AuthorityKeyIdentifierExtension) ext).get( + AuthorityKeyIdentifierExtension.KEY_ID); + names = (GeneralNames) ((AuthorityKeyIdentifierExtension) ext).get( + AuthorityKeyIdentifierExtension.AUTH_NAME); + sn = (SerialNumber) ((AuthorityKeyIdentifierExtension) ext).get( + AuthorityKeyIdentifierExtension.SERIAL_NUMBER); + authKeyIdExt = new AuthorityKeyIdentifierExtension(critical, keyId, names, sn); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_AKI_EXT", e.toString())); + } + return authKeyIdExt; + } + + public Extension getCRLExtension(IConfigStore config, + Object ip, + boolean critical) { + AuthorityKeyIdentifierExtension authKeyIdExt = null; + ICRLIssuingPoint crlIssuingPoint = (ICRLIssuingPoint) ip; + + try { + KeyIdentifier keyId = null; + + try { + X509CertInfo info = (X509CertInfo) + ((ICertificateAuthority) crlIssuingPoint.getCertificateAuthority()).getCACert().get( + X509CertImpl.NAME + "." 
+ X509CertImpl.INFO); + + if (info != null) { + CertificateExtensions caCertExtensions = (CertificateExtensions) + info.get(X509CertInfo.EXTENSIONS); + + if (caCertExtensions != null) { + for (int i = 0; i < caCertExtensions.size(); i++) { + Extension caCertExt = (Extension) caCertExtensions.elementAt(i); + + if (caCertExt instanceof SubjectKeyIdentifierExtension) { + SubjectKeyIdentifierExtension id = + (SubjectKeyIdentifierExtension) caCertExt; + + keyId = (KeyIdentifier) + id.get(SubjectKeyIdentifierExtension.KEY_ID); + } + } + } + } + + } catch (CertificateParsingException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CERT_PARSING_ERROR", e.toString())); + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CERT_CERT_EXCEPTION", e.toString())); + } + + if (keyId != null) { + authKeyIdExt = new AuthorityKeyIdentifierExtension(critical, keyId, null, null); + } else { + GeneralNames gNames = new GeneralNames(); + + gNames.addElement(((ICertificateAuthority) crlIssuingPoint.getCertificateAuthority()).getX500Name()); + + authKeyIdExt = + new AuthorityKeyIdentifierExtension(critical, null, gNames, + new SerialNumber(((ICertificateAuthority) crlIssuingPoint.getCertificateAuthority()) + .getCACert().getSerialNumber())); + } + + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_AKI_EXT", e.toString())); + } + + return authKeyIdExt; + } + + public String getCRLExtOID() { + return PKIXExtensions.AuthorityKey_Id.toString(); + } + + public void getConfigParams(IConfigStore config, NameValuePairs nvp) { + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + //"type;choice(CRLExtension,CRLEntryExtension);CRL Extension Type. 
"+ + //"This field is not editable.", + "enable;boolean;Check to enable Authority Key Identifier CRL extension.", + "critical;boolean;Set criticality for Authority Key Identifier CRL extension.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ca-edit-crlextension-authoritykeyidentifier", + IExtendedPluginInfo.HELP_TEXT + + ";The authority key identifier extension provides a means " + + "of identifying the public key corresponding to the private " + + "key used to sign a CRL." + }; + + return params; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, + "CMSAuthorityKeyIdentifierExtension - " + msg); + } +} diff --git a/base/common/src/com/netscape/cms/crl/CMSCRLNumberExtension.java b/base/common/src/com/netscape/cms/crl/CMSCRLNumberExtension.java new file mode 100644 index 000000000..e7f4e7b3f --- /dev/null +++ b/base/common/src/com/netscape/cms/crl/CMSCRLNumberExtension.java 
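Review bot: Both setCRLExtensionCriticality and getCRLExtension return null after logging an IOException, so a failure to build the extension is visible only in the log and the caller receives a null Extension; the interface contract is not visible here, so either document on both methods that null means "extension not produced" or fail loudly instead of returning null. getCRLExtension also calls `crlIssuingPoint.getCertificateAuthority()` three times with the same cast; hoist it once to `ICertificateAuthority ca = (ICertificateAuthority) crlIssuingPoint.getCertificateAuthority();` at the top of the try block. The commented-out "type;choice(...)" entry at the head of the params array in getExtendedPluginInfo is dead code and should be deleted. The same commented-out entry appears in the CMSCRLNumberExtension, CMSCRLReasonExtension, CMSCertificateIssuerExtension and CMSDeltaCRLIndicatorExtension hunks, and the same null-on-IOException pattern in the CRLNumber, CertificateIssuer and DeltaCRLIndicator ones.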
@@ -0,0 +1,107 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.crl; + +import java.io.IOException; +import java.math.BigInteger; +import java.util.Locale; + +import netscape.security.x509.CRLNumberExtension; +import netscape.security.x509.Extension; +import netscape.security.x509.PKIXExtensions; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ca.ICMSCRLExtension; +import com.netscape.certsrv.ca.ICRLIssuingPoint; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.logging.ILogger; + +/** + * This represents a CRL number extension. 
+ * + * @version $Revision$, $Date$ + */ +public class CMSCRLNumberExtension + implements ICMSCRLExtension, IExtendedPluginInfo { + private ILogger mLogger = CMS.getLogger(); + + public CMSCRLNumberExtension() { + } + + public Extension setCRLExtensionCriticality(Extension ext, + boolean critical) { + BigInteger crlNumber = null; + CRLNumberExtension crlNumberExt = null; + + try { + crlNumber = (BigInteger) + ((CRLNumberExtension) ext).get(CRLNumberExtension.NUMBER); + crlNumberExt = new CRLNumberExtension(Boolean.valueOf(critical), + crlNumber); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_CRL_NUMBER_EXT", e.toString())); + } + return crlNumberExt; + } + + public Extension getCRLExtension(IConfigStore config, + Object ip, + boolean critical) { + CRLNumberExtension crlNumberExt = null; + ICRLIssuingPoint crlIssuingPoint = (ICRLIssuingPoint) ip; + + try { + crlNumberExt = new CRLNumberExtension(Boolean.valueOf(critical), + crlIssuingPoint.getNextCRLNumber()); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_CRL_NUMBER_EXT", e.toString())); + } + return crlNumberExt; + } + + public String getCRLExtOID() { + return PKIXExtensions.CRLNumber_Id.toString(); + } + + public void getConfigParams(IConfigStore config, NameValuePairs nvp) { + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + //"type;choice(CRLExtension,CRLEntryExtension);"+ + //"CRL Extension type. 
This field is not editable.", + "enable;boolean;Check to enable CRL Number extension.", + "critical;boolean;Set criticality for CRL Number extension.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ca-edit-crlextension-crlnumber", + IExtendedPluginInfo.HELP_TEXT + + ";The CRL number is a non-critical CRL extension " + + "which conveys a monotonically increasing sequence number " + + "for each CRL issued by a CA" + }; + + return params; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, + "CMSCRLNumberExtension - " + msg); + } +} diff --git a/base/common/src/com/netscape/cms/crl/CMSCRLReasonExtension.java b/base/common/src/com/netscape/cms/crl/CMSCRLReasonExtension.java new file mode 100644 index 000000000..6ed993d54 --- /dev/null +++ b/base/common/src/com/netscape/cms/crl/CMSCRLReasonExtension.java 
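Review bot: getConfigParams has an empty body with no explanation, while getCRLExtension takes its value from crlIssuingPoint.getNextCRLNumber() rather than from config, so a reader cannot tell whether the empty method is an omission; add `// No configurable parameters: the number comes from crlIssuingPoint.getNextCRLNumber().` inside getConfigParams. The HELP_TEXT string also ends without a period ("issued by a CA"), unlike the sibling plugins' help text.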
@@ -0,0 +1,96 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.crl; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.CRLReasonExtension; +import netscape.security.x509.Extension; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.RevocationReason; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ca.ICMSCRLExtension; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.logging.ILogger; + +/** + * This represents a CRL reason extension. 
+ * + * @version $Revision$, $Date$ + */ +public class CMSCRLReasonExtension + implements ICMSCRLExtension, IExtendedPluginInfo { + private ILogger mLogger = CMS.getLogger(); + + public CMSCRLReasonExtension() { + } + + public Extension setCRLExtensionCriticality(Extension ext, + boolean critical) { + RevocationReason reason = null; + CRLReasonExtension crlReasonExt = null; + + try { + reason = (RevocationReason) ((CRLReasonExtension) ext).get(CRLReasonExtension.REASON); + crlReasonExt = new CRLReasonExtension(Boolean.valueOf(critical), reason); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_CRL_REASON_EXT", e.toString())); + } + return crlReasonExt; + } + + public Extension getCRLExtension(IConfigStore config, + Object crlIssuingPoint, + boolean critical) { + CRLReasonExtension crlReasonExt = null; + + return crlReasonExt; + } + + public String getCRLExtOID() { + return PKIXExtensions.ReasonCode_Id.toString(); + } + + public void getConfigParams(IConfigStore config, NameValuePairs nvp) { + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + //"type;choice(CRLExtension,CRLEntryExtension);"+ + //"CRL Entry Extension type. This field is not editable.", + "enable;boolean;Check to enable reason code CRL entry extension.", + "critical;boolean;Set criticality for reason code CRL entry extension.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ca-edit-crlextension-crlreason", + IExtendedPluginInfo.HELP_TEXT + + ";The CRL reason code is a non-critical CRL entry extension " + + "that identifies the reason for the certificate revocation." + }; + + return params; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, + "CMSCRLReasonExtension - " + msg); + } +} 
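Review bot: getCRLExtension always returns null — crlReasonExt is assigned null and returned immediately — and neither the method nor the class doc says why, so it reads like an unfinished stub. Presumably the reason code is a CRL entry extension whose value is supplied per revoked certificate elsewhere; if so, replace the body with `return null;` preceded by a comment such as `// Reason code is a CRL entry extension; its value is set per entry, not at CRL level.` (confirm against the caller). The comment should also say that the config and crlIssuingPoint parameters are intentionally unused here.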
diff --git a/base/common/src/com/netscape/cms/crl/CMSCertificateIssuerExtension.java b/base/common/src/com/netscape/cms/crl/CMSCertificateIssuerExtension.java
new file mode 100644
index 000000000..b0bf20856
--- /dev/null
+++ b/base/common/src/com/netscape/cms/crl/CMSCertificateIssuerExtension.java
@@ -0,0 +1,224 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.crl; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.CertificateIssuerExtension; +import netscape.security.x509.Extension; +import netscape.security.x509.GeneralNames; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.URIName; +import netscape.security.x509.X500Name; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.EPropertyNotFound; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ca.ICMSCRLExtension; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.logging.ILogger; + +/** + * This represents a certificate issuer extension. 
+ * + * @version $Revision$, $Date$ + */ +public class CMSCertificateIssuerExtension + implements ICMSCRLExtension, IExtendedPluginInfo { + private ILogger mLogger = CMS.getLogger(); + + public CMSCertificateIssuerExtension() { + } + + public Extension setCRLExtensionCriticality(Extension ext, + boolean critical) { + CertificateIssuerExtension certIssuerExt = null; + GeneralNames names = null; + + try { + names = (GeneralNames) ((CertificateIssuerExtension) ext).get( + CertificateIssuerExtension.CERTIFICATE_ISSUER); + certIssuerExt = new CertificateIssuerExtension(Boolean.valueOf(critical), + names); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_CERT_ISSUER_EXT", e.toString())); + } + return certIssuerExt; + } + + public Extension getCRLExtension(IConfigStore config, + Object ip, + boolean critical) { + CertificateIssuerExtension certIssuerExt = null; + int numNames = 0; + + try { + numNames = config.getInteger("numNames", 0); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_INVALID_NUM_NAMES", e.toString())); + } + if (numNames > 0) { + GeneralNames names = new GeneralNames(); + + for (int i = 0; i < numNames; i++) { + String nameType = null; + + try { + nameType = config.getString("nameType" + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CRL_CREATE_UNDEFINED_TYPE", Integer.toString(i), e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CRL_CREATE_INVALID_TYPE", Integer.toString(i), e.toString())); + } + + if (nameType != null) { + String name = null; + + try { + name = config.getString("name" + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CRL_CREATE_UNDEFINED_TYPE", Integer.toString(i), e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CRL_CREATE_INVALID_TYPE", Integer.toString(i), e.toString())); + } + + if (name != null && 
name.length() > 0) { + if (nameType.equalsIgnoreCase("DirectoryName")) { + try { + X500Name dirName = new X500Name(name); + + names.addElement(dirName); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_INVALID_500NAME", e.toString())); + } + } else if (nameType.equalsIgnoreCase("URI")) { + URIName uriName = new URIName(name); + + names.addElement(uriName); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_INVALID_NAME_TYPE", nameType)); + } + } + } + } + + if (names.size() > 0) { + try { + certIssuerExt = new CertificateIssuerExtension( + Boolean.valueOf(critical), names); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_CERT_ISSUER_EXT", e.toString())); + } + } + } + + return certIssuerExt; + } + + public String getCRLExtOID() { + return PKIXExtensions.CertificateIssuer_Id.toString(); + } + + public void getConfigParams(IConfigStore config, NameValuePairs nvp) { + int numNames = 0; + + try { + numNames = config.getInteger("numNames", 0); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_INVALID_NUM_NAMES", e.toString())); + } + nvp.put("numNames", String.valueOf(numNames)); + + for (int i = 0; i < numNames; i++) { + String nameType = null; + + try { + nameType = config.getString("nameType" + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CRL_CREATE_UNDEFINED_TYPE", Integer.toString(i), e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_INVALID_TYPE", Integer.toString(i), e.toString())); + } + + if (nameType != null && nameType.length() > 0) { + nvp.put("nameType" + i, nameType); + } else { + nvp.put("nameType" + i, ""); + } + + String name = null; + + try { + name = config.getString("name" + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CRL_CREATE_UNDEFINED_TYPE", Integer.toString(i), e.toString())); + } catch 
(EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_INVALID_TYPE", Integer.toString(i), e.toString())); + } + + if (name != null && name.length() > 0) { + nvp.put("name" + i, name); + } else { + nvp.put("name" + i, ""); + } + } + + if (numNames < 3) { + for (int i = numNames; i < 3; i++) { + nvp.put("nameType" + i, ""); + nvp.put("name" + i, ""); + } + } + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + //"type;choice(CRLExtension,CRLEntryExtension);CRL Entry Extension type."+ + //" This field is not editable.", + "enable;boolean;Check to enable Certificate Issuer CRL entry extension.", + "critical;boolean;Set criticality for Certificate Issuer CRL entry extension.", + "numNames;number;Set number of certificate issuer names for the CRL entry.", + "nameType0;choice(DirectoryName,URI);Select Certificate Issuer name type.", + "name0;string;Enter Certificate Issuer name corresponding to the selected name type.", + "nameType1;choice(DirectoryName,URI);Select Certificate Issuer name type.", + "name1;string;Enter Certificate Issuer name corresponding to the selected name type.", + "nameType2;choice(DirectoryName,URI);Select Certificate Issuer name type.", + "name2;string;Enter Certificate Issuer name corresponding to the selected name type.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ca-edit-crlextension-certificateissuer", + IExtendedPluginInfo.HELP_TEXT + + ";This CRL entry extension identifies the certificate issuer" + + " associated with an entry in an indirect CRL." + }; + + return params; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, msg); + } +} diff --git a/base/common/src/com/netscape/cms/crl/CMSDeltaCRLIndicatorExtension.java b/base/common/src/com/netscape/cms/crl/CMSDeltaCRLIndicatorExtension.java new file mode 100644 index 000000000..8672502ab --- /dev/null 
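Review bot: In getCRLExtension and getConfigParams, the catch blocks around `config.getString("name" + i)` log the CRL_CREATE_UNDEFINED_TYPE / CRL_CREATE_INVALID_TYPE messages, which refer to the nameType property, so a missing or malformed name is reported as a type problem; use a name-specific message (placeholder key `CRL_CREATE_UNDEFINED_NAME` — whichever key the message bundle actually defines), as the AIA hunk does with its separate _AL_ keys. The private log helper here also omits the `"CMSCertificateIssuerExtension - "` prefix every sibling plugin prepends, so its entries cannot be attributed to this class in the shared S_CA log; change the last argument to `"CMSCertificateIssuerExtension - " + msg`. The `if (numNames < 3)` guard around the padding loop in getConfigParams is redundant, since the loop already runs zero times when numNames is 3 or more.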
+++ b/base/common/src/com/netscape/cms/crl/CMSDeltaCRLIndicatorExtension.java 
@@ -0,0 +1,108 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.crl; + +import java.io.IOException; +import java.math.BigInteger; +import java.util.Locale; + +import netscape.security.x509.DeltaCRLIndicatorExtension; +import netscape.security.x509.Extension; +import netscape.security.x509.PKIXExtensions; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ca.ICMSCRLExtension; +import com.netscape.certsrv.ca.ICRLIssuingPoint; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.logging.ILogger; + +/** + * This represents a delta CRL indicator extension. 
+ * + * @version $Revision$, $Date$ + */ +public class CMSDeltaCRLIndicatorExtension + implements ICMSCRLExtension, IExtendedPluginInfo { + private ILogger mLogger = CMS.getLogger(); + + public CMSDeltaCRLIndicatorExtension() { + } + + public Extension setCRLExtensionCriticality(Extension ext, + boolean critical) { + BigInteger baseCRLNumber = null; + DeltaCRLIndicatorExtension deltaCRLIndicatorExt = null; + + try { + baseCRLNumber = (BigInteger) + ((DeltaCRLIndicatorExtension) ext).get(DeltaCRLIndicatorExtension.NUMBER); + deltaCRLIndicatorExt = new DeltaCRLIndicatorExtension( + Boolean.valueOf(critical), + baseCRLNumber); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DELTA_CRL_EXT", e.toString())); + } + return deltaCRLIndicatorExt; + } + + public Extension getCRLExtension(IConfigStore config, + Object ip, + boolean critical) { + DeltaCRLIndicatorExtension deltaCRLIndicatorExt = null; + ICRLIssuingPoint crlIssuingPoint = (ICRLIssuingPoint) ip; + + try { + deltaCRLIndicatorExt = new DeltaCRLIndicatorExtension( + Boolean.valueOf(critical), + crlIssuingPoint.getCRLNumber()); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DELTA_CRL_EXT", e.toString())); + } + return deltaCRLIndicatorExt; + } + + public String getCRLExtOID() { + return PKIXExtensions.DeltaCRLIndicator_Id.toString(); + } + + public void getConfigParams(IConfigStore config, NameValuePairs nvp) { + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + //"type;choice(CRLExtension,CRLEntryExtension);"+ + //"CRL Extension type. 
This field is not editable.", + "enable;boolean;Check to enable Delta CRL Indicator extension.", + "critical;boolean;Set criticality for Delta CRL Indicator extension.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ca-edit-crlextension-crlnumber", + IExtendedPluginInfo.HELP_TEXT + + ";The Delta CRL Indicator is a critical CRL extension " + + "which identifies a delta-CRL." + }; + + return params; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, + "CMSDeltaCRLIndicatorExtension - " + msg); + } +} diff --git a/base/common/src/com/netscape/cms/crl/CMSFreshestCRLExtension.java b/base/common/src/com/netscape/cms/crl/CMSFreshestCRLExtension.java new file mode 100644 index 000000000..72dbe5502 --- /dev/null +++ b/base/common/src/com/netscape/cms/crl/CMSFreshestCRLExtension.java 
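Review bot: The help token in getExtendedPluginInfo points at the CRL Number page, `";configuration-ca-edit-crlextension-crlnumber"`, although this class configures the Delta CRL Indicator extension; the HELP_TEXT entry next to it is correct, so the token looks copied from the CRL Number plugin and should name the delta-CRL help page (the exact token is not visible here). Both setCRLExtensionCriticality and getCRLExtension return null after logging an IOException, and whether the caller tolerates a null Extension is not visible in this hunk, so a comment on the return such as `// null on failure: caller is expected to skip the extension` would make that contract explicit. The cast `(DeltaCRLIndicatorExtension) ext` in setCRLExtensionCriticality is unguarded, so an Extension of another type escapes as a ClassCastException rather than taking the logged-failure path.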
@@ -0,0 +1,232 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.crl; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.CRLDistributionPoint; +import netscape.security.x509.Extension; +import netscape.security.x509.FreshestCRLExtension; +import netscape.security.x509.GeneralNames; +import netscape.security.x509.GeneralNamesException; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.URIName; +import netscape.security.x509.X500Name; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.EPropertyNotFound; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ca.ICMSCRLExtension; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.logging.ILogger; + +/** + * This represents a freshest CRL extension. 
+ * + * @version $Revision$, $Date$ + */ +public class CMSFreshestCRLExtension + implements ICMSCRLExtension, IExtendedPluginInfo { + public static final String PROP_NUM_POINTS = "numPoints"; + public static final String PROP_POINTTYPE = "pointType"; + public static final String PROP_POINTNAME = "pointName"; + public static final String PROP_DIRNAME = "DirectoryName"; + public static final String PROP_URINAME = "URI"; + + private ILogger mLogger = CMS.getLogger(); + + public CMSFreshestCRLExtension() { + } + + public Extension setCRLExtensionCriticality(Extension ext, + boolean critical) { + FreshestCRLExtension freshestCRLExt = (FreshestCRLExtension) ext; + + freshestCRLExt.setCritical(critical); + + return freshestCRLExt; + } + + public Extension getCRLExtension(IConfigStore config, Object ip, + boolean critical) { + FreshestCRLExtension freshestCRLExt = null; + + int numPoints = 0; + + try { + numPoints = config.getInteger("numPoints", 0); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_ISSUER_INVALID_NUM_NAMES", e.toString())); + } + + if (numPoints > 0) { + + for (int i = 0; i < numPoints; i++) { + CRLDistributionPoint crlDP = new CRLDistributionPoint(); + GeneralNames names = new GeneralNames(); + String pointType = null; + + try { + pointType = config.getString(PROP_POINTTYPE + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_UNDEFINED", e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_INVALID", e.toString())); + } + + if (pointType != null) { + String pointName = null; + + try { + pointName = config.getString(PROP_POINTNAME + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_UNDEFINED", e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_INVALID", e.toString())); + } + + if (pointName 
!= null && pointName.length() > 0) { + if (pointType.equalsIgnoreCase(PROP_DIRNAME)) { + try { + X500Name dirName = new X500Name(pointName); + + names.addElement(dirName); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_INVALID_500NAME", e.toString())); + } + } else if (pointType.equalsIgnoreCase(PROP_URINAME)) { + URIName uriName = new URIName(pointName); + + names.addElement(uriName); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_INVALID_POTINT_TYPE", pointType)); + } + } + } + + if (names.size() > 0) { + try { + crlDP.setFullName(names); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CANNOT_SET_NAME", e.toString())); + } catch (GeneralNamesException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CANNOT_SET_NAME", e.toString())); + } + } + + if (i > 0) { + freshestCRLExt.addPoint(crlDP); + } else { + freshestCRLExt = new FreshestCRLExtension(crlDP); + } + } + } + + return freshestCRLExt; + } + + public String getCRLExtOID() { + return PKIXExtensions.FreshestCRL_Id.toString(); + } + + public void getConfigParams(IConfigStore config, NameValuePairs nvp) { + + int numPoints = 0; + + try { + numPoints = config.getInteger(PROP_NUM_POINTS, 0); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, "Invalid numPoints property for CRL " + + "Freshest CRL extension - " + e); + } + nvp.put(PROP_NUM_POINTS, String.valueOf(numPoints)); + + for (int i = 0; i < numPoints; i++) { + String pointType = null; + + try { + pointType = config.getString(PROP_POINTTYPE + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_UNDEFINED", e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_INVALID", e.toString())); + } + + if (pointType != null && pointType.length() > 0) { + nvp.put(PROP_POINTTYPE + i, pointType); + } else { + nvp.put(PROP_POINTTYPE + i, ""); + } + + String pointName = 
null; + + try { + pointName = config.getString(PROP_POINTNAME + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_UNDEFINED", e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_INVALID", e.toString())); + } + + if (pointName != null && pointName.length() > 0) { + nvp.put(PROP_POINTNAME + i, pointName); + } else { + nvp.put(PROP_POINTNAME + i, ""); + } + } + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + "enable;boolean;Check to enable Freshest CRL extension.", + "critical;boolean;Set criticality for Freshest CRL extension.", + PROP_NUM_POINTS + ";number;Set number of CRL distribution points.", + PROP_POINTTYPE + "0;choice(" + PROP_DIRNAME + "," + PROP_URINAME + + ");Select CRL distribution point name type.", + PROP_POINTNAME + "0;string;Enter CRL distribution point name " + + "corresponding to the selected point type.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ca-edit-crlextension-issuingdistributionpoint", + PROP_POINTTYPE + "1;choice(" + PROP_DIRNAME + "," + PROP_URINAME + + ");Select CRL distribution point name type.", + PROP_POINTNAME + "1;string;Enter CRL distribution point name " + + "corresponding to the selected point type.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ca-edit-crlextension-issuingdistributionpoint", + PROP_POINTTYPE + "2;choice(" + PROP_DIRNAME + "," + PROP_URINAME + + ");Select CRL distribution point name type.", + PROP_POINTNAME + "2;string;Enter CRL distribution point name " + + "corresponding to the selected point type.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ca-edit-crlextension-issuingdistributionpoint", + IExtendedPluginInfo.HELP_TEXT + + ";The Freshest CRL is a non critical CRL extension " + + "that identifies the delta CRL distribution points for a particular CRL." 
+ }; + + return params; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, + "CMSFreshestCRLExtension - " + msg); + } +} diff --git a/base/common/src/com/netscape/cms/crl/CMSHoldInstructionExtension.java b/base/common/src/com/netscape/cms/crl/CMSHoldInstructionExtension.java new file mode 100644 index 000000000..4023e3b2f --- /dev/null +++ b/base/common/src/com/netscape/cms/crl/CMSHoldInstructionExtension.java 
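Review bot: In getCRLExtension the CRLDistributionPoint is added (`addPoint(crlDP)` / `new FreshestCRLExtension(crlDP)`) even when no valid name was parsed, because `setFullName` is only called when `names.size() > 0` but the add is unconditional; a misconfigured pointType/pointName therefore produces a distribution point with no name set rather than being dropped. Wrapping the add in `if (names.size() > 0) { ... } else { log(...); }` would keep such points out of the extension. The same method reads the count through the literal `"numPoints"` while getConfigParams uses PROP_NUM_POINTS, and it logs that failure under the issuer-alternative-name key `CRL_CREATE_ISSUER_INVALID_NUM_NAMES`. In getExtendedPluginInfo, `IExtendedPluginInfo.HELP_TOKEN` appears three times, interleaved between the point entries, and each points at `configuration-ca-edit-crlextension-issuingdistributionpoint` rather than a Freshest CRL page; one HELP_TOKEN entry with the correct page is expected.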
@@ -0,0 +1,153 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.crl; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.Extension; +import netscape.security.x509.HoldInstructionExtension; +import netscape.security.x509.PKIXExtensions; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.EPropertyNotFound; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ca.ICMSCRLExtension; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.logging.ILogger; + +/** + * This represents a hold instruction extension. 
+ * + * @version $Revision$, $Date$ + */ +public class CMSHoldInstructionExtension + implements ICMSCRLExtension, IExtendedPluginInfo { + public static final String PROP_INSTR = "instruction"; + public static final String PROP_INSTR_NONE = "none"; + public static final String PROP_INSTR_CALLISSUER = "callissuer"; + public static final String PROP_INSTR_REJECT = "reject"; + + private ILogger mLogger = CMS.getLogger(); + + public CMSHoldInstructionExtension() { + } + + public Extension setCRLExtensionCriticality(Extension ext, + boolean critical) { + HoldInstructionExtension holdInstrExt = null; + + try { + ObjectIdentifier holdInstr = + ((HoldInstructionExtension) ext).getHoldInstructionCode(); + + holdInstrExt = new HoldInstructionExtension(Boolean.valueOf(critical), + holdInstr); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_HOLD_INSTR_EXT", e.toString())); + } + return holdInstrExt; + } + + public Extension getCRLExtension(IConfigStore config, + Object ip, + boolean critical) { + HoldInstructionExtension holdInstrExt = null; + String instruction = null; + + try { + instruction = config.getString(PROP_INSTR); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_HOLD_UNDEFINED", e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_HOLD_INVALID", e.toString())); + } + + ObjectIdentifier holdInstr = HoldInstructionExtension.NONE_HOLD_INSTR_OID; + + if (instruction != null) { + if (instruction.equalsIgnoreCase(PROP_INSTR_CALLISSUER)) { + holdInstr = HoldInstructionExtension.CALL_ISSUER_HOLD_INSTR_OID; + } else if (instruction.equalsIgnoreCase(PROP_INSTR_REJECT)) { + holdInstr = HoldInstructionExtension.REJECT_HOLD_INSTR_OID; + } + } + try { + holdInstrExt = new HoldInstructionExtension(Boolean.valueOf(critical), + holdInstr); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_HOLD_INSTR_EXT", e.toString())); + } 
+ + return holdInstrExt; + } + + public String getCRLExtOID() { + return PKIXExtensions.HoldInstructionCode_Id.toString(); + } + + public void getConfigParams(IConfigStore config, NameValuePairs nvp) { + String instruction = null; + + try { + instruction = config.getString(PROP_INSTR); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_HOLD_UNDEFINED", e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_HOLD_INVALID", e.toString())); + } + if (instruction != null) { + if (!(instruction.equalsIgnoreCase(PROP_INSTR_NONE) || + instruction.equalsIgnoreCase(PROP_INSTR_CALLISSUER) || + instruction.equalsIgnoreCase(PROP_INSTR_REJECT))) { + instruction = PROP_INSTR_NONE; + } + } else { + instruction = PROP_INSTR_NONE; + } + nvp.put(PROP_INSTR, instruction); + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + //"type;choice(CRLExtension,CRLEntryExtension);"+ + //"CRL Entry Extension type. This field is not editable.", + "enable;boolean;Check to enable Hold Instruction CRL entry extension.", + "critical;boolean;Set criticality for Hold Instruction CRL entry extension.", + PROP_INSTR + ";choice(" + PROP_INSTR_NONE + "," + PROP_INSTR_CALLISSUER + "," + + PROP_INSTR_REJECT + ");Select hold instruction code.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ca-edit-crlextension-holdinstruction", + IExtendedPluginInfo.HELP_TEXT + + ";The hold instruction code is a non-critical CRL entry " + + "extension that provides a registered instruction identifier " + + "which indicates the action to be taken after encountering " + + "a certificate that has been placed on hold." + }; + + return params; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, + "CMSHoldInstructionExtension - " + msg); + } +} 
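Review bot: In getCRLExtension an `instruction` value that is neither `callissuer` nor `reject` silently maps to `NONE_HOLD_INSTR_OID`, so a typo in the configured value changes which hold instruction is placed in the CRL entry without any log entry; getConfigParams applies the same silent fallback to `none`. Adding a final `else` branch that logs the unrecognized value — reusing the existing `CRL_CREATE_HOLD_INVALID` key if its format accepts a plain string, otherwise a literal message like `"Unrecognized hold instruction '" + instruction + "', defaulting to none"` — would make the misconfiguration visible in the CA log. The unguarded cast `(HoldInstructionExtension) ext` in setCRLExtensionCriticality likewise bypasses the logged IOException path on a wrong extension type.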
diff --git a/base/common/src/com/netscape/cms/crl/CMSInvalidityDateExtension.java b/base/common/src/com/netscape/cms/crl/CMSInvalidityDateExtension.java new file mode 100644 index 000000000..083873c31 --- /dev/null +++ b/base/common/src/com/netscape/cms/crl/CMSInvalidityDateExtension.java 
@@ -0,0 +1,99 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.crl; + +import java.io.IOException; +import java.util.Date; +import java.util.Locale; + +import netscape.security.x509.Extension; +import netscape.security.x509.InvalidityDateExtension; +import netscape.security.x509.PKIXExtensions; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ca.ICMSCRLExtension; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.logging.ILogger; + +/** + * This represents a invalidity date extension. 
+ * + * @version $Revision$, $Date$ + */ +public class CMSInvalidityDateExtension + implements ICMSCRLExtension, IExtendedPluginInfo { + private ILogger mLogger = CMS.getLogger(); + + public CMSInvalidityDateExtension() { + } + + public Extension setCRLExtensionCriticality(Extension ext, + boolean critical) { + InvalidityDateExtension invalidityDateExt = null; + + try { + Date invalidityDate = ((InvalidityDateExtension) ext).getInvalidityDate(); + + invalidityDateExt = new InvalidityDateExtension(Boolean.valueOf(critical), + invalidityDate); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_INVALIDITY_DATE_EXT", e.toString())); + } + return invalidityDateExt; + } + + public Extension getCRLExtension(IConfigStore config, + Object crlIssuingPoint, + boolean critical) { + InvalidityDateExtension invalidityDateExt = null; + + return invalidityDateExt; + } + + public String getCRLExtOID() { + return PKIXExtensions.InvalidityDate_Id.toString(); + } + + public void getConfigParams(IConfigStore config, NameValuePairs nvp) { + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + //"type;choice(CRLExtension,CRLEntryExtension);"+ + //"CRL Entry Extension type. This field is not editable.", + "enable;boolean;Check to enable Invalidity Date CRL entry extension.", + "critical;boolean;Set criticality for Invalidity Date CRL entry extension.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ca-edit-crlextension-invaliditydate", + IExtendedPluginInfo.HELP_TEXT + + ";The invalidity date is a non-critical CRL entry extension " + + "that provides the date on which it is known or suspected " + + "that the private key was compromised or that the certificate" + + " otherwise became invalid." + }; + + return params; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, + "CMSInvalidityDateExtension - " + msg); + } +} 
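Review bot: getCRLExtension assigns `InvalidityDateExtension invalidityDateExt = null;` and immediately returns it, with nothing explaining why this plugin never builds the extension from config; it reads like an unfinished method. If the invalidity date is meant to be supplied per revoked entry rather than from the issuing point, a comment such as `// No CRL-level value: the invalidity date is attached per entry at revocation time, so nothing is built here.` would record that intent. The cast `(InvalidityDateExtension) ext` in setCRLExtensionCriticality is unguarded, so a wrong extension type escapes as an uncaught ClassCastException instead of the logged IOException path. The class Javadoc reads `a invalidity date extension` and should read `an invalidity date extension`.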
diff --git a/base/common/src/com/netscape/cms/crl/CMSIssuerAlternativeNameExtension.java b/base/common/src/com/netscape/cms/crl/CMSIssuerAlternativeNameExtension.java new file mode 100644 index 000000000..64252a0b9 --- /dev/null +++ b/base/common/src/com/netscape/cms/crl/CMSIssuerAlternativeNameExtension.java 
@@ -0,0 +1,284 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.crl; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.util.Locale; + +import netscape.security.util.DerValue; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.DNSName; +import netscape.security.x509.EDIPartyName; +import netscape.security.x509.Extension; +import netscape.security.x509.GeneralName; +import netscape.security.x509.GeneralNames; +import netscape.security.x509.IPAddressName; +import netscape.security.x509.IssuerAlternativeNameExtension; +import netscape.security.x509.OIDName; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.RFC822Name; +import netscape.security.x509.URIName; +import netscape.security.x509.X500Name; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.EPropertyNotFound; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ca.ICMSCRLExtension; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.logging.ILogger; +import 
com.netscape.cmsutil.util.Utils; + +/** + * This represents a issuer alternative name extension. + * + * @version $Revision$, $Date$ + */ +public class CMSIssuerAlternativeNameExtension + implements ICMSCRLExtension, IExtendedPluginInfo { + private static final String PROP_RFC822_NAME = "rfc822Name"; + private static final String PROP_DNS_NAME = "dNSName"; + private static final String PROP_DIR_NAME = "directoryName"; + private static final String PROP_EDI_NAME = "ediPartyName"; + private static final String PROP_URI_NAME = "URI"; + private static final String PROP_IP_NAME = "iPAddress"; + private static final String PROP_OID_NAME = "OID"; + private static final String PROP_OTHER_NAME = "otherName"; + + private ILogger mLogger = CMS.getLogger(); + + public CMSIssuerAlternativeNameExtension() { + } + + public Extension setCRLExtensionCriticality(Extension ext, + boolean critical) { + IssuerAlternativeNameExtension issuerAltNameExt = null; + GeneralNames names = null; + + try { + names = (GeneralNames) ((IssuerAlternativeNameExtension) ext) + .get(IssuerAlternativeNameExtension.ISSUER_NAME); + issuerAltNameExt = new IssuerAlternativeNameExtension(Boolean.valueOf(critical), names); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_ISSUER_ALT_NAME_EXT", e.toString())); + } + return issuerAltNameExt; + } + + public Extension getCRLExtension(IConfigStore config, + Object ip, + boolean critical) { + IssuerAlternativeNameExtension issuerAltNameExt = null; + int numNames = 0; + + try { + numNames = config.getInteger("numNames", 0); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_ISSUER_INVALID_NUM_NAMES", e.toString())); + } + if (numNames > 0) { + GeneralNames names = new GeneralNames(); + + for (int i = 0; i < numNames; i++) { + String nameType = null; + + try { + nameType = config.getString("nameType" + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, + 
CMS.getLogMessage("CRL_CREATE_ISSUER_UNDEFINED_TYPE", Integer.toString(i), e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CRL_CREATE_ISSUER_INVALID_TYPE", Integer.toString(i), e.toString())); + } + + if (nameType != null && nameType.length() > 0) { + String name = null; + + try { + name = config.getString("name" + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_ISSUER_UNDEFINED_TYPE", + Integer.toString(i), e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CRL_CREATE_ISSUER_INVALID_TYPE", Integer.toString(i), e.toString())); + } + + if (name != null && name.length() > 0) { + if (nameType.equalsIgnoreCase(PROP_DIR_NAME)) { + try { + X500Name dirName = new X500Name(name); + + names.addElement(dirName); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_INVALID_500NAME", e.toString())); + } + } else if (nameType.equalsIgnoreCase(PROP_RFC822_NAME)) { + RFC822Name rfc822Name = new RFC822Name(name); + + names.addElement(rfc822Name); + } else if (nameType.equalsIgnoreCase(PROP_DNS_NAME)) { + DNSName dnsName = new DNSName(name); + + names.addElement(dnsName); + } else if (nameType.equalsIgnoreCase(PROP_EDI_NAME)) { + EDIPartyName ediName = new EDIPartyName(name); + + names.addElement(ediName); + } else if (nameType.equalsIgnoreCase(PROP_URI_NAME)) { + URIName uriName = new URIName(name); + + names.addElement(uriName); + } else if (nameType.equalsIgnoreCase(PROP_IP_NAME)) { + IPAddressName ipName = new IPAddressName(name); + + names.addElement(ipName); + } else if (nameType.equalsIgnoreCase(PROP_OID_NAME)) { + ObjectIdentifier oid = new ObjectIdentifier(name); + OIDName oidNmae = new OIDName(oid); + + names.addElement(oidNmae); + } else if (nameType.equalsIgnoreCase(PROP_OTHER_NAME)) { + + try { + byte[] val = Utils.base64decode(name); + DerValue derVal = new DerValue(new ByteArrayInputStream(val)); + 
GeneralName generalName = new GeneralName(derVal); + + names.addElement(generalName); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_INVALID_OTHER_NAME", e.toString())); + } + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_ISSUER_INVALID_TYPE", nameType, "")); + } + } + } + } + + if (names.size() > 0) { + try { + issuerAltNameExt = new IssuerAlternativeNameExtension( + Boolean.valueOf(critical), names); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_ISSUER_ALT_NAME_EXT", e.toString())); + } + } + } + + return issuerAltNameExt; + } + + public String getCRLExtOID() { + return PKIXExtensions.IssuerAlternativeName_Id.toString(); + } + + public void getConfigParams(IConfigStore config, NameValuePairs nvp) { + int numNames = 0; + + try { + numNames = config.getInteger("numNames", 0); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, "Invalid numNames property for CRL " + + "IssuerAlternativeName extension - " + e); + } + nvp.put("numNames", String.valueOf(numNames)); + + for (int i = 0; i < numNames; i++) { + String nameType = null; + + try { + nameType = config.getString("nameType" + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, "Undefined nameType" + i + " property for " + + "CRL IssuerAlternativeName extension - " + e); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, "Invalid nameType" + i + " property for " + + "CRL IssuerAlternativeName extension - " + e); + } + + if (nameType != null && nameType.length() > 0) { + nvp.put("nameType" + i, nameType); + } else { + nvp.put("nameType" + i, ""); + } + + String name = null; + + try { + name = config.getString("name" + i); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, "Undefined name" + i + " property for " + + "CRL IssuerAlternativeName extension - " + e); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, "Invalid name" + i + " property for " + + "CRL IssuerAlternativeName extension - 
" + e); + } + + if (name != null && name.length() > 0) { + nvp.put("name" + i, name); + } else { + nvp.put("name" + i, ""); + } + } + + if (numNames < 3) { + for (int i = numNames; i < 3; i++) { + nvp.put("nameType" + i, ""); + nvp.put("name" + i, ""); + } + } + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + //"type;choice(CRLExtension,CRLEntryExtension);"+ + //"CRL Extension type. This field is not editable.", + "enable;boolean;Check to enable Issuer Alternative Name CRL extension.", + "critical;boolean;Set criticality for Issuer Alternative Name CRL extension.", + "numNames;number;Set number of alternative names for the CRL issuer.", + "nameType0;choice(" + PROP_RFC822_NAME + "," + PROP_DIR_NAME + "," + PROP_DNS_NAME + "," + + PROP_EDI_NAME + "," + PROP_URI_NAME + "," + PROP_IP_NAME + "," + PROP_OID_NAME + "," + + PROP_OTHER_NAME + ");Select Issuer Alternative Name type.", + "name0;string;Enter Issuer Alternative Name corresponding to the selected name type.", + "nameType1;choice(" + PROP_RFC822_NAME + "," + PROP_DIR_NAME + "," + PROP_DNS_NAME + "," + + PROP_EDI_NAME + "," + PROP_URI_NAME + "," + PROP_IP_NAME + "," + PROP_OID_NAME + "," + + PROP_OTHER_NAME + ");Select Issuer Alternative Name type.", + "name1;string;Enter Issuer Alternative Name corresponding to the selected name type.", + "nameType2;choice(" + PROP_RFC822_NAME + "," + PROP_DIR_NAME + "," + PROP_DNS_NAME + "," + + PROP_EDI_NAME + "," + PROP_URI_NAME + "," + PROP_IP_NAME + "," + PROP_OID_NAME + "," + + PROP_OTHER_NAME + ");Select Issuer Alternative Name type.", + "name2;string;Enter Issuer Alternative Name corresponding to the selected name type.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ca-edit-crlextension-issueralternativename", + IExtendedPluginInfo.HELP_TEXT + + ";The issuer alternative names extension allows additional" + + " identities to be associated with the issuer of the CRL." 
+ }; + + return params; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, + "CMSIssuerAlternativeNameExtension - " + msg); + } +} diff --git a/base/common/src/com/netscape/cms/crl/CMSIssuingDistributionPointExtension.java b/base/common/src/com/netscape/cms/crl/CMSIssuingDistributionPointExtension.java new file mode 100644 index 000000000..4253584ce --- /dev/null +++ b/base/common/src/com/netscape/cms/crl/CMSIssuingDistributionPointExtension.java 
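Review bot: getCRLExtension and getConfigParams build configuration keys from the bare literals `"numNames"`, `"nameType"` and `"name"` throughout, whereas the sibling plugins in this commit (for example CMSFreshestCRLExtension with PROP_NUM_POINTS and PROP_POINTTYPE) define PROP_* constants for their keys; adding `private static final String PROP_NUM_NAMES = "numNames";` with matching PROP_NAME_TYPE and PROP_NAME constants would keep the keys in one place. The local `oidNmae` in the OID branch is a typo for `oidName`. In the `otherName` branch only IOException is caught around `Utils.base64decode` and `new DerValue(...)`, and the OID and iPAddress branches have no handler at all, so a malformed configured value may surface as an unchecked exception out of getCRLExtension instead of the logged failure used for the other name types — worth confirming against those constructors' contracts. The final `else` logs `CRL_CREATE_ISSUER_INVALID_TYPE` with `(nameType, "")`, while every other use of that key passes the index and an exception string, so the rendered message is likely misleading.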
@@ -0,0 +1,332 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.crl;
+
+import java.io.IOException;
+import java.util.Locale;
+import java.util.StringTokenizer;
+
+import netscape.security.util.BitArray;
+import netscape.security.x509.Extension;
+import netscape.security.x509.GeneralNames;
+import netscape.security.x509.GeneralNamesException;
+import netscape.security.x509.IssuingDistributionPoint;
+import netscape.security.x509.IssuingDistributionPointExtension;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.RDN;
+import netscape.security.x509.URIName;
+import netscape.security.x509.X500Name;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.EPropertyNotFound;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.ca.ICMSCRLExtension;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.logging.ILogger;
+
+/**
+ * This represents a issuing distribution point extension.
+ * + * @version $Revision$, $Date$ + */ +public class CMSIssuingDistributionPointExtension + implements ICMSCRLExtension, IExtendedPluginInfo { + public static final String PROP_POINTTYPE = "pointType"; + public static final String PROP_POINTNAME = "pointName"; + public static final String PROP_DIRNAME = "DirectoryName"; + public static final String PROP_URINAME = "URI"; + public static final String PROP_RDNNAME = "RelativeToIssuer"; + public static final String PROP_CACERTS = "onlyContainsCACerts"; + public static final String PROP_USERCERTS = "onlyContainsUserCerts"; + public static final String PROP_INDIRECT = "indirectCRL"; + public static final String PROP_REASONS = "onlySomeReasons"; + + private static final String[] reasonFlags = { "unused", + "keyCompromise", + "cACompromise", + "affiliationChanged", + "superseded", + "cessationOfOperation", + "certificateHold", + "privilegeWithdrawn" }; + + private ILogger mLogger = CMS.getLogger(); + + public CMSIssuingDistributionPointExtension() { + } + + public Extension setCRLExtensionCriticality(Extension ext, + boolean critical) { + IssuingDistributionPointExtension issuingDPointExt = + (IssuingDistributionPointExtension) ext; + + issuingDPointExt.setCritical(critical); + + return issuingDPointExt; + } + + public Extension getCRLExtension(IConfigStore config, + Object ip, + boolean critical) { + + CMS.debug("in CMSIssuingDistributionPointExtension::getCRLExtension."); + IssuingDistributionPointExtension issuingDPointExt = null; + IssuingDistributionPoint issuingDPoint = new IssuingDistributionPoint(); + + GeneralNames names = new GeneralNames(); + RDN rdnName = null; + + String pointType = null; + + try { + pointType = config.getString(PROP_POINTTYPE); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_UNDEFINED", e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_INVALID", e.toString())); + } + + if 
(pointType != null) { + String pointName = null; + + try { + pointName = config.getString(PROP_POINTNAME); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_UNDEFINED", e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_INVALID", e.toString())); + } + + if (pointName != null && pointName.length() > 0) { + if (pointType.equalsIgnoreCase(PROP_RDNNAME)) { + try { + rdnName = new RDN(pointName); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_RDN", e.toString())); + } + } else if (pointType.equalsIgnoreCase(PROP_DIRNAME)) { + try { + X500Name dirName = new X500Name(pointName); + + names.addElement(dirName); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_INVALID_500NAME", e.toString())); + } + } else if (pointType.equalsIgnoreCase(PROP_URINAME)) { + URIName uriName = new URIName(pointName); + + names.addElement(uriName); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_INVALID_POTINT_TYPE", pointType)); + } + } + } + + if (rdnName != null) { + issuingDPoint.setRelativeName(rdnName); + } else if (names.size() > 0) { + try { + issuingDPoint.setFullName(names); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CANNOT_SET_NAME", e.toString())); + } catch (GeneralNamesException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CANNOT_SET_NAME", e.toString())); + } + } + + String reasons = null; + + try { + reasons = config.getString(PROP_REASONS, null); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_INVALID_PROPERTY", PROP_REASONS, e.toString())); + } + if (reasons != null && reasons.length() > 0) { + + boolean[] bits = { false, false, false, false, false, false, false }; + int k = 0; + StringTokenizer st = new StringTokenizer(reasons, ","); + + while (st.hasMoreTokens()) { + String bitName = st.nextToken(); + + for 
(int i = 1; i < reasonFlags.length; i++) { + if (bitName.equalsIgnoreCase(reasonFlags[i])) { + bits[i] = true; + k++; + break; + } + } + } + if (k > 0) { + BitArray ba = new BitArray(bits); + + issuingDPoint.setOnlySomeReasons(ba); + } + + } + + try { + boolean caCertsOnly = config.getBoolean(PROP_CACERTS, false); + + if (caCertsOnly) + issuingDPoint.setOnlyContainsCACerts(caCertsOnly); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_INVALID_PROPERTY", "caCertsOnly", e.toString())); + } + try { + boolean userCertsOnly = config.getBoolean(PROP_USERCERTS, false); + + if (userCertsOnly) + issuingDPoint.setOnlyContainsUserCerts(userCertsOnly); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_INVALID_PROPERTY", "userCertsOnly", e.toString())); + } + try { + boolean indirectCRL = config.getBoolean(PROP_INDIRECT, false); + + if (indirectCRL) + issuingDPoint.setIndirectCRL(indirectCRL); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_INVALID_PROPERTY", "indirectCRL", e.toString())); + } + + issuingDPointExt = new IssuingDistributionPointExtension(issuingDPoint); + issuingDPointExt.setCritical(critical); + + return issuingDPointExt; + } + + public String getCRLExtOID() { + return PKIXExtensions.IssuingDistributionPoint_Id.toString(); + } + + public void getConfigParams(IConfigStore config, NameValuePairs nvp) { + String pointType = null; + + try { + pointType = config.getString(PROP_POINTTYPE); + } catch (EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_UNDEFINED", e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_INVALID", e.toString())); + } + if (pointType != null && pointType.length() > 0) { + nvp.put("pointType", pointType); + } else { + nvp.put("pointType", ""); + } + + String pointName = null; + + try { + pointName = config.getString(PROP_POINTNAME); + } catch 
(EPropertyNotFound e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_UNDEFINED", e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_CREATE_DIST_POINT_INVALID", e.toString())); + } + if (pointName != null && pointName.length() > 0) { + nvp.put("pointName", pointName); + } else { + nvp.put("pointName", ""); + } + + String reasons = null; + + try { + reasons = config.getString(PROP_REASONS, null); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_INVALID_PROPERTY", PROP_REASONS, e.toString())); + } + if (reasons != null && reasons.length() > 0) { + nvp.put(PROP_REASONS, reasons); + } else { + nvp.put(PROP_REASONS, ""); + } + + try { + boolean caCertsOnly = config.getBoolean(PROP_CACERTS, false); + + nvp.put(PROP_CACERTS, String.valueOf(caCertsOnly)); + } catch (EBaseException e) { + nvp.put(PROP_CACERTS, "false"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_INVALID_PROPERTY", "caCertsOnly", e.toString())); + } + // Disable these for now unitl we support them fully + /* + try { + boolean userCertsOnly = config.getBoolean(PROP_USERCERTS, false); + + nvp.add(PROP_USERCERTS, String.valueOf(userCertsOnly)); + } catch (EBaseException e) { + nvp.add(PROP_USERCERTS, "false"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_INVALID_PROPERTY", "userCertsOnly", e.toString())); + } + + try { + boolean indirectCRL = config.getBoolean(PROP_INDIRECT, false); + + nvp.add(PROP_INDIRECT, String.valueOf(indirectCRL)); + } catch (EBaseException e) { + nvp.add(PROP_INDIRECT, "false"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CRL_INVALID_PROPERTY", "indirectCRL", e.toString())); + } + */ + } + + public String[] getExtendedPluginInfo(Locale locale) { + StringBuffer sb_reasons = new StringBuffer(); + sb_reasons.append(reasonFlags[1]); + + for (int i = 2; i < reasonFlags.length; i++) { + sb_reasons.append(", "); + sb_reasons.append(reasonFlags[i]); + } + String[] params = { + 
//"type;choice(CRLExtension,CRLEntryExtension);"+ + //"CRL Extension type. This field is not editable.", + "enable;boolean;Check to enable Issuing Distribution Point CRL extension.", + "critical;boolean;Set criticality for Issuing Distribution Point CRL extension.", + PROP_POINTTYPE + ";choice(" + PROP_DIRNAME + "," + PROP_URINAME + "," + + PROP_RDNNAME + ");Select Issuing Distribution Point name type.", + PROP_POINTNAME + ";string;Enter Issuing Distribution Point name " + + "corresponding to the selected point type.", + PROP_REASONS + ";string;Select any combination of the following reasons: " + + sb_reasons.toString(), + PROP_CACERTS + ";boolean;Check if CRL contains CA certificates only", + // Remove these from the UI until they can be supported fully. + // PROP_USERCERTS + ";boolean;Check if CRL contains user certificates only", + // PROP_INDIRECT + ";boolean;Check if CRL is built indirectly.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ca-edit-crlextension-issuingdistributionpoint", + IExtendedPluginInfo.HELP_TEXT + + ";The issuing distribution point is a critical CRL extension " + + "that identifies the CRL distribution point for a particular CRL." + }; + + return params; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, + "CMSIssuingDistributionPointExtension - " + msg); + } +} diff --git a/base/common/src/com/netscape/cms/evaluators/GroupAccessEvaluator.java b/base/common/src/com/netscape/cms/evaluators/GroupAccessEvaluator.java new file mode 100644 index 000000000..530ca9447 --- /dev/null +++ b/base/common/src/com/netscape/cms/evaluators/GroupAccessEvaluator.java 
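Review bot: The `bits` array in getCRLExtension has seven elements while `reasonFlags` has eight, so a reasons list containing `privilegeWithdrawn` (index 7) throws ArrayIndexOutOfBoundsException out of the reason loop and the extension is never built for that CRL. Size it from the flag table, `boolean[] bits = new boolean[reasonFlags.length];`, so the two cannot drift apart again. Separately, every configuration failure in getCRLExtension is only logged and the extension is still emitted with whatever was parsed (a bad point name yields an issuing distribution point with no name at all); a comment such as `// config errors are logged, not fatal: the IDP is still emitted, possibly without a distribution point name` above the first try block would make that behaviour visible to operators reading the code.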
@@ -0,0 +1,183 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.evaluators;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.evaluators.IAccessEvaluator;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
+import com.netscape.certsrv.usrgrp.IUser;
+import com.netscape.cmsutil.util.Utils;
+
+/**
+ * A class represents a group acls evaluator.
+ *

+ * + * @version $Revision$, $Date$ + */ +public class GroupAccessEvaluator implements IAccessEvaluator { + private String mType = "group"; + private IUGSubsystem mUG = null; + private String mDescription = "group membership evaluator"; + private ILogger mLogger = CMS.getLogger(); + + /** + * Class constructor. + */ + public GroupAccessEvaluator() { + + mUG = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); + + if (mUG == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("EVALUTOR_UG_NULL")); + } + } + + /** + * initialization. nothing for now. + */ + public void init() { + CMS.debug("GroupAccessEvaluator: init"); + } + + /** + * gets the type name for this acl evaluator + * + * @return type for this acl evaluator: "group" or "at_group" + */ + public String getType() { + return mType; + } + + /** + * gets the description for this acl evaluator + * + * @return description for this acl evaluator + */ + public String getDescription() { + return mDescription; + } + + public String[] getSupportedOperators() { + String[] s = new String[2]; + + s[0] = "="; + s[1] = "!="; + return s; + } + + /** + * evaluates uid in AuthToken to see if it has membership in + * group value + * + * @param authToken authentication token + * @param type must be "at_group" + * @param op must be "=" + * @param value the group name + * @return true if AuthToken uid belongs to the group value, + * false otherwise + */ + public boolean evaluate(IAuthToken authToken, String type, String op, String value) { + + if (type.equals(mType)) { + // should define "uid" at a common place + String uid = null; + + uid = authToken.getInString("userid"); + if (uid == null) { + uid = authToken.getInString("uid"); + if (uid == null) { + CMS.debug("GroupAccessEvaluator: evaluate: uid null"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("EVALUTOR_UID_NULL")); + return false; + } + } + CMS.debug("GroupAccessEvaluator: evaluate: uid=" + uid + " value=" + value); + + String groupname = authToken.getInString("gid"); + 
+ if (groupname != null) { + CMS.debug("GroupAccessEvaluator: evaluate: authToken gid=" + groupname); + if (op.equals("=")) { + return groupname.equals(Utils.stripQuotes(value)); + } else if (op.equals("!=")) { + return !groupname.equals(Utils.stripQuotes(value)); + } + } else { + CMS.debug("GroupAccessEvaluator: evaluate: no gid in authToken"); + IUser id = null; + try { + id = mUG.getUser(uid); + } catch (EBaseException e) { + CMS.debug("GroupAccessEvaluator: " + e.toString()); + return false; + } + + if (op.equals("=")) { + return mUG.isMemberOf(id, Utils.stripQuotes(value)); + } else if (op.equals("!=")) { + return !(mUG.isMemberOf(id, Utils.stripQuotes(value))); + } + } + } + + return false; + } + + /** + * evaluates uid in SessionContext to see if it has membership in + * group value + * + * @param type must be "group" + * @param op must be "=" + * @param value the group name + * @return true if SessionContext uid belongs to the group value, + * false otherwise + */ + public boolean evaluate(String type, String op, String value) { + + SessionContext mSC = SessionContext.getContext(); + + if (type.equals(mType)) { + IUser id = (IUser) mSC.get(SessionContext.USER); + + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("EVALUTOR_UID_NULL")); + return false; + } + if (op.equals("=")) + return mUG.isMemberOf(id, Utils.stripQuotes(value)); + else + return !(mUG.isMemberOf(id, Utils.stripQuotes(value))); + + } + + return false; + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, + level, "GroupAccessEvaluator: " + msg); + } + +} diff --git a/base/common/src/com/netscape/cms/evaluators/IPAddressAccessEvaluator.java b/base/common/src/com/netscape/cms/evaluators/IPAddressAccessEvaluator.java new file mode 100644 index 000000000..17d383688 --- /dev/null +++ b/base/common/src/com/netscape/cms/evaluators/IPAddressAccessEvaluator.java 
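Review bot: In the three-argument evaluate, any operator other than "=" takes the bare `else` branch and is evaluated as "!=", so an unrecognised operator in an ACL expression grants access to every non-member, whereas the four-argument overload returns false for an unknown operator. Make the branch explicit, `else if (op.equals("!=")) return !(mUG.isMemberOf(id, Utils.stripQuotes(value)));`, so anything else falls through to `return false`. The same open-ended `else` appears in IPAddressAccessEvaluator.evaluate(String, String, String) in the next hunk. Both overloads also dereference `mUG`, which the constructor only logs about when it is null; a `mUG == null` guard that logs and returns false would fail closed instead of throwing NullPointerException from the ACL check.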
@@ -0,0 +1,128 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.evaluators;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.evaluators.IAccessEvaluator;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.cmsutil.util.Utils;
+
+/**
+ * A class represents a IP address acls evaluator.
+ *

+ * + * @version $Revision$, $Date$ + */ +public class IPAddressAccessEvaluator implements IAccessEvaluator { + private String mType = "ipaddress"; + private String mDescription = "IP Address evaluator"; + private ILogger mLogger = CMS.getLogger(); + + /** + * Class constructor. + */ + public IPAddressAccessEvaluator() { + } + + /** + * initialization. nothing for now. + */ + public void init() { + } + + /** + * gets the type name for this acl evaluator + * + * @return type for this acl evaluator: ipaddress + */ + public String getType() { + return mType; + } + + /** + * gets the description for this acl evaluator + * + * @return description for this acl evaluator + */ + public String getDescription() { + return mDescription; + } + + public String[] getSupportedOperators() { + String[] s = new String[2]; + + s[0] = "="; + s[1] = "!="; + return s; + } + + /** + * Gets the IP address from session context + * + * @param authToken authentication token + * @param type must be "ipaddress" + * @param op must be "=" or "!=" + * @param value the ipaddress + */ + public boolean evaluate(IAuthToken authToken, String type, String op, String value) { + + return evaluate(type, op, value); + } + + /** + * evaluates uid in SessionContext to see if it has membership in + * group value + * + * @param type must be "group" + * @param op must be "=" + * @param value the group name + * @return true if SessionContext uid belongs to the group value, + * false otherwise + */ + public boolean evaluate(String type, String op, String value) { + + SessionContext mSC = SessionContext.getContext(); + + value = Utils.stripQuotes(value); + String ipaddress = (String) mSC.get(SessionContext.IPADDRESS); + + if (type.equals(mType)) { + if (ipaddress == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("EVALUATOR_IPADDRESS_NULL")); + return false; + } + if (op.equals("=")) { + return ipaddress.matches(value); + } else { + return !(ipaddress.matches(value)); + } + + } + + return false; + } + + 
private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, + level, "GroupAccessEvaluator: " + msg); + } +} diff --git a/base/common/src/com/netscape/cms/evaluators/UserAccessEvaluator.java b/base/common/src/com/netscape/cms/evaluators/UserAccessEvaluator.java new file mode 100644 index 000000000..bf7727c92 --- /dev/null +++ b/base/common/src/com/netscape/cms/evaluators/UserAccessEvaluator.java @@ -0,0 +1,153 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.evaluators; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.evaluators.IAccessEvaluator; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.usrgrp.IUser; +import com.netscape.cmsutil.util.Utils; + +/** + * A class represents a user acls evaluator. + *
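Review bot: The log helper at the end of IPAddressAccessEvaluator tags its messages with `"GroupAccessEvaluator: "`, so failures from this evaluator (for example the null-IP-address case) are attributed to the group evaluator in the system log; it should read `level, "IPAddressAccessEvaluator: " + msg);`. The Javadoc on the three-argument evaluate is also copied from the group evaluator (it describes uid and group membership) and should instead say that the session's IP address is compared with `value`. That comparison is `String.matches`, so the Javadoc should state that `value` is treated as a regular expression in which an unescaped `.` matches any character rather than as a literal dotted address.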

+ * + * @version $Revision$, $Date$ + */ +public class UserAccessEvaluator implements IAccessEvaluator { + private String mType = "user"; + private String mDescription = "user equivalence evaluator"; + private ILogger mLogger = CMS.getLogger(); + + private final static String ANYBODY = "anybody"; + private final static String EVERYBODY = "everybody"; + + /** + * Class constructor. + */ + public UserAccessEvaluator() { + } + + /** + * initialization. nothing for now. + */ + public void init() { + CMS.debug("UserAccessEvaluator: init"); + } + + /** + * gets the type name for this acl evaluator + * + * @return type for this acl evaluator: "user" or "at_user" + */ + public String getType() { + return mType; + } + + /** + * gets the description for this acl evaluator + * + * @return description for this acl evaluator + */ + public String getDescription() { + return mDescription; + } + + public String[] getSupportedOperators() { + String[] s = new String[2]; + + s[0] = "="; + s[1] = "!="; + return s; + } + + /** + * Evaluates the user in AuthToken to see if it's equal to value + * + * @param authToken AuthToken from authentication + * @param type must be "at_user" + * @param op must be "=" + * @param value the user id + * @return true if AuthToken uid is same as value, false otherwise + */ + public boolean evaluate(IAuthToken authToken, String type, String op, String value) { + + if (type.equals(mType)) { + String s = Utils.stripQuotes(value); + + if ((s.equals(ANYBODY) || s.equals(EVERYBODY)) && op.equals("=")) + return true; + + // should define "uid" at a common place + String uid = null; + + uid = authToken.getInString("uid"); + + if (uid == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("EVALUTOR_UID_IS_NULL")); + return false; + } + + if (op.equals("=")) + return s.equalsIgnoreCase(uid); + else if (op.equals("!=")) + return !(s.equalsIgnoreCase(uid)); + } + + return false; + } + + /** + * Evaluates the user in session context to see if it's equal to value + * 
+ * @param type must be "user" + * @param op must be "=" + * @param value the user id + * @return true if SessionContext uid is same as value, false otherwise + */ + public boolean evaluate(String type, String op, String value) { + + SessionContext mSC = SessionContext.getContext(); + + if (type.equals(mType)) { + String s = Utils.stripQuotes(value); + + if (s.equals(ANYBODY) && op.equals("=")) + return true; + + IUser id = (IUser) mSC.get(SessionContext.USER); + + if (op.equals("=")) + return s.equalsIgnoreCase(id.getName()); + else if (op.equals("!=")) + return !(s.equalsIgnoreCase(id.getName())); + } + + return false; + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, + level, "UserAccessEvaluator: " + msg); + } + +} diff --git a/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java b/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java new file mode 100644 index 000000000..442828e75 --- /dev/null +++ b/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java 
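Review bot: In the three-argument evaluate of UserAccessEvaluator, `id` from `mSC.get(SessionContext.USER)` is used without a null check, so a session with no user throws NullPointerException at `id.getName()` instead of denying access, while the four-argument overload logs and returns false for a null uid. Add `if (id == null) { log(ILogger.LL_FAILURE, CMS.getLogMessage("EVALUTOR_UID_IS_NULL")); return false; }` before the operator check. The two overloads also disagree on the wildcard: the first accepts both `anybody` and `everybody` for "=", the second only `anybody`; if that is intended it should be documented in the Javadoc, otherwise the second should match the first. Identity is compared with `equalsIgnoreCase` in both; whether uids are case-insensitive in the backing user store is not visible here, so a comment stating that assumption would help the next reader.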
@@ -0,0 +1,165 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2008 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.evaluators;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.evaluators.IAccessEvaluator;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.usrgrp.IUser;
+import com.netscape.cmsutil.util.Utils;
+
+/**
+ * A class represents a user-origreq uid mapping acls evaluator.
+ * This is primarily used for renewal. During renewal, the orig_req
+ * uid is placed in the SessionContext of the renewal session context
+ * to be evaluated by this evaluator
+ *

+ * + * @author Christina Fu + * @version $Revision$, $Date$ + */ +public class UserOrigReqAccessEvaluator implements IAccessEvaluator { + private String mType = "user_origreq"; + private String mDescription = "user origreq matching evaluator"; + private ILogger mLogger = CMS.getLogger(); + + private final static String ANYBODY = "anybody"; + private final static String EVERYBODY = "everybody"; + + /** + * Class constructor. + */ + public UserOrigReqAccessEvaluator() { + } + + /** + * initialization. nothing for now. + */ + public void init() { + CMS.debug("UserOrigReqAccessEvaluator: init"); + } + + /** + * gets the type name for this acl evaluator + * + * @return type for this acl evaluator: "user_origreq" or "at_user_origreq" + */ + public String getType() { + return mType; + } + + /** + * gets the description for this acl evaluator + * + * @return description for this acl evaluator + */ + public String getDescription() { + return mDescription; + } + + public String[] getSupportedOperators() { + String[] s = new String[2]; + + s[0] = "="; + s[1] = "!="; + return s; + } + + /** + * Evaluates the user in AuthToken to see if it's equal to value + * + * @param authToken AuthToken from authentication + * @param type must be "at_userreq" + * @param op must be "=" + * @param value the request param name + * @return true if AuthToken uid is same as value, false otherwise + */ + public boolean evaluate(IAuthToken authToken, String type, String op, String value) { + CMS.debug("UserOrigReqAccessEvaluator: evaluate() begins"); + if (type.equals(mType)) { + String s = Utils.stripQuotes(value); + + if ((s.equals(ANYBODY) || s.equals(EVERYBODY)) && op.equals("=")) + return true; + + // should define "uid" at a common place + String uid = null; + + uid = authToken.getInString("uid"); + + if (uid == null) { + CMS.debug("UserOrigReqAccessEvaluator: evaluate() uid in authtoken null"); + return false; + } else + CMS.debug("UserOrigReqAccessEvaluator: evaluate() uid in authtoken =" 
+ uid); + + // find value of param in request + SessionContext mSC = SessionContext.getContext(); + CMS.debug("UserOrigReqAccessEvaluator: evaluate() getting " + "orig_req." + s + " in SessionContext"); + // "orig_req.auth_token.uid" + String orig_id = (String) mSC.get("orig_req." + s); + + if (orig_id == null) { + CMS.debug("UserOrigReqAccessEvaluator: evaluate() orig_id null"); + return false; + } + CMS.debug("UserOrigReqAccessEvaluator: evaluate() orig_id =" + orig_id); + if (op.equals("=")) + return uid.equalsIgnoreCase(orig_id); + else if (op.equals("!=")) + return !(uid.equalsIgnoreCase(orig_id)); + } + + return false; + } + + /** + * Evaluates the user in session context to see if it's equal to value + * + * @param type must be "user_origreq" + * @param op must be "=" + * @param value the user id + * @return true if SessionContext uid is same as value, false otherwise + */ + public boolean evaluate(String type, String op, String value) { + + SessionContext mSC = SessionContext.getContext(); + + if (type.equals(mType)) { + // what do I do with s here? + String s = Utils.stripQuotes(value); + + if (s.equals(ANYBODY) && op.equals("=")) + return true; + + IUser id = (IUser) mSC.get(SessionContext.USER); + // "orig_req.auth_token.uid" + String orig_id = (String) mSC.get("orig_req" + s); + + if (op.equals("=")) + return id.getName().equalsIgnoreCase(orig_id); + else if (op.equals("!=")) + return !(id.getName().equalsIgnoreCase(orig_id)); + } + + return false; + } + +} diff --git a/base/common/src/com/netscape/cms/jobs/AJobBase.java b/base/common/src/com/netscape/cms/jobs/AJobBase.java new file mode 100644 index 000000000..0da5d2028 --- /dev/null +++ b/base/common/src/com/netscape/cms/jobs/AJobBase.java 
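Review bot: The three-argument evaluate looks up `"orig_req" + s` while the four-argument overload and its own inline comment use the key `"orig_req." + s`, so the session entry is missed, `orig_id` is null, "=" always denies and "!=" always grants; it should read `String orig_id = (String) mSC.get("orig_req." + s);`. The same method also dereferences `id` and passes a possibly null `orig_id` without the null handling the overload above it has, so a session without a user throws NullPointerException from the ACL check; a matching `if (id == null || orig_id == null) return false;` before the operator check would keep it fail-closed. The `// what do I do with s here?` comment should be resolved (s is the request parameter name used to build the session key) or removed.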
@@ -0,0 +1,301 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.jobs;
+
+import java.io.IOException;
+import java.util.Hashtable;
+
+import netscape.security.x509.X509CertImpl;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.jobs.IJob;
+import com.netscape.certsrv.jobs.IJobCron;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.notification.ENotificationException;
+import com.netscape.certsrv.notification.IEmailFormProcessor;
+import com.netscape.certsrv.notification.IEmailTemplate;
+import com.netscape.certsrv.notification.IMailNotification;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This abstract class is a base job for real job extentions for the
+ * Jobs Scheduler.
+ *
+ * @version $Revision$, $Date$
+ * @see com.netscape.certsrv.jobs.IJob
+ */
+public abstract class AJobBase implements IJob, Runnable {
+    // config parameters...
+ protected static final String PROP_SUMMARY = "summary"; + protected static final String PROP_ENABLED = "enabled"; + protected static final String PROP_EMAIL_SUBJECT = "emailSubject"; + protected static final String PROP_EMAIL_TEMPLATE = "emailTemplate"; + protected static final String PROP_ITEM_TEMPLATE = "itemTemplate"; + protected static final String PROP_SENDER_EMAIL = "senderEmail"; + protected static final String PROP_RECEIVER_EMAIL = "recipientEmail"; + + protected static final String STATUS_FAILURE = "failed"; + protected static final String STATUS_SUCCESS = "succeeded"; + + // variables used by the Job Scheduler Daemon + protected String mImplName = null; + protected IConfigStore mConfig; + protected String mId = null; + protected String mCron = null; + protected IJobCron mJobCron = null; + + protected ILogger mLogger = CMS.getLogger(); + protected static String[] mConfigParams = null; + + protected String mSummaryMailSubject = null; + protected boolean mMailHTML = false; + protected String mMailForm = null; + protected String mItemForm = null; + protected String mSummarySenderEmail = null; + protected String mSummaryReceiverEmail = null; + protected Hashtable mContentParams = new Hashtable(); + protected Hashtable mItemParams = new Hashtable(); + + boolean stopped; + + public AJobBase() { + } + + /** + * tells if the job is enabled + * + * @return a boolean value indicating whether the job is enabled + * or not + */ + public boolean isEnabled() { + boolean enabled = false; + + try { + enabled = mConfig.getBoolean(PROP_ENABLED, false); + } catch (EBaseException e) { + } + return enabled; + } + + /*********************** + * abstract methods + ***********************/ + public abstract void init(ISubsystem owner, String id, String implName, IConfigStore + config) throws EBaseException; + + public abstract void run(); + + /*********************** + * public methods + ***********************/ + + /** + * get instance id. 
+ * + * @return a String identifier + */ + public String getId() { + return mId; + } + + /** + * set instance id. + * + * @param id String id of the instance + */ + public void setId(String id) { + mId = id; + } + + /** + * get cron string associated with this job + * + * @return a JobCron object that represents the schedule of this job + */ + public IJobCron getJobCron() { + return mJobCron; + } + + /** + * gets the plugin name of this job. + * + * @return a String that is the name of this implementation + */ + public String getImplName() { + return mImplName; + } + + /** + * Gets the configuration substore used by this job + * + * @return configuration store + */ + public IConfigStore getConfigStore() { + return mConfig; + } + + /* + * get form file content from disk + */ + protected String getTemplateContent(String templatePath) { + String templateString = null; + + /* + * get template file from disk + */ + IEmailTemplate template = CMS.getEmailTemplate(templatePath); + + if (template != null) { + if (!template.init()) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("JOBS_TEMPLATE_INIT_ERROR")); + return null; + } + + // this should take care of inner tempaltes not being html + // we go with the outter template + if (template.isHTML()) { + mMailHTML = true; + } + templateString = template.toString(); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("JOBS_TEMPLATE_INIT_ERROR")); + } + + return templateString; + } + + protected void mailSummary(String content) { + // no need for email resolver here... 
+ IMailNotification mn = CMS.getMailNotification(); + + mn.setFrom(mSummarySenderEmail); + mn.setTo(mSummaryReceiverEmail); + mn.setSubject(mSummaryMailSubject); + if (mMailHTML == true) { + mn.setContentType("text/html"); + } + + mn.setContent(content); + try { + mn.sendNotification(); + } catch (ENotificationException e) { + // already logged, lets audit + mLogger.log(ILogger.EV_AUDIT, null, + ILogger.S_OTHER, + ILogger.LL_FAILURE, CMS.getLogMessage("JOBS_SEND_NOTIFICATION", e.toString())); + } catch (IOException e) { + // already logged, lets audit + mLogger.log(ILogger.EV_AUDIT, null, + ILogger.S_OTHER, + ILogger.LL_FAILURE, CMS.getLogMessage("JOBS_SEND_NOTIFICATION", e.toString())); + } + } + + protected void buildItemParams(X509CertImpl cert) { + mItemParams.put(IEmailFormProcessor.TOKEN_SERIAL_NUM, + cert.getSerialNumber().toString()); + mItemParams.put(IEmailFormProcessor.TOKEN_HEX_SERIAL_NUM, + cert.getSerialNumber().toString(16)); + mItemParams.put(IEmailFormProcessor.TOKEN_ISSUER_DN, + cert.getIssuerDN().toString()); + mItemParams.put(IEmailFormProcessor.TOKEN_SUBJECT_DN, + cert.getSubjectDN().toString()); + mItemParams.put(IEmailFormProcessor.TOKEN_NOT_AFTER, + cert.getNotAfter().toString()); + mItemParams.put(IEmailFormProcessor.TOKEN_NOT_BEFORE, + cert.getNotBefore().toString()); + // ... 
and more + } + + protected void buildItemParams(IRequest r) { + String re = r.getExtDataInString(IRequest.HTTP_PARAMS, "csrRequestorEmail"); + + if (re != null) { + mItemParams.put(IEmailFormProcessor.TOKEN_REQUESTOR_EMAIL, re); + } + + String ct = r.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); + + if (ct != null) { + mItemParams.put(IEmailFormProcessor.TOKEN_CERT_TYPE, ct); + } + + String rt = r.getExtDataInString(IRequest.REQ_TYPE); + + if (rt != null) { + mItemParams.put(IEmailFormProcessor.TOKEN_REQUEST_TYPE, rt); + } + } + + protected void buildItemParams(String name, String val) { + if (val != null) + mItemParams.put(name, val); + else { + CMS.debug("AJobBase: buildItemParams: null value for name= " + name); + mItemParams.put(name, ""); + } + } + + protected void buildContentParams(String name, String val) { + if (val != null) + mContentParams.put(name, val); + else { + CMS.debug("AJobBase: buildContentParams: null value for name= " + name); + mContentParams.put(name, ""); + } + } + + /** + * logs an entry in the log file. Used by classes extending this class. + * + * @param level log level + * @param msg log message in String + */ + public void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_OTHER, + level, mId + ": " + msg); + } + + /** + * capable of logging multiline entry in the log file. Used by classes extending this class. + * + * @param level log level + * @param msg log message in String + * @param multiline boolean indicating whether the message is a + * multi-lined message. + */ + public void log(int level, String msg, boolean multiline) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_OTHER, + level, mId + ": " + msg, multiline); + } + + public void stop() { + stopped = true; + } + + public boolean isStopped() { + return stopped; + } +} 
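Review bot: `isEnabled()` swallows the `EBaseException` from `mConfig.getBoolean` with an empty catch, so an unreadable or malformed config store silently reports the job as disabled; at minimum record it, e.g. `} catch (EBaseException e) { CMS.debug("AJobBase: isEnabled: " + e.toString()); }`. `mItemParams` and `mContentParams` are raw `Hashtable`s that are reused for every record a job processes, so any token a subclass does not rewrite for a record keeps the previous record's value; declaring them `Hashtable<String, String>` and documenting that subclasses must set every token per item would make that contract explicit. `buildItemParams(IRequest)` copies `csrRequestorEmail` straight from `IRequest.HTTP_PARAMS`, i.e. from the enrollment request, into the template parameters, and `mailSummary` sends the result as `text/html` whenever the template is HTML; whether `IEmailFormProcessor` escapes token values is not visible here, so a comment on that method noting the values are request-supplied and must be escaped by the template processor before use in HTML mail would be worth adding. The two identical catch blocks in `mailSummary` could be merged with a multi-catch if the code base has moved past Java 6.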
diff --git a/base/common/src/com/netscape/cms/jobs/PublishCertsJob.java b/base/common/src/com/netscape/cms/jobs/PublishCertsJob.java
new file mode 100644
index 000000000..28268dfab
--- /dev/null
+++ b/base/common/src/com/netscape/cms/jobs/PublishCertsJob.java
@@ -0,0 +1,392 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.jobs;
+
+import java.text.DateFormat;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Locale;
+
+import netscape.security.x509.X509CertImpl;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.base.MetaInfo;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.dbs.certdb.ICertRecord;
+import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+import com.netscape.certsrv.jobs.IJob;
+import com.netscape.certsrv.jobs.IJobCron;
+import com.netscape.certsrv.jobs.IJobsScheduler;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.notification.IEmailFormProcessor;
+import com.netscape.certsrv.publish.IPublisherProcessor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.IRequestQueue;
+import com.netscape.certsrv.request.RequestId;
+
+/**
+ * a job for the Jobs Scheduler.
This job checks in the internal ldap + * db for valid certs that have not been published to the + * publishing directory. + *

+ * the $TOKENS that are available for the this jobs's summary outer form are:
+ *

    + * $Status $InstanceID $SummaryItemList $SummaryTotalNum $SummaryTotalSuccess $SummaryTotalfailure $ExecutionTime + *
+ * and for the inner list items: + *
    + * $SerialNumber $IssuerDN $SubjectDN $NotAfter $NotBefore $RequestorEmail $CertType + *
+ * + * @version $Revision$, $Date$ + */ +public class PublishCertsJob extends AJobBase + implements IJob, Runnable, IExtendedPluginInfo { + + ICertificateAuthority mCa = null; + IRequestQueue mReqQ = null; + ICertificateRepository mRepository = null; + IPublisherProcessor mPublisherProcessor = null; + private boolean mSummary = false; + + /* Holds configuration parameters accepted by this implementation. + * This list is passed to the configuration console so configuration + * for instances of this implementation can be configured through the + * console. + */ + protected static String[] mConfigParams = + new String[] { + "enabled", + "cron", + "summary.enabled", + "summary.emailSubject", + "summary.emailTemplate", + "summary.itemTemplate", + "summary.senderEmail", + "summary.recipientEmail" + }; + + public String[] getExtendedPluginInfo(Locale locale) { + String s[] = { + IExtendedPluginInfo.HELP_TEXT + + "; A job that checks for valid certificates in the " + + "database, that have not been published and publish them to " + + "the publishing directory", + "cron;string;Format: minute hour dayOfMonth month " + + "dayOfWeek. Use '*' for 'every'. For dayOfWeek, 0 is Sunday", + "summary.senderEmail;string;Specify the address to be used " + + "as the email's 'sender'. Bounces go to this address.", + "summary.recipientEmail;string;Who should receive summaries", + "enabled;boolean;Enable this plugin", + "summary.enabled;boolean;Enable the summary. 
You must enabled " + + "this for the job to work.", + "summary.emailSubject;string;Subject of summary email", + "summary.emailTemplate;string;Fully qualified pathname of " + + "template file of email to be sent", + "summary.itemTemplate;string;Fully qualified pathname of " + + "file containing template for each item", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-jobrules-unpublishexpiredjobs", + }; + + return s; + } + + /** + * initialize from the configuration file + */ + public void init(ISubsystem owner, String id, String implName, IConfigStore config) throws + EBaseException { + mConfig = config; + mId = id; + mImplName = implName; + + mCa = (ICertificateAuthority) + CMS.getSubsystem("ca"); + if (mCa == null) { + return; + } + + mReqQ = mCa.getRequestQueue(); + mRepository = mCa.getCertificateRepository(); + mPublisherProcessor = mCa.getPublisherProcessor(); + + // read from the configuration file + mCron = mConfig.getString(IJobCron.PROP_CRON); + if (mCron == null) { + return; + } + + // parse cron string into a JobCron class + IJobsScheduler scheduler = (IJobsScheduler) owner; + + mJobCron = scheduler.createJobCron(mCron); + + // initialize the summary related config info + IConfigStore sc = mConfig.getSubStore(PROP_SUMMARY); + + if (sc.getBoolean(PROP_ENABLED, false)) { + mSummary = true; + mSummaryMailSubject = sc.getString(PROP_EMAIL_SUBJECT); + mMailForm = sc.getString(PROP_EMAIL_TEMPLATE); + mItemForm = sc.getString(PROP_ITEM_TEMPLATE); + mSummarySenderEmail = sc.getString(PROP_SENDER_EMAIL); + mSummaryReceiverEmail = sc.getString(PROP_RECEIVER_EMAIL); + } else { + mSummary = false; + } + } + + /** + * look in the internal db for certificateRecords that are + * valid but not published + * The publish() method should set InLdapPublishDir flag accordingly. 
+ * if publish unsuccessfully, log it -- unsuccessful certs should be + * picked up and attempted again at the next scheduled run + */ + public void run() { + CMS.debug("in PublishCertsJob " + + getId() + " : run()"); + // get time now..."now" is before the loop + Date date = CMS.getCurrentDate(); + DateFormat dateFormat = DateFormat.getDateTimeInstance(); + String nowString = dateFormat.format(date); + + // form filter + String filter = // might need to use "metaInfo" + "(!(certMetainfo=" + ICertRecord.META_LDAPPUBLISH + + ":true))"; + + Enumeration unpublishedCerts = null; + + try { + unpublishedCerts = mRepository.findCertRecs(filter); + // bug 399150 + /* + CertRecordList list = null; + list = mRepository.findCertRecordsInList(filter, null, "serialno", 5); + int size = list.getSize(); + expired = list.getCertRecords(0, size - 1); + */ + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + } + + int count = 0; // how many have been published successfully + int negCount = 0; // how many have NOT been published successfully + String contentForm = null; + String itemForm = null; + String itemListContent = null; + + if (mSummary == true) { + contentForm = getTemplateContent(mMailForm); + itemForm = getTemplateContent(mItemForm); + } + + // filter out the invalid ones and publish them + // publish() will set inLdapPublishDir flag + while (unpublishedCerts != null && unpublishedCerts.hasMoreElements()) { + ICertRecord rec = (ICertRecord) unpublishedCerts.nextElement(); + + if (rec == null) + break; + X509CertImpl cert = rec.getCertificate(); + Date notAfter = cert.getNotAfter(); + + // skip CA certs + if (cert.getBasicConstraintsIsCA() == true) + continue; + + // skip the expired certs + if (notAfter.before(date)) + continue; + + if (mSummary == true) + buildItemParams(cert); + + // get request id from cert record MetaInfo + MetaInfo minfo = null; + + try { + minfo = (MetaInfo) 
rec.get(ICertRecord.ATTR_META_INFO); + } catch (EBaseException e) { + negCount += 1; + if (mSummary == true) + buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + STATUS_FAILURE); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("JOBS_META_INFO_ERROR", + cert.getSerialNumber().toString(16) + + e.toString())); + } + + String ridString = null; + + try { + if (minfo != null) + ridString = (String) minfo.get(ICertRecord.META_REQUEST_ID); + } catch (EBaseException e) { + negCount += 1; + if (mSummary == true) + buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + STATUS_FAILURE); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("JOBS_META_REQUEST_ERROR", + cert.getSerialNumber().toString(16) + + e.toString())); + } catch (NullPointerException e) { + // no requestId in MetaInfo...skip to next record + negCount += 1; + if (mSummary == true) + buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + STATUS_FAILURE); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("JOBS_META_REQUEST_ERROR", + cert.getSerialNumber().toString(16) + + e.toString())); + } + + if (ridString != null) { + RequestId rid = new RequestId(ridString); + + // get request from request id + IRequest req = null; + + try { + req = mReqQ.findRequest(rid); + if (req != null) { + if (mSummary == true) + buildItemParams(req); + } + } catch (EBaseException e) { + negCount += 1; + if (mSummary == true) + buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + STATUS_FAILURE); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("JOBS_FIND_REQUEST_ERROR", + cert.getSerialNumber().toString(16) + + e.toString())); + } + try { + if ((mPublisherProcessor != null) && + mPublisherProcessor.enabled()) { + mPublisherProcessor.publishCert(cert, req); + if (mSummary == true) + buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + STATUS_SUCCESS); + count += 1; + } else { + negCount += 1; + } + } catch (Exception e) { + negCount += 1; + if (mSummary == true) + buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + STATUS_FAILURE); + 
log(ILogger.LL_FAILURE, + CMS.getLogMessage("JOBS_PUBLISH_ERROR", + cert.getSerialNumber().toString(16) + + e.toString())); + } + } // ridString != null + else { + try { + if ((mPublisherProcessor != null) && + mPublisherProcessor.enabled()) { + mPublisherProcessor.publishCert(cert, null); + + if (mSummary == true) + buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + STATUS_SUCCESS); + count += 1; + } else { + negCount += 1; + } + } catch (Exception e) { + negCount += 1; + + if (mSummary == true) + buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + STATUS_FAILURE); + + log(ILogger.LL_FAILURE, + CMS.getLogMessage("JOBS_PUBLISH_ERROR", + cert.getSerialNumber().toString(16) + + e.toString())); + } + } // ridString == null + + // inLdapPublishDir flag should have been set by the + // publish() method + + // if summary is enabled, form the item content + if (mSummary) { + IEmailFormProcessor emailItemFormProcessor = + CMS.getEmailFormProcessor(); + String c = emailItemFormProcessor.getEmailContent(itemForm, + mItemParams); + + // add item content to the item list + if (itemListContent == null) { + itemListContent = c; + } else { + itemListContent += c; + } + } + } + + // time for summary + if (mSummary == true) { + buildContentParams(IEmailFormProcessor.TOKEN_ID, + mId); + buildContentParams(IEmailFormProcessor.TOKEN_SUMMARY_ITEM_LIST, + itemListContent); + buildContentParams(IEmailFormProcessor.TOKEN_SUMMARY_TOTAL_NUM, + String.valueOf(count + negCount)); + buildContentParams(IEmailFormProcessor.TOKEN_SUMMARY_SUCCESS_NUM, + String.valueOf(count)); + buildContentParams(IEmailFormProcessor.TOKEN_SUMMARY_FAILURE_NUM, + String.valueOf(negCount)); + buildContentParams(IEmailFormProcessor.TOKEN_EXECUTION_TIME, + nowString); + + IEmailFormProcessor emailFormProcessor = CMS.getEmailFormProcessor(); + String mailContent = + emailFormProcessor.getEmailContent(contentForm, + mContentParams); + + mailSummary(mailContent); + } + } + + /** + * Returns a list of configuration 
parameter names. + * The list is passed to the configuration console so instances of + * this implementation can be configured through the console. + * + * @return String array of configuration parameter names. + */ + public String[] getConfigParams() { + return mConfigParams; + } +} diff --git a/base/common/src/com/netscape/cms/jobs/RenewalNotificationJob.java b/base/common/src/com/netscape/cms/jobs/RenewalNotificationJob.java new file mode 100644 index 000000000..5ca581445 --- /dev/null +++ b/base/common/src/com/netscape/cms/jobs/RenewalNotificationJob.java 
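Review bot: In `run()`, the `ridString != null` and `else` branches both publish the certificate and differ only in whether `req` is passed, and a single record can add to `negCount` several times (once for each failed meta-info, request-id or request lookup, and again on publish failure), so `$SummaryTotalNum` can exceed the number of records processed; when the publisher is disabled, `TOKEN_STATUS` is never set and the previous record's value is left in the shared `mItemParams`. I would resolve `req` once and publish through a single path that counts each record exactly once, as below, and reduce the `negCount += 1` lines in the earlier meta-info catch blocks to logging, since the record is still published afterwards. Catching `NullPointerException` around `minfo.get(...)` is control flow by exception, and `minfo` is already null-checked there, so that clause can go. The help token `configuration-jobrules-unpublishexpiredjobs` looks copied from another job and presumably should name this job's page.
```java
            // … unchanged: MetaInfo / request-id lookup …

            // resolve the originating request when the record names one;
            // a failed lookup is logged but does not stop publishing
            IRequest req = null;
            if (ridString != null) {
                try {
                    req = mReqQ.findRequest(new RequestId(ridString));
                    if (req != null && mSummary)
                        buildItemParams(req);
                } catch (EBaseException e) {
                    log(ILogger.LL_FAILURE,
                            CMS.getLogMessage("JOBS_FIND_REQUEST_ERROR",
                                    cert.getSerialNumber().toString(16) + e.toString()));
                }
            }

            // publish exactly once per record and count it exactly once
            boolean published = false;
            try {
                if (mPublisherProcessor != null && mPublisherProcessor.enabled()) {
                    mPublisherProcessor.publishCert(cert, req);
                    published = true;
                }
            } catch (Exception e) {
                log(ILogger.LL_FAILURE,
                        CMS.getLogMessage("JOBS_PUBLISH_ERROR",
                                cert.getSerialNumber().toString(16) + e.toString()));
            }

            if (published)
                count += 1;
            else
                negCount += 1;
            // always set the status token so a disabled publisher does not
            // leave the previous record's status in the shared table
            if (mSummary)
                buildItemParams(IEmailFormProcessor.TOKEN_STATUS,
                        published ? STATUS_SUCCESS : STATUS_FAILURE);

            // … unchanged: per-item summary content …
```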
@@ -0,0 +1,706 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.jobs;
+
+import java.io.IOException;
+import java.text.DateFormat;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.StringTokenizer;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.base.MetaInfo;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.dbs.IElementProcessor;
+import com.netscape.certsrv.dbs.certdb.ICertRecord;
+import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+import com.netscape.certsrv.jobs.IJob;
+import com.netscape.certsrv.jobs.IJobCron;
+import com.netscape.certsrv.jobs.IJobsScheduler;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.notification.ENotificationException;
+import com.netscape.certsrv.notification.IEmailFormProcessor;
+import com.netscape.certsrv.notification.IEmailResolver;
+import com.netscape.certsrv.notification.IEmailResolverKeys;
+import 
com.netscape.certsrv.notification.IMailNotification; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.RequestId; + +/** + * A job for the Jobs Scheduler. This job checks in the internal ldap + * db for certs about to expire within the next configurable days and + * sends email notifications to the appropriate recipients. + * + * the $TOKENS that are available for the this jobs's summary outer form are:
+ *
    + *
  • $Status + *
  • $InstanceID + *
  • $SummaryItemList + *
  • $SummaryTotalNum + *
  • $SummaryTotalSuccess + *
  • $SummaryTotalfailure + *
  • $ExecutionTime + *
+ * and for the inner list items: + *
    + *
  • $SerialNumber + *
  • $IssuerDN + *
  • $SubjectDN + *
  • $NotAfter + *
  • $NotBefore + *
  • $RequestorEmail + *
  • $CertType + *
  • $RequestType + *
  • $HttpHost + *
  • $HttpPort + *
+ * + * @version $Revision$, $Date$ + * @see com.netscape.certsrv.jobs.IJob + * @see com.netscape.cms.jobs.AJobBase + */ +public class RenewalNotificationJob + extends AJobBase + implements IJob, Runnable, IExtendedPluginInfo { + + // config parameters... + public static final String PROP_CRON = "cron"; + + /** + * Profile ID specifies which profile approves the certificate. + */ + public static final String PROP_PROFILE_ID = "profileId"; + + /** + * This job will send notification at this much time before the + * enpiration date + */ + public static final String PROP_NOTIFYTRIGGEROFFSET = + "notifyTriggerOffset"; + + /** + * This job will stop sending notification this much time after + * the expiration date + */ + public static final String PROP_NOTIFYENDOFFSET = "notifyEndOffset"; + + /** + * sender email address as appeared on the notification email + */ + public static final String PROP_SENDEREMAIL = + "senderEmail"; + + /** + * email subject line as appeared on the notification email + */ + public static final String PROP_EMAILSUBJECT = + "emailSubject"; + + /** + * location of the template file used for email notification + */ + public static final String PROP_EMAILTEMPLATE = "emailTemplate"; + public static final String PROP_MAXNOTIFYCOUNT = "maxNotifyCount"; + + /** + * sender email as appeared on the notification summary email + */ + public static final String PROP_SUMMARY_SENDEREMAIL = "summary.senderEmail"; + + /** + * recipient of the notification summary email + */ + public static final String PROP_SUMMARY_RECIPIENTEMAIL = "summary.recipientEmail"; + + /** + * email subject as appeared on the notification summary email + */ + public static final String PROP_SUMMARY_SUBJECT = "summary.emailSubject"; + + /** + * location of the email template used for notification summary + */ + public static final String PROP_SUMMARY_TEMPLATE = "summary.emailTemplate"; + + /** + * location of the template file for each item appeared on the + * notification summary + */ 
+ public static final String PROP_SUMMARY_ITEMTEMPLATE = "summary.itemTemplate"; + + /* + * Holds configuration parameters accepted by this implementation. + * This list is passed to the configuration console so configuration + * for instances of this implementation can be configured through the + * console. + */ + protected static String[] mConfigParams = + new String[] { + "enabled", + PROP_CRON, + PROP_PROFILE_ID, + PROP_NOTIFYTRIGGEROFFSET, + PROP_NOTIFYENDOFFSET, + PROP_SENDEREMAIL, + PROP_EMAILSUBJECT, + PROP_EMAILTEMPLATE, + "summary.enabled", + PROP_SUMMARY_RECIPIENTEMAIL, + PROP_SUMMARY_SENDEREMAIL, + PROP_SUMMARY_SUBJECT, + PROP_SUMMARY_ITEMTEMPLATE, + PROP_SUMMARY_TEMPLATE, + }; + + protected ICertificateRepository mCertDB = null; + protected ICertificateAuthority mCA = null; + protected boolean mSummary = false; + protected String mEmailSender = null; + protected String mEmailSubject = null; + protected String mEmailTemplateName = null; + protected String mSummaryItemTemplateName = null; + protected String mSummaryTemplateName = null; + protected boolean mSummaryHTML = false; + protected boolean mHTML = false; + + protected String mHttpHost = null; + protected String mHttpPort = null; + + private int mPreDays = 0; + private long mPreMS = 0; + private int mPostDays = 0; + private long mPostMS = 0; + private int mMaxNotifyCount = 1; + private String[] mProfileId = null; + + /** + * class constructor + */ + public RenewalNotificationJob() { + } + + /** + * holds help text for this plugin + */ + public String[] getExtendedPluginInfo(Locale locale) { + String s[] = { + IExtendedPluginInfo.HELP_TEXT + + "; A job that checks for expiring or expired certs" + + "notifyTriggerOffset before and notifyEndOffset after " + + "the expiration date", + + PROP_PROFILE_ID + ";string;Specify the ID of the profile which " + + "approved the certificates that are about to expire. For multiple " + + "profiles, each entry is separated by white space. 
For example, " + + "if the administrator just wants to give automated notification " + + "when the SSL server certificates are about to expire, then " + + "he should enter \"caServerCert caAgentServerCert\" in the profileId textfield. " + + "Blank field means all profiles.", + PROP_NOTIFYTRIGGEROFFSET + ";number,required;How long (in days) before " + + "certificate expiration will the first notification " + + "be sent", + PROP_NOTIFYENDOFFSET + ";number,required;How long (in days) after " + + "certificate expiration will notifications " + + "continue to be resent if certificate is not renewed", + PROP_CRON + ";string,required;Format: minute hour dayOfMonth Mmonth " + + "dayOfWeek. Use '*' for 'every'. For dayOfWeek, 0 is Sunday", + PROP_SENDEREMAIL + ";string,required;Specify the address to be used " + + "as the email's 'sender'. Bounces go to this address.", + PROP_EMAILSUBJECT + ";string,required;Email subject", + PROP_EMAILTEMPLATE + ";string,required;Fully qualified pathname of " + + "template file of email to be sent", + "enabled;boolean;Enable this plugin", + "summary.enabled;boolean;Enabled sending of summaries", + PROP_SUMMARY_SENDEREMAIL + ";string,required;Sender email address of summary", + PROP_SUMMARY_RECIPIENTEMAIL + ";string,required;Who should receive summaries", + PROP_SUMMARY_SUBJECT + ";string,required;Subject of summary email", + PROP_SUMMARY_TEMPLATE + ";string,required;Fully qualified pathname of " + + "template file of email to be sent", + PROP_SUMMARY_ITEMTEMPLATE + ";string,required;Fully qualified pathname of " + + "file with template to be used for each summary item", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-jobrules-renewalnotification", + }; + + return s; + } + + /** + * Initialize from the configuration file. 
+ * + * @param id String name of this instance + * @param implName string name of this implementation + * @param config configuration store for this instance + * @exception EBaseException + */ + public void init(ISubsystem owner, String id, String implName, IConfigStore config) throws + EBaseException { + mConfig = config; + mId = id; + mImplName = implName; + + mCA = (ICertificateAuthority) + CMS.getSubsystem("ca"); + if (mCA == null) { + mSummary = false; + return; + } + + mCertDB = mCA.getCertificateRepository(); + + mCron = mConfig.getString(IJobCron.PROP_CRON); + if (mCron == null) { + return; + } + + // parse cron string into a JobCron class + IJobsScheduler scheduler = (IJobsScheduler) owner; + + mJobCron = scheduler.createJobCron(mCron); + } + + /** + * finds out which cert needs notification and notifies the + * responsible parties + */ + public void run() { + // for forming renewal URL at template + mHttpHost = CMS.getEEHost(); + mHttpPort = CMS.getEESSLPort(); + + // read from the configuration file + try { + mPreDays = mConfig.getInteger(PROP_NOTIFYTRIGGEROFFSET, 30); // in days + mPostDays = mConfig.getInteger(PROP_NOTIFYENDOFFSET, 15); // in days + + mEmailSender = mConfig.getString(PROP_SENDEREMAIL); + mEmailSubject = mConfig.getString(PROP_EMAILSUBJECT); + mEmailTemplateName = mConfig.getString(PROP_EMAILTEMPLATE); + + // initialize the summary related config info + IConfigStore sc = mConfig.getSubStore(PROP_SUMMARY); + + if (sc.getBoolean(PROP_ENABLED, false)) { + mSummary = true; + mSummaryItemTemplateName = + mConfig.getString(PROP_SUMMARY_ITEMTEMPLATE); + mSummarySenderEmail = + mConfig.getString(PROP_SUMMARY_SENDEREMAIL); + mSummaryReceiverEmail = + mConfig.getString(PROP_SUMMARY_RECIPIENTEMAIL); + mSummaryMailSubject = + mConfig.getString(PROP_SUMMARY_SUBJECT); + mSummaryTemplateName = + mConfig.getString(PROP_SUMMARY_TEMPLATE); + } else { + mSummary = false; + } + + long msperday = 86400 * 1000; + long mspredays = mPreDays; + long mspostdays 
= mPostDays; + + mPreMS = mspredays * msperday; + mPostMS = mspostdays * msperday; + + Date now = CMS.getCurrentDate(); + DateFormat dateFormat = DateFormat.getDateTimeInstance(); + String nowString = dateFormat.format(now); + + /* + * look in the internal db for certificateRecords that are + * 1. within the expiration notification period + * 2. has not yet been renewed + * 3. notify - use EmailTemplateProcessor to formulate + * content, then send + * if notified successfully, mark "STATUS_SUCCESS", + * else, if notified unsuccessfully, mark "STATUS_FAILURE". + */ + + /* 1) make target notAfter string */ + + Date expiryDate = null; + Date stopDate = null; + + /* 2) Assemble ldap Search filter string */ + // date format: 19991215125306Z + long expiryMS = now.getTime() + mPreMS; + long stopMS = now.getTime() - mPostMS; + + expiryDate = new Date(expiryMS); + stopDate = new Date(stopMS); + + // All cert records which: + // 1) expire before the deadline + // 2) have not already been renewed + // filter format: + // (& (notafter<='time')(!(certAutoRenew=DONE))(!certAutoRenew=DISABLED)) + + StringBuffer f = new StringBuffer(); + String profileId = ""; + try { + profileId = mConfig.getString(PROP_PROFILE_ID, ""); + } catch (EBaseException ee) { + } + + if (profileId != null && profileId.length() > 0) { + StringTokenizer tokenizer = new StringTokenizer(profileId); + int num = tokenizer.countTokens(); + mProfileId = new String[num]; + for (int i = 0; i < num; i++) + mProfileId[i] = tokenizer.nextToken(); + } + + f.append("(&"); + if (mProfileId != null) { + if (mProfileId.length == 1) + f.append("(" + ICertRecord.ATTR_META_INFO + "=" + + ICertRecord.META_PROFILE_ID + ":" + mProfileId[0] + ")"); + else { + f.append("(|"); + for (int i = 0; i < mProfileId.length; i++) { + f.append("(" + ICertRecord.ATTR_META_INFO + "=" + + ICertRecord.META_PROFILE_ID + ":" + mProfileId[i] + ")"); + } + f.append(")"); + } + } + + f.append("(" + ICertRecord.ATTR_X509CERT + ".notAfter" + "<=" + 
expiryDate.getTime() + ")"); + f.append("(" + ICertRecord.ATTR_X509CERT + ".notAfter" + ">=" + stopDate.getTime() + ")"); + f.append("(!(" + ICertRecord.ATTR_AUTO_RENEW + "=" + ICertRecord.AUTO_RENEWAL_DONE + "))"); + f.append("(!(" + ICertRecord.ATTR_AUTO_RENEW + "=" + ICertRecord.AUTO_RENEWAL_DISABLED + "))"); + f.append("(!(" + ICertRecord.ATTR_CERT_STATUS + "=" + ICertRecord.STATUS_REVOKED + "))"); + f.append("(!(" + ICertRecord.ATTR_CERT_STATUS + "=" + ICertRecord.STATUS_REVOKED_EXPIRED + "))"); + f.append(")"); + String filter = f.toString(); + + String emailTemplate = + getTemplateContent(mEmailTemplateName); + + mHTML = mMailHTML; + + try { + String summaryItemTemplate = null; + + if (mSummary == true) { + summaryItemTemplate = + getTemplateContent(mSummaryItemTemplateName); + } + + ItemCounter ic = new ItemCounter(); + CertRecProcessor cp = new CertRecProcessor(this, emailTemplate, summaryItemTemplate, ic); + //CertRecordList list = mCertDB.findCertRecordsInList(filter, null, "serialno", 5); + //list.processCertRecords(0, list.getSize() - 1, cp); + + Enumeration en = mCertDB.findCertRecs(filter); + + while (en.hasMoreElements()) { + Object element = en.nextElement(); + + try { + cp.process(element); + } catch (Exception e) { + //Don't abort the entire operation. 
The error should already be logged + log(ILogger.LL_FAILURE, CMS.getLogMessage("JOBS_FAILED_PROCESS", e.toString())); + } + } + + // Now send the summary + + if (mSummary == true) { + try { + String summaryTemplate = + getTemplateContent(mSummaryTemplateName); + + mSummaryHTML = mMailHTML; + + buildContentParams(IEmailFormProcessor.TOKEN_ID, + mId); + + buildContentParams(IEmailFormProcessor.TOKEN_SUMMARY_ITEM_LIST, + ic.mItemListContent); + buildContentParams(IEmailFormProcessor.TOKEN_SUMMARY_TOTAL_NUM, + String.valueOf(ic.mNumFail + ic.mNumSuccessful)); + buildContentParams(IEmailFormProcessor.TOKEN_SUMMARY_SUCCESS_NUM, + String.valueOf(ic.mNumSuccessful)); + buildContentParams(IEmailFormProcessor.TOKEN_SUMMARY_FAILURE_NUM, + String.valueOf(ic.mNumFail)); + + buildContentParams(IEmailFormProcessor.TOKEN_EXECUTION_TIME, + nowString); + + IEmailFormProcessor summaryEmfp = CMS.getEmailFormProcessor(); + + String summaryContent = + summaryEmfp.getEmailContent(summaryTemplate, + mContentParams); + + if (summaryContent == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("JOBS_SUMMARY_CONTENT_NULL")); + mailSummary(" no summaryContent"); + } else { + mMailHTML = mSummaryHTML; + mailSummary(summaryContent); + } + } catch (Exception e) { + // log error + log(ILogger.LL_FAILURE, CMS.getLogMessage("JOBS_EXCEPTION_IN_RUN", e.toString())); + } + } + } catch (EBaseException e) { + // log error + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + } + } catch (EBaseException ex) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("Configuration error:", ex.toString())); + } + } + + /** + * get instance id. + * + * @return a String identifier + */ + public String getId() { + return mId; + } + + /** + * set instance id. 
+ * + * @param id String id of the instance + */ + public void setId(String id) { + mId = id; + } + + /** + * get cron string associated with this job + * + * @return a JobCron object that represents the schedule of this job + */ + public IJobCron getJobCron() { + return mJobCron; + } + + /** + * gets the plugin name of this job. + * + * @return a String that is the name of this implementation + */ + public String getImplName() { + return mImplName; + } + + /** + * Gets the configuration substore used by this job + * + * @return configuration store + */ + public IConfigStore getConfigStore() { + return mConfig; + } + + protected void mailUser(String subject, + String msg, + String sender, + IRequest req, + ICertRecord cr) + throws IOException, ENotificationException, EBaseException { + + IMailNotification mn = CMS.getMailNotification(); + + String rcp = null; + // boolean sendFailed = false; + Exception sendFailedException = null; + + IEmailResolverKeys keys = CMS.getEmailResolverKeys(); + + try { + if (req != null) { + keys.set(IEmailResolverKeys.KEY_REQUEST, req); + } + if (cr != null) { + Object c = cr.getCertificate(); + + if (c != null) { + keys.set(IEmailResolverKeys.KEY_CERT, cr.getCertificate()); + } + } + + IEmailResolver er = CMS.getReqCertSANameEmailResolver(); + + rcp = er.getEmail(keys); + + } catch (Exception e) { + // already logged by the resolver + // sendFailed = true; + sendFailedException = e; + throw (ENotificationException) sendFailedException; + } + + mn.setTo(rcp); + + if (sender != null) + mn.setFrom(sender); + else + mn.setFrom("nobody"); + + if (subject != null) + mn.setSubject(subject); + else + mn.setFrom("Important message from Certificate Authority"); + + if (mHTML == true) + mn.setContentType("text/html"); + + mn.setContent(msg); + + mn.sendNotification(); + } + + /** + * Returns a list of configuration parameter names. 
+ * The list is passed to the configuration console so instances of + * this implementation can be configured through the console. + * + * @return String array of configuration parameter names. + */ + public String[] getConfigParams() { + return (mConfigParams); + } +} + +class CertRecProcessor implements IElementProcessor { + protected RenewalNotificationJob mJob; + protected String mEmailTemplate; + protected String mSummaryItemTemplate; + protected ItemCounter mIC; + + public CertRecProcessor(RenewalNotificationJob job, String emailTemplate, + String summaryItemTemplate, ItemCounter ic) { + mJob = job; + mEmailTemplate = emailTemplate; + mSummaryItemTemplate = summaryItemTemplate; + mIC = ic; + } + + public void process(Object o) throws EBaseException { + + // Get each certRecord + ICertRecord cr = (ICertRecord) o; + + String ridString = null; + boolean numFailCounted = false; + + if (cr != null) { + mJob.buildItemParams(cr.getCertificate()); + mJob.buildItemParams(IEmailFormProcessor.TOKEN_HTTP_HOST, + mJob.mHttpHost); + mJob.buildItemParams(IEmailFormProcessor.TOKEN_HTTP_PORT, mJob.mHttpPort); + + MetaInfo metaInfo = null; + + metaInfo = (MetaInfo) cr.get(ICertRecord.ATTR_META_INFO); + if (metaInfo == null) { + mIC.mNumFail++; + numFailCounted = true; + if (mJob.mSummary == true) + mJob.buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + AJobBase.STATUS_FAILURE); + mJob.log(ILogger.LL_FAILURE, + CMS.getLogMessage("JOBS_GET_CERT_ERROR", + cr.getCertificate().getSerialNumber().toString(16))); + } else { + ridString = (String) metaInfo.get(ICertRecord.META_REQUEST_ID); + } + } + + IRequest req = null; + + if (ridString != null) { + RequestId rid = new RequestId(ridString); + + try { + req = mJob.mCA.getRequestQueue().findRequest(rid); + } catch (Exception e) { + // it is ok not to be able to get the request. The main reason + // to get the request is to retrieve the requestor's email. + // We can retrieve the email from the CertRecord. 
+ CMS.debug("huh RenewalNotificationJob Exception: " + e.toString()); + } + + if (req != null) + mJob.buildItemParams(req); + } // ridString != null + + try { + // send mail to user + + IEmailFormProcessor emfp = CMS.getEmailFormProcessor(); + String message = emfp.getEmailContent(mEmailTemplate, + mJob.mItemParams); + + mJob.mailUser(mJob.mEmailSubject, + message, + mJob.mEmailSender, + req, + cr); + + mJob.buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + AJobBase.STATUS_SUCCESS); + + mIC.mNumSuccessful++; + + } catch (Exception e) { + CMS.debug("RenewalNotificationJob Exception: " + e.toString()); + mJob.buildItemParams(IEmailFormProcessor.TOKEN_STATUS, AJobBase.STATUS_FAILURE); + mJob.log(ILogger.LL_FAILURE, e.toString(), ILogger.L_MULTILINE); + if (numFailCounted == false) { + mIC.mNumFail++; + } + } + + if (mJob.mSummary == true) { + IEmailFormProcessor summaryItemEmfp = + CMS.getEmailFormProcessor(); + String c = + summaryItemEmfp.getEmailContent(mSummaryItemTemplate, + mJob.mItemParams); + + if (mIC.mItemListContent == null) { + mIC.mItemListContent = c; + } else { + mIC.mItemListContent += c; + } + } + } +} + +class ItemCounter { + public int mNumSuccessful = 0; + public int mNumFail = 0; + public String mItemListContent = null; +} diff --git a/base/common/src/com/netscape/cms/jobs/RequestInQueueJob.java b/base/common/src/com/netscape/cms/jobs/RequestInQueueJob.java new file mode 100644 index 000000000..b04461941 --- /dev/null +++ b/base/common/src/com/netscape/cms/jobs/RequestInQueueJob.java 
@@ -0,0 +1,217 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.jobs; + +import java.text.DateFormat; +import java.util.Date; +import java.util.Locale; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authority.IAuthority; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.jobs.IJob; +import com.netscape.certsrv.jobs.IJobCron; +import com.netscape.certsrv.jobs.IJobsScheduler; +import com.netscape.certsrv.notification.IEmailFormProcessor; +import com.netscape.certsrv.request.IRequestList; +import com.netscape.certsrv.request.IRequestQueue; +import com.netscape.certsrv.request.RequestStatus; + +/** + * A job for the Jobs Scheduler. This job checks in the internal ldap + * db for requests currently in the request queue and send a summary + * report to the administrator + *

+ * the $TOKENS that are available for the this jobs's summary outer form are:
+ *

    + * $InstanceID $SummaryTotalNum $ExecutionTime + *
+ * + * @version $Revision$, $Date$ + * @see com.netscape.certsrv.jobs.IJob + * @see com.netscape.cms.jobs.AJobBase + */ +public class RequestInQueueJob extends AJobBase + implements IJob, Runnable, IExtendedPluginInfo { + protected static final String PROP_SUBSYSTEM_ID = "subsystemId"; + + IAuthority mSub = null; + IRequestQueue mReqQ = null; + private boolean mSummary = false; + + /* Holds configuration parameters accepted by this implementation. + * This list is passed to the configuration console so configuration + * for instances of this implementation can be configured through the + * console. + */ + protected static String[] mConfigParams = + new String[] { + "enabled", + "cron", + "subsystemId", + "summary.enabled", + "summary.emailSubject", + "summary.emailTemplate", + "summary.senderEmail", + "summary.recipientEmail" + }; + + /** + * holds help text for this plugin + */ + public String[] getExtendedPluginInfo(Locale locale) { + String s[] = { + IExtendedPluginInfo.HELP_TEXT + + "; A job that checks for enrollment requests in the " + + "queue, and reports to recipientEmail", + "cron;string;Format: minute hour dayOfMonth month " + + "dayOfWeek. Use '*' for 'every'. For dayOfWeek, 0 is Sunday", + "summary.senderEmail;string;Specify the address to be used " + + "as the email's 'sender'. Bounces go to this address.", + "summary.recipientEmail;string;Who should receive summaries", + "enabled;boolean;Enable this plugin", + "summary.enabled;boolean;Enable the summary. 
You must enabled " + + "this for the job to work.", + "summary.emailSubject;string;Subject of summary email", + "summary.emailTemplate;string;Fully qualified pathname of " + + "template file of email to be sent", + "subsystemId;choice(ca,ra);The type of subsystem this job is " + + "for", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-jobrules-requestinqueuejob", + }; + + return s; + } + + /** + * initialize from the configuration file + * + * @param id String name of this instance + * @param implName string name of this implementation + * @param config configuration store for this instance + * @exception EBaseException + */ + public void init(ISubsystem owner, String id, String implName, IConfigStore config) throws + EBaseException { + mConfig = config; + mId = id; + mImplName = implName; + + // read from the configuration file + String sub = mConfig.getString(PROP_SUBSYSTEM_ID); + + mSub = (IAuthority) + CMS.getSubsystem(sub); + if (mSub == null) { + // take this as disable + mSummary = false; + return; + } + + mReqQ = mSub.getRequestQueue(); + + mCron = mConfig.getString(IJobCron.PROP_CRON); + if (mCron == null) { + return; + } + + // parse cron string into a JobCron class + IJobsScheduler scheduler = (IJobsScheduler) owner; + + mJobCron = scheduler.createJobCron(mCron); + + // initialize the summary related config info + IConfigStore sc = mConfig.getSubStore(PROP_SUMMARY); + + if (sc.getBoolean(PROP_ENABLED, false)) { + mSummary = true; + mSummaryMailSubject = sc.getString(PROP_EMAIL_SUBJECT); + mMailForm = sc.getString(PROP_EMAIL_TEMPLATE); + // mItemForm = sc.getString(PROP_ITEM_TEMPLATE); + mSummarySenderEmail = sc.getString(PROP_SENDER_EMAIL); + mSummaryReceiverEmail = sc.getString(PROP_RECEIVER_EMAIL); + } else { + mSummary = false; + } + } + + /** + * summarize the queue status and mail it + */ + public void run() { + if (mSummary == false) + return; + + Date date = CMS.getCurrentDate(); + DateFormat dateFormat = DateFormat.getDateTimeInstance(); + 
String nowString = dateFormat.format(date); + + int count = 0; + IRequestList list = + mReqQ.listRequestsByStatus(RequestStatus.PENDING); + + while (list != null && list.hasMoreElements()) { + list.nextRequestId(); + + /* This is way too slow + // get request from request id + IRequest req = null; + try { + req = mReqQ.findRequest(rid); + } catch (EBaseException e) { + System.out.println(e.toString()); + } + */ + count++; + } + + // if (count == 0) return; + + String contentForm = null; + + contentForm = getTemplateContent(mMailForm); + + buildContentParams(IEmailFormProcessor.TOKEN_ID, mId); + buildContentParams(IEmailFormProcessor.TOKEN_SUMMARY_TOTAL_NUM, + String.valueOf(count)); + buildContentParams(IEmailFormProcessor.TOKEN_EXECUTION_TIME, + nowString); + + IEmailFormProcessor emailFormProcessor = CMS.getEmailFormProcessor(); + String mailContent = + emailFormProcessor.getEmailContent(contentForm, + mContentParams); + + mailSummary(mailContent); + } + + /** + * Returns a list of configuration parameter names. + * The list is passed to the configuration console so instances of + * this implementation can be configured through the console. + * + * @return String array of configuration parameter names. + */ + public String[] getConfigParams() { + return mConfigParams; + } +} diff --git a/base/common/src/com/netscape/cms/jobs/UnpublishExpiredJob.java b/base/common/src/com/netscape/cms/jobs/UnpublishExpiredJob.java new file mode 100644 index 000000000..2f4a6ad75 --- /dev/null +++ b/base/common/src/com/netscape/cms/jobs/UnpublishExpiredJob.java 
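Review bot: In init(), the subsystem looked up by the configured `subsystemId` is cast straight to IAuthority, so a value outside the documented choice(ca,ra) that names a non-authority subsystem fails with a ClassCastException instead of the clean disable the null branch provides; check the type first: `ISubsystem s = CMS.getSubsystem(sub);` / `if (!(s instanceof IAuthority)) { mSummary = false; return; }` / `mSub = (IAuthority) s;`. In run(), the mailContent returned by getEmailContent() is handed to mailSummary() unchecked, while RenewalNotificationJob in this same commit logs JOBS_SUMMARY_CONTENT_NULL and sends a placeholder when that content is null; the same guard here keeps the two jobs consistent. The commented-out "way too slow" findRequest loop and the `// if (count == 0) return;` line in run() are dead code and should be dropped rather than carried into the new file. The summary.enabled help text reads "You must enabled this for the job to work.", which should read "You must enable this …"; the same string appears in UnpublishExpiredJob.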
@@ -0,0 +1,385 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.jobs; + +import java.security.cert.X509Certificate; +import java.text.DateFormat; +import java.util.Date; +import java.util.Enumeration; +import java.util.Locale; + +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.base.MetaInfo; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.dbs.certdb.ICertRecord; +import com.netscape.certsrv.dbs.certdb.ICertificateRepository; +import com.netscape.certsrv.jobs.IJob; +import com.netscape.certsrv.jobs.IJobCron; +import com.netscape.certsrv.jobs.IJobsScheduler; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.notification.IEmailFormProcessor; +import com.netscape.certsrv.publish.IPublisherProcessor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IRequestQueue; +import com.netscape.certsrv.request.RequestId; + +/** + * a job for the Jobs Scheduler. 
This job checks in the internal ldap + * db for certs that have expired and remove them from the ldap + * publishing directory. + *

+ * the $TOKENS that are available for the this jobs's summary outer form are:
+ *

    + * $Status $InstanceID $SummaryItemList $SummaryTotalNum $SummaryTotalSuccess $SummaryTotalfailure $ExecutionTime + *
+ * and for the inner list items: + *
    + * $SerialNumber $IssuerDN $SubjectDN $NotAfter $NotBefore $RequestorEmail $CertType + *
+ * + * @version $Revision$, $Date$ + */ +public class UnpublishExpiredJob extends AJobBase + implements IJob, Runnable, IExtendedPluginInfo { + + ICertificateAuthority mCa = null; + IRequestQueue mReqQ = null; + ICertificateRepository mRepository = null; + IPublisherProcessor mPublisherProcessor = null; + private boolean mSummary = false; + + /* Holds configuration parameters accepted by this implementation. + * This list is passed to the configuration console so configuration + * for instances of this implementation can be configured through the + * console. + */ + protected static String[] mConfigParams = + new String[] { + "enabled", + "cron", + "summary.enabled", + "summary.emailSubject", + "summary.emailTemplate", + "summary.itemTemplate", + "summary.senderEmail", + "summary.recipientEmail" + }; + + public String[] getExtendedPluginInfo(Locale locale) { + String s[] = { + IExtendedPluginInfo.HELP_TEXT + + "; A job that checks for expired certificates in the " + + "database, and removes them from the publishing " + + "directory", + "cron;string;Format: minute hour dayOfMonth month " + + "dayOfWeek. Use '*' for 'every'. For dayOfWeek, 0 is Sunday", + "summary.senderEmail;string;Specify the address to be used " + + "as the email's 'sender'. Bounces go to this address.", + "summary.recipientEmail;string;Who should receive summaries", + "enabled;boolean;Enable this plugin", + "summary.enabled;boolean;Enable the summary. 
You must enabled " + + "this for the job to work.", + "summary.emailSubject;string;Subject of summary email", + "summary.emailTemplate;string;Fully qualified pathname of " + + "template file of email to be sent", + "summary.itemTemplate;string;Fully qualified pathname of " + + "file containing template for each item", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-jobrules-unpublishexpiredjobs", + }; + + return s; + } + + /** + * initialize from the configuration file + */ + public void init(ISubsystem owner, String id, String implName, IConfigStore config) throws + EBaseException { + mConfig = config; + mId = id; + mImplName = implName; + + mCa = (ICertificateAuthority) + CMS.getSubsystem("ca"); + if (mCa == null) { + return; + } + + mReqQ = mCa.getRequestQueue(); + mRepository = mCa.getCertificateRepository(); + mPublisherProcessor = mCa.getPublisherProcessor(); + + // read from the configuration file + mCron = mConfig.getString(IJobCron.PROP_CRON); + if (mCron == null) { + return; + } + + // parse cron string into a JobCron class + IJobsScheduler scheduler = (IJobsScheduler) owner; + + mJobCron = scheduler.createJobCron(mCron); + + // initialize the summary related config info + IConfigStore sc = mConfig.getSubStore(PROP_SUMMARY); + + if (sc.getBoolean(PROP_ENABLED, false)) { + mSummary = true; + mSummaryMailSubject = sc.getString(PROP_EMAIL_SUBJECT); + mMailForm = sc.getString(PROP_EMAIL_TEMPLATE); + mItemForm = sc.getString(PROP_ITEM_TEMPLATE); + mSummarySenderEmail = sc.getString(PROP_SENDER_EMAIL); + mSummaryReceiverEmail = sc.getString(PROP_RECEIVER_EMAIL); + } else { + mSummary = false; + } + } + + /** + * look in the internal db for certificateRecords that are + * expired. 
+ * remove them from ldap publishing directory + * if remove successfully, mark false on the + * InLdapPublishDir flag, + * else, if remove unsuccessfully, log it + */ + public void run() { + // System.out.println("in ExpiredUnpublishJob "+ + // getId()+ " : run()"); + // get time now..."now" is before the loop + Date date = CMS.getCurrentDate(); + long now = date.getTime(); + DateFormat dateFormat = DateFormat.getDateTimeInstance(); + String nowString = dateFormat.format(date); + + // form filter + String filter = "(&(x509Cert.notAfter<=" + now + + ")(!(x509Cert.notAfter=" + now + "))" + + "(" + "certMetainfo=" + ICertRecord.META_LDAPPUBLISH + + ":true))"; + // a test for without CertRecord.META_LDAPPUBLISH + //String filter = "(x509Cert.notAfter<="+ now +")"; + + Enumeration expired = null; + + try { + expired = mRepository.findCertRecs(filter); + // bug 399150 + /* + CertRecordList list = null; + list = mRepository.findCertRecordsInList(filter, null, "serialno", 5); + int size = list.getSize(); + expired = list.getCertRecords(0, size - 1); + */ + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + } + + int count = 0; // how many have been unpublished successfully + int negCount = 0; // how many have NOT been unpublished successfully + String contentForm = null; + String itemForm = null; + String itemListContent = null; + + if (mSummary == true) { + contentForm = getTemplateContent(mMailForm); + itemForm = getTemplateContent(mItemForm); + } + + // unpublish them and unpublish() will set inLdapPublishDir flag + while (expired != null && expired.hasMoreElements()) { + ICertRecord rec = (ICertRecord) expired.nextElement(); + + if (rec == null) + break; + X509CertImpl cert = rec.getCertificate(); + + if (mSummary == true) + buildItemParams(cert); + + // get request id from cert record MetaInfo + MetaInfo minfo = null; + + try { + minfo = (MetaInfo) rec.get(ICertRecord.ATTR_META_INFO); + } catch 
(EBaseException e) { + negCount += 1; + if (mSummary == true) + buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + STATUS_FAILURE); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("JOBS_META_INFO_ERROR", + cert.getSerialNumber().toString(16) + + e.toString())); + } + + String ridString = null; + + try { + if (minfo != null) + ridString = (String) minfo.get(ICertRecord.META_REQUEST_ID); + } catch (EBaseException e) { + negCount += 1; + if (mSummary == true) + buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + STATUS_FAILURE); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("JOBS_META_REQUEST_ERROR", + cert.getSerialNumber().toString(16) + + e.toString())); + } catch (NullPointerException e) { + // no requestId in MetaInfo...skip to next record + negCount += 1; + if (mSummary == true) + buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + STATUS_FAILURE); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("JOBS_META_REQUEST_ERROR", + cert.getSerialNumber().toString(16) + + e.toString())); + } + + if (ridString != null) { + RequestId rid = new RequestId(ridString); + + // get request from request id + IRequest req = null; + + try { + req = mReqQ.findRequest(rid); + if (req != null) { + if (mSummary == true) + buildItemParams(req); + } + } catch (EBaseException e) { + negCount += 1; + if (mSummary == true) + buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + STATUS_FAILURE); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("JOBS_FIND_REQUEST_ERROR", + cert.getSerialNumber().toString(16) + + e.toString())); + } + try { + if ((mPublisherProcessor != null) && + mPublisherProcessor.enabled()) { + mPublisherProcessor.unpublishCert((X509Certificate) cert, req); + if (mSummary == true) + buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + STATUS_SUCCESS); + count += 1; + } else { + negCount += 1; + } + } catch (Exception e) { + negCount += 1; + if (mSummary == true) + buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + STATUS_FAILURE); + log(ILogger.LL_FAILURE, + 
CMS.getLogMessage("JOBS_UNPUBLISH_ERROR", + cert.getSerialNumber().toString(16) + + e.toString())); + } + } // ridString != null + else { + try { + if ((mPublisherProcessor != null) && + mPublisherProcessor.enabled()) { + mPublisherProcessor.unpublishCert((X509Certificate) cert, null); + if (mSummary == true) + buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + STATUS_SUCCESS); + count += 1; + } else { + negCount += 1; + } + } catch (Exception e) { + negCount += 1; + if (mSummary == true) + buildItemParams(IEmailFormProcessor.TOKEN_STATUS, + STATUS_FAILURE); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("JOBS_UNPUBLISH_ERROR", + cert.getSerialNumber().toString(16) + + e.toString())); + } + } // ridString == null + + // inLdapPublishDir flag should have been set by the + // unpublish() method + + // if summary is enabled, form the item content + if (mSummary) { + IEmailFormProcessor emailItemFormProcessor = + CMS.getEmailFormProcessor(); + String c = emailItemFormProcessor.getEmailContent(itemForm, + mItemParams); + + // add item content to the item list + if (itemListContent == null) { + itemListContent = c; + } else { + itemListContent += c; + } + } + } + + // time for summary + if (mSummary == true) { + buildContentParams(IEmailFormProcessor.TOKEN_ID, + mId); + buildContentParams(IEmailFormProcessor.TOKEN_SUMMARY_ITEM_LIST, + itemListContent); + buildContentParams(IEmailFormProcessor.TOKEN_SUMMARY_TOTAL_NUM, + String.valueOf(count + negCount)); + buildContentParams(IEmailFormProcessor.TOKEN_SUMMARY_SUCCESS_NUM, + String.valueOf(count)); + buildContentParams(IEmailFormProcessor.TOKEN_SUMMARY_FAILURE_NUM, + String.valueOf(negCount)); + buildContentParams(IEmailFormProcessor.TOKEN_EXECUTION_TIME, + nowString); + + IEmailFormProcessor emailFormProcessor = CMS.getEmailFormProcessor(); + String mailContent = + emailFormProcessor.getEmailContent(contentForm, + mContentParams); + + mailSummary(mailContent); + } + } + + /** + * Returns a list of configuration parameter 
names. + * The list is passed to the configuration console so instances of + * this implementation can be configured through the console. + * + * @return String array of configuration parameter names. + */ + public String[] getConfigParams() { + return (mConfigParams); + } +} diff --git a/base/common/src/com/netscape/cms/listeners/CertificateIssuedListener.java b/base/common/src/com/netscape/cms/listeners/CertificateIssuedListener.java new file mode 100644 index 000000000..91526d583 --- /dev/null +++ b/base/common/src/com/netscape/cms/listeners/CertificateIssuedListener.java 
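Review bot: In run(), a record whose MetaInfo or request lookup fails is counted in negCount inside the catch block and then counted again by the unpublish attempt that still runs for it, so $SummaryTotalNum can exceed the number of records processed and one record can show up as both a failure and a success. The two unpublish branches differ only in whether req is null, which is already the value req holds when ridString is null, so they can be merged into a single attempt that is the one place a record is counted; the rewrite below keeps the lookup-failure log but leaves the counting to the unpublish result. The `catch (NullPointerException e)` around `minfo.get(...)` can only trigger if get() itself throws, since minfo is null-checked just before it; if a missing request id is returned as null rather than thrown, that catch is dead and can go. The filter also spells the attribute names as literals (`x509Cert.notAfter`, `certMetainfo`) where RenewalNotificationJob in this same commit uses `ICertRecord.ATTR_X509CERT` and `ICertRecord.ATTR_META_INFO`; using the constants here keeps the two jobs consistent. run() is fully inside the hunk.
```java
            // … unchanged: MetaInfo / ridString extraction and its logging …

            IRequest req = null;
            if (ridString != null) {
                try {
                    req = mReqQ.findRequest(new RequestId(ridString));
                    if (req != null && mSummary)
                        buildItemParams(req);
                } catch (EBaseException e) {
                    // A failed request lookup is logged only; whether this
                    // record counts as a failure is decided by the unpublish
                    // attempt below, so it is never counted twice.
                    log(ILogger.LL_FAILURE,
                            CMS.getLogMessage("JOBS_FIND_REQUEST_ERROR",
                                    cert.getSerialNumber().toString(16)
                                            + e.toString()));
                }
            }

            // Single unpublish attempt; req is null when no request was found.
            try {
                if ((mPublisherProcessor != null) &&
                        mPublisherProcessor.enabled()) {
                    mPublisherProcessor.unpublishCert((X509Certificate) cert, req);
                    if (mSummary)
                        buildItemParams(IEmailFormProcessor.TOKEN_STATUS,
                                STATUS_SUCCESS);
                    count += 1;
                } else {
                    negCount += 1;
                }
            } catch (Exception e) {
                negCount += 1;
                if (mSummary)
                    buildItemParams(IEmailFormProcessor.TOKEN_STATUS,
                            STATUS_FAILURE);
                log(ILogger.LL_FAILURE,
                        CMS.getLogMessage("JOBS_UNPUBLISH_ERROR",
                                cert.getSerialNumber().toString(16)
                                        + e.toString()));
            }

            // … unchanged: summary item content and summary mail …
```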
@@ -0,0 +1,450 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.listeners; + +import java.io.File; +import java.io.IOException; +import java.text.DateFormat; +import java.util.Date; +import java.util.Hashtable; + +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authority.ICertAuthority; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.EPropertyNotFound; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.listeners.EListenersException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.notification.ENotificationException; +import com.netscape.certsrv.notification.IEmailFormProcessor; +import com.netscape.certsrv.notification.IEmailResolver; +import com.netscape.certsrv.notification.IEmailResolverKeys; +import com.netscape.certsrv.notification.IEmailTemplate; +import com.netscape.certsrv.notification.IMailNotification; +import com.netscape.certsrv.profile.IEnrollProfile; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IRequestListener; +import 
com.netscape.certsrv.request.RequestId; + +/** + * a listener for every completed enrollment request + *

+ * Here is a list of available $TOKENs for email notification templates if certificate is successfully issued: + *

    + *
  • $InstanceID + *
  • $SerialNumber + *
  • $HexSerialNumber + *
  • $HttpHost + *
  • $HttpPort + *
  • $RequestId + *
  • $IssuerDN + *
  • $SubjectDN + *
  • $NotBefore + *
  • $NotAfter + *
  • $SenderEmail + *
  • $RecipientEmail + *
+ *

+ * Here is a list of available $TOKENs for email notification templates if certificate request is rejected: + *

    + *
  • $RequestId + *
  • $InstanceID + *
+ * + * @version $Revision$, $Date$ + */ +public class CertificateIssuedListener implements IRequestListener { + protected final static String PROP_CERT_ISSUED_SUBSTORE = "certIssued"; + protected static final String PROP_ENABLED = "enabled"; + protected final static String PROP_NOTIFY_SUBSTORE = "notification"; + + protected final static String PROP_SENDER_EMAIL = "senderEmail"; + protected final static String PROP_EMAIL_SUBJECT = "emailSubject"; + public final static String PROP_EMAIL_TEMPLATE = "emailTemplate"; + + protected final static String REJECT_FILE_NAME = "certRequestRejected"; + + private boolean mEnabled = false; + private ILogger mLogger = CMS.getLogger(); + private String mSenderEmail = null; + private String mSubject = null; + private String mSubject_Success = null; + private String mFormPath = null; + private String mRejectPath = null; + private Hashtable mContentParams = new Hashtable(); + + private IConfigStore mConfig = null; + private DateFormat mDateFormat = null; + private ICertAuthority mSubsystem = null; + private String mHttpHost = null; + private String mHttpPort = null; + private RequestId mReqId = null; + + public CertificateIssuedListener() { + } + + public void init(ISubsystem sub, IConfigStore config) + throws EListenersException, EPropertyNotFound, EBaseException { + mSubsystem = (ICertAuthority) sub; + mConfig = mSubsystem.getConfigStore(); + + IConfigStore nc = mConfig.getSubStore(PROP_NOTIFY_SUBSTORE); + IConfigStore rc = nc.getSubStore(PROP_CERT_ISSUED_SUBSTORE); + + mEnabled = rc.getBoolean(PROP_ENABLED, false); + + mSenderEmail = rc.getString(PROP_SENDER_EMAIL); + if (mSenderEmail == null) { + throw new EListenersException(CMS.getLogMessage("NO_NOTIFY_SENDER_EMAIL_CONFIG_FOUND")); + } + + mFormPath = rc.getString(PROP_EMAIL_TEMPLATE); + String mDir = null; + + // figure out the reject email path: same dir as form path, + // same ending as form path + int ridx = mFormPath.lastIndexOf(File.separator); + + if (ridx == -1) { + 
CMS.debug("CertificateIssuedListener: file separator: " + File.separator + + + " not found. Use default /"); + ridx = mFormPath.lastIndexOf("/"); + mDir = mFormPath.substring(0, ridx + 1); + } else { + mDir = mFormPath.substring(0, ridx + + File.separator.length()); + } + CMS.debug("CertificateIssuedListener: template file directory: " + mDir); + mRejectPath = mDir + REJECT_FILE_NAME; + if (mFormPath.endsWith(".html")) + mRejectPath += ".html"; + else if (mFormPath.endsWith(".HTML")) + mRejectPath += ".HTML"; + else if (mFormPath.endsWith(".htm")) + mRejectPath += ".htm"; + else if (mFormPath.endsWith(".HTM")) + mRejectPath += ".HTM"; + + CMS.debug("CertificateIssuedListener: Reject file path: " + mRejectPath); + + mDateFormat = DateFormat.getDateTimeInstance(); + + mSubject_Success = rc.getString(PROP_EMAIL_SUBJECT, + "Your Certificate Request"); + mSubject = new String(mSubject_Success); + + // form the cert retrieval URL for the notification + mHttpHost = CMS.getEEHost(); + mHttpPort = CMS.getEESSLPort(); + + // register for this event listener + mSubsystem.registerRequestListener(this); + } + + public void accept(IRequest r) { + CMS.debug("CertificateIssuedListener: accept " + + r.getRequestId().toString()); + if (mEnabled != true) + return; + + mSubject = mSubject_Success; + mReqId = r.getRequestId(); + // is it rejected? + String rs = r.getRequestStatus().toString(); + + if (rs.equals("rejected")) { + CMS.debug("CertificateIssuedListener: Request status: " + rs); + rejected(r); + return; + } + + CMS.debug("CertificateIssuedListener: accept check status "); + + // check if it is profile request + String profileId = r.getExtDataInString("profileId"); + + // check if request failed. + if (profileId == null) { + if (r.getExtDataInInteger(IRequest.RESULT) == null) + return; + if ((r.getExtDataInInteger(IRequest.RESULT)).equals(IRequest.RES_ERROR)) { + CMS.debug("CertificateIssuedListener: Request errored. 
" + + "No need to email notify for enrollment request id " + + mReqId); + return; + } + } + String requestType = r.getRequestType(); + + if (requestType.equals(IRequest.ENROLLMENT_REQUEST) || + requestType.equals(IRequest.RENEWAL_REQUEST)) { + CMS.debug("accept() enrollment/renewal request..."); + // Get the certificate from the request + X509CertImpl issuedCert[] = null; + + // handle profile-based enrollment's notification + if (profileId == null) { + issuedCert = r.getExtDataInCertArray(IRequest.ISSUED_CERTS); + } else { + issuedCert = new X509CertImpl[1]; + issuedCert[0] = + r.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); + } + + if (issuedCert != null) { + CMS.debug("CertificateIssuedListener: Sending email notification.."); + + // do we have an email to send? + String mEmail = null; + IEmailResolverKeys keys = CMS.getEmailResolverKeys(); + + try { + keys.set(IEmailResolverKeys.KEY_REQUEST, r); + keys.set(IEmailResolverKeys.KEY_CERT, + issuedCert[0]); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_CERT_ISSUED_SET_RESOLVER", e.toString())); + } + + IEmailResolver er = CMS.getReqCertSANameEmailResolver(); + + try { + mEmail = er.getEmail(keys); + } catch (ENotificationException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_CERT_ISSUED_EXCEPTION", + e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_CERT_ISSUED_EXCEPTION", + e.toString())); + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_CERT_ISSUED_EXCEPTION", + e.toString())); + } + + // now we can mail + if ((mEmail != null) && (!mEmail.equals(""))) { + mailIt(mEmail, issuedCert); + } else { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_CERT_ISSUED_NOTIFY_ERROR", + issuedCert[0].getSerialNumber().toString(), mReqId.toString())); + // send failure notification to "sender" + mSubject = "Certificate Issued notification undeliverable"; + 
mailIt(mSenderEmail, issuedCert); + } + } + } + } + + private void mailIt(String mEmail, X509CertImpl issuedCert[]) { + IMailNotification mn = CMS.getMailNotification(); + + mn.setFrom(mSenderEmail); + mn.setTo(mEmail); + mn.setSubject(mSubject); + + /* + * get template file from disk + */ + IEmailTemplate template = CMS.getEmailTemplate(mFormPath); + + /* + * parse and process the template + */ + if (template != null) { + if (!template.init()) { + return; + } + + buildContentParams(issuedCert, mEmail); + IEmailFormProcessor et = CMS.getEmailFormProcessor(); + String c = et.getEmailContent(template.toString(), mContentParams); + + if (template.isHTML()) { + mn.setContentType("text/html"); + } + mn.setContent(c); + } else { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_CERT_ISSUED_TEMPLATE_ERROR", + issuedCert[0].getSerialNumber().toString(), mReqId.toString())); + + mn.setContent("Serial Number = " + + issuedCert[0].getSerialNumber() + + "; Request ID = " + mReqId); + } + + try { + mn.sendNotification(); + } catch (ENotificationException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + } + } + + private void rejected(IRequest r) { + // do we have an email to send? 
+ String mEmail = null; + IEmailResolverKeys keys = CMS.getEmailResolverKeys(); + + try { + keys.set(IEmailResolverKeys.KEY_REQUEST, r); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_CERT_ISSUED_SET_RESOLVER", e.toString())); + } + + IEmailResolver er = CMS.getReqCertSANameEmailResolver(); + + try { + mEmail = er.getEmail(keys); + } catch (ENotificationException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + } + + // now we can mail + if ((mEmail != null) && !mEmail.equals("")) { + IMailNotification mn = CMS.getMailNotification(); + + mn.setFrom(mSenderEmail); + mn.setTo(mEmail); + mn.setSubject(mSubject); + + /* + * get rejection file from disk + */ + IEmailTemplate template = CMS.getEmailTemplate(mRejectPath); + + if (template != null) { + if (!template.init()) { + return; + } + + if (template.isHTML()) { + mn.setContentType("text/html"); + } + + // build some token data + mContentParams.put(IEmailFormProcessor.TOKEN_ID, + mConfig.getName()); + mReqId = r.getRequestId(); + mContentParams.put(IEmailFormProcessor.TOKEN_REQUEST_ID, + (Object) mReqId.toString()); + IEmailFormProcessor et = CMS.getEmailFormProcessor(); + String c = et.getEmailContent(template.toString(), mContentParams); + + mn.setContent(c); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("LISTENERS_CERT_ISSUED_REJECTION")); + mn.setContent("Your Certificate Request has been rejected. 
Please contact your administrator for assistance"); + } + + try { + mn.sendNotification(); + } catch (ENotificationException e) { + // already logged, lets audit + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + } + } else { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_CERT_ISSUED_REJECTION_NOTIFICATION", mReqId.toString())); + + } + } + + private void buildContentParams(X509CertImpl issuedCert[], String mEmail) { + mContentParams.put(IEmailFormProcessor.TOKEN_ID, + mConfig.getName()); + mContentParams.put(IEmailFormProcessor.TOKEN_SERIAL_NUM, + issuedCert[0].getSerialNumber().toString()); + mContentParams.put(IEmailFormProcessor.TOKEN_HEX_SERIAL_NUM, + Long.toHexString(issuedCert[0].getSerialNumber().longValue())); + mContentParams.put(IEmailFormProcessor.TOKEN_REQUEST_ID, + mReqId.toString()); + mContentParams.put(IEmailFormProcessor.TOKEN_HTTP_HOST, + mHttpHost); + mContentParams.put(IEmailFormProcessor.TOKEN_HTTP_PORT, + mHttpPort); + mContentParams.put(IEmailFormProcessor.TOKEN_ISSUER_DN, + issuedCert[0].getIssuerDN().toString()); + mContentParams.put(IEmailFormProcessor.TOKEN_SUBJECT_DN, + issuedCert[0].getSubjectDN().toString()); + + Date date = (Date) issuedCert[0].getNotAfter(); + + mContentParams.put(IEmailFormProcessor.TOKEN_NOT_AFTER, + mDateFormat.format(date)); + + date = (Date) issuedCert[0].getNotBefore(); + mContentParams.put(IEmailFormProcessor.TOKEN_NOT_BEFORE, + mDateFormat.format(date)); + + mContentParams.put(IEmailFormProcessor.TOKEN_SENDER_EMAIL, + mSenderEmail); + mContentParams.put(IEmailFormProcessor.TOKEN_RECIPIENT_EMAIL, + mEmail); + // ... 
and more + } + + /** + * sets the configurable parameters + */ + public void set(String name, String val) { + if (name.equalsIgnoreCase(PROP_ENABLED)) { + if (val.equalsIgnoreCase("true")) { + mEnabled = true; + } else { + mEnabled = false; + } + } else if (name.equalsIgnoreCase(PROP_SENDER_EMAIL)) { + mSenderEmail = val; + } else if (name.equalsIgnoreCase(PROP_EMAIL_SUBJECT)) { + mSubject_Success = val; + mSubject = mSubject_Success; + } else if (name.equalsIgnoreCase(PROP_EMAIL_TEMPLATE)) { + mFormPath = val; + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("LISTENERS_CERT_ISSUED_SET")); + } + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_OTHER, + level, msg); + } + +} diff --git a/base/common/src/com/netscape/cms/listeners/CertificateRevokedListener.java b/base/common/src/com/netscape/cms/listeners/CertificateRevokedListener.java new file mode 100644 index 000000000..da041b85d --- /dev/null +++ b/base/common/src/com/netscape/cms/listeners/CertificateRevokedListener.java 
@@ -0,0 +1,368 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.listeners;
+
+import java.io.File;
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+import java.text.DateFormat;
+import java.util.Date;
+import java.util.Hashtable;
+
+import netscape.security.x509.RevokedCertImpl;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authority.ICertAuthority;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.EPropertyNotFound;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+import com.netscape.certsrv.listeners.EListenersException;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.notification.ENotificationException;
+import com.netscape.certsrv.notification.IEmailFormProcessor;
+import com.netscape.certsrv.notification.IEmailResolver;
+import com.netscape.certsrv.notification.IEmailResolverKeys;
+import com.netscape.certsrv.notification.IEmailTemplate;
+import com.netscape.certsrv.notification.IMailNotification;
+import 
com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IRequestListener; +import com.netscape.certsrv.request.RequestId; + +/** + * a listener for every completed enrollment request + *

+ * Here is a list of available $TOKENs for email notification templates if certificate is successfully issued: + *

    + *
  • $InstanceID + *
  • $SerialNumber + *
  • $HexSerialNumber + *
  • $HttpHost + *
  • $HttpPort + *
  • $RequestId + *
  • $IssuerDN + *
  • $SubjectDN + *
  • $NotBefore + *
  • $NotAfter + *
  • $SenderEmail + *
  • $RecipientEmail + *
+ *

+ * Here is a list of available $TOKENs for email notification templates if certificate request is revoked: + *

    + *
  • $RequestId + *
  • $InstanceID + *
+ * + * @version $Revision$, $Date$ + */ +public class CertificateRevokedListener implements IRequestListener { + protected final static String PROP_CERT_ISSUED_SUBSTORE = "certRevoked"; + protected static final String PROP_ENABLED = "enabled"; + protected final static String PROP_NOTIFY_SUBSTORE = "notification"; + + protected final static String PROP_SENDER_EMAIL = "senderEmail"; + protected final static String PROP_EMAIL_SUBJECT = "emailSubject"; + public final static String PROP_EMAIL_TEMPLATE = "emailTemplate"; + + protected final static String REJECT_FILE_NAME = "certRequestRejected"; + + private boolean mEnabled = false; + private ILogger mLogger = CMS.getLogger(); + private String mSenderEmail = null; + private String mSubject = null; + private String mSubject_Success = null; + private String mFormPath = null; + private String mRejectPath = null; + private Hashtable mContentParams = new Hashtable(); + + private IConfigStore mConfig = null; + private DateFormat mDateFormat = null; + private ICertAuthority mSubsystem = null; + private String mHttpHost = null; + private String mHttpPort = null; + private RequestId mReqId = null; + + public CertificateRevokedListener() { + } + + public void init(ISubsystem sub, IConfigStore config) + throws EListenersException, EPropertyNotFound, EBaseException { + mSubsystem = (ICertAuthority) sub; + mConfig = mSubsystem.getConfigStore(); + + IConfigStore nc = mConfig.getSubStore(PROP_NOTIFY_SUBSTORE); + IConfigStore rc = nc.getSubStore(PROP_CERT_ISSUED_SUBSTORE); + + mEnabled = rc.getBoolean(PROP_ENABLED, false); + + mSenderEmail = rc.getString(PROP_SENDER_EMAIL); + if (mSenderEmail == null) { + throw new EListenersException(CMS.getLogMessage("NO_NOTIFY_SENDER_EMAIL_CONFIG_FOUND")); + } + + mFormPath = rc.getString(PROP_EMAIL_TEMPLATE); + String mDir = null; + + // figure out the reject email path: same dir as form path, + // same ending as form path + int ridx = mFormPath.lastIndexOf(File.separator); + + if (ridx == -1) { + 
CMS.debug("CertificateRevokedListener: file separator: " + File.separator + + + " not found. Use default /"); + ridx = mFormPath.lastIndexOf("/"); + mDir = mFormPath.substring(0, ridx + 1); + } else { + mDir = mFormPath.substring(0, ridx + + File.separator.length()); + } + CMS.debug("CertificateRevokedListener: template file directory: " + mDir); + mRejectPath = mDir + REJECT_FILE_NAME; + if (mFormPath.endsWith(".html")) + mRejectPath += ".html"; + else if (mFormPath.endsWith(".HTML")) + mRejectPath += ".HTML"; + else if (mFormPath.endsWith(".htm")) + mRejectPath += ".htm"; + else if (mFormPath.endsWith(".HTM")) + mRejectPath += ".HTM"; + + CMS.debug("CertificateRevokedListener: Reject file path: " + mRejectPath); + + mDateFormat = DateFormat.getDateTimeInstance(); + + mSubject_Success = rc.getString(PROP_EMAIL_SUBJECT, + "Your Certificate Request"); + mSubject = new String(mSubject_Success); + + // form the cert retrieval URL for the notification + mHttpHost = CMS.getEEHost(); + mHttpPort = CMS.getEESSLPort(); + + // register for this event listener + mSubsystem.registerRequestListener(this); + } + + public void accept(IRequest r) { + if (mEnabled != true) + return; + + mSubject = mSubject_Success; + mReqId = r.getRequestId(); + // is it revoked? + String rs = r.getRequestStatus().toString(); + String requestType = r.getRequestType(); + + if (requestType.equals(IRequest.REVOCATION_REQUEST) == false) + return; + if (rs.equals("complete") == false) { + CMS.debug("CertificateRevokedListener: Request status: " + rs); + //revoked(r); + return; + } + + // check if request failed. + if (r.getExtDataInInteger(IRequest.RESULT) == null) + return; + + if ((r.getExtDataInInteger(IRequest.RESULT)).equals(IRequest.RES_ERROR)) { + CMS.debug("CertificateRevokedListener: Request errored. 
" + + "No need to email notify for enrollment request id " + + mReqId); + return; + } + + if (requestType.equals(IRequest.REVOCATION_REQUEST)) { + CMS.debug("CertificateRevokedListener: accept() revocation request..."); + // Get the certificate from the request + //X509CertImpl issuedCert[] = + // (X509CertImpl[]) + RevokedCertImpl crlentries[] = + r.getExtDataInRevokedCertArray(IRequest.CERT_INFO); + + if (crlentries != null) { + CMS.debug("CertificateRevokedListener: Sending email notification.."); + + // do we have an email to send? + String mEmail = null; + IEmailResolverKeys keys = CMS.getEmailResolverKeys(); + + try { + keys.set(IEmailResolverKeys.KEY_REQUEST, r); + keys.set(IEmailResolverKeys.KEY_CERT, + crlentries[0]); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_CERT_ISSUED_SET_RESOLVER", e.toString())); + } + + IEmailResolver er = CMS.getReqCertSANameEmailResolver(); + + try { + mEmail = er.getEmail(keys); + } catch (ENotificationException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_CERT_ISSUED_EXCEPTION", + e.toString())); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_CERT_ISSUED_EXCEPTION", + e.toString())); + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_CERT_ISSUED_EXCEPTION", + e.toString())); + } + + // now we can mail + if ((mEmail != null) && (!mEmail.equals(""))) { + mailIt(mEmail, crlentries); + } else { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_CERT_ISSUED_NOTIFY_ERROR", + crlentries[0].getSerialNumber().toString(), mReqId.toString())); + // send failure notification to "sender" + mSubject = "Certificate Issued notification undeliverable"; + mailIt(mSenderEmail, crlentries); + } + } + } + } + + private void mailIt(String mEmail, RevokedCertImpl crlentries[]) { + IMailNotification mn = CMS.getMailNotification(); + + mn.setFrom(mSenderEmail); + mn.setTo(mEmail); + mn.setSubject(mSubject); + + /* 
+ * get template file from disk + */ + IEmailTemplate template = CMS.getEmailTemplate(mFormPath); + + /* + * parse and process the template + */ + if (template != null) { + if (!template.init()) { + return; + } + + buildContentParams(crlentries, mEmail); + IEmailFormProcessor et = CMS.getEmailFormProcessor(); + String c = et.getEmailContent(template.toString(), mContentParams); + + if (template.isHTML()) { + mn.setContentType("text/html"); + } + mn.setContent(c); + } else { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_CERT_ISSUED_TEMPLATE_ERROR", + crlentries[0].getSerialNumber().toString(), mReqId.toString())); + + mn.setContent("Serial Number = " + + crlentries[0].getSerialNumber() + + "; Request ID = " + mReqId); + } + + try { + mn.sendNotification(); + } catch (ENotificationException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + } + } + + private void buildContentParams(RevokedCertImpl crlentries[], String mEmail) { + mContentParams.put(IEmailFormProcessor.TOKEN_ID, + mConfig.getName()); + mContentParams.put(IEmailFormProcessor.TOKEN_SERIAL_NUM, + crlentries[0].getSerialNumber().toString()); + mContentParams.put(IEmailFormProcessor.TOKEN_HEX_SERIAL_NUM, + Long.toHexString(crlentries[0].getSerialNumber().longValue())); + mContentParams.put(IEmailFormProcessor.TOKEN_REQUEST_ID, + mReqId.toString()); + mContentParams.put(IEmailFormProcessor.TOKEN_HTTP_HOST, + mHttpHost); + mContentParams.put(IEmailFormProcessor.TOKEN_HTTP_PORT, + mHttpPort); + + try { + RevokedCertImpl revCert = (RevokedCertImpl) crlentries[0]; + ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA); + ICertificateRepository certDB = ca.getCertificateRepository(); + X509Certificate cert = certDB.getX509Certificate(revCert.getSerialNumber()); + + mContentParams.put(IEmailFormProcessor.TOKEN_ISSUER_DN, + 
cert.getIssuerDN().toString()); + mContentParams.put(IEmailFormProcessor.TOKEN_SUBJECT_DN, + cert.getSubjectDN().toString()); + Date date = (Date) crlentries[0].getRevocationDate(); + + mContentParams.put(IEmailFormProcessor.TOKEN_REVOCATION_DATE, + mDateFormat.format(date)); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_CERT_ISSUED_SET_RESOLVER", e.toString())); + } + + mContentParams.put(IEmailFormProcessor.TOKEN_SENDER_EMAIL, + mSenderEmail); + mContentParams.put(IEmailFormProcessor.TOKEN_RECIPIENT_EMAIL, + mEmail); + // ... and more + } + + /** + * sets the configurable parameters + */ + public void set(String name, String val) { + if (name.equalsIgnoreCase(PROP_ENABLED)) { + if (val.equalsIgnoreCase("true")) { + mEnabled = true; + } else { + mEnabled = false; + } + } else if (name.equalsIgnoreCase(PROP_SENDER_EMAIL)) { + mSenderEmail = val; + } else if (name.equalsIgnoreCase(PROP_EMAIL_SUBJECT)) { + mSubject_Success = val; + mSubject = mSubject_Success; + } else if (name.equalsIgnoreCase(PROP_EMAIL_TEMPLATE)) { + mFormPath = val; + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("LISTENERS_CERT_ISSUED_SET")); + } + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_OTHER, + level, msg); + } + +} diff --git a/base/common/src/com/netscape/cms/listeners/PinRemovalListener.java b/base/common/src/com/netscape/cms/listeners/PinRemovalListener.java new file mode 100644 index 000000000..662e762b0 --- /dev/null +++ b/base/common/src/com/netscape/cms/listeners/PinRemovalListener.java 
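Review bot: `buildContentParams` writes into the class-level `mContentParams` Hashtable without clearing it first, so when `certDB.getX509Certificate(...)` throws `EBaseException` the `TOKEN_ISSUER_DN`, `TOKEN_SUBJECT_DN` and `TOKEN_REVOCATION_DATE` entries left over from the previous notification are substituted into the template and mailed to the current recipient; add `mContentParams.clear();` as the first statement, as RequestInQListener in this commit already does. `Long.toHexString(crlentries[0].getSerialNumber().longValue())` silently truncates serial numbers wider than 64 bits, while `crlentries[0].getSerialNumber().toString(16)` keeps the full value; the same expression appears in CertificateIssuedListener's buildContentParams. The undeliverable-case subject in `accept`, `"Certificate Issued notification undeliverable"`, and the `LISTENERS_CERT_ISSUED_*` log keys were carried over from the issued listener and misdescribe a revocation, and `mRejectPath`/`REJECT_FILE_NAME` are computed in `init` but never read anywhere in this class.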
@@ -0,0 +1,175 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.listeners;
+
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPModification;
+import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.LDAPv2;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.ldap.ILdapConnFactory;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.IRequestListener;
+import com.netscape.certsrv.request.RequestId;
+
+/**
+ * This represnets a listener that removes pin from LDAP directory. 
+ * + * @version $Revision$, $Date$ + */ +public class PinRemovalListener implements IRequestListener { + protected static final String PROP_ENABLED = "enabled"; + protected static final String PROP_LDAP = "ldap"; + protected static final String PROP_BASEDN = "ldap.basedn"; + protected static final String PROP_PINATTR = "pinAttr"; + + protected String mName = null; + protected String mImplName = null; + protected String mBaseDN = null; + protected String mPinAttr = null; + + private boolean mEnabled = false; + private ILogger mLogger = CMS.getLogger(); + + private IConfigStore mConfig = null; + private IConfigStore mLdapConfig = null; + private RequestId mReqId = null; + private ILdapConnFactory mConnFactory = null; + private LDAPConnection mRemovePinLdapConnection = null; + + public PinRemovalListener() { + } + + public String getName() { + return mName; + } + + public String getImplName() { + return mImplName; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + public void shutdown() { + } + + protected String[] configParams = { "a" }; + + public String[] getConfigParams() + throws EBaseException { + + return configParams; + } + + public void init(ISubsystem sub, IConfigStore config) throws EBaseException { + init(null, null, config); + } + + public void init(String name, String ImplName, IConfigStore config) + throws EBaseException { + mName = name; + mImplName = ImplName; + mConfig = config; + + mLdapConfig = mConfig.getSubStore(PROP_LDAP); + mConnFactory = CMS.getLdapBoundConnFactory(); + mConnFactory.init(mLdapConfig); + mRemovePinLdapConnection = mConnFactory.getConn(); + + mEnabled = mConfig.getBoolean(PROP_ENABLED, false); + mBaseDN = mConfig.getString(PROP_BASEDN, ""); + mPinAttr = mConfig.getString(PROP_PINATTR, "pin"); + + } + + public void accept(IRequest r) { + if (mEnabled != true) + return; + + mReqId = r.getRequestId(); + + String rs = r.getRequestStatus().toString(); + + CMS.debug("PinRemovalListener: Request status: " + rs); 
+ if (!rs.equals("complete")) { + CMS.debug("PinRemovalListener: - request not complete - not removing pin"); + return; + } + String requestType = r.getRequestType(); + + if (requestType.equals(IRequest.ENROLLMENT_REQUEST) || + requestType.equals(IRequest.RENEWAL_REQUEST)) { + + String uid = r.getExtDataInString( + IRequest.HTTP_PARAMS, "uid"); + + if (uid == null) { + log(ILogger.LL_INFO, "did not find UID parameter in this request"); + return; + } + + String userdn = null; + + try { + LDAPSearchResults res = mRemovePinLdapConnection.search(mBaseDN, + LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false); + + if (!res.hasMoreElements()) { + log(ILogger.LL_SECURITY, "uid " + uid + " does not exist in the ldap " + + " server. Could not remove pin"); + return; + } + + LDAPEntry entry = (LDAPEntry) res.nextElement(); + + userdn = entry.getDN(); + + mRemovePinLdapConnection.modify(userdn, + new LDAPModification( + LDAPModification.DELETE, + new LDAPAttribute(mPinAttr))); + + log(ILogger.LL_INFO, "Removed pin for user \"" + userdn + "\""); + + } catch (LDAPException e) { + log(ILogger.LL_SECURITY, "could not remove pin for " + userdn); + } + + } + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_OTHER, + level, "PinRemovalListener: " + msg); + } + + public void set(String name, String val) { + } +} diff --git a/base/common/src/com/netscape/cms/listeners/RequestInQListener.java b/base/common/src/com/netscape/cms/listeners/RequestInQListener.java new file mode 100644 index 000000000..7ff13db54 --- /dev/null +++ b/base/common/src/com/netscape/cms/listeners/RequestInQListener.java 
@@ -0,0 +1,283 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.listeners;
+
+import java.io.IOException;
+import java.util.Hashtable;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authority.ICertAuthority;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.EPropertyNotFound;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.listeners.EListenersException;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.notification.ENotificationException;
+import com.netscape.certsrv.notification.IEmailFormProcessor;
+import com.netscape.certsrv.notification.IEmailTemplate;
+import com.netscape.certsrv.notification.IMailNotification;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.IRequestListener;
+import com.netscape.certsrv.request.RequestId;
+import com.netscape.cms.profile.input.SubjectNameInput;
+import com.netscape.cms.profile.input.SubmitterInfoInput;
+
+/**
+ * a listener for every request gets into the request queue.
+ *

+ * Here is a list of available $TOKENs for email notification templates: + *

    + *
  • $RequestorEmail + *
  • $CertType + *
  • $RequestType + *
  • $RequestId + *
  • $HttpHost + *
  • $HttpPort + *
  • $SenderEmail + *
  • $RecipientEmail + *
+ * + */ +public class RequestInQListener implements IRequestListener { + protected static final String PROP_ENABLED = "enabled"; + protected final static String PROP_SENDER_EMAIL = "senderEmail"; + protected final static String PROP_RECVR_EMAIL = "recipientEmail"; + public final static String PROP_EMAIL_TEMPLATE = "emailTemplate"; + protected static final String PROP_EMAIL_SUBJECT = "emailSubject"; + + protected final static String PROP_NOTIFY_SUBSTORE = "notification"; + protected final static String PROP_REQ_IN_Q_SUBSTORE = "requestInQ"; + + private boolean mEnabled = false; + private ILogger mLogger = CMS.getLogger(); + private String mSenderEmail = null; + private String mRecipientEmail = null; + private String mEmailSubject = null; + private String mFormPath = null; + private IConfigStore mConfig = null; + private Hashtable mContentParams = new Hashtable(); + private String mId = "RequestInQListener"; + private ICertAuthority mSubsystem = null; + private String mHttpHost = null; + private String mAgentPort = null; + + /** + * Constructor + */ + public RequestInQListener() { + } + + /** + * initializes the listener from the configuration + */ + public void init(ISubsystem sub, IConfigStore config) + throws EListenersException, EPropertyNotFound, EBaseException { + + mSubsystem = (ICertAuthority) sub; + mConfig = mSubsystem.getConfigStore(); + + IConfigStore nc = mConfig.getSubStore(PROP_NOTIFY_SUBSTORE); + IConfigStore rq = nc.getSubStore(PROP_REQ_IN_Q_SUBSTORE); + + mEnabled = rq.getBoolean(PROP_ENABLED, false); + + mSenderEmail = rq.getString(PROP_SENDER_EMAIL); + if (mSenderEmail == null) { + throw new EListenersException(CMS.getLogMessage("NO_NOTIFY_SENDER_EMAIL_CONFIG_FOUND")); + } + mRecipientEmail = rq.getString(PROP_RECVR_EMAIL); + if (mRecipientEmail == null) { + throw new EListenersException(CMS.getLogMessage("NO_NOTIFY_RECVR_EMAIL_CONFIG_FOUND")); + } + + mEmailSubject = rq.getString(PROP_EMAIL_SUBJECT); + if (mEmailSubject == null) { + 
mEmailSubject = "Request in Queue"; + } + + mFormPath = rq.getString(PROP_EMAIL_TEMPLATE); + + // make available http host and port for forming url in templates + mHttpHost = CMS.getAgentHost(); + mAgentPort = CMS.getAgentPort(); + if (mAgentPort == null) + log(ILogger.LL_FAILURE, CMS.getLogMessage("LISTENERS_REQUEST_PORT_NOT_FOUND")); + else + CMS.debug("RequestInQuListener: agentport = " + mAgentPort); + + // register for this event listener + mSubsystem.registerPendingListener(this); + } + + /** + * carries out the operation when the listener is triggered. + * + * @param r IRequest structure holding the request information + * @see com.netscape.certsrv.request.IRequest + */ + public void accept(IRequest r) { + + if (mEnabled != true) + return; + + // regardless of type of request...notify for everything + // no need for email resolver here... + IMailNotification mn = CMS.getMailNotification(); + + mn.setFrom(mSenderEmail); + mn.setTo(mRecipientEmail); + mn.setSubject(mEmailSubject + " (request id: " + + r.getRequestId() + ")"); + + /* + * get form file from disk + */ + IEmailTemplate template = CMS.getEmailTemplate(mFormPath); + + /* + * parse and process the template + */ + if (template != null) { + if (!template.init()) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("LISTENERS_TEMPLATE_NOT_INIT")); + return; + } + + buildContentParams(r); + IEmailFormProcessor et = CMS.getEmailFormProcessor(); + String c = et.getEmailContent(template.toString(), mContentParams); + + if (template.isHTML()) { + mn.setContentType("text/html"); + } + mn.setContent(c); + } else { + // log and mail + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_TEMPLATE_NOT_GET")); + mn.setContent("Template not retrievable for Request in Queue notification"); + } + + try { + mn.sendNotification(); + } catch (ENotificationException e) { + // already logged, lets audit + mLogger.log(ILogger.EV_AUDIT, null, + ILogger.S_OTHER, + ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", 
e.toString())); + + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_SEND_FAILED", e.toString())); + + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LISTENERS_SEND_FAILED", e.toString())); + } + } + + private void buildContentParams(IRequest r) { + mContentParams.clear(); + mContentParams.put(IEmailFormProcessor.TOKEN_ID, + mConfig.getName()); + Object val = null; + + String profileId = r.getExtDataInString("profileId"); + + if (profileId == null) { + val = r.getExtDataInString(IRequest.HTTP_PARAMS, "csrRequestorEmail"); + } else { + // use the submitter info if available, otherwise, use the + // subject name input email + val = r.getExtDataInString(SubmitterInfoInput.EMAIL); + + if ((val == null) || (((String) val).compareTo("") == 0)) { + val = r.getExtDataInString(SubjectNameInput.VAL_EMAIL); + } + } + if (val != null) + mContentParams.put(IEmailFormProcessor.TOKEN_REQUESTOR_EMAIL, + val); + + if (profileId == null) { + val = r.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); + } else { + val = profileId; + } + if (val != null) { + mContentParams.put(IEmailFormProcessor.TOKEN_CERT_TYPE, + val); + } + + RequestId reqId = r.getRequestId(); + + mContentParams.put(IEmailFormProcessor.TOKEN_REQUEST_ID, + (Object) reqId.toString()); + + mContentParams.put(IEmailFormProcessor.TOKEN_ID, mId); + + val = r.getRequestType(); + if (val != null) + mContentParams.put(IEmailFormProcessor.TOKEN_REQUEST_TYPE, + val); + + mContentParams.put(IEmailFormProcessor.TOKEN_HTTP_HOST, + (Object) mHttpHost); + mContentParams.put(IEmailFormProcessor.TOKEN_HTTP_PORT, + (Object) mAgentPort); + + mContentParams.put(IEmailFormProcessor.TOKEN_SENDER_EMAIL, + (Object) mSenderEmail); + mContentParams.put(IEmailFormProcessor.TOKEN_RECIPIENT_EMAIL, + (Object) mRecipientEmail); + } + + /** + * sets the configurable parameters + * + * @param name a String represents the name of the configuration parameter to 
be set + * @param val a String containing the value to be set for name + */ + public void set(String name, String val) { + if (name.equalsIgnoreCase(PROP_ENABLED)) { + if (val.equalsIgnoreCase("true")) { + mEnabled = true; + } else { + mEnabled = false; + } + } else if (name.equalsIgnoreCase(PROP_SENDER_EMAIL)) { + mSenderEmail = val; + } else if (name.equalsIgnoreCase(PROP_RECVR_EMAIL)) { + mRecipientEmail = val; + } else if (name.equalsIgnoreCase(PROP_EMAIL_SUBJECT)) { + mEmailSubject = val; + } else if (name.equalsIgnoreCase(PROP_EMAIL_TEMPLATE)) { + mFormPath = val; + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("LISTENERS_CERT_ISSUED_SET")); + } + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_OTHER, + level, msg); + } +} diff --git a/base/common/src/com/netscape/cms/logging/LogEntry.java b/base/common/src/com/netscape/cms/logging/LogEntry.java new file mode 100644 index 000000000..d91bd7406 --- /dev/null +++ b/base/common/src/com/netscape/cms/logging/LogEntry.java 
@@ -0,0 +1,134 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.logging; + +import java.text.DateFormat; +import java.text.ParseException; +import java.text.SimpleDateFormat; +import java.util.Date; +import java.util.Vector; + +/** + * A log entry of LogFile + * + * @version $Revision$, $Date$ + */ +public class LogEntry { + private String mEntry; + private String mLevel; + private String mSource; + private String mDetail; + private String mDate; + private String mTime; + private Vector mRow; + + private final String DATE_PATTERN = "dd/MMM/yyyy:HH:mm:ss z"; + + /** + * Constructor for a LogEntry. 
+ * + */ + public LogEntry(String entry) throws ParseException { + mEntry = entry; + mRow = parse(); + } + + /** + * parse a log entry + * + * return a vector of the segments of the entry + */ + + public Vector parse() throws ParseException { + int x = mEntry.indexOf("["); + + if (x == -1) + throw new ParseException(mEntry, 0); + String temp = mEntry.substring(x + 1); + + x = temp.indexOf("]"); + if (x == -1) + throw new ParseException(mEntry, 0); + + String dateStr = temp.substring(0, x); + SimpleDateFormat format = new SimpleDateFormat(DATE_PATTERN); + Date date = format.parse(dateStr); + + mDate = DateFormat.getDateInstance().format(date); + mTime = DateFormat.getTimeInstance().format(date); + + temp = temp.substring(x + 2); + x = temp.indexOf("]"); + if (x == -1) + throw new ParseException(mEntry, 0); + mSource = temp.substring(1, x); + + temp = temp.substring(x + 2); + x = temp.indexOf("]"); + if (x == -1) + throw new ParseException(mEntry, 0); + mLevel = temp.substring(1, x); + + mDetail = temp.substring(x + 2); + + Vector row = new Vector(); + + row.addElement(mSource); + row.addElement(mLevel); + row.addElement(mDate); + row.addElement(mTime); + row.addElement(mDetail); + + //System.out.println(mSource +"," + mLevel +","+ mDate+","+mTime+","+mDetail); + return row; + + } + + public String getSource() { + return mSource; + } + + public String getLevel() { + return mLevel; + } + + public String getDetail() { + return mDetail; + } + + public String getDate() { + return mDate; + } + + public String getTime() { + return mTime; + } + + public Vector getRow() { + return mRow; + } + + public String getEntry() { + return mEntry; + } + + public void appendDetail(String msg) { + mDetail = mDetail + "\n" + msg; + mEntry = mEntry + "\n" + msg; + } +} diff --git a/base/common/src/com/netscape/cms/logging/LogFile.java b/base/common/src/com/netscape/cms/logging/LogFile.java new file mode 100644 index 000000000..5144bf16d --- /dev/null 
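Review bot: parse() can fail with StringIndexOutOfBoundsException instead of the declared ParseException on a malformed or truncated entry: each `temp.substring(x + 2)` assumes a separator character follows the closing bracket, and the two `temp.substring(1, x)` calls assume x >= 1, so a line cut off right after `]` (for example the tail of a log file interrupted mid-write) escapes the constructor's contract and reaches callers as an unchecked exception. A guard before each of those calls keeps the failure typed, e.g. `if (x < 1 || x + 2 > temp.length()) throw new ParseException(mEntry, x);` (for the date field only the length check applies, since an empty date already fails in format.parse). Separately, `new SimpleDateFormat(DATE_PATTERN)` parses the `MMM` month name in the JVM default locale, and LogFile writes the same pattern with the default locale as well, so an entry written under one locale is unparseable under another; pinning both sides to a fixed locale such as `Locale.US` would make the on-disk format stable. `DATE_PATTERN` is also declared as an instance field; `private static final String DATE_PATTERN` is the conventional form for a constant.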
+++ b/base/common/src/com/netscape/cms/logging/LogFile.java 
@@ -0,0 +1,1534 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.logging; + +import java.io.BufferedReader; +import java.io.BufferedWriter; +import java.io.ByteArrayOutputStream; +import java.io.CharArrayReader; +import java.io.CharArrayWriter; +import java.io.File; +import java.io.FileNotFoundException; +import java.io.FileReader; +import java.io.FileWriter; +import java.io.FilterOutputStream; +import java.io.IOException; +import java.io.LineNumberReader; +import java.io.PrintStream; +import java.io.PrintWriter; +import java.io.RandomAccessFile; +import java.io.UnsupportedEncodingException; +import java.security.GeneralSecurityException; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.Provider; +import java.security.Signature; +import java.security.SignatureException; +import java.security.interfaces.DSAPrivateKey; +import java.security.interfaces.RSAPrivateKey; +import java.text.ParseException; +import java.text.SimpleDateFormat; +import java.util.Date; +import java.util.Hashtable; +import java.util.Locale; +import java.util.Properties; +import 
java.util.StringTokenizer; +import java.util.Vector; + +import javax.servlet.ServletException; + +import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.ObjectNotFoundException; +import org.mozilla.jss.crypto.TokenException; +import org.mozilla.jss.crypto.X509Certificate; +import org.mozilla.jss.util.Base64OutputStream; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.common.Constants; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.logging.AuditEvent; +import com.netscape.certsrv.logging.ConsoleError; +import com.netscape.certsrv.logging.ELogException; +import com.netscape.certsrv.logging.ILogEvent; +import com.netscape.certsrv.logging.ILogEventListener; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.SignedAuditEvent; +import com.netscape.certsrv.logging.SystemEvent; +import com.netscape.cmsutil.util.Utils; + +/** + * A log event listener which write logs to log files + * + * @version $Revision$, $Date$ + **/ +public class LogFile implements ILogEventListener, IExtendedPluginInfo { + public static final String PROP_TYPE = "type"; + public static final String PROP_REGISTER = "register"; + public static final String PROP_ON = "enable"; + public static final String PROP_TRACE = "trace"; + public static final String PROP_SIGNED_AUDIT_LOG_SIGNING = "logSigning"; + public static final String PROP_SIGNED_AUDIT_CERT_NICKNAME = + "signedAuditCertNickname"; + public static final String PROP_SIGNED_AUDIT_EVENTS = "events"; + public static final String PROP_LEVEL = "level"; + static final String PROP_FILE_NAME = "fileName"; + static final String PROP_LAST_HASH_FILE_NAME = "lastHashFileName"; + static final String PROP_BUFFER_SIZE = 
"bufferSize"; + static final String PROP_FLUSH_INTERVAL = "flushInterval"; + + private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP = + "LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2"; + private final static String LOGGING_SIGNED_AUDIT_SIGNING = + "LOGGING_SIGNED_AUDIT_SIGNING_3"; + private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN = + "LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2"; + private final static String LOG_SIGNED_AUDIT_EXCEPTION = + "LOG_SIGNED_AUDIT_EXCEPTION_1"; + + protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + protected IConfigStore mConfig = null; + + /** + * The date string used in the log file name + */ + static final String DATE_PATTERN = "yyyyMMddHHmmss"; + + //It may be interesting to make this flexable someday.... + protected SimpleDateFormat mLogFileDateFormat = new SimpleDateFormat(DATE_PATTERN); + + /** + * The default output stream buffer size in bytes + */ + static final int BUFFER_SIZE = 512; + + /** + * The default output flush interval in seconds + */ + static final int FLUSH_INTERVAL = 5; + + /** + * The log file + */ + protected File mFile = null; + + /** + * The log file name + */ + protected String mFileName = null; + + /** + * The log file output stream + */ + protected BufferedWriter mLogWriter = null; + + /** + * The log date entry format pattern + */ + protected String mDatePattern = "dd/MMM/yyyy:HH:mm:ss z"; + + /** + * The log date entry format + */ + protected SimpleDateFormat mLogDateFormat = new SimpleDateFormat(mDatePattern); + + /** + * The date object used for log entries + */ + protected Date mDate = new Date(); + + /** + * The number of bytes written to the current log file + */ + protected int mBytesWritten = 0; + + /** + * The output buffer size in bytes + */ + protected int mBufferSize = BUFFER_SIZE; + + /** + * The output buffer flush interval + */ + protected int mFlushInterval = FLUSH_INTERVAL; + + /** + * The number of unflushed bytes + */ + protected int 
mBytesUnflushed = 0; + + /** + * The output buffer flush interval thread + */ + private Thread mFlushThread = null; + + /** + * The selected log event types + */ + protected String mSelectedEventsList = null; + protected Vector mSelectedEvents = null; + + /** + * The eventType that this log is triggered + */ + protected String mType = null; + + /** + * The log is turned on/off + */ + protected boolean mOn = false; + + /** + * Should this log listener self-register or not + */ + protected boolean mRegister = false; + + protected boolean mTrace = false; + + /** + * Log signing is on/off + */ + protected boolean mLogSigning = false; + + /** + * Nickname of certificate to use to sign log. + */ + private String mSAuditCertNickName = ""; + + /** + * The provider used by the KeyGenerator and Mac + */ + static final String CRYPTO_PROVIDER = "Mozilla-JSS"; + + /** + * The log level threshold + * Only logs with level greater or equal than this value will be written + */ + protected long mLevel = 1; + + /** + * Constructor for a LogFile. + * + */ + public LogFile() { + } + + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + + try { + mOn = config.getBoolean(PROP_ON, true); + } catch (EBaseException e) { + throw new ELogException(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", + config.getName() + "." + PROP_ON)); + } + + try { + mLogSigning = config.getBoolean(PROP_SIGNED_AUDIT_LOG_SIGNING, + false); + } catch (EBaseException e) { + throw new ELogException(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", + config.getName() + "." + PROP_SIGNED_AUDIT_LOG_SIGNING)); + } + + if (mOn && mLogSigning) { + try { + mSAuditCertNickName = config.getString( + PROP_SIGNED_AUDIT_CERT_NICKNAME); + CMS.debug("LogFile: init(): audit log signing enabled. signedAuditCertNickname=" + mSAuditCertNickName); + } catch (EBaseException e) { + throw new ELogException(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", + config.getName() + "." 
+ + PROP_SIGNED_AUDIT_CERT_NICKNAME)); + } + if (mSAuditCertNickName == null || + mSAuditCertNickName.trim().equals("")) { + throw new ELogException(CMS.getUserMessage( + "CMS_BASE_GET_PROPERTY_FAILED", + config.getName() + "." + + PROP_SIGNED_AUDIT_CERT_NICKNAME)); + } + } + + // selective logging + mSelectedEventsList = null; + try { + mSelectedEventsList = config.getString(PROP_SIGNED_AUDIT_EVENTS); + } catch (EBaseException e) { + // when not specified, ALL are selected by default + } + mSelectedEvents = string2Vector(mSelectedEventsList); + + try { + init(config); + } catch (IOException e) { + throw new ELogException(CMS.getUserMessage("CMS_LOG_UNEXPECTED_EXCEPTION", e.toString())); + } + } + + /** + * turns a comma-separated String into a Vector + */ + protected Vector string2Vector(String theString) { + Vector theVector = new Vector(); + if (theString == null) { + return theVector; + } + + StringTokenizer tokens = new StringTokenizer(theString, + ","); + while (tokens.hasMoreTokens()) { + String eventId = tokens.nextToken().trim(); + + theVector.addElement(eventId); + CMS.debug("LogFile: log event type selected: " + eventId); + } + return theVector; + } + + /** + * add the event to the selected events list + * + * @param event to be selected + */ + public void selectEvent(String event) { + if (!mSelectedEvents.contains(event)) + mSelectedEvents.addElement(event); + } + + /** + * remove the event from the selected events list + * + * @param event to be de-selected + */ + public void deselectEvent(String event) { + if (mSelectedEvents.contains(event)) + mSelectedEvents.removeElement(event); + } + + /** + * replace the selected events list + * + * @param events comma-separated event list + */ + public void replaceEvents(String events) { + Vector v = string2Vector(events); + mSelectedEvents.removeAllElements(); + mSelectedEvents = v; + } + + public static String base64Encode(byte[] bytes) throws IOException { + // All this streaming is lame, but 
Base64OutputStream needs a + // PrintStream + ByteArrayOutputStream output = new ByteArrayOutputStream(); + Base64OutputStream b64 = new Base64OutputStream(new + PrintStream(new + FilterOutputStream(output) + ) + ); + + b64.write(bytes); + b64.flush(); + + // This is internationally safe because Base64 chars are + // contained within 8859_1 + return output.toString("8859_1"); + } + + private static boolean mInSignedAuditLogFailureMode = false; + + private static synchronized void shutdownCMS() { + if (mInSignedAuditLogFailureMode == false) { + + // Set signed audit log failure mode true + // No, this isn't a race condition, because the method is + // synchronized. We just want to avoid an infinite loop. + mInSignedAuditLogFailureMode = true; + + // Block all new incoming requests + if (CMS.areRequestsDisabled() == false) { + // XXX is this a race condition? + CMS.disableRequests(); + } + + // Terminate all requests in process + CMS.terminateRequests(); + + // Call graceful shutdown of the CMS server + // Call force shutdown to get added functionality of + // making sure to kill the web server. + + CMS.forceShutdown(); + } + } + + /** + * Initialize and open the log using the parameters from a config store + * + * @param config The property config store to find values in + */ + public void init(IConfigStore config) throws IOException, + EBaseException { + String fileName = null; + String defaultFileName = null; + String signedAuditDefaultFileName = ""; + + mConfig = config; + + try { + mTrace = config.getBoolean(PROP_TRACE, false); + } catch (EBaseException e) { + throw new ELogException(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", + config.getName() + "." + PROP_TRACE)); + } + + try { + mType = config.getString(PROP_TYPE, "system"); + } catch (EBaseException e) { + throw new ELogException(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", + config.getName() + "." 
+ PROP_TYPE)); + } + + try { + mRegister = config.getBoolean(PROP_REGISTER, true); + } catch (EBaseException e) { + throw new ELogException(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", + config.getName() + "." + PROP_REGISTER)); + } + + if (mOn) { + if (mRegister) { + CMS.getLogger().getLogQueue().addLogEventListener(this); + } + } else { + // shutdown the listener, remove the listener + if (mRegister) { + CMS.getLogger().getLogQueue().removeLogEventListener(this); + shutdown(); + } + } + + try { + mLevel = config.getInteger(PROP_LEVEL, 3); + } catch (EBaseException e) { + e.printStackTrace(); + throw new ELogException(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", + config.getName() + "." + PROP_LEVEL)); + } + + try { + // retrieve the subsystem + String subsystem = ""; + + ISubsystem caSubsystem = CMS.getSubsystem("ca"); + if (caSubsystem != null) { + subsystem = "ca"; + } + + ISubsystem raSubsystem = CMS.getSubsystem("ra"); + if (raSubsystem != null) { + subsystem = "ra"; + } + + ISubsystem kraSubsystem = CMS.getSubsystem("kra"); + if (kraSubsystem != null) { + subsystem = "kra"; + } + + ISubsystem ocspSubsystem = CMS.getSubsystem("ocsp"); + if (ocspSubsystem != null) { + subsystem = "ocsp"; + } + + // retrieve the instance name + String instIDPath = CMS.getInstanceDir(); + int index = instIDPath.lastIndexOf("/"); + String instID = instIDPath.substring(index + 1); + + // build the default signedAudit file name + signedAuditDefaultFileName = subsystem + "_" + + instID + "_" + "audit"; + + } catch (Exception e2) { + throw new ELogException( + CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", + config.getName() + "." + + PROP_FILE_NAME)); + } + + // the default value is determined by the eventType. 
+ if (mType.equals(ILogger.PROP_SIGNED_AUDIT)) { + defaultFileName = "logs/signedAudit/" + signedAuditDefaultFileName; + } else if (mType.equals(ILogger.PROP_SYSTEM)) { + defaultFileName = "logs/system"; + } else if (mType.equals(ILogger.PROP_AUDIT)) { + defaultFileName = "logs/transactions"; + } else { + //wont get here + throw new ELogException(CMS.getUserMessage("CMS_LOG_INVALID_LOG_TYPE", + config.getName())); + } + + try { + fileName = config.getString(PROP_FILE_NAME, defaultFileName); + } catch (EBaseException e) { + throw new ELogException(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", + config.getName() + "." + PROP_FILE_NAME)); + } + + if (mOn) { + init(fileName, config.getInteger(PROP_BUFFER_SIZE, BUFFER_SIZE), + config.getInteger(PROP_FLUSH_INTERVAL, FLUSH_INTERVAL)); + } + } + + /** + * Initialize and open the log + * + * @param bufferSize The buffer size for the output stream in bytes + * @param flushInterval The interval in seconds to flush the log + */ + public void init(String fileName, int bufferSize, int flushInterval) throws IOException, ELogException { + + if (fileName == null) + throw new ELogException(CMS.getUserMessage("CMS_LOG_INVALID_FILE_NAME", "null")); + + //If we want to reuse the old log files + //mFileName = fileName + "." + mLogFileDateFormat.format(mDate); + mFileName = fileName; + if (!Utils.isNT()) { + // Always insure that a physical file exists! 
+ Utils.exec("touch " + mFileName); + Utils.exec("chmod 00640 " + mFileName); + } + mFile = new File(mFileName); + mBufferSize = bufferSize; + setFlushInterval(flushInterval); + open(); + } + + private PrivateKey mSigningKey = null; + private Signature mSignature = null; + + private void setupSigning() throws EBaseException { + try { + + Provider[] providers = java.security.Security.getProviders(); + int ps = providers.length; + for (int i = 0; i < ps; i++) { + CMS.debug("LogFile: provider " + i + "= " + providers[i].getName()); + } + + CryptoManager cm = CryptoManager.getInstance(); + + // find CertServer's private key + X509Certificate cert = cm.findCertByNickname(mSAuditCertNickName); + if (cert != null) { + CMS.debug("LogFile: setupSignig(): found cert:" + mSAuditCertNickName); + } else { + CMS.debug("LogFile: setupSignig(): cert not found:" + mSAuditCertNickName); + } + mSigningKey = cm.findPrivKeyByCert(cert); + + String sigAlgorithm; + if (mSigningKey instanceof RSAPrivateKey) { + sigAlgorithm = "SHA-256/RSA"; + } else if (mSigningKey instanceof DSAPrivateKey) { + sigAlgorithm = "SHA-256/DSA"; + } else { + throw new NoSuchAlgorithmException("Unknown private key type"); + } + + CryptoToken savedToken = cm.getThreadToken(); + try { + CryptoToken keyToken = + ((org.mozilla.jss.pkcs11.PK11PrivKey) mSigningKey) + .getOwningToken(); + cm.setThreadToken(keyToken); + mSignature = java.security.Signature.getInstance(sigAlgorithm, + CRYPTO_PROVIDER); + } finally { + cm.setThreadToken(savedToken); + } + + mSignature.initSign(mSigningKey); + + // get the last signature from the currently-opened file + String entry = getLastSignature(mFile); + if (entry != null) { + mSignature.update(entry.getBytes("UTF-8")); + mSignature.update(LINE_SEP_BYTE); + } + + // Always start off with a signature. That way, even if there + // were problems with the log file we inherited, we will + // get a fresh start with this instance. 
+ pushSignature(); + + } catch (CryptoManager.NotInitializedException nie) { + setupSigningFailure("BASE_CRYPTOMANAGER_UNINITIALIZED", nie); + } catch (ObjectNotFoundException onfe) { + setupSigningFailure("LOG_SIGNING_CERT_NOT_FOUND", onfe); + } catch (TokenException te) { + setupSigningFailure("BASE_TOKEN_ERROR_0", te); + } catch (NoSuchAlgorithmException nsae) { + setupSigningFailure("LOG_NO_SUCH_ALGORITHM_0", nsae); + } catch (NoSuchProviderException nspe) { + setupSigningFailure("BASE_PROVIDER_NOT_SUPPORTED", nspe); + } catch (InvalidKeyException ike) { + setupSigningFailure("BASE_INVALID_KEY", ike); + } catch (SignatureException se) { + setupSigningFailure("LOG_SIGNING_OP_FAILED", se); + } catch (UnsupportedEncodingException uee) { + setupSigningFailure("LOG_UNEXPECTED_EXCEPTION", uee); + } catch (IOException ioe) { + setupSigningFailure("LOG_UNEXPECTED_EXCEPTION", ioe); + } catch (Exception e) { + setupSigningFailure("LOG_UNEXPECTED_EXCEPTION", e); + } + } + + private static void setupSigningFailure(String logMessageCode, Exception e) + throws EBaseException { + try { + ConsoleError.send(new SystemEvent( + CMS.getLogMessage(logMessageCode))); + } catch (Exception e2) { + // don't allow an exception while printing to the console + // prevent us from running the rest of this function. + e2.printStackTrace(); + } + e.printStackTrace(); + shutdownCMS(); + throw new EBaseException(e.toString()); + } + + /** + * Startup the instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP used at audit function startup + *
+ * + * @exception EBaseException if an internal error occurred + */ + public void startup() throws EBaseException { + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + CMS.debug("LogFile: entering LogFile.startup()"); + if (mOn && mLogSigning) { + try { + setupSigning(); + audit(CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP, + ILogger.SYSTEM_UID, + ILogger.SUCCESS)); + } catch (EBaseException e) { + audit(CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP, + ILogger.SYSTEM_UID, + ILogger.FAILURE)); + throw e; + } + } + + } + + /** + * Retrieves the eventType this log is triggered. + */ + public String getType() { + return mType; + } + + /** + * Retrieves the log on/off. + */ + public String getOn() { + return String.valueOf(mOn); + } + + /** + * Retrieves the log level threshold. + */ + public long getLevel() { + return mLevel; + } + + /** + * Retrieves the base log file name. + */ + public String getName() { + return mFileName; + } + + private boolean firstOpen = true; + + /** + * Record that the signed audit log has been signed + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_SIGNING used when a signature on the audit log is generated (same as + * "flush" time) + *
+ * + * @exception IOException for input/output problems + * @exception ELogException when plugin implementation fails + * @exception SignatureException when signing fails + * @exception InvalidKeyException when an invalid key is utilized + */ + private void pushSignature() throws IOException, ELogException, + SignatureException, InvalidKeyException { + byte[] sigBytes = null; + + if (mSignature == null) { + return; + } + + sigBytes = mSignature.sign(); + mSignature.initSign(mSigningKey); + + Object o[] = new Object[1]; + o[0] = null; + + // cook up a signed audit log message to record mac + // so as to avoid infinite recursiveness of calling + // the log() method + String auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SIGNING, + ILogger.SYSTEM_UID, + ILogger.SUCCESS, + base64Encode(sigBytes)); + + if (mSignedAuditLogger == null) { + return; + } + + ILogEvent ev = mSignedAuditLogger.create( + ILogger.EV_SIGNED_AUDIT, + (Properties) null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + auditMessage, + o, + ILogger.L_SINGLELINE); + + String logMesg = logEvt2String(ev); + doLog(logMesg, true); + } + + private static String getLastSignature(File f) throws IOException { + BufferedReader r = new BufferedReader(new FileReader(f)); + String lastSig = null; + String curLine = null; + while ((curLine = r.readLine()) != null) { + if (curLine.indexOf("AUDIT_LOG_SIGNING") != -1) { + lastSig = curLine; + } + } + r.close(); + return lastSig; + } + + /** + * Open the log file. This creates the buffered FileWriter + * + */ + protected synchronized void open() throws IOException { + RandomAccessFile out; + + try { + out = new RandomAccessFile(mFile, "rw"); + out.seek(out.length()); + //XXX int or long? 
+ mBytesWritten = (int) out.length(); + if (!Utils.isNT()) { + try { + Utils.exec("chmod 00640 " + mFile.getCanonicalPath()); + } catch (IOException e) { + CMS.debug("Unable to change file permissions on " + + mFile.toString()); + } + } + mLogWriter = new BufferedWriter( + new FileWriter(out.getFD()), mBufferSize); + + // The first time we open, mSignature will not have been + // initialized yet. That's ok, we will push our first signature + // in setupSigning(). + if (mLogSigning && (mSignature != null)) { + try { + pushSignature(); + } catch (ELogException le) { + ConsoleError.send( + new SystemEvent(CMS.getUserMessage("CMS_LOG_ILLEGALARGUMENT", + mFileName))); + } + } + } catch (IllegalArgumentException iae) { + ConsoleError.send( + new SystemEvent(CMS.getUserMessage("CMS_LOG_ILLEGALARGUMENT", + mFileName))); + } catch (GeneralSecurityException gse) { + // error with signed audit log, shutdown CMS + gse.printStackTrace(); + shutdownCMS(); + } + + mBytesUnflushed = 0; + } + + /** + * Flush the log file. 
Also update the MAC for hash protected logs + * + */ + public synchronized void flush() { + try { + if (mLogSigning) { + try { + pushSignature(); + } catch (ELogException le) { + ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_FLUSH_LOG_FAILED", mFileName, + le.toString()))); + } + } + + if (mLogWriter != null) { + mLogWriter.flush(); + } + } catch (IOException e) { + ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_FLUSH_LOG_FAILED", mFileName, e.toString()))); + if (mLogSigning) { + //error in writing to signed audit log, shut down CMS + e.printStackTrace(); + shutdownCMS(); + } + } catch (GeneralSecurityException gse) { + // error with signed audit log, shutdown CMS + gse.printStackTrace(); + shutdownCMS(); + } + + mBytesUnflushed = 0; + } + + /** + * Close the log file + * + */ + protected synchronized void close() { + try { + flush(); + if (mLogWriter != null) { + mLogWriter.close(); + } + } catch (IOException e) { + ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_CLOSE_FAILED", mFileName, e.toString()))); + } + mLogWriter = null; + } + + /** + * Shutdown this log file. + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN used at audit function shutdown + *
+ */ + public synchronized void shutdown() { + String auditMessage = null; + + CMS.debug("LogFile:In log shutdown"); + + setFlushInterval(0); + + // log signed audit shutdown success + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN, + ILogger.SYSTEM_UID, + ILogger.SUCCESS); + + audit(auditMessage); + + close(); + } + + /** + * Set the flush interval + *

+ * + * @param flushInterval The amount of time in seconds until the log + * is flush. A value of 0 will disable autoflush. This will also set + * the update period for hash protected logs. + **/ + public synchronized void setFlushInterval(int flushInterval) { + mFlushInterval = flushInterval * 1000; + + if ((mFlushThread == null) && (mFlushInterval > 0)) { + mFlushThread = new FlushThread(); + mFlushThread.setDaemon(true); + mFlushThread.start(); + } + + this.notify(); + } + + /** + * Log flush thread. Sleep for the flush interval and flush the + * log. Changing flush interval to 0 will cause this thread to exit. + */ + final class FlushThread extends Thread { + + /** + * Flush thread constructor including thread name + */ + public FlushThread() { + super(); + super.setName(mFileName + ".flush-" + (Thread.activeCount() + 1)); + } + + public void run() { + while (mFlushInterval > 0) { + // Sleep for the interval and then flush the log + synchronized (LogFile.this) { + try { + LogFile.this.wait(mFlushInterval); + } catch (InterruptedException e) { + // This shouldn't happen very often + ConsoleError.send(new + SystemEvent(CMS.getUserMessage("CMS_LOG_THREAD_INTERRUPT", "flush"))); + } + } + + if (mFlushInterval == 0) { + break; + } + + if (mBytesUnflushed > 0) { + flush(); + } + } + mFlushThread = null; + } + } + + /** + * Synchronized method to write a string to the log file. All I18N + * should take place before this call. + * + * @param entry The log entry string + */ + protected synchronized void log(String entry) throws ELogException { + doLog(entry, false); + } + + // Standard line separator byte. We always sign this line separator, + // regardless of what we actually write to the file, so that signature + // verification is platform-independent. + private static final byte LINE_SEP_BYTE = 0x0a; + + /** + * This method actually does the logging, and is not overridden + * by subclasses, so you can call it and know that it will do exactly + * what you see below. 
+ */ + private synchronized void doLog(String entry, boolean noFlush) + throws ELogException { + if (mLogWriter == null) { + String[] params = { mFileName, entry }; + + throw new ELogException(CMS.getUserMessage("CMS_LOG_LOGFILE_CLOSED", params)); + } else { + try { + mLogWriter.write(entry, 0/*offset*/, entry.length()); + + if (mLogSigning == true) { + if (mSignature != null) { + // include newline for calculating MAC + mSignature.update(entry.getBytes("UTF-8")); + } else { + CMS.debug("LogFile: mSignature is not yet ready... null in log()"); + } + } + if (mTrace) { + CharArrayWriter cw = new CharArrayWriter(200); + PrintWriter pw = new PrintWriter(cw); + Exception e = new Exception(); + e.printStackTrace(pw); + char[] c = cw.toCharArray(); + cw.close(); + pw.close(); + + CharArrayReader cr = new CharArrayReader(c); + LineNumberReader lr = new LineNumberReader(cr); + + String text = null; + String method = null; + String fileAndLine = null; + if (lr.ready()) { + text = lr.readLine(); + do { + text = lr.readLine(); + } while (text.indexOf("logging") != -1); + int p = text.indexOf("("); + fileAndLine = text.substring(p); + + String classandmethod = text.substring(0, p); + int q = classandmethod.lastIndexOf("."); + method = classandmethod.substring(q + 1); + mLogWriter.write(fileAndLine, 0/*offset*/, fileAndLine.length()); + mLogWriter.write(" ", 0/*offset*/, " ".length()); + mLogWriter.write(method, 0/*offset*/, method.length()); + } + } + mLogWriter.newLine(); + + if (mLogSigning == true) { + if (mSignature != null) { + mSignature.update(LINE_SEP_BYTE); + } else { + CMS.debug("LogFile: mSignature is null in log() 2"); + } + } + } catch (IOException e) { + ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_WRITE_FAILED", mFileName, entry, + e.toString()))); + if (mLogSigning) { + // Failed to write to audit log, shut down CMS + e.printStackTrace(); + shutdownCMS(); + } + } catch (IllegalStateException e) { + CMS.debug("LogFile: exception thrown in log(): 
" + e.toString()); + ConsoleError.send(new SignedAuditEvent(CMS.getLogMessage(LOG_SIGNED_AUDIT_EXCEPTION, e.toString()))); + } catch (GeneralSecurityException gse) { + // DJN: handle error + CMS.debug("LogFile: exception thrown in log(): " + + gse.toString()); + gse.printStackTrace(); + ConsoleError.send(new SignedAuditEvent(CMS.getLogMessage( + LOG_SIGNED_AUDIT_EXCEPTION, gse.toString()))); + } + + // XXX + // Although length will be in Unicode dual-bytes, the PrintWriter + // will only print out 1 byte per character. I suppose this could + // be dependent on the encoding of your log file, but it ain't that + // smart yet. Also, add one for the newline. (hmm, on NT, CR+LF) + int nBytes = entry.length() + 1; + + mBytesWritten += nBytes; + mBytesUnflushed += nBytes; + + if (mBufferSize > 0 && mBytesUnflushed > mBufferSize && !noFlush) { + flush(); + } + } + } + + /** + * Write an event to the log file + * + * @param ev The event to be logged. + */ + public void log(ILogEvent ev) throws ELogException { + if (ev instanceof AuditEvent) { + if (!mType.equals("transaction") || (!mOn) || mLevel > ev.getLevel()) { + return; + } + } else if (ev instanceof SystemEvent) { + if (!mType.equals("system") || (!mOn) || mLevel > ev.getLevel()) { + return; + } + } else if (ev instanceof SignedAuditEvent) { + if (!mType.equals("signedAudit") || (!mOn) || mLevel > ev.getLevel()) { + return; + } + } + + // Is the event type selected? + // If no selection specified in configuration, then all are selected + // If no type specified in propertity file, then treated as selected + if (mSelectedEvents.size() > 0) { + String type = ev.getEventType(); + if (type != null) { + if (!mSelectedEvents.contains(type)) { + CMS.debug("LogFile: event type not selected: " + type); + return; + } + } + } + + String entry = logEvt2String(ev); + + log(entry); + } + + public String logEvt2String(ILogEvent ev) { + String entry = null; + + // Hmm.. multiple threads could hit this and reset the time. 
+ // Do we care? + mDate.setTime(ev.getTimeStamp()); + + // XXX + // This should follow the Common Log Format which still needs + // some work. + if (ev.getMultiline() == ILogger.L_MULTILINE) { + entry = CMS.getPID() + "." + Thread.currentThread().getName() + " - [" + + mLogDateFormat.format(mDate) + "] [" + + Integer.toString(ev.getSource()) + "] [" + Integer.toString(ev.getLevel()) + + "] " + prepareMultiline(ev.toString()); + } else { + entry = CMS.getPID() + "." + Thread.currentThread().getName() + " - [" + + mLogDateFormat.format(mDate) + "] [" + + Integer.toString(ev.getSource()) + "] [" + Integer.toString(ev.getLevel()) + + "] " + ev.toString(); + } + + return entry; + } + + /** + * change multi-line log entry by replace "\n" with "\n " + * + * @param original The original multi-line log entry. + */ + private String prepareMultiline(String original) { + int i, last = 0; + + //NT: \r\n, unix: \n + while ((i = original.indexOf("\n", last)) != -1) { + last = i + 1; + original = original.substring(0, i + 1) + " " + original.substring(i + 1); + } + return original; + } + + /** + * Read all entries whose logLevel>=lowLevel && log source = source + * to at most maxLine entries(from end) + * If the parameter is -1, it's ignored and return all entries + * + * @param maxLine The maximum lines to be returned + * @param lowLevel The lowest log level to be returned + * @param source The particular log source to be returned + * @param fName The log file name to be read. 
If it's null, read the current + * log file + */ + public Vector readEntry(int maxLine, int lowLevel, int source, String fName) { + Vector mEntries = new Vector(); + String fileName = mFileName; + BufferedReader fBuffer; + int lineNo = 0; // lineNo of the current entry in the log file + int line = 0; // line of readed valid entries + String firstLine = null; // line buffer + String nextLine = null; + String entry = null; + LogEntry logEntry = null; + + /* + this variable is added to accormodate misplaced multiline entries + write out buffered log entry when next entry is parsed successfully + this implementation is assuming parsing is more time consuming than + condition check + */ + LogEntry preLogEntry = null; + + if (fName != null) { + fileName = fName; + } + try { + //XXX think about this + fBuffer = new BufferedReader(new FileReader(fileName)); + do { + try { + nextLine = fBuffer.readLine(); + if (nextLine != null) { + if ((nextLine.length() == 0) || (nextLine.charAt(0) == ' ')) { + // It's a continuous line + entry = null; + if (nextLine.length() > 1) + firstLine = firstLine + "\n" + nextLine.substring(1); + else + firstLine = firstLine + "\n"; + + } else { + // It's a new entry + entry = firstLine; + firstLine = nextLine; + } + // parse the previous entry, the current one is buffered + if (entry != null) { + try { + logEntry = new LogEntry(entry); + // if parse succeed, write out previous entry + if (preLogEntry != null) { + if ((Integer.parseInt(preLogEntry.getLevel()) >= lowLevel) && + ((Integer.parseInt(preLogEntry.getSource()) == source) || + (source == ILogger.S_ALL) + )) { + mEntries.addElement(preLogEntry); + if (maxLine == -1) { + line++; + } else if (line < maxLine) { + line++; + } else { + mEntries.removeElementAt(0); + } + } + } + preLogEntry = logEntry; + } catch (ParseException e) { + if (preLogEntry != null) { + preLogEntry.appendDetail(entry); + } else { + firstLine = firstLine + "\n" + nextLine; + } + entry = null; + logEntry = null; + } + } 
+ } + lineNo++; + + } catch (IOException e) { + CMS.getLogger().log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_FAILURE, + CMS.getLogMessage("LOGGING_READ_ERROR", fileName, + Integer.toString(lineNo))); + } + + } while (nextLine != null); + + // need to process the last 2 entries of the file + if (firstLine != null) { + if (logEntry != null) { + preLogEntry = logEntry; + } + entry = firstLine; + try { + logEntry = new LogEntry(entry); + + /* System.out.println( + Integer.toString(Integer.parseInt(logEntry.getLevel())) + +","+Integer.toString(lowLevel)+","+ + Integer.toString(Integer.parseInt(logEntry.getSource())) + +","+Integer.toString(source) ); + */ + if (preLogEntry != null) { + if ((Integer.parseInt(preLogEntry.getLevel()) >= lowLevel) && + ((Integer.parseInt(preLogEntry.getSource()) == source) || + (source == ILogger.S_ALL) + )) { + mEntries.addElement(preLogEntry); + if (maxLine == -1) { + line++; + } else if (line < maxLine) { + line++; + } else { + mEntries.removeElementAt(0); + } + } + } + preLogEntry = logEntry; + } catch (ParseException e) { + preLogEntry.appendDetail(entry); + } + + if (preLogEntry != null) { + if ((Integer.parseInt(preLogEntry.getLevel()) >= lowLevel) + && + ((Integer.parseInt(preLogEntry.getSource()) == source) + || + (source == ILogger.S_ALL) + )) { + // parse the entry, pass to UI + mEntries.addElement(preLogEntry); + if (maxLine == -1) { + line++; + } else if (line < maxLine) { + line++; + } else { + mEntries.removeElementAt(0); + } + } + } + + }// end: last entry + + try { + fBuffer.close(); + } catch (IOException e) { + CMS.getLogger().log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_FAILURE, "logging:" + fileName + + " failed to close for reading"); + } + + } catch (FileNotFoundException e) { + CMS.getLogger().log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_FAILURE, + CMS.getLogMessage("LOGGING_FILE_NOT_FOUND", + fileName)); + } + return mEntries; + } + + /** + * Retrieves the configuration store of this 
subsystem. + *

+ * + * @return configuration store + */ + public IConfigStore getConfigStore() { + return mConfig; + } + + /** + * Retrieve last "maxLine" number of system log with log lever >"level" + * and from source "source". If the parameter is omitted. All entries + * are sent back. + */ + public synchronized NameValuePairs retrieveLogContent(Hashtable req) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + String tmp, fName = null; + int maxLine = -1, level = -1, source = -1; + Vector entries = null; + + if ((tmp = (String) req.get(Constants.PR_LOG_ENTRY)) != null) { + maxLine = Integer.parseInt(tmp); + } + if ((tmp = (String) req.get(Constants.PR_LOG_LEVEL)) != null) { + level = Integer.parseInt(tmp); + } + if ((tmp = (String) req.get(Constants.PR_LOG_SOURCE)) != null) { + source = Integer.parseInt(tmp); + } + tmp = (String) req.get(Constants.PR_LOG_NAME); + if (!(tmp.equals(Constants.PR_CURRENT_LOG))) { + fName = tmp; + } else { + flush(); + } + + try { + entries = readEntry(maxLine, level, source, fName); + for (int i = 0; i < entries.size(); i++) { + params.put(Integer.toString(i) + + ((LogEntry) entries.elementAt(i)).getEntry(), ""); + } + } catch (Exception e) { + CMS.getLogger().log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_WARN, + "System log parse error"); + } + return params; + } + + /** + * Retrieve log file list. 
+ */ + public synchronized NameValuePairs retrieveLogList(Hashtable req) throws ServletException, + IOException, EBaseException { + return null; + } + + public String getImplName() { + return "LogFile"; + } + + public String getDescription() { + return "LogFile"; + } + + public Vector getDefaultParams() { + Vector v = new Vector(); + + v.addElement(PROP_TYPE + "="); + v.addElement(PROP_ON + "="); + v.addElement(PROP_LEVEL + "="); + v.addElement(PROP_FILE_NAME + "="); + v.addElement(PROP_BUFFER_SIZE + "="); + v.addElement(PROP_FLUSH_INTERVAL + "="); + + // needs to find a way to determine what type you want. if this + // is not for the signed audit type, then we should not show the + // following parameters. + //if( mType.equals( ILogger.PROP_SIGNED_AUDIT ) ) { + v.addElement(PROP_SIGNED_AUDIT_LOG_SIGNING + "="); + v.addElement(PROP_SIGNED_AUDIT_CERT_NICKNAME + "="); + v.addElement(PROP_SIGNED_AUDIT_EVENTS + "="); + //} + + return v; + } + + public Vector getInstanceParams() { + Vector v = new Vector(); + + try { + + if (mType == null) { + v.addElement(PROP_TYPE + "="); + } else { + v.addElement(PROP_TYPE + "=" + + mConfig.getString(PROP_TYPE)); + } + v.addElement(PROP_ON + "=" + String.valueOf(mOn)); + if (mLevel == 0) + v.addElement(PROP_LEVEL + "=" + ILogger.LL_DEBUG_STRING); + else if (mLevel == 1) + v.addElement(PROP_LEVEL + "=" + ILogger.LL_INFO_STRING); + else if (mLevel == 2) + v.addElement(PROP_LEVEL + "=" + ILogger.LL_WARN_STRING); + else if (mLevel == 3) + v.addElement(PROP_LEVEL + "=" + ILogger.LL_FAILURE_STRING); + else if (mLevel == 4) + v.addElement(PROP_LEVEL + "=" + ILogger.LL_MISCONF_STRING); + else if (mLevel == 5) + v.addElement(PROP_LEVEL + "=" + ILogger.LL_CATASTRPHE_STRING); + else if (mLevel == 6) + v.addElement(PROP_LEVEL + "=" + ILogger.LL_SECURITY_STRING); + + if (mFileName == null) { + v.addElement(PROP_FILE_NAME + "="); + } else { + v.addElement(PROP_FILE_NAME + "=" + + mFileName); + } + v.addElement(PROP_BUFFER_SIZE + "=" + 
mBufferSize); + v.addElement(PROP_FLUSH_INTERVAL + "=" + mFlushInterval / 1000); + + if ((mType != null) && mType.equals(ILogger.PROP_SIGNED_AUDIT)) { + v.addElement(PROP_SIGNED_AUDIT_LOG_SIGNING + "=" + + String.valueOf(mLogSigning)); + + if (mSAuditCertNickName == null) { + v.addElement(PROP_SIGNED_AUDIT_CERT_NICKNAME + "="); + } else { + v.addElement(PROP_SIGNED_AUDIT_CERT_NICKNAME + "=" + + mSAuditCertNickName); + } + + if (mSelectedEventsList == null) { + v.addElement(PROP_SIGNED_AUDIT_EVENTS + "="); + } else { + v.addElement(PROP_SIGNED_AUDIT_EVENTS + "=" + + mSelectedEventsList); + } + } + } catch (Exception e) { + } + return v; + } + + public String[] getExtendedPluginInfo(Locale locale) { + if (mType.equals(ILogger.PROP_SIGNED_AUDIT)) { + String[] params = { + PROP_TYPE + + ";choice(transaction,signedAudit,system);The log event type this instance is listening to", + PROP_ON + ";boolean;Turn on the listener", + PROP_LEVEL + ";choice(" + ILogger.LL_DEBUG_STRING + "," + + ILogger.LL_INFO_STRING + "," + + ILogger.LL_WARN_STRING + "," + + ILogger.LL_FAILURE_STRING + "," + + ILogger.LL_MISCONF_STRING + "," + + ILogger.LL_CATASTRPHE_STRING + "," + + ILogger.LL_SECURITY_STRING + + ");Only log message with level higher than this filter will be written by this listener", + PROP_FILE_NAME + ";string;The name of the file the log is written to", + PROP_BUFFER_SIZE + ";integer;The size of the buffer to receive log messages in kilobytes(KB)", + PROP_FLUSH_INTERVAL + + ";integer;The maximum time in seconds before the buffer is flushed to the file", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-logrules-logfile", + IExtendedPluginInfo.HELP_TEXT + + ";Write the log messages to a file", + PROP_SIGNED_AUDIT_LOG_SIGNING + + ";boolean;Enable audit logs to be signed", + PROP_SIGNED_AUDIT_CERT_NICKNAME + + ";string;The nickname of the certificate to be used to sign audit logs", + PROP_SIGNED_AUDIT_EVENTS + + ";string;A comma-separated list of strings used to specify 
particular signed audit log events", + }; + + return params; + } else { + // mType.equals( ILogger.PROP_AUDIT ) || + // mType.equals( ILogger.PROP_SYSTEM ) + String[] params = { + PROP_TYPE + + ";choice(transaction,signedAudit,system);The log event type this instance is listening to", + PROP_ON + ";boolean;Turn on the listener", + PROP_LEVEL + ";choice(" + ILogger.LL_DEBUG_STRING + "," + + ILogger.LL_INFO_STRING + "," + + ILogger.LL_WARN_STRING + "," + + ILogger.LL_FAILURE_STRING + "," + + ILogger.LL_MISCONF_STRING + "," + + ILogger.LL_CATASTRPHE_STRING + "," + + ILogger.LL_SECURITY_STRING + + ");Only log message with level higher than this filter will be written by this listener", + PROP_FILE_NAME + ";string;The name of the file the log is written to", + PROP_BUFFER_SIZE + ";integer;The size of the buffer to receive log messages in kilobytes(KB)", + PROP_FLUSH_INTERVAL + + ";integer;The maximum time in seconds before the buffer is flushed to the file", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-logrules-logfile", + IExtendedPluginInfo.HELP_TEXT + + ";Write the log messages to a file" + }; + + return params; + } + } + + /** + * Signed Audit Log + * + * This method is inherited by all classes that extend this "LogFile" + * class, and is called to store messages to the signed audit log. + *

+ * + * @param msg signed audit log message + */ + protected void audit(String msg) { + // in this case, do NOT strip preceding/trailing whitespace + // from passed-in String parameters + + if (mSignedAuditLogger == null) { + return; + } + + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); + } +} diff --git a/base/common/src/com/netscape/cms/logging/RollingLogFile.java b/base/common/src/com/netscape/cms/logging/RollingLogFile.java new file mode 100644 index 000000000..93455e9fe --- /dev/null +++ b/base/common/src/com/netscape/cms/logging/RollingLogFile.java 
@@ -0,0 +1,658 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.logging; + +import java.io.File; +import java.io.FileNotFoundException; +import java.io.FilenameFilter; +import java.io.IOException; +import java.io.PrintWriter; +import java.util.Hashtable; +import java.util.Locale; +import java.util.Vector; + +import javax.servlet.ServletException; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.logging.ConsoleError; +import com.netscape.certsrv.logging.ELogException; +import com.netscape.certsrv.logging.ILogEvent; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.SystemEvent; +import com.netscape.cmsutil.util.Utils; + +/** + * A rotating log file for Certificate log events. This class loosely follows + * the Netscape Common Log API implementing rollover interval, size and file + * naming conventions. It does not yet implement Disk Usage. 
+ * + * @version $Revision$, $Date$ + */ +public class RollingLogFile extends LogFile { + public static final String PROP_MAX_FILE_SIZE = "maxFileSize"; + public static final String PROP_ROLLOVER_INTERVAL = "rolloverInterval"; + public static final String PROP_EXPIRATION_TIME = "expirationTime"; + + /** + * The default max file size in bytes + */ + static final int MAX_FILE_SIZE = 100; + + /** + * The default rollover interval in seconds + */ + static final String ROLLOVER_INTERVAL = "2592000"; + + /** + * The default expiration time in seconds + */ + static final String EXPIRATION_TIME = "2592000"; + + /** + * The maximum file size in bytes + */ + protected int mMaxFileSize = 0; + + /** + * The amount of time in miniseconds between log rotations + */ + protected long mRolloverInterval = 0; + + /** + * The thread responsible for rotating the log + */ + private Thread mRolloverThread = null; + + /** + * The incrementing backup number for the log file names + */ + private int mFileNumber = 1; + + /** + * The amount of time before a backed up log is removed in milliseconds + */ + protected long mExpirationTime = 0; + + /** + * The thread responsible for removing expired log files + */ + private Thread mExpirationThread = null; + + /** + * The object used as a lock for expiration thread synchronization + */ + private Object mExpLock = new Object(); + + private final static String LOGGING_SIGNED_AUDIT_LOG_DELETE = + "LOGGING_SIGNED_AUDIT_LOG_DELETE_3"; + + /** + * Construct a RollingLogFile + */ + public RollingLogFile() { + } + + /** + * Initialize and open a RollingLogFile using the prop config store + * + * @param config The property config store to find values in + */ + public void init(IConfigStore config) throws IOException, + EBaseException { + super.init(config); + + rl_init(config.getInteger(PROP_MAX_FILE_SIZE, MAX_FILE_SIZE), + config.getString(PROP_ROLLOVER_INTERVAL, ROLLOVER_INTERVAL), + config.getString(PROP_EXPIRATION_TIME, EXPIRATION_TIME)); + } + + /** + 
* Convenience routine to initialized the RollingLogFile specific + * attributes. + */ + protected void rl_init(int maxFileSize, String rolloverInterval, + String expirationTime) { + mMaxFileSize = maxFileSize * 1024; + setRolloverTime(rolloverInterval); + setExpirationTime(expirationTime); + } + + public void startup() throws EBaseException { + super.startup(); + } + + /** + * Shutdown this log file. + */ + public synchronized void shutdown() { + setRolloverTime("0"); + setExpirationTime("0"); + super.shutdown(); + } + + /** + * Set the rollover interval + * + * @param rolloverSeconds The amount of time in seconds until the log + * is rotated. A value of 0 will disable log rollover. + **/ + public synchronized void setRolloverTime(String rolloverSeconds) { + mRolloverInterval = Long.valueOf(rolloverSeconds).longValue() * 1000; + + if ((mRolloverThread == null) && (mRolloverInterval > 0)) { + mRolloverThread = new RolloverThread(); + mRolloverThread.setDaemon(true); + mRolloverThread.start(); + } + + this.notify(); + } + + /** + * Get the rollover interval + * + * @return The interval in seconds in which the log is rotated + **/ + public synchronized int getRolloverTime() { + return (int) (mRolloverInterval / 1000); + } + + /** + * Set the file expiration time + * + * @param expirationSeconds The amount of time in seconds until log files + * are deleted + **/ + public void setExpirationTime(String expirationSeconds) { + + // Need to completely protect changes to mExpiration time + // and make sure they only happen while the thread is sleeping + synchronized (mExpLock) { + mExpirationTime = Long.valueOf(expirationSeconds).longValue() * 1000; + + if (mExpirationThread == null) { + if (mExpirationTime > 0) { + mExpirationThread = new ExpirationThread(); + mExpirationThread.setDaemon(true); + mExpirationThread.start(); + } + } else { + mExpLock.notify(); + } + } + } + + /** + * Get the expiration time + * + * @return The age in seconds in which log files are delete + 
**/ + public int getExpirationTime() { + return (int) (mExpirationTime / 1000); + } + + /** + * Rotate the log file to a backup file with a incrementing integer + * extension + **/ + public synchronized void rotate() + throws IOException { + + //File backupFile = new File(mFileName + "." + mFileNumber); + File backupFile = new File(mFileName + "." + mLogFileDateFormat.format(mDate)); + + // close, backup, and reopen the log file zeroizing its contents + super.close(); + try { + if (Utils.isNT()) { + // NT is very picky on the path + Utils.exec("copy " + + mFile.getCanonicalPath().replace('/', '\\') + + " " + + backupFile.getCanonicalPath().replace('/', + '\\')); + } else { + // Create a copy of the original file which + // preserves the original file permissions. + Utils.exec("cp -p " + mFile.getCanonicalPath() + " " + + backupFile.getCanonicalPath()); + } + + // Zeroize the original file if and only if + // the backup copy was successful. + if (backupFile.exists()) { + + // Make certain that the backup file has + // the correct permissions. + if (!Utils.isNT()) { + Utils.exec("chmod 00640 " + backupFile.getCanonicalPath()); + } + + try { + // Open and close the original file + // to zeroize its contents. + PrintWriter pw = new PrintWriter(mFile); + pw.close(); + + // Make certain that the original file retains + // the correct permissions. + if (!Utils.isNT()) { + Utils.exec("chmod 00640 " + mFile.getCanonicalPath()); + } + } catch (FileNotFoundException e) { + CMS.debug("Unable to zeroize " + + mFile.toString()); + } + } else { + CMS.debug("Unable to backup " + + mFile.toString() + " to " + + backupFile.toString()); + } + } catch (Exception e) { + CMS.debug("Unable to backup " + + mFile.toString() + " to " + + backupFile.toString()); + } + super.open(); // will reset mBytesWritten + mFileNumber++; + } + + /** + * Remove any log files which have not been modified in the specified + * time + *

+ * + * NOTE: automatic removal of log files is currently NOT supported! + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_LOG_DELETE used AFTER audit log expires (authorization should not allow, + * but in case authorization gets compromised make sure it is written AFTER the log expiration happens) + *
+ * + * @param expirationSeconds The number of seconds since the expired files + * have been modified. + * @return the time in milliseconds when the next file expires + **/ + public long expire(long expirationSeconds) throws ELogException { + String auditMessage = null; + + if (expirationSeconds <= 0) + throw new ELogException(CMS.getUserMessage("CMS_LOG_EXPIRATION_TIME_ZERO")); + + long expirationTime = expirationSeconds * 1000; + long currentTime = System.currentTimeMillis(); + long oldestFile = currentTime; + + String dirName = mFile.getParent(); + + if (dirName == null) + dirName = "."; + File dir = new File(dirName); + + // Get just the base name, minus the .date extension + //int len = mFile.getName().length() - LogFile.DATE_PATTERN.length() - 1; + //String baseName = mFile.getName().substring(0, len); + String fileName = mFile.getName(); + String baseName = null, pathName = null; + int index = fileName.lastIndexOf("/"); + + if (index != -1) { // "/" exist in fileName + pathName = fileName.substring(0, index); + baseName = fileName.substring(index + 1); + dirName = dirName.concat("/" + pathName); + } else { // "/" NOT exist in fileName + baseName = fileName; + } + + fileFilter ff = new fileFilter(baseName + "."); + String[] filelist = dir.list(ff); + + if (filelist == null) { // Crap! Something is wrong. + throw new ELogException(CMS.getUserMessage("CMS_LOG_DIRECTORY_LIST_FAILED", + dirName, ff.toString())); + } + + // Walk through the list of files which match this log file name + // and delete the old ones. + for (int i = 0; i < filelist.length; i++) { + if (pathName != null) { + filelist[i] = pathName + "/" + filelist[i]; + } else { + filelist[i] = dirName + "/" + filelist[i]; + } + + String fullname = dirName + File.separatorChar + filelist[i]; + File file = new File(fullname); + long fileTime = file.lastModified(); + + // Java documentation on File says lastModified() should not + // be interpeted. The doc is wrong. 
See JavaSoft bug #4094538 + if ((currentTime - fileTime) > expirationTime) { + file.delete(); + + if (file.exists()) { + // log failure in deleting an expired signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_DELETE, + ILogger.SYSTEM_UID, + ILogger.FAILURE, + fullname); + } else { + // log success in deleting an expired signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_DELETE, + ILogger.SYSTEM_UID, + ILogger.SUCCESS, + fullname); + } + + audit(auditMessage); + } else if (fileTime < oldestFile) { + oldestFile = fileTime; + } + } + return oldestFile + expirationTime; + } + + // + // Rollover and Expiration threads + // + // At first glance you may think it's a waste of thread resources to have + // two threads for every log file, but the truth is that these threads are + // sleeping 99% of the time. NxN thread implementations (Solaris, NT, + // IRIX 6.4, Unixware, etc...) will handle these in user space. + // + // You may be able to join these into one thread, and deal with + // multiple wakeup times, but the code would sure look ugly, and the race + // conditions are numerous as is. Furthermore, this is what user space + // threads will do for you anyways. + // + + /** + * Log rotation thread. Sleep for the rollover interval and rotate the + * log. Changing rollover interval to 0 will cause this thread to exit. 
+ */ + final class RolloverThread extends Thread { + + /** + * Rollover thread constructor including thread name + */ + public RolloverThread() { + super(); + super.setName(mFileName + ".rollover-" + (Thread.activeCount() + 1)); + } + + public void run() { + while (mRolloverInterval > 0) { + // Sleep for the interval and then rotate the log + synchronized (RollingLogFile.this) { + try { + RollingLogFile.this.wait(mRolloverInterval); + } catch (InterruptedException e) { + // This shouldn't happen very often + CMS.getLogger().getLogQueue().log(new + SystemEvent(CMS.getUserMessage("CMS_LOG_THREAD_INTERRUPT", "rollover"))); + } + } + + if (mRolloverInterval == 0) { + break; + } + + if (mBytesWritten > 0) { + try { + rotate(); + } catch (IOException e) { + ConsoleError.send(new + SystemEvent(CMS.getUserMessage("CMS_LOG_ROTATE_LOG_FAILED", mFile.getName(), + e.toString()))); + break; + } + } + // else + // Don't rotate empty logs + // flag in log summary file? + } + mRolloverThread = null; + } + } + + /** + * Log expiration thread. Sleep for the expiration interval and + * delete any files which are too old. + * Changing expiration interval to 0 will cause this thread to exit. 
+ */ + final class ExpirationThread extends Thread { + + /** + * ExpirationThread thread constructor including thread name + */ + public ExpirationThread() { + super(); + super.setName(mFileName + ".expiration-" + (Thread.activeCount() + 1)); + } + + public void run() { + synchronized (mExpLock) { + while (mExpirationTime > 0) { + long wakeupTime = 0; + long sleepTime = 0; + + // First, remove any old log files and figure out when the + // next one expires + try { + wakeupTime = expire((long) (mExpirationTime / 1000)); + } catch (SecurityException e) { + ConsoleError.send(new + SystemEvent(CMS.getUserMessage("CMS_LOG_EXPIRE_LOG_FAILED", e.toString()))); + break; + } catch (ELogException e) { + ConsoleError.send(new + SystemEvent(CMS.getUserMessage("CMS_LOG_EXPIRE_LOG_FAILED", e.toString()))); + break; + } + + sleepTime = wakeupTime - System.currentTimeMillis(); + //System.out.println("wakeup " + wakeupTime); + //System.out.println("current "+System.currentTimeMillis()); + //System.out.println("sleep " + sleepTime); + // Sleep for the interval and then check the directory + // Note: mExpirationTime can only change while we're + // sleeping + if (sleepTime > 0) { + try { + mExpLock.wait(sleepTime); + } catch (InterruptedException e) { + // This shouldn't happen very often + ConsoleError.send(new + SystemEvent(CMS.getUserMessage("CMS_LOG_THREAD_INTERRUPT", "expiration"))); + } + } + } + } + mExpirationThread = null; + } + } + + /** + * Write an event to the log file + * + * @param ev The event to be logged. + **/ + public synchronized void log(ILogEvent ev) throws ELogException { + //xxx, Shall we log first without checking if it exceed the maximum? 
+ super.log(ev); // Will increment mBytesWritten + + if ((0 != mMaxFileSize) && (mBytesWritten > mMaxFileSize)) { + flush(); + try { + rotate(); + } catch (IOException e) { + throw new ELogException(CMS.getUserMessage("CMS_LOG_ROTATE_LOG_FAILED", mFile.getName(), e.toString())); + } + } + } + + /** + * Retrieve log file list. + */ + public synchronized NameValuePairs retrieveLogList(Hashtable req + ) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + String[] files = null; + + files = fileList(); + for (int i = 0; i < files.length; i++) { + params.put(files[i], ""); + } + return params; + } + + /** + * Get the log file list in the log directory + * + * @return an array of filenames with related path to cert server root + */ + protected String[] fileList() { + String pathName = null, baseName = null; + + String dirName = mFile.getParent(); + String fileName = mFile.getName(); + int index = fileName.lastIndexOf("/"); + + if (index != -1) { // "/" exist in fileName + pathName = fileName.substring(0, index); + baseName = fileName.substring(index + 1); + if (dirName == null) { + dirName = pathName; + } else { + dirName = dirName.concat("/" + pathName); + } + } else { // "/" NOT exist in fileName + baseName = fileName; + } + + File dir = new File(dirName); + + fileFilter ff = new fileFilter(baseName + "."); + //There are some difference here. both should work + //error,logs,logs/error jdk115 + //logs/system,., logs/system jdk116 + //System.out.println(mFile.getName()+","+dirName+","+mFile.getPath()); //log/system,. 
+ + String[] filelist = dir.list(ff); + + for (int i = 0; i < filelist.length; i++) { + if (pathName != null) { + filelist[i] = pathName + "/" + filelist[i]; + } else { + filelist[i] = dirName + "/" + filelist[i]; + } + } + return filelist; + } + + public String getImplName() { + return "RollingLogFile"; + } + + public String getDescription() { + return "RollingLogFile"; + } + + public Vector getDefaultParams() { + Vector v = super.getDefaultParams(); + + v.addElement(PROP_MAX_FILE_SIZE + "="); + v.addElement(PROP_ROLLOVER_INTERVAL + "="); + //v.addElement(PROP_EXPIRATION_TIME + "="); + return v; + } + + public Vector getInstanceParams() { + Vector v = super.getInstanceParams(); + + try { + v.addElement(PROP_MAX_FILE_SIZE + "=" + mMaxFileSize / 1024); + if (mRolloverInterval / 1000 <= 60 * 60) + v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Hourly"); + else if (mRolloverInterval / 1000 <= 60 * 60 * 24) + v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Daily"); + else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 7) + v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Weekly"); + else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 30) + v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Monthly"); + else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 366) + v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Yearly"); + + //v.addElement(PROP_EXPIRATION_TIME + "=" + mExpirationTime / 1000); + } catch (Exception e) { + } + return v; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] p = super.getExtendedPluginInfo(locale); + Vector info = new Vector(); + + for (int i = 0; i < p.length; i++) { + if (!p[i].startsWith(IExtendedPluginInfo.HELP_TOKEN) && !p[i].startsWith(IExtendedPluginInfo.HELP_TEXT)) + info.addElement(p[i]); + } + info.addElement(PROP_MAX_FILE_SIZE + + ";integer;If the current log file size if bigger than this parameter in kilobytes(KB), the file will be rotated."); + info.addElement(PROP_ROLLOVER_INTERVAL + + 
";choice(Hourly,Daily,Weekly,Monthly,Yearly);The frequency of the log being rotated."); + info.addElement(PROP_EXPIRATION_TIME + + ";integer;The amount of time before a backed up log is removed in seconds"); + info.addElement(IExtendedPluginInfo.HELP_TOKEN + + //";configuration-logrules-rollinglogfile"); + ";configuration-adminbasics"); + info.addElement(IExtendedPluginInfo.HELP_TEXT + + ";Write the log messages to a file which will be rotated automatically."); + String[] params = new String[info.size()]; + + info.copyInto(params); + return params; + + } +} + +/** + * A file filter to select the file with a given prefix + */ +class fileFilter implements FilenameFilter { + String patternToMatch = null; + + public fileFilter(String pattern) { + patternToMatch = pattern; + } + + public boolean accept(File dir, String name) { + if (name.startsWith(patternToMatch)) + return true; + else + return false; + } +} diff --git a/base/common/src/com/netscape/cms/notification/MailNotification.java b/base/common/src/com/netscape/cms/notification/MailNotification.java new file mode 100644 index 000000000..ef09d8f71 --- /dev/null +++ b/base/common/src/com/netscape/cms/notification/MailNotification.java 
@@ -0,0 +1,197 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.notification; + +import java.io.IOException; +import java.io.PrintStream; +import java.util.Vector; + +import netscape.net.smtp.SmtpClient; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.notification.ENotificationException; +import com.netscape.certsrv.notification.IMailNotification; + +/** + * This class handles mail notification via SMTP. + * This class uses smtp.host in the configuration for smtp + * host. The port default (25) is used. 
If no smtp specified, local + * host is used + * + * @version $Revision$, $Date$ + */ +public class MailNotification implements IMailNotification { + private ILogger mLogger = CMS.getLogger(); + protected final static String PROP_SMTP_SUBSTORE = "smtp"; + protected final static String PROP_HOST = "host"; + + private String mHost = null; + + private String mFrom = null; + private String mTo = null; + private String mSubject = null; + private String mContent = null; + private String mContentType = null; + + public MailNotification() { + if (mHost == null) { + try { + IConfigStore mConfig = + CMS.getConfigStore(); + + IConfigStore c = + mConfig.getSubStore(PROP_SMTP_SUBSTORE); + + if (c == null) { + return; + } + mHost = c.getString(PROP_HOST); + + // log it + // if (mHost !=null) { + // String msg =" using external SMTP host: "+mHost; + // CMS.debug("MailNotification: " + msg); + //} + } catch (Exception e) { + // don't care + } + } + } + + /** + * send one message to one or more addressees + */ + public void sendNotification() throws IOException, ENotificationException { + // create smtp client + SmtpClient sc = null; + + if (!mHost.equals("")) { + sc = new SmtpClient(mHost); + } else { + sc = new SmtpClient(); + } + + // set "from", message subject + if ((mFrom != null) && (!mFrom.equals(""))) + sc.from(mFrom); + else { + throw new ENotificationException( + CMS.getUserMessage("CMS_NOTIFICATION_NO_SMTP_SENDER")); + } + + // set "to" + if ((mTo != null) && (!mTo.equals(""))) { + log(ILogger.LL_INFO, "mail to be sent to " + mTo); + sc.to(mTo); + } else { + throw new ENotificationException( + CMS.getUserMessage("CMS_NOTIFICATION_NO_SMTP_RECEIVER")); + } + + // set message content + PrintStream msgStream = sc.startMessage(); + + if (mContentType != null) { + msgStream.print("From: " + mFrom + "\n"); + msgStream.print("MIME-Version: 1.0\n"); + msgStream.print("To: " + mTo + "\n"); + msgStream.print(mSubject + "\n"); + msgStream.print(mContentType + "\n"); + } else { + 
msgStream.print("From: " + mFrom + "\n"); + msgStream.print("To: " + mTo + "\n"); + msgStream.print(mSubject + "\n"); + } + msgStream.print("\r\n"); + msgStream.print(mContent + "\r\n"); + + // send + try { + sc.closeServer(); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + throw new ENotificationException( + CMS.getUserMessage("CMS_NOTIFICATION_SMTP_SEND_FAILED", mTo)); + } + } + + /** + * sets the "From" field + * + * @param from email address of the sender + */ + public void setFrom(String from) { + mFrom = from; + } + + /** + * sets the "Subject" field + * + * @param subject subject of the email + */ + public void setSubject(String subject) { + mSubject = "Subject: " + subject; + } + + /** + * sets the "Content-Type" field + * + * @param contentType content type of the email + */ + public void setContentType(String contentType) { + mContentType = "Content-Type: " + contentType; + } + + /** + * sets the content of the email + * + * @param content the message content + */ + public void setContent(String content) { + mContent = content; + } + + /** + * sets the recipients' email addresses + * + * @param addresses a list of email addresses of the recipients + */ + public void setTo(Vector addresses) { + // concatenate addresses into comma separated mTo String + + } + + /** + * sets the recipient's email address + * + * @param to address of the recipient email address + */ + public void setTo(String to) { + mTo = to; + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_OTHER, + level, "MailNotification: " + msg); + } + +} diff --git a/base/common/src/com/netscape/cms/ocsp/DefStore.java b/base/common/src/com/netscape/cms/ocsp/DefStore.java new file mode 100644 index 000000000..21f7023d8 --- /dev/null +++ b/base/common/src/com/netscape/cms/ocsp/DefStore.java 
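Review bot: sendNotification() dereferences mHost with `if (!mHost.equals(""))`, but the constructor leaves mHost null whenever the smtp substore is absent or getString throws (the catch is empty), so a server with no smtp.host configured gets a NullPointerException instead of the local-host fallback the class comment promises; `if (mHost != null && !mHost.equals(""))` restores that path. The header block is also written by plain concatenation — `msgStream.print("To: " + mTo + "\n")` and the prefixed mSubject/mContentType — so a from, to, subject or content-type value containing CR or LF would inject extra headers or terminate the header block early; the setters should reject such values, e.g. `if (to.indexOf('\r') >= 0 || to.indexOf('\n') >= 0) throw new IllegalArgumentException("CR/LF not allowed in recipient");`, and the header lines should end with "\r\n" like the body does. setTo(Vector) has an empty body, so a caller that passes a list of addresses silently ends up with CMS_NOTIFICATION_NO_SMTP_RECEIVER; either join the vector with ", " into mTo or document it as unimplemented.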
@@ -0,0 +1,953 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.ocsp; + +import java.math.BigInteger; +import java.security.MessageDigest; +import java.security.cert.X509CRL; +import java.security.cert.X509CRLEntry; +import java.util.Date; +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.RevokedCertificate; +import netscape.security.x509.X509CRLImpl; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509Key; + +import org.mozilla.jss.asn1.ASN1Util; +import org.mozilla.jss.asn1.GeneralizedTime; +import org.mozilla.jss.asn1.INTEGER; +import org.mozilla.jss.asn1.OCTET_STRING; +import org.mozilla.jss.pkix.cert.Extension; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.common.Constants; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.dbs.IDBSSession; +import com.netscape.certsrv.dbs.IDBSearchResults; +import 
com.netscape.certsrv.dbs.IDBSubsystem; +import com.netscape.certsrv.dbs.Modification; +import com.netscape.certsrv.dbs.ModificationSet; +import com.netscape.certsrv.dbs.certdb.ICertRecord; +import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; +import com.netscape.certsrv.dbs.repository.IRepositoryRecord; +import com.netscape.certsrv.logging.AuditFormat; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.ocsp.IDefStore; +import com.netscape.certsrv.ocsp.IOCSPAuthority; +import com.netscape.certsrv.util.IStatsSubsystem; +import com.netscape.cmsutil.ocsp.BasicOCSPResponse; +import com.netscape.cmsutil.ocsp.CertID; +import com.netscape.cmsutil.ocsp.CertStatus; +import com.netscape.cmsutil.ocsp.GoodInfo; +import com.netscape.cmsutil.ocsp.OCSPRequest; +import com.netscape.cmsutil.ocsp.OCSPResponse; +import com.netscape.cmsutil.ocsp.OCSPResponseStatus; +import com.netscape.cmsutil.ocsp.ResponderID; +import com.netscape.cmsutil.ocsp.ResponseBytes; +import com.netscape.cmsutil.ocsp.ResponseData; +import com.netscape.cmsutil.ocsp.RevokedInfo; +import com.netscape.cmsutil.ocsp.SingleResponse; +import com.netscape.cmsutil.ocsp.TBSRequest; +import com.netscape.cmsutil.ocsp.UnknownInfo; + +/** + * This is the default OCSP store that stores revocation information + * as certificate record (CMS internal data structure). + * + * @version $Revision$, $Date$ + */ +public class DefStore implements IDefStore, IExtendedPluginInfo { + + // refreshInSec is useful in the master-clone situation. 
+ // clone does not know that the CRL has been updated in + // the master (by default no refresh) + private static final String PROP_USE_CACHE = "useCache"; + + private static final String PROP_REFRESH_IN_SEC = "refreshInSec"; + private static final int DEF_REFRESH_IN_SEC = 0; + + public static final BigInteger BIG_ZERO = new BigInteger("0"); + public static final Long MINUS_ONE = Long.valueOf(-1); + + private final static String PROP_BY_NAME = + "byName"; + private final static String PROP_WAIT_ON_CRL_UPDATE = + "waitOnCRLUpdate"; + private final static String PROP_NOT_FOUND_GOOD = "notFoundAsGood"; + private final static String PROP_INCLUDE_NEXT_UPDATE = + "includeNextUpdate"; + + protected Hashtable mReqCounts = new Hashtable(); + protected boolean mNotFoundGood = true; + protected boolean mUseCache = true; + protected boolean mByName = true; + protected boolean mIncludeNextUpdate = false; + protected Hashtable mCacheCRLIssuingPoints = new Hashtable(); + private IOCSPAuthority mOCSPAuthority = null; + private IConfigStore mConfig = null; + private String mId = null; + private IDBSubsystem mDBService = null; + private int mStateCount = 0; + + /** + * Constructs the default store. 
+ */ + public DefStore() { + } + + public String[] getExtendedPluginInfo(Locale locale) { + Vector v = new Vector(); + + v.addElement(PROP_NOT_FOUND_GOOD + + ";boolean; " + CMS.getUserMessage(locale, "CMS_OCSP_DEFSTORE_PROP_NOT_FOUND_GOOD")); + v.addElement(PROP_BY_NAME + ";boolean; " + CMS.getUserMessage(locale, "CMS_OCSP_DEFSTORE_PROP_BY_NAME")); + v.addElement(PROP_INCLUDE_NEXT_UPDATE + + ";boolean; " + CMS.getUserMessage(locale, "CMS_OCSP_DEFSTORE_PROP_INCLUDE_NEXT_UPDATE")); + v.addElement(IExtendedPluginInfo.HELP_TEXT + "; " + CMS.getUserMessage(locale, "CMS_OCSP_DEFSTORE_DESC")); + v.addElement(IExtendedPluginInfo.HELP_TOKEN + ";configuration-ocspstores-defstore"); + return com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); + } + + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mOCSPAuthority = (IOCSPAuthority) owner; + mConfig = config; + + mDBService = (IDBSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_DBS); + + // Standalone OCSP server only stores information about revoked + // certificates. So there is no way for the OCSP server to + // tell if a certificate is good (issued) or not. + // When an OCSP client asks the status of a certificate, + // the OCSP server by default returns GOOD. If the server + // returns UNKNOWN, the OCSP client (browser) will display + // a error dialog that confuses the end-user. + // + // OCSP response can return unknown or good when a certificate + // is not revoked. + mNotFoundGood = mConfig.getBoolean(PROP_NOT_FOUND_GOOD, true); + + mUseCache = mConfig.getBoolean(PROP_USE_CACHE, true); + + mByName = mConfig.getBoolean(PROP_BY_NAME, true); + + // To include next update in the OCSP response. If included, + // PSM (client) will check to see if the revoked information + // is too old or not + mIncludeNextUpdate = mConfig.getBoolean(PROP_INCLUDE_NEXT_UPDATE, + false); + + // init web gateway. 
+ initWebGateway(); + + /** + * DeleteOldCRLsThread t = new DeleteOldCRLsThread(this); + * t.start(); + **/ + // deleteOldCRLs(); + } + + /** + * init web gateway - just gets the ee gateway for this CA. + */ + private void initWebGateway() + throws EBaseException { + } + + public IRepositoryRecord createRepositoryRecord() { + return CMS.createRepositoryRecord(); + } + + /** + * Returns to the client once the CRL is received. + */ + public boolean waitOnCRLUpdate() { + boolean defaultVal = true; + + try { + return mConfig.getBoolean(PROP_WAIT_ON_CRL_UPDATE, defaultVal); + } catch (EBaseException e) { + return defaultVal; + } + } + + public boolean includeNextUpdate() { + return mIncludeNextUpdate; + } + + public boolean isNotFoundGood() { + return mNotFoundGood; + } + + public long getReqCount(String id) { + Long c = (Long) mReqCounts.get(id); + + if (c == null) + return 0; + else + return c.longValue(); + } + + public void incReqCount(String id) { + mReqCounts.put(id, Long.valueOf(getReqCount(id) + 1)); + } + + /** + * This store will not delete the old CRL until the + * new one is totally committed. + */ + public void deleteOldCRLs() throws EBaseException { + Enumeration recs = searchCRLIssuingPointRecord( + "objectclass=" + + CMS.getCRLIssuingPointRecordName(), + 100); + while (recs.hasMoreElements()) { + ICRLIssuingPointRecord rec = recs.nextElement(); + deleteOldCRLsInCA(rec.getId()); + } + } + + public void deleteOldCRLsInCA(String caName) throws EBaseException { + IDBSSession s = mDBService.createSession(); + + try { + ICRLIssuingPointRecord cp = (ICRLIssuingPointRecord) + readCRLIssuingPoint(caName); + + if (cp == null) + return; // nothing to do + if (cp.getThisUpdate() == null) + return; // nothing to do + String thisUpdate = Long.toString( + cp.getThisUpdate().getTime()); + Enumeration e = searchRepository( + caName, + "(!" 
+ IRepositoryRecord.ATTR_SERIALNO + "=" + + thisUpdate + ")"); + + while (e != null && e.hasMoreElements()) { + IRepositoryRecord r = e.nextElement(); + Enumeration recs = + searchCertRecord(caName, + r.getSerialNumber().toString(), + ICertRecord.ATTR_ID + "=*"); + + log(ILogger.LL_INFO, "remove CRL 0x" + + r.getSerialNumber().toString(16) + + " of " + caName); + String rep_dn = "ou=" + + r.getSerialNumber().toString() + + ",cn=" + transformDN(caName) + "," + + getBaseDN(); + + while (recs != null && recs.hasMoreElements()) { + ICertRecord rec = (ICertRecord) recs.nextElement(); + String cert_dn = "cn=" + + rec.getSerialNumber().toString() + "," + rep_dn; + + s.delete(cert_dn); + } + s.delete(rep_dn); + } + } finally { + if (s != null) + s.close(); + } + } + + public void log(int event, int level, String msg) { + mOCSPAuthority.log(event, level, msg); + } + + public void log(int level, String msg) { + mOCSPAuthority.log(level, msg); + } + + public void startup() throws EBaseException { + int refresh = mConfig.getInteger(PROP_REFRESH_IN_SEC, + DEF_REFRESH_IN_SEC); + if (refresh > 0) { + DefStoreCRLUpdater updater = + new DefStoreCRLUpdater(mCacheCRLIssuingPoints, refresh); + updater.start(); + } + } + + public void shutdown() { + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + public void setId(String id) throws EBaseException { + mId = id; + } + + public String getId() { + return mId; + } + + /** + * Validate an OCSP request. 
+ */ + public OCSPResponse validate(OCSPRequest request) + throws EBaseException { + + IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); + + mOCSPAuthority.incNumOCSPRequest(1); + long startTime = CMS.getCurrentDate().getTime(); + try { + mOCSPAuthority.log(ILogger.LL_INFO, "start OCSP request"); + TBSRequest tbsReq = request.getTBSRequest(); + + // (3) look into database to check the + // certificate's status + Vector singleResponses = new Vector(); + if (statsSub != null) { + statsSub.startTiming("lookup"); + } + + long lookupStartTime = CMS.getCurrentDate().getTime(); + for (int i = 0; i < tbsReq.getRequestCount(); i++) { + com.netscape.cmsutil.ocsp.Request req = + tbsReq.getRequestAt(i); + CertID cid = req.getCertID(); + SingleResponse sr = processRequest(cid); + + singleResponses.addElement(sr); + } + long lookupEndTime = CMS.getCurrentDate().getTime(); + if (statsSub != null) { + statsSub.endTiming("lookup"); + } + mOCSPAuthority.incLookupTime(lookupEndTime - lookupStartTime); + + if (singleResponses.size() <= 0) { + CMS.debug("DefStore: No Request Found"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_REQUEST_FAILURE", "No Request Found")); + return null; + } + if (statsSub != null) { + statsSub.startTiming("build_response"); + } + SingleResponse res[] = new SingleResponse[singleResponses.size()]; + + singleResponses.copyInto(res); + + ResponderID rid = null; + + if (mByName) { + rid = mOCSPAuthority.getResponderIDByName(); + } else { + rid = mOCSPAuthority.getResponderIDByHash(); + } + + Extension nonce[] = null; + + for (int j = 0; j < tbsReq.getExtensionsCount(); j++) { + Extension thisExt = tbsReq.getRequestExtensionAt(j); + + if (thisExt.getExtnId().equals(IOCSPAuthority.OCSP_NONCE)) { + nonce = new Extension[1]; + nonce[0] = thisExt; + } + } + + ResponseData rd = new ResponseData(rid, + new GeneralizedTime(CMS.getCurrentDate()), res, nonce); + if (statsSub != null) { + statsSub.endTiming("build_response"); + } + + if (statsSub 
!= null) { + statsSub.startTiming("signing"); + } + long signStartTime = CMS.getCurrentDate().getTime(); + BasicOCSPResponse basicRes = mOCSPAuthority.sign(rd); + long signEndTime = CMS.getCurrentDate().getTime(); + if (statsSub != null) { + statsSub.endTiming("signing"); + } + mOCSPAuthority.incSignTime(signEndTime - signStartTime); + + OCSPResponse response = new OCSPResponse( + OCSPResponseStatus.SUCCESSFUL, + new ResponseBytes(ResponseBytes.OCSP_BASIC, + new OCTET_STRING(ASN1Util.encode(basicRes)))); + + log(ILogger.LL_INFO, "done OCSP request"); + long endTime = CMS.getCurrentDate().getTime(); + mOCSPAuthority.incTotalTime(endTime - startTime); + return response; + } catch (Exception e) { + CMS.debug("DefStore: validation failed " + e.toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_REQUEST_FAILURE", e.toString())); + return null; + } + } + + /** + * Check against the database for status. + */ + private SingleResponse processRequest(CertID cid) { + // need to find the right CA + + CMS.debug("DefStore: process request"); + try { + // cache result to speed up the performance + X509CertImpl theCert = null; + X509CRLImpl theCRL = null; + ICRLIssuingPointRecord theRec = null; + byte keyhsh[] = cid.getIssuerKeyHash().toByteArray(); + CRLIPContainer matched = (CRLIPContainer) + mCacheCRLIssuingPoints.get(new String(keyhsh)); + + if (matched == null) { + Enumeration recs = searchCRLIssuingPointRecord( + "objectclass=" + + CMS.getCRLIssuingPointRecordName(), + 100); + + while (recs.hasMoreElements()) { + ICRLIssuingPointRecord rec = recs.nextElement(); + byte certdata[] = rec.getCACert(); + X509CertImpl cert = null; + + try { + cert = new X509CertImpl(certdata); + } catch (Exception e) { + // error + log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_DECODE_CERT", e.toString())); + return null; + } + MessageDigest md = MessageDigest.getInstance( + mOCSPAuthority.getDigestName(cid.getHashAlgorithm())); + X509Key key = (X509Key) cert.getPublicKey(); + byte 
digest[] = md.digest(key.getKey()); + + if (mOCSPAuthority.arraysEqual(digest, keyhsh)) { + theCert = cert; + theRec = rec; + incReqCount(theRec.getId()); + byte crldata[] = rec.getCRL(); + + if (rec.getCRLCache() == null) { + CMS.debug("DefStore: start building x509 crl impl"); + try { + theCRL = new X509CRLImpl(crldata); + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_DECODE_CRL", e.toString())); + } + CMS.debug("DefStore: done building x509 crl impl"); + } else { + CMS.debug("DefStore: using crl cache"); + } + mCacheCRLIssuingPoints.put(new String(digest), new CRLIPContainer(theRec, theCert, theCRL)); + break; + } + } + } else { + theCert = matched.getX509CertImpl(); + theRec = matched.getCRLIssuingPointRecord(); + theCRL = matched.getX509CRLImpl(); + incReqCount(theRec.getId()); + } + + // check the serial number + if (theCert != null) { + INTEGER serialNo = cid.getSerialNumber(); + + log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Checked Status of certificate 0x" + serialNo.toString(16)); + CMS.debug("DefStore: process request 0x" + serialNo.toString(16)); + CertStatus certStatus = null; + GeneralizedTime thisUpdate = null; + + if (theRec == null) { + thisUpdate = new GeneralizedTime(CMS.getCurrentDate()); + } else { + thisUpdate = new GeneralizedTime( + theRec.getThisUpdate()); + } + GeneralizedTime nextUpdate = null; + + if (includeNextUpdate()) { + // this is an optional field + if (theRec == null) { + nextUpdate = new GeneralizedTime(CMS.getCurrentDate()); + } else { + nextUpdate = new GeneralizedTime( + theRec.getNextUpdate()); + } + } + + if (theCRL == null) { + certStatus = new UnknownInfo(); + + // if crl is not available, we can try crl cache + if (theRec != null) { + CMS.debug("DefStore: evaluating crl cache"); + Hashtable cache = theRec.getCRLCacheNoClone(); + if (cache != null) { + RevokedCertificate rc = (RevokedCertificate) + cache.get(new BigInteger(serialNo.toString())); + if (rc == null) { + if (isNotFoundGood()) { + 
certStatus = new GoodInfo(); + } else { + certStatus = new UnknownInfo(); + } + } else { + + certStatus = new RevokedInfo( + new GeneralizedTime( + rc.getRevocationDate())); + } + } + } + + } else { + CMS.debug("DefStore: evaluating x509 crl impl"); + X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString())); + + if (crlentry == null) { + // good or unknown + if (isNotFoundGood()) { + certStatus = new GoodInfo(); + } else { + certStatus = new UnknownInfo(); + } + } else { + certStatus = new RevokedInfo(new GeneralizedTime( + crlentry.getRevocationDate())); + + } + } + return new SingleResponse(cid, certStatus, thisUpdate, + nextUpdate); + } + } catch (Exception e) { + // error log + CMS.debug("DefStore: failed processing request e=" + e); + } + return null; + } + + private String transformDN(String dn) { + String newdn = dn; + + newdn = newdn.replace(',', '_'); + newdn = newdn.replace('=', '-'); + return newdn; + } + + public String getBaseDN() { + return mDBService.getBaseDN(); + } + + public Enumeration searchAllCRLIssuingPointRecord(int maxSize) + throws EBaseException { + return searchCRLIssuingPointRecord( + "objectclass=" + + CMS.getCRLIssuingPointRecordName(), + maxSize); + } + + public Enumeration searchCRLIssuingPointRecord(String filter, + int maxSize) + throws EBaseException { + IDBSSession s = mDBService.createSession(); + Vector v = new Vector(); + + try { + IDBSearchResults sr = s.search(getBaseDN(), filter, maxSize); + while (sr.hasMoreElements()) { + v.add((ICRLIssuingPointRecord) sr.nextElement()); + } + } finally { + if (s != null) + s.close(); + } + return v.elements(); + } + + public synchronized void modifyCRLIssuingPointRecord(String name, + ModificationSet mods) throws EBaseException { + IDBSSession s = mDBService.createSession(); + + try { + String dn = "cn=" + + transformDN(name) + "," + getBaseDN(); + + s.modify(dn, mods); + } catch (EBaseException e) { + CMS.debug("modifyCRLIssuingPointRecord: error=" + e); 
+ CMS.debug(e); + throw e; + } finally { + if (s != null) + s.close(); + } + } + + /** + * Returns an issuing point. + */ + public ICRLIssuingPointRecord readCRLIssuingPoint(String name) + throws EBaseException { + IDBSSession s = mDBService.createSession(); + ICRLIssuingPointRecord rec = null; + + try { + String dn = "cn=" + + transformDN(name) + "," + getBaseDN(); + + if (s != null) { + rec = (ICRLIssuingPointRecord) s.read(dn); + } + } finally { + if (s != null) + s.close(); + } + return rec; + } + + public ICRLIssuingPointRecord createCRLIssuingPointRecord( + String name, BigInteger crlNumber, + Long crlSize, Date thisUpdate, Date nextUpdate) { + return CMS.createCRLIssuingPointRecord( + name, crlNumber, crlSize, thisUpdate, nextUpdate); + } + + public void deleteCRLIssuingPointRecord(String id) + throws EBaseException { + + IDBSSession s = null; + + try { + s = mDBService.createSession(); + String name = "cn=" + transformDN(id) + "," + getBaseDN(); + CMS.debug("DefStore::deleteCRLIssuingPointRecord: Attempting to delete: " + name); + if (s != null) + s.delete(name); + } finally { + if (s != null) + s.close(); + } + } + + /** + * Creates a new issuing point in OCSP. + */ + public void addCRLIssuingPoint(String name, ICRLIssuingPointRecord rec) + throws EBaseException { + IDBSSession s = mDBService.createSession(); + + try { + String dn = "cn=" + + transformDN(name) + "," + getBaseDN(); + + s.add(dn, (ICRLIssuingPointRecord) rec); + } finally { + if (s != null) + s.close(); + } + } + + public Enumeration searchRepository(String name, String filter) + throws EBaseException { + IDBSSession s = mDBService.createSession(); + Vector v = new Vector(); + + try { + IDBSearchResults sr = s.search("cn=" + transformDN(name) + "," + getBaseDN(), + filter); + while (sr.hasMoreElements()) { + v.add((IRepositoryRecord) sr.nextElement()); + } + } finally { + if (s != null) + s.close(); + } + return v.elements(); + } + + /** + * Creates a new issuing point in OCSP. 
+ */ + public void addRepository(String name, String thisUpdate, + IRepositoryRecord rec) + throws EBaseException { + IDBSSession s = mDBService.createSession(); + + try { + String dn = "ou=" + thisUpdate + ",cn=" + + transformDN(name) + "," + getBaseDN(); + + s.add(dn, rec); + } finally { + if (s != null) + s.close(); + } + } + + public void modifyCertRecord(String name, String thisUpdate, + String sno, + ModificationSet mods) throws EBaseException { + IDBSSession s = mDBService.createSession(); + + try { + String dn = "cn=" + sno + ",ou=" + thisUpdate + + ",cn=" + transformDN(name) + "," + getBaseDN(); + + if (s != null) + s.modify(dn, mods); + } finally { + if (s != null) + s.close(); + } + } + + public Enumeration searchCertRecord(String name, String thisUpdate, + String filter) throws EBaseException { + IDBSSession s = mDBService.createSession(); + Vector v = new Vector(); + + try { + IDBSearchResults sr = s.search("ou=" + thisUpdate + ",cn=" + + transformDN(name) + "," + getBaseDN(), + filter); + while (sr.hasMoreElements()) { + v.add((ICertRecord) sr.nextElement()); + } + } finally { + if (s != null) + s.close(); + } + return v.elements(); + } + + public ICertRecord readCertRecord(String name, String thisUpdate, + String sno) + throws EBaseException { + IDBSSession s = mDBService.createSession(); + ICertRecord rec = null; + + try { + String dn = "cn=" + sno + ",ou=" + thisUpdate + + ",cn=" + transformDN(name) + "," + getBaseDN(); + + if (s != null) { + rec = (ICertRecord) s.read(dn); + } + } finally { + if (s != null) + s.close(); + } + return rec; + } + + /** + * Creates a new issuing point in OCSP. 
+ */ + public void addCertRecord(String name, String thisUpdate, + String sno, ICertRecord rec) + throws EBaseException { + IDBSSession s = mDBService.createSession(); + + try { + String dn = "cn=" + sno + ",ou=" + thisUpdate + + ",cn=" + transformDN(name) + "," + getBaseDN(); + + s.add(dn, rec); + } finally { + if (s != null) + s.close(); + } + } + + public NameValuePairs getConfigParameters() { + try { + NameValuePairs params = new NameValuePairs(); + + params.put(Constants.PR_OCSPSTORE_IMPL_NAME, + mConfig.getString("class")); + params.put(PROP_NOT_FOUND_GOOD, + mConfig.getString(PROP_NOT_FOUND_GOOD, "true")); + params.put(PROP_BY_NAME, + mConfig.getString(PROP_BY_NAME, "true")); + params.put(PROP_INCLUDE_NEXT_UPDATE, + mConfig.getString(PROP_INCLUDE_NEXT_UPDATE, "false")); + return params; + } catch (Exception e) { + return null; + } + } + + public void setConfigParameters(NameValuePairs pairs) + throws EBaseException { + + for (String key : pairs.keySet()) { + mConfig.put(key, pairs.get(key)); + } + } + + public void updateCRL(X509CRL crl) throws EBaseException { + try { + mStateCount++; + + CMS.debug("DefStore: Ready to update Issuer"); + + try { + if (!((X509CRLImpl) crl).areEntriesIncluded()) + crl = new X509CRLImpl(((X509CRLImpl) crl).getEncoded()); + } catch (Exception e) { + CMS.debug(e); + } + + // commit update + ModificationSet mods = new ModificationSet(); + + if (crl.getThisUpdate() != null) + mods.add(ICRLIssuingPointRecord.ATTR_THIS_UPDATE, + Modification.MOD_REPLACE, crl.getThisUpdate()); + if (crl.getNextUpdate() != null) + mods.add(ICRLIssuingPointRecord.ATTR_NEXT_UPDATE, + Modification.MOD_REPLACE, crl.getNextUpdate()); + if (mUseCache) { + if (((X509CRLImpl) crl).getListOfRevokedCertificates() != null) { + mods.add(ICRLIssuingPointRecord.ATTR_CRL_CACHE, + Modification.MOD_REPLACE, + ((X509CRLImpl) crl).getListOfRevokedCertificates()); + } + } + if (((X509CRLImpl) crl).getNumberOfRevokedCertificates() < 0) { + 
mods.add(ICRLIssuingPointRecord.ATTR_CRL_SIZE, + Modification.MOD_REPLACE, Long.valueOf(0)); + } else { + mods.add(ICRLIssuingPointRecord.ATTR_CRL_SIZE, + Modification.MOD_REPLACE, Long.valueOf(((X509CRLImpl) crl).getNumberOfRevokedCertificates())); + } + BigInteger crlNumber = ((X509CRLImpl) crl).getCRLNumber(); + if (crlNumber == null) { + mods.add(ICRLIssuingPointRecord.ATTR_CRL_NUMBER, + Modification.MOD_REPLACE, new BigInteger("-1")); + } else { + mods.add(ICRLIssuingPointRecord.ATTR_CRL_NUMBER, + Modification.MOD_REPLACE, crlNumber); + } + try { + mods.add(ICRLIssuingPointRecord.ATTR_CRL, + Modification.MOD_REPLACE, crl.getEncoded()); + } catch (Exception e) { + // ignore + } + CMS.debug("DefStore: ready to CRL update " + + crl.getIssuerDN().getName()); + modifyCRLIssuingPointRecord( + crl.getIssuerDN().getName(), mods); + CMS.debug("DefStore: done CRL update " + + crl.getIssuerDN().getName()); + + // update cache + mCacheCRLIssuingPoints.clear(); + + log(ILogger.LL_INFO, "AddCRLServlet: Finish Committing CRL." 
+ + " thisUpdate=" + crl.getThisUpdate() + + " nextUpdate=" + crl.getNextUpdate()); + + } finally { + mStateCount--; + } + } + + public int getStateCount() { + return mStateCount; + } + +} + +class DeleteOldCRLsThread extends Thread { + private DefStore mDefStore = null; + + public DeleteOldCRLsThread(DefStore defStore) { + mDefStore = defStore; + } + + public void run() { + try { + mDefStore.deleteOldCRLs(); + } catch (EBaseException e) { + } + } +} + +class CRLIPContainer { + private ICRLIssuingPointRecord mRec = null; + private X509CertImpl mCert = null; + private X509CRLImpl mCRL = null; + + public CRLIPContainer(ICRLIssuingPointRecord rec, X509CertImpl cert, X509CRLImpl crl) { + mRec = rec; + mCert = cert; + mCRL = crl; + } + + public ICRLIssuingPointRecord getCRLIssuingPointRecord() { + return mRec; + } + + public X509CertImpl getX509CertImpl() { + return mCert; + } + + public X509CRLImpl getX509CRLImpl() { + return mCRL; + } +} + +class DefStoreCRLUpdater extends Thread { + private Hashtable mCache = null; + private int mSec = 0; + + public DefStoreCRLUpdater(Hashtable cache, int sec) { + mCache = cache; + mSec = sec; + } + + public void run() { + while (true) { + try { + CMS.debug("DefStore: CRLUpdater invoked"); + mCache.clear(); + sleep(mSec * 1000); // turn sec into millis-sec + } catch (Exception e) { + // ignore + } + } + } +} diff --git a/base/common/src/com/netscape/cms/ocsp/LDAPStore.java b/base/common/src/com/netscape/cms/ocsp/LDAPStore.java new file mode 100644 index 000000000..bca02f4a6 --- /dev/null +++ b/base/common/src/com/netscape/cms/ocsp/LDAPStore.java 
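Review bot: processRequest() keys mCacheCRLIssuingPoints on `new String(keyhsh)` / `new String(digest)`, which decodes raw digest bytes with the platform default charset; that decoding is lossy (malformed sequences become U+FFFD) and platform dependent, so two distinct issuer key hashes can map to the same cache entry and a request could be answered from another CA's CRL. Key the cache on a lossless encoding instead, e.g. `String cacheKey = new BigInteger(1, keyhsh).toString(16);` used for both the get and the put (BigInteger is already imported). In the same loop, a single undecodable CA certificate record makes processRequest return null for every request (`return null` in the catch after `new X509CertImpl(certdata)`), which then puts a null SingleResponse into validate()'s array; `continue` to the next record would be the safer choice. DefStoreCRLUpdater.run() catches Exception around sleep(), so an interrupt cannot end the `while (true)` loop, and shutdown() is empty — keep the updater reference, mark it as a daemon thread and let an InterruptedException return from run() so the OCSP subsystem can stop cleanly.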
@@ -0,0 +1,750 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.ocsp; + +import java.math.BigInteger; +import java.security.MessageDigest; +import java.security.cert.X509CRL; +import java.security.cert.X509CRLEntry; +import java.util.Date; +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; +import netscape.security.x509.RevokedCertificate; +import netscape.security.x509.X509CRLImpl; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509Key; + +import org.mozilla.jss.asn1.ASN1Util; +import org.mozilla.jss.asn1.GeneralizedTime; +import org.mozilla.jss.asn1.OCTET_STRING; +import org.mozilla.jss.pkix.cert.Extension; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.common.Constants; 
+import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; +import com.netscape.certsrv.dbs.repository.IRepositoryRecord; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.ocsp.IDefStore; +import com.netscape.certsrv.ocsp.IOCSPAuthority; +import com.netscape.certsrv.util.IStatsSubsystem; +import com.netscape.cmsutil.ocsp.BasicOCSPResponse; +import com.netscape.cmsutil.ocsp.CertID; +import com.netscape.cmsutil.ocsp.CertStatus; +import com.netscape.cmsutil.ocsp.GoodInfo; +import com.netscape.cmsutil.ocsp.OCSPRequest; +import com.netscape.cmsutil.ocsp.OCSPResponse; +import com.netscape.cmsutil.ocsp.OCSPResponseStatus; +import com.netscape.cmsutil.ocsp.ResponderID; +import com.netscape.cmsutil.ocsp.ResponseBytes; +import com.netscape.cmsutil.ocsp.ResponseData; +import com.netscape.cmsutil.ocsp.RevokedInfo; +import com.netscape.cmsutil.ocsp.SingleResponse; +import com.netscape.cmsutil.ocsp.TBSRequest; +import com.netscape.cmsutil.ocsp.UnknownInfo; + +/** + * This is the LDAP OCSP store. It reads CA certificate and + * revocation list attributes from the CA entry. 
+ * + * @version $Revision$, $Date$ + */ +public class LDAPStore implements IDefStore, IExtendedPluginInfo { + private static final String PROP_NUM_CONNS = "numConns"; + private static final String PROP_REFRESH_IN_SEC = "refreshInSec"; + private static final int DEF_REFRESH_IN_SEC = 60 * 60 * 24; + private static final String PROP_BASE_DN = "baseDN"; + private static final String PROP_BY_NAME = "byName"; + private static final String PROP_CONN_INFO = "connInfo"; + private static final String PROP_CRL_ATTR = "crlAttr"; + private static final String DEF_CRL_ATTR = "certificateRevocationList;binary"; + private static final String PROP_CA_CERT_ATTR = "caCertAttr"; + private static final String DEF_CA_CERT_ATTR = "cACertificate;binary"; + private static final String PROP_HOST = "host"; + private static final String PROP_PORT = "port"; + + private final static String PROP_NOT_FOUND_GOOD = "notFoundAsGood"; + private final static String PROP_INCLUDE_NEXT_UPDATE = + "includeNextUpdate"; + + private IOCSPAuthority mOCSPAuthority = null; + private IConfigStore mConfig = null; + private String mId = null; + private String mCRLAttr = null; + private boolean mByName = true; + private String mCACertAttr = null; + protected Hashtable mReqCounts = new Hashtable(); + private Hashtable mCRLs = new Hashtable(); + + /** + * Constructs the default store. 
+ */ + public LDAPStore() { + } + + public String[] getExtendedPluginInfo(Locale locale) { + Vector v = new Vector(); + + v.addElement(PROP_NOT_FOUND_GOOD + + ";boolean; " + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_PROP_NOT_FOUND_GOOD")); + v.addElement(PROP_INCLUDE_NEXT_UPDATE + + ";boolean; " + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_PROP_INCLUDE_NEXT_UPDATE")); + v.addElement(PROP_NUM_CONNS + ";number; " + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_PROP_NUM_CONNS")); + v.addElement(PROP_BY_NAME + ";boolean; " + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_PROP_BY_NAME")); + v.addElement(PROP_CRL_ATTR + ";string; " + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_PROP_CRL_ATTR")); + v.addElement(PROP_CA_CERT_ATTR + + ";string; " + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_PROP_CA_CERT_ATTR")); + v.addElement(IExtendedPluginInfo.HELP_TEXT + "; " + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_DESC")); + v.addElement(IExtendedPluginInfo.HELP_TOKEN + ";configuration-ocspstores-ldapstore"); + return com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); + } + + /** + * Fetch CA certificate and CRL from LDAP server. + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mOCSPAuthority = (IOCSPAuthority) owner; + mConfig = config; + + mCRLAttr = mConfig.getString(PROP_CRL_ATTR, DEF_CRL_ATTR); + mCACertAttr = mConfig.getString(PROP_CA_CERT_ATTR, + DEF_CA_CERT_ATTR); + mByName = mConfig.getBoolean(PROP_BY_NAME, true); + + } + + /** + * Locates the CA certificate. 
+ */ + public X509CertImpl locateCACert(LDAPConnection conn, String baseDN) + throws EBaseException { + try { + LDAPSearchResults results = conn.search(baseDN, + LDAPv2.SCOPE_SUB, mCACertAttr + "=*", + null, false); + + if (!results.hasMoreElements()) { + throw new EBaseException("error - no entry"); + } + LDAPEntry entry = results.next(); + LDAPAttribute crls = entry.getAttribute(mCACertAttr); + @SuppressWarnings("unchecked") + Enumeration vals = crls.getByteValues(); + + if (!vals.hasMoreElements()) { + throw new EBaseException("error - no values"); + } + byte caCertData[] = vals.nextElement(); + X509CertImpl caCert = new X509CertImpl(caCertData); + + return caCert; + } catch (Exception e) { + CMS.debug("LDAPStore: locateCACert " + e.toString()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("OCSP_LOCATE_CA", e.toString())); + } + return null; + } + + /** + * Locates the CRL. + */ + public X509CRLImpl locateCRL(LDAPConnection conn, String baseDN) + throws EBaseException { + try { + LDAPSearchResults results = conn.search(baseDN, + LDAPv2.SCOPE_SUB, mCRLAttr + "=*", + null, false); + + if (!results.hasMoreElements()) { + throw new EBaseException("error - no entry"); + } + LDAPEntry entry = results.next(); + LDAPAttribute crls = entry.getAttribute(mCRLAttr); + @SuppressWarnings("unchecked") + Enumeration vals = crls.getByteValues(); + + if (!vals.hasMoreElements()) { + throw new EBaseException("error - no values"); + } + byte crlData[] = vals.nextElement(); + X509CRLImpl crl = new X509CRLImpl(crlData); + + return crl; + } catch (Exception e) { + CMS.debug("LDAPStore: locateCRL " + e.toString()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("OCSP_LOCATE_CRL", e.toString())); + } + return null; + } + + public void updateCRLHash(X509CertImpl caCert, X509CRLImpl crl) + throws EBaseException { + X509CRLImpl oldCRL = mCRLs.get(caCert); + + if (oldCRL != null) { + if (oldCRL.getThisUpdate().getTime() >= crl.getThisUpdate().getTime()) { + log(ILogger.LL_INFO, + 
"LDAPStore: no update, received CRL is older than current CRL"); + return; // no update + } + } + CMS.debug("Added '" + caCert.getSubjectDN().toString() + "' into CRL hash"); + mCRLs.put(caCert, crl); + } + + public void log(int level, String msg) { + mOCSPAuthority.log(level, msg); + } + + public void startup() throws EBaseException { + int num = mConfig.getInteger(PROP_NUM_CONNS, 0); + + for (int i = 0; i < num; i++) { + String host = mConfig.getString(PROP_HOST + Integer.toString(i), null); + int port = mConfig.getInteger(PROP_PORT + Integer.toString(i), 0); + LDAPConnection c = new LDAPConnection(); + + try { + c.connect(host, port); + } catch (LDAPException e) { + throw new EBaseException("LDAP " + e); + } + String baseDN = mConfig.getString(PROP_BASE_DN + Integer.toString(i), null); + CRLUpdater updater = new CRLUpdater( + this, c, baseDN, + mConfig.getInteger(PROP_REFRESH_IN_SEC + Integer.toString(i), + DEF_REFRESH_IN_SEC)); + + updater.start(); + } + } + + public void shutdown() { + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + public void setId(String id) throws EBaseException { + mId = id; + } + + public String getId() { + return mId; + } + + /** + * Validate an OCSP request. 
+ */ + public OCSPResponse validate(OCSPRequest request) + throws EBaseException { + + IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); + + mOCSPAuthority.incNumOCSPRequest(1); + long startTime = CMS.getCurrentDate().getTime(); + try { + mOCSPAuthority.log(ILogger.LL_INFO, "start OCSP request"); + TBSRequest tbsReq = request.getTBSRequest(); + + Vector singleResponses = new Vector(); + + if (statsSub != null) { + statsSub.startTiming("lookup"); + } + + long lookupStartTime = CMS.getCurrentDate().getTime(); + for (int i = 0; i < tbsReq.getRequestCount(); i++) { + com.netscape.cmsutil.ocsp.Request req = + tbsReq.getRequestAt(i); + CertID cid = req.getCertID(); + SingleResponse sr = processRequest(cid); + + singleResponses.addElement(sr); + } + long lookupEndTime = CMS.getCurrentDate().getTime(); + if (statsSub != null) { + statsSub.endTiming("lookup"); + } + mOCSPAuthority.incLookupTime(lookupEndTime - lookupStartTime); + + if (statsSub != null) { + statsSub.startTiming("build_response"); + } + SingleResponse res[] = new SingleResponse[singleResponses.size()]; + + singleResponses.copyInto(res); + + ResponderID rid = null; + + if (mByName) { + rid = mOCSPAuthority.getResponderIDByName(); + } else { + rid = mOCSPAuthority.getResponderIDByHash(); + } + + Extension nonce[] = null; + + for (int j = 0; j < tbsReq.getExtensionsCount(); j++) { + Extension thisExt = tbsReq.getRequestExtensionAt(j); + + if (thisExt.getExtnId().equals(IOCSPAuthority.OCSP_NONCE)) { + nonce = new Extension[1]; + nonce[0] = thisExt; + } + } + + ResponseData rd = new ResponseData(rid, + new GeneralizedTime(CMS.getCurrentDate()), res, nonce); + if (statsSub != null) { + statsSub.endTiming("build_response"); + } + + if (statsSub != null) { + statsSub.startTiming("signing"); + } + + long signStartTime = CMS.getCurrentDate().getTime(); + BasicOCSPResponse basicRes = mOCSPAuthority.sign(rd); + long signEndTime = CMS.getCurrentDate().getTime(); + 
mOCSPAuthority.incSignTime(signEndTime - signStartTime); + if (statsSub != null) { + statsSub.endTiming("signing"); + } + + OCSPResponse response = new OCSPResponse( + OCSPResponseStatus.SUCCESSFUL, + new ResponseBytes(ResponseBytes.OCSP_BASIC, + new OCTET_STRING(ASN1Util.encode(basicRes)))); + + log(ILogger.LL_INFO, "done OCSP request"); + long endTime = CMS.getCurrentDate().getTime(); + mOCSPAuthority.incTotalTime(endTime - startTime); + return response; + } catch (Exception e) { + CMS.debug("LDAPStore: validation " + e.toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_REQUEST_FAILURE", e.toString())); + return null; + } + } + + public int getStateCount() { + return 0; + } + + public long getReqCount(String id) { + Long c = mReqCounts.get(id); + + if (c == null) + return 0; + else + return c.longValue(); + } + + public IRepositoryRecord createRepositoryRecord() { + return null; + } + + public void addRepository(String name, String thisUpdate, + IRepositoryRecord rec) + throws EBaseException { + throw new EBaseException("NOT SUPPORTED"); + } + + public boolean waitOnCRLUpdate() { + return false; + } + + public void updateCRL(X509CRL crl) throws EBaseException { + throw new EBaseException("NOT SUPPORTED"); + } + + public ICRLIssuingPointRecord readCRLIssuingPoint(String name) + throws EBaseException { + throw new EBaseException("NOT SUPPORTED"); + } + + public Enumeration searchAllCRLIssuingPointRecord(int maxSize) + throws EBaseException { + Vector recs = new Vector(); + Enumeration keys = mCRLs.keys(); + + while (keys.hasMoreElements()) { + X509CertImpl caCert = keys.nextElement(); + X509CRLImpl crl = mCRLs.get(caCert); + + recs.addElement(new TempCRLIssuingPointRecord(caCert, crl)); + } + return recs.elements(); + } + + public Enumeration searchCRLIssuingPointRecord(String filter, + int maxSize) + throws EBaseException { + return null; + } + + public ICRLIssuingPointRecord createCRLIssuingPointRecord( + String name, BigInteger crlNumber, + Long 
crlSize, Date thisUpdate, Date nextUpdate) { + return null; + } + + public void addCRLIssuingPoint(String name, ICRLIssuingPointRecord rec) + throws EBaseException { + throw new EBaseException("NOT SUPPORTED"); + } + + public void deleteCRLIssuingPointRecord(String id) + throws EBaseException { + throw new EBaseException("NOT SUPPORTED"); + } + + public boolean isNotFoundGood() { + try { + return isNotFoundGood1(); + } catch (Exception e) { + return false; + } + } + + public boolean includeNextUpdate() throws EBaseException { + return mConfig.getBoolean(PROP_INCLUDE_NEXT_UPDATE, false); + } + + public boolean isNotFoundGood1() throws EBaseException { + return mConfig.getBoolean(PROP_NOT_FOUND_GOOD, true); + } + + public void incReqCount(String id) { + mReqCounts.put(id, Long.valueOf(getReqCount(id) + 1)); + } + + /** + * Check against the database for status. + */ + private SingleResponse processRequest(CertID cid) throws EBaseException { + // locate the right CRL + X509CertImpl theCert = null; + X509CRLImpl theCRL = null; + + Enumeration caCerts = mCRLs.keys(); + + while (caCerts.hasMoreElements()) { + X509CertImpl caCert = caCerts.nextElement(); + MessageDigest md = null; + + try { + md = MessageDigest.getInstance( + mOCSPAuthority.getDigestName(cid.getHashAlgorithm())); + } catch (Exception e) { + } + X509Key key = (X509Key) caCert.getPublicKey(); + + if (key == null) { + System.out.println("LDAPStore::processRequest - key is null!"); + return null; + } + + byte digest[] = md.digest(key.getKey()); + byte keyhsh[] = cid.getIssuerKeyHash().toByteArray(); + + if (mOCSPAuthority.arraysEqual(digest, keyhsh)) { + theCert = caCert; + incReqCount(caCert.getSubjectDN().toString()); + theCRL = mCRLs.get(caCert); + break; + } + } + + if (theCert == null) { + return null; + } + + if (theCRL == null) { + return null; + } + + GeneralizedTime thisUpdate = new GeneralizedTime( + theCRL.getThisUpdate()); + GeneralizedTime nextUpdate = null; + + if (includeNextUpdate()) { + 
nextUpdate = new GeneralizedTime( + theCRL.getNextUpdate()); + } + + CertStatus certStatus = null; + X509CRLEntry entry = theCRL.getRevokedCertificate( + cid.getSerialNumber()); + + if (entry == null) { + if (isNotFoundGood1()) { + certStatus = new GoodInfo(); + } else { + certStatus = new UnknownInfo(); + } + } else { + certStatus = new RevokedInfo(new GeneralizedTime( + entry.getRevocationDate())); + } + + return new SingleResponse(cid, certStatus, thisUpdate, nextUpdate); + } + + /** + * Provides configuration parameters. + */ + public NameValuePairs getConfigParameters() { + try { + NameValuePairs params = new NameValuePairs(); + + params.put(Constants.PR_OCSPSTORE_IMPL_NAME, + mConfig.getString("class")); + int num = mConfig.getInteger(PROP_NUM_CONNS, 0); + + params.put(PROP_NUM_CONNS, Integer.toString(num)); + for (int i = 0; i < num; i++) { + params.put(PROP_HOST + Integer.toString(i), + mConfig.getString(PROP_HOST + + Integer.toString(i), "")); + params.put(PROP_PORT + Integer.toString(i), + mConfig.getString(PROP_PORT + + Integer.toString(i), "389")); + params.put(PROP_BASE_DN + Integer.toString(i), + mConfig.getString(PROP_BASE_DN + + Integer.toString(i), "")); + params.put(PROP_REFRESH_IN_SEC + Integer.toString(i), + mConfig.getString(PROP_REFRESH_IN_SEC + + Integer.toString(i), Integer.toString(DEF_REFRESH_IN_SEC))); + } + params.put(PROP_BY_NAME, + mConfig.getString(PROP_BY_NAME, "true")); + params.put(PROP_CA_CERT_ATTR, + mConfig.getString(PROP_CA_CERT_ATTR, DEF_CA_CERT_ATTR)); + params.put(PROP_CRL_ATTR, + mConfig.getString(PROP_CRL_ATTR, DEF_CRL_ATTR)); + params.put(PROP_NOT_FOUND_GOOD, + mConfig.getString(PROP_NOT_FOUND_GOOD, "true")); + params.put(PROP_INCLUDE_NEXT_UPDATE, + mConfig.getString(PROP_INCLUDE_NEXT_UPDATE, "false")); + return params; + } catch (Exception e) { + return null; + } + } + + public void setConfigParameters(NameValuePairs pairs) + throws EBaseException { + + for (String key : pairs.keySet()) { + mConfig.put(key, 
pairs.get(key)); + } + } +} + +class CRLUpdater extends Thread { + private LDAPConnection mC = null; + private String mBaseDN = null; + private int mSec = 0; + private LDAPStore mStore = null; + + public CRLUpdater(LDAPStore store, LDAPConnection c, + String baseDN, int sec) { + mC = c; + mSec = sec; + mBaseDN = baseDN; + mStore = store; + } + + public void run() { + while (true) { + try { + LDAPConnection conn = mC; + CMS.debug("Started CRL Update '" + mBaseDN); + X509CertImpl caCert = mStore.locateCACert(conn, mBaseDN); + X509CRLImpl crl = mStore.locateCRL(conn, mBaseDN); + + mStore.updateCRLHash(caCert, crl); + CMS.debug("Finished CRL Update - '" + mBaseDN); + sleep(mSec * 1000); // turn sec into millis-sec + } catch (Exception e) { + // ignore + } + } + } +} + +class TempCRLIssuingPointRecord implements ICRLIssuingPointRecord { + /** + * + */ + private static final long serialVersionUID = 5299660983298765746L; + private X509CertImpl mCACert = null; + private X509CRLImpl mCRL = null; + + TempCRLIssuingPointRecord(X509CertImpl caCert, X509CRLImpl crl) { + mCACert = caCert; + mCRL = crl; + } + + public String getId() { + return mCACert.getSubjectDN().toString(); + } + + /** + * Retrieves CRL serial number. + */ + public BigInteger getCRLNumber() { + return null; + } + + /** + * Retrieves delta CRL serial number. + */ + public BigInteger getDeltaCRLNumber() { + return null; + } + + /** + * Retrieves CRL size. + */ + public Long getCRLSize() { + return Long.valueOf(mCRL.getNumberOfRevokedCertificates()); + } + + /** + * Retrieves CRL size. + */ + public Long getDeltaCRLSize() { + return Long.valueOf(-1); + } + + /** + * Retrieves this update time. + */ + public Date getThisUpdate() { + return mCRL.getThisUpdate(); + } + + /** + * Retrieves next update time. 
+ */ + public Date getNextUpdate() { + return mCRL.getNextUpdate(); + } + + public String getFirstUnsaved() { + return null; + } + + public Hashtable getCRLCacheNoClone() { + return null; + } + + public Hashtable getCRLCache() { + return null; + } + + /** + * Retrieves CRL encodings. + */ + public byte[] getCRL() { + try { + return mCRL.getEncoded(); + } catch (Exception e) { + return null; + } + } + + /** + * Retrieves CRL encodings. + */ + public byte[] getDeltaCRL() { + return null; + } + + public int isCRLIssuingPointInitialized() { + return 1; + } + + public byte[] getCACert() { + try { + return mCACert.getEncoded(); + } catch (Exception e) { + return null; + } + } + + /** + * Retrieves cache info of revoked certificates. + */ + public Hashtable getRevokedCerts() { + return mCRL.getListOfRevokedCertificates(); + } + + /** + * Retrieves cache info of unrevoked certificates. + */ + public Hashtable getUnrevokedCerts() { + return null; + } + + /** + * Retrieves cache info of expired certificates. + */ + public Hashtable getExpiredCerts() { + return null; + } + + public Enumeration getSerializableAttrNames() { + return null; + } + + public void set(String name, Object obj) throws EBaseException { + } + + public Object get(String name) throws EBaseException { + return null; + } + + public void delete(String name) throws EBaseException { + + } + + public Enumeration getElements() { + return null; + } +} diff --git a/base/common/src/com/netscape/cms/password/PasswordChecker.java b/base/common/src/com/netscape/cms/password/PasswordChecker.java new file mode 100644 index 000000000..847f3a2c1 --- /dev/null +++ b/base/common/src/com/netscape/cms/password/PasswordChecker.java 
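Review bot: `updateCRLHash` stores whatever `locateCRL` returned in `mCRLs` without verifying the CRL's signature against `caCert`, so the revocation data that `processRequest` later serves is only as trustworthy as the LDAP lookup path (a plain `c.connect(host, port)` in `startup`). Add `crl.verify(caCert.getPublicKey());` before `mCRLs.put(caCert, crl)` (wrapped as `throw new EBaseException("CRL signature verification failed: " + e)` to fit the method's existing signature), and reject a null `caCert` or `crl` explicitly rather than letting `getThisUpdate()` or `Hashtable.put` throw. Relatedly, `CRLUpdater.run` catches every exception with `// ignore` and skips the `sleep`, so a persistent lookup failure spins the thread with no backoff and no log line; moving `sleep(mSec * 1000)` into a `finally` and logging the failure through `mStore.log` keeps the refresh interval on failure and makes the outage visible.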
@@ -0,0 +1,103 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.password; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.password.EPasswordCheckException; +import com.netscape.certsrv.password.IConfigPasswordCheck; +import com.netscape.certsrv.password.IPasswordCheck; + +/** + * This class checks the given password if it meets the specific requirements. + * For example, it can also specify the format of the password which has to + * be 8 characters long and must be in alphanumeric. + *

+ * + * @version $Revision$, $Date$ + */ +public class PasswordChecker implements IPasswordCheck, IConfigPasswordCheck { + + public static final int MIN_LEN = 8; + + /** + * Default constructor. + */ + public PasswordChecker() { + } + + public boolean isGoodConfigPassword(String mPassword) { + if (mPassword == null || mPassword.length() == 0) { + return false; + } else if (mPassword.length() < MIN_LEN) { + return false; + } + return true; + } + + public String getConfigReason(String mPassword) { + if (mPassword == null || mPassword.length() == 0) { + EPasswordCheckException e = new EPasswordCheckException( + "Empty Password"); + + return e.toString(); + } else if (mPassword.length() < MIN_LEN) { + EPasswordCheckException e = new EPasswordCheckException( + "Minimium Length is " + MIN_LEN); + + return e.toString(); + } + return null; + } + + /** + * Returns true if the given password meets the quality requirement; + * otherwise returns false. + * + * @param mPassword The given password being checked. + * @return true if the password meets the quality requirement; otherwise + * returns false. + */ + public boolean isGoodPassword(String mPassword) { + if (mPassword == null || mPassword.length() == 0) { + return false; + } else if (mPassword.length() < MIN_LEN) { + return false; + } + return true; + } + + /** + * Returns a reason if the password doesnt meet the quality requirement. + * + * @return string as a reason if the password quality requirement is not met. + */ + public String getReason(String mPassword) { + if (mPassword == null || mPassword.length() == 0) { + EPasswordCheckException e = new EPasswordCheckException( + CMS.getUserMessage("CMS_PASSWORD_EMPTY_PASSWORD")); + + return e.toString(); + } else if (mPassword.length() < MIN_LEN) { + EPasswordCheckException e = new EPasswordCheckException( + CMS.getUserMessage("CMS_PASSWORD_INVALID_LEN", "" + MIN_LEN)); + + return e.toString(); + } + return null; + } +} 
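Review bot: The class Javadoc says the password "must be in alphanumeric", but `isGoodPassword` and `isGoodConfigPassword` only reject null/empty input and lengths below `MIN_LEN`; no character-class check exists. Either the documentation or the code should change — if the length-only policy is intended, replace that Javadoc sentence with `Only a minimum length of MIN_LEN characters is enforced; no character-class rule is applied.` so callers do not assume a stronger check. The message built in `getConfigReason` also misspells `"Minimium Length is "` (should be `"Minimum Length is "`), and the `getReason` Javadoc has `doesnt` for `doesn't`.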
diff --git a/base/common/src/com/netscape/cms/policy/APolicyRule.java b/base/common/src/com/netscape/cms/policy/APolicyRule.java new file mode 100644 index 000000000..0faf7591d --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/APolicyRule.java 
@@ -0,0 +1,363 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy; + +import java.io.IOException; +import java.security.InvalidKeyException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; +import java.util.Vector; + +import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.KeyIdentifier; +import netscape.security.x509.X509CertInfo; +import netscape.security.x509.X509Key; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.EPolicyException; +import com.netscape.certsrv.policy.IExpression; +import com.netscape.certsrv.policy.IPolicyRule; +import com.netscape.certsrv.request.AgentApprovals; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; + +/** + * The abstract policy rule that concrete implementations will + * extend. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public abstract class APolicyRule implements IPolicyRule { + protected String NAME = null; + protected String DESC = null; + protected IExpression mFilterExp = null; + protected String mInstanceName = null; + protected ILogger mLogger = CMS.getLogger(); + + public APolicyRule() { + } + + /** + * Initializes the policy rule. + *

+ * + * @param config The config store reference + */ + public abstract void init(ISubsystem owner, IConfigStore config) + throws EBaseException; + + /** + * Gets the description for this policy rule. + *

+ * + * @return The Description for this rule. + */ + public String getDescription() { + return DESC; + } + + /** + * Sets a predicate expression for rule matching. + *

+ * + * @param exp The predicate expression for the rule. + */ + public void setPredicate(IExpression exp) { + mFilterExp = exp; + } + + /** + * Returns the predicate expression for the rule. + *

+ * + * @return The predicate expression for the rule. + */ + public IExpression getPredicate() { + return mFilterExp; + } + + /** + * Returns the name of the policy rule. + *

+ * + * @return The name of the policy class. + */ + public String getName() { + return NAME; + } + + /** + * Sets the instance name for a policy rule. + *

+ * + * @param instanceName The name of the rule instance. + */ + public void setInstanceName(String instanceName) { + mInstanceName = instanceName; + } + + /** + * Returns the name of the policy rule instance. + *

+ * + * @return The name of the policy rule instance if set, else + * the name of the rule class. + */ + public String getInstanceName() { + return mInstanceName != null ? mInstanceName : NAME; + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public abstract PolicyResult apply(IRequest req); + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public abstract Vector getInstanceParams(); + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public abstract Vector getDefaultParams(); + + public void setError(IRequest req, String format, Object[] params) { + setPolicyException(req, format, params); + } + + public void setError(IRequest req, String format, String arg1, + String arg2) { + Object[] np = new Object[2]; + + np[0] = arg1; + np[1] = arg2; + setPolicyException(req, format, np); + } + + public void setError(IRequest req, String format, String arg) { + Object[] np = new Object[1]; + + np[0] = arg; + setPolicyException(req, format, np); + } + + public void setPolicyException(IRequest req, EBaseException ex) { + Vector ev = req.getExtDataInStringVector(IRequest.ERRORS); + if (ev == null) { + ev = new Vector(); + } + ev.addElement(ex.toString()); + req.setExtData(IRequest.ERRORS, ev); + + } + + /** + * determines whether a DEFERRED policy result should be returned + * by checking the contents of the AgentApprovals attribute. This + * call should be used by policy modules instead of returning + * PolicyResult.DEFERRED directly. + *

+ */ + protected PolicyResult deferred(IRequest req) { + // Try to find an agent approval + AgentApprovals aa = AgentApprovals.fromStringVector( + req.getExtDataInStringVector(AgentApprovals.class.getName())); + + // Any approvals causes success + if (aa != null && aa.elements().hasMoreElements()) { + return PolicyResult.ACCEPTED; + } else { + return PolicyResult.DEFERRED; + } + } + + /** + * request has previously been approved by an agent + */ + protected boolean agentApproved(IRequest req) { + // Try to find an agent approval + AgentApprovals aa = AgentApprovals.fromStringVector( + req.getExtDataInStringVector(AgentApprovals.class.getName())); + + // Any approvals causes success + if (aa != null && aa.elements().hasMoreElements()) { + return true; + } else { + return false; + } + } + + public void setPolicyException(IRequest req, String format, + Object[] params) { + if (format == null) + return; + + EPolicyException ex; + + if (params == null) + ex = new EPolicyException(format); + else + ex = new EPolicyException(format, params); + + Vector ev = req.getExtDataInStringVector(IRequest.ERRORS); + if (ev == null) { + ev = new Vector(); + } + ev.addElement(ex.toString()); + req.setExtData(IRequest.ERRORS, ev); + } + + /** + * log a message for this policy rule. + */ + protected void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, level, + "APolicyRule " + NAME + ": " + msg); + } + + public static KeyIdentifier createKeyIdentifier(X509Key key) + throws NoSuchAlgorithmException, InvalidKeyException { + MessageDigest md = MessageDigest.getInstance("SHA-1"); + + md.update(key.getEncoded()); + return new KeyIdentifier(md.digest()); + } + + /** + * Form a byte array of octet string key identifier from the sha-1 hash of + * the Subject Public Key INFO. (including algorithm ID, etc.) + *

+ * + * @param certInfo cert info of the certificate. + * @return A Key identifier with the sha-1 hash of subject public key. + */ + protected KeyIdentifier formSpkiSHA1KeyId(X509CertInfo certInfo) + throws EBaseException { + KeyIdentifier keyId = null; + + try { + CertificateX509Key certKey = + (CertificateX509Key) certInfo.get(X509CertInfo.KEY); + + if (certKey == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_MISSING_KEY_1", "")); + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_MISSING_KEY", NAME)); + } + X509Key key = (X509Key) certKey.get(CertificateX509Key.KEY); + + if (key == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_MISSING_KEY_1", "")); + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_MISSING_KEY", NAME)); + } + keyId = createKeyIdentifier(key); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_SUBJECT_KEY_ID_1", NAME)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_SUBJECT_KEY_ID_1", NAME)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); + } catch (NoSuchAlgorithmException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_SUBJECT_KEY_ID_1", NAME)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); + } catch (InvalidKeyException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_SUBJECT_KEY_ID_1", NAME)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); + } + return keyId; + } + + /** + * Form a byte array of octet string key identifier from the sha-1 hash of + * the Subject Public Key BIT STRING. + *

+ * + * @param certInfo cert info of the certificate. + * @return A Key identifier with the sha-1 hash of subject public key. + */ + protected KeyIdentifier formSHA1KeyId(X509CertInfo certInfo) + throws EBaseException { + KeyIdentifier keyId = null; + + try { + CertificateX509Key certKey = + (CertificateX509Key) certInfo.get(X509CertInfo.KEY); + + if (certKey == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_MISSING_KEY_1", "")); + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_MISSING_KEY", NAME)); + } + X509Key key = (X509Key) certKey.get(CertificateX509Key.KEY); + + if (key == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_MISSING_KEY_1", "")); + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_MISSING_KEY", NAME)); + } + byte[] rawKey = key.getKey(); + + MessageDigest md = MessageDigest.getInstance("SHA-1"); + + md.update(rawKey); + keyId = new KeyIdentifier(md.digest()); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_SUBJECT_KEY_ID_1", NAME)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_SUBJECT_KEY_ID_1", NAME)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); + } catch (NoSuchAlgorithmException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_SUBJECT_KEY_ID_1", NAME)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); + } + return keyId; + } +} diff --git a/base/common/src/com/netscape/cms/policy/constraints/AgentPolicy.java b/base/common/src/com/netscape/cms/policy/constraints/AgentPolicy.java new file mode 100644 index 000000000..b7a24bd65 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/constraints/AgentPolicy.java 
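Review bot: `deferred` and `agentApproved` duplicate the same `AgentApprovals.fromStringVector(...)` lookup and `elements().hasMoreElements()` test; `deferred` can be reduced to `return agentApproved(req) ? PolicyResult.ACCEPTED : PolicyResult.DEFERRED;` so the approval rule lives in one place. Likewise `formSpkiSHA1KeyId` and `formSHA1KeyId` repeat the identical log-and-rethrow block for each caught exception type; if the build targets Java 7 or later a single multi-catch over `IOException | CertificateException | NoSuchAlgorithmException | InvalidKeyException` would do, otherwise a small private helper that logs `POLICY_ERROR_SUBJECT_KEY_ID_1` and throws the `EPolicyException`. Note that the rethrow discards the original exception; if `EPolicyException` accepts a cause, passing `e` would preserve the diagnostic for the log.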
@@ -0,0 +1,161 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.constraints; + +import java.util.Vector; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.policy.EPolicyException; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.AgentApprovals; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * AgentPolicy is an enrollment policy wraps another policy module. + * Requests are sent first to the contained module, but if the + * policy indicates that the request should be deferred, a check + * for agent approvals is done. If any are found, the request + * is approved. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class AgentPolicy extends APolicyRule + implements IEnrollmentPolicy { + public AgentPolicy() { + NAME = "AgentPolicy"; + DESC = "Agent Approval Policy"; + } + + /** + * Initializes this policy rule. + *

+ * + * The entries may be of the form: + * + * ra.Policy.rule..implName=AgentPolicy ra.Policy.rule..enable=true + * ra.Policy.rule..predicate= ou == engineering AND o == netscape.com ra.Policy.rule..class=xxxx + * ra.Policy.rule..params.* + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EPolicyException { + + // Create subordinate object + String className = (String) config.get("class"); + + System.err.println("Creating agent policy with class " + className); + if (className != null) { + IConfigStore substore = config.getSubStore("params"); + + try { + @SuppressWarnings("unchecked") + Class c = (Class) Class.forName(className); + + Object o = c.newInstance(); + + if (!(o instanceof APolicyRule)) { + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CLASS", + getInstanceName(), className)); + } + + APolicyRule pr = (APolicyRule) o; + + pr.init(owner, substore); + mPolicy = pr; + } catch (EPolicyException e) { + System.err.println("Agent Policy Error: " + e); + throw e; + } catch (Exception e) { + System.err.println("Agent Policy Error: " + e); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_LOADING_POLICY_ERROR", + getInstanceName(), className)); + } + } + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + + // The default is to require manual approval for everything + PolicyResult result = PolicyResult.DEFERRED; + + // Give the underlying object a chance + if (mPolicy != null) { + result = mPolicy.apply(req); + System.err.println("Subordinate policy returns " + result); + } + + if (result == PolicyResult.DEFERRED) { + System.err.println("Checking agent approvals"); + // Try to find an agent approval + AgentApprovals aa = AgentApprovals.fromStringVector( + req.getExtDataInStringVector(AgentApprovals.class.getName())); + + //Object o = req.get("agentApprovals"); + + // Any approvals causes success + if (aa != null && aa.elements().hasMoreElements()) //if (o != null) + { + System.err.println("Agent approval found"); + result = PolicyResult.ACCEPTED; + } + } + System.err.println("Agent policy returns " + result); + return result; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + return null; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return null; + } + + APolicyRule mPolicy = null; +} diff --git a/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java b/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java new file mode 100644 index 000000000..93327445e --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java 
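Review bot: In `init()`, `Class.forName(className)` followed by `c.newInstance()` instantiates whatever class the `class` config entry names before the `instanceof APolicyRule` check runs, so a config value can cause the static initializer and constructor of any class on the classpath to execute. The config store is presumably admin-controlled, but the check is cheap to move ahead of instantiation: `Class<?> c = Class.forName(className);` / `if (!APolicyRule.class.isAssignableFrom(c)) throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CLASS", getInstanceName(), className));` / `APolicyRule pr = (APolicyRule) c.newInstance();`, which also removes the raw `Class` cast and the `@SuppressWarnings("unchecked")`. The `System.err.println` calls in `init()` and `apply()` bypass the subsystem logger the sibling policies use (`log(ILogger.LL_FAILURE, ...)`/`CMS.debug`), so the "Agent approval found" decision that flips a DEFERRED request to ACCEPTED is not captured in the system log; I would route those through the logger. The file is otherwise a straight move, so nothing else in it is new to this commit.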
@@ -0,0 +1,406 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.constraints; + +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authority.ICertAuthority; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.ldap.ILdapConnFactory; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.certsrv.request.RequestId; +import com.netscape.cms.policy.APolicyRule; + +/** + * This checks if attribute present. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class AttributePresentConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + protected static final String PROP_ENABLED = "enabled"; + protected static final String PROP_LDAP = "ldap"; + + protected String mName = null; + protected String mImplName = null; + + private boolean mEnabled = false; + private ILogger mLogger = CMS.getLogger(); + + private ICertAuthority mSub = null; + private IConfigStore mConfig = null; + private IConfigStore mLdapConfig = null; + private RequestId mReqId = null; + private ILdapConnFactory mConnFactory = null; + private LDAPConnection mCheckAttrLdapConnection = null; + + public AttributePresentConstraints() { + DESC = "Rejects request if ldap attribute is not present in the " + + "directory."; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String params[] = { + PROP_ATTR + ";string,required;Ldap attribute to check presence of (default " + + DEF_ATTR + ")", + PROP_VALUE + ";string;if this parameter is non-empty, the attribute must " + + "match this value for the request to proceed ", + PROP_LDAP_BASE + ";string,required;Base DN to start searching " + + "under. If your user's DN is 'uid=jsmith, o=company', you " + + "might want to use 'o=company' here", + PROP_LDAP_HOST + ";string,required;" + + "LDAP host to connect to", + PROP_LDAP_PORT + ";number,required;" + + "LDAP port number (use 389, or 636 if SSL)", + PROP_LDAP_SSL + ";boolean;" + + "Use SSL to connect to directory?", + PROP_LDAP_VER + ";choice(3,2),required;" + + "LDAP protocol version", + PROP_LDAP_BIND + ";string;DN to bind as for attribute checking. 
" + + "For example 'CN=Pincheck User'", + PROP_LDAP_PW + ";password;Enter password used to bind as " + + "the above user", + PROP_LDAP_AUTH + ";choice(BasicAuth,SslClientAuth),required;" + + "How to bind to the directory", + PROP_LDAP_CERT + ";string;If you want to use " + + "SSL client auth to the directory, set the client " + + "cert nickname here", + PROP_LDAP_BASE + ";string,required;Base DN to start searching " + + "under. If your user's DN is 'uid=jsmith, o=company', you " + + "might want to use 'o=company' here", + PROP_LDAP_MINC + ";number;number of connections " + + "to keep open to directory server. Default " + DEF_LDAP_MINC, + PROP_LDAP_MAXC + ";number;when needed, connection " + + "pool can grow to this many (multiplexed) connections. Default " + DEF_LDAP_MAXC, + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-pinpresent", + IExtendedPluginInfo.HELP_TEXT + + ";" + DESC + " This plugin can be used to " + + "check the presence (and, optionally, the value) of any LDAP " + + "attribute for the user. 
" + }; + + return params; + } + + public String getName() { + return mName; + } + + public String getImplName() { + return mImplName; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + public void shutdown() { + } + + // Parameters + + protected static final String PROP_LDAP_HOST = "ldap.ldapconn.host"; + protected static final String DEF_LDAP_HOST = "localhost"; + + protected static final String PROP_LDAP_PORT = "ldap.ldapconn.port"; + protected static final Integer DEF_LDAP_PORT = Integer.valueOf(389); + + protected static final String PROP_LDAP_SSL = "ldap.ldapconn.secureConn"; + protected static final Boolean DEF_LDAP_SSL = Boolean.FALSE; + + protected static final String PROP_LDAP_VER = "ldap.ldapconn.version"; + protected static final Integer DEF_LDAP_VER = Integer.valueOf(3); + + protected static final String PROP_LDAP_BIND = "ldap.ldapauth.bindDN"; + protected static final String DEF_LDAP_BIND = "CN=Directory Manager"; + + protected static final String PROP_LDAP_PW = "ldap.ldapauth.bindPWPrompt"; + protected static final String DEF_LDAP_PW = ""; + + protected static final String PROP_LDAP_CERT = "ldap.ldapauth.clientCertNickname"; + protected static final String DEF_LDAP_CERT = ""; + + protected static final String PROP_LDAP_AUTH = "ldap.ldapauth.authtype"; + protected static final String DEF_LDAP_AUTH = "BasicAuth"; + + protected static final String PROP_LDAP_BASE = "ldap.ldapconn.basedn"; + protected static final String DEF_LDAP_BASE = ""; + + protected static final String PROP_LDAP_MINC = "ldap.ldapconn.minConns"; + protected static final Integer DEF_LDAP_MINC = Integer.valueOf(1); + + protected static final String PROP_LDAP_MAXC = "ldap.ldapconn.maxConns"; + protected static final Integer DEF_LDAP_MAXC = Integer.valueOf(5); + + protected static final String PROP_ATTR = "attribute"; + protected static final String DEF_ATTR = "pin"; + + protected static final String PROP_VALUE = "value"; + protected static final String DEF_VALUE = 
""; + + protected static Vector mParamNames; + protected static Hashtable mParamDefault; + protected Hashtable mParamValue = null; + + static { + mParamNames = new Vector(); + mParamDefault = new Hashtable(); + addParam(PROP_LDAP_HOST, DEF_LDAP_HOST); + addParam(PROP_LDAP_PORT, DEF_LDAP_PORT); + addParam(PROP_LDAP_SSL, DEF_LDAP_SSL); + addParam(PROP_LDAP_VER, DEF_LDAP_VER); + addParam(PROP_LDAP_BIND, DEF_LDAP_BIND); + addParam(PROP_LDAP_PW, DEF_LDAP_PW); + addParam(PROP_LDAP_CERT, DEF_LDAP_CERT); + addParam(PROP_LDAP_AUTH, DEF_LDAP_AUTH); + addParam(PROP_LDAP_BASE, DEF_LDAP_BASE); + addParam(PROP_LDAP_MINC, DEF_LDAP_MINC); + addParam(PROP_LDAP_MAXC, DEF_LDAP_MAXC); + addParam(PROP_ATTR, DEF_ATTR); + addParam(PROP_VALUE, DEF_VALUE); + }; + + protected static void addParam(String name, Object value) { + mParamNames.addElement(name); + mParamDefault.put(name, value); + } + + protected void getStringConfigParam(IConfigStore config, String paramName) { + try { + mParamValue.put( + paramName, config.getString(paramName, (String) mParamDefault.get(paramName)) + ); + } catch (Exception e) { + } + } + + protected void getIntConfigParam(IConfigStore config, String paramName) { + try { + mParamValue.put( + paramName, Integer.valueOf( + config.getInteger(paramName, + ((Integer) mParamDefault.get(paramName)).intValue() + ) + ) + ); + } catch (Exception e) { + } + } + + protected void getBooleanConfigParam(IConfigStore config, String paramName) { + try { + mParamValue.put( + paramName, Boolean.valueOf( + config.getBoolean(paramName, + ((Boolean) mParamDefault.get(paramName)).booleanValue() + ) + ) + ); + } catch (Exception e) { + } + } + + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + + mParamValue = new Hashtable(); + + getStringConfigParam(mConfig, PROP_LDAP_HOST); + getIntConfigParam(mConfig, PROP_LDAP_PORT); + getBooleanConfigParam(mConfig, PROP_LDAP_SSL); + getIntConfigParam(mConfig, PROP_LDAP_VER); + 
getStringConfigParam(mConfig, PROP_LDAP_BIND); + getStringConfigParam(mConfig, PROP_LDAP_PW); + getStringConfigParam(mConfig, PROP_LDAP_CERT); + getStringConfigParam(mConfig, PROP_LDAP_AUTH); + getStringConfigParam(mConfig, PROP_LDAP_BASE); + getIntConfigParam(mConfig, PROP_LDAP_MINC); + getIntConfigParam(mConfig, PROP_LDAP_MAXC); + getStringConfigParam(mConfig, PROP_ATTR); + getStringConfigParam(mConfig, PROP_VALUE); + + mLdapConfig = mConfig.getSubStore(PROP_LDAP); + + mConnFactory = CMS.getLdapBoundConnFactory(); + mConnFactory.init(mLdapConfig); + mCheckAttrLdapConnection = mConnFactory.getConn(); + + } + + public PolicyResult apply(IRequest r) { + PolicyResult res = PolicyResult.ACCEPTED; + + mReqId = r.getRequestId(); + + String requestType = r.getRequestType(); + + if (requestType.equals(IRequest.ENROLLMENT_REQUEST) || + requestType.equals(IRequest.RENEWAL_REQUEST)) { + + String uid = r.getExtDataInString(IRequest.HTTP_PARAMS, "uid"); + + if (uid == null) { + log(ILogger.LL_INFO, "did not find UID parameter in request " + r.getRequestId()); + setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), ""); + return PolicyResult.REJECTED; + } + + String userdn = null; + + try { + String[] attrs = { (String) mParamValue.get(PROP_ATTR) }; + LDAPSearchResults searchResult = + mCheckAttrLdapConnection.search((String) mParamValue.get(PROP_LDAP_BASE), + LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", attrs, false); + + if (!searchResult.hasMoreElements()) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); + setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), ""); + return PolicyResult.REJECTED; + } + + LDAPEntry entry = (LDAPEntry) searchResult.nextElement(); + + userdn = entry.getDN(); + + LDAPAttribute attr = entry.getAttribute((String) mParamValue.get(PROP_ATTR)); + + /* if attribute not present, reject the request */ + if (attr == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", userdn)); + setError(r, 
CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), ""); + return PolicyResult.REJECTED; + } + String acceptedValue = ((String) mParamValue.get(PROP_VALUE)); + + if (!acceptedValue.equals("")) { + int matches = 0; + + String[] values = attr.getStringValueArray(); + + for (int i = 0; i < values.length; i++) { + if (values[i].equals(acceptedValue)) { + matches++; + } + } + if (matches == 0) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", userdn)); + setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), ""); + return PolicyResult.REJECTED; + } + } + + CMS.debug("AttributePresentConstraints: Attribute is present for user: \"" + userdn + "\""); + + } catch (LDAPException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_PIN_UNAUTHORIZED")); + setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), ""); + return PolicyResult.REJECTED; + } + + } + return res; + } + + public Vector getInstanceParams() { + Vector params = new Vector(); + + Enumeration e = mParamNames.elements(); + + while (e.hasMoreElements()) { + try { + String paramName = (String) e.nextElement(); + String paramValue = mParamValue.get(paramName).toString(); + String temp = paramName + "=" + paramValue; + + params.addElement(temp); + } catch (Exception ex) { + } + } + + return params; + } + + public Vector getDefaultParams() { + Vector params = new Vector(); + + Enumeration e = mParamNames.elements(); + + while (e.hasMoreElements()) { + try { + String paramName = (String) e.nextElement(); + String paramValue = mParamDefault.get(paramName).toString(); + String temp = paramName + "=" + paramValue; + + params.addElement(temp); + } catch (Exception ex) { + } + } + + return params; + + /* + params.addElement("ldap.ldapconn.host=localhost"); + params.addElement("ldap.ldapconn.port=389"); + params.addElement("ldap.ldapconn.secureConn=false"); + params.addElement("ldap.ldapconn.version=3"); + params.addElement("ldap.ldapauth.bindDN=CN=Directory Manager"); + 
params.addElement("ldap.ldapauth.bindPWPrompt="); + params.addElement("ldap.ldapauth.clientCertNickname="); + params.addElement("ldap.ldapauth.authtype=BasicAuth"); + params.addElement("ldap.basedn="); + params.addElement("ldap.minConns=1"); + params.addElement("ldap.maxConns=5"); + */ + } + + protected void log(int level, String msg) { + if (mLogger == null) + return; + + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_OTHER, + level, "AttributePresentConstraints: " + msg); + } + +} diff --git a/base/common/src/com/netscape/cms/policy/constraints/DSAKeyConstraints.java b/base/common/src/com/netscape/cms/policy/constraints/DSAKeyConstraints.java new file mode 100644 index 000000000..387b702bf --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/constraints/DSAKeyConstraints.java 
@@ -0,0 +1,252 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.constraints; + +import java.math.BigInteger; +import java.security.interfaces.DSAParams; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.provider.DSAPublicKey; +import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.X509CertInfo; +import netscape.security.x509.X509Key; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.EPolicyException; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * DSAKeyConstraints policy enforces min and max size of the key. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class DSAKeyConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + private int mMinSize; + private int mMaxSize; + + private final static int INCREMENT = 64; + private final static int DEF_MIN_SIZE = 512; + private final static int DEF_MAX_SIZE = 1024; + + private final static String DSA = "DSA"; + private final static String PROP_MIN_SIZE = "minSize"; + private final static String PROP_MAX_SIZE = "maxSize"; + + private final static Vector defConfParams = new Vector(); + + private IConfigStore mConfig = null; + + static { + defConfParams.addElement(PROP_MIN_SIZE + "=" + DEF_MIN_SIZE); + defConfParams.addElement(PROP_MAX_SIZE + "=" + DEF_MAX_SIZE); + } + + public DSAKeyConstraints() { + NAME = "DSAKeyConstraints"; + DESC = "Enforces DSA Key Constraints."; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_MIN_SIZE + ";number;Minimum key size", + PROP_MAX_SIZE + ";number;Maximum key size", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-dsakeyconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Rejects request if DSA key size is out of range" + }; + + return params; + } + + /** + * Initializes this policy rule. + *

+ * + * The entries probably are of the form ra.Policy.rule..implName=DSAKeyConstraints + * ra.Policy.rule..enable=true ra.Policy.rule..minSize=512 + * ra.Policy.rule..maxSize=1024 ra.Policy.rule..predicate= ou == engineering AND o == + * netscape.com + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EPolicyException { + + // Get Min and Max sizes + mConfig = config; + + try { + mMinSize = config.getInteger(PROP_MIN_SIZE, DEF_MIN_SIZE); + mMaxSize = config.getInteger(PROP_MAX_SIZE, DEF_MAX_SIZE); + + if (mMaxSize > DEF_MAX_SIZE) { + String msg = "cannot be more than " + DEF_MAX_SIZE; + + log(ILogger.LL_FAILURE, PROP_MAX_SIZE + " " + msg); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_MAX_SIZE, msg)); + } + if (mMinSize < DEF_MIN_SIZE) { + String msg = "cannot be less than " + DEF_MIN_SIZE; + + log(ILogger.LL_FAILURE, PROP_MIN_SIZE + " " + msg); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_MIN_SIZE, msg)); + } + if (mMaxSize % INCREMENT != 0) { + String msg = "must be in increments of " + INCREMENT; + + log(ILogger.LL_FAILURE, PROP_MAX_SIZE + " " + msg); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_MIN_SIZE, msg)); + } + if (mMaxSize % INCREMENT != 0) { + String msg = "must be in increments of " + INCREMENT; + + log(ILogger.LL_FAILURE, PROP_MIN_SIZE + " " + msg); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_MIN_SIZE, msg)); + } + + config.putInteger(PROP_MIN_SIZE, mMinSize); + config.putInteger(PROP_MAX_SIZE, mMaxSize); + + } catch (Exception e) { + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", getInstanceName(), e.toString())); + } + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + + PolicyResult result = PolicyResult.ACCEPTED; + + try { + // Get the certificate info from the request + X509CertInfo ci[] = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + // There should be a certificate info set. + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); + return PolicyResult.REJECTED; + } + + // Else check if the key size(s) are within the limit. + for (int i = 0; i < ci.length; i++) { + CertificateX509Key certKey = (CertificateX509Key) + ci[i].get(X509CertInfo.KEY); + X509Key key = (X509Key) certKey.get(CertificateX509Key.KEY); + String alg = key.getAlgorithmId().toString(); + + if (!alg.equalsIgnoreCase(DSA)) + continue; + + // Check DSAKey parameters. + // size refers to the p parameter. + DSAPublicKey dsaKey = new DSAPublicKey(key.getEncoded()); + DSAParams keyParams = dsaKey.getParams(); + + if (keyParams == null) { + // key parameters could not be parsed. 
+ setError(req, + CMS.getUserMessage("CMS_POLICY_NO_KEY_PARAMS", getInstanceName(), String.valueOf(i + 1)), + ""); + return PolicyResult.REJECTED; + } + BigInteger p = keyParams.getP(); + int len = p.bitLength(); + + if (len < mMinSize || len > mMaxSize || + (len % INCREMENT) != 0) { + String[] parms = new String[] { + getInstanceName(), + String.valueOf(len), + String.valueOf(mMinSize), + String.valueOf(mMaxSize), + String.valueOf(INCREMENT) }; + + setError(req, CMS.getUserMessage("CMS_POLICY_KEY_SIZE_VIOLATION_1", parms), ""); + return PolicyResult.REJECTED; + } + } + } catch (Exception e) { + // e.printStackTrace(); + String[] params = { getInstanceName(), e.toString() }; + + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + result = PolicyResult.REJECTED; + } + return result; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + Vector confParams = new Vector(); + + try { + confParams.addElement(PROP_MIN_SIZE + "=" + mConfig.getInteger(PROP_MIN_SIZE, DEF_MIN_SIZE)); + confParams.addElement(PROP_MAX_SIZE + "=" + mConfig.getInteger(PROP_MAX_SIZE, DEF_MAX_SIZE)); + } catch (EBaseException e) { + ; + } + return confParams; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return defConfParams; + } +} diff --git a/base/common/src/com/netscape/cms/policy/constraints/DefaultRevocation.java b/base/common/src/com/netscape/cms/policy/constraints/DefaultRevocation.java new file mode 100644 index 000000000..2af145475 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/constraints/DefaultRevocation.java 
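Review bot: In `init()`, the fourth validation block is a copy of the third: both test `mMaxSize % INCREMENT != 0`, so a `minSize` that is not a multiple of 64 is never rejected at configuration time, and the third block reports its error against `PROP_MIN_SIZE` instead of `PROP_MAX_SIZE`. The fix is `if (mMinSize % INCREMENT != 0)` in the fourth block and `PROP_MAX_SIZE` in the third block's `CMS.getUserMessage(...)` call; a `mMinSize > mMaxSize` check would also be worth adding, since nothing else prevents an empty range that rejects every DSA key in `apply()`. Note also that `mMaxSize > DEF_MAX_SIZE` hard-caps the configurable maximum at 1024 bits, so this policy cannot be configured to accept the larger DSA moduli (2048/3072) defined in FIPS 186-3; given the class is marked `@deprecated` in favour of the profile framework that may be acceptable, but the class Javadoc should state the 512–1024 bit limit explicitly.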
@@ -0,0 +1,104 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.constraints; + +import java.util.Locale; +import java.util.Vector; + +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.policy.EPolicyException; +import com.netscape.certsrv.policy.IRevocationPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * This is the default revocation policy. Currently this does + * nothing. We can later add checks like whether or not to + * revoke expired certs ..etc here. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class DefaultRevocation extends APolicyRule + implements IRevocationPolicy, IExtendedPluginInfo { + public DefaultRevocation() { + NAME = "DefaultRevocation"; + DESC = "Default Revocation Policy"; + } + + /** + * Initializes this policy rule. + *

+ * + * The entries may be of the form: + * + * ra.Policy.rule..implName=DefaultRevocation ra.Policy.rule..enable=true + * ra.Policy.rule..predicate= ou == engineering AND o == netscape.com + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EPolicyException { + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + return PolicyResult.ACCEPTED; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + return null; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return null; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-defaultrevocation" + }; + + return params; + } +} diff --git a/base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java b/base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java new file mode 100644 index 000000000..a08bde78c --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java 
@@ -0,0 +1,216 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.constraints; + +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.EPolicyException; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * IssuerConstraints is a rule for restricting the issuers of the + * certificates used for certificate-based enrollments. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$ $Date$ + */ +public class IssuerConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + private final static String PROP_ISSUER_DN = "issuerDN"; + private static final String CLIENT_ISSUER = "clientIssuer"; + private X500Name mIssuerDN = null; + private String mIssuerDNString; + + /** + * checks the issuer of the ssl client-auth cert. Only one issuer + * is allowed for now + */ + public IssuerConstraints() { + NAME = "IssuerConstraints"; + DESC = "Checks to see if the Issuer is one allowed"; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_ISSUER_DN + + ";string;Subject DN of the Issuer. The IssuerDN of the authenticating cert must match what's specified here", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-issuerconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Rejects the request if the issuer in the certificate is" + + "not of the one specified" + }; + + return params; + + } + + /** + * Initializes this policy rule. + *

+ * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EPolicyException { + try { + mIssuerDNString = config.getString(PROP_ISSUER_DN, null); + if ((mIssuerDNString != null) && + !mIssuerDNString.equals("")) { + mIssuerDN = new X500Name(mIssuerDNString); + } + } catch (Exception e) { + log(ILogger.LL_FAILURE, + NAME + CMS.getLogMessage("CA_GET_ISSUER_NAME_FAILED")); + + String[] params = { getInstanceName(), e.toString() }; + + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params)); + } + CMS.debug( + NAME + ": init() done"); + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + PolicyResult result = PolicyResult.ACCEPTED; + + if (mIssuerDN == null) + return result; + + try { + String clientIssuerDN = req.getExtDataInString(CLIENT_ISSUER); + + if (clientIssuerDN != null) { + X500Name ci_name = new X500Name(clientIssuerDN); + + if (!ci_name.equals(mIssuerDN)) { + setError(req, + CMS.getUserMessage("CMS_POLICY_INVALID_ISSUER", + getInstanceName()), ""); + result = PolicyResult.REJECTED; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CA_GET_ISSUER_NAME_FAILED")); + CMS.debug( + NAME + ": apply() - issuerDN mismatch: client issuerDN = " + clientIssuerDN + + "; expected issuerDN = " + mIssuerDNString); + } + } else { + + // Get the certificate info from the request + X509CertInfo certInfo[] = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (certInfo == null) { + log(ILogger.LL_FAILURE, + NAME + ": apply() - missing certInfo"); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + getInstanceName()), ""); + return PolicyResult.REJECTED; + } + + for (int i = 0; i < certInfo.length; i++) { + String oldIssuer = (String) + certInfo[i].get(X509CertInfo.ISSUER).toString(); + + if (oldIssuer == null) { + setError(req, + CMS.getUserMessage("CMS_POLICY_CLIENT_ISSUER_NOT_FOUND", + getInstanceName()), ""); + result = PolicyResult.REJECTED; + log(ILogger.LL_FAILURE, + NAME + ": apply() - client issuerDN not found"); + } + X500Name oi_name = new X500Name(oldIssuer); + + if (!oi_name.equals(mIssuerDN)) { + setError(req, + CMS.getUserMessage("CMS_POLICY_INVALID_ISSUER", + getInstanceName()), ""); + result = PolicyResult.REJECTED; + log(ILogger.LL_FAILURE, + NAME + ": apply() - cert issuerDN mismatch: client issuerDN = " + oldIssuer + + "; expected issuerDN = " + mIssuerDNString); + } + } + } + } catch (Exception e) { + String params[] = { getInstanceName(), e.toString() }; + + setError(req, 
CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + result = PolicyResult.REJECTED; + } + + if (result.equals(PolicyResult.ACCEPTED)) { + log(ILogger.LL_INFO, + NAME + ": apply() - accepted"); + } + return result; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + Vector confParams = new Vector(); + + confParams.addElement(PROP_ISSUER_DN + "=" + + mIssuerDNString); + return confParams; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + Vector defParams = new Vector(); + + defParams.addElement(PROP_ISSUER_DN + "="); + return defParams; + } + +} diff --git a/base/common/src/com/netscape/cms/policy/constraints/KeyAlgorithmConstraints.java b/base/common/src/com/netscape/cms/policy/constraints/KeyAlgorithmConstraints.java new file mode 100644 index 000000000..3779b16e3 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/constraints/KeyAlgorithmConstraints.java 
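Review bot: In apply(), the `oldIssuer == null` branch can never run and would not stop the loop if it did: `certInfo[i].get(X509CertInfo.ISSUER).toString()` throws a NullPointerException before the check when the issuer is absent, and the code after the branch still falls through to `new X500Name(oldIssuer)`. The request does end up REJECTED, but via the generic catch with CMS_POLICY_UNEXPECTED_POLICY_ERROR rather than the intended CMS_POLICY_CLIENT_ISSUER_NOT_FOUND message, which hides the real cause from the agent and the log. Fetch the raw value first, `Object issuer = certInfo[i].get(X509CertInfo.ISSUER);`, derive `String oldIssuer = (issuer == null) ? null : issuer.toString();`, and end the null branch with `continue;`. Separately, the issuer-mismatch path logs `CA_GET_ISSUER_NAME_FAILED`, which describes a lookup failure rather than a policy rejection; a log message that names the mismatch would make audit review less confusing.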
@@ -0,0 +1,225 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.constraints; + +import java.util.Enumeration; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.X509CertInfo; +import netscape.security.x509.X509Key; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.policy.EPolicyException; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * KeyAlgorithmConstraints enforces a constraint that the RA or a CA + * honor only the keys generated using one of the permitted algorithms + * such as RSA, DSA or DH. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class KeyAlgorithmConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + private Vector mAlgorithms; + private final static String DEF_KEY_ALGORITHM = "RSA,DSA"; + private final static String PROP_ALGORITHMS = "algorithms"; + private final static String[] supportedAlgorithms = + { "RSA", "DSA", "DH" }; + + private final static Vector defConfParams = new Vector(); + + static { + defConfParams.addElement(PROP_ALGORITHMS + "=" + + DEF_KEY_ALGORITHM); + } + + public String[] getExtendedPluginInfo(Locale locale) { + String params[] = { + "algorithms;choice(RSA\\,DSA,RSA,DSA);Certificate's key can be one of these algorithms", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-keyalgorithmconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Rejects the request if the key in the certificate is " + + "not of the type specified" + }; + + return params; + } + + public KeyAlgorithmConstraints() { + NAME = "KeyAlgorithmConstraints"; + DESC = "Enforces Key Algorithm Constraints."; + } + + /** + * Initializes this policy rule. + *

+ * + * The entries probably are of the form ra.Policy.rule..implName=KeyAlgorithmConstraints + * ra.Policy.rule..algorithms=RSA,DSA ra.Policy.rule..enable=true + * ra.Policy.rule..predicate=ou==Sales + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EPolicyException { + + mAlgorithms = new Vector(); + + if (config == null || config.size() == 0) { + mAlgorithms.addElement(DEF_KEY_ALGORITHM); + return; + } + + // Get Algorithm names + String algNames = null; + + try { + algNames = config.getString(PROP_ALGORITHMS, null); + } catch (Exception e) { + String[] params = { getInstanceName(), e.toString() }; + + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params)); + } + + if (algNames == null) { + mAlgorithms.addElement(DEF_KEY_ALGORITHM); + return; + } + StringTokenizer tok = new StringTokenizer(algNames, ","); + + while (tok.hasMoreTokens()) { + String alg = tok.nextToken().trim().toUpperCase(); + + if (alg.length() == 0) + continue; + mAlgorithms.addElement(alg); + } + + // Check if configured algorithms are supported. + for (Enumeration e = mAlgorithms.elements(); e.hasMoreElements();) { + int i; + String configuredAlg = e.nextElement(); + + // See if it is a supported algorithm. + for (i = 0; i < supportedAlgorithms.length; i++) { + if (configuredAlg.equals(supportedAlgorithms[i])) + break; + } + + // Did we not find it? + if (i == supportedAlgorithms.length) + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_UNSUPPORTED_KEY_ALG", + getInstanceName(), configuredAlg)); + } + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + + PolicyResult result = PolicyResult.ACCEPTED; + + try { + // Get the certificate info from the request + // X509CertInfo certInfo[] = (X509CertInfo[]) + // req.get(IRequest.CERT_INFO); + X509CertInfo certInfo[] = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + // We need to have a certificate info set + if (certInfo == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + getInstanceName()), ""); + return PolicyResult.REJECTED; + } + + // Else check if the key algorithm is supported. + for (int i = 0; i < certInfo.length; i++) { + CertificateX509Key certKey = (CertificateX509Key) + certInfo[i].get(X509CertInfo.KEY); + X509Key key = (X509Key) certKey.get(CertificateX509Key.KEY); + String alg = key.getAlgorithmId().getName().toUpperCase(); + + if (!mAlgorithms.contains(alg)) { + setError(req, CMS.getUserMessage("CMS_POLICY_KEY_ALG_VIOLATION", + getInstanceName(), alg), ""); + result = PolicyResult.REJECTED; + } + } + } catch (Exception e) { + String params[] = { getInstanceName(), e.toString() }; + + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + params), ""); + result = PolicyResult.REJECTED; + } + return result; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + Vector v = new Vector(); + StringBuffer sb = new StringBuffer(); + + for (Enumeration e = mAlgorithms.elements(); e.hasMoreElements();) { + sb.append(e.nextElement()); + sb.append(","); + } + if (sb.length() > 0) + sb.setLength(sb.length() - 1); + v.addElement(PROP_ALGORITHMS + "=" + sb.toString()); + return v; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. 
+ */ + public Vector getDefaultParams() { + return defConfParams; + } +} diff --git a/base/common/src/com/netscape/cms/policy/constraints/ManualAuthentication.java b/base/common/src/com/netscape/cms/policy/constraints/ManualAuthentication.java new file mode 100644 index 000000000..3af9e636f --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/constraints/ManualAuthentication.java @@ -0,0 +1,101 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.constraints; + +import java.util.Vector; + +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.policy.EPolicyException; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * ManualAuthentication is an enrollment policy that queues + * all requests for issuing agent's approval if no authentication + * is present. The policy rejects a request if any of the auth tokens + * indicates authentication failure. + *
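Review bot: In init(), both default paths (`config == null || config.size() == 0` and `algNames == null`) add `DEF_KEY_ALGORITHM` to `mAlgorithms` as the single element `"RSA,DSA"` instead of tokenizing it, so `mAlgorithms.contains(alg)` in apply() never matches `"RSA"` or `"DSA"` and every request is rejected with CMS_POLICY_KEY_ALG_VIOLATION when the rule runs with its defaults. That fails closed rather than open, but the default is unusable. Route both cases through the existing tokenizer instead: `if (algNames == null) { algNames = DEF_KEY_ALGORITHM; }` before the `StringTokenizer`, and in the empty-config branch assign the same default and skip the config read rather than returning early. The plugin-info string also hard-codes `"algorithms;choice(RSA\\,DSA,RSA,DSA)..."` while `supportedAlgorithms` accepts `DH` as well; if leaving DH out of the choice list is intentional, a one-line comment saying so would stop the next reader from "fixing" it.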

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class ManualAuthentication extends APolicyRule + implements IEnrollmentPolicy { + public ManualAuthentication() { + NAME = "ManualAuthentication"; + DESC = "Manual Authentication Policy"; + } + + /** + * Initializes this policy rule. + *

+ * + * The entries may be of the form: + * + * ra.Policy.rule..implName=ManualAuthentication ra.Policy.rule..enable=true + * ra.Policy.rule..predicate= ou == engineering AND o == netscape.com + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EPolicyException { + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + IAuthToken authToken = req.getExtDataInAuthToken(IRequest.AUTH_TOKEN); + + if (authToken == null) + return deferred(req); + + return PolicyResult.ACCEPTED; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + return null; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return null; + } +} diff --git a/base/common/src/com/netscape/cms/policy/constraints/RSAKeyConstraints.java b/base/common/src/com/netscape/cms/policy/constraints/RSAKeyConstraints.java new file mode 100644 index 000000000..7c53808c5 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/constraints/RSAKeyConstraints.java 
@@ -0,0 +1,280 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.constraints; + +import java.util.Enumeration; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.security.provider.RSAPublicKey; +import netscape.security.util.BigInt; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.X509CertInfo; +import netscape.security.x509.X509Key; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.policy.EPolicyException; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * RSAKeyConstraints policy enforces min and max size of the key. + * Optionally checks the exponents. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class RSAKeyConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + private Vector mExponents; + private int mMinSize; + private int mMaxSize; + + private final static int DEF_MIN_SIZE = 512; + private final static int DEF_MAX_SIZE = 2048; + private final static String PROP_MIN_SIZE = "minSize"; + private final static String PROP_MAX_SIZE = "maxSize"; + private final static String PROP_EXPONENTS = "exponents"; + private final static String RSA = "RSA"; + + private final static Vector defConfParams = new Vector(); + + static { + defConfParams.addElement(PROP_MIN_SIZE + "=" + DEF_MIN_SIZE); + defConfParams.addElement(PROP_MAX_SIZE + "=" + DEF_MAX_SIZE); + defConfParams.addElement(PROP_EXPONENTS + "=" + " "); + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_MIN_SIZE + ";number;Minimum size of user's RSA key (bits)", + PROP_MAX_SIZE + ";number;Maximum size of user's RSA key (bits)", + PROP_EXPONENTS + ";string;Comma-separated list of permissible exponents", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-rsakeyconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Reject request if RSA key length is not within the " + + "specified constraints" + }; + + return params; + } + + public RSAKeyConstraints() { + NAME = "RSAKeyConstraints"; + DESC = "Enforces RSA Key Constraints."; + } + + /** + * Initializes this policy rule. + *

+ * + * The entries probably are of the form: + * + * ra.Policy.rule..implName=RSAKeyConstraints ra.Policy.rule..enable=true + * ra.Policy.rule..minSize=512 ra.Policy.rule..maxSize=2048 + * ra.Policy.rule..predicate=ou==Marketing + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + + if (config == null || config.size() == 0) + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_MISSING_POLICY_CONFIG", + getInstanceName())); + String exponents = null; + + // Get Min and Max sizes + mMinSize = config.getInteger(PROP_MIN_SIZE, DEF_MIN_SIZE); + mMaxSize = config.getInteger(PROP_MAX_SIZE, DEF_MAX_SIZE); + + if (mMinSize <= 0) + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER", PROP_MIN_SIZE)); + if (mMaxSize <= 0) + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER", PROP_MAX_SIZE)); + + if (mMinSize > mMaxSize) + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_A_GREATER_THAN_EQUAL_B", PROP_MIN_SIZE, PROP_MAX_SIZE)); + + mExponents = new Vector(); + + // Get exponents + exponents = config.getString(PROP_EXPONENTS, null); + + if (exponents != null) { + StringTokenizer tok = new StringTokenizer(exponents, ","); + + try { + while (tok.hasMoreTokens()) { + String exp = tok.nextToken().trim(); + + mExponents.addElement(new BigInt(Integer.parseInt(exp))); + } + } catch (Exception e) { + // e.printStackTrace(); + String[] params = { getInstanceName(), exponents, + PROP_EXPONENTS }; + + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_CONFIG_PARAM", params)); + } + } + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + + PolicyResult result = PolicyResult.ACCEPTED; + + try { + // Get the certificate info from the request + X509CertInfo certInfo[] = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + // There should be a certificate info set. + if (certInfo == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + getInstanceName()), ""); + return PolicyResult.REJECTED; + } + + // Else check if the key size(s) are within the limit. + for (int i = 0; i < certInfo.length; i++) { + CertificateX509Key certKey = (CertificateX509Key) + certInfo[i].get(X509CertInfo.KEY); + X509Key key = (X509Key) certKey.get(CertificateX509Key.KEY); + String alg = key.getAlgorithmId().toString(); + + if (!alg.equalsIgnoreCase(RSA)) + continue; + X509Key newkey = null; + + try { + newkey = new X509Key(AlgorithmId.get("RSA"), + key.getKey()); + } catch (Exception e) { + CMS.debug("RSAKeyConstraints::apply() - " + + "Exception=" + e.toString()); + setError(req, + CMS.getUserMessage("CMS_POLICY_KEY_SIZE_VIOLATION", + getInstanceName()), + ""); + return PolicyResult.REJECTED; + } + RSAPublicKey rsaKey = new RSAPublicKey(newkey.getEncoded()); + int keySize = rsaKey.getKeySize(); + + if (keySize < mMinSize || keySize > mMaxSize) { + String[] params = { getInstanceName(), + String.valueOf(keySize), + String.valueOf(mMinSize), + String.valueOf(mMaxSize) }; + + setError(req, CMS.getUserMessage("CMS_POLICY_KEY_SIZE_VIOLATION", + params), ""); + result = PolicyResult.REJECTED; + } + + // If the exponents are configured, see if the key's + // exponent is a configured one. 
+ if (mExponents.size() > 0) { + BigInt exp = rsaKey.getPublicExponent(); + + if (!mExponents.contains(exp)) { + StringBuffer sb = new StringBuffer(); + + for (Enumeration e = mExponents.elements(); e.hasMoreElements();) { + BigInt bi = (BigInt) e.nextElement(); + + sb.append(bi.toBigInteger().toString()); + sb.append(" "); + } + String[] params = { getInstanceName(), + exp.toBigInteger().toString(), new String(sb) }; + + setError(req, CMS.getUserMessage("CMS_POLICY_EXPONENT_VIOLATION", params), ""); + result = PolicyResult.REJECTED; + } + } + } + } catch (Exception e) { + // e.printStackTrace(); + String params[] = { getInstanceName(), e.toString() }; + + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + result = PolicyResult.REJECTED; + } + return result; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + Vector confParams = new Vector(); + + confParams.addElement(PROP_MIN_SIZE + "=" + mMinSize); + confParams.addElement(PROP_MAX_SIZE + "=" + mMaxSize); + StringBuffer sb = new StringBuffer(); + + for (Enumeration e = mExponents.elements(); e.hasMoreElements();) { + sb.append(e.nextElement().toInt()); + sb.append(","); + } + if (sb.length() > 0) + sb.setLength(sb.length() - 1); + confParams.addElement(PROP_EXPONENTS + "=" + sb.toString()); + return confParams; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return defConfParams; + } +} diff --git a/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java b/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java new file mode 100644 index 000000000..f3e5efc9b --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java 
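Review bot: The algorithm test in apply() compares `key.getAlgorithmId().toString()` against `"RSA"`, whereas KeyAlgorithmConstraints in the same commit uses `getAlgorithmId().getName()`; if `toString()` on that AlgorithmId yields anything other than the bare name (its implementation is not visible here), every key is skipped by the `continue` and the size and exponent limits are silently never enforced, i.e. the rule fails open. Using `String alg = key.getAlgorithmId().getName();` keeps the two rules consistent and removes that doubt. The X509Key construction-failure path a few lines later reports CMS_POLICY_KEY_SIZE_VIOLATION with only the instance name, although the same message is built elsewhere in this method with four parameters (instance, size, min, max); a distinct message, or at least a comment, would keep the agent-facing error truthful. Finally, `DEF_MIN_SIZE = 512` means a deployment that never sets `minSize` accepts RSA keys far below current minimums; a comment on the constant stating that operators are expected to raise it would be worthwhile.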
@@ -0,0 +1,242 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.constraints; + +import java.util.Date; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateValidity; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.policy.EPolicyException; +import com.netscape.certsrv.policy.IRenewalPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Whether to allow renewal of an expired cert. + * + * @version $Revision$, $Date$ + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class RenewalConstraints extends APolicyRule + implements IRenewalPolicy, IExtendedPluginInfo { + + private static final String PROP_ALLOW_EXPIRED_CERTS = "allowExpiredCerts"; + private static final String PROP_RENEWAL_NOT_AFTER = "renewalNotAfter"; + + private boolean mAllowExpiredCerts = true; + private long mRenewalNotAfter = 0; + + public final static int DEF_RENEWAL_NOT_AFTER = 30; + public final static long DAYS_TO_MS_FACTOR = 24L * 3600 * 1000; + + private final static Vector defConfParams = new Vector(); + static { + defConfParams.addElement(PROP_ALLOW_EXPIRED_CERTS + "=" + true); + defConfParams.addElement(PROP_RENEWAL_NOT_AFTER + "=" + + DEF_RENEWAL_NOT_AFTER); + } + + public RenewalConstraints() { + NAME = "RenewalConstraints"; + DESC = "Whether to allow renewal of expired certs."; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_ALLOW_EXPIRED_CERTS + ";boolean;Allow a user to renew an already-expired certificate", + PROP_RENEWAL_NOT_AFTER + + ";number;Number of days since certificate expiry after which renewal request would be rejected", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-renewalconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Permit administrator to decide policy on whether to " + + "permit renewals for already-expired certificates" + }; + + return params; + + } + + /** + * Initializes this policy rule. + *

+ * + * The entries probably are of the form: + * + * ra.Policy.rule..implName=ValidityConstraints ra.Policy.rule..enable=true + * ra.Policy.rule..allowExpiredCerts=true + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EPolicyException { + // Get min and max validity in days and configure them. + try { + mAllowExpiredCerts = + config.getBoolean(PROP_ALLOW_EXPIRED_CERTS, true); + String val = config.getString(PROP_RENEWAL_NOT_AFTER, null); + + if (val == null) + mRenewalNotAfter = DEF_RENEWAL_NOT_AFTER * DAYS_TO_MS_FACTOR; + else { + mRenewalNotAfter = Long.parseLong(val) * DAYS_TO_MS_FACTOR; + } + + } catch (EBaseException e) { + // never happen. + } + + CMS.debug("RenewalConstraints: allow expired certs " + mAllowExpiredCerts); + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + PolicyResult result = PolicyResult.ACCEPTED; + + try { + // Get the certificates being renwed. + X509CertImpl[] oldCerts = + req.getExtDataInCertArray(IRequest.OLD_CERTS); + + if (oldCerts == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_OLD_CERT", + getInstanceName()), ""); + return PolicyResult.REJECTED; + } + + if (mAllowExpiredCerts) { + CMS.debug("checking validity of each cert"); + // check if each cert to be renewed is expired for more than // allowed days. + for (int i = 0; i < oldCerts.length; i++) { + X509CertInfo oldCertInfo = (X509CertInfo) + oldCerts[i].get(X509CertImpl.NAME + "." + + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) + oldCertInfo.get(X509CertInfo.VALIDITY); + Date notAfter = (Date) + oldValidity.get(CertificateValidity.NOT_AFTER); + + // Is the Certificate eligible for renewal ? + + Date now = CMS.getCurrentDate(); + + Date renewedNotAfter = new Date(notAfter.getTime() + + mRenewalNotAfter); + + CMS.debug("RenewalConstraints: cert " + i + " renewedNotAfter " + renewedNotAfter + " now=" + now); + + if (renewedNotAfter.before(now)) { + CMS.debug( + "One or more certificates is expired for more than " + + (mRenewalNotAfter / DAYS_TO_MS_FACTOR) + " days"); + String params[] = { getInstanceName(), Long.toString(mRenewalNotAfter / DAYS_TO_MS_FACTOR) }; + + setError(req, + CMS.getUserMessage("CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS_AFTER_ALLOWED_PERIOD", + params), ""); + return PolicyResult.REJECTED; + } + } + return PolicyResult.ACCEPTED; + } + + CMS.debug("RenewalConstraints: checking validity of each cert"); + // check if each cert to be renewed is expired. + for (int i = 0; i < oldCerts.length; i++) { + X509CertInfo oldCertInfo = (X509CertInfo) + oldCerts[i].get( + X509CertImpl.NAME + "." 
+ X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) + oldCertInfo.get(X509CertInfo.VALIDITY); + Date notAfter = (Date) + oldValidity.get(CertificateValidity.NOT_AFTER); + + // Is the Certificate still valid? + Date now = CMS.getCurrentDate(); + + CMS.debug("RenewalConstraints: cert " + i + " notAfter " + notAfter + " now=" + now); + if (notAfter.before(now)) { + CMS.debug( + "RenewalConstraints: One or more certificates is expired."); + String params[] = { getInstanceName() }; + + setError(req, + CMS.getUserMessage("CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS", + params), ""); + result = PolicyResult.REJECTED; + break; + } + } + + } catch (Exception e) { + String params[] = { getInstanceName(), e.toString() }; + + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + result = PolicyResult.REJECTED; + } + return result; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + Vector confParams = new Vector(); + + confParams.addElement( + PROP_ALLOW_EXPIRED_CERTS + "=" + mAllowExpiredCerts); + confParams.addElement(PROP_RENEWAL_NOT_AFTER + "=" + + mRenewalNotAfter / DAYS_TO_MS_FACTOR); + return confParams; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return defConfParams; + } +} diff --git a/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java b/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java new file mode 100644 index 000000000..0265ff855 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java 
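Review bot: init() only catches `EBaseException` (and swallows it under a "never happen" comment), but `Long.parseLong(val)` on the `renewalNotAfter` value throws `NumberFormatException`, which is unchecked and escapes init(), so a mistyped value takes the rule down with a stack trace instead of the EPolicyException the other rules raise for bad configuration; a negative value is also accepted and turns the grace period into a cutoff before expiry. Declare `val` outside the try, then add `} catch (NumberFormatException e) { throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_INVALID_CONFIG_PARAM", new String[] { getInstanceName(), val, PROP_RENEWAL_NOT_AFTER })); }` next to the existing catch, and reject `mRenewalNotAfter < 0` with the same message. The swallowed EBaseException branch deserves at least a `CMS.debug` including `e.toString()` so a failed config read is not invisible. The class Javadoc also carries two `@version` tags.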
@@ -0,0 +1,351 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.policy.constraints;
+
+import java.util.Date;
+import java.util.Locale;
+import java.util.Vector;
+
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.policy.EPolicyException;
+import com.netscape.certsrv.policy.IRenewalPolicy;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.PolicyResult;
+import com.netscape.cms.policy.APolicyRule;
+import com.netscape.cmsutil.util.Utils;
+
+/**
+ * RenewalValidityConstraints is a default rule for Certificate
+ * Renewal. This policy enforces the no of days before which a
+ * currently active certificate can be renewed and sets new validity
+ * period for the renewed certificate starting from the the ending
+ * period in the old certificate.
+ *
+ * The main parameters are:
+ *
+ * The renewal leadtime in days: - i.e how many days before the
+ * expiry of the current certificate can one request the renewal.
+ * min and max validity duration.
+ *

+ *
+ *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class RenewalValidityConstraints extends APolicyRule + implements IRenewalPolicy, IExtendedPluginInfo { + private long mMinValidity; + private long mMaxValidity; + private long mRenewalInterval; + + private final static String PROP_MIN_VALIDITY = "minValidity"; + private final static String PROP_MAX_VALIDITY = "maxValidity"; + private final static String PROP_RENEWAL_INTERVAL = "renewalInterval"; + public final static int DEF_MIN_VALIDITY = 180; + public final static int DEF_MAX_VALIDITY = 730; + public final static long DEF_RENEWAL_INTERVAL = 15; + public final static long DAYS_TO_MS_FACTOR = 24L * 3600 * 1000; + public static final String CERT_HEADER = "-----BEGIN CERTIFICATE-----\n"; + public static final String CERT_TRAILER = "-----END CERTIFICATE-----\n"; + + private final static Vector defConfParams = new Vector(); + + static { + defConfParams.addElement(PROP_MIN_VALIDITY + "=" + + DEF_MIN_VALIDITY); + defConfParams.addElement(PROP_MAX_VALIDITY + "=" + + DEF_MAX_VALIDITY); + defConfParams.addElement(PROP_RENEWAL_INTERVAL + "=" + + DEF_RENEWAL_INTERVAL); + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_MIN_VALIDITY + + ";number;Specifies the minimum validity period, in days, for renewed certificates.", + PROP_MAX_VALIDITY + + ";number;Specifies the maximum validity period, in days, for renewed certificates.", + PROP_RENEWAL_INTERVAL + + ";number;Specifies how many days before its expiration that a certificate can be renewed.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-renewalvalidityconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Reject renewal request if the certificate is too far " + + "before it's expiry date" + }; + + return params; + + } + + public RenewalValidityConstraints() { + NAME = "RenewalValidityConstraints"; + DESC = "Enforces minimum and maximum validity and renewal interval for certificate renewal."; + } + + /** 
+ * Initializes this policy rule.
+ *

+ * + * The entries probably are of the form: + * + * ra.Policy.rule..implName=ValidityConstraints ra.Policy.rule..enable=true + * ra.Policy.rule..minValidity=30 ra.Policy.rule..maxValidity=180 + * ra.Policy.rule..renewalInterval=15 ra.Policy.rule..predicate=ou==Sales + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EPolicyException { + + // Get min and max validity in days and onfigure them. + try { + String val = config.getString(PROP_MIN_VALIDITY, null); + + if (val == null) + mMinValidity = DEF_MIN_VALIDITY * DAYS_TO_MS_FACTOR; + else + mMinValidity = Long.parseLong(val) * DAYS_TO_MS_FACTOR; + + val = config.getString(PROP_MAX_VALIDITY, null); + if (val == null) + mMaxValidity = DEF_MAX_VALIDITY * DAYS_TO_MS_FACTOR; + else { + mMaxValidity = Long.parseLong(val) * DAYS_TO_MS_FACTOR; + } + val = config.getString(PROP_RENEWAL_INTERVAL, null); + if (val == null) + mRenewalInterval = DEF_RENEWAL_INTERVAL * DAYS_TO_MS_FACTOR; + else { + mRenewalInterval = Long.parseLong(val) * DAYS_TO_MS_FACTOR; + } + + // minValidity can't be bigger than maxValidity. + if (mMinValidity > mMaxValidity) { + String params[] = { getInstanceName(), + String.valueOf(mMinValidity / DAYS_TO_MS_FACTOR), + String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) }; + + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_RENEWAL_MIN_MAX", params)); + } + + // Renewal interval can't be more than maxValidity. 
+ if (mRenewalInterval > mMaxValidity) { + String params[] = { getInstanceName(), + String.valueOf(mRenewalInterval / DAYS_TO_MS_FACTOR), + String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) }; + + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_RENEWAL_INTERVAL", params)); + } + } catch (Exception e) { + // e.printStackTrace(); + String[] params = { getInstanceName(), e.toString() }; + + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params)); + } + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + + PolicyResult result = PolicyResult.ACCEPTED; + + if (agentApproved(req)) + return result; + + try { + // Get the certificate info from the request + X509CertInfo certInfo[] = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + // Get the certificates being renwed. + X509CertImpl currentCerts[] = + req.getExtDataInCertArray(IRequest.OLD_CERTS); + + // Both certificate info and current certs should be set + if (certInfo == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + getInstanceName()), ""); + return PolicyResult.REJECTED; + } + if (currentCerts == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_OLD_CERT", + getInstanceName()), ""); + return PolicyResult.REJECTED; + } + if (certInfo.length != currentCerts.length) { + setError(req, CMS.getUserMessage("CMS_POLICY_MISMATCHED_CERTINFO", + getInstanceName()), ""); + return PolicyResult.REJECTED; + } + + // Else check if the renewal interval is okay and then + // set the validity. + for (int i = 0; i < certInfo.length; i++) { + X509CertInfo oldCertInfo = (X509CertInfo) + currentCerts[i].get(X509CertImpl.NAME + + "." + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) + oldCertInfo.get(X509CertInfo.VALIDITY); + Date notAfter = (Date) + oldValidity.get(CertificateValidity.NOT_AFTER); + + // Is the Certificate still valid? + Date now = CMS.getCurrentDate(); + + if (notAfter.after(now)) { + // Check if the renewal interval is alright. 
+ long interval = notAfter.getTime() - now.getTime(); + + if (interval > mRenewalInterval) { + setError(req, + CMS.getUserMessage("CMS_POLICY_LONG_RENEWAL_LEAD_TIME", + getInstanceName(), + String.valueOf(mRenewalInterval / DAYS_TO_MS_FACTOR)), ""); + setError(req, + CMS.getUserMessage("CMS_POLICY_EXISTING_CERT_DETAILS", + getInstanceName(), + getCertDetails(req, currentCerts[i])), ""); + + result = PolicyResult.REJECTED; + setDummyValidity(certInfo[i]); + continue; + } + } + + // Else compute new validity. + Date renewedNotBef = notAfter; + Date renewedNotAfter = new Date(notAfter.getTime() + + mMaxValidity); + + // If the new notAfter is within renewal interval days from + // today or already expired, set the notBefore to today. + if (renewedNotAfter.before(now) || + (renewedNotAfter.getTime() - now.getTime()) <= + mRenewalInterval) { + renewedNotBef = now; + renewedNotAfter = new Date(now.getTime() + + mMaxValidity); + } + CertificateValidity newValidity = + new CertificateValidity(renewedNotBef, renewedNotAfter); + + certInfo[i].set(X509CertInfo.VALIDITY, newValidity); + } + } catch (Exception e) { + String params[] = { getInstanceName(), e.toString() }; + + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + result = PolicyResult.REJECTED; + } + return result; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + Vector confParams = new Vector(); + + confParams.addElement(PROP_MIN_VALIDITY + "=" + + mMinValidity / DAYS_TO_MS_FACTOR); + confParams.addElement(PROP_MAX_VALIDITY + "=" + + mMaxValidity / DAYS_TO_MS_FACTOR); + confParams.addElement(PROP_RENEWAL_INTERVAL + "=" + + mRenewalInterval / DAYS_TO_MS_FACTOR); + return confParams; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. 
+ */ + public Vector getDefaultParams() { + return defConfParams; + } + + // Set dummy validity field so the request will serialize properly + private void setDummyValidity(X509CertInfo certInfo) { + try { + certInfo.set(X509CertInfo.VALIDITY, + new CertificateValidity(CMS.getCurrentDate(), new Date())); + } catch (Exception e) { + } + } + + private String getCertDetails(IRequest req, X509CertImpl cert) { + StringBuffer sb = new StringBuffer(); + + sb.append("\n"); + sb.append("Serial No: " + cert.getSerialNumber().toString(16)); + sb.append("\n"); + sb.append("Validity: " + cert.getNotBefore().toString() + + " - " + cert.getNotAfter().toString()); + sb.append("\n"); + String certType = req.getExtDataInString(IRequest.CERT_TYPE); + + if (certType == null) + certType = IRequest.SERVER_CERT; + if (certType.equals(IRequest.CLIENT_CERT)) { + + /*** + * Take this our - URL formulation hard to do here. + * sb.append("Use the following url with your CA/RA gateway spec to download the certificate."); + * sb.append("\n"); + * sb.append("/query/certImport?op=displayByserial&serialNumber="); + * sb.append(cert.getSerialNumber().toString(16)); + ***/ + sb.append("\n"); + } else { + sb.append("Certificate Content is as follows:"); + sb.append("\n"); + try { + byte[] ba = cert.getEncoded(); + String encodedCert = Utils.base64encode(ba); + + sb.append(CERT_HEADER + encodedCert + CERT_TRAILER); + } catch (Exception e) { + //throw new AssertionException(e.toString()); + } + } + return sb.toString(); + } +} diff --git a/base/common/src/com/netscape/cms/policy/constraints/RevocationConstraints.java b/base/common/src/com/netscape/cms/policy/constraints/RevocationConstraints.java new file mode 100644 index 000000000..513e199c4 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/constraints/RevocationConstraints.java 
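Review bot: In init() the two range checks throw EPolicyException with the specific messages CMS_POLICY_INVALID_RENEWAL_MIN_MAX and CMS_POLICY_INVALID_RENEWAL_INTERVAL from inside the same try whose `catch (Exception e)` rethrows everything as CMS_POLICY_INVALID_POLICY_CONFIG, so the specific message only survives as `e.toString()` embedded in the generic one. Adding `} catch (EPolicyException e) { throw e;` ahead of the generic catch, or moving the two checks after the try/catch, keeps the intended message. The parsed values are also never checked to be positive: `Long.parseLong` accepts negative day counts, and a negative maxValidity would make apply() compute a renewedNotAfter that precedes the old notAfter and, after the reset to now, a notAfter that precedes notBefore. Separately, setDummyValidity() and the getEncoded() branch of getCertDetails() have empty catch blocks; at minimum a `CMS.debug(...)` of the exception would make a failed validity reset or encoding visible in the logs. This file is added whole by the move, so these appear to be pre-existing issues rather than something this commit introduces.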
@@ -0,0 +1,215 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.policy.constraints;
+
+import java.util.Date;
+import java.util.Locale;
+import java.util.Vector;
+
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.policy.EPolicyException;
+import com.netscape.certsrv.policy.IRevocationPolicy;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.PolicyResult;
+import com.netscape.cms.policy.APolicyRule;
+
+/**
+ * Whether to allow revocation of an expired cert.
+ *

+ *
+ *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class RevocationConstraints extends APolicyRule + implements IRevocationPolicy, IExtendedPluginInfo { + private static final String PROP_ALLOW_EXPIRED_CERTS = "allowExpiredCerts"; + private static final String PROP_ALLOW_ON_HOLD = "allowOnHold"; + + private boolean mAllowExpiredCerts = true; + private boolean mAllowOnHold = true; + + private final static Vector defConfParams = new Vector(); + static { + defConfParams.addElement(PROP_ALLOW_EXPIRED_CERTS + "=" + true); + defConfParams.addElement(PROP_ALLOW_ON_HOLD + "=" + true); + } + + public RevocationConstraints() { + NAME = "RevocationConstraints"; + DESC = "Whether to allow revocation of expired certs and on-hold."; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_ALLOW_EXPIRED_CERTS + ";boolean;Allow a user to revoke an already-expired certificate", + PROP_ALLOW_ON_HOLD + ";boolean;Allow a user to set reason to On-Hold", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-revocationconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Allow administrator to decide policy on whether to allow " + + "recovation of expired certificates" + + "and set reason to On-Hold" + + }; + + return params; + + } + + /** + * Initializes this policy rule. + *

+ * + * The entries probably are of the form: + * + * ra.Policy.rule..implName=ValidityConstraints ra.Policy.rule..enable=true + * ra.Policy.rule..allowExpiredCerts=true + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EPolicyException { + // Get min and max validity in days and onfigure them. + try { + mAllowExpiredCerts = + config.getBoolean(PROP_ALLOW_EXPIRED_CERTS, true); + mAllowOnHold = + config.getBoolean(PROP_ALLOW_ON_HOLD, true); + } catch (EBaseException e) { + // never happen. + } + + CMS.debug("RevocationConstraints: allow expired certs " + mAllowExpiredCerts); + CMS.debug("RevocationConstraints: allow on hold " + mAllowOnHold); + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + CMS.debug("RevocationConstraints: apply begins"); + if (req.getExtDataInInteger(IRequest.REVOKED_REASON) == null) { + CMS.debug("RevocationConstraints: apply: no revocationReason found in request"); + return PolicyResult.REJECTED; + } + RevocationReason rr = RevocationReason.fromInt( + req.getExtDataInInteger(IRequest.REVOKED_REASON).intValue()); + + if (!mAllowOnHold && (rr != null)) { + int reason = rr.toInt(); + + if (reason == RevocationReason.CERTIFICATE_HOLD.toInt()) { + String params[] = { getInstanceName() }; + + setError(req, CMS.getUserMessage("CMS_POLICY_NO_ON_HOLD_ALLOWED", params), ""); + return PolicyResult.REJECTED; + } + } + + if (mAllowExpiredCerts) + // nothing to check. + return PolicyResult.ACCEPTED; + + PolicyResult result = PolicyResult.ACCEPTED; + + try { + // Get the certificates being renwed. + X509CertImpl[] oldCerts = + req.getExtDataInCertArray(IRequest.OLD_CERTS); + + if (oldCerts == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_OLD_CERT"), + getInstanceName()); + return PolicyResult.REJECTED; + } + + // check if each cert to be renewed is expired. + for (int i = 0; i < oldCerts.length; i++) { + X509CertInfo oldCertInfo = (X509CertInfo) + oldCerts[i].get( + X509CertImpl.NAME + "." + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) + oldCertInfo.get(X509CertInfo.VALIDITY); + Date notAfter = (Date) + oldValidity.get(CertificateValidity.NOT_AFTER); + + // Is the Certificate still valid? 
+ Date now = CMS.getCurrentDate(); + + if (notAfter.before(now)) { + String params[] = { getInstanceName() }; + + setError(req, + CMS.getUserMessage("CMS_POLICY_CANNOT_REVOKE_EXPIRED_CERTS", + params), ""); + result = PolicyResult.REJECTED; + break; + } + } + + } catch (Exception e) { + String params[] = { getInstanceName(), e.toString() }; + + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + result = PolicyResult.REJECTED; + } + return result; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + Vector confParams = new Vector(); + + confParams.addElement( + PROP_ALLOW_EXPIRED_CERTS + "=" + mAllowExpiredCerts); + confParams.addElement( + PROP_ALLOW_ON_HOLD + "=" + mAllowOnHold); + return confParams; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return defConfParams; + } +} diff --git a/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java b/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java new file mode 100644 index 000000000..8b504eb50 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java 
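Review bot: In apply(), the no-old-cert branch calls `setError(req, CMS.getUserMessage("CMS_POLICY_NO_OLD_CERT"), getInstanceName());`, passing the instance name as setError's third argument instead of as the message parameter, unlike the same branch in RenewalValidityConstraints and in the preceding RenewalConstraints hunk; it should read `setError(req, CMS.getUserMessage("CMS_POLICY_NO_OLD_CERT", getInstanceName()), "");`. In init(), `catch (EBaseException e) { // never happen. }` silently leaves both flags at their initial value of true if config.getBoolean() does fail, so a malformed allowExpiredCerts or allowOnHold value yields the most permissive setting without any log line; a `CMS.debug(...)` of the exception, or rethrowing as the EPolicyException the method already declares, would surface that. The comment above that try block, "Get min and max validity in days and onfigure them.", is copied from the validity rules and does not describe this code.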
@@ -0,0 +1,449 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.policy.constraints;
+
+import java.util.Locale;
+import java.util.StringTokenizer;
+import java.util.Vector;
+
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.CertificateAlgorithmId;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authority.IAuthority;
+import com.netscape.certsrv.authority.ICertAuthority;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.policy.EPolicyException;
+import com.netscape.certsrv.policy.IEnrollmentPolicy;
+import com.netscape.certsrv.policy.IPolicyProcessor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.PolicyResult;
+import com.netscape.cms.policy.APolicyRule;
+
+/**
+ * SigningAlgorithmConstraints enforces that only a supported
+ * signing algorithm be requested.
+ *

+ *
+ *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class SigningAlgorithmConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + private String[] mAllowedAlgs = null; // algs allowed by this policy + static String[] mDefaultAllowedAlgs = null; // default algs allowed by this policy based on CA's key + private String[] mConfigAlgs = null; // algs listed in config file + private boolean winnowedByKey = false; + IAuthority mAuthority = null; + private final static String PROP_ALGORITHMS = "algorithms"; + + private final static Vector defConfParams = new Vector(); + + static { + StringBuffer sb = new StringBuffer(); + sb.append(PROP_ALGORITHMS); + sb.append("="); + int i = 0; + boolean first = true; + + mDefaultAllowedAlgs = new String[AlgorithmId.ALL_SIGNING_ALGORITHMS.length]; + for (i = 0; i < AlgorithmId.ALL_SIGNING_ALGORITHMS.length; i++) { + mDefaultAllowedAlgs[i] = AlgorithmId.ALL_SIGNING_ALGORITHMS[i]; + if (first == true) { + sb.append(AlgorithmId.ALL_SIGNING_ALGORITHMS[i]); + first = false; + } else { + sb.append(","); + sb.append(AlgorithmId.ALL_SIGNING_ALGORITHMS[i]); + } + } + defConfParams.addElement(sb.toString()); + } + + public SigningAlgorithmConstraints() { + NAME = "SigningAlgorithmConstraints"; + DESC = "Enforces Signing Algorithm Constraints."; + } + + /** + * Initializes this policy rule. + *

+ * + * The entries probably are of the form ra.Policy.rule..implName=SigningAlgorithmConstraints + * ra.Policy.rule..algorithms=SHA-1WithRSA, SHA-1WithDSA ra.Policy.rule..enable=true + * ra.Policy.rule..predicate=ou==Sales + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mAuthority = (IAuthority) ((IPolicyProcessor) owner).getAuthority(); + + // Get allowed algorithms from config file + if (config != null) { + String algNames = null; + + try { + algNames = config.getString(PROP_ALGORITHMS, null); + } catch (Exception e) { + String[] params = { getInstanceName(), e.toString(), PROP_ALGORITHMS }; + + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_PARAM_CONFIG_ERROR", params)); + } + + if (algNames != null) { + // parse alg names into Vector + StringTokenizer tok = new StringTokenizer(algNames, ","); + Vector algs = new Vector(); + + while (tok.hasMoreTokens()) { + algs.addElement(tok.nextToken().trim()); + } + + // convert to array for speedy traversals during apply() + int itemCount = algs.size(); + + mAllowedAlgs = new String[itemCount]; + for (int i = 0; i < itemCount; i++) { + mAllowedAlgs[i] = (String) algs.elementAt(i); + } + + } + + } + + // these are the algorithms from the config file + mConfigAlgs = mAllowedAlgs; + if (mConfigAlgs == null) { + mConfigAlgs = new String[0]; + } + + if (mAllowedAlgs != null) { + // winnow out unknown algorithms + winnowAlgs(AlgorithmId.ALL_SIGNING_ALGORITHMS, + "CMS_POLICY_UNKNOWN_SIGNING_ALG", true); + } else { + // if nothing was in the config file, allow all known algs + mAllowedAlgs = AlgorithmId.ALL_SIGNING_ALGORITHMS; + } + + // winnow out algorithms that don't make sense for the key + winnowByKey(); + + if (mAllowedAlgs.length == 0) { + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY", NAME)); + } + + } + + /** + * winnow out algorithms that don't make sense for the CA's key + */ 
+ private synchronized void winnowByKey() throws EBaseException { + // only do this successfully once + if (winnowedByKey) { + return; + } + + // don't do this ever for DRM + if (!(mAuthority instanceof ICertAuthority)) { + winnowedByKey = true; + return; + } + + // get list of algorithms allowed for the key + String[] allowedByKey = + ((ICertAuthority) mAuthority).getCASigningAlgorithms(); + + if (allowedByKey != null) { + // don't show algorithms that don't match CA's key in UI. + mDefaultAllowedAlgs = new String[allowedByKey.length]; + for (int i = 0; i < allowedByKey.length; i++) + mDefaultAllowedAlgs[i] = allowedByKey[i]; + // winnow out algorithms that don't match CA's signing key + winnowAlgs(allowedByKey, + "CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY_1", false); + winnowedByKey = true; + } else { + // We don't know the CA's signing algorithms. Maybe we're + // an RA that hasn't talked to the CA yet? Try again later. + } + } + + /** + * Winnows out of mAllowedAlgorithms those algorithms that aren't allowed + * for some reason. + * + * @param allowed An array of allowed algorithms. Only algorithms in this + * list will survive the winnowing process. + * @param reason A string describing the problem with an algorithm + * that is not allowed by this list. Must be a predefined string in PolicyResources. 
+ */ + private void winnowAlgs(String[] allowed, String reason, boolean isError) + throws EBaseException { + int i, j, goodSize; + + // validate the currently-allowed algorithms + Vector goodAlgs = new Vector(); + + for (i = 0; i < mAllowedAlgs.length; i++) { + for (j = 0; j < allowed.length; j++) { + if (mAllowedAlgs[i].equals(allowed[j])) { + goodAlgs.addElement(mAllowedAlgs[i]); + break; + } + } + // if algorithm is not allowed, log a warning + if (j == allowed.length) { + EPolicyException e = new EPolicyException(CMS.getUserMessage(reason, NAME, mAllowedAlgs[i])); + + if (isError) { + log(ILogger.LL_FAILURE, e.toString()); + throw new EPolicyException(CMS.getUserMessage(reason, + NAME, mAllowedAlgs[i])); + } else { + log(ILogger.LL_WARN, e.toString()); + } + } + } + + // convert back into an array + goodSize = goodAlgs.size(); + if (mAllowedAlgs.length != goodSize) { + mAllowedAlgs = new String[goodSize]; + for (i = 0; i < goodSize; i++) { + mAllowedAlgs[i] = (String) goodAlgs.elementAt(i); + } + } + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + int i, j; + + PolicyResult result = PolicyResult.ACCEPTED; + + try { + + // Get the certificate info from the request + //X509CertInfo certInfo[] = (X509CertInfo[]) + // req.get(IRequest.CERT_INFO); + X509CertInfo certInfo[] = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + // We need to have a certificate info set + if (certInfo == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + getInstanceName()), ""); + return PolicyResult.REJECTED; + } + + // Else check if the key algorithm is supported. + for (i = 0; i < certInfo.length; i++) { + // make sure our list of allowed algorithms makes + // sense for our key. Do this each time. + if (!winnowedByKey) { + winnowByKey(); + } + + CertificateAlgorithmId certAlgId = (CertificateAlgorithmId) + certInfo[i].get(X509CertInfo.ALGORITHM_ID); + + AlgorithmId algId = (AlgorithmId) + certAlgId.get(CertificateAlgorithmId.ALGORITHM); + String alg = algId.getName(); + + // test against the list of allowed algorithms + for (j = 0; j < mAllowedAlgs.length; j++) { + if (mAllowedAlgs[j].equals(alg)) { + break; + } + } + if (j == mAllowedAlgs.length) { + // if the algor doesn't match the CA's key replace + // it with one that does. 
+ if (mAllowedAlgs[0].equals("SHA1withDSA") || + alg.equals("SHA1withDSA")) { + certInfo[i].set(X509CertInfo.ALGORITHM_ID, + new CertificateAlgorithmId( + AlgorithmId.get(mAllowedAlgs[0]))); + return PolicyResult.ACCEPTED; + } + + // didn't find a match, alg not allowed + setError(req, CMS.getUserMessage("CMS_POLICY_SIGNING_ALG_VIOLATION", + getInstanceName(), alg), ""); + result = PolicyResult.REJECTED; + } + } + } catch (Exception e) { + // e.printStackTrace(); + String params[] = { getInstanceName(), e.toString() }; + + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + params), ""); + result = PolicyResult.REJECTED; + } + return result; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + Vector confParams = new Vector(); + StringBuffer sb = new StringBuffer(); + + for (int i = 0; i < mConfigAlgs.length; i++) { + sb.append(mConfigAlgs[i]); + sb.append(","); + } + if (sb.length() > 0) + sb.setLength(sb.length() - 1); + confParams.addElement(PROP_ALGORITHMS + "=" + sb.toString()); + return confParams; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. 
+ */ + public Vector getDefaultParams() { + StringBuffer sb = new StringBuffer(); + sb.append(PROP_ALGORITHMS); + sb.append("="); + boolean first = true; + + defConfParams.removeAllElements(); + + for (int i = 0; i < mDefaultAllowedAlgs.length; i++) { + if (first == true) { + sb.append(mDefaultAllowedAlgs[i]); + first = false; + } else { + sb.append(","); + sb.append(mDefaultAllowedAlgs[i]); + } + } + defConfParams.addElement(sb.toString()); + + return defConfParams; + } + + public String[] getExtendedPluginInfo(Locale locale) { + if (!winnowedByKey) { + try { + winnowByKey(); + } catch (Exception e) { + } + } + + String[] params = null; + + String[] params_BOTH = { + PROP_ALGORITHMS + + ";" + + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA256withRSA\\,SHA512withRSA\\,SHA1withDSA," + + + "MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA1withDSA," + + "MD2withRSA\\,MD5withRSA\\,SHA1withRSA," + + "MD2withRSA\\,SHA1withRSA\\,SHA1withDSA," + + "MD5withRSA\\,SHA1withRSA\\,SHA1withDSA," + + "MD2withRSA\\,MD5withRSA\\,SHA1withDSA," + + "MD2withRSA\\,MD5withRSA," + + "MD2withRSA\\,SHA1withRSA," + + "MD2withRSA\\,SHA1withDSA," + + "MD5withRSA\\,SHA1withRSA," + + "MD5withRSA\\,SHA1withDSA," + + "SHA1withRSA\\,SHA1withDSA," + + "MD2withRSA," + + "MD5withRSA," + + "SHA1withRSA," + + "SHA1withDSA);List of algorithms to restrict the requested signing algorithm " + + "to be one of the algorithms supported by Certificate System", + IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Restricts the requested signing algorithm to be one of" + + " the algorithms supported by Certificate System" + }; + + String[] params_RSA = { + PROP_ALGORITHMS + ";" + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA," + + "MD2withRSA\\,MD5withRSA," + + "MD2withRSA\\,SHA1withRSA," + + "MD5withRSA\\,SHA1withRSA," + + "MD2withRSA," + + "MD5withRSA," + + "SHA1withRSA);Restrict the requested signing algorithm to be " + + "one of the 
algorithms supported by Certificate System", + IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Restricts the requested signing algorithm to be one of" + + " the algorithms supported by Certificate System" + }; + + String[] params_DSA = { + PROP_ALGORITHMS + ";" + "choice(SHA1withDSA);Restrict the requested signing " + + "algorithm to be one of the algorithms supported by Certificate " + + "System", + IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Restricts the requested signing algorithm to be one of" + + " the algorithms supported by Certificate System" + }; + + switch (mDefaultAllowedAlgs.length) { + case 1: + params = params_DSA; + break; + + case 3: + params = params_RSA; + break; + + case 4: + default: + params = params_BOTH; + break; + + } + + return params; + } + +} diff --git a/base/common/src/com/netscape/cms/policy/constraints/SubCANameConstraints.java b/base/common/src/com/netscape/cms/policy/constraints/SubCANameConstraints.java new file mode 100644 index 000000000..da63f6f24 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/constraints/SubCANameConstraints.java 
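Review bot: In apply(), the `return PolicyResult.ACCEPTED;` inside the SHA1withDSA substitution branch exits the method from within the `for (i = 0; i < certInfo.length; i++)` loop, so when a request carries several certificate infos the entries after the substituted one are never checked against mAllowedAlgs; the branch should `continue;` instead and let the loop finish. That substitution also rewrites the requested algorithm to `mAllowedAlgs[0]` silently, with no setError or log entry, which makes it hard to tell from the request afterwards that the signing algorithm was changed by policy; a `CMS.debug(...)` naming the original and the replacement algorithm would help. getDefaultParams() calls `defConfParams.removeAllElements()` on the static shared Vector and then refills it, so concurrent callers across instances can observe an empty or half-built list; building a fresh Vector per call avoids that. The choice lists in getExtendedPluginInfo() still offer MD2withRSA and MD5withRSA as selectable signing algorithms, which is worth flagging given the age of those digests, though the list is inherited with the move rather than introduced here.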
@@ -0,0 +1,195 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.constraints; + +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authority.ICertAuthority; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.policy.IPolicyProcessor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.certsrv.security.ISigningUnit; +import com.netscape.cms.policy.APolicyRule; + +/** + * This simple policy checks the subordinate CA CSR to see + * if it is the same as the local CA. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class SubCANameConstraints extends APolicyRule implements IEnrollmentPolicy, IExtendedPluginInfo { + public ICertificateAuthority mCA = null; + public String mIssuerNameStr = null; + + public SubCANameConstraints() { + NAME = "SubCANameConstraints"; + DESC = "Enforces Subordinate CA name."; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-subcanamecheck", + IExtendedPluginInfo.HELP_TEXT + + ";Checks if subordinate CA request matches the local CA. There are no parameters to change" + }; + + return params; + + } + + /** + * Initializes this policy rule. + *

+ * + * The entries probably are of the form ra.Policy.rule..implName=KeyAlgorithmConstraints + * ra.Policy.rule..algorithms=RSA,DSA ra.Policy.rule..enable=true + * ra.Policy.rule..predicate=ou==Sales + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + // get CA's public key to create authority key id. + ICertAuthority certAuthority = (ICertAuthority) + ((IPolicyProcessor) owner).getAuthority(); + + if (certAuthority == null) { + // should never get here. + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Cannot find the Certificate Manager")); + } + if (!(certAuthority instanceof ICertificateAuthority)) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Cannot find the Certificate Manager")); + } + mCA = (ICertificateAuthority) certAuthority; + ISigningUnit su = mCA.getSigningUnit(); + if (su == null || CMS.isPreOpMode()) { + return; + } + + X509CertImpl cert = su.getCertImpl(); + + if (cert == null) + return; + X500Name issuerName = (X500Name) cert.getSubjectDN(); + + if (issuerName == null) + return; + mIssuerNameStr = issuerName.toString(); + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + PolicyResult result = PolicyResult.ACCEPTED; + + try { + + // Get the certificate templates + X509CertInfo[] certInfos = req.getExtDataInCertInfoArray( + IRequest.CERT_INFO); + + if (certInfos == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_CERT_INFO", getInstanceName())); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME + ":" + getInstanceName()), ""); + return PolicyResult.REJECTED; + } + + // retrieve the subject name and check its unqiueness + for (int i = 0; i < certInfos.length; i++) { + CertificateSubjectName subName = (CertificateSubjectName) certInfos[i].get(X509CertInfo.SUBJECT); + + // if there is no name set, set one here. + if (subName == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_SUBJECT_NAME_1", getInstanceName())); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_SUBJECT_NAME", NAME + ":" + getInstanceName()), ""); + return PolicyResult.REJECTED; + } + String certSubjectName = subName.toString(); + + if (certSubjectName.equalsIgnoreCase(mIssuerNameStr)) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_SUBJECT_NAME_EXIST_1", mIssuerNameStr)); + setError(req, + CMS.getUserMessage("CMS_POLICY_SUBJECT_NAME_EXIST", NAME + ":" + "Same As Issuer Name " + + mIssuerNameStr), ""); + result = PolicyResult.REJECTED; + } + } + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_SUBJECT_NAME_1", getInstanceName())); + String params[] = { getInstanceName(), e.toString() }; + + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + params), ""); + result = PolicyResult.REJECTED; + } + return result; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. 
+ */ + public Vector getInstanceParams() { + Vector v = new Vector(); + + return v; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + Vector v = new Vector(); + + return v; + } +} diff --git a/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectName.java b/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectName.java new file mode 100644 index 000000000..9afbf7650 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectName.java @@ -0,0 +1,33 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.constraints; + +/** + * This class is used to help migrate CMS4.1 to CMS4.2. + *
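Review bot: The check in apply() is `certSubjectName.equalsIgnoreCase(mIssuerNameStr)` on two DN toString() forms, so a subject that is the same distinguished name but serialized differently (whitespace, attribute type names versus OIDs, escaping) is not caught; comparing the parsed names, e.g. keeping the issuer `X500Name` obtained in init() and testing `issuerName.equals(subjectName)` against the name held by the CertificateSubjectName, is the reliable test. The rule also degrades silently: when init() returns early (no signing unit, pre-op mode, or a null cert) mIssuerNameStr stays null, equalsIgnoreCase(null) is false, and every request is accepted without a log line, so apply() should treat that state explicitly, e.g. `if (mIssuerNameStr == null) { log(ILogger.LL_FAILURE, ...); return PolicyResult.REJECTED; }`. The catch block logs POLICY_NO_SUBJECT_NAME_1 for any exception, which misreports the cause; including e.toString() in that log call would make triage possible.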

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class UniqueSubjectName extends UniqueSubjectNameConstraints { +} diff --git a/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectNameConstraints.java b/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectNameConstraints.java new file mode 100644 index 000000000..8c106800a --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectNameConstraints.java 
@@ -0,0 +1,313 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.constraints; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.KeyUsageExtension; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authority.ICertAuthority; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.dbs.certdb.ICertRecord; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.policy.IPolicyProcessor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Checks the uniqueness of the subject name. 
This policy + * can only be used (installed) in Certificate Authority + * subsystem. + * + * This policy can perform pre-agent-approval checking or + * post-agent-approval checking based on configuration + * setting. + * + * In some situations, user may want to have 2 certificates with + * the same subject name. For example, one key for encryption, + * and one for signing. This policy does not deal with this case + * directly. But it can be easily extended to do that. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class UniqueSubjectNameConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + protected static final String PROP_PRE_AGENT_APPROVAL_CHECKING = + "enablePreAgentApprovalChecking"; + protected static final String PROP_KEY_USAGE_EXTENSION_CHECKING = + "enableKeyUsageExtensionChecking"; + + public ICertificateAuthority mCA = null; + + public boolean mPreAgentApprovalChecking = false; + public boolean mKeyUsageExtensionChecking = true; + + public UniqueSubjectNameConstraints() { + NAME = "UniqueSubjectName"; + DESC = "Ensure the uniqueness of the subject name."; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_PRE_AGENT_APPROVAL_CHECKING + + ";boolean;If checked, check subject name uniqueness BEFORE agent approves, (else checks AFTER approval)", + PROP_KEY_USAGE_EXTENSION_CHECKING + + ";boolean;If checked, allow non-unique subject names if Key Usage Extension differs", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-uniquesubjectname", + IExtendedPluginInfo.HELP_TEXT + + ";Rejects a request if there exists an unrevoked, unexpired " + + "certificate with the same subject name" + }; + + return params; + + } + + /** + * Initializes this policy rule. + *

+ * + * The entries probably are of the form: + * + * ca.Policy.rule..implName=UniqueSubjectName ca.Policy.rule..enable=true + * ca.Policy.rule..enable=true ca.Policy.rule..enablePreAgentApprovalChecking=true + * ca.Policy.rule..enableKeyUsageExtensionChecking=true + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + // get CA's public key to create authority key id. + ICertAuthority certAuthority = (ICertAuthority) + ((IPolicyProcessor) owner).getAuthority(); + + if (certAuthority == null) { + // should never get here. + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Cannot find the Certificate Manager or Registration Manager")); + } + if (!(certAuthority instanceof ICertificateAuthority)) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Cannot find the Certificate Manager")); + } + + mCA = (ICertificateAuthority) certAuthority; + try { + mPreAgentApprovalChecking = + config.getBoolean(PROP_PRE_AGENT_APPROVAL_CHECKING, false); + } catch (EBaseException e) { + } + try { + mKeyUsageExtensionChecking = + config.getBoolean(PROP_KEY_USAGE_EXTENSION_CHECKING, true); + } catch (EBaseException e) { + } + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + if (!mPreAgentApprovalChecking) { + // post agent approval checking + if (!agentApproved(req)) + return PolicyResult.ACCEPTED; + } + PolicyResult result = PolicyResult.ACCEPTED; + + try { + + // Get the certificate templates + X509CertInfo[] certInfos = req.getExtDataInCertInfoArray( + IRequest.CERT_INFO); + + if (certInfos == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + getInstanceName()), ""); + return PolicyResult.REJECTED; + } + + // retrieve the subject name and check its unqiueness + for (int i = 0; i < certInfos.length; i++) { + CertificateSubjectName subName = (CertificateSubjectName) + certInfos[i].get(X509CertInfo.SUBJECT); + + // if there is no name set, set one here. + if (subName == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_SUBJECT_NAME", + getInstanceName()), ""); + return PolicyResult.REJECTED; + } + String certSubjectName = subName.toString(); + String filter = "x509Cert.subject=" + certSubjectName; + // subject name is indexed, so we only use subject name + // in the filter + Enumeration matched = + mCA.getCertificateRepository().findCertRecords(filter); + + while (matched.hasMoreElements()) { + ICertRecord rec = matched.nextElement(); + String status = rec.getStatus(); + + if (status.equals(ICertRecord.STATUS_REVOKED) + || status.equals(ICertRecord.STATUS_EXPIRED) + || status.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { + // accept this only if we have a REVOKED, + // EXPIRED or REVOKED_EXPIRED certificate + continue; + + } + // you already have an VALID or INVALID (not yet valid) certificate + if (mKeyUsageExtensionChecking && agentApproved(req)) { + // This request is agent approved which + // means all requested extensions are finalized + // to the request, + // We will accept duplicated subject name with + // different keyUsage extension if + // 
keyUsageExtension is different. + if (!sameKeyUsageExtension(rec, certInfos[i])) { + continue; + } + } + + setError(req, CMS.getUserMessage("CMS_POLICY_SUBJECT_NAME_EXIST", + getInstanceName() + " " + certSubjectName), ""); + return PolicyResult.REJECTED; + } + } + } catch (Exception e) { + String params[] = { getInstanceName(), e.toString() }; + + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + params), ""); + result = PolicyResult.REJECTED; + } + return result; + } + + /** + * Checks if the key extension in the issued certificate + * is the same as the one in the certificate template. + */ + private boolean sameKeyUsageExtension(ICertRecord rec, + X509CertInfo certInfo) { + X509CertImpl impl = rec.getCertificate(); + boolean bits[] = impl.getKeyUsage(); + + CertificateExtensions extensions = null; + + try { + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + } catch (IOException e) { + } catch (java.security.cert.CertificateException e) { + } + KeyUsageExtension ext = null; + + if (extensions == null) { + if (bits != null) + return false; + } else { + try { + ext = (KeyUsageExtension) extensions.get( + KeyUsageExtension.NAME); + } catch (IOException e) { + // extension isn't there. + } + + if (ext == null) { + if (bits != null) + return false; + } else { + boolean[] InfoBits = ext.getBits(); + + if (InfoBits == null) { + if (bits != null) + return false; + } else { + if (bits == null) + return false; + if (InfoBits.length != bits.length) { + return false; + } + for (int i = 0; i < InfoBits.length; i++) { + if (InfoBits[i] != bits[i]) + return false; + } + } + } + } + return true; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. 
+ */ + public Vector getInstanceParams() { + Vector confParams = new Vector(); + + confParams.addElement(PROP_PRE_AGENT_APPROVAL_CHECKING + + "=" + mPreAgentApprovalChecking); + confParams.addElement(PROP_KEY_USAGE_EXTENSION_CHECKING + + "=" + mKeyUsageExtensionChecking); + return confParams; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + Vector defParams = new Vector(); + + defParams.addElement(PROP_PRE_AGENT_APPROVAL_CHECKING + "="); + defParams.addElement(PROP_KEY_USAGE_EXTENSION_CHECKING + "="); + return defParams; + } +} diff --git a/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java b/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java new file mode 100644 index 000000000..0409f3c33 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java 
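Review bot: In apply() the repository query is assembled by concatenation, `String filter = "x509Cert.subject=" + certSubjectName;`, with the subject taken directly from the request template, so any filter metacharacter in the requested subject (`*`, `(`, `)`, `\`) changes the query instead of being matched literally, and the uniqueness check can then match unrelated records (spurious rejections) or nothing at all (the duplicate goes undetected). The value should be escaped per RFC 4515 before it is appended (`*`→`\2a`, `(`→`\28`, `)`→`\29`, `\`→`\5c`, NUL→`\00`), or handed to the repository as a separate value if findCertRecords offers such an overload. Separately, both `catch (EBaseException e) { }` blocks in init() discard the error and keep the defaults, so a mistyped boolean silently leaves pre-agent checking off; logging there at LL_FAILURE (ILogger is already imported and log() is used in the same method) would surface the misconfiguration.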
@@ -0,0 +1,317 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.constraints; + +import java.util.Date; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateValidity; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.policy.EPolicyException; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * ValidityConstraints is a default rule for Enrollment and + * Renewal that enforces minimum and maximum validity periods + * and changes them if not met. + * + * Optionally the lead and lag times - i.e how far back into the + * front or back the notBefore date could go in minutes can also + * be specified. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class ValidityConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + protected long mMinValidity; + protected long mMaxValidity; + protected long mLeadTime; + protected long mLagTime; + protected long mNotBeforeSkew; + + private final static String PROP_MIN_VALIDITY = "minValidity"; + private final static String PROP_MAX_VALIDITY = "maxValidity"; + private final static String PROP_LEAD_TIME = "leadTime"; + private final static String PROP_LAG_TIME = "lagTime"; + private final static String PROP_NOT_BEFORE_SKEW = "notBeforeSkew"; + public final static int DEF_MIN_VALIDITY = 180; + public final static int DEF_MAX_VALIDITY = 730; + public final static int DEF_LEAD_TIME = 10; + public final static int DEF_LAG_TIME = 10; + public final static int DEF_NOT_BEFORE_SKEW = 5; + public final static long DAYS_TO_MS_FACTOR = 24L * 3600 * 1000; + public final static long MINS_TO_MS_FACTOR = 60L * 1000; + + private final static Vector defConfParams = new Vector(); + + static { + defConfParams.addElement(PROP_MIN_VALIDITY + "=" + + DEF_MIN_VALIDITY); + defConfParams.addElement(PROP_MAX_VALIDITY + "=" + + DEF_MAX_VALIDITY); + defConfParams.addElement(PROP_LEAD_TIME + "=" + + DEF_LEAD_TIME); + defConfParams.addElement(PROP_LAG_TIME + "=" + + DEF_LAG_TIME); + defConfParams.addElement(PROP_NOT_BEFORE_SKEW + "=" + + DEF_NOT_BEFORE_SKEW); + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_MIN_VALIDITY + ";number;Minimum Validity time, in days", + PROP_MAX_VALIDITY + ";number;Maximum Validity time, in days", + PROP_LEAD_TIME + ";number;Number of minutes in the future a request's notBefore can be", + PROP_LAG_TIME + ";number;NOT CURRENTLY IN USE", + PROP_NOT_BEFORE_SKEW + ";number;Number of minutes a cert's notBefore should be in the past", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-validityconstraints", + 
IExtendedPluginInfo.HELP_TEXT + + ";Ensures that the user's requested validity period is " + + "acceptable. If not specified, as is usually the case, " + + "this policy will set the validity. See RFC 2459." + }; + + return params; + + } + + public ValidityConstraints() { + NAME = "ValidityConstraints"; + DESC = "Enforces minimum and maximum validity constraints."; + } + + /** + * Initializes this policy rule. + *

+ * + * The entries probably are of the form: + * + * ra.Policy.rule..implName=ValidityConstraints ra.Policy.rule..enable=true + * ra.Policy.rule..minValidity=30 ra.Policy.rule..maxValidity=180 + * ra.Policy.rule..predicate=ou==Sales + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EPolicyException { + + // Get min and max validity in days and configure them. + try { + String val = config.getString(PROP_MIN_VALIDITY, null); + + if (val == null) + mMinValidity = DEF_MIN_VALIDITY * DAYS_TO_MS_FACTOR; + else + mMinValidity = Long.parseLong(val) * DAYS_TO_MS_FACTOR; + + val = config.getString(PROP_MAX_VALIDITY, null); + if (val == null) + mMaxValidity = DEF_MAX_VALIDITY * DAYS_TO_MS_FACTOR; + else + mMaxValidity = Long.parseLong(val) * DAYS_TO_MS_FACTOR; + + val = config.getString(PROP_LEAD_TIME, null); + if (val != null) + mLeadTime = Long.parseLong(val) * MINS_TO_MS_FACTOR; + else + mLeadTime = DEF_LEAD_TIME * MINS_TO_MS_FACTOR; + + val = config.getString(PROP_LAG_TIME, null); + if (val != null) + mLagTime = Long.parseLong(val) * MINS_TO_MS_FACTOR; + else + mLagTime = DEF_LAG_TIME * MINS_TO_MS_FACTOR; + + val = config.getString(PROP_NOT_BEFORE_SKEW, null); + if (val != null) + mNotBeforeSkew = Long.parseLong(val) * MINS_TO_MS_FACTOR; + else + mNotBeforeSkew = DEF_NOT_BEFORE_SKEW * MINS_TO_MS_FACTOR; + } catch (Exception e) { + // e.printStackTrace(); + String[] params = { getInstanceName(), e.toString() }; + + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params)); + } + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + + PolicyResult result = PolicyResult.ACCEPTED; + + try { + // Get the certificate info from the request + //X509CertInfo certInfo[] = (X509CertInfo[]) + // req.get(IRequest.CERT_INFO); + X509CertInfo certInfo[] = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + // There should be a certificate info set. + if (certInfo == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + getInstanceName()), ""); + return PolicyResult.REJECTED; + } + + // Else check if validity is within the limit + for (int i = 0; i < certInfo.length; i++) { + CertificateValidity validity = (CertificateValidity) + certInfo[i].get(X509CertInfo.VALIDITY); + + Date notBefore = null, notAfter = null; + + if (validity != null) { + notBefore = (Date) + validity.get(CertificateValidity.NOT_BEFORE); + notAfter = (Date) + validity.get(CertificateValidity.NOT_AFTER); + } + + // If no validity is supplied yet, make one. The default + // validity is supposed to pass the following checks, so + // bypass further checking. 
+ // (date = 0 is hack for serialization) + + if (validity == null || + (notBefore.getTime() == 0 && notAfter.getTime() == 0)) { + certInfo[i].set(X509CertInfo.VALIDITY, + makeDefaultValidity(req)); + continue; + } + + Date now = CMS.getCurrentDate(); + + if (notBefore.getTime() > (now.getTime() + mLeadTime)) { + setError(req, CMS.getUserMessage("CMS_POLICY_INVALID_BEGIN_TIME", + getInstanceName()), ""); + result = PolicyResult.REJECTED; + } + if ((notAfter.getTime() - notBefore.getTime()) > mMaxValidity) { + String params[] = { getInstanceName(), + String.valueOf( + ((notAfter.getTime() - notBefore.getTime()) / DAYS_TO_MS_FACTOR)), + String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) }; + + setError(req, CMS.getUserMessage("CMS_POLICY_MORE_THAN_MAX_VALIDITY", params), ""); + result = PolicyResult.REJECTED; + } + if ((notAfter.getTime() - notBefore.getTime()) < mMinValidity) { + String params[] = { getInstanceName(), + String.valueOf( + ((notAfter.getTime() - notBefore.getTime()) / DAYS_TO_MS_FACTOR)), + String.valueOf(mMinValidity / DAYS_TO_MS_FACTOR) }; + + setError(req, CMS.getUserMessage("CMS_POLICY_LESS_THAN_MIN_VALIDITY", params), ""); + result = PolicyResult.REJECTED; + } + } + } catch (Exception e) { + // e.printStackTrace(); + String params[] = { getInstanceName(), e.toString() }; + + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + params), ""); + result = PolicyResult.REJECTED; + } + return result; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. 
+ */ + public Vector getInstanceParams() { + Vector confParams = new Vector(); + + confParams.addElement(PROP_MIN_VALIDITY + "=" + + mMinValidity / DAYS_TO_MS_FACTOR); + confParams.addElement(PROP_MAX_VALIDITY + "=" + + mMaxValidity / DAYS_TO_MS_FACTOR); + confParams.addElement(PROP_LEAD_TIME + "=" + + mLeadTime / MINS_TO_MS_FACTOR); + confParams.addElement(PROP_LAG_TIME + "=" + + mLagTime / MINS_TO_MS_FACTOR); + confParams.addElement(PROP_NOT_BEFORE_SKEW + "=" + + mNotBeforeSkew / MINS_TO_MS_FACTOR); + return confParams; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return defConfParams; + } + + /** + * Create a default validity value for a request + * + * This code can be easily overridden in a derived class, if the + * calculations here aren't accepatble. + * + * TODO: it might be good to base this calculation on the creation + * time of the request. + */ + protected CertificateValidity makeDefaultValidity(IRequest req) { + long now = roundTimeToSecond((CMS.getCurrentDate()).getTime()); + + // We will set the max duration as the default validity. + long notBeforeTime = now - mNotBeforeSkew; + Date notBefore = new Date(notBeforeTime); + Date notAfter = new Date(notBeforeTime + mMaxValidity); + + return new CertificateValidity(notBefore, notAfter); + } + + /** + * convert a millisecond resolution time into one with 1 second + * resolution. Most times in certificates are storage at 1 + * second resolution, so its better if we deal with things at + * that level. + */ + protected long roundTimeToSecond(long input) { + return (input / 1000) * 1000; + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java b/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java new file mode 100644 index 000000000..fea126567 --- /dev/null 
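Review bot: mLagTime is parsed in init() and reported by getInstanceParams(), but apply() never reads it, so notBefore is bounded only from above (`notBefore.getTime() > (now.getTime() + mLeadTime)`) and a request may backdate the certificate arbitrarily; the min/max checks constrain only the length of the validity span, not where it sits. If the lag bound is intended, the symmetric check `if (notBefore.getTime() < (now.getTime() - mLagTime)) { setError(req, CMS.getUserMessage("CMS_POLICY_INVALID_BEGIN_TIME", getInstanceName()), ""); result = PolicyResult.REJECTED; }` next to the lead-time check closes it; otherwise the plugin-info text should state that the parameter is ignored rather than "NOT CURRENTLY IN USE". getDefaultParams() also returns the shared static `defConfParams` itself, so a caller that mutates the result changes the class-wide defaults; `return new Vector<String>(defConfParams);` avoids that.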
+++ b/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java 
@@ -0,0 +1,394 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.io.Serializable; +import java.security.cert.CertificateException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.extensions.AuthInfoAccessExtension; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.GeneralName; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.policy.IGeneralNameUtil; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Authority Information Access extension policy. 
+ * If this policy is enabled, it adds an authority + * information access extension to the certificate. + * + * The following listed sample configuration parameters: + * + * ca.Policy.impl.AuthInfoAccess.class=com.netscape.certsrv.policy.AuthInfoAccessExt + * ca.Policy.rule.aia.ad0_location=uriName:http://ocsp1.netscape.com + * ca.Policy.rule.aia.ad0_method=ocsp + * ca.Policy.rule.aia.ad1_location_type=URI + * ca.Policy.rule.aia.ad1_location=http://ocsp2.netscape.com + * ca.Policy.rule.aia.ad1_method=ocsp + * ca.Policy.rule.aia.ad2_location= + * ca.Policy.rule.aia.ad2_method= + * ca.Policy.rule.aia.ad3_location= + * ca.Policy.rule.aia.ad3_method= + * ca.Policy.rule.aia.ad4_location= + * ca.Policy.rule.aia.ad4_method= + * ca.Policy.rule.aia.critical=true + * ca.Policy.rule.aia.enable=true + * ca.Policy.rule.aia.implName=AuthInfoAccess + * ca.Policy.rule.aia.predicate= + * + * Currently, this policy only supports the following location: + * uriName:[URI], dirName:[DN] + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class AuthInfoAccessExt extends APolicyRule implements + IEnrollmentPolicy, IExtendedPluginInfo { + protected static final String PROP_CRITICAL = + "critical"; + protected static final String PROP_AD = + "ad"; + protected static final String PROP_METHOD = + "method"; + protected static final String PROP_LOCATION = + "location"; + protected static final String PROP_LOCATION_TYPE = + "location_type"; + + protected static final String PROP_NUM_ADS = + "numADs"; + + public static final int MAX_AD = 5; + + public IConfigStore mConfig = null; + + public AuthInfoAccessExt() { + NAME = "AuthInfoAccessExt"; + DESC = "Sets authority information access extension for certificates"; + } + + public String[] getExtendedPluginInfo(Locale locale) { + Vector v = new Vector(); + + v.addElement(PROP_CRITICAL + + ";boolean;RFC 2459 recommendation: This extension MUST be non-critical."); + v.addElement(PROP_NUM_ADS + + ";number;The total number of access descriptions."); + v.addElement(IExtendedPluginInfo.HELP_TEXT + + ";Adds Authority Info Access Extension. Defined in RFC 2459 " + "(4.2.2.1)"); + v.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-authinfoaccess"); + + for (int i = 0; i < MAX_AD; i++) { + v.addElement(PROP_AD + + Integer.toString(i) + + "_" + + PROP_METHOD + + ";string;" + + "A unique,valid OID specified in dot-separated numeric component notation. e.g. 1.3.6.1.5.5.7.48.1 (ocsp), 1.3.6.1.5.5.7.48.2 (caIssuers), 2.16.840.1.113730.1.16.1 (renewal)"); + v.addElement(PROP_AD + + Integer.toString(i) + "_" + PROP_LOCATION_TYPE + ";" + IGeneralNameUtil.GENNAME_CHOICE_INFO); + v.addElement(PROP_AD + + Integer.toString(i) + "_" + PROP_LOCATION + ";" + IGeneralNameUtil.GENNAME_VALUE_INFO); + } + return com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); + } + + /** + * Initializes this policy rule. + *

+ * + * The entries may be of the form: + * + * ca.Policy.rule..implName=AuthInfoAccessExt ca.Policy.rule..enable=true + * ca.Policy.rule..predicate= + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + } + + /** + * Returns a sequence of access descriptions. + */ + private Enumeration> getAccessDescriptions() throws EBaseException { + Vector> ads = new Vector>(); + + // + // read until there is *NO* ad_method + // + for (int i = 0;; i++) { + ObjectIdentifier methodOID = null; + String method = mConfig.getString(PROP_AD + + Integer.toString(i) + "_" + PROP_METHOD, null); + + if (method == null) + break; + method = method.trim(); + if (method.equals("")) + break; + + // + // method ::= ocsp | caIssuers | + // OID ::= [object identifier] + // + try { + if (method.equalsIgnoreCase("ocsp")) { + methodOID = ObjectIdentifier.getObjectIdentifier("1.3.6.1.5.5.7.48.1"); + } else if (method.equalsIgnoreCase("caIssuers")) { + methodOID = ObjectIdentifier.getObjectIdentifier("1.3.6.1.5.5.7.48.2"); + } else if (method.equalsIgnoreCase("renewal")) { + methodOID = ObjectIdentifier.getObjectIdentifier("2.16.840.1.113730.1.16.1"); + } else { + // it could be an object identifier, test it + methodOID = ObjectIdentifier.getObjectIdentifier(method); + } + } catch (IOException e) { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NAME_CAN_NOT_BE_RESOLVED", method)); + } + + // + // location ::= : + // TAG ::= uriName | dirName + // VALUE ::= [value defined by TAG] + // + String location_type = mConfig.getString(PROP_AD + + Integer.toString(i) + + "_" + PROP_LOCATION_TYPE, null); + String location = mConfig.getString(PROP_AD + + Integer.toString(i) + + "_" + PROP_LOCATION, null); + + if (location == null) + break; + GeneralName gn = CMS.form_GeneralName(location_type, location); + Vector e = new Vector(); + + e.addElement(methodOID); + e.addElement(gn); + 
ads.addElement(e); + } + return ads.elements(); + } + + /** + * If this policy is enabled, add the authority information + * access extension to the certificate. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + PolicyResult res = PolicyResult.ACCEPTED; + + X509CertInfo certInfo; + X509CertInfo[] ci = req.getExtDataInCertInfoArray( + IRequest.CERT_INFO); + + if (ci == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); + return PolicyResult.REJECTED; // unrecoverable error. + } + + for (int j = 0; j < ci.length; j++) { + + certInfo = ci[j]; + if (certInfo == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, "")); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + NAME, "Configuration Info Error"), ""); + return PolicyResult.REJECTED; // unrecoverable error. + } + + try { + // Find the extensions in the certInfo + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + + // add access descriptions + Enumeration> e = getAccessDescriptions(); + + if (!e.hasMoreElements()) { + return res; + } + + if (extensions == null) { + // create extension if not exist + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } else { + // check to see if AIA is already exist + try { + extensions.delete(AuthInfoAccessExtension.NAME); + log(ILogger.LL_WARN, + "Previous extension deleted: " + AuthInfoAccessExtension.NAME); + } catch (IOException ex) { + } + } + + // Create the extension + AuthInfoAccessExtension aiaExt = new + AuthInfoAccessExtension(mConfig.getBoolean( + PROP_CRITICAL, false)); + + while (e.hasMoreElements()) { + Vector ad = e.nextElement(); + ObjectIdentifier oid = (ObjectIdentifier) ad.elementAt(0); + GeneralName gn = (GeneralName) ad.elementAt(1); + + aiaExt.addAccessDescription(oid, gn); + } + extensions.set(AuthInfoAccessExtension.NAME, aiaExt); + + } catch 
(IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + NAME, e.getMessage()), ""); + return PolicyResult.REJECTED; // unrecoverable error. + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + NAME, "Configuration Info Error"), ""); + return PolicyResult.REJECTED; // unrecoverable error. + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + NAME, "Certificate Info Error"), ""); + return PolicyResult.REJECTED; // unrecoverable error. + } + } + + return res; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. 
+ */ + public Vector getInstanceParams() { + Vector params = new Vector(); + + try { + params.addElement(PROP_CRITICAL + "=" + + mConfig.getBoolean(PROP_CRITICAL, false)); + } catch (EBaseException e) { + params.addElement(PROP_CRITICAL + "=false"); + } + + int numADs = MAX_AD; + + try { + numADs = mConfig.getInteger(PROP_NUM_ADS, MAX_AD); + params.addElement(PROP_NUM_ADS + "=" + numADs); + } catch (EBaseException e) { + params.addElement(PROP_NUM_ADS + "=" + MAX_AD); + } + + for (int i = 0; i < numADs; i++) { + String method = null; + + try { + method = mConfig.getString(PROP_AD + + Integer.toString(i) + "_" + PROP_METHOD, + ""); + } catch (EBaseException e) { + } + params.addElement(PROP_AD + + Integer.toString(i) + + "_" + PROP_METHOD + "=" + method); + String location_type = null; + + try { + location_type = mConfig.getString(PROP_AD + + Integer.toString(i) + "_" + PROP_LOCATION_TYPE, + IGeneralNameUtil.GENNAME_CHOICE_URL); + } catch (EBaseException e) { + } + params.addElement(PROP_AD + + Integer.toString(i) + + "_" + PROP_LOCATION_TYPE + "=" + location_type); + String location = null; + + try { + location = mConfig.getString(PROP_AD + + Integer.toString(i) + "_" + PROP_LOCATION, + ""); + } catch (EBaseException e) { + } + params.addElement(PROP_AD + + Integer.toString(i) + + "_" + PROP_LOCATION + "=" + location); + } + return params; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + Vector defParams = new Vector(); + + defParams.addElement(PROP_CRITICAL + "=false"); + defParams.addElement(PROP_NUM_ADS + "=" + MAX_AD); + + // + // By default, we create MAX_AD access descriptions. 
+ // If this is not enough, admin can manually edit + // the CMS.cfg + // + for (int i = 0; i < MAX_AD; i++) { + defParams.addElement(PROP_AD + Integer.toString(i) + + "_" + PROP_METHOD + "="); + defParams.addElement(PROP_AD + Integer.toString(i) + + "_" + PROP_LOCATION_TYPE + "=" + IGeneralNameUtil.GENNAME_CHOICE_URL); + defParams.addElement(PROP_AD + Integer.toString(i) + + "_" + PROP_LOCATION + "="); + } + return defParams; + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java b/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java new file mode 100644 index 000000000..971379a46 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java 
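Review bot: In apply(), the early `if (!e.hasMoreElements()) { return res; }` runs before the block that deletes a pre-existing AuthInfoAccessExtension, so when the rule is enabled but no adN_method entries are configured a request-supplied AIA extension is issued unchanged, pointing relying parties at whatever OCSP/caIssuers URLs the requester put in the request. Moving the `extensions.delete(AuthInfoAccessExtension.NAME)` step ahead of that early return (or rejecting requests that carry their own AIA) would make the configured policy authoritative in both cases. Separately, the sample configuration in the class Javadoc shows `ca.Policy.rule.aia.critical=true` while the getExtendedPluginInfo text correctly notes the extension MUST be non-critical (RFC 5280 §4.2.2.1); the sample should read `ca.Policy.rule.aia.critical=false`, and the `mConfig.getBoolean(PROP_CRITICAL, false)` read in apply() could log a warning when it returns true, since a critical AIA violates the RFC and is rejected by any validator that does not process the extension. The empty `catch (IOException ex) { }` around the delete should at least log at debug level so a failed removal is not silently ignored.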
@@ -0,0 +1,425 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.AuthorityKeyIdentifierExtension; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.KeyIdentifier; +import netscape.security.x509.SubjectKeyIdentifierExtension; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authority.ICertAuthority; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.policy.IPolicyProcessor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import 
com.netscape.cms.policy.APolicyRule; + +/** + * Authority Public Key Extension Policy + * Adds the subject public key id extension to certificates. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class AuthorityKeyIdentifierExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + protected static final String PROP_CRITICAL = "critical"; + protected static final String PROP_ALT_KEYID_TYPE = "AltKeyIdType"; + + protected static final String ALT_KEYID_TYPE_SPKISHA1 = "SpkiSHA1"; + protected static final String ALT_KEYID_TYPE_NONE = "None"; + protected static final String ALT_KEYID_TYPE_EMPTY = "Empty"; + + protected static final boolean DEF_CRITICAL = false; + protected static final String DEF_ALT_KEYID_TYPE = ALT_KEYID_TYPE_SPKISHA1; + + protected boolean mEnabled = false; + protected IConfigStore mConfig = null; + + // config params. + protected boolean mCritical = DEF_CRITICAL; + protected String mAltKeyIdType = DEF_ALT_KEYID_TYPE; + + // the extension to add to certs. + protected AuthorityKeyIdentifierExtension mTheExtension = null; + + // instance params for console + protected Vector mInstanceParams = new Vector(); + + // default params for console. + protected static Vector mDefaultParams = new Vector(); + static { + // form static default params. + mDefaultParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); + mDefaultParams.addElement(PROP_ALT_KEYID_TYPE + "=" + DEF_ALT_KEYID_TYPE); + } + + public AuthorityKeyIdentifierExt() { + NAME = "AuthorityKeyIdentifierExt"; + DESC = "Adds Authority Key Idenifier Extension to certs"; + } + + /** + * Initializes this policy rule. + * Reads configuration file and creates a authority key identifier + * extension to add. Key identifier inside the extension is constructed as + * the CA's subject key identifier extension if it exists. + * If it does not exist this can be configured to use: + * (1) sha-1 hash of the CA's subject public key info + * (what communicator expects if the CA does not have a subject key + * identifier extension) or (2) No extension set (3) Empty sequence + * in Authority Key Identifier extension. + * + *

+ * + * The entries may be of the form: + * + * ca.Policy.rule..predicate= ca.Policy.rule..implName= ca.Policy.rule..enable=true + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); + mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); + + mAltKeyIdType = mConfig.getString( + PROP_ALT_KEYID_TYPE, DEF_ALT_KEYID_TYPE); + + if (mAltKeyIdType.equalsIgnoreCase(ALT_KEYID_TYPE_SPKISHA1)) + mAltKeyIdType = ALT_KEYID_TYPE_SPKISHA1; + + /* + else if (mAltKeyIdType.equalsIgnoreCase(ALT_KEYID_TYPE_EMPTY)) + mAltKeyIdType = ALT_KEYID_TYPE_EMPTY; + */ + else if (mAltKeyIdType.equalsIgnoreCase(ALT_KEYID_TYPE_NONE)) + mAltKeyIdType = ALT_KEYID_TYPE_NONE; + else { + log(ILogger.LL_FAILURE, NAME + + CMS.getLogMessage("CA_UNKNOWN_ALT_KEY_ID_TYPE", mAltKeyIdType)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", PROP_ALT_KEYID_TYPE, + "value must be one of " + ALT_KEYID_TYPE_SPKISHA1 + ", " + ALT_KEYID_TYPE_NONE)); + } + + // create authority key id extension. + ICertAuthority certAuthority = (ICertAuthority) + ((IPolicyProcessor) owner).getAuthority(); + + if (certAuthority == null) { + // should never get here. 
+ String msg = NAME + ": " + + "Cannot find the Certificate Manager or Registration Manager"; + + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg)); + } + if (!(certAuthority instanceof ICertificateAuthority)) { + log(ILogger.LL_FAILURE, NAME + + CMS.getLogMessage("POLICY_INVALID_POLICY", NAME)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + NAME + " policy can only be used in a Certificate Authority.")); + } + //CertificateChain caChain = certAuthority.getCACertChain(); + //X509Certificate caCert = caChain.getFirstCertificate(); + X509CertImpl caCert = certAuthority.getCACert(); + if (caCert == null || CMS.isPreOpMode()) { + return; + } + KeyIdentifier keyId = formKeyIdentifier(caCert); + + if (keyId != null) { + try { + mTheExtension = new AuthorityKeyIdentifierExtension( + mCritical, keyId, null, null); + } catch (IOException e) { + String msg = NAME + ": " + + "Error forming Authority Key Identifier extension: " + e; + + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_AUTHORITY_KEY_ID_1", NAME)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg)); + } + } else { + } + + // form instance params + mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); + mInstanceParams.addElement(PROP_ALT_KEYID_TYPE + "=" + mAltKeyIdType); + } + + /** + * Adds Authority Key Identifier Extension to a certificate. + * If the extension is already there, accept it if it's from the agent, + * else replace it. + * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + // get certInfo from request. 
+ X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); + return PolicyResult.REJECTED; + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certResult = applyCert(req, ci[i]); + + if (certResult == PolicyResult.REJECTED) + return certResult; + } + return PolicyResult.ACCEPTED; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + + try { + // if authority key id extension already exists, leave it if + // from agent. else replace it. + AuthorityKeyIdentifierExtension authorityKeyIdExt = null; + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + + try { + if (extensions != null) { + authorityKeyIdExt = (AuthorityKeyIdentifierExtension) + extensions.get(AuthorityKeyIdentifierExtension.NAME); + } + } catch (IOException e) { + // extension isn't there. + } + if (authorityKeyIdExt != null) { + if (agentApproved(req)) { + CMS.debug( + "AuthorityKeyIdentifierKeyExt: agent approved request id " + req.getRequestId() + + " already has authority key id extension with value " + + authorityKeyIdExt); + return PolicyResult.ACCEPTED; + } else { + CMS.debug( + "AuthorityKeyIdentifierKeyExt: request id from user " + req.getRequestId() + + " had authority key identifier - deleted"); + extensions.delete(AuthorityKeyIdentifierExtension.NAME); + } + } + + // if no authority key identifier should be set b/c CA does not + // have a subject key identifier, return here. + if (mTheExtension == null) + return PolicyResult.ACCEPTED; + + // add authority key id extension. 
+ if (extensions == null) { + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } + extensions.set( + AuthorityKeyIdentifierExtension.NAME, mTheExtension); + CMS.debug( + "AuthorityKeyIdentifierKeyExt: added authority key id ext to request " + req.getRequestId()); + return PolicyResult.ACCEPTED; + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + NAME, e.getMessage()), ""); + return PolicyResult.REJECTED; + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_INVALID_CERT", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + NAME, "Certificate Info Error"), ""); + return PolicyResult.REJECTED; + } + } + + /** + * Form the Key Identifier in the Authority Key Identifier extension. + * from the CA's cert. + *

+ * + * @param caCertImpl Certificate Info + * @return A Key Identifier. + * @throws com.netscape.certsrv.base.EBaseException on error + */ + protected KeyIdentifier formKeyIdentifier(X509CertImpl caCertImpl) + throws EBaseException { + KeyIdentifier keyId = null; + + // get CA's certInfo. + X509CertInfo certInfo = null; + + try { + certInfo = (X509CertInfo) caCertImpl.get( + X509CertImpl.NAME + "." + X509CertImpl.INFO); + if (certInfo == null) { + String msg = "Bad CA certificate encountered. " + + "TBS Certificate missing."; + + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_CERT_FORMAT")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", NAME + ": " + msg)); + } + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, NAME + ": " + + CMS.getLogMessage("BASE_DECODE_CERT_FAILED_1", e.toString())); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + NAME + " Error decoding the CA Certificate: " + e)); + } + + // get Key Id from CA's Subject Key Id extension in CA's CertInfo. + keyId = getKeyIdentifier(certInfo); + if (keyId != null) + return keyId; + + // if none exists use the configured alternate. + if (mAltKeyIdType == ALT_KEYID_TYPE_SPKISHA1) { + keyId = formSpkiSHA1KeyId(certInfo); + } /* + else if (mAltKeyIdType == ALT_KEYID_TYPE_EMPTY) { + keyId = formEmptyKeyId(certInfo); + } + */else if (mAltKeyIdType == ALT_KEYID_TYPE_NONE) { + keyId = null; + } else { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + mAltKeyIdType, + "Unknown Alternate Key Identifier type.")); + } + return keyId; + } + + /** + * Get the Key Identifier in a subject key identifier extension from a + * CertInfo. + * + * @param certInfo the CertInfo structure. + * @return Key Identifier in a Subject Key Identifier extension if any. 
+ */ + protected KeyIdentifier getKeyIdentifier(X509CertInfo certInfo) + throws EBaseException { + CertificateExtensions exts = null; + SubjectKeyIdentifierExtension subjKeyIdExt = null; + KeyIdentifier keyId = null; + + try { + exts = (CertificateExtensions) certInfo.get(X509CertInfo.EXTENSIONS); + } catch (IOException e) { + // extension isn't there. + CMS.debug(NAME + ": " + "No extensions found. Error " + e); + return null; + } catch (CertificateException e) { + // extension isn't there. + CMS.debug(NAME + ": " + "No extensions found. Error " + e); + return null; + } + if (exts == null) + return null; + + try { + subjKeyIdExt = (SubjectKeyIdentifierExtension) + exts.get(SubjectKeyIdentifierExtension.NAME); + } catch (IOException e) { + // extension isn't there. + CMS.debug( + "AuthorityKeyIdentifierKeyExt: No Subject Key Identifier Extension found. Error: " + e); + return null; + } + if (subjKeyIdExt == null) + return null; + + try { + keyId = (KeyIdentifier) subjKeyIdExt.get( + SubjectKeyIdentifierExtension.KEY_ID); + } catch (IOException e) { + // no key identifier in subject key id extension. + String msg = NAME + ": " + + "Bad Subject Key Identifier Extension found. Error: " + e; + + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_AUTHORITY_KEY_ID_1", NAME)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg)); + } + return keyId; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + return mInstanceParams; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. 
+ */ + public Vector getDefaultParams() { + return mDefaultParams; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_CRITICAL + ";boolean;" + + "RFC 2459 recommendation: MUST NOT be marked critical.", + PROP_ALT_KEYID_TYPE + ";" + + "choice(" + ALT_KEYID_TYPE_SPKISHA1 + "," + ALT_KEYID_TYPE_NONE + ");" + + "Specifies whether to use a SHA1 hash of the CA's subject " + + "public key info for key identifier or leave out the " + + "authority key identifier extension if the CA certificate " + + "does not have a Subject Key Identifier extension.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-authkeyid", + IExtendedPluginInfo.HELP_TEXT + + ";Adds Authority Key Identifier Extension. " + + "See RFC 2459 (4.2.1.1)" + }; + + return params; + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/BasicConstraintsExt.java b/base/common/src/com/netscape/cms/policy/extensions/BasicConstraintsExt.java new file mode 100644 index 000000000..f830b7e3d --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/BasicConstraintsExt.java 
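Review bot: In applyCert(), a request that already carries an AuthorityKeyIdentifierExtension keeps that client-supplied value whenever `agentApproved(req)` is true, even though the correct key identifier is fixed by the issuing CA's certificate and has already been computed into mTheExtension in init(); an agent-approved request can therefore be issued with an AKI that does not match the CA, which breaks chain building for relying parties. Unless there is a documented reason for agents to override it, the `if (agentApproved(req)) { ... return PolicyResult.ACCEPTED; }` branch should be dropped so the existing extension is always deleted and replaced. apply() also only null-checks `ci[0]`, but its loop passes every `ci[i]` to applyCert(), where a null element reaches `certInfo.get(X509CertInfo.EXTENSIONS)` and throws a NullPointerException that neither catch clause handles; add `if (certInfo == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); return PolicyResult.REJECTED; }` at the top of applyCert(), as AuthInfoAccessExt.apply() does per element. The `==` string comparisons on mAltKeyIdType in formKeyIdentifier() only work because init() canonicalises the value to the class constants; using `equals` would keep that correct if a subclass ever assigns the field directly.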
@@ -0,0 +1,508 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.BasicConstraintsExtension; +import netscape.security.x509.CertificateChain; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authority.ICertAuthority; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.EPropertyNotDefined; +import com.netscape.certsrv.base.EPropertyNotFound; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.EPolicyException; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.policy.IPolicyProcessor; +import com.netscape.certsrv.ra.IRegistrationAuthority; +import 
com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Basic Constraints policy. + * Adds the Basic constraints extension. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class BasicConstraintsExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + protected static final String PROP_MAXPATHLEN = "maxPathLen"; + protected static final String PROP_IS_CA = "isCA"; + protected static final String PROP_IS_CRITICAL = "critical"; + + protected static final String ARG_PATHLEN = "BasicConstraintsPathLen"; + + protected int mMaxPathLen = 0; // < 0 means unlimited + protected String mOrigMaxPathLen = ""; // for UI display only + protected boolean mCritical = true; + protected int mDefaultMaxPathLen = 0; // depends on the CA's path length. + protected int mCAPathLen = 0; + protected boolean mRemoveExt = true; + protected boolean mIsCA = true; + + public static final boolean DEFAULT_CRITICALITY = true; + + /** + * Adds the basic constraints extension as a critical extension in + * CA certificates i.e. certype is ca, with either a requested + * or configured path len. + * The requested or configured path length cannot be greater than + * or equal to the CA's basic constraints path length. + * If the CA path length is 0, all requests for CA certs are rejected. + */ + public BasicConstraintsExt() { + NAME = "BasicConstraintsExt"; + DESC = + "Sets critical basic constraints extension in subordinate CA certs"; + } + + /** + * Initializes this policy rule. + *

+ * The entries may be of the form: + * + * ca.Policy.rule..implName=BasicConstraintsExtImpl ca.Policy.rule..pathLen=, -1 for + * undefined. ca.Policy.rule..enable=true + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + + // get the CA's path len to check against configured max path len. + ICertAuthority certAuthority = (ICertAuthority) + ((IPolicyProcessor) owner).getAuthority(); + + if (certAuthority == null) { + // should never get here. + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Cannot find the Certificate Manager or Registration Manager")); + } + if (certAuthority instanceof IRegistrationAuthority) { + log(ILogger.LL_WARN, + "default basic constraints extension path len to -1."); + mCAPathLen = -1; + } else { + CertificateChain caChain = certAuthority.getCACertChain(); + if (caChain == null || CMS.isPreOpMode()) { + return; + } + X509Certificate caCert = caChain.getFirstCertificate(); + + mCAPathLen = caCert.getBasicConstraints(); + } + // set default to one less than the CA's pathlen or 0 if CA's + // pathlen is 0. + // If it's unlimited default the max pathlen also to unlimited. + if (mCAPathLen < 0) + mDefaultMaxPathLen = -1; + else if (mCAPathLen > 0) + mDefaultMaxPathLen = mCAPathLen - 1; + else // (mCAPathLen == 0) + { + log(ILogger.LL_WARN, + CMS.getLogMessage("POLICY_PATHLEN_ZERO")); + //return; + } + + // get configured max path len, use defaults if not configured. 
+ boolean pathLenConfigured = true; + + try { + mCritical = config.getBoolean(PROP_IS_CRITICAL, true); + mIsCA = config.getBoolean(PROP_IS_CA, true); + mMaxPathLen = config.getInteger(PROP_MAXPATHLEN); + if (mMaxPathLen < 0) { + log(ILogger.LL_MISCONF, + CMS.getLogMessage("POLICY_INVALID_MAXPATHLEN_4", "", + String.valueOf(mMaxPathLen))); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_MAXPATHLEN_1", + NAME, String.valueOf(mMaxPathLen))); + } + mOrigMaxPathLen = Integer.toString(mMaxPathLen); + } catch (EBaseException e) { + if (!(e instanceof EPropertyNotFound) && + !(e instanceof EPropertyNotDefined)) { + log(ILogger.LL_MISCONF, + CMS.getLogMessage("POLICY_INVALID_MAXPATHLEN")); + throw e; + } + + // Set the max path len to default if not configured. + pathLenConfigured = false; + mMaxPathLen = mDefaultMaxPathLen; + mOrigMaxPathLen = ""; + } + + // check if configured path len is valid. + if (pathLenConfigured) { + // if CA's pathlen is unlimited, any max pathlen is ok. + // else maxPathlen must be at most one less than the CA's + // pathlen or 0 if CA's pathlen is 0. + + if (mCAPathLen > 0 && + (mMaxPathLen >= mCAPathLen || mMaxPathLen < 0)) { + String maxStr = (mMaxPathLen < 0) ? 
+ String.valueOf(mMaxPathLen) + "(unlimited)" : + String.valueOf(mMaxPathLen); + + log(ILogger.LL_MISCONF, + CMS.getLogMessage("POLICY_MAXPATHLEN_TOO_BIG_3", "", + maxStr, + String.valueOf(mCAPathLen))); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_MAXPATHLEN_TOO_BIG_1", + NAME, maxStr, Integer.toString(mCAPathLen))); + } else if (mCAPathLen == 0 && mMaxPathLen != 0) { + log(ILogger.LL_MISCONF, + CMS.getLogMessage("POLICY_INVALID_MAXPATHLEN_2", "", String.valueOf(mMaxPathLen))); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_MAXPATHLEN", + NAME, String.valueOf(mMaxPathLen))); + } + } + + } + + /** + * Checks if the basic contraints extension in certInfo is valid and + * add the basic constraints extension for CA certs if none exists. + * Non-CA certs do not get a basic constraints extension. + * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + + // get cert info. + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + X509CertInfo certInfo = null; + + if (ci == null || (certInfo = ci[0]) == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); + return PolicyResult.REJECTED; // unrecoverable error. + } + + // get cert type + boolean isCA = mIsCA; + + /** + * boolean isCA = false; + * String type = (String)req.get(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); + * if (type != null && type.equalsIgnoreCase(IRequest.CA_CERT)) { + * isCA = true; + * } + **/ + + for (int i = 0; i < ci.length; i++) { + PolicyResult certResult = applyCert(req, isCA, certInfo); + + if (certResult == PolicyResult.REJECTED) + return certResult; + } + return PolicyResult.ACCEPTED; + } + + public PolicyResult applyCert( + IRequest req, boolean isCA, X509CertInfo certInfo) { + + // get basic constraints extension from cert info if any. 
+ CertificateExtensions extensions = null; + BasicConstraintsExtension basicExt = null; + + try { + // get basic constraints extension if any. + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + if (extensions != null) { + basicExt = (BasicConstraintsExtension) + extensions.get(BasicConstraintsExtension.NAME); + } + } catch (IOException e) { + // no extensions or basic constraints extension. + } catch (CertificateException e) { + // no extensions or basic constraints extension. + } + + // for non-CA certs, pkix says it SHOULD NOT have the extension + // so remove it. + if (!isCA) { + if (extensions == null) { + try { + // create extensions set if none. + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } catch (CertificateException e) { + } catch (IOException e) { + // not possible + } + } + if (basicExt != null) { + try { + extensions.delete(BasicConstraintsExtension.NAME); + } catch (IOException e) { + } + } + + BasicConstraintsExtension critExt; + + try { + critExt = new BasicConstraintsExtension(isCA, mCritical, mMaxPathLen); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_BASIC_CONSTRAINTS_2", + e.toString())); + setError(req, + CMS.getUserMessage("CMS_POLICY_BASIC_CONSTRAINTS_ERROR", NAME), ""); + return PolicyResult.REJECTED; // unrecoverable error. + } + + try { + extensions.set(BasicConstraintsExtension.NAME, critExt); + } catch (IOException e) { + } + CMS.debug( + "BasicConstraintsExt: PolicyRule BasicConstraintsExt: added the extension to request " + + req.getRequestId()); + return PolicyResult.ACCEPTED; + } + + // For CA certs, check if existing extension is valid, and adjust. + // Extension must be marked critial and pathlen must be < CA's pathlen. + // if CA's pathlen is 0 all ca certs are rejected. 
+ + if (mCAPathLen == 0) { + // reject all subordinate CA cert requests because CA's + // path length is 0. + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_NO_SUB_CA_CERTS_ALLOWED_1", NAME)); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED", NAME), ""); + return PolicyResult.REJECTED; + } + + if (basicExt != null) { + try { + boolean extIsCA = + ((Boolean) basicExt.get(BasicConstraintsExtension.IS_CA)).booleanValue(); + int pathLen = + ((Integer) basicExt.get(BasicConstraintsExtension.PATH_LEN)).intValue(); + + if (mMaxPathLen > -1) { + if (pathLen > mMaxPathLen || pathLen < 0) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_MAXPATHLEN_TOO_BIG_3", NAME, "unlimited", + String.valueOf(pathLen))); + if (pathLen < 0) + setError(req, CMS.getUserMessage("CMS_POLICY_MAXPATHLEN_TOO_BIG", + NAME, "unlimited", Integer.toString(mMaxPathLen)), ""); + else + setError(req, CMS.getUserMessage("CMS_POLICY_MAXPATHLEN_TOO_BIG", + NAME, Integer.toString(pathLen), + Integer.toString(mMaxPathLen)), ""); + return PolicyResult.REJECTED; + } + } + + // adjust isCA field + if (!extIsCA) { + basicExt.set(BasicConstraintsExtension.IS_CA, + Boolean.valueOf(true)); + } + + // adjust path length field. + if (mMaxPathLen == 0) { + if (pathLen != 0) { + basicExt.set(BasicConstraintsExtension.PATH_LEN, + Integer.valueOf(0)); + pathLen = 0; + } + } else if (mMaxPathLen > 0 && pathLen > mMaxPathLen) { + basicExt.set(BasicConstraintsExtension.PATH_LEN, + Integer.valueOf(mMaxPathLen)); + pathLen = mMaxPathLen; + } + + // adjust critical field. + if (!basicExt.isCritical()) { + BasicConstraintsExtension critExt; + + try { + critExt = new BasicConstraintsExtension(isCA, mCritical, pathLen); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_BASIC_CONSTRAINTS_1", NAME)); + setError(req, + CMS.getUserMessage("CMS_POLICY_BASIC_CONSTRAINTS_ERROR", NAME), ""); + return PolicyResult.REJECTED; // unrecoverable error. 
+ } + extensions.delete(BasicConstraintsExtension.NAME); + extensions.set(BasicConstraintsExtension.NAME, critExt); + } + } catch (IOException e) { + // not possible in these cases. + } + CMS.debug( + "BasicConstraintsExt: PolicyRule BasicConstraintsExt: added the extension to request " + + req.getRequestId()); + return PolicyResult.ACCEPTED; + } + + // add the extension for the CA cert. + if (extensions == null) { + try { + // create extensions set if none. + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } catch (CertificateException e) { + // not possible + } catch (IOException e) { + // not possible + } + } + + // set path len to requested path len if it's valid. + // if no path len requested set path len to max allowed path len. + String reqPathLenStr = req.getExtDataInString(ARG_PATHLEN); + int reqPathLen; + + if (reqPathLenStr == null) { + reqPathLen = mMaxPathLen; + } else { + try { + reqPathLen = Integer.parseInt(reqPathLenStr); + if ((mMaxPathLen == 0 && reqPathLen != 0) || + (mMaxPathLen > 0 && + (reqPathLen > mMaxPathLen || reqPathLen < 0))) { + String plenStr = + ((reqPathLen < 0) ? 
+ reqPathLenStr + "(unlimited)" : reqPathLenStr); + + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_PATHLEN_TOO_BIG_3", plenStr, + String.valueOf(mMaxPathLen))); + setError(req, + CMS.getUserMessage("CMS_POLICY_PATHLEN_TOO_BIG", + NAME, plenStr, String.valueOf(mMaxPathLen)), ""); + return PolicyResult.REJECTED; + } + } catch (NumberFormatException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_INVALID_PATHLEN_FORMAT_2", NAME, reqPathLenStr)); + setError(req, CMS.getUserMessage("CMS_POLICY_INVALID_PATHLEN_FORMAT", + NAME, reqPathLenStr), ""); + return PolicyResult.REJECTED; + } + } + BasicConstraintsExtension newExt; + + try { + newExt = new BasicConstraintsExtension(isCA, mCritical, reqPathLen); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_BASIC_CONSTRAINTS_2", e.toString())); + setError(req, + CMS.getUserMessage("CMS_POLICY_BASIC_CONSTRAINTS_ERROR", NAME), ""); + return PolicyResult.REJECTED; // unrecoverable error. + } + try { + extensions.set(BasicConstraintsExtension.NAME, newExt); + } catch (IOException e) { + // doesn't happen. + } + CMS.debug( + "BasicConstraintsExt: added the extension to request " + + req.getRequestId()); + return PolicyResult.ACCEPTED; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + Vector params = new Vector(); + + // Because of one of the UI bugs 385273, we should leave the empty space + // as is. Do not convert the space to some definite numbers. + params.addElement(PROP_MAXPATHLEN + "=" + mOrigMaxPathLen); + params.addElement(PROP_IS_CRITICAL + "=" + mCritical); + params.addElement(PROP_IS_CA + "=" + mIsCA); + return params; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. 
+ */ + public Vector getDefaultParams() { + Vector defParams = new Vector(); + + defParams.addElement(PROP_IS_CRITICAL + "=true"); + defParams.addElement(PROP_MAXPATHLEN + "="); + defParams.addElement(PROP_IS_CA + "=true"); + return defParams; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_MAXPATHLEN + + ";number;'0' means : no subordinates allowed, 'n' means : at most n subordinates allowed.", + PROP_IS_CRITICAL + ";boolean;" + + "RFC 2459 recommendation: MUST be critical in CA certs, SHOULD NOT appear in EE certs.", + PROP_IS_CA + ";boolean;" + + "Identifies the subject of the certificate is a CA or not.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-basicconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Adds the Basic Constraints extension. See RFC 2459 (4.2.1.10)" + }; + + return params; + } + +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/CRLDistributionPointsExt.java b/base/common/src/com/netscape/cms/policy/extensions/CRLDistributionPointsExt.java new file mode 100644 index 000000000..1ede3d5d0 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/CRLDistributionPointsExt.java 
@@ -0,0 +1,484 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Hashtable; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.security.util.BitArray; +import netscape.security.x509.CRLDistributionPoint; +import netscape.security.x509.CRLDistributionPointsExtension; +import netscape.security.x509.CRLDistributionPointsExtension.Reason; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.GeneralName; +import netscape.security.x509.GeneralNames; +import netscape.security.x509.GeneralNamesException; +import netscape.security.x509.RDN; +import netscape.security.x509.URIName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import 
com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * The type of the distribution point or issuer name. The name is expressed + * as a simple string in the configuration file, so this attribute is needed + * to tell whether the simple string should be stored in an X.500 Name, + * a URL, or an RDN. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +class NameType { + private NameType() { + } // no default constructor + + private String stringRep; // string representation of this type + + private NameType(String s) { + map.put(s, this); + stringRep = s; + } + + private static Hashtable map = new Hashtable(); + + /** + * Looks up a NameType from its string representation. Returns null + * if no matching NameType was found. + */ + public static NameType fromString(String s) { + return map.get(s); + } + + public String toString() { + return stringRep; + } + + public static final NameType DIRECTORY_NAME = new NameType("DirectoryName"); + public static final NameType URI = new NameType("URI"); + public static final NameType RELATIVE_TO_ISSUER = + new NameType("RelativeToIssuer"); +} + +/** + * These are the parameters that may be given in the configuration file + * for each distribution point. They are parsed by DPParamsToDP(). + * Any of them may be null. + */ +class DistPointParams { + public String pointName; + public String pointType; + + public String reasons; + + public String issuerName; + public String issuerType; + + public DistPointParams() { + } + + public DistPointParams(DistPointParams old) { + pointName = old.pointName; + pointType = old.pointType; + reasons = old.reasons; + issuerName = old.issuerName; + issuerType = old.issuerType; + } + +} + +/** + * CRL Distribution Points policy. + * Adds the CRL Distribution Points extension to the certificate. 
+ */ +public class CRLDistributionPointsExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + + public static final String PROP_IS_CRITICAL = "critical"; + public static final String PROP_NUM_POINTS = "numPoints"; + public static final String PROP_POINT_TYPE = "pointType"; + public static final String PROP_POINT_NAME = "pointName"; + public static final String PROP_REASONS = "reasons"; + public static final String PROP_ISSUER_NAME = "issuerName"; + public static final String PROP_ISSUER_TYPE = "issuerType"; + + private static final int MAX_POINTS = 10; + private static final int DEFAULT_NUM_BLANK_POINTS = 3; + private int mNumPoints = DEFAULT_NUM_BLANK_POINTS; + + // PKIX specifies the that the extension SHOULD NOT be critical + public static final boolean DEFAULT_CRITICALITY = false; + + private Vector defaultParams = new Vector(); + + private Vector mParams = new Vector(); + private String mExtParams[] = null; + private CRLDistributionPointsExtension mCrldpExt = null; + + public CRLDistributionPointsExt() { + NAME = "CRLDistributionPointsExt"; + DESC = "Sets CRL distribution points extension"; + defaultParams.addElement(PROP_IS_CRITICAL + "=" + DEFAULT_CRITICALITY); + defaultParams.addElement(PROP_NUM_POINTS + "=0"); + for (int i = 0; i < DEFAULT_NUM_BLANK_POINTS; i++) { + defaultParams.addElement(PROP_POINT_NAME + i + "="); + defaultParams.addElement(PROP_POINT_TYPE + i + "="); + defaultParams.addElement(PROP_REASONS + i + "="); + defaultParams.addElement(PROP_ISSUER_NAME + i + "="); + defaultParams.addElement(PROP_ISSUER_TYPE + i + "="); + } + } + + private void setExtendedPluginInfo() { + Vector v = new Vector(); + + // should replace MAX_POINTS with mNumPoints if bug 385118 is fixed + for (int i = 0; i < MAX_POINTS; i++) { + v.addElement(PROP_POINT_TYPE + Integer.toString(i) + ";choice(" + + "DirectoryName,URI,RelativeToIssuer);" + + "The type of the CRL distribution point."); + v.addElement(PROP_POINT_NAME + Integer.toString(i) + 
";string;" + + "The name of the CRL distribution point depending on the CRLDP type."); + v.addElement(PROP_REASONS + + Integer.toString(i) + + ";string;" + + + "The revocation reasons for the CRL maintained at this distribution point. It's a comma-seperated list of the following constants: unused, keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold."); + v.addElement(PROP_ISSUER_TYPE + Integer.toString(i) + ";choice(" + + "DirectoryName,URI);" + + "The type of the issuer that has signed the CRL maintained at this distribution point."); + v.addElement(PROP_ISSUER_NAME + + Integer.toString(i) + + ";string;" + + + "The name of the issuer that has signed the CRL maintained at this distribution point. The value depends on the issuer type."); + } + + v.addElement(PROP_NUM_POINTS + + ";number;The total number of CRL distribution points to be contained or allowed in the extension."); + v.addElement(PROP_IS_CRITICAL + + + ";boolean;RFC 2459 recommendation: SHOULD be non-critical. But recommends support for this extension by CAs and applications."); + v.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-crldistributionpoints"); + v.addElement(IExtendedPluginInfo.HELP_TEXT + + ";This policy inserts the CRL Distribution Points " + + "Extension into the certificate. See RFC 2459 (4.2.1.14). " + ); + + mExtParams = com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); + } + + public String[] getExtendedPluginInfo(Locale locale) { + if (mExtParams == null) { + setExtendedPluginInfo(); + } + return mExtParams; + + } + + /** + * Performs one-time initialization of the policy. + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + // Register the CRL Distribution Points extension. 
+ try { + netscape.security.x509.OIDMap.addAttribute( + CRLDistributionPointsExtension.class.getName(), + CRLDistributionPointsExtension.OID, + CRLDistributionPointsExtension.NAME); + } catch (CertificateException e) { + // ignore, just means it has already been added + } + + // assemble the list of Distribution Points from the config file + int numPoints = config.getInteger(PROP_NUM_POINTS, 0); + + mParams.addElement(PROP_NUM_POINTS + "=" + numPoints); + mNumPoints = numPoints; + + for (int i = 0; i < numPoints; i++) { + // construct a distribution point from the parameters + DistPointParams params = new DistPointParams(); + + params.pointType = config.getString(PROP_POINT_TYPE + i, ""); + params.pointName = config.getString(PROP_POINT_NAME + i, ""); + params.reasons = config.getString(PROP_REASONS + i, ""); + params.issuerType = config.getString(PROP_ISSUER_TYPE + i, ""); + params.issuerName = config.getString(PROP_ISSUER_NAME + i, ""); + + DistPointParams configparams = new DistPointParams(params); + CRLDistributionPoint crldp = DPParamsToDP(params); + + mParams.addElement(PROP_POINT_TYPE + i + "=" + configparams.pointType); + mParams.addElement(PROP_POINT_NAME + i + "=" + configparams.pointName); + mParams.addElement(PROP_REASONS + i + "=" + configparams.reasons); + mParams.addElement(PROP_ISSUER_TYPE + i + "=" + configparams.issuerType); + mParams.addElement(PROP_ISSUER_NAME + i + "=" + configparams.issuerName); + + // add the distribution point to the extension + if (mCrldpExt == null) { + mCrldpExt = new CRLDistributionPointsExtension(crldp); + } else { + mCrldpExt.addPoint(crldp); + } + } + + boolean crit = config.getBoolean(PROP_IS_CRITICAL, + DEFAULT_CRITICALITY); + + mParams.addElement(PROP_IS_CRITICAL + "=" + crit); + if (mCrldpExt != null) { + // configure the extension itself + mCrldpExt.setCritical(crit); + } + setExtendedPluginInfo(); + + } + + /** + * Parses the parameters in the config file to create an + * actual CRL Distribution Point object. 
+ */ + private CRLDistributionPoint DPParamsToDP(DistPointParams params) + throws EBaseException { + CRLDistributionPoint crlDP = new CRLDistributionPoint(); + + try { + + if (params.pointName != null && params.pointName.length() == 0) { + params.pointName = null; + } + if (params.pointType != null && params.pointType.length() == 0) { + params.pointType = null; + } + if (params.reasons != null && params.reasons.length() == 0) { + params.reasons = null; + } + if (params.issuerName != null && params.issuerName.length() == 0) { + params.issuerName = null; + } + if (params.issuerType != null && params.issuerType.length() == 0) { + params.issuerType = null; + } + + // deal with the distribution point name + if (params.pointName != null && params.pointType != null) { + // decode the type of the name + NameType nType = NameType.fromString(params.pointType); + + if (nType == null) { + String err = "Unknown name type: " + params.pointType; + + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_UNKNOWN_NAME_TYPE", params.pointType)); + throw new EBaseException(err); + } + + if (nType == NameType.DIRECTORY_NAME) { + GeneralNames gen = new GeneralNames(); + + gen.addElement(new GeneralName(new X500Name(params.pointName))); + crlDP.setFullName(gen); + } else if (nType == NameType.URI) { + GeneralNames gen = new GeneralNames(); + + gen.addElement(new GeneralName(new URIName(params.pointName))); + crlDP.setFullName(gen); + } else if (nType == NameType.RELATIVE_TO_ISSUER) { + crlDP.setRelativeName(new RDN(params.pointName)); + } else { + String err = "Unknown name type: " + nType.toString(); + + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_UNKNOWN_NAME_TYPE", nType.toString())); + throw new EBaseException(err); + } + } + + // deal with the reasons + if (params.reasons != null) { + StringTokenizer tok = new StringTokenizer(params.reasons, ", \t"); + byte reasonBits = 0; + + while (tok.hasMoreTokens()) { + String s = tok.nextToken(); + Reason r = Reason.fromString(s); + + if (r == null) 
{ + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_UNKNOWN_REASON", s)); + throw new EBaseException("Unknown reason: " + s); + } else { + reasonBits |= r.getBitMask(); + } + } + if (reasonBits != 0) { + BitArray ba = new BitArray(8, new byte[] { reasonBits } + ); + + crlDP.setReasons(ba); + } + } + + // deal with the issuer name + if (params.issuerName != null && params.issuerType != null) { + // decode the type of the name + NameType nType = NameType.fromString(params.issuerType); + + if (nType == null) { + String err = "Unknown name type: " + params.issuerType; + + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_UNKNOWN_NAME_TYPE", params.issuerType)); + throw new EBaseException(err); + } + + if (nType == NameType.DIRECTORY_NAME) { + GeneralNames gen = new GeneralNames(); + + gen.addElement(new GeneralName(new X500Name(params.issuerName))); + crlDP.setCRLIssuer(gen); + } else if (nType == NameType.URI) { + GeneralNames gen = new GeneralNames(); + + gen.addElement(new GeneralName(new URIName(params.issuerName))); + crlDP.setCRLIssuer(gen); + } else { + String err = "Unknown name type: " + nType.toString(); + + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_UNKNOWN_NAME_TYPE", nType.toString())); + throw new EBaseException(err); + } + } + + } catch (GeneralNamesException e) { + throw new EBaseException(e.getMessage()); + } catch (IOException e) { + throw new EBaseException(e.getMessage()); + } + + // done, return this distribution point + return crlDP; + } + + /** + * Applies the policy to the given request. 
+ */ + public PolicyResult apply(IRequest req) { + + // if the extension was not configured correctly, just skip it + if (mCrldpExt == null) { + return PolicyResult.ACCEPTED; + } + + X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certRes = applyCert(req, ci[i]); + + if (certRes == PolicyResult.REJECTED) + return certRes; + } + return PolicyResult.ACCEPTED; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + + try { + // find the extensions in the certInfo + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + + // prepare the extensions data structure + if (extensions == null) { + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } else { + // remove any previously computed version of the extension + try { + extensions.delete(CRLDistributionPointsExtension.NAME); + } catch (IOException e) { + // extension isn't there + } + } + extensions.set(CRLDistributionPointsExtension.NAME, mCrldpExt); + + return PolicyResult.ACCEPTED; + + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, + e.getMessage()); + return PolicyResult.REJECTED; + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", + e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, + e.getMessage()); + return PolicyResult.REJECTED; + } + } + + // 
parameters must be entered in the config file + public Vector getDefaultParams() { + for (int i = DEFAULT_NUM_BLANK_POINTS; i < mNumPoints; i++) { + defaultParams.addElement(PROP_POINT_NAME + i + "="); + defaultParams.addElement(PROP_POINT_TYPE + i + "="); + defaultParams.addElement(PROP_REASONS + i + "="); + defaultParams.addElement(PROP_ISSUER_NAME + i + "="); + defaultParams.addElement(PROP_ISSUER_TYPE + i + "="); + } + return defaultParams; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + return mParams; + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/CertificatePoliciesExt.java b/base/common/src/com/netscape/cms/policy/extensions/CertificatePoliciesExt.java new file mode 100644 index 000000000..597357318 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/CertificatePoliciesExt.java 
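Review bot: The early `return PolicyResult.ACCEPTED` in apply() when mCrldpExt is null leaves any CRL Distribution Points extension already present in the request's certInfo untouched, because the `extensions.delete(CRLDistributionPointsExtension.NAME)` in applyCert() is never reached; with the rule enabled but numPoints=0, a requester who can influence certInfo extensions (whether the enrollment path allows that is not visible here) would get their own CRL DP signed into the certificate. BasicConstraintsExt in this same commit never lets a request-supplied copy of its extension through unadjusted, so the two rules disagree. Either strip regardless — drop the early return and guard only the insertion, `if (mCrldpExt != null) extensions.set(CRLDistributionPointsExtension.NAME, mCrldpExt);` — or make the pass-through explicit on the early return: `// no points configured: a request-supplied CRLDP extension, if any, is left as-is`. Separately, the null-extensions branch in applyCert() sets X509CertInfo.VERSION twice in a row; the second `certInfo.set(X509CertInfo.VERSION, ...)` can go.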
@@ -0,0 +1,534 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.CPSuri; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificatePoliciesExtension; +import netscape.security.x509.CertificatePolicyId; +import netscape.security.x509.CertificatePolicyInfo; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.DisplayText; +import netscape.security.x509.NoticeReference; +import netscape.security.x509.PolicyQualifierInfo; +import netscape.security.x509.PolicyQualifiers; +import netscape.security.x509.UserNotice; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import 
com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.policy.IPolicyProcessor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Certificate Policies. + * Adds certificate policies extension. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class CertificatePoliciesExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + protected static final String PROP_CRITICAL = "critical"; + protected static final String PROP_NUM_CERTPOLICIES = "numCertPolicies"; + + protected static final String PROP_CERTPOLICY = "certPolicy"; + + protected static final boolean DEF_CRITICAL = false; + protected static final int DEF_NUM_CERTPOLICIES = 1; + + protected boolean mEnabled = false; + protected IConfigStore mConfig = null; + + protected boolean mCritical = DEF_CRITICAL; + protected int mNumCertPolicies = DEF_NUM_CERTPOLICIES; + protected CertPolicy[] mCertPolicies = null; + + protected Vector mInstanceParams = new Vector(); + protected CertificatePoliciesExtension mCertificatePoliciesExtension = null; + + public CertificatePoliciesExt() { + NAME = "CertificatePoliciesExt"; + DESC = "Sets non-critical certificate policies extension in certs"; + } + + /** + * Initializes this policy rule. + *

+ * + * The entries may be of the form: + * + * ca.Policy.rule..predicate=certType==ca ca.Policy.rule..implName= + * ca.Policy.rule..enable=true + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); + mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); + + mNumCertPolicies = mConfig.getInteger( + PROP_NUM_CERTPOLICIES, DEF_NUM_CERTPOLICIES); + if (mNumCertPolicies < 1) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_ATTR_VALUE_2", NAME, "")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_NUM_CERTPOLICIES, + "value must be greater than or equal to 1")); + } + + // init Policy Mappings, check values if enabled. + mCertPolicies = new CertPolicy[mNumCertPolicies]; + for (int i = 0; i < mNumCertPolicies; i++) { + String subtreeName = PROP_CERTPOLICY + i; + + try { + mCertPolicies[i] = new CertPolicy(subtreeName, mConfig, mEnabled); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, NAME + ": " + + CMS.getLogMessage("POLICY_ERROR_CREATE_CERT_POLICY", e.toString())); + throw e; + } + } + + // create instance of certificate policy extension if enabled. 
+ if (mEnabled) { + try { + Vector CertPolicies = new Vector(); + + for (int j = 0; j < mNumCertPolicies; j++) { + CertPolicies.addElement( + mCertPolicies[j].mCertificatePolicyInfo); + } + mCertificatePoliciesExtension = + new CertificatePoliciesExtension(mCritical, CertPolicies); + } catch (IOException e) { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Error initializing " + NAME + " Error: " + e)); + } + } + + // form instance params + mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); + mInstanceParams.addElement( + PROP_NUM_CERTPOLICIES + "=" + mNumCertPolicies); + for (int i = 0; i < mNumCertPolicies; i++) { + mCertPolicies[i].getInstanceParams(mInstanceParams); + } + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + + // get certInfo from request. + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certRes = applyCert(req, ci[i]); + + if (certRes == PolicyResult.REJECTED) + return certRes; + } + return PolicyResult.ACCEPTED; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + CertificateExtensions extensions = null; + + try { + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + if (extensions == null) { + extensions = new CertificateExtensions(); + try { + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } catch (Exception e) { + } + } else { + // remove any previously computed version of the extension + try { + extensions.delete(CertificatePoliciesExtension.NAME); + } catch (IOException e) { + // this is the hack: for some reason, the key which is the name + // of the policy has been converted into the OID + try { + extensions.delete("2.5.29.32"); + } catch (IOException ee) { + } + } + } + extensions.set(CertificatePoliciesExtension.NAME, + mCertificatePoliciesExtension); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", + e.toString())); + setError(req, + CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); + return PolicyResult.REJECTED; + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", + e.toString())); + setError(req, + CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); + return PolicyResult.REJECTED; + 
} catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", + e.toString())); + setError(req, + CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); + return PolicyResult.REJECTED; + } + return PolicyResult.ACCEPTED; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + return mInstanceParams; + } + + /** + * Default config parameters. + * To add more permitted or excluded subtrees, + * increase the num to greater than 0 and more configuration params + * will show up in the console. + */ + private static Vector mDefParams = new Vector(); + static { + mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); + mDefParams.addElement( + PROP_NUM_CERTPOLICIES + "=" + DEF_NUM_CERTPOLICIES); + String certPolicy0Dot = PROP_CERTPOLICY + "0."; + + mDefParams.addElement( + certPolicy0Dot + CertPolicy.PROP_POLICY_IDENTIFIER + "=" + ""); + mDefParams.addElement( + certPolicy0Dot + CertPolicy.PROP_NOTICE_REF_ORG + "=" + ""); + mDefParams.addElement( + certPolicy0Dot + CertPolicy.PROP_NOTICE_REF_NUMS + "=" + ""); + mDefParams.addElement( + certPolicy0Dot + CertPolicy.PROP_USER_NOTICE_TEXT + "=" + ""); + mDefParams.addElement( + certPolicy0Dot + CertPolicy.PROP_CPS_URI + "=" + ""); + + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return mDefParams; + } + + public String[] getExtendedPluginInfo(Locale locale) { + Vector theparams = new Vector(); + + theparams.addElement(PROP_CRITICAL + ";boolean;RFC 3280 recommendation: MUST be non-critical."); + theparams.addElement(PROP_NUM_CERTPOLICIES + + ";number; Number of certificate policies. 
The value must be greater than or equal to 1"); + + for (int k = 0; k < 5; k++) { + String certPolicykDot = PROP_CERTPOLICY + k + "."; + + theparams.addElement(certPolicykDot + + CertPolicy.PROP_POLICY_IDENTIFIER + ";string,required;An object identifier in the form n.n.n.n"); + theparams.addElement(certPolicykDot + + CertPolicy.PROP_NOTICE_REF_ORG + ";string;See RFC 3280 sec 4.2.1.5"); + theparams.addElement(certPolicykDot + + CertPolicy.PROP_NOTICE_REF_NUMS + + ";string;comma-separated list of numbers. See RFC 3280 sec 4.2.1.5"); + theparams.addElement(certPolicykDot + + CertPolicy.PROP_USER_NOTICE_TEXT + ";string;See RFC 3280 sec 4.2.1.5"); + theparams.addElement(certPolicykDot + + CertPolicy.PROP_CPS_URI + ";string;See RFC 3280 sec 4.2.1.5"); + } + + theparams.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-certificatepolicies"); + theparams.addElement(IExtendedPluginInfo.HELP_TEXT + + ";Adds Certificate Policies Extension. See RFC 3280 (4.2.1.5)"); + + String[] params = new String[theparams.size()]; + + theparams.copyInto(params); + return params; + } +} + +class CertPolicy { + + protected static final String PROP_POLICY_IDENTIFIER = "policyId"; + protected static final String PROP_NOTICE_REF_ORG = "noticeRefOrganization"; + protected static final String PROP_NOTICE_REF_NUMS = "noticeRefNumbers"; + protected static final String PROP_USER_NOTICE_TEXT = "userNoticeExplicitText"; + protected static final String PROP_CPS_URI = "cpsURI"; + + protected String mName = null; + protected String mNameDot = null; + protected IConfigStore mConfig = null; + + protected String mPolicyId = null; + protected String mNoticeRefOrg = null; + protected String mNoticeRefNums = null; + protected String mNoticeRefExplicitText = null; + protected String mCpsUri = null; + + protected CertificatePolicyInfo mCertificatePolicyInfo = null; + + /** + * forms policy map parameters. 
+ * + * @param name name of this policy map, for example certPolicy0 + * @param config parent's config from where we find this configuration. + * @param enabled whether policy was enabled. + */ + protected CertPolicy(String name, IConfigStore config, boolean enabled) + throws EBaseException { + mName = name; + mConfig = config.getSubStore(mName); + mNameDot = mName + "."; + + if (mConfig == null) { + CMS.debug("CertificatePoliciesExt::CertPolicy - mConfig is " + + "null!"); + throw new EBaseException("mConfig is null"); + } + + // if there's no configuration for this policy put it there. + if (mConfig.size() == 0) { + config.putString(mNameDot + PROP_POLICY_IDENTIFIER, ""); + config.putString(mNameDot + PROP_NOTICE_REF_ORG, ""); + config.putString(mNameDot + PROP_NOTICE_REF_NUMS, ""); + config.putString(mNameDot + PROP_USER_NOTICE_TEXT, ""); + config.putString(mNameDot + PROP_CPS_URI, ""); + mConfig = config.getSubStore(mName); + if (mConfig == null || mConfig.size() == 0) { + CMS.debug("CertificatePoliciesExt::CertPolicy - mConfig " + + "is null or empty!"); + throw new EBaseException("mConfig is null or empty"); + } + } + + // get policy ids from configuration. 
+ mPolicyId = mConfig.getString(PROP_POLICY_IDENTIFIER, null); + mNoticeRefOrg = mConfig.getString(PROP_NOTICE_REF_ORG, null); + mNoticeRefNums = mConfig.getString(PROP_NOTICE_REF_NUMS, null); + mNoticeRefExplicitText = mConfig.getString(PROP_USER_NOTICE_TEXT, null); + mCpsUri = mConfig.getString(PROP_CPS_URI, null); + + // adjust for "" and console returning "null" + if (mPolicyId != null && + (mPolicyId.length() == 0 || + mPolicyId.equals("null"))) { + mPolicyId = null; + } + if (mNoticeRefOrg != null && + (mNoticeRefOrg.length() == 0 || + mNoticeRefOrg.equals("null"))) { + mNoticeRefOrg = null; + } + if (mNoticeRefNums != null && + (mNoticeRefNums.length() == 0 || + mNoticeRefNums.equals("null"))) { + mNoticeRefNums = null; + } + if (mNoticeRefExplicitText != null && + (mNoticeRefExplicitText.length() == 0 || + mNoticeRefExplicitText.equals("null"))) { + mNoticeRefExplicitText = null; + } + if (mCpsUri != null && + (mCpsUri.length() == 0 || + mCpsUri.equals("null"))) { + mCpsUri = null; + } + + // policy ids cannot be null if policy is enabled. + String msg = "value cannot be null."; + + if (mPolicyId == null && enabled) + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + mNameDot + PROP_POLICY_IDENTIFIER, msg)); + msg = "NoticeReference is optional; If chosen to include, NoticeReference must at least has 'organization'"; + if (mNoticeRefOrg == null && mNoticeRefNums != null && enabled) + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + mNameDot + PROP_NOTICE_REF_ORG, msg)); + + // if a policy id is not null check that it is a valid OID. + + if (mPolicyId != null) + CMS.checkOID(mNameDot + PROP_POLICY_IDENTIFIER, mPolicyId); + + // if enabled, form CertificatePolicyInfo to be encoded in + // extension. Policy ids should be all set. 
+ if (enabled) { + CMS.debug("CertPolicy: in CertPolicy"); + DisplayText displayText = null; + + if (mNoticeRefExplicitText != null && + !mNoticeRefExplicitText.equals("")) + displayText = new DisplayText(DisplayText.tag_VisibleString, mNoticeRefExplicitText); + // new DisplayText(DisplayText.tag_IA5String, mNoticeRefExplicitText); + DisplayText orgName = null; + + if (mNoticeRefOrg != null && + !mNoticeRefOrg.equals("")) + orgName = + new DisplayText(DisplayText.tag_VisibleString, mNoticeRefOrg); + // new DisplayText(DisplayText.tag_VisibleString, mNoticeRefOrg); + + int[] nums = new int[0]; + ; + if (mNoticeRefNums != null && + !mNoticeRefNums.equals("")) { + + // should add a method to NoticeReference to take a + // Vector...but let's do this for now + + Vector numsVector = new Vector(); + StringTokenizer tokens = new StringTokenizer(mNoticeRefNums, + ","); + + while (tokens.hasMoreTokens()) { + String num = tokens.nextToken().trim(); + + numsVector.addElement(num); + } + + nums = new int[numsVector.size()]; + + for (int i = 0; i < numsVector.size(); i++) { + Integer ii = new Integer(numsVector.elementAt(i)); + + nums[i] = ii.intValue(); + } + } + CertificatePolicyId cpolicyId = null; + + try { + cpolicyId = new CertificatePolicyId(ObjectIdentifier.getObjectIdentifier(mPolicyId)); + } catch (Exception e) { + throw new EBaseException(CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR", mPolicyId)); + } + + PolicyQualifiers policyQualifiers = new PolicyQualifiers(); + + NoticeReference noticeReference = null; + + if (orgName != null) + noticeReference = new NoticeReference(orgName, nums); + + UserNotice userNotice = null; + + if (displayText != null || noticeReference != null) { + userNotice = new UserNotice(noticeReference, displayText); + + PolicyQualifierInfo policyQualifierInfo1 = + new PolicyQualifierInfo(PolicyQualifierInfo.QT_UNOTICE, userNotice); + + policyQualifiers.add(policyQualifierInfo1); + } + + CPSuri cpsUri = null; + + if (mCpsUri != null && 
mCpsUri.length() > 0) { + cpsUri = new CPSuri(mCpsUri); + PolicyQualifierInfo policyQualifierInfo2 = + new PolicyQualifierInfo(PolicyQualifierInfo.QT_CPS, cpsUri); + + policyQualifiers.add(policyQualifierInfo2); + } + + if ((mNoticeRefOrg == null || mNoticeRefOrg.equals("")) && + (mNoticeRefExplicitText == null || mNoticeRefExplicitText.equals("")) && + (mCpsUri == null || mCpsUri.equals(""))) { + CMS.debug("CertPolicy mNoticeRefOrg = " + mNoticeRefOrg); + CMS.debug("CertPolicy mNoticeRefExplicitText = " + mNoticeRefExplicitText); + CMS.debug("CertPolicy mCpsUri = " + mCpsUri); + + mCertificatePolicyInfo = new CertificatePolicyInfo(cpolicyId); + } else { + CMS.debug("CertPolicy mNoticeRefOrg = " + mNoticeRefOrg); + CMS.debug("CertPolicy mNoticeRefExplicitText = " + mNoticeRefExplicitText); + CMS.debug("CertPolicy mCpsUri = " + mCpsUri); + mCertificatePolicyInfo = new CertificatePolicyInfo(cpolicyId, policyQualifiers); + } + } + } + + protected void getInstanceParams(Vector instanceParams) { + instanceParams.addElement( + mNameDot + PROP_POLICY_IDENTIFIER + "=" + (mPolicyId == null ? "" : + mPolicyId)); + instanceParams.addElement( + mNameDot + PROP_NOTICE_REF_ORG + "=" + (mNoticeRefOrg == null ? "" : + mNoticeRefOrg)); + instanceParams.addElement( + mNameDot + PROP_NOTICE_REF_NUMS + "=" + (mNoticeRefNums == null ? "" : + mNoticeRefNums)); + instanceParams.addElement( + mNameDot + PROP_USER_NOTICE_TEXT + "=" + (mNoticeRefExplicitText == null ? "" : + mNoticeRefExplicitText)); + instanceParams.addElement( + mNameDot + PROP_CPS_URI + "=" + (mCpsUri == null ? "" : + mCpsUri)); + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/CertificateRenewalWindowExt.java b/base/common/src/com/netscape/cms/policy/extensions/CertificateRenewalWindowExt.java new file mode 100644 index 000000000..28366ade8 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/CertificateRenewalWindowExt.java 
@@ -0,0 +1,254 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Date; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.extensions.CertificateRenewalWindowExtension; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Certificate Renewal Window Extension Policy + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class CertificateRenewalWindowExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + + protected static final String PROP_END_TIME = "relativeEndTime"; + protected static final String PROP_BEGIN_TIME = "relativeBeginTime"; + protected static final String PROP_CRITICAL = "critical"; + + protected boolean mCritical; + protected String mBeginTime; + protected String mEndTime; + + /** + * Adds the Netscape comment in the end-entity certificates or + * CA certificates. The policy is set to be non-critical with the + * provided OID. + */ + public CertificateRenewalWindowExt() { + NAME = "CertificateRenewalWindowExt"; + DESC = "Sets non-critical Certificate Renewal Window extension in certs"; + } + + /** + * Initializes this policy rule. + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mCritical = config.getBoolean(PROP_CRITICAL, false); + mBeginTime = config.getString(PROP_BEGIN_TIME, null); + mEndTime = config.getString(PROP_END_TIME, null); + + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + PolicyResult res = PolicyResult.ACCEPTED; + + // get cert info. + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; // unrecoverable error. + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult r = applyCert(req, ci[i]); + + if (r == PolicyResult.REJECTED) + return r; + } + return res; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + + CertificateExtensions extensions = null; + + try { + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + } catch (IOException e) { + } catch (CertificateException e) { + } + + if (extensions == null) { + extensions = new CertificateExtensions(); + try { + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } catch (Exception e) { + } + } else { + // remove any previously computed version of the extension + try { + extensions.delete(CertificateRenewalWindowExtension.NAME); + + } catch (IOException e) { + // this is the hack: for some reason, the key which is the name + // of the policy has been converted into the OID + try { + extensions.delete("2.16.840.1.113730.1.15"); + } catch (IOException ee) { + } + } + } + + try { + Date now = CMS.getCurrentDate(); + CertificateRenewalWindowExtension crwExt = null; + + if (mEndTime == null || mEndTime.equals("")) { + crwExt = new CertificateRenewalWindowExtension( + mCritical, + getDateValue(now, mBeginTime), + null); + } else { + crwExt = new CertificateRenewalWindowExtension( + mCritical, + getDateValue(now, mBeginTime), + getDateValue(now, mEndTime)); + } + extensions.set(CertificateRenewalWindowExtension.NAME, + crwExt); + } catch 
(Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", NAME)); + setError(req, + CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); + return PolicyResult.REJECTED; + } + return PolicyResult.ACCEPTED; + } + + public Date getDateValue(Date relativeFrom, String s) { + long time; + + if (s.endsWith("s")) { + time = 1000 * Long.parseLong(s.substring(0, + s.length() - 1)); + } else if (s.endsWith("m")) { + time = 60 * 1000 * Long.parseLong(s.substring(0, + s.length() - 1)); + } else if (s.endsWith("h")) { + time = 60 * 60 * 1000 * Long.parseLong(s.substring(0, + s.length() - 1)); + } else if (s.endsWith("D")) { + time = 24 * 60 * 60 * 1000 * Long.parseLong( + s.substring(0, s.length() - 1)); + } else if (s.endsWith("M")) { + time = 30 * 60 * 60 * 1000 * Long.parseLong( + s.substring(0, s.length() - 1)); + } else { + time = 1000 * Long.parseLong(s); + } + + return new Date(relativeFrom.getTime() + time); + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_CRITICAL + ";boolean;Netscape recommendation: non-critical.", + PROP_BEGIN_TIME + + ";string;Start Time in seconds (Relative to the time of issuance). Optionally, time unit (s - seconds, m - minutes, h - hours, D - days, M - months) can be specified right after the value. For example, 5 days can be expressed as 5D.", + PROP_END_TIME + + ";string;End Time in seconds (Optional, Relative to the time of issuance). Optionally, time unit (s - seconds, m - minutes, h - hours, D - days, M - months) can be specified right after the value. For example, 5 days can be expressed as 5D.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-certificaterenewalwindow", + IExtendedPluginInfo.HELP_TEXT + + ";Adds 'Certificate Renewal Window' extension. See manual" + }; + + return params; + + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. 
+ */ + public Vector getInstanceParams() { + Vector params = new Vector(); + + params.addElement(PROP_CRITICAL + "=" + mCritical); + if (mBeginTime == null) { + params.addElement(PROP_BEGIN_TIME + "="); + } else { + params.addElement(PROP_BEGIN_TIME + "=" + mBeginTime); + } + if (mEndTime == null) { + params.addElement(PROP_END_TIME + "="); + } else { + params.addElement(PROP_END_TIME + "=" + mEndTime); + } + return params; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + Vector defParams = new Vector(); + + defParams.addElement(PROP_CRITICAL + "=false"); + defParams.addElement(PROP_BEGIN_TIME + "="); + defParams.addElement(PROP_END_TIME + "="); + return defParams; + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/CertificateScopeOfUseExt.java b/base/common/src/com/netscape/cms/policy/extensions/CertificateScopeOfUseExt.java new file mode 100644 index 000000000..b385923af --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/CertificateScopeOfUseExt.java 
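Review bot: In getDateValue the `M` branch multiplies by `30 * 60 * 60 * 1000`, which is 30 hours rather than 30 days, so a window such as `5M` ends roughly five days after issuance instead of five months; the factor needs the missing day term, `time = 30L * 24 * 60 * 60 * 1000 * Long.parseLong(s.substring(0, s.length() - 1));`. init accepts a null relativeBeginTime and applyCert passes it straight into getDateValue, where `s.endsWith("s")` throws NullPointerException that is only caught by the blanket `catch (Exception e)` and reported as a generic certificate-policies error, so validating `mBeginTime` (and that both values parse) in init would surface the misconfiguration at startup instead of at enrollment time. That catch also logs `POLICY_ERROR_CERTIFICATE_POLICIES_1` with `NAME` where the sibling CertificatePoliciesExt passes `e.toString()`, so the actual exception is never recorded. The constructor Javadoc ("Adds the Netscape comment …") appears to be copied from another policy and should describe the renewal window extension it actually sets.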
@@ -0,0 +1,326 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.extensions.CertificateScopeEntry; +import netscape.security.extensions.CertificateScopeOfUseExtension; +import netscape.security.util.BigInt; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.GeneralName; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.policy.IGeneralNameUtil; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Certificate Scope Of Use extension policy. 
This extension + * is defined in draft-thayes-cert-scope-00.txt + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class CertificateScopeOfUseExt extends APolicyRule implements + IEnrollmentPolicy, IExtendedPluginInfo { + protected static final String PROP_CRITICAL = + "critical"; + protected static final String PROP_ENTRY = + "entry"; + protected static final String PROP_NAME = + "name"; + protected static final String PROP_NAME_TYPE = + "name_type"; + protected static final String PROP_PORT_NUMBER = + "port_number"; + + public static final int MAX_ENTRY = 5; + + public IConfigStore mConfig = null; + + public CertificateScopeOfUseExt() { + NAME = "CertificateScopeOfUseExt"; + DESC = "Sets scope of use extension for certificates"; + } + + public String[] getExtendedPluginInfo(Locale locale) { + Vector v = new Vector(); + + v.addElement(PROP_CRITICAL + + ";boolean; This extension may be either critical or non-critical."); + v.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-certificatescopeofuse"); + v.addElement(IExtendedPluginInfo.HELP_TEXT + + ";Adds Certificate Scope of Use Extension."); + + for (int i = 0; i < MAX_ENTRY; i++) { + v.addElement(PROP_ENTRY + Integer.toString(i) + "_" + PROP_NAME + ";" + IGeneralNameUtil.GENNAME_VALUE_INFO); + v.addElement(PROP_ENTRY + + Integer.toString(i) + "_" + PROP_NAME_TYPE + ";" + IGeneralNameUtil.GENNAME_CHOICE_INFO); + v.addElement(PROP_ENTRY + + Integer.toString(i) + "_" + PROP_PORT_NUMBER + ";string;" + "The port number (optional)."); + } + return com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); + } + + /** + * Initializes this policy rule. + *

+ * + * The entries may be of the form: + * + * ca.Policy.rule..implName=AuthInfoAccessExt ca.Policy.rule..enable=true + * ca.Policy.rule..predicate= + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + } + + /** + * Returns a sequence of scope entry. + */ + private Vector getScopeEntries() throws EBaseException { + Vector entries = new Vector(); + + // + // read until there is *NO* ad_method + // + for (int i = 0;; i++) { + // get port number (optional) + String port = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + "_" + PROP_PORT_NUMBER, null); + BigInt portNumber = null; + + if (port != null && !port.equals("")) { + portNumber = new BigInt(Integer.parseInt(port)); + } + + // + // location ::= : + // TAG ::= uriName | dirName + // VALUE ::= [value defined by TAG] + // + String name_type = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + + "_" + PROP_NAME_TYPE, null); + String name = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + + "_" + PROP_NAME, null); + + if (name == null || name.equals("")) + break; + GeneralName gn = CMS.form_GeneralNameAsConstraints(name_type, name); + + entries.addElement(new CertificateScopeEntry(gn, portNumber)); + } + return entries; + } + + /** + * If this policy is enabled, add the authority information + * access extension to the certificate. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + PolicyResult res = PolicyResult.ACCEPTED; + + X509CertInfo certInfo; + X509CertInfo[] ci = req.getExtDataInCertInfoArray( + IRequest.CERT_INFO); + + if (ci == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; // unrecoverable error. + } + + for (int j = 0; j < ci.length; j++) { + + certInfo = ci[j]; + if (certInfo == null) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CA_CERT_INFO_ERROR", NAME)); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Configuration Info Error"); + return PolicyResult.REJECTED; // unrecoverable error. + } + + try { + // Find the extensions in the certInfo + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + + // add access descriptions + Vector entries = getScopeEntries(); + + if (entries.size() == 0) { + return res; + } + + if (extensions == null) { + // create extension if not exist + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } else { + // check to see if AIA is already exist + try { + extensions.delete(CertificateScopeOfUseExtension.NAME); + log(ILogger.LL_INFO, "Previous extension deleted: " + CertificateScopeOfUseExtension.NAME); + } catch (IOException ex) { + } + } + + // Create the extension + CertificateScopeOfUseExtension suExt = new + CertificateScopeOfUseExtension(mConfig.getBoolean( + PROP_CRITICAL, false), entries); + + extensions.set(CertificateScopeOfUseExtension.NAME, suExt); + + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); + return 
PolicyResult.REJECTED; // unrecoverable error. + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + "Configuration Info Error encountered: " + + e.getMessage()); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Configuration Info Error"); + return PolicyResult.REJECTED; // unrecoverable error. + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); + return PolicyResult.REJECTED; // unrecoverable error. + } + } + + return res; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + Vector params = new Vector(); + + try { + params.addElement(PROP_CRITICAL + "=" + + mConfig.getBoolean(PROP_CRITICAL, false)); + } catch (EBaseException e) { + } + + for (int i = 0;; i++) { + String name_type = null; + + try { + name_type = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + "_" + PROP_NAME_TYPE, + null); + } catch (EBaseException e) { + } + if (name_type == null) + break; + params.addElement(PROP_ENTRY + + Integer.toString(i) + + "_" + PROP_NAME_TYPE + "=" + name_type); + String name = null; + + try { + name = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + "_" + PROP_NAME, + null); + } catch (EBaseException e) { + } + if (name == null) + break; + params.addElement(PROP_ENTRY + + Integer.toString(i) + + "_" + PROP_NAME + "=" + name); + String port = null; + + try { + port = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + "_" + PROP_PORT_NUMBER, + ""); + } catch (EBaseException e) { + } + params.addElement(PROP_ENTRY + + Integer.toString(i) + + "_" + PROP_PORT_NUMBER + "=" + port); + } + return params; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. 
+ */ + public Vector getDefaultParams() { + Vector defParams = new Vector(); + + defParams.addElement(PROP_CRITICAL + "=false"); + + // + // By default, we create MAX_AD access descriptions. + // If this is not enough, admin can manually edit + // the CMS.cfg + // + for (int i = 0; i < MAX_ENTRY; i++) { + defParams.addElement(PROP_ENTRY + Integer.toString(i) + + "_" + PROP_NAME_TYPE + "="); + defParams.addElement(PROP_ENTRY + Integer.toString(i) + + "_" + PROP_NAME + "="); + defParams.addElement(PROP_ENTRY + Integer.toString(i) + + "_" + PROP_PORT_NUMBER + "="); + } + return defParams; + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/ExtendedKeyUsageExt.java b/base/common/src/com/netscape/cms/policy/extensions/ExtendedKeyUsageExt.java new file mode 100644 index 000000000..65ef6b937 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/ExtendedKeyUsageExt.java 
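Review bot: getScopeEntries parses the optional port with `Integer.parseInt(port)` without a guard, so a non-numeric `entryN_port_number` in the config throws NumberFormatException, which none of the catch clauses in apply (IOException, EBaseException, CertificateException) cover and which therefore escapes the policy instead of yielding a REJECTED result; wrap it as `try { portNumber = new BigInt(Integer.parseInt(port)); } catch (NumberFormatException e) { throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", PROP_ENTRY + i + "_" + PROP_PORT_NUMBER, "port number must be an integer")); }`. A range check against 0–65535 would be reasonable at the same spot, since the value is encoded into the certificate exactly as configured. Several comments and the apply Javadoc still describe the Authority Information Access policy this file was evidently derived from ("add access descriptions", "check to see if AIA is already exist", "we create MAX_AD access descriptions", "add the authority information access extension") and should be reworded for scope-of-use entries. getInstanceParams swallows every EBaseException with empty catch blocks, which hides a broken config store from the admin console rather than reporting it.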
@@ -0,0 +1,285 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.extensions.ExtendedKeyUsageExtension; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * This implements the extended key usage extension. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class ExtendedKeyUsageExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + public static final String PROP_CRITICAL = "critical"; + protected static final String PROP_PURPOSE_ID = "id"; + protected static final String PROP_NUM_IDS = "numIds"; + protected static int MAX_PURPOSE_ID = 10; + private boolean mCritical = false; + private IConfigStore mConfig = null; + private Vector mUsages = null; + + private String[] mParams = null; + + // PKIX specifies the that the extension SHOULD NOT be critical + public static final boolean DEFAULT_CRITICALITY = false; + + private ExtendedKeyUsageExtension mExtendedKeyUsage = null; + + /** + * Constructs extended Key Usage extension. + */ + public ExtendedKeyUsageExt() { + NAME = "ExtendedKeyUsageExt"; + DESC = "Sets ExtendedKeyUsage extension for certificates"; + } + + /** + * Performs one-time initialization of the policy. + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + setExtendedPluginInfo(); + setupParams(); + mExtendedKeyUsage = new ExtendedKeyUsageExtension(mCritical, mUsages); + } + + /** + * Applies the policy to the given request. 
+ */ + public PolicyResult apply(IRequest req) { + + // if the extension was not configured correctly, just skip it + if (mExtendedKeyUsage == null) { + return PolicyResult.ACCEPTED; + } + + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certRes = applyCert(req, ci[i]); + + if (certRes == PolicyResult.REJECTED) + return certRes; + } + return PolicyResult.ACCEPTED; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + try { + // find the extensions in the certInfo + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + + // prepare the extensions data structure + if (extensions == null) { + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } else { + try { + extensions.delete(ExtendedKeyUsageExtension.NAME); + } catch (IOException ex) { + // ExtendedKeyUsage extension is not already there + } + } + + extensions.set(ExtendedKeyUsageExtension.NAME, mExtendedKeyUsage); + + return PolicyResult.ACCEPTED; + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, + e.getMessage()); + return PolicyResult.REJECTED; + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", + e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, + e.getMessage()); + return PolicyResult.REJECTED; + } + } + + /** + * Returns instance specific parameters. 
+ */ + public Vector getInstanceParams() { + Vector params = new Vector(); + + params.addElement(PROP_CRITICAL + "=" + mCritical); + int numIds = MAX_PURPOSE_ID; + + try { + numIds = mConfig.getInteger(PROP_NUM_IDS, MAX_PURPOSE_ID); + } catch (EBaseException e) { + } + params.addElement(PROP_NUM_IDS + "=" + numIds); + String usage = null; + + for (int i = 0; i < numIds; i++) { + if (mUsages.size() <= i) { + params.addElement(PROP_PURPOSE_ID + + Integer.toString(i) + "="); + } else { + usage = ((ObjectIdentifier) mUsages.elementAt(i)).toString(); + if (usage == null) { + params.addElement(PROP_PURPOSE_ID + + Integer.toString(i) + "="); + } else { + params.addElement(PROP_PURPOSE_ID + + Integer.toString(i) + "=" + usage); + } + } + } + return params; + } + + private void setExtendedPluginInfo() { + Vector v = new Vector(); + int mNum = MAX_PURPOSE_ID; + + if (mConfig != null) { + try { + mConfig.getInteger(PROP_NUM_IDS, MAX_PURPOSE_ID); + } catch (EBaseException e) { + } + } + for (int i = 0; i < mNum; i++) { + v.addElement(PROP_PURPOSE_ID + + Integer.toString(i) + + ";string;" + + + "A unique,valid OID specified in dot-separated numeric component notation. e.g. 2.16.840.1.113730.1.99"); + } + + v.addElement(PROP_NUM_IDS + ";number;The total number of policy IDs."); + v.addElement(PROP_CRITICAL + + + ";boolean;RFC 2459 recommendation: This extension may, at the option of the certificate issuer, be either critical or non-critical."); + v.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-extendedkeyusage"); + v.addElement(IExtendedPluginInfo.HELP_TEXT + + ";Adds Extended Key Usage Extension. Defined in RFC 2459 " + + "(4.2.1.13)"); + + mParams = com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); + } + + public String[] getExtendedPluginInfo(Locale locale) { + if (mParams == null) { + setExtendedPluginInfo(); + } + return mParams; + } + + /** + * Returns default parameters. 
+ */ + public Vector getDefaultParams() { + Vector defParams = new Vector(); + + defParams.addElement(PROP_CRITICAL + "=false"); + defParams.addElement(PROP_NUM_IDS + "=" + MAX_PURPOSE_ID); + for (int i = 0; i < MAX_PURPOSE_ID; i++) { + defParams.addElement(PROP_PURPOSE_ID + Integer.toString(i) + "="); + } + return defParams; + } + + /** + * Setups parameters. + */ + private void setupParams() throws EBaseException { + + mCritical = mConfig.getBoolean(PROP_CRITICAL, false); + if (mUsages == null) { + mUsages = new Vector(); + } + + int mNum = mConfig.getInteger(PROP_NUM_IDS, MAX_PURPOSE_ID); + + for (int i = 0; i < mNum; i++) { + ObjectIdentifier usageOID = null; + + String usage = mConfig.getString(PROP_PURPOSE_ID + + Integer.toString(i), null); + + try { + + if (usage == null) + break; + usage = usage.trim(); + if (usage.equals("")) + break; + if (usage.equalsIgnoreCase("ocspsigning")) { + usageOID = ObjectIdentifier.getObjectIdentifier(ExtendedKeyUsageExtension.OID_OCSPSigning); + } else if (usage.equalsIgnoreCase("codesigning")) { + usageOID = ObjectIdentifier.getObjectIdentifier(ExtendedKeyUsageExtension.OID_CODESigning); + } else { + // it could be an object identifier, test it + usageOID = ObjectIdentifier.getObjectIdentifier(usage); + } + } catch (IOException ex) { + throw new EBaseException(this.getClass().getName() + ":" + + ex.getMessage()); + } catch (NumberFormatException ex) { + throw new EBaseException(this.getClass().getName() + ":" + + "OID '" + usage + "' format error"); + } + mUsages.addElement(usageOID); + } + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/GenericASN1Ext.java b/base/common/src/com/netscape/cms/policy/extensions/GenericASN1Ext.java new file mode 100644 index 000000000..0202ee784 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/GenericASN1Ext.java 
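Review bot: In setExtendedPluginInfo the return value of `mConfig.getInteger(PROP_NUM_IDS, MAX_PURPOSE_ID)` is discarded, so `mNum` always stays at MAX_PURPOSE_ID and the advertised `idN` parameters ignore the configured `numIds`; the statement should read `mNum = mConfig.getInteger(PROP_NUM_IDS, MAX_PURPOSE_ID);`. The surrounding `catch (EBaseException e) { }` then silently keeps the default, which is a reasonable fallback but deserves a one-line comment such as `// keep MAX_PURPOSE_ID when numIds is missing or malformed`. Separately, the `extensions == null` branch of applyCert sets `X509CertInfo.VERSION` to V3 twice; one of the two `certInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));` calls can be removed.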
@@ -0,0 +1,509 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.security.cert.CertificateException; +import java.text.ParseException; +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.extensions.GenericASN1Extension; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.OIDMap; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Private Integer extension policy. 
+ * If this policy is enabled, it adds an Private Integer + * extension to the certificate. + * + * The following listed sample configuration parameters: + * + * ca.Policy.impl.privateInteger.class=com.netscape.certsrv.policy.genericASNExt + * ca.Policy.rule.genericASNExt.enable=true + * ca.Policy.rule.genericASNExt.name=myIntegerExtension + * ca.Policy.rule.genericASNExt.pattern={{{12}34}5} + * ca.Policy.rule.genericASNExt.oid=280.230.123.1234.1 + * ca.Policy.rule.genericASNExt.critical=false + * ca.Policy.rule.genericASNExt.attribute1.type=integer + * ca.Policy.rule.genericASNExt.attribute1.source=value + * ca.Policy.rule.genericASNExt.attribute1.value=9999 + * ca.Policy.rule.genericASNExt.attribute2.type=ia5string + * ca.Policy.rule.genericASNExt.attribute2.source=value + * ca.Policy.rule.genericASNExt.attribute2.value=hello + * ca.Policy.rule.genericASNExt.attribute3.type=octetstring + * ca.Policy.rule.genericASNExt.attribute3.source=value + * ca.Policy.rule.genericASNExt.attribute3.value=hellohello + * ca.Policy.rule.genericASNExt.attribute4.type=octetstring + * ca.Policy.rule.genericASNExt.attribute4.source=file + * ca.Policy.rule.genericASNExt.attribute4.value=c:/tmp/test.txt + * ca.Policy.rule.genericASNExt.attribute5.type= + * ca.Policy.rule.genericASNExt.attribute5.source= + * ca.Policy.rule.genericASNExt.attribute5.value= + * ca.Policy.rule.genericASNExt.implName=genericASNExt + * ca.Policy.rule.genericASNExt.predicate= + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class GenericASN1Ext extends APolicyRule implements + IEnrollmentPolicy, IExtendedPluginInfo { + protected static final int MAX_ATTR = 10; + + protected static final String PROP_CRITICAL = + "critical"; + protected static final String PROP_NAME = + "name"; + protected static final String PROP_OID = + "oid"; + protected static final String PROP_PATTERN = + "pattern"; + protected static final String PROP_ATTRIBUTE = + "attribute"; + protected static final String PROP_TYPE = + "type"; + protected static final String PROP_SOURCE = + "source"; + protected static final String PROP_VALUE = + "value"; + protected static final String PROP_PREDICATE = + "predicate"; + + protected static final String PROP_ENABLE = + "enable"; + + public IConfigStore mConfig = null; + + private String pattern = null; + + public String[] getExtendedPluginInfo(Locale locale) { + String s[] = { + "enable" + ";boolean;Enable this policy", + "predicate" + ";string;", + PROP_CRITICAL + ";boolean;", + PROP_NAME + ";string;Name for this extension.", + PROP_OID + ";string;OID number for this extension. It should be unique.", + PROP_PATTERN + ";string;Pattern for extension; {012}34", + // Attribute 0 + PROP_ATTRIBUTE + "." + "0" + "." + PROP_TYPE + + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "0" + "." + PROP_SOURCE + + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "0" + "." + PROP_VALUE + + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + // Attribute 1 + PROP_ATTRIBUTE + "." + "1" + "." + PROP_TYPE + + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "1" + "." 
+ PROP_SOURCE + + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "1" + "." + PROP_VALUE + + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + // Attribute 2 + PROP_ATTRIBUTE + "." + "2" + "." + PROP_TYPE + + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "2" + "." + PROP_SOURCE + + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "2" + "." + PROP_VALUE + + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + // Attribute 3 + PROP_ATTRIBUTE + "." + "3" + "." + PROP_TYPE + + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "3" + "." + PROP_SOURCE + + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "3" + "." + PROP_VALUE + + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + // Attribute 4 + PROP_ATTRIBUTE + "." + "4" + "." + PROP_TYPE + + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "4" + "." + PROP_SOURCE + + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "4" + "." + PROP_VALUE + + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + // Attribute 5 + PROP_ATTRIBUTE + "." + "5" + "." 
+ PROP_TYPE + + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "5" + "." + PROP_SOURCE + + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "5" + "." + PROP_VALUE + + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + // Attribute 6 + PROP_ATTRIBUTE + "." + "6" + "." + PROP_TYPE + + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "6" + "." + PROP_SOURCE + + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "6" + "." + PROP_VALUE + + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + // Attribute 7 + PROP_ATTRIBUTE + "." + "7" + "." + PROP_TYPE + + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "7" + "." + PROP_SOURCE + + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "7" + "." + PROP_VALUE + + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + // Attribute 8 + PROP_ATTRIBUTE + "." + "8" + "." + PROP_TYPE + + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "8" + "." + PROP_SOURCE + + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "8" + "." + PROP_VALUE + + ";string;If data source is 'value', specity value here. 
If data source is 'file', specify the file name with full path.", + // Attribute 9 + PROP_ATTRIBUTE + "." + "9" + "." + PROP_TYPE + + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "9" + "." + PROP_SOURCE + + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "9" + "." + PROP_VALUE + + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-genericasn1ext", + IExtendedPluginInfo.HELP_TEXT + + ";Adds Private extension based on ASN1. See manual" + }; + + return s; + } + + public GenericASN1Ext() { + NAME = "GenericASN1Ext"; + DESC = "Sets Generic extension for certificates"; + } + + /** + * Initializes this policy rule. + *

+ * + * The entries may be of the form: + * + * ca.Policy.rule..implName=genericASNExt ca.Policy.rule..enable=true + * ca.Policy.rule..predicate= + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + if (mConfig == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_INIT_ERROR")); + return; + } + + boolean enable = mConfig.getBoolean(PROP_ENABLE, false); + + if (enable == false) + return; + + String oid = mConfig.getString(PROP_OID, null); + + if ((oid == null) || (oid.length() == 0)) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_INIT_ERROR")); + return; + } + + String name = mConfig.getString(PROP_NAME, null); + + if ((name == null) || (name.length() == 0)) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_INIT_ERROR")); + return; + } + + try { + if (File.separatorChar == '\\') { + pattern = mConfig.getString(PROP_PATTERN, null); + checkFilename(0); + } + } catch (IOException e) { + log(ILogger.LL_FAILURE, "" + e.toString()); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, "" + e.toString()); + } + + // Check OID value + CMS.checkOID(name, oid); + pattern = mConfig.getString(PROP_PATTERN, null); + checkOID(0); + + try { + ObjectIdentifier tmpid = new ObjectIdentifier(oid); + + if (OIDMap.getName(tmpid) == null) + OIDMap.addAttribute("netscape.security.extensions.GenericASN1Extension", oid, name); + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, "" + e.toString()); + } + + } + + // Check filename + private int checkFilename(int index) + throws IOException, EBaseException { + String source = null; + + while (index < pattern.length()) { + char ch = pattern.charAt(index); + + switch (ch) { + case '{': + index++; + index = checkFilename(index); + break; + + case '}': + return index; + + default: + source = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." 
+ PROP_SOURCE, null); + if ((source != null) && (source.equalsIgnoreCase("file"))) { + String oValue = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." + PROP_VALUE, null); + String nValue = oValue.replace('\\', '/'); + + mConfig.putString(PROP_ATTRIBUTE + "." + ch + "." + PROP_VALUE, nValue); + FileInputStream fis = new FileInputStream(nValue); + fis.close(); + } + } + index++; + } + + return index; + } + + // Check oid + private int checkOID(int index) + throws EBaseException { + String type = null; + String oid = null; + + while (index < pattern.length()) { + char ch = pattern.charAt(index); + + switch (ch) { + case '{': + index++; + index = checkOID(index); + break; + + case '}': + return index; + + default: + type = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." + PROP_TYPE, null); + if ((type != null) && (type.equalsIgnoreCase("OID"))) { + oid = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." + PROP_VALUE, null); + CMS.checkOID(oid, oid); + } + } + index++; + } + + return index; + } + + /** + * If this policy is enabled, add the private Integer + * information extension to the certificate. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + PolicyResult res = PolicyResult.ACCEPTED; + X509CertInfo certInfo; + X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; // unrecoverable error. + } + + for (int j = 0; j < ci.length; j++) { + + certInfo = ci[j]; + if (certInfo == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", "")); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, + "Configuration Info Error"); + return PolicyResult.REJECTED; // unrecoverable error. + } + + try { + // Find the extensions in the certInfo + CertificateExtensions extensions = (CertificateExtensions) certInfo.get(X509CertInfo.EXTENSIONS); + + if (extensions == null) { + // create extension if not exist + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } else { + // + // Remove any previousely computed extension + // + try { + extensions.delete(mConfig.getString(PROP_NAME, "")); + } catch (Exception e) {/* extension isn't there */ + } + } + + // Create the extension + GenericASN1Extension priExt = mkExtension(); + + extensions.set(priExt.getName(), priExt); + + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); + return PolicyResult.REJECTED; // unrecoverable error. 
+ } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Configuration Info Error"); + return PolicyResult.REJECTED; // unrecoverable error. + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); + return PolicyResult.REJECTED; // unrecoverable error. + } catch (ParseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_EXTENSION_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Pattern parsing error"); + return PolicyResult.REJECTED; // unrecoverable error. + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_UNKNOWN_EXCEPTION", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Unknown Error"); + return PolicyResult.REJECTED; // unrecoverable error. + } + } + return res; + } + + /** + * Construct GenericASN1Extension with value from CMS.cfg + */ + protected GenericASN1Extension mkExtension() + throws IOException, EBaseException, ParseException { + GenericASN1Extension ext; + + Hashtable h = new Hashtable(); + // This only show one level, not substores! + Enumeration e = mConfig.getPropertyNames(); + + while (e.hasMoreElements()) { + String n = (String) e.nextElement(); + + h.put(n, mConfig.getString(n)); + } + for (int idx = 0; idx < MAX_ATTR; idx++) { + String proptype = PROP_ATTRIBUTE + "." + idx + "." + PROP_TYPE; + String propsource = PROP_ATTRIBUTE + "." + idx + "." + PROP_SOURCE; + String propvalue = PROP_ATTRIBUTE + "." + idx + "." 
+ PROP_VALUE; + + h.put(proptype, mConfig.getString(proptype, null)); + h.put(propsource, mConfig.getString(propsource, null)); + h.put(propvalue, mConfig.getString(propvalue, null)); + } + ext = new GenericASN1Extension(h); + return ext; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + int idx = 0; + Vector params = new Vector(); + + try { + params.addElement(PROP_CRITICAL + "=" + mConfig.getBoolean(PROP_CRITICAL, false)); + params.addElement(PROP_NAME + "=" + mConfig.getString(PROP_NAME, null)); + params.addElement(PROP_OID + "=" + mConfig.getString(PROP_OID, null)); + params.addElement(PROP_PATTERN + "=" + mConfig.getString(PROP_PATTERN, null)); + + for (idx = 0; idx < MAX_ATTR; idx++) { + String proptype = PROP_ATTRIBUTE + "." + idx + "." + PROP_TYPE; + String propsource = PROP_ATTRIBUTE + "." + idx + "." + PROP_SOURCE; + String propvalue = PROP_ATTRIBUTE + "." + idx + "." + PROP_VALUE; + + params.addElement(proptype + "=" + mConfig.getString(proptype, null)); + params.addElement(propsource + "=" + mConfig.getString(propsource, null)); + params.addElement(propvalue + "=" + mConfig.getString(propvalue, null)); + } + params.addElement(PROP_PREDICATE + "=" + mConfig.getString(PROP_PREDICATE, null)); + } catch (EBaseException e) { + ; + } + + return params; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + int idx = 0; + + Vector defParams = new Vector(); + + defParams.addElement(PROP_CRITICAL + "=false"); + defParams.addElement(PROP_NAME + "="); + defParams.addElement(PROP_OID + "="); + defParams.addElement(PROP_PATTERN + "="); + + for (idx = 0; idx < MAX_ATTR; idx++) { + defParams.addElement(PROP_ATTRIBUTE + "." + idx + "." + PROP_TYPE + "="); + defParams.addElement(PROP_ATTRIBUTE + "." + idx + "." 
+ PROP_SOURCE + "="); + defParams.addElement(PROP_ATTRIBUTE + "." + idx + "." + PROP_VALUE + "="); + } + + return defParams; + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/IssuerAltNameExt.java b/base/common/src/com/netscape/cms/policy/extensions/IssuerAltNameExt.java new file mode 100644 index 000000000..bb9abd9cf --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/IssuerAltNameExt.java 
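Review bot: In mkExtension, `h.put(proptype, mConfig.getString(proptype, null))` and the two puts after it store a null value whenever an `attribute.N.type`, `.source` or `.value` key is absent, and `java.util.Hashtable` rejects null values with a NullPointerException; that exception escapes into the final `catch (Exception e)` of apply and rejects the request with "Unknown Error". Rules created through the console get all MAX_ATTR keys from getDefaultParams, but a hand-written configuration like the sample in the class Javadoc (attributes 1 to 5 only) would hit this on every request. Read each value first and store it only when present, e.g. `String t = mConfig.getString(proptype, null); if (t != null) h.put(proptype, t);` for each of the three keys, or substitute `""` if GenericASN1Extension expects the key to exist (its constructor is not visible here). checkFilename has the same shape: `oValue.replace('\\', '/')` dereferences the `attribute.N.value` lookup without a null check, so a `source=file` entry with no value fails with a NullPointerException instead of the intended IOException/EBaseException log line in init.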
@@ -0,0 +1,249 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.IssuerAlternativeNameExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.policy.IGeneralNamesConfig; +import com.netscape.certsrv.policy.IPolicyProcessor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Issuer Alt Name Extension policy. + * + * This extension is used to associate Internet-style identities + * with the Certificate issuer. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class IssuerAltNameExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + public static final String PROP_CRITICAL = "critical"; + + // PKIX specifies the that the extension SHOULD NOT be critical + public static final boolean DEFAULT_CRITICALITY = false; + + private static Vector defaultParams = new Vector(); + private static String[] mInfo = null; + + static { + defaultParams.addElement(PROP_CRITICAL + "=" + DEFAULT_CRITICALITY); + CMS.getGeneralNamesConfigDefaultParams(null, true, defaultParams); + + Vector info = new Vector(); + + info.addElement(PROP_CRITICAL + ";boolean;RFC 2459 recommendation: SHOULD NOT be marked critical."); + info.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-issueraltname"); + info.addElement(IExtendedPluginInfo.HELP_TEXT + + ";This policy inserts the Issuer Alternative Name " + + "Extension into the certificate. See RFC 2459 (4.2.1.8). "); + + CMS.getGeneralNamesConfigExtendedPluginInfo(null, true, info); + + mInfo = new String[info.size()]; + info.copyInto(mInfo); + } + + private Vector mParams = new Vector(); + private IConfigStore mConfig = null; + private boolean mCritical = DEFAULT_CRITICALITY; + private boolean mEnabled = false; + IGeneralNamesConfig mGNs = null; + IssuerAlternativeNameExtension mExtension = null; + + /** + * Adds the issuer alternate name extension to all certs. + */ + public IssuerAltNameExt() { + NAME = "IssuerAltNameExt"; + DESC = "Associate Internet-style Identities with Issuer"; + } + + /** + * Initializes this policy rule. + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + + // get criticality + mCritical = mConfig.getBoolean(PROP_CRITICAL, DEFAULT_CRITICALITY); + + // get enabled. + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); + + // form general names. 
+ mGNs = CMS.createGeneralNamesConfig(null, config, true, mEnabled); + + // form extension + try { + if (mEnabled && + mGNs.getGeneralNames() != null && !mGNs.getGeneralNames().isEmpty()) { + mExtension = + new IssuerAlternativeNameExtension( + Boolean.valueOf(mCritical), mGNs.getGeneralNames()); + } + } catch (Exception e) { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())); + } + + // init instance params + mParams.addElement(PROP_CRITICAL + "=" + mCritical); + mGNs.getInstanceParams(mParams); + + return; + } + + /** + * Adds a extension if none exists. + * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + PolicyResult res = PolicyResult.ACCEPTED; + + if (mEnabled == false || mExtension == null) + return res; + + // get cert info. + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; // unrecoverable error. + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certRes = applyCert(req, ci[i]); + + if (certRes == PolicyResult.REJECTED) + return certRes; + } + return PolicyResult.ACCEPTED; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + + // get extension from cert info if any. + CertificateExtensions extensions = null; + + try { + // get extension if any. + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + } catch (IOException e) { + // no extensions. + } catch (CertificateException e) { + // no extension. 
+ } + + if (extensions == null) { + extensions = new CertificateExtensions(); + try { + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } catch (CertificateException e) { + // not possible + } catch (Exception e) { + } + } else { + + // remove any previously computed version of the extension + try { + extensions.delete(IssuerAlternativeNameExtension.NAME); + + } catch (IOException e) { + // this is the hack + // If name is not found, try deleting using the OID + + try { + extensions.delete("2.5.29.18"); + } catch (IOException ee) { + } + } + } + + try { + extensions.set(IssuerAlternativeNameExtension.NAME, mExtension); + } catch (Exception e) { + if (e instanceof RuntimeException) + throw (RuntimeException) e; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CRL_CREATE_ISSUER_ALT_NAME_EXT", e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR"), NAME); + return PolicyResult.REJECTED; + } + return PolicyResult.ACCEPTED; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return Empty Vector since this policy has no configuration parameters. + * for this policy instance. + */ + public Vector getInstanceParams() { + return mParams; + } + + /** + * Return default parameters for a policy implementation. + * + * @return Empty Vector since this policy implementation has no + * configuration parameters. + */ + public Vector getDefaultParams() { + return defaultParams; + } + + public String[] getExtendedPluginInfo(Locale locale) { + return mInfo; + } + +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java b/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java new file mode 100644 index 000000000..6594cc4a2 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java 
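Review bot: The failure branch at the end of applyCert reports `CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR")` to the requester, which names the wrong extension (subject key identifier) for a failure while setting the issuer alternative name; the other policies in this commit use `setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, e.toString());` for the same situation and this one should too. The Javadoc on getInstanceParams and getDefaultParams is also wrong: both claim an empty Vector with no configuration parameters, while init fills `mParams` with `critical=` and the general-names instance params and the static block does the same for `defaultParams`, so the `@return` lines should say "A Vector of name/value pairs" as the sibling policy files do. The `catch (Exception e) { }` after `certInfo.set(X509CertInfo.EXTENSIONS, extensions)` swallows any failure to attach the new extensions container, after which the later `extensions.set(...)` may succeed on an object the certificate does not reference; it should at least log at `ILogger.LL_FAILURE` like the other catch blocks in this method.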
@@ -0,0 +1,362 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateChain; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.KeyUsageExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authority.ICertAuthority; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.policy.IPolicyProcessor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Policy to add Key Usage Extension. 
+ * Adds the key usage extension based on what's requested. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class KeyUsageExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + + private final static String HTTP_INPUT = "HTTP_INPUT"; + protected static final boolean[] DEF_BITS = + new boolean[KeyUsageExtension.NBITS]; + protected int mCAPathLen = -1; + protected IConfigStore mConfig = null; + protected static final String PROP_CRITICAL = "critical"; + protected static final String PROP_DIGITAL_SIGNATURE = "digitalSignature"; + protected static final String PROP_NON_REPUDIATION = "nonRepudiation"; + protected static final String PROP_KEY_ENCIPHERMENT = "keyEncipherment"; + protected static final String PROP_DATA_ENCIPHERMENT = "dataEncipherment"; + protected static final String PROP_KEY_AGREEMENT = "keyAgreement"; + protected static final String PROP_KEY_CERTSIGN = "keyCertsign"; + protected static final String PROP_CRL_SIGN = "crlSign"; + protected static final String PROP_ENCIPHER_ONLY = "encipherOnly"; + protected static final String PROP_DECIPHER_ONLY = "decipherOnly"; + + protected boolean mCritical; + protected String mDigitalSignature; + protected String mNonRepudiation; + protected String mKeyEncipherment; + protected String mDataEncipherment; + protected String mKeyAgreement; + protected String mKeyCertsign; + protected String mCrlSign; + protected String mEncipherOnly; + protected String mDecipherOnly; + + protected KeyUsageExtension mKeyUsage; + + public KeyUsageExt() { + NAME = "KeyUsageExtPolicy"; + DESC = "Sets Key Usage Extension in certificates."; + } + + /** + * Initializes this policy rule. + *

+ * + * The entries may be of the form: + * + * ca.Policy.rule..implName=KeyUsageExt ca.Policy.rule..enable=true ca.Policy.rule.. + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + + ICertAuthority certAuthority = (ICertAuthority) + ((IPolicyProcessor) owner).getAuthority(); + + if (certAuthority == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Cannot find the Certificate Manager or Registration Manager")); + } + + if (certAuthority instanceof ICertificateAuthority) { + CertificateChain caChain = certAuthority.getCACertChain(); + X509Certificate caCert = null; + + // Note that in RA the chain could be null if CA was not up when + // RA was started. In that case just set the length to -1 and let + // CA reject if it does not allow any subordinate CA certs. + if (caChain != null) { + caCert = caChain.getFirstCertificate(); + mCAPathLen = caCert.getBasicConstraints(); + } + } + + mCritical = mConfig.getBoolean(PROP_CRITICAL, true); + mDigitalSignature = mConfig.getString(PROP_DIGITAL_SIGNATURE, HTTP_INPUT); + mNonRepudiation = mConfig.getString(PROP_NON_REPUDIATION, HTTP_INPUT); + mKeyEncipherment = mConfig.getString(PROP_KEY_ENCIPHERMENT, HTTP_INPUT); + mDataEncipherment = mConfig.getString(PROP_DATA_ENCIPHERMENT, HTTP_INPUT); + mKeyAgreement = mConfig.getString(PROP_KEY_AGREEMENT, HTTP_INPUT); + mKeyCertsign = mConfig.getString(PROP_KEY_CERTSIGN, HTTP_INPUT); + mCrlSign = mConfig.getString(PROP_CRL_SIGN, HTTP_INPUT); + mEncipherOnly = mConfig.getString(PROP_ENCIPHER_ONLY, HTTP_INPUT); + mDecipherOnly = mConfig.getString(PROP_DECIPHER_ONLY, HTTP_INPUT); + } + + /** + * Adds the key usage extension if not set already. + * (CRMF, agent, authentication (currently) or PKCS#10 (future) + * or RA could have set the extension.) 
+ * If not set, set from http input parameters or use default if + * no http input parameters are set. + * + * Note: this allows any bits requested - does not check if user + * authenticated is allowed to have a Key Usage Extension with + * those bits. Unless the CA's certificate path length is 0, then + * we do not allow CA sign or CRL sign bits in any request. + * + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; // unrecoverable error. + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certRes = applyCert(req, ci[i]); + + if (certRes == PolicyResult.REJECTED) + return certRes; + } + return PolicyResult.ACCEPTED; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + try { + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + KeyUsageExtension ext = null; + + if (extensions != null) { + try { + ext = (KeyUsageExtension) + extensions.get(KeyUsageExtension.NAME); + } catch (IOException e) { + // extension isn't there. + ext = null; + } + // check if CA does not allow subordinate CA certs. + // otherwise accept existing key usage extension. + if (ext != null) { + if (mCAPathLen == 0) { + boolean[] bits = ext.getBits(); + + if ((bits.length > KeyUsageExtension.KEY_CERTSIGN_BIT && + bits[KeyUsageExtension.KEY_CERTSIGN_BIT] == true) || + (bits.length > KeyUsageExtension.CRL_SIGN_BIT && + bits[KeyUsageExtension.CRL_SIGN_BIT] == true)) { + setError(req, + CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), + NAME); + return PolicyResult.REJECTED; + } + } + return PolicyResult.ACCEPTED; + } + } else { + // create extensions set if none. 
+ if (extensions == null) { + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } + } + + boolean[] bits = new boolean[KeyUsageExtension.NBITS]; + + bits[KeyUsageExtension.DIGITAL_SIGNATURE_BIT] = getBit("digital_signature", + mDigitalSignature, req); + bits[KeyUsageExtension.NON_REPUDIATION_BIT] = getBit("non_repudiation", + mNonRepudiation, req); + bits[KeyUsageExtension.KEY_ENCIPHERMENT_BIT] = getBit("key_encipherment", + mKeyEncipherment, req); + bits[KeyUsageExtension.DATA_ENCIPHERMENT_BIT] = getBit("data_encipherment", + mDataEncipherment, req); + bits[KeyUsageExtension.KEY_AGREEMENT_BIT] = getBit("key_agreement", + mKeyAgreement, req); + bits[KeyUsageExtension.KEY_CERTSIGN_BIT] = getBit("key_certsign", + mKeyCertsign, req); + bits[KeyUsageExtension.CRL_SIGN_BIT] = getBit("crl_sign", mCrlSign, req); + bits[KeyUsageExtension.ENCIPHER_ONLY_BIT] = getBit("encipher_only", + mEncipherOnly, req); + bits[KeyUsageExtension.DECIPHER_ONLY_BIT] = getBit("decipher_only", + mDecipherOnly, req); + + // don't allow no bits set or the extension does not + // encode/decode properlly. + boolean bitset = false; + + for (int i = 0; i < bits.length; i++) { + if (bits[i]) { + bitset = true; + break; + } + } + if (!bitset) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET", NAME)); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET"), + NAME); + return PolicyResult.REJECTED; + } + + // create the extension. 
+ try { + mKeyUsage = new KeyUsageExtension(mCritical, bits); + } catch (IOException e) { + } + extensions.set(KeyUsageExtension.NAME, mKeyUsage); + return PolicyResult.ACCEPTED; + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); + return PolicyResult.REJECTED; // unrecoverable error. + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); + return PolicyResult.REJECTED; // unrecoverable error. + } + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + Vector params = new Vector(); + + params.addElement(PROP_CRITICAL + "=" + mCritical); + params.addElement(PROP_DIGITAL_SIGNATURE + "=" + mDigitalSignature); + params.addElement(PROP_NON_REPUDIATION + "=" + mNonRepudiation); + params.addElement(PROP_KEY_ENCIPHERMENT + "=" + mKeyEncipherment); + params.addElement(PROP_DATA_ENCIPHERMENT + "=" + mDataEncipherment); + params.addElement(PROP_KEY_AGREEMENT + "=" + mKeyAgreement); + params.addElement(PROP_KEY_CERTSIGN + "=" + mKeyCertsign); + params.addElement(PROP_CRL_SIGN + "=" + mCrlSign); + params.addElement(PROP_ENCIPHER_ONLY + "=" + mEncipherOnly); + params.addElement(PROP_DECIPHER_ONLY + "=" + mDecipherOnly); + return params; + } + + private static Vector mDefParams = new Vector(); + static { + mDefParams.addElement(PROP_CRITICAL + "=true"); + mDefParams.addElement(PROP_DIGITAL_SIGNATURE + "="); + mDefParams.addElement(PROP_NON_REPUDIATION + "="); + mDefParams.addElement(PROP_KEY_ENCIPHERMENT + "="); + mDefParams.addElement(PROP_DATA_ENCIPHERMENT + "="); + mDefParams.addElement(PROP_KEY_AGREEMENT + "="); + 
mDefParams.addElement(PROP_KEY_CERTSIGN + "="); + mDefParams.addElement(PROP_CRL_SIGN + "="); + mDefParams.addElement(PROP_ENCIPHER_ONLY + "="); + mDefParams.addElement(PROP_DECIPHER_ONLY + "="); + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_CRITICAL + ";boolean;RFC 2459 recommendation: SHOULD be critical", + PROP_DIGITAL_SIGNATURE + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_NON_REPUDIATION + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_KEY_ENCIPHERMENT + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_DATA_ENCIPHERMENT + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_KEY_AGREEMENT + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_KEY_CERTSIGN + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_CRL_SIGN + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_ENCIPHER_ONLY + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_DECIPHER_ONLY + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-keyusage", + 
IExtendedPluginInfo.HELP_TEXT + + ";Adds Key Usage Extension; See in RFC 2459 (4.2.1.3)" + + }; + + return params; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return mDefParams; + } + + private boolean getBit(String usage, String choice, IRequest req) { + if (choice.equals(HTTP_INPUT)) { + choice = req.getExtDataInString(IRequest.HTTP_PARAMS, usage); + if (choice == null) + choice = "false"; + } + return Boolean.valueOf(choice).booleanValue(); + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/NSCCommentExt.java b/base/common/src/com/netscape/cms/policy/extensions/NSCCommentExt.java new file mode 100644 index 000000000..ecc084d29 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/NSCCommentExt.java 
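Review bot: The CA path-length guard in applyCert runs only when a KeyUsage extension is already present in the cert info; when the bits are assembled from `mKeyCertsign`/`mCrlSign` left at HTTP_INPUT, a request carrying `key_certsign=true` or `crl_sign=true` reaches `extensions.set(...)` without any `mCAPathLen == 0` check, contradicting the method's own Javadoc ("we do not allow CA sign or CRL sign bits in any request"). The same check should be applied to the freshly built `bits` array before the extension is created. Separately, `mKeyUsage` is an instance field of a rule object shared across requests, and the empty `catch (IOException e) {}` around its construction means a failure would silently install the previous request's extension into this certificate; a local variable whose construction failure falls through to the existing outer IOException handler closes both problems. `init` also calls `caCert.getBasicConstraints()` without the null check on `caChain.getFirstCertificate()` that the sibling NSCertTypeExt performs.
```java
            // … unchanged: bits[] assembled from config / HTTP input, no-bits-set check …

            // apply the path-length rule to requested bits too, not only to a pre-existing extension
            if (mCAPathLen == 0 &&
                    (bits[KeyUsageExtension.KEY_CERTSIGN_BIT] || bits[KeyUsageExtension.CRL_SIGN_BIT])) {
                setError(req,
                        CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), NAME);
                return PolicyResult.REJECTED;
            }

            // create the extension; an IOException here is handled by the outer catch below
            KeyUsageExtension keyUsage = new KeyUsageExtension(mCritical, bits);
            extensions.set(KeyUsageExtension.NAME, keyUsage);
            return PolicyResult.ACCEPTED;
        // … unchanged: outer IOException / CertificateException handlers …
```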
@@ -0,0 +1,293 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.BufferedReader; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.FileReader; +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.NSCCommentExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.EPolicyException; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Netscape comment + * Adds Netscape comment policy + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class NSCCommentExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + + protected static final String PROP_USER_NOTICE_DISPLAY_TEXT = "displayText"; + protected static final String PROP_COMMENT_FILE = "commentFile"; + protected static final String PROP_CRITICAL = "critical"; + protected static final String PROP_INPUT_TYPE = "inputType"; + protected static final String TEXT = "Text"; + protected static final String FILE = "File"; + + protected String mUserNoticeDisplayText; + protected String mCommentFile; + protected String mInputType; + protected boolean mCritical; + private Vector mParams = new Vector(); + + protected String tempCommentFile; + protected boolean certApplied = false; + + /** + * Adds the Netscape comment in the end-entity certificates or + * CA certificates. The policy is set to be non-critical with the + * provided OID. + */ + public NSCCommentExt() { + NAME = "NSCCommentExt"; + DESC = "Sets non-critical Netscape Comment extension in certs"; + } + + /** + * Initializes this policy rule. + *

+ * The entries may be of the form: + * + * ca.Policy.rule..implName=NSCCommentExtImpl ca.Policy.rule..displayText= + * ca.Policy.rule..commentFile= ca.Policy.rule..enable=false + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + + FileInputStream fileStream = null; + + try { + mCritical = config.getBoolean(PROP_CRITICAL, false); + mParams.addElement(PROP_CRITICAL + "=" + mCritical); + + mInputType = config.getString(PROP_INPUT_TYPE, null); + mParams.addElement(PROP_INPUT_TYPE + "=" + mInputType); + + mUserNoticeDisplayText = config.getString(PROP_USER_NOTICE_DISPLAY_TEXT, ""); + mParams.addElement(PROP_USER_NOTICE_DISPLAY_TEXT + "=" + mUserNoticeDisplayText); + + tempCommentFile = config.getString(PROP_COMMENT_FILE, ""); + + boolean enable = config.getBoolean(PROP_ENABLE, false); + + if ((enable == true)) { + + if (mInputType.equals("File")) { + if (tempCommentFile.equals("")) + throw new Exception("No file name provided"); + + fileStream = new FileInputStream(tempCommentFile); + fileStream.close(); + } + } + + if (tempCommentFile.equals("")) + mCommentFile = ""; + else + mCommentFile = tempCommentFile.replace('\\', '/'); + + config.putString(PROP_COMMENT_FILE, mCommentFile); + + mParams.addElement(PROP_COMMENT_FILE + "=" + mCommentFile); + } catch (FileNotFoundException e) { + Object[] params = { getInstanceName(), "File not found : " + tempCommentFile }; + + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG"), params); + } catch (Exception e) { + Object[] params = { getInstanceName(), e.getMessage() }; + + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG"), params); + } + } + + /** + * Applies the policy on the given Request. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + PolicyResult res = PolicyResult.ACCEPTED; + + // get cert info. + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; // unrecoverable error. + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult r = applyCert(req, ci[i]); + + if (r == PolicyResult.REJECTED) + return r; + } + return res; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + + certApplied = false; + CertificateExtensions extensions = null; + + try { + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + } catch (IOException e) { + } catch (CertificateException e) { + } + + if (extensions == null) { + extensions = new CertificateExtensions(); + try { + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } catch (Exception e) { + } + } else { + // remove any previously computed version of the extension + try { + extensions.delete(NSCCommentExtension.NAME); + + } catch (IOException e) { + // this is the hack: for some reason, the key which is the name + // of the policy has been converted into the OID + try { + extensions.delete("2.16.840.1.113730.1.13"); + } catch (IOException ee) { + } + } + } + if (mInputType.equals("File")) { + // if ((mUserNoticeDisplayText.equals("")) && !(mCommentFile.equals(""))) { + try { + // Read the comments file + BufferedReader fis = new BufferedReader(new FileReader(mCommentFile)); + + String line = null; + StringBuffer buffer = new StringBuffer(); + + while ((line = fis.readLine()) != null) + buffer.append(line); + mUserNoticeDisplayText = new String(buffer); + fis.close(); + } catch (IOException e) { + setError(req, 
CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, " Comment Text file not found : " + mCommentFile); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_COMMENT_FILE_NOT_FOUND", e.toString())); + return PolicyResult.REJECTED; + + } + + } + + certApplied = true; + + try { + NSCCommentExtension cpExt = + new NSCCommentExtension(mCritical, mUserNoticeDisplayText); + + extensions.set(NSCCommentExtension.NAME, cpExt); + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", NAME)); + setError(req, + CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); + return PolicyResult.REJECTED; + } + return PolicyResult.ACCEPTED; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_CRITICAL + ";boolean;Netscape recommendation: non-critical.", + PROP_INPUT_TYPE + ";choice(Text,File);Whether the comments " + + "would be entered in the displayText field or come from " + + "a file.", + PROP_USER_NOTICE_DISPLAY_TEXT + ";string;The comment that may be " + + "displayed to the user when the certificate is viewed.", + PROP_COMMENT_FILE + ";string; If data source is 'File', specify " + + "the file name with full path.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-nsccomment", + IExtendedPluginInfo.HELP_TEXT + + ";Adds 'netscape comment' extension. See manual" + }; + + return params; + + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + return mParams; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. 
+ */ + public Vector getDefaultParams() { + Vector defParams = new Vector(); + + defParams.addElement(PROP_CRITICAL + "=false"); + defParams.addElement(PROP_INPUT_TYPE + "=" + TEXT); + defParams.addElement(PROP_USER_NOTICE_DISPLAY_TEXT + "="); + defParams.addElement(PROP_COMMENT_FILE + "="); + return defParams; + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java b/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java new file mode 100644 index 000000000..2fb09b2b7 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java 
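Review bot: The `BufferedReader` opened in applyCert's File branch is closed only on the success path; if `readLine` throws, the reader leaks, and the file is re-opened on every request although its existence is already checked in init. Closing it in a `finally` fixes the leak; note also that `FileReader` decodes with the platform charset, so a comment file written as UTF-8 may be mis-decoded on some hosts. In init, `mInputType = config.getString(PROP_INPUT_TYPE, null)` leaves the field null when the key is absent, and both `mInputType.equals("File")` call sites then throw NullPointerException — the one in init is caught only by the catch-all and reported with a null message. Using `config.getString(PROP_INPUT_TYPE, TEXT)` matches getDefaultParams, and the comparisons should use the `FILE` constant rather than the literal.
```java
        if (mInputType.equals(FILE)) {
            BufferedReader fis = null;
            try {
                // Read the comments file
                fis = new BufferedReader(new FileReader(mCommentFile));
                String line = null;
                StringBuffer buffer = new StringBuffer();
                while ((line = fis.readLine()) != null)
                    buffer.append(line);
                mUserNoticeDisplayText = new String(buffer);
            } catch (IOException e) {
                // … unchanged: setError / log / return REJECTED …
            } finally {
                if (fis != null) {
                    try {
                        fis.close();
                    } catch (IOException ignored) {
                        // best effort; the content has already been read or the error reported
                    }
                }
            }
        }
```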
@@ -0,0 +1,535 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.extensions.NSCertTypeExtension; +import netscape.security.x509.CertificateChain; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.KeyUsageExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authority.ICertAuthority; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.policy.IPolicyProcessor; +import com.netscape.certsrv.request.IRequest; +import 
com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * NS Cert Type policy. + * Adds the ns cert type extension depending on cert type requested. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class NSCertTypeExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + protected static final String PROP_SET_DEFAULT_BITS = "setDefaultBits"; + protected static final boolean DEF_SET_DEFAULT_BITS = true; + protected static final String DEF_SET_DEFAULT_BITS_VAL = + Boolean.valueOf(DEF_SET_DEFAULT_BITS).toString(); + + protected static final int DEF_PATHLEN = -1; + + protected static final boolean[] DEF_BITS = + new boolean[NSCertTypeExtension.NBITS]; + + // XXX for future use. currenlty always allow. + protected static final String PROP_AGENT_OVERR = "allowAgentOverride"; + protected static final String PROP_EE_OVERR = "AllowEEOverride"; + + // XXX for future use. currently always critical + // (standard says SHOULD be marked critical if included.) + protected static final String PROP_CRITICAL = "critical"; + + // XXX for future use to allow overrides from forms. + // request must be agent approved or authenticated. + protected boolean mAllowAgentOverride = false; + protected boolean mAllowEEOverride = false; + + // XXX for future use. currently always non-critical + protected boolean mCritical = false; + + protected int mCAPathLen = -1; + + protected IConfigStore mConfig = null; + protected boolean mSetDefaultBits = false; + + static { + // set default bits used when request missing ns cert type info. + // default is a client cert + DEF_BITS[NSCertTypeExtension.SSL_CLIENT_BIT] = true; + DEF_BITS[NSCertTypeExtension.SSL_SERVER_BIT] = false; + DEF_BITS[NSCertTypeExtension.EMAIL_BIT] = true; + DEF_BITS[NSCertTypeExtension.OBJECT_SIGNING_BIT] = true; + DEF_BITS[NSCertTypeExtension.SSL_CA_BIT] = false; + DEF_BITS[NSCertTypeExtension.EMAIL_CA_BIT] = false; + DEF_BITS[NSCertTypeExtension.OBJECT_SIGNING_CA_BIT] = false; + } + + public NSCertTypeExt() { + NAME = "NSCertType"; + DESC = "Sets Netscape Cert Type on all certs"; + } + + /** + * Initializes this policy rule. + *

+ * + * The entries may be of the form: + * + * ra.Policy.rule..implName=nsCertTypeExt ra.Policy.rule..enable=true + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + + // XXX future use. + //mAllowAgentOverride = config.getBoolean(PROP_AGENT_OVERR, false); + //mAllowEEOverride = config.getBoolean(PROP_EE_OVERR, false); + mCritical = config.getBoolean(PROP_CRITICAL, false); + + ICertAuthority certAuthority = (ICertAuthority) + ((IPolicyProcessor) owner).getAuthority(); + + if (certAuthority instanceof ICertificateAuthority) { + CertificateChain caChain = certAuthority.getCACertChain(); + X509Certificate caCert = null; + + // Note that in RA the chain could be null if CA was not up when + // RA was started. In that case just set the length to -1 and let + // CA reject if it does not allow any subordinate CA certs. + if (caChain != null) { + caCert = caChain.getFirstCertificate(); + if (caCert != null) + mCAPathLen = caCert.getBasicConstraints(); + } + } + + mSetDefaultBits = mConfig.getBoolean( + PROP_SET_DEFAULT_BITS, DEF_SET_DEFAULT_BITS); + } + + /** + * Adds the ns cert type if not set already. + * reads ns cert type choices from form. If no choices from form + * will defaults to all. + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + CMS.debug("NSCertTypeExt: Impl: " + NAME + ", Instance: " + getInstanceName() + "::apply()"); + + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; // unrecoverable error. + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certRes = applyCert(req, ci[i]); + + if (certRes == PolicyResult.REJECTED) + return certRes; + } + return PolicyResult.ACCEPTED; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + try { + String certType = + req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + NSCertTypeExtension nsCertTypeExt = null; + + if (extensions != null) { + // See if extension is already set and contains correct values. + try { + nsCertTypeExt = (NSCertTypeExtension) + extensions.get(NSCertTypeExtension.NAME); + } catch (IOException e) { + // extension isn't there. + nsCertTypeExt = null; + } + // XXX agent servlet currently sets this. it should be + // delayed to here. + if (nsCertTypeExt != null && + extensionIsGood(nsCertTypeExt, req)) { + CMS.debug( + "NSCertTypeExt: already has correct ns cert type ext"); + return PolicyResult.ACCEPTED; + } else if ((nsCertTypeExt != null) && + (certType.equals("ocspResponder"))) { + // Fix for #528732 : Always delete + // this extension from OCSP signing cert + extensions.delete(NSCertTypeExtension.NAME); + return PolicyResult.ACCEPTED; + } + } else { + // create extensions set if none. 
+ if (extensions == null) { + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + CMS.debug( + "NSCertTypeExt: Created extensions for adding ns cert type.."); + } + } + // add ns cert type extension if not set or not set correctly. + boolean[] bits = null; + + bits = getBitsFromRequest(req, mSetDefaultBits); + + // check if ca doesn't allow any subordinate ca + if (mCAPathLen == 0 && bits != null) { + if (bits[NSCertTypeExtension.SSL_CA_BIT] || + bits[NSCertTypeExtension.EMAIL_CA_BIT] || + bits[NSCertTypeExtension.OBJECT_SIGNING_CA_BIT]) { + setError(req, + CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), NAME); + return PolicyResult.REJECTED; + } + } + + if (nsCertTypeExt != null) { + // replace with correct bits to comply to policy. + // take all that are true. + extensions.delete(NSCertTypeExtension.NAME); + } + + int j; + + for (j = 0; bits != null && j < bits.length; j++) + if (bits[j]) + break; + if (bits == null || j == bits.length) { + if (!mSetDefaultBits) { + CMS.debug( + "NSCertTypeExt: no bits requested, not setting default."); + return PolicyResult.ACCEPTED; + } else + bits = DEF_BITS; + } + + nsCertTypeExt = new NSCertTypeExtension(mCritical, bits); + extensions.set(NSCertTypeExtension.NAME, nsCertTypeExt); + return PolicyResult.ACCEPTED; + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); + return PolicyResult.REJECTED; // unrecoverable error. + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); + return PolicyResult.REJECTED; // unrecoverable error. 
+ } + } + + /** + * check if ns cert type extension is set correctly, + * correct bits if not. + * if not authorized to set extension, bits will be replaced. + */ + protected boolean extensionIsGood( + NSCertTypeExtension nsCertTypeExt, IRequest req) + throws IOException, CertificateException { + // always return false for now to make sure minimum is set. + // agents and ee can add others. + + // must be agent approved or authenticated for allowing extensions + // which is always the case if we get to this point. + IAuthToken token = req.getExtDataInAuthToken(IRequest.AUTH_TOKEN); + + if (!agentApproved(req) && token == null) { + // don't know where this came from. + // set all bits to false to reset. + CMS.debug( + "NSCertTypeExt: unknown origin: setting ns cert type bits to false"); + boolean[] bits = new boolean[8]; + + for (int i = bits.length - 1; i >= 0; i--) { + nsCertTypeExt.set(i, false); + } + return false; + } else { + // check for min bits, set default if not there. + String certType = req.getExtDataInString(IRequest.HTTP_PARAMS, + IRequest.CERT_TYPE); + + if ((certType != null) && certType.equals("ocspResponder")) { + return false; + } + if (certType == null || certType.length() == 0) { + // if don't know cert type let agent override anything. + return true; + } + if (certType.equals(IRequest.CA_CERT)) { + if (!nsCertTypeExt.isSet(NSCertTypeExtension.SSL_CA_BIT) && + !nsCertTypeExt.isSet(NSCertTypeExtension.EMAIL_CA_BIT) && + !nsCertTypeExt.isSet( + NSCertTypeExtension.OBJECT_SIGNING_CA_BIT)) { + // min not set so set all. + CMS.debug( + "NSCertTypeExt: is extension good: no ca bits set. 
set all"); + + nsCertTypeExt.set(NSCertTypeExtension.SSL_CA, + Boolean.valueOf(true)); + nsCertTypeExt.set(NSCertTypeExtension.EMAIL_CA, + Boolean.valueOf(true)); + nsCertTypeExt.set(NSCertTypeExtension.OBJECT_SIGNING_CA, + Boolean.valueOf(true)); + } + return true; + } else if (certType.equals(IRequest.CLIENT_CERT)) { + if (!nsCertTypeExt.isSet(NSCertTypeExtension.SSL_CLIENT_BIT) && + !nsCertTypeExt.isSet(NSCertTypeExtension.EMAIL_BIT) && + !nsCertTypeExt.isSet(NSCertTypeExtension.SSL_SERVER_BIT) && + !nsCertTypeExt.isSet( + NSCertTypeExtension.OBJECT_SIGNING_BIT)) { + // min not set so set all. + CMS.debug( + "NSCertTypeExt: is extension good: no cl bits set. set all"); + nsCertTypeExt.set(NSCertTypeExtension.SSL_CLIENT, + new Boolean(true)); + nsCertTypeExt.set(NSCertTypeExtension.EMAIL, + new Boolean(true)); + nsCertTypeExt.set(NSCertTypeExtension.OBJECT_SIGNING, + new Boolean(true)); + } + return true; + } else if (certType.equals(IRequest.SERVER_CERT)) { + // this bit must be true. + nsCertTypeExt.set(NSCertTypeExtension.SSL_SERVER_BIT, true); + return true; + } + } + return false; + } + + /** + * Gets ns cert type bits from request. + * If none set, use cert type to determine correct bits. + * If no cert type, use default. + */ + + protected boolean[] getBitsFromRequest(IRequest req, boolean setDefault) { + boolean[] bits = null; + + CMS.debug("NSCertTypeExt: ns cert type getting ns cert type vars"); + bits = getNSCertTypeBits(req); + if (bits == null && setDefault) { + // no ns cert type bits set in request. go with cert type. 
+ CMS.debug("NSCertTypeExt: ns cert type getting cert type vars"); + bits = getCertTypeBits(req); + + if (bits == null && setDefault) { + CMS.debug("NSCertTypeExt: ns cert type getting def bits"); + bits = DEF_BITS; + } + } + return bits; + } + + /** + * get ns cert type bits from actual sets in the request + */ + protected boolean[] getNSCertTypeBits(IRequest req) { + boolean[] bits = new boolean[NSCertTypeExtension.NBITS]; + + bits[NSCertTypeExtension.SSL_CLIENT_BIT] = + // XXX should change this to is ns cert type ssl_client defn. + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.SSL_CLIENT, false); + + bits[NSCertTypeExtension.SSL_SERVER_BIT] = + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.SSL_SERVER, false); + + bits[NSCertTypeExtension.EMAIL_BIT] = + // XXX should change this to is ns cert type ssl_client defn. + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.EMAIL, false); + + bits[NSCertTypeExtension.OBJECT_SIGNING_BIT] = + // XXX should change this to is ns cert type ssl_client defn. + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.OBJECT_SIGNING, false); + + bits[NSCertTypeExtension.SSL_CA_BIT] = + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.SSL_CA, false); + + bits[NSCertTypeExtension.EMAIL_CA_BIT] = + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.EMAIL_CA, false); + + bits[NSCertTypeExtension.OBJECT_SIGNING_CA_BIT] = + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.OBJECT_SIGNING_CA, false); + + // if nothing set, return null. + int i; + + for (i = bits.length - 1; i >= 0; i--) { + if (bits[i] == true) { + CMS.debug("NSCertTypeExt: bit " + i + " is set."); + break; + } + } + if (i < 0) { + // nothing was set. + CMS.debug("NSCertTypeExt: No bits were set."); + bits = null; + } + return bits; + } + + /** + * get cert type bits according to cert type. 
+ */ + protected boolean[] getCertTypeBits(IRequest req) { + String certType = + req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); + + if (certType == null || certType.length() == 0) + return null; + + boolean[] bits = new boolean[KeyUsageExtension.NBITS]; + + for (int i = bits.length - 1; i >= 0; i--) + bits[i] = false; + + if (certType.equals(IRequest.CLIENT_CERT)) { + CMS.debug("NSCertTypeExt: setting bits for client cert"); + // we can only guess here when it's client. + // sets all client bit for default. + bits[NSCertTypeExtension.SSL_CLIENT_BIT] = true; + bits[NSCertTypeExtension.EMAIL_BIT] = true; + //bits[NSCertTypeExtension.OBJECT_SIGNING_BIT] = true; + } else if (certType.equals(IRequest.SERVER_CERT)) { + CMS.debug("NSCertTypeExt: setting bits for server cert"); + bits[NSCertTypeExtension.SSL_SERVER_BIT] = true; + } else if (certType.equals(IRequest.CA_CERT)) { + CMS.debug("NSCertType: setting bits for ca cert"); + bits[NSCertTypeExtension.SSL_CA_BIT] = true; + bits[NSCertTypeExtension.EMAIL_CA_BIT] = true; + bits[NSCertTypeExtension.OBJECT_SIGNING_CA_BIT] = true; + } else if (certType.equals(IRequest.RA_CERT)) { + CMS.debug("NSCertType: setting bits for ra cert"); + bits[NSCertTypeExtension.SSL_CLIENT_BIT] = true; + } else { + CMS.debug("NSCertTypeExt: no other cert bits set"); + // return null to use default. + bits = DEF_BITS; + } + return bits; + } + + /** + * merge bits with those set from form. + * make sure required minimum is set. Agent or auth can set others. + * XXX form shouldn't set the extension + */ + public void mergeBits(NSCertTypeExtension nsCertTypeExt, boolean[] bits) { + for (int i = bits.length - 1; i >= 0; i--) { + if (bits[i] == true) { + CMS.debug("NSCertTypeExt: ns cert type merging bit " + i); + nsCertTypeExt.set(i, true); + } + } + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. 
+ */ + public Vector getInstanceParams() { + Vector params = new Vector(); + + params.addElement(PROP_CRITICAL + "=" + mCritical); + params.addElement(PROP_SET_DEFAULT_BITS + "=" + mSetDefaultBits); + //new Boolean(mSetDefaultBits).toString()); + return params; + } + + private static Vector mDefParams = new Vector(); + static { + mDefParams.addElement( + PROP_CRITICAL + "=false"); + mDefParams.addElement( + PROP_SET_DEFAULT_BITS + "=" + DEF_SET_DEFAULT_BITS); + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_CRITICAL + ";boolean;Netscape recommendation: non-critical.", + PROP_SET_DEFAULT_BITS + ";boolean;Specify whether to set the Netscape certificate " + + "type extension with default bits ('ssl client' and 'email') in certificates " + + "specified by the predicate " + + "expression.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-nscerttype", + IExtendedPluginInfo.HELP_TEXT + + ";Adds Netscape Certificate Type extension." + }; + + return params; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return mDefParams; + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/NameConstraintsExt.java b/base/common/src/com/netscape/cms/policy/extensions/NameConstraintsExt.java new file mode 100644 index 000000000..f010bf3f1 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/NameConstraintsExt.java 
@@ -0,0 +1,475 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.policy.extensions;
+
+import java.io.IOException;
+import java.security.cert.CertificateException;
+import java.util.Locale;
+import java.util.Vector;
+
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.GeneralSubtree;
+import netscape.security.x509.GeneralSubtrees;
+import netscape.security.x509.NameConstraintsExtension;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.policy.IEnrollmentPolicy;
+import com.netscape.certsrv.policy.IGeneralNameAsConstraintsConfig;
+import com.netscape.certsrv.policy.IPolicyProcessor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.PolicyResult;
+import com.netscape.cms.policy.APolicyRule;
+
+/**
+ * Name Constraints Extension Policy
+ * Adds the name constraints extension to a
(CA) certificate. + * Filtering of CA certificates is done through predicates. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ *
+ * @deprecated
+ * @version $Revision$, $Date$
+ */
+public class NameConstraintsExt extends APolicyRule
+ implements IEnrollmentPolicy, IExtendedPluginInfo {
+ protected static final String PROP_CRITICAL = "critical";
+ protected static final String PROP_NUM_PERMITTEDSUBTREES = "numPermittedSubtrees";
+ protected static final String PROP_NUM_EXCLUDEDSUBTREES = "numExcludedSubtrees";
+
+ protected static final String PROP_PERMITTEDSUBTREES = "permittedSubtrees";
+ protected static final String PROP_EXCLUDEDSUBTREES = "excludedSubtrees";
+
+ protected static final boolean DEF_CRITICAL = true;
+ protected static final int DEF_NUM_PERMITTEDSUBTREES = 8;
+ protected static final int DEF_NUM_EXCLUDEDSUBTREES = 8;
+
+ protected boolean mEnabled = false;
+ protected IConfigStore mConfig = null;
+
+ protected boolean mCritical = DEF_CRITICAL;
+ protected int mNumPermittedSubtrees = 0;
+ protected int mNumExcludedSubtrees = 0;
+ protected Subtree[] mPermittedSubtrees = null;
+ protected Subtree[] mExcludedSubtrees = null;
+ protected NameConstraintsExtension mNameConstraintsExtension = null;
+
+ protected Vector mInstanceParams = new Vector();
+
+ public NameConstraintsExt() {
+ NAME = "NameConstraintsExt";
+ DESC = "Sets Name Constraints Extension on subordinate CA certificates";
+ }
+
+ /**
+ * Initializes this policy rule.
+ *

+ * + * The entries may be of the form: + * + * ca.Policy.rule..predicate=certType==ca ca.Policy.rule..implName= + * ca.Policy.rule..enable=true + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + + // XXX should do do this ? + // if CA does not allow subordinate CAs by way of basic constraints, + // this policy always rejects + /***** + * ICertAuthority certAuthority = (ICertAuthority) + * ((IPolicyProcessor)owner).getAuthority(); + * if (certAuthority instanceof ICertificateAuthority) { + * CertificateChain caChain = certAuthority.getCACertChain(); + * X509Certificate caCert = null; + * // Note that in RA the chain could be null if CA was not up when + * // RA was started. In that case just set the length to -1 and let + * // CA reject if it does not allow any subordinate CA certs. + * if (caChain != null) { + * caCert = caChain.getFirstCertificate(); + * if (caCert != null) + * mCAPathLen = caCert.getBasicConstraints(); + * } + * } + ****/ + + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); + mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); + mNumPermittedSubtrees = mConfig.getInteger( + PROP_NUM_PERMITTEDSUBTREES, DEF_NUM_PERMITTEDSUBTREES); + mNumExcludedSubtrees = mConfig.getInteger( + PROP_NUM_EXCLUDEDSUBTREES, DEF_NUM_EXCLUDEDSUBTREES); + + if (mNumPermittedSubtrees < 0) { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_NUM_PERMITTEDSUBTREES, + "value must be greater than or equal to 0")); + } + if (mNumExcludedSubtrees < 0) { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_NUM_EXCLUDEDSUBTREES, + "value must be greater than or equal to 0")); + } + + // init permitted subtrees if any. 
+ if (mNumPermittedSubtrees > 0) { + mPermittedSubtrees = + form_subtrees(PROP_PERMITTEDSUBTREES, mNumPermittedSubtrees); + CMS.debug("NameConstraintsExt: formed permitted subtrees"); + } + + // init excluded subtrees if any. + if (mNumExcludedSubtrees > 0) { + mExcludedSubtrees = + form_subtrees(PROP_EXCLUDEDSUBTREES, mNumExcludedSubtrees); + CMS.debug("NameConstraintsExt: formed excluded subtrees"); + } + + // create instance of name constraints extension if enabled. + if (mEnabled) { + try { + Vector permittedSubtrees = new Vector(); + + for (int i = 0; i < mNumPermittedSubtrees; i++) { + permittedSubtrees.addElement( + mPermittedSubtrees[i].mGeneralSubtree); + } + Vector excludedSubtrees = new Vector(); + + for (int j = 0; j < mNumExcludedSubtrees; j++) { + excludedSubtrees.addElement( + mExcludedSubtrees[j].mGeneralSubtree); + } + GeneralSubtrees psb = null; + + if (permittedSubtrees.size() > 0) { + psb = new GeneralSubtrees(permittedSubtrees); + } + GeneralSubtrees esb = null; + + if (excludedSubtrees.size() > 0) { + esb = new GeneralSubtrees(excludedSubtrees); + } + mNameConstraintsExtension = + new NameConstraintsExtension(mCritical, + psb, + esb); + CMS.debug("NameConstraintsExt: formed Name Constraints Extension " + + mNameConstraintsExtension); + } catch (IOException e) { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Error initializing Name Constraints Extension: " + e)); + } + } + + // form instance params + mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); + mInstanceParams.addElement( + PROP_NUM_PERMITTEDSUBTREES + "=" + mNumPermittedSubtrees); + mInstanceParams.addElement( + PROP_NUM_EXCLUDEDSUBTREES + "=" + mNumExcludedSubtrees); + if (mNumPermittedSubtrees > 0) { + for (int i = 0; i < mPermittedSubtrees.length; i++) + mPermittedSubtrees[i].getInstanceParams(mInstanceParams); + } + if (mNumExcludedSubtrees > 0) { + for (int j = 0; j < mExcludedSubtrees.length; j++) + 
mExcludedSubtrees[j].getInstanceParams(mInstanceParams); + } + } + + Subtree[] form_subtrees(String subtreesName, int numSubtrees) + throws EBaseException { + Subtree[] subtrees = new Subtree[numSubtrees]; + + for (int i = 0; i < numSubtrees; i++) { + String subtreeName = subtreesName + i; + IConfigStore subtreeConfig = mConfig.getSubStore(subtreeName); + Subtree subtree = + new Subtree(subtreeName, subtreeConfig, mEnabled); + + subtrees[i] = subtree; + } + return subtrees; + } + + /** + * Adds Name Constraints Extension to a (CA) certificate. + * + * If a Name constraints Extension is already there, accept it if + * it's been approved by agent, else replace it. + * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + // if extension hasn't been properly configured reject requests until + // it has been resolved (or disabled). + if (mNameConstraintsExtension == null) { + //setError(req, PolicyResources.EXTENSION_NOT_INITED_1, NAME); + //return PolicyResult.REJECTED; + return PolicyResult.ACCEPTED; + } + + // get certInfo from request. + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certRes = applyCert(req, ci[i]); + + if (certRes == PolicyResult.REJECTED) + return certRes; + } + return PolicyResult.ACCEPTED; + + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + // check if name constraints extension already exists. + // if not agent approved, replace name constraints extension with ours. + // else ignore. 
+ try { + NameConstraintsExtension nameConstraintsExt = null; + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + + try { + if (extensions != null) { + nameConstraintsExt = (NameConstraintsExtension) + extensions.get(NameConstraintsExtension.NAME); + } + } catch (IOException e) { + // extension isn't there. + } + + if (nameConstraintsExt != null) { + if (agentApproved(req)) { + CMS.debug( + "NameConstraintsExt: request id from agent " + req.getRequestId() + + " already has name constraints - accepted"); + return PolicyResult.ACCEPTED; + } else { + CMS.debug( + "NameConstraintsExt: request id " + req.getRequestId() + " from user " + + " already has name constraints - deleted"); + extensions.delete(NameConstraintsExtension.NAME); + } + } + + if (extensions == null) { + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } + extensions.set( + NameConstraintsExtension.NAME, mNameConstraintsExtension); + CMS.debug( + "NameConstraintsExt: added Name Constraints Extension to request " + + req.getRequestId()); + return PolicyResult.ACCEPTED; + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_NAME_CONST_EXTENSION", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); + return PolicyResult.REJECTED; + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); + return PolicyResult.REJECTED; + } + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + return mInstanceParams; + } + + /** + * Default config parameters. 
+ * To add more permitted or excluded subtrees, + * increase the num to greater than 0 and more configuration params + * will show up in the console. + */ + private static Vector mDefParams = new Vector(); + static { + mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); + mDefParams.addElement( + PROP_NUM_PERMITTEDSUBTREES + "=" + DEF_NUM_PERMITTEDSUBTREES); + mDefParams.addElement( + PROP_NUM_EXCLUDEDSUBTREES + "=" + DEF_NUM_EXCLUDEDSUBTREES); + for (int k = 0; k < DEF_NUM_PERMITTEDSUBTREES; k++) { + Subtree.getDefaultParams(PROP_PERMITTEDSUBTREES + k, mDefParams); + } + for (int l = 0; l < DEF_NUM_EXCLUDEDSUBTREES; l++) { + Subtree.getDefaultParams(PROP_EXCLUDEDSUBTREES + l, mDefParams); + } + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return mDefParams; + } + + public String[] getExtendedPluginInfo(Locale locale) { + Vector theparams = new Vector(); + + theparams.addElement(PROP_CRITICAL + ";boolean;RFC 2459 recommendation: MUST be critical."); + theparams.addElement( + PROP_NUM_PERMITTEDSUBTREES + ";number;See RFC 2459 sec 4.2.1.11"); + theparams.addElement( + PROP_NUM_EXCLUDEDSUBTREES + ";number;See RFC 2459 sec 4.2.1.11"); + + // now do the subtrees. + for (int k = 0; k < DEF_NUM_PERMITTEDSUBTREES; k++) { + Subtree.getExtendedPluginInfo(PROP_PERMITTEDSUBTREES + k, theparams); + } + for (int l = 0; l < DEF_NUM_EXCLUDEDSUBTREES; l++) { + Subtree.getExtendedPluginInfo(PROP_EXCLUDEDSUBTREES + l, theparams); + } + theparams.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-nameconstraints"); + theparams.addElement(IExtendedPluginInfo.HELP_TEXT + + ";Adds Name Constraints Extension. 
See RFC 2459"); + + String[] info = new String[theparams.size()]; + + theparams.copyInto(info); + return info; + } +} + +/** + * subtree configuration + */ +class Subtree { + + protected static final String PROP_BASE = "base"; + protected static final String PROP_MIN = "min"; + protected static final String PROP_MAX = "max"; + + protected static final int DEF_MIN = 0; + protected static final int DEF_MAX = -1; // -1 (less than 0) means not set. + + protected static final String MINMAX_INFO = "number;See RFC 2459 section 4.2.1.11"; + + String mName = null; + IConfigStore mConfig = null; + int mMin = DEF_MIN, mMax = DEF_MAX; + IGeneralNameAsConstraintsConfig mBase = null; + GeneralSubtree mGeneralSubtree = null; + + String mNameDot = null; + String mNameDotMin = null; + String mNameDotMax = null; + + public Subtree( + String subtreeName, IConfigStore config, boolean policyEnabled) + throws EBaseException { + mName = subtreeName; + mConfig = config; + + if (mName != null) { + mNameDot = mName + "."; + mNameDotMin = mNameDot + PROP_MIN; + mNameDotMax = mNameDot + PROP_MAX; + } else { + mNameDot = ""; + mNameDotMin = PROP_MIN; + mNameDotMax = PROP_MAX; + } + + // necessary to expand/shrink # general names from console. + if (mConfig.size() == 0) { + mConfig.putInteger(mNameDotMin, mMin); + mConfig.putInteger(mNameDotMax, mMax); + // GeneralNameConfig will take care of stuff for generalname. + } + + // if policy enabled get values to form the general subtree. 
+ mMin = mConfig.getInteger(PROP_MIN, DEF_MIN); + mMax = mConfig.getInteger(PROP_MAX, DEF_MAX); + if (mMax < -1) + mMax = -1; + mBase = CMS.createGeneralNameAsConstraintsConfig( + mNameDot + PROP_BASE, mConfig.getSubStore(PROP_BASE), + true, policyEnabled); + + if (policyEnabled) { + mGeneralSubtree = + new GeneralSubtree(mBase.getGeneralName(), mMin, mMax); + } + } + + void getInstanceParams(Vector instanceParams) { + mBase.getInstanceParams(instanceParams); + instanceParams.addElement(mNameDotMin + "=" + mMin); + instanceParams.addElement(mNameDotMax + "=" + mMax); + } + + static void getDefaultParams(String name, Vector params) { + String nameDot = ""; + + if (name != null && name.length() >= 0) + nameDot = name + "."; + CMS.getGeneralNameConfigDefaultParams(nameDot + PROP_BASE, true, params); + params.addElement(nameDot + PROP_MIN + "=" + DEF_MIN); + params.addElement(nameDot + PROP_MAX + "=" + DEF_MAX); + } + + static void getExtendedPluginInfo(String name, Vector info) { + String nameDot = ""; + + if (name != null && name.length() > 0) + nameDot = name + "."; + CMS.getGeneralNameConfigExtendedPluginInfo(nameDot + PROP_BASE, true, info); + info.addElement(nameDot + PROP_MIN + ";" + MINMAX_INFO); + info.addElement(nameDot + PROP_MAX + ";" + MINMAX_INFO); + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/OCSPNoCheckExt.java b/base/common/src/com/netscape/cms/policy/extensions/OCSPNoCheckExt.java new file mode 100644 index 000000000..33f2f85e0 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/OCSPNoCheckExt.java 
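Review bot: `apply()` returns `PolicyResult.ACCEPTED` when `mNameConstraintsExtension` is null, while the comment directly above it says requests should be rejected until the extension is configured; a CA-certificate policy that silently passes on misconfiguration fails open, so either restore the commented-out `setError(...)` / `return PolicyResult.REJECTED;` or rewrite the comment to say the rule is a no-op when disabled. Whether a disabled rule is still reached through `apply()` depends on the policy processor, which is outside this hunk. Separately, `Subtree.getDefaultParams` tests `name.length() >= 0`, which is always true for a non-null name, so an empty name yields keys prefixed with a bare `.`; its sibling `getExtendedPluginInfo` uses `> 0`, which looks like the intended check: `if (name != null && name.length() > 0)`. The `Subtree` constructor also writes `mNameDotMin` / `mNameDotMax` into the sub-store but reads back `PROP_MIN` / `PROP_MAX` from the same store, so one of the two key forms is presumably wrong — worth confirming against the `IConfigStore` sub-store semantics.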
@@ -0,0 +1,190 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.policy.extensions;
+
+import java.io.IOException;
+import java.security.cert.CertificateException;
+import java.util.Locale;
+import java.util.Vector;
+
+import netscape.security.extensions.OCSPNoCheckExtension;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.policy.IEnrollmentPolicy;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.PolicyResult;
+import com.netscape.cms.policy.APolicyRule;
+
+/**
+ * This implements an OCSP Signing policy, it
+ * adds the OCSP Signing extension to the certificate.
+ *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$ $Date$ + */ +public class OCSPNoCheckExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + + public static final String PROP_CRITICAL = "critical"; + private boolean mCritical = false; + + // PKIX specifies the that the extension SHOULD NOT be critical + public static final boolean DEFAULT_CRITICALITY = false; + + private OCSPNoCheckExtension mOCSPNoCheck = null; + + /** + * Constructs an OCSP No check extension. + */ + public OCSPNoCheckExt() { + NAME = "OCSPNoCheckExt"; + DESC = "Sets OCSPNoCheck extension for certificates"; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_CRITICAL + ";boolean;RFC 2560 recommendation: SHOULD be non-critical.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-ocspnocheck", + IExtendedPluginInfo.HELP_TEXT + + ";Adds OCSP signing extension to certificate" + }; + + return params; + + } + + /** + * Performs one-time initialization of the policy. + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mOCSPNoCheck = new OCSPNoCheckExtension(); + + if (mOCSPNoCheck != null) { + // configure the extension itself + mCritical = config.getBoolean(PROP_CRITICAL, + DEFAULT_CRITICALITY); + mOCSPNoCheck.setCritical(mCritical); + } + } + + /** + * Applies the policy to the given request. 
+ */ + public PolicyResult apply(IRequest req) { + + // if the extension was not configured correctly, just skip it + if (mOCSPNoCheck == null) { + return PolicyResult.ACCEPTED; + } + + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certRes = applyCert(req, ci[i]); + + if (certRes == PolicyResult.REJECTED) + return certRes; + } + return PolicyResult.ACCEPTED; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + try { + + // find the extensions in the certInfo + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + + // prepare the extensions data structure + if (extensions == null) { + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } else { + try { + extensions.delete(OCSPNoCheckExtension.NAME); + } catch (IOException ex) { + // OCSPNoCheck extension is not already there + // log(ILogger.LL_FAILURE, "No previous extension: "+OCSPNoCheckExtension.NAME+" "+ex.getMessage()); + } + } + + extensions.set(OCSPNoCheckExtension.NAME, mOCSPNoCheck); + + return PolicyResult.ACCEPTED; + + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, + e.getMessage()); + return PolicyResult.REJECTED; + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, + e.getMessage()); + return 
PolicyResult.REJECTED; + } + } + + /** + * Returns instance parameters. + */ + public Vector getInstanceParams() { + Vector params = new Vector(); + + params.addElement(PROP_CRITICAL + "=" + mCritical); + return params; + + } + + /** + * Returns default parameters. + */ + public Vector getDefaultParams() { + Vector defParams = new Vector(); + + defParams.addElement(PROP_CRITICAL + "=false"); + return defParams; + + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java b/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java new file mode 100644 index 000000000..861107b8e --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java 
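Review bot: The null guards in `init()` and `apply()` are dead code: `mOCSPNoCheck` is assigned from `new OCSPNoCheckExtension()` and cannot be null afterwards, so the "not configured correctly, just skip it" path in `apply()` never runs; drop both checks, or assign `mOCSPNoCheck` only after `config.getBoolean` succeeds if skipping on bad config is the intent. In `applyCert()` the `certInfo.set(X509CertInfo.VERSION, ...)` call appears twice in the `extensions == null` branch; one copy can go. `getDefaultParams()` hard-codes `"=false"` where `init()` uses the constant — `defParams.addElement(PROP_CRITICAL + "=" + DEFAULT_CRITICALITY);` keeps them in step. The class Javadoc calls this the "OCSP Signing extension", but what the rule sets is `OCSPNoCheckExtension` (id-pkix-ocsp-nocheck, RFC 2560), which tells relying parties to skip revocation checking of the responder certificate; the summary should say so, so that operators scope the predicate to OCSP responder certificates only.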
@@ -0,0 +1,287 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.PolicyConstraintsExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.policy.IPolicyProcessor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Policy Constraints Extension Policy + * Adds the policy constraints extension to (CA) certificates. + * Filtering of CA certificates is done through predicates. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class PolicyConstraintsExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + protected static final String PROP_CRITICAL = "critical"; + protected static final String PROP_REQ_EXPLICIT_POLICY = "reqExplicitPolicy"; + protected static final String PROP_INHIBIT_POLICY_MAPPING = "inhibitPolicyMapping"; + + protected static final boolean DEF_CRITICAL = false; + protected static final int DEF_REQ_EXPLICIT_POLICY = -1; // not set + protected static final int DEF_INHIBIT_POLICY_MAPPING = -1; // not set + + protected boolean mEnabled = false; + protected IConfigStore mConfig = null; + + protected boolean mCritical = DEF_CRITICAL; + protected int mReqExplicitPolicy = DEF_REQ_EXPLICIT_POLICY; + protected int mInhibitPolicyMapping = DEF_INHIBIT_POLICY_MAPPING; + protected PolicyConstraintsExtension mPolicyConstraintsExtension = null; + + protected Vector mInstanceParams = new Vector(); + + protected static Vector mDefaultParams = new Vector(); + static { + mDefaultParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); + mDefaultParams.addElement( + PROP_REQ_EXPLICIT_POLICY + "=" + DEF_REQ_EXPLICIT_POLICY); + mDefaultParams.addElement( + PROP_INHIBIT_POLICY_MAPPING + "=" + DEF_INHIBIT_POLICY_MAPPING); + } + + public PolicyConstraintsExt() { + NAME = "PolicyConstriantsExt"; + DESC = "Sets Policy Constraints Extension on subordinate CA certs"; + } + + /** + * Initializes this policy rule. + *

+ * + * The entries may be of the form: + * + * ca.Policy.rule..predicate=certType==ca ca.Policy.rule..implName= + * ca.Policy.rule..enable=true + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + + // XXX should do do this ? + // if CA does not allow subordinate CAs by way of basic constraints, + // this policy always rejects + /***** + * ICertAuthority certAuthority = (ICertAuthority) + * ((GenericPolicyProcessor)owner).mAuthority; + * if (certAuthority instanceof ICertificateAuthority) { + * CertificateChain caChain = certAuthority.getCACertChain(); + * X509Certificate caCert = null; + * // Note that in RA the chain could be null if CA was not up when + * // RA was started. In that case just set the length to -1 and let + * // CA reject if it does not allow any subordinate CA certs. + * if (caChain != null) { + * caCert = caChain.getFirstCertificate(); + * if (caCert != null) + * mCAPathLen = caCert.getBasicConstraints(); + * } + * } + ****/ + + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); + mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); + + mReqExplicitPolicy = mConfig.getInteger( + PROP_REQ_EXPLICIT_POLICY, DEF_REQ_EXPLICIT_POLICY); + mInhibitPolicyMapping = mConfig.getInteger( + PROP_INHIBIT_POLICY_MAPPING, DEF_INHIBIT_POLICY_MAPPING); + + if (mReqExplicitPolicy < -1) + mReqExplicitPolicy = -1; + if (mInhibitPolicyMapping < -1) + mInhibitPolicyMapping = -1; + + // create instance of policy constraings extension + try { + mPolicyConstraintsExtension = + new PolicyConstraintsExtension(mCritical, + mReqExplicitPolicy, mInhibitPolicyMapping); + CMS.debug( + "PolicyConstraintsExt: Created Policy Constraints Extension: " + + mPolicyConstraintsExtension); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_CANT_INIT_POLICY_CONST_EXT", e.toString())); + throw new EBaseException( + 
CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Could not init Policy Constraints Extension. Error: " + e)); + } + + // form instance params + mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); + mInstanceParams.addElement( + PROP_REQ_EXPLICIT_POLICY + "=" + mReqExplicitPolicy); + mInstanceParams.addElement( + PROP_INHIBIT_POLICY_MAPPING + "=" + mInhibitPolicyMapping); + } + + /** + * Adds Policy Constraints Extension to a (CA) certificate. + * + * If a Policy constraints Extension is already there, accept it if + * it's been approved by agent, else replace it. + * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + // if extension hasn't been properly configured reject requests until + // it has been resolved (or disabled). + if (mPolicyConstraintsExtension == null) { + return PolicyResult.ACCEPTED; + } + + // get certInfo from request. + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certRes = applyCert(req, ci[i]); + + if (certRes == PolicyResult.REJECTED) + return certRes; + } + return PolicyResult.ACCEPTED; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + + // check if name constraints extension already exists. + // if not agent approved, replace name constraints extension with ours. + // else ignore. + try { + PolicyConstraintsExtension policyConstraintsExt = null; + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + + try { + if (extensions != null) { + policyConstraintsExt = (PolicyConstraintsExtension) + extensions.get(PolicyConstraintsExtension.NAME); + } + } catch (IOException e) { + // extension isn't there. 
+ } + + if (policyConstraintsExt != null) { + if (agentApproved(req)) { + return PolicyResult.ACCEPTED; + } else { + extensions.delete(PolicyConstraintsExtension.NAME); + } + } + + if (extensions == null) { + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } + extensions.set( + "PolicyConstriantsExt", mPolicyConstraintsExtension); + CMS.debug("PolicyConstraintsExt: added our policy constraints extension"); + return PolicyResult.ACCEPTED; + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_CANT_PROCESS_POLICY_CONST_EXT", e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); + return PolicyResult.REJECTED; + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); + return PolicyResult.REJECTED; + } + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + return mInstanceParams; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return mDefaultParams; + } + + /** + * gets plugin info for pretty console edit displays. 
+ */ + public String[] getExtendedPluginInfo(Locale locale) { + mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); + mInstanceParams.addElement( + PROP_REQ_EXPLICIT_POLICY + "=" + mReqExplicitPolicy); + mInstanceParams.addElement( + PROP_INHIBIT_POLICY_MAPPING + "=" + mInhibitPolicyMapping); + + String[] params = { + PROP_CRITICAL + ";boolean;RFC 2459 recommendation: may be critical or non-critical.", + PROP_REQ_EXPLICIT_POLICY + + ";integer;Number of addional certificates that may appear in the path before an explicit policy is required. If less than 0 this field is unset in the extension.", + PROP_INHIBIT_POLICY_MAPPING + + ";integer;Number of addional certificates that may appear in the path before policy mapping is no longer permitted. If less than 0 this field is unset in the extension.", + IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-policyconstraints" + }; + + return params; + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/PolicyMappingsExt.java b/base/common/src/com/netscape/cms/policy/extensions/PolicyMappingsExt.java new file mode 100644 index 000000000..7623f455f --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/PolicyMappingsExt.java 
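Review bot: `getExtendedPluginInfo` appends three entries to `mInstanceParams` on every call, so the Vector that `getInstanceParams` returns grows with duplicate `critical=`/`reqExplicitPolicy=`/`inhibitPolicyMapping=` pairs each time the console fetches plugin info; `init` already fills that Vector, and the three `mInstanceParams.addElement(...)` statements at the top of `getExtendedPluginInfo` should simply be removed (the sibling PolicyMappingsExt builds a local Vector for the same purpose). In `applyCert` the extension is stored under the literal `"PolicyConstriantsExt"` while the lookup and the delete a few lines earlier use `PolicyConstraintsExtension.NAME`, so unless CertificateExtensions ignores the key, a request that passes through this rule twice will not find the extension it previously added; `extensions.set(PolicyConstraintsExtension.NAME, mPolicyConstraintsExtension);` keeps the three operations consistent. The comment above the null check in `apply` says requests are rejected until the extension is configured, but the code returns ACCEPTED, and PolicyMappingsExt's `apply` carries the same contradictory comment; suggest `// extension not configured (or rule disabled): let the request through unchanged` in both. The comment opening `applyCert` ("check if name constraints extension already exists") was copied from another rule and should read "policy constraints extension".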
@@ -0,0 +1,426 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificatePolicyId; +import netscape.security.x509.CertificatePolicyMap; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.PolicyMappingsExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.policy.IPolicyProcessor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Policy Mappings Extension Policy + * Adds the Policy Mappings extension to a (CA) 
certificate. + * Filtering of CA certificates is done through predicates. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class PolicyMappingsExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + protected static final String PROP_CRITICAL = "critical"; + protected static final String PROP_NUM_POLICYMAPPINGS = "numPolicyMappings"; + + protected static final String PROP_POLICYMAP = "policyMap"; + + protected static final boolean DEF_CRITICAL = false; + protected static final int DEF_NUM_POLICYMAPPINGS = 1; + + protected boolean mEnabled = false; + protected IConfigStore mConfig = null; + + protected boolean mCritical = DEF_CRITICAL; + protected int mNumPolicyMappings = DEF_NUM_POLICYMAPPINGS; + protected PolicyMap[] mPolicyMaps = null; + protected PolicyMappingsExtension mPolicyMappingsExtension = null; + + protected Vector mInstanceParams = new Vector(); + + public PolicyMappingsExt() { + NAME = "PolicyMappingsExt"; + DESC = "Sets Policy Mappings Extension on subordinate CA certificates"; + } + + /** + * Initializes this policy rule. + *

+ * + * The entries may be of the form: + * + * ca.Policy.rule..predicate=certType==ca ca.Policy.rule..implName= + * ca.Policy.rule..enable=true + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + + // XXX should do do this ? + // if CA does not allow subordinate CAs by way of basic constraints, + // this policy always rejects + /***** + * ICertAuthority certAuthority = (ICertAuthority) + * ((IPolicyProcessor)owner).getAuthority(); + * if (certAuthority instanceof ICertificateAuthority) { + * CertificateChain caChain = certAuthority.getCACertChain(); + * X509Certificate caCert = null; + * // Note that in RA the chain could be null if CA was not up when + * // RA was started. In that case just set the length to -1 and let + * // CA reject if it does not allow any subordinate CA certs. + * if (caChain != null) { + * caCert = caChain.getFirstCertificate(); + * if (caCert != null) + * mCAPathLen = caCert.getBasicConstraints(); + * } + * } + ****/ + + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); + mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); + + mNumPolicyMappings = mConfig.getInteger( + PROP_NUM_POLICYMAPPINGS, DEF_NUM_POLICYMAPPINGS); + if (mNumPolicyMappings < 1) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_ATTR_VALUE_2", NAME, "")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_NUM_POLICYMAPPINGS, + "value must be greater than or equal to 1")); + } + + // init Policy Mappings, check values if enabled. 
+ mPolicyMaps = new PolicyMap[mNumPolicyMappings]; + for (int i = 0; i < mNumPolicyMappings; i++) { + String subtreeName = PROP_POLICYMAP + i; + + try { + mPolicyMaps[i] = new PolicyMap(subtreeName, mConfig, mEnabled); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, NAME + ": " + + CMS.getLogMessage("POLICY_ERROR_CREATE_MAP", e.toString())); + throw e; + } + } + + // create instance of policy mappings extension if enabled. + if (mEnabled) { + try { + Vector certPolicyMaps = new Vector(); + + for (int j = 0; j < mNumPolicyMappings; j++) { + certPolicyMaps.addElement( + mPolicyMaps[j].mCertificatePolicyMap); + } + mPolicyMappingsExtension = + new PolicyMappingsExtension(mCritical, certPolicyMaps); + } catch (IOException e) { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Error initializing " + NAME + " Error: " + e)); + } + } + + // form instance params + mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); + mInstanceParams.addElement( + PROP_NUM_POLICYMAPPINGS + "=" + mNumPolicyMappings); + for (int i = 0; i < mNumPolicyMappings; i++) { + mPolicyMaps[i].getInstanceParams(mInstanceParams); + } + } + + /** + * Adds policy mappings Extension to a (CA) certificate. + * + * If a policy mappings Extension is already there, accept it if + * it's been approved by agent, else replace it. + * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + // if extension hasn't been properly configured reject requests until + // it has been resolved (or disabled). + if (mPolicyMappingsExtension == null) { + //setError(req, PolicyResources.EXTENSION_NOT_INITED_1, NAME); + //return PolicyResult.REJECTED; + return PolicyResult.ACCEPTED; + } + + // get certInfo from request. 
+ X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certRes = applyCert(req, ci[i]); + + if (certRes == PolicyResult.REJECTED) + return certRes; + } + return PolicyResult.ACCEPTED; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + // check if policy mappings extension already exists. + // if not agent approved, replace policy mappings extension with ours. + // else ignore. + try { + PolicyMappingsExtension policyMappingsExt = null; + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + + try { + if (extensions != null) { + policyMappingsExt = (PolicyMappingsExtension) + extensions.get(PolicyMappingsExtension.NAME); + } + } catch (IOException e) { + // extension isn't there. + } + + if (policyMappingsExt != null) { + if (agentApproved(req)) { + return PolicyResult.ACCEPTED; + } else { + extensions.delete(PolicyMappingsExtension.NAME); + } + } + + if (extensions == null) { + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } + extensions.set( + PolicyMappingsExtension.NAME, mPolicyMappingsExtension); + return PolicyResult.ACCEPTED; + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_PROCESS_POLICYMAP_EXT", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); + return PolicyResult.REJECTED; + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); + + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); + return 
PolicyResult.REJECTED; + } + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + return mInstanceParams; + } + + /** + * Default config parameters. + * To add more permitted or excluded subtrees, + * increase the num to greater than 0 and more configuration params + * will show up in the console. + */ + private static Vector mDefParams = new Vector(); + static { + mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); + mDefParams.addElement( + PROP_NUM_POLICYMAPPINGS + "=" + DEF_NUM_POLICYMAPPINGS); + String policyMap0Dot = PROP_POLICYMAP + "0."; + + mDefParams.addElement( + policyMap0Dot + PolicyMap.PROP_ISSUER_DOMAIN_POLICY + "=" + ""); + mDefParams.addElement( + policyMap0Dot + PolicyMap.PROP_SUBJECT_DOMAIN_POLICY + "=" + ""); + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return mDefParams; + } + + public String[] getExtendedPluginInfo(Locale locale) { + Vector theparams = new Vector(); + + theparams.addElement(PROP_CRITICAL + ";boolean;RFC 2459 recommendation: MUST be non-critical."); + theparams.addElement(PROP_NUM_POLICYMAPPINGS + + ";number; Number of policy mappings. The value must be greater than or equal to 1"); + + String policyInfo = + ";string;An object identifier in the form n.n.n.n"; + + for (int k = 0; k < 5; k++) { + String policyMapkDot = PROP_POLICYMAP + k + "."; + + theparams.addElement(policyMapkDot + + PolicyMap.PROP_ISSUER_DOMAIN_POLICY + policyInfo); + theparams.addElement(policyMapkDot + + PolicyMap.PROP_SUBJECT_DOMAIN_POLICY + policyInfo); + } + + theparams.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-policymappings"); + theparams.addElement(IExtendedPluginInfo.HELP_TEXT + + ";Adds Policy Mappings Extension. 
See RFC 2459 (4.2.1.6)"); + + String[] params = new String[theparams.size()]; + + theparams.copyInto(params); + return params; + } +} + +class PolicyMap { + + protected static String PROP_ISSUER_DOMAIN_POLICY = "issuerDomainPolicy"; + protected static String PROP_SUBJECT_DOMAIN_POLICY = "subjectDomainPolicy"; + + protected String mName = null; + protected String mNameDot = null; + protected IConfigStore mConfig = null; + protected String mIssuerDomainPolicy = null; + protected String mSubjectDomainPolicy = null; + protected CertificatePolicyMap mCertificatePolicyMap = null; + + /** + * forms policy map parameters. + * + * @param name name of this policy map, for example policyMap0 + * @param config parent's config from where we find this configuration. + * @param enabled whether policy was enabled. + */ + protected PolicyMap(String name, IConfigStore config, boolean enabled) + throws EBaseException { + mName = name; + mConfig = config.getSubStore(mName); + mNameDot = mName + "."; + + if (mConfig == null) { + CMS.debug("PolicyMappingsExt::PolicyMap - mConfig is null!"); + return; + } + + // if there's no configuration for this map put it there. + if (mConfig.size() == 0) { + config.putString(mNameDot + PROP_ISSUER_DOMAIN_POLICY, ""); + config.putString(mNameDot + PROP_SUBJECT_DOMAIN_POLICY, ""); + mConfig = config.getSubStore(mName); + if (mConfig == null || mConfig.size() == 0) { + CMS.debug("PolicyMappingsExt::PolicyMap - mConfig " + + "is null or empty!"); + return; + } + } + + // get policy ids from configuration. 
+ mIssuerDomainPolicy = + mConfig.getString(PROP_ISSUER_DOMAIN_POLICY, null); + mSubjectDomainPolicy = + mConfig.getString(PROP_SUBJECT_DOMAIN_POLICY, null); + + // adjust for "" and console returning "null" + if (mIssuerDomainPolicy != null && + (mIssuerDomainPolicy.length() == 0 || + mIssuerDomainPolicy.equals("null"))) { + mIssuerDomainPolicy = null; + } + if (mSubjectDomainPolicy != null && + (mSubjectDomainPolicy.length() == 0 || + mSubjectDomainPolicy.equals("null"))) { + mSubjectDomainPolicy = null; + } + + // policy ids cannot be null if policy is enabled. + String msg = "value cannot be null."; + + if (mIssuerDomainPolicy == null && enabled) + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + mNameDot + PROP_ISSUER_DOMAIN_POLICY, msg)); + if (mSubjectDomainPolicy == null && enabled) + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + mNameDot + PROP_SUBJECT_DOMAIN_POLICY, msg)); + + // if a policy id is not null check that it is a valid OID. + ObjectIdentifier issuerPolicyId = null; + ObjectIdentifier subjectPolicyId = null; + + if (mIssuerDomainPolicy != null) + issuerPolicyId = CMS.checkOID( + mNameDot + PROP_ISSUER_DOMAIN_POLICY, mIssuerDomainPolicy); + if (mSubjectDomainPolicy != null) + subjectPolicyId = CMS.checkOID( + mNameDot + PROP_SUBJECT_DOMAIN_POLICY, mSubjectDomainPolicy); + + // if enabled, form CertificatePolicyMap to be encoded in extension. + // policy ids should be all set. + if (enabled) { + mCertificatePolicyMap = new CertificatePolicyMap( + new CertificatePolicyId(issuerPolicyId), + new CertificatePolicyId(subjectPolicyId)); + } + } + + protected void getInstanceParams(Vector instanceParams) { + instanceParams.addElement( + mNameDot + PROP_ISSUER_DOMAIN_POLICY + "=" + (mIssuerDomainPolicy == null ? "" : + mIssuerDomainPolicy)); + instanceParams.addElement( + mNameDot + PROP_SUBJECT_DOMAIN_POLICY + "=" + (mSubjectDomainPolicy == null ? "" : + mSubjectDomainPolicy)); + } + +} 
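Review bot: When the rule is enabled and the `PolicyMap` constructor takes one of its two early `return` paths (substore null, or still empty after the `putString` calls), `mCertificatePolicyMap` stays null and the "value cannot be null" validation is skipped, so `init` then adds a null entry to `certPolicyMaps` and hands it to `PolicyMappingsExtension`; whether that fails at construction or later at encode time is not visible here, but an enabled rule with a missing map should fail in `init` like the other validation errors do, e.g. `if (enabled) throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", mName, "policy map configuration is missing"));` before each `return`. The Javadoc on `mDefParams` ("To add more permitted or excluded subtrees") was copied from a name-constraints rule; suggest `* Default config parameters. Raise numPolicyMappings and the matching policyMap<n>.* entries appear in the console.` `getExtendedPluginInfo` loops over a hard-coded 5 policy-map slots unrelated to `mNumPolicyMappings`; give the number a name such as `private static final int MAX_CONSOLE_POLICY_MAPS = 5;` with a one-line comment that it only bounds what the console displays. `PolicyMap.PROP_ISSUER_DOMAIN_POLICY` and `PROP_SUBJECT_DOMAIN_POLICY` are `protected static` but not `final`, unlike every other `PROP_` constant in the file.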
diff --git a/base/common/src/com/netscape/cms/policy/extensions/PresenceExt.java b/base/common/src/com/netscape/cms/policy/extensions/PresenceExt.java new file mode 100644 index 000000000..e13a7a84c --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/PresenceExt.java @@ -0,0 +1,157 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.util.Locale; +import java.util.Vector; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Checks extension presence. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class PresenceExt extends APolicyRule { + private static Vector mDefParams = new Vector(); + private IConfigStore mConfig = null; + private String mOID = null; + private boolean mCritical; + private int mVersion = 0; + private String mStreetAddress; + private String mTelephoneNumber; + private String mRFC822Name; + private String mID; + private String mHostName; + private int mPortNumber = 0; + private int mMaxUsers = 0; + private int mServiceLevel = 0; + + public static final String PROP_IS_CRITICAL = "critical"; + public static final String PROP_OID = "oid"; + public static final String PROP_VERSION = "version"; + public static final String PROP_STREET_ADDRESS = "streetAddress"; + public static final String PROP_TELEPHONE_NUMBER = "telephoneNumber"; + public static final String PROP_RFC822_NAME = "rfc822Name"; + public static final String PROP_ID = "id"; + public static final String PROP_HOSTNAME = "hostName"; + public static final String PROP_PORT_NUMBER = "portNumber"; + public static final String PROP_MAX_USERS = "maxUsers"; + public static final String PROP_SERVICE_LEVEL = "serviceLevel"; + + static { + mDefParams.addElement(PROP_IS_CRITICAL + "=false"); + } + + public PresenceExt() { + NAME = "PresenceExtPolicy"; + DESC = "Sets Presence Server Extension in certificates."; + } + + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + + mCritical = config.getBoolean(PROP_IS_CRITICAL, false); + mOID = config.getString(PROP_OID, ""); + mVersion = config.getInteger(PROP_VERSION, 0); + mStreetAddress = config.getString(PROP_STREET_ADDRESS, ""); + mTelephoneNumber = config.getString(PROP_TELEPHONE_NUMBER, ""); + mRFC822Name = config.getString(PROP_RFC822_NAME, ""); + mID = config.getString(PROP_ID, ""); + mHostName = config.getString(PROP_HOSTNAME, ""); + mPortNumber = config.getInteger(PROP_PORT_NUMBER, 0); + mMaxUsers = 
config.getInteger(PROP_MAX_USERS, 0); + mServiceLevel = config.getInteger(PROP_SERVICE_LEVEL, 0); + } + + public PolicyResult apply(IRequest req) { + PolicyResult res = PolicyResult.ACCEPTED; + + /* + PresenceServerExtension ext = new PresenceServerExtension(mCritical, + mOID, mVersion, mStreetAddress, + mTelephoneNumber, mRFC822Name, mID, + mHostName, mPortNumber, mMaxUsers, mServiceLevel); + */ + + return res; + } + + public Vector getInstanceParams() { + Vector params = new Vector(); + + params.addElement(PROP_IS_CRITICAL + "=" + mCritical); + params.addElement(PROP_OID + "=" + mOID); + params.addElement(PROP_VERSION + "=" + mVersion); + params.addElement(PROP_STREET_ADDRESS + "=" + mStreetAddress); + params.addElement(PROP_TELEPHONE_NUMBER + "=" + mTelephoneNumber); + params.addElement(PROP_RFC822_NAME + "=" + mRFC822Name); + params.addElement(PROP_ID + "=" + mID); + params.addElement(PROP_HOSTNAME + "=" + mHostName); + params.addElement(PROP_PORT_NUMBER + "=" + mPortNumber); + params.addElement(PROP_MAX_USERS + "=" + mMaxUsers); + params.addElement(PROP_SERVICE_LEVEL + "=" + mServiceLevel); + return params; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_IS_CRITICAL + ";boolean;Criticality", + PROP_OID + ";string; Object identifier of this extension", + PROP_VERSION + ";string; version", + PROP_STREET_ADDRESS + ";string; street address", + PROP_TELEPHONE_NUMBER + ";string; telephone number", + PROP_RFC822_NAME + ";string; rfc822 name", + PROP_ID + ";string; identifier", + PROP_HOSTNAME + ";string; host name", + PROP_PORT_NUMBER + ";string; port number", + PROP_MAX_USERS + ";string; max users", + PROP_SERVICE_LEVEL + ";string; service level", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-presenceext", + IExtendedPluginInfo.HELP_TEXT + + ";Adds Presence Server Extension;" + + }; + + return params; + } + + /** + * Return default parameters for a policy implementation. 
+ * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return mDefParams; + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java b/base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java new file mode 100644 index 000000000..3b80246a9 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java 
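Review bot: `apply` is a no-op (the `PresenceServerExtension` construction is commented out), so a rule whose DESC reads "Sets Presence Server Extension in certificates." accepts every request without changing the certificate; if the extension cannot be restored here, the method should say so explicitly, e.g. `// TODO: PresenceServerExtension construction is disabled; this rule currently never modifies the certificate`. The class defines `getExtendedPluginInfo` but does not declare `implements IExtendedPluginInfo` even though the interface is imported; if the console discovers plugin info through that interface, this method is never reached, and `public class PresenceExt extends APolicyRule implements IExtendedPluginInfo {` would fix it. `init` reads `version`, `portNumber`, `maxUsers` and `serviceLevel` with `getInteger`, while `getExtendedPluginInfo` advertises them as `;string;`; they should be `;integer;` as PolicyConstraintsExt does for its numeric parameters. `mDefParams` lists only `critical=false` whereas `getInstanceParams` exposes eleven properties, so the defaults the console offers do not match what the rule actually reads. `mConfig` is assigned in `init` and never read.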
@@ -0,0 +1,252 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.text.SimpleDateFormat; +import java.util.Date; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.PrivateKeyUsageExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.EPolicyException; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * PrivateKeyUsagePeriod Identifier Extension policy. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class PrivateKeyUsagePeriodExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + + private final static String PROP_NOT_BEFORE = "notBefore"; + private final static String PROP_NOT_AFTER = "notAfter"; + protected static final String PROP_IS_CRITICAL = "critical"; + + // 6 months roughly + private final static long defDuration = 60L * 60 * 24 * 180 * 1000; + + private static final String DATE_PATTERN = "MM/dd/yyyy"; + static SimpleDateFormat formatter = new SimpleDateFormat(DATE_PATTERN); + private static Date now = CMS.getCurrentDate(); + private static Date six_months = new Date(now.getTime() + defDuration); + + public static final String DEFAULT_NOT_BEFORE = formatter.format(now); + public static final String DEFAULT_NOT_AFTER = formatter.format(six_months); + + // PKIX specifies the that the extension SHOULD NOT be critical + public static final boolean DEFAULT_CRITICALITY = false; + + protected String mNotBefore; + protected String mNotAfter; + protected boolean mCritical; + + private static Vector defaultParams; + + static { + + formatter.setLenient(false); + + defaultParams = new Vector(); + defaultParams.addElement(PROP_IS_CRITICAL + "=" + DEFAULT_CRITICALITY); + defaultParams.addElement(PROP_NOT_BEFORE + "=" + DEFAULT_NOT_BEFORE); + defaultParams.addElement(PROP_NOT_AFTER + "=" + DEFAULT_NOT_AFTER); + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_IS_CRITICAL + ";boolean;RFC 2459 recommendation: The profile " + + "recommends against the use of this extension. 
CAs " + + "conforming to the profile MUST NOT generate certs with " + + "critical private key usage period extensions.", + PROP_NOT_BEFORE + ";string; Date before which the Private Key is invalid.", + PROP_NOT_AFTER + ";string; Date after which the Private Key is invalid.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-privatekeyusageperiod", + IExtendedPluginInfo.HELP_TEXT + + ";Adds (deprecated) Private Key Usage Period Extension. " + + "Defined in RFC 2459 (4.2.1.4)" + }; + + return params; + } + + /** + * Adds the private key usage extension to all certs. + */ + public PrivateKeyUsagePeriodExt() { + NAME = "PrivateKeyUsagePeriodExt"; + DESC = "Sets Private Key Usage Extension for a certificate"; + } + + /** + * Initializes this policy rule. + * ra.Policy.rule..implName=PrivateKeyUsageExtension + * ra.Policy.rule..enable=true + * ra.Policy.rule..notBefore=30 + * ra.Policy.rule..notAfter=180 + * ra.Policy.rule..critical=false + * ra.Policy.rule..predicate=ou==Sales + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + + try { + // Get params. + mNotBefore = config.getString(PROP_NOT_BEFORE, null); + mNotAfter = config.getString(PROP_NOT_AFTER, null); + mCritical = config.getBoolean(PROP_IS_CRITICAL, false); + + // Check the parameter formats for errors + formatter.format(formatter.parse(mNotBefore.trim())); + formatter.format(formatter.parse(mNotAfter.trim())); + } catch (Exception e) { + // e.printStackTrace(); + Object[] params = { getInstanceName(), e }; + + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG"), params); + } + + } + + /** + * Adds a private key usage extension if none exists. + * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + + // get cert info. 
+ X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; // unrecoverable error. + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certRes = applyCert(req, ci[i]); + + if (certRes == PolicyResult.REJECTED) + return certRes; + } + return PolicyResult.ACCEPTED; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + // get private key usage extension from cert info if any. + CertificateExtensions extensions = null; + PrivateKeyUsageExtension ext = null; + + try { + // get subject key id extension if any. + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + } catch (IOException e) { + // no extensions or subject key identifier extension. + } catch (CertificateException e) { + // no extensions or subject key identifier extension. + } + + if (extensions == null) { + extensions = new CertificateExtensions(); + } else { + // remove any previously computed version of the extension + try { + extensions.delete(PrivateKeyUsageExtension.NAME); + + } catch (IOException e) { + } + + } + + try { + ext = new PrivateKeyUsageExtension( + formatter.parse(mNotBefore), + formatter.parse(mNotAfter)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + extensions.set(PrivateKeyUsageExtension.NAME, ext); + } catch (Exception e) { + if (e instanceof RuntimeException) + throw (RuntimeException) e; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_CREATE_PRIVATE_KEY_EXT", e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR"), NAME); + return PolicyResult.REJECTED; + } + return PolicyResult.ACCEPTED; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return Empty Vector since this policy has no configuration parameters. + * for this policy instance. 
+ */ + public Vector getInstanceParams() { + Vector params = new Vector(); + + params.addElement(PROP_IS_CRITICAL + "=" + mCritical); + params.addElement(PROP_NOT_BEFORE + "=" + mNotBefore); + params.addElement(PROP_NOT_AFTER + "=" + mNotAfter); + return params; + } + + /** + * Return default parameters for a policy implementation. + * + * @return Empty Vector since this policy implementation has no + * configuration parameters. + */ + public Vector getDefaultParams() { + Vector defParams = new Vector(); + + defParams.addElement(PROP_IS_CRITICAL + "=" + DEFAULT_CRITICALITY); + defParams.addElement(PROP_NOT_BEFORE + "=" + DEFAULT_NOT_BEFORE); + defParams.addElement(PROP_NOT_AFTER + "=" + DEFAULT_NOT_AFTER); + return defParams; + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/RemoveBasicConstraintsExt.java b/base/common/src/com/netscape/cms/policy/extensions/RemoveBasicConstraintsExt.java new file mode 100644 index 000000000..2a5af4240 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/RemoveBasicConstraintsExt.java 
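Review bot: `formatter` is a single static SimpleDateFormat that `applyCert` calls `parse` on for every request; SimpleDateFormat is not thread-safe, so if the policy processor applies rules to several requests concurrently the parsed dates can be corrupted and the extension written with wrong validity bounds without any error. Since `mNotBefore`/`mNotAfter` are already validated once in `init`, parse them there into two `Date` fields and build the extension from those, e.g. `ext = new PrivateKeyUsageExtension(mNotBeforeDate, mNotAfterDate);`. Two smaller points in the same hunk: `init` validates `mNotBefore.trim()` but `applyCert` parses the untrimmed string, so a value with surrounding whitespace passes configuration and then fails at request time; and the failure path in `applyCert` reports `CMS_POLICY_SUBJECT_KEY_ID_ERROR`, which looks copied from the subject-key-id policy and will mislead whoever reads the rejected request. The empty `catch (IOException e) {}` around `extensions.delete` deserves at least a comment such as `// extension not present; nothing to remove`.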
@@ -0,0 +1,143 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.BasicConstraintsExtension; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Remove Basic Constraints policy. + * Adds the Basic constraints extension. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class RemoveBasicConstraintsExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + public RemoveBasicConstraintsExt() { + NAME = "RemoveBasicConstraintsExt"; + DESC = "Remove Basic Constraints extension"; + } + + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + } + + public PolicyResult apply(IRequest req) { + + // get cert info. + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + X509CertInfo certInfo = null; + + if (ci == null || (certInfo = ci[0]) == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; // unrecoverable error. + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certResult = applyCert(req, certInfo); + + if (certResult == PolicyResult.REJECTED) + return certResult; + } + return PolicyResult.ACCEPTED; + } + + public PolicyResult applyCert( + IRequest req, X509CertInfo certInfo) { + // get basic constraints extension from cert info if any. + CertificateExtensions extensions = null; + + try { + // get basic constraints extension if any. + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + if (extensions != null) { + try { + extensions.delete(BasicConstraintsExtension.NAME); + CMS.debug("PolicyRule RemoveBasicConstraintsExt: removed the extension from request " + + req.getRequestId().toString()); + } catch (IOException e) { + } + } + } catch (IOException e) { + // no extensions or basic constraints extension. + } catch (CertificateException e) { + // no extensions or basic constraints extension. + } + return PolicyResult.ACCEPTED; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. 
+ */ + public Vector getInstanceParams() { + Vector params = new Vector(); + + return params; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + Vector defParams = new Vector(); + + return defParams; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-removebasicconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Removes the Basic Constraints extension." + }; + + return params; + } + +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java b/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java new file mode 100644 index 000000000..63bd8804c --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java 
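Review bot: The loop in `apply` walks `ci.length` entries but always passes `certInfo`, which was bound to `ci[0]`, so for a request carrying several certificate infos only the first has its Basic Constraints extension removed while the others keep it; the call should be `PolicyResult certResult = applyCert(req, ci[i]);`. The inner `catch (IOException e) {}` around `extensions.delete` is empty and swallows the failure silently; if "not present" is the only expected cause, say so with a comment like `// extension not present; nothing to remove`, otherwise log it, because a delete that fails for any other reason leaves a CA-capable constraint in the issued certificate with no trace in the logs.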
@@ -0,0 +1,355 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.GeneralNames; +import netscape.security.x509.RFC822Name; +import netscape.security.x509.SubjectAlternativeNameExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * + * THIS POLICY HAS BEEN DEPRECATED SINCE CMS 4.2. + * New Policy is com.netscape.certsrv.policy.SubjectAltNameExt. + *

+ * + * Subject Alternative Name extension policy in CMS 4.1. + * + * Adds the subject alternative name extension depending on the certificate type requested. + * + * Two forms are supported. 1) For S/MIME certificates, email addresses are copied from data stored in the request by + * the authentication component. Both 'e' and 'altEmail' are supported so that both the primary address and alternative + * forms may be certified. Only the primary goes in the subjectName position (which should be phased out). + * + * e mailAlternateAddress + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class SubjAltNameExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + // for future use. currently always allow. + protected static final String PROP_AGENT_OVERR = "allowAgentOverride"; + protected static final String PROP_EE_OVERR = "AllowEEOverride"; + protected static final String PROP_ENABLE_MANUAL_VALUES = + "enableManualValues"; + + // for future use. currently always non-critical + // (standard says SHOULD be marked critical if included.) + protected static final String PROP_CRITICAL = "critical"; + + // for future use to allow overrides from forms. + // request must be agent approved or authenticated. + protected boolean mAllowAgentOverride = false; + protected boolean mAllowEEOverride = false; + protected boolean mEnableManualValues = false; + + // for future use. currently always critical + // (standard says SHOULD be marked critical if included.) + protected boolean mCritical = false; + + public SubjAltNameExt() { + NAME = "SubjAltNameExt"; + DESC = "Sets alternative subject names for certificates"; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_CRITICAL + + ";boolean;RFC 2459 recommendation: If the certificate subject field contains an empty sequence, the subjectAltName extension MUST be marked critical.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-subjaltname", + IExtendedPluginInfo.HELP_TEXT + + ";This policy inserts the Subject Alternative Name " + + "Extension into the certificate. See RFC 2459 (4.2.1.7). " + + "* Note: you probably want to use this policy in " + + "conjunction with an authentication manager which sets " + + "the 'mail' or 'mailalternateaddress' values in the authToken. " + + "See the 'ldapStringAttrs' parameter in the Directory-based " + + "authentication plugin" + }; + + return params; + + } + + /** + * Initializes this policy rule. + *

+ * + * The entries may be of the form: + * + * ra.Policy.rule..implName=SubjAltNameExt ra.Policy.rule..enable=true + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + // future use. + mAllowAgentOverride = config.getBoolean(PROP_AGENT_OVERR, false); + mAllowEEOverride = config.getBoolean(PROP_EE_OVERR, false); + mCritical = config.getBoolean(PROP_CRITICAL, false); + // mEnableManualValues = config.getBoolean(PROP_ENABLE_MANUAL_VALUES, false); + } + + /** + * Adds the subject alternative names extension if not set already. + * + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + PolicyResult res = PolicyResult.ACCEPTED; + + // Find the X509CertInfo object in the request + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + + return PolicyResult.REJECTED; // unrecoverable error. + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certRes = applyCert(req, ci[i]); + + if (certRes == PolicyResult.REJECTED) + return certRes; + } + return res; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + PolicyResult res = PolicyResult.ACCEPTED; + + // + // General error handling block + // + apply: try { + + // Find the extensions in the certInfo + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + + if (extensions != null) { + // + // Remove any previously computed version of the extension + // + try { + extensions.delete(SubjectAlternativeNameExtension.NAME); + } catch (IOException e) { + // extension isn't there + } + } + + // + // Determine the type of the request. For future expansion + // this test should dispatch to a specialized object to + // handle each particular type. For now just return for + // non-client certs, and implement client certs directly here. 
+ // + String certType = + req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); + + if (certType == null || + !certType.equals(IRequest.CLIENT_CERT) || + !req.getExtDataInBoolean(IRequest.SMIME, false)) { + break apply; + } + + // Create a list of email addresses that should be added + // to the certificate + + IAuthToken tok = findAuthToken(req, null); + + if (tok == null) + break apply; + + Vector emails = getEmailList(tok); + + if (emails == null) + break apply; + + // Create the extension + SubjectAlternativeNameExtension subjAltNameExt = mkExt(emails); + + if (extensions == null) + extensions = createCertificateExtensions(certInfo); + + extensions.set(SubjectAlternativeNameExtension.NAME, + subjAltNameExt); + + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); + return PolicyResult.REJECTED; // unrecoverable error. + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); + return PolicyResult.REJECTED; // unrecoverable error. + } + + return res; + } + + /** + * Find a particular authentication token by manager name. 
+ * If the token is not present return null + */ + protected IAuthToken + findAuthToken(IRequest req, String authMgrName) { + + return req.getExtDataInAuthToken(IRequest.AUTH_TOKEN); + } + + /** + * Generate a String Vector containing all the email addresses + * found in this Authentication token + */ + protected Vector /* of String */ + getEmailList(IAuthToken tok) { + + Vector v = new Vector(); + + addValues(tok, "mail", v); + addValues(tok, "mailalternateaddress", v); + + if (v.size() == 0) + return null; + + return v; + } + + /** + * Add attribute values from an LDAP attribute to a vector + */ + protected void + addValues(IAuthToken tok, String attrName, Vector v) { + String attr[] = tok.getInStringArray(attrName); + + if (attr == null) + return; + + for (int i = 0; i < attr.length; i++) { + v.addElement(attr[i]); + } + } + + /** + * Make a Subject name extension given a list of email addresses + */ + protected SubjectAlternativeNameExtension + mkExt(Vector emails) + throws IOException { + SubjectAlternativeNameExtension sa; + GeneralNames gns = new GeneralNames(); + + for (int i = 0; i < emails.size(); i++) { + String email = emails.elementAt(i); + + gns.addElement(new RFC822Name(email)); + } + + sa = new SubjectAlternativeNameExtension(gns); + + return sa; + } + + /** + * Create a new SET of extensions in the certificate info + * object. + * + * This should be a method in the X509CertInfo object + */ + protected CertificateExtensions + createCertificateExtensions(X509CertInfo certInfo) + throws IOException, CertificateException { + CertificateExtensions extensions; + + // Force version to V3 + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + + return extensions; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. 
+ */ + public Vector getInstanceParams() { + Vector params = new Vector(); + + //params.addElement("PROP_AGENT_OVERR = " + mAllowAgentOverride); + //params.addElement("PROP_EE_OVERR = " + mAllowEEOverride); + params.addElement(PROP_CRITICAL + "=" + mCritical); + // params.addElement(PROP_ENABLE_MANUAL_VALUES + " = " + + // mEnableManualValues); + return params; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + Vector defParams = new Vector(); + + //defParams.addElement("PROP_AGENT_OVERR = " + DEF_AGENT_OVERR); + //defParams.addElement("PROP_EE_OVERR = " + DEF_EE_OVERR); + defParams.addElement(PROP_CRITICAL + "=false"); + // defParams.addElement(PROP_ENABLE_MANUAL_VALUES + "= false"); + + return defParams; + } +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java b/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java new file mode 100644 index 000000000..62f0b21da --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java 
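Review bot: `mCritical` is read from the `critical` parameter in `init` and echoed back by `getInstanceParams`, but `mkExt` builds the extension with `new SubjectAlternativeNameExtension(gns)` and never consults it, so an administrator who configures the extension as critical silently gets a non-critical one; either pass it through, `sa = new SubjectAlternativeNameExtension(mCritical, gns);`, or drop the parameter from the plugin info so the UI stops offering it. The plugin help text quotes the RFC 2459 rule that the extension MUST be critical when the subject is empty, yet `applyCert` never inspects the subject; the sibling SubjectAltNameExt class in this commit does, and since this class is already marked deprecated a comment pointing at that replacement would help. Separately, `getEmailList` and `mkExt` use a raw `Vector`, and as rendered `String email = emails.elementAt(i);` would need a cast; declaring `Vector<String>` removes the cast and lets the compiler check the contents.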
@@ -0,0 +1,331 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.GeneralName; +import netscape.security.x509.GeneralNames; +import netscape.security.x509.SubjectAlternativeNameExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.policy.IGeneralNameUtil; +import com.netscape.certsrv.policy.IPolicyProcessor; +import com.netscape.certsrv.policy.ISubjAltNameConfig; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Subject 
Alternative Name extension policy. + * + * Adds the subject alternative name extension as configured. + * + * Two forms are supported. 1) For S/MIME certificates, email + * addresses are copied from data stored in the request by the + * authentication component. Both 'e' and 'altEmail' are supported + * so that both the primary address and alternative forms may be + * certified. Only the primary goes in the subjectName position (which + * should be phased out). + * + * e + * mailAlternateAddress + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class SubjectAltNameExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + // (standard says SHOULD be marked critical if included.) + protected static final String PROP_CRITICAL = "critical"; + protected static final boolean DEF_CRITICAL = false; + + protected IConfigStore mConfig = null; + protected boolean mEnabled = false; + protected boolean mCritical = DEF_CRITICAL; + protected int mNumGNs = 0; + protected ISubjAltNameConfig[] mGNs = null; + + Vector mInstanceParams = new Vector(); + + // init default params and extended plugin info. + private static Vector mDefParams = new Vector(); + static { + // default params. + mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); + mDefParams.addElement( + IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" + + IGeneralNameUtil.DEF_NUM_GENERALNAMES); + for (int i = 0; i < IGeneralNameUtil.DEF_NUM_GENERALNAMES; i++) { + CMS.getSubjAltNameConfigDefaultParams( + IGeneralNameUtil.PROP_GENERALNAME + i, mDefParams); + } + } + + private String[] mExtendedPluginInfo = null; + + public SubjectAltNameExt() { + NAME = "SubjectAltNameExt"; + DESC = "Sets alternative subject names for certificates"; + } + + /** + * Initializes this policy rule. + *

+ * + * The entries may be of the form: + * + * ra.Policy.rule..implName=SubjectAltNameExt ra.Policy.rule..enable=true + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + + // get criticality + mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); + + // get enabled + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); + + // get general names configuration. + mNumGNs = mConfig.getInteger(IGeneralNameUtil.PROP_NUM_GENERALNAMES); + if (mNumGNs <= 0) { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER", + IGeneralNameUtil.PROP_NUM_GENERALNAMES)); + } + mGNs = new ISubjAltNameConfig[mNumGNs]; + for (int i = 0; i < mNumGNs; i++) { + String name = IGeneralNameUtil.PROP_GENERALNAME + i; + IConfigStore substore = mConfig.getSubStore(name); + + mGNs[i] = CMS.createSubjAltNameConfig(name, substore, mEnabled); + } + + // init instance params. + mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); + mInstanceParams.addElement( + IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" + mNumGNs); + for (int j = 0; j < mGNs.length; j++) { + mGNs[j].getInstanceParams(mInstanceParams); + } + } + + /** + * Adds the subject alternative names extension if not set already. + * + *

+ * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + PolicyResult res = PolicyResult.ACCEPTED; + + // Find the X509CertInfo object in the request + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + + return PolicyResult.REJECTED; // unrecoverable error. + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certRes = applyCert(req, ci[i]); + + if (certRes == PolicyResult.REJECTED) + return certRes; + } + return res; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + PolicyResult res = PolicyResult.ACCEPTED; + + try { + // Find the extensions in the certInfo + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + + // Remove any previously computed version of the extension + // unless it is from RA. If from RA, accept what RA put in + // request and don't add our own. + if (extensions != null) { + String sourceId = req.getSourceId(); + + if (sourceId != null && sourceId.length() > 0) + return res; // accepted + try { + extensions.delete(SubjectAlternativeNameExtension.NAME); + } catch (IOException e) { + // extension isn't there + } + } + + // form list of general names for the extension. 
+ GeneralNames gns = new GeneralNames(); + + for (int i = 0; i < mNumGNs; i++) { + Object value = null; + + value = req.getExtDataInString(mGNs[i].getPfx(), mGNs[i].getAttr()); + if (value == null) { + continue; + } + Vector gn = mGNs[i].formGeneralNames(value); + + if (gn.size() == 0) + continue; + for (Enumeration n = gn.elements(); n.hasMoreElements();) { + gns.addElement(n.nextElement()); + } + } + + // nothing was found in request to put into extension + if (gns.size() == 0) + return res; // accepted + + String subject = certInfo.get(X509CertInfo.SUBJECT).toString(); + + boolean curCritical = mCritical; + + if (subject.equals("")) { + curCritical = true; + } + + // make the extension + SubjectAlternativeNameExtension sa = new SubjectAlternativeNameExtension(curCritical, gns); + + // add it to certInfo. + if (extensions == null) + extensions = createCertificateExtensions(certInfo); + + extensions.set(SubjectAlternativeNameExtension.NAME, sa); + + return res; // accepted. + + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); + return PolicyResult.REJECTED; // unrecoverable error. + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); + return PolicyResult.REJECTED; // unrecoverable error. + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_INTERNAL_ERROR_1", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Internal Error"); + return PolicyResult.REJECTED; // unrecoverable error. + } + } + + /** + * Create a new SET of extensions in the certificate info + * object. 
+ * + * This should be a method in the X509CertInfo object + */ + protected CertificateExtensions + createCertificateExtensions(X509CertInfo certInfo) + throws IOException, CertificateException { + CertificateExtensions extensions; + + // Force version to V3 + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + + return extensions; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + return mInstanceParams; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return mDefParams; + } + + public String[] getExtendedPluginInfo(Locale locale) { + + // extended plugin info. + Vector info = new Vector(); + + info.addElement(PROP_CRITICAL + + ";boolean;RFC2459 recommendation: If the certificate subject field contains an empty sequence, the extension MUST be marked critical."); + info.addElement(IGeneralNameUtil.PROP_NUM_GENERALNAMES_INFO); + for (int i = 0; i < IGeneralNameUtil.DEF_NUM_GENERALNAMES; i++) { + CMS.getSubjAltNameConfigExtendedPluginInfo( + IGeneralNameUtil.PROP_GENERALNAME + i, info); + } + info.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-subjaltname"); + info.addElement(IExtendedPluginInfo.HELP_TEXT + + ";This policy inserts the Subject Alternative Name " + + "Extension into the certificate. See RFC 2459 (4.2.1.7). " + + "* Note: you probably want to use this policy in " + + "conjunction with an authentication manager which sets " + + "the 'mail' or 'mailalternateaddress' values in the authToken. 
" + + "See the 'ldapStringAttrs' parameter in the Directory-based " + + "authentication plugin"); + mExtendedPluginInfo = new String[info.size()]; + info.copyInto(mExtendedPluginInfo); + return mExtendedPluginInfo; + } + +} diff --git a/base/common/src/com/netscape/cms/policy/extensions/SubjectDirectoryAttributesExt.java b/base/common/src/com/netscape/cms/policy/extensions/SubjectDirectoryAttributesExt.java new file mode 100644 index 000000000..6b4e7ead9 --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/SubjectDirectoryAttributesExt.java 
@@ -0,0 +1,428 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.util.DerValue; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.AVAValueConverter; +import netscape.security.x509.Attribute; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.SubjectDirAttributesExtension; +import netscape.security.x509.X500NameAttrMap; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Policy to add the subject 
directory attributes extension. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class SubjectDirectoryAttributesExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + protected static final String PROP_CRITICAL = "critical"; + protected static final String PROP_ATTRIBUTE = "attribute"; + protected static final String PROP_NUM_ATTRIBUTES = "numAttributes"; + + protected static final boolean DEF_CRITICAL = false; + protected static final int DEF_NUM_ATTRIBUTES = 3; + protected static final int MAX_NUM_ATTRIBUTES = 10; + + protected boolean mCritical; + protected int mNumAttributes; + protected AttributeConfig[] mAttributes = null; + + protected IConfigStore mConfig; + protected SubjectDirAttributesExtension mExt = null; + + protected Vector mParams = new Vector(); + private String[] mEPI = null; // extended plugin info + protected static Vector mDefParams = new Vector(); + + static { + setDefaultParams(); + } + + public SubjectDirectoryAttributesExt() { + NAME = "SubjectDirectoryAttributesExtPolicy"; + DESC = "Sets Subject Directory Attributes Extension in certificates."; + setExtendedPluginInfo(); + } + + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + boolean enabled = config.getBoolean("enabled", false); + + mConfig = config; + + mCritical = mConfig.getBoolean(PROP_CRITICAL, false); + mNumAttributes = mConfig.getInteger(PROP_NUM_ATTRIBUTES, DEF_NUM_ATTRIBUTES); + if (mNumAttributes < 1) { + EBaseException ex = new EBaseException( + CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER", PROP_NUM_ATTRIBUTES)); + + log(ILogger.LL_FAILURE, NAME + " Error: " + ex.toString()); + throw ex; + } + mAttributes = new AttributeConfig[mNumAttributes]; + for (int i = 0; i < mNumAttributes; i++) { + String name = PROP_ATTRIBUTE + i; + IConfigStore c = mConfig.getSubStore(name); + + mAttributes[i] = new AttributeConfig(name, c, enabled); + } + if (enabled) { + try { + mExt = formExt(null); + } catch (IOException e) { + 
log(ILogger.LL_FAILURE, NAME + " Error: " + e.getMessage()); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Error forming Subject Directory Attributes Extension. " + + "See log file for details.")); + } + } + setInstanceParams(); + } + + public PolicyResult apply(IRequest req) { + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; // unrecoverable error. + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult r = applyCert(req, ci[i]); + + if (r == PolicyResult.REJECTED) + return r; + } + return PolicyResult.ACCEPTED; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + CertificateExtensions extensions = null; + + try { + // get extension and remove if exists. + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + if (extensions == null) { + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + } else { + try { + extensions.delete(SubjectDirAttributesExtension.NAME); + } catch (IOException ee) { + // if name is not found, try deleting the extension using the OID + try { + extensions.delete("2.5.29.9"); + } catch (IOException eee) { + } + } + } + + // form extension and set. 
+ if (mExt != null) { + extensions.set(SubjectDirAttributesExtension.NAME, mExt); + } else { + SubjectDirAttributesExtension ext = formExt(req); + + if (ext != null) + extensions.set(SubjectDirAttributesExtension.NAME, formExt(req)); + } + return PolicyResult.ACCEPTED; + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); + return PolicyResult.REJECTED; // unrecoverable error. + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "IOException Error"); + return PolicyResult.REJECTED; + } + } + + public Vector getInstanceParams() { + return mParams; // inited in init() + } + + public Vector getDefaultParams() { + return mDefParams; + } + + public String[] getExtendedPluginInfo(Locale locale) { + return mEPI; // inited in the constructor. + } + + private void setInstanceParams() { + mParams.addElement(PROP_CRITICAL + "=" + mCritical); + mParams.addElement(PROP_NUM_ATTRIBUTES + "=" + mNumAttributes); + for (int i = 0; i < mNumAttributes; i++) { + mAttributes[i].getInstanceParams(mParams); + } + // clean up others if exists. expensive. 
+ for (int j = mNumAttributes; j < MAX_NUM_ATTRIBUTES; j++) { + mConfig.removeSubStore(PROP_ATTRIBUTE + j); + } + } + + private static void setDefaultParams() { + mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); + mDefParams.addElement(PROP_NUM_ATTRIBUTES + "=" + DEF_NUM_ATTRIBUTES); + for (int i = 0; i < DEF_NUM_ATTRIBUTES; i++) { + AttributeConfig.getDefaultParams(PROP_ATTRIBUTE + i, mDefParams); + } + } + + private void setExtendedPluginInfo() { + Vector v = new Vector(); + + v.addElement(PROP_CRITICAL + ";boolean;" + + "RFC 2459 recommendation: MUST be non-critical."); + v.addElement(PROP_NUM_ATTRIBUTES + ";number;" + + "Number of Attributes in the extension."); + + for (int i = 0; i < MAX_NUM_ATTRIBUTES; i++) { + AttributeConfig.getExtendedPluginInfo(PROP_ATTRIBUTE + i, v); + } + + v.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-subjectdirectoryattributes"); + v.addElement(IExtendedPluginInfo.HELP_TEXT + + + ";Adds Subject Directory Attributes extension. See RFC 2459 (4.2.1.9). It's not recommended as an essential part of the profile, but may be used in local environments."); + + mEPI = com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); + } + + private SubjectDirAttributesExtension formExt(IRequest req) + throws IOException { + Vector attrs = new Vector(); + + // if we're called from init and one attribute is from request attribute + // the ext can't be formed yet. + if (req == null) { + for (int i = 0; i < mNumAttributes; i++) { + if (mAttributes[i].mWhereToGetValue == AttributeConfig.USE_REQUEST_ATTR) + return null; + } + } + // either we're called from apply or all values are fixed. + for (int i = 0; i < mNumAttributes; i++) { + if (mAttributes[i].mAttribute != null) { + attrs.addElement(mAttributes[i].mAttribute); + } else { + // skip attribute if request attribute doesn't exist. 
+ Attribute a = mAttributes[i].formAttr(req); + + if (a == null) + continue; + attrs.addElement(a); + } + } + if (attrs.size() == 0) + return null; + Attribute[] attrList = new Attribute[attrs.size()]; + + attrs.copyInto(attrList); + SubjectDirAttributesExtension ext = + new SubjectDirAttributesExtension(attrList); + + return ext; + } +} + +class AttributeConfig { + + protected static final String PROP_ATTRIBUTE_NAME = "attributeName"; + protected static final String PROP_WTG_VALUE = "whereToGetValue"; + protected static final String PROP_VALUE = "value"; + + protected static final String USE_REQUEST_ATTR = "Request Attribute"; + protected static final String USE_FIXED = "Fixed Value"; + + protected String mAttributeName = null; + protected String mWhereToGetValue = null; + protected String mValue = null; + + protected String mPrefix = null; + protected String mReqAttr = null; + protected ObjectIdentifier mAttributeOID = null; + + protected String mName = null; + protected IConfigStore mConfig = null; + protected Attribute mAttribute = null; + + protected static final String ATTRIBUTE_NAME_INFO = "Attribute name."; + protected static final String WTG_VALUE_INFO = + PROP_WTG_VALUE + ";choice(" + USE_REQUEST_ATTR + "," + USE_FIXED + ");" + + "Get value from a request attribute or use a fixed value specified below."; + protected static final String VALUE_INFO = + PROP_VALUE + ";string;" + + "Request attribute name or a fixed value to put into the extension."; + + public AttributeConfig(String name, IConfigStore config, boolean enabled) + throws EBaseException { + X500NameAttrMap map = X500NameAttrMap.getDefault(); + + mName = name; + mConfig = config; + if (enabled) { + mAttributeName = mConfig.getString(PROP_ATTRIBUTE_NAME); + mWhereToGetValue = mConfig.getString(PROP_WTG_VALUE); + mValue = mConfig.getString(PROP_VALUE); + } else { + mAttributeName = mConfig.getString(PROP_ATTRIBUTE_NAME, ""); + mWhereToGetValue = mConfig.getString(PROP_WTG_VALUE, USE_REQUEST_ATTR); 
+ mValue = mConfig.getString(PROP_VALUE, ""); + } + + if (mAttributeName.length() > 0) { + mAttributeOID = map.getOid(mAttributeName); + if (mAttributeOID == null) + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", mAttributeName)); + } + + if (mWhereToGetValue.equalsIgnoreCase(USE_REQUEST_ATTR)) { + mWhereToGetValue = USE_REQUEST_ATTR; + if (enabled && mValue.length() == 0) { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", PROP_VALUE)); + } + int dot = mValue.indexOf('.'); + + if (dot != -1) { + mPrefix = mValue.substring(0, dot); + mReqAttr = mValue.substring(dot + 1); + if (mPrefix == null || mPrefix.length() == 0 || + mReqAttr == null || mReqAttr.length() == 0) { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", mValue)); + } + } else { + mPrefix = null; + mReqAttr = mValue; + } + } else if (mWhereToGetValue.equalsIgnoreCase(USE_FIXED)) { + mWhereToGetValue = USE_FIXED; + if (mAttributeOID != null) { + try { + checkValue(mAttributeOID, mValue); + mAttribute = new Attribute(mAttributeOID, mValue); + } catch (Exception e) { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + mAttributeName, e.getMessage())); + } + } + } else if (enabled || mWhereToGetValue.length() > 0) { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_VALUE_FOR_TYPE", PROP_WTG_VALUE, + "Must be either '" + USE_REQUEST_ATTR + "' or '" + USE_FIXED + "'.")); + } + } + + public static void getDefaultParams(String name, Vector v) { + String nameDot = name + "."; + + v.addElement(nameDot + PROP_ATTRIBUTE_NAME + "="); + v.addElement(nameDot + PROP_WTG_VALUE + "=" + USE_REQUEST_ATTR); + v.addElement(nameDot + PROP_VALUE + "="); + } + + public static void getExtendedPluginInfo(String name, Vector v) { + String nameDot = name + "."; + String attrChoices = getAllNames(); + + v.addElement(nameDot + PROP_ATTRIBUTE_NAME + ";choice(" + attrChoices + ");" + + ATTRIBUTE_NAME_INFO); 
+ v.addElement(nameDot + WTG_VALUE_INFO);
+ v.addElement(nameDot + VALUE_INFO);
+ }
+
+ public void getInstanceParams(Vector v) {
+ String nameDot = mName + ".";
+
+ v.addElement(nameDot + PROP_ATTRIBUTE_NAME + "=" + mAttributeName);
+ v.addElement(nameDot + PROP_WTG_VALUE + "=" + mWhereToGetValue);
+ v.addElement(nameDot + PROP_VALUE + "=" + mValue);
+ }
+
+ public Attribute formAttr(IRequest req)
+ throws IOException {
+ String val = req.getExtDataInString(mPrefix, mReqAttr);
+
+ if (val == null || val.length() == 0) {
+ return null;
+ }
+ checkValue(mAttributeOID, val);
+ return new Attribute(mAttributeOID, val);
+ }
+
+ static private String getAllNames() {
+ Enumeration n = X500NameAttrMap.getDefault().getAllNames();
+ StringBuffer sb = new StringBuffer();
+ sb.append(n.nextElement());
+
+ while (n.hasMoreElements()) {
+ sb.append(",");
+ sb.append(n.nextElement());
+ }
+ return sb.toString();
+ }
+
+ private static void checkValue(ObjectIdentifier oid, String val)
+ throws IOException {
+ AVAValueConverter c = X500NameAttrMap.getDefault().getValueConverter(oid);
+
+ @SuppressWarnings("unused")
+ DerValue derval = c.getValue(val); // check for errors
+ return;
+ }
+
+}
diff --git a/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java b/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java
new file mode 100644
index 000000000..32d254c40
--- /dev/null
+++ b/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java
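Review bot: In applyCert, the branch taken when mExt is null calls formExt(req) twice — once into `ext` for the null check and again as the argument to extensions.set — so the attribute list is rebuilt (and the request attributes re-read and re-validated) a second time, and the value actually stored is not the one that was checked. The second call should use the local: `extensions.set(SubjectDirAttributesExtension.NAME, ext);`. In the same method the inner `catch (IOException eee) {}` silently ignores a failed delete of the extension by OID; a one-line comment such as `// neither NAME nor OID present: nothing to remove` would make that intent explicit. In AttributeConfig.getAllNames(), `sb.append(n.nextElement())` runs before any hasMoreElements() check, so an empty name enumeration would throw rather than yield an empty choice list; guarding it with `if (n.hasMoreElements())` (or building the list entirely inside the while loop) would be safer.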
@@ -0,0 +1,377 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.KeyIdentifier; +import netscape.security.x509.SubjectKeyIdentifierExtension; +import netscape.security.x509.X509CertInfo; +import netscape.security.x509.X509Key; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.EPolicyException; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.policy.IPolicyProcessor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import 
com.netscape.cms.policy.APolicyRule; + +/** + * Subject Public Key Extension Policy + * Adds the subject public key id extension to certificates. + *

+ * + *

+ * NOTE:  The Policy Framework has been replaced by the Profile Framework.
+ * 
+ *

+ * + * @deprecated + * @version $Revision$, $Date$ + */ +public class SubjectKeyIdentifierExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + protected static final String PROP_CRITICAL = "critical"; + protected static final String PROP_KEYID_TYPE = "keyIdentifierType"; + protected static final String PROP_REQATTR_NAME = "requestAttrName"; + + protected static final String KEYID_TYPE_SHA1 = "SHA1"; + protected static final String KEYID_TYPE_TYPEFIELD = "TypeField"; + protected static final String KEYID_TYPE_SPKISHA1 = "SpkiSHA1"; + protected static final String KEYID_TYPE_REQATTR = "RequestAttribute"; + + protected static final boolean DEF_CRITICAL = false; + protected static final String DEF_KEYID_TYPE = KEYID_TYPE_SHA1; + protected static final String DEF_REQATTR_NAME = "KeyIdentifier"; + + protected boolean mEnabled = false; + protected IConfigStore mConfig = null; + + protected boolean mCritical = DEF_CRITICAL; + protected String mKeyIdType = DEF_KEYID_TYPE;; + protected String mReqAttrName = DEF_REQATTR_NAME; + + protected Vector mInstanceParams = new Vector(); + + protected static Vector mDefaultParams = new Vector(); + static { + // form static default params. + mDefaultParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); + mDefaultParams.addElement(PROP_KEYID_TYPE + "=" + DEF_KEYID_TYPE); + + /* + mDefaultParams.addElement(PROP_REQATTR_NAME+"="+DEF_REQATTR_NAME); + */ + } + + public SubjectKeyIdentifierExt() { + NAME = "SubjectKeyIdentifierExt"; + DESC = "Adds Subject Key Idenifier Extension to certs"; + } + + /** + * Initializes this policy rule. + *

+ * + * The entries may be of the form: + * + * ca.Policy.rule..predicate= ca.Policy.rule..implName= ca.Policy.rule..enable=true + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); + mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); + + mKeyIdType = mConfig.getString(PROP_KEYID_TYPE, DEF_KEYID_TYPE); + + /* + mReqAttrName = mConfig.getString(PROP_REQATTR_NAME, DEF_REQATTR_NAME); + */ + + // parse key id type + if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_SHA1)) + mKeyIdType = KEYID_TYPE_SHA1; + else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_TYPEFIELD)) + mKeyIdType = KEYID_TYPE_TYPEFIELD; + + /* + else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_REQATTR) + mKeyIdType = KEYID_TYPE_REQATTR; + */ + else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_SPKISHA1)) + mKeyIdType = KEYID_TYPE_SPKISHA1; + else { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("KRA_UNKNOWN_KEY_ID_TYPE", mKeyIdType)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_KEYID_TYPE, + "value must be one of " + + KEYID_TYPE_SHA1 + ", " + + KEYID_TYPE_TYPEFIELD + ", " + + KEYID_TYPE_SPKISHA1)); + } + + // form instance params + mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); + mInstanceParams.addElement(PROP_KEYID_TYPE + "=" + mKeyIdType); + + /* + mInstanceParams.addElement(PROP_REQATTR_NAME+"="+mReqAttrName); + */ + } + + /** + * Adds Subject Key identifier Extension to a certificate. + * If the extension is already there, accept it. + * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + // get certInfo from request. 
+ X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certRes = applyCert(req, ci[i]); + + if (certRes == PolicyResult.REJECTED) + return certRes; + } + return PolicyResult.ACCEPTED; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + + try { + // if subject key id extension already exists, leave it if approved. + SubjectKeyIdentifierExtension subjectKeyIdExt = null; + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + + try { + if (extensions != null) { + subjectKeyIdExt = (SubjectKeyIdentifierExtension) + extensions.get(SubjectKeyIdentifierExtension.NAME); + } + } catch (IOException e) { + // extension isn't there. + } + if (subjectKeyIdExt != null) { + if (agentApproved(req)) { + CMS.debug( + "SubjectKeyIdentifierExt: agent approved request id " + req.getRequestId() + + " already has subject key id extension with value " + + subjectKeyIdExt); + return PolicyResult.ACCEPTED; + } else { + CMS.debug( + "SubjectKeyIdentifierExt: request id from user " + req.getRequestId() + + " had subject key identifier - deleted to be replaced"); + extensions.delete(SubjectKeyIdentifierExtension.NAME); + } + } + + // create subject key id extension. + KeyIdentifier keyId = null; + + try { + keyId = formKeyIdentifier(certInfo, req); + } catch (EBaseException e) { + setPolicyException(req, e); + return PolicyResult.REJECTED; + } + subjectKeyIdExt = + new SubjectKeyIdentifierExtension( + mCritical, keyId.getIdentifier()); + + // add subject key id extension. 
+ if (extensions == null) {
+ certInfo.set(X509CertInfo.VERSION,
+ new CertificateVersion(CertificateVersion.V3));
+ extensions = new CertificateExtensions();
+ certInfo.set(X509CertInfo.EXTENSIONS, extensions);
+ }
+ extensions.set(
+ SubjectKeyIdentifierExtension.NAME, subjectKeyIdExt);
+ CMS.debug(
+ "SubjectKeyIdentifierExt: added subject key id ext to request " + req.getRequestId());
+ return PolicyResult.ACCEPTED;
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR,NAME", e.getMessage()));
+ setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
+ NAME, e.getMessage());
+ return PolicyResult.REJECTED;
+ } catch (CertificateException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage()));
+ setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
+ NAME, "Certificate Info Error");
+ return PolicyResult.REJECTED;
+ }
+ }
+
+ /**
+ * Form the Key Identifier in the Subject Key Identifier extension.
+ *

+ * + * @param certInfo Certificate Info + * @param req request + * @return A Key Identifier. + */ + protected KeyIdentifier formKeyIdentifier( + X509CertInfo certInfo, IRequest req) throws EBaseException { + KeyIdentifier keyId = null; + + if (mKeyIdType == KEYID_TYPE_SHA1) { + keyId = formSHA1KeyId(certInfo); + } else if (mKeyIdType == KEYID_TYPE_TYPEFIELD) { + keyId = formTypeFieldKeyId(certInfo); + } /* + else if (mKeyIdType == KEYID_TYPE_REQATTR) { + keyId = formReqAttrKeyId(certInfo, req); + } + */else if (mKeyIdType == KEYID_TYPE_SPKISHA1) { + keyId = formSpkiSHA1KeyId(certInfo); + } else { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + mKeyIdType, "Unknown Key Identifier type.")); + } + return keyId; + } + + /** + * Form key identifier from a type field value of 0100 followed by + * the least significate 60 bits of the sha-1 hash of the subject + * public key BIT STRING in accordance with RFC 2459. + *

+ * + * @param certInfo - certificate info + * @return A Key Identifier with value formulatd as described. + */ + + protected KeyIdentifier formTypeFieldKeyId(X509CertInfo certInfo) + throws EBaseException { + KeyIdentifier keyId = null; + X509Key key = null; + + try { + CertificateX509Key certKey = + (CertificateX509Key) certInfo.get(X509CertInfo.KEY); + + if (certKey == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_MISSING_KEY_1", NAME)); + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_MISSING_KEY", NAME)); + } + key = (X509Key) certKey.get(CertificateX509Key.KEY); + if (key == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_MISSING_KEY_1", NAME)); + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_MISSING_KEY", NAME)); + } + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_GET_KEY_FROM_CERT", e.toString())); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_GET_KEY_FROM_CERT", e.toString())); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); + } + try { + byte[] octetString = new byte[8]; + MessageDigest md = MessageDigest.getInstance("SHA-1"); + + md.update(key.getKey()); + byte[] hash = md.digest(); + + System.arraycopy(hash, hash.length - 8, octetString, 0, 8); + octetString[0] &= (0x08f & octetString[0]); + keyId = new KeyIdentifier(octetString); + } catch (NoSuchAlgorithmException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_SUBJECT_KEY_ID_1", NAME)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); + } + return keyId; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. 
+ */
+ public Vector getInstanceParams() {
+ return mInstanceParams;
+ }
+
+ /**
+ * Return default parameters for a policy implementation.
+ *
+ * @return nvPairs A Vector of name/value pairs.
+ */
+ public Vector getDefaultParams() {
+ return mDefaultParams;
+ }
+
+ /**
+ * Gets extended plugin info for pretty Console displays.
+ */
+ public String[] getExtendedPluginInfo(Locale locale) {
+ String[] params = {
+ PROP_CRITICAL + ";boolean;RFC 2459 recommendation: MUST NOT be marked critical.",
+ PROP_KEYID_TYPE + ";" +
+ "choice(" + KEYID_TYPE_SHA1 + "," +
+ KEYID_TYPE_TYPEFIELD + "," +
+ KEYID_TYPE_SPKISHA1 + ");" +
+ "Method to derive the Key Identifier.",
+ IExtendedPluginInfo.HELP_TOKEN +
+ ";configuration-policyrules-subjectkeyidentifier",
+ IExtendedPluginInfo.HELP_TEXT +
+ ";Adds the Subject Key Identifier extension. See RFC 2459 (4.2.1.2)"
+ };
+
+ return params;
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/common/BasicProfile.java b/base/common/src/com/netscape/cms/profile/common/BasicProfile.java
new file mode 100644
index 000000000..696d0cd13
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/common/BasicProfile.java
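Review bot: In formTypeFieldKeyId the masking line `octetString[0] &= (0x08f & octetString[0]);` does not produce the 0100 type field that its own Javadoc (and RFC 2459 section 4.2.1.2, method 2) describes: it clears bits 4–6 but leaves bit 7 untouched and never sets bit 6, so the high nibble of the key identifier comes out as 0000 or 1000, never 0100. The line should read `octetString[0] = (byte) ((octetString[0] & 0x0f) | 0x40);`, keeping the low 60 bits of the SHA-1 hash and prefixing the fixed type nibble. In applyCert, the IOException handler logs with the literal key `"POLICY_UNEXPECTED_POLICY_ERROR,NAME"`; judging by the other getLogMessage calls in this file, `NAME` looks intended as a separate argument, `CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage())`, though I cannot confirm the message table from here. The double semicolon in `protected String mKeyIdType = DEF_KEYID_TYPE;;` is a harmless typo worth tidying.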
@@ -0,0 +1,1171 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.common; + +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthSubsystem; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyConstraint; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileAuthenticator; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.profile.IProfileOutput; +import com.netscape.certsrv.profile.IProfilePolicy; +import com.netscape.certsrv.profile.IProfileSubsystem; +import 
com.netscape.certsrv.profile.IProfileUpdater; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.registry.IPluginInfo; +import com.netscape.certsrv.registry.IPluginRegistry; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.RequestStatus; + +/** + * This class implements a basic profile. + * + * @version $Revision$, $Date$ + */ +public abstract class BasicProfile implements IProfile { + + public static final String PROP_ENABLE = "enable"; + public static final String PROP_ENABLE_BY = "enableBy"; + public static final String PROP_IS_RENEWAL = "renewal"; + public static final String PROP_XML_OUTPUT = "xmlOutput"; + public static final String PROP_VISIBLE = "visible"; + public static final String PROP_INPUT_LIST = "list"; + public static final String PROP_OUTPUT_LIST = "list"; + public static final String PROP_UPDATER_LIST = "list"; + public static final String PROP_POLICY_LIST = "list"; + public static final String PROP_DEFAULT = "default"; + public static final String PROP_CONSTRAINT = "constraint"; + public static final String PROP_INPUT = "input"; + public static final String PROP_OUTPUT = "output"; + public static final String PROP_CLASS_ID = "class_id"; + public static final String PROP_INSTANCE_ID = "instance_id"; + public static final String PROP_PARAMS = "params"; + public static final String PROP_NAME = "name"; + public static final String PROP_DESC = "desc"; + public static final String PROP_NO_DEFAULT = "noDefaultImpl"; + public static final String PROP_NO_CONSTRAINT = "noConstraintImpl"; + public static final String PROP_GENERIC_EXT_DEFAULT = "genericExtDefaultImpl"; + + protected IProfileSubsystem mOwner = null; + protected IConfigStore mConfig = null; + protected IPluginRegistry mRegistry = null; + + protected Vector mInputNames = new Vector(); + protected Hashtable mInputs = new Hashtable(); + protected Vector mInputIds = new Vector(); + protected Hashtable mOutputs = new Hashtable(); + 
protected Vector mOutputIds = new Vector(); + protected Hashtable mUpdaters = new Hashtable(); + protected Vector mUpdaterIds = new Vector(); + protected IProfileAuthenticator mAuthenticator = null; + protected String mAuthInstanceId = null; + protected String mId = null; + protected String mAuthzAcl = ""; + + protected Hashtable> mPolicySet = new Hashtable>(); + + protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + + public BasicProfile() { + } + + public boolean isEnable() { + try { + return mConfig.getBoolean(PROP_ENABLE, false); + } catch (EBaseException e) { + return false; + } + } + + public String isRenewal() { + try { + return mConfig.getString(PROP_IS_RENEWAL, "false"); + } catch (EBaseException e) { + return "false"; + } + } + + public String isXmlOutput() { + try { + return mConfig.getString(PROP_XML_OUTPUT, "false"); + } catch (EBaseException e) { + return "false"; + } + } + + public String getApprovedBy() { + try { + return mConfig.getString(PROP_ENABLE_BY, ""); + } catch (EBaseException e) { + return ""; + } + } + + public void setId(String id) { + mId = id; + } + + public String getId() { + return mId; + } + + public IProfileAuthenticator getAuthenticator() throws EProfileException { + try { + IAuthSubsystem authSub = (IAuthSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); + IProfileAuthenticator auth = (IProfileAuthenticator) + authSub.get(mAuthInstanceId); + + if (mAuthInstanceId != null && mAuthInstanceId.length() > 0 + && auth == null) { + throw new EProfileException("Cannot load " + + mAuthInstanceId); + } + return auth; + } catch (Exception e) { + if (mAuthInstanceId != null) { + throw new EProfileException("Cannot load " + + mAuthInstanceId); + } + return null; + } + } + + public String getRequestorDN(IRequest request) { + return null; + } + + public String getAuthenticatorId() { + return mAuthInstanceId; + } + + public void setAuthenticatorId(String id) { + mAuthInstanceId = id; + mConfig.putString("auth." 
+ PROP_INSTANCE_ID, id); + } + + public String getAuthzAcl() { + return mAuthzAcl; + } + + /** + * Initializes this profile. + */ + public void init(IProfileSubsystem owner, IConfigStore config) + throws EBaseException { + CMS.debug("BasicProfile: start init"); + mOwner = owner; + mConfig = config; + + mRegistry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY); + + // Configure File Formats: + // visible + // auth.class_id=NoAuthImpl + // auth.params.x1=x1 + // input.list=i1,i2,... + // input.i1.class=com.netscape.cms.profile.input.CertReqInput + // input.i1.params.x1=x1 + // policy.list=p1,p2,... + // policy.p1.enable=true + // policy.p1.default.class=com.netscape.cms.profile.defaults.SubjectName + // policy.p1.default.params.x1=x1 + // policy.p1.default.params.x2=x2 + // policy.p1.constraint.class= ... .cms.profile.constraints.ValidityRange + // policy.p1.constraint.params.x1=x1 + // policy.p1.constraint.params.x2=x2 + + // handle profile authentication plugins + try { + mAuthInstanceId = config.getString("auth." + PROP_INSTANCE_ID, null); + mAuthzAcl = config.getString("authz.acl", ""); + } catch (EBaseException e) { + CMS.debug("BasicProfile: authentication class not found " + + e.toString()); + } + + // handle profile input plugins + IConfigStore inputStore = config.getSubStore("input"); + String input_list = inputStore.getString(PROP_INPUT_LIST, ""); + StringTokenizer input_st = new StringTokenizer(input_list, ","); + + while (input_st.hasMoreTokens()) { + String input_id = input_st.nextToken(); + String inputClassId = inputStore.getString(input_id + "." 
+ + PROP_CLASS_ID); + IPluginInfo inputInfo = mRegistry.getPluginInfo("profileInput", + inputClassId); + String inputClass = inputInfo.getClassName(); + + IProfileInput input = null; + + try { + input = (IProfileInput) + Class.forName(inputClass).newInstance(); + } catch (Exception e) { + // throw Exception + CMS.debug("BasicProfile: input plugin Class.forName " + + inputClass + " " + e.toString()); + throw new EBaseException(e.toString()); + } + IConfigStore inputConfig = inputStore.getSubStore(input_id); + input.init(this, inputConfig); + mInputs.put(input_id, input); + mInputIds.addElement(input_id); + } + + // handle profile output plugins + IConfigStore outputStore = config.getSubStore("output"); + String output_list = outputStore.getString(PROP_OUTPUT_LIST, ""); + StringTokenizer output_st = new StringTokenizer(output_list, ","); + + while (output_st.hasMoreTokens()) { + String output_id = output_st.nextToken(); + + String outputClassId = outputStore.getString(output_id + "." + + PROP_CLASS_ID); + IPluginInfo outputInfo = mRegistry.getPluginInfo("profileOutput", + outputClassId); + String outputClass = outputInfo.getClassName(); + + IProfileOutput output = null; + + try { + output = (IProfileOutput) + Class.forName(outputClass).newInstance(); + } catch (Exception e) { + // throw Exception + CMS.debug("BasicProfile: output plugin Class.forName " + + outputClass + " " + e.toString()); + throw new EBaseException(e.toString()); + } + IConfigStore outputConfig = outputStore.getSubStore(output_id); + output.init(this, outputConfig); + mOutputs.put(output_id, output); + mOutputIds.addElement(output_id); + } + + // handle profile output plugins + IConfigStore updaterStore = config.getSubStore("updater"); + String updater_list = updaterStore.getString(PROP_UPDATER_LIST, ""); + StringTokenizer updater_st = new StringTokenizer(updater_list, ","); + + while (updater_st.hasMoreTokens()) { + String updater_id = updater_st.nextToken(); + + String updaterClassId = 
updaterStore.getString(updater_id + "." + + PROP_CLASS_ID); + IPluginInfo updaterInfo = mRegistry.getPluginInfo("profileUpdater", + updaterClassId); + String updaterClass = updaterInfo.getClassName(); + + IProfileUpdater updater = null; + + try { + updater = (IProfileUpdater) + Class.forName(updaterClass).newInstance(); + } catch (Exception e) { + // throw Exception + CMS.debug("BasicProfile: updater plugin Class.forName " + + updaterClass + " " + e.toString()); + throw new EBaseException(e.toString()); + } + IConfigStore updaterConfig = updaterStore.getSubStore(updater_id); + updater.init(this, updaterConfig); + mUpdaters.put(updater_id, updater); + mUpdaterIds.addElement(updater_id); + } + + // handle profile policy plugins + IConfigStore policySetStore = config.getSubStore("policyset"); + String setlist = policySetStore.getString("list", ""); + StringTokenizer st = new StringTokenizer(setlist, ","); + + while (st.hasMoreTokens()) { + String setId = st.nextToken(); + + IConfigStore policyStore = policySetStore.getSubStore(setId); + String list = policyStore.getString(PROP_POLICY_LIST, ""); + StringTokenizer st1 = new StringTokenizer(list, ","); + + while (st1.hasMoreTokens()) { + String id = st1.nextToken(); + + String defaultRoot = id + "." + PROP_DEFAULT; + String defaultClassId = policyStore.getString(defaultRoot + "." + + PROP_CLASS_ID); + + String constraintRoot = id + "." + PROP_CONSTRAINT; + String constraintClassId = + policyStore.getString(constraintRoot + "." 
+ PROP_CLASS_ID); + + createProfilePolicy(setId, id, defaultClassId, + constraintClassId, false); + } + } + CMS.debug("BasicProfile: done init"); + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + public Enumeration getInputNames() { + return mInputNames.elements(); + } + + public Enumeration getProfileUpdaterIds() { + return mUpdaterIds.elements(); // ordered list + } + + public IProfileUpdater getProfileUpdater(String name) { + return mUpdaters.get(name); + } + + public Enumeration getProfileOutputIds() { + return mOutputIds.elements(); // ordered list + } + + public IProfileOutput getProfileOutput(String name) { + return mOutputs.get(name); + } + + public Enumeration getProfileInputIds() { + return mInputIds.elements(); // ordered list + } + + public IProfileInput getProfileInput(String name) { + return mInputs.get(name); + } + + public void addInputName(String name) { + mInputNames.addElement(name); + } + + public IDescriptor getInputDescriptor(String name) { + return null; + } + + public String getInput(String name, Locale locale, IRequest request) + throws EProfileException { + return null; + } + + public void setInput(String name, Locale locale, IRequest request, + String value) throws EProfileException { + } + + public Enumeration getProfilePolicySetIds() { + return mPolicySet.keys(); + } + + public void deleteProfilePolicy(String setId, String policyId) + throws EProfileException { + Vector policies = mPolicySet.get(setId); + + if (policies == null) { + return; + } + try { + IConfigStore policySetSubStore = mConfig.getSubStore("policyset"); + IConfigStore policySubStore = policySetSubStore.getSubStore(setId); + + policySubStore.removeSubStore(policyId); + String list = policySubStore.getString(PROP_POLICY_LIST, null); + StringTokenizer st = new StringTokenizer(list, ","); + String newlist = ""; + StringBuffer sb = new StringBuffer(); + + while (st.hasMoreTokens()) { + String e = st.nextToken(); + + if (!e.equals(policyId)) { + 
sb.append(e); + sb.append(","); + } + } + newlist = sb.toString(); + if (!newlist.equals("")) { + newlist = newlist.substring(0, newlist.length() - 1); + policySubStore.putString(PROP_POLICY_LIST, newlist); + } else { + policySetSubStore.removeSubStore(setId); + } + + int size = policies.size(); + + for (int i = 0; i < size; i++) { + ProfilePolicy policy = policies.elementAt(i); + String id = policy.getId(); + + if (id.equals(policyId)) { + policies.removeElementAt(i); + if (size == 1) { + mPolicySet.remove(setId); + String setlist = policySetSubStore.getString(PROP_POLICY_LIST, null); + StringTokenizer st1 = new StringTokenizer(setlist, ","); + String newlist1 = ""; + + while (st1.hasMoreTokens()) { + String e = st1.nextToken(); + + if (!e.equals(setId)) + newlist1 = newlist1 + e + ","; + } + if (!newlist1.equals("")) + newlist1 = newlist1.substring(0, newlist1.length() - 1); + policySetSubStore.putString(PROP_POLICY_LIST, newlist1); + } + break; + } + } + + mConfig.putString("lastModified", + Long.toString(CMS.getCurrentDate().getTime())); + mConfig.commit(false); + } catch (Exception e) { + } + + } + + public void deleteProfileInput(String inputId) throws EProfileException { + try { + mConfig.removeSubStore("input." + inputId); + String list = mConfig.getString("input." + PROP_INPUT_LIST, null); + StringTokenizer st = new StringTokenizer(list, ","); + String newlist = ""; + StringBuffer sb = new StringBuffer(); + + while (st.hasMoreTokens()) { + String e = st.nextToken(); + + if (!e.equals(inputId)) { + sb.append(e); + sb.append(","); + } + } + newlist = sb.toString(); + if (!newlist.equals("")) + newlist = newlist.substring(0, newlist.length() - 1); + + int size = mInputIds.size(); + + for (int i = 0; i < size; i++) { + String id = mInputIds.elementAt(i); + + if (id.equals(inputId)) { + mInputIds.removeElementAt(i); + break; + } + } + + mInputs.remove(inputId); + mConfig.putString("input." 
+ PROP_INPUT_LIST, newlist); + mConfig.putString("lastModified", + Long.toString(CMS.getCurrentDate().getTime())); + mConfig.commit(false); + } catch (Exception e) { + } + } + + public void deleteProfileOutput(String outputId) throws EProfileException { + try { + mConfig.removeSubStore("output." + outputId); + String list = mConfig.getString("output." + PROP_OUTPUT_LIST, null); + StringTokenizer st = new StringTokenizer(list, ","); + String newlist = ""; + StringBuffer sb = new StringBuffer(); + + while (st.hasMoreTokens()) { + String e = st.nextToken(); + + if (!e.equals(outputId)) { + sb.append(e); + sb.append(","); + } + } + newlist = sb.toString(); + if (!newlist.equals("")) + newlist = newlist.substring(0, newlist.length() - 1); + + int size = mOutputIds.size(); + + for (int i = 0; i < size; i++) { + String id = mOutputIds.elementAt(i); + + if (id.equals(outputId)) { + mOutputIds.removeElementAt(i); + break; + } + } + + mOutputs.remove(outputId); + mConfig.putString("output." + PROP_OUTPUT_LIST, newlist); + mConfig.putString("lastModified", + Long.toString(CMS.getCurrentDate().getTime())); + mConfig.commit(false); + } catch (Exception e) { + } + } + + public IProfileOutput createProfileOutput(String id, String outputId, + NameValuePairs nvps) + throws EProfileException { + return createProfileOutput(id, outputId, nvps, true); + } + + public IProfileOutput createProfileOutput(String id, String outputId, + NameValuePairs nvps, boolean createConfig) + + throws EProfileException { + IConfigStore outputStore = mConfig.getSubStore("output"); + + IPluginInfo outputInfo = mRegistry.getPluginInfo("profileOutput", + outputId); + + if (outputInfo == null) { + CMS.debug("Cannot find " + outputId); + throw new EProfileException("Cannot find " + outputId); + } + String outputClass = outputInfo.getClassName(); + + CMS.debug("BasicProfile: loading output class " + outputClass); + IProfileOutput output = null; + + try { + output = (IProfileOutput) + 
Class.forName(outputClass).newInstance(); + } catch (Exception e) { + // throw Exception + CMS.debug(e.toString()); + } + if (output == null) { + CMS.debug("BasicProfile: failed to create " + outputClass); + } else { + CMS.debug("BasicProfile: initing " + id + " output"); + + CMS.debug("BasicProfile: outputStore " + outputStore); + output.init(this, outputStore); + + mOutputs.put(id, output); + mOutputIds.addElement(id); + } + + if (createConfig) { + String list = null; + + try { + list = outputStore.getString(PROP_OUTPUT_LIST, null); + } catch (EBaseException e) { + } + if (list == null || list.equals("")) { + outputStore.putString(PROP_OUTPUT_LIST, id); + } else { + StringTokenizer st1 = new StringTokenizer(list, ","); + + while (st1.hasMoreTokens()) { + String pid = st1.nextToken(); + + if (pid.equals(id)) { + throw new EProfileException("Duplicate output id: " + id); + } + } + outputStore.putString(PROP_OUTPUT_LIST, list + "," + id); + } + String prefix = id + "."; + + outputStore.putString(prefix + "name", + outputInfo.getName(Locale.getDefault())); + outputStore.putString(prefix + "class_id", outputId); + + for (String name : nvps.keySet()) { + + outputStore.putString(prefix + "params." 
+ name, nvps.get(name)); + try { + if (output != null) { + output.setConfig(name, nvps.get(name)); + } + } catch (EBaseException e) { + CMS.debug(e.toString()); + } + } + + try { + mConfig.putString("lastModified", + Long.toString(CMS.getCurrentDate().getTime())); + mConfig.commit(false); + } catch (EBaseException e) { + CMS.debug(e.toString()); + } + } + + return output; + } + + public IProfileInput createProfileInput(String id, String inputId, + NameValuePairs nvps) + throws EProfileException { + return createProfileInput(id, inputId, nvps, true); + } + + public IProfileInput createProfileInput(String id, String inputId, + NameValuePairs nvps, boolean createConfig) + throws EProfileException { + IConfigStore inputStore = mConfig.getSubStore("input"); + + IPluginInfo inputInfo = mRegistry.getPluginInfo("profileInput", + inputId); + + if (inputInfo == null) { + CMS.debug("Cannot find " + inputId); + throw new EProfileException("Cannot find " + inputId); + } + String inputClass = inputInfo.getClassName(); + + CMS.debug("BasicProfile: loading input class " + inputClass); + IProfileInput input = null; + + try { + input = (IProfileInput) + Class.forName(inputClass).newInstance(); + } catch (Exception e) { + // throw Exception + CMS.debug(e.toString()); + } + if (input == null) { + CMS.debug("BasicProfile: failed to create " + inputClass); + } else { + CMS.debug("BasicProfile: initing " + id + " input"); + + CMS.debug("BasicProfile: inputStore " + inputStore); + input.init(this, inputStore); + + mInputs.put(id, input); + mInputIds.addElement(id); + } + + if (createConfig) { + String list = null; + + try { + list = inputStore.getString(PROP_INPUT_LIST, null); + } catch (EBaseException e) { + } + if (list == null || list.equals("")) { + inputStore.putString(PROP_INPUT_LIST, id); + } else { + StringTokenizer st1 = new StringTokenizer(list, ","); + + while (st1.hasMoreTokens()) { + String pid = st1.nextToken(); + + if (pid.equals(id)) { + throw new 
EProfileException("Duplicate input id: " + id); + } + } + inputStore.putString(PROP_INPUT_LIST, list + "," + id); + } + String prefix = id + "."; + + inputStore.putString(prefix + "name", + inputInfo.getName(Locale.getDefault())); + inputStore.putString(prefix + "class_id", inputId); + + for (String name : nvps.keySet()) { + + inputStore.putString(prefix + "params." + name, nvps.get(name)); + try { + if (input != null) { + input.setConfig(name, nvps.get(name)); + } + } catch (EBaseException e) { + CMS.debug(e.toString()); + } + } + + try { + mConfig.putString("lastModified", + Long.toString(CMS.getCurrentDate().getTime())); + mConfig.commit(false); + } catch (EBaseException e) { + CMS.debug(e.toString()); + } + } + + return input; + } + + /** + * Creates a profile policy + */ + public IProfilePolicy createProfilePolicy(String setId, String id, + String defaultClassId, String constraintClassId) + throws EProfileException { + return createProfilePolicy(setId, id, defaultClassId, + constraintClassId, true); + } + + public IProfilePolicy createProfilePolicy(String setId, String id, + String defaultClassId, String constraintClassId, + boolean createConfig) + throws EProfileException { + + // String setId ex: policyset.set1 + // String id Id of policy : examples: p1,p2,p3 + // String defaultClassId : id of the default plugin ex: validityDefaultImpl + // String constraintClassId : if of the constraint plugin ex: basicConstraintsExtConstraintImpl + // boolean createConfig : true : being called from the console. false: being called from server startup code + + Vector policies = mPolicySet.get(setId); + + IConfigStore policyStore = mConfig.getSubStore("policyset." 
+ setId); + if (policies == null) { + policies = new Vector(); + mPolicySet.put(setId, policies); + if (createConfig) { + // re-create policyset.list + StringBuffer setlist = new StringBuffer(); + Enumeration keys = mPolicySet.keys(); + + while (keys.hasMoreElements()) { + String k = keys.nextElement(); + + if (!(setlist.toString()).equals("")) { + setlist.append(","); + } + setlist.append(k); + } + mConfig.putString("policyset.list", setlist.toString()); + } + } else { + String ids = null; + + try { + ids = policyStore.getString(PROP_POLICY_LIST, ""); + } catch (Exception ee) { + } + + if (ids == null) { + CMS.debug("BasicProfile::createProfilePolicy() - ids is null!"); + return null; + } + + StringTokenizer st1 = new StringTokenizer(ids, ","); + int appearances = 0; + int appearancesTooMany = 0; + if (createConfig) + appearancesTooMany = 1; + else + appearancesTooMany = 2; + + while (st1.hasMoreTokens()) { + String pid = st1.nextToken(); + if (pid.equals(id)) { + appearances++; + if (appearances >= appearancesTooMany) { + CMS.debug("WARNING detected duplicate policy id: " + id + " Profile: " + mId); + if (createConfig) { + throw new EProfileException("Duplicate policy id: " + id); + } + } + } + } + } + + // Now make sure we aren't trying to add a policy that already exists + IConfigStore policySetStore = mConfig.getSubStore("policyset"); + String setlist = null; + try { + setlist = policySetStore.getString("list", ""); + } catch (Exception e) { + } + StringTokenizer st = new StringTokenizer(setlist, ","); + + int matches = 0; + while (st.hasMoreTokens()) { + String sId = st.nextToken(); + + //Only search the setId set. 
Ex: encryptionCertSet + if (!sId.equals(setId)) { + continue; + } + IConfigStore pStore = policySetStore.getSubStore(sId); + + String list = null; + try { + list = pStore.getString(PROP_POLICY_LIST, ""); + } catch (Exception e) { + CMS.debug("WARNING, can't get policy id list!"); + } + + StringTokenizer st1 = new StringTokenizer(list, ","); + + while (st1.hasMoreTokens()) { + String curId = st1.nextToken(); + + String defaultRoot = curId + "." + PROP_DEFAULT; + String curDefaultClassId = null; + try { + curDefaultClassId = pStore.getString(defaultRoot + "." + + PROP_CLASS_ID); + } catch (Exception e) { + CMS.debug("WARNING, can't get default plugin id!"); + } + + //Disallow duplicate defaults with the following exceptions: + // noDefaultImpl, genericExtDefaultImpl + + if ((curDefaultClassId.equals(defaultClassId) && + !curDefaultClassId.equals(PROP_NO_DEFAULT) && + !curDefaultClassId.equals(PROP_GENERIC_EXT_DEFAULT))) { + + matches++; + if (createConfig) { + if (matches == 1) { + CMS.debug("WARNING attempt to add duplicate Policy " + + defaultClassId + ":" + constraintClassId + + " Contact System Administrator."); + throw new EProfileException("Attempt to add duplicate Policy : " + + defaultClassId + ":" + constraintClassId); + } + } else { + if (matches > 1) { + CMS.debug("WARNING attempt to add duplicate Policy " + + defaultClassId + ":" + constraintClassId + + " Contact System Administrator."); + } + } + } + } + } + + String defaultRoot = id + "." + PROP_DEFAULT; + String constraintRoot = id + "." 
+ PROP_CONSTRAINT; + IPluginInfo defInfo = mRegistry.getPluginInfo("defaultPolicy", + defaultClassId); + + if (defInfo == null) { + CMS.debug("BasicProfile: Cannot find " + defaultClassId); + throw new EProfileException("Cannot find " + defaultClassId); + } + String defaultClass = defInfo.getClassName(); + + CMS.debug("BasicProfile: loading default class " + defaultClass); + IPolicyDefault def = null; + + try { + def = (IPolicyDefault) + Class.forName(defaultClass).newInstance(); + } catch (Exception e) { + // throw Exception + CMS.debug("BasicProfile: default policy " + + defaultClass + " " + e.toString()); + } + if (def == null) { + CMS.debug("BasicProfile: failed to create " + defaultClass); + } else { + IConfigStore defStore = null; + + defStore = policyStore.getSubStore(defaultRoot); + def.init(this, defStore); + } + + IPluginInfo conInfo = mRegistry.getPluginInfo("constraintPolicy", + constraintClassId); + String constraintClass = conInfo.getClassName(); + IPolicyConstraint constraint = null; + + try { + constraint = (IPolicyConstraint) + Class.forName(constraintClass).newInstance(); + } catch (Exception e) { + // throw Exception + CMS.debug("BasicProfile: constraint policy " + + constraintClass + " " + e.toString()); + } + ProfilePolicy policy = null; + if (constraint == null) { + CMS.debug("BasicProfile: failed to create " + constraintClass); + } else { + IConfigStore conStore = null; + + conStore = policyStore.getSubStore(constraintRoot); + constraint.init(this, conStore); + policy = new ProfilePolicy(id, def, constraint); + policies.addElement(policy); + } + + if (createConfig) { + String list = null; + + try { + list = policyStore.getString(PROP_POLICY_LIST, null); + } catch (EBaseException e) { + } + if (list == null || list.equals("")) { + policyStore.putString(PROP_POLICY_LIST, id); + } else { + policyStore.putString(PROP_POLICY_LIST, list + "," + id); + } + policyStore.putString(id + ".default.name", + defInfo.getName(Locale.getDefault())); + 
policyStore.putString(id + ".default.class_id", + defaultClassId); + policyStore.putString(id + ".constraint.name", + conInfo.getName(Locale.getDefault())); + policyStore.putString(id + ".constraint.class_id", + constraintClassId); + try { + mConfig.putString("lastModified", + Long.toString(CMS.getCurrentDate().getTime())); + policyStore.commit(false); + } catch (EBaseException e) { + CMS.debug("BasicProfile: commiting config store " + + e.toString()); + } + } + + return policy; + } + + public IProfilePolicy getProfilePolicy(String setId, String id) { + Vector policies = mPolicySet.get(setId); + + if (policies == null) + return null; + + for (int i = 0; i < policies.size(); i++) { + ProfilePolicy policy = policies.elementAt(i); + + if (policy.getId().equals(id)) { + return policy; + } + } + return null; + } + + public boolean isVisible() { + try { + return mConfig.getBoolean(PROP_VISIBLE, false); + } catch (EBaseException e) { + return false; + } + } + + public void setVisible(boolean v) { + mConfig.putBoolean(PROP_VISIBLE, v); + } + + /** + * Returns the profile name. + */ + public String getName(Locale locale) { + try { + return mConfig.getString(PROP_NAME, ""); + } catch (EBaseException e) { + return ""; + } + } + + public void setName(Locale locale, String name) { + mConfig.putString(PROP_NAME, name); + } + + public abstract IProfileContext createContext(); + + /** + * Creates request. + */ + public abstract IRequest[] createRequests(IProfileContext ctx, Locale locale) + throws EProfileException; + + /** + * Returns the profile description. 
+ */ + public String getDescription(Locale locale) { + try { + return mConfig.getString(PROP_DESC, ""); + } catch (EBaseException e) { + return ""; + } + } + + public void setDescription(Locale locale, String desc) { + mConfig.putString(PROP_DESC, desc); + } + + public void populateInput(IProfileContext ctx, IRequest request) + throws EProfileException { + Enumeration ids = getProfileInputIds(); + + while (ids.hasMoreElements()) { + String id = ids.nextElement(); + IProfileInput input = getProfileInput(id); + + input.populate(ctx, request); + } + } + + public Vector getPolicies(String setId) { + Vector policies = mPolicySet.get(setId); + + return policies; + } + + /** + * Passes the request to the set of default policies that + * populate the profile information against the profile. + */ + public void populate(IRequest request) + throws EProfileException { + String setId = getPolicySetId(request); + Vector policies = getPolicies(setId); + CMS.debug("BasicProfile: populate() policy setid =" + setId); + + for (int i = 0; i < policies.size(); i++) { + ProfilePolicy policy = policies.elementAt(i); + + policy.getDefault().populate(request); + } + } + + /** + * Passes the request to the set of constraint policies + * that validate the request against the profile. 
+ */ + public void validate(IRequest request) + throws ERejectException { + String setId = getPolicySetId(request); + CMS.debug("BasicProfile: validate start on setId=" + setId); + Vector policies = getPolicies(setId); + + for (int i = 0; i < policies.size(); i++) { + ProfilePolicy policy = policies.elementAt(i); + + policy.getConstraint().validate(request); + } + CMS.debug("BasicProfile: change to pending state"); + request.setRequestStatus(RequestStatus.PENDING); + CMS.debug("BasicProfile: validate end"); + } + + public Enumeration getProfilePolicies(String setId) { + Vector policies = mPolicySet.get(setId); + + if (policies == null) + return null; + return policies.elements(); + } + + public Enumeration getProfilePolicyIds(String setId) { + Vector policies = mPolicySet.get(setId); + + if (policies == null) + return null; + + Vector v = new Vector(); + + for (int i = 0; i < policies.size(); i++) { + ProfilePolicy policy = policies.elementAt(i); + + v.addElement(policy.getId()); + } + return v.elements(); + } + + public void execute(IRequest request) + throws EProfileException { + } + + /** + * Signed Audit Log + * + * This method is inherited by all extended "BasicProfile"s, + * and is called to store messages to the signed audit log. + *

+ * + * @param msg signed audit log message + */ + protected void audit(String msg) { + // in this case, do NOT strip preceding/trailing whitespace + // from passed-in String parameters + + if (mSignedAuditLogger == null) { + return; + } + + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); + } + + /** + * Signed Audit Log Subject ID + * + * This method is inherited by all extended "BasicProfile"s, + * and is called to obtain the "SubjectID" for + * a signed audit log message. + *

+ *
+ * @return id string containing the signed audit log message SubjectID
+ */
+ protected String auditSubjectID() {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ String subjectID = null;
+
+ // Initialize subjectID
+ SessionContext auditContext = SessionContext.getExistingContext();
+
+ if (auditContext != null) {
+ subjectID = (String)
+ auditContext.get(SessionContext.USER_ID);
+
+ if (subjectID != null) {
+ subjectID = subjectID.trim();
+ } else {
+ subjectID = ILogger.NONROLEUSER;
+ }
+ } else {
+ subjectID = ILogger.UNIDENTIFIED;
+ }
+
+ return subjectID;
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java b/base/common/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java
new file mode 100644
index 000000000..b95b22339
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java
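Review bot: The empty `catch (Exception e) { }` that closes deleteProfilePolicy, deleteProfileInput and deleteProfileOutput hides every failure of removeSubStore, putString and commit, so a delete that did not persist is reported to the caller as success and the in-memory profile and the stored config silently diverge. The same catch also masks a NullPointerException from `new StringTokenizer(list, ",")` when the list property is absent, because `getString(..., null)` is used as the default. Each of the three methods already declares `throws EProfileException`, so the catch can be narrowed and surfaced as `} catch (EBaseException e) {` / `CMS.debug("BasicProfile: deleteProfileInput " + e.toString());` / `throw new EProfileException(e.toString());`, with a `list == null` guard before the tokenizer. Relatedly, init() calls `inputInfo.getClassName()` (and the output and updater equivalents) without the null check on getPluginInfo that createProfileInput and createProfileOutput perform, so an unknown class_id in a profile config fails with a NullPointerException instead of the descriptive "Cannot find" exception.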
@@ -0,0 +1,107 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.profile.IPolicyDefault;
+import com.netscape.certsrv.profile.IProfileEx;
+import com.netscape.certsrv.profile.IProfilePolicy;
+
+/**
+ * This class implements a Certificate Manager enrollment
+ * profile for CA Certificates.
+ *
+ * @version $Revision$, $Date$
+ */
+public class CACertCAEnrollProfile extends CAEnrollProfile
+ implements IProfileEx {
+
+ /**
+ * Called after initialization. It populates default
+ * policies, inputs, and outputs.
+ */
+ public void populate() throws EBaseException {
+ // create inputs
+ NameValuePairs inputParams1 = new NameValuePairs();
+ createProfileInput("i1", "certReqInputImpl", inputParams1);
+ NameValuePairs inputParams2 = new NameValuePairs();
+ createProfileInput("i2", "submitterInfoInputImpl", inputParams2);
+
+ // create outputs
+ NameValuePairs outputParams1 = new NameValuePairs();
+ createProfileOutput("o1", "certOutputImpl", outputParams1);
+
+ // create policies
+ createProfilePolicy("set1", "p1",
+ "userSubjectNameDefaultImpl", "noConstraintImpl");
+
+ IProfilePolicy policy2 =
+ createProfilePolicy("set1", "p2",
+ "validityDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def2 = policy2.getDefault();
+ IConfigStore defConfig2 = def2.getConfigStore();
+ defConfig2.putString("params.range", "180");
+ defConfig2.putString("params.startTime", "0");
+
+ IProfilePolicy policy3 =
+ createProfilePolicy("set1", "p3",
+ "userKeyDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def3 = policy3.getDefault();
+ IConfigStore defConfig3 = def3.getConfigStore();
+ defConfig3.putString("params.keyType", "RSA");
+ defConfig3.putString("params.keyMinLength", "512");
+ defConfig3.putString("params.keyMaxLength", "4096");
+
+ IProfilePolicy policy4 =
+ createProfilePolicy("set1", "p4",
+ "signingAlgDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def4 = policy4.getDefault();
+ IConfigStore defConfig4 = def4.getConfigStore();
+ defConfig4.putString("params.signingAlg", "-");
+ defConfig4.putString("params.signingAlgsAllowed",
+ "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA256withEC,SHA384withEC,SHA512withEC");
+
+ // extensions
+ IProfilePolicy policy5 =
+ createProfilePolicy("set1", "p5",
+ "keyUsageExtDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def5 = policy5.getDefault();
+ IConfigStore defConfig5 = def5.getConfigStore();
+ defConfig5.putString("params.keyUsageCritical", "true");
+ defConfig5.putString("params.keyUsageCrlSign", "true");
+ defConfig5.putString("params.keyUsageDataEncipherment", "false");
+ defConfig5.putString("params.keyUsageDecipherOnly", "false");
+ defConfig5.putString("params.keyUsageDigitalSignature", "true");
+ defConfig5.putString("params.keyUsageEncipherOnly", "false");
+ defConfig5.putString("params.keyUsageKeyAgreement", "false");
+ defConfig5.putString("params.keyUsageKeyCertSign", "true");
+ defConfig5.putString("params.keyUsageKeyEncipherment", "false");
+ defConfig5.putString("params.keyUsageNonRepudiation", "true");
+
+ IProfilePolicy policy6 =
+ createProfilePolicy("set1", "p6",
+ "basicConstraintsExtDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def6 = policy6.getDefault();
+ IConfigStore defConfig6 = def6.getConfigStore();
+ defConfig6.putString("params.basicConstraintsPathLen", "-1");
+ defConfig6.putString("params.basicConstraintsIsCA", "true");
+ defConfig6.putString("params.basicConstraintsPathLen", "-1");
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java
new file mode 100644
index 000000000..c03f90a4b
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java
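Review bot: The defaults populate() writes for the CA-certificate profile permit weak signing and key parameters: `params.signingAlgsAllowed` lists `MD5withRSA` and `MD2withRSA` alongside `SHA1withRSA`, and `params.keyMinLength` is `512`, for a certificate that will itself sign other certificates. These values appear to only seed the config of a freshly populated profile (the persisted profile config is not visible here), so narrowing the list to the SHA-2 entries, e.g. `"SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC"`, and raising keyMinLength to `2048` would make the shipped default safe without altering existing installations. Separately, `defConfig6.putString("params.basicConstraintsPathLen", "-1");` is written twice in the p6 block; the second call is a no-op and can be dropped. A one-line comment above each policy block naming what it configures, for example `// p6: basicConstraints, CA=true, no path-length limit`, would help readers map the p1..p6 ids to their meaning.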
@@ -0,0 +1,242 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+import java.util.Enumeration;
+
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+
+import org.mozilla.jss.pkix.crmf.PKIArchiveOptions;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authority.IAuthority;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.ca.ICAService;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.connector.IConnector;
+import com.netscape.certsrv.logging.AuditFormat;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.ERejectException;
+import com.netscape.certsrv.profile.IProfileUpdater;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.RequestStatus;
+
+/**
+ * This class implements a Certificate Manager enrollment
+ * profile.
+ * + * @version $Revision$, $Date$ + */ +public class CAEnrollProfile extends EnrollProfile { + + private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = + "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; + + public CAEnrollProfile() { + super(); + } + + public IAuthority getAuthority() { + IAuthority authority = (IAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + + if (authority == null) + return null; + return authority; + } + + public X500Name getIssuerName() { + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + X500Name issuerName = ca.getX500Name(); + + return issuerName; + } + + public void execute(IRequest request) + throws EProfileException { + + long startTime = CMS.getCurrentDate().getTime(); + + if (!isEnable()) { + CMS.debug("CAEnrollProfile: Profile Not Enabled"); + throw new EProfileException("Profile Not Enabled"); + } + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(request); + String auditArchiveID = ILogger.UNIDENTIFIED; + + String id = request.getRequestId().toString(); + if (id != null) { + auditArchiveID = id.trim(); + } + + CMS.debug("CAEnrollProfile: execute reqId=" + + request.getRequestId().toString()); + ICertificateAuthority ca = (ICertificateAuthority) getAuthority(); + ICAService caService = (ICAService) ca.getCAService(); + + if (caService == null) { + throw new EProfileException("No CA Service"); + } + + // if PKI Archive Option present, send this request + // to DRM + byte optionsData[] = request.getExtDataInByteArray(REQUEST_ARCHIVE_OPTIONS); + + // do not archive keys for renewal requests + if ((optionsData != null) && (!request.getRequestType().equals(IRequest.RENEWAL_REQUEST))) { + PKIArchiveOptions options = (PKIArchiveOptions) + toPKIArchiveOptions(optionsData); + + if (options != null) { + CMS.debug("CAEnrollProfile: execute found " + + "PKIArchiveOptions"); + try { + IConnector 
kraConnector = caService.getKRAConnector(); + + if (kraConnector == null) { + CMS.debug("CAEnrollProfile: KRA connector " + + "not configured"); + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + + } else { + CMS.debug("CAEnrollProfile: execute send request"); + kraConnector.send(request); + + // check response + if (!request.isSuccess()) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + throw new ERejectException( + request.getError(getLocale(request))); + } + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + } + } catch (Exception e) { + + if (e instanceof ERejectException) { + throw (ERejectException) e; + } + CMS.debug("CAEnrollProfile: " + e.toString()); + CMS.debug(e); + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + throw new EProfileException(e.toString()); + } + } + } + + // process certificate issuance + X509CertInfo info = request.getExtDataInCertInfo(REQUEST_CERTINFO); + X509CertImpl theCert = null; + + // #615460 - added audit log (transaction) + SessionContext sc = SessionContext.getExistingContext(); + sc.put("profileId", getId()); + String setId = request.getExtDataInString("profileSetId"); + if (setId != null) { + sc.put("profileSetId", setId); + } + + try { + theCert = caService.issueX509Cert(info, getId() /* profileId */, + id /* requestId */); + } catch (EBaseException e) { + CMS.debug(e.toString()); + + throw new EProfileException(e.toString()); + } + 
request.setExtData(REQUEST_ISSUED_CERT, theCert); + + long endTime = CMS.getCurrentDate().getTime(); + + String initiative = AuditFormat.FROMAGENT + + " userID: " + + (String) sc.get(SessionContext.USER_ID); + String authMgr = (String) sc.get(SessionContext.AUTH_MANAGER_ID); + + ILogger logger = CMS.getLogger(); + if (logger != null) { + logger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, AuditFormat.LEVEL, AuditFormat.FORMAT, + new Object[] { + request.getRequestType(), + request.getRequestId(), + initiative, + authMgr, + "completed", + theCert.getSubjectDN(), + "cert issued serial number: 0x" + + theCert.getSerialNumber().toString(16) + + " time: " + (endTime - startTime) } + ); + } + + request.setRequestStatus(RequestStatus.COMPLETE); + + // notifies updater plugins + Enumeration updaterIds = getProfileUpdaterIds(); + while (updaterIds.hasMoreElements()) { + String updaterId = updaterIds.nextElement(); + IProfileUpdater updater = getProfileUpdater(updaterId); + updater.update(request, RequestStatus.COMPLETE); + } + + // set value for predicate value - checking in getRule + if (CMS.isEncryptionCert(theCert)) + request.setExtData("isEncryptionCert", "true"); + else + request.setExtData("isEncryptionCert", "false"); + } +} diff --git a/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java new file mode 100644 index 000000000..d574f0f94 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java 
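Review bot: `execute` calls `ca.getCAService()` on the result of `getAuthority()` without a null check, even though `getAuthority()` in this same file explicitly returns null when the CA subsystem is absent; the `caService == null` check that follows never sees that case, so the failure surfaces as a NullPointerException rather than the EProfileException callers expect. Guard the cast: `ICertificateAuthority ca = (ICertificateAuthority) getAuthority();` / `if (ca == null) throw new EProfileException("No CA Service");` / `ICAService caService = (ICAService) ca.getCAService();` — `getIssuerName()` dereferences the same subsystem lookup directly and deserves the same guard. Separately, the `kraConnector == null` branch records a FAILURE audit event for the archive request and then falls through to certificate issuance with the key unarchived; if that is intended, a comment such as `// no KRA connector: key is not archived but the certificate is still issued` on that branch would stop the next reader from assuming the request is rejected there.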
@@ -0,0 +1,1468 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.StringTokenizer;
+
+import netscape.security.pkcs.PKCS10;
+import netscape.security.pkcs.PKCS10Attribute;
+import netscape.security.pkcs.PKCS10Attributes;
+import netscape.security.pkcs.PKCS9Attribute;
+import netscape.security.util.DerInputStream;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.DerValue;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.CertificateAlgorithmId;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateIssuerName;
+import netscape.security.x509.CertificateSerialNumber;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.CertificateX509Key;
+import netscape.security.x509.Extension;
+import netscape.security.x509.Extensions;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509Key;
+
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.asn1.ASN1Util;
+import org.mozilla.jss.asn1.ASN1Value;
+import org.mozilla.jss.asn1.INTEGER;
+import org.mozilla.jss.asn1.InvalidBERException;
+import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
+import org.mozilla.jss.asn1.OCTET_STRING;
+import org.mozilla.jss.asn1.SEQUENCE;
+import org.mozilla.jss.asn1.SET;
+import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.pkcs10.CertificationRequest;
+import org.mozilla.jss.pkcs10.CertificationRequestInfo;
+import org.mozilla.jss.pkix.cmc.LraPopWitness;
+import org.mozilla.jss.pkix.cmc.OtherMsg;
+import org.mozilla.jss.pkix.cmc.PKIData;
+import org.mozilla.jss.pkix.cmc.TaggedAttribute;
+import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest;
+import org.mozilla.jss.pkix.cmc.TaggedRequest;
+import org.mozilla.jss.pkix.crmf.CertReqMsg;
+import org.mozilla.jss.pkix.crmf.CertRequest;
+import org.mozilla.jss.pkix.crmf.CertTemplate;
+import org.mozilla.jss.pkix.crmf.PKIArchiveOptions;
+import org.mozilla.jss.pkix.crmf.ProofOfPossession;
+import org.mozilla.jss.pkix.primitive.AVA;
+import org.mozilla.jss.pkix.primitive.Attribute;
+import org.mozilla.jss.pkix.primitive.Name;
+import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.authentication.ISharedToken;
+import com.netscape.certsrv.authority.IAuthority;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.EPropertyNotFound;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.profile.EDeferException;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.ERejectException;
+import com.netscape.certsrv.profile.IEnrollProfile;
+import com.netscape.certsrv.profile.IProfileContext;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.IRequestQueue;
+import com.netscape.cmsutil.util.HMACDigest;
+
+/**
+ * This class implements a generic enrollment profile.
+ *
+ * @version $Revision$, $Date$
+ */
+public abstract class EnrollProfile extends BasicProfile
+ implements IEnrollProfile {
+
+ private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST =
+ "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
+ private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION =
+ "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2";
+
+ private PKIData mCMCData;
+
+ public EnrollProfile() {
+ super();
+ }
+
+ public abstract IAuthority getAuthority();
+
+ public IRequestQueue getRequestQueue() {
+ IAuthority authority = getAuthority();
+
+ return authority.getRequestQueue();
+ }
+
+ public IProfileContext createContext() {
+ return new EnrollProfileContext();
+ }
+
+ /**
+ * Creates request.
+ */ + public IRequest[] createRequests(IProfileContext context, Locale locale) + throws EProfileException { + EnrollProfileContext ctx = (EnrollProfileContext) context; + + // determine how many requests should be created + String cert_request_type = ctx.get(CTX_CERT_REQUEST_TYPE); + String cert_request = ctx.get(CTX_CERT_REQUEST); + String is_renewal = ctx.get(CTX_RENEWAL); + Integer renewal_seq_num = 0; + + /* cert_request_type can be null for the case of CMC */ + if (cert_request_type == null) { + CMS.debug("EnrollProfile: request type is null"); + } + + int num_requests = 1; // default to 1 request + + if (cert_request_type != null && cert_request_type.startsWith("pkcs10")) { + // catch for invalid request + parsePKCS10(locale, cert_request); + } + if (cert_request_type != null && cert_request_type.startsWith("crmf")) { + CertReqMsg msgs[] = parseCRMF(locale, cert_request); + + num_requests = msgs.length; + } + if (cert_request_type != null && cert_request_type.startsWith("cmc")) { + // catch for invalid request + TaggedRequest[] msgs = parseCMC(locale, cert_request); + if (msgs == null) + return null; + else + num_requests = msgs.length; + } + + // only 1 request for renewal + if ((is_renewal != null) && (is_renewal.equals("true"))) { + num_requests = 1; + String renewal_seq_num_str = ctx.get(CTX_RENEWAL_SEQ_NUM); + if (renewal_seq_num_str != null) { + renewal_seq_num = Integer.parseInt(renewal_seq_num_str); + } else { + renewal_seq_num = 0; + } + } + + // populate requests with appropriate content + IRequest result[] = new IRequest[num_requests]; + + for (int i = 0; i < num_requests; i++) { + result[i] = createEnrollmentRequest(); + if ((is_renewal != null) && (is_renewal.equals("true"))) { + result[i].setExtData(REQUEST_SEQ_NUM, renewal_seq_num); + } else { + result[i].setExtData(REQUEST_SEQ_NUM, Integer.valueOf(i)); + } + if (locale != null) { + result[i].setExtData(REQUEST_LOCALE, locale.getLanguage()); + } + } + return result; + } + + public abstract 
X500Name getIssuerName(); + + public void setDefaultCertInfo(IRequest req) throws EProfileException { + // create an empty certificate template so that + // default plugins that store stuff + X509CertInfo info = new X509CertInfo(); + + // retrieve issuer name + X500Name issuerName = getIssuerName(); + + byte[] dummykey = new byte[] { + 48, 92, 48, 13, 6, 9, 42, -122, 72, -122, -9, 13, 1, 1, 1, 5, + 0, 3, 75, 0, 48, 72, 2, 65, 0, -65, 121, -119, -59, 105, 66, + -122, -78, -30, -64, 63, -47, 44, -48, -104, 103, -47, -108, + 42, -38, 46, -8, 32, 49, -29, -26, -112, -29, -86, 71, 24, + -104, 78, -31, -75, -128, 90, -92, -34, -51, -125, -13, 80, 101, + -78, 39, -119, -38, 117, 28, 67, -19, -71, -124, -85, 105, -53, + -103, -59, -67, -38, -83, 118, 65, 2, 3, 1, 0, 1 }; + // default values into x509 certinfo. This thing is + // not serializable by default + try { + info.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + info.set(X509CertInfo.SERIAL_NUMBER, + new CertificateSerialNumber(new BigInteger("0"))); + info.set(X509CertInfo.ISSUER, + new CertificateIssuerName(issuerName)); + info.set(X509CertInfo.KEY, + new CertificateX509Key(X509Key.parse(new DerValue(dummykey)))); + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(issuerName)); + info.set(X509CertInfo.VALIDITY, + new CertificateValidity(new Date(), new Date())); + info.set(X509CertInfo.ALGORITHM_ID, + new CertificateAlgorithmId( + AlgorithmId.getAlgorithmId("MD5withRSA"))); + + // add default extension container + info.set(X509CertInfo.EXTENSIONS, + new CertificateExtensions()); + } catch (Exception e) { + // throw exception - add key to template + CMS.debug("EnrollProfile: Building X509CertInfo - " + e.toString()); + throw new EProfileException(e.toString()); + } + req.setExtData(REQUEST_CERTINFO, info); + } + + public IRequest createEnrollmentRequest() + throws EProfileException { + IRequest req = null; + + try { + req = getRequestQueue().newRequest("enrollment"); + + 
setDefaultCertInfo(req); + + // put the certificate info into request + req.setExtData(REQUEST_EXTENSIONS, + new CertificateExtensions()); + + CMS.debug("EnrollProfile: createRequest " + + req.getRequestId().toString()); + } catch (EBaseException e) { + // raise exception + CMS.debug("EnrollProfile: create new enroll request " + + e.toString()); + } + + return req; + } + + public abstract void execute(IRequest request) + throws EProfileException; + + /** + * Perform simple policy set assignment. + */ + public String getPolicySetId(IRequest req) { + Integer seq = req.getExtDataInInteger(REQUEST_SEQ_NUM); + int seq_no = seq.intValue(); // start from 0 + + int count = 0; + Enumeration setIds = getProfilePolicySetIds(); + + while (setIds.hasMoreElements()) { + String setId = (String) setIds.nextElement(); + + if (count == seq_no) { + return setId; + } + count++; + } + return null; + } + + public String getRequestorDN(IRequest request) { + X509CertInfo info = request.getExtDataInCertInfo(REQUEST_CERTINFO); + + try { + CertificateSubjectName sn = (CertificateSubjectName) + info.get(X509CertInfo.SUBJECT); + + return sn.toString(); + } catch (Exception e) { + CMS.debug("EnrollProfile: getRequestDN " + e.toString()); + } + return null; + } + + /** + * This method is called after the user submits the + * request from the end-entity page. 
+ */ + public void submit(IAuthToken token, IRequest request) + throws EDeferException, EProfileException { + // Request Submission Logic: + // + // if (Authentication Failed) { + // return Error + // } else { + // if (No Auth Token) { + // queue request + // } else { + // process request + // } + // } + + IAuthority authority = (IAuthority) + getAuthority(); + IRequestQueue queue = authority.getRequestQueue(); + + // this profile queues request that is authenticated + // by NoAuth + try { + queue.updateRequest(request); + } catch (EBaseException e) { + // save request to disk + CMS.debug("EnrollProfile: Update request " + e.toString()); + } + + if (token == null) { + CMS.debug("EnrollProfile: auth token is null"); + CMS.debug("EnrollProfile: validating request"); + validate(request); + try { + queue.updateRequest(request); + } catch (EBaseException e) { + CMS.debug("EnrollProfile: Update request (after validation) " + e.toString()); + } + + throw new EDeferException("defer request"); + } else { + // this profile executes request that is authenticated + // by non NoAuth + CMS.debug("EnrollProfile: auth token is not null"); + validate(request); + execute(request); + } + } + + public TaggedRequest[] parseCMC(Locale locale, String certreq) + throws EProfileException { + /* cert request must not be null */ + if (certreq == null) { + CMS.debug("EnrollProfile: parseCMC() certreq null"); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + CMS.debug("EnrollProfile: Start parseCMC(): " + certreq); + + TaggedRequest msgs[] = null; + + String creq = normalizeCertReq(certreq); + try { + byte data[] = CMS.AtoB(creq); + ByteArrayInputStream cmcBlobIn = + new ByteArrayInputStream(data); + + org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo) + org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode(cmcBlobIn); + org.mozilla.jss.pkix.cms.SignedData cmcFullReq = + (org.mozilla.jss.pkix.cms.SignedData) 
cmcReq.getInterpretedContent(); + org.mozilla.jss.pkix.cms.EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); + OCTET_STRING content = ci.getContent(); + + ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); + PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); + + mCMCData = pkiData; + //PKIData pkiData = (PKIData) + // (new PKIData.Template()).decode(cmcBlobIn); + SEQUENCE controlSeq = pkiData.getControlSequence(); + int numcontrols = controlSeq.size(); + SEQUENCE reqSeq = pkiData.getReqSequence(); + byte randomSeed[] = null; + SessionContext context = SessionContext.getContext(); + if (!context.containsKey("numOfControls")) { + if (numcontrols > 0) { + context.put("numOfControls", Integer.valueOf(numcontrols)); + TaggedAttribute[] attributes = new TaggedAttribute[numcontrols]; + for (int i = 0; i < numcontrols; i++) { + attributes[i] = (TaggedAttribute) controlSeq.elementAt(i); + OBJECT_IDENTIFIER oid = attributes[i].getType(); + if (oid.equals(OBJECT_IDENTIFIER.id_cmc_identityProof)) { + boolean valid = verifyIdentityProof(attributes[i], + reqSeq); + if (!valid) { + SEQUENCE bpids = getRequestBpids(reqSeq); + context.put("identityProof", bpids); + return null; + } + } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkRandom)) { + SET vals = attributes[i].getValues(); + OCTET_STRING ostr = + (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), + ASN1Util.encode(vals.elementAt(0)))); + randomSeed = ostr.toByteArray(); + } else { + context.put(attributes[i].getType(), attributes[i]); + } + } + } + } + + SEQUENCE otherMsgSeq = pkiData.getOtherMsgSequence(); + int numOtherMsgs = otherMsgSeq.size(); + if (!context.containsKey("numOfOtherMsgs")) { + context.put("numOfOtherMsgs", Integer.valueOf(numOtherMsgs)); + for (int i = 0; i < numOtherMsgs; i++) { + OtherMsg omsg = (OtherMsg) (ASN1Util.decode(OtherMsg.getTemplate(), + ASN1Util.encode(otherMsgSeq.elementAt(i)))); + context.put("otherMsg" + i, omsg); + } + } + + 
int nummsgs = reqSeq.size(); + if (nummsgs > 0) { + msgs = new TaggedRequest[reqSeq.size()]; + SEQUENCE bpids = new SEQUENCE(); + boolean valid = true; + for (int i = 0; i < nummsgs; i++) { + msgs[i] = (TaggedRequest) reqSeq.elementAt(i); + if (!context.containsKey("POPLinkWitness")) { + if (randomSeed != null) { + valid = verifyPOPLinkWitness(randomSeed, msgs[i], bpids); + if (!valid || bpids.size() > 0) { + context.put("POPLinkWitness", bpids); + return null; + } + } + } + } + } else + return null; + + return msgs; + } catch (Exception e) { + CMS.debug("EnrollProfile: parseCMC " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + } + + private boolean verifyPOPLinkWitness(byte[] randomSeed, TaggedRequest req, + SEQUENCE bpids) { + ISharedToken tokenClass = null; + boolean sharedSecretFound = true; + String name = null; + try { + name = CMS.getConfigStore().getString("cmc.sharedSecret.class"); + } catch (EPropertyNotFound e) { + CMS.debug("EnrollProfile: Failed to find the token class in the configuration file."); + sharedSecretFound = false; + } catch (EBaseException e) { + CMS.debug("EnrollProfile: Failed to find the token class in the configuration file."); + sharedSecretFound = false; + } + + try { + tokenClass = (ISharedToken) Class.forName(name).newInstance(); + } catch (ClassNotFoundException e) { + CMS.debug("EnrollProfile: Failed to find class name: " + name); + sharedSecretFound = false; + } catch (InstantiationException e) { + CMS.debug("EnrollProfile: Failed to instantiate class: " + name); + sharedSecretFound = false; + } catch (IllegalAccessException e) { + CMS.debug("EnrollProfile: Illegal access: " + name); + sharedSecretFound = false; + } + + INTEGER reqId = null; + byte[] bv = null; + String sharedSecret = null; + if (tokenClass != null) + sharedSecret = tokenClass.getSharedToken(mCMCData); + if (req.getType().equals(TaggedRequest.PKCS10)) { + TaggedCertificationRequest tcr = 
req.getTcr(); + if (!sharedSecretFound) { + bpids.addElement(tcr.getBodyPartID()); + return false; + } else { + CertificationRequest creq = tcr.getCertificationRequest(); + CertificationRequestInfo cinfo = creq.getInfo(); + SET attrs = cinfo.getAttributes(); + for (int j = 0; j < attrs.size(); j++) { + Attribute pkcs10Attr = (Attribute) attrs.elementAt(j); + if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { + SET witnessVal = pkcs10Attr.getValues(); + if (witnessVal.size() > 0) { + try { + OCTET_STRING str = + (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), + ASN1Util.encode(witnessVal.elementAt(0)))); + bv = str.toByteArray(); + return verifyDigest(sharedSecret.getBytes(), + randomSeed, bv); + } catch (InvalidBERException ex) { + return false; + } + } + } + } + + return false; + } + } else if (req.getType().equals(TaggedRequest.CRMF)) { + CertReqMsg crm = req.getCrm(); + CertRequest certReq = crm.getCertReq(); + reqId = certReq.getCertReqId(); + if (!sharedSecretFound) { + bpids.addElement(reqId); + return false; + } else { + for (int i = 0; i < certReq.numControls(); i++) { + AVA ava = certReq.controlAt(i); + + if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { + ASN1Value value = ava.getValue(); + ByteArrayInputStream bis = new ByteArrayInputStream( + ASN1Util.encode(value)); + OCTET_STRING ostr = null; + try { + ostr = (OCTET_STRING) + (new OCTET_STRING.Template()).decode(bis); + bv = ostr.toByteArray(); + } catch (Exception e) { + bpids.addElement(reqId); + return false; + } + + boolean valid = verifyDigest(sharedSecret.getBytes(), + randomSeed, bv); + if (!valid) { + bpids.addElement(reqId); + return valid; + } + } + } + } + } + + return true; + } + + private boolean verifyDigest(byte[] sharedSecret, byte[] text, byte[] bv) { + byte[] key = null; + try { + MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1"); + key = SHA1Digest.digest(sharedSecret); + } catch (NoSuchAlgorithmException ex) { + 
CMS.debug("EnrollProfile: No such algorithm for this message digest."); + return false; + } + + byte[] finalDigest = null; + try { + MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1"); + HMACDigest hmacDigest = new HMACDigest(SHA1Digest, key); + hmacDigest.update(text); + finalDigest = hmacDigest.digest(); + } catch (NoSuchAlgorithmException ex) { + CMS.debug("EnrollProfile: No such algorithm for this message digest."); + return false; + } + + if (finalDigest.length != bv.length) { + CMS.debug("EnrollProfile: The length of two HMAC digest are not the same."); + return false; + } + + for (int j = 0; j < bv.length; j++) { + if (bv[j] != finalDigest[j]) { + CMS.debug("EnrollProfile: The content of two HMAC digest are not the same."); + return false; + } + } + + CMS.debug("EnrollProfile: The content of two HMAC digest are the same."); + return true; + } + + private SEQUENCE getRequestBpids(SEQUENCE reqSeq) { + SEQUENCE bpids = new SEQUENCE(); + for (int i = 0; i < reqSeq.size(); i++) { + TaggedRequest req = (TaggedRequest) reqSeq.elementAt(i); + if (req.getType().equals(TaggedRequest.PKCS10)) { + TaggedCertificationRequest tcr = req.getTcr(); + bpids.addElement(tcr.getBodyPartID()); + } else if (req.getType().equals(TaggedRequest.CRMF)) { + CertReqMsg crm = req.getCrm(); + CertRequest request = crm.getCertReq(); + bpids.addElement(request.getCertReqId()); + } + } + + return bpids; + } + + private boolean verifyIdentityProof(TaggedAttribute attr, SEQUENCE reqSeq) { + SET vals = attr.getValues(); + if (vals.size() < 1) + return false; + String name = null; + try { + name = CMS.getConfigStore().getString("cmc.sharedSecret.class"); + } catch (EPropertyNotFound e) { + } catch (EBaseException e) { + } + + if (name == null) + return false; + else { + ISharedToken tokenClass = null; + try { + tokenClass = (ISharedToken) Class.forName(name).newInstance(); + } catch (ClassNotFoundException e) { + CMS.debug("EnrollProfile: Failed to find class name: " + name); + return 
false; + } catch (InstantiationException e) { + CMS.debug("EnrollProfile: Failed to instantiate class: " + name); + return false; + } catch (IllegalAccessException e) { + CMS.debug("EnrollProfile: Illegal access: " + name); + return false; + } + + String token = tokenClass.getSharedToken(mCMCData); + OCTET_STRING ostr = null; + try { + ostr = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), + ASN1Util.encode(vals.elementAt(0)))); + } catch (InvalidBERException e) { + CMS.debug("EnrollProfile: Failed to decode the byte value."); + return false; + } + byte[] b = ostr.toByteArray(); + byte[] text = ASN1Util.encode(reqSeq); + + return verifyDigest(token.getBytes(), text, b); + } + } + + public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo info, + IRequest req) + throws EProfileException { + TaggedRequest.Type type = tagreq.getType(); + + if (type.equals(TaggedRequest.PKCS10)) { + try { + TaggedCertificationRequest tcr = tagreq.getTcr(); + CertificationRequest p10 = tcr.getCertificationRequest(); + ByteArrayOutputStream ostream = new ByteArrayOutputStream(); + + p10.encode(ostream); + PKCS10 pkcs10 = new PKCS10(ostream.toByteArray()); + + req.setExtData("bodyPartId", tcr.getBodyPartID()); + fillPKCS10(locale, pkcs10, info, req); + } catch (Exception e) { + CMS.debug("EnrollProfile: fillTaggedRequest " + + e.toString()); + } + } else if (type.equals(TaggedRequest.CRMF)) { + CertReqMsg crm = tagreq.getCrm(); + SessionContext context = SessionContext.getContext(); + Integer nums = (Integer) (context.get("numOfControls")); + + // check if the LRA POP Witness Control attribute exists + if (nums != null && nums.intValue() > 0) { + TaggedAttribute attr = + (TaggedAttribute) (context.get(OBJECT_IDENTIFIER.id_cmc_lraPOPWitness)); + if (attr != null) { + parseLRAPopWitness(locale, crm, attr); + } else { + CMS.debug("EnrollProfile: verify POP in CMC because LRA POP Witness control attribute doesnt exist in the CMC request."); + 
verifyPOP(locale, crm); + } + } else { + CMS.debug("EnrollProfile: verify POP in CMC because LRA POP Witness control attribute doesnt exist in the CMC request."); + verifyPOP(locale, crm); + } + + fillCertReqMsg(locale, crm, info, req); + } else { + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + } + + private void parseLRAPopWitness(Locale locale, CertReqMsg crm, + TaggedAttribute attr) throws EProfileException { + SET vals = attr.getValues(); + boolean donePOP = false; + INTEGER reqId = null; + if (vals.size() > 0) { + LraPopWitness lraPop = null; + try { + lraPop = (LraPopWitness) (ASN1Util.decode(LraPopWitness.getTemplate(), + ASN1Util.encode(vals.elementAt(0)))); + } catch (InvalidBERException e) { + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_ENCODING_ERROR")); + } + + SEQUENCE bodyIds = lraPop.getBodyIds(); + reqId = crm.getCertReq().getCertReqId(); + + for (int i = 0; i < bodyIds.size(); i++) { + INTEGER num = (INTEGER) (bodyIds.elementAt(i)); + if (num.toString().equals(reqId.toString())) { + donePOP = true; + CMS.debug("EnrollProfile: skip POP for request: " + + reqId.toString() + " because LRA POP Witness control is found."); + break; + } + } + } + + if (!donePOP) { + CMS.debug("EnrollProfile: not skip POP for request: " + + reqId.toString() + + " because this request id is not part of the body list in LRA Pop witness control."); + verifyPOP(locale, crm); + } + } + + public CertReqMsg[] parseCRMF(Locale locale, String certreq) + throws EProfileException { + + /* cert request must not be null */ + if (certreq == null) { + CMS.debug("EnrollProfile: parseCRMF() certreq null"); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + CMS.debug("EnrollProfile: Start parseCRMF(): " + certreq); + + CertReqMsg msgs[] = null; + String creq = normalizeCertReq(certreq); + try { + byte data[] = CMS.AtoB(creq); + ByteArrayInputStream crmfBlobIn = + 
new ByteArrayInputStream(data); + SEQUENCE crmfMsgs = (SEQUENCE) + new SEQUENCE.OF_Template(new + CertReqMsg.Template()).decode(crmfBlobIn); + int nummsgs = crmfMsgs.size(); + + if (nummsgs <= 0) + return null; + msgs = new CertReqMsg[crmfMsgs.size()]; + for (int i = 0; i < nummsgs; i++) { + msgs[i] = (CertReqMsg) crmfMsgs.elementAt(i); + } + return msgs; + } catch (Exception e) { + CMS.debug("EnrollProfile: parseCRMF " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + } + + private static final OBJECT_IDENTIFIER PKIARCHIVEOPTIONS_OID = + new OBJECT_IDENTIFIER(new long[] { 1, 3, 6, 1, 5, 5, 7, 5, 1, 4 } + ); + + protected PKIArchiveOptions getPKIArchiveOptions(AVA ava) { + ASN1Value archVal = ava.getValue(); + ByteArrayInputStream bis = new ByteArrayInputStream( + ASN1Util.encode(archVal)); + PKIArchiveOptions archOpts = null; + + try { + archOpts = (PKIArchiveOptions) + (new PKIArchiveOptions.Template()).decode(bis); + } catch (Exception e) { + CMS.debug("EnrollProfile: getPKIArchiveOptions " + e.toString()); + } + return archOpts; + } + + public PKIArchiveOptions toPKIArchiveOptions(byte options[]) { + ByteArrayInputStream bis = new ByteArrayInputStream(options); + PKIArchiveOptions archOpts = null; + + try { + archOpts = (PKIArchiveOptions) + (new PKIArchiveOptions.Template()).decode(bis); + } catch (Exception e) { + CMS.debug("EnrollProfile: toPKIArchiveOptions " + e.toString()); + } + return archOpts; + } + + public byte[] toByteArray(PKIArchiveOptions options) { + return ASN1Util.encode(options); + } + + public void fillCertReqMsg(Locale locale, CertReqMsg certReqMsg, X509CertInfo info, + IRequest req) + throws EProfileException { + try { + CMS.debug("Start parseCertReqMsg "); + CertRequest certReq = certReqMsg.getCertReq(); + req.setExtData("bodyPartId", certReq.getCertReqId()); + // handle PKIArchiveOption (key archival) + for (int i = 0; i < certReq.numControls(); i++) { + AVA ava = 
certReq.controlAt(i); + + if (ava.getOID().equals(PKIARCHIVEOPTIONS_OID)) { + PKIArchiveOptions opt = getPKIArchiveOptions(ava); + + //req.set(REQUEST_ARCHIVE_OPTIONS, opt); + req.setExtData(REQUEST_ARCHIVE_OPTIONS, + toByteArray(opt)); + } + } + + CertTemplate certTemplate = certReq.getCertTemplate(); + + // parse key + SubjectPublicKeyInfo spki = certTemplate.getPublicKey(); + ByteArrayOutputStream keyout = new ByteArrayOutputStream(); + + spki.encode(keyout); + byte[] keybytes = keyout.toByteArray(); + X509Key key = new X509Key(); + + key.decode(keybytes); + + // XXX - kmccarth - this may simply undo the decoding above + // but for now it's unclear whether X509Key + // changest the format when decoding. + CertificateX509Key certKey = new CertificateX509Key(key); + ByteArrayOutputStream certKeyOut = new ByteArrayOutputStream(); + certKey.encode(certKeyOut); + req.setExtData(REQUEST_KEY, certKeyOut.toByteArray()); + + // parse validity + if (certTemplate.getNotBefore() != null || + certTemplate.getNotAfter() != null) { + CMS.debug("EnrollProfile: requested notBefore: " + certTemplate.getNotBefore()); + CMS.debug("EnrollProfile: requested notAfter: " + certTemplate.getNotAfter()); + CMS.debug("EnrollProfile: current CA time: " + new Date()); + CertificateValidity certValidity = new CertificateValidity( + certTemplate.getNotBefore(), certTemplate.getNotAfter()); + ByteArrayOutputStream certValidityOut = + new ByteArrayOutputStream(); + certValidity.encode(certValidityOut); + req.setExtData(REQUEST_VALIDITY, certValidityOut.toByteArray()); + } else { + CMS.debug("EnrollProfile: validity not supplied"); + } + + // parse subject + if (certTemplate.hasSubject()) { + Name subjectdn = certTemplate.getSubject(); + ByteArrayOutputStream subjectEncStream = + new ByteArrayOutputStream(); + + subjectdn.encode(subjectEncStream); + byte[] subjectEnc = subjectEncStream.toByteArray(); + X500Name subject = new X500Name(subjectEnc); + + //info.set(X509CertInfo.SUBJECT, + // new 
CertificateSubjectName(subject)); + + req.setExtData(REQUEST_SUBJECT_NAME, + new CertificateSubjectName(subject)); + try { + String subjectCN = subject.getCommonName(); + if (subjectCN == null) + subjectCN = ""; + req.setExtData(REQUEST_SUBJECT_NAME + ".cn", subjectCN); + } catch (Exception ee) { + req.setExtData(REQUEST_SUBJECT_NAME + ".cn", ""); + } + try { + String subjectUID = subject.getUserID(); + if (subjectUID == null) + subjectUID = ""; + req.setExtData(REQUEST_SUBJECT_NAME + ".uid", subjectUID); + } catch (Exception ee) { + req.setExtData(REQUEST_SUBJECT_NAME + ".uid", ""); + } + } + + // parse extensions + CertificateExtensions extensions = null; + + // try { + extensions = req.getExtDataInCertExts(REQUEST_EXTENSIONS); + // } catch (CertificateException e) { + // extensions = null; + // } catch (IOException e) { + // extensions = null; + // } + if (certTemplate.hasExtensions()) { + // put each extension from CRMF into CertInfo. + // index by extension name, consistent with + // CertificateExtensions.parseExtension() method. 
+ if (extensions == null) + extensions = new CertificateExtensions(); + int numexts = certTemplate.numExtensions(); + + for (int j = 0; j < numexts; j++) { + org.mozilla.jss.pkix.cert.Extension jssext = + certTemplate.extensionAt(j); + boolean isCritical = jssext.getCritical(); + org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssoid = + jssext.getExtnId(); + long[] numbers = jssoid.getNumbers(); + int[] oidNumbers = new int[numbers.length]; + + for (int k = numbers.length - 1; k >= 0; k--) { + oidNumbers[k] = (int) numbers[k]; + } + ObjectIdentifier oid = + new ObjectIdentifier(oidNumbers); + org.mozilla.jss.asn1.OCTET_STRING jssvalue = + jssext.getExtnValue(); + ByteArrayOutputStream jssvalueout = + new ByteArrayOutputStream(); + + jssvalue.encode(jssvalueout); + byte[] extValue = jssvalueout.toByteArray(); + + Extension ext = + new Extension(oid, isCritical, extValue); + + extensions.parseExtension(ext); + } + // info.set(X509CertInfo.EXTENSIONS, extensions); + req.setExtData(REQUEST_EXTENSIONS, extensions); + + } + } catch (IOException e) { + CMS.debug("EnrollProfile: fillCertReqMsg " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } catch (InvalidKeyException e) { + CMS.debug("EnrollProfile: fillCertReqMsg " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + // } catch (CertificateException e) { + // CMS.debug("EnrollProfile: fillCertReqMsg " + e.toString()); + // throw new EProfileException(e.toString()); + } + } + + public PKCS10 parsePKCS10(Locale locale, String certreq) + throws EProfileException { + /* cert request must not be null */ + if (certreq == null) { + CMS.debug("EnrollProfile:parsePKCS10() certreq null"); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + CMS.debug("Start parsePKCS10(): " + certreq); + + // trim header and footer + String creq = normalizeCertReq(certreq); + + // parse 
certificate into object + byte data[] = CMS.AtoB(creq); + PKCS10 pkcs10 = null; + CryptoManager cm = null; + CryptoToken savedToken = null; + boolean sigver = true; + + try { + cm = CryptoManager.getInstance(); + sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true); + if (sigver) { + CMS.debug("EnrollProfile: parsePKCS10: signature verification enabled"); + String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", "internal"); + savedToken = cm.getThreadToken(); + CryptoToken signToken = null; + if (tokenName.equals("internal")) { + CMS.debug("EnrollProfile: parsePKCS10: use internal token"); + signToken = cm.getInternalCryptoToken(); + } else { + CMS.debug("EnrollProfile: parsePKCS10: tokenName=" + tokenName); + signToken = cm.getTokenByName(tokenName); + } + CMS.debug("EnrollProfile: parsePKCS10 setting thread token"); + cm.setThreadToken(signToken); + pkcs10 = new PKCS10(data); + } else { + CMS.debug("EnrollProfile: parsePKCS10: signature verification disabled"); + pkcs10 = new PKCS10(data, sigver); + } + } catch (Exception e) { + CMS.debug("EnrollProfile: parsePKCS10 " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } finally { + if (sigver) { + CMS.debug("EnrollProfile: parsePKCS10 restoring thread token"); + cm.setThreadToken(savedToken); + } + } + + return pkcs10; + } + + public void fillPKCS10(Locale locale, PKCS10 pkcs10, X509CertInfo info, IRequest req) + throws EProfileException { + X509Key key = pkcs10.getSubjectPublicKeyInfo(); + + try { + CertificateX509Key certKey = new CertificateX509Key(key); + ByteArrayOutputStream certKeyOut = new ByteArrayOutputStream(); + certKey.encode(certKeyOut); + req.setExtData(IEnrollProfile.REQUEST_KEY, certKeyOut.toByteArray()); + + req.setExtData(EnrollProfile.REQUEST_SUBJECT_NAME, + new CertificateSubjectName(pkcs10.getSubjectName())); + try { + String subjectCN = pkcs10.getSubjectName().getCommonName(); + if 
(subjectCN == null) + subjectCN = ""; + req.setExtData(REQUEST_SUBJECT_NAME + ".cn", subjectCN); + } catch (Exception ee) { + req.setExtData(REQUEST_SUBJECT_NAME + ".cn", ""); + } + try { + String subjectUID = pkcs10.getSubjectName().getUserID(); + if (subjectUID == null) + subjectUID = ""; + req.setExtData(REQUEST_SUBJECT_NAME + ".uid", subjectUID); + } catch (Exception ee) { + req.setExtData(REQUEST_SUBJECT_NAME + ".uid", ""); + } + + info.set(X509CertInfo.KEY, certKey); + + PKCS10Attributes p10Attrs = pkcs10.getAttributes(); + if (p10Attrs != null) { + PKCS10Attribute p10Attr = (PKCS10Attribute) + (p10Attrs.getAttribute(CertificateExtensions.NAME)); + if (p10Attr != null && p10Attr.getAttributeId().equals( + PKCS9Attribute.EXTENSION_REQUEST_OID)) { + CMS.debug("Found PKCS10 extension"); + Extensions exts0 = (Extensions) + (p10Attr.getAttributeValue()); + DerOutputStream extOut = new DerOutputStream(); + + exts0.encode(extOut); + byte[] extB = extOut.toByteArray(); + DerInputStream extIn = new DerInputStream(extB); + CertificateExtensions exts = new CertificateExtensions(extIn); + if (exts != null) { + CMS.debug("Set extensions " + exts); + // info.set(X509CertInfo.EXTENSIONS, exts); + req.setExtData(REQUEST_EXTENSIONS, exts); + } + } else { + CMS.debug("PKCS10 extension Not Found"); + } + } + + CMS.debug("Finish parsePKCS10 - " + pkcs10.getSubjectName()); + } catch (IOException e) { + CMS.debug("EnrollProfile: fillPKCS10 " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } catch (CertificateException e) { + CMS.debug("EnrollProfile: fillPKCS10 " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + } + + // for netkey + public void fillNSNKEY(Locale locale, String sn, String skey, X509CertInfo info, IRequest req) + throws EProfileException { + + try { + //cfu - is the algorithm going to be replaced by the policy? 
+ X509Key key = new X509Key(); + key.decode(CMS.AtoB(skey)); + + info.set(X509CertInfo.KEY, new CertificateX509Key(key)); + // req.set(EnrollProfile.REQUEST_SUBJECT_NAME, + // new CertificateSubjectName(new + // X500Name("CN="+sn))); + req.setExtData("screenname", sn); + // keeping "aoluid" to be backward compatible + req.setExtData("aoluid", sn); + req.setExtData("uid", sn); + CMS.debug("EnrollPrifile: fillNSNKEY(): uid=" + sn); + + } catch (Exception e) { + CMS.debug("EnrollProfile: fillNSNKEY(): " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + } + + // for house key + public void fillNSHKEY(Locale locale, String tcuid, String skey, X509CertInfo info, IRequest req) + throws EProfileException { + + try { + //cfu - is the algorithm going to be replaced by the policy? + X509Key key = new X509Key(); + key.decode(CMS.AtoB(skey)); + + info.set(X509CertInfo.KEY, new CertificateX509Key(key)); + // req.set(EnrollProfile.REQUEST_SUBJECT_NAME, + // new CertificateSubjectName(new + // X500Name("CN="+sn))); + req.setExtData("tokencuid", tcuid); + + CMS.debug("EnrollPrifile: fillNSNKEY(): tokencuid=" + tcuid); + + } catch (Exception e) { + CMS.debug("EnrollProfile: fillNSHKEY(): " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + } + + public DerInputStream parseKeyGen(Locale locale, String certreq) + throws EProfileException { + byte data[] = CMS.AtoB(certreq); + + DerInputStream derIn = new DerInputStream(data); + + return derIn; + } + + public void fillKeyGen(Locale locale, DerInputStream derIn, X509CertInfo info, IRequest req + ) + throws EProfileException { + try { + + /* get SPKAC Algorithm & Signature */ + DerValue derSPKACContent[] = derIn.getSequence(3); + @SuppressWarnings("unused") + AlgorithmId mAlgId = AlgorithmId.parse(derSPKACContent[1]); + @SuppressWarnings("unused") + byte mSignature[] = derSPKACContent[2].getBitString(); + + 
/* get PKAC SPKI & Challenge */ + byte mPKAC[] = derSPKACContent[0].toByteArray(); + + derIn = new DerInputStream(mPKAC); + DerValue derPKACContent[] = derIn.getSequence(2); + + @SuppressWarnings("unused") + DerValue mDerSPKI = derPKACContent[0]; + X509Key mSPKI = X509Key.parse(derPKACContent[0]); + + @SuppressWarnings("unused") + String mChallenge; + DerValue mDerChallenge = derPKACContent[1]; + + if (mDerChallenge.length() != 0) + mChallenge = derPKACContent[1].getIA5String(); + + CertificateX509Key certKey = new CertificateX509Key(mSPKI); + ByteArrayOutputStream certKeyOut = new ByteArrayOutputStream(); + certKey.encode(certKeyOut); + req.setExtData(IEnrollProfile.REQUEST_KEY, certKeyOut.toByteArray()); + info.set(X509CertInfo.KEY, certKey); + } catch (IOException e) { + CMS.debug("EnrollProfile: fillKeyGen " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } catch (CertificateException e) { + CMS.debug("EnrollProfile: fillKeyGen " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + } + + public String normalizeCertReq(String s) { + if (s == null) { + return s; + } + s = s.replaceAll("-----BEGIN CERTIFICATE REQUEST-----", ""); + s = s.replaceAll("-----BEGIN NEW CERTIFICATE REQUEST-----", ""); + s = s.replaceAll("-----END CERTIFICATE REQUEST-----", ""); + s = s.replaceAll("-----END NEW CERTIFICATE REQUEST-----", ""); + + StringBuffer sb = new StringBuffer(); + StringTokenizer st = new StringTokenizer(s, "\r\n "); + + while (st.hasMoreTokens()) { + String nextLine = st.nextToken(); + + nextLine = nextLine.trim(); + if (nextLine.equals("-----BEGIN CERTIFICATE REQUEST-----")) + continue; + if (nextLine.equals("-----BEGIN NEW CERTIFICATE REQUEST-----")) + continue; + if (nextLine.equals("-----END CERTIFICATE REQUEST-----")) + continue; + if (nextLine.equals("-----END NEW CERTIFICATE REQUEST-----")) + continue; + sb.append(nextLine); + } + 
return sb.toString(); + } + + public Locale getLocale(IRequest request) { + Locale locale = null; + String language = request.getExtDataInString( + EnrollProfile.REQUEST_LOCALE); + if (language != null) { + locale = new Locale(language); + } + return locale; + } + + /** + * Populate input + *

+ * + * (either all "agent" profile cert requests NOT made through a connector, or all "EE" profile cert requests NOT + * made through a connector) + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST used when a profile cert request is made (before + * approval process) + *
+ * + * @param ctx profile context + * @param request the certificate request + * @exception EProfileException an error related to this profile has + * occurred + */ + public void populateInput(IProfileContext ctx, IRequest request) + throws EProfileException { + super.populateInput(ctx, request); + } + + public void populate(IRequest request) + throws EProfileException { + super.populate(request); + + } + + /** + * Passes the request to the set of constraint policies + * that validate the request against the profile. + */ + public void validate(IRequest request) + throws ERejectException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(request); + String auditProfileID = auditProfileID(); + String auditCertificateSubjectName = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + String subject = null; + + // try { + X509CertInfo info = request.getExtDataInCertInfo(REQUEST_CERTINFO); + + try { + CertificateSubjectName sn = (CertificateSubjectName) + info.get(X509CertInfo.SUBJECT); + + // if the cert subject name is NOT MISSING, retrieve the + // actual "auditCertificateSubjectName" and "normalize" it + if (sn != null) { + subject = sn.toString(); + if (subject != null) { + // NOTE: This is ok even if the cert subject name + // is "" (empty)! 
+ auditCertificateSubjectName = subject.trim(); + } + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditProfileID, + auditCertificateSubjectName); + + audit(auditMessage); + } catch (CertificateException e) { + CMS.debug("EnrollProfile: populate " + e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditProfileID, + auditCertificateSubjectName); + + audit(auditMessage); + } catch (IOException e) { + CMS.debug("EnrollProfile: populate " + e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditProfileID, + auditCertificateSubjectName); + + audit(auditMessage); + } + + super.validate(request); + Object key = null; + + try { + key = info.get(X509CertInfo.KEY); + } catch (CertificateException e) { + } catch (IOException e) { + } + + if (key == null) { + Locale locale = getLocale(request); + + throw new ERejectException(CMS.getUserMessage( + locale, "CMS_PROFILE_EMPTY_KEY")); + } + + try { + CMS.debug("EnrollProfile certInfo : " + info); + } catch (NullPointerException e) { + // do nothing + } + } + + /** + * Signed Audit Log Requester ID + * + * This method is inherited by all extended "EnrollProfile"s, + * and is called to obtain the "RequesterID" for + * a signed audit log message. + *

+ * + * @param request the actual request + * @return id string containing the signed audit log message RequesterID + */ + protected String auditRequesterID(IRequest request) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String requesterID = ILogger.UNIDENTIFIED; + + if (request != null) { + // overwrite "requesterID" if and only if "id" != null + String id = request.getRequestId().toString(); + + if (id != null) { + requesterID = id.trim(); + } + } + + return requesterID; + } + + /** + * Signed Audit Log Profile ID + * + * This method is inherited by all extended "EnrollProfile"s, + * and is called to obtain the "ProfileID" for + * a signed audit log message. + *

+ * + * @return id string containing the signed audit log message ProfileID + */ + protected String auditProfileID() { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String profileID = getId(); + + if (profileID != null) { + profileID = profileID.trim(); + } else { + profileID = ILogger.UNIDENTIFIED; + } + + return profileID; + } + + public void verifyPOP(Locale locale, CertReqMsg certReqMsg) + throws EProfileException { + CMS.debug("EnrollProfile ::in verifyPOP"); + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + if (!certReqMsg.hasPop()) { + return; + } + ProofOfPossession pop = certReqMsg.getPop(); + ProofOfPossession.Type popType = pop.getType(); + + if (popType != ProofOfPossession.SIGNATURE) { + return; + } + + try { + CryptoManager cm = CryptoManager.getInstance(); + CryptoToken verifyToken = null; + String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", "internal"); + if (tokenName.equals("internal")) { + CMS.debug("POP verification using internal token"); + certReqMsg.verify(); + } else { + CMS.debug("POP verification using token:" + tokenName); + verifyToken = cm.getTokenByName(tokenName); + certReqMsg.verify(verifyToken); + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, + auditSubjectID, + ILogger.SUCCESS); + audit(auditMessage); + } catch (Exception e) { + + CMS.debug("Failed POP verify! " + e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, + auditSubjectID, + ILogger.FAILURE); + + audit(auditMessage); + + throw new EProfileException(CMS.getUserMessage(locale, + "CMS_POP_VERIFICATION_ERROR")); + } + } +} 
diff --git a/base/common/src/com/netscape/cms/profile/common/EnrollProfileContext.java b/base/common/src/com/netscape/cms/profile/common/EnrollProfileContext.java
new file mode 100644
index 000000000..3610520fd
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/common/EnrollProfileContext.java
@@ -0,0 +1,31 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+import com.netscape.certsrv.profile.IProfileContext;
+
+/**
+ * This class implements an enrollment profile context
+ * that carries information for request creation.
+ *
+ * @version $Revision$, $Date$
+ */
+public class EnrollProfileContext extends ProfileContext
+ implements IProfileContext {
+
+}
diff --git a/base/common/src/com/netscape/cms/profile/common/ProfileContext.java b/base/common/src/com/netscape/cms/profile/common/ProfileContext.java
new file mode 100644
index 000000000..7d0686378
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/common/ProfileContext.java
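Review bot: The `implements IProfileContext` clause on `EnrollProfileContext` is redundant, because `ProfileContext`, which it extends, already declares `implements IProfileContext` in the next file of this same commit, so the declaration can shrink to `public class EnrollProfileContext extends ProfileContext {`. The class body is empty; if the subclass exists only as a marker type for enrollment requests, the Javadoc should say so in one sentence, otherwise a reader cannot tell whether it is a stub awaiting fields or a deliberate type distinction.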
@@ -0,0 +1,39 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+import java.util.Hashtable;
+
+import com.netscape.certsrv.profile.IProfileContext;
+
+/**
+ * This class implements the profile context.
+ *
+ * @version $Revision$, $Date$
+ */
+public class ProfileContext implements IProfileContext {
+ private Hashtable m_Attrs = new Hashtable();
+
+ public void set(String name, String value) {
+ m_Attrs.put(name, value);
+ }
+
+ public String get(String name) {
+ return m_Attrs.get(name);
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/common/ProfilePolicy.java b/base/common/src/com/netscape/cms/profile/common/ProfilePolicy.java
new file mode 100644
index 000000000..a8a90aef9
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/common/ProfilePolicy.java
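Review bot: `get` returns null for a name that was never `set`, and `set` with a null name or value throws NullPointerException out of `Hashtable.put`, yet neither method says so; callers cannot tell whether null means "absent" or "stored". Add Javadoc on `get` such as `/** @return the value stored under name, or null if nothing was set for it */` and on `set` a line noting that null names and values are rejected. The type arguments on `m_Attrs` were presumably stripped by the page rendering; if the field really is a raw `Hashtable`, `return m_Attrs.get(name);` needs a `String` cast to compile.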
@@ -0,0 +1,53 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+import com.netscape.certsrv.profile.IPolicyConstraint;
+import com.netscape.certsrv.profile.IPolicyDefault;
+import com.netscape.certsrv.profile.IProfilePolicy;
+
+/**
+ * This class implements a profile policy that
+ * contains a default policy and a constraint
+ * policy.
+ *
+ * @version $Revision$, $Date$
+ */
+public class ProfilePolicy implements IProfilePolicy {
+ private String mId = null;
+ private IPolicyDefault mDefault = null;
+ private IPolicyConstraint mConstraint = null;
+
+ public ProfilePolicy(String id, IPolicyDefault def, IPolicyConstraint constraint) {
+ mId = id;
+ mDefault = def;
+ mConstraint = constraint;
+ }
+
+ public String getId() {
+ return mId;
+ }
+
+ public IPolicyDefault getDefault() {
+ return mDefault;
+ }
+
+ public IPolicyConstraint getConstraint() {
+ return mConstraint;
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/common/RAEnrollProfile.java b/base/common/src/com/netscape/cms/profile/common/RAEnrollProfile.java
new file mode 100644
index 000000000..36bac1fa7
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/common/RAEnrollProfile.java
@@ -0,0 +1,128 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.common; + +import java.util.Enumeration; + +import netscape.security.x509.X500Name; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authority.IAuthority; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.connector.IConnector; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.ra.IRAService; +import com.netscape.certsrv.ra.IRegistrationAuthority; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IRequestListener; +import com.netscape.certsrv.request.IRequestQueue; +import com.netscape.certsrv.request.RequestStatus; + +/** + * This class implements a Registration Manager + * enrollment profile. 
+ * + * @version $Revision$, $Date$ + */ +public class RAEnrollProfile extends EnrollProfile { + + public RAEnrollProfile() { + super(); + } + + public IAuthority getAuthority() { + IAuthority authority = (IAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_RA); + + if (authority == null) + return null; + return authority; + } + + public X500Name getIssuerName() { + IRegistrationAuthority ra = (IRegistrationAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_RA); + X500Name issuerName = ra.getX500Name(); + + return issuerName; + } + + public void execute(IRequest request) + throws EProfileException { + + if (!isEnable()) { + CMS.debug("CAEnrollProfile: Profile Not Enabled"); + throw new EProfileException("Profile Not Enabled"); + } + + IRegistrationAuthority ra = + (IRegistrationAuthority) getAuthority(); + IRAService raService = (IRAService) ra.getRAService(); + + if (raService == null) { + throw new EProfileException("No RA Service"); + } + + IRequestQueue queue = ra.getRequestQueue(); + + // send request to CA + try { + IConnector caConnector = raService.getCAConnector(); + + if (caConnector == null) { + CMS.debug("RAEnrollProfile: CA connector not configured"); + } else { + caConnector.send(request); + // check response + if (!request.isSuccess()) { + CMS.debug("RAEnrollProfile error talking to CA setting req status to SVC_PENDING"); + + request.setRequestStatus(RequestStatus.SVC_PENDING); + + try { + queue.updateRequest(request); + } catch (EBaseException e) { + CMS.debug("RAEnrollProfile: Update request " + e.toString()); + } + throw new ERejectException( + request.getError(getLocale(request))); + } + } + } catch (Exception e) { + CMS.debug("RAEnrollProfile: " + e.toString()); + throw new EProfileException(e.toString()); + } + + // request handling + Enumeration names = ra.getRequestListenerNames(); + + if (names != null) { + while (names.hasMoreElements()) { + String name = names.nextElement(); + + CMS.debug("CAEnrollProfile: listener " + name); + IRequestListener listener 
= ra.getRequestListener(name); + + if (listener != null) { + listener.accept(request); + } + } + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java b/base/common/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java new file mode 100644 index 000000000..9be1e43c4 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java 
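Review bot: The `ERejectException` raised in `execute` after `request.isSuccess()` reports a failed CA round-trip is thrown inside the same `try` whose `catch (Exception e)` rethrows everything as `new EProfileException(e.toString())`, so the rejection is downgraded to a generic profile error and the original exception is discarded. Let the rejection pass through by catching it first, `} catch (ERejectException e) { throw e; } catch (Exception e) {`, which needs ERejectException to be assignable to the method's `throws EProfileException` clause (not shown on this page). The debug messages still carry the prefix `CAEnrollProfile:` in two places although this is the RA profile, and `getIssuerName` dereferences the RA subsystem without the null check that `getAuthority` performs. A missing CA connector only emits a debug line and then falls through to the request listeners; if that path is not meant to continue, it should reject or throw as the missing RA service case does.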
@@ -0,0 +1,100 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.common; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfileEx; +import com.netscape.certsrv.profile.IProfilePolicy; + +/** + * This class implements a Certificate Manager enrollment + * profile for Server Certificates. + * + * @version $Revision$, $Date$ + */ +public class ServerCertCAEnrollProfile extends CAEnrollProfile + implements IProfileEx { + + /** + * Called after initialization. It populates default + * policies, inputs, and outputs. 
+ */ + public void populate() throws EBaseException { + // create inputs + NameValuePairs inputParams1 = new NameValuePairs(); + createProfileInput("i1", "certReqInputImpl", inputParams1); + NameValuePairs inputParams2 = new NameValuePairs(); + createProfileInput("i2", "submitterInfoInputImpl", inputParams2); + + // create outputs + NameValuePairs outputParams1 = new NameValuePairs(); + createProfileOutput("o1", "certOutputImpl", outputParams1); + + createProfilePolicy("set1", "p1", + "userSubjectNameDefaultImpl", "noConstraintImpl"); + + IProfilePolicy policy2 = + createProfilePolicy("set1", "p2", + "validityDefaultImpl", "noConstraintImpl"); + IPolicyDefault def2 = policy2.getDefault(); + IConfigStore defConfig2 = def2.getConfigStore(); + defConfig2.putString("params.range", "180"); + defConfig2.putString("params.startTime", "0"); + + IProfilePolicy policy3 = + createProfilePolicy("set1", "p3", + "userKeyDefaultImpl", "noConstraintImpl"); + IPolicyDefault def3 = policy3.getDefault(); + IConfigStore defConfig3 = def3.getConfigStore(); + defConfig3.putString("params.keyType", "RSA"); + defConfig3.putString("params.keyMinLength", "512"); + defConfig3.putString("params.keyMaxLength", "4096"); + + IProfilePolicy policy4 = + createProfilePolicy("set1", "p4", + "signingAlgDefaultImpl", "noConstraintImpl"); + IPolicyDefault def4 = policy4.getDefault(); + IConfigStore defConfig4 = def4.getConfigStore(); + defConfig4.putString("params.signingAlg", "-"); + defConfig4 + .putString( + "params.signingAlgsAllowed", + "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); + + IProfilePolicy policy5 = + createProfilePolicy("set1", "p5", + "keyUsageExtDefaultImpl", "noConstraintImpl"); + IPolicyDefault def5 = policy5.getDefault(); + IConfigStore defConfig5 = def5.getConfigStore(); + defConfig5.putString("params.keyUsageCritical", "true"); + defConfig5.putString("params.keyUsageCrlSign", "false"); + 
defConfig5.putString("params.keyUsageDataEncipherment", "true"); + defConfig5.putString("params.keyUsageDecipherOnly", "false"); + defConfig5.putString("params.keyUsageDigitalSignature", "true"); + defConfig5.putString("params.keyUsageEncipherOnly", "false"); + defConfig5.putString("params.keyUsageKeyAgreement", "false"); + defConfig5.putString("params.keyUsageKeyCertSign", "false"); + defConfig5.putString("params.keyUsageKeyEncipherment", "true"); + defConfig5.putString("params.keyUsageNonRepudiation", "true"); + + } + +} diff --git a/base/common/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java b/base/common/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java new file mode 100644 index 000000000..3f1cdfb21 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java 
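Review bot: The `params.signingAlgsAllowed` default written by `populate()` includes `MD5withRSA` and `MD2withRSA`, and `params.keyMinLength` is set to `512`, so a server-certificate profile built from this class accepts signature and key parameters well below what current guidance treats as acceptable; `UserCertCAEnrollProfile.populate()` writes the same values. If these defaults are deliberate for compatibility, say so where they are set, e.g. `// MD2/MD5 and 512-bit keys kept for legacy clients; tighten per deployment policy`, so the next reader does not take them as recommended values; otherwise drop the MD2/MD5 entries and raise the minimum. The algorithm list is also duplicated verbatim between the two profiles, so a shared constant would keep them from drifting apart.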
@@ -0,0 +1,100 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.common; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfileEx; +import com.netscape.certsrv.profile.IProfilePolicy; + +/** + * This class implements a Certificate Manager enrollment + * profile for User Certificates. + * + * @version $Revision$, $Date$ + */ +public class UserCertCAEnrollProfile extends CAEnrollProfile + implements IProfileEx { + + /** + * Called after initialization. It populates default + * policies, inputs, and outputs. 
+ */ + public void populate() throws EBaseException { + // create inputs + NameValuePairs inputParams1 = new NameValuePairs(); + createProfileInput("i1", "keyGenInputImpl", inputParams1); + NameValuePairs inputParams2 = new NameValuePairs(); + createProfileInput("i2", "subjectNameInputImpl", inputParams2); + createProfileInput("i3", "submitterInfoInputImpl", inputParams2); + + // create outputs + NameValuePairs outputParams1 = new NameValuePairs(); + createProfileOutput("o1", "certOutputImpl", outputParams1); + + // create policies + createProfilePolicy("set1", "p1", + "userSubjectNameDefaultImpl", "noConstraintImpl"); + + IProfilePolicy policy2 = + createProfilePolicy("set1", "p2", + "validityDefaultImpl", "noConstraintImpl"); + IPolicyDefault def2 = policy2.getDefault(); + IConfigStore defConfig2 = def2.getConfigStore(); + defConfig2.putString("params.range", "180"); + defConfig2.putString("params.startTime", "0"); + + IProfilePolicy policy3 = + createProfilePolicy("set1", "p3", + "userKeyDefaultImpl", "noConstraintImpl"); + IPolicyDefault def3 = policy3.getDefault(); + IConfigStore defConfig3 = def3.getConfigStore(); + defConfig3.putString("params.keyType", "RSA"); + defConfig3.putString("params.keyMinLength", "512"); + defConfig3.putString("params.keyMaxLength", "4096"); + + IProfilePolicy policy4 = + createProfilePolicy("set1", "p4", + "signingAlgDefaultImpl", "noConstraintImpl"); + IPolicyDefault def4 = policy4.getDefault(); + IConfigStore defConfig4 = def4.getConfigStore(); + defConfig4.putString("params.signingAlg", "-"); + defConfig4 + .putString( + "params.signingAlgsAllowed", + "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); + + IProfilePolicy policy5 = + createProfilePolicy("set1", "p5", + "keyUsageExtDefaultImpl", "noConstraintImpl"); + IPolicyDefault def5 = policy5.getDefault(); + IConfigStore defConfig5 = def5.getConfigStore(); + defConfig5.putString("params.keyUsageCritical", 
"true"); + defConfig5.putString("params.keyUsageCrlSign", "false"); + defConfig5.putString("params.keyUsageDataEncipherment", "false"); + defConfig5.putString("params.keyUsageDecipherOnly", "false"); + defConfig5.putString("params.keyUsageDigitalSignature", "true"); + defConfig5.putString("params.keyUsageEncipherOnly", "false"); + defConfig5.putString("params.keyUsageKeyAgreement", "false"); + defConfig5.putString("params.keyUsageKeyCertSign", "false"); + defConfig5.putString("params.keyUsageKeyEncipherment", "true"); + defConfig5.putString("params.keyUsageNonRepudiation", "true"); + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java new file mode 100644 index 000000000..f924c587f --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java 
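Review bot: `createProfileInput("i3", "submitterInfoInputImpl", inputParams2)` passes the same `NameValuePairs` instance already given to input `i2`, while every other input gets a fresh object, which reads like a copy-paste slip. If `createProfileInput` retains a reference to the parameter map, the two inputs will share state; use `NameValuePairs inputParams3 = new NameValuePairs();` and pass that for `i3`. Whether the map is retained is not visible in this hunk.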
@@ -0,0 +1,224 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.BasicConstraintsExtension; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.BasicConstraintsExtDefault; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.UserExtensionDefault; + +/** + * This class implements the basic constraints extension constraint. + * It checks if the basic constraint in the certificate + * template satisfies the criteria. 
+ * + * @version $Revision$, $Date$ + */ +public class BasicConstraintsExtConstraint extends EnrollConstraint { + + public static final String CONFIG_CRITICAL = + "basicConstraintsCritical"; + public static final String CONFIG_IS_CA = + "basicConstraintsIsCA"; + public static final String CONFIG_MIN_PATH_LEN = + "basicConstraintsMinPathLen"; + public static final String CONFIG_MAX_PATH_LEN = + "basicConstraintsMaxPathLen"; + + public BasicConstraintsExtConstraint() { + super(); + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_IS_CA); + addConfigName(CONFIG_MIN_PATH_LEN); + addConfigName(CONFIG_MAX_PATH_LEN); + } + + /** + * Initializes this constraint plugin. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_IS_CA)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_IS_CA")); + } else if (name.equals(CONFIG_MIN_PATH_LEN)) { + return new Descriptor(IDescriptor.INTEGER, null, + "-1", + CMS.getUserMessage(locale, "CMS_PROFILE_MIN_PATH_LEN")); + } else if (name.equals(CONFIG_MAX_PATH_LEN)) { + return new Descriptor(IDescriptor.INTEGER, null, + "100", + CMS.getUserMessage(locale, "CMS_PROFILE_MAX_PATH_LEN")); + } + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. 
+ */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + + try { + BasicConstraintsExtension ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), + info); + + if (ext == null) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", + PKIXExtensions.BasicConstraints_Id.toString())); + } + + // check criticality + String value = getConfig(CONFIG_CRITICAL); + + if (!isOptional(value)) { + boolean critical = getBoolean(value); + + if (critical != ext.isCritical()) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CRITICAL_NOT_MATCHED")); + } + } + value = getConfig(CONFIG_IS_CA); + if (!isOptional(value)) { + boolean isCA = getBoolean(value); + Boolean extIsCA = (Boolean) ext.get(BasicConstraintsExtension.IS_CA); + + if (isCA != extIsCA.booleanValue()) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_IS_CA")); + } + } + value = getConfig(CONFIG_MIN_PATH_LEN); + if (!isOptional(value)) { + int pathLen = getInt(value); + Integer extPathLen = (Integer) ext.get(BasicConstraintsExtension.PATH_LEN); + + if (pathLen > extPathLen.intValue()) { + CMS.debug("BasicCOnstraintsExtConstraint: pathLen=" + pathLen + " > extPathLen=" + extPathLen); + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_MIN_PATH")); + } + } + value = getConfig(CONFIG_MAX_PATH_LEN); + if (!isOptional(value)) { + int pathLen = getInt(value); + Integer extPathLen = (Integer) ext.get(BasicConstraintsExtension.PATH_LEN); + + if (pathLen < extPathLen.intValue()) { + CMS.debug("BasicCOnstraintsExtConstraint: pathLen=" + pathLen + " < extPathLen=" + extPathLen); + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_MAX_PATH")); + } + } + } 
catch (IOException e) { + CMS.debug("BasicConstraintsExt: validate " + e.toString()); + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", + PKIXExtensions.BasicConstraints_Id.toString())); + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_IS_CA), + getConfig(CONFIG_MIN_PATH_LEN), + getConfig(CONFIG_MAX_PATH_LEN) + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_TEXT", + params); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof BasicConstraintsExtDefault) + return true; + if (def instanceof UserExtensionDefault) + return true; + return false; + } + + public void setConfig(String name, String value) + throws EPropertyException { + + if (mConfig.getSubStore("params") == null) { + CMS.debug("BasicConstraintsExt: mConfig.getSubStore is null"); + // + } else { + + CMS.debug("BasicConstraintsExt: setConfig name " + name + " value " + value); + + if (name.equals(CONFIG_MAX_PATH_LEN)) { + + String minPathLen = getConfig(CONFIG_MIN_PATH_LEN); + + int minLen = getInt(minPathLen); + + int maxLen = getInt(value); + + if (minLen >= maxLen) { + CMS.debug("BasicConstraintExt: minPathLen >= maxPathLen!"); + + throw new EPropertyException("bad value"); + } + + } + mConfig.getSubStore("params").putString(name, value); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/CAEnrollConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/CAEnrollConstraint.java new file mode 100644 index 000000000..c0a9758da --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/CAEnrollConstraint.java 
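Review bot: `setConfig` enforces `minPathLen < maxPathLen` only when the name being set is `CONFIG_MAX_PATH_LEN`; writing `CONFIG_MIN_PATH_LEN` with a value at or above the current maximum is stored unchecked, so the invariant can still be broken depending on which field is edited last. Mirroring the check for the minimum, as below, closes that gap; `getInt` on an unset value behaves the same in both branches as it does today. In `validate`, the results of `ext.get(IS_CA)` and `ext.get(PATH_LEN)` are unboxed without a null check, so an extension carrying no path length would surface as a NullPointerException instead of the ERejectException the `IOException` handler produces; a null guard throwing the same `CMS_PROFILE_EXTENSION_NOT_FOUND` rejection keeps the failure on the reject path. The debug prefix `BasicCOnstraintsExtConstraint` is misspelled in two messages.
```java
if (name.equals(CONFIG_MAX_PATH_LEN)) {
    // … unchanged: minLen >= maxLen check …
} else if (name.equals(CONFIG_MIN_PATH_LEN)) {
    int maxLen = getInt(getConfig(CONFIG_MAX_PATH_LEN));
    int minLen = getInt(value);

    if (minLen >= maxLen) {
        CMS.debug("BasicConstraintExt: minPathLen >= maxPathLen!");
        throw new EPropertyException("bad value");
    }
}
mConfig.getSubStore("params").putString(name, value);
```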
@@ -0,0 +1,48 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.constraint;
+
+import netscape.security.x509.X509CertImpl;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+
+/**
+ * This class represents an abstract class for CA enrollment
+ * constraint.
+ */
+public abstract class CAEnrollConstraint extends EnrollConstraint {
+
+ /**
+ * Constructs a CA enrollment constraint.
+ */
+ public CAEnrollConstraint() {
+ super();
+ }
+
+ /**
+ * Retrieves the CA certificate.
+ */
+ public X509CertImpl getCACert() {
+ ICertificateAuthority ca = (ICertificateAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+ X509CertImpl caCert = ca.getCACert();
+
+ return caCert;
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java
new file mode 100644
index 000000000..e118fa215
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java
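Review bot: `getCACert` calls `ca.getCACert()` on the result of `CMS.getSubsystem(CMS.SUBSYSTEM_CA)` with no null check, so a missing CA subsystem surfaces as a NullPointerException inside every constraint's `init` rather than a descriptive error; the Javadoc also lacks `@return`. Either guard it, `if (ca == null) { return null; }` with the subclasses handling null, or document the precondition: `@return the CA signing certificate; requires the CA subsystem to be loaded`. What `getSubsystem` returns when the subsystem is absent is not visible here.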
@@ -0,0 +1,139 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.io.IOException; +import java.util.Date; +import java.util.Locale; + +import netscape.security.x509.CertificateValidity; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.CAValidityDefault; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.UserValidityDefault; +import com.netscape.cms.profile.def.ValidityDefault; + +/** + * This class implements the validity constraint. + * It checks if the validity in the certificate + * template is within the CA's validity. 
+ * + * @version $Revision$, $Date$ + */ +public class CAValidityConstraint extends CAEnrollConstraint { + + private Date mDefNotBefore = null; + private Date mDefNotAfter = null; + + public CAValidityConstraint() { + super(); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + X509CertImpl caCert = getCACert(); + + mDefNotBefore = caCert.getNotBefore(); + mDefNotAfter = caCert.getNotAfter(); + } + + /** + * Validates the request. The request is not modified + * during the validation. + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + CMS.debug("CAValidityConstraint: validate start"); + CertificateValidity v = null; + + try { + v = (CertificateValidity) info.get(X509CertInfo.VALIDITY); + } catch (Exception e) { + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_VALIDITY_NOT_FOUND")); + } + Date notBefore = null; + + try { + notBefore = (Date) v.get(CertificateValidity.NOT_BEFORE); + } catch (IOException e) { + CMS.debug("CAValidity: not before " + e.toString()); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_INVALID_NOT_BEFORE")); + } + Date notAfter = null; + + try { + notAfter = (Date) v.get(CertificateValidity.NOT_AFTER); + } catch (IOException e) { + CMS.debug("CAValidity: not after " + e.toString()); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_INVALID_NOT_AFTER")); + } + + if (mDefNotBefore != null) { + CMS.debug("ValidtyConstraint: notBefore=" + notBefore + + " defNotBefore=" + mDefNotBefore); + if (notBefore.before(mDefNotBefore)) { + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_INVALID_NOT_BEFORE")); + } + } + CMS.debug("ValidtyConstraint: notAfter=" + notAfter + + " defNotAfter=" + mDefNotAfter); + if (notAfter.after(mDefNotAfter)) { + throw new ERejectException(CMS.getUserMessage( + 
getLocale(request), "CMS_PROFILE_INVALID_NOT_AFTER")); + } + + CMS.debug("CAValidtyConstraint: validate end"); + } + + public String getText(Locale locale) { + String params[] = { + mDefNotBefore.toString(), + mDefNotAfter.toString() + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_CA_VALIDITY_CONSTRAINT_TEXT", + params); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof UserValidityDefault) + return true; + if (def instanceof ValidityDefault) + return true; + if (def instanceof CAValidityDefault) + return true; + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/EnrollConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/EnrollConstraint.java new file mode 100644 index 000000000..40c2153a8 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/EnrollConstraint.java 
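Review bot: The `notAfter` comparison in `validate` is not guarded the way `notBefore` is: `mDefNotBefore` is null-checked before `notBefore.before(...)`, but `notAfter.after(mDefNotAfter)` runs unconditionally, so a null `mDefNotAfter`, or a null date returned by `CertificateValidity`, escapes as a NullPointerException instead of the ERejectException the method is declared to raise. Use `if (mDefNotAfter != null && notAfter.after(mDefNotAfter)) {`, and since `v` is dereferenced right after `info.get(X509CertInfo.VALIDITY)`, treat a null validity object as `CMS_PROFILE_VALIDITY_NOT_FOUND` as well. `getText` calls `toString()` on both fields and fails the same way if it runs before `init`. The debug messages spell the class as `ValidtyConstraint` and `CAValidtyConstraint`.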
@@ -0,0 +1,214 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.Extension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyConstraint; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the generic enrollment constraint. 
+ * + * @version $Revision$, $Date$ + */ +public abstract class EnrollConstraint implements IPolicyConstraint { + public static final String CONFIG_NAME = "name"; + + protected IConfigStore mConfig = null; + protected Vector mConfigNames = new Vector(); + + public EnrollConstraint() { + } + + public Enumeration getConfigNames() { + return mConfigNames.elements(); + } + + public void addConfigName(String name) { + mConfigNames.addElement(name); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + return null; + } + + public Locale getLocale(IRequest request) { + Locale locale = null; + String language = request.getExtDataInString( + EnrollProfile.REQUEST_LOCALE); + if (language != null) { + locale = new Locale(language); + } + return locale; + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (mConfig.getSubStore("params") == null) { + // + } else { + mConfig.getSubStore("params").putString(name, value); + } + } + + public String getConfig(String name) { + try { + if (mConfig == null) + return null; + if (mConfig.getSubStore("params") != null) { + String val = mConfig.getSubStore("params").getString(name); + + return val; + } + } catch (EBaseException e) { + CMS.debug(e.toString()); + } + return ""; + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + mConfig = config; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + /** + * Validates the request. The request is not modified + * during the validation. + * + * @param request enrollment request + * @param info certificate template + * @exception ERejectException request is rejected due + * to violation of constraint + */ + public abstract void validate(IRequest request, X509CertInfo info) + throws ERejectException; + + /** + * Validates the request. 
The request is not modified + * during the validation. + * + * The current implementation of this method calls + * into the subclass's validate(request, info) + * method for validation checking. + * + * @param request request + * @exception ERejectException request is rejected due + * to violation of constraint + */ + public void validate(IRequest request) + throws ERejectException { + String name = getClass().getName(); + + name = name.substring(name.lastIndexOf('.') + 1); + CMS.debug(name + ": validate start"); + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + validate(request, info); + + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + CMS.debug(name + ": validate end"); + } + + public String getText(Locale locale) { + return "Enroll Constraint"; + } + + public String getName(Locale locale) { + try { + return mConfig.getString(CONFIG_NAME); + } catch (EBaseException e) { + return null; + } + } + + protected Extension getExtension(String name, X509CertInfo info) { + CertificateExtensions exts = null; + + try { + exts = (CertificateExtensions) + info.get(X509CertInfo.EXTENSIONS); + } catch (Exception e) { + CMS.debug("EnrollConstraint: getExtension " + e.toString()); + } + if (exts == null) + return null; + Enumeration e = exts.getAttributes(); + + while (e.hasMoreElements()) { + Extension ext = e.nextElement(); + + if (ext.getExtensionId().toString().equals(name)) { + return ext; + } + } + return null; + } + + protected boolean isOptional(String value) { + if (value.equals("") || value.equals("-")) + return true; + else + return false; + } + + protected boolean getBoolean(String value) { + return Boolean.valueOf(value).booleanValue(); + } + + protected int getInt(String value) { + return Integer.valueOf(value).intValue(); + } + + protected boolean getConfigBoolean(String value) { + return getBoolean(getConfig(value)); + } + + protected int getConfigInt(String value) { + return getInt(getConfig(value)); + } + + 
public boolean isApplicable(IPolicyDefault def) { + return true; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/ExtendedKeyUsageExtConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/ExtendedKeyUsageExtConstraint.java new file mode 100644 index 000000000..3c737e8a5 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/ExtendedKeyUsageExtConstraint.java 
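Review bot: `getConfig` returns `""` both for a legitimately empty parameter and when the config-store read throws EBaseException (which is only `CMS.debug`ged), and the subclasses' `isOptional("")` then reads as "skip this check", so a failed or missing parameter read silently disables a constraint instead of rejecting. Logging that exception at a level visible in production and spelling out the contract would help, e.g. `// Returns "" when the parameter is absent or unreadable; callers that gate on isOptional() treat that as "no constraint".` `getConfigInt` also feeds that `""` to `Integer.valueOf`, so a missing integer parameter surfaces from validate() as an unchecked NumberFormatException rather than an ERejectException; guarding with `if (isOptional(value))` before parsing, or rethrowing as a profile error, would keep failures on the expected path. `getLocale` returns null when the request carries no locale, which is presumably acceptable to `CMS.getUserMessage` but is worth confirming and noting in its Javadoc.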
@@ -0,0 +1,156 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.util.Enumeration; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.security.extensions.ExtendedKeyUsageExtension; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.UserExtensionDefault; + +/** + * This class implements the extended key usage extension constraint. + * It checks if the extended key usage extension in the certificate + * template satisfies the criteria. 
+ * + * @version $Revision$, $Date$ + */ +public class ExtendedKeyUsageExtConstraint extends EnrollConstraint { + + public static final String CONFIG_CRITICAL = "exKeyUsageCritical"; + public static final String CONFIG_OIDS = + "exKeyUsageOIDs"; + + public ExtendedKeyUsageExtConstraint() { + super(); + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_OIDS); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_OIDS)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_OIDS")); + } + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + ExtendedKeyUsageExtension ext = (ExtendedKeyUsageExtension) + getExtension(ExtendedKeyUsageExtension.OID, info); + + if (ext == null) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", + ExtendedKeyUsageExtension.OID)); + } + + // check criticality + String value = getConfig(CONFIG_CRITICAL); + + if (!isOptional(value)) { + boolean critical = getBoolean(value); + + if (critical != ext.isCritical()) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_CRITICAL_NOT_MATCHED")); + } + } + + // Build local cache of configured OIDs + Vector mCache = new Vector(); + StringTokenizer st = new StringTokenizer(getConfig(CONFIG_OIDS), ","); + + while (st.hasMoreTokens()) { + String oid = st.nextToken(); + + mCache.addElement(oid); + } + + // check OIDs + Enumeration e = ext.getOIDs(); + + while 
(e.hasMoreElements()) { + ObjectIdentifier oid = e.nextElement(); + + if (!mCache.contains(oid.toString())) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_OID_NOT_MATCHED", + oid.toString())); + } + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_OIDS) + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_EXTENDED_KEY_EXT_TEXT", + params); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof ExtendedKeyUsageExtDefault) + return true; + if (def instanceof UserExtensionDefault) + return true; + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/ExtensionConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/ExtensionConstraint.java new file mode 100644 index 000000000..1562fddb8 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/ExtensionConstraint.java 
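Review bot: The unchecked cast `(ExtendedKeyUsageExtension) getExtension(...)` at the top of validate can surface as a ClassCastException rather than an ERejectException if the template carries the EKU extension as a generic `Extension` — `isApplicable` admits `UserExtensionDefault`, where that looks possible, though I cannot confirm it from this hunk. A type check keeps the failure on the reject path: `Extension raw = getExtension(ExtendedKeyUsageExtension.OID, info); if (!(raw instanceof ExtendedKeyUsageExtension)) throw new ERejectException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_EXTENSION_NOT_FOUND", ExtendedKeyUsageExtension.OID));`. The configured OID list is compared by exact string match without trimming, so a value like `"a, b"` silently rejects every request using the second OID; `mCache.addElement(st.nextToken().trim())` avoids that. The check is an allow-list only — an extension with no OIDs passes — which is fine but deserves a one-line comment on validate.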
@@ -0,0 +1,146 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.util.Locale; + +import netscape.security.x509.Extension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.EnrollExtDefault; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.UserExtensionDefault; + +/** + * This class implements the general extension constraint. + * It checks if the extension in the certificate + * template satisfies the criteria. 
+ * + * @version $Revision$, $Date$ + */ +public class ExtensionConstraint extends EnrollConstraint { + + public static final String CONFIG_CRITICAL = "extCritical"; + public static final String CONFIG_OID = "extOID"; + + public ExtensionConstraint() { + super(); + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_OID); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public void setConfig(String name, String value) + throws EPropertyException { + + if (mConfig.getSubStore("params") == null) { + CMS.debug("ExtensionConstraint: mConfig.getSubStore is null"); + } else { + CMS.debug("ExtensionConstraint: setConfig name=" + name + + " value=" + value); + + if (name.equals(CONFIG_OID)) { + try { + CMS.checkOID("", value); + } catch (Exception e) { + throw new EPropertyException( + CMS.getUserMessage("CMS_PROFILE_PROPERTY_ERROR", value)); + } + } + mConfig.getSubStore("params").putString(name, value); + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_OID)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_OID")); + } + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. 
+ */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + + Extension ext = getExtension(getConfig(CONFIG_OID), info); + + if (ext == null) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", + getConfig(CONFIG_OID))); + } + + // check criticality + String value = getConfig(CONFIG_CRITICAL); + + if (!isOptional(value)) { + boolean critical = getBoolean(value); + + if (critical != ext.isCritical()) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CRITICAL_NOT_MATCHED")); + } + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_OID) + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_EXTENSION_TEXT", params); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof UserExtensionDefault) + return true; + if (def instanceof EnrollExtDefault) + return true; + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java new file mode 100644 index 000000000..e6f5019a0 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java 
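Review bot: `setConfig` validates `extOID` through `CMS.checkOID` but accepts any string for `extCritical`, although the descriptor advertises only `true,false,-`; `getBoolean` maps an unrecognised value (a typo such as `ture`) to `false`, so the constraint would then silently require the extension to be non-critical. Rejecting bad values at configuration time keeps the policy explicit: `if (name.equals(CONFIG_CRITICAL) && !isOptional(value) && !value.equalsIgnoreCase("true") && !value.equalsIgnoreCase("false")) throw new EPropertyException(CMS.getUserMessage("CMS_PROFILE_PROPERTY_ERROR", value));`. The sibling constraints that reuse the `true,false,-` pattern have the same gap. When the `params` substore is missing the new value is dropped with only a debug message, which is presumably inherited behaviour but worth a comment so the silent no-op is not mistaken for a successful write.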
@@ -0,0 +1,644 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.math.BigInteger; +import java.security.interfaces.DSAParams; +import java.util.HashMap; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.provider.DSAPublicKey; +import netscape.security.provider.RSAPublicKey; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.X509CertInfo; +import netscape.security.x509.X509Key; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.UserKeyDefault; + +/** + * This constraint is to check the key type and + * key length. 
+ * + * @version $Revision$, $Date$ + */ +@SuppressWarnings("serial") +public class KeyConstraint extends EnrollConstraint { + + public static final String CONFIG_KEY_TYPE = "keyType"; // (EC, RSA) + public static final String CONFIG_KEY_PARAMETERS = "keyParameters"; + + private static final String[] ecCurves = { + "nistp256", "nistp384", "nistp521", "sect163k1", "nistk163", "sect163r1", "sect163r2", + "nistb163", "sect193r1", "sect193r2", "sect233k1", "nistk233", "sect233r1", "nistb233", "sect239k1", + "sect283k1", "nistk283", + "sect283r1", "nistb283", "sect409k1", "nistk409", "sect409r1", "nistb409", "sect571k1", "nistk571", + "sect571r1", "nistb571", + "secp160k1", "secp160r1", "secp160r2", "secp192k1", "secp192r1", "nistp192", "secp224k1", "secp224r1", + "nistp224", "secp256k1", + "secp256r1", "secp384r1", "secp521r1", "prime192v1", "prime192v2", "prime192v3", "prime239v1", + "prime239v2", "prime239v3", "c2pnb163v1", + "c2pnb163v2", "c2pnb163v3", "c2pnb176v1", "c2tnb191v1", "c2tnb191v2", "c2tnb191v3", "c2pnb208w1", + "c2tnb239v1", "c2tnb239v2", "c2tnb239v3", + "c2pnb272w1", "c2pnb304w1", "c2tnb359w1", "c2pnb368w1", "c2tnb431r1", "secp112r1", "secp112r2", + "secp128r1", "secp128r2", "sect113r1", "sect113r2", + "sect131r1", "sect131r2" + }; + + private final static HashMap> ecOIDs = new HashMap>(); + static { + ecOIDs.put("1.2.840.10045.3.1.7", new Vector() { + { + add("nistp256"); + add("secp256r1"); + } + }); + ecOIDs.put("1.3.132.0.34", new Vector() { + { + add("nistp384"); + add("secp384r1"); + } + }); + ecOIDs.put("1.3.132.0.35", new Vector() { + { + add("nistp521"); + add("secp521r1"); + } + }); + ecOIDs.put("1.3.132.0.1", new Vector() { + { + add("sect163k1"); + add("nistk163"); + } + }); + ecOIDs.put("1.3.132.0.2", new Vector() { + { + add("sect163r1"); + } + }); + ecOIDs.put("1.3.132.0.15", new Vector() { + { + add("sect163r2"); + add("nistb163"); + } + }); + ecOIDs.put("1.3.132.0.24", new Vector() { + { + add("sect193r1"); + } + }); + 
ecOIDs.put("1.3.132.0.25", new Vector() { + { + add("sect193r2"); + } + }); + ecOIDs.put("1.3.132.0.26", new Vector() { + { + add("sect233k1"); + add("nistk233"); + } + }); + ecOIDs.put("1.3.132.0.27", new Vector() { + { + add("sect233r1"); + add("nistb233"); + } + }); + ecOIDs.put("1.3.132.0.3", new Vector() { + { + add("sect239k1"); + } + }); + ecOIDs.put("1.3.132.0.16", new Vector() { + { + add("sect283k1"); + add("nistk283"); + } + }); + ecOIDs.put("1.3.132.0.17", new Vector() { + { + add("sect283r1"); + add("nistb283"); + } + }); + ecOIDs.put("1.3.132.0.36", new Vector() { + { + add("sect409k1"); + add("nistk409"); + } + }); + ecOIDs.put("1.3.132.0.37", new Vector() { + { + add("sect409r1"); + add("nistb409"); + } + }); + ecOIDs.put("1.3.132.0.38", new Vector() { + { + add("sect571k1"); + add("nistk571"); + } + }); + ecOIDs.put("1.3.132.0.39", new Vector() { + { + add("sect571r1"); + add("nistb571"); + } + }); + ecOIDs.put("1.3.132.0.9", new Vector() { + { + add("secp160k1"); + } + }); + ecOIDs.put("1.3.132.0.8", new Vector() { + { + add("secp160r1"); + } + }); + ecOIDs.put("1.3.132.0.30", new Vector() { + { + add("secp160r2"); + } + }); + ecOIDs.put("1.3.132.0.31", new Vector() { + { + add("secp192k1"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.1", new Vector() { + { + add("secp192r1"); + add("nistp192"); + add("prime192v1"); + } + }); + ecOIDs.put("1.3.132.0.32", new Vector() { + { + add("secp224k1"); + } + }); + ecOIDs.put("1.3.132.0.33", new Vector() { + { + add("secp224r1"); + add("nistp224"); + } + }); + ecOIDs.put("1.3.132.0.10", new Vector() { + { + add("secp256k1"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.2", new Vector() { + { + add("prime192v2"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.3", new Vector() { + { + add("prime192v3"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.4", new Vector() { + { + add("prime239v1"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.5", new Vector() { + { + add("prime239v2"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.6", 
new Vector() { + { + add("prime239v3"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.1", new Vector() { + { + add("c2pnb163v1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.2", new Vector() { + { + add("c2pnb163v2"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.3", new Vector() { + { + add("c2pnb163v3"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.4", new Vector() { + { + add("c2pnb176v1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.5", new Vector() { + { + add("c2tnb191v1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.6", new Vector() { + { + add("c2tnb191v2"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.7", new Vector() { + { + add("c2tnb191v3"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.10", new Vector() { + { + add("c2pnb208w1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.11", new Vector() { + { + add("c2tnb239v1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.12", new Vector() { + { + add("c2tnb239v2"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.13", new Vector() { + { + add("c2tnb239v3"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.16", new Vector() { + { + add("c2pnb272w1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.17", new Vector() { + { + add("c2pnb304w1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.19", new Vector() { + { + add("c2pnb368w1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.20", new Vector() { + { + add("c2tnb431r1"); + } + }); + ecOIDs.put("1.3.132.0.6", new Vector() { + { + add("secp112r1"); + } + }); + ecOIDs.put("1.3.132.0.7", new Vector() { + { + add("secp112r2"); + } + }); + ecOIDs.put("1.3.132.0.28", new Vector() { + { + add("secp128r1"); + } + }); + ecOIDs.put("1.3.132.0.29", new Vector() { + { + add("secp128r2"); + } + }); + ecOIDs.put("1.3.132.0.4", new Vector() { + { + add("sect113r1"); + } + }); + ecOIDs.put("1.3.132.0.5", new Vector() { + { + add("sect113r2"); + } + }); + ecOIDs.put("1.3.132.0.22", new Vector() { + { + add("sect131r1"); + } + }); + ecOIDs.put("1.3.132.0.23", new Vector() { + { + add("sect131r2"); + } + }); + } + + private static String[] 
cfgECCurves = null; + private static String keyType = ""; + private static String keyParams = ""; + + public KeyConstraint() { + super(); + addConfigName(CONFIG_KEY_TYPE); + addConfigName(CONFIG_KEY_PARAMETERS); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + + String ecNames = ""; + try { + ecNames = CMS.getConfigStore().getString("keys.ecc.curve.list"); + } catch (Exception e) { + } + + CMS.debug("KeyConstraint.init ecNames: " + ecNames); + if (ecNames != null && ecNames.length() != 0) { + cfgECCurves = ecNames.split(","); + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_KEY_TYPE)) { + return new Descriptor(IDescriptor.CHOICE, "-,RSA,EC", + "RSA", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_TYPE")); + } else if (name.equals(CONFIG_KEY_PARAMETERS)) { + return new Descriptor(IDescriptor.STRING, null, "", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_PARAMETERS")); + } + + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + try { + CertificateX509Key infokey = (CertificateX509Key) + info.get(X509CertInfo.KEY); + X509Key key = (X509Key) infokey.get(CertificateX509Key.KEY); + + String alg = key.getAlgorithmId().getName().toUpperCase(); + String value = getConfig(CONFIG_KEY_TYPE); + String keyType = value; + + if (!isOptional(value)) { + if (!alg.equals(value)) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_KEY_TYPE_NOT_MATCHED", + value)); + } + } + + int keySize = 0; + + if (alg.equals("RSA")) { + keySize = getRSAKeyLen(key); + } else if (alg.equals("DSA")) { + keySize = getDSAKeyLen(key); + } else if (alg.equals("EC")) { + //EC key case. 
+ } else { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_INVALID_KEY_TYPE", + alg)); + } + + value = getConfig(CONFIG_KEY_PARAMETERS); + + String[] keyParams = value.split(","); + + if (alg.equals("EC")) { + if (!alg.equals(keyType) && !isOptional(keyType)) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_KEY_PARAMS_NOT_MATCHED", + value)); + } + + AlgorithmId algid = key.getAlgorithmId(); + + CMS.debug("algId: " + algid); + + //Get raw string representation of alg parameters, will give + //us the curve OID. + + String params = null; + if (algid != null) { + params = algid.getParametersString(); + } + + if (params.startsWith("OID.")) { + params = params.substring(4); + } + + CMS.debug("EC key OID: " + params); + Vector vect = ecOIDs.get(params); + + boolean curveFound = false; + + if (vect != null) { + CMS.debug("vect: " + vect.toString()); + + if (!isOptional(keyType)) { + //Check the curve parameters only if explicit ECC or not optional + for (int i = 0; i < keyParams.length; i++) { + String ecParam = keyParams[i]; + CMS.debug("keyParams[i]: " + i + " param: " + ecParam); + if (vect.contains(ecParam)) { + curveFound = true; + CMS.debug("KeyConstraint.validate: EC key constrainst passed."); + break; + } + } + } else { + curveFound = true; + } + } + + if (!curveFound) { + CMS.debug("KeyConstraint.validate: EC key constrainst failed."); + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_KEY_PARAMS_NOT_MATCHED", + value)); + } + + } else { + if (!arrayContainsString(keyParams, Integer.toString(keySize))) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_KEY_PARAMS_NOT_MATCHED", + value)); + } + CMS.debug("KeyConstraint.validate: RSA key contraints passed."); + } + } catch (Exception e) { + if (e instanceof ERejectException) { + throw (ERejectException) e; + } + CMS.debug("KeyConstraint: " + e.toString()); 
+ throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_KEY_NOT_FOUND")); + } + } + + public int getRSAKeyLen(X509Key key) throws Exception { + X509Key newkey = null; + + try { + newkey = new X509Key(AlgorithmId.get("RSA"), + key.getKey()); + } catch (Exception e) { + CMS.debug("KeyConstraint: getRSAKey Len " + e.toString()); + return -1; + } + RSAPublicKey rsaKey = new RSAPublicKey(newkey.getEncoded()); + + return rsaKey.getKeySize(); + } + + public int getDSAKeyLen(X509Key key) throws Exception { + // Check DSAKey parameters. + // size refers to the p parameter. + DSAPublicKey dsaKey = new DSAPublicKey(key.getEncoded()); + DSAParams keyParams = dsaKey.getParams(); + BigInteger p = keyParams.getP(); + int len = p.bitLength(); + + return len; + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_KEY_TYPE), + getConfig(CONFIG_KEY_PARAMETERS) + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_KEY_TEXT", params); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof UserKeyDefault) + return true; + return false; + } + + public void setConfig(String name, String value) + throws EPropertyException { + + CMS.debug("KeyConstraint.setConfig name: " + name + " value: " + value); + //establish keyType, we don't know which order these params will arrive + if (name.equals(CONFIG_KEY_TYPE)) { + keyType = value; + if (keyParams.equals("")) + return; + } + + //establish keyParams + if (name.equals(CONFIG_KEY_PARAMETERS)) { + CMS.debug("establish keyParams: " + value); + keyParams = value; + + if (keyType.equals("")) + return; + } + // All the params we need for validation have been collected, + // we don't know which order they will show up + if (keyType.length() > 0 && keyParams.length() > 0) { + String[] params = keyParams.split(","); + boolean isECCurve = false; + int keySize = 0; + + for (int i = 0; i < params.length; i++) { + 
if (keyType.equals("EC")) { + if (cfgECCurves == null) { + //Use the static array as a backup if the config values are not present. + isECCurve = arrayContainsString(ecCurves, params[i]); + } else { + isECCurve = arrayContainsString(cfgECCurves, params[i]); + } + if (isECCurve == false) { //Not a valid EC curve throw exception. + keyType = ""; + keyParams = ""; + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", name)); + } + } else { + try { + keySize = Integer.parseInt(params[i]); + } catch (Exception e) { + keySize = 0; + } + if (keySize <= 0) { + keyType = ""; + keyParams = ""; + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", name)); + } + } + } + } + //Actually set the configuration in the profile + super.setConfig(CONFIG_KEY_TYPE, keyType); + super.setConfig(CONFIG_KEY_PARAMETERS, keyParams); + + //Reset the vars for next round. + keyType = ""; + keyParams = ""; + } + + private boolean arrayContainsString(String[] array, String value) { + + if (array == null || value == null) { + return false; + } + + for (int i = 0; i < array.length; i++) { + if (array[i].equals(value)) { + return true; + } + } + + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/KeyUsageExtConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/KeyUsageExtConstraint.java new file mode 100644 index 000000000..927c64ec2 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/KeyUsageExtConstraint.java 
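Review bot: `keyType` and `keyParams` are `static` mutable fields, yet `setConfig` uses them as scratch state that spans two invocations, so two KeyConstraint instances (different profiles, or concurrent admin edits) can pair one caller's `keyType` with another's `keyParameters` and persist the mix through `super.setConfig`; making them instance fields, `private String keyType = ""; private String keyParams = "";`, removes the cross-instance coupling (validate's local `String keyType` already shadows the static, so it is unaffected). Separately, the EC branch of validate sets `curveFound = true` whenever `keyType` is optional (`-`) and the curve OID merely exists in `ecOIDs`, so `keyParameters` is never consulted and small curves such as `secp112r1` or `sect113r1` are accepted; if that is intended, say so in the `CONFIG_KEY_PARAMETERS` descriptor text, otherwise check the configured curves whenever `keyParameters` itself is non-optional. `params` can be null when `algid.getParametersString()` returns null; the resulting NPE lands in the generic catch and becomes `CMS_PROFILE_KEY_NOT_FOUND`, which is fail-closed but hides the cause — a null check with a specific debug message would aid diagnosis. validate also accepts `DSA` keys although the descriptor offers only `-,RSA,EC`; a comment noting that DSA is permitted when keyType is `-` would avoid surprise.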
@@ -0,0 +1,291 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.constraint;
+
+import java.util.Locale;
+
+import netscape.security.x509.KeyUsageExtension;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.ERejectException;
+import com.netscape.certsrv.profile.IPolicyDefault;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.def.KeyUsageExtDefault;
+import com.netscape.cms.profile.def.NoDefault;
+import com.netscape.cms.profile.def.UserExtensionDefault;
+
+/**
+ * This class implements the key usage extension constraint.
+ * It checks if the key usage constraint in the certificate
+ * template satisfies the criteria.
+ *
+ * @version $Revision$, $Date$
+ */
+public class KeyUsageExtConstraint extends EnrollConstraint {
+
+ public static final String CONFIG_CRITICAL = "keyUsageCritical";
+ public static final String CONFIG_DIGITAL_SIGNATURE =
+ "keyUsageDigitalSignature";
+ public static final String CONFIG_NON_REPUDIATION =
+ "keyUsageNonRepudiation";
+ public static final String CONFIG_KEY_ENCIPHERMENT =
+ "keyUsageKeyEncipherment";
+ public static final String CONFIG_DATA_ENCIPHERMENT =
+ "keyUsageDataEncipherment";
+ public static final String CONFIG_KEY_AGREEMENT = "keyUsageKeyAgreement";
+ public static final String CONFIG_KEY_CERTSIGN = "keyUsageKeyCertSign";
+ public static final String CONFIG_CRL_SIGN = "keyUsageCrlSign";
+ public static final String CONFIG_ENCIPHER_ONLY = "keyUsageEncipherOnly";
+ public static final String CONFIG_DECIPHER_ONLY = "keyUsageDecipherOnly";
+
+ public KeyUsageExtConstraint() {
+ super();
+ addConfigName(CONFIG_CRITICAL);
+ addConfigName(CONFIG_DIGITAL_SIGNATURE);
+ addConfigName(CONFIG_NON_REPUDIATION);
+ addConfigName(CONFIG_KEY_ENCIPHERMENT);
+ addConfigName(CONFIG_DATA_ENCIPHERMENT);
+ addConfigName(CONFIG_KEY_AGREEMENT);
+ addConfigName(CONFIG_KEY_CERTSIGN);
+ addConfigName(CONFIG_CRL_SIGN);
+ addConfigName(CONFIG_ENCIPHER_ONLY);
+ addConfigName(CONFIG_DECIPHER_ONLY);
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ super.init(profile, config);
+
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ if (name.equals(CONFIG_CRITICAL)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL"));
+ } else if (name.equals(CONFIG_DIGITAL_SIGNATURE)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_DIGITAL_SIGNATURE"));
+ } else if (name.equals(CONFIG_NON_REPUDIATION)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_NON_REPUDIATION"));
+ } else if (name.equals(CONFIG_KEY_ENCIPHERMENT)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_KEY_ENCIPHERMENT"));
+ } else if (name.equals(CONFIG_DATA_ENCIPHERMENT)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_DATA_ENCIPHERMENT"));
+ } else if (name.equals(CONFIG_KEY_AGREEMENT)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_KEY_AGREEMENT"));
+ } else if (name.equals(CONFIG_KEY_CERTSIGN)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_KEY_CERTSIGN"));
+ } else if (name.equals(CONFIG_CRL_SIGN)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_CRL_SIGN"));
+ } else if (name.equals(CONFIG_ENCIPHER_ONLY)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_ENCIPHER_ONLY"));
+ } else if (name.equals(CONFIG_DECIPHER_ONLY)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_DECIPHER_ONLY"));
+ }
+ return null;
+ }
+
+ public boolean isSet(boolean bits[], int position) {
+ if (bits.length <= position)
+ return false;
+ return bits[position];
+ }
+
+ /**
+ * Validates the request. The request is not modified
+ * during the validation.
+ */
+ public void validate(IRequest request, X509CertInfo info)
+ throws ERejectException {
+ KeyUsageExtension ext = (KeyUsageExtension)
+ getExtension(PKIXExtensions.KeyUsage_Id.toString(), info);
+
+ if (ext == null) {
+ throw new ERejectException(
+ CMS.getUserMessage(
+ getLocale(request),
+ "CMS_PROFILE_EXTENSION_NOT_FOUND",
+ PKIXExtensions.KeyUsage_Id.toString()));
+ }
+
+ boolean[] bits = ext.getBits();
+ String value = getConfig(CONFIG_CRITICAL);
+
+ if (!isOptional(value)) {
+ boolean critical = getBoolean(value);
+
+ if (critical != ext.isCritical()) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_CRITICAL_NOT_MATCHED"));
+ }
+ }
+ value = getConfig(CONFIG_DIGITAL_SIGNATURE);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != isSet(bits, 0)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_DIGITAL_SIGNATURE_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_NON_REPUDIATION);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != isSet(bits, 1)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_NON_REPUDIATION_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_KEY_ENCIPHERMENT);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != isSet(bits, 2)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_KEY_ENCIPHERMENT_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_DATA_ENCIPHERMENT);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != isSet(bits, 3)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_DATA_ENCIPHERMENT_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_KEY_AGREEMENT);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != isSet(bits, 4)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_KEY_AGREEMENT_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_KEY_CERTSIGN);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != isSet(bits, 5)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_KEY_CERTSIGN_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_CRL_SIGN);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != isSet(bits, 6)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_CRL_SIGN_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_ENCIPHER_ONLY);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != isSet(bits, 7)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_ENCIPHER_ONLY_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_DECIPHER_ONLY);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != isSet(bits, 8)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_DECIPHER_ONLY_NOT_MATCHED",
+ value));
+ }
+ }
+ }
+
+ public String getText(Locale locale) {
+ String params[] = {
+ getConfig(CONFIG_CRITICAL),
+ getConfig(CONFIG_DIGITAL_SIGNATURE),
+ getConfig(CONFIG_NON_REPUDIATION),
+ getConfig(CONFIG_KEY_ENCIPHERMENT),
+ getConfig(CONFIG_DATA_ENCIPHERMENT),
+ getConfig(CONFIG_KEY_AGREEMENT),
+ getConfig(CONFIG_KEY_CERTSIGN),
+ getConfig(CONFIG_CRL_SIGN),
+ getConfig(CONFIG_ENCIPHER_ONLY),
+ getConfig(CONFIG_DECIPHER_ONLY)
+ };
+
+ return CMS.getUserMessage(locale,
+ "CMS_PROFILE_CONSTRAINT_KEY_USAGE_EXT_TEXT", params);
+ }
+
+ public boolean isApplicable(IPolicyDefault def) {
+ if (def instanceof NoDefault)
+ return true;
+ if (def instanceof KeyUsageExtDefault)
+ return true;
+ if (def instanceof UserExtensionDefault)
+ return true;
+ return false;
+ }
+}
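Review bot: Every key-usage bit whose config is left at the descriptor default `-` is skipped by the `isOptional(value)` test in validate, so a profile that pairs this constraint with UserExtensionDefault (accepted by isApplicable) lets the requester assert keyCertSign or cRLSign unless the administrator has explicitly set `keyUsageKeyCertSign=false` and `keyUsageCrlSign=false`. That reading assumes isOptional treats `-` as "don't care", which is defined in EnrollConstraint outside this hunk. I would state it on the class Javadoc: `Bits configured as "-" are not checked at all; to deny a usage set it to "false" explicitly. This matters when the extension is supplied by the requester via UserExtensionDefault.` The nine copy-pasted bit checks could also be driven from a table of {config name, bit index, message key}, which makes it harder for one entry to drift from the others.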
diff --git a/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java
new file mode 100644
index 000000000..843360542
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java
@@ -0,0 +1,243 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.constraint;
+
+import java.util.Locale;
+
+import netscape.security.extensions.NSCertTypeExtension;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.ERejectException;
+import com.netscape.certsrv.profile.IPolicyDefault;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.def.NSCertTypeExtDefault;
+import com.netscape.cms.profile.def.NoDefault;
+import com.netscape.cms.profile.def.UserExtensionDefault;
+
+/**
+ * This class implements the Netscape certificate type extension constraint.
+ * It checks if the Netscape certificate type extension in the certificate
+ * template satisfies the criteria.
+ *
+ * @version $Revision$, $Date$
+ */
+public class NSCertTypeExtConstraint extends EnrollConstraint {
+
+ public static final String CONFIG_CRITICAL = "nsCertCritical";
+ public static final String CONFIG_SSL_CLIENT = "nsCertSSLClient";
+ public static final String CONFIG_SSL_SERVER = "nsCertSSLServer";
+ public static final String CONFIG_EMAIL = "nsCertEmail";
+ public static final String CONFIG_OBJECT_SIGNING = "nsCertObjectSigning";
+ public static final String CONFIG_SSL_CA = "nsCertSSLCA";
+ public static final String CONFIG_EMAIL_CA = "nsCertEmailCA";
+ public static final String CONFIG_OBJECT_SIGNING_CA = "nsCertObjectSigningCA";
+
+ public NSCertTypeExtConstraint() {
+ super();
+ addConfigName(CONFIG_CRITICAL);
+ addConfigName(CONFIG_SSL_CLIENT);
+ addConfigName(CONFIG_SSL_SERVER);
+ addConfigName(CONFIG_EMAIL);
+ addConfigName(CONFIG_OBJECT_SIGNING);
+ addConfigName(CONFIG_SSL_CA);
+ addConfigName(CONFIG_EMAIL_CA);
+ addConfigName(CONFIG_OBJECT_SIGNING_CA);
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ super.init(profile, config);
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ if (name.equals(CONFIG_CRITICAL)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL"));
+ } else if (name.equals(CONFIG_SSL_CLIENT)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CLIENT"));
+ } else if (name.equals(CONFIG_SSL_SERVER)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_SSL_SERVER"));
+ } else if (name.equals(CONFIG_EMAIL)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL"));
+ } else if (name.equals(CONFIG_OBJECT_SIGNING)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_OBJECT_SIGNING"));
+ } else if (name.equals(CONFIG_SSL_CA)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CA"));
+ } else if (name.equals(CONFIG_EMAIL_CA)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL_CA"));
+ } else if (name.equals(CONFIG_OBJECT_SIGNING_CA)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale,
+ "CMS_PROFILE_OBJECT_SIGNING_CA"));
+ }
+ return null;
+ }
+
+ /**
+ * Validates the request. The request is not modified
+ * during the validation.
+ */
+ public void validate(IRequest request, X509CertInfo info)
+ throws ERejectException {
+ NSCertTypeExtension ext = (NSCertTypeExtension)
+ getExtension(NSCertTypeExtension.CertType_Id.toString(), info);
+
+ if (ext == null) {
+ throw new ERejectException(
+ CMS.getUserMessage(
+ getLocale(request),
+ "CMS_PROFILE_EXTENSION_NOT_FOUND",
+ NSCertTypeExtension.CertType_Id.toString()));
+ }
+
+ String value = getConfig(CONFIG_CRITICAL);
+
+ if (!isOptional(value)) {
+ boolean critical = getBoolean(value);
+
+ if (critical != ext.isCritical()) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_CRITICAL_NOT_MATCHED"));
+ }
+ }
+ value = getConfig(CONFIG_SSL_CLIENT);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != ext.isSet(0)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_SSL_CLIENT_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_SSL_SERVER);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != ext.isSet(1)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_SSL_SERVER_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_EMAIL);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != ext.isSet(2)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_EMAIL_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_OBJECT_SIGNING);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != ext.isSet(3)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_OBJECT_SIGNING_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_SSL_CA);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != ext.isSet(4)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_SSL_CA_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_EMAIL_CA);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != ext.isSet(5)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_EMAIL_CA_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_OBJECT_SIGNING_CA);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != ext.isSet(6)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_OBJECT_SIGNING_CA_NOT_MATCHED",
+ value));
+ }
+ }
+ }
+
+ public String getText(Locale locale) {
+ String params[] = {
+ getConfig(CONFIG_CRITICAL),
+ getConfig(CONFIG_SSL_CLIENT),
+ getConfig(CONFIG_SSL_SERVER),
+ getConfig(CONFIG_EMAIL),
+ getConfig(CONFIG_OBJECT_SIGNING),
+ getConfig(CONFIG_SSL_CA),
+ getConfig(CONFIG_EMAIL_CA),
+ getConfig(CONFIG_OBJECT_SIGNING_CA)
+ };
+
+ return CMS.getUserMessage(locale,
+ "CMS_PROFILE_CONSTRAINT_NS_CERT_EXT_TEXT", params);
+ }
+
+ public boolean isApplicable(IPolicyDefault def) {
+ if (def instanceof NoDefault)
+ return true;
+ if (def instanceof NSCertTypeExtDefault)
+ return true;
+ if (def instanceof UserExtensionDefault)
+ return true;
+ return false;
+ }
+}
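Review bot: The bit tests in validate call `ext.isSet(n)` straight on the extension, whereas the sibling KeyUsageExtConstraint in this same commit guards `bits.length` before indexing; if NSCertTypeExtension.isSet does not bounds-check a short bit string (its implementation is not visible here), an extension supplied by the requester through UserExtensionDefault would surface as an unchecked exception rather than an ERejectException. The same "-" semantics apply as for key usage: nsCertSSLCA, nsCertEmailCA and nsCertObjectSigningCA are not enforced at all while left at the descriptor default, which presumably means isOptional is true for them. I would add to the class Javadoc: `Bits left at "-" are not enforced; end-entity profiles should set the three *CA bits to "false" explicitly.`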
diff --git a/base/common/src/com/netscape/cms/profile/constraint/NoConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/NoConstraint.java
new file mode 100644
index 000000000..459e9f219
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/constraint/NoConstraint.java
@@ -0,0 +1,101 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.constraint;
+
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.Vector;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.ERejectException;
+import com.netscape.certsrv.profile.IPolicyConstraint;
+import com.netscape.certsrv.profile.IPolicyDefault;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements no constraint.
+ *
+ * @version $Revision$, $Date$
+ */
+public class NoConstraint implements IPolicyConstraint {
+
+ public static final String CONFIG_NAME = "name";
+
+ private IConfigStore mConfig = null;
+ private Vector mNames = new Vector();
+
+ public Enumeration getConfigNames() {
+ return mNames.elements();
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ return null;
+ }
+
+ public void setConfig(String name, String value)
+ throws EPropertyException {
+ }
+
+ public String getConfig(String name) {
+ return null;
+ }
+
+ public String getDefaultConfig(String name) {
+ return null;
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ mConfig = config;
+ }
+
+ public IConfigStore getConfigStore() {
+ return mConfig;
+ }
+
+ /**
+ * Validates the request. The request is not modified
+ * during the validation.
+ */
+ public void validate(IRequest request)
+ throws ERejectException {
+ }
+
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale,
+ "CMS_PROFILE_CONSTRAINT_NO_CONSTRAINT_TEXT");
+ }
+
+ public String getName(Locale locale) {
+ try {
+ return mConfig.getString(CONFIG_NAME);
+ } catch (EBaseException e) {
+ return null;
+ }
+ }
+
+ public boolean isApplicable(IPolicyDefault def) {
+ return true;
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
new file mode 100644
index 000000000..fb01d7d14
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
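Review bot: isApplicable returns true for every default and validate is an empty method, so pairing NoConstraint with a requester-controlled default (UserExtensionDefault, UserSubjectNameDefault or UserKeyDefault, all referenced by sibling constraints in this commit) puts the requester's input into the certificate with no check at all, and nothing in the class says so. I would expand the one-line Javadoc to: `Accepts every request unconditionally. Intended for defaults whose value is fixed by the profile; combined with a User*Default the requester's value is issued unchecked.` Two smaller points: `mNames` is a raw `Vector` that nothing ever populates, and getName swallows the EBaseException and returns null without a debug line, which hides a broken profile config.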
@@ -0,0 +1,165 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.math.BigInteger; +import java.util.Date; +import java.util.Locale; + +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.NoDefault; + +/** + * This class supports renewal grace period, which has two + * parameters: graceBefore and graceAfter + * + * @author Christina Fu + * @version $Revision$, $Date$ + */ +public class RenewGracePeriodConstraint extends EnrollConstraint { + + // for renewal: # of days before the orig cert expiration date + public static final String CONFIG_RENEW_GRACE_BEFORE = "renewal.graceBefore"; + // for renewal: # of days after the orig cert expiration 
date + public static final String CONFIG_RENEW_GRACE_AFTER = "renewal.graceAfter"; + + public RenewGracePeriodConstraint() { + super(); + addConfigName(CONFIG_RENEW_GRACE_BEFORE); + addConfigName(CONFIG_RENEW_GRACE_AFTER); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (name.equals(CONFIG_RENEW_GRACE_BEFORE) || + name.equals(CONFIG_RENEW_GRACE_AFTER)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_RENEW_GRACE_BEFORE + " or " + CONFIG_RENEW_GRACE_AFTER)); + } + } + super.setConfig(name, value); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_RENEW_GRACE_BEFORE)) { + return new Descriptor(IDescriptor.INTEGER, null, "30", + CMS.getUserMessage(locale, "CMS_PROFILE_RENEW_GRACE_BEFORE")); + } else if (name.equals(CONFIG_RENEW_GRACE_AFTER)) { + return new Descriptor(IDescriptor.INTEGER, null, "30", + CMS.getUserMessage(locale, "CMS_PROFILE_RENEW_GRACE_AFTER")); + } + return null; + } + + public void validate(IRequest req, X509CertInfo info) + throws ERejectException { + String origExpDate_s = req.getExtDataInString("origNotAfter"); + // probably not for renewal + if (origExpDate_s == null) { + return; + } else { + CMS.debug("validate RenewGracePeriod: original cert expiration date found... 
renewing"); + } + CMS.debug("ValidilityConstraint: validateRenewGraceperiod begins"); + BigInteger origExpDate_BI = new BigInteger(origExpDate_s); + Date origExpDate = new Date(origExpDate_BI.longValue()); + String renew_grace_before_s = getConfig(CONFIG_RENEW_GRACE_BEFORE); + String renew_grace_after_s = getConfig(CONFIG_RENEW_GRACE_AFTER); + int renew_grace_before = 0; + int renew_grace_after = 0; + BigInteger renew_grace_before_BI = new BigInteger(renew_grace_before_s); + BigInteger renew_grace_after_BI = new BigInteger(renew_grace_after_s); + + // -1 means no limit + if (renew_grace_before_s == "") + renew_grace_before = -1; + else + renew_grace_before = Integer.parseInt(renew_grace_before_s); + + if (renew_grace_after_s == "") + renew_grace_after = -1; + else + renew_grace_after = Integer.parseInt(renew_grace_after_s); + + if (renew_grace_before > 0) + renew_grace_before_BI = renew_grace_before_BI.multiply(BigInteger.valueOf(1000 * 86400)); + if (renew_grace_after > 0) + renew_grace_after_BI = renew_grace_after_BI.multiply(BigInteger.valueOf(1000 * 86400)); + + Date current = CMS.getCurrentDate(); + long millisDiff = origExpDate.getTime() - current.getTime(); + CMS.debug("validateRenewGracePeriod: millisDiff=" + + millisDiff + " origExpDate=" + origExpDate.getTime() + " current=" + current.getTime()); + + /* + * "days", if positive, has to be less than renew_grace_before + * "days", if negative, means already past expiration date, + * (abs value) has to be less than renew_grace_after + * if renew_grace_before or renew_grace_after are negative + * the one with negative value is ignored + */ + if (millisDiff >= 0) { + if ((renew_grace_before > 0) && (millisDiff > renew_grace_before_BI.longValue())) { + throw new ERejectException(CMS.getUserMessage(getLocale(req), + "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", + renew_grace_before + " days before and " + + renew_grace_after + " days after original cert expiration date")); + } + } else { + if ((renew_grace_after > 0) 
&& ((0 - millisDiff) > renew_grace_after_BI.longValue())) { + throw new ERejectException(CMS.getUserMessage(getLocale(req), + "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", + renew_grace_before + " days before and " + + renew_grace_after + " days after original cert expiration date")); + } + } + } + + public String getText(Locale locale) { + String renew_grace_before_s = getConfig(CONFIG_RENEW_GRACE_BEFORE); + String renew_grace_after_s = getConfig(CONFIG_RENEW_GRACE_AFTER); + return CMS.getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT", + renew_grace_before_s + " days before and " + + renew_grace_after_s + " days after original cert expiration date"); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/SigningAlgConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/SigningAlgConstraint.java new file mode 100644 index 000000000..4dbe329b3 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/SigningAlgConstraint.java 
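Review bot: validate constructs `new BigInteger(renew_grace_before_s)` and `new BigInteger(renew_grace_after_s)` before the empty-string test, so an unset or empty graceBefore/graceAfter, which the comment says should mean "no limit", escapes as a NumberFormatException (or a NullPointerException if getConfig returns null) instead of being treated as unlimited. The test itself is `renew_grace_before_s == ""`, a reference comparison that only matches an interned literal, so even a genuinely empty config string is not recognised. The comment also says -1 means no limit while the code skips any value <= 0. I would parse only after checking for null/empty and derive the BigInteger from the parsed int; `new BigInteger(origExpDate_s)` for the request's origNotAfter is the same shape, and if that ext-data can ever be malformed (whether it is requester-writable is not visible here) it should be turned into an ERejectException rather than allowed to propagate.
```java
String renew_grace_before_s = getConfig(CONFIG_RENEW_GRACE_BEFORE);
String renew_grace_after_s = getConfig(CONFIG_RENEW_GRACE_AFTER);
// unset/empty (or any value <= 0) means no limit on that side
int renew_grace_before = -1;
int renew_grace_after = -1;
if (renew_grace_before_s != null && !renew_grace_before_s.isEmpty())
    renew_grace_before = Integer.parseInt(renew_grace_before_s);
if (renew_grace_after_s != null && !renew_grace_after_s.isEmpty())
    renew_grace_after = Integer.parseInt(renew_grace_after_s);
BigInteger renew_grace_before_BI = BigInteger.valueOf(renew_grace_before);
BigInteger renew_grace_after_BI = BigInteger.valueOf(renew_grace_after);
// … unchanged: scale to milliseconds and compare against millisDiff …
```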
@@ -0,0 +1,160 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CertificateAlgorithmId; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.SigningAlgDefault; +import com.netscape.cms.profile.def.UserSigningAlgDefault; + +/** + * This class implements the signing algorithm constraint. + * It checks if the signing algorithm in the certificate + * template satisfies the criteria. 
+ * + * @version $Revision$, $Date$ + */ +public class SigningAlgConstraint extends EnrollConstraint { + + public static final String CONFIG_ALGORITHMS_ALLOWED = "signingAlgsAllowed"; + + private static StringBuffer sb = new StringBuffer(""); + static { + for (int i = 0; i < AlgorithmId.ALL_SIGNING_ALGORITHMS.length; i++) { + if (i > 0) { + sb.append(","); + } + sb.append(AlgorithmId.ALL_SIGNING_ALGORITHMS[i]); + } + } + public static final String DEF_CONFIG_ALGORITHMS = new String(sb); + + public SigningAlgConstraint() { + super(); + addConfigName(CONFIG_ALGORITHMS_ALLOWED); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public void setConfig(String name, String value) + throws EPropertyException { + + if (mConfig.getSubStore("params") == null) { + CMS.debug("SigningAlgConstraint: mConfig.getSubStore is null"); + } else { + CMS.debug("SigningAlgConstraint: setConfig name=" + name + + " value=" + value); + + if (name.equals(CONFIG_ALGORITHMS_ALLOWED)) { + StringTokenizer st = new StringTokenizer(value, ","); + while (st.hasMoreTokens()) { + String v = st.nextToken(); + if (DEF_CONFIG_ALGORITHMS.indexOf(v) == -1) { + throw new EPropertyException( + CMS.getUserMessage("CMS_PROFILE_PROPERTY_ERROR", v)); + } + } + } + mConfig.getSubStore("params").putString(name, value); + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_ALGORITHMS_ALLOWED)) { + return new Descriptor(IDescriptor.STRING, null, + DEF_CONFIG_ALGORITHMS, + CMS.getUserMessage(locale, + "CMS_PROFILE_SIGNING_ALGORITHMS_ALLOWED")); + } + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. 
+ */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + CertificateAlgorithmId algId = null; + + try { + algId = (CertificateAlgorithmId) info.get(X509CertInfo.ALGORITHM_ID); + AlgorithmId id = (AlgorithmId) + algId.get(CertificateAlgorithmId.ALGORITHM); + + Vector mCache = new Vector(); + StringTokenizer st = new StringTokenizer( + getConfig(CONFIG_ALGORITHMS_ALLOWED), ","); + + while (st.hasMoreTokens()) { + String token = st.nextToken(); + + mCache.addElement(token); + } + + if (!mCache.contains(id.toString())) { + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_SIGNING_ALGORITHM_NOT_MATCHED", id.toString())); + } + } catch (Exception e) { + if (e instanceof ERejectException) { + throw (ERejectException) e; + } + CMS.debug("SigningAlgConstraint: " + e.toString()); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_SIGNING_ALGORITHM_NOT_FOUND")); + } + + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT", + getConfig(CONFIG_ALGORITHMS_ALLOWED)); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof UserSigningAlgDefault) + return true; + if (def instanceof SigningAlgDefault) + return true; + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java new file mode 100644 index 000000000..477e99b98 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java 
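Review bot: setConfig checks each allowed algorithm with `DEF_CONFIG_ALGORITHMS.indexOf(v) == -1`, which is a substring test, so a token such as `SHA` or `withRSA` is accepted into the profile even though validate later does an exact `mCache.contains(id.toString())` match; the outcome is a profile that rejects every request with CMS_PROFILE_SIGNING_ALGORITHM_NOT_MATCHED instead of a configuration error at save time. An exact membership test fixes it: `if (!Arrays.asList(AlgorithmId.ALL_SIGNING_ALGORITHMS).contains(v))` (needs `java.util.Arrays`). Separately, the default `DEF_CONFIG_ALGORITHMS` is the full `AlgorithmId.ALL_SIGNING_ALGORITHMS` list, so if that array still carries legacy digests (not visible here) a profile created with defaults allows them; shipped profiles should pin an explicit list. Finally, when `mConfig.getSubStore("params")` is null the new value is dropped with only a debug line, unlike the other constraints in this commit, which route through `super.setConfig`.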
@@ -0,0 +1,136 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.SubjectNameDefault; +import com.netscape.cms.profile.def.UserSubjectNameDefault; + +/** + * This class implements the subject name constraint. + * It checks if the subject name in the certificate + * template satisfies the criteria. 
+ * + * @version $Revision$, $Date$ + */ +public class SubjectNameConstraint extends EnrollConstraint { + + public static final String CONFIG_PATTERN = "pattern"; + + public SubjectNameConstraint() { + // configuration names + addConfigName(CONFIG_PATTERN); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_PATTERN)) { + return new Descriptor(IDescriptor.STRING, + null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME_PATTERN")); + } else { + return null; + } + } + + public String getDefaultConfig(String name) { + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + CMS.debug("SubjectNameConstraint: validate start"); + CertificateSubjectName sn = null; + + try { + sn = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); + CMS.debug("SubjectNameConstraint: validate cert subject =" + + sn.toString()); + } catch (Exception e) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + } + X500Name sn500 = null; + + try { + sn500 = (X500Name) sn.get(CertificateSubjectName.DN_NAME); + } catch (IOException e) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + } + if (sn500 == null) { + CMS.debug("SubjectNameConstraint: validate() - sn500 is null"); + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + } else { + CMS.debug("SubjectNameConstraint: validate() - sn500 " + + CertificateSubjectName.DN_NAME + " = " + + sn500.toString()); + } + if (!sn500.toString().matches(getConfig(CONFIG_PATTERN))) { + CMS.debug("SubjectNameConstraint: validate() - sn500 not 
matching pattern " + getConfig(CONFIG_PATTERN)); + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED", + sn500.toString())); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT", + getConfig(CONFIG_PATTERN)); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof SubjectNameDefault) + return true; + if (def instanceof UserSubjectNameDefault) + return true; + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java new file mode 100644 index 000000000..f10130aa6 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java 
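Review bot: `validate` hands `getConfig(CONFIG_PATTERN)` straight to `String.matches`, so an unset pattern (both the descriptor default and `getDefaultConfig` supply `null`) raises a NullPointerException and a malformed one raises a PatternSyntaxException, neither of which is the declared `ERejectException`, and the enrollment fails with an unchecked exception instead of a clean rejection. `ValidityConstraint.setConfig` in this same commit shows the pattern to follow: validate the value when it is set, and in `validate` treat a missing pattern as a rejection, e.g. `if (pattern == null) throw new ERejectException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED", sn500.toString()));` before the `matches` call. Compiling the regex once at configuration time rather than on every request would also avoid re-parsing it per enrollment; the override below needs `EPropertyException` and `java.util.regex` imported.
```java
public void setConfig(String name, String value)
        throws EPropertyException {
    if (name.equals(CONFIG_PATTERN)) {
        try {
            Pattern.compile(value);
        } catch (PatternSyntaxException e) {
            throw new EPropertyException(CMS.getUserMessage(
                    "CMS_INVALID_PROPERTY", name));
        }
    }
    super.setConfig(name, value);
}
```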
@@ -0,0 +1,295 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.util.Enumeration; +import java.util.Locale; + +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; +import netscape.security.x509.X509Key; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.dbs.certdb.ICertRecord; +import com.netscape.certsrv.dbs.certdb.ICertRecordList; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.NoDefault; + +/** + * This constraint is to check for publickey uniqueness. 
+ * The config param "allowSameKeyRenewal" enables the + * situation where if the publickey is not unique, and if + * the subject DN is the same, that is a "renewal". + * + * Another "feature" that is quoted out of this code is the + * "revokeDupKeyCert" option, which enables the revocation + * of certs that bear the same publickey as the enrolling + * request. Since this can potentially be abused, it is taken + * out and preserved in comments to allow future refinement. + * + * @version $Revision$, $Date$ + */ +public class UniqueKeyConstraint extends EnrollConstraint { + /* + public static final String CONFIG_REVOKE_DUPKEY_CERT = + "revokeDupKeyCert"; + boolean mRevokeDupKeyCert = false; + */ + public static final String CONFIG_ALLOW_SAME_KEY_RENEWAL = + "allowSameKeyRenewal"; + boolean mAllowSameKeyRenewal = false; + public ICertificateAuthority mCA = null; + + public UniqueKeyConstraint() { + super(); + /* + addConfigName(CONFIG_REVOKE_DUPKEY_CERT); + */ + addConfigName(CONFIG_ALLOW_SAME_KEY_RENEWAL); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + mCA = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + /* + if (name.equals(CONFIG_REVOKE_DUPKEY_CERT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_REVOKE_DUPKEY_CERT")); + } + */ + if (name.equals(CONFIG_ALLOW_SAME_KEY_RENEWAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_ALLOW_SAME_KEY_RENEWAL")); + } + return null; + } + + public String getDefaultConfig(String name) { + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. 
+ */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + boolean rejected = false; + int size = 0; + ICertRecordList list; + + /* + mRevokeDupKeyCert = + getConfigBoolean(CONFIG_REVOKE_DUPKEY_CERT); + */ + mAllowSameKeyRenewal = getConfigBoolean(CONFIG_ALLOW_SAME_KEY_RENEWAL); + + try { + CertificateX509Key infokey = (CertificateX509Key) + info.get(X509CertInfo.KEY); + X509Key key = (X509Key) + infokey.get(CertificateX509Key.KEY); + + // check for key uniqueness + byte pub[] = key.getEncoded(); + String pub_s = escapeBinaryData(pub); + String filter = "(" + ICertRecord.ATTR_X509CERT_PUBLIC_KEY_DATA + "=" + pub_s + ")"; + list = + (ICertRecordList) + mCA.getCertificateRepository().findCertRecordsInList(filter, null, 10); + size = list.getSize(); + + } catch (Exception e) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_INTERNAL_ERROR", e.toString())); + } + + /* + * It does not matter if the corresponding cert's status + * is valid or not, we don't want a key that was once + * generated before + */ + if (size > 0) { + CMS.debug("UniqueKeyConstraint: found existing cert with duplicate key."); + + /* + The following code revokes the existing certs that have + the same public key as the one submitted for enrollment + request. However, it is not a good idea due to possible + abuse. It is therefore commented out. 
It is still + however still maintained for possible utilization at later + time + + // if configured to revoke duplicated key + // revoke cert + if (mRevokeDupKeyCert) { + try { + Enumeration e = list.getCertRecords(0, size-1); + while (e != null && e.hasMoreElements()) { + ICertRecord rec = (ICertRecord) e.nextElement(); + X509CertImpl cert = rec.getCertificate(); + + // revoke the cert + BigInteger serialNum = cert.getSerialNumber(); + ICAService service = (ICAService) mCA.getCAService(); + + RevokedCertImpl crlEntry = + formCRLEntry(serialNum, RevocationReason.KEY_COMPROMISE); + service.revokeCert(crlEntry); + CMS.debug("UniqueKeyConstraint: certificate with duplicate publickey revoked successfully"); + } + } catch (Exception ex) { + CMS.debug("UniqueKeyConstraint: error in revoke dupkey cert"); + } + } // revoke dupkey cert turned on + */ + + if (mAllowSameKeyRenewal == true) { + X500Name sjname_in_db = null; + X500Name sjname_in_req = null; + + try { + // get subject of request + CertificateSubjectName subName = + (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); + + if (subName != null) { + + sjname_in_req = + (X500Name) subName.get(CertificateSubjectName.DN_NAME); + CMS.debug("UniqueKeyConstraint: cert request subject DN =" + sjname_in_req.toString()); + Enumeration e = list.getCertRecords(0, size - 1); + while (e != null && e.hasMoreElements()) { + ICertRecord rec = e.nextElement(); + X509CertImpl cert = rec.getCertificate(); + String certDN = + cert.getSubjectDN().toString(); + CMS.debug("UniqueKeyConstraint: cert retrieved from ldap has subject DN =" + certDN); + + sjname_in_db = new X500Name(certDN); + + if (sjname_in_db.equals(sjname_in_req) == false) { + rejected = true; + break; + } else { + rejected = false; + } + } // while + } else { //subName is null + rejected = true; + } + } catch (Exception ex1) { + CMS.debug("UniqueKeyConstraint: error in allowSameKeyRenewal: " + ex1.toString()); + rejected = true; + } // try + + } else { + rejected = 
true; + }// allowSameKeyRenewal + } // (size > 0) + + if (rejected == true) { + CMS.debug("UniqueKeyConstraint: rejected"); + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_DUPLICATE_KEY")); + } else { + CMS.debug("UniqueKeyConstraint: approved"); + } + } + + /** + * make a CRL entry from a serial number and revocation reason. + * + * @return a RevokedCertImpl that can be entered in a CRL. + * + * protected RevokedCertImpl formCRLEntry( + * BigInteger serialNo, RevocationReason reason) + * throws EBaseException { + * CRLReasonExtension reasonExt = new CRLReasonExtension(reason); + * CRLExtensions crlentryexts = new CRLExtensions(); + * + * try { + * crlentryexts.set(CRLReasonExtension.NAME, reasonExt); + * } catch (IOException e) { + * CMS.debug("CMSGW_ERR_CRL_REASON "+e.toString()); + * + * // throw new ECMSGWException( + * // CMS.getLogMessage("CMSGW_ERROR_SETTING_CRLREASON")); + * + * } + * RevokedCertImpl crlentry = + * new RevokedCertImpl(serialNo, CMS.getCurrentDate(), + * crlentryexts); + * + * return crlentry; + * } + */ + + public String getText(Locale locale) { + String params[] = { + /* + getConfig(CONFIG_REVOKE_DUPKEY_CERT), + */ + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_ALLOW_SAME_KEY_RENEWAL_TEXT", params); + } + + public static String escapeBinaryData(byte data[]) { + StringBuffer sb = new StringBuffer(); + + for (int i = 0; i < data.length; i++) { + int v = 0xff & data[i]; + sb.append("\\"); + sb.append((v < 16 ? "0" : "")); + sb.append(Integer.toHexString(v)); + } + return sb.toString(); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof UniqueKeyConstraint) + return true; + + return false; + } + +} 
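Review bot: The `allowSameKeyRenewal` branch in `validate` compares only subject DNs, so an existing certificate that has been revoked (the comment above the `size > 0` check even states that status does not matter) still qualifies as a renewal whenever the DN matches, and a key revoked for compromise can be re-certified under the same name. `UniqueSubjectNameConstraint` in this commit already consults `rec.getStatus()` for this kind of decision; the same check belongs inside the `while` loop here, before the DN comparison. Separately, `isApplicable` tests `def instanceof UniqueKeyConstraint` on an `IPolicyDefault`, which looks like a copy-paste slip and cannot be true for any default, so the constraint is only ever applicable with `NoDefault` — presumably unintended.
```java
while (e != null && e.hasMoreElements()) {
    ICertRecord rec = e.nextElement();
    // A revoked certificate's key is never renewable, whatever its DN.
    String status = rec.getStatus();
    if (ICertRecord.STATUS_REVOKED.equals(status)
            || ICertRecord.STATUS_REVOKED_EXPIRED.equals(status)) {
        rejected = true;
        break;
    }
    X509CertImpl cert = rec.getCertificate();
    // … unchanged: subject DN comparison …
}
```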
diff --git a/base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java new file mode 100644 index 000000000..7a985b631 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java 
@@ -0,0 +1,251 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Locale; + +import netscape.security.x509.CRLExtensions; +import netscape.security.x509.CRLReasonExtension; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.Extension; +import netscape.security.x509.KeyUsageExtension; +import netscape.security.x509.RevocationReason; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authority.IAuthority; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.dbs.certdb.ICertRecord; +import com.netscape.certsrv.dbs.certdb.ICertificateRepository; +import com.netscape.certsrv.dbs.certdb.IRevocationInfo; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import 
com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.SubjectNameDefault; +import com.netscape.cms.profile.def.UserSubjectNameDefault; + +/** + * This class implements the unique subject name constraint. + * It checks if the subject name in the certificate is + * unique in the internal database, ie, no two certificates + * have the same subject name. + * + * @version $Revision$, $Date$ + */ +public class UniqueSubjectNameConstraint extends EnrollConstraint { + + public static final String CONFIG_KEY_USAGE_EXTENSION_CHECKING = + "enableKeyUsageExtensionChecking"; + private boolean mKeyUsageExtensionChecking = true; + + public UniqueSubjectNameConstraint() { + addConfigName(CONFIG_KEY_USAGE_EXTENSION_CHECKING); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_KEY_USAGE_EXTENSION_CHECKING)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "true", + CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_KEY_USAGE_EXTENSION_CHECKING")); + } + return null; + } + + public String getDefaultConfig(String name) { + return null; + } + + /** + * Checks if the key extension in the issued certificate + * is the same as the one in the certificate template. 
+ */ + private boolean sameKeyUsageExtension(ICertRecord rec, + X509CertInfo certInfo) { + X509CertImpl impl = rec.getCertificate(); + boolean bits[] = impl.getKeyUsage(); + + CertificateExtensions extensions = null; + + try { + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + } catch (IOException e) { + } catch (java.security.cert.CertificateException e) { + } + KeyUsageExtension ext = null; + + if (extensions == null) { + if (bits != null) + return false; + } else { + try { + ext = (KeyUsageExtension) extensions.get( + KeyUsageExtension.NAME); + } catch (IOException e) { + // extension isn't there. + } + + if (ext == null) { + if (bits != null) + return false; + } else { + boolean[] InfoBits = ext.getBits(); + + if (InfoBits == null) { + if (bits != null) + return false; + } else { + if (bits == null) + return false; + if (InfoBits.length != bits.length) { + return false; + } + for (int i = 0; i < InfoBits.length; i++) { + if (InfoBits[i] != bits[i]) + return false; + } + } + } + } + return true; + } + + /** + * Validates the request. The request is not modified + * during the validation. + * + * Rules are as follows: + * If the subject name is not unique, then the request will be rejected unless: + * 1. the certificate is expired or expired_revoked + * 2. the certificate is revoked and the revocation reason is not "on hold" + * 3. 
the keyUsageExtension bits are different and enableKeyUsageExtensionChecking=true (default) + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + CMS.debug("UniqueSubjectNameConstraint: validate start"); + CertificateSubjectName sn = null; + IAuthority authority = (IAuthority) CMS.getSubsystem("ca"); + + mKeyUsageExtensionChecking = getConfigBoolean(CONFIG_KEY_USAGE_EXTENSION_CHECKING); + ICertificateRepository certdb = null; + if (authority != null && authority instanceof ICertificateAuthority) { + ICertificateAuthority ca = (ICertificateAuthority) authority; + certdb = ca.getCertificateRepository(); + } + + try { + sn = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); + } catch (Exception e) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + } + + String certsubjectname = null; + if (sn == null) + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + else { + certsubjectname = sn.toString(); + String filter = "x509Cert.subject=" + certsubjectname; + Enumeration sameSubjRecords = null; + try { + sameSubjRecords = certdb.findCertRecords(filter); + } catch (EBaseException e) { + CMS.debug("UniqueSubjectNameConstraint exception: " + e.toString()); + } + while (sameSubjRecords != null && sameSubjRecords.hasMoreElements()) { + ICertRecord rec = sameSubjRecords.nextElement(); + String status = rec.getStatus(); + + IRevocationInfo revocationInfo = rec.getRevocationInfo(); + RevocationReason reason = null; + + if (revocationInfo != null) { + CRLExtensions crlExts = revocationInfo.getCRLEntryExtensions(); + + if (crlExts != null) { + Enumeration enumx = crlExts.getElements(); + + while (enumx.hasMoreElements()) { + Extension ext = enumx.nextElement(); + + if (ext instanceof CRLReasonExtension) { + reason = ((CRLReasonExtension) ext).getReason(); + } + } + } + } + + if 
(status.equals(ICertRecord.STATUS_EXPIRED) || status.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { + continue; + } + + if (status.equals(ICertRecord.STATUS_REVOKED) && reason != null && + (!reason.equals(RevocationReason.CERTIFICATE_HOLD))) { + continue; + } + + if (mKeyUsageExtensionChecking && !sameKeyUsageExtension(rec, info)) { + continue; + } + + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_UNIQUE", + certsubjectname)); + } + } + CMS.debug("UniqueSubjectNameConstraint: validate end"); + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_KEY_USAGE_EXTENSION_CHECKING) + }; + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT", + params); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof SubjectNameDefault) + return true; + if (def instanceof UserSubjectNameDefault) + return true; + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java new file mode 100644 index 000000000..98a7b4f96 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java 
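Review bot: `validate` builds the lookup filter by concatenating the request's subject name, `"x509Cert.subject=" + certsubjectname`, with no escaping, whereas the key lookup in `UniqueKeyConstraint` hex-escapes its value; a subject containing filter metacharacters (`*`, `(`, `)`, `\`) therefore changes the query. Worse, the `catch (EBaseException e)` only logs and leaves `sameSubjRecords` null, so a subject that makes the filter unparsable skips the loop entirely and the uniqueness check passes — the constraint fails open on exactly the malformed input — and a null `certdb` (non-CA authority) surfaces as an unchecked NullPointerException rather than a rejection. Escape the value the way `UniqueKeyConstraint.escapeBinaryData` does (assuming the filter translation accepts the `\xx` form for string attributes as it evidently does for the key attribute) and turn a failed or impossible lookup into an `ERejectException` with `CMS_PROFILE_INTERNAL_ERROR`, as `UniqueKeyConstraint.validate` already does.
```java
certsubjectname = sn.toString();
// Escape the request-derived value before it is placed in the filter.
String filter = "x509Cert.subject="
        + UniqueKeyConstraint.escapeBinaryData(
                certsubjectname.getBytes(Charset.forName("UTF-8")));
if (certdb == null) {
    throw new ERejectException(
            CMS.getUserMessage(getLocale(request),
                    "CMS_PROFILE_INTERNAL_ERROR", "no certificate repository"));
}
Enumeration sameSubjRecords = null;
try {
    sameSubjRecords = certdb.findCertRecords(filter);
} catch (EBaseException e) {
    CMS.debug("UniqueSubjectNameConstraint exception: " + e.toString());
    // A failed lookup must reject, never silently approve.
    throw new ERejectException(
            CMS.getUserMessage(getLocale(request),
                    "CMS_PROFILE_INTERNAL_ERROR", e.toString()));
}
// … unchanged: loop over sameSubjRecords with the status/reason/keyUsage checks …
```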
@@ -0,0 +1,218 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.io.IOException; +import java.util.Date; +import java.util.Locale; + +import netscape.security.x509.CertificateValidity; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.CAValidityDefault; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.UserValidityDefault; +import com.netscape.cms.profile.def.ValidityDefault; + +/** + * This class implements the validity constraint. + * It checks if the validity in the certificate + * template satisfies the criteria. 
+ * + * @version $Revision$, $Date$ + */ +public class ValidityConstraint extends EnrollConstraint { + + public static final String CONFIG_RANGE = "range"; + public static final String CONFIG_NOT_BEFORE_GRACE_PERIOD = "notBeforeGracePeriod"; + public static final String CONFIG_CHECK_NOT_BEFORE = "notBeforeCheck"; + public static final String CONFIG_CHECK_NOT_AFTER = "notAfterCheck"; + public final static long SECS_IN_MS = 1000L; + + private Date mDefNotBefore = null; + private Date mDefNotAfter = null; + + public ValidityConstraint() { + super(); + addConfigName(CONFIG_RANGE); + addConfigName(CONFIG_NOT_BEFORE_GRACE_PERIOD); + addConfigName(CONFIG_CHECK_NOT_BEFORE); + addConfigName(CONFIG_CHECK_NOT_AFTER); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (name.equals(CONFIG_RANGE) || + name.equals(CONFIG_NOT_BEFORE_GRACE_PERIOD)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", name)); + } + } + super.setConfig(name, value); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_RANGE)) { + return new Descriptor(IDescriptor.INTEGER, null, "365", + CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_RANGE")); + } else if (name.equals(CONFIG_NOT_BEFORE_GRACE_PERIOD)) { + return new Descriptor(IDescriptor.INTEGER, null, "0", + CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_NOT_BEFORE_GRACE_PERIOD")); + } else if (name.equals(CONFIG_CHECK_NOT_BEFORE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "false", + CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_CHECK_NOT_BEFORE")); + } else if (name.equals(CONFIG_CHECK_NOT_AFTER)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "false", + CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_CHECK_NOT_AFTER")); + } + 
return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + CertificateValidity v = null; + + try { + v = (CertificateValidity) info.get(X509CertInfo.VALIDITY); + } catch (Exception e) { + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_VALIDITY_NOT_FOUND")); + } + Date notBefore = null; + + try { + notBefore = (Date) v.get(CertificateValidity.NOT_BEFORE); + } catch (IOException e) { + CMS.debug("ValidityConstraint: not before not found"); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_VALIDITY_NOT_FOUND")); + } + Date notAfter = null; + + try { + notAfter = (Date) v.get(CertificateValidity.NOT_AFTER); + } catch (IOException e) { + CMS.debug("ValidityConstraint: not after not found"); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_VALIDITY_NOT_FOUND")); + } + + if (notAfter.getTime() < notBefore.getTime()) { + CMS.debug("ValidityConstraint: notAfter (" + notAfter + ") < notBefore (" + notBefore + ")"); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_NOT_AFTER_BEFORE_NOT_BEFORE")); + } + + long millisDiff = notAfter.getTime() - notBefore.getTime(); + CMS.debug("ValidityConstraint: millisDiff=" + + millisDiff + " notAfter=" + notAfter.getTime() + " notBefore=" + notBefore.getTime()); + long long_days = (millisDiff / 1000) / 86400; + CMS.debug("ValidityConstraint: long_days: " + long_days); + int days = (int) long_days; + CMS.debug("ValidityConstraint: days: " + days); + + if (days > Integer.parseInt(getConfig(CONFIG_RANGE))) { + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_VALIDITY_OUT_OF_RANGE", + Integer.toString(days))); + } + + // 613828 + // The validity field shall specify a notBefore value + // that does not precede the current time and a notAfter 
+ // value that does not precede the value specified in + // notBefore (test can be automated; try entering violating + // time values and check result). + String notBeforeCheckStr = getConfig(CONFIG_CHECK_NOT_BEFORE); + boolean notBeforeCheck; + + if (notBeforeCheckStr == null || notBeforeCheckStr.equals("")) { + notBeforeCheckStr = "false"; + } + notBeforeCheck = Boolean.valueOf(notBeforeCheckStr).booleanValue(); + + String notAfterCheckStr = getConfig(CONFIG_CHECK_NOT_AFTER); + boolean notAfterCheck; + + if (notAfterCheckStr == null || notAfterCheckStr.equals("")) { + notAfterCheckStr = "false"; + } + notAfterCheck = Boolean.valueOf(notAfterCheckStr).booleanValue(); + + String notBeforeGracePeriodStr = getConfig(CONFIG_NOT_BEFORE_GRACE_PERIOD); + if (notBeforeGracePeriodStr == null || notBeforeGracePeriodStr.equals("")) { + notBeforeGracePeriodStr = "0"; + } + long notBeforeGracePeriod = Long.parseLong(notBeforeGracePeriodStr) * SECS_IN_MS; + + Date current = CMS.getCurrentDate(); + if (notBeforeCheck) { + if (notBefore.getTime() > (current.getTime() + notBeforeGracePeriod)) { + CMS.debug("ValidityConstraint: notBefore (" + notBefore + ") > current + " + + "gracePeriod (" + new Date(current.getTime() + notBeforeGracePeriod) + ")"); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_NOT_BEFORE_AFTER_CURRENT")); + } + } + if (notAfterCheck) { + if (notAfter.getTime() < current.getTime()) { + CMS.debug("ValidityConstraint: notAfter (" + notAfter + ") < current + (" + current + ")"); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_NOT_AFTER_BEFORE_CURRENT")); + } + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT", getConfig(CONFIG_RANGE)); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof UserValidityDefault) + return true; + if (def instanceof 
ValidityDefault) + return true; + if (def instanceof CAValidityDefault) + return true; + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java b/base/common/src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java new file mode 100644 index 000000000..4e4f951f7 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java 
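Review bot: The range check in `validate` truncates the lifetime to whole days (`long_days = (millisDiff / 1000) / 86400`) before comparing with `days > range`, so a certificate may exceed the configured maximum by up to 86,399 seconds; comparing in milliseconds keeps an exactly-`range`-day request valid while closing the gap: `if (millisDiff > Integer.parseInt(getConfig(CONFIG_RANGE)) * 86400L * SECS_IN_MS)`. Also, `Integer.parseInt(getConfig(CONFIG_RANGE))` runs unguarded here; if `getConfig` can return null or an empty string for an unset range (the grace-period and check flags further down are explicitly defaulted when empty, which suggests it can), the result is an unchecked NumberFormatException rather than a rejection, so either apply the same empty-default handling or reject the request when the range is missing.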
@@ -0,0 +1,454 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.extensions.AccessDescription; +import netscape.security.extensions.AuthInfoAccessExtension; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.GeneralName; +import netscape.security.x509.GeneralNameInterface; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates Authuority Info Access extension. 
+ * + * @version $Revision$, $Date$ + */ +public class AuthInfoAccessExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "authInfoAccessCritical"; + public static final String CONFIG_NUM_ADS = "authInfoAccessNumADs"; + public static final String CONFIG_AD_ENABLE = "authInfoAccessADEnable_"; + public static final String CONFIG_AD_METHOD = "authInfoAccessADMethod_"; + public static final String CONFIG_AD_LOCATIONTYPE = "authInfoAccessADLocationType_"; + public static final String CONFIG_AD_LOCATION = "authInfoAccessADLocation_"; + + public static final String VAL_CRITICAL = "authInfoAccessCritical"; + public static final String VAL_GENERAL_NAMES = "authInfoAccessGeneralNames"; + + private static final String AD_METHOD = "Method"; + private static final String AD_LOCATION_TYPE = "Location Type"; + private static final String AD_LOCATION = "Location"; + private static final String AD_ENABLE = "Enable"; + + private static final int DEF_NUM_AD = 1; + private static final int MAX_NUM_AD = 100; + + public AuthInfoAccessExtDefault() { + super(); + } + + protected int getNumAds() { + int num = DEF_NUM_AD; + String numAds = getConfig(CONFIG_NUM_ADS); + + if (numAds != null) { + try { + num = Integer.parseInt(numAds); + } catch (NumberFormatException e) { + // ignore + } + } + + if (num > MAX_NUM_AD) { + num = DEF_NUM_AD; + } + + return num; + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + refreshConfigAndValueNames(); + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(CONFIG_NUM_ADS)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_AD || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_ADS)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_ADS)); + } + } + 
super.setConfig(name, value); + } + + public Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void refreshConfigAndValueNames() { + //refesh our config name list + + super.refreshConfigAndValueNames(); + mConfigNames.removeAllElements(); + addValueName(VAL_CRITICAL); + addValueName(VAL_GENERAL_NAMES); + + // register configuration names bases on num ads + addConfigName(CONFIG_CRITICAL); + int num = getNumAds(); + + addConfigName(CONFIG_NUM_ADS); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_AD_METHOD + i); + addConfigName(CONFIG_AD_LOCATIONTYPE + i); + addConfigName(CONFIG_AD_LOCATION + i); + addConfigName(CONFIG_AD_ENABLE + i); + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_AD_METHOD)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_AD_METHOD")); + } else if (name.startsWith(CONFIG_AD_LOCATIONTYPE)) { + return new Descriptor(IDescriptor.CHOICE, + "RFC822Name,DNSName,DirectoryName,EDIPartyName,URIName,IPAddress,OIDName", + "URIName", + CMS.getUserMessage(locale, "CMS_PROFILE_AD_LOCATIONTYPE")); + } else if (name.startsWith(CONFIG_AD_LOCATION)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_AD_LOCATION")); + } else if (name.startsWith(CONFIG_AD_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_AD_ENABLE")); + } else if (name.startsWith(CONFIG_NUM_ADS)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_ADS")); + } + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return 
new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_GENERAL_NAMES)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_GENERAL_NAMES")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + AuthInfoAccessExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + AuthInfoAccessExtension a = new AuthInfoAccessExtension(false); + ObjectIdentifier oid = a.getExtensionId(); + + ext = (AuthInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + + ext = (AuthInfoAccessExtension) + getExtension(oid.toString(), info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_GENERAL_NAMES)) { + + ext = (AuthInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return; + } + boolean critical = ext.isCritical(); + + Vector v = parseRecords(value); + int size = v.size(); + + ext = new AuthInfoAccessExtension(critical); + String method = null; + String locationType = null; + String location = null; + String enable = null; + + for (int i = 0; i < size; i++) { + NameValuePairs nvps = v.elementAt(i); + + for (String name1 : nvps.keySet()) { + + if (name1.equals(AD_METHOD)) { + method = nvps.get(name1); + } else if (name1.equals(AD_LOCATION_TYPE)) { + locationType = nvps.get(name1); + } else if (name1.equals(AD_LOCATION)) { + location = nvps.get(name1); + } else if (name1.equals(AD_ENABLE)) { + enable = nvps.get(name1); + } + } + + if (enable != null && enable.equals("true")) { + GeneralName gn = null; + + if (locationType != null || location 
!= null) { + GeneralNameInterface interface1 = parseGeneralName(locationType + ":" + location); + if (interface1 == null) + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", locationType)); + gn = new GeneralName(interface1); + } + + if (method != null) { + try { + ext.addAccessDescription(new ObjectIdentifier(method), gn); + } catch (NumberFormatException ee) { + CMS.debug("AuthInfoAccessExtDefault: " + ee.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_PROFILE_DEF_AIA_OID", method)); + } + } + } + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(ext.getExtensionId().toString(), ext, info); + } catch (IOException e) { + CMS.debug("AuthInfoAccessExtDefault: " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (EProfileException e) { + CMS.debug("AuthInfoAccessExtDefault: " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + AuthInfoAccessExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + AuthInfoAccessExtension a = new AuthInfoAccessExtension(false); + ObjectIdentifier oid = a.getExtensionId(); + + ext = (AuthInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + CMS.debug("AuthInfoAccessExtDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + if (name.equals(VAL_CRITICAL)) { + + ext = (AuthInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return null; + } + if 
(ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_GENERAL_NAMES)) { + + ext = (AuthInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) + return ""; + + int num = getNumAds(); + + CMS.debug("AuthInfoAccess num=" + num); + Vector recs = new Vector(); + + for (int i = 0; i < num; i++) { + NameValuePairs np = new NameValuePairs(); + AccessDescription des = null; + + if (i < ext.numberOfAccessDescription()) { + des = ext.getAccessDescription(i); + } + if (des == null) { + np.put(AD_METHOD, ""); + np.put(AD_LOCATION_TYPE, ""); + np.put(AD_LOCATION, ""); + np.put(AD_ENABLE, "false"); + } else { + ObjectIdentifier methodOid = des.getMethod(); + GeneralName gn = des.getLocation(); + + np.put(AD_METHOD, methodOid.toString()); + np.put(AD_LOCATION_TYPE, getGeneralNameType(gn)); + np.put(AD_LOCATION, getGeneralNameValue(gn)); + np.put(AD_ENABLE, "true"); + } + recs.addElement(np); + } + + return buildRecords(recs); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + StringBuffer ads = new StringBuffer(); + int num = getNumAds(); + + for (int i = 0; i < num; i++) { + ads.append("Record #"); + ads.append(i); + ads.append("{"); + ads.append(AD_METHOD + ":"); + ads.append(getConfig(CONFIG_AD_METHOD + i)); + ads.append(","); + ads.append(AD_LOCATION_TYPE + ":"); + ads.append(getConfig(CONFIG_AD_LOCATIONTYPE + i)); + ads.append(","); + ads.append(AD_LOCATION + ":"); + ads.append(getConfig(CONFIG_AD_LOCATION + i)); + ads.append(","); + ads.append(AD_ENABLE + ":"); + ads.append(getConfig(CONFIG_AD_ENABLE + i)); + ads.append("}"); + } + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_AIA_TEXT", + getConfig(CONFIG_CRITICAL), ads.toString()); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + AuthInfoAccessExtension ext = createExtension(); + + addExtension(ext.getExtensionId().toString(), ext, info); + } + + public AuthInfoAccessExtension createExtension() { + AuthInfoAccessExtension ext = null; + int num = getNumAds(); + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + ext = new AuthInfoAccessExtension(critical); + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_AD_ENABLE + i); + if (enable != null && enable.equals("true")) { + CMS.debug("AuthInfoAccess: createExtension i=" + i); + String method = getConfig(CONFIG_AD_METHOD + i); + String locationType = getConfig(CONFIG_AD_LOCATIONTYPE + i); + if (locationType == null || locationType.length() == 0) + locationType = "URIName"; + String location = getConfig(CONFIG_AD_LOCATION + i); + + if (location == null || location.equals("")) { + if (method.equals("1.3.6.1.5.5.7.48.1")) { + String hostname = CMS.getEENonSSLHost(); + String port = CMS.getEENonSSLPort(); + if (hostname != null && port != null) + // location = "http://"+hostname+":"+port+"/ocsp/ee/ocsp"; + location = "http://" + hostname + ":" + port + "/ca/ocsp"; + } + } + + String s = locationType + ":" + location; + GeneralNameInterface gn = parseGeneralName(s); + if (gn != null) { + ext.addAccessDescription(new ObjectIdentifier(method), + new GeneralName(gn)); + } + } + } + } catch (Exception e) { + CMS.debug("AuthInfoAccessExtDefault: createExtension " + + e.toString()); + } + + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java b/base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java new file mode 100644 index 000000000..6c0f6e9fc --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java 
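Review bot: In createExtension the per-entry loop sits inside one catch-all `catch (Exception e)`, so a single misconfigured entry (for example a null `method`, which makes `method.equals("1.3.6.1.5.5.7.48.1")` throw NullPointerException) aborts the loop, silently drops every remaining access description, and populate still adds the partially-built extension to the certificate with nothing but a debug line as evidence. Validate each entry before using it, `if (method == null || method.length() == 0) { CMS.debug("AuthInfoAccessExtDefault: createExtension missing method for entry " + i); continue; }`, and narrow the catch so an OID or GeneralName parse failure is reported rather than swallowed. If getConfigBoolean itself throws (its contract is not visible here), `ext` is still null on return and populate then dereferences it in `ext.getExtensionId()`. The bounds also disagree: setConfig rejects `num >= MAX_NUM_AD` while getNumAds only resets `num > MAX_NUM_AD`, so a count of 100 is accepted from an existing config but rejected when set; pick one boundary, and have getNumAds log the NumberFormatException it currently ignores instead of quietly falling back to the default.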
@@ -0,0 +1,152 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Locale;
+
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileAuthenticator;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy that
+ * populates subject name based on the attribute values
+ * in the authentication token (AuthToken) object.
+ *
+ * @version $Revision$, $Date$
+ */
+public class AuthTokenSubjectNameDefault extends EnrollDefault {
+
+ public static final String VAL_NAME = "name";
+
+ public AuthTokenSubjectNameDefault() {
+ super();
+ addValueName(VAL_NAME);
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ super.init(profile, config);
+ }
+
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ if (name.equals(VAL_NAME)) {
+ return new Descriptor(IDescriptor.STRING, null, null,
+ CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME"));
+ } else {
+ return null;
+ }
+ }
+
+ public void setValue(String name, Locale locale,
+ X509CertInfo info, String value)
+ throws EPropertyException {
+ CMS.debug("AuthTokenSubjectNameDefault: begins");
+ if (name == null) {
+ throw new EPropertyException(CMS.getUserMessage(locale,
+ "CMS_INVALID_PROPERTY", name));
+ }
+ if (name.equals(VAL_NAME)) {
+ X500Name x500name = null;
+
+ try {
+ x500name = new X500Name(value);
+ CMS.debug("AuthTokenSubjectNameDefault: setValue x500name=" + x500name.toString());
+ } catch (IOException e) {
+ CMS.debug("AuthTokenSubjectNameDefault: setValue " +
+ e.toString());
+ // failed to build x500 name
+ }
+ CMS.debug("AuthTokenSubjectNameDefault: setValue name=" + x500name.toString());
+ try {
+ info.set(X509CertInfo.SUBJECT,
+ new CertificateSubjectName(x500name));
+ } catch (Exception e) {
+ // failed to insert subject name
+ CMS.debug("AuthTokenSubjectNameDefault: setValue " +
+ e.toString());
+ }
+ } else {
+ throw new EPropertyException(CMS.getUserMessage(locale,
+ "CMS_INVALID_PROPERTY", name));
+ }
+ }
+
+ public String getValue(String name, Locale locale,
+ X509CertInfo info)
+ throws EPropertyException {
+ if (name == null)
+ throw new EPropertyException("Invalid name " + name);
+ if (name.equals(VAL_NAME)) {
+ CertificateSubjectName sn = null;
+
+ try {
+ sn = (CertificateSubjectName)
+ info.get(X509CertInfo.SUBJECT);
+ return sn.toString();
+ } catch (Exception e) {
+ // nothing
+ CMS.debug("AuthTokenSubjectNameDefault: getValue " +
+ e.toString());
+ }
+ throw new EPropertyException(CMS.getUserMessage(locale,
+ "CMS_INVALID_PROPERTY", name));
+ } else {
+ throw new EPropertyException(CMS.getUserMessage(locale,
+ "CMS_INVALID_PROPERTY", name));
+ }
+ }
+
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale,
+ "CMS_PROFILE_DEF_AUTHTOKEN_SUBJECT_NAME");
+ }
+
+ /**
+ * Populates the request with this policy default.
+ */
+ public void populate(IRequest request, X509CertInfo info)
+ throws EProfileException {
+
+ // authenticate the subject name and populate it
+ // to the certinfo
+ try {
+ X500Name name = new X500Name(
+ request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));
+
+ CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.toString());
+ info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(name));
+ } catch (Exception e) {
+ // failed to insert subject name
+ CMS.debug("AuthTokenSubjectNameDefault: " + e.toString());
+ throw new EProfileException(CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND"));
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java b/base/common/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java
new file mode 100644
index 000000000..6ec75990c
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java
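Review bot: In setValue the `catch (IOException e)` around `new X500Name(value)` only logs, and the very next statement `CMS.debug("AuthTokenSubjectNameDefault: setValue name=" + x500name.toString())` dereferences the still-null `x500name`, so a malformed subject name escapes as a NullPointerException instead of the EPropertyException callers handle. Rethrow from that catch, `throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));`, and the second `catch (Exception e)` around `info.set(...)` should do the same rather than leaving the template without the subject it was asked to set. A one-line comment on populate noting that the subject is taken from the authenticator's AUTHENTICATED_NAME rather than from anything the requester submitted would help the next reader understand why this default overrides the request's own subject.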
@@ -0,0 +1,190 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.AuthorityKeyIdentifierExtension; +import netscape.security.x509.KeyIdentifier; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates Authority Key Identifier extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class AuthorityKeyIdentifierExtDefault extends CAEnrollDefault { + + public static final String VAL_CRITICAL = "critical"; + public static final String VAL_KEY_ID = "keyid"; + + public AuthorityKeyIdentifierExtDefault() { + super(); + + addValueName(VAL_CRITICAL); + addValueName(VAL_KEY_ID); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, null, CMS.getUserMessage(locale, + "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_KEY_ID)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, null, CMS.getUserMessage(locale, + "CMS_PROFILE_KEY_ID")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_CRITICAL)) { + // do nothing for read only value + } else if (name.equals(VAL_KEY_ID)) { + // do nothing for read only value + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + AuthorityKeyIdentifierExtension ext = + (AuthorityKeyIdentifierExtension) getExtension( + PKIXExtensions.AuthorityKey_Id.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + CMS.debug("BasicConstraintsExtDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, 
"CMS_INVALID_PROPERTY", name)); + } + + } + if (name.equals(VAL_CRITICAL)) { + ext = + (AuthorityKeyIdentifierExtension) getExtension( + PKIXExtensions.AuthorityKey_Id.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_KEY_ID)) { + ext = + (AuthorityKeyIdentifierExtension) getExtension( + PKIXExtensions.AuthorityKey_Id.toString(), info); + + if (ext == null) { + // do something here + return ""; + } + KeyIdentifier kid = null; + + try { + kid = (KeyIdentifier) + ext.get(AuthorityKeyIdentifierExtension.KEY_ID); + } catch (IOException e) { + // + CMS.debug(e.toString()); + } + if (kid == null) + return ""; + return toHexString(kid.getIdentifier()); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_AKI_EXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + AuthorityKeyIdentifierExtension ext = createExtension(info); + + addExtension(PKIXExtensions.AuthorityKey_Id.toString(), ext, info); + } + + public AuthorityKeyIdentifierExtension createExtension(X509CertInfo info) { + KeyIdentifier kid = null; + String localKey = getConfig("localKey"); + if (localKey != null && localKey.equals("true")) { + kid = getKeyIdentifier(info); + } else { + kid = getCAKeyIdentifier(); + } + + if (kid == null) + return null; + AuthorityKeyIdentifierExtension ext = null; + + try { + ext = new AuthorityKeyIdentifierExtension(false, kid, null, null); + } catch (IOException e) { + CMS.debug("AuthorityKeyIdentifierExtDefault: createExtension " + + e.toString()); + } + return ext; + } +} 
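Review bot: createExtension returns null both when no key identifier is available and when the AuthorityKeyIdentifierExtension constructor throws IOException, and populate passes that null straight into `addExtension(PKIXExtensions.AuthorityKey_Id.toString(), ext, info)`; whether addExtension tolerates a null extension is not visible here, so guard it, `if (ext == null) { CMS.debug("AuthorityKeyIdentifierExtDefault: populate - no key identifier, extension not added"); return; }`, or throw EProfileException if a certificate without AKI should fail the request. The debug line in getValue is mislabelled `"BasicConstraintsExtDefault: getValue "` and should name this class so log triage lands in the right file. The `"localKey"` key read in createExtension is a bare string literal and, unlike the CONFIG_* constants in the sibling defaults, is never registered with addConfigName in this class; a `CONFIG_LOCAL_KEY` constant would make the switch between the CA key identifier and the subject's own key identifier discoverable.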
diff --git a/base/common/src/com/netscape/cms/profile/def/AutoAssignDefault.java b/base/common/src/com/netscape/cms/profile/def/AutoAssignDefault.java
new file mode 100644
index 000000000..043cf029b
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/AutoAssignDefault.java
@@ -0,0 +1,96 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.util.Locale;
+
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that automatically assign request to agent.
+ *
+ * @version $Revision$, $Date$
+ */
+public class AutoAssignDefault extends EnrollDefault {
+
+ public static final String CONFIG_ASSIGN_TO = "assignTo";
+
+ public AutoAssignDefault() {
+ super();
+ addConfigName(CONFIG_ASSIGN_TO);
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ super.init(profile, config);
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ if (name.equals(CONFIG_ASSIGN_TO)) {
+ return new Descriptor(IDescriptor.STRING,
+ null, "admin", CMS.getUserMessage(locale,
+ "CMS_PROFILE_AUTO_ASSIGN"));
+ } else {
+ return null;
+ }
+ }
+
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ return null;
+ }
+
+ public void setValue(String name, Locale locale,
+ X509CertInfo info, String value)
+ throws EPropertyException {
+ }
+
+ public String getValue(String name, Locale locale,
+ X509CertInfo info)
+ throws EPropertyException {
+ return null;
+ }
+
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_AUTO_ASSIGN",
+ getConfig(CONFIG_ASSIGN_TO));
+ }
+
+ /**
+ * Populates the request with this policy default.
+ */
+ public void populate(IRequest request, X509CertInfo info)
+ throws EProfileException {
+ try {
+ request.setRequestOwner(
+ mapPattern(request, getConfig(CONFIG_ASSIGN_TO)));
+ } catch (Exception e) {
+ // failed to insert subject name
+ CMS.debug("AutoAssignDefault: populate " + e.toString());
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/def/BasicConstraintsExtDefault.java b/base/common/src/com/netscape/cms/profile/def/BasicConstraintsExtDefault.java
new file mode 100644
index 000000000..c442bf576
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/BasicConstraintsExtDefault.java
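Review bot: populate swallows every exception from `request.setRequestOwner(mapPattern(request, getConfig(CONFIG_ASSIGN_TO)))` with only a debug line, so a request that should have been routed to the configured agent quietly ends up unassigned and nobody is alerted; since populate already declares `throws EProfileException`, rethrow instead of logging, or at least narrow `catch (Exception e)` to what mapPattern and setRequestOwner actually throw (not visible here). The comment `// failed to insert subject name` is copied from another default and should read `// failed to assign request owner`. Nothing visible here checks that the owner produced by mapPattern refers to an existing agent; a comment on CONFIG_ASSIGN_TO stating whether an unknown owner is accepted, or a check if one is available, would help reviewers of the `"admin"` default.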
@@ -0,0 +1,297 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.BasicConstraintsExtension; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates Basic Constraint extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class BasicConstraintsExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "basicConstraintsCritical"; + public static final String CONFIG_IS_CA = "basicConstraintsIsCA"; + public static final String CONFIG_PATH_LEN = "basicConstraintsPathLen"; + + public static final String VAL_CRITICAL = "basicConstraintsCritical"; + public static final String VAL_IS_CA = "basicConstraintsIsCA"; + public static final String VAL_PATH_LEN = "basicConstraintsPathLen"; + + public BasicConstraintsExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_IS_CA); + addValueName(VAL_PATH_LEN); + + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_IS_CA); + addConfigName(CONFIG_PATH_LEN); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_IS_CA)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_IS_CA")); + } else if (name.equals(CONFIG_PATH_LEN)) { + return new Descriptor(IDescriptor.INTEGER, null, + "-1", + CMS.getUserMessage(locale, "CMS_PROFILE_PATH_LEN")); + } + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_IS_CA)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_IS_CA")); + } else if (name.equals(VAL_PATH_LEN)) { + return new Descriptor(IDescriptor.INTEGER, null, + "-1", + CMS.getUserMessage(locale, 
"CMS_PROFILE_PATH_LEN")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + BasicConstraintsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + + ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_IS_CA)) { + ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + if (ext == null) { + return; + } + Boolean isCA = Boolean.valueOf(value); + + ext.set(BasicConstraintsExtension.IS_CA, isCA); + } else if (name.equals(VAL_PATH_LEN)) { + ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + + if (ext == null) { + return; + } + Integer pathLen = Integer.valueOf(value); + + ext.set(BasicConstraintsExtension.PATH_LEN, pathLen); + } else { + throw new EPropertyException("Invalid name " + name); + } + replaceExtension(PKIXExtensions.BasicConstraints_Id.toString(), + ext, info); + } catch (IOException e) { + CMS.debug("BasicConstraintsExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (EProfileException e) { + CMS.debug("BasicConstraintsExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + try { + if (name == 
null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + BasicConstraintsExtension ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + + if (ext == null) { + CMS.debug("BasicConstraintsExtDefault: getValue ext is null, populating a new one "); + + try { + populate(null, info); + + } catch (EProfileException e) { + CMS.debug("BasicConstraintsExtDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_IS_CA)) { + ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + + if (ext == null) { + return null; + } + Boolean isCA = (Boolean) ext.get(BasicConstraintsExtension.IS_CA); + + return isCA.toString(); + } else if (name.equals(VAL_PATH_LEN)) { + ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + + if (ext == null) { + return null; + } + Integer pathLen = (Integer) + ext.get(BasicConstraintsExtension.PATH_LEN); + + String pLen = null; + + pLen = pathLen.toString(); + if (pLen.equals("-2")) { + //This is done for bug 621700. Profile constraints actually checks for -1 + //The low level security class for some reason sets this to -2 + //This will allow the request to be approved successfuly by the agent. 
+ + pLen = "-1"; + + } + + CMS.debug("BasicConstriantsExtDefault getValue(pLen) " + pLen); + + return pLen; + + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } catch (IOException e) { + CMS.debug("BasicConstraintsExtDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_IS_CA), + getConfig(CONFIG_PATH_LEN) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_BASIC_CONSTRAINTS_EXT", params); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + BasicConstraintsExtension ext = createExtension(); + + addExtension(PKIXExtensions.BasicConstraints_Id.toString(), ext, + info); + } + + public BasicConstraintsExtension createExtension() { + BasicConstraintsExtension ext = null; + + boolean critical = Boolean.valueOf(getConfig(CONFIG_CRITICAL)).booleanValue(); + boolean isCA = Boolean.valueOf(getConfig(CONFIG_IS_CA)).booleanValue(); + String pathLenStr = getConfig(CONFIG_PATH_LEN); + + int pathLen = -2; + + if (!pathLenStr.equals("")) { + + pathLen = Integer.valueOf(pathLenStr).intValue(); + } + + try { + ext = new BasicConstraintsExtension(isCA, critical, pathLen); + } catch (Exception e) { + CMS.debug("BasicConstraintsExtDefault: createExtension " + + e.toString()); + return null; + } + ext.setCritical(critical); + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/CAEnrollDefault.java b/base/common/src/com/netscape/cms/profile/def/CAEnrollDefault.java new file mode 100644 index 000000000..872e32960 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/CAEnrollDefault.java 
@@ -0,0 +1,106 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+
+import netscape.security.x509.CertificateX509Key;
+import netscape.security.x509.KeyIdentifier;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.SubjectKeyIdentifierExtension;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509Key;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+
+/**
+ * This class implements an abstract CA specific
+ * Enrollment default. This policy can only be
+ * used with CA subsystem.
+ * + * @version $Revision$, $Date$ + */ +public abstract class CAEnrollDefault extends EnrollDefault { + public CAEnrollDefault() { + } + + public KeyIdentifier getKeyIdentifier(X509CertInfo info) { + try { + CertificateX509Key ckey = (CertificateX509Key) + info.get(X509CertInfo.KEY); + X509Key key = (X509Key) ckey.get(CertificateX509Key.KEY); + MessageDigest md = MessageDigest.getInstance("SHA-1"); + + md.update(key.getKey()); + byte[] hash = md.digest(); + + return new KeyIdentifier(hash); + } catch (IOException e) { + CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " + + e.toString()); + } catch (CertificateException e) { + CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " + + e.toString()); + } catch (NoSuchAlgorithmException e) { + CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " + + e.toString()); + } + return null; + } + + public KeyIdentifier getCAKeyIdentifier() { + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + X509CertImpl caCert = ca.getCACert(); + if (caCert == null) { + // during configuration, we dont have the CA certificate + return null; + } + X509Key key = (X509Key) caCert.getPublicKey(); + + SubjectKeyIdentifierExtension subjKeyIdExt = + (SubjectKeyIdentifierExtension) + caCert.getExtension(PKIXExtensions.SubjectKey_Id.toString()); + if (subjKeyIdExt != null) { + try { + KeyIdentifier keyId = (KeyIdentifier) subjKeyIdExt.get( + SubjectKeyIdentifierExtension.KEY_ID); + return keyId; + } catch (IOException e) { + } + } + + try { + MessageDigest md = MessageDigest.getInstance("SHA-1"); + + md.update(key.getKey()); + byte[] hash = md.digest(); + + return new KeyIdentifier(hash); + } catch (NoSuchAlgorithmException e) { + CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " + + e.toString()); + } + return null; + } +} 
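Review bot: `getCAKeyIdentifier` swallows the `IOException` from `subjKeyIdExt.get(SubjectKeyIdentifierExtension.KEY_ID)` with an empty catch and silently falls back to hashing the CA public key, so an AKI that does not match the CA certificate's actual SKI could be issued with no trace in the log; at minimum record it, `CMS.debug("CAEnrollDefault: getCAKeyIdentifier " + e.toString());`. The other debug messages in this class are tagged "AuthorityKeyIdentifierExtDefault", which will mislead anyone grepping the CA log — they should name `CAEnrollDefault`. SHA-1 over the key bytes is the RFC 5280 §4.2.1.2 method (1) key-identifier derivation and does not rely on collision resistance, so that choice is fine here. The `(X509Key) caCert.getPublicKey()` cast is performed before the SKI lookup even though only the fallback path uses it; moving it into that path confines any ClassCastException to the case that actually needs the key.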
diff --git a/base/common/src/com/netscape/cms/profile/def/CAValidityDefault.java b/base/common/src/com/netscape/cms/profile/def/CAValidityDefault.java
new file mode 100644
index 000000000..e3b834ce5
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/CAValidityDefault.java
@@ -0,0 +1,348 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.text.ParsePosition;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.Locale;
+
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements a CA signing cert enrollment default policy
+ * that populates a server-side configurable validity
+ * into the certificate template.
+ * It allows an agent to bypass the CA's signing cert's expiration constraint + */ +public class CAValidityDefault extends EnrollDefault { + public static final String CONFIG_RANGE = "range"; + public static final String CONFIG_START_TIME = "startTime"; + public static final String CONFIG_BYPASS_CA_NOTAFTER = "bypassCAnotafter"; + + public static final String VAL_NOT_BEFORE = "notBefore"; + public static final String VAL_NOT_AFTER = "notAfter"; + public static final String VAL_BYPASS_CA_NOTAFTER = "bypassCAnotafter"; + + public static final String DATE_FORMAT = "yyyy-MM-dd HH:mm:ss"; + + private long mDefault = 86400000; // 1 days + public ICertificateAuthority mCA = null; + + public CAValidityDefault() { + super(); + addConfigName(CONFIG_RANGE); + addConfigName(CONFIG_START_TIME); + addConfigName(CONFIG_BYPASS_CA_NOTAFTER); + + addValueName(VAL_NOT_BEFORE); + addValueName(VAL_NOT_AFTER); + addValueName(VAL_BYPASS_CA_NOTAFTER); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + mCA = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (name.equals(CONFIG_RANGE)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_RANGE)); + } + } else if (name.equals(CONFIG_START_TIME)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_START_TIME)); + } + } + super.setConfig(name, value); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_RANGE)) { + return new Descriptor(IDescriptor.STRING, + null, + "2922", /* 8 years */ + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_RANGE")); + } else if (name.equals(CONFIG_START_TIME)) { + return new 
Descriptor(IDescriptor.STRING, + null, + "60", /* 1 minute */ + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_START_TIME")); + } else if (name.equals(CONFIG_BYPASS_CA_NOTAFTER)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_BYPASS_CA_NOTAFTER")); + + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_NOT_BEFORE)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_BEFORE")); + } else if (name.equals(VAL_NOT_AFTER)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_AFTER")); + } else if (name.equals(VAL_BYPASS_CA_NOTAFTER)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_BYPASS_CA_NOTAFTER")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (value == null || value.equals("")) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + CMS.debug("CAValidityDefault: setValue name= " + name); + + if (name.equals(VAL_NOT_BEFORE)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + validity.set(CertificateValidity.NOT_BEFORE, + date); + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = 
+ new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + validity.set(CertificateValidity.NOT_AFTER, + date); + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_BYPASS_CA_NOTAFTER)) { + boolean bypassCAvalidity = Boolean.valueOf(value).booleanValue(); + CMS.debug("CAValidityDefault: setValue: bypassCAvalidity=" + bypassCAvalidity); + + BasicConstraintsExtension ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + + if (ext == null) { + CMS.debug("CAValidityDefault: setValue: this default cannot be applied to non-CA cert."); + return; + } + try { + Boolean isCA = (Boolean) ext.get(BasicConstraintsExtension.IS_CA); + if (isCA.booleanValue() != true) { + CMS.debug("CAValidityDefault: setValue: this default cannot be aplied to non-CA cert."); + return; + } + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue: this default cannot be aplied to non-CA cert." + e.toString()); + return; + } + + CertificateValidity validity = null; + Date notAfter = null; + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + notAfter = (Date) validity.get(CertificateValidity.NOT_AFTER); + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + // not to exceed CA's expiration + Date caNotAfter = + mCA.getSigningUnit().getCertImpl().getNotAfter(); + + if (notAfter.after(caNotAfter)) { + if (bypassCAvalidity == false) { + notAfter = caNotAfter; + CMS.debug("CAValidityDefault: setValue: bypassCAvalidity off. 
reset notAfter to caNotAfter. reset "); + } else { + CMS.debug("CAValidityDefault: setValue: bypassCAvalidity on. notAfter is after caNotAfter. no reset"); + } + } + try { + validity.set(CertificateValidity.NOT_AFTER, + notAfter); + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + + if (name == null) + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + + CMS.debug("CAValidityDefault: getValue: name= " + name); + if (name.equals(VAL_NOT_BEFORE)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + return formatter.format((Date) + validity.get(CertificateValidity.NOT_BEFORE)); + } catch (Exception e) { + CMS.debug("CAValidityDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + return formatter.format((Date) + validity.get(CertificateValidity.NOT_AFTER)); + } catch (Exception e) { + CMS.debug("CAValidityDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_BYPASS_CA_NOTAFTER)) { + return "false"; + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + public String 
getText(Locale locale) { + String params[] = { + getConfig(CONFIG_RANGE), + getConfig(CONFIG_BYPASS_CA_NOTAFTER) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_VALIDITY", params); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + + // always + 60 seconds + String startTimeStr = getConfig(CONFIG_START_TIME); + try { + startTimeStr = mapPattern(request, startTimeStr); + } catch (IOException e) { + CMS.debug("CAValidityDefault: populate " + e.toString()); + } + + if (startTimeStr == null || startTimeStr.equals("")) { + startTimeStr = "60"; + } + int startTime = Integer.parseInt(startTimeStr); + Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime)); + long notAfterVal = 0; + + try { + String rangeStr = getConfig(CONFIG_RANGE); + rangeStr = mapPattern(request, rangeStr); + notAfterVal = notBefore.getTime() + + (mDefault * Integer.parseInt(rangeStr)); + } catch (Exception e) { + // configured value is not correct + CMS.debug("CAValidityDefault: populate " + e.toString()); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_INVALID_PROPERTY", CONFIG_RANGE)); + } + Date notAfter = new Date(notAfterVal); + + CertificateValidity validity = + new CertificateValidity(notBefore, notAfter); + + try { + info.set(X509CertInfo.VALIDITY, validity); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("CAValidityDefault: populate " + e.toString()); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_INVALID_PROPERTY", X509CertInfo.VALIDITY)); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/CRLDistributionPointsExtDefault.java b/base/common/src/com/netscape/cms/profile/def/CRLDistributionPointsExtDefault.java new file mode 100644 index 000000000..d1def3d5d --- /dev/null 
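Review bot: The `CONFIG_BYPASS_CA_NOTAFTER` profile setting is registered and printed by `getText`, but `setValue` never reads it: in the `VAL_BYPASS_CA_NOTAFTER` branch the decision to let `notAfter` exceed the CA signing certificate's expiration comes solely from the agent-submitted `value`. Unless a constraint plugin elsewhere enforces it (not visible in this hunk), an administrator who sets `bypassCAnotafter=false` in the profile gets no enforcement; gating on the config would be `boolean bypassCAvalidity = Boolean.valueOf(value).booleanValue() && Boolean.valueOf(getConfig(CONFIG_BYPASS_CA_NOTAFTER)).booleanValue();`. The clamp to `caNotAfter` also lives only in that branch, so if the framework applies `VAL_NOT_AFTER` after it the agent-supplied date is accepted unchecked, and `getValue(VAL_BYPASS_CA_NOTAFTER)` always returns `"false"`, so whatever was applied is not reflected back in the template. Finally, `formatter.parse(value, pos)` returns null rather than throwing on malformed input, and the null is rejected only because `validity.set` presumably refuses a non-Date; an explicit `if (date == null) throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));` after each parse would make the validation intentional.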
+++ b/base/common/src/com/netscape/cms/profile/def/CRLDistributionPointsExtDefault.java 
@@ -0,0 +1,696 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.StringTokenizer;
+import java.util.Vector;
+
+import netscape.security.util.BitArray;
+import netscape.security.x509.CRLDistributionPoint;
+import netscape.security.x509.CRLDistributionPointsExtension;
+import netscape.security.x509.CRLDistributionPointsExtension.Reason;
+import netscape.security.x509.GeneralName;
+import netscape.security.x509.GeneralNames;
+import netscape.security.x509.GeneralNamesException;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.RDN;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an 
enrollment default policy + * that populates a CRL Distribution points extension + * into the certificate template. + * + * @version $Revision$, $Date$ + */ +public class CRLDistributionPointsExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "crlDistPointsCritical"; + public static final String CONFIG_NUM_POINTS = "crlDistPointsNum"; + public static final String CONFIG_POINT_TYPE = "crlDistPointsPointType_"; + public static final String CONFIG_POINT_NAME = "crlDistPointsPointName_"; + public static final String CONFIG_REASONS = "crlDistPointsReasons_"; + public static final String CONFIG_ISSUER_TYPE = "crlDistPointsIssuerType_"; + public static final String CONFIG_ISSUER_NAME = "crlDistPointsIssuerName_"; + public static final String CONFIG_ENABLE = "crlDistPointsEnable_"; + + public static final String VAL_CRITICAL = "crlDistPointsCritical"; + public static final String VAL_CRL_DISTRIBUTION_POINTS = "crlDistPointsValue"; + + private static final String REASONS = "Reasons"; + private static final String POINT_TYPE = "Point Type"; + private static final String POINT_NAME = "Point Name"; + private static final String ISSUER_TYPE = "Issuer Type"; + private static final String ISSUER_NAME = "Issuer Name"; + private static final String ENABLE = "Enable"; + + private static final String RELATIVETOISSUER = "RelativeToIssuer"; + + private static final int DEF_NUM_POINTS = 1; + private static final int MAX_NUM_POINTS = 100; + + public CRLDistributionPointsExtDefault() { + super(); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + refreshConfigAndValueNames(); + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(CONFIG_NUM_POINTS)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_POINTS || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", 
CONFIG_NUM_POINTS)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_POINTS)); + } + } + super.setConfig(name, value); + } + + public Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void refreshConfigAndValueNames() { + super.refreshConfigAndValueNames(); + + addValueName(VAL_CRITICAL); + addValueName(VAL_CRL_DISTRIBUTION_POINTS); + + addConfigName(CONFIG_CRITICAL); + int num = getNumPoints(); + + addConfigName(CONFIG_NUM_POINTS); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_POINT_TYPE + i); + addConfigName(CONFIG_POINT_NAME + i); + addConfigName(CONFIG_REASONS + i); + addConfigName(CONFIG_ISSUER_TYPE + i); + addConfigName(CONFIG_ISSUER_NAME + i); + addConfigName(CONFIG_ENABLE + i); + } + } + + protected int getNumPoints() { + int num = DEF_NUM_POINTS; + String val = getConfig(CONFIG_NUM_POINTS); + + if (val != null) { + try { + num = Integer.parseInt(val); + } catch (NumberFormatException e) { + // ignore + } + } + + if (num >= MAX_NUM_POINTS) + num = DEF_NUM_POINTS; + + return num; + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_POINT_TYPE)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POINT_TYPE")); + } else if (name.startsWith(CONFIG_POINT_NAME)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POINT_NAME")); + } else if (name.startsWith(CONFIG_REASONS)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_REASONS")); + } else if (name.startsWith(CONFIG_ISSUER_TYPE)) { + return new Descriptor(IDescriptor.STRING, null, + null, + 
CMS.getUserMessage(locale, "CMS_PROFILE_ISSUER_TYPE")); + } else if (name.startsWith(CONFIG_ISSUER_NAME)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ISSUER_NAME")); + } else if (name.startsWith(CONFIG_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ENABLE")); + } else if (name.startsWith(CONFIG_NUM_POINTS)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_DIST_POINTS")); + + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_CRL_DISTRIBUTION_POINTS)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_CRL_DISTRIBUTION_POINTS")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + CRLDistributionPointsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (CRLDistributionPointsExtension) + getExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + info); + + if (ext == null) { + populate(locale, info); + } + + if (name.equals(VAL_CRITICAL)) { + ext = (CRLDistributionPointsExtension) + getExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_CRL_DISTRIBUTION_POINTS)) { + ext = (CRLDistributionPointsExtension) + getExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + info); + + if (ext == null) { + return; + } + Vector v = 
parseRecords(value); + int size = v.size(); + + boolean critical = ext.isCritical(); + int i = 0; + + for (; i < size; i++) { + NameValuePairs nvps = v.elementAt(i); + String pointType = null; + String pointValue = null; + String issuerType = null; + String issuerValue = null; + String enable = null; + CRLDistributionPoint cdp = new CRLDistributionPoint(); + + for (String name1 : nvps.keySet()) { + + if (name1.equals(REASONS)) { + addReasons(locale, cdp, REASONS, nvps.get(name1)); + } else if (name1.equals(POINT_TYPE)) { + pointType = nvps.get(name1); + } else if (name1.equals(POINT_NAME)) { + pointValue = nvps.get(name1); + } else if (name1.equals(ISSUER_TYPE)) { + issuerType = nvps.get(name1); + } else if (name1.equals(ISSUER_NAME)) { + issuerValue = nvps.get(name1); + } else if (name1.equals(ENABLE)) { + enable = nvps.get(name1); + } + } + + if (enable != null && enable.equals("true")) { + if (pointType != null) + addCRLPoint(locale, cdp, pointType, pointValue); + if (issuerType != null) + addIssuer(locale, cdp, issuerType, issuerValue); + + // this is the first distribution point + if (i == 0) { + ext = new CRLDistributionPointsExtension(cdp); + ext.setCritical(critical); + } else { + ext.addPoint(cdp); + } + } + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + ext, info); + } catch (EProfileException e) { + CMS.debug("CRLDistributionPointsExtDefault: setValue " + + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + private void addCRLPoint(Locale locale, CRLDistributionPoint cdp, String type, + String value) throws EPropertyException { + try { + if (value == null || value.length() == 0) + return; + + if (type.equals(RELATIVETOISSUER)) { + cdp.setRelativeName(new RDN(value)); + } else if (isGeneralNameType(type)) { + GeneralNames gen = new GeneralNames(); + 
gen.addElement(parseGeneralName(type, value)); + cdp.setFullName(gen); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } + } catch (IOException e) { + CMS.debug("CRLDistributionPointsExtDefault: addCRLPoint " + + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } catch (GeneralNamesException e) { + CMS.debug("CRLDistributionPointsExtDefault: addCRLPoint " + + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } + } + + private void addIssuer(Locale locale, CRLDistributionPoint cdp, String type, + String value) throws EPropertyException { + if (value == null || value.length() == 0) + return; + try { + if (isGeneralNameType(type)) { + GeneralNames gen = new GeneralNames(); + + gen.addElement(parseGeneralName(type, value)); + cdp.setCRLIssuer(gen); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } + } catch (IOException e) { + CMS.debug("CRLDistributionPointsExtDefault: addIssuer " + + e.toString()); + } catch (GeneralNamesException e) { + CMS.debug("CRLDistributionPointsExtDefault: addIssuer " + + e.toString()); + } + } + + private void addReasons(Locale locale, CRLDistributionPoint cdp, String type, + String value) throws EPropertyException { + if (value == null || value.length() == 0) + return; + if (type.equals(REASONS)) { + if (value != null && !value.equals("")) { + StringTokenizer st = new StringTokenizer(value, ", \t"); + byte reasonBits = 0; + + while (st.hasMoreTokens()) { + String s = st.nextToken(); + Reason r = Reason.fromString(s); + + if (r == null) { + CMS.debug("CRLDistributeionPointsExtDefault: addReasons Unknown reason: " + s); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", s)); + } else { + reasonBits |= r.getBitMask(); + } + } + + if (reasonBits != 0) { + BitArray ba = new 
BitArray(8, new byte[] { reasonBits } + ); + + cdp.setReasons(ba); + } + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + CRLDistributionPointsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (CRLDistributionPointsExtension) + getExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + info); + + if (ext == null) { + try { + populate(locale, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + if (name.equals(VAL_CRITICAL)) { + ext = (CRLDistributionPointsExtension) + getExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_CRL_DISTRIBUTION_POINTS)) { + ext = (CRLDistributionPointsExtension) + getExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + info); + + if (ext == null) + return ""; + + Vector recs = new Vector(); + int num = getNumPoints(); + + for (int i = 0; i < num; i++) { + NameValuePairs pairs = null; + + if (i < ext.getNumPoints()) { + CRLDistributionPoint p = ext.getPointAt(i); + GeneralNames gns = p.getFullName(); + + pairs = buildGeneralNames(gns, p); + recs.addElement(pairs); + } else { + pairs = buildEmptyGeneralNames(); + recs.addElement(pairs); + } + } + + return buildRecords(recs); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + protected NameValuePairs buildEmptyGeneralNames() { + NameValuePairs pairs = new NameValuePairs(); + + pairs.put(POINT_TYPE, ""); + pairs.put(POINT_NAME, ""); + pairs.put(REASONS, ""); + pairs.put(ISSUER_TYPE, 
""); + pairs.put(ISSUER_NAME, ""); + pairs.put(ENABLE, "false"); + return pairs; + } + + protected NameValuePairs buildGeneralNames(GeneralNames gns, CRLDistributionPoint p) + throws EPropertyException { + + NameValuePairs pairs = new NameValuePairs(); + + RDN rdn = null; + boolean hasFullName = false; + + pairs.put(ENABLE, "true"); + if (gns == null) { + rdn = p.getRelativeName(); + if (rdn != null) { + hasFullName = true; + pairs.put(POINT_TYPE, RELATIVETOISSUER); + pairs.put(POINT_NAME, rdn.toString()); + } else { + pairs.put(POINT_TYPE, ""); + pairs.put(POINT_NAME, ""); + } + } else { + GeneralName gn = (GeneralName) gns.elementAt(0); + + if (gn != null) { + hasFullName = true; + + pairs.put(POINT_TYPE, getGeneralNameType(gn)); + pairs.put(POINT_NAME, getGeneralNameValue(gn)); + } + } + + if (!hasFullName) { + pairs.put(POINT_TYPE, GN_DIRECTORY_NAME); + pairs.put(POINT_NAME, ""); + } + + BitArray reasons = p.getReasons(); + String s = convertBitArrayToReasonNames(reasons); + + if (s.length() > 0) { + pairs.put(REASONS, s); + } else { + pairs.put(REASONS, ""); + } + + gns = p.getCRLIssuer(); + + if (gns == null) { + pairs.put(ISSUER_TYPE, GN_DIRECTORY_NAME); + pairs.put(ISSUER_NAME, ""); + } else { + GeneralName gn = (GeneralName) gns.elementAt(0); + + if (gn != null) { + hasFullName = true; + + pairs.put(ISSUER_TYPE, getGeneralNameType(gn)); + pairs.put(ISSUER_NAME, getGeneralNameValue(gn)); + } + } + return pairs; + } + + private String convertBitArrayToReasonNames(BitArray reasons) { + StringBuffer sb = new StringBuffer(); + + if (reasons != null) { + byte[] b = reasons.toByteArray(); + Reason[] reasonArray = Reason.bitArrayToReasonArray(b); + + for (int i = 0; i < reasonArray.length; i++) { + if (sb.length() > 0) + sb.append(","); + sb.append(reasonArray[i].getName()); + } + } + + return sb.toString(); + } + + public String getText(Locale locale) { + StringBuffer sb = new StringBuffer(); + int num = getNumPoints(); + + for (int i = 0; i < num; i++) { + 
sb.append("Record #"); + sb.append(i); + sb.append("{"); + sb.append(POINT_TYPE + ":"); + sb.append(getConfig(CONFIG_POINT_TYPE + i)); + sb.append(","); + sb.append(POINT_NAME + ":"); + sb.append(getConfig(CONFIG_POINT_NAME + i)); + sb.append(","); + sb.append(REASONS + ":"); + sb.append(getConfig(CONFIG_REASONS + i)); + sb.append(","); + sb.append(ISSUER_TYPE + ":"); + sb.append(getConfig(CONFIG_ISSUER_TYPE + i)); + sb.append(","); + sb.append(ISSUER_NAME + ":"); + sb.append(getConfig(CONFIG_ISSUER_NAME + i)); + sb.append(","); + sb.append(ENABLE + ":"); + sb.append(getConfig(CONFIG_ENABLE + i)); + sb.append("}"); + } + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_CRL_DIST_POINTS_EXT", + getConfig(CONFIG_CRITICAL), + sb.toString()); + } + + /** + * Populates the request with this policy default. + */ + private void populate(Locale locale, X509CertInfo info) + throws EProfileException { + CRLDistributionPointsExtension ext = createExtension(locale); + + if (ext == null) + return; + addExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + ext, info); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + CRLDistributionPointsExtension ext = createExtension(request); + + if (ext == null) + return; + addExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + ext, info); + } + + public CRLDistributionPointsExtension createExtension(IRequest request) { + CRLDistributionPointsExtension ext = null; + int num = 0; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + num = getNumPoints(); + for (int i = 0; i < num; i++) { + CRLDistributionPoint cdp = new CRLDistributionPoint(); + + String enable = getConfig(CONFIG_ENABLE + i); + String pointType = getConfig(CONFIG_POINT_TYPE + i); + String pointName = getConfig(CONFIG_POINT_NAME + i); + String reasons = getConfig(CONFIG_REASONS + i); + String issuerType = getConfig(CONFIG_ISSUER_TYPE + i); + String issuerName = getConfig(CONFIG_ISSUER_NAME + i); + + if (enable != null && enable.equals("true")) { + if (pointType != null) + addCRLPoint(getLocale(request), cdp, pointType, pointName); + if (issuerType != null) + addIssuer(getLocale(request), cdp, issuerType, issuerName); + if (reasons != null) + addReasons(getLocale(request), cdp, REASONS, reasons); + + if (i == 0) { + ext = new CRLDistributionPointsExtension(cdp); + ext.setCritical(critical); + } else { + ext.addPoint(cdp); + } + } + } + } catch (Exception e) { + CMS.debug("CRLDistribtionPointsExtDefault: createExtension " + + e.toString()); + CMS.debug(e); + } + + return ext; + } + + private CRLDistributionPointsExtension createExtension(Locale locale) { + CRLDistributionPointsExtension ext = null; + int num = 0; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + num = getNumPoints(); + for (int i = 0; i < num; i++) { + CRLDistributionPoint cdp = new CRLDistributionPoint(); + + String enable = getConfig(CONFIG_ENABLE + i); + String pointType = getConfig(CONFIG_POINT_TYPE + i); + String pointName = getConfig(CONFIG_POINT_NAME + i); + 
String reasons = getConfig(CONFIG_REASONS + i); + String issuerType = getConfig(CONFIG_ISSUER_TYPE + i); + String issuerName = getConfig(CONFIG_ISSUER_NAME + i); + + if (enable != null && enable.equals("true")) { + if (pointType != null) + addCRLPoint(locale, cdp, pointType, pointName); + if (issuerType != null) + addIssuer(locale, cdp, issuerType, issuerName); + addReasons(locale, cdp, REASONS, reasons); + + if (i == 0) { + ext = new CRLDistributionPointsExtension(cdp); + ext.setCritical(critical); + } else { + ext.addPoint(cdp); + } + } + } + } catch (Exception e) { + CMS.debug("CRLDistribtionPointsExtDefault: createExtension " + + e.toString()); + CMS.debug(e); + } + + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/CertificatePoliciesExtDefault.java b/base/common/src/com/netscape/cms/profile/def/CertificatePoliciesExtDefault.java new file mode 100644 index 000000000..8d4ae2288 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/CertificatePoliciesExtDefault.java 
@@ -0,0 +1,796 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.CPSuri; +import netscape.security.x509.CertificatePoliciesExtension; +import netscape.security.x509.CertificatePolicyId; +import netscape.security.x509.CertificatePolicyInfo; +import netscape.security.x509.DisplayText; +import netscape.security.x509.NoticeReference; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.PolicyQualifiers; +import netscape.security.x509.Qualifier; +import netscape.security.x509.UserNotice; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import 
com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a policy mappings extension + * into the certificate template. + * + * @version $Revision$, $Date$ + */ +public class CertificatePoliciesExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "Critical"; + public static final String CONFIG_PREFIX = "PoliciesExt.certPolicy"; + public static final String CONFIG_PREFIX1 = "PolicyQualifiers"; + public static final String CONFIG_POLICY_ENABLE = "enable"; + public static final String CONFIG_POLICY_NUM = "PoliciesExt.num"; + public static final String CONFIG_POLICY_ID = "policyId"; + public static final String CONFIG_POLICY_QUALIFIERS_NUM = "PolicyQualifiers.num"; + public static final String CONFIG_CPSURI_ENABLE = "CPSURI.enable"; + public static final String CONFIG_USERNOTICE_ENABLE = "usernotice.enable"; + public static final String CONFIG_CPSURI_VALUE = "CPSURI.value"; + public static final String CONFIG_USERNOTICE_ORG = "usernotice.noticeReference.organization"; + public static final String CONFIG_USERNOTICE_NUMBERS = "usernotice.noticeReference.noticeNumbers"; + public static final String CONFIG_USERNOTICE_TEXT = "usernotice.explicitText.value"; + + public static final String VAL_CRITICAL = "Critical"; + public static final String VAL_POLICY_QUALIFIERS = "policyQualifiers"; + + private static final String SEPARATOR = "."; + private static final int DEF_NUM_POLICIES = 5; + private static final int DEF_NUM_QUALIFIERS = 1; + private static final int MAX_NUM_POLICIES = 20; + private static final String POLICY_ID_ENABLE = "Enable"; + private static final String POLICY_ID = "Policy Id"; + private static final String POLICY_QUALIFIER_CPSURI_ENABLE = "CPSuri Enable"; + private static final String POLICY_QUALIFIER_USERNOTICE_ENABLE = "UserNotice Enable"; + private static final String USERNOTICE_REF_ORG = "UserNoticeReference Organization"; + private static final String 
USERNOTICE_REF_NUMBERS = "UserNoticeReference Numbers"; + private static final String USERNOTICE_EXPLICIT_TEXT = "UserNoticeReference Explicit Text"; + private static final String CPSURI = "CPS uri"; + + public CertificatePoliciesExtDefault() { + super(); + } + + protected int getNumPolicies() { + int num = DEF_NUM_POLICIES; + String numPolicies = getConfig(CONFIG_POLICY_NUM); + + if (numPolicies != null) { + try { + num = Integer.parseInt(numPolicies); + } catch (NumberFormatException e) { + // ignore + } + } + + if (num >= MAX_NUM_POLICIES) + num = DEF_NUM_POLICIES; + return num; + } + + protected int getNumQualifiers() { + int num = DEF_NUM_QUALIFIERS; + String numQualifiers = getConfig(CONFIG_POLICY_QUALIFIERS_NUM); + if (numQualifiers != null) { + try { + num = Integer.parseInt(numQualifiers); + } catch (NumberFormatException e) { + // ignore + } + } + return num; + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + + refreshConfigAndValueNames(); + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(CONFIG_POLICY_NUM)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_POLICIES || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_POLICY_NUM)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_POLICY_NUM)); + } + } + super.setConfig(name, value); + } + + public Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void refreshConfigAndValueNames() { + + super.refreshConfigAndValueNames(); + + addValueName(VAL_CRITICAL); + addValueName(VAL_POLICY_QUALIFIERS); + + addConfigName(CONFIG_CRITICAL); + int num = getNumPolicies(); + int numQualifiers = getNumQualifiers(); + + addConfigName(CONFIG_POLICY_NUM); + + for (int i = 0; i < num; i++) { + 
addConfigName(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_ID); + addConfigName(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_ENABLE); + for (int j = 0; j < numQualifiers; j++) { + addConfigName(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_CPSURI_ENABLE); + addConfigName(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_USERNOTICE_ENABLE); + addConfigName(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_CPSURI_VALUE); + addConfigName(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_USERNOTICE_ORG); + addConfigName(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_USERNOTICE_NUMBERS); + addConfigName(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_USERNOTICE_TEXT); + } + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.indexOf(CONFIG_POLICY_ID) >= 0) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POLICY_ID")); + } else if (name.indexOf(CONFIG_CPSURI_ENABLE) >= 0) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_POLICY_QUALIFIER_CPSURI_ENABLE")); + } else if (name.indexOf(CONFIG_USERNOTICE_ENABLE) >= 0) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_POLICY_QUALIFIER_USERNOTICE_ENABLE")); + } else if (name.indexOf(CONFIG_POLICY_ENABLE) >= 0) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CERTIFICATE_POLICY_ENABLE")); + } else if (name.indexOf(CONFIG_POLICY_QUALIFIERS_NUM) >= 0) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, 
"CMS_PROFILE_POLICY_QUALIFIER_NUM")); + } else if (name.indexOf(CONFIG_USERNOTICE_ORG) >= 0) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POLICY_USERNOTICE_REF_ORG")); + } else if (name.indexOf(CONFIG_USERNOTICE_NUMBERS) >= 0) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POLICY_USERNOTICE_REF_NUMBERS")); + } else if (name.indexOf(CONFIG_USERNOTICE_TEXT) >= 0) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POLICY_USERNOTICE_EXPLICIT_TEXT")); + } else if (name.indexOf(CONFIG_CPSURI_VALUE) >= 0) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POLICY_CPSURI")); + } else if (name.indexOf(CONFIG_POLICY_NUM) >= 0) { + return new Descriptor(IDescriptor.INTEGER, null, + "5", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_POLICIES")); + } + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_POLICY_QUALIFIERS)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POLICY_QUALIFIERS")); + } + return null; + } + + private Hashtable buildRecords(String value) throws EPropertyException { + StringTokenizer st = new StringTokenizer(value, "\r\n"); + Hashtable table = new Hashtable(); + while (st.hasMoreTokens()) { + String token = (String) st.nextToken(); + int index = token.indexOf(":"); + if (index <= 0) + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", token)); + String name = token.substring(0, index); + String val = ""; + if ((token.length() - 1) > index) { + val = token.substring(index + 1); + } + table.put(name, val); + } + + return table; + } + + public void 
setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + CertificatePoliciesExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_CRITICAL)) { + ext = (CertificatePoliciesExtension) + getExtension(PKIXExtensions.CertificatePolicies_Id.toString(), + info); + boolean val = Boolean.valueOf(value).booleanValue(); + + ext.setCritical(val); + } else if (name.equals(VAL_POLICY_QUALIFIERS)) { + ext = (CertificatePoliciesExtension) + getExtension(PKIXExtensions.CertificatePolicies_Id.toString(), + info); + + Hashtable h = buildRecords(value); + + String numStr = (String) h.get(CONFIG_POLICY_NUM); + int size = Integer.parseInt(numStr); + + Vector certificatePolicies = new Vector(); + for (int i = 0; i < size; i++) { + String enable = (String) h.get(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_ENABLE); + CertificatePolicyInfo cinfo = null; + if (enable != null && enable.equals("true")) { + String policyId = (String) h.get(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_ID); + + if (policyId == null || policyId.length() == 0) + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_PROFILE_CERTIFICATE_POLICIES_EMPTY_POLICYID")); + CertificatePolicyId cpolicyId = getPolicyId(policyId); + + String qualifersNum = + (String) h.get(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_QUALIFIERS_NUM); + PolicyQualifiers policyQualifiers = new PolicyQualifiers(); + int num = 0; + if (qualifersNum != null && qualifersNum.length() > 0) + num = Integer.parseInt(qualifersNum); + for (int j = 0; j < num; j++) { + String cpsuriEnable = + (String) h.get(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_CPSURI_ENABLE); + String usernoticeEnable = + (String) h + .get(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + + CONFIG_USERNOTICE_ENABLE); + if (cpsuriEnable != null && 
cpsuriEnable.equals("true")) { + String cpsuri = + (String) h.get(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_CPSURI_VALUE); + netscape.security.x509.PolicyQualifierInfo qualifierInfo = createCPSuri(cpsuri); + if (qualifierInfo != null) + policyQualifiers.add(qualifierInfo); + } else if (usernoticeEnable != null && enable.equals("true")) { + String org = + (String) h.get(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + + CONFIG_USERNOTICE_ORG); + String noticenumbers = + (String) h.get(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + + CONFIG_USERNOTICE_NUMBERS); + String explicitText = + (String) h.get(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + + CONFIG_USERNOTICE_TEXT); + netscape.security.x509.PolicyQualifierInfo qualifierInfo = createUserNotice(org, + noticenumbers, explicitText); + if (qualifierInfo != null) + policyQualifiers.add(qualifierInfo); + } + } + + if (policyQualifiers.size() <= 0) { + cinfo = + new CertificatePolicyInfo(cpolicyId); + } else { + cinfo = + new CertificatePolicyInfo(cpolicyId, policyQualifiers); + } + if (cinfo != null) + certificatePolicies.addElement(cinfo); + } + } + + ext.set(CertificatePoliciesExtension.INFOS, certificatePolicies); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(PKIXExtensions.CertificatePolicies_Id.toString(), + ext, info); + } catch (EProfileException e) { + CMS.debug("CertificatePoliciesExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (IOException e) { + CMS.debug("CertificatePoliciesExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + @SuppressWarnings("unchecked") + public String getValue(String name, Locale locale, + X509CertInfo info) + throws 
EPropertyException { + CertificatePoliciesExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + if (name.equals(VAL_CRITICAL)) { + ext = (CertificatePoliciesExtension) + getExtension(PKIXExtensions.CertificatePolicies_Id.toString(), + info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_POLICY_QUALIFIERS)) { + ext = (CertificatePoliciesExtension) + getExtension(PKIXExtensions.CertificatePolicies_Id.toString(), + info); + + if (ext == null) + return ""; + + StringBuffer sb = new StringBuffer(); + int num_policies = getNumPolicies(); + sb.append(CONFIG_POLICY_NUM); + sb.append(":"); + sb.append(num_policies); + sb.append("\n"); + Vector infos; + + try { + infos = (Vector) ext.get(CertificatePoliciesExtension.INFOS); + } catch (IOException ee) { + infos = null; + } + + for (int i = 0; i < num_policies; i++) { + int qSize = 0; + String policyId = ""; + String policyEnable = "false"; + PolicyQualifiers qualifiers = null; + if (infos.size() > 0) { + CertificatePolicyInfo cinfo = + infos.elementAt(0); + + CertificatePolicyId id1 = cinfo.getPolicyIdentifier(); + policyId = id1.getIdentifier().toString(); + policyEnable = "true"; + qualifiers = cinfo.getPolicyQualifiers(); + if (qualifiers != null) + qSize = qualifiers.size(); + infos.removeElementAt(0); + } + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_ENABLE); + sb.append(":"); + sb.append(policyEnable); + sb.append("\n"); + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_ID); + sb.append(":"); + sb.append(policyId); + sb.append("\n"); + + if (qSize == 0) { + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_QUALIFIERS_NUM); + sb.append(":"); + sb.append(DEF_NUM_QUALIFIERS); + sb.append("\n"); + } else { + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_QUALIFIERS_NUM); + sb.append(":"); + 
sb.append(qSize); + sb.append("\n"); + } + if (qSize == 0) { + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + "0" + SEPARATOR + CONFIG_CPSURI_ENABLE); + sb.append(":"); + sb.append("false"); + sb.append("\n"); + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + "0" + SEPARATOR + CONFIG_CPSURI_VALUE); + sb.append(":"); + sb.append(""); + sb.append("\n"); + sb.append(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + "0" + SEPARATOR + CONFIG_USERNOTICE_ENABLE); + sb.append(":"); + sb.append("false"); + sb.append("\n"); + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + "0" + SEPARATOR + CONFIG_USERNOTICE_ORG); + sb.append(":"); + sb.append(""); + sb.append("\n"); + sb.append(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + "0" + SEPARATOR + CONFIG_USERNOTICE_NUMBERS); + sb.append(":"); + sb.append(""); + sb.append("\n"); + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + "0" + SEPARATOR + CONFIG_USERNOTICE_TEXT); + sb.append(":"); + sb.append(""); + sb.append("\n"); + } + + for (int j = 0; j < qSize; j++) { + netscape.security.x509.PolicyQualifierInfo qinfo = qualifiers.getInfoAt(j); + ObjectIdentifier oid = qinfo.getId(); + Qualifier qualifier = qinfo.getQualifier(); + + String cpsuriEnable = "false"; + String usernoticeEnable = "false"; + String cpsuri = ""; + String org = ""; + StringBuffer noticeNum = new StringBuffer(); + String explicitText = ""; + + if (oid.toString().equals(netscape.security.x509.PolicyQualifierInfo.QT_CPS.toString())) { + cpsuriEnable = "true"; + CPSuri content = (CPSuri) qualifier; + cpsuri = content.getURI(); + } else if (oid.toString().equals(netscape.security.x509.PolicyQualifierInfo.QT_UNOTICE.toString())) { + usernoticeEnable = "true"; + UserNotice content = (UserNotice) qualifier; + NoticeReference ref = content.getNoticeReference(); + if (ref != null) { + org = ref.getOrganization().getText(); + int[] nums = ref.getNumbers(); + for (int k = 0; k < nums.length; k++) { + if (k != 0) { + 
noticeNum.append(","); + noticeNum.append(nums[k]); + } else + noticeNum.append(nums[k]); + } + } + DisplayText displayText = content.getDisplayText(); + if (displayText != null) + explicitText = displayText.getText(); + } + + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_CPSURI_ENABLE); + sb.append(":"); + sb.append(cpsuriEnable); + sb.append("\n"); + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_CPSURI_VALUE); + sb.append(":"); + sb.append(cpsuri); + sb.append("\n"); + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_USERNOTICE_ENABLE); + sb.append(":"); + sb.append(usernoticeEnable); + sb.append("\n"); + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_USERNOTICE_ORG); + sb.append(":"); + sb.append(org); + sb.append("\n"); + sb.append(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_USERNOTICE_NUMBERS); + sb.append(":"); + sb.append(noticeNum.toString()); + sb.append("\n"); + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_USERNOTICE_TEXT); + sb.append(":"); + sb.append(explicitText); + sb.append("\n"); + } + } // end of for loop + return sb.toString(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + StringBuffer sb = new StringBuffer(); + int num = getNumPolicies(); + int num1 = getNumQualifiers(); + + try { + IConfigStore basesubstore = getConfigStore().getSubStore("params"); + sb.append("{"); + sb.append(CONFIG_POLICY_NUM + ":"); + sb.append(num); + sb.append(","); + for (int i = 0; i < num; i++) { + sb.append("{"); + IConfigStore substore = basesubstore.getSubStore(CONFIG_PREFIX + i); + String enable = substore.getString(CONFIG_POLICY_ENABLE, ""); + sb.append(POLICY_ID_ENABLE + ":"); + sb.append(enable); + sb.append(","); + String policyId = 
substore.getString(CONFIG_POLICY_ID, ""); + sb.append(POLICY_ID + ":"); + sb.append(policyId); + sb.append(","); + String qualifiersNum = substore.getString(CONFIG_POLICY_QUALIFIERS_NUM, ""); + sb.append(CONFIG_POLICY_QUALIFIERS_NUM + ":"); + sb.append(qualifiersNum); + sb.append(","); + for (int j = 0; j < num1; j++) { + IConfigStore substore1 = substore.getSubStore(CONFIG_PREFIX1 + j); + sb.append("{"); + String cpsuriEnable = substore1.getString(CONFIG_CPSURI_ENABLE, ""); + sb.append(POLICY_QUALIFIER_CPSURI_ENABLE + ":"); + sb.append(cpsuriEnable); + sb.append(","); + String usernoticeEnable = substore1.getString(CONFIG_USERNOTICE_ENABLE, ""); + sb.append(POLICY_QUALIFIER_USERNOTICE_ENABLE + ":"); + sb.append(usernoticeEnable); + sb.append(","); + String org = substore1.getString(CONFIG_USERNOTICE_ORG, ""); + sb.append(USERNOTICE_REF_ORG + ":"); + sb.append(org); + sb.append(","); + String refNums = substore1.getString(CONFIG_USERNOTICE_NUMBERS, ""); + sb.append(USERNOTICE_REF_NUMBERS + ":"); + sb.append(refNums); + sb.append(","); + String explicitText = substore1.getString(CONFIG_USERNOTICE_TEXT, ""); + sb.append(USERNOTICE_EXPLICIT_TEXT + ":"); + sb.append(explicitText); + sb.append(","); + String cpsuri = substore1.getString(CONFIG_CPSURI_VALUE, ""); + sb.append(CPSURI + ":"); + sb.append(cpsuri); + sb.append("}"); + } + sb.append("}"); + } + sb.append("}"); + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_CERTIFICATE_POLICIES_EXT", + getConfig(CONFIG_CRITICAL), sb.toString()); + } catch (Exception e) { + return ""; + } + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + CertificatePoliciesExtension ext = createExtension(); + + if (ext == null) + return; + addExtension(PKIXExtensions.CertificatePolicies_Id.toString(), + ext, info); + } + + public CertificatePoliciesExtension createExtension() + throws EProfileException { + CertificatePoliciesExtension ext = null; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + Vector certificatePolicies = new Vector(); + int num = getNumPolicies(); + CMS.debug("CertificatePoliciesExtension: createExtension: number of policies=" + num); + IConfigStore config = getConfigStore(); + + for (int i = 0; i < num; i++) { + IConfigStore basesubstore = config.getSubStore("params"); + IConfigStore substore = basesubstore.getSubStore(CONFIG_PREFIX + i); + String enable = substore.getString(CONFIG_POLICY_ENABLE); + + CMS.debug("CertificatePoliciesExtension: createExtension: CertificatePolicy " + i + " enable=" + enable); + if (enable != null && enable.equals("true")) { + String policyId = substore.getString(CONFIG_POLICY_ID); + CertificatePolicyId cpolicyId = getPolicyId(policyId); + CMS.debug("CertificatePoliciesExtension: createExtension: CertificatePolicy " + + i + " policyId=" + policyId); + int qualifierNum = getNumQualifiers(); + PolicyQualifiers policyQualifiers = new PolicyQualifiers(); + for (int j = 0; j < qualifierNum; j++) { + IConfigStore substore1 = substore.getSubStore(CONFIG_PREFIX1 + j); + String cpsuriEnable = substore1.getString(CONFIG_CPSURI_ENABLE); + String usernoticeEnable = substore1.getString(CONFIG_USERNOTICE_ENABLE); + + if (cpsuriEnable != null && cpsuriEnable.equals("true")) { + String cpsuri = substore1.getString(CONFIG_CPSURI_VALUE, ""); + netscape.security.x509.PolicyQualifierInfo qualifierInfo = createCPSuri(cpsuri); + if (qualifierInfo != null) + policyQualifiers.add(qualifierInfo); + } else if (usernoticeEnable != null && + usernoticeEnable.equals("true")) { + + 
String org = substore1.getString(CONFIG_USERNOTICE_ORG); + String noticenumbers = substore1.getString(CONFIG_USERNOTICE_NUMBERS); + String explicitText = substore1.getString(CONFIG_USERNOTICE_TEXT); + netscape.security.x509.PolicyQualifierInfo qualifierInfo = createUserNotice(org, + noticenumbers, explicitText); + if (qualifierInfo != null) + policyQualifiers.add(qualifierInfo); + } + } + + CertificatePolicyInfo info = null; + if (policyQualifiers.size() <= 0) { + info = + new CertificatePolicyInfo(cpolicyId); + } else { + info = + new CertificatePolicyInfo(cpolicyId, policyQualifiers); + } + + if (info != null) + certificatePolicies.addElement(info); + } + } + + ext = new CertificatePoliciesExtension(critical, certificatePolicies); + } catch (EPropertyException e) { + throw new EProfileException(e.toString()); + } catch (EProfileException e) { + throw e; + } catch (Exception e) { + CMS.debug("CertificatePoliciesExtDefault: createExtension " + + e.toString()); + } + + return ext; + } + + private CertificatePolicyId getPolicyId(String policyId) throws EPropertyException { + if (policyId == null || policyId.length() == 0) + throw new EPropertyException(CMS.getUserMessage( + "CMS_PROFILE_CERTIFICATE_POLICIES_EMPTY_POLICYID")); + + CertificatePolicyId cpolicyId = null; + try { + cpolicyId = new CertificatePolicyId( + ObjectIdentifier.getObjectIdentifier(policyId)); + return cpolicyId; + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_PROFILE_CERTIFICATE_POLICIES_POLICYID_ERROR", policyId)); + } + } + + private netscape.security.x509.PolicyQualifierInfo createCPSuri(String uri) throws EPropertyException { + if (uri == null || uri.length() == 0) + throw new EPropertyException(CMS.getUserMessage( + "CMS_PROFILE_CERTIFICATE_POLICIES_EMPTY_CPSURI")); + + CPSuri cpsURI = new CPSuri(uri); + netscape.security.x509.PolicyQualifierInfo policyQualifierInfo2 = + new 
netscape.security.x509.PolicyQualifierInfo(netscape.security.x509.PolicyQualifierInfo.QT_CPS, + cpsURI); + + return policyQualifierInfo2; + } + + private netscape.security.x509.PolicyQualifierInfo createUserNotice(String organization, + String noticeText, String noticeNums) throws EPropertyException { + + if ((organization == null || organization.length() == 0) && + (noticeNums == null || noticeNums.length() == 0) && + (noticeText == null || noticeText.length() == 0)) + return null; + + DisplayText explicitText = null; + if (noticeText != null && noticeText.length() > 0) + explicitText = new DisplayText(DisplayText.tag_VisibleString, noticeText); + + int nums[] = null; + if (noticeNums != null && noticeNums.length() > 0) { + Vector numsVector = new Vector(); + StringTokenizer tokens = new StringTokenizer(noticeNums, ";"); + while (tokens.hasMoreTokens()) { + String num = tokens.nextToken().trim(); + numsVector.addElement(num); + } + + nums = new int[numsVector.size()]; + try { + for (int i = 0; i < numsVector.size(); i++) { + Integer ii = new Integer((String) numsVector.elementAt(i)); + nums[i] = ii.intValue(); + } + } catch (Exception e) { + throw new EPropertyException("Wrong notice numbers"); + } + } + + DisplayText orgName = null; + if (organization != null && organization.length() > 0) { + orgName = + new DisplayText(DisplayText.tag_VisibleString, organization); + } + + NoticeReference noticeReference = null; + + if (orgName != null) + noticeReference = new NoticeReference(orgName, nums); + + UserNotice userNotice = null; + if (explicitText != null || noticeReference != null) { + userNotice = new UserNotice(noticeReference, explicitText); + + netscape.security.x509.PolicyQualifierInfo policyQualifierInfo1 = + new netscape.security.x509.PolicyQualifierInfo( + netscape.security.x509.PolicyQualifierInfo.QT_UNOTICE, userNotice); + return policyQualifierInfo1; + } + + return null; + } +} 
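Review bot: The two `createUserNotice(org, noticenumbers, explicitText)` calls in `setValue` and `createExtension` pass their arguments in the wrong order: the method is declared `createUserNotice(String organization, String noticeText, String noticeNums)`, so the notice-number string ends up as the explicitText DisplayText and the free-form explicit text is tokenized as integers, which throws `EPropertyException("Wrong notice numbers")` for any non-numeric text. Both call sites should read `createUserNotice(org, explicitText, noticenumbers)`. In the same `setValue` loop the user-notice branch tests `usernoticeEnable != null && enable.equals("true")`, i.e. it re-checks the policy's enable flag rather than the qualifier's, so a record carrying `usernotice.enable:false` still produces a UserNotice qualifier; it should be `usernoticeEnable != null && usernoticeEnable.equals("true")`. Note also that `getValue` joins notice numbers with "," while `createUserNotice` tokenizes on ";", so a value read back through `getValue` cannot be written back through `setValue` unchanged.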
diff --git a/base/common/src/com/netscape/cms/profile/def/CertificateVersionDefault.java b/base/common/src/com/netscape/cms/profile/def/CertificateVersionDefault.java new file mode 100644 index 000000000..d30f971dd --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/CertificateVersionDefault.java 
@@ -0,0 +1,193 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.security.cert.CertificateException;
+import java.util.Locale;
+
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates a Netscape comment extension
+ * into the certificate template.
+ *
+ * @version $Revision$, $Date$
+ */
+public class CertificateVersionDefault extends EnrollExtDefault {
+
+ public static final String CONFIG_VERSION = "certVersionNum";
+
+ public static final String VAL_VERSION = "certVersionNum";
+
+ public CertificateVersionDefault() {
+ super();
+ addValueName(VAL_VERSION);
+
+ addConfigName(CONFIG_VERSION);
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ super.init(profile, config);
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ if (name.equals(CONFIG_VERSION)) {
+ return new Descriptor(IDescriptor.INTEGER, null,
+ "3",
+ CMS.getUserMessage(locale, "CMS_PROFILE_VERSION"));
+ } else {
+ return null;
+ }
+ }
+
+ public void setConfig(String name, String value)
+ throws EPropertyException {
+ if (name.equals(CONFIG_VERSION)) {
+ try {
+ Integer.parseInt(value);
+ } catch (Exception e) {
+ throw new EPropertyException(CMS.getUserMessage(
+ "CMS_INVALID_PROPERTY", CONFIG_VERSION));
+ }
+ }
+ super.setConfig(name, value);
+ }
+
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ if (name.equals(VAL_VERSION)) {
+ return new Descriptor(IDescriptor.INTEGER, null,
+ "3",
+ CMS.getUserMessage(locale, "CMS_PROFILE_VERSION"));
+ } else {
+ return null;
+ }
+ }
+
+ public void setValue(String name, Locale locale,
+ X509CertInfo info, String value)
+ throws EPropertyException {
+ try {
+
+ if (name == null) {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+ if (name.equals(VAL_VERSION)) {
+ if (value == null || value.equals(""))
+ throw new EPropertyException(name + " cannot be empty");
+ else {
+ int version = Integer.valueOf(value).intValue() - 1;
+
+ if (version == CertificateVersion.V1)
+ info.set(X509CertInfo.VERSION,
+ new CertificateVersion(CertificateVersion.V1));
+ else if (version == CertificateVersion.V2)
+ info.set(X509CertInfo.VERSION,
+ new 
CertificateVersion(CertificateVersion.V2));
+ else if (version == CertificateVersion.V3)
+ info.set(X509CertInfo.VERSION,
+ new CertificateVersion(CertificateVersion.V3));
+ }
+ } else {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+ } catch (IOException e) {
+ CMS.debug("CertificateVersionDefault: setValue " + e.toString());
+ } catch (CertificateException e) {
+ CMS.debug("CertificateVersionDefault: setValue " + e.toString());
+ }
+ }
+
+ public String getValue(String name, Locale locale,
+ X509CertInfo info)
+ throws EPropertyException {
+
+ if (name == null) {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+
+ if (name.equals(VAL_VERSION)) {
+ CertificateVersion v = null;
+ try {
+ v = (CertificateVersion) info.get(
+ X509CertInfo.VERSION);
+ } catch (Exception e) {
+ }
+
+ if (v == null)
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ int version = v.compare(0);
+
+ return "" + (version + 1);
+ } else {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+ }
+
+ public String getText(Locale locale) {
+ String params[] = {
+ getConfig(CONFIG_VERSION)
+ };
+
+ return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_CERT_VERSION", params);
+ }
+
+ /**
+ * Populates the request with this policy default.
+ */
+ public void populate(IRequest request, X509CertInfo info)
+ throws EProfileException {
+ String v = getConfig(CONFIG_VERSION);
+ int version = Integer.valueOf(v).intValue() - 1;
+
+ try {
+ if (version == CertificateVersion.V1)
+ info.set(X509CertInfo.VERSION,
+ new CertificateVersion(CertificateVersion.V1));
+ else if (version == CertificateVersion.V2)
+ info.set(X509CertInfo.VERSION,
+ new CertificateVersion(CertificateVersion.V2));
+ else if (version == CertificateVersion.V3)
+ info.set(X509CertInfo.VERSION,
+ new CertificateVersion(CertificateVersion.V3));
+ else {
+ throw new EProfileException(CMS.getUserMessage(
+ getLocale(request), "CMS_INVALID_PROPERTY", CONFIG_VERSION));
+ }
+ } catch (IOException e) {
+ } catch (CertificateException e) {
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/common/src/com/netscape/cms/profile/def/EnrollDefault.java
new file mode 100644
index 000000000..67ebadbe4
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/EnrollDefault.java
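Review bot: In setValue, `Integer.valueOf(value)` is applied to the approval-page input with no NumberFormatException handler, and a parsed version other than V1–V3 falls off the end of the if/else-if chain with no else, so a malformed value escapes as an unchecked exception and an out-of-range one is silently ignored while the template keeps whatever version it had; populate, by contrast, throws for the out-of-range case. Parsing as `int version; try { version = Integer.parseInt(value) - 1; } catch (NumberFormatException e) { throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name)); }` and ending the chain with `else throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));` would make the two paths agree. The empty `catch (IOException e) {}` and `catch (CertificateException e) {}` in populate discard a failed info.set, so the profile continues as if the version had been applied; at minimum log them with CMS.debug as setValue does, or rethrow as EProfileException. The class Javadoc says the default "populates a Netscape comment extension", which looks copied from another default; suggest `* that populates the certificate version` in its place.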
@@ -0,0 +1,815 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.NoSuchElementException;
+import java.util.StringTokenizer;
+import java.util.Vector;
+
+import netscape.security.extensions.KerberosName;
+import netscape.security.util.DerInputStream;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.DerValue;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.DNSName;
+import netscape.security.x509.EDIPartyName;
+import netscape.security.x509.Extension;
+import netscape.security.x509.GeneralName;
+import netscape.security.x509.GeneralNameInterface;
+import netscape.security.x509.IPAddressName;
+import netscape.security.x509.OIDName;
+import netscape.security.x509.OtherName;
+import netscape.security.x509.RFC822Name;
+import netscape.security.x509.URIName;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IAttrSet;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IPrettyPrintFormat;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.pattern.Pattern;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.ICertInfoPolicyDefault;
+import com.netscape.certsrv.profile.IEnrollProfile;
+import com.netscape.certsrv.profile.IPolicyDefault;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.common.EnrollProfile;
+
+/**
+ * This class implements an enrollment default policy.
+ *
+ * @version $Revision$, $Date$
+ */
+public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDefault {
+
+ public static final String PROP_NAME = "name";
+
+ public static final String GN_RFC822_NAME = "RFC822Name";
+ public static final String GN_DNS_NAME = "DNSName";
+ public static final String GN_URI_NAME = "URIName";
+ public static final String GN_IP_NAME = "IPAddressName";
+ public static final String GN_DIRECTORY_NAME = "DirectoryName";
+ public static final String GN_EDI_NAME = "EDIPartyName";
+ public static final String GN_ANY_NAME = "OtherName";
+ public static final String GN_OID_NAME = "OIDName";
+
+ protected IConfigStore mConfig = null;
+ protected Vector mConfigNames = new Vector();
+ protected Vector mValueNames = new Vector();
+
+ public EnrollDefault() {
+ }
+
+ public Enumeration getConfigNames() {
+ return mConfigNames.elements();
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ return null;
+ }
+
+ public void addConfigName(String name) {
+ mConfigNames.addElement(name);
+ }
+
+ public void setConfig(String name, String value)
+ throws EPropertyException {
+ if (mConfig.getSubStore("params") == null) {
+ //
+ } else {
+ 
mConfig.getSubStore("params").putString(name, value);
+ }
+ }
+
+ public String getConfig(String name) {
+ try {
+ if (mConfig == null)
+ return null;
+ if (mConfig.getSubStore("params") != null) {
+ return mConfig.getSubStore("params").getString(name);
+ }
+ } catch (EBaseException e) {
+ }
+ return "";
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ mConfig = config;
+ }
+
+ /**
+ * Retrieves the localizable description of this policy.
+ *
+ * @param locale locale of the end user
+ * @return localized description of this default policy
+ */
+ public abstract String getText(Locale locale);
+
+ public IConfigStore getConfigStore() {
+ return mConfig;
+ }
+
+ public String getName(Locale locale) {
+ try {
+ return mConfig.getString(PROP_NAME);
+ } catch (EBaseException e) {
+ return null;
+ }
+ }
+
+ /**
+ * Populates attributes into the certificate template.
+ *
+ * @param request enrollment request
+ * @param info certificate template
+ * @exception EProfileException failed to populate attributes
+ * into request
+ */
+ public abstract void populate(IRequest request, X509CertInfo info)
+ throws EProfileException;
+
+ /**
+ * Sets values from the approval page into certificate template.
+ *
+ * @param name name of the attribute
+ * @param locale user locale
+ * @param info certificate template
+ * @param value attribute value
+ * @exception EProfileException failed to set attributes
+ * into request
+ */
+ public abstract void setValue(String name, Locale locale,
+ X509CertInfo info, String value)
+ throws EPropertyException;
+
+ /**
+ * Retrieves certificate template values and returns them to
+ * the approval page.
+ *
+ * @param name name of the attribute
+ * @param locale user locale
+ * @param info certificate template
+ * @exception EProfileException failed to get attributes
+ * from request
+ */
+ public abstract String getValue(String name, Locale locale,
+ X509CertInfo info)
+ throws EPropertyException;
+
+ /**
+ * Populates the request with this policy default.
+ *
+ * The current implementation extracts enrollment specific attributes
+ * and calls the populate() method of the subclass.
+ *
+ * @param request request to be populated
+ * @exception EProfileException failed to populate
+ */
+ public void populate(IRequest request)
+ throws EProfileException {
+ String name = getClass().getName();
+
+ name = name.substring(name.lastIndexOf('.') + 1);
+ CMS.debug(name + ": populate start");
+ X509CertInfo info =
+ request.getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO);
+
+ populate(request, info);
+
+ request.setExtData(IEnrollProfile.REQUEST_CERTINFO, info);
+ CMS.debug(name + ": populate end");
+ }
+
+ public void addValueName(String name) {
+ mValueNames.addElement(name);
+ }
+
+ public Enumeration getValueNames() {
+ return mValueNames.elements();
+ }
+
+ public IDescriptor getValueDescriptor(String name) {
+ return null;
+ }
+
+ /**
+ * Sets the value of the given value property by name.
+ *
+ * The current implementation extracts enrollment specific attributes
+ * and calls the setValue() method of the subclass.
+ *
+ * @param name name of property
+ * @param locale locale of the end user
+ * @param request request
+ * @param value value to be set in the given request
+ * @exception EPropertyException failed to set property
+ */
+ public void setValue(String name, Locale locale, IRequest request,
+ String value)
+ throws EPropertyException {
+ X509CertInfo info =
+ request.getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO);
+
+ setValue(name, locale, info, value);
+
+ request.setExtData(IEnrollProfile.REQUEST_CERTINFO, info);
+ }
+
+ /**
+ * Retrieves the value of the given value
+ * property by name.
+ *
+ * The current implementation extracts enrollment specific attributes
+ * and calls the getValue() method of the subclass.
+ *
+ * @param name name of property
+ * @param locale locale of the end user
+ * @param request request
+ * @exception EPropertyException failed to get property
+ */
+ public String getValue(String name, Locale locale, IRequest request)
+ throws EPropertyException {
+ X509CertInfo info =
+ request.getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO);
+
+ String value = getValue(name, locale, info);
+ request.setExtData(IEnrollProfile.REQUEST_CERTINFO, info);
+ return value;
+ }
+
+ public String toHexString(byte data[]) {
+ IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":");
+ String s = pp.toHexString(data, 0, 16);
+ StringTokenizer st = new StringTokenizer(s, "\n");
+ StringBuffer buffer = new StringBuffer();
+
+ while (st.hasMoreTokens()) {
+ buffer.append(st.nextToken());
+ buffer.append("\\n");
+ }
+ return buffer.toString();
+ }
+
+ protected void refreshConfigAndValueNames() {
+ mConfigNames.removeAllElements();
+ mValueNames.removeAllElements();
+ }
+
+ protected void deleteExtension(String name, X509CertInfo info) {
+ CertificateExtensions exts = null;
+
+ try {
+ exts = (CertificateExtensions)
+ info.get(X509CertInfo.EXTENSIONS);
+ if (exts == null)
+ return;
+ Enumeration e = exts.getNames();
+
+ while (e.hasMoreElements()) {
+ 
String n = e.nextElement();
+ Extension ext = (Extension) exts.get(n);
+
+ if (ext.getExtensionId().toString().equals(name)) {
+ exts.delete(n);
+ }
+ }
+ } catch (Exception e) {
+ CMS.debug(e.toString());
+ }
+ }
+
+ protected Extension getExtension(String name, X509CertInfo info) {
+ CertificateExtensions exts = null;
+
+ try {
+ exts = (CertificateExtensions)
+ info.get(X509CertInfo.EXTENSIONS);
+ } catch (Exception e) {
+ CMS.debug("EnrollDefault: getExtension " + e.toString());
+ }
+ if (exts == null)
+ return null;
+ return getExtension(name, exts);
+ }
+
+ protected Extension getExtension(String name, CertificateExtensions exts) {
+ if (exts == null)
+ return null;
+ Enumeration e = exts.getAttributes();
+
+ while (e.hasMoreElements()) {
+ Extension ext = e.nextElement();
+
+ if (ext.getExtensionId().toString().equals(name)) {
+ return ext;
+ }
+ }
+ return null;
+ }
+
+ protected void addExtension(String name, Extension ext, X509CertInfo info)
+ throws EProfileException {
+ if (ext == null) {
+ throw new EProfileException("extension not found");
+ }
+ CertificateExtensions exts = null;
+
+ Extension alreadyPresentExtension = getExtension(name, info);
+
+ if (alreadyPresentExtension != null) {
+ String eName = ext.toString();
+ CMS.debug("EnrollDefault.addExtension: duplicate extension attempted! 
Name: " + eName);
+ throw new EProfileException(CMS.getUserMessage("CMS_PROFILE_DUPLICATE_EXTENSION", eName));
+ }
+
+ try {
+ exts = (CertificateExtensions)
+ info.get(X509CertInfo.EXTENSIONS);
+ } catch (Exception e) {
+ CMS.debug("EnrollDefault: " + e.toString());
+ }
+ if (exts == null) {
+ throw new EProfileException("extensions not found");
+ }
+ try {
+ exts.set(name, ext);
+ } catch (IOException e) {
+ CMS.debug("EnrollDefault: " + e.toString());
+ }
+ }
+
+ protected void replaceExtension(String name, Extension ext, X509CertInfo info)
+ throws EProfileException {
+ deleteExtension(name, info);
+ addExtension(name, ext, info);
+ }
+
+ protected boolean isOptional(String value) {
+ return value.equals("");
+ }
+
+ protected boolean getBoolean(String value) {
+ return Boolean.valueOf(value).booleanValue();
+ }
+
+ protected int getInt(String value) {
+ return Integer.valueOf(value).intValue();
+ }
+
+ protected boolean getConfigBoolean(String value) {
+ return getBoolean(getConfig(value));
+ }
+
+ protected int getConfigInt(String value) {
+ return getInt(getConfig(value));
+ }
+
+ protected boolean isGeneralNameValid(String name) {
+ if (name == null)
+ return false;
+ int pos = name.indexOf(':');
+ if (pos == -1)
+ return false;
+ String nameValue = name.substring(pos + 1).trim();
+ if (nameValue.equals(""))
+ return false;
+ return true;
+ }
+
+ protected GeneralNameInterface parseGeneralName(String name)
+ throws IOException {
+ int pos = name.indexOf(':');
+ if (pos == -1)
+ return null;
+ String nameType = name.substring(0, pos).trim();
+ String nameValue = name.substring(pos + 1).trim();
+ return parseGeneralName(nameType, nameValue);
+ }
+
+ protected boolean isGeneralNameType(String nameType) {
+ if (nameType.equalsIgnoreCase("RFC822Name")) {
+ return true;
+ }
+ if (nameType.equalsIgnoreCase("DNSName")) {
+ return true;
+ }
+ if (nameType.equalsIgnoreCase("x400")) {
+ return true;
+ }
+ if (nameType.equalsIgnoreCase("DirectoryName")) {
+ return 
true;
+ }
+ if (nameType.equalsIgnoreCase("EDIPartyName")) {
+ return true;
+ }
+ if (nameType.equalsIgnoreCase("URIName")) {
+ return true;
+ }
+ if (nameType.equalsIgnoreCase("IPAddress")) {
+ return true;
+ }
+ if (nameType.equalsIgnoreCase("OIDName")) {
+ return true;
+ }
+ if (nameType.equalsIgnoreCase("OtherName")) {
+ return true;
+ }
+ return false;
+ }
+
+ protected GeneralNameInterface parseGeneralName(String nameType, String nameValue)
+ throws IOException {
+ if (nameType.equalsIgnoreCase("RFC822Name")) {
+ return new RFC822Name(nameValue);
+ }
+ if (nameType.equalsIgnoreCase("DNSName")) {
+ return new DNSName(nameValue);
+ }
+ if (nameType.equalsIgnoreCase("x400")) {
+ // XXX
+ }
+ if (nameType.equalsIgnoreCase("DirectoryName")) {
+ return new X500Name(nameValue);
+ }
+ if (nameType.equalsIgnoreCase("EDIPartyName")) {
+ return new EDIPartyName(nameValue);
+ }
+ if (nameType.equalsIgnoreCase("URIName")) {
+ return new URIName(nameValue);
+ }
+ if (nameType.equalsIgnoreCase("IPAddress")) {
+ CMS.debug("IP Value:" + nameValue);
+ if (nameValue.indexOf('/') != -1) {
+ // CIDR support for NameConstraintsExt
+ StringTokenizer st = new StringTokenizer(nameValue, "/");
+ String addr = st.nextToken();
+ String netmask = st.nextToken();
+ CMS.debug("addr:" + addr + " netmask: " + netmask);
+ return new IPAddressName(addr, netmask);
+ } else {
+ return new IPAddressName(nameValue);
+ }
+ }
+ if (nameType.equalsIgnoreCase("OIDName")) {
+ try {
+ // check if OID
+ new ObjectIdentifier(nameValue);
+ } catch (Exception e) {
+ return null;
+ }
+ return new OIDName(nameValue);
+ }
+ if (nameType.equals("OtherName")) {
+ if (nameValue == null || nameValue.length() == 0)
+ nameValue = " ";
+ if (nameValue.startsWith("(PrintableString)")) {
+ // format: OtherName: (PrintableString)oid,value
+ int pos0 = nameValue.indexOf(')');
+ int pos1 = nameValue.indexOf(',');
+ if (pos1 == -1)
+ return null;
+ String on_oid = nameValue.substring(pos0 + 1, pos1).trim();
+ String 
on_value = nameValue.substring(pos1 + 1).trim();
+ if (isValidOID(on_oid)) {
+ return new OtherName(new ObjectIdentifier(on_oid), DerValue.tag_PrintableString, on_value);
+ } else {
+ return null;
+ }
+ } else if (nameValue.startsWith("(KerberosName)")) {
+ // Syntax: (KerberosName)Realm|NameType|NameString(s)
+ int pos0 = nameValue.indexOf(')');
+ int pos1 = nameValue.indexOf('|');
+ int pos2 = nameValue.lastIndexOf('|');
+ String realm = nameValue.substring(pos0 + 1, pos1).trim();
+ String name_type = nameValue.substring(pos1 + 1, pos2).trim();
+ String name_strings = nameValue.substring(pos2 + 1).trim();
+ Vector strings = new Vector();
+ StringTokenizer st = new StringTokenizer(name_strings, ",");
+ while (st.hasMoreTokens()) {
+ strings.addElement(st.nextToken());
+ }
+ KerberosName name = new KerberosName(realm,
+ Integer.parseInt(name_type), strings);
+ // krb5 OBJECT IDENTIFIER ::= { iso (1)
+ // org (3)
+ // dod (6)
+ // internet (1)
+ // security (5)
+ // kerberosv5 (2) }
+ // krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 }
+ return new OtherName(KerberosName.KRB5_PRINCIPAL_NAME,
+ name.toByteArray());
+ } else if (nameValue.startsWith("(IA5String)")) {
+ int pos0 = nameValue.indexOf(')');
+ int pos1 = nameValue.indexOf(',');
+ if (pos1 == -1)
+ return null;
+ String on_oid = nameValue.substring(pos0 + 1, pos1).trim();
+ String on_value = nameValue.substring(pos1 + 1).trim();
+ if (isValidOID(on_oid)) {
+ return new OtherName(new ObjectIdentifier(on_oid), DerValue.tag_IA5String, on_value);
+ } else {
+ return null;
+ }
+ } else if (nameValue.startsWith("(UTF8String)")) {
+ int pos0 = nameValue.indexOf(')');
+ int pos1 = nameValue.indexOf(',');
+ if (pos1 == -1)
+ return null;
+ String on_oid = nameValue.substring(pos0 + 1, pos1).trim();
+ String on_value = nameValue.substring(pos1 + 1).trim();
+ if (isValidOID(on_oid)) {
+ return new OtherName(new ObjectIdentifier(on_oid), DerValue.tag_UTF8String, on_value);
+ } else {
+ return null;
+ }
+ } else if 
(nameValue.startsWith("(BMPString)")) {
+ int pos0 = nameValue.indexOf(')');
+ int pos1 = nameValue.indexOf(',');
+ if (pos1 == -1)
+ return null;
+ String on_oid = nameValue.substring(pos0 + 1, pos1).trim();
+ String on_value = nameValue.substring(pos1 + 1).trim();
+ if (isValidOID(on_oid)) {
+ return new OtherName(new ObjectIdentifier(on_oid), DerValue.tag_BMPString, on_value);
+ } else {
+ return null;
+ }
+ } else if (nameValue.startsWith("(Any)")) {
+ int pos0 = nameValue.indexOf(')');
+ int pos1 = nameValue.indexOf(',');
+ if (pos1 == -1)
+ return null;
+ String on_oid = nameValue.substring(pos0 + 1, pos1).trim();
+ String on_value = nameValue.substring(pos1 + 1).trim();
+ if (isValidOID(on_oid)) {
+ CMS.debug("OID: " + on_oid + " Value:" + on_value);
+ return new OtherName(new ObjectIdentifier(on_oid), getBytes(on_value));
+ } else {
+ CMS.debug("Invalid OID " + on_oid);
+ return null;
+ }
+ } else {
+ return null;
+ }
+ }
+ return null;
+ }
+
+ /**
+ * Converts string containing pairs of characters in the range of '0'
+ * to '9', 'a' to 'f' to an array of bytes such that each pair of
+ * characters in the string represents an individual byte
+ */
+ public byte[] getBytes(String string) {
+ if (string == null)
+ return null;
+ int stringLength = string.length();
+ if ((stringLength == 0) || ((stringLength % 2) != 0))
+ return null;
+ byte[] bytes = new byte[(stringLength / 2)];
+ for (int i = 0, b = 0; i < stringLength; i += 2, ++b) {
+ String nextByte = string.substring(i, (i + 2));
+ bytes[b] = (byte) Integer.parseInt(nextByte, 0x10);
+ }
+ return bytes;
+ }
+
+ /**
+ * Check if a object identifier in string form is valid,
+ * that is a string in the form n.n.n.n and der encode and decode-able.
+ *
+ * @param oid object identifier string.
+ * @return true if the oid is valid
+ */
+ public boolean isValidOID(String oid) {
+ ObjectIdentifier v = null;
+ try {
+ v = ObjectIdentifier.getObjectIdentifier(oid);
+ } catch (Exception e) {
+ return false;
+ }
+ if (v == null)
+ return false;
+
+ // if the OID isn't valid (ex. n.n) the error isn't caught til
+ // encoding time leaving a bad request in the request queue.
+ try {
+ DerOutputStream derOut = new DerOutputStream();
+
+ derOut.putOID(v);
+ new ObjectIdentifier(new DerInputStream(derOut.toByteArray()));
+ } catch (Exception e) {
+ return false;
+ }
+ return true;
+ }
+
+ protected String buildRecords(Vector recs) throws EPropertyException {
+ StringBuffer sb = new StringBuffer();
+
+ for (int i = 0; i < recs.size(); i++) {
+ NameValuePairs pairs = recs.elementAt(i);
+
+ sb.append("Record #");
+ sb.append(i);
+ sb.append("\r\n");
+
+ for (String key : pairs.keySet()) {
+ String val = pairs.get(key);
+
+ sb.append(key);
+ sb.append(":");
+ sb.append(val);
+ sb.append("\r\n");
+ }
+ sb.append("\r\n");
+
+ }
+ return sb.toString();
+ }
+
+ protected Vector parseRecords(String value) throws EPropertyException {
+ StringTokenizer st = new StringTokenizer(value, "\r\n");
+ int num = 0;
+ Vector v = new Vector();
+ NameValuePairs nvps = null;
+
+ while (st.hasMoreTokens()) {
+ String token = st.nextToken();
+
+ if (token.equals("Record #" + num)) {
+ CMS.debug("parseRecords: Record" + num);
+ nvps = new NameValuePairs();
+ v.addElement(nvps);
+ try {
+ token = st.nextToken();
+ } catch (NoSuchElementException e) {
+ v.removeElementAt(num);
+ CMS.debug(e.toString());
+ return v;
+ }
+ num++;
+ }
+
+ if (nvps == null)
+ throw new EPropertyException("Bad Input Format");
+
+ int pos = token.indexOf(":");
+
+ if (pos <= 0) {
+ CMS.debug("parseRecords: No colon found in the input line");
+ throw new EPropertyException("Bad Input Format");
+ } else {
+ if (pos == (token.length() - 1)) {
+ nvps.put(token.substring(0, pos), "");
+ } else {
+ 
nvps.put(token.substring(0, pos), token.substring(pos + 1));
+ }
+ }
+ }
+
+ return v;
+ }
+
+ protected String getGeneralNameType(GeneralName gn)
+ throws EPropertyException {
+ int type = gn.getType();
+
+ if (type == GeneralNameInterface.NAME_RFC822)
+ return "RFC822Name";
+ else if (type == GeneralNameInterface.NAME_DNS)
+ return "DNSName";
+ else if (type == GeneralNameInterface.NAME_URI)
+ return "URIName";
+ else if (type == GeneralNameInterface.NAME_IP)
+ return "IPAddress";
+ else if (type == GeneralNameInterface.NAME_DIRECTORY)
+ return "DirectoryName";
+ else if (type == GeneralNameInterface.NAME_EDI)
+ return "EDIPartyName";
+ else if (type == GeneralNameInterface.NAME_ANY)
+ return "OtherName";
+ else if (type == GeneralNameInterface.NAME_OID)
+ return "OIDName";
+
+ throw new EPropertyException("Unsupported type: " + type);
+ }
+
+ protected String getGeneralNameValue(GeneralName gn) throws EPropertyException {
+ String s = gn.toString();
+ int type = gn.getType();
+
+ if (type == GeneralNameInterface.NAME_DIRECTORY)
+ return s;
+ else {
+ int pos = s.indexOf(":");
+
+ if (pos <= 0)
+ throw new EPropertyException("Badly formatted general name: " + s);
+ else {
+ return s.substring(pos + 1).trim();
+ }
+ }
+ }
+
+ public Locale getLocale(IRequest request) {
+ Locale locale = null;
+
+ if (request == null)
+ return null;
+
+ String language = request.getExtDataInString(
+ EnrollProfile.REQUEST_LOCALE);
+ if (language != null) {
+ locale = new Locale(language);
+ }
+ return locale;
+ }
+
+ public String toGeneralNameString(GeneralNameInterface gn) {
+ int type = gn.getType();
+ // Sun's General Name is not consistent, so we need
+ // to do a special case for directory string
+ if (type == GeneralNameInterface.NAME_DIRECTORY) {
+ return "DirectoryName: " + gn.toString();
+ }
+ return gn.toString();
+ }
+
+ protected String mapPattern(IRequest request, String pattern)
+ throws IOException {
+ Pattern p = new Pattern(pattern);
+ IAttrSet attrSet = null;
+ 
if (request != null) {
+ attrSet = request.asIAttrSet();
+ }
+ return p.substitute2("request", attrSet);
+ }
+
+ protected StringBuffer escapeValueRfc1779(String v, boolean doubleEscape) {
+ StringBuffer result = new StringBuffer();
+
+ // Do we need to escape any characters
+ for (int i = 0; i < v.length(); i++) {
+ int c = v.charAt(i);
+ if (c == ',' || c == '=' || c == '+' || c == '<' ||
+ c == '>' || c == '#' || c == ';' || c == '\r' ||
+ c == '\n' || c == '\\' || c == '"') {
+ if ((c == 0x5c) && ((i + 1) < v.length())) {
+ int nextC = v.charAt(i + 1);
+ if ((c == 0x5c) && (nextC == ',' || nextC == '=' || nextC == '+' ||
+ nextC == '<' || nextC == '>' || nextC == '#' ||
+ nextC == ';' || nextC == '\r' || nextC == '\n' ||
+ nextC == '\\' || nextC == '"')) {
+ if (doubleEscape)
+ result.append('\\');
+ } else {
+ result.append('\\');
+ if (doubleEscape)
+ result.append('\\');
+ }
+ } else {
+ result.append('\\');
+ if (doubleEscape)
+ result.append('\\');
+ }
+ }
+ if (c == '\r') {
+ result.append("0D");
+ } else if (c == '\n') {
+ result.append("0A");
+ } else {
+ result.append((char) c);
+ }
+ }
+ return result;
+ }
+
+}
diff --git a/base/common/src/com/netscape/cms/profile/def/EnrollExtDefault.java b/base/common/src/com/netscape/cms/profile/def/EnrollExtDefault.java
new file mode 100644
index 000000000..24f79cdec
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/EnrollExtDefault.java
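Review bot: In parseGeneralName(String, String), the `(KerberosName)` branch of the OtherName case lacks the `pos1 == -1` guard that the PrintableString, IA5String, UTF8String, BMPString and Any branches all carry, so a value like `(KerberosName)REALM` with no `|` makes `nameValue.substring(pos0 + 1, pos1)` throw StringIndexOutOfBoundsException, a single `|` (pos1 == pos2) fails the same way on the next substring, and a non-numeric name type escapes as NumberFormatException from `Integer.parseInt(name_type)`; none of these is the declared IOException, so a caller that treats null or IOException as "bad input" never sees them, which matters if the value is derived from request attributes (mapPattern suggests it can be, though the caller is outside this hunk). A guard of `if (pos1 == -1 || pos2 == pos1) return null;` before the substrings, with the parseInt wrapped to return null on NumberFormatException, would bring it in line with the sibling branches. The IPAddress branch has the same shape: a value ending in `/` makes the second `st.nextToken()` throw NoSuchElementException, and `if (!st.hasMoreTokens()) return null;` between the two calls covers it. Separately, the OtherName case tests `nameType.equals("OtherName")` while every other type here and in isGeneralNameType uses equalsIgnoreCase, so a type isGeneralNameType accepts can still come back null from this method; `nameType.equalsIgnoreCase("OtherName")` removes the mismatch.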
@@ -0,0 +1,28 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+/**
+ * This class implements an enrollment extension
+ * default policy that extension into the certificate
+ * template.
+ *
+ * @version $Revision$, $Date$
+ */
+public abstract class EnrollExtDefault extends EnrollDefault {
+}
diff --git a/base/common/src/com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java b/base/common/src/com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java
new file mode 100644
index 000000000..f1d63a348
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java
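Review bot: The class Javadoc on EnrollExtDefault is missing its verb — "default policy that extension into the certificate template" — so it does not say what the class is for; suggest `* default policy that populates an extension into the certificate`. Since the class body is empty, this comment is the only place the purpose of the intermediate type is recorded, so it is worth getting right.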
@@ -0,0 +1,250 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.util.Enumeration; +import java.util.Locale; +import java.util.StringTokenizer; + +import netscape.security.extensions.ExtendedKeyUsageExtension; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates Extended Key Usage extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class ExtendedKeyUsageExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "exKeyUsageCritical"; + public static final String CONFIG_OIDS = "exKeyUsageOIDs"; + + public static final String VAL_CRITICAL = "exKeyUsageCritical"; + public static final String VAL_OIDS = "exKeyUsageOIDs"; + + public ExtendedKeyUsageExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_OIDS); + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_OIDS); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_OIDS)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_OIDS")); + } + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_OIDS)) { + return new Descriptor(IDescriptor.STRING_LIST, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_OIDS")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + ExtendedKeyUsageExtension ext = null; + + ext = (ExtendedKeyUsageExtension) + getExtension(ExtendedKeyUsageExtension.OID, info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + 
locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_CRITICAL)) { + ext = (ExtendedKeyUsageExtension) + getExtension(ExtendedKeyUsageExtension.OID, info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_OIDS)) { + ext = (ExtendedKeyUsageExtension) + getExtension(ExtendedKeyUsageExtension.OID, info); + // ext.deleteAllOIDs(); + StringTokenizer st = new StringTokenizer(value, ","); + + if (ext == null) { + return; + } + while (st.hasMoreTokens()) { + String oid = st.nextToken(); + + ext.addOID(new ObjectIdentifier(oid)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + try { + replaceExtension(ExtendedKeyUsageExtension.OID, ext, info); + } catch (EProfileException e) { + CMS.debug("ExtendedKeyUsageExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ExtendedKeyUsageExtension ext = (ExtendedKeyUsageExtension) + getExtension(ExtendedKeyUsageExtension.OID, info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (ExtendedKeyUsageExtension) + getExtension(ExtendedKeyUsageExtension.OID, info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_OIDS)) { + ext = (ExtendedKeyUsageExtension) + getExtension(ExtendedKeyUsageExtension.OID, info); + StringBuffer sb = new StringBuffer(); + if (ext == null) { + return 
""; + } + Enumeration e = ext.getOIDs(); + + while (e.hasMoreElements()) { + ObjectIdentifier oid = e.nextElement(); + + if (!sb.toString().equals("")) { + sb.append(","); + } + sb.append(oid.toString()); + } + return sb.toString(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_OIDS) + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_EXTENDED_KEY_EXT", params); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + ExtendedKeyUsageExtension ext = createExtension(); + + addExtension(ExtendedKeyUsageExtension.OID, ext, info); + } + + public ExtendedKeyUsageExtension createExtension() { + ExtendedKeyUsageExtension ext = null; + + try { + ext = new ExtendedKeyUsageExtension(); + } catch (Exception e) { + CMS.debug("ExtendedKeyUsageExtDefault: createExtension " + + e.toString()); + } + if (ext == null) + return null; + boolean critical = getBoolean(getConfig(CONFIG_CRITICAL)); + + ext.setCritical(critical); + StringTokenizer st = new StringTokenizer(getConfig(CONFIG_OIDS), ","); + + while (st.hasMoreTokens()) { + String oid = st.nextToken(); + + ext.addOID(new ObjectIdentifier(oid)); + } + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/FreshestCRLExtDefault.java b/base/common/src/com/netscape/cms/profile/def/FreshestCRLExtDefault.java new file mode 100644 index 000000000..acbbd1089 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/FreshestCRLExtDefault.java 
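Review bot: `populate` hands the result of `createExtension()` straight to `addExtension`, but `createExtension` returns `null` whenever the `ExtendedKeyUsageExtension` constructor throws (the failure is only logged through `CMS.debug`), so a failed extension build is not reported as an `EProfileException` at the point where the template is populated; a null check before `addExtension` — rejecting with an `EProfileException`, or at least the `if (ext == null) return;` that the sibling `FreshestCRLExtDefault.populate` uses — makes the failure explicit. In `setValue`, the `VAL_OIDS` branch adds every token to the extension already present in `info` because `ext.deleteAllOIDs()` is commented out, so a second `setValue` call accumulates OIDs instead of replacing the list; if appending is intended, a comment saying so would help, otherwise the existing list should be cleared first. The tokens from `StringTokenizer(value, ",")` are not trimmed, so a value with spaces after the commas presumably reaches `new ObjectIdentifier(oid)` with a leading blank — worth a `.trim()` if that constructor is strict. `getValue` declares the enumeration raw (`Enumeration e = ext.getOIDs();`) while assigning its elements to `ObjectIdentifier`; `Enumeration<ObjectIdentifier> e = ext.getOIDs();` states the type the code relies on.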
@@ -0,0 +1,584 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CRLDistributionPoint; +import netscape.security.x509.FreshestCRLExtension; +import netscape.security.x509.GeneralName; +import netscape.security.x509.GeneralNames; +import netscape.security.x509.GeneralNamesException; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates Freshest CRL extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class FreshestCRLExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "freshestCRLCritical"; + public static final String CONFIG_NUM_POINTS = "freshestCRLPointNum"; + public static final String CONFIG_POINT_TYPE = "freshestCRLPointType_"; + public static final String CONFIG_POINT_NAME = "freshestCRLPointName_"; + public static final String CONFIG_ISSUER_TYPE = "freshestCRLPointIssuerType_"; + public static final String CONFIG_ISSUER_NAME = "freshestCRLPointIssuerName_"; + public static final String CONFIG_ENABLE = "freshestCRLPointEnable_"; + + public static final String VAL_CRITICAL = "freshestCRLCritical"; + public static final String VAL_CRL_DISTRIBUTION_POINTS = + "freshestCRLPointsValue"; + + private static final String POINT_TYPE = "Point Type"; + private static final String POINT_NAME = "Point Name"; + private static final String ISSUER_TYPE = "Issuer Type"; + private static final String ISSUER_NAME = "Issuer Name"; + private static final String ENABLE = "Enable"; + + private static final int DEF_NUM_POINTS = 1; + private static final int MAX_NUM_POINTS = 100; + + public FreshestCRLExtDefault() { + super(); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + refreshConfigAndValueNames(); + } + + protected int getNumPoints() { + int num = DEF_NUM_POINTS; + String val = getConfig(CONFIG_NUM_POINTS); + + if (val != null) { + try { + num = Integer.parseInt(val); + } catch (NumberFormatException e) { + // ignore + } + } + + if (num >= MAX_NUM_POINTS) + num = DEF_NUM_POINTS; + + return num; + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(CONFIG_NUM_POINTS)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_POINTS || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_POINTS)); 
+ } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_POINTS)); + } + } + super.setConfig(name, value); + } + + public Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void refreshConfigAndValueNames() { + //refesh our config name list + + super.refreshConfigAndValueNames(); + addValueName(VAL_CRITICAL); + addValueName(VAL_CRL_DISTRIBUTION_POINTS); + + addConfigName(CONFIG_CRITICAL); + int num = getNumPoints(); + + addConfigName(CONFIG_NUM_POINTS); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_POINT_TYPE + i); + addConfigName(CONFIG_POINT_NAME + i); + addConfigName(CONFIG_ISSUER_TYPE + i); + addConfigName(CONFIG_ISSUER_NAME + i); + addConfigName(CONFIG_ENABLE + i); + } + + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_POINT_TYPE)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POINT_TYPE")); + } else if (name.startsWith(CONFIG_POINT_NAME)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POINT_NAME")); + } else if (name.startsWith(CONFIG_ISSUER_TYPE)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ISSUER_TYPE")); + } else if (name.startsWith(CONFIG_ISSUER_NAME)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ISSUER_NAME")); + } else if (name.startsWith(CONFIG_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ENABLE")); + } else if (name.startsWith(CONFIG_NUM_POINTS)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + 
CMS.getUserMessage(locale, "CMS_PROFILE_NUM_DIST_POINTS")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_CRL_DISTRIBUTION_POINTS)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_CRL_DISTRIBUTION_POINTS")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + FreshestCRLExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (FreshestCRLExtension) + getExtension(FreshestCRLExtension.OID, + info); + + if (ext == null) { + populate(locale, info); + } + + if (name.equals(VAL_CRITICAL)) { + ext = (FreshestCRLExtension) + getExtension(FreshestCRLExtension.OID, + info); + boolean val = Boolean.valueOf(value).booleanValue(); + + ext.setCritical(val); + } else if (name.equals(VAL_CRL_DISTRIBUTION_POINTS)) { + ext = (FreshestCRLExtension) + getExtension(FreshestCRLExtension.OID, + info); + + Vector v = parseRecords(value); + int size = v.size(); + + boolean critical = ext.isCritical(); + int i = 0; + + for (; i < size; i++) { + NameValuePairs nvps = v.elementAt(i); + String pointType = null; + String pointValue = null; + String issuerType = null; + String issuerValue = null; + String enable = null; + CRLDistributionPoint cdp = new CRLDistributionPoint(); + + for (String name1 : nvps.keySet()) { + + if (name1.equals(POINT_TYPE)) { + pointType = nvps.get(name1); + } else if (name1.equals(POINT_NAME)) { + pointValue = nvps.get(name1); + } else if (name1.equals(ISSUER_TYPE)) { + issuerType = nvps.get(name1); + } else if (name1.equals(ISSUER_NAME)) { + issuerValue = 
nvps.get(name1); + } else if (name1.equals(ENABLE)) { + enable = nvps.get(name1); + } + } + + if (enable != null && enable.equals("true")) { + if (pointType != null) + addCRLPoint(locale, cdp, pointType, pointValue); + if (issuerType != null) + addIssuer(locale, cdp, issuerType, issuerValue); + + // this is the first distribution point + if (i == 0) { + ext = new FreshestCRLExtension(cdp); + ext.setCritical(critical); + } else { + ext.addPoint(cdp); + } + } + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(PKIXExtensions.FreshestCRL_Id.toString(), + ext, info); + } catch (EProfileException e) { + CMS.debug("FreshestCRLExtDefault: setValue " + + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + private void addCRLPoint(Locale locale, CRLDistributionPoint cdp, String type, + String value) throws EPropertyException { + try { + if (value == null || value.length() == 0) + return; + + if (isGeneralNameType(type)) { + GeneralNames gen = new GeneralNames(); + + gen.addElement(parseGeneralName(type, value)); + cdp.setFullName(gen); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } + } catch (IOException e) { + CMS.debug("FreshestCRLExtDefault: addCRLPoint " + + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } catch (GeneralNamesException e) { + CMS.debug("FreshestCRLExtDefault: addCRLPoint " + + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } + } + + private void addIssuer(Locale locale, CRLDistributionPoint cdp, String type, + String value) throws EPropertyException { + if (value == null || value.length() == 0) + return; + try { + if (isGeneralNameType(type)) { + GeneralNames gen = new GeneralNames(); + + 
gen.addElement(parseGeneralName(type, value)); + cdp.setCRLIssuer(gen); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } + } catch (IOException e) { + CMS.debug("FreshestCRLExtDefault: addIssuer " + + e.toString()); + } catch (GeneralNamesException e) { + CMS.debug("FreshestCRLExtDefault: addIssuer " + + e.toString()); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + FreshestCRLExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (FreshestCRLExtension) + getExtension(FreshestCRLExtension.OID, + info); + if (ext == null) { + try { + populate(locale, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (FreshestCRLExtension) + getExtension(FreshestCRLExtension.OID, + info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_CRL_DISTRIBUTION_POINTS)) { + ext = (FreshestCRLExtension) + getExtension(FreshestCRLExtension.OID, + info); + + if (ext == null) + return ""; + + Vector recs = new Vector(); + int num = getNumPoints(); + for (int i = 0; i < num; i++) { + NameValuePairs pairs = null; + + if (i < ext.getNumPoints()) { + CRLDistributionPoint p = ext.getPointAt(i); + GeneralNames gns = p.getFullName(); + + pairs = buildGeneralNames(gns, p); + } else { + pairs = buildEmptyGeneralNames(); + } + recs.addElement(pairs); + } + + return buildRecords(recs); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + protected NameValuePairs buildEmptyGeneralNames() { + NameValuePairs pairs = new NameValuePairs(); + + pairs.put(POINT_TYPE, ""); + pairs.put(POINT_NAME, 
""); + pairs.put(ISSUER_TYPE, ""); + pairs.put(ISSUER_NAME, ""); + pairs.put(ENABLE, "false"); + return pairs; + } + + protected NameValuePairs buildGeneralNames(GeneralNames gns, CRLDistributionPoint p) + throws EPropertyException { + + NameValuePairs pairs = new NameValuePairs(); + + boolean hasFullName = false; + + pairs.put(ENABLE, "true"); + if (gns == null) { + pairs.put(POINT_TYPE, ""); + pairs.put(POINT_NAME, ""); + } else { + GeneralName gn = (GeneralName) gns.elementAt(0); + + if (gn != null) { + hasFullName = true; + + pairs.put(POINT_TYPE, getGeneralNameType(gn)); + pairs.put(POINT_NAME, getGeneralNameValue(gn)); + } + } + + if (!hasFullName) { + pairs.put(POINT_TYPE, GN_DIRECTORY_NAME); + pairs.put(POINT_NAME, ""); + } + + gns = p.getCRLIssuer(); + + if (gns == null) { + pairs.put(ISSUER_TYPE, GN_DIRECTORY_NAME); + pairs.put(ISSUER_NAME, ""); + } else { + GeneralName gn = (GeneralName) gns.elementAt(0); + + if (gn != null) { + hasFullName = true; + + pairs.put(ISSUER_TYPE, getGeneralNameType(gn)); + pairs.put(ISSUER_NAME, getGeneralNameValue(gn)); + } + } + return pairs; + } + + public String getText(Locale locale) { + StringBuffer sb = new StringBuffer(); + int num = getNumPoints(); + + for (int i = 0; i < num; i++) { + sb.append("Record #"); + sb.append(i); + sb.append("{"); + sb.append(POINT_TYPE + ":"); + sb.append(getConfig(CONFIG_POINT_TYPE + i)); + sb.append(","); + sb.append(POINT_NAME + ":"); + sb.append(getConfig(CONFIG_POINT_NAME + i)); + sb.append(","); + sb.append(ISSUER_TYPE + ":"); + sb.append(getConfig(CONFIG_ISSUER_TYPE + i)); + sb.append(","); + sb.append(ISSUER_NAME + ":"); + sb.append(getConfig(CONFIG_ISSUER_NAME + i)); + sb.append(","); + sb.append(ENABLE + ":"); + sb.append(getConfig(CONFIG_ENABLE + i)); + sb.append("}"); + } + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_FRESHEST_CRL_EXT", + getConfig(CONFIG_CRITICAL), + sb.toString()); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + FreshestCRLExtension ext = createExtension(request); + + if (ext == null) + return; + addExtension(FreshestCRLExtension.OID, ext, info); + } + + public FreshestCRLExtension createExtension(IRequest request) { + FreshestCRLExtension ext = new FreshestCRLExtension(); + int num = 0; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + ext.setCritical(critical); + + num = getNumPoints(); + for (int i = 0; i < num; i++) { + CRLDistributionPoint cdp = new CRLDistributionPoint(); + + String enable = getConfig(CONFIG_ENABLE + i); + String pointType = getConfig(CONFIG_POINT_TYPE + i); + String pointName = getConfig(CONFIG_POINT_NAME + i); + String issuerType = getConfig(CONFIG_ISSUER_TYPE + i); + String issuerName = getConfig(CONFIG_ISSUER_NAME + i); + + if (enable != null && enable.equals("true")) { + if (pointType != null) + addCRLPoint(getLocale(request), cdp, pointType, pointName); + if (issuerType != null) + addIssuer(getLocale(request), cdp, issuerType, issuerName); + + ext.addPoint(cdp); + } + } + } catch (Exception e) { + CMS.debug("FreshestCRLExtDefault: createExtension " + + e.toString()); + } + + return ext; + } + + /** + * Populates the request with this policy default. 
+ */ + private void populate(Locale locale, X509CertInfo info) + throws EProfileException { + FreshestCRLExtension ext = createExtension(locale); + + if (ext == null) + return; + addExtension(FreshestCRLExtension.OID, ext, info); + } + + public FreshestCRLExtension createExtension(Locale locale) { + FreshestCRLExtension ext = new FreshestCRLExtension(); + int num = 0; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + ext.setCritical(critical); + + num = getNumPoints(); + for (int i = 0; i < num; i++) { + CRLDistributionPoint cdp = new CRLDistributionPoint(); + + String enable = getConfig(CONFIG_ENABLE + i); + String pointType = getConfig(CONFIG_POINT_TYPE + i); + String pointName = getConfig(CONFIG_POINT_NAME + i); + String issuerType = getConfig(CONFIG_ISSUER_TYPE + i); + String issuerName = getConfig(CONFIG_ISSUER_NAME + i); + + if (enable != null && enable.equals("true")) { + if (pointType != null) + addCRLPoint(locale, cdp, pointType, pointName); + if (issuerType != null) + addIssuer(locale, cdp, issuerType, issuerName); + + ext.addPoint(cdp); + } + } + } catch (Exception e) { + CMS.debug("FreshestCRLExtDefault: createExtension " + + e.toString()); + } + + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/GenericExtDefault.java b/base/common/src/com/netscape/cms/profile/def/GenericExtDefault.java new file mode 100644 index 000000000..1797091b7 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/GenericExtDefault.java 
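Review bot: In `setValue`, the `VAL_CRL_DISTRIBUTION_POINTS` branch only replaces the extension when the enabled record is at index 0 (`if (i == 0) { ext = new FreshestCRLExtension(cdp); ... }`); when record 0 is disabled and a later record is enabled, that point is appended with `ext.addPoint(cdp)` to the extension already in `info`, so the previously populated points survive the update. Tracking the first enabled record with a flag fixes it: `boolean created = false;` before the loop, `if (!created) {` in place of `if (i == 0) {`, and `created = true;` after `ext.setCritical(critical);`. Both value branches of `setValue` dereference `ext` right after `populate(locale, info)` without the null check that `getValue` performs, so a template in which the extension could not be added fails with a `NullPointerException` rather than an `EPropertyException`. `addIssuer` catches `IOException` and `GeneralNamesException` and only logs them, whereas `addCRLPoint` turns the same failures into `EPropertyException`; a malformed issuer name therefore yields a distribution point with no CRL issuer and no error to the caller, so rethrowing as `addCRLPoint` does is the safer behaviour. `Vector v = parseRecords(value);` and `Vector recs = new Vector();` are raw types used as `Vector<NameValuePairs>`; declaring them so documents the element type and removes the unchecked warnings.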
@@ -0,0 +1,260 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.util.Locale; + +import netscape.security.util.DerOutputStream; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.Extension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a Netscape comment extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class GenericExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "genericExtCritical"; + public static final String CONFIG_OID = "genericExtOID"; + public static final String CONFIG_DATA = "genericExtData"; + + public static final String VAL_CRITICAL = "genericExtCritical"; + public static final String VAL_DATA = "genericExtData"; + + public GenericExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_DATA); + + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_OID); + addConfigName(CONFIG_DATA); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_OID)) { + return new Descriptor(IDescriptor.STRING, null, + "Comment Here...", + CMS.getUserMessage(locale, "CMS_PROFILE_OID")); + } else if (name.equals(CONFIG_DATA)) { + return new Descriptor(IDescriptor.STRING, null, + "Comment Here...", + CMS.getUserMessage(locale, "CMS_PROFILE_EXT_VALUE")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_DATA)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_EXT_VALUE")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + Extension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, 
"CMS_INVALID_PROPERTY", name)); + } + + ObjectIdentifier oid = new ObjectIdentifier(getConfig(CONFIG_OID)); + + ext = (Extension) + getExtension(oid.toString(), info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + ext = (Extension) + getExtension(oid.toString(), info); + if (ext == null) { + return; + } + boolean val = Boolean.valueOf(value).booleanValue(); + ext.setCritical(val); + } else if (name.equals(VAL_DATA)) { + ext = (Extension) + getExtension(oid.toString(), info); + if (ext == null) { + return; + } + byte data[] = getBytes(value); + ext.setExtensionValue(data); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(ext.getExtensionId().toString(), ext, info); + } catch (EProfileException e) { + CMS.debug("GenericExtDefault: setValue " + e.toString()); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + Extension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ObjectIdentifier oid = new ObjectIdentifier(getConfig(CONFIG_OID)); + + ext = (Extension) + getExtension(oid.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + + ext = (Extension) + getExtension(oid.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_DATA)) { + + ext = (Extension) + getExtension(oid.toString(), info); + + if (ext == null) + return ""; + + byte data[] = ext.getExtensionValue(); + + if (data == null) + return ""; + + return toStr(data); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, 
"CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_OID), + getConfig(CONFIG_DATA) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_GENERIC_EXT", params); + } + + public String toStr(byte data[]) { + StringBuffer b = new StringBuffer(); + for (int i = 0; i < data.length; i++) { + if ((data[i] & 0xff) < 16) { + b.append("0"); + } + b.append(Integer.toString((int) (data[i] & 0xff), 0x10)); + } + return b.toString(); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + Extension ext = createExtension(request); + + addExtension(ext.getExtensionId().toString(), ext, info); + } + + public Extension createExtension(IRequest request) { + Extension ext = null; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + ObjectIdentifier oid = new ObjectIdentifier(getConfig(CONFIG_OID)); + byte data[] = null; + + if (request == null) { + data = getBytes(getConfig(CONFIG_DATA)); + } else { + data = getBytes(mapPattern(request, getConfig(CONFIG_DATA))); + } + + DerOutputStream out = new DerOutputStream(); + out.putOctetString(data); + + ext = new Extension(oid, critical, out.toByteArray()); + } catch (Exception e) { + CMS.debug("GenericExtDefault: createExtension " + + e.toString()); + } + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/ImageDefault.java b/base/common/src/com/netscape/cms/profile/def/ImageDefault.java new file mode 100644 index 000000000..16a7ac402 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/ImageDefault.java 
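Review bot: `setValue` catches the `EProfileException` thrown by `replaceExtension` (and by the `populate(null, info)` call inside the same `try`) and only logs it with `CMS.debug("GenericExtDefault: setValue " + e.toString());`, so a value the caller believes was applied can silently be absent from the certificate template; the sibling defaults rethrow here, e.g. `throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));`. `populate` calls `ext.getExtensionId()` on the result of `createExtension`, which returns `null` whenever building the extension fails (an unparsable `CONFIG_OID` value, for instance), so that configuration error surfaces as a `NullPointerException` instead of an `EProfileException`; a null check before `addExtension` is needed. The class Javadoc says the default "populates a Netscape comment extension", which does not describe this code — it builds an extension from an arbitrary configured OID and octet-string data; suggest `* that populates an arbitrary extension, identified by a configured OID and carrying configured octet-string data, into the certificate template.`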
@@ -0,0 +1,105 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.util.Locale; + +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that shows an image in the approval page. 
+ * + * @version $Revision$, $Date$ + */ +public class ImageDefault extends EnrollDefault { + + public static final String INPUT_IMAGE_URL = "image_url"; + + public static final String VAL_IMAGE_URL = "pd_image_url"; + + public ImageDefault() { + super(); + addValueName(VAL_IMAGE_URL); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_IMAGE_URL)) { + return new Descriptor(IDescriptor.IMAGE_URL, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_IMAGE")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + } + + public String getValue(String name, Locale locale, IRequest request) + throws EPropertyException { + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + if (name.equals(VAL_IMAGE_URL)) { + return request.getExtDataInString(INPUT_IMAGE_URL); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + return null; + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_IMAGE"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/InhibitAnyPolicyExtDefault.java b/base/common/src/com/netscape/cms/profile/def/InhibitAnyPolicyExtDefault.java new file mode 100644 index 000000000..97cfb3ff4 --- /dev/null 
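Review bot: `getValue(String, Locale, IRequest)` returns `request.getExtDataInString(INPUT_IMAGE_URL)` verbatim, i.e. a URL taken from the enrollment request's ext data, and the `IDescriptor.IMAGE_URL` descriptor indicates the approval page renders it. If that rendering is an `<img src>` or a link, nothing in this class stops a requester from supplying a `javascript:` or arbitrary external URL, so the value should be restricted to `http`/`https` (or a configured host) before it is returned, or the renderer must treat it as untrusted — the JSP/template is not visible from this hunk. A null `request` also throws NullPointerException here; a guard such as `if (request == null) return null;` before the lookup matches the null-tolerant style of the other accessors. A class-level comment stating that this default stores nothing in the certificate and only affects the approval UI would also help, since `setValue`, `populate` and the `X509CertInfo` `getValue` are deliberate no-ops.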
+++ b/base/common/src/com/netscape/cms/profile/def/InhibitAnyPolicyExtDefault.java 
@@ -0,0 +1,271 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.math.BigInteger; +import java.util.Locale; + +import netscape.security.extensions.InhibitAnyPolicyExtension; +import netscape.security.util.BigInt; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an inhibit Any-Policy extension + * + * @version $Revision$, $Date$ + */ +public class InhibitAnyPolicyExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "critical"; + public static final String CONFIG_SKIP_CERTS = "skipCerts"; + + public static final String VAL_CRITICAL = "critical"; + public static final String VAL_SKIP_CERTS = "skipCerts"; + + private static final String SKIP_CERTS = "Skip Certs"; + private static final String GN_PATTERN = "Pattern"; + + 
public InhibitAnyPolicyExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_SKIP_CERTS); + + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_SKIP_CERTS); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "true", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_SKIP_CERTS)) { + return new Descriptor(IDescriptor.INTEGER, null, "0", + CMS.getUserMessage(locale, "CMS_PROFILE_SKIP_CERTS")); + } else { + return null; + } + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (name.equals(CONFIG_SKIP_CERTS)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_SKIP_CERTS)); + } + } + super.setConfig(name, value); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "true", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_SKIP_CERTS)) { + return new Descriptor(IDescriptor.INTEGER, null, "0", + CMS.getUserMessage(locale, "CMS_PROFILE_SKIP_CERTS")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + InhibitAnyPolicyExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (InhibitAnyPolicyExtension) + getExtension(InhibitAnyPolicyExtension.OID, info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + ext = (InhibitAnyPolicyExtension) + 
getExtension(InhibitAnyPolicyExtension.OID, info); + + if (ext == null) { + // it is ok, the extension is never populated or delted + return; + } + boolean critical = Boolean.valueOf(value).booleanValue(); + + ext.setCritical(critical); + } else if (name.equals(VAL_SKIP_CERTS)) { + ext = (InhibitAnyPolicyExtension) + getExtension(InhibitAnyPolicyExtension.OID, info); + + if (ext == null) { + // it is ok, the extension is never populated or delted + return; + } + boolean critical = ext.isCritical(); + if (value.equals("")) { + // if value is empty, do not add this extension + deleteExtension(InhibitAnyPolicyExtension.OID, info); + return; + } + BigInt num = null; + try { + BigInteger l = new BigInteger(value); + num = new BigInt(l); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + ext = new InhibitAnyPolicyExtension(critical, + num); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + replaceExtension(InhibitAnyPolicyExtension.OID, ext, info); + } catch (EProfileException e) { + CMS.debug("InhibitAnyPolicyExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + InhibitAnyPolicyExtension ext = + (InhibitAnyPolicyExtension) + getExtension(InhibitAnyPolicyExtension.OID, info); + + if (ext == null) { + try { + populate(null, info); + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + if (name.equals(VAL_CRITICAL)) { + ext = (InhibitAnyPolicyExtension) + getExtension(InhibitAnyPolicyExtension.OID, info); + + if (ext == null) { + return null; + } + 
if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_SKIP_CERTS)) { + ext = (InhibitAnyPolicyExtension) + getExtension(InhibitAnyPolicyExtension.OID, info); + if (ext == null) { + return null; + } + + BigInt n = ext.getSkipCerts(); + return "" + n.toInt(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + /* + * returns text that goes into description for this extension on + * a profile + */ + public String getText(Locale locale) { + StringBuffer sb = new StringBuffer(); + sb.append(SKIP_CERTS + ":"); + sb.append(getConfig(CONFIG_SKIP_CERTS)); + + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_INHIBIT_ANY_POLICY_EXT", + getConfig(CONFIG_CRITICAL), sb.toString()); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + InhibitAnyPolicyExtension ext = null; + + ext = createExtension(request); + addExtension(InhibitAnyPolicyExtension.OID, ext, info); + } + + public InhibitAnyPolicyExtension createExtension(IRequest request) + throws EProfileException { + InhibitAnyPolicyExtension ext = null; + + boolean critical = Boolean.valueOf( + getConfig(CONFIG_CRITICAL)).booleanValue(); + + String str = getConfig(CONFIG_SKIP_CERTS); + if (str == null || str.equals("")) { + ext = new InhibitAnyPolicyExtension(); + ext.setCritical(critical); + } else { + BigInt val = null; + try { + BigInteger b = new BigInteger(str); + val = new BigInt(b); + } catch (NumberFormatException e) { + throw new EProfileException( + CMS.getUserMessage("CMS_PROFILE_INHIBIT_ANY_POLICY_WRONG_SKIP_CERTS")); + } + + try { + ext = new InhibitAnyPolicyExtension(critical, val); + } catch (Exception e) { + CMS.debug(e.toString()); + } + } + + return ext; + } +} 
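Review bot: Negative skip-cert counts are accepted: `setConfig` only checks that `Integer.parseInt(value)` succeeds, and both `setValue` and `createExtension` build the `BigInt` from `new BigInteger(...)` with no range check, while RFC 5280 §4.2.1.14 defines `SkipCerts ::= INTEGER (0..MAX)`. In `setConfig` replace the bare parse with `int n = Integer.parseInt(value); if (n < 0) throw new EPropertyException(CMS.getUserMessage("CMS_INVALID_PROPERTY", CONFIG_SKIP_CERTS));` and reject `b.signum() < 0` in the same way where `setValue` and `createExtension` construct the `BigInteger`. Two smaller points: in `createExtension` the `catch (Exception e)` around the constructor only logs, so `ext` stays null and is handed to `addExtension` by `populate` (whether `addExtension` tolerates null is not visible here), and `getConfigDescriptor` matches `CONFIG_SKIP_CERTS` with `startsWith` where every other lookup in the class uses `equals`. `GN_PATTERN` is declared but never used.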
diff --git a/base/common/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java b/base/common/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java
new file mode 100644
index 000000000..251d8a3e7
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java
@@ -0,0 +1,317 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.StringTokenizer; + +import netscape.security.x509.GeneralName; +import netscape.security.x509.GeneralNameInterface; +import netscape.security.x509.GeneralNames; +import netscape.security.x509.IssuerAlternativeNameExtension; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a issuer alternative name extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class IssuerAltNameExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "issuerAltNameExtCritical"; + public static final String CONFIG_TYPE = "issuerAltExtType"; + public static final String CONFIG_PATTERN = "issuerAltExtPattern"; + + public static final String VAL_CRITICAL = "issuerAltNameExtCritical"; + public static final String VAL_GENERAL_NAMES = "issuerAltNames"; + + public IssuerAltNameExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_GENERAL_NAMES); + + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_TYPE); + addConfigName(CONFIG_PATTERN); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_TYPE)) { + return new Descriptor(IDescriptor.CHOICE, + "RFC822Name,DNSName,DirectoryName,EDIPartyName,URIName,IPAddress,OIDName", + "RFC822Name", + CMS.getUserMessage(locale, + "CMS_PROFILE_ISSUER_ALT_NAME_TYPE")); + } else if (name.equals(CONFIG_PATTERN)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_ISSUER_ALT_NAME_PATTERN")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_GENERAL_NAMES)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_GENERAL_NAMES")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + 
throws EPropertyException { + try { + IssuerAlternativeNameExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = + (IssuerAlternativeNameExtension) + getExtension(PKIXExtensions.IssuerAlternativeName_Id.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = + (IssuerAlternativeNameExtension) + getExtension(PKIXExtensions.IssuerAlternativeName_Id.toString(), info); + + if (ext == null) { + // it is ok, the extension is never populated or delted + return; + } + boolean critical = Boolean.valueOf(value).booleanValue(); + + ext.setCritical(critical); + } else if (name.equals(VAL_GENERAL_NAMES)) { + ext = + (IssuerAlternativeNameExtension) + getExtension(PKIXExtensions.IssuerAlternativeName_Id.toString(), info); + + if (ext == null) { + // it is ok, the extension is never populated or delted + return; + } + if (value.equals("")) { + // if value is empty, do not add this extension + deleteExtension(PKIXExtensions.IssuerAlternativeName_Id.toString(), info); + return; + } + GeneralNames gn = new GeneralNames(); + StringTokenizer st = new StringTokenizer(value, "\r\n"); + + while (st.hasMoreTokens()) { + String gname = (String) st.nextToken(); + + GeneralNameInterface n = parseGeneralName(gname); + if (n != null) { + gn.addElement(n); + } + } + ext.set(IssuerAlternativeNameExtension.ISSUER_NAME, gn); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + replaceExtension( + PKIXExtensions.IssuerAlternativeName_Id.toString(), + ext, info); + } catch (IOException e) { + CMS.debug("IssuerAltNameExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + 
} catch (EProfileException e) { + CMS.debug("IssuerAltNameExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + try { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + IssuerAlternativeNameExtension ext = + (IssuerAlternativeNameExtension) + getExtension(PKIXExtensions.IssuerAlternativeName_Id.toString(), info); + + if (ext == null) { + + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = + (IssuerAlternativeNameExtension) + getExtension(PKIXExtensions.IssuerAlternativeName_Id.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_GENERAL_NAMES)) { + ext = + (IssuerAlternativeNameExtension) + getExtension(PKIXExtensions.IssuerAlternativeName_Id.toString(), info); + if (ext == null) { + return ""; + } + + GeneralNames names = (GeneralNames) + ext.get(IssuerAlternativeNameExtension.ISSUER_NAME); + StringBuffer sb = new StringBuffer(); + Enumeration e = names.elements(); + + while (e.hasMoreElements()) { + GeneralName gn = (GeneralName) e.nextElement(); + + if (!sb.toString().equals("")) { + sb.append("\r\n"); + } + sb.append(toGeneralNameString(gn)); + } + return sb.toString(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } catch (IOException e) { + CMS.debug("IssuerAltNameExtDefault: getValue " + + e.toString()); + } + return null; + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_PATTERN), + 
getConfig(CONFIG_TYPE) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_ISSUER_ALT_NAME_EXT", params); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + IssuerAlternativeNameExtension ext = null; + + try { + ext = createExtension(request); + + } catch (IOException e) { + CMS.debug("IssuerAltNameExtDefault: populate " + e.toString()); + } + addExtension(PKIXExtensions.IssuerAlternativeName_Id.toString(), + ext, info); + } + + public IssuerAlternativeNameExtension createExtension(IRequest request) + throws IOException { + IssuerAlternativeNameExtension ext = null; + + try { + ext = new IssuerAlternativeNameExtension(); + } catch (Exception e) { + CMS.debug(e.toString()); + throw new IOException(e.toString()); + } + boolean critical = Boolean.valueOf( + getConfig(CONFIG_CRITICAL)).booleanValue(); + String pattern = getConfig(CONFIG_PATTERN); + + if (!pattern.equals("")) { + GeneralNames gn = new GeneralNames(); + + String gname = ""; + + if (request != null) { + gname = mapPattern(request, pattern); + } + + gn.addElement(parseGeneralName( + getConfig(CONFIG_TYPE) + ":" + gname)); + ext.set(IssuerAlternativeNameExtension.ISSUER_NAME, gn); + } + ext.setCritical(critical); + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/KeyUsageExtDefault.java b/base/common/src/com/netscape/cms/profile/def/KeyUsageExtDefault.java new file mode 100644 index 000000000..1bfda9ad9 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/KeyUsageExtDefault.java 
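Review bot: `populate` swallows the `IOException` from `createExtension` (it only calls `CMS.debug`) and then passes the still-null `ext` to `addExtension`, so a failure to build the extension registers a null under the IssuerAlternativeName OID instead of rejecting the request; rethrow after the debug line, e.g. `throw new EProfileException(e.toString());`, which is also how `createExtension` itself handles its constructor failure. Related: when `populate(null, info)` is invoked from `setValue`/`getValue`, `gname` is `""` and `createExtension` adds `parseGeneralName(getConfig(CONFIG_TYPE) + ":" + gname)` to the `GeneralNames` without the `n != null` guard that `setValue`'s loop applies — whether that produces a null element depends on `parseGeneralName`, which is outside this hunk. `getConfig(CONFIG_PATTERN)` is dereferenced via `pattern.equals("")` with no null check, unlike the `str == null || str.equals("")` test used in the sibling `InhibitAnyPolicyExtDefault.createExtension`. Because the pattern is expanded with `mapPattern(request, pattern)`, a profile whose pattern references requester-supplied attributes would place requester data into the *issuer* alternative name; a comment on `CONFIG_PATTERN` noting that it must describe the CA, not the subject, would help profile authors avoid that.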
@@ -0,0 +1,511 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.KeyUsageExtension; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a Key Usage extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class KeyUsageExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "keyUsageCritical"; + public static final String CONFIG_DIGITAL_SIGNATURE = + "keyUsageDigitalSignature"; + public static final String CONFIG_NON_REPUDIATION = + "keyUsageNonRepudiation"; + public static final String CONFIG_KEY_ENCIPHERMENT = + "keyUsageKeyEncipherment"; + public static final String CONFIG_DATA_ENCIPHERMENT = + "keyUsageDataEncipherment"; + public static final String CONFIG_KEY_AGREEMENT = "keyUsageKeyAgreement"; + public static final String CONFIG_KEY_CERTSIGN = "keyUsageKeyCertSign"; + public static final String CONFIG_CRL_SIGN = "keyUsageCrlSign"; + public static final String CONFIG_ENCIPHER_ONLY = "keyUsageEncipherOnly"; + public static final String CONFIG_DECIPHER_ONLY = "keyUsageDecipherOnly"; + + public static final String VAL_CRITICAL = "keyUsageCritical"; + public static final String VAL_DIGITAL_SIGNATURE = + "keyUsageDigitalSignature"; + public static final String VAL_NON_REPUDIATION = + "keyUsageNonRepudiation"; + public static final String VAL_KEY_ENCIPHERMENT = + "keyUsageKeyEncipherment"; + public static final String VAL_DATA_ENCIPHERMENT = + "keyUsageDataEncipherment"; + public static final String VAL_KEY_AGREEMENT = "keyUsageKeyAgreement"; + public static final String VAL_KEY_CERTSIGN = "keyUsageKeyCertSign"; + public static final String VAL_CRL_SIGN = "keyUsageCrlSign"; + public static final String VAL_ENCIPHER_ONLY = "keyUsageEncipherOnly"; + public static final String VAL_DECIPHER_ONLY = "keyUsageDecipherOnly"; + + public KeyUsageExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_DIGITAL_SIGNATURE); + addValueName(VAL_NON_REPUDIATION); + addValueName(VAL_KEY_ENCIPHERMENT); + addValueName(VAL_DATA_ENCIPHERMENT); + addValueName(VAL_KEY_AGREEMENT); + addValueName(VAL_KEY_CERTSIGN); + addValueName(VAL_CRL_SIGN); + addValueName(VAL_ENCIPHER_ONLY); + 
addValueName(VAL_DECIPHER_ONLY); + + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_DIGITAL_SIGNATURE); + addConfigName(CONFIG_NON_REPUDIATION); + addConfigName(CONFIG_KEY_ENCIPHERMENT); + addConfigName(CONFIG_DATA_ENCIPHERMENT); + addConfigName(CONFIG_KEY_AGREEMENT); + addConfigName(CONFIG_KEY_CERTSIGN); + addConfigName(CONFIG_CRL_SIGN); + addConfigName(CONFIG_ENCIPHER_ONLY); + addConfigName(CONFIG_DECIPHER_ONLY); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_DIGITAL_SIGNATURE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_DIGITAL_SIGNATURE")); + } else if (name.equals(CONFIG_NON_REPUDIATION)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_NON_REPUDIATION")); + } else if (name.equals(CONFIG_KEY_ENCIPHERMENT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_ENCIPHERMENT")); + } else if (name.equals(CONFIG_DATA_ENCIPHERMENT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_DATA_ENCIPHERMENT")); + } else if (name.equals(CONFIG_KEY_AGREEMENT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_AGREEMENT")); + } else if (name.equals(CONFIG_KEY_CERTSIGN)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_CERTSIGN")); + } else if (name.equals(CONFIG_CRL_SIGN)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, 
"CMS_PROFILE_CRL_SIGN")); + } else if (name.equals(CONFIG_ENCIPHER_ONLY)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_ENCIPHER_ONLY")); + } else if (name.equals(CONFIG_DECIPHER_ONLY)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_DECIPHER_ONLY")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_DIGITAL_SIGNATURE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_DIGITAL_SIGNATURE")); + } else if (name.equals(VAL_NON_REPUDIATION)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_NON_REPUDIATION")); + } else if (name.equals(VAL_KEY_ENCIPHERMENT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_ENCIPHERMENT")); + } else if (name.equals(VAL_DATA_ENCIPHERMENT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_DATA_ENCIPHERMENT")); + } else if (name.equals(VAL_KEY_AGREEMENT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_AGREEMENT")); + } else if (name.equals(VAL_KEY_CERTSIGN)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_CERTSIGN")); + } else if (name.equals(VAL_CRL_SIGN)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRL_SIGN")); + } else if (name.equals(VAL_ENCIPHER_ONLY)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_ENCIPHER_ONLY")); + } 
else if (name.equals(VAL_DECIPHER_ONLY)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_DECIPHER_ONLY")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + KeyUsageExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + + if (ext == null) { + populate(null, info); + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_DIGITAL_SIGNATURE)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.DIGITAL_SIGNATURE, val); + } else if (name.equals(VAL_NON_REPUDIATION)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.NON_REPUDIATION, val); + } else if (name.equals(VAL_KEY_ENCIPHERMENT)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.KEY_ENCIPHERMENT, val); + } else if (name.equals(VAL_DATA_ENCIPHERMENT)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.DATA_ENCIPHERMENT, val); + } else if (name.equals(VAL_KEY_AGREEMENT)) { + ext = 
(KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.KEY_AGREEMENT, val); + } else if (name.equals(VAL_KEY_CERTSIGN)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.KEY_CERTSIGN, val); + } else if (name.equals(VAL_CRL_SIGN)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.CRL_SIGN, val); + } else if (name.equals(VAL_ENCIPHER_ONLY)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.ENCIPHER_ONLY, val); + } else if (name.equals(VAL_DECIPHER_ONLY)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.DECIPHER_ONLY, val); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(PKIXExtensions.KeyUsage_Id.toString(), ext, info); + } catch (IOException e) { + CMS.debug("KeyUsageExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (EProfileException e) { + CMS.debug("KeyUsageExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + try { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, 
"CMS_INVALID_PROPERTY", name)); + } + + KeyUsageExtension ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_DIGITAL_SIGNATURE)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + + Boolean val = (Boolean) + ext.get(KeyUsageExtension.DIGITAL_SIGNATURE); + + return val.toString(); + } else if (name.equals(VAL_NON_REPUDIATION)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) + ext.get(KeyUsageExtension.NON_REPUDIATION); + + return val.toString(); + } else if (name.equals(VAL_KEY_ENCIPHERMENT)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) + ext.get(KeyUsageExtension.KEY_ENCIPHERMENT); + + return val.toString(); + } else if (name.equals(VAL_DATA_ENCIPHERMENT)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) + ext.get(KeyUsageExtension.DATA_ENCIPHERMENT); + + return val.toString(); + } else if (name.equals(VAL_KEY_AGREEMENT)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) + ext.get(KeyUsageExtension.KEY_AGREEMENT); + + return val.toString(); + } else if 
(name.equals(VAL_KEY_CERTSIGN)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) + ext.get(KeyUsageExtension.KEY_CERTSIGN); + + return val.toString(); + } else if (name.equals(VAL_CRL_SIGN)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) + ext.get(KeyUsageExtension.CRL_SIGN); + + return val.toString(); + } else if (name.equals(VAL_ENCIPHER_ONLY)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) + ext.get(KeyUsageExtension.ENCIPHER_ONLY); + + return val.toString(); + } else if (name.equals(VAL_DECIPHER_ONLY)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) + ext.get(KeyUsageExtension.DECIPHER_ONLY); + + return val.toString(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } catch (IOException e) { + CMS.debug("KeyUsageExtDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_DIGITAL_SIGNATURE), + getConfig(CONFIG_NON_REPUDIATION), + getConfig(CONFIG_KEY_ENCIPHERMENT), + getConfig(CONFIG_DATA_ENCIPHERMENT), + getConfig(CONFIG_KEY_AGREEMENT), + getConfig(CONFIG_KEY_CERTSIGN), + getConfig(CONFIG_CRL_SIGN), + getConfig(CONFIG_ENCIPHER_ONLY), + getConfig(CONFIG_DECIPHER_ONLY) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_KEY_USAGE_EXT", params); + + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + KeyUsageExtension ext = createKeyUsageExtension(); + + addExtension(PKIXExtensions.KeyUsage_Id.toString(), ext, info); + } + + public KeyUsageExtension createKeyUsageExtension() { + KeyUsageExtension ext = null; + boolean[] bits = new boolean[KeyUsageExtension.NBITS]; + + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + bits[0] = getConfigBoolean(CONFIG_DIGITAL_SIGNATURE); + bits[1] = getConfigBoolean(CONFIG_NON_REPUDIATION); + bits[2] = getConfigBoolean(CONFIG_KEY_ENCIPHERMENT); + bits[3] = getConfigBoolean(CONFIG_DATA_ENCIPHERMENT); + bits[4] = getConfigBoolean(CONFIG_KEY_AGREEMENT); + bits[5] = getConfigBoolean(CONFIG_KEY_CERTSIGN); + bits[6] = getConfigBoolean(CONFIG_CRL_SIGN); + bits[7] = getConfigBoolean(CONFIG_ENCIPHER_ONLY); + bits[8] = getConfigBoolean(CONFIG_DECIPHER_ONLY); + try { + ext = new KeyUsageExtension(critical, bits); + } catch (Exception e) { + CMS.debug("KeyUsageExtDefault: createKeyUsageExtension " + + e.toString()); + } + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/NSCCommentExtDefault.java b/base/common/src/com/netscape/cms/profile/def/NSCCommentExtDefault.java new file mode 100644 index 000000000..cc96f3e90 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/NSCCommentExtDefault.java 
@@ -0,0 +1,246 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.NSCCommentExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a Netscape comment extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class NSCCommentExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "nscCommentCritical"; + public static final String CONFIG_COMMENT = "nscCommentContent"; + + public static final String VAL_CRITICAL = "nscCommentCritical"; + public static final String VAL_COMMENT = "nscCommentContent"; + + public NSCCommentExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_COMMENT); + + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_COMMENT); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_COMMENT)) { + return new Descriptor(IDescriptor.STRING, null, + "Comment Here...", + CMS.getUserMessage(locale, "CMS_PROFILE_COMMENT")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_COMMENT)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_COMMENT")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + NSCCommentExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ObjectIdentifier oid = NSCCommentExtension.OID; + + ext = (NSCCommentExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + populate(null, info); + } + + if 
(name.equals(VAL_CRITICAL)) { + + ext = (NSCCommentExtension) + getExtension(oid.toString(), info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_COMMENT)) { + + ext = (NSCCommentExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return; + } + boolean critical = ext.isCritical(); + + if (value == null || value.equals("")) + ext = new NSCCommentExtension(critical, ""); + // throw new EPropertyException(name+" cannot be empty"); + else + ext = new NSCCommentExtension(critical, value); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(ext.getExtensionId().toString(), ext, info); + } catch (IOException e) { + CMS.debug("NSCCommentExtDefault: setValue " + e.toString()); + } catch (EProfileException e) { + CMS.debug("NSCCommentExtDefault: setValue " + e.toString()); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + NSCCommentExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ObjectIdentifier oid = NSCCommentExtension.OID; + + ext = (NSCCommentExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + + ext = (NSCCommentExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_COMMENT)) { + + ext = (NSCCommentExtension) + getExtension(oid.toString(), info); + + if (ext == null) + return ""; + + String comment = ext.getComment(); + + if (comment == null) + 
comment = ""; + + return comment; + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_COMMENT) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_NS_COMMENT_EXT", params); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + NSCCommentExtension ext = createExtension(); + + addExtension(ext.getExtensionId().toString(), ext, info); + } + + public NSCCommentExtension createExtension() { + NSCCommentExtension ext = null; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + String comment = getConfig(CONFIG_COMMENT); + + if (comment == null || comment.equals("")) + ext = new NSCCommentExtension(critical, ""); + else + ext = new NSCCommentExtension(critical, comment); + } catch (Exception e) { + CMS.debug("NSCCommentExtension: createExtension " + + e.toString()); + } + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/NSCertTypeExtDefault.java b/base/common/src/com/netscape/cms/profile/def/NSCertTypeExtDefault.java new file mode 100644 index 000000000..0677ef69f --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/NSCertTypeExtDefault.java 
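Review bot: In setValue the two catch blocks for IOException and EProfileException only call CMS.debug and then return normally, so a failure in populate() or replaceExtension() leaves the certificate template without the comment the profile asked for while the caller sees a successful call; KeyUsageExtDefault.setValue earlier in this diff rethrows in the same situation, so for consistency add `throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));` after each CMS.debug line. The commented-out `// throw new EPropertyException(name+" cannot be empty");` in the VAL_COMMENT branch is dead code and should either be deleted or replaced by a real decision on empty comments. The string handed to `new NSCCommentExtension(critical, value)` comes straight from the caller and is not checked here; whether the constructor enforces the extension's character set is not visible in this hunk, so a one-line comment on that branch saying where validation is expected to happen would help the next reader.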
@@ -0,0 +1,419 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.security.cert.CertificateException; +import java.util.Locale; + +import netscape.security.extensions.NSCertTypeExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a Netscape Certificate Type extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class NSCertTypeExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "nsCertCritical"; + public static final String CONFIG_SSL_CLIENT = "nsCertSSLClient"; + public static final String CONFIG_SSL_SERVER = "nsCertSSLServer"; + public static final String CONFIG_EMAIL = "nsCertEmail"; + public static final String CONFIG_OBJECT_SIGNING = "nsCertObjectSigning"; + public static final String CONFIG_SSL_CA = "nsCertSSLCA"; + public static final String CONFIG_EMAIL_CA = "nsCertEmailCA"; + public static final String CONFIG_OBJECT_SIGNING_CA = "nsCertObjectSigningCA"; + + public static final String VAL_CRITICAL = "nsCertCritical"; + public static final String VAL_SSL_CLIENT = "nsCertSSLClient"; + public static final String VAL_SSL_SERVER = "nsCertSSLServer"; + public static final String VAL_EMAIL = "nsCertEmail"; + public static final String VAL_OBJECT_SIGNING = "nsCertObjectSigning"; + public static final String VAL_SSL_CA = "nsCertSSLCA"; + public static final String VAL_EMAIL_CA = "nsCertEmailCA"; + public static final String VAL_OBJECT_SIGNING_CA = "nsCertObjectSigningCA"; + + public NSCertTypeExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_SSL_CLIENT); + addValueName(VAL_SSL_SERVER); + addValueName(VAL_EMAIL); + addValueName(VAL_OBJECT_SIGNING); + addValueName(VAL_SSL_CA); + addValueName(VAL_EMAIL_CA); + addValueName(VAL_OBJECT_SIGNING_CA); + + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_SSL_CLIENT); + addConfigName(CONFIG_SSL_SERVER); + addConfigName(CONFIG_EMAIL); + addConfigName(CONFIG_OBJECT_SIGNING); + addConfigName(CONFIG_SSL_CA); + addConfigName(CONFIG_EMAIL_CA); + addConfigName(CONFIG_OBJECT_SIGNING_CA); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + 
return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_SSL_CLIENT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CLIENT")); + } else if (name.equals(CONFIG_SSL_SERVER)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_SERVER")); + } else if (name.equals(CONFIG_EMAIL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL")); + } else if (name.equals(CONFIG_OBJECT_SIGNING)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_OBJECT_SIGNING")); + } else if (name.equals(CONFIG_SSL_CA)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CA")); + } else if (name.equals(CONFIG_EMAIL_CA)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL_CA")); + } else if (name.equals(CONFIG_OBJECT_SIGNING_CA)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_OBJECT_SIGNING_CA")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_SSL_CLIENT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CLIENT")); + } else if (name.equals(VAL_SSL_SERVER)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_SERVER")); + } else if (name.equals(VAL_EMAIL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, 
"CMS_PROFILE_EMAIL")); + } else if (name.equals(VAL_OBJECT_SIGNING)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_OBJECT_SIGNING")); + } else if (name.equals(VAL_SSL_CA)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CA")); + } else if (name.equals(VAL_EMAIL_CA)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL_CA")); + } else if (name.equals(VAL_OBJECT_SIGNING_CA)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_OBJECT_SIGNING_CA")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + NSCertTypeExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + + if (ext == null) { + populate(null, info); + + } + if (name.equals(VAL_CRITICAL)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_SSL_CLIENT)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(NSCertTypeExtension.SSL_CLIENT, val); + } else if (name.equals(VAL_SSL_SERVER)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(NSCertTypeExtension.SSL_SERVER, val); + } else if (name.equals(VAL_EMAIL)) { + ext = (NSCertTypeExtension) + 
getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(NSCertTypeExtension.EMAIL, val); + } else if (name.equals(VAL_OBJECT_SIGNING)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(NSCertTypeExtension.OBJECT_SIGNING, val); + } else if (name.equals(VAL_SSL_CA)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(NSCertTypeExtension.SSL_CA, val); + } else if (name.equals(VAL_EMAIL_CA)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(NSCertTypeExtension.EMAIL_CA, val); + } else if (name.equals(VAL_OBJECT_SIGNING_CA)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(NSCertTypeExtension.OBJECT_SIGNING_CA, val); + } else { + throw new EPropertyException("Invalid name " + name); + } + replaceExtension(NSCertTypeExtension.CertType_Id.toString(), ext, info); + } catch (CertificateException e) { + CMS.debug("NSCertTypeExtDefault: setValue " + e.toString()); + } catch (EProfileException e) { + CMS.debug("NSCertTypeExtDefault: setValue " + e.toString()); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + try { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + NSCertTypeExtension ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + + if (ext == null) { + try { + 
populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + if (name.equals(VAL_CRITICAL)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_SSL_CLIENT)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) ext.get(NSCertTypeExtension.SSL_CLIENT); + + return val.toString(); + } else if (name.equals(VAL_SSL_SERVER)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) ext.get(NSCertTypeExtension.SSL_SERVER); + + return val.toString(); + } else if (name.equals(VAL_EMAIL)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) ext.get(NSCertTypeExtension.EMAIL); + + return val.toString(); + } else if (name.equals(VAL_OBJECT_SIGNING)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) ext.get(NSCertTypeExtension.OBJECT_SIGNING); + + return val.toString(); + } else if (name.equals(VAL_SSL_CA)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) ext.get(NSCertTypeExtension.SSL_CA); + + return val.toString(); + } else if (name.equals(VAL_EMAIL_CA)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) 
ext.get(NSCertTypeExtension.EMAIL_CA); + + return val.toString(); + } else if (name.equals(VAL_OBJECT_SIGNING_CA)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) ext.get(NSCertTypeExtension.OBJECT_SIGNING_CA); + + return val.toString(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } catch (CertificateException e) { + CMS.debug("NSCertTypeExtDefault: setValue " + e.toString()); + } + return null; + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_SSL_CLIENT), + getConfig(CONFIG_SSL_SERVER), + getConfig(CONFIG_EMAIL), + getConfig(CONFIG_OBJECT_SIGNING), + getConfig(CONFIG_SSL_CA), + getConfig(CONFIG_EMAIL_CA), + getConfig(CONFIG_OBJECT_SIGNING_CA) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_NS_CERT_TYPE_EXT", params); + + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + NSCertTypeExtension ext = createExtension(); + + addExtension(NSCertTypeExtension.CertType_Id.toString(), ext, info); + } + + public NSCertTypeExtension createExtension() { + NSCertTypeExtension ext = null; + boolean[] bits = new boolean[NSCertTypeExtension.NBITS]; + + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + bits[0] = getConfigBoolean(CONFIG_SSL_CLIENT); + bits[1] = getConfigBoolean(CONFIG_SSL_SERVER); + bits[2] = getConfigBoolean(CONFIG_EMAIL); + bits[3] = getConfigBoolean(CONFIG_OBJECT_SIGNING); + bits[4] = getConfigBoolean(CONFIG_SSL_CA); + bits[5] = getConfigBoolean(CONFIG_EMAIL_CA); + bits[6] = getConfigBoolean(CONFIG_OBJECT_SIGNING_CA); + try { + ext = new NSCertTypeExtension(critical, bits); + } catch (Exception e) { + CMS.debug("NSCertTypeExtDefault: createExtension " + + e.toString()); + } + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java b/base/common/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java new file mode 100644 index 000000000..e57d04067 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java 
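Review bot: The catch block at the end of getValue logs `"NSCertTypeExtDefault: setValue "` although it sits in getValue, and then falls through to `return null`, so a CertificateException is reported under the wrong method name and otherwise hidden from the caller; change it to `CMS.debug("NSCertTypeExtDefault: getValue " + e.toString());` and rethrow as `EPropertyException` the way KeyUsageExtDefault.getValue does earlier in this diff. setValue has the same swallow: both of its catch blocks return normally after CMS.debug, so a failed replaceExtension() leaves the template without the requested certificate-type bits while the caller sees success. The unknown-name branch in setValue throws `new EPropertyException("Invalid name " + name)` while every other branch in this file uses `CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name)`; use the localized form there as well.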
@@ -0,0 +1,670 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.GeneralName; +import netscape.security.x509.GeneralNameInterface; +import netscape.security.x509.GeneralSubtree; +import netscape.security.x509.GeneralSubtrees; +import netscape.security.x509.NameConstraintsExtension; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a name constraint extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class NameConstraintsExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "nameConstraintsCritical"; + public static final String CONFIG_NUM_PERMITTED_SUBTREES = + "nameConstraintsNumPermittedSubtrees"; + public static final String CONFIG_PERMITTED_MIN_VAL = "nameConstraintsPermittedSubtreeMinValue_"; + public static final String CONFIG_PERMITTED_MAX_VAL = "nameConstraintsPermittedSubtreeMaxValue_"; + public static final String CONFIG_PERMITTED_NAME_CHOICE = "nameConstraintsPermittedSubtreeNameChoice_"; + public static final String CONFIG_PERMITTED_NAME_VAL = "nameConstraintsPermittedSubtreeNameValue_"; + public static final String CONFIG_PERMITTED_ENABLE = "nameConstraintsPermittedSubtreeEnable_"; + + public static final String CONFIG_NUM_EXCLUDED_SUBTREES = "nameConstraintsNumExcludedSubtrees"; + public static final String CONFIG_EXCLUDED_MIN_VAL = "nameConstraintsExcludedSubtreeMinValue_"; + public static final String CONFIG_EXCLUDED_MAX_VAL = "nameConstraintsExcludedSubtreeMaxValue_"; + public static final String CONFIG_EXCLUDED_NAME_CHOICE = "nameConstraintsExcludedSubtreeNameChoice_"; + public static final String CONFIG_EXCLUDED_NAME_VAL = "nameConstraintsExcludedSubtreeNameValue_"; + public static final String CONFIG_EXCLUDED_ENABLE = "nameConstraintsExcludedSubtreeEnable_"; + + public static final String VAL_CRITICAL = "nameConstraintsCritical"; + public static final String VAL_PERMITTED_SUBTREES = "nameConstraintsPermittedSubtreesValue"; + public static final String VAL_EXCLUDED_SUBTREES = "nameConstraintsExcludedSubtreesValue"; + + private static final String GENERAL_NAME_CHOICE = "GeneralNameChoice"; + private static final String GENERAL_NAME_VALUE = "GeneralNameValue"; + private static final String MIN_VALUE = "Min Value"; + private static final String MAX_VALUE = "Max Value"; + private static final String ENABLE = "Enable"; + + protected static final int 
DEF_NUM_PERMITTED_SUBTREES = 1; + protected static final int DEF_NUM_EXCLUDED_SUBTREES = 1; + protected static final int MAX_NUM_EXCLUDED_SUBTREES = 100; + protected static final int MAX_NUM_PERMITTED_SUBTREES = 100; + + public NameConstraintsExtDefault() { + super(); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + refreshConfigAndValueNames(); + + } + + protected int getNumPermitted() { + int num = DEF_NUM_PERMITTED_SUBTREES; + String val = getConfig(CONFIG_NUM_PERMITTED_SUBTREES); + + if (val != null) { + try { + num = Integer.parseInt(val); + } catch (NumberFormatException e) { + // ignore + } + } + + if (num >= MAX_NUM_PERMITTED_SUBTREES) + num = DEF_NUM_PERMITTED_SUBTREES; + return num; + } + + protected int getNumExcluded() { + int num = DEF_NUM_EXCLUDED_SUBTREES; + String val = getConfig(CONFIG_NUM_EXCLUDED_SUBTREES); + + if (val != null) { + try { + num = Integer.parseInt(val); + } catch (NumberFormatException e) { + // ignore + } + } + + if (num >= MAX_NUM_EXCLUDED_SUBTREES) + num = DEF_NUM_EXCLUDED_SUBTREES; + + return num; + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(CONFIG_NUM_PERMITTED_SUBTREES)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_PERMITTED_SUBTREES || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_PERMITTED_SUBTREES)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_PERMITTED_SUBTREES)); + } + } else if (name.equals(CONFIG_NUM_EXCLUDED_SUBTREES)) { + + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_EXCLUDED_SUBTREES || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_EXCLUDED_SUBTREES)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + 
"CMS_INVALID_PROPERTY", CONFIG_NUM_EXCLUDED_SUBTREES)); + } + } + super.setConfig(name, value); + } + + public Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void refreshConfigAndValueNames() { + //refesh our config name list + + super.refreshConfigAndValueNames(); + + addValueName(VAL_CRITICAL); + addValueName(VAL_PERMITTED_SUBTREES); + addValueName(VAL_EXCLUDED_SUBTREES); + + addConfigName(CONFIG_CRITICAL); + int num = getNumPermitted(); + + addConfigName(CONFIG_NUM_PERMITTED_SUBTREES); + + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_PERMITTED_MIN_VAL + i); + addConfigName(CONFIG_PERMITTED_MAX_VAL + i); + addConfigName(CONFIG_PERMITTED_NAME_CHOICE + i); + addConfigName(CONFIG_PERMITTED_NAME_VAL + i); + addConfigName(CONFIG_PERMITTED_ENABLE + i); + } + + num = getNumExcluded(); + + addConfigName(CONFIG_NUM_EXCLUDED_SUBTREES); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_EXCLUDED_MIN_VAL + i); + addConfigName(CONFIG_EXCLUDED_MAX_VAL + i); + addConfigName(CONFIG_EXCLUDED_NAME_CHOICE + i); + addConfigName(CONFIG_EXCLUDED_NAME_VAL + i); + addConfigName(CONFIG_EXCLUDED_ENABLE + i); + } + + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_PERMITTED_MIN_VAL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_PERMITTED_MIN_VAL")); + } else if (name.startsWith(CONFIG_PERMITTED_MAX_VAL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_PERMITTED_MAX_VAL")); + } else if (name.startsWith(CONFIG_PERMITTED_NAME_CHOICE)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_PERMITTED_NAME_CHOICE")); + } else if 
(name.startsWith(CONFIG_PERMITTED_NAME_VAL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_PERMITTED_NAME_VAL")); + } else if (name.startsWith(CONFIG_PERMITTED_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_ENABLE")); + } else if (name.startsWith(CONFIG_EXCLUDED_MIN_VAL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_EXCLUDED_MIN_VAL")); + } else if (name.startsWith(CONFIG_EXCLUDED_MAX_VAL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_EXCLUDED_MAX_VAL")); + } else if (name.startsWith(CONFIG_EXCLUDED_NAME_CHOICE)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_EXCLUDED_NAME_CHOICE")); + } else if (name.startsWith(CONFIG_EXCLUDED_NAME_VAL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_EXCLUDED_NAME_VAL")); + } else if (name.startsWith(CONFIG_EXCLUDED_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_ENABLE")); + } else if (name.startsWith(CONFIG_NUM_EXCLUDED_SUBTREES)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_EXCLUDED_SUBTREES")); + } else if (name.startsWith(CONFIG_NUM_PERMITTED_SUBTREES)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_PERMITTED_SUBTREES")); + } + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_PERMITTED_SUBTREES)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + 
CMS.getUserMessage(locale, "CMS_PROFILE_PERMITTED_SUBTREES")); + } else if (name.equals(VAL_EXCLUDED_SUBTREES)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_EXCLUDED_SUBTREES")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + NameConstraintsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_PERMITTED_SUBTREES)) { + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); + + if (ext == null) { + return; + } + if ((value == null) || (value.equals("null")) || (value.equals(""))) { + CMS.debug("NameConstraintsExtDefault:setValue : " + + "blank value for permitted subtrees ... returning"); + return; + } + + Vector v = parseRecords(value); + + Vector permittedSubtrees = createSubtrees(locale, v); + + ext.set(NameConstraintsExtension.PERMITTED_SUBTREES, + new GeneralSubtrees(permittedSubtrees)); + } else if (name.equals(VAL_EXCLUDED_SUBTREES)) { + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); + + if (ext == null) { + return; + } + if ((value == null) || (value.equals("null")) || (value.equals(""))) { + CMS.debug("NameConstraintsExtDefault:setValue : " + + "blank value for excluded subtrees ... 
returning"); + return; + } + Vector v = parseRecords(value); + + Vector excludedSubtrees = createSubtrees(locale, v); + + ext.set(NameConstraintsExtension.EXCLUDED_SUBTREES, + new GeneralSubtrees(excludedSubtrees)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(PKIXExtensions.NameConstraints_Id.toString(), ext, info); + } catch (IOException e) { + CMS.debug("NameConstraintsExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (EProfileException e) { + CMS.debug("NameConstraintsExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + private Vector createSubtrees(Locale locale, Vector v) throws EPropertyException { + int size = v.size(); + String choice = null; + String val = ""; + String minS = null; + String maxS = null; + + Vector subtrees = new Vector(); + + for (int i = 0; i < size; i++) { + NameValuePairs nvps = v.elementAt(i); + + for (String name1 : nvps.keySet()) { + + if (name1.equals(GENERAL_NAME_CHOICE)) { + choice = nvps.get(name1); + } else if (name1.equals(GENERAL_NAME_VALUE)) { + val = nvps.get(name1); + } else if (name1.equals(MIN_VALUE)) { + minS = nvps.get(name1); + } else if (name1.equals(MAX_VALUE)) { + maxS = nvps.get(name1); + } + } + + if (choice == null || choice.length() == 0) { + throw new EPropertyException(CMS.getUserMessage(locale, + "CMS_PROFILE_GENERAL_NAME_NOT_FOUND")); + } + + if (val == null) + val = ""; + + int min = 0; + int max = -1; + + if (minS != null && minS.length() > 0) + min = Integer.parseInt(minS); + if (maxS != null && maxS.length() > 0) + max = Integer.parseInt(maxS); + + GeneralName gn = null; + GeneralNameInterface gnI = null; + + try { + gnI = parseGeneralName(choice + ":" + val); + } catch (IOException e) { + CMS.debug("NameConstraintsExtDefault: 
createSubtress " + + e.toString()); + } + + if (gnI != null) { + gn = new GeneralName(gnI); + } else { + throw new EPropertyException(CMS.getUserMessage(locale, + "CMS_PROFILE_GENERAL_NAME_NOT_FOUND")); + } + GeneralSubtree subtree = new GeneralSubtree( + gn, min, max); + + subtrees.addElement(subtree); + } + + return subtrees; + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + NameConstraintsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_PERMITTED_SUBTREES)) { + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); + + if (ext == null) + return ""; + + GeneralSubtrees subtrees = null; + + try { + subtrees = (GeneralSubtrees) + ext.get(NameConstraintsExtension.PERMITTED_SUBTREES); + } catch (IOException e) { + CMS.debug("NameConstraintExtDefault: getValue " + e.toString()); + } + + if (subtrees == null) { + CMS.debug("NameConstraintsExtDefault::getValue() VAL_PERMITTED_SUBTREES is null!"); + throw new EPropertyException("subtrees is null"); + } + + return getSubtreesInfo(ext, subtrees); + } else if (name.equals(VAL_EXCLUDED_SUBTREES)) { + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); + + if (ext == null) + return ""; + + GeneralSubtrees 
subtrees = null; + + try { + subtrees = (GeneralSubtrees) + ext.get(NameConstraintsExtension.EXCLUDED_SUBTREES); + } catch (IOException e) { + CMS.debug("NameConstraintExtDefault: getValue " + e.toString()); + } + + if (subtrees == null) { + CMS.debug("NameConstraintsExtDefault::getValue() VAL_EXCLUDED_SUBTREES is null!"); + throw new EPropertyException("subtrees is null"); + } + + return getSubtreesInfo(ext, subtrees); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + private String getSubtreesInfo(NameConstraintsExtension ext, + GeneralSubtrees subtrees) throws EPropertyException { + Vector trees = subtrees.getSubtrees(); + int size = trees.size(); + + Vector recs = new Vector(); + + for (int i = 0; i < size; i++) { + GeneralSubtree tree = (GeneralSubtree) trees.elementAt(i); + + GeneralName gn = tree.getGeneralName(); + String type = getGeneralNameType(gn); + int max = tree.getMaxValue(); + int min = tree.getMinValue(); + + NameValuePairs pairs = new NameValuePairs(); + + pairs.put(GENERAL_NAME_CHOICE, type); + pairs.put(GENERAL_NAME_VALUE, getGeneralNameValue(gn)); + pairs.put(MIN_VALUE, Integer.toString(min)); + pairs.put(MAX_VALUE, Integer.toString(max)); + pairs.put(ENABLE, "true"); + + recs.addElement(pairs); + } + + return buildRecords(recs); + } + + public String getText(Locale locale) { + StringBuffer sb = new StringBuffer(); + int num = getNumPermitted(); + + for (int i = 0; i < num; i++) { + sb.append("Permitted #"); + sb.append(i); + sb.append("{"); + sb.append(GENERAL_NAME_CHOICE + ":"); + sb.append(getConfig(CONFIG_PERMITTED_NAME_CHOICE + i)); + sb.append(","); + sb.append(GENERAL_NAME_VALUE + ":"); + sb.append(getConfig(CONFIG_PERMITTED_NAME_VAL + i)); + sb.append(","); + sb.append(MIN_VALUE + ":"); + sb.append(getConfig(CONFIG_PERMITTED_MIN_VAL + i)); + sb.append(","); + sb.append(MAX_VALUE + ":"); + sb.append(getConfig(CONFIG_PERMITTED_MAX_VAL + i)); + sb.append("}"); + } + num = 
getNumExcluded(); + for (int i = 0; i < num; i++) { + sb.append("Exluded #"); + sb.append(i); + sb.append("{"); + sb.append(GENERAL_NAME_CHOICE + ":"); + sb.append(getConfig(CONFIG_EXCLUDED_NAME_CHOICE + i)); + sb.append(","); + sb.append(GENERAL_NAME_VALUE + ":"); + sb.append(getConfig(CONFIG_EXCLUDED_NAME_VAL + i)); + sb.append(","); + sb.append(MIN_VALUE + ":"); + sb.append(getConfig(CONFIG_EXCLUDED_MIN_VAL + i)); + sb.append(","); + sb.append(MAX_VALUE + ":"); + sb.append(getConfig(CONFIG_EXCLUDED_MAX_VAL + i)); + sb.append("}"); + } + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_NAME_CONSTRAINTS_EXT", + getConfig(CONFIG_CRITICAL), sb.toString()); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + NameConstraintsExtension ext = createExtension(); + + addExtension(PKIXExtensions.NameConstraints_Id.toString(), ext, info); + } + + public NameConstraintsExtension createExtension() { + NameConstraintsExtension ext = null; + + try { + int num = getNumPermitted(); + + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + Vector v = new Vector(); + + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_PERMITTED_ENABLE + i); + + if (enable != null && enable.equals("true")) { + String choice = getConfig(CONFIG_PERMITTED_NAME_CHOICE + i); + String value = getConfig(CONFIG_PERMITTED_NAME_VAL + i); + String minS = getConfig(CONFIG_PERMITTED_MIN_VAL + i); + String maxS = getConfig(CONFIG_PERMITTED_MAX_VAL + i); + + v.addElement(createSubtree(choice, value, minS, maxS)); + } + } + + Vector v1 = new Vector(); + + num = getNumExcluded(); + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_EXCLUDED_ENABLE + i); + + if (enable != null && enable.equals("true")) { + String choice = getConfig(CONFIG_EXCLUDED_NAME_CHOICE + i); + String value = getConfig(CONFIG_EXCLUDED_NAME_VAL + i); + String minS = getConfig(CONFIG_EXCLUDED_MIN_VAL 
+ i); + String maxS = getConfig(CONFIG_EXCLUDED_MAX_VAL + i); + + v1.addElement(createSubtree(choice, value, minS, maxS)); + } + } + + ext = new NameConstraintsExtension(critical, + new GeneralSubtrees(v), new GeneralSubtrees(v1)); + } catch (Exception e) { + CMS.debug("NameConstraintsExtDefault: createExtension " + + e.toString()); + } + + return ext; + } + + private GeneralSubtree createSubtree(String choice, String value, + String minS, String maxS) { + GeneralName gn = null; + GeneralNameInterface gnI = null; + + try { + gnI = parseGeneralName(choice + ":" + value); + } catch (IOException e) { + CMS.debug(e.toString()); + } + if (gnI != null) + gn = new GeneralName(gnI); + else + //throw new EPropertyException("GeneralName must not be null"); + return null; + + int min = 0; + + if (minS != null && minS.length() > 0) + min = Integer.parseInt(minS); + int max = -1; + + if (maxS != null && maxS.length() > 0) + max = Integer.parseInt(maxS); + + return (new GeneralSubtree(gn, min, max)); + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/NoDefault.java b/base/common/src/com/netscape/cms/profile/def/NoDefault.java new file mode 100644 index 000000000..4678f4487 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/NoDefault.java 
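Review bot: In createExtension, `v.addElement(createSubtree(choice, value, minS, maxS))` stores whatever createSubtree returns, and createSubtree returns null when parseGeneralName fails (its throw is commented out), so a mistyped permitted or excluded subtree in the profile config becomes a null entry inside GeneralSubtrees or, if construction then fails, trips the `catch (Exception e)` that leaves ext null; either way the certificate can be issued without the name constraint the profile intended, with only a CMS.debug line recording it. I would restore the throw in createSubtree and let createExtension/populate propagate an EProfileException instead of catching Exception, so enrollment fails rather than silently losing a constraint that limits what the issued CA may certify. createSubtrees has a related defect: `choice`, `val`, `minS` and `maxS` are declared outside the per-record loop and never reset, so a record that omits one of those keys inherits the previous record's value. Also, `Integer.parseInt(minS)` and `Integer.parseInt(maxS)` there are unguarded, so a non-numeric min/max escapes setValue as a NumberFormatException instead of the EPropertyException callers expect.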
@@ -0,0 +1,111 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.Vector;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IPolicyDefault;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements no default policy.
+ *
+ * @version $Revision$, $Date$
+ */
+public class NoDefault implements IPolicyDefault {
+
+    public static final String PROP_NAME = "name";
+
+    protected Vector mValues = new Vector();
+    protected Vector mNames = new Vector();
+    protected IConfigStore mConfig = null;
+
+    public Enumeration getConfigNames() {
+        return mNames.elements();
+    }
+
+    public IDescriptor getConfigDescriptor(Locale locale, String name) {
+        return null;
+    }
+
+    public void setConfig(String name, String value)
+            throws EPropertyException {
+    }
+
+    public String getDefaultConfig(String name) {
+        return null;
+    }
+
+    public String getConfig(String name) {
+        return null;
+    }
+
+    public void init(IProfile profile, IConfigStore config)
+            throws EProfileException {
+        mConfig = config;
+    }
+
+    public IConfigStore getConfigStore() {
+        return mConfig;
+    }
+
+    /**
+     * Populates the request with this policy default.
+     */
+    public void populate(IRequest request)
+            throws EProfileException {
+    }
+
+    public Enumeration getValueNames() {
+        return mValues.elements();
+    }
+
+    public IDescriptor getValueDescriptor(Locale locale, String name) {
+        return null;
+    }
+
+    public void setValue(String name, Locale locale, IRequest request,
+            String value)
+            throws EPropertyException {
+    }
+
+    public String getValue(String name, Locale locale, IRequest request) {
+        return null;
+    }
+
+    public String getText(Locale locale) {
+        return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_NO_DEFAULT");
+    }
+
+    public String getName(Locale locale) {
+        try {
+            return mConfig.getString(PROP_NAME);
+        } catch (EBaseException e) {
+            return null;
+        }
+    }
+}
diff --git a/base/common/src/com/netscape/cms/profile/def/OCSPNoCheckExtDefault.java b/base/common/src/com/netscape/cms/profile/def/OCSPNoCheckExtDefault.java
new file mode 100644
index 000000000..382f3cec3
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/OCSPNoCheckExtDefault.java
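Review bot: The empty bodies of setConfig, populate and setValue are silent no-ops with nothing saying so, so a reader cannot tell a deliberate null implementation from unfinished code; a one-line comment in each, e.g. `// intentionally empty: NoDefault contributes nothing to the request`, would settle that. The class Javadoc would also benefit from a sentence stating that getConfig, getDefaultConfig, getValue and both descriptor methods always return null and that mNames/mValues are never populated, so getConfigNames/getValueNames enumerate nothing. In getName, `catch (EBaseException e) { return null; }` drops the cause without even a debug line, whereas the sibling classes in this commit at least log via CMS.debug before returning.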
@@ -0,0 +1,185 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.util.Locale;
+
+import netscape.security.extensions.OCSPNoCheckExtension;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates an OCSP No Check extension
+ * into the certificate template.
+ *
+ * @version $Revision$, $Date$
+ */
+public class OCSPNoCheckExtDefault extends EnrollExtDefault {
+
+    public static final String CONFIG_CRITICAL = "ocspNoCheckCritical";
+
+    public static final String VAL_CRITICAL = "ocspNoCheckCritical";
+
+    public OCSPNoCheckExtDefault() {
+        super();
+        addValueName(VAL_CRITICAL);
+        addConfigName(CONFIG_CRITICAL);
+    }
+
+    public void init(IProfile profile, IConfigStore config)
+            throws EProfileException {
+        super.init(profile, config);
+    }
+
+    public IDescriptor getConfigDescriptor(Locale locale, String name) {
+        if (name.equals(CONFIG_CRITICAL)) {
+            return new Descriptor(IDescriptor.BOOLEAN, null,
+                    "false",
+                    CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL"));
+        } else {
+            return null;
+        }
+    }
+
+    public IDescriptor getValueDescriptor(Locale locale, String name) {
+        if (name.equals(VAL_CRITICAL)) {
+            return new Descriptor(IDescriptor.BOOLEAN, null,
+                    "false",
+                    CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL"));
+        } else {
+            return null;
+        }
+    }
+
+    public void setValue(String name, Locale locale,
+            X509CertInfo info, String value)
+            throws EPropertyException {
+        if (name == null) {
+            throw new EPropertyException(CMS.getUserMessage(
+                    locale, "CMS_INVALID_PROPERTY", name));
+        }
+
+        OCSPNoCheckExtension ext = (OCSPNoCheckExtension)
+                getExtension(OCSPNoCheckExtension.OID, info);
+
+        if (ext == null) {
+            try {
+                populate(null, info);
+
+            } catch (EProfileException e) {
+                throw new EPropertyException(CMS.getUserMessage(
+                        locale, "CMS_INVALID_PROPERTY", name));
+            }
+
+        }
+
+        if (name.equals(VAL_CRITICAL)) {
+            ext = (OCSPNoCheckExtension)
+                    getExtension(OCSPNoCheckExtension.OID, info);
+            boolean val = Boolean.valueOf(value).booleanValue();
+
+            if (ext == null) {
+                return;
+            }
+            ext.setCritical(val);
+        } else {
+            throw new EPropertyException(CMS.getUserMessage(
+                    locale, "CMS_INVALID_PROPERTY", name));
+        }
+    }
+
+    public String getValue(String name, Locale locale,
+            X509CertInfo info)
+            throws EPropertyException {
+        if (name == null) {
+            throw new EPropertyException(CMS.getUserMessage(
+                    locale, "CMS_INVALID_PROPERTY", name));
+        }
+
+        OCSPNoCheckExtension ext = (OCSPNoCheckExtension)
+                getExtension(OCSPNoCheckExtension.OID, info);
+
+        if (ext == null) {
+            try {
+                populate(null, info);
+
+            } catch (EProfileException e) {
+                throw new EPropertyException(CMS.getUserMessage(
+                        locale, "CMS_INVALID_PROPERTY", name));
+            }
+
+        }
+
+        if (name.equals(VAL_CRITICAL)) {
+            ext = (OCSPNoCheckExtension)
+                    getExtension(OCSPNoCheckExtension.OID, info);
+
+            if (ext == null) {
+                return null;
+            }
+            if (ext.isCritical()) {
+                return "true";
+            } else {
+                return "false";
+            }
+        } else {
+            throw new EPropertyException(CMS.getUserMessage(
+                    locale, "CMS_INVALID_PROPERTY", name));
+        }
+    }
+
+    public String getText(Locale locale) {
+        return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_OCSP_NO_CHECK_EXT",
+                getConfig(CONFIG_CRITICAL));
+    }
+
+    /**
+     * Populates the request with this policy default.
+     */
+    public void populate(IRequest request, X509CertInfo info)
+            throws EProfileException {
+        OCSPNoCheckExtension ext = createExtension();
+
+        addExtension(OCSPNoCheckExtension.OID, ext, info);
+    }
+
+    public OCSPNoCheckExtension createExtension() {
+        OCSPNoCheckExtension ext = null;
+
+        try {
+            ext = new OCSPNoCheckExtension();
+        } catch (Exception e) {
+            CMS.debug("OCSPNoCheckExtDefault: createExtension " +
+                    e.toString());
+            return null;
+        }
+        boolean critical = getConfigBoolean(CONFIG_CRITICAL);
+
+        ext.setCritical(critical);
+        return ext;
+    }
+}
diff --git a/base/common/src/com/netscape/cms/profile/def/PolicyConstraintsExtDefault.java b/base/common/src/com/netscape/cms/profile/def/PolicyConstraintsExtDefault.java
new file mode 100644
index 000000000..db9b95a04
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/PolicyConstraintsExtDefault.java
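Review bot: createExtension returns null when the OCSPNoCheckExtension constructor throws, and populate passes that null straight to `addExtension(OCSPNoCheckExtension.OID, ext, info)` without checking it; what addExtension does with a null is outside this hunk, but setValue and getValue afterwards just hit their `if (ext == null) return` paths, so a failed default surfaces as a missing value rather than an error. A guard in populate such as `if (ext == null) { throw new EProfileException("OCSPNoCheckExtDefault: createExtension failed"); }` (assuming EProfileException has a String constructor, as EPropertyException is used with one elsewhere in this commit) would make the failure visible to the enrollment instead of issuing without the extension. Separately, setValue turns any string other than "true" into false via `Boolean.valueOf(value)` even though the descriptor advertises the value as BOOLEAN; rejecting anything but "true"/"false" with the existing CMS_INVALID_PROPERTY message would catch typos in the criticality flag.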
@@ -0,0 +1,287 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.PolicyConstraintsExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a policy constraints extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class PolicyConstraintsExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "policyConstraintsCritical"; + public static final String CONFIG_REQ_EXPLICIT_POLICY = "policyConstraintsReqExplicitPolicy"; + public static final String CONFIG_INHIBIT_POLICY_MAPPING = "policyConstraintsInhibitPolicyMapping"; + + public static final String VAL_CRITICAL = "policyConstraintsCritical"; + public static final String VAL_REQ_EXPLICIT_POLICY = "policyConstraintsReqExplicitPolicy"; + public static final String VAL_INHIBIT_POLICY_MAPPING = "policyConstraintsInhibitPolicyMapping"; + + public PolicyConstraintsExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_REQ_EXPLICIT_POLICY); + addValueName(VAL_INHIBIT_POLICY_MAPPING); + + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_REQ_EXPLICIT_POLICY); + addConfigName(CONFIG_INHIBIT_POLICY_MAPPING); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_REQ_EXPLICIT_POLICY)) { + return new Descriptor(IDescriptor.INTEGER, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_REQUIRED_EXPLICIT_POLICY")); + } else if (name.equals(CONFIG_INHIBIT_POLICY_MAPPING)) { + return new Descriptor(IDescriptor.INTEGER, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INHIBIT_POLICY_MAPPING")); + } + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_REQ_EXPLICIT_POLICY)) { + return new 
Descriptor(IDescriptor.INTEGER, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_REQUIRED_EXPLICIT_POLICY")); + } else if (name.equals(VAL_INHIBIT_POLICY_MAPPING)) { + return new Descriptor(IDescriptor.INTEGER, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INHIBIT_POLICY_MAPPING")); + } + return null; + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + PolicyConstraintsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (PolicyConstraintsExtension) + getExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + ext = (PolicyConstraintsExtension) + getExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_REQ_EXPLICIT_POLICY)) { + ext = (PolicyConstraintsExtension) + getExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + info); + + if (ext == null) { + return; + } + Integer num = new Integer(value); + + ext.set(PolicyConstraintsExtension.REQUIRE, num); + } else if (name.equals(VAL_INHIBIT_POLICY_MAPPING)) { + ext = (PolicyConstraintsExtension) + getExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + info); + + if (ext == null) { + return; + } + Integer num = new Integer(value); + + ext.set(PolicyConstraintsExtension.INHIBIT, num); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + ext, info); + } catch (EProfileException e) { + CMS.debug("PolicyConstraintsExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", 
name)); + } catch (IOException e) { + CMS.debug("PolicyConstraintsExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + PolicyConstraintsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (PolicyConstraintsExtension) + getExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + info); + if (ext == null) { + + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (PolicyConstraintsExtension) + getExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_REQ_EXPLICIT_POLICY)) { + ext = (PolicyConstraintsExtension) + getExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + info); + + if (ext == null) + return ""; + + int num = ext.getRequireExplicitMapping(); + + return "" + num; + } else if (name.equals(VAL_INHIBIT_POLICY_MAPPING)) { + ext = (PolicyConstraintsExtension) + getExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + info); + + if (ext == null) + return ""; + + int num = ext.getInhibitPolicyMapping(); + + return "" + num; + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_REQ_EXPLICIT_POLICY), + getConfig(CONFIG_INHIBIT_POLICY_MAPPING) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_POLICY_CONSTRAINTS_EXT", params); + } + + /** + * Populates the request 
with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + PolicyConstraintsExtension ext = createExtension(); + + if (ext == null) + return; + addExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + ext, info); + } + + public PolicyConstraintsExtension createExtension() { + PolicyConstraintsExtension ext = null; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + int reqNum = -1; + int inhibitNum = -1; + String req = getConfig(CONFIG_REQ_EXPLICIT_POLICY); + + if (req != null && req.length() > 0) { + reqNum = Integer.parseInt(req); + } + String inhibit = getConfig(CONFIG_INHIBIT_POLICY_MAPPING); + + if (inhibit != null && inhibit.length() > 0) { + inhibitNum = Integer.parseInt(inhibit); + } + ext = new PolicyConstraintsExtension(critical, reqNum, inhibitNum); + } catch (Exception e) { + CMS.debug("PolicyConstraintsExtDefault: createExtension " + + e.toString()); + } + + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/PolicyMappingsExtDefault.java b/base/common/src/com/netscape/cms/profile/def/PolicyMappingsExtDefault.java new file mode 100644 index 000000000..712641c0d --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/PolicyMappingsExtDefault.java 
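Review bot: In setValue, the `Integer num = new Integer(value);` lines in the VAL_REQ_EXPLICIT_POLICY and VAL_INHIBIT_POLICY_MAPPING branches let a non-numeric value escape as an unchecked NumberFormatException, because the enclosing try only catches EProfileException and IOException, while every other malformed input in this method is reported as EPropertyException. Wrap the parse in the same contract: `Integer num; try { num = Integer.valueOf(value); } catch (NumberFormatException e) { throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name)); }`. Relatedly, unlike PrivateKeyUsagePeriodExtDefault in this same commit, this class does not override setConfig to validate its two INTEGER config fields, so a non-numeric profile value is only discovered when createExtension's `catch (Exception e)` swallows the NumberFormatException and returns null, after which populate silently omits the extension; a setConfig check, or at least a debug message naming the offending field, would make that misconfiguration visible.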
@@ -0,0 +1,420 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.CertificatePolicyId; +import netscape.security.x509.CertificatePolicyMap; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.PolicyMappingsExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a policy mappings extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class PolicyMappingsExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "policyMappingsCritical"; + public static final String CONFIG_NUM_POLICY_MAPPINGS = "policyMappingsNum"; + public static final String CONFIG_ISSUER_DOMAIN_POLICY = "policyMappingsIssuerDomainPolicy_"; + public static final String CONFIG_SUBJECT_DOMAIN_POLICY = "policyMappingsSubjectDomainPolicy_"; + public static final String CONFIG_ENABLE = "policyMappingsEnable_"; + + public static final String VAL_CRITICAL = "policyMappingsCritical"; + public static final String VAL_DOMAINS = "policyMappingsDomains"; + + private static final String ISSUER_POLICY_ID = "Issuer Policy Id"; + private static final String SUBJECT_POLICY_ID = "Subject Policy Id"; + private static final String POLICY_ID_ENABLE = "Enable"; + + private static final int DEF_NUM_MAPPINGS = 1; + private static final int MAX_NUM_MAPPINGS = 100; + + public PolicyMappingsExtDefault() { + super(); + } + + protected int getNumMappings() { + int num = DEF_NUM_MAPPINGS; + String numMappings = getConfig(CONFIG_NUM_POLICY_MAPPINGS); + + if (numMappings != null) { + try { + num = Integer.parseInt(numMappings); + } catch (NumberFormatException e) { + // ignore + } + } + return num; + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + refreshConfigAndValueNames(); + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(CONFIG_NUM_POLICY_MAPPINGS)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_MAPPINGS || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_POLICY_MAPPINGS)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_POLICY_MAPPINGS)); + } + } + super.setConfig(name, value); + } + + public 
Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void refreshConfigAndValueNames() { + super.refreshConfigAndValueNames(); + + addValueName(VAL_CRITICAL); + addValueName(VAL_DOMAINS); + + addConfigName(CONFIG_CRITICAL); + int num = getNumMappings(); + + addConfigName(CONFIG_NUM_POLICY_MAPPINGS); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_ISSUER_DOMAIN_POLICY + i); + addConfigName(CONFIG_SUBJECT_DOMAIN_POLICY + i); + addConfigName(CONFIG_ENABLE + i); + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_ISSUER_DOMAIN_POLICY)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ISSUER_DOMAIN_POLICY")); + } else if (name.startsWith(CONFIG_SUBJECT_DOMAIN_POLICY)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_DOMAIN_POLICY")); + } else if (name.startsWith(CONFIG_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_ENABLE")); + } else if (name.startsWith(CONFIG_NUM_POLICY_MAPPINGS)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_POLICY_MAPPINGS")); + } + + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_DOMAINS)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_DOMAINS")); + } + return null; + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String 
value) + throws EPropertyException { + try { + PolicyMappingsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (PolicyMappingsExtension) + getExtension(PKIXExtensions.PolicyMappings_Id.toString(), + info); + + if (ext == null) { + populate(null, info); + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (PolicyMappingsExtension) + getExtension(PKIXExtensions.PolicyMappings_Id.toString(), + info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_DOMAINS)) { + ext = (PolicyMappingsExtension) + getExtension(PKIXExtensions.PolicyMappings_Id.toString(), + info); + + if (ext == null) { + return; + } + Vector v = parseRecords(value); + int size = v.size(); + + String issuerPolicyId = null; + String subjectPolicyId = null; + String enable = null; + Vector policyMaps = new Vector(); + + for (int i = 0; i < size; i++) { + NameValuePairs nvps = v.elementAt(i); + + for (String name1 : nvps.keySet()) { + + if (name1.equals(ISSUER_POLICY_ID)) { + issuerPolicyId = nvps.get(name1); + } else if (name1.equals(SUBJECT_POLICY_ID)) { + subjectPolicyId = nvps.get(name1); + } else if (name1.equals(POLICY_ID_ENABLE)) { + enable = nvps.get(name1); + } + } + + if (enable != null && enable.equals("true")) { + if (issuerPolicyId == null || + issuerPolicyId.length() == 0 || subjectPolicyId == null || + subjectPolicyId.length() == 0) + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_PROFILE_POLICY_ID_NOT_FOUND")); + CertificatePolicyMap map = new CertificatePolicyMap( + new CertificatePolicyId(new ObjectIdentifier(issuerPolicyId)), + new CertificatePolicyId(new ObjectIdentifier(subjectPolicyId))); + + policyMaps.addElement(map); + } + } + ext.set(PolicyMappingsExtension.MAP, policyMaps); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", 
name)); + } + + replaceExtension(PKIXExtensions.PolicyMappings_Id.toString(), + ext, info); + } catch (EProfileException e) { + CMS.debug("PolicyMappingsExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (IOException e) { + CMS.debug("PolicyMappingsExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + PolicyMappingsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (PolicyMappingsExtension) + getExtension(PKIXExtensions.PolicyMappings_Id.toString(), + info); + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (PolicyMappingsExtension) + getExtension(PKIXExtensions.PolicyMappings_Id.toString(), + info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_DOMAINS)) { + ext = (PolicyMappingsExtension) + getExtension(PKIXExtensions.PolicyMappings_Id.toString(), + info); + + if (ext == null) + return ""; + + int num_mappings = getNumMappings(); + + Enumeration maps = ext.getMappings(); + + Vector recs = new Vector(); + + for (int i = 0; i < num_mappings; i++) { + NameValuePairs pairs = new NameValuePairs(); + + if (maps.hasMoreElements()) { + CertificatePolicyMap map = + (CertificatePolicyMap) maps.nextElement(); + + CertificatePolicyId i1 = map.getIssuerIdentifier(); + CertificatePolicyId s1 = map.getSubjectIdentifier(); + + pairs.put(ISSUER_POLICY_ID, i1.getIdentifier().toString()); + 
pairs.put(SUBJECT_POLICY_ID, s1.getIdentifier().toString()); + pairs.put(POLICY_ID_ENABLE, "true"); + } else { + pairs.put(ISSUER_POLICY_ID, ""); + pairs.put(SUBJECT_POLICY_ID, ""); + pairs.put(POLICY_ID_ENABLE, "false"); + + } + recs.addElement(pairs); + } + + return buildRecords(recs); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + StringBuffer sb = new StringBuffer(); + int num = getNumMappings(); + + for (int i = 0; i < num; i++) { + sb.append("Record #"); + sb.append(i); + sb.append("{"); + sb.append(ISSUER_POLICY_ID + ":"); + sb.append(getConfig(CONFIG_ISSUER_DOMAIN_POLICY + i)); + sb.append(","); + sb.append(SUBJECT_POLICY_ID + ":"); + sb.append(getConfig(CONFIG_SUBJECT_DOMAIN_POLICY + i)); + sb.append(","); + sb.append(POLICY_ID_ENABLE + ":"); + sb.append(getConfig(CONFIG_ENABLE + i)); + sb.append("}"); + } + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_POLICY_MAPPINGS_EXT", + getConfig(CONFIG_CRITICAL), sb.toString()); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + PolicyMappingsExtension ext = createExtension(); + + if (ext == null) + return; + addExtension(PKIXExtensions.PolicyMappings_Id.toString(), + ext, info); + } + + public PolicyMappingsExtension createExtension() { + PolicyMappingsExtension ext = null; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + Vector policyMaps = new Vector(); + int num = getNumMappings(); + + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_ENABLE + i); + + if (enable != null && enable.equals("true")) { + String issuerID = getConfig(CONFIG_ISSUER_DOMAIN_POLICY + i); + + if (issuerID == null || issuerID.length() == 0) { + return null; + } + + String subjectID = getConfig(CONFIG_SUBJECT_DOMAIN_POLICY + i); + + if (subjectID == null || subjectID.length() == 0) { + return null; + } + + CertificatePolicyMap map = new CertificatePolicyMap( + new CertificatePolicyId(new ObjectIdentifier(issuerID)), + new CertificatePolicyId(new ObjectIdentifier(subjectID))); + + policyMaps.addElement(map); + } + } + + ext = new PolicyMappingsExtension(critical, policyMaps); + } catch (Exception e) { + CMS.debug("PolicyMappingsExtDefault: createExtension " + + e.toString()); + } + + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java b/base/common/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java new file mode 100644 index 000000000..20285567e --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java 
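Review bot: In setValue's VAL_DOMAINS branch, `issuerPolicyId`, `subjectPolicyId` and `enable` are declared once before the `for (int i = 0; i < size; i++)` loop over the parsed records and never reset, so a record that omits one of the three keys silently inherits the value left by the previous record; a record carrying only `Enable:true` would then be mapped using the preceding record's policy OIDs. Move the three declarations into the loop body so every record starts from null: `String issuerPolicyId = null; String subjectPolicyId = null; String enable = null;` as the first statements inside the loop. createExtension does not have this problem because it reads each index's config values afresh per iteration.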
@@ -0,0 +1,316 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.text.ParsePosition; +import java.text.SimpleDateFormat; +import java.util.Date; +import java.util.Locale; + +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.PrivateKeyUsageExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a Private Key Usage Period extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class PrivateKeyUsagePeriodExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "puCritical"; + public static final String CONFIG_START_TIME = "puStartTime"; + public static final String CONFIG_DURATION = "puDurationInDays"; // in days + + public static final String VAL_CRITICAL = "puCritical"; + public static final String VAL_NOT_BEFORE = "puNotBefore"; + public static final String VAL_NOT_AFTER = "puNotAfter"; + + public static final String DATE_FORMAT = "yyyy-MM-dd HH:mm:ss"; + private long mDefault = 86400000; // 1 days + + public PrivateKeyUsagePeriodExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_NOT_BEFORE); + addValueName(VAL_NOT_AFTER); + + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_START_TIME); + addConfigName(CONFIG_DURATION); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_START_TIME)) { + return new Descriptor(IDescriptor.STRING, null, + "0", + CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_START_TIME")); + } else if (name.equals(CONFIG_DURATION)) { + return new Descriptor(IDescriptor.STRING, null, + "365", + CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_RANGE")); + } else { + return null; + } + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (name.equals(CONFIG_START_TIME)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_START_TIME)); + } + } else if (name.equals(CONFIG_DURATION)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new 
EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_DURATION)); + } + } + super.setConfig(name, value); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_NOT_BEFORE)) { + return new Descriptor(IDescriptor.STRING, null, + "0", + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_BEFORE")); + } else if (name.equals(VAL_NOT_AFTER)) { + return new Descriptor(IDescriptor.STRING, null, + "30", + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_AFTER")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + PrivateKeyUsageExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ObjectIdentifier oid = PKIXExtensions.PrivateKeyUsage_Id; + + ext = (PrivateKeyUsageExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + + ext = (PrivateKeyUsageExtension) + getExtension(oid.toString(), info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_NOT_BEFORE)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + + ext = (PrivateKeyUsageExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return; + } + ext.set(PrivateKeyUsageExtension.NOT_BEFORE, date); + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + + ext = 
(PrivateKeyUsageExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return; + } + ext.set(PrivateKeyUsageExtension.NOT_AFTER, date); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(ext.getExtensionId().toString(), ext, info); + } catch (EProfileException e) { + CMS.debug("PrivateKeyUsageExtension: setValue " + e.toString()); + } catch (Exception e) { + CMS.debug("PrivateKeyUsageExtension: setValue " + e.toString()); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + PrivateKeyUsageExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ObjectIdentifier oid = PKIXExtensions.PrivateKeyUsage_Id; + + ext = (PrivateKeyUsageExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + + ext = (PrivateKeyUsageExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_NOT_BEFORE)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + + ext = (PrivateKeyUsageExtension) + getExtension(oid.toString(), info); + + if (ext == null) + return ""; + + return formatter.format(ext.getNotBefore()); + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + + ext = (PrivateKeyUsageExtension) + getExtension(oid.toString(), info); + + if (ext == null) + return ""; + + return formatter.format(ext.getNotAfter()); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); 
+ } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_START_TIME), + getConfig(CONFIG_DURATION) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_PRIVATE_KEY_EXT", params); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + PrivateKeyUsageExtension ext = createExtension(); + + addExtension(ext.getExtensionId().toString(), ext, info); + } + + public PrivateKeyUsageExtension createExtension() { + PrivateKeyUsageExtension ext = null; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + // always + 60 seconds + String startTimeStr = getConfig(CONFIG_START_TIME); + + if (startTimeStr == null || startTimeStr.equals("")) { + startTimeStr = "60"; + } + int startTime = Integer.parseInt(startTimeStr); + Date notBefore = new Date(CMS.getCurrentDate().getTime() + + (1000 * startTime)); + long notAfterVal = 0; + + notAfterVal = notBefore.getTime() + + (mDefault * Integer.parseInt(getConfig(CONFIG_DURATION))); + Date notAfter = new Date(notAfterVal); + + ext = new PrivateKeyUsageExtension(notBefore, notAfter); + ext.setCritical(critical); + } catch (Exception e) { + CMS.debug("PrivateKeyUsagePeriodExt: createExtension " + + e.toString()); + } + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/SigningAlgDefault.java b/base/common/src/com/netscape/cms/profile/def/SigningAlgDefault.java new file mode 100644 index 000000000..11da93fc8 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/SigningAlgDefault.java 
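Review bot: populate dereferences `ext.getExtensionId()` without a null check, yet createExtension returns null whenever its catch-all fires — for instance when `Integer.parseInt(getConfig(CONFIG_DURATION))` sees an unset or empty duration — so enrollment dies with a NullPointerException rather than the EProfileException the signature declares. The sibling PolicyConstraintsExtDefault and PolicyMappingsExtDefault guard this with `if (ext == null) return;`; here I would rather throw an EProfileException that names CONFIG_DURATION, so a misconfigured profile fails the request instead of silently issuing a certificate without the extension. Separately, the trailing `catch (Exception e)` in setValue also swallows the `CMS_INVALID_PROPERTY` EPropertyExceptions thrown earlier in the same try for a null or unknown name, and hides the null Date that `formatter.parse(value, pos)` yields for unparseable input; narrowing that catch, or rethrowing as EPropertyException, would restore the declared contract.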
@@ -0,0 +1,183 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.util.Locale;
+
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.CertificateAlgorithmId;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates a signing algorithm
+ * into the certificate template.
+ * + * @version $Revision$, $Date$ + */ +public class SigningAlgDefault extends EnrollDefault { + + public static final String CONFIG_ALGORITHM = "signingAlg"; + + public static final String VAL_ALGORITHM = "signingAlg"; + public static final String DEF_CONFIG_ALGORITHMS = + "-,MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA"; + + public SigningAlgDefault() { + super(); + addConfigName(CONFIG_ALGORITHM); + addValueName(VAL_ALGORITHM); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_ALGORITHM)) { + return new Descriptor(IDescriptor.CHOICE, DEF_CONFIG_ALGORITHMS, + "SHA256withRSA", + CMS.getUserMessage(locale, "CMS_PROFILE_SIGNING_ALGORITHM")); + } else { + return null; + } + } + + public String getSigningAlg() { + String signingAlg = getConfig(CONFIG_ALGORITHM); + // if specified, use the specified one. 
Otherwise, pick + // the best selection for the user + if (signingAlg == null || signingAlg.equals("") || + signingAlg.equals("-")) { + // best pick for the user + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + return ca.getDefaultAlgorithm(); + } else { + return signingAlg; + } + } + + public String getDefSigningAlgorithms() { + StringBuffer allowed = new StringBuffer(); + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + String algos[] = ca.getCASigningAlgorithms(); + for (int i = 0; i < algos.length; i++) { + if (allowed.length() == 0) { + allowed.append(algos[i]); + } else { + allowed.append(","); + allowed.append(algos[i]); + } + } + return allowed.toString(); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_ALGORITHM)) { + String allowed = getDefSigningAlgorithms(); + return new Descriptor(IDescriptor.CHOICE, + allowed, null, + CMS.getUserMessage(locale, "CMS_PROFILE_SIGNING_ALGORITHM")); + } + return null; + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_ALGORITHM)) { + try { + info.set(X509CertInfo.ALGORITHM_ID, + new CertificateAlgorithmId( + AlgorithmId.getAlgorithmId(value))); + } catch (Exception e) { + CMS.debug("SigningAlgDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + + if (name == null) + throw new EPropertyException("Invalid name " + name); + + if (name.equals(VAL_ALGORITHM)) { + CertificateAlgorithmId 
algId = null; + + try { + algId = (CertificateAlgorithmId) + info.get(X509CertInfo.ALGORITHM_ID); + AlgorithmId id = (AlgorithmId) + algId.get(CertificateAlgorithmId.ALGORITHM); + + return id.toString(); + } catch (Exception e) { + CMS.debug("SigningAlgDefault: getValue " + e.toString()); + } + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_SIGNING_ALGORITHM", + getSigningAlg()); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + try { + info.set(X509CertInfo.ALGORITHM_ID, + new CertificateAlgorithmId( + AlgorithmId.getAlgorithmId(getSigningAlg()))); + } catch (Exception e) { + CMS.debug("SigningAlgDefault: populate " + e.toString()); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java b/base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java new file mode 100644 index 000000000..d3838577e --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java 
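Review bot: `setValue` in SigningAlgDefault writes whatever `value` the request supplies for `signingAlg` straight into `X509CertInfo.ALGORITHM_ID` via `AlgorithmId.getAlgorithmId(value)`; nothing compares it against the CA's allowed list that `getDefSigningAlgorithms()` builds for the value descriptor, so the CHOICE presented to the user is not enforced server-side and a submitter can request any algorithm name the parser accepts. `DEF_CONFIG_ALGORITHMS` also offers `MD5withRSA` and `MD2withRSA` as configuration choices, which are broken for signatures and should be removed from the list (or at minimum carry a comment that they exist only for legacy profiles). `populate` swallows any exception from `getAlgorithmId(getSigningAlg())` with a debug line and leaves the template without an algorithm ID; it should rethrow as `EProfileException` so the enrollment fails visibly. Suggested membership check at the top of the `VAL_ALGORITHM` branch in `setValue`:
```java
if (name.equals(VAL_ALGORITHM)) {
    // Enforce the same list the value descriptor advertises; the request
    // value is untrusted input and must not pick an algorithm the CA does not allow.
    boolean allowed = false;
    for (String alg : getDefSigningAlgorithms().split(",")) {
        if (alg.equals(value)) {
            allowed = true;
            break;
        }
    }
    if (!allowed) {
        throw new EPropertyException(CMS.getUserMessage(
                locale, "CMS_INVALID_PROPERTY", name));
    }
    // … unchanged: info.set(X509CertInfo.ALGORITHM_ID, …) inside try/catch …
```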
@@ -0,0 +1,542 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.UUID; + +import netscape.security.x509.GeneralNameInterface; +import netscape.security.x509.GeneralNames; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.SubjectAlternativeNameExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IAttrSet; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.pattern.Pattern; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a subject alternative name extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class SubjectAltNameExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "subjAltNameExtCritical"; + public static final String CONFIG_NUM_GNS = "subjAltNameNumGNs"; + public static final String CONFIG_GN_ENABLE = "subjAltExtGNEnable_"; + public static final String CONFIG_TYPE = "subjAltExtType_"; + public static final String CONFIG_PATTERN = "subjAltExtPattern_"; + public static final String CONFIG_SOURCE = "subjAltExtSource_"; + public static final String CONFIG_SOURCE_UUID4 = "UUID4"; + + public static final String CONFIG_OLD_TYPE = "subjAltExtType"; + public static final String CONFIG_OLD_PATTERN = "subjAltExtPattern"; + + public static final String VAL_CRITICAL = "subjAltNameExtCritical"; + public static final String VAL_GENERAL_NAMES = "subjAltNames"; + + private static final String GN_ENABLE = "Enable"; + private static final String GN_TYPE = "Pattern Type"; + private static final String GN_PATTERN = "Pattern"; + + private static final int DEF_NUM_GN = 1; + private static final int MAX_NUM_GN = 100; + + public SubjectAltNameExtDefault() { + super(); + } + + protected int getNumGNs() { + int num = DEF_NUM_GN; + String numGNs = getConfig(CONFIG_NUM_GNS); + + if (numGNs != null) { + try { + num = Integer.parseInt(numGNs); + } catch (NumberFormatException e) { + // ignore + } + } + + if (num >= MAX_NUM_GN) + num = DEF_NUM_GN; + return num; + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + + super.init(profile, config); + refreshConfigAndValueNames(); + // migrate old parameters to new parameters + String old_type = null; + String old_pattern = null; + IConfigStore paramConfig = config.getSubStore("params"); + try { + if (paramConfig != null) { + old_type = paramConfig.getString(CONFIG_OLD_TYPE); + } + } catch (EBaseException e) { + // nothing to do here + } + CMS.debug("SubjectAltNameExtDefault: Upgrading old_type=" + + old_type); + try 
{ + if (paramConfig != null) { + old_pattern = paramConfig.getString(CONFIG_OLD_PATTERN); + } + } catch (EBaseException e) { + // nothing to do here + } + CMS.debug("SubjectAltNameExtDefault: Upgrading old_pattern=" + + old_pattern); + if (old_type != null && old_pattern != null) { + CMS.debug("SubjectAltNameExtDefault: Upgrading"); + try { + paramConfig.putString(CONFIG_NUM_GNS, "1"); + paramConfig.putString(CONFIG_GN_ENABLE + "0", "true"); + paramConfig.putString(CONFIG_TYPE + "0", old_type); + paramConfig.putString(CONFIG_PATTERN + "0", old_pattern); + paramConfig.remove(CONFIG_OLD_TYPE); + paramConfig.remove(CONFIG_OLD_PATTERN); + profile.getConfigStore().commit(true); + } catch (Exception e) { + CMS.debug("SubjectAltNameExtDefault: Failed to upgrade " + e); + } + } + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(CONFIG_NUM_GNS)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_GN || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_GNS)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_GNS)); + } + } + super.setConfig(name, value); + } + + public Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void refreshConfigAndValueNames() { + super.refreshConfigAndValueNames(); + + addValueName(VAL_CRITICAL); + addValueName(VAL_GENERAL_NAMES); + + addConfigName(CONFIG_CRITICAL); + int num = getNumGNs(); + addConfigName(CONFIG_NUM_GNS); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_TYPE + i); + addConfigName(CONFIG_PATTERN + i); + addConfigName(CONFIG_GN_ENABLE + i); + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, 
"CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_TYPE)) { + return new Descriptor(IDescriptor.CHOICE, + "RFC822Name,DNSName,DirectoryName,EDIPartyName,URIName,IPAddress,OIDName,OtherName", + "RFC822Name", + CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_ALT_NAME_TYPE")); + } else if (name.startsWith(CONFIG_PATTERN)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_ALT_NAME_PATTERN")); + } else if (name.startsWith(CONFIG_GN_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_GN_ENABLE")); + } else if (name.startsWith(CONFIG_NUM_GNS)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_GNS")); + } + + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_GENERAL_NAMES)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_GENERAL_NAMES")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + SubjectAlternativeNameExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = + (SubjectAlternativeNameExtension) + getExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + ext = + (SubjectAlternativeNameExtension) + getExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info); + + if (ext == null) { + // it is ok, the extension is never populated or delted + return; + } + boolean critical = 
Boolean.valueOf(value).booleanValue(); + + ext.setCritical(critical); + } else if (name.equals(VAL_GENERAL_NAMES)) { + ext = + (SubjectAlternativeNameExtension) + getExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info); + + if (ext == null) { + // it is ok, the extension is never populated or delted + return; + } + if (value.equals("")) { + // if value is empty, do not add this extension + deleteExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info); + return; + } + GeneralNames gn = new GeneralNames(); + StringTokenizer st = new StringTokenizer(value, "\r\n"); + + while (st.hasMoreTokens()) { + String gname = (String) st.nextToken(); + CMS.debug("SubjectAltNameExtDefault: setValue GN:" + gname); + + if (!isGeneralNameValid(gname)) { + continue; + } + GeneralNameInterface n = parseGeneralName(gname); + if (n != null) { + gn.addElement(n); + } + } + if (gn.size() == 0) { + CMS.debug("GN size is zero"); + deleteExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info); + return; + } else { + CMS.debug("GN size is non zero (" + gn.size() + ")"); + ext.set(SubjectAlternativeNameExtension.SUBJECT_NAME, gn); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + replaceExtension( + PKIXExtensions.SubjectAlternativeName_Id.toString(), + ext, info); + } catch (IOException e) { + CMS.debug("SubjectAltNameExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (EProfileException e) { + CMS.debug("SubjectAltNameExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + try { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + 
SubjectAlternativeNameExtension ext = + (SubjectAlternativeNameExtension) + getExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = + (SubjectAlternativeNameExtension) + getExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_GENERAL_NAMES)) { + ext = + (SubjectAlternativeNameExtension) + getExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info); + if (ext == null) { + return null; + } + + GeneralNames names = (GeneralNames) + ext.get(SubjectAlternativeNameExtension.SUBJECT_NAME); + StringBuffer sb = new StringBuffer(); + Enumeration e = names.elements(); + + while (e.hasMoreElements()) { + GeneralNameInterface gn = e.nextElement(); + + if (!sb.toString().equals("")) { + sb.append("\r\n"); + } + sb.append(toGeneralNameString(gn)); + CMS.debug("SubjectAltNameExtDefault: getValue append GN:" + toGeneralNameString(gn)); + } + return sb.toString(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } catch (IOException e) { + CMS.debug("SubjectAltNameExtDefault: getValue " + + e.toString()); + } + return null; + } + + /* + * returns text that goes into description for this extension on + * a profile + */ + public String getText(Locale locale) { + StringBuffer sb = new StringBuffer(); + int num = getNumGNs(); + + for (int i = 0; i < num; i++) { + sb.append("Record #"); + sb.append(i); + sb.append("{"); + sb.append(GN_PATTERN + ":"); + sb.append(getConfig(CONFIG_PATTERN + i)); + sb.append(","); + sb.append(GN_TYPE + ":"); + sb.append(getConfig(CONFIG_TYPE + i)); + sb.append(","); + 
sb.append(GN_ENABLE + ":"); + sb.append(getConfig(CONFIG_GN_ENABLE + i)); + sb.append("}"); + } + ; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_SUBJECT_ALT_NAME_EXT", getConfig(CONFIG_CRITICAL), + sb.toString()); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + SubjectAlternativeNameExtension ext = null; + + try { + /* read from config file*/ + ext = createExtension(request); + + } catch (IOException e) { + CMS.debug("SubjectAltNameExtDefault: populate " + e.toString()); + } + if (ext != null) { + addExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), + ext, info); + } else { + CMS.debug("SubjectAltNameExtDefault: populate sees no extension. get out"); + } + } + + public SubjectAlternativeNameExtension createExtension(IRequest request) + throws IOException { + SubjectAlternativeNameExtension ext = null; + int num = getNumGNs(); + + boolean critical = Boolean.valueOf( + getConfig(CONFIG_CRITICAL)).booleanValue(); + + GeneralNames gn = new GeneralNames(); + int count = 0; // # of actual gnames + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_GN_ENABLE + i); + if (enable != null && enable.equals("true")) { + CMS.debug("SubjectAltNameExtDefault: createExtension i=" + i); + + String pattern = getConfig(CONFIG_PATTERN + i); + if (pattern == null || pattern.equals("")) { + pattern = " "; + } + + if (!pattern.equals("")) { + String gname = ""; + + // cfu - see if this is server-generated (e.g. 
UUID4) + // to use this feature, use $server.source$ in pattern + String source = getConfig(CONFIG_SOURCE + i); + String type = getConfig(CONFIG_TYPE + i); + if ((source != null) && (!source.equals(""))) { + if (type.equalsIgnoreCase("OtherName")) { + CMS.debug("SubjectAlternativeNameExtension: using " + + source + " as gn"); + if (source.equals(CONFIG_SOURCE_UUID4)) { + UUID randUUID = UUID.randomUUID(); + // call the mapPattern that does server-side gen + // request is not used, but needed for the substitute + // function + gname = mapPattern(randUUID.toString(), request, pattern); + } else { //expand more server-gen types here + CMS.debug("SubjectAltNameExtDefault: createExtension - unsupported server-generated type: " + + source + ". Supported: UUID4"); + continue; + } + } else { + CMS.debug("SubjectAltNameExtDefault: createExtension - source is only supported for subjAltExtType OtherName"); + continue; + } + } else { + if (request != null) { + gname = mapPattern(request, pattern); + } + } + + if (gname.equals("")) { + CMS.debug("gname is empty, not added"); + continue; + } + CMS.debug("SubjectAltNameExtDefault: createExtension got gname=" + gname); + + GeneralNameInterface n = parseGeneralName(type + ":" + gname); + + CMS.debug("adding gname: " + gname); + if (n != null) { + CMS.debug("SubjectAlternativeNameExtension: n not null"); + gn.addElement(n); + count++; + } else { + CMS.debug("SubjectAlternativeNameExtension: n null"); + } + } + } + } //for + + if (count != 0) { + try { + ext = new SubjectAlternativeNameExtension(); + } catch (Exception e) { + CMS.debug(e.toString()); + throw new IOException(e.toString()); + } + ext.set(SubjectAlternativeNameExtension.SUBJECT_NAME, gn); + ext.setCritical(critical); + } else { + CMS.debug("count is 0"); + } + return ext; + } + + public String mapPattern(IRequest request, String pattern) + throws IOException { + Pattern p = new Pattern(pattern); + IAttrSet attrSet = null; + if (request != null) { + attrSet = 
request.asIAttrSet(); + } + return p.substitute("request", attrSet); + } + + // for server-side generated values + public String mapPattern(String val, IRequest request, String pattern) + throws IOException { + Pattern p = new Pattern(pattern); + IAttrSet attrSet = null; + if (request != null) { + attrSet = request.asIAttrSet(); + } + try { + attrSet.set("source", val); + } catch (Exception e) { + CMS.debug("SubjectAlternativeNameExtension: mapPattern source " + e.toString()); + } + + return p.substitute("server", attrSet); + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/SubjectDirAttributesExtDefault.java b/base/common/src/com/netscape/cms/profile/def/SubjectDirAttributesExtDefault.java new file mode 100644 index 000000000..cca5ab234 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/SubjectDirAttributesExtDefault.java 
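Review bot: In `createExtension` the server-generated-source branch evaluates `type.equalsIgnoreCase("OtherName")` before checking that `subjAltExtType_<i>` is configured, so a profile with `subjAltExtSource_<i>=UUID4` and no type entry throws a NullPointerException that neither `createExtension` (declared to throw only `IOException`) nor `populate` catches; change it to `if (type != null && type.equalsIgnoreCase("OtherName"))`. The same branch calls the three-argument `mapPattern` even when `request` is null, which is exactly how `setValue`/`getValue` invoke `populate(null, info)`; there `attrSet` stays null, `attrSet.set("source", val)` NPEs into the swallowed catch, and `p.substitute("server", null)` is reached — whether `Pattern.substitute` tolerates a null attribute set is not visible in this hunk, so guard it with `if (attrSet != null) attrSet.set("source", val);` and skip the substitution when there is no request. Separately, `setValue(VAL_GENERAL_NAMES)` places request-supplied names into the SAN after only `isGeneralNameValid`, whose body is outside this hunk; a comment on that branch stating that authorization of requested names (DNSName, IPAddress, etc.) is the job of a profile constraint, not this default, would keep the next maintainer from assuming the default filters them.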
@@ -0,0 +1,527 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.security.util.DerValue; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.AVAValueConverter; +import netscape.security.x509.Attribute; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.SubjectDirAttributesExtension; +import netscape.security.x509.X500NameAttrMap; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a subject directory attributes extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class SubjectDirAttributesExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "subjDirAttrsCritical"; + public static final String CONFIG_NUM_ATTRS = "subjDirAttrsNum"; + public static final String CONFIG_ATTR_NAME = "subjDirAttrName_"; + public static final String CONFIG_PATTERN = "subjDirAttrPattern_"; + public static final String CONFIG_ENABLE = "subjDirAttrEnable_"; + + public static final String VAL_CRITICAL = "subjDirAttrCritical"; + public static final String VAL_ATTR = "subjDirAttrValue"; + + private static final int DEF_NUM_ATTRS = 1; + private static final int MAX_NUM_ATTRS = 100; + private static final String ENABLE = "Enable"; + private static final String ATTR_NAME = "Attribute Name"; + private static final String ATTR_VALUE = "Attribute Value"; + + public SubjectDirAttributesExtDefault() { + super(); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + refreshConfigAndValueNames(); + } + + protected int getNumAttrs() { + int num = DEF_NUM_ATTRS; + String val = getConfig(CONFIG_NUM_ATTRS); + + if (val != null) { + try { + num = Integer.parseInt(val); + } catch (NumberFormatException e) { + // ignore + } + } + + if (num >= MAX_NUM_ATTRS) + num = DEF_NUM_ATTRS; + + return num; + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(DEF_NUM_ATTRS)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_ATTRS || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_ATTRS)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_ATTRS)); + } + } + super.setConfig(name, value); + } + + public Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void 
refreshConfigAndValueNames() { + super.refreshConfigAndValueNames(); + + addValueName(VAL_CRITICAL); + addValueName(VAL_ATTR); + + addConfigName(CONFIG_CRITICAL); + int num = getNumAttrs(); + addConfigName(CONFIG_NUM_ATTRS); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_ATTR_NAME + i); + addConfigName(CONFIG_PATTERN + i); + addConfigName(CONFIG_ENABLE + i); + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_ATTR_NAME)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_ATTRS")); + } else if (name.startsWith(CONFIG_ATTR_NAME)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ATTR_NAME")); + } else if (name.startsWith(CONFIG_PATTERN)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ATTR_VALUE")); + } else if (name.startsWith(CONFIG_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ENABLE")); + } else if (name.startsWith(CONFIG_NUM_ATTRS)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_ATTRS")); + } + + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_ATTR)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SUBJDIR_ATTRS")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + 
SubjectDirAttributesExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (SubjectDirAttributesExtension) + getExtension(PKIXExtensions.SubjectDirectoryAttributes_Id.toString(), + info); + + if (name.equals(VAL_CRITICAL)) { + ext = (SubjectDirAttributesExtension) + getExtension(PKIXExtensions.SubjectDirectoryAttributes_Id.toString(), + info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_ATTR)) { + ext = (SubjectDirAttributesExtension) + getExtension(PKIXExtensions.SubjectDirectoryAttributes_Id.toString(), + info); + + if (ext == null) { + return; + } + Vector v = parseRecords(value); + int size = v.size(); + + boolean critical = ext.isCritical(); + + Vector attrV = new Vector(); + for (int i = 0; i < size; i++) { + NameValuePairs nvps = v.elementAt(i); + String attrName = null; + String attrValue = null; + String enable = "false"; + + for (String name1 : nvps.keySet()) { + + if (name1.equals(ATTR_NAME)) { + attrName = nvps.get(name1); + } else if (name1.equals(ATTR_VALUE)) { + attrValue = nvps.get(name1); + } else if (name1.equals(ENABLE)) { + enable = nvps.get(name1); + } + } + + if (enable.equals("true")) { + AttributeConfig attributeConfig = + new AttributeConfig(attrName, attrValue); + Attribute attr = attributeConfig.mAttribute; + if (attr != null) + attrV.addElement(attr); + } + } + + if (attrV.size() > 0) { + Attribute[] attrList = new Attribute[attrV.size()]; + attrV.copyInto(attrList); + ext = new SubjectDirAttributesExtension(attrList, critical); + } else + return; + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(PKIXExtensions.SubjectDirectoryAttributes_Id.toString(), + ext, info); + } catch (EProfileException e) { + CMS.debug("SubjectDirAttributesExtDefault: setValue " + + 
e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (IOException e) { + CMS.debug("SubjectDirAttributesExtDefault: setValue " + + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + SubjectDirAttributesExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (SubjectDirAttributesExtension) + getExtension(PKIXExtensions.SubjectDirectoryAttributes_Id.toString(), + info); + + if (name.equals(VAL_CRITICAL)) { + ext = (SubjectDirAttributesExtension) + getExtension(PKIXExtensions.SubjectDirectoryAttributes_Id.toString(), + info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_ATTR)) { + ext = (SubjectDirAttributesExtension) + getExtension(PKIXExtensions.SubjectDirectoryAttributes_Id.toString(), + info); + + if (ext == null) + return ""; + + X500NameAttrMap map = X500NameAttrMap.getDefault(); + + Vector recs = new Vector(); + int num = getNumAttrs(); + Enumeration e = ext.getAttributesList(); + CMS.debug("SubjectDirAttributesExtDefault: getValue: attributesList=" + e); + int i = 0; + + while (e.hasMoreElements()) { + NameValuePairs pairs = new NameValuePairs(); + pairs.put(ENABLE, "true"); + Attribute attr = e.nextElement(); + CMS.debug("SubjectDirAttributesExtDefault: getValue: attribute=" + attr); + ObjectIdentifier oid = attr.getOid(); + CMS.debug("SubjectDirAttributesExtDefault: getValue: oid=" + oid); + + String vv = map.getName(oid); + + if (vv != null) + pairs.put(ATTR_NAME, vv); + else + pairs.put(ATTR_NAME, oid.toString()); + Enumeration v = attr.getValues(); + + // just support single value for now + StringBuffer ss = new 
StringBuffer(); + while (v.hasMoreElements()) { + if (ss.length() == 0) + ss.append((String) (v.nextElement())); + else { + ss.append(","); + ss.append((String) (v.nextElement())); + } + } + + pairs.put(ATTR_VALUE, ss.toString()); + recs.addElement(pairs); + i++; + } + + for (; i < num; i++) { + NameValuePairs pairs = new NameValuePairs(); + pairs.put(ENABLE, "false"); + pairs.put(ATTR_NAME, "GENERATIONQUALIFIER"); + pairs.put(ATTR_VALUE, ""); + recs.addElement(pairs); + } + + return buildRecords(recs); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + StringBuffer sb = new StringBuffer(); + int num = getNumAttrs(); + + for (int i = 0; i < num; i++) { + sb.append("Record #"); + sb.append(i); + sb.append("{"); + sb.append(ATTR_NAME + ":"); + sb.append(getConfig(CONFIG_ATTR_NAME + i)); + sb.append(","); + sb.append(ATTR_VALUE + ":"); + sb.append(getConfig(CONFIG_PATTERN + i)); + sb.append(","); + sb.append(ENABLE + ":"); + sb.append(getConfig(CONFIG_ENABLE + i)); + sb.append("}"); + } + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_SUBJECT_DIR_ATTR_EXT", + getConfig(CONFIG_CRITICAL), + sb.toString()); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + SubjectDirAttributesExtension ext = createExtension(request); + + if (ext == null) + return; + + addExtension(PKIXExtensions.SubjectDirectoryAttributes_Id.toString(), + ext, info); + } + + public SubjectDirAttributesExtension createExtension(IRequest request) + throws EProfileException { + SubjectDirAttributesExtension ext = null; + int num = 0; + + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + num = getNumAttrs(); + + AttributeConfig attributeConfig = null; + Vector attrs = new Vector(); + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_ENABLE + i); + if (enable != null && enable.equals("true")) { + String attrName = getConfig(CONFIG_ATTR_NAME + i); + String pattern = getConfig(CONFIG_PATTERN + i); + if (pattern == null || pattern.equals("")) + pattern = " "; + + //check pattern syntax + int startpos = pattern.indexOf("$"); + int lastpos = pattern.lastIndexOf("$"); + String attrValue = pattern; + if (!pattern.equals("") && startpos != -1 && + startpos == 0 && lastpos != -1 && + lastpos == (pattern.length() - 1)) { + if (request != null) { + try { + attrValue = mapPattern(request, pattern); + } catch (IOException e) { + throw new EProfileException(e.toString()); + } + } + } + try { + attributeConfig = new AttributeConfig(attrName, attrValue); + } catch (EPropertyException e) { + throw new EProfileException(e.toString()); + } + Attribute attr = attributeConfig.mAttribute; + if (attr != null) { + attrs.addElement(attr); + } + } + } + + if (attrs.size() > 0) { + Attribute[] attrList = new Attribute[attrs.size()]; + attrs.copyInto(attrList); + try { + ext = + new SubjectDirAttributesExtension(attrList, critical); + } catch (IOException e) { + throw new EProfileException(e.toString()); + } + } + + return ext; + } +} + +class AttributeConfig { + + protected ObjectIdentifier mAttributeOID = null; + protected Attribute mAttribute = null; + + public 
AttributeConfig(String attrName, String attrValue) + throws EPropertyException { + X500NameAttrMap map = X500NameAttrMap.getDefault(); + + if (attrName == null || attrName.length() == 0) { + throw new EPropertyException( + CMS.getUserMessage("CMS_PROFILE_SUBJDIR_EMPTY_ATTRNAME", attrName)); + } + + if (attrValue == null || attrValue.length() == 0) { + throw new EPropertyException( + CMS.getUserMessage("CMS_PROFILE_SUBJDIR_EMPTY_ATTRVAL", attrValue)); + } + + try { + mAttributeOID = new ObjectIdentifier(attrName); + } catch (Exception e) { + CMS.debug("SubjectDirAttributesExtDefault: invalid OID syntax: " + attrName); + } + + if (mAttributeOID == null) { + mAttributeOID = map.getOid(attrName); + if (mAttributeOID == null) + throw new EPropertyException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", attrName)); + try { + checkValue(mAttributeOID, attrValue); + } catch (IOException e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTR_VALUE", e.getMessage())); + } + } + + try { + mAttribute = new Attribute(mAttributeOID, + str2MultiValues(attrValue)); + } catch (IOException e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTR_VALUE", e.getMessage())); + } + } + + private static void checkValue(ObjectIdentifier oid, String val) + throws IOException { + AVAValueConverter c = X500NameAttrMap.getDefault().getValueConverter(oid); + + @SuppressWarnings("unused") + DerValue derval = c.getValue(val); // check for errors + return; + } + + private Vector str2MultiValues(String attrValue) { + StringTokenizer tokenizer = new StringTokenizer(attrValue, ","); + Vector v = new Vector(); + while (tokenizer.hasMoreTokens()) { + v.addElement(tokenizer.nextToken()); + } + + return v; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/SubjectInfoAccessExtDefault.java b/base/common/src/com/netscape/cms/profile/def/SubjectInfoAccessExtDefault.java new file mode 100644 index 000000000..8ea7533cc --- /dev/null 
+++ b/base/common/src/com/netscape/cms/profile/def/SubjectInfoAccessExtDefault.java 
@@ -0,0 +1,448 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.extensions.AccessDescription; +import netscape.security.extensions.SubjectInfoAccessExtension; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.GeneralName; +import netscape.security.x509.GeneralNameInterface; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates Subject Info Access extension. 
+ * + * @version $Revision$, $Date$ + */ +public class SubjectInfoAccessExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "subjInfoAccessCritical"; + public static final String CONFIG_NUM_ADS = "subjInfoAccessNumADs"; + public static final String CONFIG_AD_ENABLE = "subjInfoAccessADEnable_"; + public static final String CONFIG_AD_METHOD = "subjInfoAccessADMethod_"; + public static final String CONFIG_AD_LOCATIONTYPE = "subjInfoAccessADLocationType_"; + public static final String CONFIG_AD_LOCATION = "subjInfoAccessADLocation_"; + + public static final String VAL_CRITICAL = "subjInfoAccessCritical"; + public static final String VAL_GENERAL_NAMES = "subjInfoAccessGeneralNames"; + + private static final String AD_METHOD = "Method"; + private static final String AD_LOCATION_TYPE = "Location Type"; + private static final String AD_LOCATION = "Location"; + private static final String AD_ENABLE = "Enable"; + + private static final int DEF_NUM_AD = 1; + private static final int MAX_NUM_AD = 100; + + public SubjectInfoAccessExtDefault() { + super(); + } + + protected int getNumAds() { + int num = DEF_NUM_AD; + String numAds = getConfig(CONFIG_NUM_ADS); + + if (numAds != null) { + try { + num = Integer.parseInt(numAds); + } catch (NumberFormatException e) { + // ignore + } + } + if (num >= MAX_NUM_AD) + num = DEF_NUM_AD; + + return num; + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + refreshConfigAndValueNames(); + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(CONFIG_NUM_ADS)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_AD || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_ADS)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_ADS)); + } + } + 
super.setConfig(name, value); + } + + public Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void refreshConfigAndValueNames() { + super.refreshConfigAndValueNames(); + + addValueName(VAL_CRITICAL); + addValueName(VAL_GENERAL_NAMES); + + // register configuration names bases on num ads + addConfigName(CONFIG_CRITICAL); + int num = getNumAds(); + addConfigName(CONFIG_NUM_ADS); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_AD_METHOD + i); + addConfigName(CONFIG_AD_LOCATIONTYPE + i); + addConfigName(CONFIG_AD_LOCATION + i); + addConfigName(CONFIG_AD_ENABLE + i); + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_AD_METHOD)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_AD_METHOD")); + } else if (name.startsWith(CONFIG_AD_LOCATIONTYPE)) { + return new Descriptor(IDescriptor.CHOICE, + "RFC822Name,DNSName,DirectoryName,EDIPartyName,URIName,IPAddress,OIDName", + "URIName", + CMS.getUserMessage(locale, "CMS_PROFILE_AD_LOCATIONTYPE")); + } else if (name.startsWith(CONFIG_AD_LOCATION)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_AD_LOCATION")); + } else if (name.startsWith(CONFIG_AD_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_AD_ENABLE")); + } else if (name.startsWith(CONFIG_NUM_ADS)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_ADS")); + } + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + 
CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_GENERAL_NAMES)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_GENERAL_NAMES")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + SubjectInfoAccessExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + SubjectInfoAccessExtension a = new SubjectInfoAccessExtension(false); + ObjectIdentifier oid = a.getExtensionId(); + + ext = (SubjectInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + + ext = (SubjectInfoAccessExtension) + getExtension(oid.toString(), info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_GENERAL_NAMES)) { + + ext = (SubjectInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return; + } + boolean critical = ext.isCritical(); + + Vector v = parseRecords(value); + int size = v.size(); + + ext = new SubjectInfoAccessExtension(critical); + String method = null; + String locationType = null; + String location = null; + String enable = null; + + for (int i = 0; i < size; i++) { + NameValuePairs nvps = v.elementAt(i); + + for (String name1 : nvps.keySet()) { + + if (name1.equals(AD_METHOD)) { + method = nvps.get(name1); + } else if (name1.equals(AD_LOCATION_TYPE)) { + locationType = nvps.get(name1); + } else if (name1.equals(AD_LOCATION)) { + location = nvps.get(name1); + } else if (name1.equals(AD_ENABLE)) { + enable = nvps.get(name1); + } + } + + if (enable != null && enable.equals("true")) { + GeneralName gn = null; + + if (locationType != null || location != null) { + GeneralNameInterface 
interface1 = parseGeneralName(locationType + ":" + location); + if (interface1 == null) + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", locationType)); + gn = new GeneralName(interface1); + } + + if (method != null) { + try { + ext.addAccessDescription(new ObjectIdentifier(method), gn); + } catch (NumberFormatException ee) { + CMS.debug("SubjectInfoAccessExtDefault: " + ee.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_PROFILE_DEF_SIA_OID", method)); + } + } + } + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(ext.getExtensionId().toString(), ext, info); + } catch (IOException e) { + CMS.debug("SubjectInfoAccessExtDefault: " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (EProfileException e) { + CMS.debug("SubjectInfoAccessExtDefault: " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + SubjectInfoAccessExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + SubjectInfoAccessExtension a = new SubjectInfoAccessExtension(false); + ObjectIdentifier oid = a.getExtensionId(); + + ext = (SubjectInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + CMS.debug("SubjectInfoAccessExtDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + if (name.equals(VAL_CRITICAL)) { + + ext = (SubjectInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { 
+ return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_GENERAL_NAMES)) { + + ext = (SubjectInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) + return ""; + + int num = getNumAds(); + + CMS.debug("SubjectInfoAccess num=" + num); + Vector recs = new Vector(); + + for (int i = 0; i < num; i++) { + NameValuePairs np = new NameValuePairs(); + AccessDescription des = null; + + if (i < ext.numberOfAccessDescription()) { + des = ext.getAccessDescription(i); + } + if (des == null) { + np.put(AD_METHOD, ""); + np.put(AD_LOCATION_TYPE, ""); + np.put(AD_LOCATION, ""); + np.put(AD_ENABLE, "false"); + } else { + ObjectIdentifier methodOid = des.getMethod(); + GeneralName gn = des.getLocation(); + + np.put(AD_METHOD, methodOid.toString()); + np.put(AD_LOCATION_TYPE, getGeneralNameType(gn)); + np.put(AD_LOCATION, getGeneralNameValue(gn)); + np.put(AD_ENABLE, "true"); + } + recs.addElement(np); + } + + return buildRecords(recs); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + StringBuffer ads = new StringBuffer(); + int num = getNumAds(); + + for (int i = 0; i < num; i++) { + ads.append("Record #"); + ads.append(i); + ads.append("{"); + ads.append(AD_METHOD + ":"); + ads.append(getConfig(CONFIG_AD_METHOD + i)); + ads.append(","); + ads.append(AD_LOCATION_TYPE + ":"); + ads.append(getConfig(CONFIG_AD_LOCATIONTYPE + i)); + ads.append(","); + ads.append(AD_LOCATION + ":"); + ads.append(getConfig(CONFIG_AD_LOCATION + i)); + ads.append(","); + ads.append(AD_ENABLE + ":"); + ads.append(getConfig(CONFIG_AD_ENABLE + i)); + ads.append("}"); + } + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_SIA_TEXT", + getConfig(CONFIG_CRITICAL), ads.toString()); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + SubjectInfoAccessExtension ext = createExtension(); + + addExtension(ext.getExtensionId().toString(), ext, info); + } + + public SubjectInfoAccessExtension createExtension() { + SubjectInfoAccessExtension ext = null; + int num = getNumAds(); + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + ext = new SubjectInfoAccessExtension(critical); + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_AD_ENABLE + i); + if (enable != null && enable.equals("true")) { + CMS.debug("SubjectInfoAccess: createExtension i=" + i); + String method = getConfig(CONFIG_AD_METHOD + i); + String locationType = getConfig(CONFIG_AD_LOCATIONTYPE + i); + if (locationType == null || locationType.length() == 0) + locationType = "URIName"; + String location = getConfig(CONFIG_AD_LOCATION + i); + + if (location == null || location.equals("")) { + if (method.equals("1.3.6.1.5.5.7.48.1")) { + String hostname = CMS.getEENonSSLHost(); + String port = CMS.getEENonSSLPort(); + if (hostname != null && port != null) + location = "http://" + hostname + ":" + port + "/ocsp"; + } + } + + String s = locationType + ":" + location; + GeneralNameInterface gn = parseGeneralName(s); + if (gn != null) { + ext.addAccessDescription(new ObjectIdentifier(method), + new GeneralName(gn)); + } + } + } + } catch (Exception e) { + CMS.debug("SubjectInfoAccessExtDefault: createExtension " + + e.toString()); + } + + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java b/base/common/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java new file mode 100644 index 000000000..9476e45f6 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java 
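Review bot: createExtension() catches Exception, logs it and still returns the partially built ext, so a malformed method OID or location in one access-description slot is silently dropped from the issued certificate instead of failing the profile, and an unset CONFIG_AD_METHOD makes `method.equals("1.3.6.1.5.5.7.48.1")` throw NullPointerException into that same catch. Since populate() already declares EProfileException, the catch should propagate: `catch (Exception e) { CMS.debug("SubjectInfoAccessExtDefault: createExtension " + e.toString()); throw new EProfileException(e.toString()); }` with `createExtension()` declared `throws EProfileException`. The setValue() path has a related gap: `if (locationType != null || location != null)` lets a record with one null half through as the literal text "null" in parseGeneralName, and a record with both missing is added as an access description with a null location; an enabled record should require both values and otherwise throw the CMS_INVALID_PROPERTY EPropertyException used elsewhere in the method. The `catch (NumberFormatException ee)` around `new ObjectIdentifier(method)` only covers one failure mode of OID parsing, so a comment noting which exception that constructor actually throws would help whoever tightens it.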
@@ -0,0 +1,217 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.Locale; + +import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.KeyIdentifier; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.SubjectKeyIdentifierExtension; +import netscape.security.x509.X509CertInfo; +import netscape.security.x509.X509Key; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a subject key identifier extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class SubjectKeyIdentifierExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "critical"; + + public static final String VAL_CRITICAL = "critical"; + public static final String VAL_KEY_ID = "keyid"; + + public SubjectKeyIdentifierExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_KEY_ID); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_KEY_ID)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_ID")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_CRITICAL)) { + // read-only; do nothing + } else if (name.equals(VAL_KEY_ID)) { + // read-only; do nothing + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + SubjectKeyIdentifierExtension ext = + (SubjectKeyIdentifierExtension) getExtension( + PKIXExtensions.SubjectKey_Id.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + 
} + + if (name.equals(VAL_CRITICAL)) { + ext = + (SubjectKeyIdentifierExtension) getExtension( + PKIXExtensions.SubjectKey_Id.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_KEY_ID)) { + ext = + (SubjectKeyIdentifierExtension) getExtension( + PKIXExtensions.SubjectKey_Id.toString(), info); + + if (ext == null) { + return null; + } + KeyIdentifier kid = null; + + try { + kid = (KeyIdentifier) + ext.get(SubjectKeyIdentifierExtension.KEY_ID); + } catch (IOException e) { + CMS.debug("SubjectKeyIdentifierExtDefault::getValue() - " + + "kid is null!"); + throw new EPropertyException(CMS.getUserMessage(locale, + "CMS_INVALID_PROPERTY", + name)); + } + return toHexString(kid.getIdentifier()); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_SUBJECT_KEY_ID_EXT"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + SubjectKeyIdentifierExtension ext = createExtension(info); + + addExtension(PKIXExtensions.SubjectKey_Id.toString(), ext, info); + } + + public SubjectKeyIdentifierExtension createExtension(X509CertInfo info) { + KeyIdentifier kid = getKeyIdentifier(info); + + if (kid == null) { + CMS.debug("SubjectKeyIdentifierExtDefault: KeyIdentifier not found"); + return null; + } + SubjectKeyIdentifierExtension ext = null; + + boolean critical = Boolean.valueOf(getConfig(CONFIG_CRITICAL)).booleanValue(); + + try { + ext = new SubjectKeyIdentifierExtension(critical, kid.getIdentifier()); + } catch (IOException e) { + CMS.debug("SubjectKeyIdentifierExtDefault: createExtension " + + e.toString()); + // + } + return ext; + } + + public KeyIdentifier getKeyIdentifier(X509CertInfo info) { + try { + CertificateX509Key infokey = (CertificateX509Key) + info.get(X509CertInfo.KEY); + X509Key key = (X509Key) infokey.get(CertificateX509Key.KEY); + MessageDigest md = MessageDigest.getInstance("SHA-1"); + + md.update(key.getKey()); + byte[] hash = md.digest(); + + return new KeyIdentifier(hash); + } catch (NoSuchAlgorithmException e) { + CMS.debug("SubjectKeyIdentifierExtDefault: getKeyIdentifier " + + e.toString()); + } catch (Exception e) { + CMS.debug("SubjectKeyIdentifierExtDefault: getKeyIdentifier " + + e.toString()); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/SubjectNameDefault.java b/base/common/src/com/netscape/cms/profile/def/SubjectNameDefault.java new file mode 100644 index 000000000..479219b84 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/SubjectNameDefault.java 
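Review bot: populate() hands a null extension to addExtension() when createExtension() cannot derive a key identifier (no KEY in the template, or the extension constructor threw), because createExtension() returns null in both cases and populate() never checks; SubjectDirAttributesExtDefault.populate() in this same commit guards with `if (ext == null) return;`, and this one should do the same or, better, throw EProfileException so a template without a public key does not continue silently. In getValue(), if `ext.get(SubjectKeyIdentifierExtension.KEY_ID)` returns null rather than throwing, the following `kid.getIdentifier()` raises NullPointerException instead of the EPropertyException the "kid is null!" log message promises — add `if (kid == null) throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));` before that return. The SHA-1 in getKeyIdentifier() is the RFC 5280 §4.2.1.2 method (1) derivation of an identifier, not an integrity or authentication hash, so it is acceptable here, but a comment saying so will stop the next scan from flagging it: `// RFC 5280 4.2.1.2 method (1): SHA-1 of the public key is an identifier, not a security hash`. The separate `catch (NoSuchAlgorithmException)` and `catch (Exception)` there log the identical message and can be collapsed into one.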
@@ -0,0 +1,184 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates server-side configurable subject name + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class SubjectNameDefault extends EnrollDefault { + + public static final String CONFIG_NAME = "name"; + + public static final String VAL_NAME = "name"; + + public SubjectNameDefault() { + super(); + addValueName(VAL_NAME); + addConfigName(CONFIG_NAME); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_NAME)) { + return new Descriptor(IDescriptor.STRING, + null, "CN=TEST", CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_NAME)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + X500Name x500name = null; + + try { + x500name = new X500Name(value); + if (x500name != null) { + CMS.debug("SubjectNameDefault: setValue x500name=" + x500name.toString()); + } + } catch (IOException e) { + CMS.debug("SubjectNameDefault: setValue " + e.toString()); + // failed to build x500 name + } + CMS.debug("SubjectNameDefault: setValue name=" + x500name.toString()); + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(x500name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("SubjectNameDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } 
+ } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + CertificateSubjectName sn = null; + + try { + CMS.debug("SubjectNameDefault: getValue info=" + info); + sn = (CertificateSubjectName) + info.get(X509CertInfo.SUBJECT); + CMS.debug("SubjectNameDefault: getValue name=" + sn); + return sn.toString(); + } catch (Exception e) { + // nothing + CMS.debug("SubjectNameDefault: getValue " + e.toString()); + + } + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_SUBJECT_NAME", + getConfig(CONFIG_NAME)); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + X500Name name = null; + + String subjectName = null; + + try { + subjectName = mapPattern(request, getConfig(CONFIG_NAME)); + } catch (IOException e) { + CMS.debug("SubjectNameDefault: mapPattern " + e.toString()); + } + + CMS.debug("subjectName=" + subjectName); + if (subjectName == null || subjectName.equals("")) + return; + try { + name = new X500Name(subjectName); + } catch (IOException e) { + // failed to build x500 name + CMS.debug("SubjectNameDefault: populate " + e.toString()); + } + if (name == null) { + // failed to build x500 name + } + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("SubjectNameDefault: populate " + e.toString()); + } + } +} 
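Review bot: populate() still installs a subject after `new X500Name(subjectName)` fails — `name` stays null, the empty `if (name == null) { }` branch does nothing, and `new CertificateSubjectName(null)` is either set into the template or its exception is swallowed by the catch below — so a request whose mapped subject pattern does not parse proceeds through the profile instead of being rejected; that empty branch should become `throw new EProfileException("SubjectNameDefault: invalid subject name " + subjectName);`. setValue() has the same gap: after a failed parse the debug line `x500name.toString()` throws NullPointerException, so add `if (x500name == null) throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));` directly after the try/catch. Security caveat: mapPattern() (outside this hunk) substitutes request attributes into the DN string before it is parsed; if those values are inserted verbatim, a requester-controlled value containing `,` or `+` can add RDNs to the issued subject, so that escaping is worth confirming and the comment `// request-supplied values must be RFC 4514-escaped before the DN is parsed` belongs above the mapPattern call.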
diff --git a/base/common/src/com/netscape/cms/profile/def/UserExtensionDefault.java b/base/common/src/com/netscape/cms/profile/def/UserExtensionDefault.java new file mode 100644 index 000000000..46a78c731 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/UserExtensionDefault.java 
@@ -0,0 +1,136 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.util.Locale; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.Extension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IEnrollProfile; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a user-supplied extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class UserExtensionDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "userExtCritical"; + public static final String CONFIG_OID = "userExtOID"; + + public static final String VAL_CRITICAL = "userExtCritical"; + public static final String VAL_OID = "userExtOID"; + + public UserExtensionDefault() { + super(); + addValueName(VAL_OID); + addConfigName(CONFIG_OID); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_OID)) { + return new Descriptor(IDescriptor.STRING, null, + "Comment Here...", + CMS.getUserMessage(locale, "CMS_PROFILE_OID")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_OID)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_OID")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + // Nothing to do for read-only values + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_OID)) { + Extension ext = getExtension(getConfig(CONFIG_OID), info); + + if (ext == null) { + // do something here + return ""; + } + return ext.getExtensionId().toString(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_USER_EXT", getConfig(CONFIG_OID)); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + CertificateExtensions inExts = null; + String oid = getConfig(CONFIG_OID); + + inExts = request.getExtDataInCertExts(IEnrollProfile.REQUEST_EXTENSIONS); + if (inExts == null) + return; + Extension ext = getExtension(getConfig(CONFIG_OID), inExts); + if (ext == null) { + CMS.debug("UserExtensionDefault: no user ext supplied for " + oid); + return; + } + + // user supplied the ext that's allowed, replace the def set by system + deleteExtension(oid, info); + CMS.debug("UserExtensionDefault: using user supplied ext for " + oid); + addExtension(oid, ext, info); + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/UserKeyDefault.java b/base/common/src/com/netscape/cms/profile/def/UserKeyDefault.java new file mode 100644 index 000000000..b1dc9d116 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/UserKeyDefault.java 
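Review bot: `CONFIG_CRITICAL` and `VAL_CRITICAL` are declared in UserExtensionDefault but never registered with addConfigName/addValueName and never read, so the critical flag of the extension that populate copies into the template is whatever the requester put in the extension object; either drop the two constants or apply the configured criticality to `ext` before `addExtension(oid, ext, info)`. The descriptor for CONFIG_OID still carries the placeholder text `"Comment Here..."` where the other defaults put null or a real default, and the `// do something here` branch of getValue should state that an empty string is the intended read-only value when no matching extension is present. The populate Javadoc is inherited boilerplate: the method writes into `info`, not the request, so `Copies the requester-supplied extension with the configured OID from the request into the certificate template, replacing any extension the system already set for that OID.` describes what the code does.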
@@ -0,0 +1,233 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.ByteArrayInputStream; +import java.math.BigInteger; +import java.security.interfaces.DSAParams; +import java.util.Locale; + +import netscape.security.provider.DSAPublicKey; +import netscape.security.provider.RSAPublicKey; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.X509CertInfo; +import netscape.security.x509.X509Key; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IEnrollProfile; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a user supplied key + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class UserKeyDefault extends EnrollDefault { + + public static final String VAL_KEY = "KEY"; + public static final String VAL_LEN = "LEN"; + public static final String VAL_TYPE = "TYPE"; + + public UserKeyDefault() { + super(); + addValueName(VAL_TYPE); + addValueName(VAL_LEN); + addValueName(VAL_KEY); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_KEY)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_KEY")); + } else if (name.equals(VAL_LEN)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_LEN")); + } else if (name.equals(VAL_TYPE)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_TYPE")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + // this default rule is readonly + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_KEY)) { + CertificateX509Key ck = null; + + try { + ck = (CertificateX509Key) + info.get(X509CertInfo.KEY); + } catch (Exception e) { + // nothing + } + X509Key k = null; + + try { + k = (X509Key) + ck.get(CertificateX509Key.KEY); + } catch (Exception e) { + // nothing + } + if (k == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_PROFILE_KEY_NOT_FOUND")); + } + return toHexString(k.getKey()); + } else if (name.equals(VAL_LEN)) { + CertificateX509Key ck = null; + + try { + ck = 
(CertificateX509Key) + info.get(X509CertInfo.KEY); + } catch (Exception e) { + // nothing + } + X509Key k = null; + + try { + k = (X509Key) + ck.get(CertificateX509Key.KEY); + } catch (Exception e) { + // nothing + } + if (k == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_PROFILE_KEY_NOT_FOUND")); + } + try { + if (k.getAlgorithm().equals("RSA")) { + return Integer.toString(getRSAKeyLen(k)); + } else { + return Integer.toString(getDSAKeyLen(k)); + } + } catch (Exception e) { + CMS.debug("UserKeyDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_TYPE)) { + CertificateX509Key ck = null; + + try { + ck = (CertificateX509Key) + info.get(X509CertInfo.KEY); + } catch (Exception e) { + // nothing + } + X509Key k = null; + + try { + k = (X509Key) + ck.get(CertificateX509Key.KEY); + } catch (Exception e) { + // nothing + } + if (k == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_PROFILE_KEY_NOT_FOUND")); + } + return k.getAlgorithm() + " - " + + k.getAlgorithmId().getOID().toString(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_USER_KEY"); + } + + public int getRSAKeyLen(X509Key key) throws Exception { + X509Key newkey = null; + + try { + newkey = new X509Key(AlgorithmId.get("RSA"), + key.getKey()); + } catch (Exception e) { + CMS.debug("UserKeyDefault: getRSAKey " + e.toString()); + throw e; + } + RSAPublicKey rsaKey = new RSAPublicKey(newkey.getEncoded()); + + return rsaKey.getKeySize(); + } + + public int getDSAKeyLen(X509Key key) throws Exception { + // Check DSAKey parameters. + // size refers to the p parameter. 
+ DSAPublicKey dsaKey = new DSAPublicKey(key.getEncoded()); + DSAParams keyParams = dsaKey.getParams(); + BigInteger p = keyParams.getP(); + int len = p.bitLength(); + + return len; + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + CertificateX509Key certKey = null; + // authenticate the certificate key, and move + // the key from request into x509 certinfo + try { + byte[] certKeyData = request.getExtDataInByteArray(IEnrollProfile.REQUEST_KEY); + if (certKeyData != null) { + certKey = new CertificateX509Key( + new ByteArrayInputStream(certKeyData)); + } + info.set(X509CertInfo.KEY, certKey); + } catch (Exception e) { + CMS.debug("UserKeyDefault: populate " + e.toString()); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/UserSigningAlgDefault.java b/base/common/src/com/netscape/cms/profile/def/UserSigningAlgDefault.java new file mode 100644 index 000000000..4aeed6ba3 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/UserSigningAlgDefault.java 
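Review bot: UserKeyDefault.populate catches every exception from decoding the request's key bytes and only logs it, and when the request carries no key it still executes `info.set(X509CertInfo.KEY, certKey)` with a null value, so a malformed or missing key leaves the template without a key instead of failing the request; unless a later step is known to reject such a template, the catch should rethrow as `throw new EProfileException(CMS.getUserMessage(getLocale(request), "CMS_INVALID_PROPERTY", X509CertInfo.KEY));` as ValidityDefault.populate already does. The same swallow-and-continue pattern is in UserSigningAlgDefault.populate and UserValidityDefault.populate. The comment `// authenticate the certificate key` does not match the code, which performs no check beyond DER decoding; suggest `// decode the requester-supplied key from the request and store it in the template; no validation is done here`. In getValue the CertificateX509Key/X509Key extraction is repeated three times and relies on a caught NullPointerException when KEY is absent; a private helper that returns the X509Key or throws the CMS_PROFILE_KEY_NOT_FOUND EPropertyException would remove both the duplication and the NPE path. Note also that any non-RSA key is sent to getDSAKeyLen, so if this code path can see EC keys their length lookup will fail and surface as CMS_INVALID_PROPERTY.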
@@ -0,0 +1,126 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.ByteArrayInputStream;
+import java.util.Locale;
+
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.CertificateAlgorithmId;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IEnrollProfile;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates a user-supplied signing algorithm
+ * into the certificate template.
+ *
+ * @version $Revision$, $Date$
+ */
+public class UserSigningAlgDefault extends EnrollDefault {
+
+ public static final String VAL_ALG_ID = "userSigningAlgID";
+
+ public UserSigningAlgDefault() {
+ super();
+ addValueName(VAL_ALG_ID);
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ super.init(profile, config);
+ }
+
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ if (name.equals(VAL_ALG_ID)) {
+ return new Descriptor(IDescriptor.STRING,
+ IDescriptor.READONLY, null,
+ CMS.getUserMessage(locale,
+ "CMS_PROFILE_SIGNING_ALGORITHM"));
+ } else {
+ return null;
+ }
+ }
+
+ public void setValue(String name, Locale locale,
+ X509CertInfo info, String value)
+ throws EPropertyException {
+ // this default rule is readonly
+ }
+
+ public String getValue(String name, Locale locale,
+ X509CertInfo info)
+ throws EPropertyException {
+ if (name == null) {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+ if (name.equals(VAL_ALG_ID)) {
+ CertificateAlgorithmId algID = null;
+
+ try {
+ algID = (CertificateAlgorithmId)
+ info.get(X509CertInfo.ALGORITHM_ID);
+ AlgorithmId id = (AlgorithmId)
+ algID.get(CertificateAlgorithmId.ALGORITHM);
+
+ return id.toString();
+ } catch (Exception e) {
+ CMS.debug("UserSigningAlgDefault: setValue " + e.toString());
+ return ""; //XXX
+ }
+ } else {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+ }
+
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_USER_SIGNING_ALGORITHM");
+ }
+
+ /**
+ * Populates the request with this policy default.
+ */
+ public void populate(IRequest request, X509CertInfo info)
+ throws EProfileException {
+ CertificateAlgorithmId certAlg = null;
+ // authenticate the certificate key, and move
+ // the key from request into x509 certinfo
+ try {
+ byte[] certAlgData = request.getExtDataInByteArray(
+ IEnrollProfile.REQUEST_SIGNING_ALGORITHM);
+ if (certAlgData != null) {
+ certAlg = new CertificateAlgorithmId(
+ new ByteArrayInputStream(certAlgData));
+ }
+ info.set(X509CertInfo.ALGORITHM_ID, certAlg);
+ } catch (Exception e) {
+ CMS.debug("UserSigningAlgDefault: populate " + e.toString());
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java b/base/common/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
new file mode 100644
index 000000000..65456e256
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
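Review bot: The debug message in UserSigningAlgDefault.getValue is labelled with the wrong method, `CMS.debug("UserSigningAlgDefault: setValue " + e.toString());` should read `CMS.debug("UserSigningAlgDefault: getValue " + e.toString());`. The `return ""; //XXX` in the same catch turns a missing or unreadable ALGORITHM_ID into an empty display value, whereas UserValidityDefault.getValue throws the CMS_INVALID_PROPERTY EPropertyException in the equivalent situation; the two read-only defaults should agree. The comment in populate, `// authenticate the certificate key, and move the key from request into x509 certinfo`, was copied from UserKeyDefault and describes neither the signing algorithm nor any authentication; `// decode the requester-supplied signing algorithm from the request and store it in the template` matches the code.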
@@ -0,0 +1,143 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IEnrollProfile; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a user-supplied subject name + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class UserSubjectNameDefault extends EnrollDefault { + + public static final String VAL_NAME = "name"; + + public UserSubjectNameDefault() { + super(); + addValueName(VAL_NAME); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_NAME)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + X500Name x500name = null; + + try { + x500name = new X500Name(value); + } catch (IOException e) { + CMS.debug(e.toString()); + // failed to build x500 name + } + CMS.debug("SubjectNameDefault: setValue name=" + x500name); + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(x500name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("UserSubjectNameDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + CertificateSubjectName sn = null; + + try { + sn = (CertificateSubjectName) + info.get(X509CertInfo.SUBJECT); + return sn.toString(); + } catch (Exception e) { + // nothing + } + throw new 
EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_USER_SUBJECT_NAME"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + // authenticate the subject name and populate it + // to the certinfo + try { + info.set(X509CertInfo.SUBJECT, request.getExtDataInCertSubjectName( + IEnrollProfile.REQUEST_SUBJECT_NAME)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("UserSubjectNameDefault: populate " + e.toString()); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/UserValidityDefault.java b/base/common/src/com/netscape/cms/profile/def/UserValidityDefault.java new file mode 100644 index 000000000..3fadb81fd --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/UserValidityDefault.java 
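Review bot: In UserSubjectNameDefault.setValue an unparseable value leaves `x500name` null after the caught IOException and the code goes on to build `new CertificateSubjectName(x500name)`, so the user sees a generic CMS_INVALID_PROPERTY from the second catch (or a null subject if the constructor tolerates it) rather than a parse failure; the IOException catch should itself `throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));`. The debug line `"SubjectNameDefault: setValue name="` in that method names the wrong class. In populate, `request.getExtDataInCertSubjectName(...)` may return null and the result is stored unchecked while the comment says `// authenticate the subject name`; no authentication happens here, so the comment should say `// copy the requester-supplied subject name from the request into the template`, and a null result deserves an explicit debug message or an EProfileException rather than a silent null subject.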
@@ -0,0 +1,149 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.ByteArrayInputStream; +import java.util.Date; +import java.util.Locale; + +import netscape.security.x509.CertificateValidity; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IEnrollProfile; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a user-supplied validity + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class UserValidityDefault extends EnrollDefault { + + public static final String VAL_NOT_BEFORE = "userValdityNotBefore"; + public static final String VAL_NOT_AFTER = "userValdityNotAfter"; + + public UserValidityDefault() { + super(); + addValueName(VAL_NOT_BEFORE); + addValueName(VAL_NOT_AFTER); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_NOT_BEFORE)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_BEFORE")); + } else if (name.equals(VAL_NOT_AFTER)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_AFTER")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + // this default rule is readonly + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NOT_BEFORE)) { + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + Date notBefore = (Date) + validity.get(CertificateValidity.NOT_BEFORE); + + return notBefore.toString(); + } catch (Exception e) { + CMS.debug("UserValidityDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_NOT_AFTER)) { + try { + CertificateValidity validity = null; + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + Date notAfter = (Date) + validity.get(CertificateValidity.NOT_AFTER); + + return 
notAfter.toString(); + } catch (Exception e) { + CMS.debug("UserValidityDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_USER_VALIDITY"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + CertificateValidity certValidity = null; + // authenticate the certificate key, and move + // the key from request into x509 certinfo + try { + byte[] certValidityData = request.getExtDataInByteArray( + IEnrollProfile.REQUEST_VALIDITY); + if (certValidityData != null) { + certValidity = new CertificateValidity(); + certValidity.decode( + new ByteArrayInputStream(certValidityData)); + } + info.set(X509CertInfo.VALIDITY, certValidity); + } catch (Exception e) { + CMS.debug("UserValidityDefault: populate " + e.toString()); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/ValidityDefault.java b/base/common/src/com/netscape/cms/profile/def/ValidityDefault.java new file mode 100644 index 000000000..ad06400f3 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/ValidityDefault.java 
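Review bot: The value names in UserValidityDefault are misspelled, `VAL_NOT_BEFORE = "userValdityNotBefore"` and `VAL_NOT_AFTER = "userValdityNotAfter"`; because these strings are the externally visible property names, correcting them would change the interface seen by profile configuration and UI code, so the typo should be fixed only together with whatever references the old names, or documented as intentional with a comment. The populate comment `// authenticate the certificate key, and move the key from request into x509 certinfo` is copied from UserKeyDefault and does not describe this method, which decodes a validity period from the request bytes and stores it without checking that notBefore precedes notAfter; presumably a validity constraint elsewhere enforces bounds, and the comment should say so or say that none is applied here. getValue builds the display string with `Date.toString()`, which depends on the JVM default time zone, while ValidityDefault formats with the explicit `DATE_FORMAT` pattern; the two should use the same formatting.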
@@ -0,0 +1,263 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.text.ParsePosition; +import java.text.SimpleDateFormat; +import java.util.Date; +import java.util.Locale; + +import netscape.security.x509.CertificateValidity; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a server-side configurable validity + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class ValidityDefault extends EnrollDefault { + public static final String CONFIG_RANGE = "range"; + public static final String CONFIG_START_TIME = "startTime"; + + public static final String VAL_NOT_BEFORE = "notBefore"; + public static final String VAL_NOT_AFTER = "notAfter"; + + public static final String DATE_FORMAT = "yyyy-MM-dd HH:mm:ss"; + + private long mDefault = 86400000; // 1 days + + public ValidityDefault() { + super(); + addConfigName(CONFIG_RANGE); + addConfigName(CONFIG_START_TIME); + addValueName(VAL_NOT_BEFORE); + addValueName(VAL_NOT_AFTER); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (name.equals(CONFIG_RANGE)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_RANGE)); + } + } else if (name.equals(CONFIG_START_TIME)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_START_TIME)); + } + } + super.setConfig(name, value); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_RANGE)) { + return new Descriptor(IDescriptor.STRING, + null, + "2922", + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_RANGE")); + } else if (name.equals(CONFIG_START_TIME)) { + return new Descriptor(IDescriptor.STRING, + null, + "60", /* 1 minute */ + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_START_TIME")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_NOT_BEFORE)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_BEFORE")); + } else if (name.equals(VAL_NOT_AFTER)) { + 
return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_AFTER")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (value == null || value.equals("")) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NOT_BEFORE)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + validity.set(CertificateValidity.NOT_BEFORE, + date); + } catch (Exception e) { + CMS.debug("ValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + validity.set(CertificateValidity.NOT_AFTER, + date); + } catch (Exception e) { + CMS.debug("ValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + + if (name == null) + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + + if (name.equals(VAL_NOT_BEFORE)) { + 
SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + return formatter.format((Date) + validity.get(CertificateValidity.NOT_BEFORE)); + } catch (Exception e) { + CMS.debug("ValidityDefault: getValue " + e.toString()); + } + throw new EPropertyException("Invalid valie"); + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + return formatter.format((Date) + validity.get(CertificateValidity.NOT_AFTER)); + } catch (Exception e) { + CMS.debug("ValidityDefault: getValue " + e.toString()); + } + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_VALIDITY", + getConfig(CONFIG_RANGE)); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + // always + 60 seconds + String startTimeStr = getConfig(CONFIG_START_TIME); + try { + startTimeStr = mapPattern(request, startTimeStr); + } catch (IOException e) { + CMS.debug("ValidityDefault: populate " + e.toString()); + } + + if (startTimeStr == null || startTimeStr.equals("")) { + startTimeStr = "60"; + } + int startTime = Integer.parseInt(startTimeStr); + Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime)); + long notAfterVal = 0; + + try { + String rangeStr = getConfig(CONFIG_RANGE); + rangeStr = mapPattern(request, rangeStr); + notAfterVal = notBefore.getTime() + + (mDefault * Integer.parseInt(rangeStr)); + } catch (Exception e) { + // configured value is not correct + CMS.debug("ValidityDefault: populate " + e.toString()); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_INVALID_PROPERTY", CONFIG_RANGE)); + } + Date notAfter = new Date(notAfterVal); + CertificateValidity validity = + new CertificateValidity(notBefore, notAfter); + + try { + info.set(X509CertInfo.VALIDITY, validity); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("ValidityDefault: populate " + e.toString()); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_INVALID_PROPERTY", X509CertInfo.VALIDITY)); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/nsHKeySubjectNameDefault.java b/base/common/src/com/netscape/cms/profile/def/nsHKeySubjectNameDefault.java new file mode 100644 index 000000000..6b5ab6bc0 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/nsHKeySubjectNameDefault.java 
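Review bot: ValidityDefault.getValue throws `new EPropertyException("Invalid valie")` in the NOT_BEFORE branch, an unlocalized message with a typo, while the NOT_AFTER branch throws the localized CMS_INVALID_PROPERTY message for the same failure; replace it with `throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));`. In setValue, `formatter.parse(value, pos)` returns null for a value that does not match DATE_FORMAT and that null is then stored as NOT_BEFORE or NOT_AFTER; both branches need `if (date == null) throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));` before the `validity.set` call. In populate, `Integer.parseInt(startTimeStr)` sits outside the try block, so a start time that becomes non-numeric after mapPattern substitution escapes as a NumberFormatException instead of the EProfileException the range branch produces. The leading comment `// always + 60 seconds` is stale now that the offset comes from CONFIG_START_TIME with 60 only as the fallback.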
@@ -0,0 +1,215 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates server-side configurable subject name + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class nsHKeySubjectNameDefault extends EnrollDefault { + + public static final String PROP_PARAMS = "params"; + public static final String CONFIG_DNPATTERN = "dnpattern"; + + public static final String VAL_NAME = "name"; + + /* default dn pattern if left blank or not set in the config */ + protected static String DEFAULT_DNPATTERN = + "CN=SecureMember - $request.tokencuid$, OU=Subscriber, O=Red Hat, C=US"; + + protected IConfigStore mParamsConfig; + + public nsHKeySubjectNameDefault() { + super(); + addConfigName(CONFIG_DNPATTERN); + + addValueName(CONFIG_DNPATTERN); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + CMS.debug("nsHKeySubjectNameDefault: in getConfigDescriptor, name=" + name); + if (name.equals(CONFIG_DNPATTERN)) { + return new Descriptor(IDescriptor.STRING, + null, null, CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + CMS.debug("nsHKeySubjectNameDefault: in getValueDescriptor name=" + name); + + if (name.equals(VAL_NAME)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + + CMS.debug("nsHKeySubjectNameDefault: in setValue, value=" + value); + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + X500Name x500name = null; + + try { + x500name = new X500Name(value); + } catch (IOException e) { + CMS.debug("nsHKeySubjectNameDefault: setValue " + e.toString()); + // failed to build x500 name + } + 
CMS.debug("nsHKeySubjectNameDefault: setValue name=" + x500name); + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(x500name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("nsHKeySubjectNameDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + CMS.debug("nsHKeySubjectNameDefault: in getValue, name=" + name); + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + CertificateSubjectName sn = null; + + try { + CMS.debug("nsHKeySubjectNameDefault: getValue info=" + info); + sn = (CertificateSubjectName) + info.get(X509CertInfo.SUBJECT); + CMS.debug("nsHKeySubjectNameDefault: getValue name=" + sn); + return sn.toString(); + } catch (Exception e) { + // nothing + CMS.debug("nsHKeySubjectNameDefault: getValue " + e.toString()); + + } + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + CMS.debug("nsHKeySubjectNameDefault: in getText"); + return CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME", + getConfig(CONFIG_DNPATTERN)); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + X500Name name = null; + CMS.debug("nsHKeySubjectNameDefault: in populate"); + + try { + String subjectName = getSubjectName(request); + CMS.debug("subjectName=" + subjectName); + if (subjectName == null || subjectName.equals("")) + return; + + name = new X500Name(subjectName); + } catch (IOException e) { + // failed to build x500 name + CMS.debug("nsHKeySubjectNameDefault: populate " + e.toString()); + } + if (name == null) { + // failed to build x500 name + } + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("nsHKeySubjectNameDefault: populate " + e.toString()); + } + } + + private String getSubjectName(IRequest request) + throws EProfileException, IOException { + + CMS.debug("nsHKeySubjectNameDefault: in getSubjectName"); + + String pattern = getConfig(CONFIG_DNPATTERN); + if (pattern == null || pattern.equals("")) { + pattern = " "; + } + + String sbjname = ""; + + if (request != null) { + CMS.debug("pattern = " + pattern); + sbjname = mapPattern(request, pattern); + CMS.debug("nsHKeySubjectNameDefault: getSubjectName(): subject name mapping done"); + } + + return sbjname; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/nsNKeySubjectNameDefault.java b/base/common/src/com/netscape/cms/profile/def/nsNKeySubjectNameDefault.java new file mode 100644 index 000000000..cc1a8de81 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/nsNKeySubjectNameDefault.java 
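Review bot: In populate, when `new X500Name(subjectName)` throws, `name` stays null, the `if (name == null) { }` block is empty, and `new CertificateSubjectName(name)` is then attempted with null inside a catch that only debug-logs, so a malformed DN pattern ends enrollment with no error raised and no subject set; the same flow appears in nsNKeySubjectNameDefault and nsTokenDeviceKeySubjectNameDefault. Fill the empty block with `throw new EProfileException(CMS.getUserMessage(getLocale(request), "CMS_INVALID_PROPERTY", CONFIG_DNPATTERN));` and rethrow from the final catch the way ValidityDefault.populate does instead of swallowing it. setValue has the same shape: the IOException from `new X500Name(value)` is swallowed and a null `x500name` is passed to CertificateSubjectName. The subject DN is produced by substituting request-supplied values (`$request.tokencuid$` in the default pattern) into the pattern and then parsing the string, so unless mapPattern escapes RDN separators — not visible here — such values can change the DN structure; this is worth stating in the CONFIG_DNPATTERN documentation or checking before the parse.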
@@ -0,0 +1,423 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +//ldap java sdk +import java.io.IOException; +import java.util.Locale; +import java.util.StringTokenizer; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.ldap.ILdapConnFactory; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates server-side configurable subject name + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class nsNKeySubjectNameDefault extends EnrollDefault { + + public static final String PROP_LDAP = "ldap"; + public static final String PROP_PARAMS = "params"; + public static final String CONFIG_DNPATTERN = "dnpattern"; + public static final String CONFIG_LDAP_STRING_ATTRS = "ldapStringAttributes"; + public static final String CONFIG_LDAP_HOST = "ldap.ldapconn.host"; + public static final String CONFIG_LDAP_PORT = "ldap.ldapconn.port"; + public static final String CONFIG_LDAP_SEC_CONN = "ldap.ldapconn.secureConn"; + public static final String CONFIG_LDAP_VER = "ldap.ldapconn.Version"; + public static final String CONFIG_LDAP_BASEDN = "ldap.basedn"; + public static final String CONFIG_LDAP_MIN_CONN = "ldap.minConns"; + public static final String CONFIG_LDAP_MAX_CONN = "ldap.maxConns"; + + public static final String VAL_NAME = "name"; + + public static final String CONFIG_LDAP_VERS = + "2,3"; + + /* default dn pattern if left blank or not set in the config */ + protected static String DEFAULT_DNPATTERN = + "CN=$request.aoluid$, E=$request.mail$"; + + /* ldap configuration sub-store */ + boolean mInitialized = false; + protected IConfigStore mInstConfig; + protected IConfigStore mLdapConfig; + protected IConfigStore mParamsConfig; + + /* ldap base dn */ + protected String mBaseDN = null; + + /* factory of anonymous ldap connections */ + protected ILdapConnFactory mConnFactory = null; + + /* the list of LDAP attributes with string values to retrieve to + * form the subject dn. 
*/ + protected String[] mLdapStringAttrs = null; + + public nsNKeySubjectNameDefault() { + super(); + addConfigName(CONFIG_DNPATTERN); + addConfigName(CONFIG_LDAP_STRING_ATTRS); + addConfigName(CONFIG_LDAP_HOST); + addConfigName(CONFIG_LDAP_PORT); + addConfigName(CONFIG_LDAP_SEC_CONN); + addConfigName(CONFIG_LDAP_VER); + addConfigName(CONFIG_LDAP_BASEDN); + addConfigName(CONFIG_LDAP_MIN_CONN); + addConfigName(CONFIG_LDAP_MAX_CONN); + + addValueName(CONFIG_DNPATTERN); + addValueName(CONFIG_LDAP_STRING_ATTRS); + addValueName(CONFIG_LDAP_HOST); + addValueName(CONFIG_LDAP_PORT); + addValueName(CONFIG_LDAP_SEC_CONN); + addValueName(CONFIG_LDAP_VER); + addValueName(CONFIG_LDAP_BASEDN); + addValueName(CONFIG_LDAP_MIN_CONN); + addValueName(CONFIG_LDAP_MAX_CONN); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + mInstConfig = config; + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + CMS.debug("nsNKeySubjectNameDefault: in getConfigDescriptor, name=" + name); + if (name.equals(CONFIG_DNPATTERN)) { + return new Descriptor(IDescriptor.STRING, + null, null, CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else if (name.equals(CONFIG_LDAP_STRING_ATTRS)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NSNKEY_LDAP_STRING_ATTRS")); + } else if (name.equals(CONFIG_LDAP_HOST)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NSNKEY_HOST_NAME")); + } else if (name.equals(CONFIG_LDAP_PORT)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NSNKEY_PORT_NUMBER")); + } else if (name.equals(CONFIG_LDAP_SEC_CONN)) { + return new Descriptor(IDescriptor.BOOLEAN, + null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_NSNKEY_SECURE_CONN")); + } else if (name.equals(CONFIG_LDAP_VER)) { + return new 
Descriptor(IDescriptor.CHOICE, CONFIG_LDAP_VERS, + "3", + CMS.getUserMessage(locale, "CMS_PROFILE_NSNKEY_LDAP_VERSION")); + } else if (name.equals(CONFIG_LDAP_BASEDN)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NSNKEY_BASEDN")); + } else if (name.equals(CONFIG_LDAP_MIN_CONN)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NSNKEY_LDAP_MIN_CONN")); + } else if (name.equals(CONFIG_LDAP_MAX_CONN)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NSNKEY_LDAP_MAX_CONN")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + CMS.debug("nsNKeySubjectNameDefault: in getValueDescriptor name=" + name); + + if (name.equals(VAL_NAME)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + + CMS.debug("nsNKeySubjectNameDefault: in setValue, value=" + value); + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + X500Name x500name = null; + + try { + x500name = new X500Name(value); + } catch (IOException e) { + CMS.debug("nsNKeySubjectNameDefault: setValue " + e.toString()); + // failed to build x500 name + } + CMS.debug("nsNKeySubjectNameDefault: setValue name=" + x500name); + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(x500name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("nsNKeySubjectNameDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + 
locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + CMS.debug("nsNKeySubjectNameDefault: in getValue, name=" + name); + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + CertificateSubjectName sn = null; + + try { + CMS.debug("nsNKeySubjectNameDefault: getValue info=" + info); + sn = (CertificateSubjectName) + info.get(X509CertInfo.SUBJECT); + CMS.debug("nsNKeySubjectNameDefault: getValue name=" + sn); + return sn.toString(); + } catch (Exception e) { + // nothing + CMS.debug("nsNKeySubjectNameDefault: getValue " + e.toString()); + + } + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + CMS.debug("nsNKeySubjectNameDefault: in getText"); + return CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME", + getConfig(CONFIG_DNPATTERN)); + } + + public void ldapInit() + throws EProfileException { + if (mInitialized == true) + return; + + CMS.debug("nsNKeySubjectNameDefault: ldapInit(): begin"); + + try { + // cfu - XXX do more error handling here later + /* initialize ldap server configuration */ + mParamsConfig = mInstConfig.getSubStore(PROP_PARAMS); + mLdapConfig = mParamsConfig.getSubStore(PROP_LDAP); + mBaseDN = mParamsConfig.getString(CONFIG_LDAP_BASEDN, null); + mConnFactory = CMS.getLdapAnonConnFactory(); + mConnFactory.init(mLdapConfig); + + /* initialize dn pattern */ + String pattern = mParamsConfig.getString(CONFIG_DNPATTERN, null); + + if (pattern == null || pattern.length() == 0) + pattern = DEFAULT_DNPATTERN; + + /* initialize ldap string attribute list */ + String ldapStringAttrs = mParamsConfig.getString(CONFIG_LDAP_STRING_ATTRS, null); + + if ((ldapStringAttrs 
!= null) && (ldapStringAttrs.length() != 0)) { + StringTokenizer pAttrs = + new StringTokenizer(ldapStringAttrs, ",", false); + + mLdapStringAttrs = new String[pAttrs.countTokens()]; + + for (int i = 0; i < mLdapStringAttrs.length; i++) { + mLdapStringAttrs[i] = ((String) pAttrs.nextElement()).trim(); + } + } + CMS.debug("nsNKeySubjectNameDefault: ldapInit(): done"); + mInitialized = true; + } catch (Exception e) { + CMS.debug("nsNKeySubjectNameDefault: ldapInit(): " + e.toString()); + // throw EProfileException... + throw new EProfileException("ldap init failure: " + e.toString()); + } + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + X500Name name = null; + CMS.debug("nsNKeySubjectNameDefault: in populate"); + ldapInit(); + try { + // cfu - this goes to ldap + String subjectName = getSubjectName(request); + CMS.debug("subjectName=" + subjectName); + if (subjectName == null || subjectName.equals("")) + return; + + name = new X500Name(subjectName); + } catch (IOException e) { + // failed to build x500 name + CMS.debug("nsNKeySubjectNameDefault: populate " + e.toString()); + } + if (name == null) { + // failed to build x500 name + } + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("nsNKeySubjectNameDefault: populate " + e.toString()); + } + } + + private String getSubjectName(IRequest request) + throws EProfileException, IOException { + + CMS.debug("nsNKeySubjectNameDefault: in getSubjectName"); + + String pattern = getConfig(CONFIG_DNPATTERN); + if (pattern == null || pattern.equals("")) { + pattern = " "; + } + + LDAPConnection conn = null; + String userdn = null; + String sbjname = ""; + // get DN from ldap to fill request + try { + if (mConnFactory == null) { + conn = null; + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): no LDAP connection"); + 
throw new EProfileException("no LDAP connection"); + } else { + conn = mConnFactory.getConn(); + if (conn == null) { + CMS.debug("nsNKeySubjectNameDefault::getSubjectName() - " + + "no LDAP connection"); + throw new EProfileException("no LDAP connection"); + } + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): got LDAP connection"); + } + + if (request != null) { + CMS.debug("pattern = " + pattern); + sbjname = mapPattern(request, pattern); + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): subject name mapping done"); + } else { + CMS.debug("nsNKeySubjectNameDefault::getSubjectName() - " + + "request is null!"); + throw new EProfileException("request is null"); + } + // retrieve the attributes + // get user dn. + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): about to search with basedn = " + mBaseDN); + LDAPSearchResults res = conn.search(mBaseDN, + LDAPv2.SCOPE_SUB, "(aoluid=" + request.getExtDataInString("aoluid") + ")", null, false); + + if (res.hasMoreElements()) { + LDAPEntry entry = res.next(); + + userdn = entry.getDN(); + } else {// put into property file later - cfu + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): screen name does not exist"); + throw new EProfileException("screenname does not exist"); + } + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): retrieved entry for aoluid = " + + request.getExtDataInString("aoluid")); + ; + + LDAPEntry entry = null; + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): about to search with " + + mLdapStringAttrs.length + " attributes"); + LDAPSearchResults results = + conn.search(userdn, LDAPv2.SCOPE_BASE, "objectclass=*", + mLdapStringAttrs, false); + + if (!results.hasMoreElements()) { + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): no attributes"); + throw new EProfileException("no ldap attributes found"); + } + entry = results.next(); + // set attrs into request + for (int i = 0; i < mLdapStringAttrs.length; i++) { + LDAPAttribute la = + 
entry.getAttribute(mLdapStringAttrs[i]); + if (la != null) { + String[] sla = la.getStringValueArray(); + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): got attribute: " + sla[0]); + request.setExtData(mLdapStringAttrs[i], sla[0]); + } + } + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): attributes set in request"); + } catch (Exception e) { + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): " + e.toString()); + throw new EProfileException("getSubjectName() failure: " + e.toString()); + } finally { + try { + if (conn != null) + mConnFactory.returnConn(conn); + } catch (Exception e) { + throw new EProfileException("nsNKeySubjectNameDefault: getSubjectName(): connection return failure"); + } + } + return sbjname; + + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/nsTokenDeviceKeySubjectNameDefault.java b/base/common/src/com/netscape/cms/profile/def/nsTokenDeviceKeySubjectNameDefault.java new file mode 100644 index 000000000..77fa417f6 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/nsTokenDeviceKeySubjectNameDefault.java 
@@ -0,0 +1,215 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates server-side configurable subject name + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class nsTokenDeviceKeySubjectNameDefault extends EnrollDefault { + + public static final String PROP_PARAMS = "params"; + public static final String CONFIG_DNPATTERN = "dnpattern"; + + public static final String VAL_NAME = "name"; + + /* default dn pattern if left blank or not set in the config */ + protected static String DEFAULT_DNPATTERN = + "Token Key Device - $request.tokencuid$"; + + protected IConfigStore mParamsConfig; + + public nsTokenDeviceKeySubjectNameDefault() { + super(); + addConfigName(CONFIG_DNPATTERN); + + addValueName(CONFIG_DNPATTERN); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + CMS.debug("nsTokenDeviceKeySubjectNameDefault: in getConfigDescriptor, name=" + name); + if (name.equals(CONFIG_DNPATTERN)) { + return new Descriptor(IDescriptor.STRING, + null, null, CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + CMS.debug("nsTokenDeviceKeySubjectNameDefault: in getValueDescriptor name=" + name); + + if (name.equals(VAL_NAME)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + + CMS.debug("nsTokenDeviceKeySubjectNameDefault: in setValue, value=" + value); + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + X500Name x500name = null; + + try { + x500name = new X500Name(value); + } catch (IOException e) { + CMS.debug("nsTokenDeviceKeySubjectNameDefault: setValue " + e.toString()); + // failed to build x500 name 
+ } + CMS.debug("nsTokenDeviceKeySubjectNameDefault: setValue name=" + x500name); + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(x500name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("nsTokenDeviceKeySubjectNameDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + CMS.debug("nsTokenDeviceKeySubjectNameDefault: in getValue, name=" + name); + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + CertificateSubjectName sn = null; + + try { + CMS.debug("nsTokenDeviceKeySubjectNameDefault: getValue info=" + info); + sn = (CertificateSubjectName) + info.get(X509CertInfo.SUBJECT); + CMS.debug("nsTokenDeviceKeySubjectNameDefault: getValue name=" + sn); + return sn.toString(); + } catch (Exception e) { + // nothing + CMS.debug("nsTokenDeviceKeySubjectNameDefault: getValue " + e.toString()); + + } + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + CMS.debug("nsTokenDeviceKeySubjectNameDefault: in getText"); + return CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME", + getConfig(CONFIG_DNPATTERN)); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + X500Name name = null; + CMS.debug("nsTokenDeviceKeySubjectNameDefault: in populate"); + + try { + String subjectName = getSubjectName(request); + CMS.debug("subjectName=" + subjectName); + if (subjectName == null || subjectName.equals("")) + return; + + name = new X500Name(subjectName); + } catch (IOException e) { + // failed to build x500 name + CMS.debug("nsTokenDeviceKeySubjectNameDefault: populate " + e.toString()); + } + if (name == null) { + // failed to build x500 name + } + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("nsTokenDeviceKeySubjectNameDefault: populate " + e.toString()); + } + } + + private String getSubjectName(IRequest request) + throws EProfileException, IOException { + + CMS.debug("nsTokenDeviceKeySubjectNameDefault: in getSubjectName"); + + String pattern = getConfig(CONFIG_DNPATTERN); + if (pattern == null || pattern.equals("")) { + pattern = " "; + } + + String sbjname = ""; + + if (request != null) { + CMS.debug("pattern = " + pattern); + sbjname = mapPattern(request, pattern); + CMS.debug("nsTokenDeviceKeySubjectNameDefault: getSubjectName(): subject name mapping done"); + } + + return sbjname; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java b/base/common/src/com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java new file mode 100644 index 000000000..65adabfad --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java 
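Review bot: nsTokenDeviceKeySubjectNameDefault is a line-for-line copy of nsHKeySubjectNameDefault differing only in DEFAULT_DNPATTERN and the debug prefixes, so every fix to populate or setValue has to be applied in three places; a shared abstract base that takes the default pattern and log prefix from the subclass would remove the duplication. `PROP_PARAMS`, `mParamsConfig` and the `init` override that only calls super are unused and can be dropped, and DEFAULT_DNPATTERN is never consulted here — getSubjectName substitutes `" "` when the configured pattern is blank, which is probably not what the constant intends. The class Javadoc should say where the subject comes from, e.g. `Enrollment default that builds the subject name by applying mapPattern to the configured dnpattern (request variables such as $request.tokencuid$ are substituted from the enrollment request).`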
@@ -0,0 +1,456 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +//ldap java sdk +import java.io.IOException; +import java.util.Locale; +import java.util.StringTokenizer; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.ldap.ILdapConnFactory; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates server-side configurable subject name + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class nsTokenUserKeySubjectNameDefault extends EnrollDefault { + + public static final String PROP_LDAP = "ldap"; + public static final String PROP_PARAMS = "params"; + public static final String CONFIG_DNPATTERN = "dnpattern"; + public static final String CONFIG_LDAP_ENABLE = "ldap.enable"; + public static final String CONFIG_LDAP_SEARCH_NAME = "ldap.searchName"; + public static final String CONFIG_LDAP_STRING_ATTRS = "ldapStringAttributes"; + public static final String CONFIG_LDAP_HOST = "ldap.ldapconn.host"; + public static final String CONFIG_LDAP_PORT = "ldap.ldapconn.port"; + public static final String CONFIG_LDAP_SEC_CONN = "ldap.ldapconn.secureConn"; + public static final String CONFIG_LDAP_VER = "ldap.ldapconn.Version"; + public static final String CONFIG_LDAP_BASEDN = "ldap.basedn"; + public static final String CONFIG_LDAP_MIN_CONN = "ldap.minConns"; + public static final String CONFIG_LDAP_MAX_CONN = "ldap.maxConns"; + + public static final String VAL_NAME = "name"; + + public static final String CONFIG_LDAP_VERS = + "2,3"; + + /* default dn pattern if left blank or not set in the config */ + protected static String DEFAULT_DNPATTERN = + "CN=$request.uid$, E=$request.mail$"; + + /* ldap configuration sub-store */ + boolean mldapInitialized = false; + boolean mldapEnabled = false; + protected IConfigStore mInstConfig; + protected IConfigStore mLdapConfig; + protected IConfigStore mParamsConfig; + + /* ldap base dn */ + protected String mBaseDN = null; + + /* factory of anonymous ldap connections */ + protected ILdapConnFactory mConnFactory = null; + + /* the list of LDAP attributes with string values to retrieve to + * form the subject dn. 
*/ + protected String[] mLdapStringAttrs = null; + + public nsTokenUserKeySubjectNameDefault() { + super(); + addConfigName(CONFIG_DNPATTERN); + addConfigName(CONFIG_LDAP_ENABLE); + addConfigName(CONFIG_LDAP_SEARCH_NAME); + addConfigName(CONFIG_LDAP_STRING_ATTRS); + addConfigName(CONFIG_LDAP_HOST); + addConfigName(CONFIG_LDAP_PORT); + addConfigName(CONFIG_LDAP_SEC_CONN); + addConfigName(CONFIG_LDAP_VER); + addConfigName(CONFIG_LDAP_BASEDN); + addConfigName(CONFIG_LDAP_MIN_CONN); + addConfigName(CONFIG_LDAP_MAX_CONN); + + addValueName(CONFIG_DNPATTERN); + addValueName(CONFIG_LDAP_ENABLE); + addValueName(CONFIG_LDAP_SEARCH_NAME); + addValueName(CONFIG_LDAP_STRING_ATTRS); + addValueName(CONFIG_LDAP_HOST); + addValueName(CONFIG_LDAP_PORT); + addValueName(CONFIG_LDAP_SEC_CONN); + addValueName(CONFIG_LDAP_VER); + addValueName(CONFIG_LDAP_BASEDN); + addValueName(CONFIG_LDAP_MIN_CONN); + addValueName(CONFIG_LDAP_MAX_CONN); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + mInstConfig = config; + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + CMS.debug("nsTokenUserKeySubjectNameDefault: in getConfigDescriptor, name=" + name); + if (name.equals(CONFIG_DNPATTERN)) { + return new Descriptor(IDescriptor.STRING, + null, null, CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else if (name.equals(CONFIG_LDAP_STRING_ATTRS)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_STRING_ATTRS")); + } else if (name.equals(CONFIG_LDAP_ENABLE)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_ENABLE")); + } else if (name.equals(CONFIG_LDAP_SEARCH_NAME)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_SEARCH_NAME")); + } else if (name.equals(CONFIG_LDAP_HOST)) { + return 
new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_HOST_NAME")); + } else if (name.equals(CONFIG_LDAP_PORT)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_PORT_NUMBER")); + } else if (name.equals(CONFIG_LDAP_SEC_CONN)) { + return new Descriptor(IDescriptor.BOOLEAN, + null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_SECURE_CONN")); + } else if (name.equals(CONFIG_LDAP_VER)) { + return new Descriptor(IDescriptor.CHOICE, CONFIG_LDAP_VERS, + "3", + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_VERSION")); + } else if (name.equals(CONFIG_LDAP_BASEDN)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_BASEDN")); + } else if (name.equals(CONFIG_LDAP_MIN_CONN)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_MIN_CONN")); + } else if (name.equals(CONFIG_LDAP_MAX_CONN)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_MAX_CONN")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + CMS.debug("nsTokenUserKeySubjectNameDefault: in getValueDescriptor name=" + name); + + if (name.equals(VAL_NAME)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + + CMS.debug("nsTokenUserKeySubjectNameDefault: in setValue, value=" + value); + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + X500Name x500name = null; + + try { + x500name = new 
X500Name(value); + } catch (IOException e) { + CMS.debug("nsTokenUserKeySubjectNameDefault: setValue " + e.toString()); + // failed to build x500 name + } + CMS.debug("nsTokenUserKeySubjectNameDefault: setValue name=" + x500name); + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(x500name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("nsTokenUserKeySubjectNameDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + CMS.debug("nsTokenUserKeySubjectNameDefault: in getValue, name=" + name); + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + CertificateSubjectName sn = null; + + try { + CMS.debug("nsTokenUserKeySubjectNameDefault: getValue info=" + info); + sn = (CertificateSubjectName) + info.get(X509CertInfo.SUBJECT); + CMS.debug("nsTokenUserKeySubjectNameDefault: getValue name=" + sn); + return sn.toString(); + } catch (Exception e) { + // nothing + CMS.debug("nsTokenUserKeySubjectNameDefault: getValue " + e.toString()); + + } + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + CMS.debug("nsTokenUserKeySubjectNameDefault: in getText"); + return CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME", + getConfig(CONFIG_DNPATTERN)); + } + + public void ldapInit() + throws EProfileException { + if (mldapInitialized == true) + return; + + CMS.debug("nsTokenUserKeySubjectNameDefault: ldapInit(): begin"); + + try { + // cfu - XXX do more 
error handling here later + /* initialize ldap server configuration */ + mParamsConfig = mInstConfig.getSubStore(PROP_PARAMS); + mLdapConfig = mParamsConfig.getSubStore(PROP_LDAP); + mldapEnabled = mParamsConfig.getBoolean(CONFIG_LDAP_ENABLE, + false); + if (mldapEnabled == false) + return; + + mBaseDN = mParamsConfig.getString(CONFIG_LDAP_BASEDN, null); + mConnFactory = CMS.getLdapAnonConnFactory(); + mConnFactory.init(mLdapConfig); + + /* initialize dn pattern */ + String pattern = mParamsConfig.getString(CONFIG_DNPATTERN, null); + + if (pattern == null || pattern.length() == 0) + pattern = DEFAULT_DNPATTERN; + + /* initialize ldap string attribute list */ + String ldapStringAttrs = mParamsConfig.getString(CONFIG_LDAP_STRING_ATTRS, null); + + if ((ldapStringAttrs != null) && (ldapStringAttrs.length() != 0)) { + StringTokenizer pAttrs = + new StringTokenizer(ldapStringAttrs, ",", false); + + mLdapStringAttrs = new String[pAttrs.countTokens()]; + + for (int i = 0; i < mLdapStringAttrs.length; i++) { + mLdapStringAttrs[i] = ((String) pAttrs.nextElement()).trim(); + } + } + CMS.debug("nsTokenUserKeySubjectNameDefault: ldapInit(): done"); + mldapInitialized = true; + } catch (Exception e) { + CMS.debug("nsTokenUserKeySubjectNameDefault: ldapInit(): " + e.toString()); + // throw EProfileException... + throw new EProfileException("ldap init failure: " + e.toString()); + } + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + X500Name name = null; + CMS.debug("nsTokenUserKeySubjectNameDefault: in populate"); + ldapInit(); + try { + // cfu - this goes to ldap + String subjectName = getSubjectName(request); + CMS.debug("subjectName=" + subjectName); + if (subjectName == null || subjectName.equals("")) + return; + + name = new X500Name(subjectName); + } catch (IOException e) { + // failed to build x500 name + CMS.debug("nsTokenUserKeySubjectNameDefault: populate " + e.toString()); + } + if (name == null) { + // failed to build x500 name + } + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("nsTokenUserKeySubjectNameDefault: populate " + e.toString()); + } + } + + private String getSubjectName(IRequest request) + throws EProfileException, IOException { + + CMS.debug("nsTokenUserKeySubjectNameDefault: in getSubjectName"); + + String pattern = getConfig(CONFIG_DNPATTERN); + if (pattern == null || pattern.equals("")) { + pattern = " "; + } + String sbjname = ""; + + if (mldapInitialized == false) { + if (request != null) { + CMS.debug("pattern = " + pattern); + sbjname = mapPattern(request, pattern); + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): subject name mapping done"); + } + return sbjname; + } + + // ldap is initialized, do more substitution + String searchName = getConfig(CONFIG_LDAP_SEARCH_NAME); + if (searchName == null || searchName.equals("")) { + searchName = "uid"; + } + + LDAPConnection conn = null; + String userdn = null; + // get DN from ldap to fill request + try { + if (mConnFactory == null) { + conn = null; + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): no LDAP connection"); + throw new EProfileException("no LDAP connection"); + } else { + conn = mConnFactory.getConn(); + if (conn == null) { + 
CMS.debug("nsTokenUserKeySubjectNameDefault::getSubjectName() - " + + "no LDAP connection"); + throw new EProfileException("no LDAP connection"); + } + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): got LDAP connection"); + } + // retrieve the attributes + // get user dn. + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): about to search with basedn = " + mBaseDN); + LDAPSearchResults res = conn.search(mBaseDN, + LDAPv2.SCOPE_SUB, "(" + searchName + "=" + request.getExtDataInString("uid") + ")", null, false); + + if (res.hasMoreElements()) { + LDAPEntry entry = res.next(); + + userdn = entry.getDN(); + } else {// put into property file later - cfu + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): " + searchName + " does not exist"); + throw new EProfileException("id does not exist"); + } + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): retrieved entry for " + + searchName + " = " + request.getExtDataInString("uid")); + + LDAPEntry entry = null; + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): about to search with " + + mLdapStringAttrs.length + " attributes"); + LDAPSearchResults results = + conn.search(userdn, LDAPv2.SCOPE_BASE, "objectclass=*", + mLdapStringAttrs, false); + + if (!results.hasMoreElements()) { + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): no attributes"); + throw new EProfileException("no ldap attributes found"); + } + entry = results.next(); + // set attrs into request + for (int i = 0; i < mLdapStringAttrs.length; i++) { + LDAPAttribute la = + entry.getAttribute(mLdapStringAttrs[i]); + if (la != null) { + String[] sla = la.getStringValueArray(); + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): got attribute: " + + mLdapStringAttrs[i] + + "=" + escapeValueRfc1779(sla[0], false).toString()); + request.setExtData(mLdapStringAttrs[i], escapeValueRfc1779(sla[0], false).toString()); + } + } + CMS.debug("pattern = " + pattern); + sbjname = 
mapPattern(request, pattern); + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): subject name mapping done"); + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): attributes set in request"); + + } catch (Exception e) { + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): " + e.toString()); + throw new EProfileException("getSubjectName() failure: " + e.toString()); + } finally { + try { + if (conn != null) + mConnFactory.returnConn(conn); + } catch (Exception e) { + throw new EProfileException( + "nsTokenUserKeySubjectNameDefault: getSubjectName(): connection return failure"); + } + } + return sbjname; + + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/CMCCertReqInput.java b/base/common/src/com/netscape/cms/profile/input/CMCCertReqInput.java new file mode 100644 index 000000000..77d4b1ce0 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/CMCCertReqInput.java 
@@ -0,0 +1,122 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import netscape.security.x509.X509CertInfo; + +import org.mozilla.jss.pkix.cmc.TaggedRequest; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the certificate request input. + * This input populates 2 main fields to the enrollment page: + * 1/ Certificate Request Type, 2/ Certificate Request + *

+ * + * This input usually is used by an enrollment profile for certificate requests. + * + * @version $Revision$, $Date$ + */ +public class CMCCertReqInput extends EnrollInput implements IProfileInput { + public static final String VAL_CERT_REQUEST_TYPE = + EnrollProfile.CTX_CERT_REQUEST_TYPE; + public static final String VAL_CERT_REQUEST = + EnrollProfile.CTX_CERT_REQUEST; + + public EnrollProfile mEnrollProfile = null; + + public CMCCertReqInput() { + addValueName(VAL_CERT_REQUEST); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_CERT_REQ_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_CERT_REQ_TEXT"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String cert_request = ctx.get(VAL_CERT_REQUEST); + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), cert_request); + + if (msgs == null) { + return; + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + if (seqNum == null) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_SEQ_NUM")); + } + + mEnrollProfile.fillTaggedRequest(getLocale(request), msgs[seqNum.intValue()], info, request); + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CERT_REQUEST)) { + return new Descriptor(IDescriptor.CERT_REQUEST, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_INPUT_CERT_REQ")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/CertReqInput.java b/base/common/src/com/netscape/cms/profile/input/CertReqInput.java new file mode 100644 index 000000000..0b7e9f071 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/CertReqInput.java 
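Review bot: In populate the sequence number read from `REQUEST_SEQ_NUM` indexes `msgs` without a range check, so a value outside `0..msgs.length-1` surfaces as an ArrayIndexOutOfBoundsException instead of the `CMS_PROFILE_UNKNOWN_SEQ_NUM` EProfileException the null case already produces. Extend the existing check to `if (seqNum == null || seqNum.intValue() < 0 || seqNum.intValue() >= msgs.length) { throw new EProfileException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_UNKNOWN_SEQ_NUM")); }`; the same unchecked index appears in the CRMF and CMC branches of CertReqInput.populate and in the crmf branch of DualKeyGenInput.populate in this commit. The comment `// This profile only handle the first request in CRMF` is copied from the CRMF input and describes neither this CMC class nor what the code does (it fills the request selected by the sequence number); `// Fill only the request selected by REQUEST_SEQ_NUM` would be accurate. The class Javadoc states that two fields are populated, Certificate Request Type and Certificate Request, but the constructor registers only `VAL_CERT_REQUEST`; the Javadoc should be brought in line with the single value this input actually exposes.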
@@ -0,0 +1,185 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import netscape.security.pkcs.PKCS10; +import netscape.security.util.DerInputStream; +import netscape.security.x509.X509CertInfo; + +import org.mozilla.jss.pkix.cmc.TaggedRequest; +import org.mozilla.jss.pkix.crmf.CertReqMsg; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the certificate request input. + * This input populates 2 main fields to the enrollment page: + * 1/ Certificate Request Type, 2/ Certificate Request + *

+ * + * This input usually is used by an enrollment profile for certificate requests. + * + * @version $Revision$, $Date$ + */ +public class CertReqInput extends EnrollInput implements IProfileInput { + public static final String VAL_CERT_REQUEST_TYPE = + EnrollProfile.CTX_CERT_REQUEST_TYPE; + public static final String VAL_CERT_REQUEST = + EnrollProfile.CTX_CERT_REQUEST; + + public EnrollProfile mEnrollProfile = null; + + public CertReqInput() { + addValueName(VAL_CERT_REQUEST_TYPE); + addValueName(VAL_CERT_REQUEST); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_CERT_REQ_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_CERT_REQ_TEXT"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String cert_request_type = ctx.get(VAL_CERT_REQUEST_TYPE); + String cert_request = ctx.get(VAL_CERT_REQUEST); + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (cert_request_type == null) { + CMS.debug("CertReqInput: populate - invalid cert request type " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + "")); + } + + if (cert_request_type.equals(EnrollProfile.REQ_TYPE_PKCS10)) { + PKCS10 pkcs10 = mEnrollProfile.parsePKCS10(getLocale(request), cert_request); + + if (pkcs10 == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillPKCS10(getLocale(request), pkcs10, info, request); + } else if (cert_request_type.startsWith(EnrollProfile.REQ_TYPE_KEYGEN)) { + DerInputStream keygen = mEnrollProfile.parseKeyGen(getLocale(request), cert_request); + + if (keygen == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillKeyGen(getLocale(request), keygen, info, request); + } else if (cert_request_type.startsWith(EnrollProfile.REQ_TYPE_CRMF)) { + CertReqMsg msgs[] = mEnrollProfile.parseCRMF(getLocale(request), cert_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + for (int x = 0; x < msgs.length; x++) { + verifyPOP(getLocale(request), msgs[x]); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + mEnrollProfile.fillCertReqMsg(getLocale(request), msgs[seqNum.intValue()], info, request + ); + } else if (cert_request_type.startsWith(EnrollProfile.REQ_TYPE_CMC)) { + TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), 
cert_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + if (seqNum == null) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_SEQ_NUM")); + } + + mEnrollProfile.fillTaggedRequest(getLocale(request), msgs[seqNum.intValue()], info, request); + } else { + // error + CMS.debug("CertReqInput: populate - invalid cert request type " + + cert_request_type); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + cert_request_type)); + } + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CERT_REQUEST_TYPE)) { + return new Descriptor(IDescriptor.CERT_REQUEST_TYPE, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_INPUT_CERT_REQ_TYPE")); + } else if (name.equals(VAL_CERT_REQUEST)) { + return new Descriptor(IDescriptor.CERT_REQUEST, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_INPUT_CERT_REQ")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/DualKeyGenInput.java b/base/common/src/com/netscape/cms/profile/input/DualKeyGenInput.java new file mode 100644 index 000000000..18b9ecf52 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/DualKeyGenInput.java 
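Review bot: In the CRMF branch of populate, `seqNum` from `REQUEST_SEQ_NUM` is dereferenced with `seqNum.intValue()` without the null check that the CMC branch a few lines below performs, so a request lacking a sequence number fails with a NullPointerException rather than the `CMS_PROFILE_UNKNOWN_SEQ_NUM` EProfileException. Mirror the CMC branch before the `fillCertReqMsg` call: `if (seqNum == null) { throw new EProfileException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_UNKNOWN_SEQ_NUM")); }`. The type dispatch uses `equals` for `REQ_TYPE_PKCS10` but `startsWith` for the keygen, CRMF and CMC types; if the prefix match is intentional (client-appended suffixes), a comment saying so would help, otherwise `equals` throughout is the safer comparison. The comment `// This profile only handle the first request in CRMF` appears in both the CRMF and CMC branches although the code uses the request's sequence number, not index 0; reword it to `// Fill only the request selected by REQUEST_SEQ_NUM`.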
@@ -0,0 +1,163 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import netscape.security.pkcs.PKCS10; +import netscape.security.util.DerInputStream; +import netscape.security.x509.X509CertInfo; + +import org.mozilla.jss.pkix.crmf.CertReqMsg; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the dual key generation input. + * This input populates parameters to the enrollment + * pages so that a CRMF request containing 2 certificate + * requests will be generated. + *

+ * + * This input can only be used with Netscape 7.x or later clients. + *

+ * + * @version $Revision$, $Date$ + */ +public class DualKeyGenInput extends EnrollInput implements IProfileInput { + + public static final String VAL_KEYGEN_REQUEST_TYPE = + EnrollProfile.CTX_CERT_REQUEST_TYPE; + public static final String VAL_KEYGEN_REQUEST = + EnrollProfile.CTX_CERT_REQUEST; + + public EnrollProfile mEnrollProfile = null; + + public DualKeyGenInput() { + addValueName(VAL_KEYGEN_REQUEST_TYPE); + addValueName(VAL_KEYGEN_REQUEST); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_DUAL_KEY_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_DUAL_KEY_TEXT"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String keygen_request_type = ctx.get(VAL_KEYGEN_REQUEST_TYPE); + String keygen_request = ctx.get(VAL_KEYGEN_REQUEST); + + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (keygen_request_type == null) { + CMS.debug("DualKeyGenInput: populate - invalid cert request type " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + "")); + } + if (keygen_request_type.startsWith("pkcs10")) { + PKCS10 pkcs10 = mEnrollProfile.parsePKCS10(getLocale(request), keygen_request); + + mEnrollProfile.fillPKCS10(getLocale(request), pkcs10, info, request); + } else if (keygen_request_type.startsWith("keygen")) { + DerInputStream keygen = mEnrollProfile.parseKeyGen(getLocale(request), keygen_request); + + mEnrollProfile.fillKeyGen(getLocale(request), keygen, info, request); + } else if (keygen_request_type.startsWith("crmf")) { + CertReqMsg msgs[] = mEnrollProfile.parseCRMF(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + for (int x = 0; x < msgs.length; x++) { + verifyPOP(getLocale(request), msgs[x]); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + if (seqNum == null) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_SEQ_NUM")); + } + + mEnrollProfile.fillCertReqMsg(getLocale(request), msgs[seqNum.intValue()], info, request); + } else { + // error + CMS.debug("DualKeyGenInput: populate - " + + "invalid cert request type " + keygen_request_type); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + keygen_request_type)); + } + 
request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_KEYGEN_REQUEST_TYPE)) { + return new Descriptor(IDescriptor.DUAL_KEYGEN_REQUEST_TYPE, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ_TYPE")); + } else if (name.equals(VAL_KEYGEN_REQUEST)) { + return new Descriptor(IDescriptor.DUAL_KEYGEN_REQUEST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/EncryptionKeyGenInput.java b/base/common/src/com/netscape/cms/profile/input/EncryptionKeyGenInput.java new file mode 100644 index 000000000..d59629f78 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/EncryptionKeyGenInput.java 
@@ -0,0 +1,184 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import netscape.security.pkcs.PKCS10; +import netscape.security.util.DerInputStream; +import netscape.security.x509.X509CertInfo; + +import org.mozilla.jss.pkix.cmc.TaggedRequest; +import org.mozilla.jss.pkix.crmf.CertReqMsg; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the key generation input that + * populates parameters to the enrollment page for + * key generation. + *

+ * + * This input normally is used with user-based or non certificate request profile. + *

+ * + * @version $Revision$, $Date$ + */ +public class EncryptionKeyGenInput extends EnrollInput implements IProfileInput { + + public static final String VAL_KEYGEN_REQUEST_TYPE = + EnrollProfile.CTX_CERT_REQUEST_TYPE; + public static final String VAL_KEYGEN_REQUEST = + EnrollProfile.CTX_CERT_REQUEST; + + public EnrollProfile mEnrollProfile = null; + + public EncryptionKeyGenInput() { + addValueName(VAL_KEYGEN_REQUEST_TYPE); + addValueName(VAL_KEYGEN_REQUEST); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_ENC_KEY_GEN_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_ENC_KEY_GEN_TEXT"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String keygen_request_type = ctx.get(VAL_KEYGEN_REQUEST_TYPE); + String keygen_request = ctx.get(VAL_KEYGEN_REQUEST); + + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (keygen_request_type == null) { + CMS.debug("EncryptionKeyGenInput: populate - invalid cert request type " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + "")); + } + if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_PKCS10)) { + PKCS10 pkcs10 = mEnrollProfile.parsePKCS10(getLocale(request), keygen_request); + + if (pkcs10 == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillPKCS10(getLocale(request), pkcs10, info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_KEYGEN)) { + DerInputStream keygen = mEnrollProfile.parseKeyGen(getLocale(request), keygen_request); + + if (keygen == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillKeyGen(getLocale(request), keygen, info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_CRMF)) { + CertReqMsg msgs[] = mEnrollProfile.parseCRMF(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + for (int x = 0; x < msgs.length; x++) { + verifyPOP(getLocale(request), msgs[x]); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + mEnrollProfile.fillCertReqMsg(getLocale(request), msgs[seqNum.intValue()], info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_CMC)) { + TaggedRequest msgs[] = 
mEnrollProfile.parseCMC(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + if (seqNum == null) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_SEQ_NUM")); + } + + mEnrollProfile.fillTaggedRequest(getLocale(request), msgs[seqNum.intValue()], info, request); + } else { + // error + CMS.debug("EncryptionKeyGenInput: populate - " + + "invalid cert request type " + keygen_request_type); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + keygen_request_type)); + } + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_KEYGEN_REQUEST_TYPE)) { + return new Descriptor(IDescriptor.ENC_KEYGEN_REQUEST_TYPE, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ_TYPE")); + } else if (name.equals(VAL_KEYGEN_REQUEST)) { + return new Descriptor(IDescriptor.ENC_KEYGEN_REQUEST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/EnrollInput.java b/base/common/src/com/netscape/cms/profile/input/EnrollInput.java new file mode 100644 index 000000000..c4269ba7d --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/EnrollInput.java 
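Review bot: In the CRMF branch `seqNum` is dereferenced with `seqNum.intValue()` without the null check that the CMC branch performs a few lines later, so a request lacking REQUEST_SEQ_NUM fails with a NullPointerException instead of the localized EProfileException, and neither branch checks the index against `msgs.length`, so an out-of-range sequence number ends in ArrayIndexOutOfBoundsException. Suggest the same guard as the CMC branch plus a bounds check: `if (seqNum == null || seqNum.intValue() < 0 || seqNum.intValue() >= msgs.length) { throw new EProfileException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_UNKNOWN_SEQ_NUM")); }`. The CRMF branch of KeyGenInput.populate in this commit has the identical missing null check. The comment `// This profile only handle the first request in CRMF` is also misleading since the code indexes by `seqNum` rather than 0; consider `// Only the request selected by REQUEST_SEQ_NUM is filled in`.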
@@ -0,0 +1,303 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.pkix.crmf.CertReqMsg; +import org.mozilla.jss.pkix.crmf.ProofOfPossession; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the base enrollment input. 
+ * + * @version $Revision$, $Date$ + */ +public abstract class EnrollInput implements IProfileInput { + + private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION = + "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2"; + + protected IConfigStore mConfig = null; + protected Vector mValueNames = new Vector(); + protected Vector mConfigNames = new Vector(); + protected IProfile mProfile = null; + + protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + mConfig = config; + mProfile = profile; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + /** + * Populates the request with this policy default. + * + * @param ctx profile context + * @param request request + * @exception EProfileException failed to populate + */ + public abstract void populate(IProfileContext ctx, IRequest request) + throws EProfileException; + + /** + * Retrieves the localizable name of this policy. + * + * @param locale user locale + * @return localized input name + */ + public abstract String getName(Locale locale); + + /** + * Retrieves the localizable description of this policy. + * + * @param locale user locale + * @return localized input description + */ + public abstract String getText(Locale locale); + + /** + * Retrieves the descriptor of the given value + * property by name. + * + * @param locale user locale + * @param name property name + * @return descriptor of the property + */ + public abstract IDescriptor getValueDescriptor(Locale locale, String name); + + public void addValueName(String name) { + mValueNames.addElement(name); + } + + /** + * Retrieves a list of names of the value parameter. 
+ */ + public Enumeration getValueNames() { + return mValueNames.elements(); + } + + public void addConfigName(String name) { + mConfigNames.addElement(name); + } + + public Enumeration getConfigNames() { + return mConfigNames.elements(); + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (mConfig.getSubStore("params") == null) { + // + } else { + mConfig.getSubStore("params").putString(name, value); + } + } + + public String getConfig(String name) { + try { + if (mConfig == null) { + return null; + } + if (mConfig.getSubStore("params") != null) { + return mConfig.getSubStore("params").getString(name); + } + } catch (EBaseException e) { + } + return ""; + } + + public String getDefaultConfig(String name) { + return null; + } + + public String getValue(String name, Locale locale, IRequest request) + throws EProfileException { + return request.getExtDataInString(name); + } + + /** + * Sets the value of the given value parameter by name. + */ + public void setValue(String name, Locale locale, IRequest request, + String value) throws EPropertyException { + request.setExtData(name, value); + } + + public Locale getLocale(IRequest request) { + Locale locale = null; + String language = request.getExtDataInString( + EnrollProfile.REQUEST_LOCALE); + if (language != null) { + locale = new Locale(language); + } + return locale; + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + return null; + } + + public void verifyPOP(Locale locale, CertReqMsg certReqMsg) + throws EProfileException { + CMS.debug("EnrollInput ::in verifyPOP"); + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + if (!certReqMsg.hasPop()) { + CMS.debug("CertReqMsg has not POP, return"); + return; + } + ProofOfPossession pop = certReqMsg.getPop(); + ProofOfPossession.Type popType = pop.getType(); + + if (popType != ProofOfPossession.SIGNATURE) { + CMS.debug("not POP SIGNATURE, return"); + return; + } + + try { + if 
(CMS.getConfigStore().getBoolean("cms.skipPOPVerify", false)) { + CMS.debug("skipPOPVerify on, return"); + return; + } + CMS.debug("POP verification begins:"); + CryptoManager cm = CryptoManager.getInstance(); + + CryptoToken verifyToken = null; + String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", "internal"); + if (tokenName.equals("internal")) { + CMS.debug("POP verification using internal token"); + certReqMsg.verify(); + } else { + CMS.debug("POP verification using token:" + tokenName); + verifyToken = cm.getTokenByName(tokenName); + certReqMsg.verify(verifyToken); + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, + auditSubjectID, + ILogger.SUCCESS); + audit(auditMessage); + } catch (Exception e) { + + CMS.debug("Failed POP verify! " + e.toString()); + CMS.debug(e); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, + auditSubjectID, + ILogger.FAILURE); + + audit(auditMessage); + + throw new EProfileException(CMS.getUserMessage(locale, + "CMS_POP_VERIFICATION_ERROR")); + } + } + + /** + * Signed Audit Log + * + * This method is inherited by all extended "CMSServlet"s, + * and is called to store messages to the signed audit log. + *

+ * + * @param msg signed audit log message + */ + protected void audit(String msg) { + // in this case, do NOT strip preceding/trailing whitespace + // from passed-in String parameters + + if (mSignedAuditLogger == null) { + return; + } + + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); + } + + /** + * Signed Audit Log Subject ID + * + * This method is inherited by all extended "CMSServlet"s, + * and is called to obtain the "SubjectID" for + * a signed audit log message. + *

+ * + * @return id string containing the signed audit log message SubjectID + */ + protected String auditSubjectID() { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String subjectID = null; + + // Initialize subjectID + SessionContext auditContext = SessionContext.getExistingContext(); + + if (auditContext != null) { + subjectID = (String) + auditContext.get(SessionContext.USER_ID); + + if (subjectID != null) { + subjectID = subjectID.trim(); + } else { + subjectID = ILogger.NONROLEUSER; + } + } else { + subjectID = ILogger.UNIDENTIFIED; + } + + return subjectID; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/FileSigningInput.java b/base/common/src/com/netscape/cms/profile/input/FileSigningInput.java new file mode 100644 index 000000000..357488186 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/FileSigningInput.java 
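Review bot: `getConfig` swallows `EBaseException` with an empty catch and then returns `""`, so a configuration read failure is indistinguishable from a missing parameter; at minimum log it, `} catch (EBaseException e) { CMS.debug("EnrollInput: getConfig failed for " + name + ": " + e); }`. `setConfig` likewise has an empty `if` branch when the `params` substore is absent, which silently drops the write. In `verifyPOP`, the `cms.skipPOPVerify` toggle returns before any audit message is written, so proof-of-possession checking can be disabled without leaving a trace in the signed audit log; a Javadoc line on the method such as `Proof-of-possession verification is skipped, without an audit entry, when cms.skipPOPVerify is true` would make that operational risk visible to whoever sets the flag.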
@@ -0,0 +1,143 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.io.BufferedInputStream; +import java.net.URL; +import java.net.URLConnection; +import java.security.MessageDigest; +import java.util.Locale; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements the image + * input that collects a picture. + *

+ * + * @version $Revision$, $Date$ + */ +public class FileSigningInput extends EnrollInput implements IProfileInput { + + public static final String URL = "file_signing_url"; + public static final String TEXT = "file_signing_text"; + public static final String SIZE = "file_signing_size"; + public static final String DIGEST = "file_signing_digest"; + public static final String DIGEST_TYPE = "file_signing_digest_type"; + + public FileSigningInput() { + addValueName(URL); + addValueName(TEXT); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_FILE_SIGNING_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_FILE_SIGNING_TEXT"); + } + + public String toHexString(byte data[]) { + StringBuffer sb = new StringBuffer(); + for (int i = 0; i < data.length; i++) { + int v = data[i] & 0xff; + if (v < 16) { + sb.append("0"); + } + sb.append(Integer.toHexString(v)); + } + return sb.toString(); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + request.setExtData(TEXT, ctx.get(TEXT)); + request.setExtData(URL, ctx.get(URL)); + request.setExtData(DIGEST_TYPE, "SHA256"); + + try { + // retrieve file and calculate the hash + URL url = new URL(ctx.get(URL)); + URLConnection c = url.openConnection(); + c.setAllowUserInteraction(false); + c.setDoInput(true); + c.setDoOutput(false); + c.setUseCaches(false); + c.connect(); + int len = c.getContentLength(); + request.setExtData(SIZE, Integer.toString(len)); + BufferedInputStream is = new BufferedInputStream(c.getInputStream()); + byte data[] = new byte[len]; + is.read(data, 0, len); + is.close(); + + // calculate digest + MessageDigest digester = MessageDigest.getInstance("SHA256"); + byte digest[] = digester.digest(data); + request.setExtData(DIGEST, toHexString(digest)); + } catch (Exception e) { + CMS.debug("FileSigningInput populate failure " + e); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_FILE_NOT_FOUND")); + } + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(URL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_FILE_SIGNING_URL")); + } else if (name.equals(TEXT)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_FILE_SIGNING_TEXT")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/GenericInput.java b/base/common/src/com/netscape/cms/profile/input/GenericInput.java new file mode 100644 index 000000000..e8edfaa6d --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/GenericInput.java 
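Review bot: The single `is.read(data, 0, len)` may return fewer bytes than `len` (and `getContentLength()` may be -1 or differ from the body actually served), so the SHA-256 value stored under DIGEST can be computed over a partially filled, zero-padded buffer, and the stream is never closed when an exception occurs before `is.close()`. Read to end-of-stream while feeding the digest, close in a `finally`, and derive SIZE from the bytes actually read, as sketched below; the enclosing `try`/`catch` stays as in the hunk. Separately, the URL is taken straight from the profile context and fetched by the CA process with no restriction on scheme or destination, which is worth a comment at the `new URL(ctx.get(URL))` line and ideally a configurable allow-list of schemes/hosts. The class Javadoc is copied from ImageInput ("collects a picture"); it should read `This class implements the file signing input that fetches a file by URL and records its size and SHA-256 digest.`
```java
// … unchanged: setExtData(TEXT), setExtData(URL), setExtData(DIGEST_TYPE) …
try {
    // … unchanged: URL / URLConnection setup and c.connect() …
    MessageDigest digester = MessageDigest.getInstance("SHA256");
    BufferedInputStream is = new BufferedInputStream(c.getInputStream());
    long total = 0;
    try {
        // read to EOF: one read() may return fewer bytes than requested
        byte buf[] = new byte[8192];
        int n;
        while ((n = is.read(buf)) != -1) {
            digester.update(buf, 0, n);
            total += n;
        }
    } finally {
        is.close();
    }
    request.setExtData(SIZE, Long.toString(total));
    request.setExtData(DIGEST, toHexString(digester.digest()));
} catch (Exception e) {
    // … unchanged: debug message and EProfileException …
}
```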
@@ -0,0 +1,160 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements a generic input. + *

+ * + * @version $Revision$, $Date$ + */ +public class GenericInput extends EnrollInput implements IProfileInput { + + public static final String CONFIG_NUM = "gi_num"; + public static final String CONFIG_DISPLAY_NAME = "gi_display_name"; + public static final String CONFIG_PARAM_NAME = "gi_param_name"; + public static final String CONFIG_ENABLE = "gi_param_enable"; + + public static final int DEF_NUM = 5; + + public GenericInput() { + int num = getNum(); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_PARAM_NAME + i); + addConfigName(CONFIG_DISPLAY_NAME + i); + addConfigName(CONFIG_ENABLE + i); + } + } + + protected int getNum() { + int num = DEF_NUM; + String numC = getConfig(CONFIG_NUM); + + if (numC != null) { + try { + num = Integer.parseInt(numC); + } catch (NumberFormatException e) { + // ignore + } + } + return num; + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_GENERIC_NAME_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_GENERIC_NAME_TEXT"); + } + + /** + * Returns selected value names based on the configuration. + */ + public Enumeration getValueNames() { + Vector v = new Vector(); + int num = getNum(); + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_ENABLE + i); + if (enable != null && enable.equals("true")) { + v.addElement(getConfig(CONFIG_PARAM_NAME + i)); + } + } + return v.elements(); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + int num = getNum(); + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_ENABLE + i); + if (enable != null && enable.equals("true")) { + String param = getConfig(CONFIG_PARAM_NAME + i); + request.setExtData(param, ctx.get(param)); + } + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + int num = getNum(); + for (int i = 0; i < num; i++) { + if (name.equals(CONFIG_PARAM_NAME + i)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_GI_PARAM_NAME") + i); + } else if (name.equals(CONFIG_DISPLAY_NAME + i)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_GI_DISPLAY_NAME") + i); + } else if (name.equals(CONFIG_ENABLE + i)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_GI_ENABLE") + i); + } + } // for + return null; + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + int num = getNum(); + for (int i = 0; i < num; i++) { + String param = getConfig(CONFIG_PARAM_NAME + i); + if (param != null && param.equals(name)) { + return new Descriptor(IDescriptor.STRING, null, + null, + getConfig(CONFIG_DISPLAY_NAME + i)); + } + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/ImageInput.java b/base/common/src/com/netscape/cms/profile/input/ImageInput.java new file mode 100644 index 000000000..30570b56c --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/ImageInput.java 
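Review bot: The constructor calls `getNum()`, which reads `CONFIG_NUM` through `getConfig`, but `mConfig` is only assigned later in `init`, so at construction time `getConfig` returns null and exactly `DEF_NUM` parameter triples are registered via `addConfigName` regardless of `gi_num`. `getValueNames`, `populate` and both descriptor lookups call `getNum()` after init and honour a larger `gi_num`, so parameters beyond the first five work at runtime but never appear in the config-name enumeration. Moving the `addConfigName` loop from the constructor into `init`, after `super.init(profile, config)`, would make the registered names follow the configured count and also avoids calling an overridable method from the constructor. If the fixed registration is intentional, a comment such as `// mConfig is not set yet, so getNum() always yields DEF_NUM here` would spare the next reader the confusion.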
@@ -0,0 +1,89 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements the image + * input that collects a picture. + *

+ * + * @version $Revision$, $Date$ + */ +public class ImageInput extends EnrollInput implements IProfileInput { + + public static final String IMAGE_URL = "image_url"; + + public ImageInput() { + addValueName(IMAGE_URL); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IMAGE_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IMAGE_TEXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + request.setExtData(IMAGE_URL, ctx.get(IMAGE_URL)); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(IMAGE_URL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IMAGE_URL")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/KeyGenInput.java b/base/common/src/com/netscape/cms/profile/input/KeyGenInput.java new file mode 100644 index 000000000..c2b3cf0d5 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/KeyGenInput.java 
@@ -0,0 +1,184 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import netscape.security.pkcs.PKCS10; +import netscape.security.util.DerInputStream; +import netscape.security.x509.X509CertInfo; + +import org.mozilla.jss.pkix.cmc.TaggedRequest; +import org.mozilla.jss.pkix.crmf.CertReqMsg; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the key generation input that + * populates parameters to the enrollment page for + * key generation. + *

+ * + * This input normally is used with user-based or non certificate request profile. + *

+ * + * @version $Revision$, $Date$ + */ +public class KeyGenInput extends EnrollInput implements IProfileInput { + + public static final String VAL_KEYGEN_REQUEST_TYPE = + EnrollProfile.CTX_CERT_REQUEST_TYPE; + public static final String VAL_KEYGEN_REQUEST = + EnrollProfile.CTX_CERT_REQUEST; + + public EnrollProfile mEnrollProfile = null; + + public KeyGenInput() { + addValueName(VAL_KEYGEN_REQUEST_TYPE); + addValueName(VAL_KEYGEN_REQUEST); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEY_GEN_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEY_GEN_TEXT"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String keygen_request_type = ctx.get(VAL_KEYGEN_REQUEST_TYPE); + String keygen_request = ctx.get(VAL_KEYGEN_REQUEST); + + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (keygen_request_type == null) { + CMS.debug("KeyGenInput: populate - invalid cert request type " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + "")); + } + if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_PKCS10)) { + PKCS10 pkcs10 = mEnrollProfile.parsePKCS10(getLocale(request), keygen_request); + + if (pkcs10 == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillPKCS10(getLocale(request), pkcs10, info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_KEYGEN)) { + DerInputStream keygen = mEnrollProfile.parseKeyGen(getLocale(request), keygen_request); + + if (keygen == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillKeyGen(getLocale(request), keygen, info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_CRMF)) { + CertReqMsg msgs[] = mEnrollProfile.parseCRMF(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + for (int x = 0; x < msgs.length; x++) { + verifyPOP(getLocale(request), msgs[x]); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + mEnrollProfile.fillCertReqMsg(getLocale(request), msgs[seqNum.intValue()], info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_CMC)) { + TaggedRequest msgs[] = 
mEnrollProfile.parseCMC(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + if (seqNum == null) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_SEQ_NUM")); + } + + mEnrollProfile.fillTaggedRequest(getLocale(request), msgs[seqNum.intValue()], info, request); + } else { + // error + CMS.debug("DualKeyGenInput: populate - " + + "invalid cert request type " + keygen_request_type); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + keygen_request_type)); + } + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_KEYGEN_REQUEST_TYPE)) { + return new Descriptor(IDescriptor.KEYGEN_REQUEST_TYPE, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ_TYPE")); + } else if (name.equals(VAL_KEYGEN_REQUEST)) { + return new Descriptor(IDescriptor.KEYGEN_REQUEST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java b/base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java new file mode 100644 index 000000000..542a2c940 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java 
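Review bot: The fallback branch logs `"DualKeyGenInput: populate - "` although this is `KeyGenInput.populate`, so the debug trail points at the wrong class; change it to `CMS.debug("KeyGenInput: populate - " + "invalid cert request type " + keygen_request_type);`. Apart from the descriptor constants and message keys, `populate` here is a line-for-line copy of EncryptionKeyGenInput.populate in this commit, so any later fix must be applied twice; a shared helper on EnrollInput or EnrollProfile taking the descriptor constants as parameters would remove the duplication.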
@@ -0,0 +1,89 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.input;
+
+import java.util.Locale;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileContext;
+import com.netscape.certsrv.profile.IProfileInput;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements the serial number input
+ * for renewal
+ *

+ * + * @author Christina Fu + */ +public class SerialNumRenewInput extends EnrollInput implements IProfileInput { + + public static final String SERIAL_NUM = "serial_num"; + + public SerialNumRenewInput() { + addValueName(SERIAL_NUM); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SERIAL_NUM_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SERIAL_NUM_TEXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + // + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(SERIAL_NUM)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SERIAL_NUM_NAME")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/SigningKeyGenInput.java b/base/common/src/com/netscape/cms/profile/input/SigningKeyGenInput.java new file mode 100644 index 000000000..aa471d4f6 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/SigningKeyGenInput.java 
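Review bot: `populate` has an empty body (`//`) even though the constructor registers `SERIAL_NUM` as a value name, so this class never copies the submitted serial number into the request, and the Javadoc `Populates the request with this policy default.` describes behaviour the method does not have. If the value is meant to be read from the profile context by another component (I can't confirm that from this hunk), say so in place of the boilerplate, e.g. `/** Intentionally empty: this input only declares the serial_num field; the value is not copied into the request here. */`. The same empty `populate` with the same Javadoc appears in SubmitterInfoInput.java further down in this commit.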
@@ -0,0 +1,184 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.input;
+
+import java.util.Locale;
+
+import netscape.security.pkcs.PKCS10;
+import netscape.security.util.DerInputStream;
+import netscape.security.x509.X509CertInfo;
+
+import org.mozilla.jss.pkix.cmc.TaggedRequest;
+import org.mozilla.jss.pkix.crmf.CertReqMsg;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileContext;
+import com.netscape.certsrv.profile.IProfileInput;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.common.EnrollProfile;
+
+/**
+ * This class implements the key generation input that
+ * populates parameters to the enrollment page for
+ * key generation.
+ *

+ * + * This input normally is used with user-based or non certificate request profile. + *

+ * + * @version $Revision$, $Date$ + */ +public class SigningKeyGenInput extends EnrollInput implements IProfileInput { + + public static final String VAL_KEYGEN_REQUEST_TYPE = + EnrollProfile.CTX_CERT_REQUEST_TYPE; + public static final String VAL_KEYGEN_REQUEST = + EnrollProfile.CTX_CERT_REQUEST; + + public EnrollProfile mEnrollProfile = null; + + public SigningKeyGenInput() { + addValueName(VAL_KEYGEN_REQUEST_TYPE); + addValueName(VAL_KEYGEN_REQUEST); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SIGN_KEY_GEN_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SIGN_KEY_GEN_TEXT"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String keygen_request_type = ctx.get(VAL_KEYGEN_REQUEST_TYPE); + String keygen_request = ctx.get(VAL_KEYGEN_REQUEST); + + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (keygen_request_type == null) { + CMS.debug("SigningKeyGenInput: populate - invalid cert request type " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + "")); + } + if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_PKCS10)) { + PKCS10 pkcs10 = mEnrollProfile.parsePKCS10(getLocale(request), keygen_request); + + if (pkcs10 == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillPKCS10(getLocale(request), pkcs10, info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_KEYGEN)) { + DerInputStream keygen = mEnrollProfile.parseKeyGen(getLocale(request), keygen_request); + + if (keygen == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillKeyGen(getLocale(request), keygen, info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_CRMF)) { + CertReqMsg msgs[] = mEnrollProfile.parseCRMF(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + for (int x = 0; x < msgs.length; x++) { + verifyPOP(getLocale(request), msgs[x]); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + mEnrollProfile.fillCertReqMsg(getLocale(request), msgs[seqNum.intValue()], info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_CMC)) { + TaggedRequest msgs[] = 
mEnrollProfile.parseCMC(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + if (seqNum == null) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_SEQ_NUM")); + } + + mEnrollProfile.fillTaggedRequest(getLocale(request), msgs[seqNum.intValue()], info, request); + } else { + // error + CMS.debug("SigningKeyGenInput: populate - " + + "invalid cert request type " + keygen_request_type); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + keygen_request_type)); + } + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_KEYGEN_REQUEST_TYPE)) { + return new Descriptor(IDescriptor.SIGN_KEYGEN_REQUEST_TYPE, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ_TYPE")); + } else if (name.equals(VAL_KEYGEN_REQUEST)) { + return new Descriptor(IDescriptor.SIGN_KEYGEN_REQUEST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/SubjectDNInput.java b/base/common/src/com/netscape/cms/profile/input/SubjectDNInput.java new file mode 100644 index 000000000..a12351f8a --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/SubjectDNInput.java 
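Review bot: In the CRMF branch of `populate`, `seqNum` from `request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM)` is dereferenced as `msgs[seqNum.intValue()]` with no null check, and neither this branch nor the CMC branch compares it against `msgs.length`, so a missing or out-of-range sequence number surfaces as a NullPointerException or ArrayIndexOutOfBoundsException instead of the EProfileException the method declares. One guard placed after the `getExtDataInInteger` call covers both branches: `if (seqNum == null || seqNum.intValue() < 0 || seqNum.intValue() >= msgs.length) throw new EProfileException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_UNKNOWN_SEQ_NUM"));`. The comment `// This profile only handle the first request in CRMF` is repeated in the CMC branch, where it describes neither CRMF nor "the first" request; `// only the request selected by REQUEST_SEQ_NUM is filled` fits both places. The same `populate` body, with the same gaps, appears in the preceding file's hunk above (that hunk starts outside this chunk).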
@@ -0,0 +1,142 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.input;
+
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.Vector;
+
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileContext;
+import com.netscape.certsrv.profile.IProfileInput;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.common.EnrollProfile;
+
+/**
+ * This plugin accepts subject DN from end user.
+ */
+public class SubjectDNInput extends EnrollInput implements IProfileInput {
+
+ public static final String VAL_SUBJECT = "subject";
+
+ public SubjectDNInput() {
+ }
+
+ /**
+ * Initializes this default policy.
+ */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SUBJECT_NAME_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SUBJECT_NAME_TEXT"); + } + + public String getConfig(String name) { + String config = super.getConfig(name); + if (config == null || config.equals("")) + return "true"; + return config; + } + + /** + * Returns selected value names based on the configuration. + */ + public Enumeration getValueNames() { + Vector v = new Vector(); + v.addElement(VAL_SUBJECT); + return v.elements(); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + String subjectName = ""; + + subjectName = ctx.get(VAL_SUBJECT); + if (subjectName.equals("")) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + } + X500Name name = null; + + try { + name = new X500Name(subjectName); + } catch (Exception e) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_INVALID_SUBJECT_NAME", subjectName)); + } + parseSubjectName(name, info, request); + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + return null; + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. 
+ */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_SUBJECT)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME")); + } + return null; + } + + protected void parseSubjectName(X500Name subj, X509CertInfo info, IRequest req) + throws EProfileException { + try { + req.setExtData(EnrollProfile.REQUEST_SUBJECT_NAME, + new CertificateSubjectName(subj)); + } catch (Exception e) { + CMS.debug("SubjectNameInput: parseSubject Name " + + e.toString()); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/SubjectNameInput.java b/base/common/src/com/netscape/cms/profile/input/SubjectNameInput.java new file mode 100644 index 000000000..db70da666 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/SubjectNameInput.java 
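Review bot: `populate` calls `subjectName.equals("")` directly on the result of `ctx.get(VAL_SUBJECT)`, so a request that omits the subject field fails with a NullPointerException instead of the CMS_PROFILE_SUBJECT_NAME_NOT_FOUND error written for that case (SubjectNameInput in this same commit tests every context value for null before `equals`, which suggests `ctx.get` can return null). Change the test to `if (subjectName == null || subjectName.equals("")) {`. `parseSubjectName` catches `Exception`, logs at debug level and returns normally, so a failure to build `CertificateSubjectName` leaves the request without REQUEST_SUBJECT_NAME while `populate` carries on and stores the cert info as if it had succeeded; the method already declares EProfileException, so rethrow instead: `throw new EProfileException(CMS.getUserMessage(getLocale(req), "CMS_PROFILE_INVALID_SUBJECT_NAME", subj.toString()));`. Its debug prefix also reads `SubjectNameInput:` inside SubjectDNInput, which will send anyone reading the log to the wrong class.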
@@ -0,0 +1,382 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.input;
+
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.Vector;
+
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileContext;
+import com.netscape.certsrv.profile.IProfileInput;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.common.EnrollProfile;
+
+/**
+ * This class implements the subject name input
+ * that populates text fields to the enrollment
+ * page so that distinguished name parameters
+ * can be collected from the user.
+ *

+ * The collected parameters could be used for fomulating the subject name in the certificate. + *

+ * + * @version $Revision$, $Date$ + */ +public class SubjectNameInput extends EnrollInput implements IProfileInput { + + public static final String CONFIG_UID = "sn_uid"; + public static final String CONFIG_EMAIL = "sn_e"; + public static final String CONFIG_CN = "sn_cn"; + public static final String CONFIG_OU3 = "sn_ou3"; + public static final String CONFIG_OU2 = "sn_ou2"; + public static final String CONFIG_OU1 = "sn_ou1"; + public static final String CONFIG_OU = "sn_ou"; + public static final String CONFIG_O = "sn_o"; + public static final String CONFIG_C = "sn_c"; + + public static final String VAL_UID = "sn_uid"; + public static final String VAL_EMAIL = "sn_e"; + public static final String VAL_CN = "sn_cn"; + public static final String VAL_OU3 = "sn_ou3"; + public static final String VAL_OU2 = "sn_ou2"; + public static final String VAL_OU1 = "sn_ou1"; + public static final String VAL_OU = "sn_ou"; + public static final String VAL_O = "sn_o"; + public static final String VAL_C = "sn_c"; + + public SubjectNameInput() { + addConfigName(CONFIG_UID); + addConfigName(CONFIG_EMAIL); + addConfigName(CONFIG_CN); + addConfigName(CONFIG_OU3); + addConfigName(CONFIG_OU2); + addConfigName(CONFIG_OU1); + addConfigName(CONFIG_OU); + addConfigName(CONFIG_O); + addConfigName(CONFIG_C); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SUBJECT_NAME_NAME"); + } + + /** + * Retrieves the localizable description of this policy. 
+ */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SUBJECT_NAME_TEXT"); + } + + public String getConfig(String name) { + String config = super.getConfig(name); + if (config == null || config.equals("")) + return "true"; + return config; + } + + /** + * Returns selected value names based on the configuration. + */ + public Enumeration getValueNames() { + Vector v = new Vector(); + String c_uid = getConfig(CONFIG_UID); + if (c_uid == null || c_uid.equals("")) { + v.addElement(VAL_UID); // default case + } else { + if (c_uid.equals("true")) { + v.addElement(VAL_UID); + } + } + String c_email = getConfig(CONFIG_EMAIL); + if (c_email == null || c_email.equals("")) { + v.addElement(VAL_EMAIL); + } else { + if (c_email.equals("true")) { + v.addElement(VAL_EMAIL); + } + } + String c_cn = getConfig(CONFIG_CN); + if (c_cn == null || c_cn.equals("")) { + v.addElement(VAL_CN); + } else { + if (c_cn.equals("true")) { + v.addElement(VAL_CN); + } + } + String c_ou3 = getConfig(CONFIG_OU3); + if (c_ou3 == null || c_ou3.equals("")) { + v.addElement(VAL_OU3); + } else { + if (c_ou3.equals("true")) { + v.addElement(VAL_OU3); + } + } + String c_ou2 = getConfig(CONFIG_OU2); + if (c_ou2 == null || c_ou2.equals("")) { + v.addElement(VAL_OU2); + } else { + if (c_ou2.equals("true")) { + v.addElement(VAL_OU2); + } + } + String c_ou1 = getConfig(CONFIG_OU1); + if (c_ou1 == null || c_ou1.equals("")) { + v.addElement(VAL_OU1); + } else { + if (c_ou1.equals("true")) { + v.addElement(VAL_OU1); + } + } + String c_ou = getConfig(CONFIG_OU); + if (c_ou == null || c_ou.equals("")) { + v.addElement(VAL_OU); + } else { + if (c_ou.equals("true")) { + v.addElement(VAL_OU); + } + } + String c_o = getConfig(CONFIG_O); + if (c_o == null || c_o.equals("")) { + v.addElement(VAL_O); + } else { + if (c_o.equals("true")) { + v.addElement(VAL_O); + } + } + String c_c = getConfig(CONFIG_C); + if (c_c == null || c_c.equals("")) { + v.addElement(VAL_C); + } else { + 
if (c_c.equals("true")) { + v.addElement(VAL_C); + } + } + return v.elements(); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + String subjectName = ""; + + String uid = ctx.get(VAL_UID); + + if (uid != null && !uid.equals("")) { + subjectName += "UID=" + uid; + } + String email = ctx.get(VAL_EMAIL); + + if (email != null && !email.equals("")) { + if (!subjectName.equals("")) { + subjectName += ","; + } + subjectName += "E=" + email; + } + String cn = ctx.get(VAL_CN); + + if (cn != null && !cn.equals("")) { + if (!subjectName.equals("")) { + subjectName += ","; + } + subjectName += "CN=" + cn; + } + String ou3 = ctx.get(VAL_OU3); + if (ou3 != null && !ou3.equals("")) { + if (!subjectName.equals("")) { + subjectName += ","; + } + subjectName += "OU=" + ou3; + } + String ou2 = ctx.get(VAL_OU2); + if (ou2 != null && !ou2.equals("")) { + if (!subjectName.equals("")) { + subjectName += ","; + } + subjectName += "OU=" + ou2; + } + String ou1 = ctx.get(VAL_OU1); + if (ou1 != null && !ou1.equals("")) { + if (!subjectName.equals("")) { + subjectName += ","; + } + subjectName += "OU=" + ou1; + } + String ou = ctx.get(VAL_OU); + if (ou != null && !ou.equals("")) { + if (!subjectName.equals("")) { + subjectName += ","; + } + subjectName += "OU=" + ou; + } + String o = ctx.get(VAL_O); + + if (o != null && !o.equals("")) { + if (!subjectName.equals("")) { + subjectName += ","; + } + subjectName += "O=" + o; + } + String c = ctx.get(VAL_C); + + if (c != null && !c.equals("")) { + if (!subjectName.equals("")) { + subjectName += ","; + } + subjectName += "C=" + c; + } + if (subjectName.equals("")) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + } + X500Name name = null; + + try { + name = new X500Name(subjectName); + 
} catch (Exception e) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_INVALID_SUBJECT_NAME", subjectName)); + } + parseSubjectName(name, info, request); + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_UID)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_UID")); + } else if (name.equals(CONFIG_EMAIL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_UID")); + } else if (name.equals(CONFIG_CN)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_CN")); + } else if (name.equals(CONFIG_OU3)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_OU")); + } else if (name.equals(CONFIG_OU2)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_OU")); + } else if (name.equals(CONFIG_OU1)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_OU")); + } else if (name.equals(CONFIG_OU)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_OU")); + } else if (name.equals(CONFIG_O)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_O")); + } else if (name.equals(CONFIG_C)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_C")); + } else { + return null; + } + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. 
+ */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_UID)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_UID")); + } else if (name.equals(VAL_EMAIL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_EMAIL")); + } else if (name.equals(VAL_CN)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_CN")); + } else if (name.equals(VAL_OU3)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_OU") + " 3"); + } else if (name.equals(VAL_OU2)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_OU") + " 2"); + } else if (name.equals(VAL_OU1)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_OU") + " 1"); + } else if (name.equals(VAL_OU)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_OU")); + } else if (name.equals(VAL_O)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_O")); + } else if (name.equals(VAL_C)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_C")); + } + return null; + } + + protected void parseSubjectName(X500Name subj, X509CertInfo info, IRequest req) + throws EProfileException { + try { + req.setExtData(EnrollProfile.REQUEST_SUBJECT_NAME, + new CertificateSubjectName(subj)); + } catch (Exception e) { + CMS.debug("SubjectNameInput: parseSubject Name " + + e.toString()); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/SubmitterInfoInput.java b/base/common/src/com/netscape/cms/profile/input/SubmitterInfoInput.java new file mode 100644 index 000000000..984706f42 --- /dev/null 
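Review bot: `populate` builds the subject by concatenating the raw form values into a DN string (`subjectName += "CN=" + cn;` and the UID/E/OU/O/C lines around it) and then parses the whole string with `new X500Name(subjectName)`, so a value containing DN syntax characters such as `,` or `=` changes the structure of the resulting name instead of staying inside its own attribute; the form fields therefore do not bound what ends up in the certificate subject, and anything downstream that inspects individual RDNs presumably sees whatever the submitter composed. Either escape each value per RFC 4514 before appending it (only if this `X500Name` honours backslash escapes, which I can't confirm from the hunk) or reject values that carry those characters using the existing CMS_PROFILE_INVALID_SUBJECT_NAME message, as in the helper below, called on each non-empty value before it is appended (note the rejection route refuses legitimate values like `Foo, Inc.`, so choose escaping if those must pass). Separately, the CONFIG_EMAIL branch of `getConfigDescriptor` returns the `CMS_PROFILE_SN_UID` label where `getValueDescriptor` uses `CMS_PROFILE_SN_EMAIL` for the same field, which reads as a copy-paste slip. `getValueNames` also re-tests each value for null/empty after the `getConfig` override has already mapped both to `"true"`, so those `default case` branches are dead.
```java
/** Rejects an attribute value that carries DN syntax, so one form field cannot add or alter RDNs. */
private static void checkRdnValue(String value, Locale locale) throws EProfileException {
    // Characters RFC 4514 treats as structural unless escaped.
    if (value.indexOf(',') >= 0 || value.indexOf('+') >= 0 || value.indexOf('=') >= 0
            || value.indexOf('"') >= 0 || value.indexOf('\\') >= 0 || value.indexOf(';') >= 0
            || value.indexOf('<') >= 0 || value.indexOf('>') >= 0) {
        throw new EProfileException(
                CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_SUBJECT_NAME", value));
    }
}

// in populate(), for each field (shown for CN; UID, E, OU*, O and C follow the same shape):
if (cn != null && !cn.equals("")) {
    checkRdnValue(cn, getLocale(request));
    // … unchanged: separator handling and subjectName += "CN=" + cn …
}
```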
+++ b/base/common/src/com/netscape/cms/profile/input/SubmitterInfoInput.java
@@ -0,0 +1,102 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.input;
+
+import java.util.Locale;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileContext;
+import com.netscape.certsrv.profile.IProfileInput;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements the submitter information
+ * input that collects certificate requestor's
+ * information such as name, email and phone.
+ *

+ * + * @version $Revision$, $Date$ + */ +public class SubmitterInfoInput extends EnrollInput implements IProfileInput { + + public static final String NAME = "requestor_name"; + public static final String EMAIL = "requestor_email"; + public static final String PHONE = "requestor_phone"; + + public SubmitterInfoInput() { + addValueName(NAME); + addValueName(EMAIL); + addValueName(PHONE); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SUBMITTER_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SUBMITTER_TEXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + // + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(NAME)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_REQUESTOR_NAME")); + } else if (name.equals(EMAIL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_REQUESTOR_EMAIL")); + } else if (name.equals(PHONE)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_REQUESTOR_PHONE")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/nsHKeyCertReqInput.java b/base/common/src/com/netscape/cms/profile/input/nsHKeyCertReqInput.java new file mode 100644 index 000000000..3c6067891 --- /dev/null 
+++ b/base/common/src/com/netscape/cms/profile/input/nsHKeyCertReqInput.java
@@ -0,0 +1,160 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.input;
+
+import java.util.Locale;
+
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileContext;
+import com.netscape.certsrv.profile.IProfileInput;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.common.EnrollProfile;
+
+/**
+ * This class implements the certificate request input from TPS.
+ * This input populates 2 main fields to the enrollment "page":
+ * 1/ token cuid, 2/ publickey
+ *

+ * + * This input usually is used by an enrollment profile for certificate requests coming from TPS. + * + * @version $Revision$, $Date$ + */ +public class nsHKeyCertReqInput extends EnrollInput implements IProfileInput { + public static final String VAL_TOKEN_CUID = "tokencuid"; + public static final String VAL_PUBLIC_KEY = "publickey"; + + public EnrollProfile mEnrollProfile = null; + + public nsHKeyCertReqInput() { + addValueName(VAL_TOKEN_CUID); + addValueName(VAL_PUBLIC_KEY); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_TEXT"); + } + + /* + * Pretty print token cuid + */ + public String toPrettyPrint(String cuid) { + if (cuid == null) + return null; + + if (cuid.length() != 20) + return null; + + StringBuffer sb = new StringBuffer(); + for (int i = 0; i < cuid.length(); i++) { + if (i == 4 || i == 8 || i == 12 || i == 16) { + sb.append("-"); + } + sb.append(cuid.charAt(i)); + } + return sb.toString(); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String tcuid = ctx.get(VAL_TOKEN_CUID); + // pretty print tcuid + String prettyPrintCuid = toPrettyPrint(tcuid); + if (prettyPrintCuid == null) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_TOKENKEY_NO_TOKENCUID", + "")); + } + + request.setExtData("pretty_print_tokencuid", prettyPrintCuid); + + String pk = ctx.get(VAL_PUBLIC_KEY); + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (tcuid == null) { + CMS.debug("nsHKeyCertReqInput: populate - tokencuid not found " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_TOKENKEY_NO_TOKENCUID", + "")); + } + if (pk == null) { + CMS.debug("nsHKeyCertReqInput: populate - public key not found " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_TOKENKEY_NO_PUBLIC_KEY", + "")); + } + + mEnrollProfile.fillNSHKEY(getLocale(request), tcuid, pk, info, request); + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_TOKEN_CUID)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_TOKEN_CUID")); + } else if (name.equals(VAL_PUBLIC_KEY)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_PK")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/nsNKeyCertReqInput.java b/base/common/src/com/netscape/cms/profile/input/nsNKeyCertReqInput.java new file mode 100644 index 000000000..196798683 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/nsNKeyCertReqInput.java 
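Review bot: In `populate`, the `if (tcuid == null)` branch is unreachable: `toPrettyPrint` returns null for a null argument, and the earlier `if (prettyPrintCuid == null)` has already thrown by the time the later check runs, so its debug line never fires. Because `toPrettyPrint` also returns null for any cuid whose length is not 20, a malformed cuid is reported with the same CMS_PROFILE_TOKENKEY_NO_TOKENCUID message as a missing one, which is hard to diagnose from the client side. Move the `tcuid == null` and `pk == null` checks ahead of the `toPrettyPrint` call and annotate the remaining one with `// toPrettyPrint is null only for a cuid that is not 20 characters at this point`. `toPrettyPrint` accepts any 20 characters, not only hex digits; if cuids are expected to be hex (I can't tell from this hunk), validating that here would catch bad input before `fillNSHKEY`. `public EnrollProfile mEnrollProfile` is written only in `init` and should not be a public mutable field; the same declaration appears in SigningKeyGenInput.java above.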
@@ -0,0 +1,129 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the certificate request input from TPS. + * This input populates 2 main fields to the enrollment "page": + * 1/ id, 2/ publickey + *

+ * + * This input usually is used by an enrollment profile for certificate requests coming from TPS. + * + * @version $Revision$, $Date$ + */ +public class nsNKeyCertReqInput extends EnrollInput implements IProfileInput { + public static final String VAL_SN = "screenname"; + public static final String VAL_PUBLIC_KEY = "publickey"; + + public EnrollProfile mEnrollProfile = null; + + public nsNKeyCertReqInput() { + addValueName(VAL_SN); + addValueName(VAL_PUBLIC_KEY); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_TEXT"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String sn = ctx.get(VAL_SN); + String pk = ctx.get(VAL_PUBLIC_KEY); + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (sn == null) { + CMS.debug("nsNKeyCertReqInput: populate - id not found " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_TOKENKEY_NO_ID", + "")); + } + if (pk == null) { + CMS.debug("nsNKeyCertReqInput: populate - public key not found " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_TOKENKEY_NO_PUBLIC_KEY", + "")); + } + + mEnrollProfile.fillNSNKEY(getLocale(request), sn, pk, info, request); + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_SN)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_UID")); + } else if (name.equals(VAL_PUBLIC_KEY)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_PK")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/output/CMMFOutput.java b/base/common/src/com/netscape/cms/profile/output/CMMFOutput.java new file mode 100644 index 000000000..2253460b1 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/output/CMMFOutput.java 
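Review bot: `populate` forwards `screenname` to `fillNSNKEY` after only a null check, so an empty or whitespace-only value from the profile context passes through; the sibling `nsHKeyCertReqInput` at least validates its token CUID for length before use, and this input should reject blanks with `if (sn == null || sn.trim().length() == 0)` in place of `if (sn == null)`. What `fillNSNKEY` does with the value is outside this hunk, so whether it reaches the certificate subject is an inference; if it does, a maximum-length and character-set check here would be the right place for it. Separately, `init` performs an unchecked `(EnrollProfile) profile` cast that surfaces as a `ClassCastException` rather than the declared `EProfileException` when the plugin is attached to another profile type.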
@@ -0,0 +1,161 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.output; + +import java.io.ByteArrayOutputStream; +import java.security.cert.X509Certificate; +import java.util.Locale; + +import netscape.security.x509.CertificateChain; +import netscape.security.x509.X509CertImpl; + +import org.mozilla.jss.asn1.INTEGER; +import org.mozilla.jss.pkix.cmmf.CertOrEncCert; +import org.mozilla.jss.pkix.cmmf.CertRepContent; +import org.mozilla.jss.pkix.cmmf.CertResponse; +import org.mozilla.jss.pkix.cmmf.CertifiedKeyPair; +import org.mozilla.jss.pkix.cmmf.PKIStatusInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.ICertPrettyPrint; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileOutput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements 
the output plugin that outputs + * CMMF response for the issued certificate. + * + * @version $Revision$, $Date$ + */ +public class CMMFOutput extends EnrollOutput implements IProfileOutput { + + public static final String VAL_PRETTY_CERT = "pretty_cert"; + public static final String VAL_CMMF_RESPONSE = "cmmf_response"; + + public CMMFOutput() { + addValueName(VAL_PRETTY_CERT); + addValueName(VAL_CMMF_RESPONSE); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_OUTPUT_CERT_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_OUTPUT_CERT_TEXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. 
+ */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_PRETTY_CERT)) { + return new Descriptor(IDescriptor.PRETTY_PRINT, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_OUTPUT_CERT_PP")); + } else if (name.equals(VAL_CMMF_RESPONSE)) { + return new Descriptor(IDescriptor.PRETTY_PRINT, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_OUTPUT_CMMF_B64")); + } + return null; + } + + public String getValue(String name, Locale locale, IRequest request) + throws EProfileException { + if (name.equals(VAL_PRETTY_CERT)) { + X509CertImpl cert = request.getExtDataInCert( + EnrollProfile.REQUEST_ISSUED_CERT); + ICertPrettyPrint prettyCert = CMS.getCertPrettyPrint(cert); + + return prettyCert.toString(locale); + } else if (name.equals(VAL_CMMF_RESPONSE)) { + try { + X509CertImpl cert = request.getExtDataInCert( + EnrollProfile.REQUEST_ISSUED_CERT); + if (cert == null) + return null; + + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem("ca"); + CertificateChain cachain = ca.getCACertChain(); + X509Certificate[] cacerts = cachain.getChain(); + + byte[][] caPubs = new byte[cacerts.length][]; + + for (int j = 0; j < cacerts.length; j++) { + caPubs[j] = ((X509CertImpl) cacerts[j]).getEncoded(); + } + + CertRepContent certRepContent = null; + certRepContent = new CertRepContent(caPubs); + + PKIStatusInfo status = new PKIStatusInfo(PKIStatusInfo.granted); + CertifiedKeyPair certifiedKP = + new CertifiedKeyPair(new CertOrEncCert(cert.getEncoded())); + CertResponse resp = + new CertResponse(new INTEGER(request.getRequestId().toString()), + status, certifiedKP); + certRepContent.addCertResponse(resp); + + ByteArrayOutputStream certRepOut = new ByteArrayOutputStream(); + certRepContent.encode(certRepOut); + byte[] certRepBytes = certRepOut.toByteArray(); + + return CMS.BtoA(certRepBytes); + } catch (Exception e) { + return null; + } + } else { + return null; + } + } + +} 
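Review bot: The `VAL_PRETTY_CERT` branch of `getValue` calls `CMS.getCertPrettyPrint(cert)` without the `if (cert == null) return null;` guard that the `VAL_CMMF_RESPONSE` branch and the sibling `CertOutput`/`PKCS7Output` classes use, so a request with no issued certificate yet presumably ends in a NullPointerException instead of an empty value (whether `getCertPrettyPrint` tolerates null is not visible here). The `catch (Exception e) { return null; }` around the CMMF build also discards the cause, making an encoding or CA-chain failure indistinguishable from "no certificate"; log it first, e.g. `CMS.debug("CMMFOutput: failed to build CertRepContent for request " + request.getRequestId() + ": " + e);`, then return null.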
diff --git a/base/common/src/com/netscape/cms/profile/output/CertOutput.java b/base/common/src/com/netscape/cms/profile/output/CertOutput.java new file mode 100644 index 000000000..1293c055c --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/output/CertOutput.java 
@@ -0,0 +1,120 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.output; + +import java.util.Locale; + +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.ICertPrettyPrint; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileOutput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the pretty print certificate output + * that displays the issued certificate in a pretty print format. + * + * @version $Revision$, $Date$ + */ +public class CertOutput extends EnrollOutput implements IProfileOutput { + public static final String VAL_PRETTY_CERT = "pretty_cert"; + public static final String VAL_B64_CERT = "b64_cert"; + + public CertOutput() { + addValueName(VAL_PRETTY_CERT); + addValueName(VAL_B64_CERT); + } + + /** + * Initializes this default policy. 
+ */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_OUTPUT_CERT_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_OUTPUT_CERT_TEXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_PRETTY_CERT)) { + return new Descriptor(IDescriptor.PRETTY_PRINT, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_OUTPUT_CERT_PP")); + } else if (name.equals(VAL_B64_CERT)) { + return new Descriptor(IDescriptor.PRETTY_PRINT, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_OUTPUT_CERT_B64")); + } + return null; + } + + public String getValue(String name, Locale locale, IRequest request) + throws EProfileException { + if (name.equals(VAL_PRETTY_CERT)) { + X509CertImpl cert = request.getExtDataInCert( + EnrollProfile.REQUEST_ISSUED_CERT); + if (cert == null) + return null; + ICertPrettyPrint prettyCert = CMS.getCertPrettyPrint(cert); + + return prettyCert.toString(locale); + } else if (name.equals(VAL_B64_CERT)) { + X509CertImpl cert = request.getExtDataInCert( + EnrollProfile.REQUEST_ISSUED_CERT); + if (cert == null) + return null; + return CMS.getEncodedCert(cert); + } else { + return null; + } + } + +} diff --git a/base/common/src/com/netscape/cms/profile/output/EnrollOutput.java b/base/common/src/com/netscape/cms/profile/output/EnrollOutput.java new file mode 100644 index 000000000..25a4b4908 --- /dev/null 
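Review bot: The Javadoc on `init` ("Initializes this default policy.") and `populate` ("Populates the request with this policy default.") is copied from the profile default/input classes and does not describe an output plugin: `populate` here is intentionally a no-op and `init` only stores the config store via `super.init`. Suggest `/** Initializes this output plugin with the profile's config store. */` on `init` and `/** No-op: this output only renders the issued certificate and adds nothing to the request. */` on `populate`. The same copied text appears in the other output plugins added by this commit.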
+++ b/base/common/src/com/netscape/cms/profile/output/EnrollOutput.java 
@@ -0,0 +1,134 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.output; + +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileOutput; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements the basic enrollment output. + * + * @version $Revision$, $Date$ + */ +public abstract class EnrollOutput implements IProfileOutput { + private IConfigStore mConfig = null; + private Vector mValueNames = new Vector(); + protected Vector mConfigNames = new Vector(); + + /** + * Initializes this default policy. 
+ */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + mConfig = config; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + public void addValueName(String name) { + mValueNames.addElement(name); + } + + /** + * Populates the request with this policy default. + * + * @param ctx profile context + * @param request request + * @exception EProfileException failed to populate + */ + public abstract void populate(IProfileContext ctx, IRequest request) + throws EProfileException; + + /** + * Retrieves the descriptor of the given value + * parameter by name. + * + * @param locale user locale + * @param name property name + * @return property descriptor + */ + public abstract IDescriptor getValueDescriptor(Locale locale, String name); + + /** + * Retrieves the localizable name of this policy. + * + * @param locale user locale + * @return output policy name + */ + public abstract String getName(Locale locale); + + /** + * Retrieves the localizable description of this policy. + * + * @param locale user locale + * @return output policy description + */ + public abstract String getText(Locale locale); + + /** + * Retrieves a list of names of the value parameter. + */ + public Enumeration getValueNames() { + return mValueNames.elements(); + } + + public String getValue(String name, Locale locale, IRequest request) + throws EProfileException { + return request.getExtDataInString(name); + } + + /** + * Sets the value of the given value parameter by name. 
+ */ + public void setValue(String name, Locale locale, IRequest request, + String value) throws EPropertyException { + request.setExtData(name, value); + } + + public Enumeration getConfigNames() { + return mConfigNames.elements(); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + return null; + } + + public void setConfig(String name, String value) + throws EPropertyException { + } + + public String getConfig(String name) { + return null; + } + + public String getDefaultConfig(String name) { + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/output/PKCS7Output.java b/base/common/src/com/netscape/cms/profile/output/PKCS7Output.java new file mode 100644 index 000000000..0e01e15dd --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/output/PKCS7Output.java 
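Review bot: `setValue` writes `request.setExtData(name, value)` and `getValue` reads `request.getExtDataInString(name)` for whatever `name` is passed, with no check against the names registered through `addValueName`, so a caller can reach any request attribute through an output plugin rather than only its declared values. Whether callers ever pass an unregistered name is not visible here, but a guard such as `if (!mValueNames.contains(name)) throw new EPropertyException("unknown output value " + name);` (assuming the string constructor used for `EProfileException` elsewhere in this commit also exists on `EPropertyException`) keeps the plugin's surface to its declared values. The raw `Vector`/`Enumeration` declarations should also be `Vector<String>`/`Enumeration<String>`, which the `addValueName(String)` signature already implies.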
@@ -0,0 +1,158 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.output; + +import java.io.ByteArrayOutputStream; +import java.security.cert.X509Certificate; +import java.util.Locale; + +import netscape.security.pkcs.ContentInfo; +import netscape.security.pkcs.PKCS7; +import netscape.security.pkcs.SignerInfo; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CertificateChain; +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.ICertPrettyPrint; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileOutput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the output plugin that outputs + * PKCS7 for the issued certificate. 
+ * + * @version $Revision$, $Date$ + */ +public class PKCS7Output extends EnrollOutput implements IProfileOutput { + + public static final String VAL_PRETTY_CERT = "pretty_cert"; + public static final String VAL_PKCS7 = "pkcs7"; + + public PKCS7Output() { + addValueName(VAL_PRETTY_CERT); + addValueName(VAL_PKCS7); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_OUTPUT_CERT_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_OUTPUT_CERT_TEXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. 
+ */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_PRETTY_CERT)) { + return new Descriptor(IDescriptor.PRETTY_PRINT, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_OUTPUT_CERT_PP")); + } else if (name.equals(VAL_PKCS7)) { + return new Descriptor(IDescriptor.PRETTY_PRINT, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_OUTPUT_PKCS7_B64")); + } + return null; + } + + public String getValue(String name, Locale locale, IRequest request) + throws EProfileException { + if (name.equals(VAL_PRETTY_CERT)) { + X509CertImpl cert = request.getExtDataInCert( + EnrollProfile.REQUEST_ISSUED_CERT); + if (cert == null) + return null; + ICertPrettyPrint prettyCert = CMS.getCertPrettyPrint(cert); + + return prettyCert.toString(locale); + } else if (name.equals(VAL_PKCS7)) { + + try { + X509CertImpl cert = request.getExtDataInCert( + EnrollProfile.REQUEST_ISSUED_CERT); + if (cert == null) + return null; + + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem("ca"); + CertificateChain cachain = ca.getCACertChain(); + X509Certificate[] cacerts = cachain.getChain(); + + X509CertImpl[] userChain = new X509CertImpl[cacerts.length + 1]; + int m = 1, n = 0; + + for (; n < cacerts.length; m++, n++) { + userChain[m] = (X509CertImpl) cacerts[n]; + } + + userChain[0] = cert; + PKCS7 p7 = new PKCS7(new AlgorithmId[0], + new ContentInfo(new byte[0]), + userChain, + new SignerInfo[0]); + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + + p7.encodeSignedData(bos); + byte[] p7Bytes = bos.toByteArray(); + String p7Str = CMS.BtoA(p7Bytes); + + return p7Str; + } catch (Exception e) { + return ""; + } + } else { + return null; + } + } + +} diff --git a/base/common/src/com/netscape/cms/profile/output/nsNKeyOutput.java b/base/common/src/com/netscape/cms/profile/output/nsNKeyOutput.java new file mode 100644 index 000000000..6bf03f436 --- /dev/null 
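Review bot: The `catch (Exception e) { return ""; }` in `getValue` silently turns any failure while assembling the PKCS#7 (CA chain lookup, the `(X509CertImpl)` casts, `encodeSignedData`) into an empty string, which the caller cannot distinguish from a legitimately empty output and which differs from the `null` the same method returns when the certificate is absent. Record the cause before returning, e.g. `CMS.debug("PKCS7Output: failed to build PKCS7 for request " + request.getRequestId() + ": " + e);`, and consider returning `null` for consistency with `CMMFOutput` if callers treat the two the same. The hand-written `m`/`n` index loop that shifts the CA chain by one would be clearer with a comment such as `// leaf certificate first, then the CA chain` making the intended certificate order explicit.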
+++ b/base/common/src/com/netscape/cms/profile/output/nsNKeyOutput.java 
@@ -0,0 +1,110 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.output; + +import java.util.Locale; + +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileOutput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the output plugin that outputs + * DER for the issued certificate for token keys + * + * @version $Revision$, $Date$ + */ +public class nsNKeyOutput extends EnrollOutput implements IProfileOutput { + + public static final String VAL_DER = "der"; + + public nsNKeyOutput() { + addValueName(VAL_DER); + } + + /** + * Initializes this default policy. 
+ */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_OUTPUT_CERT_TOKENKEY_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_OUTPUT_CERT_TOKENKEY_TEXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_DER)) { + return new Descriptor("der_b64", null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_OUTPUT_DER_B64")); + } + return null; + } + + public String getValue(String name, Locale locale, IRequest request) + throws EProfileException { + if (name.equals(VAL_DER)) { + + try { + X509CertImpl cert = request.getExtDataInCert( + EnrollProfile.REQUEST_ISSUED_CERT); + if (cert == null) + return null; + return CMS.BtoA(cert.getEncoded()); + } catch (Exception e) { + return ""; + } + } else { + return null; + } + } + +} diff --git a/base/common/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/common/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java new file mode 100644 index 000000000..52c87113d --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java 
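Review bot: The class Javadoc says the plugin "outputs DER for the issued certificate", but `getValue` returns `CMS.BtoA(cert.getEncoded())`, i.e. base64 text of the DER encoding; the descriptor syntax literal `"der_b64"` matches the code, so the comment should read `* base64-encoded DER for the issued certificate for token keys`. As in the other output plugins of this commit, the `catch (Exception e) { return ""; }` hides an encoding failure from the log; add `CMS.debug("nsNKeyOutput: encoding failed for request " + request.getRequestId() + ": " + e);` before the return. `"der_b64"` is also the only descriptor syntax in these plugins not taken from an `IDescriptor` constant, which may be intentional but deserves a one-line comment.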
@@ -0,0 +1,321 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.updater; + +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPException; +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IEnrollProfile; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileUpdater; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.RequestStatus; +import com.netscape.certsrv.usrgrp.IGroup; +import com.netscape.certsrv.usrgrp.IUGSubsystem; +import com.netscape.certsrv.usrgrp.IUser; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This updater class will create the new user to the subsystem group and + * then add the subsystem certificate to 
the user. + * + * @version $Revision$, $Date$ + */ +public class SubsystemGroupUpdater implements IProfileUpdater { + + private IProfile mProfile = null; + private EnrollProfile mEnrollProfile = null; + private IConfigStore mConfig = null; + private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + private Vector mConfigNames = new Vector(); + private Vector mValueNames = new Vector(); + + private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE = + "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3"; + private final static String SIGNED_AUDIT_PASSWORD_VALUE = "********"; + private final static String SIGNED_AUDIT_EMPTY_NAME_VALUE_PAIR = "Unknown"; + private final static String SIGNED_AUDIT_NAME_VALUE_DELIMITER = ";;"; + private final static String SIGNED_AUDIT_NAME_VALUE_PAIRS_DELIMITER = "+"; + + public SubsystemGroupUpdater() { + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + mConfig = config; + mProfile = profile; + mEnrollProfile = (EnrollProfile) profile; + } + + public Enumeration getConfigNames() { + return mConfigNames.elements(); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + return null; + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (mConfig.getSubStore("params") == null) { + // + } else { + mConfig.getSubStore("params").putString(name, value); + } + } + + public String getConfig(String name) { + try { + if (mConfig == null) { + return null; + } + if (mConfig.getSubStore("params") != null) { + return mConfig.getSubStore("params").getString(name); + } + } catch (EBaseException e) { + } + return ""; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + public void update(IRequest req, RequestStatus status) + throws EProfileException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + CMS.debug("SubsystemGroupUpdater update starts"); + if (status != req.getRequestStatus()) { + return; + } 
+ + X509CertImpl cert = req.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); + if (cert == null) + return; + + IConfigStore mainConfig = CMS.getConfigStore(); + + int num = 0; + try { + num = mainConfig.getInteger("subsystem.count", 0); + } catch (Exception e) { + } + + IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); + + String requestor_name = "subsystem"; + try { + requestor_name = req.getExtDataInString("requestor_name"); + } catch (Exception e1) { + // ignore + } + + // i.e. tps-1.2.3.4-4 + String id = requestor_name; + + num++; + mainConfig.putInteger("subsystem.count", num); + + try { + mainConfig.commit(false); + } catch (Exception e) { + } + String auditParams = "Scope;;users+Operation;;OP_ADD+source;;SubsystemGroupUpdater" + + "+Resource;;" + id + + "+fullname;;" + id + + "+state;;1" + + "+userType;;agentType+email;;+password;;+phone;;"; + + IUser user = null; + CMS.debug("SubsystemGroupUpdater adduser"); + try { + user = system.createUser(id); + user.setFullName(id); + user.setEmail(""); + user.setPassword(""); + user.setUserType("agentType"); + user.setState("1"); + user.setPhone(""); + X509CertImpl[] certs = new X509CertImpl[1]; + certs[0] = cert; + user.setX509Certificates(certs); + + system.addUser(user); + CMS.debug("SubsystemGroupUpdater update: successfully add the user"); + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams); + audit(auditMessage); + + String b64 = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + try { + byte[] certEncoded = cert.getEncoded(); + b64 = CMS.BtoA(certEncoded).trim(); + + // extract all line separators + StringBuffer sb = new StringBuffer(); + for (int i = 0; i < b64.length(); i++) { + if (!Character.isWhitespace(b64.charAt(i))) { + sb.append(b64.charAt(i)); + } + } + b64 = sb.toString(); + } catch (Exception ence) { + CMS.debug("SubsystemGroupUpdater update: user cert encoding failed: " + ence); + } + + auditParams = 
"Scope;;certs+Operation;;OP_ADD+source;;SubsystemGroupUpdater" + + "+Resource;;" + id + + "+cert;;" + b64; + + system.addUserCert(user); + CMS.debug("SubsystemGroupUpdater update: successfully add the user certificate"); + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams); + audit(auditMessage); + } catch (LDAPException e) { + CMS.debug("UpdateSubsystemGroup: update " + e.toString()); + if (e.getLDAPResultCode() != LDAPException.ENTRY_ALREADY_EXISTS) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams); + audit(auditMessage); + throw new EProfileException(e.toString()); + } + } catch (Exception e) { + CMS.debug("UpdateSubsystemGroup: update addUser " + e.toString()); + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams); + audit(auditMessage); + throw new EProfileException(e.toString()); + } + + IGroup group = null; + String groupName = "Subsystem Group"; + auditParams = "Scope;;groups+Operation;;OP_MODIFY+source;;SubsystemGroupUpdater" + + "+Resource;;" + groupName; + + try { + group = system.getGroupFromName(groupName); + + auditParams += "+user;;"; + Enumeration members = group.getMemberNames(); + while (members.hasMoreElements()) { + auditParams += members.nextElement(); + if (members.hasMoreElements()) { + auditParams += ","; + } + } + + if (!group.isMember(id)) { + auditParams += "," + id; + group.addMemberName(id); + system.modifyGroup(group); + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams); + audit(auditMessage); + + CMS.debug("UpdateSubsystemGroup: update: successfully added the user to the group."); + } else { + CMS.debug("UpdateSubsystemGroup: update: user already a member of the group"); + } + } catch (Exception e) { + CMS.debug("UpdateSubsystemGroup update: 
modifyGroup " + e.toString()); + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams); + audit(auditMessage); + } + } + + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_UPDATER_SUBSYSTEM_NAME"); + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_UPDATER_SUBSYSTEM_TEXT"); + } + + private void audit(String msg) { + if (mSignedAuditLogger == null) { + return; + } + + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); + } + + private String auditSubjectID() { + if (mSignedAuditLogger == null) { + return null; + } + + String subjectID = null; + + // Initialize subjectID + SessionContext auditContext = SessionContext.getExistingContext(); + + if (auditContext != null) { + subjectID = (String) + auditContext.get(SessionContext.USER_ID); + + if (subjectID != null) { + subjectID = subjectID.trim(); + } else { + subjectID = ILogger.NONROLEUSER; + } + } else { + subjectID = ILogger.UNIDENTIFIED; + } + return subjectID; + } +} diff --git a/base/common/src/com/netscape/cms/publish/mappers/AVAPattern.java b/base/common/src/com/netscape/cms/publish/mappers/AVAPattern.java new file mode 100644 index 000000000..7f70722d0 --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/mappers/AVAPattern.java 
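Review bot: `update` builds the signed-audit `auditParams` strings by concatenating `id` (taken from the request's `requestor_name` attribute) between the `;;` and `+` delimiters, so if that attribute can be influenced by the enrolling client, a requestor name containing either sequence injects extra name/value pairs into the audit record; the `SIGNED_AUDIT_NAME_VALUE_DELIMITER`/`SIGNED_AUDIT_NAME_VALUE_PAIRS_DELIMITER` constants are declared but never used to check this. A guard before the counter is bumped, `if (id == null || id.indexOf(SIGNED_AUDIT_NAME_VALUE_DELIMITER) >= 0 || id.indexOf(SIGNED_AUDIT_NAME_VALUE_PAIRS_DELIMITER) >= 0) throw new EProfileException("invalid requestor_name");`, closes that and also covers a missing attribute, since the `"subsystem"` default is overwritten by whatever `getExtDataInString` returns (presumably null) and only an exception preserves it. Note also that `subsystem.count` is incremented and committed before `addUser` succeeds, so a failed or duplicate add still consumes a number, and `SIGNED_AUDIT_PASSWORD_VALUE` is unused while the audit string records `password;;` with an empty value.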
@@ -0,0 +1,594 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +// package statement // +/////////////////////// + +package com.netscape.cms.publish.mappers; + +/////////////////////// +// import statements // +/////////////////////// + +/* cert server imports */ +import java.io.IOException; +import java.io.PushbackReader; +import java.io.StringReader; +import java.util.Enumeration; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.ldap.LDAPDN; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.Extension; +import netscape.security.x509.GeneralName; +import netscape.security.x509.GeneralNameInterface; +import netscape.security.x509.GeneralNames; +import netscape.security.x509.LdapV3DNStrConverter; +import netscape.security.x509.OIDMap; +import netscape.security.x509.SubjectAlternativeNameExtension; +import netscape.security.x509.X500Name; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.publish.ECompSyntaxErr; +import com.netscape.certsrv.request.IRequest; + +////////////////////// +// class definition // +////////////////////// + +/** + * avaPattern is a string representing an ldap + * 
attribute formulated from the certificate + * subject name, extension or request attributes. + *

+ * + * The syntax is + * + *

+ *     avaPattern := constant-value | 
+ *                   "$subj" "." attrName [ "." attrNumber ] | 
+ *                   "$req" "." [ prefix .] attrName [ "." attrNumber ] | 
+ *                   "$ext" "." extName [ "." nameType ] [ "." attrNumber ]
+ * 
+ * + *
+ * Example: $ext.SubjectAlternativeName.RFC822Name.1
+ * cert subjectAltName is rfc822Name: jjames@mcom.com
+ * 

+ * The ldap attribute formulated will be :
+ * jjames@mcom.com + *

+ * The first rfc822name value in the subjAltName extension.
+ *

+ *

+ * + * If a request attribute or subject DN component does not exist, the attribute is skipped. + * + * @version $Revision$, $Date$ + */ +class AVAPattern { + //////////////// + // parameters // + //////////////// + + /* the value type of the dn component */ + public static final String TYPE_REQ = "$req"; + public static final String TYPE_SUBJ = "$subj"; + public static final String TYPE_EXT = "$ext"; + public static final String TYPE_CONSTANT = "constant"; + + public static final String[] GENERAL_NAME_TYPE = { "ANY", + "RFC822Name", + "DNSName", + "X400Name", + "DIRECTORYName", + "EDIName", + "URIName", + "IPAddress", + "OIDName" }; + + private static final char[] endChars = new char[] { '+', ',' }; + + private static final LdapV3DNStrConverter mLdapDNStrConverter = + new LdapV3DNStrConverter(); + + /* the list of request attributes needed by this AVA */ + protected String[] mReqAttrs = null; + + /* the list of cert attributes needed by this AVA*/ + protected String[] mCertAttrs = null; + + /* value type */ + protected String mType = null; + + /* value - could be name of a request attribute or + * cert subject attribute or extension name. + */ + protected String mValue = null; + + /* value type - general name type of an + * extension attribute if any. + */ + protected String mGNType = null; + + /* prefix - prefix of a request attribute if any. 
*/ + protected String mPrefix = null; + + /* nth value of the ldap or dn attribute */ + protected int mElement = 0; + + protected String mTestDN = null; + + ///////////// + // methods // + ///////////// + + public AVAPattern(String component) + throws ELdapException { + if (component == null || component.length() == 0) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", component)); + } + + parse(new PushbackReader(new StringReader(component))); + } + + public AVAPattern(PushbackReader in) + throws ELdapException { + parse(in); + } + + private void parse(PushbackReader in) + throws ELdapException { + int c; + + // skip spaces + //System.out.println("============ AVAPattern Begin ==========="); + //System.out.println("skip spaces"); + + try { + while ((c = in.read()) == ' ' || c == '\t') {//System.out.println("spaces read "+(char)c); + ; + } + } catch (IOException e) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank")); + } + + if (c == -1) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank")); + } + + if (c == '$') { + // check for $subj $ext or $req + try { + c = in.read(); + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + + if (c == -1) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "expecting $subj $ext or $req in ava pattern")); + } + + if (c == 'r') { + try { + if (in.read() != 'e' || + in.read() != 'q' || + in.read() != '.') { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "expecting $req in ava pattern")); + } + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + + mType = TYPE_REQ; + //System.out.println("---- mtype $req"); + } else if (c == 's') { + try { + if (in.read() != 'u' || + in.read() != 'b' || 
+ in.read() != 'j' || + in.read() != '.') { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "expecting $subj in ava pattern")); + } + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + + mType = TYPE_SUBJ; + //System.out.println("----- mtype $subj"); + } else if (c == 'e') { + try { + if (in.read() != 'x' || + in.read() != 't' || + in.read() != '.') { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "expecting $ext in ava pattern")); + } + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + + mType = TYPE_EXT; + //System.out.println("----- mtype $ext"); + } else { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "unknown keyword. expecting $subj $ext or $req.")); + } + + // get request attribute or + // cert subject or + // extension attribute + + StringBuffer valueBuf = new StringBuffer(); + + try { + while ((c = in.read()) != ',' && + c != -1 && c != '.' && c != '+') { + //System.out.println("mValue read "+(char)c); + valueBuf.append((char) c); + } + + if (c == '+' || c == ',') { // either ',' or '+' + in.unread(c); // pushback last , or + + } + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + + mValue = valueBuf.toString().trim(); + if (mValue.length() == 0) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "$subj $ext or $req attribute name expected")); + } + //System.out.println("----- mValue "+mValue); + + // get nth dn xxx not nth request attribute . + if (c == '.') { + StringBuffer attrNumberBuf = new StringBuffer(); + + try { + while ((c = in.read()) != ',' && c != -1 && c != '.' 
+ && c != '+') { + //System.out.println("mElement read "+(char)c); + attrNumberBuf.append((char) c); + } + + if (c == ',' || c == '+') { // either ',' or '+' + in.unread(c); // pushback last , or + + } + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + + String attrNumber = attrNumberBuf.toString().trim(); + + if (attrNumber.length() == 0) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "nth element $req $ext or $subj expected")); + } + + try { + mElement = Integer.parseInt(attrNumber) - 1; + } catch (NumberFormatException e) { + + if (TYPE_REQ.equals(mType)) { + mPrefix = mValue; + mValue = attrNumber; + } else if (TYPE_EXT.equals(mType)) { + mGNType = attrNumber; + } else { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Invalid format in nth element " + + "$req $ext or $subj")); + } + + // get nth request attribute . + if (c == '.') { + StringBuffer attrNumberBuf1 = new StringBuffer(); + + try { + while ((c = in.read()) != ',' && + c != -1 && c != '+') { + //System.out.println("mElement read "+ + // (char)c); + attrNumberBuf1.append((char) c); + } + + if (c != -1) { // either ',' or '+' + in.unread(c); // pushback last , or + + } + } catch (IOException ex) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", ex.toString())); + } + + String attrNumber1 = + attrNumberBuf1.toString().trim(); + + if (attrNumber1.length() == 0) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "nth element $req or $ext expected")); + } + + try { + mElement = Integer.parseInt(attrNumber1) - 1; + } catch (NumberFormatException ex) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Invalid format in nth element " + + "$req or $ext.")); + } + } + } + } + //System.out.println("----- mElement "+mElement); + } else { + // value is 
constant. treat as regular ava. + mType = TYPE_CONSTANT; + + // parse ava value. + StringBuffer valueBuf = new StringBuffer(); + + valueBuf.append((char) c); + + // read forward to get attribute value + try { + while ((c = in.read()) != ',' && c != -1) { + valueBuf.append((char) c); + } + + if (c == '+' || c == ',') { // either ',' or '+' + in.unread(c); // pushback last , or + + } + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + + mValue = valueBuf.toString().trim(); + + /* try { + * AVA ava = mLdapDNStrConverter.parseAVA( + * valueBuf.toString()); + * mValue = ava.toLdapDNString(); + * //System.out.println("----- mValue "+mValue); + * } catch (IOException e) { + * throw new ECompSyntaxErr(e.toString()); + * } + */ + } + } + + public String formAVA(IRequest req, + X500Name subject, + CertificateExtensions extensions) + throws ELdapException { + if (TYPE_CONSTANT.equals(mType)) { + return mValue; + } + + if (TYPE_SUBJ.equals(mType)) { + String dn = subject.toString(); + + if (mTestDN != null) { + dn = mTestDN; + } + + //System.out.println("AVAPattern Using dn "+mTestDN); + String[] rdns = LDAPDN.explodeDN(dn, false); + + String value = null; + + int nFound = -1; + + for (int i = 0; i < rdns.length; i++) { + String[] avas = explodeRDN(rdns[i]); + + for (int j = 0; j < avas.length; j++) { + String[] exploded = explodeAVA(avas[j]); + + if (exploded[0].equalsIgnoreCase(mValue) && + ++nFound == mElement) { + value = exploded[1]; + break; + } + } + } + + if (value == null) { + return null; + } + + return value; + } + + if (TYPE_EXT.equals(mType)) { + + if (extensions != null) { + + for (int i = 0; i < extensions.size(); i++) { + Extension ext = (Extension) + extensions.elementAt(i); + + String extName = + OIDMap.getName(ext.getExtensionId()); + + int index = extName.lastIndexOf("."); + + if (index != -1) { + extName = extName.substring(index + 1); + } + + if (extName.equals(mValue)) { + // Check 
the extensions one by one. + // For now, just give subjectAltName + // as an example. + if (mValue.equalsIgnoreCase( + SubjectAlternativeNameExtension.NAME)) { + try { + GeneralNames subjectNames = (GeneralNames) + ((SubjectAlternativeNameExtension) + ext).get( + SubjectAlternativeNameExtension.SUBJECT_NAME); + + if (subjectNames.size() == 0) { + break; + } + + int j = 0; + + for (Enumeration n = + subjectNames.elements(); n.hasMoreElements();) { + + GeneralName gn = (GeneralName) + n.nextElement(); + + String gname = gn.toString(); + + index = gname.indexOf(":"); + + if (index == -1) { + break; + } + + String gType = + gname.substring(0, index); + + if (mGNType != null) { + if (mGNType.equalsIgnoreCase(gType)) { + if (mElement == j) { + gname = + gname.substring(index + 2); + return gname; + } else { + j++; + } + } + } else { + if (mElement == j) { + gname = + gname.substring(index + 2); + return gname; + } + j++; + } + } + } catch (IOException e) { + CMS.debug( + "AVAPattern: Publishing attr not formed " + + "from extension " + + "-- no attr : " + + mValue); + } + } + } + } + } + + CMS.debug( + "AVAPattern: Publishing:attr not formed " + + "from extension " + + "-- no attr : " + + mValue); + + return null; + } + + if (TYPE_REQ.equals(mType)) { + // mPrefix and mValue are looked up case-insensitive + String reqAttr = req.getExtDataInString(mPrefix, mValue); + if (reqAttr == null) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_NO_REQUEST", mValue, "")); + } + + return reqAttr; + } + + return null; + } + + public String getReqAttr() { + if (TYPE_REQ.equals(mType)) { + return mValue; + } else { + return null; + } + } + + public String getCertAttr() { + if (TYPE_SUBJ.equals(mType)) { + return mValue; + } else { + return null; + } + } + + /** + * Explode RDN into AVAs. + * Does not handle escaped '+' + * Java ldap library does not yet support multiple avas per rdn. + * If RDN is malformed returns empty array. 
+ */ + public static String[] explodeRDN(String rdn) { + int plus = rdn.indexOf('+'); + + if (plus == -1) { + return new String[] { rdn }; + } + + Vector avas = new Vector(); + + StringTokenizer token = new StringTokenizer(rdn, "+"); + + while (token.hasMoreTokens()) { + avas.addElement(token.nextToken()); + } + + String[] theAvas = new String[avas.size()]; + + avas.copyInto(theAvas); + + return theAvas; + } + + /** + * Explode AVA into name and value. + * Does not handle escaped '=' + * If AVA is malformed empty array is returned. + */ + public static String[] explodeAVA(String ava) { + int equals = ava.indexOf('='); + + if (equals == -1) { + return null; + } + + return new String[] { ava.substring(0, equals).trim(), + ava.substring(equals + 1).trim() }; + } +} diff --git a/base/common/src/com/netscape/cms/publish/mappers/LdapCaSimpleMap.java b/base/common/src/com/netscape/cms/publish/mappers/LdapCaSimpleMap.java new file mode 100644 index 000000000..bbf641540 --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/mappers/LdapCaSimpleMap.java 
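Review bot: `explodeAVA` returns `null` for a malformed AVA while its Javadoc promises an empty array, and the `$subj` branch of `formAVA` dereferences the result (`exploded[0].equalsIgnoreCase(mValue)`) without a null check, so an RDN fragment without `=` — for example one produced by an escaped `+` in a subject value, which `explodeRDN` documents it does not handle — throws a NullPointerException out of the mapper instead of being skipped. Add `if (exploded == null) continue;` after `String[] exploded = explodeAVA(avas[j]);` and change the Javadoc to `If AVA is malformed null is returned.`. The `explodeRDN` Javadoc has the same mismatch: it says an empty array is returned for a malformed RDN, but no branch does so. In the `$ext` branch, `OIDMap.getName(ext.getExtensionId())` is used without a null check; if it can return null for an unregistered OID (not visible here), `extName.lastIndexOf` would fail the same way.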
@@ -0,0 +1,372 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.mappers; + +import java.io.IOException; +import java.security.cert.X509Certificate; +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPAttributeSet; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; +import netscape.ldap.LDAPv3; +import netscape.ldap.util.DN; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CRLImpl; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.ldap.ELdapServerDownException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapMapper; +import com.netscape.certsrv.request.IRequest; + +/** + * Maps 
a request to an entry in the LDAP server. + * Takes a dnPattern to form the baseDN from the request attributes + * and certificate subject name.Do a base search for the entry + * in the directory to publish the cert or crl. + * The restriction of this mapper is that the ldap dn components must + * be part of certificate subject name or request attributes or constant. + * + * @version $Revision$, $Date$ + */ +public class LdapCaSimpleMap implements ILdapMapper, IExtendedPluginInfo { + protected static final String PROP_DNPATTERN = "dnPattern"; + protected static final String PROP_CREATECA = "createCAEntry"; + protected String mDnPattern = null; + protected boolean mCreateCAEntry = true; + + private ILogger mLogger = CMS.getLogger(); + private boolean mInited = false; + protected IConfigStore mConfig = null; + + /* the subject DN pattern */ + protected MapDNPattern mPattern = null; + + /* the list of request attriubutes to retrieve*/ + protected String[] mReqAttrs = null; + + /* the list of cert attriubutes to retrieve*/ + protected String[] mCertAttrs = null; + + /* default dn pattern if left blank or not set in the config */ + public static final String DEFAULT_DNPATTERN = + "UID=$req.HTTP_PARAMS.UID, OU=people, O=$subj.o, C=$subj.c"; + + /** + * Constructor. + * + * @param dnPattern The base DN. + */ + public LdapCaSimpleMap(String dnPattern) { + try { + init(dnPattern); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + } + + } + + /** + * constructor if initializing from config store. + */ + public LdapCaSimpleMap() { + } + + public String[] getExtendedPluginInfo(Locale locale) { + String params[] = { + "dnPattern;string;Describes how to form the Ldap Subject name in" + + " the directory. Example 1: 'uid=CertMgr, o=Fedora'. Example 2:" + + " 'uid=$req.HTTP_PARAMS.uid, E=$ext.SubjectAlternativeName.RFC822Name, ou=$subj.ou'. " + + "$req means: take the attribute from the request. 
" + + "$subj means: take the attribute from the certificate subject name. " + + "$ext means: take the attribute from the certificate extension", + "createCAEntry;boolean;If checked, CA entry will be created automatically", + IExtendedPluginInfo.HELP_TOKEN + ";configuration-ldappublish-mapper-casimplemapper", + IExtendedPluginInfo.HELP_TEXT + ";Describes how to form the LDAP DN of the entry to publish to" + }; + + return params; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + /** + * for initializing from config store. + */ + public void init(IConfigStore config) + throws EBaseException { + mConfig = config; + String dnPattern = mConfig.getString(PROP_DNPATTERN); + + mCreateCAEntry = mConfig.getBoolean(PROP_CREATECA, true); + init(dnPattern); + } + + /** + * common initialization routine. + */ + protected void init(String dnPattern) + throws EBaseException { + if (mInited) + return; + + mDnPattern = dnPattern; + if (mDnPattern == null || mDnPattern.length() == 0) + mDnPattern = DEFAULT_DNPATTERN; + try { + mPattern = new MapDNPattern(mDnPattern); + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_DN_PATTERN_INIT", dnPattern, e.toString())); + throw new EBaseException("falied to init with pattern " + + dnPattern + " " + e); + } + + mInited = true; + } + + /** + * Maps a X500 subject name to LDAP entry. + * Uses DN pattern to form a DN for a LDAP base search. + * + * @param conn the LDAP connection. + * @param obj the object to map. + * @exception ELdapException if any LDAP exceptions occured. + */ + public String map(LDAPConnection conn, Object obj) + throws ELdapException { + return map(conn, null, obj); + } + + /** + * Maps a X500 subject name to LDAP entry. + * Uses DN pattern to form a DN for a LDAP base search. + * + * @param conn the LDAP connection. + * @param req the request to map. + * @param obj the object to map. + * @exception ELdapException if any LDAP exceptions occured. 
+ */ + public String map(LDAPConnection conn, IRequest req, Object obj) + throws ELdapException { + if (conn == null) + return null; + String dn = null; + + try { + dn = formDN(req, obj); + if (dn == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_DN_NOT_FORMED")); + String s1 = ""; + + if (req != null) + s1 = req.getRequestId().toString(); + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_NO_DN_MATCH", s1)); + } + int scope = LDAPv2.SCOPE_BASE; + String filter = "(objectclass=*)"; + + // search for entry + String[] attrs = new String[] { LDAPv3.NO_ATTRS }; + + log(ILogger.LL_INFO, "searching for dn: " + dn + " filter:" + + filter + " scope: base"); + + LDAPSearchResults results = + conn.search(dn, scope, filter, attrs, false); + LDAPEntry entry = results.next(); + + if (results.hasMoreElements()) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_MORE_THAN_ONE_ENTRY", dn, + ((req == null) ? "" : req.getRequestId().toString()))); + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_MORE_THAN_ONE_ENTRY", + ((req == null) ? "" : req.getRequestId().toString()))); + } + if (entry != null) + return entry.getDN(); + else { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_ENTRY_NOT_FOUND", dn, + ((req == null) ? "" : req.getRequestId().toString()))); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_NO_MATCH_FOUND", + "null entry")); + } + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. 
+ log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else if (e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT && mCreateCAEntry) { + try { + createCAEntry(conn, dn); + log(ILogger.LL_INFO, "CA Entry " + dn + " Created"); + return dn; + } catch (LDAPException e1) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_DN_MAP_EXCEPTION", dn, e1.toString())); + if (e1.getLDAPResultCode() == LDAPException.CONSTRAINT_VIOLATION) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CA_ENTRY_NOT_CREATED")); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CA_ENTRY_NOT_CREATED1")); + } + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_CREATE_CA_FAILED", dn)); + } + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_DN_MAP_EXCEPTION", dn, e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_NO_MATCH_FOUND", e.toString())); + } + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_EXCEPTION_CAUGHT", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_NO_MATCH_FOUND", e.toString())); + } + } + + private void createCAEntry(LDAPConnection conn, String dn) + throws LDAPException { + LDAPAttributeSet attrs = new LDAPAttributeSet(); + // OID 2.5.6.16 + String caOc[] = new String[] { "top", + "person", + "organizationalPerson", + "inetOrgPerson" }; + + DN dnobj = new DN(dn); + String attrval[] = dnobj.explodeDN(true); + + attrs.add(new LDAPAttribute("cn", attrval[0])); + attrs.add(new LDAPAttribute("sn", attrval[0])); + attrs.add(new LDAPAttribute("objectclass", caOc)); + LDAPEntry entry = new LDAPEntry(dn, attrs); + + conn.add(entry); + } + + /** + * form a dn from component in the request and cert subject name + * + * @param req The request + * @param obj The certificate or crl + */ + private String formDN(IRequest req, 
Object obj) throws EBaseException { + X500Name subjectDN = null; + CertificateExtensions certExt = null; + + try { + X509Certificate cert = (X509Certificate) obj; + + subjectDN = + (X500Name) ((X509Certificate) cert).getSubjectDN(); + + CMS.debug("LdapCaSimpleMap: cert subject dn:" + subjectDN.toString()); + X509CertInfo info = (X509CertInfo) + ((X509CertImpl) cert).get( + X509CertImpl.NAME + "." + X509CertImpl.INFO); + + certExt = (CertificateExtensions) info.get( + CertificateExtensions.NAME); + } catch (java.security.cert.CertificateParsingException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CANT_GET_EXT", e.toString())); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CANT_GET_EXT", e.toString())); + } catch (java.security.cert.CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CANT_GET_EXT", e.toString())); + } catch (ClassCastException e) { + try { + X509CRLImpl crl = (X509CRLImpl) obj; + + subjectDN = + (X500Name) ((X509CRLImpl) crl).getIssuerDN(); + + CMS.debug("LdapCaSimpleMap: crl issuer dn: " + + subjectDN.toString()); + } catch (ClassCastException ex) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_PUBLISH_OBJ_NOT_SUPPORTED", + ((req == null) ? "" : req.getRequestId().toString()))); + return null; + } + } + try { + String dn = mPattern.formDN(req, subjectDN, certExt); + + return dn; + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_CANT_FORM_DN", + ((req == null) ? "" : req.getRequestId().toString()), e.toString())); + throw new EBaseException("falied to form dn for request: " + + ((req == null) ? 
"" : req.getRequestId().toString()) + " " + e); + } + } + + public String getImplName() { + return "LdapCaSimpleMap"; + } + + public String getDescription() { + return "LdapCaSimpleMap"; + } + + public Vector getDefaultParams() { + Vector v = new Vector(); + + v.addElement(PROP_DNPATTERN + "="); + v.addElement(PROP_CREATECA + "=true"); + return v; + } + + public Vector getInstanceParams() { + Vector v = new Vector(); + + try { + if (mDnPattern == null) { + v.addElement(PROP_DNPATTERN + "="); + } else { + v.addElement(PROP_DNPATTERN + "=" + + mConfig.getString(PROP_DNPATTERN)); + } + v.addElement(PROP_CREATECA + "=" + mConfig.getBoolean(PROP_CREATECA, true)); + } catch (Exception e) { + } + return v; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level, + "LdapCaSimpleMapper: " + msg); + } + +} diff --git a/base/common/src/com/netscape/cms/publish/mappers/LdapCertCompsMap.java b/base/common/src/com/netscape/cms/publish/mappers/LdapCertCompsMap.java new file mode 100644 index 000000000..2373e3c66 --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/mappers/LdapCertCompsMap.java 
@@ -0,0 +1,178 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.mappers; + +import java.security.cert.CRLException; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; +import java.util.Vector; + +import netscape.ldap.LDAPConnection; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CRLImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapMapper; +import com.netscape.certsrv.request.IRequest; + +/** + * Maps a X509 certificate to a LDAP entry using AVAs in the certificate's + * subject name to form the ldap search dn and filter. + * Takes a optional root search dn. + * The DN comps are used to form a LDAP entry to begin a subtree search. + * The filter comps are used to form a search filter for the subtree. + * If none of the DN comps matched, baseDN is used for the subtree. + * If the baseDN is null and none of the DN comps matched, it is an error. + * If none of the DN comps and filter comps matched, it is an error. 
+ * If just the filter comps is null, a base search is performed. + * + * @version $Revision$, $Date$ + */ +public class LdapCertCompsMap + extends LdapDNCompsMap implements ILdapMapper { + ILogger mLogger = CMS.getLogger(); + + public LdapCertCompsMap() { + // need to support baseDN, dnComps, and filterComps + // via configuration + } + + /** + * Constructor. + * + * The DN comps are used to form a LDAP entry to begin a subtree search. + * The filter comps are used to form a search filter for the subtree. + * If none of the DN comps matched, baseDN is used for the subtree. + * If the baseDN is null and none of the DN comps matched, it is an error. + * If none of the DN comps and filter comps matched, it is an error. + * If just the filter comps is null, a base search is performed. + * + * @param baseDN The base DN. + * @param dnComps Components to form the LDAP base dn for search. + * @param filterComps Components to form the LDAP search filter. + */ + public LdapCertCompsMap(String baseDN, ObjectIdentifier[] dnComps, + ObjectIdentifier[] filterComps) { + init(baseDN, dnComps, filterComps); + } + + public String getImplName() { + return "LdapCertCompsMap"; + } + + public String getDescription() { + return "LdapCertCompsMap"; + } + + public Vector getDefaultParams() { + Vector v = super.getDefaultParams(); + + return v; + } + + public Vector getInstanceParams() { + Vector v = super.getInstanceParams(); + + return v; + } + + /** + * constructor using non-standard certificate attribute. + */ + public LdapCertCompsMap(String certAttr, String baseDN, + ObjectIdentifier[] dnComps, + ObjectIdentifier[] filterComps) { + super(certAttr, baseDN, dnComps, filterComps); + } + + protected void init(String baseDN, ObjectIdentifier[] dnComps, + ObjectIdentifier[] filterComps) { + super.init(baseDN, dnComps, filterComps); + } + + /** + * Maps a certificate to LDAP entry. + * Uses DN components and filter components to form a DN and + * filter for a LDAP search. 
+ * If the formed DN is null the baseDN will be used. + * If the formed DN is null and baseDN is null an error is thrown. + * If the filter is null a base search is performed. + * If both are null an error is thrown. + * + * @param conn - the LDAP connection. + * @param obj - the X509Certificate. + */ + public String + map(LDAPConnection conn, Object obj) + throws ELdapException { + if (conn == null) + return null; + try { + X509Certificate cert = (X509Certificate) obj; + String result = null; + // form dn and filter for search. + X500Name subjectDN = + (X500Name) ((X509Certificate) cert).getSubjectDN(); + + CMS.debug("LdapCertCompsMap: " + subjectDN.toString()); + + byte[] certbytes = cert.getEncoded(); + + result = super.map(conn, subjectDN, certbytes); + return result; + } catch (CertificateEncodingException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CANT_DECODE_CERT", e.toString())); + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString())); + } catch (ClassCastException e) { + try { + X509CRLImpl crl = (X509CRLImpl) obj; + String result = null; + X500Name issuerDN = + (X500Name) ((X509CRLImpl) crl).getIssuerDN(); + + CMS.debug("LdapCertCompsMap: " + issuerDN.toString()); + + byte[] crlbytes = crl.getEncoded(); + + result = super.map(conn, issuerDN, crlbytes); + return result; + } catch (CRLException ex) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CANT_DECODE_CRL", ex.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CRL_FAILED", ex.toString())); + } catch (ClassCastException ex) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_NOT_SUPPORTED_OBJECT")); + return null; + } + } + } + + public String map(LDAPConnection conn, IRequest req, Object obj) + throws ELdapException { + return map(conn, obj); + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level, + "LdapCertCompsMap: " + msg); + } + +} 
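Review bot: The `getDefaultParams()`, `getInstanceParams()` and `init(String, ObjectIdentifier[], ObjectIdentifier[])` overrides only forward to `super` and return its result, so they add three methods without changing behaviour and can be deleted. `map(LDAPConnection, IRequest, Object)` silently ignores `req`; a one-line Javadoc such as `/** The request is not consulted; the entry is located from the certificate or CRL alone. */` would make that intentional. The `ILogger mLogger` field has no access modifier and, if `LdapDNCompsMap` declares a field of the same name (not visible here), shadows it; `private` would match the sibling mappers in this commit.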
diff --git a/base/common/src/com/netscape/cms/publish/mappers/LdapCertExactMap.java b/base/common/src/com/netscape/cms/publish/mappers/LdapCertExactMap.java new file mode 100644 index 000000000..11b53a797 --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/mappers/LdapCertExactMap.java 
@@ -0,0 +1,199 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.mappers; + +import java.security.cert.X509Certificate; +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; +import netscape.ldap.LDAPv3; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CRLImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.ldap.ELdapServerDownException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapMapper; +import com.netscape.certsrv.request.IRequest; + +/** + * Maps a X509 certificate to a LDAP entry by using the subject name + * of the certificate as the LDAP entry DN. 
+ * + * @version $Revision$, $Date$ + */ +public class LdapCertExactMap implements ILdapMapper, IExtendedPluginInfo { + private ILogger mLogger = CMS.getLogger(); + protected IConfigStore mConfig = null; + boolean mInited = false; + + /** + * constructs a certificate subject name mapper with search base. + */ + public LdapCertExactMap() { + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + public void init(IConfigStore config) + throws EBaseException { + if (mInited == true) + return; + mConfig = config; + mInited = true; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ldappublish-mapper-certexactmapper", + IExtendedPluginInfo.HELP_TEXT + + ";Literally uses the subject name of the certificate as the DN to publish to" + }; + + return params; + } + + public String getImplName() { + return "LdapCertExactMap"; + } + + public String getDescription() { + return "LdapCertExactMap"; + } + + public Vector getDefaultParams() { + Vector v = new Vector(); + + return v; + } + + public Vector getInstanceParams() { + Vector v = new Vector(); + + return v; + } + + /** + * Finds the entry for the certificate by looking for the cert + * subject name in the subject name attribute. + * + * @param conn - the LDAP connection. + * @param obj - the X509Certificate. 
+ */ + public String + map(LDAPConnection conn, Object obj) + throws ELdapException { + if (conn == null) + return null; + + X500Name subjectDN = null; + + try { + X509Certificate cert = (X509Certificate) obj; + + subjectDN = + (X500Name) ((X509Certificate) cert).getSubjectDN(); + + CMS.debug("LdapCertExactMap: cert subject dn:" + subjectDN.toString()); + } catch (ClassCastException e) { + try { + X509CRLImpl crl = (X509CRLImpl) obj; + + subjectDN = + (X500Name) ((X509CRLImpl) crl).getIssuerDN(); + + CMS.debug("LdapCertExactMap: crl issuer dn: " + + subjectDN.toString()); + } catch (ClassCastException ex) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_NOT_SUPPORTED_OBJECT")); + return null; + } + } + try { + String[] attrs = new String[] { LDAPv3.NO_ATTRS }; + + log(ILogger.LL_INFO, "Searching for " + subjectDN.toString()); + + LDAPSearchResults results = + conn.search(subjectDN.toString(), LDAPv2.SCOPE_BASE, + "(objectclass=*)", attrs, false); + + LDAPEntry entry = results.next(); + + if (results.hasMoreElements()) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_MORE_THAN_ONE_ENTRY", "", subjectDN.toString())); + } + if (entry != null) { + log(ILogger.LL_INFO, "entry found"); + return entry.getDN(); + } + return null; + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. 
+ log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_DN_MAP_EXCEPTION", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_NO_MATCH_FOUND", e.toString())); + } + } + + /* + catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_CANT_GET_SUBJECT", e.toString())); + throw new ELdapException( + LdapResources.GET_CERT_SUBJECT_DN_FAILED, e); + } + catch (CertificateEncodingException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_CANT_DECODE_CERT", e.toString())); + throw new ELdapException( + LdapResources.GET_DER_ENCODED_CERT_FAILED, e); + } + */ + } + + public String map(LDAPConnection conn, IRequest req, Object obj) + throws ELdapException { + return map(conn, obj); + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level, + "LdapCertExactMap: " + msg); + } + +} diff --git a/base/common/src/com/netscape/cms/publish/mappers/LdapCertSubjMap.java b/base/common/src/com/netscape/cms/publish/mappers/LdapCertSubjMap.java new file mode 100644 index 000000000..4d5ff38c8 --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/mappers/LdapCertSubjMap.java 
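Review bot: The commented-out `catch (IOException e)` / `catch (CertificateEncodingException e)` block at the end of `map(LDAPConnection, Object)` is dead code that references `LdapResources`, which this file never imports, and should be deleted rather than carried across the move. With `LDAPv2.SCOPE_BASE` the search can return at most one entry, so the `PUBLISH_MORE_THAN_ONE_ENTRY` branch after `results.next()` appears unreachable, and if ldapjdk's `LDAPSearchResults.next()` throws rather than returning null when the base entry is absent (not verified here) the `entry != null` check is moot as well. The delegating overload `map(LDAPConnection, IRequest, Object)` has no Javadoc; `/** Delegates to {@link #map(LDAPConnection, Object)}; the request is not consulted. */` would do. `getDefaultParams`/`getInstanceParams` return raw `Vector`; `Vector<String>` would document the element type.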
@@ -0,0 +1,343 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.mappers; + +import java.security.cert.X509Certificate; +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; +import netscape.ldap.LDAPv3; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CRLImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.ldap.ELdapServerDownException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapMapper; +import com.netscape.certsrv.request.IRequest; + +/** + * Maps a X509 certificate to a LDAP entry by finding an LDAP entry + * which has an attribute whose contents are equal to the cert subject name. 
+ * + * @version $Revision$, $Date$ + */ +public class LdapCertSubjMap implements ILdapMapper, IExtendedPluginInfo { + public static final String LDAP_CERTSUBJNAME_ATTR = "certSubjectName"; + protected String mSearchBase = null; + protected String mCertSubjNameAttr = LDAP_CERTSUBJNAME_ATTR; + protected boolean mUseAllEntries = false; + + private ILogger mLogger = CMS.getLogger(); + protected IConfigStore mConfig = null; + boolean mInited = false; + + public LdapCertSubjMap() { + // need to setup the mSearchBase via configuration + } + + /** + * constructs a certificate subject name mapper with search base. + * + * @param searchBase the dn to start searching for the certificate + * subject name. + */ + public LdapCertSubjMap(String searchBase) { + if (searchBase == null) + throw new IllegalArgumentException( + "a null argument to constructor " + this.getClass().getName()); + mSearchBase = searchBase; + mInited = true; + } + + /** + * Constructor using non-ES cert map attribute name. + * + * @param searchBase entry to start search. + * @param certSubjNameAttr attribute for certificate subject names. + * @param certAttr attribute to find certificate. 
+ */ + public LdapCertSubjMap(String searchBase, + String certSubjNameAttr, String certAttr) { + if (searchBase == null || + certSubjNameAttr == null || certAttr == null) + throw new IllegalArgumentException( + "a null argument to constructor " + this.getClass().getName()); + mCertSubjNameAttr = certSubjNameAttr; + mSearchBase = searchBase; + mInited = true; + } + + public LdapCertSubjMap(String searchBase, + String certSubjNameAttr, String certAttr, boolean useAllEntries) { + if (searchBase == null || + certSubjNameAttr == null || certAttr == null) + throw new IllegalArgumentException( + "a null argument to constructor " + this.getClass().getName()); + mCertSubjNameAttr = certSubjNameAttr; + mSearchBase = searchBase; + mUseAllEntries = useAllEntries; + mInited = true; + } + + public String getImplName() { + return "LdapCertSubjMap"; + } + + public String getDescription() { + return "LdapCertSubjMap"; + } + + public Vector getDefaultParams() { + Vector v = new Vector(); + + v.addElement("certSubjNameAttr=" + mCertSubjNameAttr); + v.addElement("searchBase="); + v.addElement("useAllEntries=" + mUseAllEntries); + return v; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + "certSubjNameAttr;string;Name of Ldap attribute containing cert subject name", + "searchBase;string;Base DN to search from", + "useAllEntries;boolean;Use all entries for publishing", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ldappublish-mapper-certsubjmapper", + IExtendedPluginInfo.HELP_TEXT + + ";This plugin assumes you want to publish to an LDAP entry which has " + + "an attribute whose contents are equal to the cert subject name" + }; + + return params; + } + + public Vector getInstanceParams() { + Vector v = new Vector(); + + if (mCertSubjNameAttr == null) { + v.addElement("certSubjNameAttr="); + } else { + v.addElement("certSubjNameAttr=" + mCertSubjNameAttr); + } + if (mSearchBase == null) { + v.addElement("searchBase="); + } else { + 
v.addElement("searchBase=" + mSearchBase); + } + v.addElement("useAllEntries=" + mUseAllEntries); + return v; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + public void init(IConfigStore config) + throws EBaseException { + if (mInited == true) + return; + mConfig = config; + mCertSubjNameAttr = config.getString("certSubjNameAttr", + LDAP_CERTSUBJNAME_ATTR); + mSearchBase = config.getString("searchBase"); + mUseAllEntries = config.getBoolean("useAllEntries", false); + mInited = true; + } + + /** + * Finds the entry for the certificate by looking for the cert + * subject name in the subject name attribute. + * + * @param conn - the LDAP connection. + * @param obj - the X509Certificate. + */ + public String + map(LDAPConnection conn, Object obj) + throws ELdapException { + if (conn == null) + return null; + X500Name subjectDN = null; + + try { + X509Certificate cert = (X509Certificate) obj; + + subjectDN = + (X500Name) ((X509Certificate) cert).getSubjectDN(); + + CMS.debug("LdapCertSubjMap: cert subject dn:" + subjectDN.toString()); + } catch (ClassCastException e) { + try { + X509CRLImpl crl = (X509CRLImpl) obj; + + subjectDN = + (X500Name) ((X509CRLImpl) crl).getIssuerDN(); + + CMS.debug("LdapCertSubjMap: crl issuer dn: " + + subjectDN.toString()); + } catch (ClassCastException ex) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_NOT_SUPPORTED_OBJECT")); + return null; + } + } + try { + String[] attrs = new String[] { LDAPv3.NO_ATTRS }; + + log(ILogger.LL_INFO, "search " + mSearchBase + + " (" + mCertSubjNameAttr + "=" + subjectDN + ") " + mCertSubjNameAttr); + + LDAPSearchResults results = + conn.search(mSearchBase, LDAPv2.SCOPE_SUB, + "(" + mCertSubjNameAttr + "=" + subjectDN + ")", attrs, false); + + LDAPEntry entry = results.next(); + + if (results.hasMoreElements()) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_MORE_THAN_ONE_ENTRY", "", subjectDN.toString())); + } + if (entry != null) { + log(ILogger.LL_INFO, "entry 
found"); + return entry.getDN(); + } + return null; + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_DN_MAP_EXCEPTION", "LDAPException", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_NO_MATCH_FOUND", e.toString())); + } + } + + /* + catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_CANT_GET_SUBJECT", e.toString())); + throw new ELdapException( + LdapResources.GET_CERT_SUBJECT_DN_FAILED, e); + } + catch (CertificateEncodingException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_CANT_DECODE_CERT", e.toString())); + throw new ELdapException( + LdapResources.GET_DER_ENCODED_CERT_FAILED, e); + } + */ + } + + public String map(LDAPConnection conn, IRequest req, Object obj) + throws ELdapException { + return map(conn, obj); + } + + public Vector mapAll(LDAPConnection conn, Object obj) + throws ELdapException { + Vector v = new Vector(); + + if (conn == null) + return null; + X500Name subjectDN = null; + + try { + X509Certificate cert = (X509Certificate) obj; + subjectDN = (X500Name) ((X509Certificate) cert).getSubjectDN(); + CMS.debug("LdapCertSubjMap: cert subject dn:" + subjectDN.toString()); + } catch (ClassCastException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_NOT_SUPPORTED_OBJECT")); + return v; + } + try { + String[] attrs = new String[] { LDAPv3.NO_ATTRS }; + + log(ILogger.LL_INFO, "search " + mSearchBase + + " (" + mCertSubjNameAttr + "=" + subjectDN + ") " + mCertSubjNameAttr); + + LDAPSearchResults results = + conn.search(mSearchBase, LDAPv2.SCOPE_SUB, + "(" + 
mCertSubjNameAttr + "=" + subjectDN + ")", attrs, false); + + while (results.hasMoreElements()) { + LDAPEntry entry = results.next(); + String dn = entry.getDN(); + v.addElement(dn); + CMS.debug("LdapCertSubjMap: dn=" + dn); + } + CMS.debug("LdapCertSubjMap: Number of entries: " + v.size()); + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_DN_MAP_EXCEPTION", "LDAPException", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_NO_MATCH_FOUND", e.toString())); + } + } + + return v; + } + + public Vector mapAll(LDAPConnection conn, IRequest req, Object obj) + throws ELdapException { + return mapAll(conn, obj); + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level, + "LdapCertSubjMap: " + msg); + } + + /** + * return search base + */ + public String getSearchBase() { + return mSearchBase; + } + + /** + * return certificate subject attribute + */ + public String getCertSubjNameAttr() { + return mCertSubjNameAttr; + } + + public boolean useAllEntries() { + return mUseAllEntries; + } + +} diff --git a/base/common/src/com/netscape/cms/publish/mappers/LdapCrlIssuerCompsMap.java b/base/common/src/com/netscape/cms/publish/mappers/LdapCrlIssuerCompsMap.java new file mode 100644 index 000000000..654de5d30 --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/mappers/LdapCrlIssuerCompsMap.java 
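Review bot: In `map(LDAPConnection, Object)` and `mapAll(LDAPConnection, Object)` the search filter is built as `"(" + mCertSubjNameAttr + "=" + subjectDN + ")"` with the certificate subject DN (or CRL issuer DN) string inserted verbatim, so a DN containing `*`, `(`, `)` or `\` changes the meaning of the filter instead of being matched literally; subject names originate in enrollment requests, so the value should be escaped per RFC 4515 before it is placed in the filter. The same pattern appears in `LdapDNCompsMap.formDNandFilter`, where `ava.toLdapDNString()` applies DN-string escaping rather than filter escaping before `filter.addElement(...)`. A small helper covering the RFC 4515 metacharacters and NUL, applied at both call sites here and in `formDNandFilter`, keeps the lookup an exact match on the stored attribute value.
```java
    // RFC 4515 escaping so the DN is matched literally inside the search filter.
    private static String escapeFilterValue(String value) {
        StringBuffer buf = new StringBuffer(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
            case '\\': buf.append("\\5c"); break;
            case '*':  buf.append("\\2a"); break;
            case '(':  buf.append("\\28"); break;
            case ')':  buf.append("\\29"); break;
            case '\0': buf.append("\\00"); break;
            default:   buf.append(c);
            }
        }
        return buf.toString();
    }

    // … unchanged: subject/issuer DN extraction in map() and mapAll() …
    String filter = "(" + mCertSubjNameAttr + "=" + escapeFilterValue(subjectDN.toString()) + ")";
    LDAPSearchResults results =
            conn.search(mSearchBase, LDAPv2.SCOPE_SUB, filter, attrs, false);
    // … unchanged: result handling and LDAPException mapping …
```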
@@ -0,0 +1,156 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.mappers; + +import java.security.cert.CRLException; +import java.util.Vector; + +import netscape.ldap.LDAPConnection; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CRLImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapMapper; +import com.netscape.certsrv.request.IRequest; + +/** + * Default crl mapper. + * maps the crl to a ldap entry by using components in the issuer name + * to find the CA's entry. + * + * @version $Revision$, $Date$ + */ +public class LdapCrlIssuerCompsMap + extends LdapDNCompsMap implements ILdapMapper { + ILogger mLogger = CMS.getLogger(); + + public LdapCrlIssuerCompsMap() { + // need to support baseDN, dnComps, and filterComps + // via configuration + } + + /** + * Constructor. + * + * The DN comps are used to form a LDAP entry to begin a subtree search. + * The filter comps are used to form a search filter for the subtree. + * If none of the DN comps matched, baseDN is used for the subtree. 
+ * If the baseDN is null and none of the DN comps matched, it is an error. + * If none of the DN comps and filter comps matched, it is an error. + * If just the filter comps is null, a base search is performed. + * + * @param baseDN The base DN. + * @param dnComps Components to form the LDAP base dn for search. + * @param filterComps Components to form the LDAP search filter. + */ + public LdapCrlIssuerCompsMap(String baseDN, ObjectIdentifier[] dnComps, + ObjectIdentifier[] filterComps) { + init(baseDN, dnComps, filterComps); + } + + /** + * constructor using non-standard certificate attribute. + */ + public LdapCrlIssuerCompsMap(String crlAttr, String baseDN, + ObjectIdentifier[] dnComps, + ObjectIdentifier[] filterComps) { + super(crlAttr, baseDN, dnComps, filterComps); + } + + public String getImplName() { + return "LdapCrlIssuerCompsMap"; + } + + public String getDescription() { + return "LdapCrlIssuerCompsMap"; + } + + public Vector getDefaultParams() { + Vector v = super.getDefaultParams(); + + //v.addElement("crlAttr=" + LdapCrlPublisher.LDAP_CRL_ATTR); + return v; + } + + public Vector getInstanceParams() { + Vector v = super.getInstanceParams(); + + return v; + } + + protected void init(String baseDN, ObjectIdentifier[] dnComps, + ObjectIdentifier[] filterComps) { + //mLdapAttr = LdapCrlPublisher.LDAP_CRL_ATTR; + super.init(baseDN, dnComps, filterComps); + } + + /** + * Maps a crl to LDAP entry. + * Uses issuer DN components and filter components to form a DN and + * filter for a LDAP search. + * If the formed DN is null the baseDN will be used. + * If the formed DN is null and baseDN is null an error is thrown. + * If the filter is null a base search is performed. + * If both are null an error is thrown. + * + * @param conn - the LDAP connection. + * @param obj - the X509Certificate. + * @return the result. LdapCertMapResult is also used for CRL. 
+ */ + public String + map(LDAPConnection conn, Object obj) + throws ELdapException { + if (conn == null) + return null; + X509CRLImpl crl = (X509CRLImpl) obj; + + try { + String result = null; + X500Name issuerDN = + (X500Name) ((X509CRLImpl) crl).getIssuerDN(); + + CMS.debug("LdapCrlIssuerCompsMap: " + issuerDN.toString()); + + byte[] crlbytes = crl.getEncoded(); + + result = super.map(conn, issuerDN, crlbytes); + return result; + } catch (CRLException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_CANT_DECODE_CRL", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CRL_FAILED", e.toString())); + } + } + + public String map(LDAPConnection conn, IRequest req, Object obj) + throws ELdapException { + return map(conn, obj); + } + + /** + * overrides super's log(). + */ + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level, + "LdapCrlCompsMap: " + msg); + } + +} diff --git a/base/common/src/com/netscape/cms/publish/mappers/LdapDNCompsMap.java b/base/common/src/com/netscape/cms/publish/mappers/LdapDNCompsMap.java new file mode 100644 index 000000000..73549f1b5 --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/mappers/LdapDNCompsMap.java 
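Review bot: `map(LDAPConnection, Object)` performs `X509CRLImpl crl = (X509CRLImpl) obj;` outside the try block, so an object that is not a CRL escapes as an uncaught `ClassCastException` instead of the logged `PUBLISH_NOT_SUPPORTED_OBJECT` plus `return null` that the sibling mappers in this commit use for the same case; wrapping the cast in a `catch (ClassCastException e)` with that log call would make the behaviour consistent. The `@param obj - the X509Certificate` line in the method Javadoc is copied from the certificate mapper and should read `@param obj - the X509CRLImpl to map`, and the `@return` sentence about `LdapCertMapResult` does not match the `String` return type. The private `log` method's Javadoc says it "overrides super's log()", but a private method cannot override anything, and it tags messages with `LdapCrlCompsMap:` while the class is `LdapCrlIssuerCompsMap`, which makes the log lines hard to attribute.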
@@ -0,0 +1,457 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.mappers; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; +import netscape.ldap.LDAPv3; +import netscape.security.util.DerValue; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.AVA; +import netscape.security.x509.RDN; +import netscape.security.x509.X500Name; +import netscape.security.x509.X500NameAttrMap; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.ldap.ELdapServerDownException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapPlugin; + +/** + * Maps a Subject name to an entry in the LDAP server. + * subject name to form the ldap search dn and filter. 
+ * Takes a optional root search dn. + * The DN comps are used to form a LDAP entry to begin a subtree search. + * The filter comps are used to form a search filter for the subtree. + * If none of the DN comps matched, baseDN is used for the subtree. + * If the baseDN is null and none of the DN comps matched, it is an error. + * If none of the DN comps and filter comps matched, it is an error. + * If just the filter comps is null, a base search is performed. + * + * @version $Revision$, $Date$ + */ +public class LdapDNCompsMap + implements ILdapPlugin, IExtendedPluginInfo { + //protected String mLdapAttr = null; + protected String mBaseDN = null; + protected ObjectIdentifier[] mDnComps = null; + protected ObjectIdentifier[] mFilterComps = null; + + private ILogger mLogger = CMS.getLogger(); + private boolean mInited = false; + protected IConfigStore mConfig = null; + + /** + * Constructor. + * + * The DN comps are used to form a LDAP entry to begin a subtree search. + * The filter comps are used to form a search filter for the subtree. + * If none of the DN comps matched, baseDN is used for the subtree. + * If the baseDN is null and none of the DN comps matched, it is an error. + * If none of the DN comps and filter comps matched, it is an error. + * If just the filter comps is null, a base search is performed. + * + * @param baseDN The base DN. + * @param dnComps Components to form the LDAP base dn for search. + * @param filterComps Components to form the LDAP search filter. + */ + public LdapDNCompsMap(String ldapAttr, String baseDN, + ObjectIdentifier[] dnComps, + ObjectIdentifier[] filterComps) { + //mLdapAttr = ldapAttr; + init(baseDN, dnComps, filterComps); + } + + /** + * constructor if initializing from config store. + */ + public LdapDNCompsMap() { + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + /** + * for initializing from config store. 
+ */ + public void init(IConfigStore config) + throws EBaseException { + mConfig = config; + String baseDN = mConfig.getString("baseDN"); + ObjectIdentifier[] dnComps = + getCompsFromString(mConfig.getString("dnComps")); + ObjectIdentifier[] filterComps = + getCompsFromString(mConfig.getString("filterComps")); + + init(baseDN, dnComps, filterComps); + } + + public String getImplName() { + return "LdapDNCompsMap"; + } + + public String getDescription() { + return "LdapDNCompsMap"; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] s = { + "baseDN;string;Base to search from. E.g ou=Engineering,o=Fedora", + "dnComps;string;Comma-separated list of attributes to put in the DN", + "filterComps;string;Comma-separated list of attributes to form the filter", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ldappublish-mapper-dncompsmapper", + IExtendedPluginInfo.HELP_TEXT + + ";More complex mapper. Used when there is not enough information " + + "in the cert request to form the complete LDAP DN. Using this " + + "plugin, you can specify additional LDAP filters to narrow down the " + + "search" + }; + + return s; + } + + public Vector getDefaultParams() { + Vector v = new Vector(); + + v.addElement("baseDN="); + v.addElement("dnComps="); + v.addElement("filterComps="); + return v; + } + + public Vector getInstanceParams() { + Vector v = new Vector(); + + try { + if (mBaseDN == null) { + v.addElement("baseDN="); + } else { + v.addElement("baseDN=" + mConfig.getString("baseDN")); + } + if (mDnComps == null) { + v.addElement("dnComps="); + } else { + v.addElement("dnComps=" + + mConfig.getString("dnComps")); + } + if (mFilterComps == null) { + v.addElement("filterComps="); + } else { + v.addElement("filterComps=" + + mConfig.getString("filterComps")); + } + } catch (Exception e) { + } + return v; + } + + /** + * common initialization routine. 
+ */ + protected void init(String baseDN, ObjectIdentifier[] dnComps, + ObjectIdentifier[] filterComps) { + if (mInited) + return; + + mBaseDN = baseDN; + if (dnComps != null) + mDnComps = (ObjectIdentifier[]) dnComps.clone(); + if (filterComps != null) + mFilterComps = (ObjectIdentifier[]) filterComps.clone(); + + // log debug info. + for (int i = 0; i < mDnComps.length; i++) { + CMS.debug( + "LdapDNCompsMap: dnComp " + X500NameAttrMap.getDefault().getName(mDnComps[i])); + } + for (int i = 0; i < mFilterComps.length; i++) { + CMS.debug("LdapDNCompsMap: filterComp " + + X500NameAttrMap.getDefault().getName(mFilterComps[i])); + } + mInited = true; + } + + /** + * Maps a X500 subject name to LDAP entry. + * Uses DN components and filter components to form a DN and + * filter for a LDAP search. + * If the formed DN is null the baseDN will be used. + * If the formed DN is null and baseDN is null an error is thrown. + * If the filter is null a base search is performed. + * If both are null an error is thrown. + * + * @param conn the LDAP connection. + * @param x500name the dn to map. + * @param obj the object + * @exception ELdapException if any LDAP exceptions occured. + * @return the DN of the entry. 
+ */ + public String map(LDAPConnection conn, X500Name x500name, + byte[] obj) + throws ELdapException { + try { + if (conn == null) + return null; + + CMS.debug("LdapDNCompsMap: " + x500name.toString()); + + String[] dnAndFilter = formDNandFilter(x500name); + String dn = dnAndFilter[0]; + String filter = dnAndFilter[1]; + + if (dn == null) { + // #362332 + // if (filter == null) { + // log(ILogger.LL_FAILURE, "No dn and filter formed"); + // throw new ELdapException( + // LdapResources.NO_DN_AND_FILTER_COMPS, + // x500name.toString()); + // } + if (mBaseDN == null) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_BASE")); + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_NO_DN_COMPS_AND_BASEDN", + x500name.toString())); + } + dn = mBaseDN; + } + int scope = LDAPv2.SCOPE_SUB; + + if (filter == null) { + scope = LDAPv2.SCOPE_BASE; + filter = "(objectclass=*)"; + } + + // search for entry + String[] attrs; + + attrs = new String[] { LDAPv3.NO_ATTRS }; + + log(ILogger.LL_INFO, "searching for " + dn + " " + filter + " " + + ((scope == LDAPv2.SCOPE_SUB) ? "sub" : "base")); + + LDAPSearchResults results = + conn.search(dn, scope, filter, attrs, false); + LDAPEntry entry = results.next(); + + if (results.hasMoreElements()) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_MORE_THAN_ONE_ENTRY", "", x500name.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_MORE_THAN_ONE_ENTRY", + x500name.toString())); + } + if (entry != null) { + return entry.getDN(); + } else { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_ENTRY_NOT_FOUND", "", x500name.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_NO_MATCH_FOUND", + "null entry")); + } + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. 
+ log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_DN_MAP_EXCEPTION", "LDAPException", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_NO_MATCH_FOUND", e.toString())); + } + } + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level, + "LdapDNCompsMap: " + msg); + } + + /** + * form a dn and filter from component in the cert subject name + * + * @param subjName subject name + */ + public String[] formDNandFilter(X500Name subjName) + throws ELdapException { + Vector dnRdns = new Vector(); + SearchFilter filter = new SearchFilter(); + X500NameAttrMap attrMap = X500NameAttrMap.getDefault(); + String dnStr = null, filterStr = null; + ObjectIdentifier EOid = attrMap.getOid("E"); + ObjectIdentifier mailOid = attrMap.getOid("MAIL"); + + try { + // get the base DN & filter. + for (Enumeration n = subjName.getRDNs(); n.hasMoreElements();) { + RDN rdn = (RDN) n.nextElement(); + // NOTE assumes one AVA per RDN. 
+ AVA ava = rdn.getAssertion()[0]; + ObjectIdentifier oid = ava.getOid(); + + for (int i = 0; i < mDnComps.length; i++) { + if (mDnComps[i].equals(oid)) { + if (oid == EOid) { + DerValue val = ava.getValue(); + AVA newAVA = new AVA(mailOid, val); + RDN newRDN = new RDN(new AVA[] { newAVA } + ); + + CMS.debug( + "LdapDNCompsMap: Converted " + rdn.toLdapDNString() + " to " + + newRDN.toLdapDNString() + " in DN"); + rdn = newRDN; + } + dnRdns.addElement(rdn); + CMS.debug( + "LdapDNCompsMap: adding dn comp " + rdn.toLdapDNString()); + break; + } + } + for (int i = 0; i < mFilterComps.length; i++) { + if (mFilterComps[i].equals(oid)) { + if (oid == EOid) { + DerValue val = ava.getValue(); + AVA newAVA = new AVA(mailOid, val); + + CMS.debug( + "LdapDNCompsMap: Converted " + ava.toLdapDNString() + " to " + + newAVA.toLdapDNString() + " in filter"); + ava = newAVA; + } + filter.addElement(ava.toLdapDNString()); + CMS.debug( + "LdapDNCompsMap: adding filter comp " + ava.toLdapDNString()); + break; + } + } + + // XXX should be an error when string is null? + // return to caller to decide. + if (dnRdns.size() != 0) { + dnStr = new X500Name(dnRdns).toLdapDNString(); + } + if (filter.size() != 0) { + filterStr = filter.toFilterString(); + } + } + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_FROM_SUBJ_TO_DN", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_FORM_DN_COMPS_FAILED", e.toString())); + } + + return new String[] { dnStr, filterStr }; + } + + public ObjectIdentifier[] getDnComps() { + return (ObjectIdentifier[]) mDnComps.clone(); + } + + public ObjectIdentifier[] getFilterComps() { + return (ObjectIdentifier[]) mFilterComps.clone(); + } + + /** + * class for forming search filters for ldap searching from + * name=value components. components are anded. 
+ */ + + public static class SearchFilter extends Vector { + private static final long serialVersionUID = 4210302171279891828L; + + public String toFilterString() { + StringBuffer buf = new StringBuffer(); + + if (elementCount == 0) { + return null; + } + if (elementCount == 1) { + buf.append("(" + (String) elementData[0] + ")"); + return buf.toString(); + } + buf.append("(&"); + for (int i = 0; i < elementCount; i++) { + buf.append("(" + (String) elementData[i] + ")"); + } + buf.append(")"); + return buf.toString(); + } + } + + /** + * useful routine for parsing components given as string to + * arrays of objectidentifiers. + * The string is expected to be comma separated AVA attribute names. + * For example, "uid,cn,o,ou". Attribute names are case insensitive. + * + * @param val the string specifying the comps + * @exception ELdapException if any error occurs. + */ + public static ObjectIdentifier[] getCompsFromString(String val) + throws ELdapException { + StringTokenizer tokens; + ObjectIdentifier[] comps; + String attr; + ObjectIdentifier oid; + + if (val == null || val.length() == 0) + return new ObjectIdentifier[0]; + + tokens = new StringTokenizer(val, ", \t\n\r"); + comps = new ObjectIdentifier[tokens.countTokens()]; + if (comps.length == 0) { + return new ObjectIdentifier[0]; + } + int i = 0; + + while (tokens.hasMoreTokens()) { + attr = tokens.nextToken().trim(); + // mail -> E hack to look for E in subject names. + if (attr.equalsIgnoreCase("mail")) + attr = "E"; + oid = X500NameAttrMap.getDefault().getOid(attr); + if (oid != null) { + comps[i++] = oid; + } else { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_UNKNOWN_ATTR_IN_DN_FILTER_COMPS", attr)); + } + } + return comps; + } + +} diff --git a/base/common/src/com/netscape/cms/publish/mappers/LdapEnhancedMap.java b/base/common/src/com/netscape/cms/publish/mappers/LdapEnhancedMap.java new file mode 100644 index 000000000..c9a7f867c --- /dev/null 
+++ b/base/common/src/com/netscape/cms/publish/mappers/LdapEnhancedMap.java 
@@ -0,0 +1,640 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +// package statement // +/////////////////////// + +package com.netscape.cms.publish.mappers; + +/////////////////////// +// import statements // +/////////////////////// + +/* cert server imports */ +import java.io.IOException; +import java.security.cert.X509Certificate; +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPAttributeSet; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; +import netscape.ldap.LDAPv3; +import netscape.ldap.util.DN; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CRLImpl; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.ldap.ELdapServerDownException; 
+import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapMapper; +import com.netscape.certsrv.request.IRequest; + +////////////////////// +// class definition // +////////////////////// + +/** + * Maps a request to an entry in the LDAP server. + * Takes a dnPattern to form the baseDN from the + * request attributes and certificate subject name. + * Does a base search for the entry in the directory + * to publish the cert or crl. The restriction of + * this mapper is that the ldap dn components must + * be part of certificate subject name or request + * attributes or constant. The difference of this + * mapper and LdapSimpleMap is that if the ldap + * entry is not found, it has the option to create + * the ldap entry given the dn and attributes + * formulated. + * + * @version $Revision$, $Date$ + */ +public class LdapEnhancedMap + implements ILdapMapper, IExtendedPluginInfo { + //////////////////////// + // default parameters // + //////////////////////// + + ////////////////////////////////////// + // local LdapEnhancedMap parameters // + ////////////////////////////////////// + + private boolean mInited = false; + + // the subject DN pattern + protected MapDNPattern mPattern = null; + + // the list of request attriubutes to retrieve + protected String[] mReqAttrs = null; + + // the list of cert attributes to retrieve + protected String[] mCertAttrs = null; + + protected String[] mLdapValues = null; + + //////////////////////////// + // ILdapMapper parameters // + //////////////////////////// + + /* mapper plug-in fields */ + protected static final String PROP_DNPATTERN = "dnPattern"; + protected static final String PROP_CREATE = "createEntry"; + // the object class of the entry to be created. 
xxxx not done yet + protected static final String PROP_OBJCLASS = "objectClass"; + // req/cert/ext attribute --> directory attribute table + protected static final String PROP_ATTRNUM = "attrNum"; + protected static final String PROP_ATTR_NAME = "attrName"; + protected static final String PROP_ATTR_PATTERN = "attrPattern"; + + /* mapper plug-in fields initialization values */ + private static final int DEFAULT_NUM_ATTRS = 1; + + /* Holds mapper plug-in fields accepted by this implementation. + * This list is passed to the configuration console so configuration + * for instances of this implementation can be configured through the + * console. + */ + private static Vector defaultParams = new Vector(); + + static { + defaultParams.addElement(PROP_DNPATTERN + "="); + defaultParams.addElement(PROP_CREATE + "=true"); + defaultParams.addElement(PROP_ATTRNUM + "=" + DEFAULT_NUM_ATTRS); + for (int i = 0; i < DEFAULT_NUM_ATTRS; i++) { + defaultParams.addElement(PROP_ATTR_NAME + i + "="); + defaultParams.addElement(PROP_ATTR_PATTERN + i + "="); + } + } + + /* mapper plug-in values */ + protected String mDnPattern = null; + protected boolean mCreateEntry = true; + private int mNumAttrs = DEFAULT_NUM_ATTRS; + protected String[] mLdapNames = null; + protected String[] mLdapPatterns = null; + + /* miscellaneous constants local to this mapper plug-in */ + // default dn pattern if left blank or not set in the config + public static final String DEFAULT_DNPATTERN = + "UID=$req.HTTP_PARAMS.UID, " + + "OU=people, O=$subj.o, C=$subj.c"; + private static final int MAX_ATTRS = 10; + protected static final int DEFAULT_ATTRNUM = 1; + + /* miscellaneous variables local to this mapper plug-in */ + protected IConfigStore mConfig = null; + protected AVAPattern[] mPatterns = null; + + //////////////////////////////////// + // IExtendedPluginInfo parameters // + //////////////////////////////////// + + /////////////////////// + // Logger parameters // + /////////////////////// + + private 
ILogger mLogger = CMS.getLogger(); + + ///////////////////// + // default methods // + ///////////////////// + + /** + * Default constructor, initialization must follow. + */ + public LdapEnhancedMap() { + } + + /////////////////////////////////// + // local LdapEnhancedMap methods // + /////////////////////////////////// + + /** + * common initialization routine. + */ + protected void init(String dnPattern) + throws EBaseException { + if (mInited) { + return; + } + + mDnPattern = dnPattern; + if (mDnPattern == null || + mDnPattern.length() == 0) { + mDnPattern = DEFAULT_DNPATTERN; + } + + try { + mPattern = new MapDNPattern(mDnPattern); + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_DN_PATTERN_INIT", + dnPattern, e.toString())); + throw new EBaseException( + "falied to init with pattern " + + dnPattern + " " + e); + } + + mInited = true; + } + + /** + * form a dn from component in the request and cert subject name + * + * @param req The request + * @param obj The certificate or crl + */ + private String formDN(IRequest req, Object obj) + throws EBaseException { + CertificateExtensions certExt = null; + X500Name subjectDN = null; + + try { + X509Certificate cert = (X509Certificate) obj; + + subjectDN = + (X500Name) ((X509Certificate) cert).getSubjectDN(); + CMS.debug( + "LdapEnhancedMap: cert subject dn:" + + subjectDN.toString()); + + //certExt = (CertificateExtensions) + // ((X509CertImpl)cert).get( + // X509CertInfo.EXTENSIONS); + X509CertInfo info = (X509CertInfo) + ((X509CertImpl) cert).get( + X509CertImpl.NAME + + "." 
+ + X509CertImpl.INFO); + + certExt = (CertificateExtensions) + info.get(CertificateExtensions.NAME); + } catch (java.security.cert.CertificateParsingException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_CANT_GET_EXT", e.toString())); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_CANT_GET_EXT", e.toString())); + } catch (java.security.cert.CertificateException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_CANT_GET_EXT", e.toString())); + } catch (ClassCastException e) { + + try { + X509CRLImpl crl = (X509CRLImpl) obj; + + subjectDN = (X500Name) + ((X509CRLImpl) crl).getIssuerDN(); + + CMS.debug( + "LdapEnhancedMap: crl issuer dn: " + + + subjectDN.toString()); + } catch (ClassCastException ex) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_PUBLISH_OBJ_NOT_SUPPORTED", + ((req == null) ? "" + : req.getRequestId().toString()))); + return null; + } + } + + try { + mLdapValues = new String[mNumAttrs]; + + for (int i = 0; i < mNumAttrs; i++) { + if (mPatterns[i] != null) { + mLdapValues[i] = mPatterns[i].formAVA( + req, + subjectDN, + certExt); + } + } + + String dn = mPattern.formDN(req, subjectDN, certExt); + + return dn; + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_CANT_FORM_DN", + ((req == null) ? "" + : req.getRequestId().toString()), e.toString())); + + throw new EBaseException( + "failed to form dn for request: " + + ((req == null) ? 
"" + : req.getRequestId().toString()) + + " " + e); + } + } + + private void createEntry(LDAPConnection conn, String dn) + throws LDAPException { + LDAPAttributeSet attrs = new LDAPAttributeSet(); + + // OID 2.5.6.16 + String caOc[] = { "top", + "person", + "organizationalPerson", + "inetOrgPerson" }; + + DN dnobj = new DN(dn); + String attrval[] = dnobj.explodeDN(true); + + attrs.add(new LDAPAttribute("cn", attrval[0])); + attrs.add(new LDAPAttribute("sn", attrval[0])); + attrs.add(new LDAPAttribute("objectclass", caOc)); + + for (int i = 0; i < mNumAttrs; i++) { + if (mLdapNames[i] != null && + !mLdapNames[i].trim().equals("") && + mLdapValues[i] != null && + !mLdapValues[i].trim().equals("")) { + attrs.add(new LDAPAttribute(mLdapNames[i], + mLdapValues[i])); + } + } + + LDAPEntry entry = new LDAPEntry(dn, attrs); + + conn.add(entry); + } + + ///////////////////////// + // ILdapMapper methods // + ///////////////////////// + + /** + * for initializing from config store. + * + * implementation for extended + * ILdapPlugin interface method + */ + public void init(IConfigStore config) + throws EBaseException { + mConfig = config; + + mDnPattern = mConfig.getString(PROP_DNPATTERN, + DEFAULT_DNPATTERN); + + mCreateEntry = mConfig.getBoolean(PROP_CREATE, + true); + + mNumAttrs = mConfig.getInteger(PROP_ATTRNUM, + 0); + + mLdapNames = new String[mNumAttrs]; + + mLdapPatterns = new String[mNumAttrs]; + + mPatterns = new AVAPattern[mNumAttrs]; + for (int i = 0; i < mNumAttrs; i++) { + mLdapNames[i] = + mConfig.getString(PROP_ATTR_NAME + + Integer.toString(i), + ""); + + mLdapPatterns[i] = + mConfig.getString(PROP_ATTR_PATTERN + + Integer.toString(i), + ""); + + if (mLdapPatterns[i] != null && + !mLdapPatterns[i].trim().equals("")) { + mPatterns[i] = new AVAPattern(mLdapPatterns[i]); + } + } + + init(mDnPattern); + } + + /** + * implementation for extended + * ILdapPlugin interface method + */ + public IConfigStore getConfigStore() { + return mConfig; + } + + public String 
getImplName() { + return "LdapEnhancedMap"; + } + + public String getDescription() { + return "LdapEnhancedMap"; + } + + public Vector getDefaultParams() { + return defaultParams; + } + + public Vector getInstanceParams() { + Vector v = new Vector(); + + try { + if (mDnPattern == null) { + v.addElement(PROP_DNPATTERN + "="); + } else { + v.addElement(PROP_DNPATTERN + "=" + + mConfig.getString(PROP_DNPATTERN)); + } + + v.addElement(PROP_CREATE + "=" + + mConfig.getBoolean(PROP_CREATE, + true)); + + v.addElement(PROP_ATTRNUM + "=" + + mConfig.getInteger(PROP_ATTRNUM, + DEFAULT_NUM_ATTRS)); + + for (int i = 0; i < mNumAttrs; i++) { + if (mLdapNames[i] != null) { + v.addElement(PROP_ATTR_NAME + i + + "=" + mLdapNames[i]); + } else { + v.addElement(PROP_ATTR_NAME + i + + "="); + } + + if (mLdapPatterns[i] != null) { + v.addElement(PROP_ATTR_PATTERN + i + + "=" + mLdapPatterns[i]); + } else { + v.addElement(PROP_ATTR_PATTERN + i + + "="); + } + } + } catch (Exception e) { + } + + return v; + } + + /** + * Maps an X500 subject name to an LDAP entry. + * Uses DN pattern to form a DN for an LDAP base search. + * + * @param conn the LDAP connection. + * @param obj the object to map. + * @exception ELdapException if any LDAP exceptions occurred. + */ + public String map(LDAPConnection conn, Object obj) + throws ELdapException { + return map(conn, null, obj); + } + + /** + * Maps an X500 subject name to an LDAP entry. + * Uses DN pattern to form a DN for an LDAP base search. + * + * @param conn the LDAP connection. + * @param req the request to map. + * @param obj the object to map. + * @exception ELdapException if any LDAP exceptions occurred. 
+ */ + public String map(LDAPConnection conn, IRequest req, Object obj) + throws ELdapException { + if (conn == null) { + return null; + } + + String dn = null; + + try { + dn = formDN(req, obj); + if (dn == null) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_DN_NOT_FORMED")); + + String s1 = ""; + + if (req != null) + s1 = req.getRequestId().toString(); + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_NO_DN_MATCH", s1)); + } + + int scope = LDAPv2.SCOPE_BASE; + String filter = "(objectclass=*)"; + + // search for entry + String[] attrs = new String[] { LDAPv3.NO_ATTRS }; + + log(ILogger.LL_INFO, + "searching for dn: " + + dn + " filter:" + + filter + " scope: base"); + + LDAPSearchResults results = conn.search(dn, + scope, + filter, + attrs, + false); + + LDAPEntry entry = results.next(); + + if (results.hasMoreElements()) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_MORE_THAN_ONE_ENTRY", + dn + + ((req == null) ? "" + : req.getRequestId().toString()))); + + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_MORE_THAN_ONE_ENTRY", + ((req == null) ? "" + : req.getRequestId().toString()))); + } + + if (entry != null) { + return entry.getDN(); + } else { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_ENTRY_NOT_FOUND", + dn + + ((req == null) ? "" + : req.getRequestId().toString()))); + + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_NO_MATCH_FOUND", + "null entry")); + } + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. 
+ log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else if (e.getLDAPResultCode() == + LDAPException.NO_SUCH_OBJECT && mCreateEntry) { + + try { + createEntry(conn, dn); + + log(ILogger.LL_INFO, + "Entry " + + dn + + " Created"); + + return dn; + } catch (LDAPException e1) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_DN_MAP_EXCEPTION", + dn, + e.toString())); + + log(ILogger.LL_FAILURE, + "Entry is not created. " + + "This may because there are " + + "entries in the directory " + + "hierachy not exit."); + + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_CREATE_ENTRY", dn)); + } + } else { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_DN_MAP_EXCEPTION", + dn, + e.toString())); + + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_NO_MATCH_FOUND", e.toString())); + } + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_EXCEPTION_CAUGHT", + e.toString())); + + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_NO_MATCH_FOUND", e.toString())); + } + } + + ///////////////////////////////// + // IExtendedPluginInfo methods // + ///////////////////////////////// + + public String[] getExtendedPluginInfo(Locale locale) { + Vector v = new Vector(); + + v.addElement(PROP_DNPATTERN + + ";string;Describes how to form the Ldap " + + "Subject name in the directory. " + + "Example 1: 'uid=CertMgr, o=Fedora'. " + + "Example 2: 'uid=$req.HTTP_PARAMS.uid, " + + "E=$ext.SubjectAlternativeName.RFC822Name, " + + "ou=$subj.ou'. " + + "$req means: take the attribute from the " + + "request. " + + "$subj means: take the attribute from the " + + "certificate subject name. 
" + + "$ext means: take the attribute from the " + + "certificate extension"); + v.addElement(PROP_CREATE + + ";boolean;If checked, An entry will be " + + "created automatically"); + v.addElement(PROP_ATTRNUM + + ";string;How many attributes to add."); + v.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ldappublish-mapper-enhancedmapper"); + v.addElement(IExtendedPluginInfo.HELP_TEXT + + ";Describes how to form the LDAP DN of the " + + "entry to publish to"); + + for (int i = 0; i < MAX_ATTRS; i++) { + v.addElement(PROP_ATTR_NAME + + Integer.toString(i) + + ";string;" + + "The name of LDAP attribute " + + "to be added. e.g. mail"); + v.addElement(PROP_ATTR_PATTERN + + Integer.toString(i) + + ";string;" + + "How to create the LDAP attribute value. " + + "e.g. $req.HTTP_PARAMS.csrRequestorEmail, " + + "$subj.E or " + + "$ext.SubjectAlternativeName.RFC822Name"); + } + + String params[] = + com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); + + return params; + } + + //////////////////// + // Logger methods // + //////////////////// + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level, + "LdapEnhancedMapper: " + msg); + } +} diff --git a/base/common/src/com/netscape/cms/publish/mappers/LdapSimpleMap.java b/base/common/src/com/netscape/cms/publish/mappers/LdapSimpleMap.java new file mode 100644 index 000000000..642729673 --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/mappers/LdapSimpleMap.java 
@@ -0,0 +1,332 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.mappers; + +import java.io.IOException; +import java.security.cert.X509Certificate; +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; +import netscape.ldap.LDAPv3; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CRLImpl; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.ldap.ELdapServerDownException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapMapper; +import com.netscape.certsrv.request.IRequest; + +/** + * Maps a request to an entry in the LDAP server. 
+ * Takes a dnPattern to form the baseDN from the request attributes + * and certificate subject name.Do a base search for the entry + * in the directory to publish the cert or crl. + * The restriction of this mapper is that the ldap dn components must + * be part of certificate subject name or request attributes or constant. + * + * @version $Revision$, $Date$ + */ +public class LdapSimpleMap implements ILdapMapper, IExtendedPluginInfo { + protected static final String PROP_DNPATTERN = "dnPattern"; + protected String mDnPattern = null; + + private ILogger mLogger = CMS.getLogger(); + private boolean mInited = false; + protected IConfigStore mConfig = null; + + /* the subject DN pattern */ + protected MapDNPattern mPattern = null; + + /* the list of request attriubutes to retrieve*/ + protected String[] mReqAttrs = null; + + /* the list of cert attriubutes to retrieve*/ + protected String[] mCertAttrs = null; + + /* default dn pattern if left blank or not set in the config */ + public static final String DEFAULT_DNPATTERN = + "UID=$req.HTTP_PARAMS.UID, OU=people, O=$subj.o, C=$subj.c"; + + /** + * Constructor. + * + * @param dnPattern The base DN. + */ + public LdapSimpleMap(String dnPattern) { + try { + init(dnPattern); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + } + + } + + /** + * constructor if initializing from config store. + */ + public LdapSimpleMap() { + } + + public String[] getExtendedPluginInfo(Locale locale) { + String params[] = { + "dnPattern;string;Describes how to form the Ldap Subject name in" + + " the directory. Example 1: 'uid=CertMgr, o=Fedora'. Example 2:" + + " 'uid=$req.HTTP_PARAMS.uid, E=$ext.SubjectAlternativeName.RFC822Name, ou=$subj.ou'. " + + "$req means: take the attribute from the request. " + + "$subj means: take the attribute from the certificate subject name. 
" + + "$ext means: take the attribute from the certificate extension", + IExtendedPluginInfo.HELP_TOKEN + ";configuration-ldappublish-mapper-simplemapper", + IExtendedPluginInfo.HELP_TEXT + ";Describes how to form the LDAP DN of the entry to publish to" + }; + + return params; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + /** + * for initializing from config store. + */ + public void init(IConfigStore config) + throws EBaseException { + mConfig = config; + String dnPattern = mConfig.getString(PROP_DNPATTERN); + + init(dnPattern); + } + + /** + * common initialization routine. + */ + protected void init(String dnPattern) + throws EBaseException { + if (mInited) + return; + + mDnPattern = dnPattern; + if (mDnPattern == null || mDnPattern.length() == 0) + mDnPattern = DEFAULT_DNPATTERN; + try { + mPattern = new MapDNPattern(mDnPattern); + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_DN_PATTERN_INIT", + dnPattern, e.toString())); + throw new EBaseException("falied to init with pattern " + + dnPattern + " " + e); + } + + mInited = true; + } + + /** + * Maps a X500 subject name to LDAP entry. + * Uses DN pattern to form a DN for a LDAP base search. + * + * @param conn the LDAP connection. + * @param obj the object to map. + * @exception ELdapException if any LDAP exceptions occured. + */ + public String map(LDAPConnection conn, Object obj) + throws ELdapException { + return map(conn, null, obj); + } + + /** + * Maps a X500 subject name to LDAP entry. + * Uses DN pattern to form a DN for a LDAP base search. + * + * @param conn the LDAP connection. + * @param req the request to map. + * @param obj the object to map. + * @exception ELdapException if any LDAP exceptions occured. 
+ */ + public String map(LDAPConnection conn, IRequest req, Object obj) + throws ELdapException { + if (conn == null) + return null; + String dn = null; + + try { + dn = formDN(req, obj); + if (dn == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_DN_NOT_FORMED")); + String s1 = ""; + + if (req != null) + s1 = req.getRequestId().toString(); + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_NO_DN_MATCH", s1)); + } + int scope = LDAPv2.SCOPE_BASE; + String filter = "(objectclass=*)"; + + // search for entry + String[] attrs = new String[] { LDAPv3.NO_ATTRS }; + + log(ILogger.LL_INFO, "searching for dn: " + dn + " filter:" + + filter + " scope: base"); + + LDAPSearchResults results = + conn.search(dn, scope, filter, attrs, false); + LDAPEntry entry = results.next(); + + if (results.hasMoreElements()) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_MORE_THAN_ONE_ENTRY", dn, ((req == null) ? "" : + req.getRequestId().toString()))); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_MORE_THAN_ONE_ENTRY", + ((req == null) ? "" : req.getRequestId().toString()))); + } + if (entry != null) + return entry.getDN(); + else { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_ENTRY_NOT_FOUND", dn, ((req == null) ? "" : req.getRequestId() + .toString()))); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_NO_MATCH_FOUND", + "null entry")); + } + } catch (ELdapException e) { + throw e; + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. 
+ log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_DN_MAP_EXCEPTION", "", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_NO_MATCH_FOUND", e.toString())); + } + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_EXCEPTION_CAUGHT", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_NO_MATCH_FOUND", e.toString())); + } + } + + /** + * form a dn from component in the request and cert subject name + * + * @param req The request + * @param obj The certificate or crl + */ + private String formDN(IRequest req, Object obj) throws + EBaseException, ELdapException { + X500Name subjectDN = null; + CertificateExtensions certExt = null; + + try { + X509Certificate cert = (X509Certificate) obj; + + subjectDN = + (X500Name) ((X509Certificate) cert).getSubjectDN(); + + CMS.debug("LdapSimpleMap: cert subject dn:" + subjectDN.toString()); + //certExt = (CertificateExtensions) + // ((X509CertImpl)cert).get(X509CertInfo.EXTENSIONS); + X509CertInfo info = (X509CertInfo) + ((X509CertImpl) cert).get( + X509CertImpl.NAME + "." 
+ X509CertImpl.INFO); + + certExt = (CertificateExtensions) info.get( + CertificateExtensions.NAME); + } catch (java.security.cert.CertificateParsingException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CANT_GET_EXT", e.toString())); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CANT_GET_EXT", e.toString())); + } catch (java.security.cert.CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CANT_GET_EXT", e.toString())); + } catch (ClassCastException e) { + try { + X509CRLImpl crl = (X509CRLImpl) obj; + + subjectDN = + (X500Name) ((X509CRLImpl) crl).getIssuerDN(); + + CMS.debug("LdapSimpleMap: crl issuer dn: " + + subjectDN.toString()); + } catch (ClassCastException ex) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_PUBLISH_OBJ_NOT_SUPPORTED", + ((req == null) ? "" : req.getRequestId().toString()))); + return null; + } + } + try { + String dn = mPattern.formDN(req, subjectDN, certExt); + + return dn; + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CANT_FORM_DN", + ((req == null) ? "" : req.getRequestId().toString()), e.toString())); + throw e; + } + } + + public String getImplName() { + return "LdapSimpleMap"; + } + + public String getDescription() { + return "LdapSimpleMap"; + } + + public Vector getDefaultParams() { + Vector v = new Vector(); + + v.addElement(PROP_DNPATTERN + "="); + return v; + } + + public Vector getInstanceParams() { + Vector v = new Vector(); + + try { + if (mDnPattern == null) { + v.addElement(PROP_DNPATTERN + "="); + } else { + v.addElement(PROP_DNPATTERN + "=" + + mConfig.getString(PROP_DNPATTERN)); + } + } catch (Exception e) { + } + return v; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level, + "LdapSimpleMapper: " + msg); + } + +} 
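Review bot: `LdapSimpleMap(String dnPattern)` swallows the EBaseException from init(), so a malformed pattern leaves `mPattern` null and `mInited` false, and the failure only surfaces later as an uncaught NullPointerException at `mPattern.formDN(...)` inside formDN(), which none of the catch clauses in map() (ELdapException, LDAPException, EBaseException) handle. Either fail fast in the constructor, e.g. `throw new IllegalArgumentException("invalid dnPattern: " + dnPattern, e);`, or guard at the top of map() with a null check on `mPattern` that throws an ELdapException so the publisher reports a configuration error rather than an NPE. The empty `catch (Exception e) {}` in getInstanceParams() is the same issue already noted for LdapEnhancedMap; it should at least be logged.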
diff --git a/base/common/src/com/netscape/cms/publish/mappers/MapAVAPattern.java b/base/common/src/com/netscape/cms/publish/mappers/MapAVAPattern.java new file mode 100644 index 000000000..7aeb672d0 --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/mappers/MapAVAPattern.java 
@@ -0,0 +1,652 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.mappers; + +import java.io.IOException; +import java.io.PushbackReader; +import java.io.StringReader; +import java.util.Enumeration; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.ldap.LDAPDN; +import netscape.security.x509.AVA; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.Extension; +import netscape.security.x509.GeneralName; +import netscape.security.x509.GeneralNameInterface; +import netscape.security.x509.GeneralNames; +import netscape.security.x509.LdapV3DNStrConverter; +import netscape.security.x509.OIDMap; +import netscape.security.x509.SubjectAlternativeNameExtension; +import netscape.security.x509.X500Name; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.publish.ECompSyntaxErr; +import com.netscape.certsrv.request.IRequest; + +/** + * class for parsing a DN pattern used to construct a ldap dn from + * request attributes and cert subject name. + *

+ * + * dnpattern is a string representing a ldap dn pattern to formulate from the certificate subject name attributes and + * request attributes . If empty or not set, the certificate subject name will be used as the ldap dn. + *

+ * + * The syntax is + * + *

+ * 	dnPattern := rdnPattern *[ "," rdnPattern ]
+ * 	rdnPattern := avaPattern *[ "+" avaPattern ]
+ * 		avaPattern := name "=" value | 
+ * 			      name "=" "$subj" "." attrName [ "." attrNumber ] | 
+ * 			      name "=" "$ext" "." extName [ "." nameType ] [ "." attrNumber ] 
+ * 			      name "=" "$req" "." attrName [ "." attrNumber ] | 
+ * 			 	  "$rdn" "." number
+ * 
+ * + *
+ * Example1: cn=Certificate Manager,ou=people,o=mcom.com
+ * cert subject name: dn:  CN=Certificate Manager, OU=people, O=mcom.com
+ * request attributes: uid: cmanager 
+ * 

+ * The dn formulated will be :
+ * CN=Certificate Manager, OU=people, O=mcom.com + *

+ * note: Subordinate ca enrollment will use ca mapper. Use predicate + * to distinguish the ca itself and the subordinates. + * + * Example2: UID=$req.HTTP_PARAMS.uid, OU=$subj.ou, OU=people, , O=mcom.com + * cert subject name: dn: UID=jjames, OU=IS, OU=people, , O=mcom.com + * request attributes: uid: cmanager + *

+ * The dn formulated will be :
+ * UID=jjames, OU=IS, OU=people, O=mcom.com + *

+ * UID = the 'uid' attribute value in the request.
+ * OU = the 'ou' value in the cert subject name.
+ * O = the string mcom.com.
+ *

+ * Example3: UID=$req.HTTP_PARAMS.uid, E=$ext.SubjectAlternativeName.RFC822Name.1, O=mcom.com + * cert subject name: dn: UID=jjames, OU=IS, OU=people, O=mcom.com + * cert subjectAltName is rfc822Name: jjames@mcom.com + * request attributes: uid: cmanager + *

+ * The dn formulated will be :
+ * UID=jjames, E=jjames@mcom.com, O=mcom.com + *

+ * UID = the 'uid' attribute value in the request.
+ * E = The first rfc822name value in the subjAltName extension.
+ * O = the string mcom.com.
+ *

+ *

+ * + * If an request attribute or subject DN component does not exist, the attribute is skipped. There is potential risk + * that a wrong dn will be mapped into. + * + * @version $Revision$, $Date$ + */ +class MapAVAPattern { + + /* the value type of the dn component */ + public static final String TYPE_REQ = "$req"; + public static final String TYPE_SUBJ = "$subj"; + public static final String TYPE_EXT = "$ext"; + public static final String TYPE_RDN = "$rdn"; + public static final String TYPE_CONSTANT = "constant"; + + public static final String[] GENERAL_NAME_TYPE = { "ANY", + "RFC822Name", + "DNSName", + "X400Name", + "DIRECTORYName", + "EDIName", + "URIName", + "IPAddress", + "OIDName" }; + private static final char[] endChars = new char[] { '+', ',' }; + + private static final LdapV3DNStrConverter mLdapDNStrConverter = + new LdapV3DNStrConverter(); + + /* the list of request attributes needed by this AVA */ + protected String[] mReqAttrs = null; + + /* the list of cert attributes needed by this AVA*/ + protected String[] mCertAttrs = null; + + /* value type */ + protected String mType = null; + + /* the attribute in the AVA pair */ + protected String mAttr = null; + + /* value - could be name of a request attribute or + * cert subject dn attribute. */ + protected String mValue = null; + + /* value type - general name type of an extension attribute if any. */ + protected String mGNType = null; + + /* prefix - prefix of a request attribute if any. 
*/ + protected String mPrefix = null; + + /* nth value of the ldap or dn attribute */ + protected int mElement = 0; + + protected String mTestDN = null; + + public MapAVAPattern(String component) + throws ELdapException { + if (component == null || component.length() == 0) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", component)); + parse(new PushbackReader(new StringReader(component))); + } + + public MapAVAPattern(PushbackReader in) + throws ELdapException { + parse(in); + } + + private void parse(PushbackReader in) + throws ELdapException { + int c; + + // mark ava beginning. + + // skip spaces + //System.out.println("============ AVAPattern Begin ==========="); + //System.out.println("skip spaces"); + + try { + while ((c = in.read()) == ' ' || c == '\t') {//System.out.println("spaces read "+(char)c); + ; + } + } catch (IOException e) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank")); + } + if (c == -1) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank")); + + // $rdn "." number syntax. 
+ + if (c == '$') { + //System.out.println("$rdn syntax"); + mType = TYPE_RDN; + try { + if (in.read() != 'r' || + in.read() != 'd' || + in.read() != 'n' || + in.read() != '.') + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Invalid $ syntax, expecting $rdn")); + } catch (IOException e) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Invalid $ syntax, expecting $rdn")); + } + + StringBuffer rdnNumberBuf = new StringBuffer(); + + try { + while ((c = in.read()) != ',' && c != -1 && c != '+') { + //System.out.println("rdnNumber read "+(char)c); + rdnNumberBuf.append((char) c); + } + if (c != -1) // either ',' or '+' + in.unread(c); + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + + String rdnNumber = rdnNumberBuf.toString().trim(); + + if (rdnNumber.length() == 0) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "$rdn number not set in ava pattern")); + try { + mElement = Integer.parseInt(rdnNumber) - 1; + } catch (NumberFormatException e) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Invalid $rdn number in ava pattern")); + } + return; + } + + // name "=" ... syntax. 
+ + // read name + //System.out.println("reading name"); + + StringBuffer attrBuf = new StringBuffer(); + + try { + while (c != '=' && c != -1 && c != ',' && c != '+') { + attrBuf.append((char) c); + c = in.read(); + //System.out.println("name read "+(char)c); + } + if (c == ',' || c == '+') + in.unread(c); + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + if (c != '=') + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Missing \"=\" in ava pattern")); + + // read value + //System.out.println("reading value"); + + // skip spaces + //System.out.println("skip spaces for value"); + try { + while ((c = in.read()) == ' ' || c == '\t') {//System.out.println("spaces2 read "+(char)c); + ; + } + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + if (c == -1) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "no value after = in ava pattern")); + + if (c == '$') { + // check for $subj $ext or $req + try { + c = in.read(); + //System.out.println("check $dn or $attr read "+(char)c); + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + if (c == -1) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "expecting $subj or $req in ava pattern")); + if (c == 'r') { + try { + if (in.read() != 'e' || + in.read() != 'q' || + in.read() != '.') + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "expecting $req in ava pattern")); + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + mType = TYPE_REQ; + //System.out.println("---- mtype $req"); + } else if (c == 's') { + try { + if (in.read() != 'u' || + in.read() != 'b' || + in.read() != 'j' || + in.read() != 
'.') + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "expecting $subj in ava pattern")); + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + mType = TYPE_SUBJ; + //System.out.println("----- mtype $subj"); + } else if (c == 'e') { + try { + if (in.read() != 'x' || + in.read() != 't' || + in.read() != '.') + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "expecting $ext in ava pattern")); + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + mType = TYPE_EXT; + //System.out.println("----- mtype $ext"); + } else { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "unknown keyword. expecting $subj $ext or $req.")); + } + + // get request attr name of subject dn pattern from above. + String attrName = attrBuf.toString().trim(); + + //System.out.println("----- attrName "+attrName); + if (attrName.length() == 0) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "attribute name expected")); + mAttr = attrName; + + /* + try { + ObjectIdentifier attrOid = + mLdapDNStrConverter.parseAVAKeyword(attrName); + mAttr = mLdapDNStrConverter.encodeOID(attrOid); + //System.out.println("----- mAttr "+mAttr); + } + catch (IOException e) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.toString())); + } + */ + + // get request attribute or cert subject dn attribute + + StringBuffer valueBuf = new StringBuffer(); + + try { + while ((c = in.read()) != ',' && + c != -1 && c != '.' 
&& c != '+') { + //System.out.println("mValue read "+(char)c); + valueBuf.append((char) c); + } + if (c == '+' || c == ',') // either ',' or '+' + in.unread(c); // pushback last , or + + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + + mValue = valueBuf.toString().trim(); + if (mValue.length() == 0) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "$subj or $req attribute name expected")); + //System.out.println("----- mValue "+mValue); + + // get nth dn xxx not nth request attribute . + if (c == '.') { + StringBuffer attrNumberBuf = new StringBuffer(); + + try { + while ((c = in.read()) != ',' && c != -1 && c != '.' + && c != '+') { + //System.out.println("mElement read "+(char)c); + attrNumberBuf.append((char) c); + } + if (c == ',' || c == '+') // either ',' or '+' + in.unread(c); // pushback last , or + + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + String attrNumber = attrNumberBuf.toString().trim(); + + if (attrNumber.length() == 0) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "nth element $req $ext or $subj expected")); + try { + mElement = Integer.parseInt(attrNumber) - 1; + } catch (NumberFormatException e) { + if (TYPE_REQ.equals(mType)) { + mPrefix = mValue; + mValue = attrNumber; + } else if (TYPE_EXT.equals(mType)) { + mGNType = attrNumber; + } else + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Invalid format in nth element $req $ext or $subj")); + + // get nth request attribute . 
+ if (c == '.') { + StringBuffer attrNumberBuf1 = new StringBuffer(); + + try { + while ((c = in.read()) != ',' && c != -1 && c != '+') { + //System.out.println("mElement read "+(char)c); + attrNumberBuf1.append((char) c); + } + if (c != -1) // either ',' or '+' + in.unread(c); // pushback last , or + + } catch (IOException ex) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", ex.toString())); + } + String attrNumber1 = attrNumberBuf1.toString().trim(); + + if (attrNumber1.length() == 0) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "nth element $req expected")); + try { + mElement = Integer.parseInt(attrNumber1) - 1; + } catch (NumberFormatException ex) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Invalid format in nth element $req.")); + + } + } + } + } + //System.out.println("----- mElement "+mElement); + } else { + // value is constant. treat as regular ava. + mType = TYPE_CONSTANT; + //System.out.println("----- mType constant"); + // parse ava value. 
+ StringBuffer valueBuf = new StringBuffer(); + + valueBuf.append((char) c); + // read forward to get attribute value + try { + while ((c = in.read()) != ',' && + c != -1) { + valueBuf.append((char) c); + } + if (c == '+' || c == ',') { // either ',' or '+' + in.unread(c); // pushback last , or + + } + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + try { + AVA ava = mLdapDNStrConverter.parseAVA(attrBuf + "=" + valueBuf); + + mValue = ava.toLdapDNString(); + //System.out.println("----- mValue "+mValue); + } catch (IOException e) { + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.toString())); + } + } + } + + public String formAVA(IRequest req, X500Name subject, CertificateExtensions extensions) + throws ELdapException { + if (TYPE_CONSTANT.equals(mType)) + return mValue; + + if (TYPE_RDN.equals(mType)) { + String dn = subject.toString(); + + if (mTestDN != null) + dn = mTestDN; + //System.out.println("AVAPattern Using dn "+mTestDN); + String[] rdns = LDAPDN.explodeDN(dn, false); + + if (mElement >= rdns.length) + return null; + return rdns[mElement]; + } + + if (TYPE_SUBJ.equals(mType)) { + String dn = subject.toString(); + + if (mTestDN != null) + dn = mTestDN; + //System.out.println("AVAPattern Using dn "+mTestDN); + String[] rdns = LDAPDN.explodeDN(dn, false); + String value = null; + int nFound = -1; + + for (int i = 0; i < rdns.length; i++) { + String[] avas = explodeRDN(rdns[i]); + + for (int j = 0; j < avas.length; j++) { + String[] exploded = explodeAVA(avas[j]); + + if (exploded[0].equalsIgnoreCase(mValue) && + ++nFound == mElement) { + value = exploded[1]; + break; + } + } + } + if (value == null) { + CMS.debug( + "MapAVAPattern: attr " + mAttr + + " not formed from: cert subject " + + dn + + "-- no subject component : " + mValue); + return null; + } + return mAttr + "=" + value; + } + + if (TYPE_EXT.equals(mType)) { + if (extensions != null) 
{ + for (int i = 0; i < extensions.size(); i++) { + Extension ext = (Extension) + extensions.elementAt(i); + String extName = OIDMap.getName(ext.getExtensionId()); + int index = extName.lastIndexOf("."); + + if (index != -1) + extName = extName.substring(index + 1); + if (extName.equals(mValue)) { + // Check the extensions one by one. + // For now, just give subjectAltName as an example. + if (mValue.equalsIgnoreCase(SubjectAlternativeNameExtension.NAME)) { + try { + GeneralNames subjectNames = + (GeneralNames) + ((SubjectAlternativeNameExtension) ext) + .get(SubjectAlternativeNameExtension.SUBJECT_NAME); + + if (subjectNames.size() == 0) + break; + int j = 0; + + for (Enumeration n = subjectNames.elements(); n.hasMoreElements();) { + GeneralName gn = (GeneralName) n.nextElement(); + String gname = gn.toString(); + + index = gname.indexOf(":"); + if (index == -1) + break; + String gType = gname.substring(0, index); + + if (mGNType != null) { + if (mGNType.equalsIgnoreCase(gType)) { + if (mElement == j) { + gname = + gname.substring(index + 2); + return mAttr + "=" + gname; + } else { + j++; + } + } + } else { + if (mElement == j) { + gname = + gname.substring(index + 2); + return mAttr + "=" + gname; + } + j++; + } + } + } catch (IOException e) { + CMS.debug( + "MapAVAPattern: Publishing attr not formed from extension." 
+ + "-- no attr : " + mValue); + } + } + } + } + } + CMS.debug( + "MapAVAPattern: Publishing:attr not formed from extension " + + "-- no attr : " + mValue); + + return null; + } + + if (TYPE_REQ.equals(mType)) { + // mPrefix and mValue are looked up case-insensitive + String reqAttr = req.getExtDataInString(mPrefix, mValue); + if (reqAttr == null) { + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_NO_REQUEST", + mValue, mAttr)); + } + return mAttr + "=" + reqAttr; + } + + return null; + } + + public String getReqAttr() { + if (TYPE_REQ.equals(mType)) + return mValue; + else + return null; + } + + public String getCertAttr() { + if (TYPE_SUBJ.equals(mType)) + return mValue; + else + return null; + } + + /** + * Explode RDN into AVAs. + * Does not handle escaped '+' + * Java ldap library does not yet support multiple avas per rdn. + * If RDN is malformed returns empty array. + */ + public static String[] explodeRDN(String rdn) { + int plus = rdn.indexOf('+'); + + if (plus == -1) + return new String[] { rdn }; + Vector avas = new Vector(); + StringTokenizer token = new StringTokenizer(rdn, "+"); + + while (token.hasMoreTokens()) + avas.addElement(token.nextToken()); + String[] theAvas = new String[avas.size()]; + + avas.copyInto(theAvas); + return theAvas; + } + + /** + * Explode AVA into name and value. + * Does not handle escaped '=' + * If AVA is malformed empty array is returned. + */ + public static String[] explodeAVA(String ava) { + int equals = ava.indexOf('='); + + if (equals == -1) + return null; + return new String[] { + ava.substring(0, equals).trim(), ava.substring(equals + 1).trim() }; + } +} diff --git a/base/common/src/com/netscape/cms/publish/mappers/MapDNPattern.java b/base/common/src/com/netscape/cms/publish/mappers/MapDNPattern.java new file mode 100644 index 000000000..7a9025b1d --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/mappers/MapDNPattern.java 
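Review bot: In formAVA's TYPE_REQ branch the request attribute value is concatenated into the DN without escaping, `return mAttr + "=" + reqAttr;`, so a value carrying `,`, `+` or `=` (for example a `$req.HTTP_PARAMS.uid` value, which presumably originates from the enrollment request) changes the structure of the DN that MapDNPattern.formDN later assembles rather than only the attribute value; the class Javadoc already warns that a wrong DN may be mapped into. Escaping the value per the LDAP DN string rules (the RFC 4514 special characters) before concatenation, or rejecting values that contain them, would keep a request from steering the publish target, and the same applies to the TYPE_EXT branch where `gname.substring(index + 2)` is appended verbatim. Separately, explodeAVA() returns `null` for a component with no `=` although its Javadoc promises an empty array, and the TYPE_SUBJ loop indexes `exploded[0]` without a null check; returning `new String[0]` as documented and guarding the loop with `if (exploded.length < 2) continue;` would avoid a NullPointerException on an unexpected subject string.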
@@ -0,0 +1,201 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.mappers; + +import java.io.IOException; +import java.io.PushbackReader; +import java.io.StringReader; +import java.util.Vector; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.X500Name; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.request.IRequest; + +/** + * class for parsing a DN pattern used to construct a ldap dn from + * request attributes and cert subject name. + *

+ * + * dnpattern is a string representing a ldap dn pattern to formulate from the certificate subject name attributes and + * request attributes . If empty or not set, the certificate subject name will be used as the ldap dn. + *

+ * + * The syntax is + * + *

+ * 	dnPattern := rdnPattern *[ "," rdnPattern ]
+ * 	rdnPattern := avaPattern *[ "+" avaPattern ]
+ * 		avaPattern := name "=" value | 
+ * 			      name "=" "$subj" "." attrName [ "." attrNumber ] | 
+ * 			      name "=" "$req" "." attrName [ "." attrNumber ] | 
+ *     		 	  "$rdn" "." number
+ * 
+ * + *
+ * Example1: cn=Certificate Manager,ou=people,o=mcom.com
+ * cert subject name: dn:  CN=Certificate Manager, OU=people, O=mcom.com
+ * request attributes: uid: cmanager 
+ * 

+ * The dn formulated will be :
+ * CN=Certificate Manager, OU=people, O=mcom.com + *

+ * note: Subordinate ca enrollment will use ca mapper. Use predicate + * to distinguish the ca itself and the subordinates. + * + * Example2: UID=$req.HTTP_PARAMS.uid, OU=$subj.ou, O=people, , O=mcom.com + * cert subject name: dn: UID=jjames, OU=IS, O=people, , O=mcom.com + * request attributes: uid: cmanager + *

+ * The dn formulated will be :
+ * UID=jjames, OU=IS, OU=people, O=mcom.com + *

+ * UID = the 'uid' attribute value in the request.
+ * OU = the 'ou' value in the cert subject name.
+ * O = the string people, mcom.com.
+ *

+ *

+ * + * If an request attribute or subject DN component does not exist, the attribute is skipped. There is potential risk + * that a wrong dn will be mapped into. + * + * @version $Revision$, $Date$ + */ +public class MapDNPattern { + + /* the list of request attriubutes to retrieve*/ + protected String[] mReqAttrs = null; + + /* the list of cert attriubutes to retrieve*/ + protected String[] mCertAttrs = null; + + /* rdn patterns */ + protected MapRDNPattern[] mRDNPatterns = null; + + /* original pattern string */ + protected String mPatternString = null; + + protected String mTestDN = null; + + /** + * Construct a DN pattern by parsing a pattern string. + * + * @param pattern the DN pattern + * @exception EBaseException If parsing error occurs. + */ + public MapDNPattern(String pattern) + throws ELdapException { + if (pattern == null || pattern.equals("")) { + CMS.debug( + "MapDNPattern: null pattern"); + } else { + mPatternString = pattern; + PushbackReader in = new PushbackReader(new StringReader(pattern)); + + parse(in); + } + } + + public MapDNPattern(PushbackReader in) + throws ELdapException { + parse(in); + } + + private void parse(PushbackReader in) + throws ELdapException { + Vector rdnPatterns = new Vector(); + MapRDNPattern rdnPattern = null; + int lastChar = -1; + + do { + rdnPattern = new MapRDNPattern(in); + rdnPatterns.addElement(rdnPattern); + try { + lastChar = in.read(); + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + } while (lastChar == ','); + + mRDNPatterns = new MapRDNPattern[rdnPatterns.size()]; + rdnPatterns.copyInto(mRDNPatterns); + + Vector reqAttrs = new Vector(); + + for (int i = 0; i < mRDNPatterns.length; i++) { + String[] rdnAttrs = mRDNPatterns[i].getReqAttrs(); + + if (rdnAttrs != null && rdnAttrs.length > 0) + for (int j = 0; j < rdnAttrs.length; j++) + reqAttrs.addElement(rdnAttrs[j]); + } + mReqAttrs = new String[reqAttrs.size()]; + 
reqAttrs.copyInto(mReqAttrs); + + Vector certAttrs = new Vector(); + + for (int i = 0; i < mRDNPatterns.length; i++) { + String[] rdnAttrs = mRDNPatterns[i].getCertAttrs(); + + if (rdnAttrs != null && rdnAttrs.length > 0) + for (int j = 0; j < rdnAttrs.length; j++) + certAttrs.addElement(rdnAttrs[j]); + } + mCertAttrs = new String[certAttrs.size()]; + certAttrs.copyInto(mCertAttrs); + } + + /** + * Form a Ldap v3 DN string from a request and a cert subject name. + * + * @param req the request for (un)publish + * @param subject the subjectDN of the certificate + * @return Ldap v3 DN string to use for base ldap search. + */ + public String formDN(IRequest req, X500Name subject, CertificateExtensions ext) + throws ELdapException { + StringBuffer formedDN = new StringBuffer(); + + for (int i = 0; i < mRDNPatterns.length; i++) { + if (mTestDN != null) + mRDNPatterns[i].mTestDN = mTestDN; + String rdn = mRDNPatterns[i].formRDN(req, subject, ext); + + if (rdn != null && rdn.length() != 0) { + if (formedDN.length() != 0) + formedDN.append(","); + formedDN.append(rdn); + } else { + throw new ELdapException("pattern not matched"); + } + } + return formedDN.toString(); + } + + public String[] getReqAttrs() { + return (String[]) mReqAttrs.clone(); + } + + public String[] getCertAttrs() { + return (String[]) mCertAttrs.clone(); + } +} diff --git a/base/common/src/com/netscape/cms/publish/mappers/MapRDNPattern.java b/base/common/src/com/netscape/cms/publish/mappers/MapRDNPattern.java new file mode 100644 index 000000000..c1688345b --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/mappers/MapRDNPattern.java 
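Review bot: formDN() dereferences `mRDNPatterns.length`, but the String constructor leaves `mRDNPatterns`, `mReqAttrs` and `mCertAttrs` at `null` when the pattern is null or empty (it only logs "MapDNPattern: null pattern"), so formDN, getReqAttrs and getCertAttrs throw NullPointerException on such an instance, while the class Javadoc promises that an empty pattern means the certificate subject name is used as the DN. The same shape is in MapRDNPattern, whose String constructor leaves `mAVAPatterns` null and whose formRDN indexes it. Either initialise the arrays to `new MapRDNPattern[0]` / `new String[0]` in the null branch and have formDN return `subject.toString()` when there are no RDN patterns, or document that an empty pattern yields an instance callers must guard (LdapSimpleMap's getInstanceParams does check `mDnPattern == null`, but its init is outside this view). The constructor's `@exception EBaseException` tag also names the wrong type; the method declares `throws ELdapException`.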
@@ -0,0 +1,217 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.mappers; + +import java.io.IOException; +import java.io.PushbackReader; +import java.io.StringReader; +import java.util.Vector; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.X500Name; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.request.IRequest; + +/** + * class for parsing a DN pattern used to construct a ldap dn from + * request attributes and cert subject name. + *

+ * + * dnpattern is a string representing a ldap dn pattern to formulate from the certificate subject name attributes and + * request attributes . If empty or not set, the certificate subject name will be used as the ldap dn. + *

+ * + * The syntax is + * + *

+ * 	dnPattern := rdnPattern *[ "," rdnPattern ]
+ * 	rdnPattern := avaPattern *[ "+" avaPattern ]
+ * 		avaPattern := name "=" value | 
+ * 			      name "=" "$subj" "." attrName [ "." attrNumber ] | 
+ * 			      name "=" "$req" "." attrName [ "." attrNumber ] | 
+ * 			 	  "$rdn" "." number
+ * 
+ * + *
+ * Example1: cn=Certificate Manager,ou=people,o=mcom.com
+ * cert subject name: dn:  CN=Certificate Manager, OU=people, O=mcom.com
+ * request attributes: uid: cmanager 
+ * 

+ * The dn formulated will be :
+ * CN=Certificate Manager, OU=people, O=mcom.com + *

+ * note: Subordinate ca enrollment will use ca mapper. Use predicate + * to distinguish the ca itself and the subordinates. + * + * Example2: UID=$req.HTTP_PARAMS.uid, OU=$subj.ou, O=people, , O=mcom.com + * cert subject name: dn: UID=jjames, OU=IS, O=people, , O=mcom.com + * request attributes: uid: cmanager + *

+ * The dn formulated will be :
+ * UID=jjames, OU=IS, OU=people, O=mcom.com + *

+ * UID = the 'uid' attribute value in the request.
+ * OU = the 'ou' value in the cert subject name.
+ * O = the string people, mcom.com.
+ *

+ *

+ * + * If an request attribute or subject DN component does not exist, the attribute is skipped.There is potential risk that + * a wrong dn will be mapped into. + * + * @version $Revision$, $Date$ + */ +class MapRDNPattern { + + /* the list of request attributes needed by this RDN */ + protected String[] mReqAttrs = null; + + /* the list of cert attributes needed by this RDN */ + protected String[] mCertAttrs = null; + + /* AVA patterns */ + protected MapAVAPattern[] mAVAPatterns = null; + + /* original pattern string */ + protected String mPatternString = null; + + protected String mTestDN = null; + + /** + * Construct a DN pattern by parsing a pattern string. + * + * @param pattenr the DN pattern + * @exception ELdapException If parsing error occurs. + */ + public MapRDNPattern(String pattern) + throws ELdapException { + if (pattern == null || pattern.equals("")) { + CMS.debug( + "MapDNPattern: null pattern"); + } else { + mPatternString = pattern; + PushbackReader in = new PushbackReader(new StringReader(pattern)); + + parse(in); + } + } + + /** + * Construct a DN pattern from a input stream of pattern + */ + public MapRDNPattern(PushbackReader in) + throws ELdapException { + parse(in); + } + + private void parse(PushbackReader in) + throws ELdapException { + //System.out.println("_________ begin rdn _________"); + Vector avaPatterns = new Vector(); + MapAVAPattern avaPattern = null; + int lastChar; + + do { + avaPattern = new MapAVAPattern(in); + avaPatterns.addElement(avaPattern); + //System.out.println("added AVAPattern"+ + //" mType "+avaPattern.mType+ + //" mAttr "+avaPattern.mAttr+ + //" mValue "+avaPattern.mValue+ + //" mElement "+avaPattern.mElement); + try { + lastChar = in.read(); + } catch (IOException e) { + throw new ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + } while (lastChar == '+'); + + if (lastChar != -1) { + try { + in.unread(lastChar); // pushback last , + } catch (IOException e) { + throw new 
ELdapException( + CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + } + + mAVAPatterns = new MapAVAPattern[avaPatterns.size()]; + avaPatterns.copyInto(mAVAPatterns); + + Vector reqAttrs = new Vector(); + + for (int i = 0; i < mAVAPatterns.length; i++) { + String avaAttr = mAVAPatterns[i].getReqAttr(); + + if (avaAttr == null || avaAttr.length() == 0) + continue; + reqAttrs.addElement(avaAttr); + } + mReqAttrs = new String[reqAttrs.size()]; + reqAttrs.copyInto(mReqAttrs); + + Vector certAttrs = new Vector(); + + for (int i = 0; i < mAVAPatterns.length; i++) { + String avaAttr = mAVAPatterns[i].getCertAttr(); + + if (avaAttr == null || avaAttr.length() == 0) + continue; + certAttrs.addElement(avaAttr); + } + mCertAttrs = new String[certAttrs.size()]; + certAttrs.copyInto(mCertAttrs); + } + + /** + * Form a Ldap v3 DN string from a request and a cert subject name. + * + * @param req the request for (un)publish + * @param subject the subjectDN of the certificate + * @return Ldap v3 DN string to use for base ldap search. + */ + public String formRDN(IRequest req, X500Name subject, CertificateExtensions ext) + throws ELdapException { + StringBuffer formedRDN = new StringBuffer(); + + for (int i = 0; i < mAVAPatterns.length; i++) { + if (mTestDN != null) + mAVAPatterns[i].mTestDN = mTestDN; + String ava = mAVAPatterns[i].formAVA(req, subject, ext); + + if (ava != null && ava.length() > 0) { + if (formedRDN.length() != 0) + formedRDN.append("+"); + formedRDN.append(ava); + } + } + //System.out.println("formed RDN "+formedRDN.toString()); + return formedRDN.toString(); + } + + public String[] getReqAttrs() { + return (String[]) mReqAttrs.clone(); + } + + public String[] getCertAttrs() { + return (String[]) mCertAttrs.clone(); + } +} diff --git a/base/common/src/com/netscape/cms/publish/mappers/NoMap.java b/base/common/src/com/netscape/cms/publish/mappers/NoMap.java new file mode 100644 index 000000000..155c54ce0 --- /dev/null 
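Review bot: The String constructor's debug message reads `"MapDNPattern: null pattern"` although this is MapRDNPattern, and its Javadoc has `@param pattenr the DN pattern` for a parameter that is an RDN pattern; `"MapRDNPattern: null pattern"` and `@param pattern the RDN pattern` would make log searches and generated docs match the class. formRDN's Javadoc is likewise copied from formDN ("Form a Ldap v3 DN string ... base ldap search") and should say it returns a single RDN with its AVAs joined by `+`, and note that an AVA whose formAVA returns null is silently dropped, so the RDN can come back empty and MapDNPattern.formDN then rejects the DN with "pattern not matched".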
+++ b/base/common/src/com/netscape/cms/publish/mappers/NoMap.java 
@@ -0,0 +1,104 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.mappers; + +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPConnection; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.publish.ILdapMapper; +import com.netscape.certsrv.request.IRequest; + +/** + * No Map + * + * @version $Revision$, $Date$ + */ +public class NoMap implements ILdapMapper, IExtendedPluginInfo { + + public IConfigStore mConfig = null; + + /** + * constructor if initializing from config store. + */ + public NoMap() { + } + + public String[] getExtendedPluginInfo(Locale locale) { + String params[] = { + IExtendedPluginInfo.HELP_TOKEN + ";configuration-ldappublish-mapper-simplemapper", + IExtendedPluginInfo.HELP_TEXT + ";Describes how to form the name of the entry to publish to" + }; + + return params; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + /** + * for initializing from config store. 
+ */ + public void init(IConfigStore config) + throws EBaseException { + mConfig = config; + } + + /** + * Maps a X500 subject name to LDAP entry. + * Uses DN pattern to form a DN for a LDAP base search. + * + * @param conn the LDAP connection. + * @param obj the object to map. + * @exception ELdapException if any LDAP exceptions occured. + */ + public String map(LDAPConnection conn, Object obj) + throws ELdapException { + return null; + } + + public String map(LDAPConnection conn, IRequest req, Object obj) + throws ELdapException { + return null; + } + + public String getImplName() { + return "NoMap"; + } + + public String getDescription() { + return "NoMap"; + } + + public Vector getDefaultParams() { + Vector v = new Vector(); + return v; + } + + public Vector getInstanceParams() { + Vector v = new Vector(); + return v; + } + +} diff --git a/base/common/src/com/netscape/cms/publish/publishers/FileBasedPublisher.java b/base/common/src/com/netscape/cms/publish/publishers/FileBasedPublisher.java new file mode 100644 index 000000000..cb13b2452 --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/publishers/FileBasedPublisher.java 
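Review bot: The Javadoc on `map(LDAPConnection, Object)` says it "Uses DN pattern to form a DN for a LDAP base search", but both `map` overloads return `null` unconditionally, so the comment describes a different mapper's behaviour. Replace it with a comment stating the actual contract, e.g. `Performs no mapping and always returns null.`; how the publishing layer treats that null is not visible in this file and should be confirmed before documenting it further. The help token `configuration-ldappublish-mapper-simplemapper` in `getExtendedPluginInfo` also looks like it belongs to another mapper rather than to `NoMap`.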
@@ -0,0 +1,443 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.publishers; + +import java.io.ByteArrayOutputStream; +import java.io.File; +import java.io.FileOutputStream; +import java.io.FilterOutputStream; +import java.io.IOException; +import java.io.PrintStream; +import java.math.BigInteger; +import java.security.cert.CRLException; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509CRL; +import java.security.cert.X509Certificate; +import java.util.Locale; +import java.util.TimeZone; +import java.util.Vector; +import java.util.zip.ZipEntry; +import java.util.zip.ZipOutputStream; + +import netscape.ldap.LDAPConnection; + +import org.mozilla.jss.util.Base64OutputStream; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapPublisher; +import com.netscape.cmsutil.util.Utils; + +/** + * This publisher writes certificate and CRL into + * a directory. 
+ * + * @version $Revision$, $Date$ + */ +public class FileBasedPublisher implements ILdapPublisher, IExtendedPluginInfo { + private static final String PROP_DIR = "directory"; + private static final String PROP_DER = "Filename.der"; + private static final String PROP_B64 = "Filename.b64"; + private static final String PROP_LNK = "latestCrlLink"; + private static final String PROP_GMT = "timeStamp"; + private static final String PROP_EXT = "crlLinkExt"; + private static final String PROP_ZIP = "zipCRLs"; + private static final String PROP_LEV = "zipLevel"; + private IConfigStore mConfig = null; + private String mDir = null; + private ILogger mLogger = CMS.getLogger(); + private String mCrlIssuingPointId; + protected boolean mDerAttr = true; + protected boolean mB64Attr = false; + protected boolean mLatestCRL = false; + protected boolean mZipCRL = false; + protected String mTimeStamp = null; + protected String mLinkExt = null; + protected int mZipLevel = 9; + + public void setIssuingPointId(String crlIssuingPointId) { + mCrlIssuingPointId = crlIssuingPointId; + } + + /** + * Returns the implementation name. + */ + public String getImplName() { + return "FileBasedPublisher"; + } + + /** + * Returns the description of the ldap publisher. + */ + + public String getDescription() { + return "This publisher writes the Certificates and CRLs into files."; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_DIR + + ";string;Directory in which to put the files (absolute path or relative path to cert-* instance directory).", + PROP_DER + ";boolean;Store certificates or CRLs into *.der files.", + PROP_B64 + ";boolean;Store certificates or CRLs into *.b64 files.", + PROP_GMT + + ";choice(LocalTime,GMT);Use local time or GMT to time stamp CRL file name with CRL's 'thisUpdate' field.", + PROP_LNK + + ";boolean;Generate link to the latest binary CRL. 
It requires '" + PROP_DER + + "' to be enabled.", + PROP_EXT + + ";string;Name extension used by link to the latest CRL. Default name extension is 'der'.", + PROP_ZIP + ";boolean;Generate compressed CRLs.", + PROP_LEV + ";choice(0,1,2,3,4,5,6,7,8,9);Set compression level from 0 to 9.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ldappublish-publisher-filepublisher", + IExtendedPluginInfo.HELP_TEXT + + + ";Stores the certificates or CRLs into files. Certificate is named as cert-.der or *.b64, and CRL is named as -.der or *.b64." + }; + + return params; + } + + /** + * Returns the current instance parameters. + */ + public Vector getInstanceParams() { + Vector v = new Vector(); + String dir = ""; + String ext = ""; + + try { + dir = mConfig.getString(PROP_DIR); + } catch (EBaseException e) { + } + try { + ext = mConfig.getString(PROP_EXT); + } catch (EBaseException e) { + } + try { + mTimeStamp = mConfig.getString(PROP_GMT); + } catch (EBaseException e) { + } + try { + mZipLevel = mConfig.getInteger(PROP_LEV, 9); + } catch (EBaseException e) { + } + try { + if (mTimeStamp == null || (!mTimeStamp.equals("GMT"))) + mTimeStamp = "LocalTime"; + v.addElement(PROP_DIR + "=" + dir); + v.addElement(PROP_DER + "=" + mConfig.getBoolean(PROP_DER, true)); + v.addElement(PROP_B64 + "=" + mConfig.getBoolean(PROP_B64, false)); + v.addElement(PROP_GMT + "=" + mTimeStamp); + v.addElement(PROP_LNK + "=" + mConfig.getBoolean(PROP_LNK, false)); + v.addElement(PROP_EXT + "=" + ext); + v.addElement(PROP_ZIP + "=" + mConfig.getBoolean(PROP_ZIP, false)); + v.addElement(PROP_LEV + "=" + mZipLevel); + } catch (Exception e) { + } + return v; + } + + /** + * Returns the initial default parameters. 
+ */ + public Vector getDefaultParams() { + Vector v = new Vector(); + + v.addElement(PROP_DIR + "="); + v.addElement(PROP_DER + "=true"); + v.addElement(PROP_B64 + "=false"); + v.addElement(PROP_GMT + "=LocalTime"); + v.addElement(PROP_LNK + "=false"); + v.addElement(PROP_EXT + "="); + v.addElement(PROP_ZIP + "=false"); + v.addElement(PROP_LEV + "=9"); + return v; + } + + /** + * Initializes this plugin. + */ + public void init(IConfigStore config) { + mConfig = config; + String dir = null; + + try { + dir = mConfig.getString(PROP_DIR, null); + mDerAttr = mConfig.getBoolean(PROP_DER, true); + mB64Attr = mConfig.getBoolean(PROP_B64, false); + mTimeStamp = mConfig.getString(PROP_GMT, "LocalTime"); + mLatestCRL = mConfig.getBoolean(PROP_LNK, false); + mLinkExt = mConfig.getString(PROP_EXT, null); + mZipCRL = mConfig.getBoolean(PROP_ZIP, false); + mZipLevel = mConfig.getInteger(PROP_LEV, 9); + } catch (EBaseException e) { + } + if (dir == null) { + throw new RuntimeException("No Directory Specified"); + } + + // convert to forward slash + dir = dir.replace('\\', '/'); + config.putString(PROP_DIR, dir); + + File dirCheck = new File(dir); + + if (dirCheck.isDirectory()) { + mDir = dir; + } else { + // maybe it is relative path + String mInstanceRoot = null; + + try { + mInstanceRoot = CMS.getConfigStore().getString("instanceRoot"); + } catch (Exception e) { + throw new RuntimeException("Invalid Instance Dir " + e); + } + dirCheck = new File(mInstanceRoot + + File.separator + dir); + if (dirCheck.isDirectory()) { + mDir = mInstanceRoot + File.separator + dir; + } else { + throw new RuntimeException("Invalid Directory " + dir); + } + } + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + private String[] getCrlNamePrefix(X509CRL crl, boolean useGMT) { + String[] namePrefix = { "crl", "crl" }; + + if (mCrlIssuingPointId != null && mCrlIssuingPointId.length() != 0) { + namePrefix[0] = mCrlIssuingPointId; + namePrefix[1] = mCrlIssuingPointId; + } + 
java.text.SimpleDateFormat format = new java.text.SimpleDateFormat("yyyyMMdd-HHmmss"); + TimeZone tz = TimeZone.getTimeZone("GMT"); + if (useGMT) + format.setTimeZone(tz); + String timeStamp = format.format(crl.getThisUpdate()).toString(); + namePrefix[0] += "-" + timeStamp; + if (((netscape.security.x509.X509CRLImpl) crl).isDeltaCRL()) { + namePrefix[0] += "-delta"; + namePrefix[1] += "-delta"; + } + + return namePrefix; + } + + private void createLink(String linkName, String fileName) { + String cmd = "ln -s " + fileName + " " + linkName + ".new"; + if (com.netscape.cmsutil.util.Utils.exec(cmd)) { + File oldLink = new File(linkName + ".old"); + if (oldLink.exists()) { // remove old link if exists + oldLink.delete(); + } + File link = new File(linkName); + if (link.exists()) { // current link becomes an old link + link.renameTo(new File(linkName + ".old")); + } + File newLink = new File(linkName + ".new"); + if (newLink.exists()) { // new link becomes current link + newLink.renameTo(new File(linkName)); + } + oldLink = new File(linkName + ".old"); + if (oldLink.exists()) { // remove a new old link + oldLink.delete(); + } + } else { + CMS.debug("FileBasedPublisher: createLink: '" + cmd + "' --- failed"); + } + } + + /** + * Publishs a object to the ldap directory. 
+ * + * @param conn a Ldap connection + * (null if LDAP publishing is not enabled) + * @param dn dn of the ldap entry to publish cert + * (null if LDAP publishing is not enabled) + * @param object object to publish + * (java.security.cert.X509Certificate or, + * java.security.cert.X509CRL) + */ + public void publish(LDAPConnection conn, String dn, Object object) + throws ELdapException { + CMS.debug("FileBasedPublisher: publish"); + try { + if (object instanceof X509Certificate) { + X509Certificate cert = (X509Certificate) object; + BigInteger sno = cert.getSerialNumber(); + String name = mDir + + File.separator + "cert-" + + sno.toString(); + if (mDerAttr) { + String fileName = name + ".der"; + FileOutputStream fos = new FileOutputStream(fileName); + fos.write(cert.getEncoded()); + fos.close(); + } + if (mB64Attr) { + String fileName = name + ".b64"; + FileOutputStream fos = new FileOutputStream(fileName); + ByteArrayOutputStream output = new ByteArrayOutputStream(); + Base64OutputStream b64 = + new Base64OutputStream(new PrintStream(new FilterOutputStream(output))); + b64.write(cert.getEncoded()); + b64.flush(); + (new PrintStream(fos)).print(output.toString("8859_1")); + fos.close(); + } + } else if (object instanceof X509CRL) { + X509CRL crl = (X509CRL) object; + String[] namePrefix = getCrlNamePrefix(crl, mTimeStamp.equals("GMT")); + String baseName = mDir + File.separator + namePrefix[0]; + String tempFile = baseName + ".temp"; + FileOutputStream fos; + ZipOutputStream zos; + byte[] encodedArray = null; + File destFile = null; + String destName = null; + File renameFile = null; + + if (mDerAttr) { + fos = new FileOutputStream(tempFile); + encodedArray = crl.getEncoded(); + fos.write(encodedArray); + fos.close(); + if (mZipCRL) { + zos = new ZipOutputStream(new FileOutputStream(baseName + ".zip")); + zos.setLevel(mZipLevel); + zos.putNextEntry(new ZipEntry(baseName + ".der")); + zos.write(encodedArray, 0, encodedArray.length); + zos.closeEntry(); + 
zos.close(); + } + destName = baseName + ".der"; + destFile = new File(destName); + + if (destFile.exists()) + destFile.delete(); + renameFile = new File(tempFile); + renameFile.renameTo(destFile); + + if (mLatestCRL) { + String linkExt = "."; + if (mLinkExt != null && mLinkExt.length() > 0) { + linkExt += mLinkExt; + } else { + linkExt += "der"; + } + String linkName = mDir + File.separator + namePrefix[1] + linkExt; + createLink(linkName, destName); + if (mZipCRL) { + linkName = mDir + File.separator + namePrefix[1] + ".zip"; + createLink(linkName, baseName + ".zip"); + } + } + } + + // output base64 file + if (mB64Attr == true) { + if (encodedArray == null) + encodedArray = crl.getEncoded(); + + fos = new FileOutputStream(tempFile); + fos.write(Utils.base64encode(encodedArray).getBytes()); + fos.close(); + destName = baseName + ".b64"; + destFile = new File(destName); + + if (destFile.exists()) + destFile.delete(); + renameFile = new File(tempFile); + renameFile.renameTo(destFile); + } + } + } catch (IOException e) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_FILE_PUBLISHER_ERROR", e.toString())); + } catch (CertificateEncodingException e) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_FILE_PUBLISHER_ERROR", e.toString())); + } catch (CRLException e) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_FILE_PUBLISHER_ERROR", e.toString())); + } + } + + /** + * Unpublishs a object to the ldap directory. 
+ * + * @param conn the Ldap connection + * (null if LDAP publishing is not enabled) + * @param dn dn of the ldap entry to unpublish cert + * (null if LDAP publishing is not enabled) + * @param object object to unpublish + * (java.security.cert.X509Certificate) + */ + public void unpublish(LDAPConnection conn, String dn, Object object) + throws ELdapException { + CMS.debug("FileBasedPublisher: unpublish"); + String name = mDir + File.separator; + String fileName; + + if (object instanceof X509Certificate) { + X509Certificate cert = (X509Certificate) object; + BigInteger sno = cert.getSerialNumber(); + name += "cert-" + sno.toString(); + } else if (object instanceof X509CRL) { + X509CRL crl = (X509CRL) object; + String[] namePrefix = getCrlNamePrefix(crl, mTimeStamp.equals("GMT")); + name += namePrefix[0]; + + fileName = name + ".zip"; + File f = new File(fileName); + f.delete(); + } + fileName = name + ".der"; + File f = new File(fileName); + f.delete(); + + fileName = name + ".b64"; + f = new File(fileName); + f.delete(); + } + + /** + * returns the Der attribute where it'll be published. + */ + public boolean getDerAttr() { + return mDerAttr; + } + + /** + * returns the B64 attribute where it'll be published. + */ + public boolean getB64Attr() { + return mB64Attr; + } +} diff --git a/base/common/src/com/netscape/cms/publish/publishers/LdapCaCertPublisher.java b/base/common/src/com/netscape/cms/publish/publishers/LdapCaCertPublisher.java new file mode 100644 index 000000000..e47318b76 --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/publishers/LdapCaCertPublisher.java 
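Review bot: In `publish`, the return values of `destFile.delete()` and `renameFile.renameTo(destFile)` are ignored in both the `.der` and `.b64` branches, so a failed rename of the `.temp` file leaves the previously published CRL (or no CRL at all) in place with nothing logged. Check the result and report it through the existing channel, e.g. `if (!renameFile.renameTo(destFile)) mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_FILE_PUBLISHER_ERROR", "cannot rename " + tempFile + " to " + destName));`. The `FileOutputStream`s in the same method are closed only on the success path; an `IOException` from `write` is caught and logged but the descriptor is never closed, so each `fos.close()` belongs in a `finally`. Separately, `createLink` assembles `ln -s` as a single string from `mDir`, the issuing-point id and `mLinkExt`, which breaks for names containing whitespace; if the build targets Java 7 or later, `java.nio.file.Files.createSymbolicLink` would avoid the external command entirely.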
@@ -0,0 +1,421 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.publishers; + +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPModification; +import netscape.ldap.LDAPModificationSet; +import netscape.ldap.LDAPSSLSocketFactoryExt; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.ldap.ELdapServerDownException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapPublisher; + +/** + * Interface for publishing a CA certificate to + * + * @version $Revision$, $Date$ + */ +public class LdapCaCertPublisher + implements ILdapPublisher, IExtendedPluginInfo { + public static final String LDAP_CACERT_ATTR 
= "caCertificate;binary"; + public static final String LDAP_CA_OBJECTCLASS = "pkiCA"; + public static final String LDAP_ARL_ATTR = "authorityRevocationList;binary"; + public static final String LDAP_CRL_ATTR = "certificateRevocationList;binary"; + + protected String mCaCertAttr = LDAP_CACERT_ATTR; + protected String mCaObjectclass = LDAP_CA_OBJECTCLASS; + protected String mObjAdded = ""; + protected String mObjDeleted = ""; + + private ILogger mLogger = CMS.getLogger(); + private boolean mInited = false; + protected IConfigStore mConfig = null; + private String mcrlIssuingPointId; + + /** + * constructor constructs default values. + */ + public LdapCaCertPublisher() { + } + + public String[] getExtendedPluginInfo(Locale locale) { + String s[] = { + "caCertAttr;string;Name of Ldap attribute in which to store certificate", + "caObjectClass;string;The name of the objectclasses which should be " + + "added to this entry, if they do not already exist. This can be " + + "'certificationAuthority' (if using RFC 2256) or 'pkiCA' (if using RFC 4523)", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ldappublish-publisher-cacertpublisher", + IExtendedPluginInfo.HELP_TEXT + + ";This plugin knows how to publish the CA cert to " + + "'certificateAuthority' and 'pkiCA' -type entries" + }; + + return s; + } + + public String getImplName() { + return "LdapCaCertPublisher"; + } + + public String getDescription() { + return "LdapCaCertPublisher"; + } + + public Vector getInstanceParams() { + Vector v = new Vector(); + + v.addElement("caCertAttr=" + mCaCertAttr); + v.addElement("caObjectClass=" + mCaObjectclass); + return v; + } + + public Vector getDefaultParams() { + Vector v = new Vector(); + + v.addElement("caCertAttr=" + mCaCertAttr); + v.addElement("caObjectClass=" + mCaObjectclass); + return v; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + public void init(IConfigStore config) + throws EBaseException { + if (mInited) + return; + mConfig = config; 
+ mCaCertAttr = mConfig.getString("caCertAttr", LDAP_CACERT_ATTR); + mCaObjectclass = mConfig.getString("caObjectClass", + LDAP_CA_OBJECTCLASS); + mObjAdded = mConfig.getString("caObjectClassAdded", ""); + mObjDeleted = mConfig.getString("caObjectClassDeleted", ""); + mInited = true; + } + + // don't think anyone would ever use this but just in case. + public LdapCaCertPublisher(String caCertAttr, String caObjectclass) { + mCaCertAttr = caCertAttr; + mCaObjectclass = caObjectclass; + mInited = true; + } + + /** + * Gets the CA object class to convert to. + */ + public String getCAObjectclass() { + return mCaObjectclass; + } + + /** + * returns the ca cert attribute where it'll be published. + */ + public String getCaCertAttrName() { + return mCaCertAttr; + } + + /** + * publish a CA certificate + * Adds the cert to the multi-valued certificate attribute as a + * DER encoded binary blob. Does not check if cert already exists. + * Converts the class to certificateAuthority. + * + * @param conn the LDAP connection + * @param dn dn of the entry to publish the certificate + * @param certObj the certificate object. 
+ */ + public void publish(LDAPConnection conn, String dn, Object certObj) + throws ELdapException { + if (conn == null) { + log(ILogger.LL_INFO, "LdapCaCertPublisher: no LDAP connection"); + return; + } + + try { + mCaCertAttr = mConfig.getString("caCertAttr", LDAP_CACERT_ATTR); + mCaObjectclass = mConfig.getString("caObjectClass", LDAP_CA_OBJECTCLASS); + } catch (EBaseException e) { + } + + // Bugscape #56124 - support multiple publishing directory + // see if we should create local connection + LDAPConnection altConn = null; + try { + String host = mConfig.getString("host", null); + String port = mConfig.getString("port", null); + if (host != null && port != null) { + int portVal = Integer.parseInt(port); + int version = Integer.parseInt(mConfig.getString("version", "2")); + String cert_nick = mConfig.getString("clientCertNickname", null); + LDAPSSLSocketFactoryExt sslSocket = null; + if (cert_nick != null) { + sslSocket = CMS.getLdapJssSSLSocketFactory(cert_nick); + } + String mgr_dn = mConfig.getString("bindDN", null); + String mgr_pwd = mConfig.getString("bindPWD", null); + + altConn = CMS.getBoundConnection(host, portVal, + version, + sslSocket, mgr_dn, mgr_pwd); + conn = altConn; + } + } catch (LDAPException e) { + CMS.debug("Failed to create alt connection " + e); + } catch (EBaseException e) { + CMS.debug("Failed to create alt connection " + e); + } + + if (!(certObj instanceof X509Certificate)) + throw new IllegalArgumentException("Illegal arg to publish"); + + X509Certificate cert = (X509Certificate) certObj; + + try { + byte[] certEnc = cert.getEncoded(); + + /* search for attribute names to determine existence of attributes */ + LDAPSearchResults res = + conn.search(dn, LDAPv2.SCOPE_BASE, "(objectclass=*)", + new String[] { LDAP_CRL_ATTR, LDAP_ARL_ATTR }, true); + LDAPEntry entry = res.next(); + LDAPAttribute arls = entry.getAttribute(LDAP_ARL_ATTR); + LDAPAttribute crls = entry.getAttribute(LDAP_CRL_ATTR); + + /* search for objectclass and caCert 
values */ + LDAPSearchResults res1 = + conn.search(dn, LDAPv2.SCOPE_BASE, "(objectclass=*)", + new String[] { "objectclass", mCaCertAttr }, false); + LDAPEntry entry1 = res1.next(); + LDAPAttribute ocs = entry1.getAttribute("objectclass"); + LDAPAttribute certs = entry1.getAttribute(mCaCertAttr); + + boolean hasCert = + LdapUserCertPublisher.ByteValueExists(certs, certEnc); + + LDAPModificationSet modSet = new LDAPModificationSet(); + + if (hasCert) { + log(ILogger.LL_INFO, "publish: CA " + dn + " already has Cert"); + } else { + /* + fix for 360458 - if no cert, use add, if has cert but + not equal, use replace + */ + if (certs == null) { + modSet.add(LDAPModification.ADD, + new LDAPAttribute(mCaCertAttr, certEnc)); + log(ILogger.LL_INFO, "CA cert added"); + } else { + modSet.add(LDAPModification.REPLACE, + new LDAPAttribute(mCaCertAttr, certEnc)); + log(ILogger.LL_INFO, "CA cert replaced"); + } + } + + String[] oclist = mCaObjectclass.split(","); + + boolean attrsAdded = false; + for (int i = 0; i < oclist.length; i++) { + String oc = oclist[i].trim(); + boolean hasoc = LdapUserCertPublisher.StringValueExists(ocs, oc); + if (!hasoc) { + log(ILogger.LL_INFO, "adding CA objectclass " + oc + " to " + dn); + modSet.add(LDAPModification.ADD, + new LDAPAttribute("objectclass", oc)); + + if ((!attrsAdded) && oc.equalsIgnoreCase("certificationAuthority")) { + // add MUST attributes + if (arls == null) + modSet.add(LDAPModification.ADD, + new LDAPAttribute(LDAP_ARL_ATTR, "")); + if (crls == null) + modSet.add(LDAPModification.ADD, + new LDAPAttribute(LDAP_CRL_ATTR, "")); + attrsAdded = true; + } + } + } + + // delete objectclasses that have been deleted from config + String[] delList = mObjDeleted.split(","); + if (delList.length > 0) { + for (int i = 0; i < delList.length; i++) { + String deloc = delList[i].trim(); + boolean hasoc = LdapUserCertPublisher.StringValueExists(ocs, deloc); + boolean match = false; + for (int j = 0; j < oclist.length; j++) { + if 
((oclist[j].trim()).equals(deloc)) { + match = true; + break; + } + } + if (!match && hasoc) { + log(ILogger.LL_INFO, "deleting CA objectclass " + deloc + " from " + dn); + modSet.add(LDAPModification.DELETE, + new LDAPAttribute("objectclass", deloc)); + } + } + } + + // reset mObjAdded and mObjDeleted, if needed + if ((!mObjAdded.equals("")) || (!mObjDeleted.equals(""))) { + mObjAdded = ""; + mObjDeleted = ""; + mConfig.putString("caObjectClassAdded", ""); + mConfig.putString("caObjectClassDeleted", ""); + try { + mConfig.commit(false); + } catch (Exception e) { + log(ILogger.LL_INFO, "Failure in updating mObjAdded and mObjDeleted"); + } + } + + if (modSet.size() > 0) + conn.modify(dn, modSet); + } catch (CertificateEncodingException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CANT_DECODE_CERT", dn)); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString())); + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_PUBLISHER_EXCEPTION", "", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_PUBLISH_CACERT_ERROR", e.toString())); + } + } finally { + if (altConn != null) { + try { + altConn.disconnect(); + } catch (LDAPException e) { + // safely ignored + } + } + } + + return; + } + + /** + * deletes the certificate from CA's certificate attribute. + * if it's the last cert will also remove the certificateAuthority + * objectclass. 
+ */ + public void unpublish(LDAPConnection conn, String dn, Object certObj) + throws ELdapException { + if (!(certObj instanceof X509Certificate)) + throw new IllegalArgumentException("Illegal arg to publish"); + + X509Certificate cert = (X509Certificate) certObj; + + try { + mCaCertAttr = mConfig.getString("caCertAttr", LDAP_CACERT_ATTR); + mCaObjectclass = mConfig.getString("caObjectClass", LDAP_CA_OBJECTCLASS); + } catch (EBaseException e) { + } + + try { + byte[] certEnc = cert.getEncoded(); + + LDAPSearchResults res = + conn.search(dn, LDAPv2.SCOPE_BASE, "(objectclass=*)", + new String[] { mCaCertAttr, "objectclass" }, false); + + LDAPEntry entry = res.next(); + LDAPAttribute certs = entry.getAttribute(mCaCertAttr); + LDAPAttribute ocs = entry.getAttribute("objectclass"); + + boolean hasCert = + LdapUserCertPublisher.ByteValueExists(certs, certEnc); + + if (!hasCert) { + log(ILogger.LL_INFO, "unpublish: " + dn + " has not cert already"); + //throw new ELdapException( + // LdapResources.ALREADY_UNPUBLISHED_1, dn); + return; + } + + LDAPModificationSet modSet = new LDAPModificationSet(); + + modSet.add(LDAPModification.DELETE, + new LDAPAttribute(mCaCertAttr, certEnc)); + if (certs.size() == 1) { + // if last ca cert, remove oc also. 
+ + String[] oclist = mCaObjectclass.split(","); + for (int i = 0; i < oclist.length; i++) { + String oc = oclist[i].trim(); + boolean hasOC = LdapUserCertPublisher.StringValueExists(ocs, oc); + if (hasOC) { + log(ILogger.LL_INFO, "unpublish: deleting CA oc" + oc + " from " + dn); + modSet.add(LDAPModification.DELETE, + new LDAPAttribute("objectclass", oc)); + } + } + } + conn.modify(dn, modSet); + } catch (CertificateEncodingException e) { + CMS.debug("LdapCaCertPublisher: unpublish: Cannot decode cert for " + dn); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString())); + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_UNPUBLISH_CACERT_ERROR", e.toString())); + } + } + return; + } + + /** + * handy routine for logging in this class. + */ + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level, + "LdapCaPublisher: " + msg); + } + +} diff --git a/base/common/src/com/netscape/cms/publish/publishers/LdapCertSubjPublisher.java b/base/common/src/com/netscape/cms/publish/publishers/LdapCertSubjPublisher.java new file mode 100644 index 000000000..9000f6834 --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/publishers/LdapCertSubjPublisher.java 
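Review bot: `unpublish` dereferences `conn` at `conn.search(...)` without the `conn == null` guard that `publish` has, so calling it when LDAP publishing is disabled (the null-connection case documented on the sibling publishers in this commit) ends in a `NullPointerException` instead of the logged no-op; add the same guard at the top: `if (conn == null) { log(ILogger.LL_INFO, "LdapCaCertPublisher: no LDAP connection"); return; }`. `unpublish` also never builds the alternate connection that `publish` creates from `host`/`port`/`bindDN`/`bindPWD`, so when that alternate directory is configured the removal appears to be attempted against the default connection; moving the alt-connection block into a private helper used by both methods would keep them consistent. The empty `catch (EBaseException e) { }` blocks that re-read `caCertAttr`/`caObjectClass` in both methods swallow the error and deserve at least a `CMS.debug` line. The `IllegalArgumentException` raised in `unpublish` still says "Illegal arg to publish".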
@@ -0,0 +1,345 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.publishers; + +import java.io.IOException; +import java.security.cert.CertificateEncodingException; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.Enumeration; +import java.util.Vector; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPModification; +import netscape.ldap.LDAPModificationSet; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.ldap.ELdapServerDownException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapPublisher; + +/** + * Interface for mapping a X509 certificate to a LDAP entry + * Publishes a certificate as binary and its subject name. 
+ * there is one subject name value for each certificate. + * + * @version $Revision$, $Date$ + */ +public class LdapCertSubjPublisher implements ILdapPublisher { + public static final String LDAP_CERTSUBJNAME_ATTR = "certSubjectName"; + protected String mCertAttr = LdapUserCertPublisher.LDAP_USERCERT_ATTR; + protected String mSubjNameAttr = LDAP_CERTSUBJNAME_ATTR; + + private ILogger mLogger = CMS.getLogger(); + private boolean mInited = false; + protected IConfigStore mConfig = null; + + /** + * constructor using default certificate subject name and attribute for + * publishing subject name. + */ + public LdapCertSubjPublisher() { + } + + public String getImplName() { + return "LdapCertSubjPublisher"; + } + + public String getDescription() { + return "LdapCertSubjPublisher"; + } + + public Vector getInstanceParams() { + Vector v = new Vector(); + + v.addElement("certAttr=" + mCertAttr); + v.addElement("subjectNameAttr=" + mSubjNameAttr); + return v; + } + + public Vector getDefaultParams() { + Vector v = new Vector(); + + v.addElement("certAttr=" + mCertAttr); + v.addElement("subjectNameAttr=" + mSubjNameAttr); + return v; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + public void init(IConfigStore config) + throws EBaseException { + if (mInited) + return; + mConfig = config; + mCertAttr = mConfig.getString("certAttr", + LdapUserCertPublisher.LDAP_USERCERT_ATTR); + mSubjNameAttr = mConfig.getString("certSubjectName", + LDAP_CERTSUBJNAME_ATTR); + mInited = true; + } + + /** + * constrcutor using specified certificate attribute and + * certificate subject name attribute. 
+ */ + public LdapCertSubjPublisher(String certAttr, String subjNameAttr) { + mCertAttr = certAttr; + mSubjNameAttr = subjNameAttr; + } + + public String getCertAttr() { + return mCertAttr; + } + + public String getSubjNameAttr() { + return mSubjNameAttr; + } + + public void setSubjNameAttr(String subjNameAttr) { + mSubjNameAttr = subjNameAttr; + } + + public void setCertAttr(String certAttr) { + mCertAttr = certAttr; + } + + /** + * publish a user certificate + * Adds the cert to the multi-valued certificate attribute as a + * DER encoded binary blob. Does not check if cert already exists. + * Then adds the subject name of the cert to the subject name attribute. + * + * @param conn the LDAP connection + * @param dn dn of the entry to publish the certificate + * @param certObj the certificate object. + * @exception ELdapException if cert or subject name already exists, + * if cert encoding fails, if getting cert subject name fails. + * Use ELdapException.getException() to find underlying exception. + */ + public void publish(LDAPConnection conn, String dn, Object certObj) + throws ELdapException { + if (conn == null) { + log(ILogger.LL_INFO, "LdapCertSubjPublisher: no LDAP connection"); + return; + } + + if (!(certObj instanceof X509Certificate)) + throw new IllegalArgumentException("Illegal arg to publish"); + + X509Certificate cert = (X509Certificate) certObj; + + try { + boolean hasCert = false, hasSubjname = false; + byte[] certEnc = cert.getEncoded(); + String subjName = ((X500Name) cert.getSubjectDN()).toLdapDNString(); + + LDAPSearchResults res = + conn.search(dn, LDAPv2.SCOPE_BASE, "(objectclass=*)", + new String[] { mCertAttr, mSubjNameAttr }, false); + + LDAPEntry entry = res.next(); + LDAPAttribute certs = entry.getAttribute(mCertAttr); + LDAPAttribute subjnames = entry.getAttribute(mSubjNameAttr); + + // check if has cert already. 
+ if (certs != null) { + hasCert = LdapUserCertPublisher.ByteValueExists(certs, certEnc); + } + + // check if has subject name already. + if (subjnames != null) { + hasSubjname = + LdapUserCertPublisher.StringValueExists(subjnames, subjName); + } + + // if has both, done. + if (hasCert && hasSubjname) { + log(ILogger.LL_INFO, + "publish: " + subjName + " already has cert & subject name"); + return; + } + + // add cert if not already there. + LDAPModificationSet modSet = new LDAPModificationSet(); + + if (!hasCert) { + log(ILogger.LL_INFO, "publish: adding cert to " + subjName); + modSet.add(LDAPModification.ADD, + new LDAPAttribute(mCertAttr, certEnc)); + } + // add subject name if not already there. + if (!hasSubjname) { + log(ILogger.LL_INFO, "publish: adding " + subjName + " to " + dn); + modSet.add(LDAPModification.ADD, + new LDAPAttribute(mSubjNameAttr, subjName)); + } + conn.modify(dn, modSet); + } catch (CertificateEncodingException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_PUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString())); + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. 
+ log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_PUBLISHER_EXCEPTION", "", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_PUBLISH_USERCERT_ERROR", e.toString())); + } + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_PUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_PUBLISH_USERCERT_ERROR", e.toString())); + } + } + + /** + * deletes the certificate from the list of certificates. + * does not check if certificate is already there. + * also takes out the subject name if no other certificate remain + * with the same subject name. + */ + public void unpublish(LDAPConnection conn, String dn, Object certObj) + throws ELdapException { + if (!(certObj instanceof X509Certificate)) + throw new IllegalArgumentException("Illegal arg to publish"); + + try { + boolean hasCert = false, hasSubjname = false; + boolean hasAnotherCert = false; + X509Certificate cert = (X509Certificate) certObj; + String subjName = ((X500Name) cert.getSubjectDN()).toLdapDNString(); + + byte[] certEnc = cert.getEncoded(); + + LDAPSearchResults res = + conn.search(dn, LDAPv2.SCOPE_BASE, "(objectclass=*)", + new String[] { mCertAttr, mSubjNameAttr }, false); + + LDAPEntry entry = res.next(); + LDAPAttribute certs = entry.getAttribute(mCertAttr); + LDAPAttribute subjnames = entry.getAttribute(mSubjNameAttr); + + // check for cert and other certs with same subject name. 
+ if (certs != null) { + hasCert = LdapUserCertPublisher.ByteValueExists(certs, certEnc); + // check for other certs with the same subject name + @SuppressWarnings("unchecked") + Enumeration vals = certs.getByteValues(); + byte[] val = null; + + while (vals.hasMoreElements()) { + val = vals.nextElement(); + if (PublisherUtils.byteArraysAreEqual(certEnc, val)) { + hasCert = true; + continue; + } + try { + X509CertImpl certval = new X509CertImpl(val); + // XXX use some sort of X500name equals function here. + String subjnam = + ((X500Name) certval.getSubjectDN()).toLdapDNString(); + + if (subjnam.equalsIgnoreCase(subjName)) { + hasAnotherCert = true; + } + } catch (CertificateEncodingException e) { + // ignore this certificate. + CMS.debug( + "LdapCertSubjPublisher: unpublish: an invalid cert in dn entry encountered"); + } catch (CertificateException e) { + // ignore this certificate. + CMS.debug( + "LdapCertSubjPublisher: unpublish: an invalid cert in dn entry encountered"); + } + } + } + + // check if doesn't have subject name already. + if (subjnames != null) { + hasSubjname = + LdapUserCertPublisher.StringValueExists(subjnames, subjName); + } + + // if doesn't have both, done. + if (!hasCert && !hasSubjname) { + log(ILogger.LL_INFO, + "unpublish: " + subjName + " already has not cert & subjname"); + return; + } + + // delete cert if there. + LDAPModificationSet modSet = new LDAPModificationSet(); + + if (hasCert) { + log(ILogger.LL_INFO, + "unpublish: deleting cert " + subjName + " from " + dn); + modSet.add(LDAPModification.DELETE, + new LDAPAttribute(mCertAttr, certEnc)); + } + // delete subject name if no other cert has the same name. 
+ if (hasSubjname && !hasAnotherCert) { + log(ILogger.LL_INFO, + "unpublish: deleting subject name " + subjName + " from " + dn); + modSet.add(LDAPModification.DELETE, + new LDAPAttribute(mSubjNameAttr, subjName)); + } + conn.modify(dn, modSet); + } catch (CertificateEncodingException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString())); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_LDAP_DN_STRING_FAILED", e.toString())); + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_UNPUBLISH_USERCERT_ERROR", e.toString())); + } + } + return; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level, + "LdapCertSubjPublisher: " + msg); + } + +} diff --git a/base/common/src/com/netscape/cms/publish/publishers/LdapCertificatePairPublisher.java b/base/common/src/com/netscape/cms/publish/publishers/LdapCertificatePairPublisher.java new file mode 100644 index 000000000..c65ff79d5 --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/publishers/LdapCertificatePairPublisher.java 
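Review bot: `unpublish` calls `conn.search(dn, ...)` without the `conn == null` guard that `publish` has at its top, so a missing connection surfaces as a NullPointerException instead of the logged early return, and the `LDAPException` handler's `conn.getHost()` would fail the same way. Adding the same guard at the top of `unpublish`, `if (conn == null) { log(ILogger.LL_INFO, "LdapCertSubjPublisher: no LDAP connection"); return; }`, keeps the two paths consistent. Separately, the decision to delete the subject-name value rests on `subjnam.equalsIgnoreCase(subjName)` over string-form DNs while `hasSubjname` comes from `StringValueExists`; the `XXX` comment already flags that an X500Name-aware comparison is wanted, and until then two certificates whose subjects differ only in attribute order or whitespace can leave the entry with a subject-name value removed while a matching cert is still published, or vice versa.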
@@ -0,0 +1,318 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.publishers; + +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPModification; +import netscape.ldap.LDAPModificationSet; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.ldap.ELdapServerDownException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapPublisher; + +/** + * module for publishing a cross certificate pair to ldap + * crossCertificatePair attribute + * + * @version $Revision$, $Date$ + */ +public class LdapCertificatePairPublisher + implements ILdapPublisher, IExtendedPluginInfo { + public static final String LDAP_CROSS_CERT_PAIR_ATTR = "crossCertificatePair;binary"; + public static final String LDAP_CA_OBJECTCLASS = 
"pkiCA"; + public static final String LDAP_ARL_ATTR = "authorityRevocationList;binary"; + public static final String LDAP_CRL_ATTR = "certificateRevocationList;binary"; + public static final String LDAP_CACERT_ATTR = "caCertificate;binary"; + + protected String mCrossCertPairAttr = LDAP_CROSS_CERT_PAIR_ATTR; + protected String mCaObjectclass = LDAP_CA_OBJECTCLASS; + protected String mObjAdded = ""; + protected String mObjDeleted = ""; + + private ILogger mLogger = CMS.getLogger(); + private boolean mInited = false; + protected IConfigStore mConfig = null; + + /** + * constructor constructs default values. + */ + public LdapCertificatePairPublisher() { + } + + public String[] getExtendedPluginInfo(Locale locale) { + String s[] = { + "crossCertPairAttr;string;Name of Ldap attribute in which to store cross certificates", + "caObjectClass;string;The name of the objectclasses which should be " + + "added to this entry, if they do not already exist. This can be " + + "'certificationAuthority' (if using RFC 2256) or 'pkiCA' (if using RFC 4523)", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ldappublish-publisher-crosscertpairpublisher", + IExtendedPluginInfo.HELP_TEXT + + ";This plugin knows how to publish the CA cert to " + + "'certificateAuthority' and 'pkiCA' -type entries" + }; + + return s; + } + + public String getImplName() { + return "LdapCertificatePairPublisher"; + } + + public String getDescription() { + return "LdapCertificatePairPublisher"; + } + + public Vector getInstanceParams() { + Vector v = new Vector(); + + v.addElement("crossCertPairAttr=" + mCrossCertPairAttr); + v.addElement("caObjectClass=" + mCaObjectclass); + return v; + } + + public Vector getInstanceParamsWithExtras() { + return getInstanceParams(); + } + + public Vector getDefaultParams() { + Vector v = new Vector(); + + v.addElement("crossCertPairAttr=" + mCrossCertPairAttr); + v.addElement("caObjectClass=" + mCaObjectclass); + return v; + } + + public IConfigStore getConfigStore() { + 
return mConfig; + } + + public void init(IConfigStore config) + throws EBaseException { + if (mInited) + return; + mConfig = config; + mCrossCertPairAttr = mConfig.getString("crossCertPairAttr", LDAP_CROSS_CERT_PAIR_ATTR); + mCaObjectclass = mConfig.getString("caObjectClass", + LDAP_CA_OBJECTCLASS); + mObjAdded = mConfig.getString("caObjectClassAdded", ""); + mObjDeleted = mConfig.getString("caObjectClassDeleted", ""); + + mInited = true; + } + + // don't think anyone would ever use this but just in case. + public LdapCertificatePairPublisher(String crossCertPairAttr, String caObjectclass) { + mCrossCertPairAttr = crossCertPairAttr; + mCaObjectclass = caObjectclass; + mInited = true; + } + + /** + * Gets the Certificate Authority object class to convert to. + */ + public String getCAObjectclass() { + return mCaObjectclass; + } + + /** + * returns the cross cert pair attribute where it'll be published. + */ + public String getXCertAttrName() { + return mCrossCertPairAttr; + } + + /** + * publish a certificatePair + * -should not be called from listeners. + * + * @param conn the LDAP connection + * @param dn dn of the entry to publish the XcertificatePair + * @param pair the Xcertificate bytes object. + */ + public synchronized void publish(LDAPConnection conn, String dn, Object pair) + throws ELdapException { + publish(conn, dn, (byte[]) pair); + } + + /** + * publish a certificatePair + * -should not be called from listeners. 
+ * + * @param conn the LDAP connection + * @param dn dn of the entry to publish the XcertificatePair + * @param pair the cross cert bytes + */ + public synchronized void publish(LDAPConnection conn, String dn, + byte[] pair) + throws ELdapException { + + if (conn == null) { + log(ILogger.LL_INFO, "LdapCertificatePairPublisher: no LDAP connection"); + return; + } + + try { + mCrossCertPairAttr = mConfig.getString("crossCertPairAttr", LDAP_CROSS_CERT_PAIR_ATTR); + mCaObjectclass = mConfig.getString("caObjectClass", LDAP_CA_OBJECTCLASS); + } catch (EBaseException e) { + } + + try { + // search for attributes to determine if they exist + LDAPSearchResults res = + conn.search(dn, LDAPv2.SCOPE_BASE, "(objectclass=*)", + new String[] { LDAP_CACERT_ATTR, LDAP_CRL_ATTR, LDAP_ARL_ATTR }, true); + LDAPEntry entry = res.next(); + LDAPAttribute certs = entry.getAttribute(LDAP_CACERT_ATTR); + LDAPAttribute arls = entry.getAttribute(LDAP_ARL_ATTR); + LDAPAttribute crls = entry.getAttribute(LDAP_CRL_ATTR); + + // search for objectclass and crosscertpair attributes and values + LDAPSearchResults res1 = + conn.search(dn, LDAPv2.SCOPE_BASE, "(objectclass=*)", + new String[] { "objectclass", mCrossCertPairAttr }, false); + LDAPEntry entry1 = res1.next(); + LDAPAttribute ocs = entry1.getAttribute("objectclass"); + LDAPAttribute certPairs = entry1.getAttribute("crosscertificatepair;binary"); + + LDAPModificationSet modSet = new LDAPModificationSet(); + + boolean hasCert = LdapUserCertPublisher.ByteValueExists(certPairs, pair); + if (LdapUserCertPublisher.ByteValueExists(certPairs, pair)) { + CMS.debug("LdapCertificatePairPublisher: cross cert pair bytes exist in publishing directory, do not publish again."); + return; + } + if (hasCert) { + log(ILogger.LL_INFO, "publish: CA " + dn + " already has cross cert pair bytes"); + } else { + modSet.add(LDAPModification.ADD, + new LDAPAttribute(mCrossCertPairAttr, pair)); + log(ILogger.LL_INFO, "cross cert pair published with dn=" + dn); + } + 
+ String[] oclist = mCaObjectclass.split(","); + + boolean attrsAdded = false; + for (int i = 0; i < oclist.length; i++) { + String oc = oclist[i].trim(); + boolean hasoc = LdapUserCertPublisher.StringValueExists(ocs, oc); + if (!hasoc) { + log(ILogger.LL_INFO, "adding CA objectclass " + oc + " to " + dn); + modSet.add(LDAPModification.ADD, + new LDAPAttribute("objectclass", oc)); + + if ((!attrsAdded) && oc.equalsIgnoreCase("certificationAuthority")) { + // add MUST attributes + if (arls == null) + modSet.add(LDAPModification.ADD, + new LDAPAttribute(LDAP_ARL_ATTR, "")); + if (crls == null) + modSet.add(LDAPModification.ADD, + new LDAPAttribute(LDAP_CRL_ATTR, "")); + if (certs == null) + modSet.add(LDAPModification.ADD, + new LDAPAttribute(LDAP_CACERT_ATTR, "")); + attrsAdded = true; + } + } + } + + // delete objectclasses that have been deleted from config + String[] delList = mObjDeleted.split(","); + if (delList.length > 0) { + for (int i = 0; i < delList.length; i++) { + String deloc = delList[i].trim(); + boolean hasoc = LdapUserCertPublisher.StringValueExists(ocs, deloc); + boolean match = false; + for (int j = 0; j < oclist.length; j++) { + if ((oclist[j].trim()).equals(deloc)) { + match = true; + break; + } + } + if (!match && hasoc) { + log(ILogger.LL_INFO, "deleting CRL objectclass " + deloc + " from " + dn); + modSet.add(LDAPModification.DELETE, + new LDAPAttribute("objectclass", deloc)); + } + } + } + + // reset mObjAdded and mObjDeleted, if needed + if ((!mObjAdded.equals("")) || (!mObjDeleted.equals(""))) { + mObjAdded = ""; + mObjDeleted = ""; + mConfig.putString("caObjectClassAdded", ""); + mConfig.putString("caObjectClassDeleted", ""); + try { + mConfig.commit(false); + } catch (Exception e) { + log(ILogger.LL_INFO, "Failure in updating mObjAdded and mObjDeleted"); + } + } + + if (modSet.size() > 0) + conn.modify(dn, modSet); + CMS.debug("LdapCertificatePairPublisher: in publish() just published"); + } catch (LDAPException e) { + if 
(e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_PUBLISHER_EXCEPTION", "", e.toString())); + throw new ELdapException("error publishing cross cert pair:" + e.toString()); + } + } + return; + } + + /** + * unsupported + */ + public void unpublish(LDAPConnection conn, String dn, Object certObj) + throws ELdapException { + CMS.debug("LdapCertificatePairPublisher: unpublish() is unsupported in this revision"); + } + + /** + * handy routine for logging in this class. + */ + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level, + "LdapCertificatePairPublisher: " + msg); + } + +} diff --git a/base/common/src/com/netscape/cms/publish/publishers/LdapCrlPublisher.java b/base/common/src/com/netscape/cms/publish/publishers/LdapCrlPublisher.java new file mode 100644 index 000000000..6826cc801 --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/publishers/LdapCrlPublisher.java 
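Review bot: In `publish(LDAPConnection, String, byte[])` the duplicate check reads `entry1.getAttribute("crosscertificatepair;binary")` with a hard-coded name while the search and the ADD use the configurable `mCrossCertPairAttr`, so an instance configured with a different `crossCertPairAttr` never sees the existing value and re-adds the pair on every publish, which a directory that enforces value uniqueness would presumably reject. `ByteValueExists(certPairs, pair)` is also evaluated twice, and because the second evaluation returns early the following `if (hasCert)` branch is unreachable. Changing the lookup to `LDAPAttribute certPairs = entry1.getAttribute(mCrossCertPairAttr);` and dropping the second call so the single `hasCert` test drives both the log message and the ADD fixes both. The empty `catch (EBaseException e) {}` around the config re-read silently keeps stale attribute names; at minimum it should `CMS.debug` the failure so a misconfiguration is visible in the log.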
@@ -0,0 +1,379 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.publishers; + +import java.security.cert.CRLException; +import java.security.cert.X509CRL; +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPModification; +import netscape.ldap.LDAPModificationSet; +import netscape.ldap.LDAPSSLSocketFactoryExt; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.ldap.ELdapServerDownException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapPublisher; + +/** + * For publishing master or global CRL. + * Publishes (replaces) the CRL in the CA's LDAP entry. 
+ * + * @version $Revision$, $Date$ + */ +public class LdapCrlPublisher implements ILdapPublisher, IExtendedPluginInfo { + private ILogger mLogger = CMS.getLogger(); + protected IConfigStore mConfig = null; + boolean mInited = false; + + public static final String LDAP_CACERT_ATTR = "caCertificate;binary"; + public static final String LDAP_ARL_ATTR = "authorityRevocationList;binary"; + public static final String LDAP_CRL_ATTR = "certificateRevocationList;binary"; + public static final String LDAP_CRL_OBJECTCLASS = "pkiCA,deltaCRL"; + + protected String mCrlAttr = LDAP_CRL_ATTR; + protected String mCrlObjectClass = LDAP_CRL_OBJECTCLASS; + protected String mObjAdded = ""; + protected String mObjDeleted = ""; + + /** + * constructs ldap crl publisher with default values + */ + public LdapCrlPublisher() { + } + + public String getImplName() { + return "LdapCrlPublisher"; + } + + public String getDescription() { + return "LdapCrlPublisher"; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + "crlAttr;string;Name of Ldap attribute in which to store the CRL", + "crlObjectClass;string;The name of the objectclasses which should be " + + "added to this entry, if they do not already exist. 
This can be a comma-" + + "separated list such as 'certificationAuthority,certificationAuthority-V2' " + + "(if using RFC 2256) or 'pkiCA, deltaCRL' (if using RFC 4523)", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ldappublish-publisher-crlpublisher", + IExtendedPluginInfo.HELP_TEXT + + ";This plugin knows how to publish CRL's to " + + "'certificateAuthority' and 'pkiCA' -type entries" + }; + + return params; + } + + public Vector getInstanceParams() { + Vector v = new Vector(); + + v.addElement("crlAttr=" + mCrlAttr); + v.addElement("crlObjectClass=" + mCrlObjectClass); + return v; + } + + public Vector getDefaultParams() { + Vector v = new Vector(); + + v.addElement("crlAttr=" + mCrlAttr); + v.addElement("crlObjectClass=" + mCrlObjectClass); + return v; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + public void init(IConfigStore config) + throws EBaseException { + if (mInited) + return; + mConfig = config; + mCrlAttr = mConfig.getString("crlAttr", LDAP_CRL_ATTR); + mCrlObjectClass = mConfig.getString("crlObjectClass", + LDAP_CRL_OBJECTCLASS); + mObjAdded = mConfig.getString("crlObjectClassAdded", ""); + mObjDeleted = mConfig.getString("crlObjectClassDeleted", ""); + + mInited = true; + } + + public LdapCrlPublisher(String crlAttr, String crlObjectClass) { + mCrlAttr = crlAttr; + mCrlObjectClass = crlObjectClass; + } + + /** + * Gets the CA object class to convert to. + */ + public String getCRLObjectclass() { + return mCrlObjectClass; + } + + /** + * Replaces the CRL in the certificateRevocationList attribute. + * CRL's are published as a DER encoded blob. 
+ */ + public void publish(LDAPConnection conn, String dn, Object crlObj) + throws ELdapException { + if (conn == null) { + log(ILogger.LL_INFO, "publish CRL: no LDAP connection"); + return; + } + + try { + mCrlAttr = mConfig.getString("crlAttr", LDAP_CRL_ATTR); + mCrlObjectClass = mConfig.getString("crlObjectClass", LDAP_CRL_OBJECTCLASS); + } catch (EBaseException e) { + } + + // Bugscape #56124 - support multiple publishing directory + // see if we should create local connection + LDAPConnection altConn = null; + try { + String host = mConfig.getString("host", null); + String port = mConfig.getString("port", null); + if (host != null && port != null) { + int portVal = Integer.parseInt(port); + int version = Integer.parseInt(mConfig.getString("version", "2")); + String cert_nick = mConfig.getString("clientCertNickname", null); + LDAPSSLSocketFactoryExt sslSocket = null; + if (cert_nick != null) { + sslSocket = CMS.getLdapJssSSLSocketFactory(cert_nick); + } + String mgr_dn = mConfig.getString("bindDN", null); + String mgr_pwd = mConfig.getString("bindPWD", null); + + altConn = CMS.getBoundConnection(host, portVal, + version, + sslSocket, mgr_dn, mgr_pwd); + conn = altConn; + } + } catch (LDAPException e) { + CMS.debug("Failed to create alt connection " + e); + } catch (EBaseException e) { + CMS.debug("Failed to create alt connection " + e); + } + + try { + byte[] crlEnc = ((X509CRL) crlObj).getEncoded(); + log(ILogger.LL_INFO, "publish CRL: " + dn); + + /* search for attribute names to determine existence of attributes */ + LDAPSearchResults res = null; + if (mCrlAttr.equals(LDAP_CRL_ATTR)) { + res = conn.search(dn, LDAPv2.SCOPE_BASE, "(objectclass=*)", + new String[] { LDAP_CACERT_ATTR, LDAP_ARL_ATTR }, true); + } else { + res = conn.search(dn, LDAPv2.SCOPE_BASE, "(objectclass=*)", + new String[] { LDAP_CRL_ATTR, LDAP_CACERT_ATTR, LDAP_ARL_ATTR }, true); + } + + LDAPEntry entry = res.next(); + LDAPAttribute crls = entry.getAttribute(LDAP_CRL_ATTR); + LDAPAttribute 
certs = entry.getAttribute(LDAP_CACERT_ATTR); + LDAPAttribute arls = entry.getAttribute(LDAP_ARL_ATTR); + + /* get object class values */ + LDAPSearchResults res1 = null; + res1 = conn.search(dn, LDAPv2.SCOPE_BASE, "(objectclass=*)", + new String[] { "objectclass" }, false); + LDAPEntry entry1 = res1.next(); + LDAPAttribute ocs = entry1.getAttribute("objectclass"); + + LDAPModificationSet modSet = new LDAPModificationSet(); + + String[] oclist = mCrlObjectClass.split(","); + boolean attrsAdded = false; + for (int i = 0; i < oclist.length; i++) { + String oc = oclist[i].trim(); + boolean hasoc = LdapUserCertPublisher.StringValueExists(ocs, oc); + if (!hasoc) { + log(ILogger.LL_INFO, "adding CRL objectclass " + oc + " to " + dn); + modSet.add(LDAPModification.ADD, + new LDAPAttribute("objectclass", oc)); + + if ((!attrsAdded) && oc.equalsIgnoreCase("certificationAuthority")) { + // add MUST attributes + if (arls == null) + modSet.add(LDAPModification.ADD, + new LDAPAttribute(LDAP_ARL_ATTR, "")); + if (certs == null) + modSet.add(LDAPModification.ADD, + new LDAPAttribute(LDAP_CACERT_ATTR, "")); + + if ((crls == null) && (!mCrlAttr.equals(LDAP_CRL_ATTR))) + modSet.add(LDAPModification.ADD, + new LDAPAttribute(LDAP_CRL_ATTR, "")); + attrsAdded = true; + } + } + } + + modSet.add(LDAPModification.REPLACE, new LDAPAttribute(mCrlAttr, crlEnc)); + + // delete objectclasses that have been deleted from config + String[] delList = mObjDeleted.split(","); + if (delList.length > 0) { + for (int i = 0; i < delList.length; i++) { + String deloc = delList[i].trim(); + boolean hasoc = LdapUserCertPublisher.StringValueExists(ocs, deloc); + boolean match = false; + for (int j = 0; j < oclist.length; j++) { + if ((oclist[j].trim()).equals(deloc)) { + match = true; + break; + } + } + if (!match && hasoc) { + log(ILogger.LL_INFO, "deleting CRL objectclass " + deloc + " from " + dn); + modSet.add(LDAPModification.DELETE, + new LDAPAttribute("objectclass", deloc)); + } + } + } + + // reset 
mObjAdded and mObjDeleted, if needed + if ((!mObjAdded.equals("")) || (!mObjDeleted.equals(""))) { + mObjAdded = ""; + mObjDeleted = ""; + mConfig.putString("crlObjectClassAdded", ""); + mConfig.putString("crlObjectClassDeleted", ""); + try { + mConfig.commit(false); + } catch (Exception e) { + log(ILogger.LL_INFO, "Failure in updating mObjAdded and mObjDeleted"); + } + } + + conn.modify(dn, modSet); + } catch (CRLException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_PUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_PUBLISH_CRL_ERROR", e.toString())); + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_PUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_PUBLISH_CRL_ERROR", e.toString())); + } + } finally { + if (altConn != null) { + try { + altConn.disconnect(); + } catch (LDAPException e) { + // safely ignored + } + } + } + + } + + /** + * There shouldn't be a need to call this. + * CRLs are always replaced but this is implemented anyway in case + * there is ever a reason to remove a global CRL. 
+ */ + public void unpublish(LDAPConnection conn, String dn, Object crlObj) + throws ELdapException { + try { + byte[] crlEnc = ((X509CRL) crlObj).getEncoded(); + + try { + mCrlAttr = mConfig.getString("crlAttr", LDAP_CRL_ATTR); + mCrlObjectClass = mConfig.getString("crlObjectClass", LDAP_CRL_OBJECTCLASS); + } catch (EBaseException e) { + } + + LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE, + "(objectclass=*)", new String[] { mCrlAttr, "objectclass" }, false); + LDAPEntry e = res.next(); + LDAPAttribute crls = e.getAttribute(mCrlAttr); + LDAPAttribute ocs = e.getAttribute("objectclass"); + + LDAPModificationSet modSet = new LDAPModificationSet(); + + boolean hasOC = false; + boolean hasCRL = + LdapUserCertPublisher.ByteValueExists(crls, crlEnc); + + if (hasCRL) { + modSet.add(LDAPModification.DELETE, + new LDAPAttribute(mCrlAttr, crlEnc)); + } + + String[] oclist = mCrlObjectClass.split(","); + for (int i = 0; i < oclist.length; i++) { + String oc = oclist[i].trim(); + if (LdapUserCertPublisher.StringValueExists(ocs, oc)) { + log(ILogger.LL_INFO, "unpublish: deleting CRL object class " + oc + " from " + dn); + modSet.add(LDAPModification.DELETE, + new LDAPAttribute("objectClass", oc)); + hasOC = true; + } + } + + if (hasCRL || hasOC) { + conn.modify(dn, modSet); + } else { + log(ILogger.LL_INFO, + "unpublish: " + dn + " already has not CRL"); + } + } catch (CRLException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_PUBLISH_CRL_ERROR", e.toString())); + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. 
+ log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_UNPUBLISH_CRL_ERROR", e.toString())); + } + } + return; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level, + "LdapCrlPublisher: " + msg); + } +} diff --git a/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java b/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java new file mode 100644 index 000000000..d2c488620 --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java 
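Review bot: In `publish`, `Integer.parseInt(port)` and `Integer.parseInt(mConfig.getString("version", "2"))` run inside a try that catches only `LDAPException` and `EBaseException`, so a malformed `port` or `version` value in the publisher config escapes the alternate-connection setup as an unchecked `NumberFormatException` instead of the logged fallback the catch blocks intend. Adding `} catch (NumberFormatException e) { CMS.debug("Failed to create alt connection " + e); }` beside the existing handlers completes the fallback. When `clientCertNickname` is unset, `sslSocket` stays null and `bindDN`/`bindPWD` are handed to `CMS.getBoundConnection` with no socket factory, which presumably means a cleartext LDAP simple bind to the remote host; the `getExtendedPluginInfo` help text should state that a client-cert nickname (or an LDAPS-only target) is expected when `host`/`port` point at a separate publishing directory. `unpublish` also deletes every objectclass in `crlObjectClass` (`pkiCA,deltaCRL` by default) whenever it is present, even if the entry still carries `caCertificate;binary`, which a schema-checking server would likely refuse as an objectclass violation; worth confirming that is the intended behaviour for a CA entry.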
@@ -0,0 +1,359 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.publishers; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; +import java.util.Date; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPModification; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; +import netscape.security.x509.CRLExtensions; +import netscape.security.x509.CRLReasonExtension; +import netscape.security.x509.RevocationReason; +import netscape.security.x509.RevokedCertImpl; +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ca.ICAService; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.ldap.ELdapException; +import 
com.netscape.certsrv.ldap.ELdapServerDownException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapPublisher; + +/** + * Interface for mapping a X509 certificate to a LDAP entry + * + * @version $Revision$, $Date$ + */ +public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPluginInfo { + public static final String LDAP_USERCERT_ATTR = "userCertificate;binary"; + public static final String PROP_REVOKE_CERT = "revokeCert"; + + protected String mCertAttr = LDAP_USERCERT_ATTR; + private ILogger mLogger = CMS.getLogger(); + private IConfigStore mConfig = null; + private boolean mInited = false; + private boolean mRevokeCert; + + public LdapEncryptCertPublisher() { + } + + public String getImplName() { + return "LdapEncryptCertPublisher"; + } + + public String getDescription() { + return "LdapEncryptCertPublisher"; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + "certAttr;string;LDAP attribute in which to store the certificate", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ldappublish-publisher-usercertpublisher", + IExtendedPluginInfo.HELP_TEXT + + ";This plugin knows how to publish user certificates" + }; + + return params; + + } + + public Vector getInstanceParams() { + Vector v = new Vector(); + + v.addElement("certAttr=" + mCertAttr); + return v; + } + + public Vector getDefaultParams() { + Vector v = new Vector(); + + v.addElement("certAttr=" + mCertAttr); + return v; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + public void init(IConfigStore config) + throws EBaseException { + if (mInited) + return; + mConfig = config; + mCertAttr = mConfig.getString("certAttr", LDAP_USERCERT_ATTR); + mRevokeCert = mConfig.getBoolean(PROP_REVOKE_CERT, true); + mInited = true; + } + + public LdapEncryptCertPublisher(String certAttr) { + mCertAttr = certAttr; + } + + /** + * publish a user certificate + * Adds the cert to the multi-valued certificate 
attribute as a + * DER encoded binary blob. Does not check if cert already exists. + * + * @param conn the LDAP connection + * @param dn dn of the entry to publish the certificate + * @param certObj the certificate object. + */ + public void publish(LDAPConnection conn, String dn, Object certObj) + throws ELdapException { + if (conn == null) + return; + + if (!(certObj instanceof X509Certificate)) + throw new IllegalArgumentException("Illegal arg to publish"); + + X509Certificate cert = (X509Certificate) certObj; + + log(ILogger.LL_INFO, "Publishing " + cert); + try { + byte[] certEnc = cert.getEncoded(); + + // check if cert already exists. + LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE, + "(objectclass=*)", new String[] { mCertAttr }, false); + LDAPEntry entry = res.next(); + LDAPAttribute attr = getModificationAttribute(entry.getAttribute(mCertAttr), certEnc); + + if (attr == null) { + log(ILogger.LL_INFO, "publish: " + dn + " already has cert."); + return; + } + + // publish + LDAPModification mod = new LDAPModification(LDAPModification.REPLACE, attr); + + conn.modify(dn, mod); + } catch (CertificateEncodingException e) { + CMS.debug("LdapEncryptCertPublisher: error in publish: " + e.toString()); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString())); + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. 
+ log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_PUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_PUBLISH_USERCERT_ERROR", e.toString())); + } + } + return; + } + + /** + * unpublish a user certificate + * deletes the certificate from the list of certificates. + * does not check if certificate is already there. + */ + public void unpublish(LDAPConnection conn, String dn, Object certObj) + throws ELdapException { + if (!(certObj instanceof X509Certificate)) + throw new IllegalArgumentException("Illegal arg to publish"); + + X509Certificate cert = (X509Certificate) certObj; + + try { + byte[] certEnc = cert.getEncoded(); + + // check if cert already deleted. + LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE, + "(objectclass=*)", new String[] { mCertAttr }, false); + LDAPEntry entry = res.next(); + + if (!ByteValueExists(entry.getAttribute(mCertAttr), certEnc)) { + log(ILogger.LL_INFO, dn + " already has not cert"); + return; + } + + LDAPModification mod = new LDAPModification(LDAPModification.DELETE, + new LDAPAttribute(mCertAttr, certEnc)); + + conn.modify(dn, mod); + } catch (CertificateEncodingException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString())); + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. 
+ log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_UNPUBLISH_USERCERT_ERROR", e.toString())); + } + } + return; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level, + "LdapUserCertPublisher: " + msg); + } + + public LDAPAttribute getModificationAttribute( + LDAPAttribute attr, byte[] bval) { + + LDAPAttribute at = new LDAPAttribute(attr.getName(), bval); + // determine if the given cert is a signing or an encryption + // certificate + X509CertImpl thisCert = null; + + try { + thisCert = new X509CertImpl(bval); + } catch (Exception e) { + } + if (thisCert == null) { + return at; + } + + @SuppressWarnings("unchecked") + Enumeration vals = attr.getByteValues(); + byte[] val = null; + + while (vals.hasMoreElements()) { + val = vals.nextElement(); + try { + X509CertImpl cert = new X509CertImpl(val); + + log(ILogger.LL_INFO, "Checking " + cert); + if (CMS.isEncryptionCert(thisCert) && + CMS.isEncryptionCert(cert)) { + // skip + log(ILogger.LL_INFO, "SKIP ENCRYPTION " + cert); + revokeCert(cert); + } else if (CMS.isSigningCert(thisCert) && + CMS.isSigningCert(cert)) { + // skip + log(ILogger.LL_INFO, "SKIP SIGNING " + cert); + revokeCert(cert); + } else { + at.addValue(val); + } + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CHECK_FAILED", e.toString())); + } + } + return at; + } + + private RevokedCertImpl formCRLEntry( + BigInteger serialNo, RevocationReason reason) + throws EBaseException { + CRLReasonExtension reasonExt = new CRLReasonExtension(reason); + CRLExtensions crlentryexts = new CRLExtensions(); + + try { + crlentryexts.set(CRLReasonExtension.NAME, reasonExt); + } catch 
(IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_SET_CRL_REASON", reason.toString(), e.toString())); + + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); + } + RevokedCertImpl crlentry = + new RevokedCertImpl(serialNo, new Date(), crlentryexts); + + return crlentry; + } + + private void revokeCert(X509CertImpl cert) + throws EBaseException { + try { + if (mConfig.getBoolean(PROP_REVOKE_CERT, true) == false) { + return; + } + } catch (EBaseException e) { + return; + } + BigInteger serialNum = cert.getSerialNumber(); + // need to revoke certificate also + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem("ca"); + ICAService service = (ICAService) ca.getCAService(); + RevokedCertImpl crlEntry = formCRLEntry( + serialNum, RevocationReason.KEY_COMPROMISE); + + service.revokeCert(crlEntry); + } + + /** + * checks if a byte attribute has a certain value. + */ + public static boolean ByteValueExists(LDAPAttribute attr, byte[] bval) { + if (attr == null) { + return false; + } + @SuppressWarnings("unchecked") + Enumeration vals = attr.getByteValues(); + byte[] val = null; + + while (vals.hasMoreElements()) { + val = (byte[]) vals.nextElement(); + if (PublisherUtils.byteArraysAreEqual(val, bval)) { + return true; + } + } + return false; + } + + /** + * checks if a attribute has a string value. + */ + public static boolean StringValueExists(LDAPAttribute attr, String sval) { + if (attr == null) { + return false; + } + @SuppressWarnings("unchecked") + Enumeration vals = attr.getStringValues(); + String val = null; + + while (vals.hasMoreElements()) { + val = vals.nextElement(); + if (val.equalsIgnoreCase(sval)) { + return true; + } + } + return false; + } + +} diff --git a/base/common/src/com/netscape/cms/publish/publishers/LdapUserCertPublisher.java b/base/common/src/com/netscape/cms/publish/publishers/LdapUserCertPublisher.java new file mode 100644 index 000000000..e31ce674c --- /dev/null 
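Review bot: The `attr == null` check in publish() is dead code, because getModificationAttribute() never returns null — it builds a fresh LDAPAttribute even when `bval` cannot be parsed — so the "already has cert" branch can never fire and a re-publish of an existing certificate always goes through as a REPLACE. Worse, when `new X509CertImpl(bval)` fails the swallowed exception leaves `thisCert` null and the method returns an attribute holding only the new value, so the REPLACE silently drops every other certificate on the entry; that parse failure should at least be logged, and the fallback should not be a bare REPLACE. A separate slip: log() in this class prefixes messages with `"LdapUserCertPublisher: "`, so failures are attributed to the wrong publisher in the system log; it should read `"LdapEncryptCertPublisher: " + msg`. Note also that `entry.getAttribute(mCertAttr)` can be null for an entry without certificates (ByteValueExists guards for exactly that), yet getModificationAttribute() dereferences it via `attr.getName()` without a check.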
+++ b/base/common/src/com/netscape/cms/publish/publishers/LdapUserCertPublisher.java 
@@ -0,0 +1,333 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.publishers; + +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPModification; +import netscape.ldap.LDAPSSLSocketFactoryExt; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.ldap.ELdapServerDownException; +import com.netscape.certsrv.logging.AuditFormat; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapPublisher; + +/** + * Interface for mapping a X509 certificate to a LDAP entry + * + * @version $Revision$, $Date$ + */ +public class LdapUserCertPublisher implements ILdapPublisher, 
IExtendedPluginInfo { + public static final String LDAP_USERCERT_ATTR = "userCertificate;binary"; + + protected String mCertAttr = LDAP_USERCERT_ATTR; + private ILogger mLogger = CMS.getLogger(); + private IConfigStore mConfig = null; + private boolean mInited = false; + + public LdapUserCertPublisher() { + } + + public String getImplName() { + return "LdapUserCertPublisher"; + } + + public String getDescription() { + return "LdapUserCertPublisher"; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + "certAttr;string;LDAP attribute in which to store the certificate", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ldappublish-publisher-usercertpublisher", + IExtendedPluginInfo.HELP_TEXT + + ";This plugin knows how to publish user certificates" + }; + + return params; + + } + + public Vector getInstanceParams() { + Vector v = new Vector(); + + v.addElement("certAttr=" + mCertAttr); + return v; + } + + public Vector getDefaultParams() { + Vector v = new Vector(); + + v.addElement("certAttr=" + mCertAttr); + return v; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + public void init(IConfigStore config) + throws EBaseException { + if (mInited) + return; + mConfig = config; + mCertAttr = mConfig.getString("certAttr", LDAP_USERCERT_ATTR); + mInited = true; + } + + public LdapUserCertPublisher(String certAttr) { + mCertAttr = certAttr; + } + + /** + * publish a user certificate + * Adds the cert to the multi-valued certificate attribute as a + * DER encoded binary blob. Does not check if cert already exists. + * + * @param conn the LDAP connection + * @param dn dn of the entry to publish the certificate + * @param certObj the certificate object. 
+ */ + public void publish(LDAPConnection conn, String dn, Object certObj) + throws ELdapException { + if (conn == null) + return; + + // Bugscape #56124 - support multiple publishing directory + // see if we should create local connection + LDAPConnection altConn = null; + try { + String host = mConfig.getString("host", null); + String port = mConfig.getString("port", null); + if (host != null && port != null) { + int portVal = Integer.parseInt(port); + int version = Integer.parseInt(mConfig.getString("version", "2")); + String cert_nick = mConfig.getString("clientCertNickname", null); + LDAPSSLSocketFactoryExt sslSocket = null; + if (cert_nick != null) { + sslSocket = CMS.getLdapJssSSLSocketFactory(cert_nick); + } + String mgr_dn = mConfig.getString("bindDN", null); + String mgr_pwd = mConfig.getString("bindPWD", null); + + altConn = CMS.getBoundConnection(host, portVal, + version, + sslSocket, mgr_dn, mgr_pwd); + conn = altConn; + } + } catch (LDAPException e) { + CMS.debug("Failed to create alt connection " + e); + } catch (EBaseException e) { + CMS.debug("Failed to create alt connection " + e); + } + + if (!(certObj instanceof X509Certificate)) + throw new IllegalArgumentException("Illegal arg to publish"); + + X509Certificate cert = (X509Certificate) certObj; + + boolean deleteCert = false; + try { + deleteCert = mConfig.getBoolean("deleteCert", false); + } catch (Exception e) { + } + + try { + byte[] certEnc = cert.getEncoded(); + + // check if cert already exists. 
+ LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE, + "(objectclass=*)", new String[] { mCertAttr }, false); + LDAPEntry entry = res.next(); + + if (ByteValueExists(entry.getAttribute(mCertAttr), certEnc)) { + log(ILogger.LL_INFO, "publish: " + dn + " already has cert."); + return; + } + + // publish + LDAPModification mod = null; + if (deleteCert) { + mod = new LDAPModification(LDAPModification.REPLACE, + new LDAPAttribute(mCertAttr, certEnc)); + } else { + mod = new LDAPModification(LDAPModification.ADD, + new LDAPAttribute(mCertAttr, certEnc)); + } + + conn.modify(dn, mod); + + // log a successful message to the "transactions" log + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_LDAP, + ILogger.LL_INFO, + AuditFormat.LDAP_PUBLISHED_FORMAT, + new Object[] { "LdapUserCertPublisher", + cert.getSerialNumber().toString(16), + cert.getSubjectDN() }); + } catch (CertificateEncodingException e) { + CMS.debug("LdapUserCertPublisher: error in publish: " + e.toString()); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString())); + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. + log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_PUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_PUBLISH_USERCERT_ERROR", e.toString())); + } + } finally { + if (altConn != null) { + try { + altConn.disconnect(); + } catch (LDAPException e) { + // safely ignored + } + } + } + return; + } + + /** + * unpublish a user certificate + * deletes the certificate from the list of certificates. + * does not check if certificate is already there. 
+ */ + public void unpublish(LDAPConnection conn, String dn, Object certObj) + throws ELdapException { + + boolean disableUnpublish = false; + try { + disableUnpublish = mConfig.getBoolean("disableUnpublish", false); + } catch (Exception e) { + } + + if (disableUnpublish) { + CMS.debug("UserCertPublisher: disable unpublish"); + return; + } + + if (!(certObj instanceof X509Certificate)) + throw new IllegalArgumentException("Illegal arg to publish"); + + X509Certificate cert = (X509Certificate) certObj; + + try { + byte[] certEnc = cert.getEncoded(); + + // check if cert already deleted. + LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE, + "(objectclass=*)", new String[] { mCertAttr }, false); + LDAPEntry entry = res.next(); + + if (!ByteValueExists(entry.getAttribute(mCertAttr), certEnc)) { + log(ILogger.LL_INFO, dn + " already has not cert"); + return; + } + + LDAPModification mod = new LDAPModification(LDAPModification.DELETE, + new LDAPAttribute(mCertAttr, certEnc)); + + conn.modify(dn, mod); + } catch (CertificateEncodingException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString())); + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. 
+ log(ILogger.LL_FAILURE, + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR")); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_UNPUBLISH_USERCERT_ERROR", e.toString())); + } + } + return; + } + + private void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level, + "LdapUserCertPublisher: " + msg); + } + + /** + * checks if a byte attribute has a certain value. + */ + public static boolean ByteValueExists(LDAPAttribute attr, byte[] bval) { + if (attr == null) { + return false; + } + @SuppressWarnings("unchecked") + Enumeration vals = attr.getByteValues(); + byte[] val = null; + + while (vals.hasMoreElements()) { + val = vals.nextElement(); + if (val.length == 0) + continue; + if (PublisherUtils.byteArraysAreEqual(val, bval)) { + return true; + } + } + return false; + } + + /** + * checks if a attribute has a string value. + */ + public static boolean StringValueExists(LDAPAttribute attr, String sval) { + if (attr == null) { + return false; + } + @SuppressWarnings("unchecked") + Enumeration vals = attr.getStringValues(); + String val = null; + + while (vals.hasMoreElements()) { + val = vals.nextElement(); + if (val.equalsIgnoreCase(sval)) { + return true; + } + } + return false; + } + +} diff --git a/base/common/src/com/netscape/cms/publish/publishers/OCSPPublisher.java b/base/common/src/com/netscape/cms/publish/publishers/OCSPPublisher.java new file mode 100644 index 000000000..600bbd110 --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/publishers/OCSPPublisher.java 
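Review bot: In the else branch of unpublish()'s LDAPException handler the failure is logged as `CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR")` without the exception, unlike every other call site in this commit (including this class's publish()), so the log entry for a failed unpublish carries no LDAP result detail; it should be `log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString()));`. In publish(), `Integer.parseInt(port)` and `Integer.parseInt(mConfig.getString("version", "2"))` can throw NumberFormatException, which neither `catch (LDAPException e)` nor `catch (EBaseException e)` covers, so a malformed port or version value aborts publishing with an unchecked exception instead of taking the logged fallback to the supplied connection; a separate `catch (NumberFormatException e)` with the same debug message, or validating the values before parsing, would keep the intended best-effort behaviour.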
@@ -0,0 +1,355 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.publishers; + +import java.io.DataInputStream; +import java.io.IOException; +import java.io.OutputStream; +import java.io.OutputStreamWriter; +import java.net.Socket; +import java.net.URLEncoder; +import java.security.cert.CRLException; +import java.security.cert.X509CRL; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.ldap.LDAPConnection; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.ILdapPublisher; +import com.netscape.cmsutil.http.HttpRequest; +import com.netscape.cmsutil.http.JssSSLSocketFactory; + +/** + * This publisher writes certificate and CRL into + * a directory. 
+ * + * @version $Revision$, $Date$ + */ +public class OCSPPublisher implements ILdapPublisher, IExtendedPluginInfo { + private static final String PROP_HOST = "host"; + private static final String PROP_PORT = "port"; + private static final String PROP_PATH = "path"; + private static final String PROP_NICK = "nickName"; + private static final String PROP_CLIENT_AUTH_ENABLE = "enableClientAuth"; + + private IConfigStore mConfig = null; + private String mHost = null; + private String mPort = null; + private String mPath = null; + private String mNickname = null; + private boolean mClientAuthEnabled = true; + private ILogger mLogger = CMS.getLogger(); + + /** + * Returns the implementation name. + */ + public String getImplName() { + return "OCSPPublisher"; + } + + /** + * Returns the description of the ldap publisher. + */ + public String getDescription() { + return "This publisher writes the CRL to CMS's OCSP server."; + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_HOST + ";string;Host of CMS's OCSP Secure agent service", + PROP_PORT + ";string;Port of CMS's OCSP Secure agent service", + PROP_PATH + ";string;URI of CMS's OCSP Secure agent service", + PROP_NICK + ";string;Nickname of cert used for client authentication", + PROP_CLIENT_AUTH_ENABLE + ";boolean;Client Authentication enabled", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ldappublish-publisher-ocsppublisher", + IExtendedPluginInfo.HELP_TEXT + + ";Publishes CRLs to a Online Certificate Status Manager, an OCSP responder provided by CMS." + }; + + return params; + } + + /** + * Returns the current instance parameters. 
+ */ + public Vector getInstanceParams() { + Vector v = new Vector(); + String host = ""; + String port = ""; + String path = ""; + String nickname = ""; + String clientAuthEnabled = ""; + + try { + host = mConfig.getString(PROP_HOST); + } catch (EBaseException e) { + } + v.addElement(PROP_HOST + "=" + host); + try { + port = mConfig.getString(PROP_PORT); + } catch (EBaseException e) { + } + v.addElement(PROP_PORT + "=" + port); + try { + path = mConfig.getString(PROP_PATH); + } catch (EBaseException e) { + } + v.addElement(PROP_PATH + "=" + path); + try { + nickname = mConfig.getString(PROP_NICK); + } catch (EBaseException e) { + } + v.addElement(PROP_NICK + "=" + nickname); + try { + clientAuthEnabled = mConfig.getString(PROP_CLIENT_AUTH_ENABLE); + } catch (EBaseException e) { + } + v.addElement(PROP_CLIENT_AUTH_ENABLE + "=" + clientAuthEnabled); + return v; + } + + /** + * Returns the initial default parameters. + */ + public Vector getDefaultParams() { + Vector v = new Vector(); + + IConfigStore config = CMS.getConfigStore(); + String nickname = ""; + // get subsystem cert nickname as default for client auth + try { + nickname = config.getString("ca.subsystem.nickname", ""); + String tokenname = config.getString("ca.subsystem.tokenname", ""); + if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")) + nickname = tokenname + ":" + nickname; + } catch (Exception e) { + } + + v.addElement(PROP_HOST + "="); + v.addElement(PROP_PORT + "="); + v.addElement(PROP_PATH + "=/ocsp/agent/ocsp/addCRL"); + v.addElement(PROP_CLIENT_AUTH_ENABLE + "=true"); + v.addElement(PROP_NICK + "=" + nickname); + return v; + } + + /** + * Initializes this plugin. 
+ */ + public void init(IConfigStore config) { + mConfig = config; + try { + mHost = mConfig.getString(PROP_HOST, ""); + mPort = mConfig.getString(PROP_PORT, ""); + mPath = mConfig.getString(PROP_PATH, ""); + mNickname = mConfig.getString(PROP_NICK, ""); + mClientAuthEnabled = mConfig.getBoolean(PROP_CLIENT_AUTH_ENABLE, true); + } catch (EBaseException e) { + } + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + protected Socket Connect(String host, boolean secure, JssSSLSocketFactory factory) { + Socket socket = null; + StringTokenizer st = new StringTokenizer(host, " "); + while (st.hasMoreTokens()) { + String hp = st.nextToken(); // host:port + StringTokenizer st1 = new StringTokenizer(hp, ":"); + String h = st1.nextToken(); + int p = Integer.parseInt(st1.nextToken()); + try { + if (secure) { + socket = factory.makeSocket(h, p); + } else { + socket = new Socket(h, p); + } + return socket; + } catch (Exception e) { + } + try { + Thread.sleep(5000); // 5 seconds delay + } catch (Exception e) { + } + } + return null; + } + + /** + * Publishs a object to the ldap directory. 
+ * + * @param conn a Ldap connection + * (null if LDAP publishing is not enabled) + * @param dn dn of the ldap entry to publish cert + * (null if LDAP publishing is not enabled) + * @param object object to publish + * (java.security.cert.X509Certificate or, + * java.security.cert.X509CRL) + */ + public synchronized void publish(LDAPConnection conn, String dn, Object object) + throws ELdapException { + try { + if (!(object instanceof X509CRL)) + return; + X509CRL crl = (X509CRL) object; + + // talk to agent port of CMS + + // open the connection and prepare it to POST + boolean secure = true; + + String host = mHost; + int port = Integer.parseInt(mPort); + String path = mPath; + + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_INFO, "OCSPPublisher: " + + "Host='" + host + "' Port='" + port + + "' URL='" + path + "'"); + CMS.debug("OCSPPublisher: " + + "Host='" + host + "' Port='" + port + + "' URL='" + path + "'"); + + StringBuffer query = new StringBuffer(); + query.append("crl="); + query.append(URLEncoder.encode("-----BEGIN CERTIFICATE REVOCATION LIST-----\n", "UTF-8")); + query.append(URLEncoder.encode(CMS.BtoA(crl.getEncoded()), "UTF-8")); + query.append(URLEncoder.encode("\n-----END CERTIFICATE REVOCATION LIST-----", "UTF-8")); + query.append("&noui=true"); + + Socket socket = null; + JssSSLSocketFactory factory; + + if (mClientAuthEnabled) { + factory = new JssSSLSocketFactory(mNickname); + } else { + factory = new JssSSLSocketFactory(); + } + + if (mHost != null && mHost.indexOf(' ') != -1) { + // support failover hosts configuration + // host parameter can be + // "directory.knowledge.com:1050 people.catalog.com 199.254.1.2" + do { + socket = Connect(mHost, secure, factory); + } while (socket == null); + } else { + if (secure) { + socket = factory.makeSocket(host, port); + } else { + socket = new Socket(host, port); + } + } + + if (socket == null) { + CMS.debug("OCSPPublisher::publish() - socket is null!"); + throw new ELdapException("socket 
is null"); + } + + // use HttpRequest and POST + HttpRequest httpReq = new HttpRequest(); + + httpReq.setMethod("POST"); + httpReq.setURI(path); + httpReq.setHeader("Connection", "Keep-Alive"); + + httpReq.setHeader("Content-Type", + "application/x-www-form-urlencoded"); + httpReq.setHeader("Content-Transfer-Encoding", "7bit"); + + httpReq.setHeader("Content-Length", + Integer.toString(query.length())); + httpReq.setContent(query.toString()); + OutputStream os = socket.getOutputStream(); + OutputStreamWriter outputStreamWriter = new OutputStreamWriter(os, "UTF8"); + + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_INFO, "OCSPPublisher: start sending CRL"); + long startTime = CMS.getCurrentDate().getTime(); + CMS.debug("OCSPPublisher: start CRL sending startTime=" + startTime); + httpReq.write(outputStreamWriter); + long endTime = CMS.getCurrentDate().getTime(); + CMS.debug("OCSPPublisher: done CRL sending endTime=" + endTime + " diff=" + (endTime - startTime)); + + // Read the response + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_INFO, "OCSPPublisher: start getting response"); + DataInputStream dis = new DataInputStream(socket.getInputStream()); + String nextline; + String error = ""; + boolean status = false; + + while ((nextline = dis.readLine()) != null) { + if (nextline.startsWith("status=")) { + if (nextline.substring(7, nextline.length()).equals("0")) { + status = true; + } + } + if (nextline.startsWith("error=")) { + error = nextline.substring(6, nextline.length()); + } + } + dis.close(); + if (status) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_INFO, "OCSPPublisher: successful"); + } else { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_INFO, "OCSPPublisher: failed - " + error); + } + + } catch (IOException e) { + CMS.debug("OCSPPublisher: publish failed " + e.toString()); + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_FAILURE, 
CMS.getLogMessage("PUBLISH_OCSP_PUBLISHER_ERROR", e.toString())); + } catch (CRLException e) { + CMS.debug("OCSPPublisher: publish failed " + e.toString()); + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_OCSP_PUBLISHER_ERROR", e.toString())); + } catch (Exception e) { + CMS.debug("OCSPPublisher: publish failed " + e.toString()); + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_OCSP_PUBLISHER_ERROR", e.toString())); + } + } + + /** + * Unpublishs a object to the ldap directory. + * + * @param conn the Ldap connection + * (null if LDAP publishing is not enabled) + * @param dn dn of the ldap entry to unpublish cert + * (null if LDAP publishing is not enabled) + * @param object object to unpublish + * (java.security.cert.X509Certificate) + */ + public void unpublish(LDAPConnection conn, String dn, Object object) + throws ELdapException { + // NOT USED + } +} diff --git a/base/common/src/com/netscape/cms/publish/publishers/PublisherUtils.java b/base/common/src/com/netscape/cms/publish/publishers/PublisherUtils.java new file mode 100644 index 000000000..af8d283dd --- /dev/null +++ b/base/common/src/com/netscape/cms/publish/publishers/PublisherUtils.java 
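Review bot: In publish() the failover path `do { socket = Connect(mHost, secure, factory); } while (socket == null);` has no retry cap, and publish() is `synchronized`, so if every configured host is unreachable the thread spins forever (5-second sleep per host) while holding the publisher lock; Connect()'s `catch (Exception e) {}` around Thread.sleep also swallows InterruptedException without re-interrupting, so the loop cannot even be cancelled. Bound the attempts (a counter checked in the while condition that then throws ELdapException) and re-assert the interrupt with `Thread.currentThread().interrupt()` in that handler. Separately, a non-zero `status=` from the responder, every IOException/CRLException, and even the existing `throw new ELdapException("socket is null")` are all absorbed by the trailing `catch (Exception e)` and only logged, so the method always returns normally and the caller never learns that the CRL did not reach the OCSP responder; the `else` after `if (status)` should end with `throw new ELdapException("OCSPPublisher: failed - " + error);` and the catch blocks should rethrow as ELdapException rather than just log. The socket is also closed only through `dis.close()` on the success path, so on any exception before that point it leaks.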
@@ -0,0 +1,136 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.publish.publishers; + +import java.io.BufferedReader; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.io.OutputStreamWriter; +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.text.SimpleDateFormat; +import java.util.Date; +import java.util.Vector; + +/** + * Publisher utility class. + * + * @version $Revision$, $Date$ + */ +public class PublisherUtils { + public static void checkHost(String hostname) throws UnknownHostException { + InetAddress.getByName(hostname); + } + + public static void copyStream(InputStream in, OutputStream out) throws IOException { + byte[] buf = new byte[4096]; + int len; + + while ((len = in.read(buf)) != -1) { + out.write(buf, 0, len); + } + } + + public static void copyStream(BufferedReader in, OutputStreamWriter out) throws IOException { + char[] buf = new char[4096]; + int len; + + while ((len = in.read(buf)) != -1) { + out.write(buf, 0, len); + } + } + + /// Sorts an array of Strings. + // Java currently has no general sort function. Sorting Strings is + // common enough that it's worth making a special case. 
+ public static void sortStrings(String[] strings) { + // Just does a bubblesort. + for (int i = 0; i < strings.length - 1; ++i) { + for (int j = i + 1; j < strings.length; ++j) { + if (strings[i].compareTo(strings[j]) > 0) { + String t = strings[i]; + + strings[i] = strings[j]; + strings[j] = t; + } + } + } + } + + /// Returns a date string formatted in Unix ls style - if it's within + // six months of now, Mmm dd hh:ss, else Mmm dd yyyy. + public static String lsDateStr(Date date) { + long dateTime = date.getTime(); + + if (dateTime == -1L) + return "------------"; + long nowTime = System.currentTimeMillis(); + SimpleDateFormat formatter = new SimpleDateFormat(); + + if (Math.abs(nowTime - dateTime) < 183L * 24L * 60L * 60L * 1000L) + formatter.applyPattern("MMM dd hh:ss"); + else + formatter.applyPattern("MMM dd yyyy"); + return formatter.format(date); + } + + /** + * compares contents two byte arrays returning true if exactly same. + */ + static public boolean byteArraysAreEqual(byte[] a, byte[] b) { + if (a.length != b.length) + return false; + for (int i = 0; i < a.length; i++) { + if (a[i] != b[i]) + return false; + } + return true; + } + + /** + * strips out double quotes around String parameter + * + * @param s the string potentially bracketed with double quotes + * @return string stripped of surrounding double quotes + */ + public static String stripQuotes(String s) { + if (s == null) { + return s; + } + + if ((s.startsWith("\"")) && (s.endsWith("\""))) { + return (s.substring(1, (s.length() - 1))); + } + + return s; + } + + /** + * returns an array of strings from a vector of Strings + * there'll be trouble if the Vector contains something other + * than just Strings + */ + public static String[] getStringArrayFromVector(Vector v) { + String s[] = new String[v.size()]; + + v.copyInto(s); + return s; + } + +} 
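Review bot: `byteArraysAreEqual` returns at the first mismatching byte and dereferences both arguments without a null check, so it throws NullPointerException on a null argument and, if any caller uses it to compare key material or MAC output (no caller is visible in this hunk), the early exit leaks the index of the first differing byte through timing; after a null guard, `return java.security.MessageDigest.isEqual(a, b);` keeps the same contract with a constant-time comparison. Separately, `lsDateStr` applies the pattern `"MMM dd hh:ss"`, which prints a 12-hour hour followed by seconds and no minutes; the intent described in the comment reads as `"MMM dd HH:mm"`. `sortStrings` hand-rolls an O(n²) bubble sort where `Arrays.sort(strings)` yields the same `compareTo` ordering, and `getStringArrayFromVector(Vector v)` should take `Vector<String>` so the "trouble if the Vector contains something other than Strings" caveat becomes a compile-time check.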
diff --git a/base/common/src/com/netscape/cms/request/RequestScheduler.java b/base/common/src/com/netscape/cms/request/RequestScheduler.java
new file mode 100644
index 000000000..e0ebaefc4
--- /dev/null
+++ b/base/common/src/com/netscape/cms/request/RequestScheduler.java
@@ -0,0 +1,71 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.request; + +import java.util.Vector; + +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IRequestScheduler; + +/** + * This class represents a request scheduler that prioritizes + * the threads based on the request processing order. + * The request that enters the request queue first should + * be processed first. + * + * @version $Revision$, $Date$ + */ +public class RequestScheduler implements IRequestScheduler { + private Vector mRequestThreads = new Vector(); + + /** + * Request entered the request queue processing. + * + * @param r request + */ + public synchronized void requestIn(IRequest r) { + Thread current = Thread.currentThread(); + + if (mRequestThreads.size() == 0) { + current.setPriority(Thread.MAX_PRIORITY); + } + mRequestThreads.addElement(current); + } + + /** + * Request exited the request queue processing. 
+ * + * @param r request + */ + public synchronized void requestOut(IRequest r) { + Thread current = Thread.currentThread(); + Thread first = (Thread) mRequestThreads.elementAt(0); + + if (current.equals(first)) { + // reprioritize + try { + Thread second = (Thread) mRequestThreads.elementAt(1); + + second.setPriority(Thread.MAX_PRIORITY); + } catch (Exception e) { + // no second element; nothing to do + } + } + mRequestThreads.removeElement(current); + } +} diff --git a/base/common/src/com/netscape/cms/selftests/ASelfTest.java b/base/common/src/com/netscape/cms/selftests/ASelfTest.java new file mode 100644 index 000000000..cdd86ccaf --- /dev/null +++ b/base/common/src/com/netscape/cms/selftests/ASelfTest.java 
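Review bot: `requestOut` calls `mRequestThreads.elementAt(0)` before checking that the Vector is non-empty, so a requestOut without a matching requestIn (or a second requestOut from the same thread) fails with ArrayIndexOutOfBoundsException inside a synchronized method, and the `catch (Exception e)` meant to detect a missing second element also silently swallows a SecurityException thrown by `setPriority`. A size check replaces the exception-driven control flow (rewrite below). Note also that the MAX_PRIORITY assigned in `requestIn` is never lowered again, so a thread keeps MAX_PRIORITY after it leaves the queue; whether that is intended is not visible here, and restoring the previous priority would require recording it in requestIn. The raw `Vector` should be declared `Vector<Thread>` so the casts disappear.
```java
    public synchronized void requestOut(IRequest r) {
        Thread current = Thread.currentThread();

        if (mRequestThreads.isEmpty()) {
            return; // requestOut without a matching requestIn; nothing to reprioritize
        }
        Thread first = (Thread) mRequestThreads.elementAt(0);

        // hand MAX_PRIORITY to the next waiting thread only when one exists
        if (current.equals(first) && mRequestThreads.size() > 1) {
            Thread second = (Thread) mRequestThreads.elementAt(1);

            second.setPriority(Thread.MAX_PRIORITY);
        }
        mRequestThreads.removeElement(current);
    }
```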
@@ -0,0 +1,193 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +// package statement // +/////////////////////// + +package com.netscape.cms.selftests; + +/////////////////////// +// import statements // +/////////////////////// + +import java.util.Locale; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.logging.ILogEventListener; +import com.netscape.certsrv.selftests.EDuplicateSelfTestException; +import com.netscape.certsrv.selftests.EInvalidSelfTestException; +import com.netscape.certsrv.selftests.EMissingSelfTestException; +import com.netscape.certsrv.selftests.ESelfTestException; +import com.netscape.certsrv.selftests.ISelfTest; +import com.netscape.certsrv.selftests.ISelfTestSubsystem; + +////////////////////// +// class definition // +////////////////////// + +/** + * This class implements an individual self test. + *

+ * + * @author mharmsen + * @author thomask + * @version $Revision$, $Date$ + */ +public abstract class ASelfTest + implements ISelfTest { + //////////////////////// + // default parameters // + //////////////////////// + + ////////////////////////// + // ISelfTest parameters // + ////////////////////////// + + // parameter information + private static final String SELF_TEST_NAME = "ASelfTest"; + + // variables associated with this specific object + protected ISelfTestSubsystem mSelfTestSubsystem = null; + protected String mInstanceName = null; + protected IConfigStore mConfig = null; + protected String mPrefix = null; + + ///////////////////// + // default methods // + ///////////////////// + + /////////////////////// + // ISelfTest methods // + /////////////////////// + + /** + * Initializes this subsystem with the configuration store + * associated with this instance name. + *

+ * + * @param subsystem the associated subsystem + * @param instanceName the name of this self test instance + * @param parameters configuration store (self test parameters) + * @exception EDuplicateSelfTestException subsystem has duplicate name/value + * @exception EInvalidSelfTestException subsystem has invalid name/value + * @exception EMissingSelfTestException subsystem has missing name/value + */ + public void initSelfTest(ISelfTestSubsystem subsystem, + String instanceName, + IConfigStore parameters) + throws EDuplicateSelfTestException, + EInvalidSelfTestException, + EMissingSelfTestException { + // store individual self test class values for this instance + mSelfTestSubsystem = (ISelfTestSubsystem) subsystem; + + // strip preceding/trailing whitespace + // from passed-in String parameters + if (instanceName != null) { + instanceName = instanceName.trim(); + } else { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage( + "SELFTESTS_PARAMETER_WAS_NULL", + SELF_TEST_NAME)); + + throw new EMissingSelfTestException(); + } + + // store additional individual self test class values for this instance + mInstanceName = instanceName; + + // compose self test plugin parameter property prefix + String pluginPath = PROP_PLUGIN + "." + instanceName; + + mConfig = parameters.getSubStore(pluginPath); + + if ((mConfig != null) && + (mConfig.getName() != null) && + (mConfig.getName() != "")) { + mPrefix = mConfig.getName().trim(); + } else { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage( + "SELFTESTS_PARAMETER_WAS_NULL", + SELF_TEST_NAME)); + + throw new EMissingSelfTestException(); + } + + return; + } + + /** + * Notifies this subsystem if it is in execution mode. + *

+ * + * @exception ESelfTestException failed to start + */ + public abstract void startupSelfTest() + throws ESelfTestException; + + /** + * Stops this subsystem. The subsystem may call shutdownSelfTest + * anytime after initialization. + *

+ */ + public abstract void shutdownSelfTest(); + + /** + * Returns the name associated with this self test. This method may + * return null if the self test has not been intialized. + *

+ * + * @return instanceName of this self test + */ + public String getSelfTestName() { + return mInstanceName; + } + + /** + * Returns the root configuration storage (self test parameters) + * associated with this subsystem. + *

+ * + * @return configuration store (self test parameters) of this subsystem + */ + public IConfigStore getSelfTestConfigStore() { + return mConfig; + } + + /** + * Retrieves description associated with an individual self test. + * This method may return null. + *

+ * + * @param locale locale of the client that requests the description + * @return description of self test + */ + public abstract String getSelfTestDescription(Locale locale); + + /** + * Execute an individual self test. + *

+ * + * @param logger specifies logging subsystem + * @exception ESelfTestException self test exception + */ + public abstract void runSelfTest(ILogEventListener logger) + throws ESelfTestException; +} diff --git a/base/common/src/com/netscape/cms/selftests/ca/CAPresence.java b/base/common/src/com/netscape/cms/selftests/ca/CAPresence.java new file mode 100644 index 000000000..c9c12bb42 --- /dev/null +++ b/base/common/src/com/netscape/cms/selftests/ca/CAPresence.java 
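Review bot: `initSelfTest` tests `mConfig.getName() != ""` by reference, which compares object identity rather than content, so a config store whose name is an empty string built at runtime (not the interned literal) passes the check and `mPrefix` becomes `""`; the check also accepts a whitespace-only name because `trim()` runs only after it. Replace the condition with a content check: `String name = (mConfig != null) ? mConfig.getName() : null;` / `if (name != null && name.trim().length() > 0) {` / `mPrefix = name.trim();`. The `(ISelfTestSubsystem) subsystem` cast is redundant since the parameter already has that type, and if `subsystem` is null the null-instanceName branch dereferences `mSelfTestSubsystem` before it can log anything, so a `subsystem == null` guard that throws EMissingSelfTestException ahead of the logging calls would be safer.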
@@ -0,0 +1,262 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +// package statement // +/////////////////////// + +package com.netscape.cms.selftests.ca; + +/////////////////////// +// import statements // +/////////////////////// + +import java.security.cert.CertificateParsingException; +import java.util.Locale; + +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509Key; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.logging.ILogEventListener; +import com.netscape.certsrv.selftests.EDuplicateSelfTestException; +import com.netscape.certsrv.selftests.EInvalidSelfTestException; +import com.netscape.certsrv.selftests.EMissingSelfTestException; +import com.netscape.certsrv.selftests.ESelfTestException; +import com.netscape.certsrv.selftests.ISelfTestSubsystem; +import com.netscape.cms.selftests.ASelfTest; + +////////////////////// +// class definition // +////////////////////// + +/** + * This class implements a self test to check for CA presence. + *

+ * + * @author mharmsen + * @author thomask + * @version $Revision$, $Date$ + */ +public class CAPresence + extends ASelfTest { + //////////////////////// + // default parameters // + //////////////////////// + + /////////////////////////// + // CAPresence parameters // + /////////////////////////// + + // parameter information + public static final String PROP_CA_SUB_ID = "CaSubId"; + private String mCaSubId = null; + + ///////////////////// + // default methods // + ///////////////////// + + //////////////////////// + // CAPresence methods // + //////////////////////// + + /** + * Initializes this subsystem with the configuration store + * associated with this instance name. + *

+ * + * @param subsystem the associated subsystem + * @param instanceName the name of this self test instance + * @param parameters configuration store (self test parameters) + * @exception EDuplicateSelfTestException subsystem has duplicate name/value + * @exception EInvalidSelfTestException subsystem has invalid name/value + * @exception EMissingSelfTestException subsystem has missing name/value + */ + public void initSelfTest(ISelfTestSubsystem subsystem, + String instanceName, + IConfigStore parameters) + throws EDuplicateSelfTestException, + EInvalidSelfTestException, + EMissingSelfTestException { + super.initSelfTest(subsystem, instanceName, parameters); + + // retrieve mandatory parameter(s) + try { + mCaSubId = mConfig.getString(PROP_CA_SUB_ID); + if (mCaSubId != null) { + mCaSubId = mCaSubId.trim(); + } else { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage( + "SELFTESTS_MISSING_VALUES", + getSelfTestName(), + mPrefix + + "." + + PROP_CA_SUB_ID)); + + throw new EMissingSelfTestException(PROP_CA_SUB_ID); + } + } catch (EBaseException e) { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage( + "SELFTESTS_MISSING_NAME", + getSelfTestName(), + mPrefix + + "." + + PROP_CA_SUB_ID)); + + throw new EMissingSelfTestException(mPrefix, + PROP_CA_SUB_ID, + null); + } + + // retrieve optional parameter(s) + + return; + } + + /** + * Notifies this subsystem if it is in execution mode. + *

+ * + * @exception ESelfTestException failed to start + */ + public void startupSelfTest() + throws ESelfTestException { + return; + } + + /** + * Stops this subsystem. The subsystem may call shutdownSelfTest + * anytime after initialization. + *

+ */ + public void shutdownSelfTest() { + return; + } + + /** + * Returns the name associated with this self test. This method may + * return null if the self test has not been intialized. + *

+ * + * @return instanceName of this self test + */ + public String getSelfTestName() { + return super.getSelfTestName(); + } + + /** + * Returns the root configuration storage (self test parameters) + * associated with this subsystem. + *

+ * + * @return configuration store (self test parameters) of this subsystem + */ + public IConfigStore getSelfTestConfigStore() { + return super.getSelfTestConfigStore(); + } + + /** + * Retrieves description associated with an individual self test. + * This method may return null. + *

+ * + * @param locale locale of the client that requests the description + * @return description of self test + */ + public String getSelfTestDescription(Locale locale) { + return CMS.getUserMessage(locale, + "CMS_SELFTESTS_CA_PRESENCE_DESCRIPTION"); + } + + /** + * Execute an individual self test. + *

+ * + * @param logger specifies logging subsystem + * @exception ESelfTestException self test exception + */ + public void runSelfTest(ILogEventListener logger) + throws ESelfTestException { + String logMessage = null; + ICertificateAuthority ca = null; + X509CertImpl caCert = null; + X509Key caPubKey = null; + + ca = (ICertificateAuthority) CMS.getSubsystem(mCaSubId); + + if (ca == null) { + // log that the CA is not installed + logMessage = CMS.getLogMessage("SELFTESTS_CA_IS_NOT_PRESENT", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } else { + // Retrieve the CA certificate + caCert = ca.getCACert(); + + if (caCert == null) { + // log that the CA is not yet initialized + logMessage = CMS.getLogMessage( + "SELFTESTS_CA_IS_NOT_INITIALIZED", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } + + // Retrieve the CA certificate public key + try { + caPubKey = (X509Key) caCert.get(X509CertImpl.PUBLIC_KEY); + + if (caPubKey == null) { + // log that something is seriously wrong with the CA + logMessage = CMS.getLogMessage("SELFTESTS_CA_IS_CORRUPT", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } + } catch (CertificateParsingException e) { + // log that something is seriously wrong with the CA + mSelfTestSubsystem.log(logger, + e.toString()); + + throw new ESelfTestException(e.toString()); + } + + // log that the CA is present + logMessage = CMS.getLogMessage("SELFTESTS_CA_IS_PRESENT", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + } + + return; + } +} diff --git a/base/common/src/com/netscape/cms/selftests/ca/CAValidity.java b/base/common/src/com/netscape/cms/selftests/ca/CAValidity.java new file mode 100644 index 000000000..9325208f9 --- /dev/null +++ b/base/common/src/com/netscape/cms/selftests/ca/CAValidity.java 
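Review bot: In `runSelfTest`, the `CertificateParsingException` path logs and throws only `e.toString()`, while the sibling null-key branch emits the localized `SELFTESTS_CA_IS_CORRUPT` message, so the same underlying condition (unusable CA public key) produces two different audit lines and the exception detail is reduced to a string. Log the same message in both branches, e.g. `logMessage = CMS.getLogMessage("SELFTESTS_CA_IS_CORRUPT", getSelfTestName());` / `mSelfTestSubsystem.log(logger, logMessage + ": " + e);` / `throw new ESelfTestException(logMessage);`. In `initSelfTest`, the `throw new EMissingSelfTestException(PROP_CA_SUB_ID)` inside the `try` will itself be caught by `catch (EBaseException e)` if EMissingSelfTestException descends from EBaseException (it lives in the same certsrv hierarchy, so presumably it does), logging `SELFTESTS_MISSING_VALUES` and then `SELFTESTS_MISSING_NAME` for a single missing value; move the null check out of the try block, or catch only the exception type `getString` actually throws.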
@@ -0,0 +1,262 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +// package statement // +/////////////////////// + +package com.netscape.cms.selftests.ca; + +/////////////////////// +// import statements // +/////////////////////// + +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateNotYetValidException; +import java.util.Locale; + +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.logging.ILogEventListener; +import com.netscape.certsrv.selftests.EDuplicateSelfTestException; +import com.netscape.certsrv.selftests.EInvalidSelfTestException; +import com.netscape.certsrv.selftests.EMissingSelfTestException; +import com.netscape.certsrv.selftests.ESelfTestException; +import com.netscape.certsrv.selftests.ISelfTestSubsystem; +import com.netscape.cms.selftests.ASelfTest; + +////////////////////// +// class definition // +////////////////////// + +/** + * This class implements a self test to check the validity of the CA. + *

+ * + * @author mharmsen + * @author thomask + * @version $Revision$, $Date$ + */ +public class CAValidity + extends ASelfTest { + //////////////////////// + // default parameters // + //////////////////////// + + /////////////////////////// + // CAValidity parameters // + /////////////////////////// + + // parameter information + public static final String PROP_CA_SUB_ID = "CaSubId"; + private String mCaSubId = null; + + ///////////////////// + // default methods // + ///////////////////// + + //////////////////////// + // CAValidity methods // + //////////////////////// + + /** + * Initializes this subsystem with the configuration store + * associated with this instance name. + *

+ * + * @param subsystem the associated subsystem + * @param instanceName the name of this self test instance + * @param parameters configuration store (self test parameters) + * @exception EDuplicateSelfTestException subsystem has duplicate name/value + * @exception EInvalidSelfTestException subsystem has invalid name/value + * @exception EMissingSelfTestException subsystem has missing name/value + */ + public void initSelfTest(ISelfTestSubsystem subsystem, + String instanceName, + IConfigStore parameters) + throws EDuplicateSelfTestException, + EInvalidSelfTestException, + EMissingSelfTestException { + super.initSelfTest(subsystem, instanceName, parameters); + + // retrieve mandatory parameter(s) + try { + mCaSubId = mConfig.getString(PROP_CA_SUB_ID); + if (mCaSubId != null) { + mCaSubId = mCaSubId.trim(); + } else { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage( + "SELFTESTS_MISSING_VALUES", + getSelfTestName(), + mPrefix + + "." + + PROP_CA_SUB_ID)); + + throw new EMissingSelfTestException(PROP_CA_SUB_ID); + } + } catch (EBaseException e) { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage( + "SELFTESTS_MISSING_NAME", + getSelfTestName(), + mPrefix + + "." + + PROP_CA_SUB_ID)); + + throw new EMissingSelfTestException(mPrefix, + PROP_CA_SUB_ID, + null); + } + + // retrieve optional parameter(s) + + return; + } + + /** + * Notifies this subsystem if it is in execution mode. + *

+ * + * @exception ESelfTestException failed to start + */ + public void startupSelfTest() + throws ESelfTestException { + return; + } + + /** + * Stops this subsystem. The subsystem may call shutdownSelfTest + * anytime after initialization. + *

+ */ + public void shutdownSelfTest() { + return; + } + + /** + * Returns the name associated with this self test. This method may + * return null if the self test has not been intialized. + *

+ * + * @return instanceName of this self test + */ + public String getSelfTestName() { + return super.getSelfTestName(); + } + + /** + * Returns the root configuration storage (self test parameters) + * associated with this subsystem. + *

+ * + * @return configuration store (self test parameters) of this subsystem + */ + public IConfigStore getSelfTestConfigStore() { + return super.getSelfTestConfigStore(); + } + + /** + * Retrieves description associated with an individual self test. + * This method may return null. + *

+ * + * @param locale locale of the client that requests the description + * @return description of self test + */ + public String getSelfTestDescription(Locale locale) { + return CMS.getUserMessage(locale, + "CMS_SELFTESTS_CA_VALIDITY_DESCRIPTION"); + } + + /** + * Execute an individual self test. + *

+ * + * @param logger specifies logging subsystem + * @exception ESelfTestException self test exception + */ + public void runSelfTest(ILogEventListener logger) + throws ESelfTestException { + String logMessage = null; + ICertificateAuthority ca = null; + X509CertImpl caCert = null; + + ca = (ICertificateAuthority) CMS.getSubsystem(mCaSubId); + + if (ca == null) { + // log that the CA is not installed + logMessage = CMS.getLogMessage("SELFTESTS_CA_IS_NOT_PRESENT", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } else { + // Retrieve the CA certificate + caCert = ca.getCACert(); + + if (caCert == null) { + // log that the CA is not yet initialized + logMessage = CMS.getLogMessage( + "SELFTESTS_CA_IS_NOT_INITIALIZED", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } + + // Retrieve the CA validity period + try { + caCert.checkValidity(); + } catch (CertificateNotYetValidException e) { + // log that the CA is not yet valid + logMessage = CMS.getLogMessage("SELFTESTS_CA_IS_NOT_YET_VALID", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } catch (CertificateExpiredException e) { + // log that the CA is expired + logMessage = CMS.getLogMessage("SELFTESTS_CA_IS_EXPIRED", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } + + // log that the CA is valid + logMessage = CMS.getLogMessage("SELFTESTS_CA_IS_VALID", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + } + + return; + } +} diff --git a/base/common/src/com/netscape/cms/selftests/common/SystemCertsVerification.java b/base/common/src/com/netscape/cms/selftests/common/SystemCertsVerification.java new file mode 100644 index 000000000..57afffdf2 --- /dev/null 
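Review bot: `initSelfTest` here is a line-for-line copy of CAPresence.initSelfTest (same `PROP_CA_SUB_ID`, same logging, same exception mapping), and its catch block does not forward the caught `e` — the constructor is called as `EMissingSelfTestException(mPrefix, PROP_CA_SUB_ID, null)` — so the root cause of a config read failure appears nowhere unless that constructor logs it. A protected helper on ASelfTest, e.g. `protected String getRequiredParameter(String prop) throws EMissingSelfTestException`, would hold this logic once and let both CA self tests call `mCaSubId = getRequiredParameter(PROP_CA_SUB_ID);`. In `runSelfTest`, `checkValidity()` only asserts that the CA certificate is valid at this instant, so a CA expiring tomorrow passes with `SELFTESTS_CA_IS_VALID`; if the self-test framework is meant to warn operators ahead of expiry, the notAfter value is available on the `X509CertImpl` and could be logged alongside the success message.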
+++ b/base/common/src/com/netscape/cms/selftests/common/SystemCertsVerification.java @@ -0,0 +1,213 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2010 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +// package statement // +/////////////////////// + +package com.netscape.cms.selftests.common; + +/////////////////////// +// import statements // +/////////////////////// + +import java.util.Locale; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.logging.ILogEventListener; +import com.netscape.certsrv.selftests.EDuplicateSelfTestException; +import com.netscape.certsrv.selftests.EInvalidSelfTestException; +import com.netscape.certsrv.selftests.EMissingSelfTestException; +import com.netscape.certsrv.selftests.ESelfTestException; +import com.netscape.certsrv.selftests.ISelfTestSubsystem; +import com.netscape.cms.selftests.ASelfTest; + +////////////////////// +// class definition // +////////////////////// + +/** + * This class implements a self test to check the system certs + * of the subsystem + *

+ * + * @version $Revision: $, $Date: $ + */ +public class SystemCertsVerification + extends ASelfTest { + //////////////////////// + // default parameters // + //////////////////////// + + /////////////////////////// + // SystemCertsVerification parameters // + /////////////////////////// + + // parameter information + public static final String PROP_SUB_ID = "SubId"; + private String mSubId = null; + + ///////////////////// + // default methods // + ///////////////////// + + //////////////////////// + // SystemCertsVerification methods // + //////////////////////// + + /** + * Initializes this subsystem with the configuration store + * associated with this instance name. + *

+ * + * @param subsystem the associated subsystem + * @param instanceName the name of this self test instance + * @param parameters configuration store (self test parameters) + * @exception EDuplicateSelfTestException subsystem has duplicate name/value + * @exception EInvalidSelfTestException subsystem has invalid name/value + * @exception EMissingSelfTestException subsystem has missing name/value + */ + public void initSelfTest(ISelfTestSubsystem subsystem, + String instanceName, + IConfigStore parameters) + throws EDuplicateSelfTestException, + EInvalidSelfTestException, + EMissingSelfTestException { + super.initSelfTest(subsystem, instanceName, parameters); + + // retrieve mandatory parameter(s) + try { + mSubId = mConfig.getString(PROP_SUB_ID); + if (mSubId != null) { + mSubId = mSubId.trim(); + } else { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage( + "SELFTESTS_MISSING_VALUES", + getSelfTestName(), + mPrefix + + "." + + PROP_SUB_ID)); + + throw new EMissingSelfTestException(PROP_SUB_ID); + } + } catch (EBaseException e) { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage( + "SELFTESTS_MISSING_NAME", + getSelfTestName(), + mPrefix + + "." + + PROP_SUB_ID)); + + throw new EMissingSelfTestException(mPrefix, + PROP_SUB_ID, + null); + } + + // retrieve optional parameter(s) + + return; + } + + /** + * Notifies this subsystem if it is in execution mode. + *

+ * + * @exception ESelfTestException failed to start + */ + public void startupSelfTest() + throws ESelfTestException { + return; + } + + /** + * Stops this subsystem. The subsystem may call shutdownSelfTest + * anytime after initialization. + *

+ */ + public void shutdownSelfTest() { + return; + } + + /** + * Returns the name associated with this self test. This method may + * return null if the self test has not been intialized. + *

+ * + * @return instanceName of this self test + */ + public String getSelfTestName() { + return super.getSelfTestName(); + } + + /** + * Returns the root configuration storage (self test parameters) + * associated with this subsystem. + *

+ * + * @return configuration store (self test parameters) of this subsystem + */ + public IConfigStore getSelfTestConfigStore() { + return super.getSelfTestConfigStore(); + } + + /** + * Retrieves description associated with an individual self test. + * This method may return null. + *

+ * + * @param locale locale of the client that requests the description + * @return description of self test + */ + public String getSelfTestDescription(Locale locale) { + return CMS.getUserMessage(locale, + "CMS_SELFTESTS_SYSTEM_CERTS_VERIFICATION_DESCRIPTION"); + } + + /** + * Execute an individual self test. + *

+ * + * @param logger specifies logging subsystem + * @exception ESelfTestException self test exception + */ + public void runSelfTest(ILogEventListener logger) + throws ESelfTestException { + String logMessage = null; + boolean rc = false; + + rc = CMS.verifySystemCerts(); + if (rc == true) { + logMessage = CMS.getLogMessage("SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_SUCCESS", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + } else { + logMessage = CMS.getLogMessage("SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_FAILURE", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + throw new ESelfTestException(logMessage); + } + + return; + } +} diff --git a/base/common/src/com/netscape/cms/selftests/kra/KRAPresence.java b/base/common/src/com/netscape/cms/selftests/kra/KRAPresence.java new file mode 100644 index 000000000..01f5609bf --- /dev/null +++ b/base/common/src/com/netscape/cms/selftests/kra/KRAPresence.java 
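Review bot: `mSubId` is read as a mandatory parameter in `initSelfTest` (a missing `SubId` aborts initialization with EMissingSelfTestException) but is never used: `runSelfTest` calls `CMS.verifySystemCerts()` with no argument and the field is not referenced anywhere else in the class. Either the verification is meant to be scoped to the configured subsystem, in which case the call should pass it, or a comment should state that `verifySystemCerts()` covers the subsystem hosting this self test and `SubId` is kept only for configuration compatibility. `if (rc == true)` is just `if (rc)`, and because `verifySystemCerts()` returns only a boolean, the failure log line cannot name which system certificate failed; if the underlying check can report the nickname, surfacing it in `SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_FAILURE` would make the self-test actionable for an operator.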
@@ -0,0 +1,251 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +// package statement // +/////////////////////// + +package com.netscape.cms.selftests.kra; + +/////////////////////// +// import statements // +/////////////////////// + +import java.security.PublicKey; +import java.util.Locale; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.kra.IKeyRecoveryAuthority; +import com.netscape.certsrv.logging.ILogEventListener; +import com.netscape.certsrv.selftests.EDuplicateSelfTestException; +import com.netscape.certsrv.selftests.EInvalidSelfTestException; +import com.netscape.certsrv.selftests.EMissingSelfTestException; +import com.netscape.certsrv.selftests.ESelfTestException; +import com.netscape.certsrv.selftests.ISelfTestSubsystem; +import com.netscape.cms.selftests.ASelfTest; + +////////////////////// +// class definition // +////////////////////// + +/** + * This class implements a self test to check for KRA presence. + *

+ * + * @author mharmsen + * @author thomask + * @version $Revision$, $Date$ + */ +public class KRAPresence + extends ASelfTest { + //////////////////////// + // default parameters // + //////////////////////// + + /////////////////////////// + // KRAPresence parameters // + /////////////////////////// + + // parameter information + public static final String PROP_KRA_SUB_ID = "SubId"; + private String mSubId = null; + + ///////////////////// + // default methods // + ///////////////////// + + //////////////////////// + // KRAPresence methods // + //////////////////////// + + /** + * Initializes this subsystem with the configuration store + * associated with this instance name. + *

+ * + * @param subsystem the associated subsystem + * @param instanceName the name of this self test instance + * @param parameters configuration store (self test parameters) + * @exception EDuplicateSelfTestException subsystem has duplicate name/value + * @exception EInvalidSelfTestException subsystem has invalid name/value + * @exception EMissingSelfTestException subsystem has missing name/value + */ + public void initSelfTest(ISelfTestSubsystem subsystem, + String instanceName, + IConfigStore parameters) + throws EDuplicateSelfTestException, + EInvalidSelfTestException, + EMissingSelfTestException { + super.initSelfTest(subsystem, instanceName, parameters); + + // retrieve mandatory parameter(s) + try { + mSubId = mConfig.getString(PROP_KRA_SUB_ID); + if (mSubId != null) { + mSubId = mSubId.trim(); + } else { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage( + "SELFTESTS_MISSING_VALUES", + getSelfTestName(), + mPrefix + + "." + + PROP_KRA_SUB_ID)); + + throw new EMissingSelfTestException(PROP_KRA_SUB_ID); + } + } catch (EBaseException e) { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage( + "SELFTESTS_MISSING_NAME", + getSelfTestName(), + mPrefix + + "." + + PROP_KRA_SUB_ID)); + + throw new EMissingSelfTestException(mPrefix, + PROP_KRA_SUB_ID, + null); + } + + // retrieve optional parameter(s) + + return; + } + + /** + * Notifies this subsystem if it is in execution mode. + *

+ * + * @exception ESelfTestException failed to start + */ + public void startupSelfTest() + throws ESelfTestException { + return; + } + + /** + * Stops this subsystem. The subsystem may call shutdownSelfTest + * anytime after initialization. + *

+ */ + public void shutdownSelfTest() { + return; + } + + /** + * Returns the name associated with this self test. This method may + * return null if the self test has not been intialized. + *

+ * + * @return instanceName of this self test + */ + public String getSelfTestName() { + return super.getSelfTestName(); + } + + /** + * Returns the root configuration storage (self test parameters) + * associated with this subsystem. + *

+ * + * @return configuration store (self test parameters) of this subsystem + */ + public IConfigStore getSelfTestConfigStore() { + return super.getSelfTestConfigStore(); + } + + /** + * Retrieves description associated with an individual self test. + * This method may return null. + *

+ * + * @param locale locale of the client that requests the description + * @return description of self test + */ + public String getSelfTestDescription(Locale locale) { + return CMS.getUserMessage(locale, + "CMS_SELFTESTS_KRA_PRESENCE_DESCRIPTION"); + } + + /** + * Execute an individual self test. + *

+ * + * @param logger specifies logging subsystem + * @exception ESelfTestException self test exception + */ + public void runSelfTest(ILogEventListener logger) + throws ESelfTestException { + String logMessage = null; + IKeyRecoveryAuthority kra = null; + org.mozilla.jss.crypto.X509Certificate kraCert = null; + PublicKey kraPubKey = null; + + kra = (IKeyRecoveryAuthority) CMS.getSubsystem(mSubId); + + if (kra == null) { + // log that the KRA is not installed + logMessage = CMS.getLogMessage("SELFTESTS_KRA_IS_NOT_PRESENT", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } else { + // Retrieve the KRA certificate + kraCert = kra.getTransportCert(); + + if (kraCert == null) { + // log that the RA is not yet initialized + logMessage = CMS.getLogMessage( + "SELFTESTS_KRA_IS_NOT_INITIALIZED", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } + + // Retrieve the KRA certificate public key + kraPubKey = (PublicKey) kraCert.getPublicKey(); + + if (kraPubKey == null) { + // log that something is seriously wrong with the KRA + logMessage = CMS.getLogMessage("SELFTESTS_KRA_IS_CORRUPT", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } + + // log that the KRA is present + logMessage = CMS.getLogMessage("SELFTESTS_KRA_IS_PRESENT", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + } + + return; + } +} diff --git a/base/common/src/com/netscape/cms/selftests/ocsp/OCSPPresence.java b/base/common/src/com/netscape/cms/selftests/ocsp/OCSPPresence.java new file mode 100644 index 000000000..c862362a2 --- /dev/null +++ b/base/common/src/com/netscape/cms/selftests/ocsp/OCSPPresence.java 
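Review bot: The comment in the `kraCert == null` branch of runSelfTest reads `// log that the RA is not yet initialized`, a leftover from RAPresence; this branch reports a KRA whose transport certificate is not loaded, so it should read `// log that the KRA is not yet initialized (no transport certificate)`. In initSelfTest the catch block rethrows `new EMissingSelfTestException(mPrefix, PROP_KRA_SUB_ID, null)` and never logs or chains the caught EBaseException, so the reason the `SubId` lookup failed is lost; if that third argument is the wrapped cause, pass `e` instead of `null`, otherwise at least include `e.toString()` in the logged message. Also worth stating in the class Javadoc that this test only confirms a transport certificate with a public key is present; unlike OCSPValidity it does not check the certificate's validity period, which the "KRA is present" log message may otherwise be taken to imply.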
@@ -0,0 +1,280 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +// package statement // +/////////////////////// + +package com.netscape.cms.selftests.ocsp; + +/////////////////////// +// import statements // +/////////////////////// + +import java.security.cert.CertificateParsingException; +import java.util.Locale; + +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509Key; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.logging.ILogEventListener; +import com.netscape.certsrv.ocsp.IOCSPAuthority; +import com.netscape.certsrv.security.ISigningUnit; +import com.netscape.certsrv.selftests.EDuplicateSelfTestException; +import com.netscape.certsrv.selftests.EInvalidSelfTestException; +import com.netscape.certsrv.selftests.EMissingSelfTestException; +import com.netscape.certsrv.selftests.ESelfTestException; +import com.netscape.certsrv.selftests.ISelfTestSubsystem; +import com.netscape.cms.selftests.ASelfTest; + +////////////////////// +// class definition // +////////////////////// + +/** + * This class implements a self test to check for OCSP presence. + *

+ * + * @author mharmsen + * @author thomask + * @version $Revision$, $Date$ + */ +public class OCSPPresence + extends ASelfTest { + //////////////////////// + // default parameters // + //////////////////////// + + ///////////////////////////// + // OCSPPresence parameters // + ///////////////////////////// + + // parameter information + public static final String PROP_OCSP_SUB_ID = "OcspSubId"; + private String mOcspSubId = null; + + ///////////////////// + // default methods // + ///////////////////// + + ////////////////////////// + // OCSPPresence methods // + ////////////////////////// + + /** + * Initializes this subsystem with the configuration store + * associated with this instance name. + *

+ * + * @param subsystem the associated subsystem + * @param instanceName the name of this self test instance + * @param parameters configuration store (self test parameters) + * @exception EDuplicateSelfTestException subsystem has duplicate name/value + * @exception EInvalidSelfTestException subsystem has invalid name/value + * @exception EMissingSelfTestException subsystem has missing name/value + */ + public void initSelfTest(ISelfTestSubsystem subsystem, + String instanceName, + IConfigStore parameters) + throws EDuplicateSelfTestException, + EInvalidSelfTestException, + EMissingSelfTestException { + super.initSelfTest(subsystem, instanceName, parameters); + + // retrieve mandatory parameter(s) + try { + mOcspSubId = mConfig.getString(PROP_OCSP_SUB_ID); + if (mOcspSubId != null) { + mOcspSubId = mOcspSubId.trim(); + } else { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage( + "SELFTESTS_MISSING_VALUES", + getSelfTestName(), + mPrefix + + "." + + PROP_OCSP_SUB_ID)); + + throw new EMissingSelfTestException(PROP_OCSP_SUB_ID); + } + } catch (EBaseException e) { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage( + "SELFTESTS_MISSING_NAME", + getSelfTestName(), + mPrefix + + "." + + PROP_OCSP_SUB_ID)); + + throw new EMissingSelfTestException(mPrefix, + PROP_OCSP_SUB_ID, + null); + } + + // retrieve optional parameter(s) + + return; + } + + /** + * Notifies this subsystem if it is in execution mode. + *

+ * + * @exception ESelfTestException failed to start + */ + public void startupSelfTest() + throws ESelfTestException { + return; + } + + /** + * Stops this subsystem. The subsystem may call shutdownSelfTest + * anytime after initialization. + *

+ */ + public void shutdownSelfTest() { + return; + } + + /** + * Returns the name associated with this self test. This method may + * return null if the self test has not been intialized. + *

+ * + * @return instanceName of this self test + */ + public String getSelfTestName() { + return super.getSelfTestName(); + } + + /** + * Returns the root configuration storage (self test parameters) + * associated with this subsystem. + *

+ * + * @return configuration store (self test parameters) of this subsystem + */ + public IConfigStore getSelfTestConfigStore() { + return super.getSelfTestConfigStore(); + } + + /** + * Retrieves description associated with an individual self test. + * This method may return null. + *

+ * + * @param locale locale of the client that requests the description + * @return description of self test + */ + public String getSelfTestDescription(Locale locale) { + return CMS.getUserMessage(locale, + "CMS_SELFTESTS_OCSP_PRESENCE_DESCRIPTION"); + } + + /** + * Execute an individual self test. + *

+ * + * @param logger specifies logging subsystem + * @exception ESelfTestException self test exception + */ + public void runSelfTest(ILogEventListener logger) + throws ESelfTestException { + String logMessage = null; + IOCSPAuthority ocsp = null; + ISigningUnit ocspSigningUnit = null; + X509CertImpl ocspCert = null; + X509Key ocspPubKey = null; + + ocsp = (IOCSPAuthority) CMS.getSubsystem(mOcspSubId); + + if (ocsp == null) { + // log that the OCSP is not installed + logMessage = CMS.getLogMessage("SELFTESTS_OCSP_IS_NOT_PRESENT", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } else { + // Retrieve the OCSP signing unit + ocspSigningUnit = ocsp.getSigningUnit(); + + if (ocspSigningUnit == null) { + // log that the OCSP is not yet initialized + logMessage = CMS.getLogMessage( + "SELFTESTS_OCSP_IS_NOT_INITIALIZED", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } + + // Retrieve the OCSP certificate + ocspCert = ocspSigningUnit.getCertImpl(); + + if (ocspCert == null) { + // log that the OCSP is not yet initialized + logMessage = CMS.getLogMessage( + "SELFTESTS_OCSP_IS_NOT_INITIALIZED", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } + + // Retrieve the OCSP certificate public key + try { + ocspPubKey = (X509Key) + ocspCert.get(X509CertImpl.PUBLIC_KEY); + + if (ocspPubKey == null) { + // log that something is seriously wrong with the OCSP + logMessage = CMS.getLogMessage("SELFTESTS_OCSP_IS_CORRUPT", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } + } catch (CertificateParsingException e) { + // log that something is seriously wrong with the OCSP + mSelfTestSubsystem.log(logger, + e.toString()); + + throw new ESelfTestException(e.toString()); + } + + // log that the OCSP is 
present + logMessage = CMS.getLogMessage("SELFTESTS_OCSP_IS_PRESENT", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + } + + return; + } +} diff --git a/base/common/src/com/netscape/cms/selftests/ocsp/OCSPValidity.java b/base/common/src/com/netscape/cms/selftests/ocsp/OCSPValidity.java new file mode 100644 index 000000000..478746827 --- /dev/null +++ b/base/common/src/com/netscape/cms/selftests/ocsp/OCSPValidity.java 
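Review bot: The `catch (CertificateParsingException e)` block in runSelfTest logs and throws `e.toString()` directly, while every other failure path in this method reports a localized `SELFTESTS_OCSP_*` message with the self-test name; a certificate that cannot be parsed is the "corrupt" case and should be reported the same way, e.g. `logMessage = CMS.getLogMessage("SELFTESTS_OCSP_IS_CORRUPT", getSelfTestName());` then `mSelfTestSubsystem.log(logger, logMessage + ": " + e.toString());` and `throw new ESelfTestException(logMessage);`. Note too that `(X509Key) ocspCert.get(X509CertImpl.PUBLIC_KEY)` is an unchecked cast inside a try that only catches CertificateParsingException, so a key object of another type would surface as a ClassCastException rather than an ESelfTestException, assuming `get()` can return other key classes. As in the sibling self-tests, the initSelfTest catch rethrows with `null` as the last argument and discards the caught EBaseException.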
@@ -0,0 +1,280 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +// package statement // +/////////////////////// + +package com.netscape.cms.selftests.ocsp; + +/////////////////////// +// import statements // +/////////////////////// + +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateNotYetValidException; +import java.util.Locale; + +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.logging.ILogEventListener; +import com.netscape.certsrv.ocsp.IOCSPAuthority; +import com.netscape.certsrv.security.ISigningUnit; +import com.netscape.certsrv.selftests.EDuplicateSelfTestException; +import com.netscape.certsrv.selftests.EInvalidSelfTestException; +import com.netscape.certsrv.selftests.EMissingSelfTestException; +import com.netscape.certsrv.selftests.ESelfTestException; +import com.netscape.certsrv.selftests.ISelfTestSubsystem; +import com.netscape.cms.selftests.ASelfTest; + +////////////////////// +// class definition // +////////////////////// + +/** + * This class implements a self test to check the validity of the OCSP. + *

+ * + * @author mharmsen + * @author thomask + * @version $Revision$, $Date$ + */ +public class OCSPValidity + extends ASelfTest { + //////////////////////// + // default parameters // + //////////////////////// + + ///////////////////////////// + // OCSPValidity parameters // + ///////////////////////////// + + // parameter information + public static final String PROP_OCSP_SUB_ID = "OcspSubId"; + private String mOcspSubId = null; + + ///////////////////// + // default methods // + ///////////////////// + + ////////////////////////// + // OCSPValidity methods // + ////////////////////////// + + /** + * Initializes this subsystem with the configuration store + * associated with this instance name. + *

+ * + * @param subsystem the associated subsystem + * @param instanceName the name of this self test instance + * @param parameters configuration store (self test parameters) + * @exception EDuplicateSelfTestException subsystem has duplicate name/value + * @exception EInvalidSelfTestException subsystem has invalid name/value + * @exception EMissingSelfTestException subsystem has missing name/value + */ + public void initSelfTest(ISelfTestSubsystem subsystem, + String instanceName, + IConfigStore parameters) + throws EDuplicateSelfTestException, + EInvalidSelfTestException, + EMissingSelfTestException { + super.initSelfTest(subsystem, instanceName, parameters); + + // retrieve mandatory parameter(s) + try { + mOcspSubId = mConfig.getString(PROP_OCSP_SUB_ID); + if (mOcspSubId != null) { + mOcspSubId = mOcspSubId.trim(); + } else { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage( + "SELFTESTS_MISSING_VALUES", + getSelfTestName(), + mPrefix + + "." + + PROP_OCSP_SUB_ID)); + + throw new EMissingSelfTestException(PROP_OCSP_SUB_ID); + } + } catch (EBaseException e) { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage( + "SELFTESTS_MISSING_NAME", + getSelfTestName(), + mPrefix + + "." + + PROP_OCSP_SUB_ID)); + + throw new EMissingSelfTestException(mPrefix, + PROP_OCSP_SUB_ID, + null); + } + + // retrieve optional parameter(s) + + return; + } + + /** + * Notifies this subsystem if it is in execution mode. + *

+ * + * @exception ESelfTestException failed to start + */ + public void startupSelfTest() + throws ESelfTestException { + return; + } + + /** + * Stops this subsystem. The subsystem may call shutdownSelfTest + * anytime after initialization. + *

+ */ + public void shutdownSelfTest() { + return; + } + + /** + * Returns the name associated with this self test. This method may + * return null if the self test has not been intialized. + *

+ * + * @return instanceName of this self test + */ + public String getSelfTestName() { + return super.getSelfTestName(); + } + + /** + * Returns the root configuration storage (self test parameters) + * associated with this subsystem. + *

+ * + * @return configuration store (self test parameters) of this subsystem + */ + public IConfigStore getSelfTestConfigStore() { + return super.getSelfTestConfigStore(); + } + + /** + * Retrieves description associated with an individual self test. + * This method may return null. + *

+ * + * @param locale locale of the client that requests the description + * @return description of self test + */ + public String getSelfTestDescription(Locale locale) { + return CMS.getUserMessage(locale, + "CMS_SELFTESTS_OCSP_VALIDITY_DESCRIPTION"); + } + + /** + * Execute an individual self test. + *

+ * + * @param logger specifies logging subsystem + * @exception ESelfTestException self test exception + */ + public void runSelfTest(ILogEventListener logger) + throws ESelfTestException { + String logMessage = null; + IOCSPAuthority ocsp = null; + ISigningUnit ocspSigningUnit = null; + X509CertImpl ocspCert = null; + + ocsp = (IOCSPAuthority) CMS.getSubsystem(mOcspSubId); + + if (ocsp == null) { + // log that the OCSP is not installed + logMessage = CMS.getLogMessage("SELFTESTS_OCSP_IS_NOT_PRESENT", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } else { + // Retrieve the OCSP signing unit + ocspSigningUnit = ocsp.getSigningUnit(); + + if (ocspSigningUnit == null) { + // log that the OCSP is not yet initialized + logMessage = CMS.getLogMessage( + "SELFTESTS_OCSP_IS_NOT_INITIALIZED", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } + + // Retrieve the OCSP certificate + ocspCert = ocspSigningUnit.getCertImpl(); + + if (ocspCert == null) { + // log that the OCSP is not yet initialized + logMessage = CMS.getLogMessage( + "SELFTESTS_OCSP_IS_NOT_INITIALIZED", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } + + // Retrieve the OCSP validity period + try { + ocspCert.checkValidity(); + } catch (CertificateNotYetValidException e) { + // log that the OCSP is not yet valid + logMessage = CMS.getLogMessage( + "SELFTESTS_OCSP_IS_NOT_YET_VALID", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } catch (CertificateExpiredException e) { + // log that the OCSP is expired + logMessage = CMS.getLogMessage("SELFTESTS_OCSP_IS_EXPIRED", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } + + // log that the OCSP is valid + 
logMessage = CMS.getLogMessage("SELFTESTS_OCSP_IS_VALID", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + } + + return; + } +} diff --git a/base/common/src/com/netscape/cms/selftests/ra/RAPresence.java b/base/common/src/com/netscape/cms/selftests/ra/RAPresence.java new file mode 100644 index 000000000..9790bf619 --- /dev/null +++ b/base/common/src/com/netscape/cms/selftests/ra/RAPresence.java 
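Review bot: The class Javadoc says this test checks "the validity of the OCSP", but runSelfTest only calls `ocspCert.checkValidity()` on the signing certificate, i.e. the notBefore/notAfter window against the current clock; it does not verify the certificate's signature, chain or revocation status. Make the scope explicit so operators do not read a passing test as a full trust check: `This self test only verifies that the OCSP signing certificate is within its validity period (notBefore/notAfter); it does not check the signature, chain or revocation status.` The subsystem lookup, signing-unit and certificate null checks are duplicated verbatim from OCSPPresence, including the copy of initSelfTest that discards the caught EBaseException; a shared helper returning the X509CertImpl would remove the duplication.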
@@ -0,0 +1,261 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +// package statement // +/////////////////////// + +package com.netscape.cms.selftests.ra; + +/////////////////////// +// import statements // +/////////////////////// + +import java.security.PublicKey; +import java.util.Locale; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.logging.ILogEventListener; +import com.netscape.certsrv.ra.IRegistrationAuthority; +import com.netscape.certsrv.selftests.EDuplicateSelfTestException; +import com.netscape.certsrv.selftests.EInvalidSelfTestException; +import com.netscape.certsrv.selftests.EMissingSelfTestException; +import com.netscape.certsrv.selftests.ESelfTestException; +import com.netscape.certsrv.selftests.ISelfTestSubsystem; +import com.netscape.cms.selftests.ASelfTest; + +////////////////////// +// class definition // +////////////////////// + +/** + * This class implements a self test to check for RA presence. + *

+ * + *

+ * NOTE:  This self-test is for Registration Authorities prior to
+ *        Netscape Certificate Management System 7.0.  It does NOT
+ *        apply to the Registration Authority found in
+ *        Red Hat Certificate System 7.3 or later (including
+ *        ALL versions of Dogtag Certificate System).
+ * 
+ *

+ * + * @deprecated + * @author mharmsen + * @author thomask + * @version $Revision$, $Date$ + */ +public class RAPresence + extends ASelfTest { + //////////////////////// + // default parameters // + //////////////////////// + + /////////////////////////// + // RAPresence parameters // + /////////////////////////// + + // parameter information + public static final String PROP_RA_SUB_ID = "RaSubId"; + private String mRaSubId = null; + + ///////////////////// + // default methods // + ///////////////////// + + //////////////////////// + // RAPresence methods // + //////////////////////// + + /** + * Initializes this subsystem with the configuration store + * associated with this instance name. + *

+ * + * @param subsystem the associated subsystem + * @param instanceName the name of this self test instance + * @param parameters configuration store (self test parameters) + * @exception EDuplicateSelfTestException subsystem has duplicate name/value + * @exception EInvalidSelfTestException subsystem has invalid name/value + * @exception EMissingSelfTestException subsystem has missing name/value + */ + public void initSelfTest(ISelfTestSubsystem subsystem, + String instanceName, + IConfigStore parameters) + throws EDuplicateSelfTestException, + EInvalidSelfTestException, + EMissingSelfTestException { + super.initSelfTest(subsystem, instanceName, parameters); + + // retrieve mandatory parameter(s) + try { + mRaSubId = mConfig.getString(PROP_RA_SUB_ID); + if (mRaSubId != null) { + mRaSubId = mRaSubId.trim(); + } else { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage( + "SELFTESTS_MISSING_VALUES", + getSelfTestName(), + mPrefix + + "." + + PROP_RA_SUB_ID)); + + throw new EMissingSelfTestException(PROP_RA_SUB_ID); + } + } catch (EBaseException e) { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage( + "SELFTESTS_MISSING_NAME", + getSelfTestName(), + mPrefix + + "." + + PROP_RA_SUB_ID)); + + throw new EMissingSelfTestException(mPrefix, + PROP_RA_SUB_ID, + null); + } + + // retrieve optional parameter(s) + + return; + } + + /** + * Notifies this subsystem if it is in execution mode. + *

+ * + * @exception ESelfTestException failed to start + */ + public void startupSelfTest() + throws ESelfTestException { + return; + } + + /** + * Stops this subsystem. The subsystem may call shutdownSelfTest + * anytime after initialization. + *

+ */ + public void shutdownSelfTest() { + return; + } + + /** + * Returns the name associated with this self test. This method may + * return null if the self test has not been intialized. + *

+ * + * @return instanceName of this self test + */ + public String getSelfTestName() { + return super.getSelfTestName(); + } + + /** + * Returns the root configuration storage (self test parameters) + * associated with this subsystem. + *

+ * + * @return configuration store (self test parameters) of this subsystem + */ + public IConfigStore getSelfTestConfigStore() { + return super.getSelfTestConfigStore(); + } + + /** + * Retrieves description associated with an individual self test. + * This method may return null. + *

+ * + * @param locale locale of the client that requests the description + * @return description of self test + */ + public String getSelfTestDescription(Locale locale) { + return CMS.getUserMessage(locale, + "CMS_SELFTESTS_RA_PRESENCE_DESCRIPTION"); + } + + /** + * Execute an individual self test. + *

+ * + * @param logger specifies logging subsystem + * @exception ESelfTestException self test exception + */ + public void runSelfTest(ILogEventListener logger) + throws ESelfTestException { + String logMessage = null; + IRegistrationAuthority ra = null; + org.mozilla.jss.crypto.X509Certificate raCert = null; + PublicKey raPubKey = null; + + ra = (IRegistrationAuthority) CMS.getSubsystem(mRaSubId); + + if (ra == null) { + // log that the RA is not installed + logMessage = CMS.getLogMessage("SELFTESTS_RA_IS_NOT_PRESENT", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } else { + // Retrieve the RA certificate + raCert = ra.getRACert(); + + if (raCert == null) { + // log that the RA is not yet initialized + logMessage = CMS.getLogMessage( + "SELFTESTS_RA_IS_NOT_INITIALIZED", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } + + // Retrieve the RA certificate public key + raPubKey = (PublicKey) raCert.getPublicKey(); + + if (raPubKey == null) { + // log that something is seriously wrong with the RA + logMessage = CMS.getLogMessage("SELFTESTS_RA_IS_CORRUPT", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + + throw new ESelfTestException(logMessage); + } + + // log that the RA is present + logMessage = CMS.getLogMessage("SELFTESTS_RA_IS_PRESENT", + getSelfTestName()); + + mSelfTestSubsystem.log(logger, + logMessage); + } + + return; + } +} diff --git a/base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java b/base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java new file mode 100644 index 000000000..69edeb24f --- /dev/null +++ b/base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java 
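Review bot: The class carries a Javadoc `@deprecated` tag and a NOTE that it does not apply to current RAs, but there is no `@Deprecated` annotation on the declaration, so nothing warns at compile time when the class is still wired into a selftests configuration; add `@Deprecated` directly above `public class RAPresence`. The `@deprecated` tag also names no replacement; since the NOTE says the test is obsolete for Certificate System 7.3 and later, say so there, e.g. `@deprecated Obsolete for Certificate System 7.3+ and all Dogtag releases; remove from the selftests configuration.` As in KRAPresence, the catch in initSelfTest rethrows with `null` as the last argument and never logs the caught EBaseException, so the cause of a failed `RaSubId` lookup is lost.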
@@ -0,0 +1,302 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +// package statement // +/////////////////////// + +package com.netscape.cms.selftests.tks; + +/////////////////////// +// import statements // +/////////////////////// + +import java.util.Arrays; +import java.util.Locale; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogEventListener; +import com.netscape.certsrv.selftests.EDuplicateSelfTestException; +import com.netscape.certsrv.selftests.EInvalidSelfTestException; +import com.netscape.certsrv.selftests.EMissingSelfTestException; +import com.netscape.certsrv.selftests.ESelfTestException; +import com.netscape.certsrv.selftests.ISelfTestSubsystem; +import com.netscape.cms.selftests.ASelfTest; +import com.netscape.symkey.SessionKey; + +////////////////////// +// class definition // +////////////////////// + +/** + * This class implements a self test to check for TKS known session key. + *

+ * + * @author mharmsen + * @author thomask + * @author awnuk + * @version $Revision$, $Date$ + */ +public class TKSKnownSessionKey + extends ASelfTest { + // parameter information + public static final String PROP_TKS_SUB_ID = "TksSubId"; + private String mTksSubId = null; + private String mToken = null; + private String mUseSoftToken = null; + private String mKeyName = null; + private byte[] mKeyInfo = null; + private byte[] mCardChallenge = null; + private byte[] mHostChallenge = null; + private byte[] mCUID = null; + private byte[] mMacKey = null; + private byte[] mSessionKey = null; + + /** + * Initializes this subsystem with the configuration store + * associated with this instance name. + *

+ * + * @param subsystem the associated subsystem + * @param instanceName the name of this self test instance + * @param parameters configuration store (self test parameters) + * @exception EDuplicateSelfTestException subsystem has duplicate name/value + * @exception EInvalidSelfTestException subsystem has invalid name/value + * @exception EMissingSelfTestException subsystem has missing name/value + */ + public void initSelfTest(ISelfTestSubsystem subsystem, + String instanceName, + IConfigStore parameters) + throws EDuplicateSelfTestException, + EInvalidSelfTestException, + EMissingSelfTestException { + ISubsystem tks = null; + IConfigStore tksConfig = null; + + super.initSelfTest(subsystem, instanceName, parameters); + + mTksSubId = getConfigString(PROP_TKS_SUB_ID); + mToken = getConfigString("token"); + mKeyName = getConfigString("keyName"); + mCardChallenge = getConfigByteArray("cardChallenge", 8); + mHostChallenge = getConfigByteArray("hostChallenge", 8); + mKeyInfo = getConfigByteArray("keyName", 2); + mCUID = getConfigByteArray("CUID", 10); + mMacKey = getConfigByteArray("macKey", 16); + mUseSoftToken = getConfigString("useSoftToken"); + + String defKeySetMacKey = null; + tks = (ISubsystem) CMS.getSubsystem(mTksSubId); + if (tks != null) { + tksConfig = tks.getConfigStore(); + if (tksConfig != null) { + try { + defKeySetMacKey = tksConfig.getString("defKeySet.mac_key"); + byte defMacKey[] = com.netscape.cmsutil.util.Utils.SpecialDecode(defKeySetMacKey); + if (!Arrays.equals(mMacKey, defMacKey)) { + defKeySetMacKey = null; + } + } catch (EBaseException e) { + defKeySetMacKey = null; + } + } + } + if (defKeySetMacKey == null) { + CMS.debug("TKSKnownSessionKey: invalid mac key"); + CMS.debug("TKSKnownSessionKey self test FAILED"); + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage("SELFTESTS_INVALID_VALUES", + getSelfTestName(), mPrefix + "." 
+ "macKey")); + throw new EInvalidSelfTestException(mPrefix, "macKey", null); + } + + try { + mSessionKey = getConfigByteArray("sessionKey", 16); + } catch (EMissingSelfTestException e) { + if (mSessionKey == null) { + mSessionKey = SessionKey.ComputeSessionKey(mToken, mKeyName, + mCardChallenge, mHostChallenge, + mKeyInfo, mCUID, mMacKey, mUseSoftToken, null, null); + if (mSessionKey == null || mSessionKey.length != 16) { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage("SELFTESTS_MISSING_VALUES", + getSelfTestName(), mPrefix + ".sessionKey")); + throw new EMissingSelfTestException("sessionKey"); + } + String sessionKey = SpecialEncode(mSessionKey); + mConfig.putString("sessionKey", sessionKey); + try { + CMS.getConfigStore().commit(true); + } catch (EBaseException be) { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage("SELFTESTS_MISSING_VALUES", + getSelfTestName(), mPrefix + ".sessionKey")); + throw new EMissingSelfTestException("sessionKey"); + } + } + } + + return; + } + + private String SpecialEncode(byte data[]) { + StringBuffer sb = new StringBuffer(); + + for (int i = 0; i < data.length; i++) { + sb.append("#"); + if ((data[i] & 0xff) < 16) { + sb.append("0"); + } + sb.append(Integer.toHexString((data[i] & 0xff))); + } + + return sb.toString(); + } + + private String getConfigString(String name) throws EMissingSelfTestException { + String value = null; + + try { + value = mConfig.getString(name); + if (value != null) { + value = value.trim(); + } else { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage("SELFTESTS_MISSING_VALUES", + getSelfTestName(), mPrefix + "." + name)); + throw new EMissingSelfTestException(name); + } + } catch (EBaseException e) { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage("SELFTESTS_MISSING_NAME", + getSelfTestName(), mPrefix + "." 
+ name)); + throw new EMissingSelfTestException(mPrefix, name, null); + } + + return value; + } + + private byte[] getConfigByteArray(String name, int size) throws EMissingSelfTestException, + EInvalidSelfTestException { + String stringValue = getConfigString(name); + + byte byteValue[] = com.netscape.cmsutil.util.Utils.SpecialDecode(stringValue); + if (byteValue == null) { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage("SELFTESTS_MISSING_NAME", + getSelfTestName(), mPrefix + "." + name)); + throw new EMissingSelfTestException(name); + } + if (byteValue.length != size) { + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + CMS.getLogMessage("SELFTESTS_INVALID_VALUES", + getSelfTestName(), mPrefix + "." + name)); + throw new EInvalidSelfTestException(mPrefix, name, stringValue); + } + + return byteValue; + } + + /** + * Notifies this subsystem if it is in execution mode. + *

+ * + * @exception ESelfTestException failed to start + */ + public void startupSelfTest() + throws ESelfTestException { + return; + } + + /** + * Stops this subsystem. The subsystem may call shutdownSelfTest + * anytime after initialization. + *

+ */ + public void shutdownSelfTest() { + return; + } + + /** + * Returns the name associated with this self test. This method may + * return null if the self test has not been intialized. + *

+ * + * @return instanceName of this self test + */ + public String getSelfTestName() { + return super.getSelfTestName(); + } + + /** + * Returns the root configuration storage (self test parameters) + * associated with this subsystem. + *

+ * + * @return configuration store (self test parameters) of this subsystem + */ + public IConfigStore getSelfTestConfigStore() { + return super.getSelfTestConfigStore(); + } + + /** + * Retrieves description associated with an individual self test. + * This method may return null. + *

+ * + * @param locale locale of the client that requests the description + * @return description of self test + */ + public String getSelfTestDescription(Locale locale) { + return CMS.getUserMessage(locale, "CMS_SELFTESTS_TKS_PRESENCE_DESCRIPTION"); + } + + /** + * Execute an individual self test. + *

+ * + * @param logger specifies logging subsystem + * @exception ESelfTestException self test exception + */ + public void runSelfTest(ILogEventListener logger) + throws ESelfTestException { + String logMessage = null; + String keySet = "defKeySet"; + + byte[] sessionKey = SessionKey.ComputeSessionKey(mToken, mKeyName, + mCardChallenge, mHostChallenge, + mKeyInfo, mCUID, mMacKey, mUseSoftToken, keySet, null); + + // Now we just see if we can successfully generate a session key. + // For FIPS compliance, the routine now returns a wrapped key, which can't be extracted and compared. + if (sessionKey == null) { + CMS.debug("TKSKnownSessionKey: generated no session key"); + CMS.debug("TKSKnownSessionKey self test FAILED"); + logMessage = CMS.getLogMessage("SELFTESTS_TKS_FAILED", getSelfTestName(), getSelfTestName()); + mSelfTestSubsystem.log(logger, logMessage); + throw new ESelfTestException(logMessage); + } else { + logMessage = CMS.getLogMessage("SELFTESTS_TKS_SUCCEEDED", getSelfTestName(), getSelfTestName()); + mSelfTestSubsystem.log(logger, logMessage); + CMS.debug("TKSKnownSessionKey self test SUCCEEDED"); + } + + return; + } +} diff --git a/base/common/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java new file mode 100644 index 000000000..12575675c --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java 
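Review bot: In `initSelfTest`, when `sessionKey` is absent the code derives one with `SessionKey.ComputeSessionKey(...)`, encodes it, writes it back with `mConfig.putString("sessionKey", sessionKey)` and commits the whole config store, yet `runSelfTest` never reads `mSessionKey` — by its own comment it only checks that the derived key is non-null because the routine now returns a wrapped key that cannot be extracted and compared. That leaves the self test persisting key material to the config file on first run for no observable purpose, and the two derivations are not even consistent: the init path passes `null` for the keySet argument while `runSelfTest` passes `"defKeySet"`. Either drop the derive-and-commit branch (keeping only a log line when `sessionKey` is missing) or document why it is retained, e.g. `// NOTE: sessionKey is persisted for existing configs only; runSelfTest does not compare against it.` Also, the inner `if (mSessionKey == null)` is always true at that point, and a failed commit is logged as `SELFTESTS_MISSING_VALUES`, which will mislead an operator reading the log.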
@@ -0,0 +1,905 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.admin; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Hashtable; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import com.netscape.certsrv.acls.ACL; +import com.netscape.certsrv.acls.ACLEntry; +import com.netscape.certsrv.acls.IACL; +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authorization.IAuthzManager; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.Constants; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.common.OpDef; +import com.netscape.certsrv.common.ScopeDef; +import com.netscape.certsrv.evaluators.IAccessEvaluator; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.usrgrp.IUGSubsystem; + +/** + * Manage Access Control List configuration + * + * @version $Revision$, $Date$ + */ +public class ACLAdminServlet extends AdminServlet { + + /** + * + */ + private static final long serialVersionUID = 
-322237202045924779L; + private IUGSubsystem mUG = null; + private static final String PROP_ACLS = "acls"; + private static final String PROP_EVAL = "accessEvaluator"; + private final static String INFO = "ACLAdminServlet"; + private IAuthzManager mAuthzMgr = null; + + private final static String LOGGING_SIGNED_AUDIT_CONFIG_ACL = + "LOGGING_SIGNED_AUDIT_CONFIG_ACL_3"; + + /** + * Constructs servlet. + */ + public ACLAdminServlet() { + super(); + mUG = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); + } + + /** + * initialize the servlet. + *

    + *
  • http.param OP_TYPE = OP_SEARCH, + *
  • http.param OP_SCOPE - the scope of the request operation: + *
      + *
    • "impl" ACL implementations + *
    • "acls" ACL rules + *
    • "evaluatorTypes" ACL evaluators. + *
    + *
+ * + * @param config servlet configuration, read from the web.xml file + */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + mAuthzMgr = mAuthz.get(mAclMethod); + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + /** + * Process the HTTP request. + * + * @param req the object holding the request information + * @param resp the object holding the response information + */ + + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + + String scope = super.getParameter(req, Constants.OP_SCOPE); + String op = super.getParameter(req, Constants.OP_TYPE); + + if (op == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_INVALID_PROTOCOL")); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PROTOCOL"), + null, resp); + return; + } + + try { + super.authenticate(req); + } catch (IOException e) { + log(ILogger.LL_SECURITY, CMS.getLogMessage("ADMIN_SRVLT_FAIL_AUTHS")); + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHS_FAILED"), + null, resp); + return; + } + + try { + AUTHZ_RES_NAME = "certServer.acl.configuration"; + + if (op.equals(OpDef.OP_SEARCH)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_ACL)) { + listResources(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_ACL_IMPLS)) { + listACLsEvaluators(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_EVALUATOR_TYPES)) { + listACLsEvaluatorTypes(req, resp); + return; + } + } else if (op.equals(OpDef.OP_READ)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if 
(scope.equals(ScopeDef.SC_ACL)) { + getResourceACL(req, resp); + return; + } + } else if (op.equals(OpDef.OP_MODIFY)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_ACL)) { + updateResources(req, resp); + return; + } + } else if (op.equals(OpDef.OP_ADD)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_ACL_IMPLS)) { + addACLsEvaluator(req, resp, scope); + return; + } + } else if (op.equals(OpDef.OP_DELETE)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_ACL_IMPLS)) { + deleteACLsEvaluator(req, resp, scope); + return; + } + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_INVALID_OP_SCOPE")); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, e.toString()); + sendResponse(ERROR, e.toString(getLocale(req)), + null, resp); + return; + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + log(ILogger.LL_DEBUG, "SRVLT_FAIL_PERFORM 2"); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_PERFORM_FAILED"), + null, resp); + return; + } + + log(ILogger.LL_DEBUG, "SRVLT_FAIL_PERFORM 3"); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_PERFORM_FAILED"), + null, resp); + return; + } + + /** + * list acls resources by name + */ + private void listResources(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, IOException, + 
EBaseException { + + NameValuePairs params = new NameValuePairs(); + + Enumeration res = mAuthzMgr.getACLs(); + + while (res.hasMoreElements()) { + ACL acl = (ACL) res.nextElement(); + String desc = acl.getDescription(); + + if (desc == null) + params.put(acl.getName(), ""); + else + params.put(acl.getName(), desc); + } + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * get acls information for a resource + */ + private void getResourceACL(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, IOException, + EBaseException { + + NameValuePairs params = new NameValuePairs(); + //get resource id first + String resourceId = super.getParameter(req, Constants.RS_ID); + + if (resourceId == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + IACL acl = mAuthzMgr.getACL(resourceId); + + if (acl != null) { + Enumeration rightsEnum = acl.rights(); + + StringBuffer rights = new StringBuffer(); + + if (rightsEnum.hasMoreElements()) { + while (rightsEnum.hasMoreElements()) { + if (rights.length() != 0) { + rights.append(","); + } + String right = rightsEnum.nextElement(); + + rights.append(right); + } + } + + params.put(Constants.PR_ACL_OPS, rights.toString()); + + Enumeration aclEntryEnum; + aclEntryEnum = acl.entries(); + String acis = ""; + + if (aclEntryEnum.hasMoreElements()) { + while (aclEntryEnum.hasMoreElements()) { + if (acis != "") { + acis += ";"; + } + ACLEntry aclEntry = (ACLEntry) aclEntryEnum.nextElement(); + String aci = aclEntry.getACLEntryString(); + + acis += aci; + } + } + + params.put(Constants.PR_ACI, acis); + + sendResponse(SUCCESS, null, params, resp); + return; + + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ACLS_SRVLT_RESOURCE_NOT_FOUND")); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ACL_RESOURCE_NOT_FOUND"), + null, resp); + return; + } + 
} + + /** + * modify acls information for a resource + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ACL used when configuring Access Control List (ACL) information + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void updateResources(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, IOException, + EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // get resource id first + String resourceId = super.getParameter(req, Constants.RS_ID); + + if (resourceId == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // get resource acls + String resourceACLs = super.getParameter(req, Constants.PR_ACI); + String rights = super.getParameter(req, Constants.PR_ACL_RIGHTS); + String desc = super.getParameter(req, Constants.PR_ACL_DESC); + + try { + mAuthzMgr.updateACLs(resourceId, rights, resourceACLs, desc); + + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + 
sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ACL_UPDATE_FAIL"), + null, resp); + return; + } + // } catch( EBaseException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ACL, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ACL, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * list access evaluators by types and class paths + */ + private void listACLsEvaluators(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, IOException, + EBaseException { + NameValuePairs params = new NameValuePairs(); + Enumeration res = mAuthzMgr.aclEvaluatorElements(); + + while (res.hasMoreElements()) { + IAccessEvaluator evaluator = res.nextElement(); + + // params.add(evaluator.getType(), evaluator.getDescription()); + params.put(evaluator.getType(), evaluator.getClass().getName()); + } + + sendResponse(SUCCESS, null, params, resp); + } + + private void listACLsEvaluatorTypes(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, IOException, + EBaseException { + NameValuePairs params = new NameValuePairs(); + Enumeration res = mAuthzMgr.aclEvaluatorElements(); + + while 
(res.hasMoreElements()) { + IAccessEvaluator evaluator = res.nextElement(); + String[] operators = evaluator.getSupportedOperators(); + StringBuffer str = new StringBuffer(); + + for (int i = 0; i < operators.length; i++) { + if (str.length() > 0) + str.append(","); + str.append(operators[i]); + } + + params.put(evaluator.getType(), str.toString()); + } + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * add access evaluators + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ACL used when configuring Access Control List (ACL) information + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of this ACL evaluator's + * substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void addACLsEvaluator(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // get evaluator type first + String type = super.getParameter(req, Constants.RS_ID); + + if (type == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // is the evaluator type unique? + /* + if (!mACLs.isTypeUnique(type)) { + String infoMsg = "replacing existing type: "+ type; + log(ILogger.LL_WARN, infoMsg); + } + */ + + // get class + String classPath = super.getParameter(req, Constants.PR_ACL_CLASS); + + IConfigStore destStore = + mConfig.getSubStore(PROP_EVAL); + IConfigStore mStore = + destStore.getSubStore(ScopeDef.SC_ACL_IMPLS); + + // Does the class exist? 
+ Class newImpl = null; + + try { + newImpl = Class.forName(classPath); + } catch (ClassNotFoundException e) { + String errMsg = "class " + classPath + " not found"; + + log(ILogger.LL_FAILURE, errMsg); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ACL_CLASS_LOAD_FAIL"), + null, resp); + return; + } + + // is the class an IAccessEvaluator? + try { + if (Class.forName("com.netscape.certsrv.evaluators.IAccessEvaluator").isAssignableFrom(newImpl) == false) { + String errMsg = "class not com.netscape.certsrv.evaluators.IAccessEvaluator" + + classPath; + + log(ILogger.LL_FAILURE, errMsg); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ACL_ILL_CLASS"), + null, resp); + return; + } + } catch (Exception e) { + String errMsg = "class not com.netscape.certsrv.evaluators.IAccessEvaluator" + + classPath; + + log(ILogger.LL_FAILURE, errMsg); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ACL_ILL_CLASS"), + null, resp); + return; + } + + IConfigStore substore = mStore.makeSubStore(type); + + substore.put(Constants.PR_ACL_CLASS, classPath); + + // commiting + try { + mConfig.commit(true); + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ACLS_SRVLT_FAIL_COMMIT")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + 
auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ACL_COMMIT_FAIL"), + null, resp); + return; + } + + // Instantiate an object for this implementation + IAccessEvaluator evaluator = null; + + try { + evaluator = (IAccessEvaluator) Class.forName(classPath).newInstance(); + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ACL_INST_CLASS_FAIL"), + null, resp); + return; + } + + // initialize the access evaluator + if (evaluator != null) { + evaluator.init(); + // add evaluator to list + mAuthzMgr.registerEvaluator(type, evaluator); + } + + //... + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + // } catch( EBaseException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ACL, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log 
file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ACL, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * remove access evaluators + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ACL used when configuring Access Control List (ACL) information + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of this ACL evaluator's + * substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void deleteACLsEvaluator(HttpServletRequest req, + HttpServletResponse resp, String scope) throws ServletException, + IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // does the evaluator exist? 
+ Hashtable mEvaluators = mAuthzMgr.getAccessEvaluators(); + + if (mEvaluators.containsKey(id) == false) { + log(ILogger.LL_FAILURE, "evaluator attempted to be removed not found"); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ACL_EVAL_NOT_FOUND"), + null, resp); + return; + } + + // it's possibl that it's being used...we have to assume that + // the administrator knows what she is doing, for now + mEvaluators.remove((Object) id); + + try { + IConfigStore destStore = + mConfig.getSubStore(PROP_EVAL); + IConfigStore mStore = + destStore.getSubStore(ScopeDef.SC_ACL_IMPLS); + + mStore.removeSubStore(id); + } catch (Exception eeee) { + //CMS.debugStackTrace(eeee); + } + // commiting + try { + mConfig.commit(true); + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ACLS_SRVLT_FAIL_COMMIT")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ACL_COMMIT_FAIL"), + null, resp); + return; + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + // } catch( EBaseException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ACL, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch 
(IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ACL, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * Searchs for certificate requests. + */ + + /* + private void getACLs(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, IOException, + EBaseException { + NameValuePairs params = new NameValuePairs(); + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(bos); + String names = getParameter(req, Constants.PT_NAMES); + StringTokenizer st = new StringTokenizer(names, ","); + while (st.hasMoreTokens()) { + String target = st.nextToken(); + ACL acl = AccessManager.getInstance().getACL(target); + oos.writeObject(acl); + } + // BASE64Encoder encoder = new BASE64Encoder(); + // params.add(Constants.PT_ACLS, encoder.encodeBuffer(bos.toByteArray())); + params.add(Constants.PT_ACLS, CMS.BtoA(bos.toByteArray())); + sendResponse(SUCCESS, null, params, resp); + } + */ + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, + level, "ACLAdminServlet: " + msg); + } +} diff --git a/base/common/src/com/netscape/cms/servlet/admin/AdminResources.java b/base/common/src/com/netscape/cms/servlet/admin/AdminResources.java new file mode 100644 index 000000000..a36c859d9 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/admin/AdminResources.java 
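Review bot: In `addACLsEvaluator`, the new evaluator's substore is created and `mConfig.commit(true)` is called before `Class.forName(classPath).newInstance()` and `evaluator.init()` run, so if instantiation or init fails the bad entry under the `accessEvaluator` substore is already persisted and will be reloaded on every restart while the request reports `CMS_ACL_INST_CLASS_FAIL`. Move the `makeSubStore`/`put`/`commit` sequence after the evaluator has been instantiated, initialized and registered, so the config only records evaluators that actually loaded. Separately, the admin-supplied `classPath` is loaded with `Class.forName(classPath)` before the `IAccessEvaluator.isAssignableFrom` check, which runs the static initializer of whatever class was named; `Class.forName(classPath, false, getClass().getClassLoader())` defers initialization until the type check passes, and a null `classPath` should be rejected up front since `Class.forName(null)` throws NullPointerException rather than the `ClassNotFoundException` that is caught. The `deleteACLsEvaluator` path also swallows the `removeSubStore` failure with an empty `catch (Exception eeee)`, so a removal that did not reach the config can still be committed and reported as SUCCESS.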
@@ -0,0 +1,42 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+import java.util.ListResourceBundle;
+
+/**
+ * A class represents a resource bundle for the remote admin.
+ *
+ * @version $Revision$, $Date$
+ * @see java.util.ListResourceBundle
+ */
+public class AdminResources extends ListResourceBundle {
+
+ /**
+ * Returns the content of this resource.
+ */
+ public Object[][] getContents() {
+ return contents;
+ }
+
+ /**
+ * Constants. The suffix represents the number of
+ * possible parameters.
+ */
+ static final Object[][] contents = {};
+}
diff --git a/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java
new file mode 100644
index 000000000..ce4c966ad
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java
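Review bot: The Javadoc on `contents` ("The suffix represents the number of possible parameters") describes suffix-numbered message constants, but the array is declared empty, so the comment documents entries that are not in this file; either drop that sentence or state the actual situation, e.g. `/** Resource entries for the remote admin bundle; currently none are defined. */`. `getContents()` overrides `ListResourceBundle.getContents()` and should carry `@Override` so a signature drift is caught at compile time. `contents` is also a package-private mutable array handed out directly by `getContents()`; declaring it `private` keeps other classes in the package from altering the bundle entries.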
@@ -0,0 +1,1296 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.Iterator;
+import java.util.Locale;
+import java.util.StringTokenizer;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import netscape.security.x509.X509CertImpl;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.AuthToken;
+import com.netscape.certsrv.authentication.IAuthCredentials;
+import com.netscape.certsrv.authentication.IAuthManager;
+import com.netscape.certsrv.authentication.IAuthSubsystem;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.authorization.AuthzToken;
+import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.IAuthzSubsystem;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.usrgrp.EUsrGrpException;
+import com.netscape.certsrv.usrgrp.IGroup;
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
+import com.netscape.certsrv.usrgrp.IUser;
+import com.netscape.cms.servlet.base.UserInfo;
+import com.netscape.cmsutil.util.Utils;
+
+/**
+ * A class represents an administration servlet that
+ * is responsible to serve administrative
+ * operation such as configuration parameter updates.
+ *
+ * Since each administration servlet needs to perform
+ * authentication information parsing and response
+ * formulation, it makes sense to encapsulate the
+ * commonalities into this class.
+ *
+ * By extending this serlvet, the subclass does not
+ * need to re-implement the request parsing code
+ * (i.e. authentication information parsing).
+ *
+ * If a subsystem needs to expose configuration
+ * parameters management, it should create an
+ * administration servlet (i.e. CAAdminServlet)
+ * and register it to RemoteAdmin subsystem.
+ *
+ *
+ * public class CAAdminServlet extends AdminServlet {
+ * ...
+ * } + * + * + * @version $Revision$, $Date$ + */ +public class AdminServlet extends HttpServlet { + + /** + * + */ + private static final long serialVersionUID = 7740464244137421542L; + private final static String HDR_AUTHORIZATION = "Authorization"; + private final static String HDR_LANG = "accept-language"; + private final static String HDR_CONTENT_LEN = "Content-Length"; + + protected ILogger mLogger = CMS.getLogger(); + protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + private IUGSubsystem mUG = null; + protected IConfigStore mConfig = null; + protected IAuthzSubsystem mAuthz = null; + + // we don't allow to switch authz db mid-way, for now + protected String mAclMethod = null; + protected String mOp = ""; + protected static String AUTHZ_RES_NAME = "certServer"; + protected AuthzToken mToken; + + private String mServletID = null; + public final static String PROP_AUTHZ_MGR = "AuthzMgr"; + public final static String PROP_ACL = "ACLinfo"; + + public final static String AUTHZ_MGR_BASIC = "BasicAclAuthz"; + public final static String AUTHZ_MGR_LDAP = "DirAclAuthz"; + public final static String PROP_ID = "ID"; + public final static String AUTHZ_CONFIG_STORE = "authz"; + public final static String AUTHZ_SRC_TYPE = "sourceType"; + public final static String AUTHZ_SRC_LDAP = "ldap"; + public final static String AUTHZ_SRC_XML = "web.xml"; + public static final String CERT_ATTR = + "javax.servlet.request.X509Certificate"; + + public final static String SIGNED_AUDIT_SCOPE = "Scope"; + public final static String SIGNED_AUDIT_OPERATION = "Operation"; + public final static String SIGNED_AUDIT_RESOURCE = "Resource"; + public final static String SIGNED_AUDIT_RULENAME = "RULENAME"; + public final static String SIGNED_AUDIT_PASSWORD_VALUE = "********"; + public final static String SIGNED_AUDIT_EMPTY_NAME_VALUE_PAIR = "Unknown"; + public final static String SIGNED_AUDIT_NAME_VALUE_DELIMITER = ";;"; + public final static String 
SIGNED_AUDIT_NAME_VALUE_PAIRS_DELIMITER = "+"; + + private final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL = + "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4"; + private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS = + "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3"; + private final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL = + "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4"; + private final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS = + "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4"; + private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = + "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; + private final static String CERTUSERDB = + IAuthSubsystem.CERTUSERDB_AUTHMGR_ID; + private final static String PASSWDUSERDB = + IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID; + + /** + * Constructs generic administration servlet. + */ + public AdminServlet() { + } + + /** + * Initializes the servlet. + */ + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + mUG = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); + mConfig = CMS.getConfigStore(); + + String srcType = AUTHZ_SRC_LDAP; + + try { + IConfigStore authzConfig = mConfig.getSubStore(AUTHZ_CONFIG_STORE); + + srcType = authzConfig.getString(AUTHZ_SRC_TYPE, AUTHZ_SRC_LDAP); + } catch (EBaseException e) { + CMS.debug("AdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_FAIL_SRC_TYPE")); + } + mAuthz = + (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ); + + mServletID = getSCparam(sc, PROP_ID, "servlet id unknown"); + CMS.debug("AdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_AUTHZ_INITED", mServletID)); + + if (srcType.equalsIgnoreCase(AUTHZ_SRC_XML)) { + CMS.debug("AdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_AUTHZ_INITED", "")); + // get authz mgr from xml file; if not specified, use + // ldap by default + mAclMethod = getSCparam(sc, PROP_AUTHZ_MGR, AUTHZ_MGR_LDAP); + + if (mAclMethod.equalsIgnoreCase(AUTHZ_MGR_BASIC)) { + String aclInfo = sc.getInitParameter(PROP_ACL); + + if (aclInfo != null) { + try { + 
addACLInfo(aclInfo); + //mAuthz.authzMgrAccessInit(mAclMethod, aclInfo); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTHZ_MGR_INIT_FAIL")); + throw new ServletException("failed to init authz info from xml config file"); + } + CMS.debug("AdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_AUTHZ_MGR_INIT_DONE", mServletID)); + } else { // PROP_AUTHZ_MGR not specified, use default authzmgr + CMS.debug("AdminServlet: " + + CMS.getLogMessage("ADMIN_SRVLT_PROP_ACL_NOT_SPEC", PROP_ACL, mServletID, AUTHZ_MGR_LDAP)); + } + } else { // PROP_AUTHZ_MGR not specified, use default authzmgr + CMS.debug("AdminServlet: " + + CMS.getLogMessage("ADMIN_SRVLT_PROP_ACL_NOT_SPEC", PROP_AUTHZ_MGR, mServletID, AUTHZ_MGR_LDAP)); + } + + } else { + mAclMethod = AUTHZ_MGR_LDAP; + CMS.debug("AdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_AUTH_LDAP_NOT_XML", mServletID)); + } + } + + public void outputHttpParameters(HttpServletRequest httpReq) { + CMS.debug("AdminServlet:service() uri = " + httpReq.getRequestURI()); + @SuppressWarnings("unchecked") + Enumeration paramNames = httpReq.getParameterNames(); + while (paramNames.hasMoreElements()) { + String pn = paramNames.nextElement(); + // added this facility so that password can be hidden, + // all sensitive parameters should be prefixed with + // __ (double underscores); however, in the event that + // a security parameter slips through, we perform multiple + // additional checks to insure that it is NOT displayed + if (pn.startsWith("__") || + pn.endsWith("password") || + pn.endsWith("passwd") || + pn.endsWith("pwd") || + pn.equalsIgnoreCase("admin_password_again") || + pn.equalsIgnoreCase("directoryManagerPwd") || + pn.equalsIgnoreCase("bindpassword") || + pn.equalsIgnoreCase("bindpwd") || + pn.equalsIgnoreCase("passwd") || + pn.equalsIgnoreCase("password") || + pn.equalsIgnoreCase("pin") || + pn.equalsIgnoreCase("pwd") || + pn.equalsIgnoreCase("pwdagain") || + pn.equalsIgnoreCase("uPasswd")) { + 
CMS.debug("AdminServlet::service() param name='" + pn + + "' value='(sensitive)'"); + } else { + CMS.debug("AdminServlet::service() param name='" + pn + + "' value='" + httpReq.getParameter(pn) + "'"); + } + } + } + + /** + * Serves HTTP admin request. + */ + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + boolean running_state = CMS.isInRunningState(); + + if (!running_state) + throw new IOException( + "CMS server is not ready to serve."); + + if (CMS.debugOn()) { + outputHttpParameters(req); + } + } + + private void addACLInfo(String info) throws EBaseException { + StringTokenizer tokenizer = new StringTokenizer(info, "#"); + + while (tokenizer.hasMoreTokens()) { + String acl = (String) tokenizer.nextToken(); + + mAuthz.authzMgrAccessInit(mAclMethod, acl); + } + } + + private String getSCparam(ServletConfig sc, String param, String defVal) { + String val = sc.getInitParameter(param); + + if (val == null) + return defVal; + else + return val; + } + + /** + * Authenticates to the identity scope with the given + * userid and password via identity manager. + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_AUTH_FAIL used when authentication fails (in case of SSL-client auth, only + * webserver env can pick up the SSL violation; CMS authMgr can pick up cert mis-match, so this event is used) + *
  • signed.audit LOGGING_SIGNED_AUDIT_AUTH_SUCCESS used when authentication succeeded + *
+ * + * @exception IOException an input/output error has occurred + */ + protected void authenticate(HttpServletRequest req) throws + IOException { + + String auditMessage = null; + String auditUID = ILogger.UNIDENTIFIED; + String authType = ""; + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + try { + IConfigStore configStore = CMS.getConfigStore(); + + authType = configStore.getString("authType"); + } catch (EBaseException e) { + // do nothing for now. + } + IAuthSubsystem auth = (IAuthSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); + X509Certificate cert = null; + + if (authType.equals("sslclientauth")) { + X509Certificate[] allCerts = + (X509Certificate[]) req.getAttribute(CERT_ATTR); + + if (allCerts == null || allCerts.length == 0) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, + auditUID); + + audit(auditMessage); + + throw new IOException("No certificate"); + } + + cert = allCerts[0]; + try { + byte[] certEncoded = cert.getEncoded(); + + cert = new X509CertImpl(certEncoded); + + // save the "Subject DN" of this certificate in case it + // must be audited as an authentication failure + String certUID = cert.getSubjectDN().getName(); + + if (certUID != null) { + certUID = certUID.trim(); + + if (!(certUID.equals(""))) { + auditUID = certUID; + } + } + } catch (Exception e) { + } + } + + // create session (if we don't, identity will reject + // the authentication). 
+ SessionContext sc = SessionContext.getContext(); + IAuthToken token = null; + + log(ILogger.LL_DEBUG, CMS.getLogMessage("ADMIN_SRVLT_ABOUT_AUTH", + mServletID)); + try { + if (authType.equals("sslclientauth")) { + IAuthManager authMgr = auth.get(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID); + IAuthCredentials authCreds = + getAuthCreds(authMgr, cert); + + token = (AuthToken) authMgr.authenticate(authCreds); + } else { + String authToken = req.getHeader(HDR_AUTHORIZATION); + String b64s = authToken.substring( + authToken.lastIndexOf(' ') + 1); + String authCode = new String(Utils.base64decode(b64s)); + String userid = authCode.substring(0, + authCode.indexOf(':')); + String password = authCode.substring( + authCode.indexOf(':') + 1); + AuthCredentials cred = new AuthCredentials(); + + // save the "userid" of this certificate in case it + // must be audited as an authentication failure + String pwdUID = userid; + + if (pwdUID != null) { + pwdUID = pwdUID.trim(); + + if (!(pwdUID.equals(""))) { + auditUID = pwdUID; + } + } + + cred.set("uid", userid); + cred.set("pwd", password); + + token = auth.authenticate(cred, + IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID); + CMS.debug("AdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FOR_SRVLT", + mServletID)); + } + } catch (EBaseException e) { + //will fix it later for authorization + /* + String errMsg = "authenticate(): " + + AdminResources.SRVLT_FAIL_AUTHS +": "+userid +":"+ + e.getMessage(); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAIL", + CMS.getLogMessage("ADMIN_SRVLT_FAIL_AUTHS"), + userid,e.getMessage())); + */ + + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, + auditUID); + + audit(auditMessage); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + 
ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, + auditUID); + + audit(auditMessage); + } + + throw new IOException("authentication failed"); + } + + try { + String tuserid = token.getInString("userid"); + + if (tuserid == null) { + mLogger.log( + ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_NO_AUTH_TOKEN", + tuserid)); + + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, + auditUID); + + audit(auditMessage); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, + auditUID); + + audit(auditMessage); + } + + throw new IOException("authentication failed"); + } + + // get user. + // this either returns null or + // throws exception when user not found + IUser user = mUG.getUser(tuserid); + + if (user == null) { + mLogger.log( + ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_USER_NOT_FOUND", + tuserid)); + + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, + auditUID); + + audit(auditMessage); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, + auditUID); + + audit(auditMessage); + } + + throw new IOException("authentication failed"); + } + + // set session context to work with some agent servlets. + // XXX should see if this can be used for more things. 
+ SessionContext sessionContext = SessionContext.getContext(); + + sessionContext.put(SessionContext.AUTH_TOKEN, token); + sessionContext.put(SessionContext.USER_ID, tuserid); + sessionContext.put(SessionContext.USER, user); + } catch (EUsrGrpException e) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_USR_GRP_ERR", e.toString())); + + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, + auditUID); + + audit(auditMessage); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, + auditUID); + + audit(auditMessage); + } + + throw new IOException("authentication failed"); + } + + // build locale based on the client language + Locale locale = getLocale(req); + + sc.put(SessionContext.LOCALE, locale); + + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, + auditSubjectID(), + ILogger.SUCCESS, + CERTUSERDB); + + audit(auditMessage); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, + auditSubjectID(), + ILogger.SUCCESS, + PASSWDUSERDB); + + audit(auditMessage); + } + } catch (IOException eAudit1) { + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, + auditUID); + + audit(auditMessage); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + 
PASSWDUSERDB, + auditUID); + + audit(auditMessage); + } + + // rethrow the specific exception to be handled later + throw eAudit1; + } + } + + public static AuthCredentials getAuthCreds( + IAuthManager authMgr, X509Certificate clientCert) + throws EBaseException { + // get credentials from http parameters. + String[] reqCreds = authMgr.getRequiredCreds(); + AuthCredentials creds = new AuthCredentials(); + + for (int i = 0; i < reqCreds.length; i++) { + String reqCred = reqCreds[i]; + + if (reqCred.equals(IAuthManager.CRED_SSL_CLIENT_CERT)) { + // cert could be null; + creds.set(reqCred, new X509Certificate[] { clientCert } + ); + } + } + return creds; + } + + /** + * Authorize must occur after Authenticate + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_AUTHZ_FAIL used when authorization has failed + *
  • signed.audit LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS used when authorization is successful + *
  • signed.audit LOGGING_SIGNED_AUDIT_ROLE_ASSUME used when user assumes a role (in current CMS that's when one + * accesses a role port) + *
+ * + * @param req HTTP servlet request + * @return the authorization token + */ + protected AuthzToken authorize(HttpServletRequest req) { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditACLResource = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + String auditOperation = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + String resource = null; + String operation = null; + + // use session context to get auth token for now + SessionContext sc = SessionContext.getContext(); + IAuthToken authToken = (IAuthToken) sc.get(SessionContext.AUTH_TOKEN); + + AuthzToken authzTok = null; + + CMS.debug("AdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_CHECK_AUTHZ_AUTH", mServletID)); + // hardcoded for now .. just testing + try { + // we check both "read" and "write" for now. later within + // each servlet, they can break it down + authzTok = mAuthz.authorize(mAclMethod, authToken, AUTHZ_RES_NAME, mOp); + // initialize the ACL resource, overwriting "auditACLResource" + // if it is not null + resource = (String) + authzTok.get(AuthzToken.TOKEN_AUTHZ_RESOURCE); + if (resource != null) { + auditACLResource = resource.trim(); + } + + // initialize the operation, overwriting "auditOperation" + // if it is not null + operation = (String) + authzTok.get(AuthzToken.TOKEN_AUTHZ_OPERATION); + if (operation != null) { + auditOperation = operation.trim(); + } + + CMS.debug(CMS.getLogMessage("ADMIN_SRVLT_AUTH_SUCCEED", mServletID)); + } catch (EAuthzAccessDenied e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, + auditOperation); + + audit(auditMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroups(auditSubjectID)); + + 
audit(auditMessage); + + return null; + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, + auditOperation); + + audit(auditMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroups(auditSubjectID)); + + audit(auditMessage); + + return null; + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, + auditOperation); + + audit(auditMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroups(auditSubjectID)); + + audit(auditMessage); + + return null; + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + auditACLResource, + auditOperation); + + audit(auditMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + auditSubjectID, + ILogger.SUCCESS, + auditGroups(auditSubjectID)); + + audit(auditMessage); + + return authzTok; + } + + /** + * Retrieves locale based on the request. 
+ */ + protected Locale getLocale(HttpServletRequest req) { + Locale locale = null; + String lang = req.getHeader(HDR_LANG); + + if (lang == null) { + // use server locale + locale = Locale.getDefault(); + } else { + locale = new Locale(UserInfo.getUserLanguage(lang), + UserInfo.getUserCountry(lang)); + } + return locale; + } + + public static int SUCCESS = 0; + public static int ERROR = 1; + public static int RESTART = -1; + + /** + * Sends response. + * + * @param returnCode return code + * @param errorMsg localized error message + * @param params result parameters + * @param resp HTTP servlet response + */ + protected void sendResponse(int returnCode, String errorMsg, + NameValuePairs params, HttpServletResponse resp) + throws IOException { + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + DataOutputStream dos = new DataOutputStream(bos); + + dos.writeInt(returnCode); + if (errorMsg != null) { + dos.writeUTF(errorMsg); + } + StringBuffer buf = new StringBuffer(); + + if (params != null) { + Collection names = params.keySet(); + + if (!names.isEmpty()) { + for (Iterator i = names.iterator(); i.hasNext(); ) { + String name = i.next(); + String value = java.net.URLEncoder.encode( + params.get(name), "UTF-8"); + + buf.append(java.net.URLEncoder.encode(name, "UTF-8") + + "=" + value); + if (i.hasNext()) + buf.append("&"); + } + byte content[] = buf.toString().getBytes(); + + dos.write(content, 0, content.length); + } + } + byte msg[] = bos.toByteArray(); + + resp.setContentLength(msg.length); + resp.getOutputStream().write(msg); + resp.getOutputStream().flush(); + } + + /** + * URL decodes the given string. 
+ */ + protected String URLdecode(String s) { + if (s == null) + return null; + ByteArrayOutputStream out = new ByteArrayOutputStream(s.length()); + + for (int i = 0; i < s.length(); i++) { + int c = (int) s.charAt(i); + + if (c == '+') { + out.write(' '); + } else if (c == '%') { + int c1 = Character.digit(s.charAt(++i), 16); + int c2 = Character.digit(s.charAt(++i), 16); + + out.write((char) (c1 * 16 + c2)); + } else { + out.write(c); + } + } // end for + return out.toString(); + } + + protected String getParameter(HttpServletRequest req, String name) { + // Servlet framework already apply URLdecode + // return URLdecode(req.getParameter(name)); + return req.getParameter(name); + } + + /** + * Generic configuration store get operation. + */ + protected synchronized void getConfig( + IConfigStore config, HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + //if (name.equals(Constants.PT_OP)) + // continue; + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + + //System.out.println(name); + //System.out.println(name+","+config.getString(name)); + params.put(name, config.getString(name)); + } + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Generic configuration store set operation. + * The caller is responsible to do validiation before + * calling this, and commit changes after this call. 
+ */ + protected synchronized void setConfig( + IConfigStore config, HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + //if (name.equals(Constants.PT_OP)) + // continue; + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + // XXX Need validation... + // XXX what if update failed + config.putString(name, req.getParameter(name)); + } + commit(true); + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Lists configuration store. + */ + protected synchronized void listConfig( + IConfigStore config, HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + Enumeration e = config.getPropertyNames(); + NameValuePairs params = new NameValuePairs(); + + while (e.hasMoreElements()) { + String s = e.nextElement(); + + params.put(s, config.getString(s)); + } + sendResponse(SUCCESS, null, params, resp); + } + + /** + * authorize a user based on its authentication credentials. + */ + public boolean authorize(IAuthToken token) throws EBaseException { + String mGroupNames[] = { "Administrators" }; + boolean mAnd = true; + + try { + String userid = token.getInString("userid"); + + if (userid == null) { + mLogger.log( + ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_GRP_AUTHZ_FAIL", userid)); + return false; + } + + // get user. 
+ // this either returns null or throws exception when user not found + IUser user = mUG.getUser(userid); + + if (user == null) { + mLogger.log( + ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_USER_NOT_IN_DB", userid)); + return false; + } + + // set session context to work with some agent servlets. + // XXX should see if this can be used for more things. + SessionContext sessionContext = SessionContext.getContext(); + + sessionContext.put(SessionContext.AUTH_TOKEN, token); + sessionContext.put(SessionContext.USER_ID, userid); + sessionContext.put(SessionContext.USER, user); + + // check group membership of user. + if (mAnd) { + for (int i = 0; i < mGroupNames.length; i++) { + if (!mUG.isMemberOf(user, mGroupNames[i])) { + mLogger.log( + ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_USER_NOT_IN_GRP", userid, + mGroupNames[i])); + return false; + } + } + return true; + } else { + for (int i = 0; i < mGroupNames.length; i++) { + if (mUG.isMemberOf(user, mGroupNames[i])) { + mLogger.log(ILogger.EV_SYSTEM, + ILogger.S_OTHER, ILogger.LL_INFO, + CMS.getLogMessage("ADMIN_SRVLT_GRP_AUTH_SUCC_USER", userid, + mGroupNames[i])); + return true; + } + } + StringBuffer groups = new StringBuffer(); + groups.append(mGroupNames[0]); + + for (int j = 1; j < mGroupNames.length; j++) { + groups.append(","); + groups.append(mGroupNames[j]); + } + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_USER_NOT_ANY_GRP", userid, groups.toString())); + return false; + } + } catch (EUsrGrpException e) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_USR_GRP_ERR", e.toString())); + return false; + } + } + + /** + * FileConfigStore functionality + * + * The original config file is moved to .. + * Commits the current properties to the configuration file. + *

+ * + * @param createBackup true if a backup file should be created + */ + protected void commit(boolean createBackup) throws EBaseException { + mConfig.commit(createBackup); + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ADMIN, + level, "AdminServlet: " + msg); + } + + /** + * Signed Audit Log + * + * This method is inherited by all extended admin servlets + * and is called to store messages to the signed audit log. + *

+ *
+ * @param msg signed audit log message
+ */
+ protected void audit(String msg) {
+ // in this case, do NOT strip preceding/trailing whitespace
+ // from passed-in String parameters
+
+ if (mSignedAuditLogger == null) {
+ return;
+ }
+
+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
+ }
+
+ /**
+ * Signed Audit Log Subject ID
+ *
+ * This method is inherited by all extended "CMSServlet"s,
+ * and is called to obtain the "SubjectID" for
+ * a signed audit log message.
+ *

+ * + * @return id string containing the signed audit log message SubjectID + */ + protected String auditSubjectID() { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String subjectID = null; + + // Initialize subjectID + SessionContext auditContext = SessionContext.getExistingContext(); + + if (auditContext != null) { + subjectID = (String) + auditContext.get(SessionContext.USER_ID); + + if (subjectID != null) { + subjectID = subjectID.trim(); + } else { + subjectID = ILogger.NONROLEUSER; + } + } else { + subjectID = ILogger.UNIDENTIFIED; + } + + return subjectID; + } + + /** + * Signed Audit Parameters + * + * This method is inherited by all extended admin servlets and + * is called to extract parameters from the HttpServletRequest + * and return a string of name;;value pairs separated by a '+' + * if more than one name;;value pair exists. + *

+ * + * @param req HTTP servlet request + * @return a delimited string of one or more delimited name/value pairs + */ + protected String auditParams(HttpServletRequest req) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String parameters = SIGNED_AUDIT_EMPTY_NAME_VALUE_PAIR; + String value = null; + + // always identify the scope of the request + if (req.getParameter(Constants.OP_SCOPE) != null) { + parameters = SIGNED_AUDIT_SCOPE + + SIGNED_AUDIT_NAME_VALUE_DELIMITER + + req.getParameter(Constants.OP_SCOPE); + } + + // identify the operation type of the request + if (req.getParameter(Constants.OP_TYPE) != null) { + parameters += SIGNED_AUDIT_NAME_VALUE_PAIRS_DELIMITER; + + parameters += SIGNED_AUDIT_OPERATION + + SIGNED_AUDIT_NAME_VALUE_DELIMITER + + req.getParameter(Constants.OP_TYPE); + } + + // identify the resource type of the request + if (req.getParameter(Constants.RS_ID) != null) { + parameters += SIGNED_AUDIT_NAME_VALUE_PAIRS_DELIMITER; + + parameters += SIGNED_AUDIT_RESOURCE + + SIGNED_AUDIT_NAME_VALUE_DELIMITER + + req.getParameter(Constants.RS_ID); + } + + // identify any remaining request parameters + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + // skip previously extracted parameters + if (name.equals(Constants.OP_SCOPE)) { + continue; + } + if (name.equals(Constants.OP_TYPE)) { + continue; + } + if (name.equals(Constants.RS_ID)) { + continue; + } + + // skip "RULENAME" parameter + if (name.equals(SIGNED_AUDIT_RULENAME)) { + continue; + } + + parameters += SIGNED_AUDIT_NAME_VALUE_PAIRS_DELIMITER; + + value = req.getParameter(name); + if (value != null) { + value = value.trim(); + + if (value.equals("")) { + parameters += name + + SIGNED_AUDIT_NAME_VALUE_DELIMITER + + ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } else { + // + // To fix Blackflag Bug # 613800: + // + // Check 
"com.netscape.certsrv.common.Constants" for + // case-insensitive "password", "pwd", and "passwd" + // name fields, and hide any password values: + // + /* "password" */if (name.equals(Constants.PASSWORDTYPE) || + name.equals(Constants.TYPE_PASSWORD) || + name.equals(Constants.PR_USER_PASSWORD) || + name.equals(Constants.PT_OLD_PASSWORD) || + name.equals(Constants.PT_NEW_PASSWORD) || + name.equals(Constants.PT_DIST_STORE) || + name.equals(Constants.PT_DIST_EMAIL) || + /* "pwd" */name.equals(Constants.PR_AUTH_ADMIN_PWD) || + // ignore this one name.equals( Constants.PR_BINDPWD_PROMPT ) || + name.equals(Constants.PR_DIRECTORY_MANAGER_PWD) || + name.equals(Constants.PR_OLD_AGENT_PWD) || + name.equals(Constants.PR_AGENT_PWD) || + name.equals(Constants.PT_PUBLISH_PWD) || + /* "passwd" */name.equals(Constants.PR_BIND_PASSWD) || + name.equals(Constants.PR_BIND_PASSWD_AGAIN) || + name.equals(Constants.PR_TOKEN_PASSWD)) { + + // hide password value + parameters += name + + SIGNED_AUDIT_NAME_VALUE_DELIMITER + + SIGNED_AUDIT_PASSWORD_VALUE; + } else { + // process normally + parameters += name + + SIGNED_AUDIT_NAME_VALUE_DELIMITER + + value; + } + } + } else { + parameters += name + + SIGNED_AUDIT_NAME_VALUE_DELIMITER + + ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + } + + return parameters; + } + + /** + * Signed Audit Groups + * + * This method is called to extract all "groups" associated + * with the "auditSubjectID()". + *

+ * + * @param SubjectID string containing the signed audit log message SubjectID + * @return a delimited string of groups associated + * with the "auditSubjectID()" + */ + private String auditGroups(String SubjectID) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + if ((SubjectID == null) || + (SubjectID.equals(ILogger.UNIDENTIFIED))) { + return ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + + Enumeration groups = null; + + try { + groups = mUG.findGroups("*"); + } catch (Exception e) { + return ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + + StringBuffer membersString = new StringBuffer(); + + while (groups.hasMoreElements()) { + IGroup group = groups.nextElement(); + + if (group.isMember(SubjectID) == true) { + if (membersString.length() != 0) { + membersString.append(", "); + } + + membersString.append(group.getGroupID()); + } + } + + if (membersString.length() != 0) { + return membersString.toString(); + } else { + return ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + } + + protected NameValuePairs convertStringArrayToNVPairs(String[] s) { + if (s == null) + return null; + NameValuePairs nvps = new NameValuePairs(); + int i; + + for (i = 0; i < s.length; i++) { + int j = s[i].indexOf(";"); + String paramName = s[i].substring(0, j); + String args = s[i].substring(j + 1); + + nvps.put(paramName, args); + } + return nvps; + + } + + protected static IExtendedPluginInfo getClassByNameAsExtendedPluginInfo(String className) { + + IExtendedPluginInfo epi = null; + + try { + // here is the new dummy obj created + Object o = Class.forName(className).newInstance(); + + epi = (IExtendedPluginInfo) o; + } catch (Exception e) { + } + + return epi; + } +} diff --git a/base/common/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java new file mode 100644 index 000000000..cacd0b5d0 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java 
@@ -0,0 +1,1721 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.AuthManagerProxy;
+import com.netscape.certsrv.authentication.AuthMgrPlugin;
+import com.netscape.certsrv.authentication.EAuthException;
+import com.netscape.certsrv.authentication.EAuthMgrNotFound;
+import com.netscape.certsrv.authentication.EAuthMgrPluginNotFound;
+import com.netscape.certsrv.authentication.IAuthManager;
+import com.netscape.certsrv.authentication.IAuthSubsystem;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.common.DestDef;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.common.OpDef;
+import com.netscape.certsrv.common.ScopeDef;
+import 
com.netscape.certsrv.ldap.ILdapAuthInfo; +import com.netscape.certsrv.logging.ILogger; + +/** + * A class representing an administration servlet for the + * Authentication Management subsystem. This servlet is responsible + * to serve configuration requests for the Auths Management subsystem. + * + * + * @version $Revision$, $Date$ + */ +public class AuthAdminServlet extends AdminServlet { + + /** + * + */ + private static final long serialVersionUID = -6258411211380144425L; + private final static String INFO = "AuthAdminServlet"; + private IAuthSubsystem mAuths = null; + + private final static String PW_PASSWORD_CACHE_ADD = + "PASSWORD_CACHE_ADD"; + private final static String VIEW = ";" + Constants.VIEW; + private final static String EDIT = ";" + Constants.EDIT; + + private final static String LOGGING_SIGNED_AUDIT_CONFIG_AUTH = + "LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3"; + + public AuthAdminServlet() { + super(); + } + + /** + * Initializes this servlet. + */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + mAuths = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); + AUTHZ_RES_NAME = "certServer.auth.configuration"; + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + /** + * retrieve extended plugin info such as brief description, type info + * from policy, authentication, + * need to add: listener, mapper and publishing plugins + * --- same as policy, should we move this into extendedpluginhelper? 
+ */ + private void getExtendedPluginInfo(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String id = req.getParameter(Constants.RS_ID); + + int colon = id.indexOf(':'); + + String implType = id.substring(0, colon); + String implName = id.substring(colon + 1); + + NameValuePairs params = + getExtendedPluginInfo(getLocale(req), implType, implName); + + sendResponse(SUCCESS, null, params, resp); + } + + private NameValuePairs getExtendedPluginInfo(Locale locale, String implType, String implName) { + IExtendedPluginInfo ext_info = null; + Object impl = null; + + impl = mAuths.getAuthManagerPlugin(implName); + if (impl != null) { + if (impl instanceof IExtendedPluginInfo) { + ext_info = (IExtendedPluginInfo) impl; + } + } + + NameValuePairs nvps = null; + + if (ext_info == null) { + nvps = new NameValuePairs(); + } else { + nvps = convertStringArrayToNVPairs(ext_info.getExtendedPluginInfo(locale)); + } + + return nvps; + + } + + /** + * Serves HTTP admin request. + */ + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + + String scope = req.getParameter(Constants.OP_SCOPE); + String op = req.getParameter(Constants.OP_TYPE); + + if (op == null) { + //System.out.println("SRVLT_INVALID_PROTOCOL"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PROTOCOL"), + null, resp); + return; + } + + // if it is not authentication, that means it is for CSC admin ping. + // the best way to do is to define another protocol for ping and move + // it to the generic servlet which is admin servlet. + if (!op.equals(OpDef.OP_AUTH)) { + if (scope.equals(ScopeDef.SC_AUTH)) { + String id = req.getParameter(Constants.RS_ID); + + // for CSC admin ping only + if (op.equals(OpDef.OP_READ) && + id.equals(Constants.RS_ID_CONFIG)) { + + // no need to authenticate this. if we're alive, return true. 
+ NameValuePairs params = new NameValuePairs(); + + params.put(Constants.PR_PING, Constants.TRUE); + sendResponse(SUCCESS, null, params, resp); + return; + } else { + //System.out.println("SRVLT_INVALID_OP_TYPE"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_TYPE", op), + null, resp); + return; + } + } + } + + try { + if (op.equals(OpDef.OP_AUTH)) { + if (scope.equals(ScopeDef.SC_AUTHTYPE)) { + IConfigStore configStore = CMS.getConfigStore(); + String val = configStore.getString("authType", "pwd"); + NameValuePairs params = new NameValuePairs(); + + params.put("authType", val); + sendResponse(SUCCESS, null, params, resp); + return; + } + } + } catch (Exception e) { + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHS_FAILED"), + null, resp); + return; + } + // for the rest + try { + super.authenticate(req); + if (op.equals(OpDef.OP_AUTH)) { // for admin authentication only + sendResponse(SUCCESS, null, null, resp); + return; + } + } catch (IOException e) { + //System.out.println("SRVLT_FAIL_AUTHS"); + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHS_FAILED"), + null, resp); + return; + } + + try { + // perform operation based on scope + if (scope != null) { + AUTHZ_RES_NAME = "certServer.auth.configuration"; + if (scope.equals(ScopeDef.SC_EXTENDED_PLUGIN_INFO)) { + try { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + getExtendedPluginInfo(req, resp); + return; + } catch (EBaseException e) { + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } + } + if (op.equals(OpDef.OP_SEARCH)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_AUTH_IMPLS)) 
{ + listAuthMgrPlugins(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_AUTH_MGR_INSTANCE)) { + listAuthMgrInsts(req, resp); + return; + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else if (op.equals(OpDef.OP_READ)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_AUTH_IMPLS)) { + getConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_AUTH_MGR_INSTANCE)) { + getInstConfig(req, resp); + return; + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else if (op.equals(OpDef.OP_ADD)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_AUTH_IMPLS)) { + addAuthMgrPlugin(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_AUTH_MGR_INSTANCE)) { + addAuthMgrInst(req, resp, scope); + return; + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else if (op.equals(OpDef.OP_DELETE)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_AUTH_IMPLS)) { + delAuthMgrPlugin(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_AUTH_MGR_INSTANCE)) { + delAuthMgrInst(req, resp, scope); + return; + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else if (op.equals(OpDef.OP_MODIFY)) { + 
mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_AUTH_MGR_INSTANCE)) { + modAuthMgrInst(req, resp, scope); + return; + } + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } + } catch (EBaseException e) { + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_PERFORM_FAILED"), + null, resp); + return; + } + + private void putUserPWPair(String combo) { + int semicolon; + + semicolon = combo.indexOf(";"); + String user = combo.substring(0, semicolon); + String pw = combo.substring(semicolon + 1); + + CMS.putPasswordCache(user, pw); + } + + /** + * Add authentication manager plug-in + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_AUTH used when configuring authentication + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of this authentication + * manager's substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + + private synchronized void addAuthMgrPlugin(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + // is the manager id unique? 
+ if (mAuths.getPlugins().containsKey((Object) id)) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse( + ERROR, + new EAuthException(CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_DUP_MGR_PLUGIN_ID", + id)).toString(), + null, resp); + return; + } + + String classPath = req.getParameter(Constants.PR_AUTH_CLASS); + + if (classPath == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_NULL_AUTHMGR_CLASSNAME"), + null, resp); + return; + } + + if (classPath.equals("com.netscape.cmscore.authentication.PasswdUserDBAuthentication") || + classPath.equals("com.netscape.cmscore.authentication.CertUserDBAuthentication")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_BASE_PERMISSION_DENIED"), null, resp); + return; + } + + IConfigStore destStore = + mConfig.getSubStore(DestDef.DEST_AUTH_ADMIN); + IConfigStore instancesConfig = + destStore.getSubStore(scope); + + // Does the class exist? 
+ + Class newImpl = null; + + try { + @SuppressWarnings("unchecked") + Class tmpImpl = (Class) Class.forName(classPath); + newImpl = tmpImpl; + } catch (ClassNotFoundException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_AUTHMGR_PLUGIN_NOT_FOUND"), + null, resp); + return; + } catch (IllegalArgumentException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_AUTHMGR_PLUGIN_NOT_FOUND"), + null, resp); + return; + } + + // is the class an IAuthManager? + try { + if (IAuthManager.class.isAssignableFrom(newImpl) == false) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_ILL_CLASS"), + null, resp); + return; + } + } catch (NullPointerException e) { // unlikely, only if newImpl null. 
+ // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_ILL_CLASS"), + null, resp); + return; + } + + IConfigStore substore = instancesConfig.makeSubStore(id); + + substore.put(Constants.PR_AUTH_CLASS, classPath); + + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + //System.out.println("SRVLT_FAIL_COMMIT"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // add manager to registry. + AuthMgrPlugin plugin = new AuthMgrPlugin(id, classPath); + + mAuths.getPlugins().put(id, plugin); + mAuths.log(ILogger.LL_INFO, + CMS.getLogMessage("ADMIN_SRVLT_PLUGIN_ADD", id)); + + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + // } catch( EBaseException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); 
+ + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * Add authentication manager instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_AUTH used when configuring authentication + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of this authentication + * manager's substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void addAuthMgrInst(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // is the manager instance id unique? 
+ if (mAuths.getInstances().containsKey((Object) id)) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_ILL_MGR_INST_ID"), + null, resp); + return; + } + + // get required parameters + // SC_AUTH_IMPL_NAME is absolutely required, the rest depend on + // on each authenticaton manager + String implname = req.getParameter(Constants.PR_AUTH_IMPL_NAME); + + if (implname == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_MISSING_PARAMS"), + null, resp); + return; + } + + // prevent agent & admin creation. + if (implname.equals(IAuthSubsystem.PASSWDUSERDB_PLUGIN_ID) || + implname.equals(IAuthSubsystem.CERTUSERDB_PLUGIN_ID)) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_BASE_PERMISSION_DENIED"), null, resp); + } + + // check if implementation exists. 
+ AuthMgrPlugin plugin = + (AuthMgrPlugin) mAuths.getPlugins().get(implname); + + if (plugin == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse( + ERROR, + new EAuthMgrPluginNotFound(CMS.getUserMessage(getLocale(req), + "CMS_AUTHENTICATION_AUTHMGR_NOT_FOUND", implname)).toString(), + null, resp); + return; + } + + // now the rest of config parameters + // note that we only check to see if the required parameters + // are there, but not checking the values are valid + String[] configParams = mAuths.getConfigParams(implname); + + IConfigStore destStore = + mConfig.getSubStore(DestDef.DEST_AUTH_ADMIN); + IConfigStore instancesConfig = + destStore.getSubStore(scope); + IConfigStore substore = instancesConfig.makeSubStore(id); + + if (configParams != null) { + for (int i = 0; i < configParams.length; i++) { + String key = configParams[i]; + String val = req.getParameter(key); + + if (val != null) { + substore.put(key, val); + } + } + } + substore.put(IAuthSubsystem.PROP_PLUGIN, implname); + + String pwadd = req.getParameter(PW_PASSWORD_CACHE_ADD); + + if (pwadd != null) { + putUserPWPair(pwadd); + } + + // Instantiate an object for this implementation + String className = plugin.getClassPath(); + IAuthManager authMgrInst = null; + + try { + authMgrInst = (IAuthManager) Class.forName(className).newInstance(); + } catch (ClassNotFoundException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // cleanup + instancesConfig.removeSubStore(id); + sendResponse( + ERROR, + new EAuthException(CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_LOAD_CLASS_FAIL", + className)).toString(), + null, resp); + return; + } catch 
(InstantiationException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + instancesConfig.removeSubStore(id); + sendResponse( + ERROR, + new EAuthException(CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_LOAD_CLASS_FAIL", + className)).toString(), + null, resp); + return; + } catch (IllegalAccessException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + instancesConfig.removeSubStore(id); + sendResponse( + ERROR, + new EAuthException(CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_LOAD_CLASS_FAIL", + className)).toString(), + null, resp); + return; + } + + // initialize the authentication manager + try { + authMgrInst.init(id, implname, substore); + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // don't commit in this case and cleanup the new substore. + instancesConfig.removeSubStore(id); + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } + + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // clean up. + instancesConfig.removeSubStore(id); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // inited and commited ok. now add manager instance to list. 
+ mAuths.add(id, authMgrInst); + + mAuths.log(ILogger.LL_INFO, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_MGR_ADD", id)); + + NameValuePairs params = new NameValuePairs(); + + params.put(Constants.PR_AUTH_IMPL_NAME, implname); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + private synchronized void listAuthMgrPlugins(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + Enumeration e = mAuths.getPlugins().keys(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + AuthMgrPlugin value = (AuthMgrPlugin) + mAuths.getPlugins().get(name); + + if (value.isVisible()) { + params.put(name, value.getClassPath() + EDIT); + } + } + sendResponse(SUCCESS, 
null, params, resp); + return; + } + + private synchronized void listAuthMgrInsts(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + + for (Enumeration e = mAuths.getInstances().keys(); e.hasMoreElements();) { + String name = (String) e.nextElement(); + AuthManagerProxy proxy = (AuthManagerProxy) mAuths.getInstances().get(name); + IAuthManager value = proxy.getAuthManager(); + String enableStr = "enabled"; + + if (!proxy.isEnable()) { + enableStr = "disabled"; + } + + AuthMgrPlugin amgrplugin = (AuthMgrPlugin) + mAuths.getPlugins().get(value.getImplName()); + + if (!amgrplugin.isVisible()) { + params.put(name, value.getImplName() + ";invisible;" + enableStr); + } else { + params.put(name, value.getImplName() + ";visible;" + enableStr); + } + } + sendResponse(SUCCESS, null, params, resp); + return; + } + + /** + * Delete authentication manager plug-in + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_AUTH used when configuring authentication + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of this authentication + * manager's substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void delAuthMgrPlugin(HttpServletRequest req, + HttpServletResponse resp, String scope) throws ServletException, + IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // prevent deletion of admin and agent. + if (id.equals(IAuthSubsystem.PASSWDUSERDB_PLUGIN_ID) || + id.equals(IAuthSubsystem.CERTUSERDB_PLUGIN_ID)) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_BASE_PERMISSION_DENIED"), null, resp); + } + + // does auth manager exist? 
+ if (mAuths.getPlugins().containsKey(id) == false) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse( + ERROR, + new EAuthMgrPluginNotFound(CMS.getUserMessage(getLocale(req), + "CMS_AUTHENTICATION_DUP_MGR_PLUGIN_ID", id)).toString(), + null, resp); + return; + } + + // first check if any instances from this auth manager + // DON'T remove auth manager if any instance + for (Enumeration e = mAuths.getInstances().keys(); e.hasMoreElements();) { + IAuthManager authMgr = (IAuthManager) mAuths.get((String) e.nextElement()); + + if (authMgr.getImplName() == id) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_MGR_IN_USE"), + null, resp); + return; + } + } + + // then delete this auth manager + mAuths.getPlugins().remove((Object) id); + + IConfigStore destStore = + mConfig.getSubStore(DestDef.DEST_AUTH_ADMIN); + IConfigStore instancesConfig = + destStore.getSubStore(scope); + + instancesConfig.removeSubStore(id); + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + 
return; + // } catch( EBaseException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit1; + } + } + + /** + * Delete authentication manager instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_AUTH used when configuring authentication + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of this authentication + * manager's substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void delAuthMgrInst(HttpServletRequest req, + HttpServletResponse resp, String scope) throws ServletException, + IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // prevent deletion of admin and agent. + if (id.equals(IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID) || + id.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_BASE_PERMISSION_DENIED"), null, resp); + } + + // does auth manager instance exist? 
+ if (mAuths.getInstances().containsKey(id) == false) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse( + ERROR, + new EAuthMgrNotFound(CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_AUTHMGR_NOT_FOUND", + id)).toString(), + null, resp); + return; + } + + // only remove from memory + // cannot shutdown because we don't keep track of whether it's + // being used. + mAuths.getInstances().remove(id); + + // remove the configuration. + IConfigStore destStore = + mConfig.getSubStore(DestDef.DEST_AUTH_ADMIN); + IConfigStore instancesConfig = + destStore.getSubStore(scope); + + instancesConfig.removeSubStore(id); + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + //System.out.println("SRVLT_FAIL_COMMIT"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + //This only works in the fact that we only support one instance per + //auth plugin. 
+ ILdapAuthInfo authInfo = CMS.getLdapAuthInfo(); + + authInfo.removePassword("Rule " + id); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + // } catch( EBaseException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * used for getting the required configuration parameters (with + * possible default values) for a particular auth manager plugin + * implementation name specified in the RS_ID. Actually, there is + * no logic in here to set any default value here...there's no + * default value for any parameter in this authentication subsystem + * at this point. Later, if we do have one (or some), it can be + * added. The interface remains the same. 
+ */ + private synchronized void getConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + + String implname = req.getParameter(Constants.RS_ID); + + if (implname == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + String[] configParams = mAuths.getConfigParams(implname); + NameValuePairs params = new NameValuePairs(); + + // implName is always required so always send it. + params.put(Constants.PR_AUTH_IMPL_NAME, ""); + if (configParams != null) { + for (int i = 0; i < configParams.length; i++) { + params.put(configParams[i], ""); + } + } + sendResponse(0, null, params, resp); + return; + } + + private synchronized void getInstConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // does auth manager instance exist? + if (mAuths.getInstances().containsKey(id) == false) { + sendResponse( + ERROR, + new EAuthMgrNotFound(CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_AUTHMGR_NOT_FOUND", id)) + .toString(), + null, resp); + return; + } + + IAuthManager mgrInst = (IAuthManager) mAuths.get(id); + IConfigStore config = mgrInst.getConfigStore(); + String[] configParams = mgrInst.getConfigParams(); + NameValuePairs params = new NameValuePairs(); + + params.put(Constants.PR_AUTH_IMPL_NAME, mgrInst.getImplName()); + // implName is always required so always send it. 
+ if (configParams != null) { + for (int i = 0; i < configParams.length; i++) { + String key = configParams[i]; + String val = (String) config.get(key); + + if (val != null) { + params.put(key, val); + } else { + params.put(key, ""); + } + } + } + + sendResponse(SUCCESS, null, params, resp); + return; + } + + /** + * Modify authentication manager instance + * This will actually create a new instance with new configuration + * parameters and replace the old instance if the new instance is + * created and initialized successfully. + * The old instance is left running, so this is very expensive. + * Restart of server recommended. + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_AUTH used when configuring authentication + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of this authentication + * manager's substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void modAuthMgrInst(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + + // expensive operation. + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // prevent modification of admin and agent. + if (id.equals(IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID) || + id.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_BASE_PERMISSION_DENIED"), null, resp); + } + + // Does the manager instance exist? + if (!mAuths.getInstances().containsKey((Object) id)) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage("CMS_AUTHENTICATION_MGR_IMPL_NOT_FOUND"), + null, resp); + return; + } + + // get new implementation (same or different.) 
+ String implname = req.getParameter(Constants.PR_AUTH_IMPL_NAME); + + if (implname == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage("CMS_AUTHENTICATION_MISSING_PARAMS"), + null, resp); + return; + } + + // get plugin for implementation + AuthMgrPlugin plugin = + (AuthMgrPlugin) mAuths.getPlugins().get(implname); + + if (plugin == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse( + ERROR, + new EAuthMgrPluginNotFound(CMS.getUserMessage(getLocale(req), + "CMS_AUTHENTICATION_AUTHMGR_NOT_FOUND", implname)).toString(), + null, resp); + return; + } + + // save old instance substore params in case new one fails. + + IAuthManager oldinst = + (IAuthManager) mAuths.get(id); + IConfigStore oldConfig = oldinst.getConfigStore(); + + String[] oldConfigParms = oldinst.getConfigParams(); + NameValuePairs saveParams = new NameValuePairs(); + + // implName is always required so always include it it. + saveParams.put(IAuthSubsystem.PROP_PLUGIN, + (String) oldConfig.get(IAuthSubsystem.PROP_PLUGIN)); + if (oldConfigParms != null) { + for (int i = 0; i < oldConfigParms.length; i++) { + String key = oldConfigParms[i]; + Object val = oldConfig.get(key); + + if (val != null) { + saveParams.put(key, (String) val); + } + } + } + + // on to the new instance. + + // remove old substore. + + IConfigStore destStore = + mConfig.getSubStore(DestDef.DEST_AUTH_ADMIN); + IConfigStore instancesConfig = + destStore.getSubStore(scope); + + instancesConfig.removeSubStore(id); + + // create new substore. 
+ + String[] configParams = mAuths.getConfigParams(implname); + + IConfigStore substore = instancesConfig.makeSubStore(id); + + substore.put(IAuthSubsystem.PROP_PLUGIN, implname); + if (configParams != null) { + for (int i = 0; i < configParams.length; i++) { + String key = configParams[i]; + String val = req.getParameter(key); + + if (val != null) { + substore.put(key, val); + } + } + } + + // Instantiate an object for new implementation + + String className = plugin.getClassPath(); + IAuthManager newMgrInst = null; + + try { + newMgrInst = (IAuthManager) Class.forName(className).newInstance(); + } catch (ClassNotFoundException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // cleanup + restore(instancesConfig, id, saveParams); + sendResponse( + ERROR, + new EAuthException(CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_LOAD_CLASS_FAIL", + className)).toString(), + null, resp); + return; + } catch (InstantiationException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + restore(instancesConfig, id, saveParams); + sendResponse( + ERROR, + new EAuthException(CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_LOAD_CLASS_FAIL", + className)).toString(), + null, resp); + return; + } catch (IllegalAccessException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + restore(instancesConfig, id, saveParams); + sendResponse( + ERROR, + new EAuthException(CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_LOAD_CLASS_FAIL", + className)).toString(), + null, resp); + return; + } 
+ + // initialize the authentication manager + + try { + newMgrInst.init(id, implname, substore); + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // don't commit in this case and cleanup the new substore. + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } + + // initialized ok. commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // clean up. + restore(instancesConfig, id, saveParams); + //System.out.println("SRVLT_FAIL_COMMIT"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // commited ok. replace instance. 
+ + mAuths.add(id, newMgrInst); + + mAuths.log(ILogger.LL_INFO, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_MGR_REPL", id)); + + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + // convenience routine. + private static void restore(IConfigStore store, + String id, NameValuePairs saveParams) { + store.removeSubStore(id); + IConfigStore rstore = store.makeSubStore(id); + + for (String key : saveParams.keySet()) { + String value = saveParams.get(key); + + if (value != null) + rstore.put(key, value); + } + } +} diff --git a/base/common/src/com/netscape/cms/servlet/admin/AuthCredentials.java b/base/common/src/com/netscape/cms/servlet/admin/AuthCredentials.java new file mode 100644 index 000000000..69cfd9aaf --- /dev/null 
+++ b/base/common/src/com/netscape/cms/servlet/admin/AuthCredentials.java
@@ -0,0 +1,109 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+import java.util.Enumeration;
+import java.util.Hashtable;
+
+import com.netscape.certsrv.authentication.IAuthCredentials;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IArgBlock;
+
+/**
+ * Authentication Credentials as input to the authMgr
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class AuthCredentials implements IAuthCredentials {
+ /**
+ *
+ */
+ private static final long serialVersionUID = -6938644716486895814L;
+ private Hashtable authCreds = null;
+ // Inserted by bskim
+ private IArgBlock argblk = null;
+
+ // Insert end
+
+ public AuthCredentials() {
+ authCreds = new Hashtable();
+ }
+
+ /**
+ * sets a credential with credential name and the credential
+ *
+ * @param name credential name
+ * @param cred credential
+ * @exception com.netscape.certsrv.base.EBaseException NullPointerException
+ */
+ public void set(String name, Object cred) throws EBaseException {
+ if (cred == null) {
+ throw new EBaseException("AuthCredentials.set()");
+ }
+
+ authCreds.put(name, cred);
+ }
+
+ /**
+ * returns the credential to which the specified name is mapped in this
+ * credential set
+ *
+ * @param name credential name
+ * @return the named authentication credential
+ */
+ public Object get(String name) {
+ return authCreds.get(name);
+ }
+
+ /**
+ * removes the name and its corresponding credential from this
+ * credential set. This method does nothing if the named
+ * credential is not in the credential set.
+ *
+ * @param name credential name
+ */
+ public void delete(String name) {
+ authCreds.remove(name);
+ }
+
+ /**
+ * returns an enumeration of the credential names in this credential
+ * set. Use the Enumeration methods on the returned object to
+ * fetch the elements sequentially.
+ *
+ * @return an enumeration of the names in this credential set
+ * @see java.util.Enumeration
+ */
+ public Enumeration getElements() {
+ return authCreds.keys();
+ }
+
+ // Inserted by bskim
+ public void setArgBlock(IArgBlock blk) {
+ argblk = blk;
+ return;
+ }
+
+ // Insert end
+
+ public IArgBlock getArgBlock() {
+ return argblk;
+ }
+ // Insert end
+}
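Review bot: `set()` rejects a null credential with `throw new EBaseException("AuthCredentials.set()")`, a message that names the method but not the failure, while the Javadoc directly above advertises a `NullPointerException` that is never thrown; use a message that states the cause, e.g. `throw new EBaseException("AuthCredentials.set(): null credential for '" + name + "'");`, and change the `@exception` tag to say the exception is raised when `cred` is null. `authCreds` and `getElements()` use raw `Hashtable`/`Enumeration`; declaring them `Hashtable<String, Object>` and `Enumeration<String>` costs nothing and removes the unchecked casts every caller otherwise needs. The `serialVersionUID` field suggests this class is `Serializable` through `IAuthCredentials`, and since it exists to carry authentication secrets the class Javadoc should warn that instances hold credentials and must not be logged, cached or serialized beyond the request — the interface is outside this diff, so confirm that contract before wording the comment. The "Inserted by bskim" / "Insert end" markers are change-tracking noise that belongs in the commit history, not the source.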
diff --git a/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java
new file mode 100644
index 000000000..e7b32e844
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java
@@ -0,0 +1,1582 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.UnknownHostException;
+import java.util.Enumeration;
+import java.util.Locale;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.ca.ICMSCRLExtensions;
+import com.netscape.certsrv.ca.ICRLIssuingPoint;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.common.OpDef;
+import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.request.IRequestListener;
+import com.netscape.cmsutil.util.Utils;
+
+/**
+ * A class representings an administration servlet for Certificate
+ * Authority.
This servlet is responsible to serve CA + * administrative operations such as configuration parameter + * updates. + * + * @version $Revision$, $Date$ + */ +public class CAAdminServlet extends AdminServlet { + + /** + * + */ + private static final long serialVersionUID = 6200983242040946840L; + + public final static String PROP_EMAIL_TEMPLATE = "emailTemplate"; + + private final static String INFO = "CAAdminServlet"; + + private final static String LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE = + "LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3"; + + private ICertificateAuthority mCA = null; + protected static final String PROP_ENABLED = "enabled"; + + /** + * Constructs CA servlet. + */ + public CAAdminServlet() { + super(); + } + + /** + * Initializes this servlet. + */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + mCA = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA); + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + /** + * Serves HTTP request. Each request is authenticated to + * the authenticate manager. 
+ */ + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + + //get all operational flags + String op = req.getParameter(Constants.OP_TYPE); + String scope = req.getParameter(Constants.OP_SCOPE); + + //check operational flags + if ((op == null) || (scope == null)) { + sendResponse(1, "Invalid Protocol", null, resp); + return; + } + + super.authenticate(req); + + try { + AUTHZ_RES_NAME = "certServer.ca.configuration"; + if (scope.equals(ScopeDef.SC_EXTENDED_PLUGIN_INFO)) { + try { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + getExtendedPluginInfo(req, resp); + return; + } catch (EBaseException e) { + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + } + } + + if (op.equals(OpDef.OP_READ)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_GENERAL)) + getGeneralConfig(req, resp); + else if (scope.equals(ScopeDef.SC_CONNECTOR)) + getConnectorConfig(req, resp); + else if (scope.equals(ScopeDef.SC_CRLIPS)) + getCRLIPsConfig(req, resp); + else if (scope.equals(ScopeDef.SC_CRL)) + getCRLConfig(req, resp); + else if (scope.equals(ScopeDef.SC_NOTIFICATION_REQ_COMP)) + getNotificationReqCompConfig(req, resp); + else if (scope.equals(ScopeDef.SC_NOTIFICATION_REV_COMP)) + getNotificationRevCompConfig(req, resp); + else if (scope.equals(ScopeDef.SC_NOTIFICATION_RIQ)) + getNotificationRIQConfig(req, resp); + else if (scope.equals(ScopeDef.SC_CRLEXTS_RULES)) + getCRLExtsConfig(req, resp); + } else if (op.equals(OpDef.OP_MODIFY)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), 
"CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_GENERAL)) + setGeneralConfig(req, resp); + else if (scope.equals(ScopeDef.SC_CONNECTOR)) + setConnectorConfig(req, resp); + else if (scope.equals(ScopeDef.SC_CRLIPS)) + setCRLIPsConfig(req, resp); + else if (scope.equals(ScopeDef.SC_CRL)) + setCRLConfig(req, resp); + else if (scope.equals(ScopeDef.SC_NOTIFICATION_REQ_COMP)) + setNotificationReqCompConfig(req, resp); + else if (scope.equals(ScopeDef.SC_NOTIFICATION_REV_COMP)) + setNotificationRevCompConfig(req, resp); + else if (scope.equals(ScopeDef.SC_NOTIFICATION_RIQ)) + setNotificationRIQConfig(req, resp); + else if (scope.equals(ScopeDef.SC_CRLEXTS_RULES)) + setCRLExtsConfig(req, resp); + } else if (op.equals(OpDef.OP_SEARCH)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_CRLEXTS_RULES)) + listCRLExtsConfig(req, resp); + else if (scope.equals(ScopeDef.SC_CRLIPS)) + listCRLIPsConfig(req, resp); + } else if (op.equals(OpDef.OP_ADD)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_CRLIPS)) + addCRLIPsConfig(req, resp); + } else if (op.equals(OpDef.OP_DELETE)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_CRLIPS)) + deleteCRLIPsConfig(req, resp); + } else { + sendResponse(1, "Unknown operation", null, resp); + } + } catch (Exception e) { + sendResponse(1, e.toString(), null, resp); + return; + } + } + + /*========================================================== + * private methods + 
*==========================================================*/ + + /* + * handle request completion (cert issued) notification config requests + */ + private void getNotificationCompConfig(HttpServletRequest req, + HttpServletResponse resp, IConfigStore rc) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + params.put(name, rc.getString(name, "")); + } + + params.put(Constants.PR_ENABLE, + rc.getString(PROP_ENABLED, Constants.FALSE)); + sendResponse(SUCCESS, null, params, resp); + } + + private void getNotificationRevCompConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + IConfigStore config = mCA.getConfigStore(); + IConfigStore nc = + config.getSubStore(ICertificateAuthority.PROP_NOTIFY_SUBSTORE); + IConfigStore rc = nc.getSubStore(ICertificateAuthority.PROP_CERT_REVOKED_SUBSTORE); + + getNotificationCompConfig(req, resp, rc); + } + + private void getNotificationReqCompConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + IConfigStore config = mCA.getConfigStore(); + IConfigStore nc = + config.getSubStore(ICertificateAuthority.PROP_NOTIFY_SUBSTORE); + IConfigStore rc = nc.getSubStore(ICertificateAuthority.PROP_CERT_ISSUED_SUBSTORE); + + getNotificationCompConfig(req, resp, rc); + } + + /* + * handle getting request in queue notification config info + */ + private void getNotificationRIQConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new 
NameValuePairs(); + + IConfigStore config = mCA.getConfigStore(); + IConfigStore nc = + config.getSubStore(ICertificateAuthority.PROP_NOTIFY_SUBSTORE); + + IConfigStore riq = nc.getSubStore(ICertificateAuthority.PROP_REQ_IN_Q_SUBSTORE); + + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + params.put(name, riq.getString(name, "")); + } + + params.put(Constants.PR_ENABLE, + riq.getString(PROP_ENABLED, Constants.FALSE)); + sendResponse(SUCCESS, null, params, resp); + } + + /* + * handle setting request in queue notification config info + */ + private void setNotificationRIQConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + IConfigStore config = mCA.getConfigStore(); + IConfigStore nc = + config.getSubStore(ICertificateAuthority.PROP_NOTIFY_SUBSTORE); + + IConfigStore riq = nc.getSubStore(ICertificateAuthority.PROP_REQ_IN_Q_SUBSTORE); + + //set rest of the parameters + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + String val = req.getParameter(name); + + // if it's emailTemplate, check to see if the path exists + if (name.equalsIgnoreCase(PROP_EMAIL_TEMPLATE)) { + File template = new File(val); + + if ((!template.exists()) || (!template.canRead()) + || (template.isDirectory())) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_INVALID_PATH")); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), 
"CMS_ADMIN_SRVLT_INVALID_PATH"), + null, resp); + return; + } + } + riq.putString(name, val); + mCA.getRequestInQListener().set(name, val); + } + + // set enable flag + String enabledString = req.getParameter(Constants.PR_ENABLE); + + riq.putString(PROP_ENABLED, enabledString); + mCA.getRequestInQListener().set(PROP_ENABLED, enabledString); + + commit(true); + + sendResponse(SUCCESS, null, null, resp); + } + + /* + * handle setting request complete notification config info + */ + private void setNotificationCompConfig(HttpServletRequest req, + HttpServletResponse resp, IConfigStore rc, IRequestListener thisListener) throws ServletException, + IOException, EBaseException { + + //set rest of the parameters + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + String val = req.getParameter(name); + + // if it's emailTemplate, check to see if the path exists + if (name.equalsIgnoreCase(PROP_EMAIL_TEMPLATE)) { + File template = new File(val); + + if ((!template.exists()) || (!template.canRead()) + || (template.isDirectory())) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_INVALID_PATH")); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PATH"), + null, resp); + return; + } + } + rc.putString(name, val); + thisListener.set(name, val); + } + + // set enable flag + String enabledString = req.getParameter(Constants.PR_ENABLE); + + rc.putString(PROP_ENABLED, enabledString); + thisListener.set(PROP_ENABLED, enabledString); + + commit(true); + + sendResponse(SUCCESS, null, null, resp); + } + + private void setNotificationRevCompConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException 
{ + IConfigStore config = mCA.getConfigStore(); + IConfigStore nc = + config.getSubStore(ICertificateAuthority.PROP_NOTIFY_SUBSTORE); + + IConfigStore rc = nc.getSubStore(ICertificateAuthority.PROP_CERT_REVOKED_SUBSTORE); + + setNotificationCompConfig(req, resp, rc, mCA.getCertRevokedListener()); + } + + private void setNotificationReqCompConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + IConfigStore config = mCA.getConfigStore(); + IConfigStore nc = + config.getSubStore(ICertificateAuthority.PROP_NOTIFY_SUBSTORE); + + IConfigStore rc = nc.getSubStore(ICertificateAuthority.PROP_CERT_ISSUED_SUBSTORE); + + setNotificationCompConfig(req, resp, rc, mCA.getCertIssuedListener()); + + } + + private void listCRLIPsConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + Enumeration ips = mCA.getCRLIssuingPoints(); + + while (ips.hasMoreElements()) { + ICRLIssuingPoint ip = ips.nextElement(); + + if (ip != null) { + String ipId = ip.getId(); + + if (ipId != null && ipId.length() > 0) + params.put(ipId, ip.getDescription()); + params.put(ipId + "." 
+ Constants.PR_ENABLED, + (Boolean.valueOf(ip.isCRLIssuingPointEnabled())).toString()); + } + } + + sendResponse(SUCCESS, null, params, resp); + } + + private void getCRLIPsConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + String id = req.getParameter(Constants.RS_ID); + + if (id != null && id.length() > 0) { + ICRLIssuingPoint ip = mCA.getCRLIssuingPoint(id); + + if (ip != null) { + + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + String value = ""; + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + if (name.equals(Constants.PR_ENABLED)) { + if (ip.isCRLIssuingPointEnabled()) { + value = Constants.TRUE; + } else { + value = Constants.FALSE; + } + } + if (name.equals(Constants.PR_ID)) + value = id; + if (name.equals(Constants.PR_DESCRIPTION)) + value = ip.getDescription(); + if (name.equals(Constants.PR_CLASS)) + value = ip.getClass().getName(); + + params.put(name, value); + } + } + } + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Add CRL issuing points configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE used when configuring CRL profile (extensions, + * frequency, CRL format) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void addCRLIPsConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + + String ipId = req.getParameter(Constants.PR_ID); + + if (ipId == null || ipId.length() == 0) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, "Missing CRL IP name", null, resp); + return; + } + params.put(Constants.PR_ID, ipId); + + String desc = req.getParameter(Constants.PR_DESCRIPTION); + + if (desc == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, "Missing CRL IP description", null, resp); + return; + } + params.put(Constants.PR_DESCRIPTION, desc); + + String sEnable = req.getParameter(Constants.PR_ENABLED); + boolean enable = true; + + if (sEnable != null && sEnable.length() > 0 && + sEnable.equalsIgnoreCase(Constants.FALSE)) { + enable = false; + params.put(Constants.PR_ENABLED, Constants.FALSE); + } else { + params.put(Constants.PR_ENABLED, Constants.TRUE); + } + + IConfigStore crlSubStore = + mCA.getConfigStore().getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE); + Enumeration crlNames = crlSubStore.getSubStoreNames(); + + while 
(crlNames.hasMoreElements()) { + String name = crlNames.nextElement(); + + if (ipId.equals(name)) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, ipId + " CRL IP already exists", null, resp); + return; + } + } + if (!mCA.addCRLIssuingPoint(crlSubStore, ipId, enable, desc)) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, "Cannot add or edit CRL IP", null, resp); + return; + } + commit(true); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific 
exception to be handled later + // throw eAudit3; + } + } + + /** + * Set CRL issuing points configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE used when configuring CRL profile (extensions, + * frequency, CRL format) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void setCRLIPsConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + + String ipId = req.getParameter(Constants.PR_ID); + + if (ipId == null || ipId.length() == 0) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, "Missing CRL IP name", null, resp); + return; + } + params.put(Constants.PR_ID, ipId); + + String desc = req.getParameter(Constants.PR_DESCRIPTION); + + if (desc == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, "Missing CRL IP description", null, resp); + return; + } + params.put(Constants.PR_DESCRIPTION, desc); + + String sEnable = req.getParameter(Constants.PR_ENABLED); + boolean enable = true; + + if (sEnable != null && sEnable.length() > 0 && + sEnable.equalsIgnoreCase(Constants.FALSE)) { + enable = false; + params.put(Constants.PR_ENABLED, Constants.FALSE); + } else { + params.put(Constants.PR_ENABLED, Constants.TRUE); + } + + IConfigStore crlSubStore = + mCA.getConfigStore().getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE); + boolean done = false; + Enumeration crlNames = crlSubStore.getSubStoreNames(); + + 
while (crlNames.hasMoreElements()) { + String name = crlNames.nextElement(); + + if (ipId.equals(name)) { + ICRLIssuingPoint ip = mCA.getCRLIssuingPoint(ipId); + + if (ip != null) { + ip.setDescription(desc); + ip.enableCRLIssuingPoint(enable); + } + IConfigStore c = crlSubStore.getSubStore(ipId); + + if (c != null) { + c.putString(Constants.PR_DESCRIPTION, desc); + c.putString(Constants.PR_ENABLED, + (enable) ? Constants.TRUE : Constants.FALSE); + } + done = true; + break; + } + } + if (!done) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, "Missing CRL IP " + ipId, null, resp); + return; + } + commit(true); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + 
// + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * Delete CRL issuing points configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE used when configuring CRL profile (extensions, + * frequency, CRL format) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void deleteCRLIPsConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + + String id = req.getParameter(Constants.RS_ID); + + if (id != null && id.length() > 0) { + IConfigStore crlSubStore = + mCA.getConfigStore().getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE); + boolean done = false; + Enumeration crlNames = crlSubStore.getSubStoreNames(); + + while (crlNames.hasMoreElements()) { + String name = crlNames.nextElement(); + + if (id.equals(name)) { + mCA.deleteCRLIssuingPoint(crlSubStore, id); + done = true; + break; + } + } + if (!done) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, "Missing CRL IP " + id, null, resp); + return; + } + commit(true); + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + 
throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + private void getCRLExtsConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + String ipId = null; + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + ipId = name; + } + if (ipId == null || ipId.length() <= 0) { + ipId = ICertificateAuthority.PROP_MASTER_CRL; + } + + ICRLIssuingPoint ip = mCA.getCRLIssuingPoint(ipId); + ICMSCRLExtensions crlExts = ip.getCRLExtensions(); + String id = req.getParameter(Constants.RS_ID); + + if (id != null) { + params = crlExts.getConfigParams(id); + } + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Delete CRL extensions configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE used when configuring CRL profile (extensions, + * frequency, CRL format) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void setCRLExtsConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + + String ipId = req.getParameter(Constants.PR_ID); + + if (ipId == null || ipId.length() <= 0) { + ipId = ICertificateAuthority.PROP_MASTER_CRL; + } + + ICRLIssuingPoint ip = mCA.getCRLIssuingPoint(ipId); + ICMSCRLExtensions crlExts = ip.getCRLExtensions(); + + IConfigStore config = mCA.getConfigStore(); + IConfigStore crlsSubStore = + config.getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE); + IConfigStore crlSubStore = crlsSubStore.getSubStore(ipId); + IConfigStore crlExtsSubStore = + crlSubStore.getSubStore(ICertificateAuthority.PROP_CRLEXT_SUBSTORE); + + String id = req.getParameter(Constants.RS_ID); + + if (id != null) { + IConfigStore crlExtSubStore = crlExtsSubStore.getSubStore(id); + + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_CRLEXT_IMPL_NAME)) + continue; + if (name.equals("RULENAME")) + continue; + String value = req.getParameter(name); + + params.put(name, value); + } + crlExts.setConfigParams(id, params, crlExtSubStore); + commit(true); + ip.clearCRLCache(); + ip.updateCRLCacheRepository(); + } + + // store a message in the signed audit log file 
+ auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + private void listCRLExtsConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + String id = req.getParameter(Constants.PR_ID); + + if (id == null || id.length() <= 0) { + id = ICertificateAuthority.PROP_MASTER_CRL; + } + + IConfigStore config = mCA.getConfigStore(); + IConfigStore crlsSubStore = config.getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE); + IConfigStore crlSubStore = crlsSubStore.getSubStore(id); + IConfigStore crlExtsSubStore = crlSubStore.getSubStore(ICertificateAuthority.PROP_CRLEXT_SUBSTORE); + + if (crlExtsSubStore != null) { + Enumeration enumExts = crlExtsSubStore.getSubStoreNames(); + + while (enumExts.hasMoreElements()) { 
+ String extName = enumExts.nextElement(); + boolean crlExtEnabled = false; + IConfigStore crlExtSubStore = crlExtsSubStore.getSubStore(extName); + Enumeration properties = crlExtSubStore.getPropertyNames(); + + while (properties.hasMoreElements()) { + String name = properties.nextElement(); + + if (name.equals(Constants.PR_ENABLE)) { + crlExtEnabled = crlExtSubStore.getBoolean(name, false); + } + } + params.put(extName, extName + ";visible;" + ((crlExtEnabled) ? "enabled" : "disabled")); + } + } + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * retrieve extended plugin info such as brief description, + * type info from CRL extensions + */ + private void getExtendedPluginInfo(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String id = req.getParameter(Constants.RS_ID); + int colon = id.indexOf(':'); + + String implType = id.substring(0, colon); + String implName = id.substring(colon + 1); + + NameValuePairs params = + getExtendedPluginInfo(getLocale(req), implType, implName); + + sendResponse(SUCCESS, null, params, resp); + } + + private NameValuePairs getExtendedPluginInfo(Locale locale, String implType, String implName) { + IExtendedPluginInfo ext_info = null; + Object impl = null; + + String ipId = null; + String name = null; + + Enumeration ips = mCA.getCRLIssuingPoints(); + if (ips.hasMoreElements()) { + ICRLIssuingPoint ip = ips.nextElement(); + if (ip != null) { + ipId = ip.getId(); + } + } + if (ipId != null) { + ICRLIssuingPoint ip = mCA.getCRLIssuingPoint(ipId); + ICMSCRLExtensions crlExts = ip.getCRLExtensions(); + name = crlExts.getClassPath(implName); + } + if (name != null) { + impl = getClassByNameAsExtendedPluginInfo(name); + } + if (impl != null) { + if (impl instanceof IExtendedPluginInfo) { + ext_info = (IExtendedPluginInfo) impl; + } + } + + NameValuePairs nvps = null; + + if (ext_info == null) { + nvps = new NameValuePairs(); + } else { + nvps = 
 convertStringArrayToNVPairs(ext_info.getExtendedPluginInfo(locale));
+ }
+
+ return nvps;
+ }
+
+ /**
+ * Set CRL configuration
+ *

+ *
+ *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE used when configuring CRL profile (extensions,
+ * frequency, CRL format)
+ *
+ *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException an error has occurred
+ */
+ private void setCRLConfig(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException, EBaseException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ NameValuePairs params = new NameValuePairs();
+
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null || id.length() <= 0 ||
+ id.equals(Constants.RS_ID_CONFIG)) {
+ id = ICertificateAuthority.PROP_MASTER_CRL;
+ }
+ ICRLIssuingPoint ip = mCA.getCRLIssuingPoint(id);
+
+ //Save New Settings to the config file
+ IConfigStore config = mCA.getConfigStore();
+ IConfigStore crlsSubStore = config.getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE);
+ IConfigStore crlSubStore = crlsSubStore.getSubStore(id);
+
+ //set reset of the parameters
+ @SuppressWarnings("unchecked")
+ Enumeration e = req.getParameterNames();
+
+ while (e.hasMoreElements()) {
+ String name = e.nextElement();
+
+ if (name.equals(Constants.OP_TYPE))
+ continue;
+ if (name.equals(Constants.RS_ID))
+ continue;
+ if (name.equals(Constants.OP_SCOPE))
+ continue;
+ if (name.equals(Constants.PR_ENABLE))
+ continue;
+ String value = req.getParameter(name);
+
+ params.put(name, value);
+ crlSubStore.putString(name, value);
+ }
+ boolean noRestart = ip.updateConfig(params);
+
+ commit(true);
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ if (noRestart)
+ sendResponse(SUCCESS, null, null, resp);
+ else
+ sendResponse(RESTART, null, null, resp);
+ } catch
(EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ private void getCRLConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null || id.length() <= 0 ||
+ id.equals(Constants.RS_ID_CONFIG)) {
+ id = ICertificateAuthority.PROP_MASTER_CRL;
+ }
+ IConfigStore crlsSubStore =
+ mCA.getConfigStore().getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE);
+ IConfigStore crlSubStore = crlsSubStore.getSubStore(id);
+
+ @SuppressWarnings("unchecked")
+ Enumeration e = req.getParameterNames();
+
+ while (e.hasMoreElements()) {
+ String name = e.nextElement();
+
+ if (name.equals(Constants.OP_TYPE))
+ continue;
+ if (name.equals(Constants.RS_ID))
+ continue;
+ if (name.equals(Constants.OP_SCOPE))
+ continue;
+ if (name.equals(Constants.PR_ENABLE))
+ continue;
+ params.put(name, crlSubStore.getString(name, ""));
+ }
+
+ getSigningAlgConfig(params);
+
sendResponse(SUCCESS, null, params, resp);
+ }
+
+ private void getConnectorConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ IConfigStore caConfig = mCA.getConfigStore();
+ IConfigStore connectorConfig = caConfig.getSubStore("connector");
+ IConfigStore caConnectorConfig = null;
+
+ if (isKRAConnector(req)) {
+ caConnectorConfig = connectorConfig.getSubStore("KRA");
+ } else if (isCLAConnector(req)) {
+ caConnectorConfig = connectorConfig.getSubStore("CLA");
+ }
+
+ @SuppressWarnings("unchecked")
+ Enumeration enum1 = req.getParameterNames();
+ NameValuePairs params = new NameValuePairs();
+
+ if (caConnectorConfig != null) {
+ while (enum1.hasMoreElements()) {
+ String name = enum1.nextElement();
+
+ if (name.equals(Constants.RS_ID))
+ continue;
+ if (name.equals(Constants.OP_SCOPE))
+ continue;
+ if (name.equals(Constants.OP_TYPE))
+ continue;
+
+ params.put(name, caConnectorConfig.getString(name, ""));
+ }
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ private void setConnectorConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ IConfigStore caConfig = mCA.getConfigStore();
+ IConfigStore connectorConfig = caConfig.getSubStore("connector");
+ IConfigStore caConnectorConfig = null;
+
+ // String nickname = CMS.getServerCertNickname();
+
+ if (isKRAConnector(req)) {
+ caConnectorConfig = connectorConfig.getSubStore("KRA");
+ } else if (isCLAConnector(req)) {
+ caConnectorConfig = connectorConfig.getSubStore("CLA");
+ }
+
+ @SuppressWarnings("unchecked")
+ Enumeration enum1 = req.getParameterNames();
+
+ if (caConnectorConfig != null) {
+ while (enum1.hasMoreElements()) {
+ String name = enum1.nextElement();
+
+ if (name.equals(Constants.OP_TYPE))
+ continue;
+ if (name.equals(Constants.RS_ID))
+ continue;
+ if (name.equals(Constants.OP_SCOPE))
+ continue;
+ /*
+ if (name.equals("nickName")) {
+
 caConnectorConfig.putString(name, nickname);
+ continue;
+ }
+ */
+ if (name.equals("host")) {
+ try {
+ Utils.checkHost(req.getParameter("host"));
+ } catch (UnknownHostException e) {
+ sendResponse(ERROR, "Unknown Host " + req.getParameter("host"), null, resp);
+ return;
+ }
+ }
+ caConnectorConfig.putString(name, req.getParameter(name));
+ }
+ }
+
+ commit(true);
+ sendResponse(RESTART, null, null, resp);
+ }
+
+ private boolean isKRAConnector(HttpServletRequest req) {
+ @SuppressWarnings("unchecked")
+ Enumeration enum1 = req.getParameterNames();
+
+ while (enum1.hasMoreElements()) {
+ String key = enum1.nextElement();
+
+ if (key.equals("RS_ID")) {
+ String val = req.getParameter(key);
+
+ if (val.equals("Data Recovery Manager Connector"))
+ return true;
+ else
+ return false;
+ }
+ }
+ return false;
+ }
+
+ private boolean isCLAConnector(HttpServletRequest req) {
+ @SuppressWarnings("unchecked")
+ Enumeration enum1 = req.getParameterNames();
+
+ while (enum1.hasMoreElements()) {
+ String key = enum1.nextElement();
+
+ if (key.equals("RS_ID")) {
+ String val = req.getParameter(key);
+
+ if (val.equals("Clone Master Manager Connector"))
+ return true;
+ else
+ return false;
+ }
+ }
+ return false;
+ }
+
+ private void getGeneralConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ String value = "false";
+
+ /*
+ ISubsystem eeGateway =
+ SubsystemRegistry.getInstance().get("eeGateway");
+ if (eeGateway != null) {
+ IConfigStore eeConfig = eeGateway.getConfigStore();
+ if (eeConfig != null)
+ value = eeConfig.getString("enabled", "true");
+ String ocspValue = "true";
+ ocspValue = eeConfig.getString("enableOCSP", "true");
+ params.add(Constants.PR_OCSP_ENABLED, ocspValue);
+ }
+ params.add(Constants.PR_EE_ENABLED, value);
+ */
+
+ IConfigStore caConfig = mCA.getConfigStore();
+
+ value =
caConfig.getString(ICertificateAuthority.PROP_ENABLE_PAST_CATIME, "false");
+ params.put(Constants.PR_VALIDITY, value);
+
+ getSigningAlgConfig(params);
+ getSerialConfig(params);
+ getMaxSerialConfig(params);
+
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ private void getSigningAlgConfig(NameValuePairs params) {
+ params.put(Constants.PR_DEFAULT_ALGORITHM,
+ mCA.getDefaultAlgorithm());
+ String[] algorithms = mCA.getCASigningAlgorithms();
+ StringBuffer algorStr = new StringBuffer();
+
+ for (int i = 0; i < algorithms.length; i++) {
+ if (i == 0)
+ algorStr.append(algorithms[i]);
+ else {
+ algorStr.append(":");
+ algorStr.append(algorithms[i]);
+ }
+ }
+ params.put(Constants.PR_ALL_ALGORITHMS, algorStr.toString());
+ }
+
+ private void getSerialConfig(NameValuePairs params) {
+ params.put(Constants.PR_SERIAL,
+ mCA.getStartSerial());
+ }
+
+ private void getMaxSerialConfig(NameValuePairs params) {
+ params.put(Constants.PR_MAXSERIAL,
+ mCA.getMaxSerial());
+ }
+
+ private void setGeneralConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ /*
+ ISubsystem eeGateway =
+ SubsystemRegistry.getInstance().get("eeGateway");
+ */
+
+ @SuppressWarnings("unchecked")
+ Enumeration enum1 = req.getParameterNames();
+ boolean restart = false;
+
+ //mCA.setMaxSerial("");
+ while (enum1.hasMoreElements()) {
+ String key = enum1.nextElement();
+ String value = req.getParameter(key);
+
+ if (key.equals(Constants.PR_EE_ENABLED)) {
+
+ /*
+ if (eeConfig != null) {
+ if (((EEGateway)eeGateway).isEnabled() &&
+ value.equals("false") ||
+ !((EEGateway)eeGateway).isEnabled() &&
+ value.equals("true")) {
+ restart=true;;
+ }
+ eeConfig.putString("enabled", value);
+ }
+ */
+ } else if (key.equals(Constants.PR_VALIDITY)) {
+ mCA.setValidity(value);
+ } else if (key.equals(Constants.PR_DEFAULT_ALGORITHM)) {
+ mCA.setDefaultAlgorithm(value);
+ } else if (key.equals(Constants.PR_SERIAL)) {
+ mCA.setStartSerial(value);
+ } else if (key.equals(Constants.PR_MAXSERIAL)) {
+ mCA.setMaxSerial(value);
+ }
+ }
+
+ commit(true);
+ if (restart)
+ sendResponse(RESTART, null, null, resp);
+ else
+ sendResponse(SUCCESS, null, null, resp);
+ }
+
+ private void log(int level, String msg) {
+ if (mLogger == null)
+ return;
+ mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_OTHER,
+ level, "CAAdminServlet: " + msg);
+ }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
new file mode 100644
index 000000000..3a2ae0a11
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
@@ -0,0 +1,3449 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.PrintStream;
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.StringTokenizer;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.PQGParams;
+import org.mozilla.jss.crypto.SignatureAlgorithm;
+import org.mozilla.jss.crypto.X509Certificate;
+import org.mozilla.jss.util.ConsolePasswordCallback;
+import
org.mozilla.jss.util.PasswordCallback;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.cert.ICrossCertPairSubsystem;
+import com.netscape.certsrv.common.ConfigConstants;
+import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.common.OpDef;
+import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.dbs.certdb.ICertRecord;
+import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.ocsp.IOCSPAuthority;
+import com.netscape.certsrv.ra.IRegistrationAuthority;
+import com.netscape.certsrv.security.ICryptoSubsystem;
+import com.netscape.certsrv.security.ISigningUnit;
+import com.netscape.certsrv.security.KeyCertData;
+import com.netscape.certsrv.selftests.EMissingSelfTestException;
+import com.netscape.certsrv.selftests.ESelfTestException;
+import com.netscape.certsrv.selftests.ISelfTest;
+import com.netscape.certsrv.selftests.ISelfTestSubsystem;
+import com.netscape.certsrv.tks.ITKSAuthority;
+import com.netscape.cmsutil.util.Cert;
+import com.netscape.cmsutil.util.Utils;
+import com.netscape.symkey.SessionKey;
+
+/**
+ * A class representings an administration servlet. This
+ * servlet is responsible to serve Certificate Server
+ * level administrative operations such as configuration
+ * parameter updates.
+ *
+ * @version $Revision$, $Date$
+ */
+public final class CMSAdminServlet extends AdminServlet {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 714370238027440050L;
+ private final static String INFO = "CMSAdminServlet";
+ private final static String BEGIN_HEADER = "-----BEGIN CERTIFICATE-----";
+ private final static String END_HEADER = "-----END CERTIFICATE-----";
+
+ private final static String PROP_DB = "dbs";
+ private final static String PROP_SMTP = "smtp";
+ private final static String PROP_RADM = "radm";
+ private final static String PROP_GATEWAY = "cmsgateway";
+ private final static String PROP_INTERNAL_DB = "internaldb";
+
+ private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+ private final static byte EOL[] = { Character.LINE_SEPARATOR };
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION =
+ "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3";
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY =
+ "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3";
+ private final static String LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC =
+ "LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3";
+ private final static String LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION =
+ "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2";
+ private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION =
+ "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3";
+
+ // CMS must be instantiated before this admin servlet.
+
+ /**
+ * Constructs CA servlet.
+ */
+ public CMSAdminServlet() {
+ super();
+ }
+
+ /**
+ * Initializes this servlet.
+ */
+ public void init(ServletConfig config) throws ServletException {
+ super.init(config);
+ }
+
+ /**
+ * Returns serlvet information.
+ */
+ public String getServletInfo() {
+ return INFO;
+ }
+
+ /**
+ * Serves HTTP request.
+ */
+ public void service(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException {
+ super.service(req, resp);
+ try {
+ super.authenticate(req);
+ } catch (IOException e) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHS_FAILED"),
+ null, resp);
+ return;
+ }
+
+ String scope = req.getParameter(Constants.OP_SCOPE);
+ String op = req.getParameter(Constants.OP_TYPE);
+
+ try {
+ AUTHZ_RES_NAME = "certServer.general.configuration";
+ if (scope.equals(ScopeDef.SC_PLATFORM)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ getEnv(req, resp);
+ return;
+ }
+ if (op.equals(OpDef.OP_READ)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_LDAP))
+ getDBConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_SMTP))
+ readSMTPConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_STAT))
+ readStat(req, resp);
+ else if (scope.equals(ScopeDef.SC_ENCRYPTION))
+ readEncryption(req, resp);
+ else if (scope.equals(ScopeDef.SC_TOKEN))
+ getAllTokenNames(req, resp);
+ else if (scope.equals(ScopeDef.SC_SUBJECT_NAME))
+ getSubjectName(req, resp);
+ else if (scope.equals(ScopeDef.SC_GET_NICKNAMES))
+ getAllNicknames(req, resp);
+ else if (scope.equals(ScopeDef.SC_CERT_PRETTY_PRINT))
+ getCertPrettyPrint(req, resp);
+ } else if (op.equals(OpDef.OP_MODIFY)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_LDAP))
+ setDBConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_SMTP))
+ modifySMTPConfig(req, resp);
+ else if
(scope.equals(ScopeDef.SC_TASKS))
+ performTasks(req, resp);
+ else if (scope.equals(ScopeDef.SC_ENCRYPTION))
+ modifyEncryption(req, resp);
+ else if (scope.equals(ScopeDef.SC_ISSUE_IMPORT_CERT))
+ issueImportCert(req, resp);
+ else if (scope.equals(ScopeDef.SC_INSTALL_CERT))
+ installCert(req, resp);
+ else if (scope.equals(ScopeDef.SC_IMPORT_CROSS_CERT))
+ importXCert(req, resp);
+ else if (scope.equals(ScopeDef.SC_DELETE_CERTS))
+ deleteCerts(req, resp);
+ else if (scope.equals(ScopeDef.SC_TRUST))
+ trustCACert(req, resp);
+ else if (scope.equals(ScopeDef.SC_TOKEN_LOGON))
+ loggedInToken(req, resp);
+ else if (scope.equals(ScopeDef.SC_ROOTCERT_TRUSTBIT))
+ setRootCertTrust(req, resp);
+ } else if (op.equals(OpDef.OP_SEARCH)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_SUBSYSTEM))
+ readSubsystem(req, resp);
+ else if (scope.equals(ScopeDef.SC_CA_CERTLIST))
+ getCACerts(req, resp);
+ else if (scope.equals(ScopeDef.SC_ALL_CERTLIST))
+ getAllCertsManage(req, resp);
+ else if (scope.equals(ScopeDef.SC_USERCERTSLIST))
+ getUserCerts(req, resp);
+ else if (scope.equals(ScopeDef.SC_TKSKEYSLIST))
+ getTKSKeys(req, resp);
+ else if (scope.equals(ScopeDef.SC_TOKEN))
+ getAllTokenNames(req, resp);
+ else if (scope.equals(ScopeDef.SC_ROOTCERTSLIST))
+ getRootCerts(req, resp);
+ } else if (op.equals(OpDef.OP_DELETE)) {
+ mOp = "delete";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_ROOTCERTSLIST)) {
+ deleteRootCert(req, resp);
+ } else if (scope.equals(ScopeDef.SC_USERCERTSLIST)) {
+ deleteUserCert(req, resp);
+ }
+ } else if (op.equals(OpDef.OP_PROCESS)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+
CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_CERT_REQUEST))
+ getCertRequest(req, resp);
+ else if (scope.equals(ScopeDef.SC_SUBJECT_NAME))
+ processSubjectName(req, resp);
+ else if (scope.equals(ScopeDef.SC_CERTINFO))
+ getCertInfo(req, resp);
+ else if (scope.equals(ScopeDef.SC_CERT_PRETTY_PRINT))
+ getCertPrettyPrint(req, resp);
+ else if (scope.equals(ScopeDef.SC_ROOTCERT_TRUSTBIT))
+ getRootCertTrustBit(req, resp);
+ else if (scope.equals(ScopeDef.SC_TOKEN_STATUS))
+ checkTokenStatus(req, resp);
+ else if (scope.equals(ScopeDef.SC_SELFTESTS))
+ runSelfTestsOnDemand(req, resp);
+ else if (scope.equals(ScopeDef.SC_TKSKEYSLIST))
+ createMasterKey(req, resp);
+ } else if (op.equals(OpDef.OP_VALIDATE)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_SUBJECT_NAME))
+ validateSubjectName(req, resp);
+ else if (scope.equals(ScopeDef.SC_KEY_LENGTH))
+ validateKeyLength(req, resp);
+ else if (scope.equals(ScopeDef.SC_CERTIFICATE_EXTENSION))
+ validateCertExtension(req, resp);
+ else if (scope.equals(ScopeDef.SC_KEY_CURVENAME))
+ validateCurveName(req, resp);
+ }
+ } catch (EBaseException e) {
+ sendResponse(ERROR, e.toString(getLocale(req)),
+ null, resp);
+ return;
+ } catch (Exception e) {
+ StringWriter sw = new StringWriter();
+
+ e.printStackTrace(new PrintWriter(sw));
+
+ sendResponse(1, "operation failure", null, resp);
+ return;
+ }
+ }
+
+ private void getEnv(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+
+ if (File.separator.equals("\\"))
+ params.put(Constants.PR_NT, Constants.TRUE);
+ else
+ params.put(Constants.PR_NT, Constants.FALSE);
+
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+
private void getAllTokenNames(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+ NameValuePairs params = new NameValuePairs();
+
+ params.put(Constants.PR_TOKEN_LIST, jssSubSystem.getTokenList());
+
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ private void getAllNicknames(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+
+ params.put(Constants.PR_ALL_NICKNAMES, jssSubSystem.getAllCerts());
+
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ private boolean isSubsystemInstalled(String subsystem) {
+ Enumeration e = CMS.getSubsystems();
+
+ while (e.hasMoreElements()) {
+ ISubsystem sys = (ISubsystem) e.nextElement();
+
+ //get subsystem type
+ if ((sys instanceof IKeyRecoveryAuthority) &&
+ subsystem.equals("kra"))
+ return true;
+ else if ((sys instanceof IRegistrationAuthority) &&
+ subsystem.equals("ra"))
+ return true;
+ else if ((sys instanceof ICertificateAuthority) &&
+ subsystem.equals("ca"))
+ return true;
+ else if ((sys instanceof IOCSPAuthority) &&
+ subsystem.equals("ocsp"))
+ return true;
+ }
+
+ return false;
+ }
+
+ private void readEncryption(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ Enumeration e = CMS.getSubsystems();
+ boolean isCAInstalled = false;
+ boolean isRAInstalled = false;
+ boolean isKRAInstalled = false;
+
+ while (e.hasMoreElements()) {
+ ISubsystem sys = (ISubsystem) e.nextElement();
+
+ //get subsystem type
+ if (sys instanceof IKeyRecoveryAuthority)
+ isKRAInstalled = true;
+ else if (sys instanceof IRegistrationAuthority)
+ isRAInstalled = true;
+ else if (sys instanceof ICertificateAuthority)
+ isCAInstalled = true;
+
+ }
+
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+ String caTokenName = "";
+
+ NameValuePairs params = new NameValuePairs();
+
+ params.put(Constants.PR_CIPHER_VERSION,
+ jssSubSystem.getCipherVersion());
+ params.put(Constants.PR_CIPHER_FORTEZZA, jssSubSystem.isCipherFortezza());
+ params.put(Constants.PR_CIPHER_PREF, jssSubSystem.getCipherPreferences());
+
+ String tokenList = jssSubSystem.getTokenList();
+
+ String tokenNewList = "";
+ StringTokenizer tokenizer = new StringTokenizer(tokenList, ",");
+
+ while (tokenizer.hasMoreElements()) {
+ String tokenName = (String) tokenizer.nextElement();
+ String certs = jssSubSystem.getCertListWithoutTokenName(tokenName);
+
+ if (certs.equals(""))
+ continue;
+ if (tokenNewList.equals(""))
+ tokenNewList = tokenNewList + tokenName;
+ else
+ tokenNewList = tokenNewList + "," + tokenName;
+ tokenName = escapeString(tokenName);
+ params.put(Constants.PR_TOKEN_PREFIX + tokenName, certs);
+ }
+
+ params.put(Constants.PR_TOKEN_LIST, tokenNewList);
+
+ if (isCAInstalled) {
+ ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+ ISigningUnit signingUnit = ca.getSigningUnit();
+
+ caTokenName = signingUnit.getTokenName();
+
+ if (caTokenName.equals(jssSubSystem.getInternalTokenName()))
+ caTokenName = Constants.PR_INTERNAL_TOKEN;
+
+ String caNickName = signingUnit.getNickname();
+
+ //params.add(Constants.PR_CERT_CA, caTokenName+","+caNickName);
+ params.put(Constants.PR_CERT_CA, getCertNickname(caNickName));
+ }
+
+ if (isRAInstalled) {
+ IRegistrationAuthority ra = (IRegistrationAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_RA);
+ String raNickname = ra.getNickname();
+
+ params.put(Constants.PR_CERT_RA, getCertNickname(raNickname));
+ }
+
+ if (isKRAInstalled) {
+ IKeyRecoveryAuthority kra = (IKeyRecoveryAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_KRA);
+ String kraNickname = kra.getNickname();
+
+
params.put(Constants.PR_CERT_TRANS, getCertNickname(kraNickname));
+ }
+
+ String nickName = CMS.getServerCertNickname();
+
+ params.put(Constants.PR_CERT_SERVER, getCertNickname(nickName));
+
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ private String escapeString(String name) {
+ StringTokenizer tokenizer = new StringTokenizer(name, " ");
+ StringBuffer tokenname = new StringBuffer();
+
+ if (tokenizer.countTokens() == 1)
+ return name;
+ while (tokenizer.hasMoreElements()) {
+ if (tokenizer.countTokens() == 1)
+ tokenname.append((String) tokenizer.nextElement());
+ else {
+ tokenname.append((String) tokenizer.nextElement());
+ tokenname.append("%20");
+ }
+ }
+
+ return tokenname.toString();
+ }
+
+ private String getCertNickname(String nickName) {
+ if (!nickName.equals("")) {
+ StringTokenizer tokenizer = new StringTokenizer(nickName, ":");
+ String tokenName = "";
+
+ if (tokenizer.countTokens() > 1) {
+ tokenName = (String) tokenizer.nextElement();
+ } else {
+ tokenName = Constants.PR_INTERNAL_TOKEN;
+ }
+ return tokenName + "," + ((String) tokenizer.nextElement());
+ }
+ return "";
+ }
+
+ /**
+ * Modify encryption configuration
+ *

+ *
+ *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION used when configuring encryption (cert settings and SSL
+ * cipher preferences)
+ *
+ *
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException failed to modify encryption configuration
+ */
+ private void modifyEncryption(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ @SuppressWarnings("unchecked")
+ Enumeration enum1 = req.getParameterNames();
+ NameValuePairs params = new NameValuePairs();
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+
+ jssSubSystem.getInternalTokenName();
+ Enumeration e = CMS.getSubsystems();
+ boolean isCAInstalled = false;
+ boolean isRAInstalled = false;
+ boolean isKRAInstalled = false;
+
+ while (e.hasMoreElements()) {
+ ISubsystem sys = (ISubsystem) e.nextElement();
+
+ //get subsystem type
+ if (sys instanceof IKeyRecoveryAuthority)
+ isKRAInstalled = true;
+ else if (sys instanceof IRegistrationAuthority)
+ isRAInstalled = true;
+ else if (sys instanceof ICertificateAuthority)
+ isCAInstalled = true;
+ }
+
+ ICertificateAuthority ca = null;
+ IRegistrationAuthority ra = null;
+ IKeyRecoveryAuthority kra = null;
+
+ if (isCAInstalled)
+ ca = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+ if (isRAInstalled)
+ ra = (IRegistrationAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_RA);
+ if (isKRAInstalled)
+ kra = (IKeyRecoveryAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_KRA);
+
+ boolean isCACert = true;
+
+ while (enum1.hasMoreElements()) {
+ String name = (String) enum1.nextElement();
+ String val = req.getParameter(name);
+
+ if (name.equals(Constants.PR_CIPHER_PREF)) {
+ jssSubSystem.setCipherPreferences(val);
+ } else if (name.equals(Constants.PR_CERT_CA)) {
+ ISigningUnit signingUnit = ca.getSigningUnit();
+
+ if
((val != null) && (!val.equals(""))) {
+ StringTokenizer tokenizer = new StringTokenizer(val, ",");
+
+ if (tokenizer.countTokens() != 2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new EBaseException(CMS.getLogMessage("BASE_INVALID_UI_INFO"));
+ }
+
+ String tokenName = (String) tokenizer.nextElement();
+ String nickName = (String) tokenizer.nextElement();
+
+ if (tokenName.equals(Constants.PR_INTERNAL_TOKEN)) {
+ tokenName = jssSubSystem.getInternalTokenName();
+ } else {
+ nickName = tokenName + ":" + nickName;
+ }
+
+ isCACert = jssSubSystem.isCACert(nickName);
+ if (isCACert) {
+ signingUnit.updateConfig(nickName, tokenName);
+ } else
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new EBaseException(CMS.getLogMessage("BASE_NOT_CA_CERT"));
+ }
+ } else if (name.equals(Constants.PR_CERT_RA)) {
+ if ((val != null) && (!val.equals(""))) {
+ String nickName = getCertConfigNickname(val);
+
+ ra.setNickname(nickName);
+ }
+ } else if (name.equals(Constants.PR_CERT_TRANS)) {
+ if ((val != null) && (!val.equals(""))) {
+ String nickName = getCertConfigNickname(val);
+
+ kra.setNickname(nickName);
+ }
+ } else if (name.equals(Constants.PR_CERT_SERVER)) {
+ if ((val != null) && (!val.equals(""))) {
+ String nickName = getCertConfigNickname(val);
+
+ modifyRADMCert(nickName);
+ modifyAgentGatewayCert(nickName);
+ if (isRAInstalled)
+ modifyEEGatewayCert(ra, nickName);
+ if (isCAInstalled)
+ modifyCAGatewayCert(ca, nickName);
+ }
+ }
+ }
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+
audit(auditMessage);
+
+ sendResponse(RESTART, null, params, resp);
+ mConfig.commit(true);
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ private String getCertConfigNickname(String val) throws EBaseException {
+ StringTokenizer tokenizer = new StringTokenizer(val, ",");
+
+ if (tokenizer.countTokens() != 2) {
+ throw new EBaseException(CMS.getLogMessage("BASE_INVALID_UI_INFO"));
+ }
+ String tokenName = (String) tokenizer.nextElement();
+
+ if (tokenName.equals(Constants.PR_INTERNAL_TOKEN))
+ tokenName = "";
+ else
+ tokenName = tokenName + ":";
+ return (tokenName + (String) tokenizer.nextElement());
+ }
+
+ private void modifyRADMCert(String nickName) {
+ CMS.setServerCertNickname(nickName);
+
+ /*
+ RemoteAdmin raAdmin = (RemoteAdmin)RemoteAdmin.getInstance();
+ HTTPService httpsService = raAdmin.getHttpsService();
+ httpsService.setNickName(nickName);
+ */
+ }
+
+ private void modifyAgentGatewayCert(String nickName) {
+ CMS.setServerCertNickname(nickName);
+
+ /*
+ AgentGateway gateway =
(AgentGateway)mReg.get(AgentGateway.ID); + HTTPService httpsService = gateway.getHttpsService(); + httpsService.setNickName(nickName); + */ + } + + private void modifyEEGatewayCert(IRegistrationAuthority ra, String nickName) { + CMS.setServerCertNickname(nickName); + + /* + HTTPSubsystem eeGateway = ra.getHTTPSubsystem(); + HTTPService httpsService = eeGateway.getHttpsService(); + httpsService.setNickName(nickName); + */ + } + + private void modifyCAGatewayCert(ICertificateAuthority ca, String nickName) { + CMS.setServerCertNickname(nickName); + + /* + HTTPSubsystem caGateway = ca.getHTTPSubsystem(); + HTTPService httpsService = caGateway.getHttpsService(); + httpsService.setNickName(nickName); + */ + } + + /** + * Performs Server Tasks: RESTART/STOP operation + */ + private void performTasks(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String restart = req.getParameter(Constants.PR_SERVER_RESTART); + String stop = req.getParameter(Constants.PR_SERVER_STOP); + NameValuePairs params = new NameValuePairs(); + + if (restart != null) { + //XXX Uncommented afetr watchdog is implemented + sendResponse(SUCCESS, null, params, resp); + //mServer.restart(); + return; + } + + if (stop != null) { + //XXX Send response first then shutdown + sendResponse(SUCCESS, null, params, resp); + CMS.shutdown(); + return; + } + + sendResponse(ERROR, "Unknown operation", null, resp); + + } + + /** + * Reads subsystems that server has loaded with. 
+ */ + private void readSubsystem(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + Enumeration e = CMS.getSubsystems(); + + while (e.hasMoreElements()) { + String type = ""; + ISubsystem sys = (ISubsystem) e.nextElement(); + + //get subsystem type + if (sys instanceof IKeyRecoveryAuthority) + type = Constants.PR_KRA_INSTANCE; + if (sys instanceof IRegistrationAuthority) + type = Constants.PR_RA_INSTANCE; + if (sys instanceof ICertificateAuthority) + type = Constants.PR_CA_INSTANCE; + if (sys instanceof IOCSPAuthority) + type = Constants.PR_OCSP_INSTANCE; + if (sys instanceof ITKSAuthority) + type = Constants.PR_TKS_INSTANCE; + if (!type.trim().equals("")) + params.put(sys.getId(), type); + } + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Reads server statistics. + */ + private void readStat(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + IConfigStore cs = CMS.getConfigStore(); + try { + String installdate = cs.getString(Constants.PR_STAT_INSTALLDATE, ""); + params.put(Constants.PR_STAT_INSTALLDATE, installdate); + } catch (Exception e) { + } + + try { + String version = cs.getString(Constants.PR_STAT_VERSION, ""); + params.put(Constants.PR_STAT_VERSION, version); + } catch (Exception e) { + } + + try { + String instanceId = cs.getString(Constants.PR_STAT_INSTANCEID, ""); + params.put(Constants.PR_STAT_INSTANCEID, instanceId); + } catch (Exception e) { + } + + params.put(Constants.PR_STAT_STARTUP, + (new Date(CMS.getStartupTime())).toString()); + params.put(Constants.PR_STAT_TIME, + (new Date(System.currentTimeMillis())).toString()); + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Modifies database information. 
+ */ + private void setDBConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + IConfigStore dbConfig = mConfig.getSubStore(PROP_INTERNAL_DB); + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + + if (key.equals(Constants.OP_TYPE)) + continue; + if (key.equals(Constants.RS_ID)) + continue; + if (key.equals(Constants.OP_SCOPE)) + continue; + + dbConfig.putString(key, req.getParameter(key)); + } + + sendResponse(RESTART, null, null, resp); + mConfig.commit(true); + } + + /** + * Create Master Key + */ + private void createMasterKey(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + String newKeyName = null, selectedToken = null; + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.PR_KEY_LIST)) { + newKeyName = req.getParameter(name); + } + if (name.equals(Constants.PR_TOKEN_LIST)) { + selectedToken = req.getParameter(name); + } + + } + if (selectedToken != null && newKeyName != null) { + SessionKey.GenMasterKey(selectedToken, newKeyName); // check for errors + CMS.getConfigStore().putString("tks.defaultSlot", selectedToken); + String masterKeyPrefix = CMS.getConfigStore().getString("tks.master_key_prefix", null); + + SessionKey.SetDefaultPrefix(masterKeyPrefix); + params.put(Constants.PR_KEY_LIST, newKeyName); + params.put(Constants.PR_TOKEN_LIST, selectedToken); + } + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Reads secmod.db + */ + private void getTKSKeys(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + 
@SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.PR_TOKEN_LIST)) { + String selectedToken = req.getParameter(name); + + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + + CryptoToken token = null; + CryptoManager mCryptoManager = null; + try { + mCryptoManager = CryptoManager.getInstance(); + } catch (Exception e2) { + } + + if (!jssSubSystem.isTokenLoggedIn(selectedToken)) { + PasswordCallback cpcb = new ConsolePasswordCallback(); + while (true) { + try { + token = mCryptoManager.getTokenByName(selectedToken); + token.login(cpcb); + break; + } catch (Exception e3) { + //log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_INCORRECT_PWD")); + continue; + } + } + } + // String symKeys = new String("key1,key2"); + String symKeys = SessionKey.ListSymmetricKeys(selectedToken); + params.put(Constants.PR_TOKEN_LIST, symKeys); + + } + } + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Reads database information. + */ + private void getDBConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + IConfigStore dbConfig = mConfig.getSubStore(PROP_DB); + IConfigStore ldapConfig = dbConfig.getSubStore("ldap"); + NameValuePairs params = new NameValuePairs(); + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_SECURE_PORT_ENABLED)) + params.put(name, ldapConfig.getString(name, "Constants.FALSE")); + else + params.put(name, ldapConfig.getString(name, "")); + } + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Modifies SMTP configuration. 
+ */ + private void modifySMTPConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + // XXX + IConfigStore sConfig = mConfig.getSubStore(PROP_SMTP); + + String host = req.getParameter(Constants.PR_SERVER_NAME); + + if (host != null) + sConfig.putString("host", host); + + String port = req.getParameter(Constants.PR_PORT); + + if (port != null) + sConfig.putString("port", port); + + commit(true); + + sendResponse(SUCCESS, null, null, resp); + } + + /** + * Reads SMTP configuration. + */ + private void readSMTPConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + IConfigStore dbConfig = mConfig.getSubStore(PROP_SMTP); + NameValuePairs params = new NameValuePairs(); + + params.put(Constants.PR_SERVER_NAME, + dbConfig.getString("host")); + params.put(Constants.PR_PORT, + dbConfig.getString("port")); + sendResponse(SUCCESS, null, params, resp); + } + + private void loggedInToken(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + String tokenName = ""; + String pwd = ""; + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.PR_TOKEN_NAME)) { + tokenName = value; + } else if (key.equals(Constants.PR_TOKEN_PASSWD)) { + pwd = value; + } + } + + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + + jssSubSystem.loggedInToken(tokenName, pwd); + + /* Do a "PUT" of the new pw to the watchdog" */ + CMS.putPasswordCache(tokenName, pwd); + sendResponse(SUCCESS, null, null, resp); + } + + private void checkTokenStatus(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + @SuppressWarnings("unchecked") + Enumeration enum1 = 
req.getParameterNames(); + String key = ""; + String value = ""; + + while (enum1.hasMoreElements()) { + key = (String) enum1.nextElement(); + value = req.getParameter(key); + if (key.equals(Constants.PR_TOKEN_NAME)) { + break; + } + } + + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + boolean status = jssSubSystem.isTokenLoggedIn(value); + + NameValuePairs params = new NameValuePairs(); + + params.put(Constants.PR_LOGGED_IN, "" + status); + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Retrieve a certificate request + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC used when asymmetric keys are generated + *
+ * + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException failed to retrieve certificate request + */ + private void getCertRequest(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditPublicKey = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + String tokenName = Constants.PR_INTERNAL_TOKEN_NAME; + String keyType = ""; + int keyLength = 512; + String subjectName = ""; + String certType = Constants.PR_CA_SIGNING_CERT; + String dir = ""; + String pathname = ""; + String otherNickname = ""; + String keyCurveName = ""; + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.PR_TOKEN_NAME)) { + if (!value.equals(Constants.PR_INTERNAL_TOKEN)) + tokenName = value; + } else if (key.equals(Constants.PR_KEY_LENGTH)) { + keyLength = Integer.parseInt(value); + } else if (key.equals(Constants.PR_KEY_TYPE)) { + keyType = value; + } else if (key.equals(Constants.RS_ID)) { + certType = value; + } else if (key.equals(Constants.PR_SUBJECT_NAME)) { + subjectName = value; + } else if (key.equals(Constants.PR_NICKNAME)) { + otherNickname = value; + } else if (key.equals(Constants.PR_KEY_CURVENAME)) { + keyCurveName = value; + } + } + + pathname = mConfig.getString("instanceRoot", "") + + File.separator + "conf" + File.separator; + dir = pathname; + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + + KeyPair keypair = null; + PQGParams pqgParams = null; + String nickname = ""; + + 
// other cert and has the existing key + if (certType.equals(Constants.PR_OTHER_CERT) && keyType.equals("")) + nickname = otherNickname; + else if (!certType.equals(Constants.PR_OTHER_CERT)) + nickname = getNickname(certType); + + String nicknameWithoutTokenName = ""; + + if (nickname != null && !nickname.equals("")) { + int index = nickname.indexOf(":"); + + nicknameWithoutTokenName = nickname; + if (index >= 0) + nicknameWithoutTokenName = nickname.substring(index + 1); + } + + if (keyType.equals("")) { + if (nickname.equals("")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, + auditSubjectID, + ILogger.FAILURE, + auditPublicKey); + + audit(auditMessage); + + throw new EBaseException( + CMS.getLogMessage("BASE_CERT_NOT_FOUND")); + } + keypair = jssSubSystem.getKeyPair(nickname); + } else { + if (keyType.equals("ECC")) { + // get ECC keypair + keypair = jssSubSystem.getECCKeyPair(tokenName, keyCurveName, certType); + } else { //DSA or RSA + if (keyType.equals("DSA")) + pqgParams = jssSubSystem.getPQG(keyLength); + keypair = jssSubSystem.getKeyPair(tokenName, keyType, keyLength, pqgParams); + } + } + + // reset the "auditPublicKey" + auditPublicKey = auditPublicKey(keypair); + + if (certType.equals(Constants.PR_CA_SIGNING_CERT)) { + pathname = pathname + File.separator + "cacsr.txt"; + if (!keyType.equals("")) + setCANewnickname(tokenName, nicknameWithoutTokenName); + } else if (certType.equals(Constants.PR_RA_SIGNING_CERT)) { + pathname = pathname + File.separator + "racsr.txt"; + if (!keyType.equals("")) + setRANewnickname(tokenName, nicknameWithoutTokenName); + } else if (certType.equals(Constants.PR_OCSP_SIGNING_CERT)) { + pathname = pathname + File.separator + "ocspcsr.txt"; + if (!keyType.equals("")) + setOCSPNewnickname(tokenName, nicknameWithoutTokenName); + } else if (certType.equals(Constants.PR_KRA_TRANSPORT_CERT)) { + pathname = pathname + File.separator + "kracsr.txt"; 
+ if (!keyType.equals("")) + setKRANewnickname(tokenName, nicknameWithoutTokenName); + } else if (certType.equals(Constants.PR_SERVER_CERT)) { + pathname = pathname + File.separator + "sslcsr.txt"; + if (!keyType.equals("")) + setAgentNewnickname(tokenName, nicknameWithoutTokenName); + } else if (certType.equals(Constants.PR_SERVER_CERT_RADM)) { + pathname = pathname + File.separator + "sslcsrradm.txt"; + if (!keyType.equals("")) + setRADMNewnickname(tokenName, nicknameWithoutTokenName); + } else if (certType.equals(Constants.PR_OTHER_CERT)) { + pathname = pathname + File.separator + "othercsr.txt"; + } + String certReq = jssSubSystem.getCertRequest(subjectName, keypair); + + params.put(Constants.PR_CSR, certReq); + params.put(Constants.PR_CERT_REQUEST_DIR, dir); + PrintStream ps = new PrintStream(new FileOutputStream(pathname)); + + ps.println(certReq); + ps.close(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, + auditSubjectID, + ILogger.SUCCESS, + auditPublicKey); + + audit(auditMessage); + + mConfig.commit(true); + sendResponse(SUCCESS, null, params, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, + auditSubjectID, + ILogger.FAILURE, + auditPublicKey); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, + auditSubjectID, + ILogger.FAILURE, + auditPublicKey); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, + // 
auditSubjectID,
+ // ILogger.FAILURE,
+ // auditPublicKey );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ private void setCANewnickname(String tokenName, String nickname)
+ throws EBaseException {
+ ICertificateAuthority ca = (ICertificateAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+ ISigningUnit signingUnit = ca.getSigningUnit();
+
+ if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME))
+ signingUnit.setNewNickName(nickname);
+ else {
+ if (tokenName.equals("") && nickname.equals(""))
+ signingUnit.setNewNickName("");
+ else
+ signingUnit.setNewNickName(tokenName + ":" + nickname);
+ }
+ }
+
+ private String getCANewnickname() throws EBaseException {
+ ICertificateAuthority ca = (ICertificateAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+ ISigningUnit signingUnit = ca.getSigningUnit();
+
+ return signingUnit.getNewNickName();
+ }
+
+ private void setRANewnickname(String tokenName, String nickname)
+ throws EBaseException {
+ IRegistrationAuthority ra = (IRegistrationAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_RA);
+
+ if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME))
+ ra.setNewNickName(nickname);
+ else {
+ if (tokenName.equals("") && nickname.equals(""))
+ ra.setNewNickName("");
+ else
+ ra.setNewNickName(tokenName + ":" + nickname);
+ }
+ }
+
+ private String getRANewnickname() throws EBaseException {
+ IRegistrationAuthority ra = (IRegistrationAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_RA);
+
+ return ra.getNewNickName();
+ }
+
+ private void setOCSPNewnickname(String tokenName, String nickname)
+ throws EBaseException {
+ IOCSPAuthority ocsp = (IOCSPAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_OCSP);
+
+ if (ocsp != null) {
+ ISigningUnit signingUnit = ocsp.getSigningUnit();
+
+ if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME))
+ signingUnit.setNewNickName(nickname);
+ else {
+ if (tokenName.equals("") && nickname.equals(""))
+
signingUnit.setNewNickName("");
+ else
+ signingUnit.setNewNickName(tokenName + ":" + nickname);
+ }
+ } else {
+ ICertificateAuthority ca = (ICertificateAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+ ISigningUnit signingUnit = ca.getOCSPSigningUnit();
+
+ if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME))
+ signingUnit.setNewNickName(nickname);
+ else {
+ if (tokenName.equals("") && nickname.equals(""))
+ signingUnit.setNewNickName("");
+ else
+ signingUnit.setNewNickName(tokenName + ":" + nickname);
+ }
+ }
+ }
+
+ private String getOCSPNewnickname() throws EBaseException {
+ IOCSPAuthority ocsp = (IOCSPAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_OCSP);
+
+ if (ocsp != null) {
+ ISigningUnit signingUnit = ocsp.getSigningUnit();
+
+ return signingUnit.getNewNickName();
+ } else {
+ ICertificateAuthority ca = (ICertificateAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+ ISigningUnit signingUnit = ca.getOCSPSigningUnit();
+
+ return signingUnit.getNewNickName();
+ }
+ }
+
+ private void setKRANewnickname(String tokenName, String nickname)
+ throws EBaseException {
+ IKeyRecoveryAuthority kra = (IKeyRecoveryAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_KRA);
+
+ if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME))
+ kra.setNewNickName(nickname);
+ else {
+ if (tokenName.equals("") && nickname.equals(""))
+ kra.setNewNickName("");
+ else
+ kra.setNewNickName(tokenName + ":" + nickname);
+ }
+ }
+
+ private String getKRANewnickname() throws EBaseException {
+ IKeyRecoveryAuthority kra = (IKeyRecoveryAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_KRA);
+
+ return kra.getNewNickName();
+ }
+
+ private void setRADMNewnickname(String tokenName, String nickName)
+ throws EBaseException {
+ CMS.setServerCertNickname(tokenName, nickName);
+
+ /*
+ RemoteAdmin raAdmin = (RemoteAdmin)RemoteAdmin.getInstance();
+ HTTPService httpsService = raAdmin.getHttpsService();
+ if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME))
+ httpsService.setNewNickName(nickName);
+ else {
+
if (tokenName.equals("") && nickName.equals(""))
+ httpsService.setNewNickName("");
+ else
+ httpsService.setNewNickName(tokenName+":"+nickName);
+ }
+ */
+ }
+
+ private String getRADMNewnickname()
+ throws EBaseException {
+ // assuming the nickname does not change.
+ return CMS.getServerCertNickname();
+
+ /*
+ RemoteAdmin raAdmin = (RemoteAdmin)RemoteAdmin.getInstance();
+ HTTPService httpsService = raAdmin.getHttpsService();
+ return httpsService.getNewNickName();
+ */
+ }
+
+ private void setAgentNewnickname(String tokenName, String nickName)
+ throws EBaseException {
+ CMS.setServerCertNickname(tokenName, nickName);
+
+ /*
+ AgentGateway gateway = (AgentGateway)mReg.get(AgentGateway.ID);
+ HTTPService httpsService = gateway.getHttpsService();
+ if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME))
+ httpsService.setNewNickName(nickName);
+ else {
+ if (tokenName.equals("") && nickName.equals(""))
+ httpsService.setNewNickName("");
+ else
+ httpsService.setNewNickName(tokenName+":"+nickName);
+ }
+ */
+ }
+
+ private String getAgentNewnickname()
+ throws EBaseException {
+ // assuming the nickname does not change.
+ return CMS.getServerCertNickname();
+
+ /*
+ AgentGateway gateway = (AgentGateway)mReg.get(AgentGateway.ID);
+ HTTPService httpsService = gateway.getHttpsService();
+ return httpsService.getNewNickName();
+ */
+ }
+
+ /**
+ * Issue import certificate
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY used when "Certificate Setup Wizard" is used to + * import CA certs into the certificate database + *
+ * + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException failed to issue an import certificate + */ + private void issueImportCert(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + String tokenName = Constants.PR_INTERNAL_TOKEN_NAME; + String keyType = "RSA"; + KeyCertData properties = new KeyCertData(); + + String newtokenname = null; + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (!key.equals("pathname")) { + if (key.equals(Constants.PR_TOKEN_NAME)) + newtokenname = value; + properties.put(key, value); + } + } + + String certType = (String) properties.get(Constants.RS_ID); + + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + ICertificateRepository repository = + (ICertificateRepository) ca.getCertificateRepository(); + ISigningUnit signingUnit = ca.getSigningUnit(); + String oldtokenname = null; + //this is the old nick name + String nickname = getNickname(certType); + String nicknameWithoutTokenName = ""; + String oldcatokenname = signingUnit.getTokenName(); + String canickname = getNickname(Constants.PR_CA_SIGNING_CERT); + String canicknameWithoutTokenName = ""; + + int index = nickname.indexOf(":"); + + if (index == -1) { + nicknameWithoutTokenName = nickname; + oldtokenname = Constants.PR_INTERNAL_TOKEN_NAME; + } else if (index > 0 && (index < (nickname.length() - 1))) { + nicknameWithoutTokenName = 
nickname.substring(index + 1); + oldtokenname = nickname.substring(0, index); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + throw new EBaseException(CMS.getLogMessage("BASE_CERT_NOT_FOUND")); + } + + if (newtokenname == null) + newtokenname = oldtokenname; + index = canickname.indexOf(":"); + if (index == -1) { + canicknameWithoutTokenName = canickname; + } else if (index > 0 && (index < (canickname.length() - 1))) { + canicknameWithoutTokenName = canickname.substring(index + 1); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + throw new EBaseException(CMS.getLogMessage("BASE_CERT_NOT_FOUND")); + } + + //xxx renew ca ,use old issuer? + properties.setIssuerName( + jssSubSystem.getCertSubjectName(oldcatokenname, + canicknameWithoutTokenName)); + + KeyPair pair = null; + + if (nickname.equals("")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + throw new EBaseException(CMS.getLogMessage("BASE_CERT_NOT_FOUND")); + } + + //xxx set to old nickname? 
+ properties.setCertNickname(nickname); + if (!certType.equals(Constants.PR_CA_SIGNING_CERT)) { + CertificateExtensions exts = jssSubSystem.getExtensions( + oldcatokenname, canicknameWithoutTokenName); + + properties.setCAExtensions(exts); + } + + KeyPair caKeyPair = null; + String defaultSigningAlg = null; + String defaultOCSPSigningAlg = null; + + if (properties.getHashType() != null) { + if (certType.equals(Constants.PR_CA_SIGNING_CERT)) { + defaultSigningAlg = properties.getHashType(); + } + if (certType.equals(Constants.PR_OCSP_SIGNING_CERT)) { + defaultOCSPSigningAlg = properties.getHashType(); + } + } + + // create a new CA certificate or ssl server cert + if (properties.getKeyCurveName() != null) { //new ECC + CMS.debug("CMSAdminServlet: issueImportCert: generating ECC keys"); + pair = jssSubSystem.getECCKeyPair(properties); + if (certType.equals(Constants.PR_CA_SIGNING_CERT)) + caKeyPair = pair; + } else if (properties.getKeyLength() != null) { //new RSA or DSA + keyType = properties.getKeyType(); + String keyLen = properties.getKeyLength(); + + if (keyType.equals("DSA")) { + @SuppressWarnings("unused") + PQGParams pqgParams = + jssSubSystem.getCAPQG(Integer.parseInt(keyLen), mConfig); // check for errors + //properties.put(Constants.PR_PQGPARAMS, pqgParams); + } + pair = jssSubSystem.getKeyPair(properties); + if (certType.equals(Constants.PR_CA_SIGNING_CERT)) + caKeyPair = pair; + // renew the CA certificate or ssl server cert + } else { + pair = jssSubSystem.getKeyPair(nickname); + // should get it from the CA signing certificate + if (certType.equals(Constants.PR_CA_SIGNING_CERT)) { + updateCASignature(nickname, properties, jssSubSystem); + caKeyPair = pair; + defaultSigningAlg = signingUnit.getDefaultAlgorithm(); + } + + /* + String alg = jssSubSystem.getSignatureAlgorithm(nickname); + SignatureAlgorithm sigAlg = SigningUnit.mapAlgorithmToJss(alg); + properties.setSignatureAlgorithm(sigAlg); + properties.setAlgorithmId( + 
jssSubSystem.getAlgorithmId(alg, mConfig)); + */ + } + + String alg = properties.getSignedBy(); + if (!certType.equals(Constants.PR_CA_SIGNING_CERT)) { + caKeyPair = jssSubSystem.getKeyPair(canickname); + updateCASignature(canickname, properties, jssSubSystem); + } else if (alg != null) { + // self signed CA signing cert, new keys + // value provided for signedBy + SignatureAlgorithm sigAlg = Cert.mapAlgorithmToJss(alg); + properties.setSignatureAlgorithm(sigAlg); + properties.setAlgorithmId(jssSubSystem.getAlgorithmId(alg, mConfig)); + } + + if (pair == null) + CMS.debug("CMSAdminServlet: issueImportCert: key pair is null"); + + BigInteger nextSerialNo = repository.getNextSerialNumber(); + + properties.setSerialNumber(nextSerialNo); + properties.setKeyPair(pair); + properties.setConfigFile(mConfig); + // properties.put(Constants.PR_CA_KEYPAIR, pair); + properties.put(Constants.PR_CA_KEYPAIR, caKeyPair); + + X509CertImpl signedCert = + jssSubSystem.getSignedCert(properties, certType, + caKeyPair.getPrivate()); + + if (signedCert == null) + CMS.debug("CMSAdminServlet: issueImportCert: signedCert is null"); + + /* bug 600124 + try { + jssSubSystem.deleteTokenCertificate(nickname, pathname); + } catch (Throwable e) { + //skip it + } + */ + + boolean nicknameChanged = false; + + //xxx import cert with nickname without token name? + //jss adds the token prefix!!! 
+ //log(ILogger.LL_DEBUG,"import as alias"+ nicknameWithoutTokenName); + try { + CMS.debug("CMSAdminServlet: issueImportCert: Importing cert: " + nicknameWithoutTokenName); + jssSubSystem.importCert(signedCert, nicknameWithoutTokenName, + certType); + } catch (EBaseException e) { + // if it fails, let use a different nickname to try + Date now = new Date(); + String newNickname = nicknameWithoutTokenName + + "-" + now.getTime(); + + CMS.debug("CMSAdminServlet: issueImportCert: Importing cert with nickname: " + newNickname); + jssSubSystem.importCert(signedCert, newNickname, + certType); + nicknameWithoutTokenName = newNickname; + nicknameChanged = true; + if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME)) { + nickname = newNickname; + } else { + nickname = tokenName + ":" + newNickname; + } + } + + ICertRecord certRecord = repository.createCertRecord( + signedCert.getSerialNumber(), + signedCert, null); + + repository.addCertificateRecord(certRecord); + + if (certType.equals(Constants.PR_CA_SIGNING_CERT)) { + try { + X509CertInfo certInfo = (X509CertInfo) signedCert.get( + X509CertImpl.NAME + "." 
+ X509CertImpl.INFO); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + + if (extensions != null) { + BasicConstraintsExtension basic = + (BasicConstraintsExtension) + extensions.get(BasicConstraintsExtension.NAME); + + if (basic == null) + log(CMS.getLogMessage("ADMIN_SRVLT_BASIC_CONSTRAIN_NULL")); + else { + Integer pathlen = (Integer) + basic.get(BasicConstraintsExtension.PATH_LEN); + int num = pathlen.intValue(); + + if (num == 0) + ca.setBasicConstraintMaxLen(num); + else if (num > 0) { + num = num - 1; + ca.setBasicConstraintMaxLen(num); + } + } + } else + log(CMS.getLogMessage("ADMIN_SRVLT_CERT_NO_EXT")); + } catch (Exception eee) { + log("CMSAdminServlet: Exception caught: " + eee.toString()); + } + } + + CMS.debug("CMSAdminServlet: oldtoken:" + oldtokenname + + " newtoken:" + newtokenname + " nickname:" + nickname); + if ((newtokenname != null && + !newtokenname.equals(oldtokenname)) || nicknameChanged) { + if (certType.equals(Constants.PR_CA_SIGNING_CERT)) { + if (newtokenname.equals(Constants.PR_INTERNAL_TOKEN_NAME)) { + signingUnit.updateConfig(nicknameWithoutTokenName, + newtokenname); + } else { + signingUnit.updateConfig(newtokenname + ":" + + nicknameWithoutTokenName, + newtokenname); + } + } else if (certType.equals(Constants.PR_SERVER_CERT)) { + if (newtokenname.equals(Constants.PR_INTERNAL_TOKEN_NAME)) { + nickname = nicknameWithoutTokenName; + } else { + nickname = newtokenname + ":" + + nicknameWithoutTokenName; + } + + //setRADMNewnickname("",""); + //modifyRADMCert(nickname); + modifyAgentGatewayCert(nickname); + if (isSubsystemInstalled("ra")) { + IRegistrationAuthority ra = + (IRegistrationAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_RA); + + modifyEEGatewayCert(ra, nickname); + } + if (isSubsystemInstalled("ca")) { + modifyCAGatewayCert(ca, nickname); + } + } else if (certType.equals(Constants.PR_SERVER_CERT_RADM)) { + if (newtokenname.equals(Constants.PR_INTERNAL_TOKEN_NAME)) { + 
nickname = nicknameWithoutTokenName; + } else { + nickname = newtokenname + ":" + + nicknameWithoutTokenName; + } + + modifyRADMCert(nickname); + } else if (certType.equals(Constants.PR_OCSP_SIGNING_CERT)) { + if (ca != null) { + ISigningUnit ocspSigningUnit = ca.getOCSPSigningUnit(); + + if (newtokenname.equals(Constants.PR_INTERNAL_TOKEN_NAME)) { + ocspSigningUnit.updateConfig( + nicknameWithoutTokenName, newtokenname); + } else { + ocspSigningUnit.updateConfig(newtokenname + ":" + + nicknameWithoutTokenName, + newtokenname); + } + } + } + } + + // set signing algorithms if needed + if (certType.equals(Constants.PR_CA_SIGNING_CERT)) + signingUnit.setDefaultAlgorithm(defaultSigningAlg); + + if (defaultOCSPSigningAlg != null) { + ISigningUnit ocspSigningUnit = ca.getOCSPSigningUnit(); + ocspSigningUnit.setDefaultAlgorithm(defaultOCSPSigningAlg); + } + + properties.clear(); + properties = null; + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + mConfig.commit(true); + sendResponse(SUCCESS, null, null, resp); + } catch (EBaseException eAudit1) { + CMS.debug("CMSAdminServlet: issueImportCert: EBaseException thrown: " + eAudit1.toString()); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + CMS.debug("CMSAdminServlet: issueImportCert: IOException thrown: " + eAudit2.toString()); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific 
exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + private void updateCASignature(String nickname, KeyCertData properties, + ICryptoSubsystem jssSubSystem) throws EBaseException { + String alg = jssSubSystem.getSignatureAlgorithm(nickname); + SignatureAlgorithm sigAlg = Cert.mapAlgorithmToJss(alg); + + properties.setSignatureAlgorithm(sigAlg); + properties.setAlgorithmId( + jssSubSystem.getAlgorithmId(alg, mConfig)); + } + + /** + * Install certificates + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY used when "Certificate Setup Wizard" is used to + * import CA certs into the certificate database + *
+ * + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException failed to install a certificate + */ + private void installCert(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String tokenName = Constants.PR_INTERNAL_TOKEN_NAME; + String pkcs = ""; + String certType = ""; + String nickname = ""; + String pathname = ""; + String serverRoot = ""; + String serverID = ""; + String certpath = ""; + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.PR_PKCS10)) + pkcs = value; + else if (key.equals(Constants.RS_ID)) + certType = value; + else if (key.equals(Constants.PR_NICKNAME)) + nickname = value; + else if (key.equals("pathname")) + pathname = value; + else if (key.equals(Constants.PR_SERVER_ROOT)) + serverRoot = value; + else if (key.equals(Constants.PR_SERVER_ID)) + serverID = value; + else if (key.equals(Constants.PR_CERT_FILEPATH)) + certpath = value; + } + + try { + if (pkcs == null || pkcs.equals("")) { + if (certpath == null || certpath.equals("")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + EBaseException ex = new EBaseException( + CMS.getLogMessage("BASE_INVALID_FILE_PATH")); + + throw ex; + } else { + FileInputStream in = new FileInputStream(certpath); + BufferedReader d = + new BufferedReader(new InputStreamReader(in)); + String content = ""; + + pkcs = ""; + 
StringBuffer sb = new StringBuffer(); + while ((content = d.readLine()) != null) { + sb.append(content); + sb.append("\n"); + } + + pkcs = sb.toString(); + if (d != null) { + d.close(); + } + pkcs = pkcs.substring(0, pkcs.length() - 1); + } + } + } catch (IOException ee) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + throw new EBaseException( + CMS.getLogMessage("BASE_OPEN_FILE_FAILED")); + } + + pkcs = pkcs.trim(); + pathname = serverRoot + File.separator + serverID + + File.separator + "config" + File.separator + pathname; + + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + //String nickname = getNickname(certType); + String nicknameWithoutTokenName = ""; + + int index = nickname.indexOf(":"); + + if (index == -1) + nicknameWithoutTokenName = nickname; + else if (index > 0 && (index < (nickname.length() - 1))) { + tokenName = nickname.substring(0, index); + nicknameWithoutTokenName = nickname.substring(index + 1); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + throw new EBaseException( + CMS.getLogMessage("BASE_CERT_NOT_FOUND")); + } + + /* + if (certType.equals(Constants.PR_CA_SIGNING_CERT) || + certType.equals(Constants.PR_RA_SIGNING_CERT) || + certType.equals(Constants.PR_OCSP_SIGNING_CERT) || + certType.equals(Constants.PR_KRA_TRANSPORT_CERT) || + certType.equals(Constants.PR_SERVER_CERT) || + certType.equals(Constants.PR_SERVER_CERT_RADM)) { + String oldnickname = getNickname(certType); + try { + jssSubsystem.deleteTokenCertificate(oldnickname, + pathname); + //jssSubsystem.deleteTokenCertificate(nickname, + pathname); + } catch (EBaseException e) { + // 
skip it + } + } else { + try { + jssSubsystem.deleteTokenCertificate(nickname, pathname); + } catch (EBaseException e) { + // skip it + } + } + */ + + // 600124 - renewal of SSL crash the server + // we now do not delete previously installed certificates. + + // Same Subject | Same Nickname | Same Key | Legal + // ----------------------------------------------------------- + // 1. Yes Yes No Yes + // 2. Yes Yes Yes Yes + // 3. No No Yes Yes + // 4. No No No Yes + // 5. No Yes Yes No + // 6. No Yes No No + // 7. Yes No Yes No + // 8. Yes No No No + + // Based on above table, the following cases are permitted: + // Existing Key: + // (a) Same Subject & Same Nickname --- (2) + // (b) Different Subject & Different Nickname --- (3) + // (In order to support Case b., we need to use a different + // nickname). + // New Key: + // (c) Same Subject & Same Nickname --- (1) + // (d) Different Subject & Different Nickname --- (4) + // (In order to support Case b., we need to use a different + // nickname). 
+ // + + CMS.debug("CMSAdminServlet.installCert(): About to try jssSubSystem.importCert: " + + nicknameWithoutTokenName); + try { + jssSubSystem.importCert(pkcs, nicknameWithoutTokenName, + certType); + } catch (EBaseException e) { + + boolean certFound = false; + + String eString = e.toString(); + if (eString.contains("Failed to find certificate that was just imported")) { + CMS.debug("CMSAdminServlet.installCert(): nickname=" + + nicknameWithoutTokenName + " TokenException: " + eString); + + X509Certificate cert = null; + try { + cert = CryptoManager.getInstance().findCertByNickname(nickname); + if (cert != null) { + certFound = true; + } + CMS.debug("CMSAdminServlet.installCert() Found cert just imported: " + nickname); + } catch (Exception ex) { + CMS.debug("CMSAdminServlet.installCert() Can't find cert just imported: " + ex.toString()); + } + } + + if (!certFound) { + // if it fails, let use a different nickname to try + Date now = new Date(); + String newNickname = nicknameWithoutTokenName + "-" + + now.getTime(); + + jssSubSystem.importCert(pkcs, newNickname, certType); + nicknameWithoutTokenName = newNickname; + if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME)) { + nickname = newNickname; + } else { + nickname = tokenName + ":" + newNickname; + } + CMS.debug("CMSAdminServlet: installCert(): After second install attempt following initial error: nickname=" + + nickname); + } + } + + if (certType.equals(Constants.PR_CA_SIGNING_CERT)) { + ICertificateAuthority ca = + (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA); + ISigningUnit signingUnit = ca.getSigningUnit(); + String signatureAlg = + jssSubSystem.getSignatureAlgorithm(nickname); + + signingUnit.setDefaultAlgorithm(signatureAlg); + setCANewnickname("", ""); + try { + CertificateExtensions extensions = null; + + if (nickname.equals(nicknameWithoutTokenName)) { + signingUnit.updateConfig(nickname, + Constants.PR_INTERNAL_TOKEN_NAME); + extensions = jssSubSystem.getExtensions( + 
Constants.PR_INTERNAL_TOKEN_NAME, nickname); + } else { + String tokenname1 = nickname.substring(0, index); + + signingUnit.updateConfig(nickname, tokenname1); + extensions = jssSubSystem.getExtensions(tokenname1, + nicknameWithoutTokenName); + } + if (extensions != null) { + BasicConstraintsExtension basic = + (BasicConstraintsExtension) + extensions.get(BasicConstraintsExtension.NAME); + + if (basic == null) + log(CMS.getLogMessage("ADMIN_SRVLT_BASIC_CONSTRAIN_NULL")); + else { + Integer pathlen = (Integer) + basic.get(BasicConstraintsExtension.PATH_LEN); + int num = pathlen.intValue(); + + if (num == 0) + ca.setBasicConstraintMaxLen(num); + else if (num > 0) { + num = num - 1; + ca.setBasicConstraintMaxLen(num); + } + } + } else { + log(CMS.getLogMessage("ADMIN_SRVLT_CERT_NO_EXT")); + } + } catch (Exception eee) { + log("CMSAdminServlet: Exception: " + eee.toString()); + } + } else if (certType.equals(Constants.PR_RA_SIGNING_CERT)) { + setRANewnickname("", ""); + IRegistrationAuthority ra = + (IRegistrationAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_RA); + + ra.setNickname(nickname); + } else if (certType.equals(Constants.PR_OCSP_SIGNING_CERT)) { + setOCSPNewnickname("", ""); + IOCSPAuthority ocsp = + (IOCSPAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_OCSP); + + if (ocsp != null) { + ISigningUnit signingUnit = ocsp.getSigningUnit(); + + if (nickname.equals(nicknameWithoutTokenName)) { + signingUnit.updateConfig(nickname, + Constants.PR_INTERNAL_TOKEN_NAME); + } else { + String tokenname1 = nickname.substring(0, index); + + signingUnit.updateConfig(nickname, tokenname1); + } + } else { + ICertificateAuthority ca = + (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + ISigningUnit signingUnit = ca.getOCSPSigningUnit(); + + if (nickname.equals(nicknameWithoutTokenName)) { + signingUnit.updateConfig(nickname, + Constants.PR_INTERNAL_TOKEN_NAME); + } else { + String tokenname1 = nickname.substring(0, index); + + signingUnit.updateConfig(nickname, tokenname1); 
+ } + } + } else if (certType.equals(Constants.PR_KRA_TRANSPORT_CERT)) { + setKRANewnickname("", ""); + IKeyRecoveryAuthority kra = + (IKeyRecoveryAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_KRA); + + kra.setNickname(nickname); + } else if (certType.equals(Constants.PR_SERVER_CERT)) { + setAgentNewnickname("", ""); + //modifyRADMCert(nickname); + modifyAgentGatewayCert(nickname); + if (isSubsystemInstalled("ra")) { + IRegistrationAuthority ra = + (IRegistrationAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_RA); + + modifyEEGatewayCert(ra, nickname); + } + if (isSubsystemInstalled("ca")) { + ICertificateAuthority ca = + (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + + modifyCAGatewayCert(ca, nickname); + } + } else if (certType.equals(Constants.PR_SERVER_CERT_RADM)) { + setRADMNewnickname("", ""); + modifyRADMCert(nickname); + } + + boolean verified = CMS.verifySystemCertByNickname(nickname, null); + if (verified == true) { + CMS.debug("CMSAdminServlet: installCert(): verifySystemCertByNickname() succeeded:" + nickname); + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, + auditSubjectID, + ILogger.SUCCESS, + nickname); + + audit(auditMessage); + } else { + CMS.debug("CMSAdminServlet: installCert(): verifySystemCertByNickname() failed:" + nickname); + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, + auditSubjectID, + ILogger.FAILURE, + nickname); + + audit(auditMessage); + } + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + mConfig.commit(true); + if (verified == true) { + sendResponse(SUCCESS, null, null, resp); + } else { + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_CERT_VALIDATE_FAILED"), + null, resp); + } + } catch (EBaseException eAudit1) { + // store a message in the signed audit log 
file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * For "importing" cross-signed cert into internal db for further + * cross pair matching and publishing + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY used when "Certificate Setup Wizard" is used to + * import a CA cross-signed certificate into the database + *
+ * + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException failed to import a cross-certificate pair + */ + private void importXCert(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String b64Cert = ""; + String pathname = ""; + String serverRoot = ""; + String serverID = ""; + String certpath = ""; + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + NameValuePairs results = new NameValuePairs(); + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + // really should be PR_CERT_CONTENT + if (key.equals(Constants.PR_PKCS10)) + b64Cert = value; + else if (key.equals("pathname")) + pathname = value; + else if (key.equals(Constants.PR_SERVER_ROOT)) + serverRoot = value; + else if (key.equals(Constants.PR_SERVER_ID)) + serverID = value; + else if (key.equals(Constants.PR_CERT_FILEPATH)) + certpath = value; + } + + try { + if (b64Cert == null || b64Cert.equals("")) { + if (certpath == null || certpath.equals("")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + EBaseException ex = new EBaseException( + CMS.getLogMessage("BASE_INVALID_FILE_PATH")); + + throw ex; + } else { + FileInputStream in = new FileInputStream(certpath); + BufferedReader d = + new BufferedReader(new InputStreamReader(in)); + String content = ""; + + b64Cert = ""; + StringBuffer sb = new StringBuffer(); + while ((content = d.readLine()) != null) { + sb.append(content); + 
sb.append("\n"); + } + b64Cert = sb.toString(); + if (d != null) { + d.close(); + } + b64Cert = b64Cert.substring(0, b64Cert.length() - 1); + } + } + } catch (IOException ee) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + throw new EBaseException( + CMS.getLogMessage("BASE_OPEN_FILE_FAILED")); + } + CMS.debug("CMSAdminServlet: got b64Cert"); + b64Cert = Cert.stripBrackets(b64Cert.trim()); + + // Base64 decode cert + byte[] bCert = null; + + try { + bCert = Utils.base64decode(b64Cert); + } catch (Exception e) { + CMS.debug("CMSAdminServlet: exception: " + e.toString()); + } + + pathname = serverRoot + File.separator + serverID + + File.separator + "config" + File.separator + pathname; + + ICrossCertPairSubsystem ccps = + (ICrossCertPairSubsystem) CMS.getSubsystem("CrossCertPair"); + + try { + //this will import into internal ldap crossCerts entry + ccps.importCert(bCert); + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(1, "xcert importing failure:" + e.toString(), + null, resp); + return; + } + + try { + // this will publish all of the cross cert pairs from internal + // db to publishing directory, if turned on + ccps.publishCertPairs(); + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(1, "xcerts publishing failure:" + e.toString(), null, resp); + return; + } + + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + String 
content = jssSubSystem.getCertPrettyPrint(b64Cert, + super.getLocale(req)); + + results.put(Constants.PR_NICKNAME, "FBCA cross-signed cert"); + results.put(Constants.PR_CERT_CONTENT, content); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, results, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + private String getNickname(String certType) throws EBaseException { + String nickname = ""; + + if (certType.equals(Constants.PR_CA_SIGNING_CERT)) { + ICertificateAuthority ca = + (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA); + ISigningUnit signingUnit = ca.getSigningUnit(); + + nickname = signingUnit.getNickname(); + } else if (certType.equals(Constants.PR_OCSP_SIGNING_CERT)) { + IOCSPAuthority ocsp = + (IOCSPAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_OCSP); + + if (ocsp 
== null) { + // this is a local CA service + ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA); + ISigningUnit signingUnit = ca.getOCSPSigningUnit(); + + nickname = signingUnit.getNickname(); + } else { + ISigningUnit signingUnit = ocsp.getSigningUnit(); + + nickname = signingUnit.getNickname(); + } + } else if (certType.equals(Constants.PR_RA_SIGNING_CERT)) { + IRegistrationAuthority ra = + (IRegistrationAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_RA); + + nickname = ra.getNickname(); + } else if (certType.equals(Constants.PR_KRA_TRANSPORT_CERT)) { + IKeyRecoveryAuthority kra = + (IKeyRecoveryAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_KRA); + + nickname = kra.getNickname(); + } else if (certType.equals(Constants.PR_SERVER_CERT)) { + nickname = CMS.getServerCertNickname(); + } else if (certType.equals(Constants.PR_SERVER_CERT_RADM)) { + nickname = CMS.getServerCertNickname(); + } + + return nickname; + } + + private void getCertInfo(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + NameValuePairs results = new NameValuePairs(); + String pkcs = ""; + String path = ""; + String certType = ""; + String otherNickname = ""; + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.PR_PKCS10)) { + pkcs = value; + } else if (key.equals(Constants.RS_ID)) { + certType = value; + } else if (key.equals(Constants.PR_CERT_FILEPATH)) { + path = value; + } else if (key.equals(Constants.PR_NICKNAME)) { + otherNickname = value; + } + } + + try { + if (pkcs == null || pkcs.equals("")) { + + if (path == null || path.equals("")) { + EBaseException ex = new EBaseException( + CMS.getLogMessage("BASE_INVALID_FILE_PATH")); + + throw ex; + } else { + FileInputStream in = new FileInputStream(path); + BufferedReader d = + new 
BufferedReader(new InputStreamReader(in)); + String content = ""; + + pkcs = ""; + StringBuffer sb = new StringBuffer(); + while ((content = d.readLine()) != null) { + sb.append(content); + sb.append("\n"); + } + pkcs = sb.toString(); + if (d != null) { + d.close(); + } + pkcs = pkcs.substring(0, pkcs.length() - 1); + } + } + } catch (IOException ee) { + throw new EBaseException(CMS.getLogMessage("BASE_OPEN_FILE_FAILED")); + } + + pkcs = pkcs.trim(); + int totalLen = pkcs.length(); + + if (pkcs.indexOf(BEGIN_HEADER) != 0 || + pkcs.indexOf(END_HEADER) != (totalLen - 25)) { + throw (new EBaseException(CMS.getLogMessage("BASE_INVALID_CERT_FORMAT"))); + } + + String nickname = ""; + + if (certType.equals(Constants.PR_CA_SIGNING_CERT)) { + nickname = getCANewnickname(); + } else if (certType.equals(Constants.PR_RA_SIGNING_CERT)) { + nickname = getRANewnickname(); + } else if (certType.equals(Constants.PR_KRA_TRANSPORT_CERT)) { + nickname = getKRANewnickname(); + } else if (certType.equals(Constants.PR_SERVER_CERT)) { + nickname = getAgentNewnickname(); + } else if (certType.equals(Constants.PR_SERVER_CERT_RADM)) { + nickname = getRADMNewnickname(); + } else if (certType.equals(Constants.PR_OTHER_CERT)) { + nickname = otherNickname; + } else if (certType.equals(Constants.PR_OCSP_SIGNING_CERT)) { + nickname = getOCSPNewnickname(); + } + if (nickname.equals("")) + nickname = getNickname(certType); + + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + String content = jssSubSystem.getCertPrettyPrint(pkcs, + super.getLocale(req)); + + if (nickname != null && !nickname.equals("")) + results.put(Constants.PR_NICKNAME, nickname); + results.put(Constants.PR_CERT_CONTENT, content); + //results = jssSubSystem.getCertInfo(value); + + sendResponse(SUCCESS, null, results, resp); + } + + private void getCertPrettyPrint(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + 
@SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + String nickname = ""; + String serialno = ""; + String issuername = ""; + Locale locale = super.getLocale(req); + NameValuePairs pairs = new NameValuePairs(); + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.OP_TYPE)) + continue; + if (key.equals(Constants.RS_ID)) + continue; + if (key.equals(Constants.OP_SCOPE)) + continue; + if (key.equals(Constants.PR_NICK_NAME)) { + nickname = value; + continue; + } + if (key.equals(Constants.PR_SERIAL_NUMBER)) { + serialno = value; + continue; + } + if (key.equals(Constants.PR_ISSUER_NAME)) { + issuername = value; + continue; + } + } + + String print = jssSubSystem.getCertPrettyPrintAndFingerPrint(nickname, + serialno, issuername, locale); + pairs.put(nickname, print); + + sendResponse(SUCCESS, null, pairs, resp); + } + + private void getRootCertTrustBit(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + String nickname = ""; + String serialno = ""; + String issuername = ""; + NameValuePairs pairs = new NameValuePairs(); + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.OP_TYPE)) + continue; + if (key.equals(Constants.RS_ID)) + continue; + if (key.equals(Constants.OP_SCOPE)) + continue; + if (key.equals(Constants.PR_NICK_NAME)) { + nickname = value; + continue; + } + if (key.equals(Constants.PR_SERIAL_NUMBER)) { + serialno = value; + continue; + } + if (key.equals(Constants.PR_ISSUER_NAME)) { + issuername = value; + 
continue; + } + } + + String trustbit = jssSubSystem.getRootCertTrustBit(nickname, + serialno, issuername); + pairs.put(nickname, trustbit); + + sendResponse(SUCCESS, null, pairs, resp); + } + + private void getCACerts(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + NameValuePairs pairs = jssSubSystem.getCACerts(); + + sendResponse(SUCCESS, null, pairs, resp); + } + + private void deleteRootCert(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String id = req.getParameter(Constants.RS_ID); + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + int mindex = id.indexOf(":SERIAL#<"); + String nickname = id.substring(0, mindex); + String sstr1 = id.substring(mindex); + int lindex = sstr1.indexOf(">"); + String serialno = sstr1.substring(9, lindex); + String issuername = sstr1.substring(lindex + 1); + jssSubSystem.deleteRootCert(nickname, serialno, issuername); + sendResponse(SUCCESS, null, null, resp); + } + + private void deleteUserCert(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String id = req.getParameter(Constants.RS_ID); + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + int mindex = id.indexOf(":SERIAL#<"); + String nickname = id.substring(0, mindex); + String sstr1 = id.substring(mindex); + int lindex = sstr1.indexOf(">"); + String serialno = sstr1.substring(9, lindex); + String issuername = sstr1.substring(lindex + 1); + jssSubSystem.deleteUserCert(nickname, serialno, issuername); + sendResponse(SUCCESS, null, null, resp); + } + + private void getRootCerts(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + ICryptoSubsystem 
jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + NameValuePairs pairs = jssSubSystem.getRootCerts(); + + sendResponse(SUCCESS, null, pairs, resp); + } + + private void getAllCertsManage(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + NameValuePairs pairs = jssSubSystem.getAllCertsManage(); + + sendResponse(SUCCESS, null, pairs, resp); + } + + private void getUserCerts(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + NameValuePairs pairs = jssSubSystem.getUserCerts(); + sendResponse(SUCCESS, null, pairs, resp); + } + + private void deleteCerts(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + String nickname = ""; + String date = ""; + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.OP_TYPE)) + continue; + if (key.equals(Constants.RS_ID)) + continue; + if (key.equals(Constants.OP_SCOPE)) + continue; + int index = value.indexOf(";"); + + nickname = value.substring(0, index); + date = value.substring(index + 1); + // cant use this one now since jss doesnt have the interface to + // do it. 
+ jssSubSystem.deleteCert(nickname, date); + // jssSubsystem.deleteCACert(nickname, date); + } + + sendResponse(SUCCESS, null, null, resp); + } + + private void validateSubjectName(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.PR_SUBJECT_NAME)) { + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + + jssSubSystem.isX500DN(value); + } + } + + sendResponse(SUCCESS, null, null, resp); + } + + private void validateKeyLength(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + sendResponse(SUCCESS, null, null, resp); + } + + private void validateCurveName(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + String curveName = null; + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.PR_KEY_CURVENAME)) { + curveName = value; + } + } + // check that the curvename is in the list of supported curves + String curveList = mConfig.getString("keys.ecc.curve.list", "nistp521"); + String[] curves = curveList.split(","); + boolean match = false; + for (int i = 0; i < curves.length; i++) { + if (curves[i].equals(curveName)) { + match = true; + } + } + if (!match) { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ECC_CURVE_NAME")); + } + + sendResponse(SUCCESS, null, null, resp); + } + + private void validateCertExtension(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + 
@SuppressWarnings("unchecked")
+ Enumeration enum1 = req.getParameterNames();
+ String certExt = "";
+
+ while (enum1.hasMoreElements()) {
+ String key = (String) enum1.nextElement();
+ String value = req.getParameter(key);
+
+ if (key.equals(ConfigConstants.PR_CERTIFICATE_EXTENSION)) {
+ certExt = value;
+ break;
+ }
+ }
+
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+
+ jssSubSystem.checkCertificateExt(certExt);
+ sendResponse(SUCCESS, null, null, resp);
+ }
+
+ private void getSubjectName(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ @SuppressWarnings("unchecked")
+ Enumeration enum1 = req.getParameterNames();
+
+ String nickname = "";
+
+ while (enum1.hasMoreElements()) {
+ String key = (String) enum1.nextElement();
+ String value = req.getParameter(key);
+
+ if (key.equals(Constants.RS_ID)) {
+ nickname = getNickname(value);
+ break;
+ }
+ }
+
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+ String subjectName = jssSubSystem.getSubjectDN(nickname);
+
+ params.put(Constants.PR_SUBJECT_NAME, subjectName);
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ private void processSubjectName(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ @SuppressWarnings("unchecked")
+ Enumeration enum1 = req.getParameterNames();
+
+ String nickname = "";
+
+ while (enum1.hasMoreElements()) {
+ String key = (String) enum1.nextElement();
+ String value = req.getParameter(key);
+
+ if (key.equals(Constants.PR_NICKNAME)) {
+ nickname = value;
+ }
+ }
+
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+ String subjectName = jssSubSystem.getSubjectDN(nickname);
+
+ params.put(Constants.PR_SUBJECT_NAME, subjectName);
+
sendResponse(SUCCESS, null, params, resp); + } + + public void setRootCertTrust(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String nickname = req.getParameter(Constants.PR_NICK_NAME); + String serialno = req.getParameter(Constants.PR_SERIAL_NUMBER); + String issuername = req.getParameter(Constants.PR_ISSUER_NAME); + String trust = req.getParameter("trustbit"); + + CMS.debug("CMSAdminServlet: setRootCertTrust()"); + + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + try { + jssSubSystem.setRootCertTrust(nickname, serialno, issuername, trust); + } catch (EBaseException e) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + // rethrow the specific exception to be handled later + throw e; + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } + + /** + * Establish trust of a CA certificate + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY used when "Manage Certificate" is used to edit + * the trustness of certs and deletion of certs + *
+ * + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException failed to establish CA certificate trust + */ + private void trustCACert(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + CMS.debug("CMSAdminServlet: trustCACert()"); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + String trust = ""; + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.RS_ID)) { + trust = value; + } else if (key.equals("certName0")) { + int index = value.indexOf(";"); + String nickname = value.substring(0, index); + String date = value.substring(index + 1); + + jssSubSystem.trustCert(nickname, date, trust); + } + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + //sendResponse(SUCCESS, null, null, resp); + sendResponse(RESTART, null, null, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + 
auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * Execute all self tests specified to be run on demand. + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION used when self tests are run on demand + *
+ * + * @exception EMissingSelfTestException a self test plugin instance + * property name was missing + * @exception ESelfTestException a self test is missing a required + * configuration parameter + * @exception IOException an input/output error has occurred + */ + private synchronized void + runSelfTestsOnDemand(HttpServletRequest req, + HttpServletResponse resp) + throws EMissingSelfTestException, + ESelfTestException, + IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + if (CMS.debugOn()) { + CMS.debug("CMSAdminServlet::runSelfTestsOnDemand():" + + " ENTERING . . ."); + } + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + String request = ""; + NameValuePairs results = new NameValuePairs(); + String content = ""; + String instanceName = null; + String instanceFullName = null; + String logMessage = null; + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.PR_RUN_SELFTESTS_ON_DEMAND)) { + request = value; + } + } + + ISelfTestSubsystem mSelfTestSubsystem = (ISelfTestSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_SELFTESTS); + + if ((request == null) || + (request.equals(""))) { + // self test plugin run on demand request parameter was missing + // log the error + logMessage = CMS.getLogMessage("SELFTESTS_RUN_ON_DEMAND_REQUEST", + getServletInfo(), + Constants.PR_RUN_SELFTESTS_ON_DEMAND + ); + + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + logMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + + audit(auditMessage); + + // notify console of FAILURE + content += logMessage + + "\n"; + sendResponse(ERROR, content, null, resp); + + // raise 
an exception + throw new ESelfTestException(logMessage); + } + + // run all self test plugin instances (designated on-demand) + String[] selftests = mSelfTestSubsystem.listSelfTestsEnabledOnDemand(); + + if (selftests != null && selftests.length > 0) { + // log that execution of on-demand self tests has begun + logMessage = CMS.getLogMessage("SELFTESTS_RUN_ON_DEMAND", + getServletInfo()); + + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + logMessage); + + // store this information for console notification + content += logMessage + + "\n"; + + for (int i = 0; i < selftests.length; i++) { + if (selftests[i] != null) { + instanceName = selftests[i].trim(); + instanceFullName = ISelfTestSubsystem.ID + + "." + + ISelfTestSubsystem.PROP_CONTAINER + + "." + + ISelfTestSubsystem.PROP_INSTANCE + + "." + + instanceName; + } else { + // self test plugin instance property name was missing + // log the error + logMessage = CMS.getLogMessage( + "SELFTESTS_PARAMETER_WAS_NULL", + getServletInfo()); + + mSelfTestSubsystem.log( + mSelfTestSubsystem.getSelfTestLogger(), + logMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + + audit(auditMessage); + + // notify console of FAILURE + content += logMessage + + "\n"; + sendResponse(ERROR, content, null, resp); + + // raise an exception + throw new EMissingSelfTestException(); + } + + ISelfTest test = (ISelfTest) + mSelfTestSubsystem.getSelfTest(instanceName); + + if (test == null) { + // self test plugin instance property name is not present + // log the error + logMessage = CMS.getLogMessage("SELFTESTS_MISSING_NAME", + getServletInfo(), + instanceFullName); + + mSelfTestSubsystem.log( + mSelfTestSubsystem.getSelfTestLogger(), + logMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, + auditSubjectID, + 
ILogger.FAILURE); + + audit(auditMessage); + + // notify console of FAILURE + content += logMessage + + "\n"; + sendResponse(ERROR, content, null, resp); + + // raise an exception + throw new EMissingSelfTestException(instanceFullName); + } + + try { + if (CMS.debugOn()) { + CMS.debug("CMSAdminServlet::runSelfTestsOnDemand():" + + " running \"" + + test.getSelfTestName() + + "\""); + } + + // store this information for console notification + content += "CMSAdminServlet::runSelfTestsOnDemand():" + + " running \"" + + test.getSelfTestName() + + "\" . . .\n"; + + test.runSelfTest(mSelfTestSubsystem.getSelfTestLogger()); + + // store this information for console notification + content += "COMPLETED SUCCESSFULLY\n"; + } catch (ESelfTestException e) { + // Check to see if the self test was critical: + if (mSelfTestSubsystem.isSelfTestCriticalOnDemand( + instanceName)) { + // log the error + logMessage = CMS.getLogMessage( + "SELFTESTS_RUN_ON_DEMAND_FAILED", + getServletInfo(), + instanceFullName); + + mSelfTestSubsystem.log( + mSelfTestSubsystem.getSelfTestLogger(), + logMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + + audit(auditMessage); + + // notify console of FAILURE + content += "FAILED WITH CRITICAL ERROR\n"; + content += logMessage + + "\n"; + sendResponse(ERROR, content, null, resp); + + // shutdown the system gracefully + CMS.shutdown(); + + return; + } else { + // store this information for console notification + content += "FAILED WITH NON-CRITICAL ERROR\n"; + } + } + } + + // log that execution of all "critical" on-demand self tests + // has completed "successfully" + logMessage = CMS.getLogMessage("SELFTESTS_RUN_ON_DEMAND_SUCCEEDED", + getServletInfo()); + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + logMessage); + + // store this information for console notification + content += logMessage + + "\n"; + } 
else { + // log this fact + logMessage = CMS.getLogMessage("SELFTESTS_NOT_RUN_ON_DEMAND", + getServletInfo()); + + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + logMessage); + + // store this information for console notification + content += logMessage + + "\n"; + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.SUCCESS); + + audit(auditMessage); + + // notify console of SUCCESS + results.put(Constants.PR_RUN_SELFTESTS_ON_DEMAND_CLASS, + CMSAdminServlet.class.getName()); + results.put(Constants.PR_RUN_SELFTESTS_ON_DEMAND_CONTENT, + content); + sendResponse(SUCCESS, null, results, resp); + + if (CMS.debugOn()) { + CMS.debug("CMSAdminServlet::runSelfTestsOnDemand():" + + " EXITING."); + } + } catch (EMissingSelfTestException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (ESelfTestException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + } catch (IOException eAudit3) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit3; + } + } + + public void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, level, "CMSAdminServlet: " + msg); + } + + /** + * Signed Audit Log Public Key + * + * This method is called to obtain the public key from 
the passed in + * "KeyPair" object for a signed audit log message. + *

+ *
+ * @param object a Key Pair Object
+ * @return key string containing the public key
+ */
+ private String auditPublicKey(KeyPair object) {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ if (object == null) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+
+ byte rawData[] = null;
+
+ rawData = object.getPublic().getEncoded();
+
+ String key = null;
+ StringBuffer sb = new StringBuffer();
+
+ // convert "rawData" into "base64Data"
+ if (rawData != null) {
+ String base64Data = null;
+
+ base64Data = Utils.base64encode(rawData).trim();
+
+ // extract all line separators from the "base64Data"
+ for (int i = 0; i < base64Data.length(); i++) {
+ if (base64Data.substring(i, i).getBytes() != EOL) {
+ sb.append(base64Data.substring(i, i));
+ }
+ }
+ }
+ key = sb.toString();
+
+ if (key != null) {
+ key = key.trim();
+
+ if (key.equals("")) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ } else {
+ return key;
+ }
+ } else {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/admin/JobsAdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/JobsAdminServlet.java
new file mode 100644
index 000000000..42ff32ebe
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/admin/JobsAdminServlet.java
@@ -0,0 +1,1007 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.common.DestDef;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.common.OpDef;
+import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.jobs.EJobsException;
+import com.netscape.certsrv.jobs.IJob;
+import com.netscape.certsrv.jobs.IJobsScheduler;
+import com.netscape.certsrv.jobs.JobPlugin;
+import com.netscape.certsrv.logging.ILogger;
+
+/**
+ * A class representing an administration servlet for the
+ * Jobs Scheduler and it's scheduled jobs.
+ * + * @version $Revision$, $Date$ + */ +public class JobsAdminServlet extends AdminServlet { + /** + * + */ + private static final long serialVersionUID = 561767449283982015L; + // ... remove later + private final static String EDIT = ";edit"; + private final static String VISIBLE = ";visible"; + private final static String ENABLED = ";enabled"; + private final static String DISABLED = ";disabled"; + + private final static String INFO = "JobsAdminServlet"; + private IJobsScheduler mJobsSched = null; + + /** + * Constructs JobsAdminServlet. + */ + public JobsAdminServlet() { + super(); + } + + /** + * Initializes this servlet. + */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + mJobsSched = (IJobsScheduler) + CMS.getSubsystem(CMS.SUBSYSTEM_JOBS); + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + /** + * retrieve extended plugin info such as brief description, type info + * from jobs + */ + private void getExtendedPluginInfo(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String id = req.getParameter(Constants.RS_ID); + + int colon = id.indexOf(':'); + + String implType = id.substring(0, colon); + String implName = id.substring(colon + 1); + + NameValuePairs params = + getExtendedPluginInfo(getLocale(req), implType, implName); + + sendResponse(SUCCESS, null, params, resp); + } + + private NameValuePairs getExtendedPluginInfo(Locale locale, String implType, String implName) { + IExtendedPluginInfo ext_info = null; + Object impl = null; + + JobPlugin jp = + (JobPlugin) mJobsSched.getPlugins().get(implName); + + if (jp != null) + impl = getClassByNameAsExtendedPluginInfo(jp.getClassPath()); + if (impl != null) { + if (impl instanceof IExtendedPluginInfo) { + ext_info = (IExtendedPluginInfo) impl; + } + } + + NameValuePairs nvps = null; + + if (ext_info == null) { + nvps = new NameValuePairs(); + } else { + 
nvps = convertStringArrayToNVPairs(ext_info.getExtendedPluginInfo(locale)); + } + + return nvps; + + } + + /** + * Serves HTTP admin request. + */ + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + + String scope = req.getParameter(Constants.OP_SCOPE); + String op = req.getParameter(Constants.OP_TYPE); + + if (op == null) { + //System.out.println("SRVLT_INVALID_PROTOCOL"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PROTOCOL"), + null, resp); + return; + } + + try { + super.authenticate(req); + } catch (IOException e) { + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHS_FAILED"), + null, resp); + return; + } + + try { + AUTHZ_RES_NAME = "certServer.job.configuration"; + if (op.equals(OpDef.OP_READ)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_JOBS)) + getSettings(req, resp); + else if (scope.equals(ScopeDef.SC_JOBS_IMPLS)) + getConfig(req, resp); + else if (scope.equals(ScopeDef.SC_JOBS_INSTANCE)) + getInstConfig(req, resp); + else if (scope.equals(ScopeDef.SC_EXTENDED_PLUGIN_INFO)) { + try { + getExtendedPluginInfo(req, resp); + } catch (EBaseException e) { + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } + } else { + //System.out.println("SRVLT_INVALID_OP_SCOPE"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else if (op.equals(OpDef.OP_MODIFY)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_JOBS)) { + setSettings(req, resp); + } else if 
(scope.equals(ScopeDef.SC_JOBS_INSTANCE)) { + modJobsInst(req, resp, scope); + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else if (op.equals(OpDef.OP_SEARCH)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_JOBS_IMPLS)) + listJobPlugins(req, resp); + else if (scope.equals(ScopeDef.SC_JOBS_INSTANCE)) + listJobsInsts(req, resp); + else { + //System.out.println("SRVLT_INVALID_OP_SCOPE"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else if (op.equals(OpDef.OP_ADD)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_JOBS_IMPLS)) + addJobPlugin(req, resp, scope); + else if (scope.equals(ScopeDef.SC_JOBS_INSTANCE)) + addJobsInst(req, resp, scope); + else { + //System.out.println("SRVLT_INVALID_OP_SCOPE"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else if (op.equals(OpDef.OP_DELETE)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_JOBS_IMPLS)) + delJobPlugin(req, resp, scope); + else if (scope.equals(ScopeDef.SC_JOBS_INSTANCE)) + delJobsInst(req, resp, scope); + else { + //System.out.println("SRVLT_INVALID_OP_SCOPE"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else { + sendResponse(ERROR, + 
CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_TYPE", op),
+ null, resp);
+ return;
+ }
+ } catch (EBaseException e) {
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ }
+ }
+
+ private synchronized void addJobPlugin(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+ // is the job plugin id unique?
+ if (mJobsSched.getPlugins().containsKey((Object) id)) {
+ sendResponse(ERROR,
+ new EJobsException(CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_ILL_JOB_PLUGIN_ID", id))
+ .toString(),
+ null, resp);
+ return;
+ }
+
+ String classPath = req.getParameter(Constants.PR_JOBS_CLASS);
+
+ if (classPath == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_NULL_CLASS"),
+ null, resp);
+ return;
+ }
+
+ IConfigStore destStore =
+ mConfig.getSubStore(DestDef.DEST_JOBS_ADMIN);
+ IConfigStore instancesConfig =
+ destStore.getSubStore(scope);
+
+ // Does the class exist?
+ Class newImpl = null;
+
+ try {
+ newImpl = Class.forName(classPath);
+ } catch (ClassNotFoundException e) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_NO_CLASS"),
+ null, resp);
+ return;
+ } catch (IllegalArgumentException e) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_NO_CLASS"),
+ null, resp);
+ return;
+ }
+
+ // is the class an IJob?
+ try {
+ if (IJob.class.isAssignableFrom(newImpl) == false) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_ILL_CLASS"),
+ null, resp);
+ return;
+ }
+ } catch (NullPointerException e) { // unlikely, only if newImpl null.
+ sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_ILL_CLASS"), + null, resp); + return; + } + + IConfigStore substore = instancesConfig.makeSubStore(id); + + substore.put(Constants.PR_JOBS_CLASS, classPath); + + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + //System.out.println("SRVLT_FAIL_COMMIT"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // add manager to registry. + JobPlugin plugin = new JobPlugin(id, classPath); + + mJobsSched.getPlugins().put(id, plugin); + mJobsSched.log(ILogger.LL_INFO, + CMS.getLogMessage("ADMIN_SRVLT_JS_PLUGIN_ADD", id)); + + NameValuePairs params = new NameValuePairs(); + + sendResponse(SUCCESS, null, params, resp); + return; + } + + private synchronized void addJobsInst(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // is the job instance id unique? + if (mJobsSched.getInstances().containsKey((Object) id)) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_ILL_JOB_INST_ID"), + null, resp); + return; + } + + // get required parameters + // SC_JOBS_IMPL_NAME is absolutely required, the rest depend on + // on each job plugin + String implname = req.getParameter(Constants.PR_JOBS_IMPL_NAME); + + if (implname == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_ADD_MISSING_PARAMS"), + null, resp); + return; + } + + // check if implementation exists. 
+ JobPlugin plugin = + (JobPlugin) mJobsSched.getPlugins().get(implname); + + if (plugin == null) { + sendResponse(ERROR, + new + EJobsException(CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_JOB_PLUGIN_NOT_FOUND", + id)).toString(), + null, resp); + return; + } + + // now the rest of config parameters + // note that we only check to see if the required parameters + // are there, but not checking the values are valid + String[] configParams = mJobsSched.getConfigParams(implname); + + IConfigStore destStore = + mConfig.getSubStore(DestDef.DEST_JOBS_ADMIN); + IConfigStore instancesConfig = + destStore.getSubStore(scope); + IConfigStore substore = instancesConfig.makeSubStore(id); + + if (configParams != null) { + for (int i = 0; i < configParams.length; i++) { + String key = configParams[i]; + String val = req.getParameter(key); + + if (val != null && !val.equals("")) { + substore.put(key, val); + } else if (!key.equals("profileId")) { + sendResponse(ERROR, + new + EJobsException(CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_MISSING_INST_PARAM_VAL", + key)).toString(), + null, resp); + return; + } + } + } + + substore.put(IJobsScheduler.PROP_PLUGIN, implname); + + // Instantiate an object for this implementation + String className = plugin.getClassPath(); + IJob jobsInst = null; + + try { + jobsInst = (IJob) Class.forName(className).newInstance(); + } catch (ClassNotFoundException e) { + // cleanup + instancesConfig.removeSubStore(id); + sendResponse(ERROR, + new EJobsException( + CMS.getUserMessage(getLocale(req), "CMS_JOB_LOAD_CLASS_FAILED", className)).toString(), + null, resp); + return; + } catch (InstantiationException e) { + instancesConfig.removeSubStore(id); + sendResponse(ERROR, + new EJobsException( + CMS.getUserMessage(getLocale(req), "CMS_JOB_LOAD_CLASS_FAILED", className)).toString(), + null, resp); + return; + } catch (IllegalAccessException e) { + instancesConfig.removeSubStore(id); + sendResponse(ERROR, + new EJobsException( + 
CMS.getUserMessage(getLocale(req), "CMS_JOB_LOAD_CLASS_FAILED", className)).toString(), + null, resp); + return; + } + + IJobsScheduler scheduler = (IJobsScheduler) + CMS.getSubsystem(CMS.SUBSYSTEM_JOBS); + + // initialize the job plugin + try { + jobsInst.init(scheduler, id, implname, substore); + } catch (EBaseException e) { + // don't commit in this case and cleanup the new substore. + instancesConfig.removeSubStore(id); + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } + + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + // clean up. + instancesConfig.removeSubStore(id); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // inited and commited ok. now add manager instance to list. + mJobsSched.getInstances().put(id, jobsInst); + + mJobsSched.log(ILogger.LL_INFO, + CMS.getLogMessage("ADMIN_SRVLT_JOB_INST_ADD", id)); + + NameValuePairs params = new NameValuePairs(); + + params.put(Constants.PR_JOBS_IMPL_NAME, implname); + sendResponse(SUCCESS, null, params, resp); + return; + } + + private synchronized void listJobPlugins(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + Enumeration e = mJobsSched.getPlugins().keys(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + JobPlugin value = mJobsSched.getPlugins().get(name); + + params.put(name, value.getClassPath()); + // params.add(name, value.getClassPath()+EDIT); + } + sendResponse(SUCCESS, null, params, resp); + return; + } + + private synchronized void listJobsInsts(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + + for (Enumeration e = mJobsSched.getInstances().keys(); e.hasMoreElements();) { + String name = e.nextElement(); + IJob value = 
mJobsSched.getInstances().get((Object) name); + + // params.add(name, value.getImplName()); + params.put(name, value.getImplName() + VISIBLE + + (value.isEnabled() ? ENABLED : DISABLED) + ); + } + sendResponse(SUCCESS, null, params, resp); + return; + } + + private synchronized void delJobPlugin(HttpServletRequest req, + HttpServletResponse resp, String scope) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // does this job plugin exist? + if (mJobsSched.getPlugins().containsKey(id) == false) { + sendResponse(ERROR, + new + EJobsException(CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_JOB_PLUGIN_NOT_FOUND", + id)).toString(), + null, resp); + return; + } + + // first check if any instances from this job plugin + // DON'T remove job plugin if any instance + for (Enumeration e = mJobsSched.getInstances().elements(); e.hasMoreElements();) { + IJob jobs = e.nextElement(); + + if ((jobs.getImplName()).equals(id)) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_JOB_IN_USE"), + null, resp); + return; + } + } + + // then delete this job plugin + mJobsSched.getPlugins().remove((Object) id); + + IConfigStore destStore = + mConfig.getSubStore(DestDef.DEST_JOBS_ADMIN); + IConfigStore instancesConfig = + destStore.getSubStore(scope); + + instancesConfig.removeSubStore(id); + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + sendResponse(SUCCESS, null, params, resp); + return; + } + + private synchronized void delJobsInst(HttpServletRequest req, + HttpServletResponse resp, String scope) throws 
ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // does job plugin instance exist? + if (mJobsSched.getInstances().containsKey(id) == false) { + sendResponse(ERROR, + new EJobsException(CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_JOB_NOT_FOUND", + id)).toString(), + null, resp); + return; + } + + // only remove from memory + // cannot shutdown because we don't keep track of whether it's + // being used. + mJobsSched.getInstances().remove(id); + + // remove the configuration. + IConfigStore destStore = + mConfig.getSubStore(DestDef.DEST_JOBS_ADMIN); + IConfigStore instancesConfig = + destStore.getSubStore(scope); + + instancesConfig.removeSubStore(id); + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + //System.out.println("SRVLT_FAIL_COMMIT"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + sendResponse(SUCCESS, null, params, resp); + return; + } + + /** + * used for getting the required configuration parameters (with + * possible default values) for a particular job plugin + * implementation name specified in the RS_ID. Actually, there is + * no logic in here to set any default value here...there's no + * default value for any parameter in this job scheduler subsystem + * at this point. Later, if we do have one (or some), it can be + * added. The interface remains the same. 
+ */ + private synchronized void getConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + + String implname = req.getParameter(Constants.RS_ID); + + if (implname == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + String[] configParams = mJobsSched.getConfigParams(implname); + NameValuePairs params = new NameValuePairs(); + + // implName is always required so always send it. + params.put(Constants.PR_JOBS_IMPL_NAME, ""); + if (configParams != null) { + for (int i = 0; i < configParams.length; i++) { + params.put(configParams[i], ""); + } + } + sendResponse(0, null, params, resp); + return; + } + + private synchronized void getInstConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // does job plugin instance exist? + if (mJobsSched.getInstances().containsKey(id) == false) { + sendResponse(ERROR, + new EJobsException(CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_JOB_NOT_FOUND", + id)).toString(), + null, resp); + return; + } + + IJob jobInst = (IJob) mJobsSched.getInstances().get(id); + IConfigStore config = jobInst.getConfigStore(); + String[] configParams = jobInst.getConfigParams(); + NameValuePairs params = new NameValuePairs(); + + params.put(Constants.PR_JOBS_IMPL_NAME, jobInst.getImplName()); + + // implName is always required so always send it. 
+ if (configParams != null) { + for (int i = 0; i < configParams.length; i++) { + String key = configParams[i]; + + String val = (String) config.get(key); + + if (val != null && !val.equals("")) { + params.put(key, val); + } else { + params.put(key, ""); + } + } + } + + sendResponse(SUCCESS, null, params, resp); + return; + } + + /** + * Modify job plugin instance. + * This will actually create a new instance with new configuration + * parameters and replace the old instance, if the new instance + * created and initialized successfully. + * The old instance is left running. so this is very expensive. + * Restart of server recommended. + */ + private synchronized void modJobsInst(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + + // expensive operation. + + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // Does the job instance exist? + if (!mJobsSched.getInstances().containsKey((Object) id)) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_ILL_JOB_INST_ID"), + null, resp); + return; + } + + // get new implementation (same or different.) + String implname = req.getParameter(Constants.PR_JOBS_IMPL_NAME); + + if (implname == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_ADD_MISSING_PARAMS"), + null, resp); + return; + } + + // get plugin for implementation + JobPlugin plugin = + (JobPlugin) mJobsSched.getPlugins().get(implname); + + if (plugin == null) { + sendResponse(ERROR, + new EJobsException(CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_JOB_PLUGIN_NOT_FOUND", + id)).toString(), + null, resp); + return; + } + + // save old instance substore params in case new one fails. 
+ + IJob oldinst = + (IJob) mJobsSched.getInstances().get((Object) id); + IConfigStore oldConfig = oldinst.getConfigStore(); + + String[] oldConfigParms = oldinst.getConfigParams(); + NameValuePairs saveParams = new NameValuePairs(); + + // implName is always required so always include it it. + saveParams.put(IJobsScheduler.PROP_PLUGIN, + (String) oldConfig.get(IJobsScheduler.PROP_PLUGIN)); + if (oldConfigParms != null) { + for (int i = 0; i < oldConfigParms.length; i++) { + String key = oldConfigParms[i]; + Object val = oldConfig.get(key); + + if (val != null) { + saveParams.put(key, (String) val); + } + } + } + + // on to the new instance. + + // remove old substore. + + IConfigStore destStore = + mConfig.getSubStore(DestDef.DEST_JOBS_ADMIN); + IConfigStore instancesConfig = + destStore.getSubStore(scope); + + instancesConfig.removeSubStore(id); + + // create new substore. + + String[] configParams = mJobsSched.getConfigParams(implname); + + IConfigStore substore = instancesConfig.makeSubStore(id); + + substore.put(IJobsScheduler.PROP_PLUGIN, implname); + if (configParams != null) { + for (int i = 0; i < configParams.length; i++) { + String key = configParams[i]; + String val = req.getParameter(key); + + if (val != null && !val.equals("")) { + substore.put(key, val); + } else if (!key.equals("profileId")) { + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, + new + EJobsException(CMS.getUserMessage(getLocale(req), "CMS_JOB_SRVLT_MISSING_INST_PARAM_VAL", + key)).toString(), + null, resp); + return; + } + } + } + // Instantiate an object for new implementation + + String className = plugin.getClassPath(); + IJob newJobInst = null; + + try { + newJobInst = (IJob) Class.forName(className).newInstance(); + } catch (ClassNotFoundException e) { + // cleanup + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, + new EJobsException( + CMS.getUserMessage(getLocale(req), "CMS_JOB_LOAD_CLASS_FAILED", className)).toString(), + null, resp); + 
return; + } catch (InstantiationException e) { + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, + new EJobsException( + CMS.getUserMessage(getLocale(req), "CMS_JOB_LOAD_CLASS_FAILED", className)).toString(), + null, resp); + return; + } catch (IllegalAccessException e) { + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, + new EJobsException( + CMS.getUserMessage(getLocale(req), "CMS_JOB_LOAD_CLASS_FAILED", className)).toString(), + null, resp); + return; + } + + // initialize the job plugin + + IJobsScheduler scheduler = (IJobsScheduler) + CMS.getSubsystem(CMS.SUBSYSTEM_JOBS); + + try { + newJobInst.init(scheduler, id, implname, substore); + } catch (EBaseException e) { + // don't commit in this case and cleanup the new substore. + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } catch (Exception e) { + CMS.debug("JobsAdminServlet: modJobsInst: " + e); + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, "unidentified error" + e, null, resp); + return; + } + + // initialized ok. commiting + try { + mConfig.commit(true); + + } catch (EBaseException e) { + // clean up. + restore(instancesConfig, id, saveParams); + //System.out.println("SRVLT_FAIL_COMMIT"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // commited ok. replace instance. 
+ + mJobsSched.getInstances().put(id, newJobInst); + + mJobsSched.log(ILogger.LL_INFO, + CMS.getLogMessage("ADMIN_SRVLT_JOB_INST_REP", id)); + + NameValuePairs params = new NameValuePairs(); + + sendResponse(SUCCESS, null, params, resp); + return; + } + + private void getSettings(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + IConfigStore config = mConfig.getSubStore(DestDef.DEST_JOBS_ADMIN); + + params.put(Constants.PR_ENABLE, + config.getString(IJobsScheduler.PROP_ENABLED, + Constants.FALSE)); + // default 1 minute + params.put(Constants.PR_JOBS_FREQUENCY, + config.getString(IJobsScheduler.PROP_INTERVAL, "1")); + + //System.out.println("Send: "+params.toString()); + sendResponse(SUCCESS, null, params, resp); + } + + private void setSettings(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + //Save New Settings to the config file + IConfigStore config = mConfig.getSubStore(DestDef.DEST_JOBS_ADMIN); + + String enabled = config.getString(IJobsScheduler.PROP_ENABLED); + String enabledSetTo = req.getParameter(Constants.PR_ENABLE); + boolean enabledChanged = false; + + if (!enabled.equalsIgnoreCase(enabledSetTo)) { + enabledChanged = true; + // set enable flag + config.putString(IJobsScheduler.PROP_ENABLED, enabledSetTo); + } + + //set frequency + String interval = + req.getParameter(Constants.PR_JOBS_FREQUENCY); + + if (interval != null) { + config.putString(IJobsScheduler.PROP_INTERVAL, interval); + mJobsSched.setInterval( + config.getInteger(IJobsScheduler.PROP_INTERVAL)); + } + + if (enabledChanged == true) { + if (enabled.equalsIgnoreCase("false")) { // turned on + mJobsSched.startDaemon(); + } + } + mConfig.commit(true); + + sendResponse(SUCCESS, null, null, resp); + } + + // convenience routine. 
+ private static void restore(IConfigStore store, + String id, NameValuePairs saveParams) { + store.removeSubStore(id); + IConfigStore rstore = store.makeSubStore(id); + + for (String key : saveParams.keySet()) { + String value = saveParams.get(key); + + if (!value.equals("")) + rstore.put(key, value); + } + } +} diff --git a/base/common/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java new file mode 100644 index 000000000..eaa5a95c4 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java 
@@ -0,0 +1,234 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+import java.io.IOException;
+import java.util.Enumeration;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.common.OpDef;
+import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.ILogger;
+
+/**
+ * A class representings an administration servlet for Key
+ * Recovery Authority. This servlet is responsible to serve
+ * KRA administrative operation such as configuration
+ * parameter updates.
+ *
+ * @version $Revision$, $Date$
+ */
+public class KRAAdminServlet extends AdminServlet {
+ /**
+ *
+ */
+ private static final long serialVersionUID = -5794220348195666729L;
+
+ protected static final String PROP_ENABLED = "enabled";
+
+ private final static String INFO = "KRAAdminServlet";
+
+ private IKeyRecoveryAuthority mKRA = null;
+
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_DRM =
+ "LOGGING_SIGNED_AUDIT_CONFIG_DRM_3";
+
+ /**
+ * Constructs KRA servlet.
+ */
+ public KRAAdminServlet() {
+ super();
+ }
+
+ public void init(ServletConfig config) throws ServletException {
+ super.init(config);
+ mKRA = (IKeyRecoveryAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_KRA);
+ }
+
+ /**
+ * Returns serlvet information.
+ *
+ * @return name of this servlet
+ */
+ public String getServletInfo() {
+ return INFO;
+ }
+
+ /**
+ * Serves HTTP admin request.
+ *
+ * @param req HTTP request
+ * @param resp HTTP response
+ */
+ public void service(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException {
+ super.service(req, resp);
+
+ super.authenticate(req);
+ String scope = req.getParameter(Constants.OP_SCOPE);
+
+ if (scope == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"),
+ null, resp);
+ return;
+ }
+ String op = req.getParameter(Constants.OP_TYPE);
+
+ if (op == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_TYPE", op),
+ null, resp);
+ return;
+ }
+
+ try {
+ AUTHZ_RES_NAME = "certServer.kra.configuration";
+ if (op.equals(OpDef.OP_READ)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ /* Functions not implemented in console
+ if (scope.equals(ScopeDef.SC_AUTO_RECOVERY)) {
+ readAutoRecoveryConfig(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_RECOVERY)) {
+ readRecoveryConfig(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_NOTIFICATION_RIQ)) {
+ getNotificationRIQConfig(req, resp);
+ return;
+ } else
+ */
+ if (scope.equals(ScopeDef.SC_GENERAL)) {
+ getGeneralConfig(req, resp);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_MODIFY)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ /* Functions not implemented in console
+ if (scope.equals(ScopeDef.SC_AUTO_RECOVERY)) {
+ modifyAutoRecoveryConfig(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_AGENT_PWD)) {
+ changeAgentPwd(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_MNSCHEME)) {
+ changeMNScheme(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_NOTIFICATION_RIQ)) {
+ setNotificationRIQConfig(req, resp);
+ return;
+ } else
+ */
+ if (scope.equals(ScopeDef.SC_GENERAL)) {
+ setGeneralConfig(req, resp);
+ }
+ }
+ } catch (EBaseException e) {
+ // convert exception into locale-specific message
+ sendResponse(ERROR, e.toString(getLocale(req)),
+ null, resp);
+ return;
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PROTOCOL"),
+ null, resp);
+ }
+
+ private void getGeneralConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ int value = 1;
+
+ value = mKRA.getNoOfRequiredAgents();
+ params.put(Constants.PR_NO_OF_REQUIRED_RECOVERY_AGENTS, Integer.toString(value));
+
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ private void setGeneralConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ @SuppressWarnings("unchecked")
+ Enumeration enum1 = req.getParameterNames();
+ boolean restart = false;
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ while (enum1.hasMoreElements()) {
+ String key = enum1.nextElement();
+ String value = req.getParameter(key);
+
+ if (key.equals(Constants.PR_NO_OF_REQUIRED_RECOVERY_AGENTS)) {
+ try {
+ int number = Integer.parseInt(value);
+ mKRA.setNoOfRequiredAgents(number);
+ } catch (NumberFormatException e) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ throw new EBaseException("Number of agents must be an integer");
+ }
+ }
+ }
+
+ commit(true);
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ if (restart)
+ sendResponse(RESTART, null, null, resp);
+ else
+ sendResponse(SUCCESS, null, null, resp);
+ }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
new file mode 100644
index 000000000..1b32018bc
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
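Review bot: In KRAAdminServlet.service(), the OP_MODIFY / SC_GENERAL branch calls `setGeneralConfig(req, resp);` without a `return;`, so after setGeneralConfig has already written its SUCCESS (or RESTART) response the method falls through to the trailing `sendResponse(ERROR, ... "CMS_ADMIN_SRVLT_INVALID_PROTOCOL" ...)` and emits a second, contradictory response on the same stream; the OP_READ branch does return, so the fix is `setGeneralConfig(req, resp); return;`. The `catch (Exception e) { e.printStackTrace(); }` just below reports that same INVALID_PROTOCOL error for any unexpected failure while only printing the cause to stdout, so nothing reaches the signed audit log that setGeneralConfig otherwise writes on failure. In setGeneralConfig, `Integer.parseInt(value)` is the only validation before `mKRA.setNoOfRequiredAgents(number)` is applied and `commit(true)` persists it, so a zero or negative agent count — the m-of-n threshold that gates key recovery — would be stored unless setNoOfRequiredAgents rejects it, which this file does not show; a range check (e.g. `if (number < 1) throw new EBaseException(...)`) before the setter, with the FAILURE audit entry, would close that gap. `restart` is never assigned true, so the `sendResponse(RESTART, ...)` branch at the end is dead code.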
@@ -0,0 +1,2361 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.admin; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Locale; +import java.util.Vector; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.common.Constants; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.common.OpDef; +import com.netscape.certsrv.common.ScopeDef; +import com.netscape.certsrv.logging.ELogException; +import com.netscape.certsrv.logging.ELogNotFound; +import com.netscape.certsrv.logging.ELogPluginNotFound; +import com.netscape.certsrv.logging.ILogEventListener; +import com.netscape.certsrv.logging.ILogSubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.LogPlugin; + +/** + * A class representings an administration servlet for logging + * 
subsystem. This servlet is responsible to serve + * logging administrative operation such as configuration + * parameter updates and log retriever. + * + * @version $Revision$, $Date$ + */ +public class LogAdminServlet extends AdminServlet { + + /** + * + */ + private static final long serialVersionUID = -99699953656847603L; + + private final static String INFO = "LogAdminServlet"; + + private ILogSubsystem mSys = null; + + private final static String VIEW = ";" + Constants.VIEW; + private final static String EDIT = ";" + Constants.EDIT; + + private final static String SIGNED_AUDIT_LOG_TYPE = "SignedAudit"; + private final static String LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT = + "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3"; + private final static String LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE = + "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; + private final static String LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE = + "LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4"; + + /** + * Constructs Log servlet. + */ + public LogAdminServlet() { + super(); + } + + public static Hashtable toHashtable(HttpServletRequest req) { + Hashtable httpReqHash = new Hashtable(); + Enumeration names = req.getParameterNames(); + + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + httpReqHash.put(name, req.getParameter(name)); + } + return httpReqHash; + } + + /** + * Initializes this servlet. + */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + mSys = (ILogSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_LOG); + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + /** + * Serves HTTP admin request. 
+ */ + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + + String op = req.getParameter(Constants.OP_TYPE); + + if (op == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PROTOCOL"), + null, resp); + return; + } + + super.authenticate(req); + + try { + // perform operation based on scope + String scope = req.getParameter(Constants.OP_SCOPE); + + if (scope != null) { + AUTHZ_RES_NAME = "certServer.log.configuration"; + if (scope.equals(ScopeDef.SC_EXTENDED_PLUGIN_INFO)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + try { + getExtendedPluginInfo(req, resp); + return; + } catch (EBaseException e) { + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } + } + + if (op.equals(OpDef.OP_READ)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + + if (scope.equals(ScopeDef.SC_LOG_IMPLS)) { + getConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_LOG_RULES)) { + getInstConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_GENERAL)) { + getGeneralConfig(req, resp); + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else if (op.equals(OpDef.OP_DELETE)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + + if (scope.equals(ScopeDef.SC_LOG_IMPLS)) { + delLogPlugin(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_LOG_RULES)) { + delLogInst(req, resp, scope); + return; + } else { 
+ sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else if (op.equals(OpDef.OP_ADD)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + + if (scope.equals(ScopeDef.SC_LOG_IMPLS)) { + addLogPlugin(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_LOG_RULES)) { + addLogInst(req, resp, scope); + return; + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else if (op.equals(OpDef.OP_MODIFY)) { + AUTHZ_RES_NAME = "certServer.log.configuration"; + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + + if (scope.equals(ScopeDef.SC_LOG_RULES)) { + modLogInst(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_GENERAL)) { + setGeneralConfig(req, resp); + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else if (op.equals(OpDef.OP_SEARCH)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_LOG_IMPLS)) { + listLogPlugins(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_LOG_RULES)) { + listLogInsts(req, resp, true); + return; + } else if (scope.equals(ScopeDef.SC_LOG_INSTANCES)) { + listLogInsts(req, resp, false); + return; + } else if (scope.equals(ScopeDef.SC_LOG_CONTENT)) { + String instName = req.getParameter(Constants.PR_LOG_INSTANCE); + + if (instName.equals("System")) { + AUTHZ_RES_NAME = "certServer.log.content.system"; + } else if 
(instName.equals("Transactions")) { + AUTHZ_RES_NAME = "certServer.log.content.transactions"; + } else if (instName.equals(Constants.PR_LOG_SIGNED_AUDIT)) { + AUTHZ_RES_NAME = "certServer.log.content.signedAudit"; + } + + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + + ILogEventListener loginst = + mSys.getLogInstance(instName); + + if (loginst != null) { + NameValuePairs nvps = loginst.retrieveLogContent(toHashtable(req)); + + sendResponse(SUCCESS, null, nvps, resp); + } + return; + } else if (scope.equals(ScopeDef.SC_LOG_ARCH)) { + String instName = req.getParameter(Constants.PR_LOG_INSTANCE); + + if (instName.equals("System")) { + AUTHZ_RES_NAME = "certServer.log.content.system"; + } else if (instName.equals("Transactions")) { + AUTHZ_RES_NAME = "certServer.log.content.transactions"; + } else if (instName.equals(Constants.PR_LOG_SIGNED_AUDIT)) { + AUTHZ_RES_NAME = "certServer.log.content.signedAudit"; + } + + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + ILogEventListener loginst = + mSys.getLogInstance(instName); + + if (loginst != null) { + NameValuePairs nvps = loginst.retrieveLogList(toHashtable(req)); + + sendResponse(SUCCESS, null, nvps, resp); + } + return; + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_TYPE", op), + null, resp); + return; + } + } + } catch (EBaseException e) { + // if it is EBaseException, we can output better + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + } catch (Exception e) { + System.out.println("XXX >>>" + e.toString() + "<<<"); + e.printStackTrace(); + 
sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PROTOCOL"), + null, resp); + } + + return; + } + + private synchronized void listLogInsts(HttpServletRequest req, + HttpServletResponse resp, boolean all) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + Enumeration e = mSys.getLogInsts().keys(); + + for (; e.hasMoreElements();) { + String name = (String) e.nextElement(); + ILogEventListener value = ((ILogSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_LOG)).getLogInstance(name); + + if (value == null) + continue; + String pName = mSys.getLogPluginName(value); + LogPlugin pClass = (LogPlugin) + mSys.getLogPlugins().get(pName); + String c = pClass.getClassPath(); + + // not show ntEventlog here + if (all || (!all && !c.endsWith("NTEventLog"))) + params.put(name, pName + ";visible"); + } + sendResponse(SUCCESS, null, params, resp); + return; + } + + /** + * retrieve extended plugin info such as brief description, type info + * from logging + */ + private void getExtendedPluginInfo(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String id = req.getParameter(Constants.RS_ID); + + int colon = id.indexOf(':'); + + String implType = id.substring(0, colon); + String implName = id.substring(colon + 1); + NameValuePairs params = getExtendedPluginInfo(getLocale(req), implType, implName); + + sendResponse(SUCCESS, null, params, resp); + } + + private NameValuePairs getExtendedPluginInfo(Locale locale, String implType, String implName) { + IExtendedPluginInfo ext_info = null; + Object impl = null; + LogPlugin lp = (LogPlugin) mSys.getLogPlugins().get(implName); + + if (lp != null) { + impl = getClassByNameAsExtendedPluginInfo(lp.getClassPath()); + } + if (impl != null) { + if (impl instanceof IExtendedPluginInfo) { + ext_info = (IExtendedPluginInfo) impl; + } + } + + NameValuePairs nvps = null; + + if (ext_info == null) { + nvps = 
new NameValuePairs(); + } else { + nvps = convertStringArrayToNVPairs(ext_info.getExtendedPluginInfo(locale)); + } + + return nvps; + + } + + /** + * Add log plug-in + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT used when configuring signedAudit + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of the log's substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + @SuppressWarnings("unchecked") + private synchronized void addLogPlugin(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String logType = null; + String id = req.getParameter(Constants.RS_ID); + + // if this "required" parameter is not present, + // always log messages to the signed audit log + logType = id; + if (logType == null) { + logType = SIGNED_AUDIT_LOG_TYPE; + } + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // is the log id unique? 
+ if (mSys.getLogPlugins().containsKey((Object) id)) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + new ELogException(CMS.getUserMessage(getLocale(req), "CMS_LOG_SRVLT_ILL_PLUGIN_ID", id)) + .toString(), + null, resp); + return; + } + + String classPath = req.getParameter(Constants.PR_LOG_CLASS); + + if (classPath == null) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_LOG_SRVLT_NULL_CLASS"), + null, resp); + return; + } + + IConfigStore destStore = null; + + destStore = mConfig.getSubStore("log"); + IConfigStore instancesConfig = + destStore.getSubStore("impl"); + + // Does the class exist? 
+ Class newImpl = null; + + try { + newImpl = (Class) Class.forName(classPath); + } catch (ClassNotFoundException e) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_LOG_SRVLT_NO_CLASS"), + null, resp); + return; + } catch (IllegalArgumentException e) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_LOG_SRVLT_NO_CLASS"), + null, resp); + return; + } + + // is the class an ILogEventListner? + try { + if (ILogEventListener.class.isAssignableFrom(newImpl) == false) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_LOG_SRVLT_ILL_CLASS"), + null, resp); + return; + } + } catch (NullPointerException e) { // unlikely, only if newImpl null. 
+ // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_LOG_SRVLT_ILL_CLASS"), + null, resp); + return; + } + + IConfigStore substore = instancesConfig.makeSubStore(id); + + substore.put(Constants.PR_LOG_CLASS, classPath); + + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + //System.out.println("SRVLT_FAIL_COMMIT"); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // add log to registry. 
+ LogPlugin plugin = new LogPlugin(id, classPath); + + mSys.getLogPlugins().put(id, plugin); + + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(SUCCESS, null, params, resp); + return; + // } catch( EBaseException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + private boolean isValidID(String id) { + if (id == null) + return false; + for (int i = 0; i < id.length(); i++) { + if (!Character.isLetterOrDigit(id.charAt(i))) + return false; + } + return true; + } + + /** + * Add log instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT used when configuring signedAudit + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of the log's substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void addLogInst(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String logType = null; + String id = req.getParameter(Constants.RS_ID); + + // if this "required" parameter is not present, + // always log messages to the signed audit log + logType = id; + if (logType == null) { + logType = SIGNED_AUDIT_LOG_TYPE; + } + + if (id == null) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + if (!isValidID(id)) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, "Invalid ID '" + id + "'", + null, resp); + return; + } + + if (mSys.getLogInsts().containsKey((Object) id)) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + 
auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_LOG_SRVLT_ILL_INST_ID"), + null, resp); + return; + } + + // get required parameters + String implname = req.getParameter( + Constants.PR_LOG_IMPL_NAME); + + if (implname == null) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_LOG_SRVLT_ADD_MISSING_PARAMS"), + null, resp); + return; + } + + // check if implementation exists. + LogPlugin plugin = + (LogPlugin) mSys.getLogPlugins().get( + implname); + + if (plugin == null) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse( + ERROR, + new ELogPluginNotFound(CMS.getUserMessage(getLocale(req), "CMS_LOG_PLUGIN_NOT_FOUND", implname)) + .toString(), + null, resp); + return; + } + + Vector configParams = mSys.getLogDefaultParams(implname); + + IConfigStore destStore = + mConfig.getSubStore("log"); + IConfigStore instancesConfig = + destStore.getSubStore("instance"); + IConfigStore substore = instancesConfig.makeSubStore(id); + + if (configParams != null) { + for (int i = 0; i < configParams.size(); i++) { + String kv = (String) configParams.elementAt(i); + int index = kv.indexOf('='); + String val = req.getParameter(kv.substring(0, index)); + + if (val == null) { + substore.put(kv.substring(0, index), + kv.substring(index + 1)); + } else { + substore.put(kv.substring(0, index), + val); + } + } + } + substore.put("pluginName", implname); + + // Fix Blackflag Bug #615603: Currently, although expiring log + 
// files is no longer supported, it is still a required parameter + // that must be present during the creation and modification of + // custom log plugins. + substore.put("expirationTime", "0"); + + // Instantiate an object for this implementation + String className = plugin.getClassPath(); + ILogEventListener logInst = null; + + try { + logInst = (ILogEventListener) Class.forName(className).newInstance(); + } catch (ClassNotFoundException e) { + // cleanup + instancesConfig.removeSubStore(id); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + new ELogException(CMS.getUserMessage(getLocale(req), "CMS_LOG_LOAD_CLASS_FAIL", className)) + .toString(), + null, resp); + return; + } catch (InstantiationException e) { + instancesConfig.removeSubStore(id); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + new ELogException(CMS.getUserMessage(getLocale(req), "CMS_LOG_LOAD_CLASS_FAIL", className)) + .toString(), + null, resp); + return; + } catch (IllegalAccessException e) { + instancesConfig.removeSubStore(id); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + new ELogException(CMS.getUserMessage(getLocale(req), "CMS_LOG_LOAD_CLASS_FAIL", className)) + .toString(), + null, resp); + return; + } + + // initialize the log + try { + logInst.init(mSys, substore); + 
} catch (EBaseException e) { + // don't commit in this case and cleanup the new substore. + instancesConfig.removeSubStore(id); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } catch (Throwable e) { + instancesConfig.removeSubStore(id); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, e.toString(), null, resp); + return; + } + + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + // clean up. + instancesConfig.removeSubStore(id); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // inited and commited ok. now add log instance to list. 
+ mSys.getLogInsts().put(id, logInst);
+
+ NameValuePairs params = new NameValuePairs();
+
+ params.put(Constants.PR_LOG_IMPL_NAME, implname);
+
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ // } catch( EBaseException eAudit1 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ private synchronized void listLogPlugins(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = mSys.getLogPlugins().keys();
+
+ while (e.hasMoreElements()) {
+ String name = (String) e.nextElement();
+ LogPlugin value = (LogPlugin)
+ mSys.getLogPlugins().get(name);
+ // get Description
+ String c = value.getClassPath();
+ String desc =
"unknown";
+
+ try {
+ ILogEventListener lp = (ILogEventListener)
+ Class.forName(c).newInstance();
+
+ desc = lp.getDescription();
+ } catch (Exception exp) {
+ sendResponse(ERROR, exp.toString(), null,
+ resp);
+ return;
+ }
+ params.put(name, value.getClassPath() + "," + desc);
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ public String getLogPluginName(ILogEventListener log) {
+ IConfigStore cs = log.getConfigStore();
+
+ try {
+ return cs.getString("pluginName", "");
+ } catch (EBaseException e) {
+ return "";
+ }
+ }
+
+ /**
+ * Delete log instance
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT used when configuring signedAudit + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of the log's substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void delLogInst(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String logType = null; + NameValuePairs params = new NameValuePairs(); + String id = req.getParameter(Constants.RS_ID); + + // if this "required" parameter is not present, + // always log messages to the signed audit log + logType = id; + if (logType == null) { + logType = SIGNED_AUDIT_LOG_TYPE; + } + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // Does the log instance exist? 
+ if (mSys.getLogInsts().containsKey(id) == false) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + new ELogNotFound(CMS.getUserMessage(getLocale(req), "CMS_LOG_INSTANCE_NOT_FOUND", id)) + .toString(), + null, resp); + return; + } + + // only remove from memory + // cannot shutdown because we don't keep track of whether it's + // being used. + mSys.getLogInsts().remove(id); + + // remove the configuration. + IConfigStore destStore = + mConfig.getSubStore("log"); + IConfigStore instancesConfig = + destStore.getSubStore("instance"); + + instancesConfig.removeSubStore(id); + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + //System.out.println("SRVLT_FAIL_COMMIT"); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(SUCCESS, null, params, resp); + return; + // } catch( EBaseException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled 
later
+ // throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ /**
+ * Delete log plug-in
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT used when configuring signedAudit + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of the log's substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void delLogPlugin(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String logType = null; + NameValuePairs params = new NameValuePairs(); + String id = req.getParameter(Constants.RS_ID); + + // if this "required" parameter is not present, + // always log messages to the signed audit log + logType = id; + if (logType == null) { + logType = SIGNED_AUDIT_LOG_TYPE; + } + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + if (mSys.getLogPlugins().containsKey(id) == false) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + new ELogPluginNotFound(CMS.getUserMessage(getLocale(req), "CMS_LOG_PLUGIN_NOT_FOUND", id)) + .toString(), + null, resp); + return; + } + + // first check if any instances from this log + // DON'T remove log if 
any instance + for (Enumeration e = mSys.getLogInsts().keys(); e.hasMoreElements();) { + String name = (String) e.nextElement(); + ILogEventListener log = mSys.getLogInstance(name); + + if (getLogPluginName(log) == id) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_LOG_SRVLT_IN_USE"), + null, resp); + return; + } + } + + // then delete this log + mSys.getLogPlugins().remove((Object) id); + + IConfigStore destStore = + mConfig.getSubStore("log"); + IConfigStore instancesConfig = + destStore.getSubStore("impl"); + + instancesConfig.removeSubStore(id); + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(SUCCESS, null, params, resp); + return; + // } catch( EBaseException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit1; + 
} catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ /**
+ * Modify log instance
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT used when configuring signedAudit + *
  • signed.audit LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE used when log file name (including any path changes) for + * any of audit, system, transaction, or other customized log file change is attempted (authorization should not + * allow, but make sure it's written after the attempt) + *
  • signed.audit LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE used when log expiration time change is attempted + * (authorization should not allow, but make sure it's written after the attempt) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of the log's substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void modLogInst(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String logType = null; + String origLogPath = req.getParameter(Constants.PR_LOG_FILENAME); + String newLogPath = origLogPath; + String origExpirationTime = req.getParameter( + Constants.PR_LOG_EXPIRED_TIME); + String newExpirationTime = origExpirationTime; + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + // if this "required" parameter is not present, + // always log messages to the signed audit log + logType = id; + if (logType == null) { + logType = SIGNED_AUDIT_LOG_TYPE; + } + + if (origLogPath != null) { + origLogPath = origLogPath.trim(); + newLogPath = newLogPath.trim(); + } else { + origLogPath = ""; + newLogPath = ""; + } + + if (origExpirationTime != null) { + origExpirationTime = origExpirationTime.trim(); + newExpirationTime = newExpirationTime.trim(); + } else { + origExpirationTime = ""; + newExpirationTime = ""; + } + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // Does 
the manager instance exist? + if (!mSys.getLogInsts().containsKey((Object) id)) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_LOG_SRVLT_ILL_INST_ID"), + null, resp); + return; + } + + // get new implementation (same or different.) + String implname = req.getParameter(Constants.PR_LOG_IMPL_NAME); + + if (implname == null) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_LOG_SRVLT_ADD_MISSING_PARAMS"), + + null, resp); + return; + } + // get plugin for implementation + LogPlugin plugin = + (LogPlugin) mSys.getLogPlugins().get(implname); + + if (plugin == null) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse( + ERROR, + new ELogPluginNotFound(CMS.getUserMessage(getLocale(req), "CMS_LOG_PLUGIN_NOT_FOUND", implname)) + .toString(), null, resp); + return; + } + + // save old instance substore params in case new one fails. + + ILogEventListener oldinst = + (ILogEventListener) mSys.getLogInstance(id); + Vector oldConfigParms = oldinst.getInstanceParams(); + NameValuePairs saveParams = new NameValuePairs(); + + // implName is always required so always include it it. 
+ saveParams.put("pluginName", implname); + if (oldConfigParms != null) { + for (int i = 0; i < oldConfigParms.size(); i++) { + String kv = (String) oldConfigParms.elementAt(i); + int index = kv.indexOf('='); + + saveParams.put(kv.substring(0, index), + kv.substring(index + 1)); + } + } + + // on to the new instance. + + // remove old substore. + + IConfigStore destStore = + mConfig.getSubStore("log"); + IConfigStore instancesConfig = + destStore.getSubStore("instance"); + + // create new substore. + + Vector configParams = mSys.getLogInstanceParams(id); + + //instancesConfig.removeSubStore(id); + + IConfigStore substore = instancesConfig.makeSubStore(id); + + substore.put("pluginName", implname); + + // Fix Blackflag Bug #615603: Currently, although expiring log + // files is no longer supported, it is still a required parameter + // that must be present during the creation and modification of + // custom log plugins. + substore.put("expirationTime", "0"); + + // IMPORTANT: save a copy of the original log file path + origLogPath = substore.getString(Constants.PR_LOG_FILENAME); + newLogPath = origLogPath; + + if (origLogPath != null) { + origLogPath = origLogPath.trim(); + newLogPath = newLogPath.trim(); + } else { + origLogPath = ""; + newLogPath = ""; + } + + // IMPORTANT: save a copy of the original log expiration time + origExpirationTime = substore.getString( + Constants.PR_LOG_EXPIRED_TIME); + newExpirationTime = origExpirationTime; + + if (origExpirationTime != null) { + origExpirationTime = origExpirationTime.trim(); + newExpirationTime = newExpirationTime.trim(); + } else { + origExpirationTime = ""; + newExpirationTime = ""; + } + + if (configParams != null) { + for (int i = 0; i < configParams.size(); i++) { + AUTHZ_RES_NAME = + "certServer.log.configuration"; + String kv = (String) configParams.elementAt(i); + int index = kv.indexOf('='); + String key = kv.substring(0, index); + String val = req.getParameter(key); + + if (key.equals("level")) { + if 
(val.equals(ILogger.LL_DEBUG_STRING)) + val = "0"; + else if (val.equals(ILogger.LL_INFO_STRING)) + val = "1"; + else if (val.equals(ILogger.LL_WARN_STRING)) + val = "2"; + else if (val.equals(ILogger.LL_FAILURE_STRING)) + val = "3"; + else if (val.equals(ILogger.LL_MISCONF_STRING)) + val = "4"; + else if (val.equals(ILogger.LL_CATASTRPHE_STRING)) + val = "5"; + else if (val.equals(ILogger.LL_SECURITY_STRING)) + val = "6"; + + } + + if (key.equals("rolloverInterval")) { + if (val.equals("Hourly")) + val = Integer.toString(60 * 60); + else if (val.equals("Daily")) + val = Integer.toString(60 * 60 * 24); + else if (val.equals("Weekly")) + val = Integer.toString(60 * 60 * 24 * 7); + else if (val.equals("Monthly")) + val = Integer.toString(60 * 60 * 24 * 30); + else if (val.equals("Yearly")) + val = Integer.toString(60 * 60 * 24 * 365); + } + + if (val != null) { + if (key.equals("fileName")) { + String origVal = substore.getString(key); + + val = val.trim(); + newLogPath = val; + if (!val.equals(origVal.trim())) { + AUTHZ_RES_NAME = + "certServer.log.configuration.fileName"; + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + // store a message in the signed audit log + // file (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newLogPath); + + audit(auditMessage); + } + + // store a message in the signed audit log + // file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + } + } + /* + if (key.equals("expirationTime")) { + String origVal = substore.getString(key); + + val = val.trim(); + newExpirationTime = val; + if 
(!val.equals(origVal.trim())) { + if (id.equals(SIGNED_AUDIT_LOG_TYPE)) { + AUTHZ_RES_NAME = + "certServer.log.configuration.signedAudit.expirationTime"; + } + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + // store a message in the signed audit log + // file (regardless of logType) + if (!(newExpirationTime.equals(origExpirationTime))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newExpirationTime); + + audit(auditMessage); + } + + // store a message in the signed audit log + // file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + } + } + */ + substore.put(key, val); + } + } + } + + // Instantiate an object for new implementation + + String className = plugin.getClassPath(); + @SuppressWarnings("unused") + ILogEventListener newMgrInst = null; + + try { + newMgrInst = (ILogEventListener) + Class.forName(className).newInstance(); + } catch (ClassNotFoundException e) { + // check to see if the log file path parameter was changed + newLogPath = auditCheckLogPath(req); + + // check to see if the log expiration time parameter was changed + // newExpirationTime = auditCheckLogExpirationTime(req); + + // cleanup + restore(instancesConfig, id, saveParams); + + // store a message in the signed audit log file + // (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newLogPath); + + audit(auditMessage); + } + + // store a message in the signed audit log file + // (regardless of logType) + /* + if (!(newExpirationTime.equals(origExpirationTime))) 
{ + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newExpirationTime); + + audit(auditMessage); + }*/ + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + new ELogException(CMS.getUserMessage(getLocale(req), "CMS_LOG_LOAD_CLASS_FAIL", className)) + .toString(), + null, resp); + return; + } catch (InstantiationException e) { + // check to see if the log file path parameter was changed + newLogPath = auditCheckLogPath(req); + + // check to see if the log expiration time parameter was changed + //newExpirationTime = auditCheckLogExpirationTime(req); + + restore(instancesConfig, id, saveParams); + + // store a message in the signed audit log file + // (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newLogPath); + + audit(auditMessage); + } + + // store a message in the signed audit log file + // (regardless of logType) + /*if (!(newExpirationTime.equals(origExpirationTime))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newExpirationTime); + + audit(auditMessage); + }*/ + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + new ELogException(CMS.getUserMessage(getLocale(req), "CMS_LOG_LOAD_CLASS_FAIL", className)) + .toString(), + null, resp); + return; + } catch (IllegalAccessException e) { 
+ // check to see if the log file path parameter was changed + newLogPath = auditCheckLogPath(req); + + // check to see if the log expiration time parameter was changed + //newExpirationTime = auditCheckLogExpirationTime(req); + + restore(instancesConfig, id, saveParams); + + // store a message in the signed audit log file + // (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newLogPath); + + audit(auditMessage); + } + + // store a message in the signed audit log file + // (regardless of logType) + /* if (!(newExpirationTime.equals(origExpirationTime))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newExpirationTime); + + audit(auditMessage); + } */ + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + new ELogException(CMS.getUserMessage(getLocale(req), "CMS_LOG_LOAD_CLASS_FAIL", className)) + .toString(), + null, resp); + return; + } + // initialize the log + + // initialized ok. commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + // check to see if the log file path parameter was changed + newLogPath = auditCheckLogPath(req); + + // check to see if the log expiration time parameter was changed + // newExpirationTime = auditCheckLogExpirationTime(req); + + // clean up. 
+ restore(instancesConfig, id, saveParams); + //System.out.println("SRVLT_FAIL_COMMIT"); + + // store a message in the signed audit log file + // (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newLogPath); + + audit(auditMessage); + } + + // store a message in the signed audit log file + // (regardless of logType) + /* if (!(newExpirationTime.equals(origExpirationTime))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newExpirationTime); + + audit(auditMessage); + }*/ + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // commited ok. replace instance. + + // REMOVED - we didn't do anything to shut off the old instance + // so, it will still be running at this point. You'd have two + // log isntances writing to the same file - this would be a big PROBLEM!!! 
+ + //mSys.getLogInsts().put(id, newMgrInst); + + NameValuePairs params = new NameValuePairs(); + + // check to see if the log file path parameter was changed + newLogPath = auditCheckLogPath(req); + + // check to see if the log expiration time parameter was changed + //newExpirationTime = auditCheckLogExpirationTime(req); + + // store a message in the signed audit log file + // (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, + auditSubjectID, + ILogger.SUCCESS, + logType, + newLogPath); + + audit(auditMessage); + } + + // store a message in the signed audit log file + // (regardless of logType) + /*if (!(newExpirationTime.equals(origExpirationTime))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE, + auditSubjectID, + ILogger.SUCCESS, + logType, + newExpirationTime); + + audit(auditMessage); + }*/ + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(RESTART, null, params, resp); + return; + } catch (EBaseException eAudit1) { + // check to see if the log file path parameter was changed + newLogPath = auditCheckLogPath(req); + + // check to see if the log expiration time parameter was changed + // newExpirationTime = auditCheckLogExpirationTime(req); + + // store a message in the signed audit log file + // (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newLogPath); + + audit(auditMessage); + } + + // store a message in the signed audit log file + // (regardless of logType) + /* if (!(newExpirationTime.equals(origExpirationTime))) { + auditMessage = CMS.getLogMessage( + 
LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newExpirationTime); + + audit(auditMessage); + } */ + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // check to see if the log file path parameter was changed + newLogPath = auditCheckLogPath(req); + + // check to see if the log expiration time parameter was changed + // newExpirationTime = auditCheckLogExpirationTime(req); + + // store a message in the signed audit log file + // (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newLogPath); + + audit(auditMessage); + } + + // store a message in the signed audit log file + // (regardless of logType) + /*if (!(newExpirationTime.equals(origExpirationTime))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newExpirationTime); + + audit(auditMessage); + }*/ + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // check to see if the log file path parameter was changed + // newLogPath = auditCheckLogPath( req ); + // + // // check to see if the log expiration time parameter was changed + // newExpirationTime = auditCheckLogExpirationTime( req ); + // + 
// // store a message in the signed audit log file + // // (regardless of logType) + // if( !( newLogPath.equals( origLogPath ) ) ) { + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, + // auditSubjectID, + // ILogger.FAILURE, + // logType, + // newLogPath ); + // + // audit( auditMessage ); + // } + // + // // store a message in the signed audit log file + // // (regardless of logType) + // if( !( newExpirationTime.equals( origExpirationTime ) ) ) { + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE, + // auditSubjectID, + // ILogger.FAILURE, + // logType, + // newExpirationTime ); + // + // audit( auditMessage ); + // } + // + // // store a message in the signed audit log file + // if( logType.equals( SIGNED_AUDIT_LOG_TYPE ) ) { + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // } + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * used for getting the required configuration parameters (with + * possible default values) for a particular plugin + * implementation name specified in the RS_ID. Actually, there is + * no logic in here to set any default value here...there's no + * default value for any parameter in this log subsystem + * at this point. Later, if we do have one (or some), it can be + * added. The interface remains the same. 
+ */ + private synchronized void getConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + + String implname = req.getParameter(Constants.RS_ID); + + if (implname == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + Vector configParams = mSys.getLogDefaultParams(implname); + NameValuePairs params = new NameValuePairs(); + + // implName is always required so always send it. + params.put(Constants.PR_LOG_IMPL_NAME, ""); + if (configParams != null) { + for (int i = 0; i < configParams.size(); i++) { + String kv = (String) configParams.elementAt(i); + int index = kv.indexOf('='); + + if (index == -1) { + params.put(kv, ""); + } else { + params.put(kv.substring(0, index), + kv.substring(index + 1)); + } + } + } + sendResponse(0, null, params, resp); + return; + } + + private synchronized void getInstConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // does log instance exist? + if (mSys.getLogInsts().containsKey(id) == false) { + sendResponse(ERROR, + new ELogNotFound(CMS.getUserMessage(getLocale(req), "CMS_LOG_INSTANCE_NOT_FOUND", id)).toString(), + null, resp); + return; + } + + ILogEventListener logInst = (ILogEventListener) + mSys.getLogInstance(id); + Vector configParams = logInst.getInstanceParams(); + NameValuePairs params = new NameValuePairs(); + + params.put(Constants.PR_LOG_IMPL_NAME, + getLogPluginName(logInst)); + // implName is always required so always send it. 
+ if (configParams != null) { + for (int i = 0; i < configParams.size(); i++) { + String kv = (String) configParams.elementAt(i); + int index = kv.indexOf('='); + + params.put(kv.substring(0, index), + kv.substring(index + 1)); + } + } + + sendResponse(SUCCESS, null, params, resp); + return; + } + + // convenience routine. + private static void restore(IConfigStore store, + String id, NameValuePairs saveParams) { + store.removeSubStore(id); + IConfigStore rstore = store.makeSubStore(id); + + for (String key : saveParams.keySet()) { + String value = saveParams.get(key); + + if (value != null) + rstore.put(key, value); + } + } + + /** + * Signed Audit Check Log Path + * + * This method is called to extract the log file path. + *

+ * + * @param req http servlet request + * @return a string containing the log file path + */ + private String auditCheckLogPath(HttpServletRequest req) { + // check to see if the log file path parameter was changed + String logPath = req.getParameter(Constants.PR_LOG_FILENAME); + + if (logPath == null) { + logPath = ""; + } + + logPath = logPath.trim(); + + return logPath; + } + + private void getGeneralConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + String value = "false"; + + value = mConfig.getString(Constants.PR_DEBUG_LOG_ENABLE, "false"); + params.put(Constants.PR_DEBUG_LOG_ENABLE, value); + + value = mConfig.getString(Constants.PR_DEBUG_LOG_LEVEL, "0"); + params.put(Constants.PR_DEBUG_LOG_LEVEL, value); + + sendResponse(SUCCESS, null, params, resp); + } + + private void setGeneralConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + boolean restart = false; + + while (enum1.hasMoreElements()) { + String key = enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.PR_DEBUG_LOG_ENABLE)) { + if (value.equals("true") || value.equals("false")) { + mConfig.putString(Constants.PR_DEBUG_LOG_ENABLE, value); + } else { + CMS.debug("setGeneralConfig: Invalid value for " + Constants.PR_DEBUG_LOG_ENABLE + ": " + value); + throw new EBaseException("Invalid value for " + Constants.PR_DEBUG_LOG_ENABLE); + } + } else if (key.equals(Constants.PR_DEBUG_LOG_LEVEL)) { + try { + Integer.parseInt(value); // check for errors + mConfig.putString(Constants.PR_DEBUG_LOG_LEVEL, value); + } catch (NumberFormatException e) { + CMS.debug("setGeneralConfig: Invalid value for " + Constants.PR_DEBUG_LOG_LEVEL + ": " + value); + throw new EBaseException("Invalid value for " + 
Constants.PR_DEBUG_LOG_LEVEL); + } + } + } + + mConfig.commit(true); + + if (restart) + sendResponse(RESTART, null, null, resp); + else + sendResponse(SUCCESS, null, null, resp); + } + +} diff --git a/base/common/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java new file mode 100644 index 000000000..0e6784413 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java 
@@ -0,0 +1,543 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.common.OpDef;
+import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.ocsp.IOCSPAuthority;
+import com.netscape.certsrv.ocsp.IOCSPStore;
+
+/**
+ * A class representings an administration servlet for Certificate
+ * Authority. This servlet is responsible to serve OCSP
+ * administrative operations such as configuration parameter
+ * updates.
+ * + * @version $Revision$, $Date$ + */ +public class OCSPAdminServlet extends AdminServlet { + + /** + * + */ + private static final long serialVersionUID = -3349635369730415767L; + + protected static final String PROP_ENABLED = "enabled"; + + private final static String INFO = "OCSPAdminServlet"; + + private final static String LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE = + "LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3"; + + private IOCSPAuthority mOCSP = null; + + public OCSPAdminServlet() { + super(); + } + + /** + * Initializes this servlet. + */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + mOCSP = (IOCSPAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_OCSP); + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + /** + * Serves HTTP request. Each request is authenticated to + * the authenticate manager. + */ + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + + //get all operational flags + String op = req.getParameter(Constants.OP_TYPE); + String scope = req.getParameter(Constants.OP_SCOPE); + + //check operational flags + if ((op == null) || (scope == null)) { + sendResponse(1, "Invalid Protocol", null, resp); + return; + } + + super.authenticate(req); + + try { + AUTHZ_RES_NAME = "certServer.ocsp.configuration"; + if (scope.equals(ScopeDef.SC_EXTENDED_PLUGIN_INFO)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + try { + getExtendedPluginInfo(req, resp); + return; + } catch (EBaseException e) { + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + } + } + + if (scope.equals(ScopeDef.SC_OCSPSTORE_DEFAULT)) { + if (op.equals(OpDef.OP_MODIFY)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + 
CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + setDefaultStore(req, resp); + return; + } + } + + if (op.equals(OpDef.OP_READ)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_GENERAL)) { + getGeneralConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_OCSPSTORES_RULES)) { + getOCSPStoresConfig(req, resp); + return; + } + } else if (op.equals(OpDef.OP_MODIFY)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_GENERAL)) { + setGeneralConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_OCSPSTORES_RULES)) { + setOCSPStoresConfig(req, resp); + return; + } + } else if (op.equals(OpDef.OP_SEARCH)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_OCSPSTORES_RULES)) { + listOCSPStoresConfig(req, resp); + return; + } + } + } catch (Exception e) { + sendResponse(1, e.toString(), null, resp); + return; + } + } + + /** + * retrieve extended plugin info such as brief description, + * type info from CRL extensions + */ + private void getExtendedPluginInfo(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String id = req.getParameter(Constants.RS_ID); + int colon = id.indexOf(':'); + + String implType = id.substring(0, colon); + String implName = id.substring(colon + 1); + + NameValuePairs params = + getExtendedPluginInfo(getLocale(req), implType, implName); + + sendResponse(SUCCESS, null, params, resp); + } + + private NameValuePairs 
getExtendedPluginInfo(Locale locale, String implType, String implName) { + IExtendedPluginInfo ext_info = null; + Object impl = null; + + impl = getClassByNameAsExtendedPluginInfo(implName); + if (impl != null) { + if (impl instanceof IExtendedPluginInfo) { + ext_info = (IExtendedPluginInfo) impl; + } + } + + NameValuePairs nvps = null; + + if (ext_info == null) { + nvps = new NameValuePairs(); + } else { + nvps = convertStringArrayToNVPairs(ext_info.getExtendedPluginInfo(locale)); + } + + return nvps; + + } + + /** + * Set default OCSP store + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE used when configuring OCSP profile (everything under + * Online Certificate Status Manager) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void setDefaultStore(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + mOCSP.getConfigStore().putString(IOCSPAuthority.PROP_DEF_STORE_ID, + id); + commit(true); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw 
eAudit3; + } + } + + private void getOCSPStoresConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + String id = req.getParameter(Constants.RS_ID); + + IOCSPStore store = mOCSP.getOCSPStore(id); + NameValuePairs params = store.getConfigParameters(); + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Set OCSP store configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE used when configuring OCSP profile (everything under + * Online Certificate Status Manager) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void setOCSPStoresConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + + String id = req.getParameter(Constants.RS_ID); + + IOCSPStore store = mOCSP.getOCSPStore(id); + + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_CRLEXT_IMPL_NAME)) + continue; + if (name.equals("RULENAME")) + continue; + String value = req.getParameter(name); + + params.put(name, value); + } + store.setConfigParameters(params); + commit(true); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + 
LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + private void listOCSPStoresConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + IConfigStore config = mOCSP.getConfigStore(); + String defStore = config.getString(IOCSPAuthority.PROP_DEF_STORE_ID); + IConfigStore SubStore = config.getSubStore(IOCSPAuthority.PROP_STORE); + Enumeration enumStores = SubStore.getSubStoreNames(); + + while (enumStores.hasMoreElements()) { + String storeName = enumStores.nextElement(); + boolean storeEnabled = false; + + if (storeName.equals(defStore)) { + storeEnabled = true; + } + params.put(storeName, storeName + ";visible;" + ((storeEnabled) ? 
"enabled" : "disabled")); + } + sendResponse(SUCCESS, null, params, resp); + } + + private void getGeneralConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + + getSigningAlgConfig(params); + + sendResponse(SUCCESS, null, params, resp); + } + + private void getSigningAlgConfig(NameValuePairs params) { + params.put(Constants.PR_DEFAULT_ALGORITHM, + mOCSP.getDefaultAlgorithm()); + String[] algorithms = mOCSP.getOCSPSigningAlgorithms(); + StringBuffer algorStr = new StringBuffer(); + + for (int i = 0; i < algorithms.length; i++) { + if (i == 0) + algorStr.append(algorithms[i]); + else + algorStr.append(":"); + algorStr.append(algorithms[i]); + } + params.put(Constants.PR_ALL_ALGORITHMS, algorStr.toString()); + } + + /** + * Set general OCSP configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE used when configuring OCSP profile (everything under + * Online Certificate Status Manager) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void setGeneralConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.PR_DEFAULT_ALGORITHM)) { + mOCSP.setDefaultAlgorithm(value); + } + } + + commit(true); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + + } + } +} 
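Review bot: `getSigningAlgConfig` (defined in this hunk right after `getGeneralConfig`) emits the first entry of `mOCSP.getOCSPSigningAlgorithms()` twice, because the `i == 0` branch appends `algorithms[i]` and the unconditional `algorStr.append(algorithms[i])` that follows appends it again, so `PR_ALL_ALGORITHMS` comes out as e.g. `AlgAAlgA:AlgB` (constructed example) instead of `AlgA:AlgB`. The loop body should read `if (i > 0) algorStr.append(":"); algorStr.append(algorithms[i]);`. Separately, `getExtendedPluginInfo(req, resp)` calls `id.indexOf(':')` and `id.substring(0, colon)` on the raw `RS_ID` parameter with no null or missing-colon guard, and `setDefaultStore` persists `RS_ID` into `PROP_DEF_STORE_ID` without confirming that `mOCSP.getOCSPStore(id)` resolves; both are behind `authorize(req)`, but answering a missing id with `CMS_ADMIN_SRVLT_NULL_RS_ID`, as `LogAdminServlet.getConfig` does earlier in this commit, would keep the admin servlets consistent and avoid committing an unresolvable store id. The `Enumeration`/`Vector` type arguments appear to have been stripped by the page rendering, so assignments such as `String name = e.nextElement();` are presumably a display artifact rather than raw-type compile errors.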
diff --git a/base/common/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java
new file mode 100644
index 000000000..0bcb962ea
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java
@@ -0,0 +1,1258 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.Locale;
+import java.util.Vector;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authority.IAuthority;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.common.OpDef;
+import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.policy.IPolicyProcessor;
+import com.netscape.certsrv.policy.IPolicyRule;
+import com.netscape.certsrv.ra.IRegistrationAuthority;
+
+/**
+ * This class is an administration servlet for policy management.
+ * + * Each service (CA, KRA, RA) should be responsible + * for registering an instance of this with the remote + * administration subsystem. + * + * @deprecated + * @version $Revision$, $Date$ + */ +public class PolicyAdminServlet extends AdminServlet { + /** + * + */ + private static final long serialVersionUID = 8850646362111106656L; + + public final static String PROP_AUTHORITY = "authority"; + + private final static String INFO = "PolicyAdminServlet"; + private final static String PW_PASSWORD_CACHE_ADD = + "PASSWORD_CACHE_ADD"; + + public final static String PROP_PREDICATE = "predicate"; + private IPolicyProcessor mProcessor = null; + private IAuthority mAuthority = null; + + // These will be moved to PolicyResources + public static String INVALID_POLICY_SCOPE = "Invalid policy administration scope"; + public static String INVALID_POLICY_IMPL_OP = "Invalid operation for policy implementation management"; + public static String NYI = "Not Yet Implemented"; + public static String INVALID_POLICY_IMPL_CONFIG = "Invalid policy implementation configuration"; + public static String INVALID_POLICY_INSTANCE_CONFIG = "Invalid policy instance configuration"; + public static String MISSING_POLICY_IMPL_ID = "Missing policy impl id in request"; + public static String MISSING_POLICY_IMPL_CLASS = "Missing policy impl class in request"; + public static String INVALID_POLICY_IMPL_ID = "Invalid policy impl id in request"; + public static String MISSING_POLICY_INST_ID = "Missing policy impl id in request"; + public static String INVALID_POLICY_INST_ID = "Invalid policy impl id in request"; + public static String COMMA = ","; + public static String MISSING_POLICY_ORDERING = "Missing policy ordering"; + + private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY = + "LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3"; + + /** + * Constructs administration servlet. + */ + public PolicyAdminServlet() { + super(); + } + + /** + * Initializes this servlet. 
+ */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + String authority = config.getInitParameter(PROP_AUTHORITY); + String policyStatus = null; + + CMS.debug("PolicyAdminServlet: In Policy Admin Servlet init!"); + + // CMS 6.1 began utilizing the "Certificate Profiles" framework + // instead of the legacy "Certificate Policies" framework. + // + // Beginning with CS 8.1, to meet the Common Criteria evaluation + // performed on this version of the product, it was determined + // that this legacy "Certificate Policies" framework would be + // deprecated and disabled by default (see Bugzilla Bug #472597). + // + // NOTE: The "Certificate Policies" framework ONLY applied to + // to CA, KRA, and legacy RA (pre-CMS 7.0) subsystems. + // + // Further, the "PolicyAdminServlet.java" servlet is ONLY used + // by the CA Console for the following: + // + // SERVLET-NAME URL-PATTERN + // ==================================================== + // capolicy ca/capolicy + // + // Finally, the "PolicyAdminServlet.java" servlet is ONLY used + // by the KRA Console for the following: + // + // SERVLET-NAME URL-PATTERN + // ==================================================== + // krapolicy kra/krapolicy + // + if (authority != null) + mAuthority = (IAuthority) CMS.getSubsystem(authority); + if (mAuthority != null) + if (mAuthority instanceof ICertificateAuthority) { + mProcessor = ((ICertificateAuthority) mAuthority).getPolicyProcessor(); + try { + policyStatus = ICertificateAuthority.ID + + "." + "Policy" + + "." + IPolicyProcessor.PROP_ENABLE; + if (mConfig.getBoolean(policyStatus, true) == true) { + // NOTE: If "ca.Policy.enable=" is missing, + // then the referenced instance existed prior + // to this name=value pair existing in its + // 'CS.cfg' file, and thus we err on the + // side that the user may still need to + // use the policy framework. 
+ CMS.debug("PolicyAdminServlet::init " + + "Certificate Policy Framework (deprecated) " + + "is ENABLED"); + } else { + // CS 8.1 Default: ca.Policy.enable=false + CMS.debug("PolicyAdminServlet::init " + + "Certificate Policy Framework (deprecated) " + + "is DISABLED"); + return; + } + } catch (EBaseException e) { + throw new ServletException(authority + + " does not have a " + + "master policy switch called '" + + policyStatus + "'"); + } + } else if (mAuthority instanceof IRegistrationAuthority) { + // this refers to the legacy RA (pre-CMS 7.0) + mProcessor = ((IRegistrationAuthority) mAuthority).getPolicyProcessor(); + } else if (mAuthority instanceof IKeyRecoveryAuthority) { + mProcessor = ((IKeyRecoveryAuthority) mAuthority).getPolicyProcessor(); + try { + policyStatus = IKeyRecoveryAuthority.ID + + "." + "Policy" + + "." + IPolicyProcessor.PROP_ENABLE; + if (mConfig.getBoolean(policyStatus, true) == true) { + // NOTE: If "kra.Policy.enable=" is missing, + // then the referenced instance existed prior + // to this name=value pair existing in its + // 'CS.cfg' file, and thus we err on the + // side that the user may still need to + // use the policy framework. + CMS.debug("PolicyAdminServlet::init " + + "Certificate Policy Framework (deprecated) " + + "is ENABLED"); + } else { + // CS 8.1 Default: kra.Policy.enable=false + CMS.debug("PolicyAdminServlet::init " + + "Certificate Policy Framework (deprecated) " + + "is DISABLED"); + return; + } + } catch (EBaseException e) { + throw new ServletException(authority + + " does not have a " + + "master policy switch called '" + + policyStatus + "'"); + } + } else + throw new ServletException(authority + " does not have policy processor!"); + } + + /** + * Returns serlvet information. 
+ */ + public String getServletInfo() { + return INFO; + } + + /** + * retrieve extended plugin info such as brief description, type info + * from policy, authentication, + * need to add: listener, mapper and publishing plugins + */ + private void getExtendedPluginInfo(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + if (!readAuthorize(req, resp)) + return; + String id = req.getParameter(Constants.RS_ID); + NameValuePairs params = null; + + int colon = id.indexOf(':'); + + String implType = id.substring(0, colon); + String implName1 = id.substring(colon + 1); + String implName = implName1; + String instName = null; + + colon = implName1.indexOf(':'); + if (colon > -1) { + implName = implName1.substring(0, colon); + instName = implName1.substring(colon + 1); + params = getExtendedPluginInfo(getLocale(req), implType, implName, instName); + } else { + params = getExtendedPluginInfo(getLocale(req), implType, implName); + } + sendResponse(SUCCESS, null, params, resp); + } + + private NameValuePairs getExtendedPluginInfo(Locale locale, String implType, String implName) { + IExtendedPluginInfo ext_info = null; + Object impl = null; + IPolicyRule policy = mProcessor.getPolicyImpl(implName); + + impl = policy; + + if (impl != null) { + if (impl instanceof IExtendedPluginInfo) { + ext_info = (IExtendedPluginInfo) impl; + } + } + + NameValuePairs nvps = null; + + if (ext_info == null) { + nvps = new NameValuePairs(); + } else { + nvps = convertStringArrayToNVPairs(ext_info.getExtendedPluginInfo(locale)); + } + + return nvps; + } + + public NameValuePairs getExtendedPluginInfo(Locale locale, String pluginType, + String implName, + String instName) { + IExtendedPluginInfo ext_info = null; + + Object impl = null; + + IPolicyRule policy = mProcessor.getPolicyInstance(instName); + + impl = policy; + if (impl == null) { + impl = mProcessor.getPolicyImpl(implName); + } + if (impl != null) { + if (impl instanceof 
IExtendedPluginInfo) { + ext_info = (IExtendedPluginInfo) impl; + } + } + + NameValuePairs nvps = null; + + if (ext_info == null) { + nvps = new NameValuePairs(); + } else { + nvps = convertStringArrayToNVPairs(ext_info.getExtendedPluginInfo(locale)); + + } + + if (nvps != null) { + addDefaultParams(impl, nvps); + } + + return nvps; + } + + private void addDefaultParams(Object ext_info, NameValuePairs nvps) { + + /* make sure policy rules have 'enable' and 'predicate' */ + + if (ext_info instanceof IPolicyRule) { + if (nvps.get(IPolicyRule.PROP_ENABLE) == null) { + nvps.put(IPolicyRule.PROP_ENABLE, "boolean;Enable this policy rule"); + } + if (nvps.get(PROP_PREDICATE) == null) { + nvps.put(PROP_PREDICATE, "string;Rules describing when this policy should run."); + } + } + } + + /** + * Serves HTTP admin request. + */ + public void service(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + + super.authenticate(req); + + AUTHZ_RES_NAME = "certServer.policy.configuration"; + String scope = req.getParameter(Constants.OP_SCOPE); + + if (scope.equals(ScopeDef.SC_POLICY_RULES)) + processPolicyRuleMgmt(req, resp); + else if (scope.equals(ScopeDef.SC_POLICY_IMPLS)) + processPolicyImplMgmt(req, resp); + else if (scope.equals(ScopeDef.SC_EXTENDED_PLUGIN_INFO)) { + try { + getExtendedPluginInfo(req, resp); + } catch (EBaseException e) { + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } + } else + sendResponse(ERROR, INVALID_POLICY_SCOPE, null, resp); + } + + private boolean readAuthorize(HttpServletRequest req, + HttpServletResponse resp) throws IOException { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return false; + } + return true; + } + + private boolean modifyAuthorize(HttpServletRequest req, + HttpServletResponse resp) throws IOException { + mOp = 
"modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return false; + } + return true; + } + + /** + * Process Policy Implementation Management. + */ + public void processPolicyImplMgmt(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get operation type + String op = req.getParameter(Constants.OP_TYPE); + + if (op.equals(OpDef.OP_SEARCH)) { + if (!readAuthorize(req, resp)) + return; + listPolicyImpls(req, resp); + } else if (op.equals(OpDef.OP_DELETE)) { + if (!modifyAuthorize(req, resp)) + return; + deletePolicyImpl(req, resp); + } else if (op.equals(OpDef.OP_READ)) { + if (!readAuthorize(req, resp)) + return; + getPolicyImplConfig(req, resp); + } else if (op.equals(OpDef.OP_ADD)) { + if (!modifyAuthorize(req, resp)) + return; + addPolicyImpl(req, resp); + } else + sendResponse(ERROR, INVALID_POLICY_IMPL_OP, + null, resp); + } + + public void processPolicyRuleMgmt(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get operation type + String op = req.getParameter(Constants.OP_TYPE); + + if (op.equals(OpDef.OP_SEARCH)) { + if (!readAuthorize(req, resp)) + return; + listPolicyInstances(req, resp); + } else if (op.equals(OpDef.OP_DELETE)) { + if (!modifyAuthorize(req, resp)) + return; + deletePolicyInstance(req, resp); + } else if (op.equals(OpDef.OP_READ)) { + if (!readAuthorize(req, resp)) + return; + getPolicyInstanceConfig(req, resp); + } else if (op.equals(OpDef.OP_ADD)) { + if (!modifyAuthorize(req, resp)) + return; + addPolicyInstance(req, resp); + } else if (op.equals(OpDef.OP_MODIFY)) { + if (!modifyAuthorize(req, resp)) + return; + String id = req.getParameter(Constants.RS_ID); + + if (id.equalsIgnoreCase(Constants.RS_ID_ORDER)) + changePolicyInstanceOrdering(req, resp); + else + modifyPolicyInstance(req, resp); + } else + sendResponse(ERROR, 
INVALID_POLICY_IMPL_OP, + null, resp); + } + + public void listPolicyImpls(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + Enumeration policyImplNames = mProcessor.getPolicyImplsInfo(); + Enumeration policyImpls = mProcessor.getPolicyImpls(); + + if (policyImplNames == null || + policyImpls == null) { + sendResponse(ERROR, INVALID_POLICY_IMPL_CONFIG, null, resp); + return; + } + + // Assemble a name value pair; + NameValuePairs nvp = new NameValuePairs(); + + while (policyImplNames.hasMoreElements() && + policyImpls.hasMoreElements()) { + String id = policyImplNames.nextElement(); + IPolicyRule impl = policyImpls.nextElement(); + String className = + impl.getClass().getName(); + String desc = impl.getDescription(); + + nvp.put(id, className + "," + desc); + } + sendResponse(SUCCESS, null, nvp, resp); + } + + public void listPolicyInstances(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + Enumeration instancesInfo = mProcessor.getPolicyInstancesInfo(); + + if (instancesInfo == null) { + sendResponse(ERROR, INVALID_POLICY_INSTANCE_CONFIG, null, resp); + return; + } + + // Assemble name value pairs + NameValuePairs nvp = new NameValuePairs(); + + while (instancesInfo.hasMoreElements()) { + String info = instancesInfo.nextElement(); + int i = info.indexOf(";"); + + nvp.put(info.substring(0, i), info.substring(i + 1)); + + } + sendResponse(SUCCESS, null, nvp, resp); + } + + /** + * Delete policy implementation + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY used when configuring cert policy constraints and + * extensions + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void deletePolicyImpl(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // Get the policy impl id. + String id = req.getParameter(Constants.RS_ID).trim(); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + try { + mProcessor.deletePolicyImpl(id); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (Exception e) { + //e.printStackTrace(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, e.toString(), null, resp); + } + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // 
LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + public void getPolicyImplConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get the policy impl id. + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + Vector v = mProcessor.getPolicyImplConfig(id); + + if (v == null) { + sendResponse(ERROR, INVALID_POLICY_IMPL_ID, null, resp); + return; + } + NameValuePairs nvp = new NameValuePairs(); + + for (Enumeration e = v.elements(); e.hasMoreElements();) { + String nv = e.nextElement(); + int index = nv.indexOf("="); + + nvp.put(nv.substring(0, index), nv.substring(index + 1)); + } + sendResponse(SUCCESS, null, nvp, resp); + } + + /** + * Add policy implementation + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY used when configuring cert policy constraints and + * extensions + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void addPolicyImpl(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // Get the policy impl id and class path. + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + String classPath = req.getParameter(Constants.PR_POLICY_CLASS); + + if (classPath == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_IMPL_CLASS, null, resp); + return; + } + try { + mProcessor.addPolicyImpl(id, classPath); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, e.toString(), null, resp); + } + } catch (IOException eAudit1) { + // store a message in the signed audit log file + 
auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Delete policy instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY used when configuring cert policy constraints and + * extensions + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void deletePolicyInstance(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // Get the policy impl id. + String id = req.getParameter(Constants.RS_ID).trim(); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_INST_ID, null, resp); + return; + } + + try { + mProcessor.deletePolicyInstance(id); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (Exception e) { + //e.printStackTrace(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, e.toString(), null, resp); + } + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = 
CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + public void getPolicyInstanceConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get the policy rule id. + String id = req.getParameter(Constants.RS_ID).trim(); + + if (id == null) { + sendResponse(ERROR, MISSING_POLICY_INST_ID, null, resp); + return; + } + + Vector v = mProcessor.getPolicyInstanceConfig(id); + + if (v == null) { + sendResponse(ERROR, INVALID_POLICY_INST_ID, null, resp); + return; + } + NameValuePairs nvp = new NameValuePairs(); + + for (Enumeration e = v.elements(); e.hasMoreElements();) { + String nv = e.nextElement(); + int index = nv.indexOf("="); + String name = nv.substring(0, index); + String value = nv.substring(index + 1); + + if (value == null) { + value = ""; + } + + nvp.put(name, value); + + } + sendResponse(SUCCESS, null, nvp, resp); + } + + public void + putUserPWPair(String combo) { + int semicolon; + + semicolon = combo.indexOf(";"); + String user = combo.substring(0, semicolon); + String pw = combo.substring(semicolon + 1); + + CMS.putPasswordCache(user, pw); + } + + /** + * Add policy instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY used when configuring cert policy constraints and + * extensions + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void addPolicyInstance(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // Get the policy impl id and class path. + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_INST_ID, null, resp); + return; + } + + // Get the default config params for the implementation. + String implName = req.getParameter(IPolicyRule.PROP_IMPLNAME); + + if (implName == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + // We need to fetch parameters: enable, predicate and implname + // always, and any additional parameters as required by the + // implementation. 
+ Hashtable ht = new Hashtable(); + String val = req.getParameter(IPolicyRule.PROP_ENABLE).trim(); + + if (val == null) + val = "true"; + ht.put(IPolicyRule.PROP_ENABLE, val); + + val = req.getParameter(IPolicyRule.PROP_PREDICATE); + if (val != null) + ht.put(IPolicyRule.PROP_PREDICATE, val); + ht.put(IPolicyRule.PROP_IMPLNAME, implName); + + Vector v = mProcessor.getPolicyImplConfig(implName); + + if (v == null) { + // Invalid impl id + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, INVALID_POLICY_IMPL_ID, null, resp); + return; + } + for (Enumeration e = v.elements(); e.hasMoreElements();) { + String nv = e.nextElement(); + int index = nv.indexOf("="); + String key = nv.substring(0, index); + + val = req.getParameter(key).trim(); + if (val != null) + ht.put(key, val); + } + + String pwadd = req.getParameter(PW_PASSWORD_CACHE_ADD); + + if (pwadd != null) { + putUserPWPair(pwadd); + } + + try { + mProcessor.addPolicyInstance(id, ht); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, e.toString(), null, resp); + } + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + 
throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Change ordering of policy instances + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY used when configuring cert policy constraints and + * extensions + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void changePolicyInstanceOrdering(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String policyOrder = + req.getParameter(Constants.PR_POLICY_ORDER); + + if (policyOrder == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_ORDERING, null, resp); + return; + } + try { + mProcessor.changePolicyInstanceOrdering(policyOrder); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, e.toString(), null, resp); + } + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // 
LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Modify policy instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY used when configuring cert policy constraints and + * extensions + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void modifyPolicyInstance(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // Get the policy impl id and class path. + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_INST_ID, null, resp); + return; + } + + // Get the default config params for the implementation. + String implName = req.getParameter(IPolicyRule.PROP_IMPLNAME).trim(); + + if (implName == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + // We need to fetch parameters: enable, predicate and implname + // always, and any additional parameters as required by the + // implementation. 
+ Hashtable ht = new Hashtable(); + String val = req.getParameter(IPolicyRule.PROP_ENABLE).trim(); + + if (val == null) + val = "true"; + ht.put(IPolicyRule.PROP_ENABLE, val); + + val = req.getParameter(IPolicyRule.PROP_PREDICATE); + if (val != null) + ht.put(IPolicyRule.PROP_PREDICATE, val); + ht.put(IPolicyRule.PROP_IMPLNAME, implName); + Vector v = mProcessor.getPolicyImplConfig(implName); + + if (v == null) { + // Invalid impl id + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, INVALID_POLICY_IMPL_ID, null, resp); + return; + } + // XXX + for (@SuppressWarnings("unchecked") + Enumeration n = req.getParameterNames(); n.hasMoreElements();) { + String p = n.nextElement(); + String l = req.getParameter(p); + + if (l != null) + ht.put(p, l); + } + + /* + for(Enumeration e = v.elements(); e.hasMoreElements(); ) + { + String nv = (String)e.nextElement(); + int index = nv.indexOf("="); + String key = nv.substring(0, index); + val = req.getParameter(key); + if (val != null) + ht.put(key, val); + } + */ + + try { + mProcessor.modifyPolicyInstance(id, ht); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, e.toString(), null, resp); + } + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + 
ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ // } catch( ServletException eAudit2 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit2;
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java
new file mode 100644
index 000000000..94235f532
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java
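Review bot: In deletePolicyImpl, deletePolicyInstance and getPolicyInstanceConfig the id is read as `req.getParameter(Constants.RS_ID).trim()` before the `if (id == null)` check, so a request without that parameter throws NullPointerException instead of answering MISSING_POLICY_IMPL_ID/MISSING_POLICY_INST_ID, and because the outer try catches only IOException the FAILURE audit record the "ensure that any low-level exceptions are reported to the signed audit log" comment promises is never written; the same dead null-guard follows `getParameter(IPolicyRule.PROP_ENABLE).trim()` in addPolicyInstance and modifyPolicyInstance (the `val = "true"` default is unreachable), `getParameter(IPolicyRule.PROP_IMPLNAME).trim()` in modifyPolicyInstance, and `req.getParameter(key).trim()` in addPolicyInstance's config loop. Read the raw value first and trim after the check, e.g. `String id = req.getParameter(Constants.RS_ID);` then `if (id == null) { /* audit FAILURE, send MISSING_… */ return; }` then `id = id.trim();`. Separately, the `// XXX` loop in modifyPolicyInstance copies every request parameter (OP_TYPE, OP_SCOPE and RS_ID included) into the Hashtable handed to mProcessor.modifyPolicyInstance, whereas addPolicyInstance restricts the keys to those returned by getPolicyImplConfig; the commented-out loop beneath it appears to be the intended filtered version, and restoring it would keep unknown keys out of the policy configuration. putUserPWPair also assumes the `;` separator is present — a -1 from `combo.indexOf(";")` makes the substring calls throw — so a guard there would round this out.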
@@ -0,0 +1,2682 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.StringTokenizer;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authority.IAuthority;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.common.OpDef;
+import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IPolicyConstraint;
+import com.netscape.certsrv.profile.IPolicyDefault;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileEx;
+import com.netscape.certsrv.profile.IProfileInput;
+import com.netscape.certsrv.profile.IProfileOutput;
+import com.netscape.certsrv.profile.IProfilePolicy;
+import com.netscape.certsrv.profile.IProfileSubsystem;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.registry.IPluginInfo;
+import com.netscape.certsrv.registry.IPluginRegistry;
+import com.netscape.cms.profile.common.ProfilePolicy;
+
+/**
+ * This class is an administration servlet for policy management.
+ *
+ * Each service (CA, KRA, RA) should be responsible
+ * for registering an instance of this with the remote
+ * administration subsystem.
+ *
+ * @version $Revision$, $Date$
+ */
+public class ProfileAdminServlet extends AdminServlet {
+ /**
+ *
+ */
+ private static final long serialVersionUID = 4828203666899891742L;
+
+ public final static String PROP_AUTHORITY = "authority";
+
+ private final static String INFO = "ProfileAdminServlet";
+ private final static String PW_PASSWORD_CACHE_ADD =
+ "PASSWORD_CACHE_ADD";
+
+ public final static String PROP_PREDICATE = "predicate";
+ private IAuthority mAuthority = null;
+ private IPluginRegistry mRegistry = null;
+ private IProfileSubsystem mProfileSub = null;
+
+ // These will be moved to PolicyResources
+ public static String INVALID_POLICY_SCOPE = "Invalid policy administration scope";
+ public static String INVALID_POLICY_IMPL_OP = "Invalid operation for policy implementation management";
+ public static String NYI = "Not Yet Implemented";
+ public static String INVALID_POLICY_IMPL_CONFIG = "Invalid policy implementation configuration";
+ public static String INVALID_POLICY_INSTANCE_CONFIG = "Invalid policy instance configuration";
+ public static String MISSING_POLICY_IMPL_ID = "Missing policy impl id in request";
+ public static String MISSING_POLICY_IMPL_CLASS = "Missing policy impl class in request";
+ public static String INVALID_POLICY_IMPL_ID = "Invalid policy impl id in request";
+ public static String MISSING_POLICY_INST_ID = "Missing policy id in request";
+ public static String POLICY_INST_ID_ALREADY_USED = "policy id already used";
+ public static String INVALID_POLICY_INST_ID = "Invalid policy id in request";
+ public static String COMMA = ",";
+ public static String MISSING_POLICY_ORDERING = "Missing policy ordering";
+ public static String BAD_CONFIGURATION_VAL = "Invalid configuration value.";
+
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE =
+ "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3";
+
+ /**
+ * Constructs administration servlet.
+ */
+ public ProfileAdminServlet() {
+ super();
+ }
+
+ /**
+ * Initializes this servlet.
+ */
+ public void init(ServletConfig config) throws ServletException {
+ super.init(config);
+ String authority = config.getInitParameter(PROP_AUTHORITY);
+
+ if (authority != null)
+ mAuthority = (IAuthority) CMS.getSubsystem(authority);
+ mRegistry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
+ mProfileSub = (IProfileSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_PROFILE);
+ }
+
+ /**
+ * Returns serlvet information.
+ */
+ public String getServletInfo() {
+ return INFO;
+ }
+
+ /**
+ * Serves HTTP admin request.
+ */
+ public void service(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ super.service(req, resp);
+
+ super.authenticate(req);
+
+ AUTHZ_RES_NAME = "certServer.profile.configuration";
+ String scope = req.getParameter(Constants.OP_SCOPE);
+
+ CMS.debug("ProfileAdminServlet: service scope: " + scope);
+ if (scope.equals(ScopeDef.SC_PROFILE_RULES)) {
+ processProfileRuleMgmt(req, resp);
+ } else if (scope.equals(ScopeDef.SC_PROFILE_POLICIES)) {
+ processProfilePolicy(req, resp);
+ } else if (scope.equals(ScopeDef.SC_PROFILE_DEFAULT_POLICY)) {
+ processPolicyDefaultConfig(req, resp);
+ } else if (scope.equals(ScopeDef.SC_PROFILE_CONSTRAINT_POLICY)) {
+ processPolicyConstraintConfig(req, resp);
+ } else if (scope.equals(ScopeDef.SC_POLICY_IMPLS)) {
+ processPolicyImplMgmt(req, resp);
+ } else if (scope.equals(ScopeDef.SC_PROFILE_INPUT)) {
+ processProfileInput(req, resp);
+ } else if (scope.equals(ScopeDef.SC_PROFILE_OUTPUT)) {
+ processProfileOutput(req, resp);
+ } else if (scope.equals(ScopeDef.SC_PROFILE_INPUT_CONFIG)) {
+ processProfileInputConfig(req, resp);
+ } else if (scope.equals(ScopeDef.SC_PROFILE_OUTPUT_CONFIG)) {
+ processProfileOutputConfig(req, resp);
+ } else
+ sendResponse(ERROR, INVALID_POLICY_SCOPE, null, resp);
+ }
+
+ private boolean readAuthorize(HttpServletRequest req,
+ HttpServletResponse resp) throws IOException {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return false;
+ }
+ return true;
+ }
+
+ private boolean modifyAuthorize(HttpServletRequest req,
+ HttpServletResponse resp) throws IOException {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return false;
+ }
+ return true;
+ }
+
+ public void processProfilePolicy(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ // Get operation type
+ String op = req.getParameter(Constants.OP_TYPE);
+
+ if (op.equals(OpDef.OP_READ)) {
+ if (!readAuthorize(req, resp))
+ return;
+ getProfilePolicy(req, resp);
+ } else if (op.equals(OpDef.OP_ADD)) {
+ if (!modifyAuthorize(req, resp))
+ return;
+ addProfilePolicy(req, resp);
+ } else if (op.equals(OpDef.OP_DELETE)) {
+ if (!modifyAuthorize(req, resp))
+ return;
+ deleteProfilePolicy(req, resp);
+ }
+ }
+
+ public void processProfileInput(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ // Get operation type
+ String op = req.getParameter(Constants.OP_TYPE);
+
+ if (op.equals(OpDef.OP_READ)) {
+ if (!readAuthorize(req, resp))
+ return;
+ getProfileInput(req, resp);
+ } else if (op.equals(OpDef.OP_ADD)) {
+ if (!modifyAuthorize(req, resp))
+ return;
+ addProfileInput(req, resp);
+ } else if (op.equals(OpDef.OP_DELETE)) {
+ if (!modifyAuthorize(req, resp))
+ return;
+ deleteProfileInput(req, resp);
+ }
+ }
+
+ public void processProfileOutput(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ // Get operation type
+ String op = req.getParameter(Constants.OP_TYPE);
+
+ if (op.equals(OpDef.OP_READ)) {
+ if (!readAuthorize(req, resp))
+ return;
+ getProfileOutput(req, resp);
+ } else if (op.equals(OpDef.OP_ADD)) {
+ if (!modifyAuthorize(req, resp))
+ return;
+ addProfileOutput(req, resp);
+ } else if (op.equals(OpDef.OP_DELETE)) {
+ if (!modifyAuthorize(req, resp))
+ return;
+ deleteProfileOutput(req, resp);
+ }
+ }
+
+ public void processProfileInputConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ // Get operation type
+ String op = req.getParameter(Constants.OP_TYPE);
+
+ if (op.equals(OpDef.OP_READ)) {
+ if (!readAuthorize(req, resp))
+ return;
+ getInputConfig(req, resp);
+ } else if (op.equals(OpDef.OP_MODIFY)) {
+ if (!modifyAuthorize(req, resp))
+ return;
+ modifyInputConfig(req, resp);
+ }
+ }
+
+ public void processProfileOutputConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ // Get operation type
+ String op = req.getParameter(Constants.OP_TYPE);
+
+ if (op.equals(OpDef.OP_READ)) {
+ if (!readAuthorize(req, resp))
+ return;
+ getOutputConfig(req, resp);
+ } else if (op.equals(OpDef.OP_MODIFY)) {
+ if (!modifyAuthorize(req, resp))
+ return;
+ modifyOutputConfig(req, resp);
+ }
+ }
+
+ public void processPolicyDefaultConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ // Get operation type
+ String op = req.getParameter(Constants.OP_TYPE);
+
+ if (op.equals(OpDef.OP_READ)) {
+ if (!readAuthorize(req, resp))
+ return;
+ getPolicyDefaultConfig(req, resp);
+ } else if (op.equals(OpDef.OP_ADD)) {
+ if (!modifyAuthorize(req, resp))
+ return;
+ addPolicyDefaultConfig(req, resp);
+ } else if (op.equals(OpDef.OP_MODIFY)) {
+ if (!modifyAuthorize(req, resp))
+ return;
+ modifyPolicyDefaultConfig(req, resp);
+ }
+ }
+
+ public void processPolicyConstraintConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ // Get operation type
+ String op = req.getParameter(Constants.OP_TYPE);
+
+ CMS.debug("ProfileAdminServlet: processPolicyConstraintConfig op " + op);
+ if (op.equals(OpDef.OP_READ)) {
+ if (!readAuthorize(req, resp))
+ return;
+ getPolicyConstraintConfig(req, resp);
+ } else if (op.equals(OpDef.OP_ADD)) {
+ if (!modifyAuthorize(req, resp))
+ return;
+ addPolicyConstraintConfig(req, resp);
+ } else if (op.equals(OpDef.OP_MODIFY)) {
+ if (!modifyAuthorize(req, resp))
+ return;
+ modifyPolicyConstraintConfig(req, resp);
+ }
+ }
+
+ /**
+ * Process Policy Implementation Management.
+ */
+ public void processPolicyImplMgmt(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ // Get operation type
+ String op = req.getParameter(Constants.OP_TYPE);
+
+ if (op.equals(OpDef.OP_SEARCH)) {
+ if (!readAuthorize(req, resp))
+ return;
+ listProfileImpls(req, resp);
+ } else
+ sendResponse(ERROR, INVALID_POLICY_IMPL_OP,
+ null, resp);
+ }
+
+ public void processProfileRuleMgmt(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ // Get operation type
+ String op = req.getParameter(Constants.OP_TYPE);
+
+ if (op.equals(OpDef.OP_SEARCH)) {
+ if (!readAuthorize(req, resp))
+ return;
+ listProfileInstances(req, resp);
+ } else if (op.equals(OpDef.OP_DELETE)) {
+ if (!modifyAuthorize(req, resp))
+ return;
+ deleteProfileInstance(req, resp);
+ } else if (op.equals(OpDef.OP_READ)) {
+ if (!readAuthorize(req, resp))
+ return;
+ getProfileInstanceConfig(req, resp);
+ } else if (op.equals(OpDef.OP_ADD)) {
+ if (!modifyAuthorize(req, resp))
+ return;
+ addProfileInstance(req, resp);
+ } else if (op.equals(OpDef.OP_MODIFY)) {
+ if (!modifyAuthorize(req, resp))
+ return;
+ modifyProfileInstance(req, resp);
+ } else
+ sendResponse(ERROR, INVALID_POLICY_IMPL_OP,
+ null, resp);
+ }
+
+ /**
+ * Lists all registered profile impementations
+ */
+ public void listProfileImpls(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+
+ Enumeration impls = mRegistry.getIds("profile");
+ NameValuePairs nvp = new NameValuePairs();
+
+ while (impls.hasMoreElements()) {
+ String id = (String) impls.nextElement();
+ IPluginInfo info = mRegistry.getPluginInfo("profile", id);
+
+ nvp.put(id, info.getClassName() + "," +
+ info.getDescription(getLocale(req)));
+ }
+ sendResponse(SUCCESS, null, nvp, resp);
+ }
+
+ /**
+ * Add policy profile
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when configuring cert profile (general settings + * and cert profile; obsoletes extensions and constraints policies) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void addProfilePolicy(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + CMS.debug("ProfileAdminServlet: in addProfilePolicy"); + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String policyId = st.nextToken(); + String defImpl = st.nextToken(); + String conImpl = st.nextToken(); + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + if (mProfileSub.isProfileEnable(profileId)) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), + "CMS_PROFILE_CREATE_POLICY_FAILED", + "Profile is currently enabled"), + null, resp); + return; + } + + StringTokenizer ss = new StringTokenizer(policyId, ":"); + String setId = ss.nextToken(); + String pId = ss.nextToken(); + + try { + if (!isValidId(setId)) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), + "CMS_PROFILE_CREATE_POLICY_FAILED", + "Invalid set id " + setId), + null, resp); + return; + } + if (!isValidId(pId)) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), + "CMS_PROFILE_CREATE_POLICY_FAILED", + "Invalid policy id " + pId), + null, resp); + return; + } + profile.createProfilePolicy(setId, pId, + defImpl, conImpl); 
+ } catch (EBaseException e1) { + // error + CMS.debug("ProfileAdminServlet: addProfilePolicy " + + e1.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_PROFILE_CREATE_POLICY_FAILED", + e1.toString()), + null, resp); + return; + } + NameValuePairs nvp = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Add profile input + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when configuring cert profile (general settings + * and cert profile; obsoletes extensions and constraints policies) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void addProfileInput(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String inputId = st.nextToken(); + String inputImpl = st.nextToken(); + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + @SuppressWarnings("unchecked") + Enumeration names = req.getParameterNames(); + NameValuePairs nvps = new NameValuePairs(); + + while (names.hasMoreElements()) { + String name = names.nextElement(); + + if (name.equals("OP_SCOPE")) + continue; + if (name.equals("OP_TYPE")) + continue; + if (name.equals("RS_ID")) + continue; + nvps.put(name, req.getParameter(name)); + } + + try { + profile.createProfileInput(inputId, inputImpl, nvps); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_PROFILE_CREATE_INPUT_FAILED", + e1.toString()), + null, resp); + + return; + } + + NameValuePairs nvp 
= new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Add profile output + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when configuring cert profile (general settings + * and cert profile; obsoletes extensions and constraints policies) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void addProfileOutput(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String outputId = st.nextToken(); + String outputImpl = st.nextToken(); + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + @SuppressWarnings("unchecked") + Enumeration names = req.getParameterNames(); + NameValuePairs nvps = new NameValuePairs(); + + while (names.hasMoreElements()) { + String name = names.nextElement(); + + if (name.equals("OP_SCOPE")) + continue; + if (name.equals("OP_TYPE")) + continue; + if (name.equals("RS_ID")) + continue; + nvps.put(name, req.getParameter(name)); + } + + try { + profile.createProfileOutput(outputId, outputImpl, + nvps); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_PROFILE_CREATE_OUTPUT_FAILED", + e1.toString()), + null, resp); + + return; + } + + 
NameValuePairs nvp = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Delete policy profile + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when configuring cert profile (general settings + * and cert profile; obsoletes extensions and constraints policies) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void deleteProfilePolicy(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String profileId = ""; + String policyId = ""; + @SuppressWarnings("unchecked") + Enumeration names = req.getParameterNames(); + + while (names.hasMoreElements()) { + String name = names.nextElement(); + + if (name.equals("OP_SCOPE")) + continue; + if (name.equals("OP_TYPE")) + continue; + if (name.equals("RS_ID")) + profileId = req.getParameter(name); + if (name.equals("POLICYID")) + policyId = req.getParameter(name); + } + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + StringTokenizer ss = new StringTokenizer(policyId, ":"); + String setId = ss.nextToken(); + String pId = ss.nextToken(); + + try { + profile.deleteProfilePolicy(setId, pId); + } catch (EBaseException e1) { + CMS.debug("ProfileAdminServlet: " + e1.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + NameValuePairs nvp = new NameValuePairs(); + + // store a message in the signed audit log file + 
auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Delete profile input + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when configuring cert profile (general settings + * and cert profile; obsoletes extensions and constraints policies) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void deleteProfileInput(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String profileId = ""; + String inputId = ""; + @SuppressWarnings("unchecked") + Enumeration names = req.getParameterNames(); + + while (names.hasMoreElements()) { + String name = names.nextElement(); + + if (name.equals("OP_SCOPE")) + continue; + if (name.equals("OP_TYPE")) + continue; + if (name.equals("RS_ID")) + profileId = req.getParameter(name); + if (name.equals("INPUTID")) + inputId = req.getParameter(name); + } + CMS.debug("ProfileAdminServlet: deleteProfileInput profileId -> " + profileId); + CMS.debug("ProfileAdminServlet: deleteProfileInput inputId -> " + inputId); + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + CMS.debug("deleteProfileInput profile -> " + profile); + try { + profile.deleteProfileInput(inputId); + } catch (EBaseException e1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + NameValuePairs nvp = new NameValuePairs(); + + // store a message in the signed 
audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Delete profile output + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when configuring cert profile (general settings + * and cert profile; obsoletes extensions and constraints policies) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void deleteProfileOutput(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String profileId = ""; + String outputId = ""; + @SuppressWarnings("unchecked") + Enumeration names = req.getParameterNames(); + + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + if (name.equals("OP_SCOPE")) + continue; + if (name.equals("OP_TYPE")) + continue; + if (name.equals("RS_ID")) + profileId = req.getParameter(name); + if (name.equals("OUTPUTID")) + outputId = req.getParameter(name); + } + CMS.debug("ProfileAdminServlet: deleteProfileOutput profileId -> " + profileId); + CMS.debug("ProfileAdminServlet: deleteProfileOutput outputId -> " + outputId); + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + CMS.debug("ProfileAdminServlet: deleteProfileOutput profile -> " + profile); + try { + profile.deleteProfileOutput(outputId); + } catch (EBaseException e1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + NameValuePairs nvp = new 
NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Add default policy profile configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when configuring cert profile (general settings + * and cert profile; obsoletes extensions and constraints policies) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void addPolicyDefaultConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String policyId = st.nextToken(); + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + StringTokenizer ss = new StringTokenizer(policyId, ":"); + String setId = ss.nextToken(); + String pId = ss.nextToken(); + + IProfilePolicy policy = profile.getProfilePolicy(setId, pId); + IPolicyDefault def = policy.getDefault(); + + @SuppressWarnings("unchecked") + Enumeration names = req.getParameterNames(); + + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + if (name.equals("OP_SCOPE")) + continue; + if (name.equals("OP_TYPE")) + continue; + if (name.equals("RS_ID")) + continue; + try { + def.setConfig(name, req.getParameter(name)); + + } catch (EPropertyException e) { + + CMS.debug("ProfileAdminServlet: modifyPolicyDefConfig setConfig exception."); + try { + profile.deleteProfilePolicy(setId, pId); + } catch (Exception e11) { + } + sendResponse(ERROR, BAD_CONFIGURATION_VAL, null, resp); + return; + } + // defConfig.putString("params." 
+ name, req.getParameter(name)); + } + try { + profile.getConfigStore().commit(false); + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + NameValuePairs nvp = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Add policy constraints profile configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when configuring cert profile (general settings + * and cert profile; obsoletes extensions and constraints policies) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void addPolicyConstraintConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String policyId = st.nextToken(); + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + StringTokenizer ss = new StringTokenizer(policyId, ":"); + String setId = ss.nextToken(); + String pId = ss.nextToken(); + + IProfilePolicy policy = profile.getProfilePolicy(setId, pId); + IPolicyConstraint con = policy.getConstraint(); + + @SuppressWarnings("unchecked") + Enumeration names = req.getParameterNames(); + + while (names.hasMoreElements()) { + String name = names.nextElement(); + + if (name.equals("OP_SCOPE")) + continue; + if (name.equals("OP_TYPE")) + continue; + if (name.equals("RS_ID")) + continue; + + try { + con.setConfig(name, req.getParameter(name)); + + } catch (EPropertyException e) { + + CMS.debug("ProfileAdminServlet: addPolicyConstraintsConfig setConfig exception."); + try { + profile.deleteProfilePolicy(setId, pId); + } catch (Exception e11) { + } + sendResponse(ERROR, BAD_CONFIGURATION_VAL, null, resp); + return; + } + // 
conConfig.putString("params." + name, req.getParameter(name)); + } + try { + profile.getConfigStore().commit(false); + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + NameValuePairs nvp = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Modify default policy profile configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when configuring cert profile (general settings + * and cert profile; obsoletes extensions and constraints policies) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void modifyPolicyDefaultConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String policyId = st.nextToken(); + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + StringTokenizer ss = new StringTokenizer(policyId, ":"); + String setId = ss.nextToken(); + String pId = ss.nextToken(); + IProfilePolicy policy = profile.getProfilePolicy(setId, pId); + IPolicyDefault def = policy.getDefault(); + + @SuppressWarnings("unchecked") + Enumeration names = req.getParameterNames(); + + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + if (name.equals("OP_SCOPE")) + continue; + if (name.equals("OP_TYPE")) + continue; + if (name.equals("RS_ID")) + continue; + try { + def.setConfig(name, req.getParameter(name)); + + } catch (EPropertyException e) { + + CMS.debug("ProfileAdminServlet: modifyPolicyDefConfig setConfig exception."); + sendResponse(ERROR, BAD_CONFIGURATION_VAL, null, resp); + return; + } + // defConfig.putString("params." 
+ name, req.getParameter(name)); + } + try { + profile.getConfigStore().commit(false); + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + NameValuePairs nvp = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Modify profile input configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when configuring cert profile (general settings + * and cert profile; obsoletes extensions and constraints policies) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void modifyInputConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String inputId = st.nextToken(); + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + IProfileInput input = profile.getProfileInput(inputId); + IConfigStore inputConfig = input.getConfigStore(); + + @SuppressWarnings("unchecked") + Enumeration names = req.getParameterNames(); + + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + if (name.equals("OP_SCOPE")) + continue; + if (name.equals("OP_TYPE")) + continue; + if (name.equals("RS_ID")) + continue; + inputConfig.putString("params." 
+ name, req.getParameter(name)); + } + try { + profile.getConfigStore().commit(false); + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + NameValuePairs nvp = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Modify profile output configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when configuring cert profile (general settings + * and cert profile; obsoletes extensions and constraints policies) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void modifyOutputConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String outputId = st.nextToken(); + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + IProfileOutput output = profile.getProfileOutput(outputId); + IConfigStore outputConfig = output.getConfigStore(); + + @SuppressWarnings("unchecked") + Enumeration names = req.getParameterNames(); + + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + if (name.equals("OP_SCOPE")) + continue; + if (name.equals("OP_TYPE")) + continue; + if (name.equals("RS_ID")) + continue; + outputConfig.putString("params." 
+ name, + req.getParameter(name)); + } + try { + profile.getConfigStore().commit(false); + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + NameValuePairs nvp = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Modify policy constraints profile configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when configuring cert profile (general settings + * and cert profile; obsoletes extensions and constraints policies) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void modifyPolicyConstraintConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String policyId = st.nextToken(); + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + StringTokenizer ss = new StringTokenizer(policyId, ":"); + String setId = ss.nextToken(); + String pId = ss.nextToken(); + IProfilePolicy policy = profile.getProfilePolicy(setId, pId); + IPolicyConstraint con = policy.getConstraint(); + + @SuppressWarnings("unchecked") + Enumeration names = req.getParameterNames(); + + CMS.debug("ProfileAdminServlet: modifyPolicyConstraintConfig policy " + policy + " con " + con); + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + if (name.equals("OP_SCOPE")) + continue; + if (name.equals("OP_TYPE")) + continue; + if (name.equals("RS_ID")) + continue; + + // CMS.debug("ProfileAdminServlet: modifyPolicyConstraintConfig name" + name + " val " + req.getParameter(name)); + try { + con.setConfig(name, req.getParameter(name)); + + } catch (EPropertyException e) { + + CMS.debug("ProfileAdminServlet: 
modifyPolicyConstraintsConfig setConfig exception."); + sendResponse(ERROR, BAD_CONFIGURATION_VAL, null, resp); + return; + } + //conConfig.putString("params." + name, req.getParameter(name)); + } + try { + profile.getConfigStore().commit(false); + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + NameValuePairs nvp = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + public void getPolicyDefaultConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String id = req.getParameter(Constants.RS_ID); + + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String policyId = st.nextToken(); + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + 
CMS.debug("ProfileAdminServlet::getPolicyDefaultConfig() - " + + "profile is null!"); + throw new ServletException(e1.toString()); + } + + IProfilePolicy policy = null; + IPolicyDefault rule = null; + + StringTokenizer ss = new StringTokenizer(policyId, ":"); + String setId = ss.nextToken(); + String pId = ss.nextToken(); + + policy = profile.getProfilePolicy(setId, pId); + rule = policy.getDefault(); + + NameValuePairs nvp = new NameValuePairs(); + Enumeration names = rule.getConfigNames(); + + while (names.hasMoreElements()) { + String name = names.nextElement(); + IDescriptor desc = rule.getConfigDescriptor(getLocale(req), name); + + if (desc == null) { + nvp.put(name, ";" + ";" + rule.getConfig(name)); + } else { + nvp.put(name, + desc.getSyntax() + + ";" + ";" + getNonNull(desc.getConstraint()) + ";" + + desc.getDescription(getLocale(req)) + ";" + rule.getConfig(name)); + } + } + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getPolicyConstraintConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String id = req.getParameter(Constants.RS_ID); + String constraintsList = req.getParameter(Constants.PR_CONSTRAINTS_LIST); + + // this one gets called when one of the elements in the default list get + // selected, then it returns the list of supported constraintsPolicy + if (constraintsList != null) { + + } + + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String policyId = st.nextToken(); + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + CMS.debug("ProfileAdminServlet::getPolicyConstraintConfig() - " + + "profile is null!"); + throw new ServletException(e1.toString()); + } + + StringTokenizer ss = new StringTokenizer(policyId, ":"); + String setId = ss.nextToken(); + String pId = ss.nextToken(); + IProfilePolicy policy = profile.getProfilePolicy(setId, pId); + IPolicyConstraint rule = 
policy.getConstraint(); + + NameValuePairs nvp = new NameValuePairs(); + Enumeration names = rule.getConfigNames(); + + while (names.hasMoreElements()) { + String name = names.nextElement(); + IDescriptor desc = rule.getConfigDescriptor(getLocale(req), name); + + if (desc == null) { + nvp.put(name, ";" + rule.getConfig(name)); + } else { + nvp.put(name, + desc.getSyntax() + + ";" + getNonNull(desc.getConstraint()) + ";" + desc.getDescription(getLocale(req)) + + ";" + rule.getConfig(name)); + } + } + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getProfilePolicy(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String id = req.getParameter(Constants.RS_ID); + + // only allow profile retrival if it is disabled + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(id); + } catch (EBaseException e1) { + CMS.debug("ProfileAdminServlet::getProfilePolicy() - " + + "profile is null!"); + throw new ServletException(e1.toString()); + } + + NameValuePairs nvp = new NameValuePairs(); + Enumeration setIds = profile.getProfilePolicySetIds(); + + if (!setIds.hasMoreElements()) { + // no set id; this is a brand new profile + sendResponse(SUCCESS, null, nvp, resp); + return; + } + while (setIds.hasMoreElements()) { + String setId = (String) setIds.nextElement(); + Enumeration policies = profile.getProfilePolicies(setId); + + while (policies.hasMoreElements()) { + IProfilePolicy policy = (IProfilePolicy) policies.nextElement(); + IPolicyDefault def = policy.getDefault(); + IPolicyConstraint con = policy.getConstraint(); + + nvp.put(setId + ":" + policy.getId(), + def.getName(getLocale(req)) + ";" + + con.getName(getLocale(req))); + } + } + + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getProfileOutput(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String id = req.getParameter(Constants.RS_ID); + IProfile profile = null; + + try { + profile = 
mProfileSub.getProfile(id); + } catch (EBaseException e1) { + CMS.debug("ProfileAdminServlet::getProfileOutput() - " + + "profile is null!"); + throw new ServletException(e1.toString()); + } + + NameValuePairs nvp = new NameValuePairs(); + Enumeration outputs = profile.getProfileOutputIds(); + + while (outputs.hasMoreElements()) { + String outputId = (String) outputs.nextElement(); + IProfileOutput output = profile.getProfileOutput(outputId); + + nvp.put(outputId, output.getName(getLocale(req))); + } + + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getProfileInput(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String id = req.getParameter(Constants.RS_ID); + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(id); + } catch (EBaseException e1) { + CMS.debug("ProfileAdminServlet::getProfileInput() - " + + "profile is null!"); + throw new ServletException(e1.toString()); + } + + NameValuePairs nvp = new NameValuePairs(); + Enumeration inputs = profile.getProfileInputIds(); + + while (inputs.hasMoreElements()) { + String inputId = (String) inputs.nextElement(); + IProfileInput input = profile.getProfileInput(inputId); + + nvp.put(inputId, input.getName(getLocale(req))); + } + + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getInputConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + String id = req.getParameter(Constants.RS_ID); + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String inputId = st.nextToken(); + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + CMS.debug("ProfileAdminServlet::getInputConfig() - " + + "profile is null!"); + throw new ServletException(e1.toString()); + } + + IProfileInput profileInput = null; + NameValuePairs nvp = new NameValuePairs(); + + profileInput = 
profile.getProfileInput(inputId); + Enumeration names = profileInput.getConfigNames(); + + while (names.hasMoreElements()) { + String name = names.nextElement(); + IDescriptor desc = profileInput.getConfigDescriptor( + getLocale(req), name); + if (desc == null) { + nvp.put(name, ";" + ";" + profileInput.getConfig(name)); + } else { + nvp.put(name, desc.getSyntax() + ";" + + getNonNull(desc.getConstraint()) + ";" + + desc.getDescription(getLocale(req)) + ";" + + profileInput.getConfig(name)); + } + } + + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getOutputConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + String id = req.getParameter(Constants.RS_ID); + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String outputId = st.nextToken(); + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + CMS.debug("ProfileAdminServlet::getOutputConfig() - " + + "profile is null!"); + throw new ServletException(e1.toString()); + } + + IProfileOutput profileOutput = null; + NameValuePairs nvp = new NameValuePairs(); + + profileOutput = profile.getProfileOutput(outputId); + Enumeration names = profileOutput.getConfigNames(); + + while (names.hasMoreElements()) { + String name = names.nextElement(); + IDescriptor desc = profileOutput.getConfigDescriptor( + getLocale(req), name); + if (desc == null) { + nvp.put(name, ";" + ";" + profileOutput.getConfig(name)); + } else { + nvp.put(name, desc.getSyntax() + ";" + + getNonNull(desc.getConstraint()) + ";" + + desc.getDescription(getLocale(req)) + ";" + + profileOutput.getConfig(name)); + } + } + + sendResponse(SUCCESS, null, nvp, resp); + } + + public void listProfileInstances(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + NameValuePairs nvp = new NameValuePairs(); + Enumeration e = mProfileSub.getProfileIds(); + + while 
(e.hasMoreElements()) { + String profileId = e.nextElement(); + + String status = null; + + if (mProfileSub.isProfileEnable(profileId)) { + status = "enabled"; + } else { + status = "disabled"; + } + + // mInstanceId + ";visible;" + enabled + nvp.put(profileId, profileId + ";visible;" + status); + } + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getProfileInstanceConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + String id = req.getParameter(Constants.RS_ID); + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(id); + } catch (EBaseException e1) { + CMS.debug("ProfileAdminServlet::getProfileInstanceConfig() - " + + "profile is null!"); + throw new ServletException(e1.toString()); + } + + NameValuePairs nvp = new NameValuePairs(); + + nvp.put("name", profile.getName(getLocale(req))); + nvp.put("desc", profile.getDescription(getLocale(req))); + nvp.put("visible", Boolean.toString(profile.isVisible())); + nvp.put("enable", Boolean.toString( + mProfileSub.isProfileEnable(id))); + + String authid = profile.getAuthenticatorId(); + + if (authid == null) { + nvp.put("auth", ""); + } else { + nvp.put("auth", authid); + } + CMS.debug("ProfileAdminServlet: authid=" + authid); + nvp.put("plugin", mProfileSub.getProfileClassId(id)); + + sendResponse(SUCCESS, null, nvp, resp); + } + + /** + * Delete profile instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when configuring cert profile (general settings + * and cert profile; obsoletes extensions and constraints policies) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void deleteProfileInstance(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // Get the policy impl id and class path. + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_INST_ID, null, resp); + return; + } + + String config = null; + + ISubsystem subsystem = CMS.getSubsystem("ca"); + String subname = "ca"; + + if (subsystem == null) + subname = "ra"; + + try { + config = CMS.getConfigStore().getString("instanceRoot") + + "/profiles/" + subname + "/" + id + ".cfg"; + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + try { + mProfileSub.deleteProfile(id, config); + } catch (EProfileException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), e.toString(), id), null, resp); + return; + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + 
LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + public void + putUserPWPair(String combo) { + int semicolon; + + semicolon = combo.indexOf(";"); + String user = combo.substring(0, semicolon); + String pw = combo.substring(semicolon + 1); + + CMS.putPasswordCache(user, pw); + } + + public boolean isValidId(String id) { + for (int i = 0; i < id.length(); i++) { + char c = id.charAt(i); + if (!Character.isLetterOrDigit(c)) + return false; + } + return true; + } + + /** + * Add profile instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when configuring cert profile (general settings + * and cert profile; obsoletes extensions and constraints policies) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void addProfileInstance(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // Get the policy impl id and class path. + String id = req.getParameter(Constants.RS_ID); + + if (id == null || id.trim().equals("") || !isValidId(id)) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_INST_ID, null, resp); + return; + } + + // see if profile id already used + IProfile p = null; + + try { + p = mProfileSub.getProfile(id); + } catch (EProfileException e1) { + } + if (p != null) { + sendResponse(ERROR, POLICY_INST_ID_ALREADY_USED, null, resp); + return; + } + + String impl = req.getParameter("impl"); + String name = req.getParameter("name"); + String visible = req.getParameter("visible"); + String auth = req.getParameter("auth"); + String config = null; + + ISubsystem subsystem = CMS.getSubsystem("ca"); + String subname = "ca"; + + if (subsystem == null) + subname = "ra"; + + try { + config = CMS.getConfigStore().getString("instanceRoot") + "/profiles/" + subname + "/" + id + ".cfg"; + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + IPluginInfo info = 
mRegistry.getPluginInfo("profile", impl); + + IProfile profile = null; + + // create configuration file + File configFile = new File(config); + + configFile.createNewFile(); + + // create profile + try { + profile = mProfileSub.createProfile(id, impl, + info.getClassName(), + config); + profile.setName(getLocale(req), name); + profile.setDescription(getLocale(req), name); + if (visible != null && visible.equals("true")) { + profile.setVisible(true); + } else { + profile.setVisible(false); + } + profile.setAuthenticatorId(auth); + profile.getConfigStore().commit(false); + + mProfileSub.createProfileConfig(id, impl, config); + if (profile instanceof IProfileEx) { + // populates profile specific plugins such as + // policies, inputs and outputs + ((IProfileEx) profile).populate(); + } + } catch (Exception e) { + CMS.debug("ProfileAdminServlet: " + e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( 
auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Modify profile instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when configuring cert profile (general settings + * and cert profile; obsoletes extensions and constraints policies) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void modifyProfileInstance(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // Get the policy impl id and class path. + String id = req.getParameter(Constants.RS_ID); + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(id); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + String name = req.getParameter("name"); + String desc = req.getParameter("desc"); + String auth = req.getParameter("auth"); + String visible = req.getParameter("visible"); + + // String config = req.getParameter("config"); + + profile.setAuthenticatorId(auth); + profile.setName(getLocale(req), name); + profile.setDescription(getLocale(req), desc); + if (visible != null && visible.equals("true")) { + profile.setVisible(true); + } else { + profile.setVisible(false); + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + try { + profile.getConfigStore().commit(false); + } catch (Exception e) { + } + + sendResponse(SUCCESS, null, null, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + 
auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ // } catch( ServletException eAudit2 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit2;
+ }
+ }
+
+ protected String getNonNull(String s) {
+ if (s == null)
+ return "";
+ return s;
+ }
+
+}
diff --git a/base/common/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
new file mode 100644
index 000000000..483ac42ef
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
@@ -0,0 +1,3127 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.Vector;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPException;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authority.IAuthority;
+import com.netscape.certsrv.authority.ICertAuthority;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.ExtendedPluginInfo;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.base.Plugin;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.common.ConfigConstants;
+import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.common.OpDef;
+import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.ldap.ELdapException;
+import 
com.netscape.certsrv.ldap.ILdapAuthInfo; +import com.netscape.certsrv.ldap.ILdapBoundConnFactory; +import com.netscape.certsrv.ldap.ILdapConnInfo; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.EMapperNotFound; +import com.netscape.certsrv.publish.EMapperPluginNotFound; +import com.netscape.certsrv.publish.EPublisherNotFound; +import com.netscape.certsrv.publish.EPublisherPluginNotFound; +import com.netscape.certsrv.publish.ERuleNotFound; +import com.netscape.certsrv.publish.ERulePluginNotFound; +import com.netscape.certsrv.publish.ILdapMapper; +import com.netscape.certsrv.publish.ILdapPublisher; +import com.netscape.certsrv.publish.ILdapRule; +import com.netscape.certsrv.publish.IPublisherProcessor; +import com.netscape.certsrv.publish.MapperPlugin; +import com.netscape.certsrv.publish.MapperProxy; +import com.netscape.certsrv.publish.PublisherPlugin; +import com.netscape.certsrv.publish.PublisherProxy; +import com.netscape.certsrv.publish.RulePlugin; +import com.netscape.certsrv.security.ICryptoSubsystem; +import com.netscape.cmsutil.password.IPasswordStore; + +/** + * A class representing an publishing servlet for the + * Publishing subsystem. This servlet is responsible + * to serve configuration requests for the Publishing subsystem. 
+ * + * @version $Revision$, $Date$ + */ +public class PublisherAdminServlet extends AdminServlet { + /** + * + */ + private static final long serialVersionUID = 7055088618787207262L; + + public final static String PROP_AUTHORITY = "authority"; + + private final static String INFO = "PublisherAdminServlet"; + private final static String PW_TAG_CA_LDAP_PUBLISHING = + "CA LDAP Publishing"; + public final static String NOMAPPER = ""; + private IPublisherProcessor mProcessor = null; + private IAuthority mAuth = null; + + private final static String VIEW = ";" + Constants.VIEW; + private final static String EDIT = ";" + Constants.EDIT; + + public PublisherAdminServlet() { + super(); + } + + /** + * Initializes this servlet. + */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + String authority = config.getInitParameter(PROP_AUTHORITY); + + if (authority != null) + mAuth = (IAuthority) CMS.getSubsystem(authority); + if (mAuth != null) + if (mAuth instanceof ICertificateAuthority) { + mProcessor = ((ICertificateAuthority) mAuth).getPublisherProcessor(); + } else + throw new ServletException(authority + " does not have publishing processor!"); + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + /** + * Serves HTTP admin request. 
+ */ + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + + CMS.debug("PublisherAdminServlet: in service"); + String scope = req.getParameter(Constants.OP_SCOPE); + String op = req.getParameter(Constants.OP_TYPE); + + if (op == null) { + //System.out.println("SRVLT_INVALID_PROTOCOL"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PROTOCOL"), + null, resp); + return; + } + + // for the rest + try { + super.authenticate(req); + + if (op.equals(OpDef.OP_AUTH)) { // for admin authentication only + sendResponse(SUCCESS, null, null, resp); + return; + } + } catch (IOException e) { + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHS_FAILED"), + null, resp); + return; + } + try { + AUTHZ_RES_NAME = "certServer.publisher.configuration"; + if (scope != null) { + if (op.equals(OpDef.OP_READ)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_LDAP)) { + getLDAPDest(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_PUBLISHER_IMPLS)) { + getConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_PUBLISHER_RULES)) { + getInstConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_MAPPER_IMPLS)) { + getMapperConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_MAPPER_RULES)) { + getMapperInstConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_RULE_IMPLS)) { + getRuleConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_EXTENDED_PLUGIN_INFO)) { + getExtendedPluginInfo(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_RULE_RULES)) { + getRuleInstConfig(req, resp); + return; + } + } else if (op.equals(OpDef.OP_MODIFY)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == 
null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_LDAP)) { + setLDAPDest(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_PUBLISHER_RULES)) { + modPublisherInst(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_MAPPER_RULES)) { + modMapperInst(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_RULE_RULES)) { + modRuleInst(req, resp, scope); + return; + } + } else if (op.equals(OpDef.OP_PROCESS)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_LDAP)) { + testSetLDAPDest(req, resp); + return; + } + } else if (op.equals(OpDef.OP_SEARCH)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_PUBLISHER_IMPLS)) { + listPublisherPlugins(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_PUBLISHER_RULES)) { + listPublisherInsts(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_MAPPER_IMPLS)) { + listMapperPlugins(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_MAPPER_RULES)) { + listMapperInsts(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_RULE_IMPLS)) { + listRulePlugins(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_RULE_RULES)) { + listRuleInsts(req, resp); + return; + } + } else if (op.equals(OpDef.OP_ADD)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_PUBLISHER_IMPLS)) { + addPublisherPlugin(req, resp, scope); + return; + } else if 
(scope.equals(ScopeDef.SC_PUBLISHER_RULES)) { + addPublisherInst(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_MAPPER_IMPLS)) { + addMapperPlugin(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_MAPPER_RULES)) { + addMapperInst(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_RULE_IMPLS)) { + addRulePlugin(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_RULE_RULES)) { + addRuleInst(req, resp, scope); + return; + } + } else if (op.equals(OpDef.OP_DELETE)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_PUBLISHER_IMPLS)) { + delPublisherPlugin(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_PUBLISHER_RULES)) { + delPublisherInst(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_MAPPER_IMPLS)) { + delMapperPlugin(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_MAPPER_RULES)) { + delMapperInst(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_RULE_IMPLS)) { + delRulePlugin(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_RULE_RULES)) { + delRuleInst(req, resp, scope); + return; + } + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_TYPE", op), + null, resp); + return; + } + } else { + //System.out.println("SRVLT_INVALID_OP_SCOPE"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } catch (EBaseException e) { + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } + //System.out.println("SRVLT_FAIL_PERFORM 2"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_PERFORM_FAILED"), + null, resp); + return; + } + + private IExtendedPluginInfo 
getExtendedPluginInfo(IPublisherProcessor + p) { + Enumeration mappers = p.getMapperInsts().keys(); + Enumeration publishers = p.getPublisherInsts().keys(); + + StringBuffer map = new StringBuffer(); + + for (; mappers.hasMoreElements();) { + String name = mappers.nextElement(); + + if (map.length() == 0) { + map.append(name); + } else { + map.append(","); + map.append(name); + } + } + StringBuffer publish = new StringBuffer(); + + for (; publishers.hasMoreElements();) { + String name = (String) publishers.nextElement(); + + publish.append(","); + publish.append(name); + } + + String epi[] = new String[] { + "type;choice(cacert,crl,certs,xcert);The certType of the request", + "mapper;choice(" + + map.toString() + + ");Use the mapper to find the ldap dn to publish the certificate or crl", + "publisher;choice(" + + publish.toString() + + ");Use the publisher to publish the certificate or crl a directory etc", + "enable;boolean;", + "predicate;string;" + }; + + return new ExtendedPluginInfo(epi); + } + + private NameValuePairs getExtendedPluginInfo(Locale locale, String implType, String implName) { + IExtendedPluginInfo ext_info = null; + Object impl = null; + + if (implType.equals(Constants.PR_EXT_PLUGIN_IMPLTYPE_PUBLISHRULE)) { + IPublisherProcessor p_processor = mProcessor; + + // Should get the registered rules from processor + // instead of plugin + // OLD: impl = getClassByNameAsExtendedPluginInfo(plugin.getClassPath()); + impl = getExtendedPluginInfo(p_processor); + } else if (implType.equals(Constants.PR_EXT_PLUGIN_IMPLTYPE_MAPPER)) { + IPublisherProcessor p_processor = mProcessor; + Plugin plugin = (Plugin) p_processor.getMapperPlugins().get(implName + ); + + impl = getClassByNameAsExtendedPluginInfo(plugin.getClassPath()); + + } else if (implType.equals(Constants.PR_EXT_PLUGIN_IMPLTYPE_PUBLISHER)) { + IPublisherProcessor p_processor = mProcessor; + Plugin plugin = (Plugin) p_processor.getPublisherPlugins().get(implName); + + impl = 
getClassByNameAsExtendedPluginInfo(plugin.getClassPath()); + } + if (impl != null) { + if (impl instanceof IExtendedPluginInfo) { + ext_info = (IExtendedPluginInfo) impl; + } + } + + NameValuePairs nvps = null; + + if (ext_info == null) { + nvps = new NameValuePairs(); + } else { + nvps = convertStringArrayToNVPairs(ext_info.getExtendedPluginInfo(locale)); + } + + return nvps; + + } + + /** + * retrieve extended plugin info such as brief description, type info + * from policy, authentication, + * need to add: listener, mapper and publishing plugins + */ + private void getExtendedPluginInfo(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String id = req.getParameter(Constants.RS_ID); + + int colon = id.indexOf(':'); + + String implType = id.substring(0, colon); + String implName = id.substring(colon + 1); + + NameValuePairs params = + getExtendedPluginInfo(getLocale(req), implType, implName); + + sendResponse(SUCCESS, null, params, resp); + } + + private void getLDAPDest(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + IConfigStore config = mAuth.getConfigStore(); + IConfigStore publishcfg = config.getSubStore(IPublisherProcessor.PROP_PUBLISH_SUBSTORE); + IConfigStore ldapcfg = publishcfg.getSubStore(IPublisherProcessor.PROP_LDAP_PUBLISH_SUBSTORE); + IConfigStore ldap = ldapcfg.getSubStore(IPublisherProcessor.PROP_LDAP); + + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + if (name.equals(Constants.PR_PUBLISHING_ENABLE)) + continue; + if (name.equals(Constants.PR_PUBLISHING_QUEUE_ENABLE)) + continue; + if 
(name.equals(Constants.PR_PUBLISHING_QUEUE_THREADS)) + continue; + if (name.equals(Constants.PR_PUBLISHING_QUEUE_PAGE_SIZE)) + continue; + if (name.equals(Constants.PR_PUBLISHING_QUEUE_PRIORITY)) + continue; + if (name.equals(Constants.PR_PUBLISHING_QUEUE_STATUS)) + continue; + if (name.equals(Constants.PR_CERT_NAMES)) { + ICryptoSubsystem jss = (ICryptoSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + + params.put(name, jss.getAllCerts()); + } else { + String value = ldap.getString(name, ""); + + if (value == null || value.equals("")) { + if (name.equals(ILdapBoundConnFactory.PROP_LDAPCONNINFO + "." + ILdapConnInfo.PROP_HOST)) { + value = mConfig.getString(ConfigConstants.PR_MACHINE_NAME, null); + } else if (name.equals(ILdapBoundConnFactory.PROP_LDAPCONNINFO + "." + ILdapConnInfo.PROP_PORT)) { + value = ILdapConnInfo.PROP_PORT_DEFAULT; + } else if (name.equals(ILdapBoundConnFactory.PROP_LDAPAUTHINFO + "." + ILdapAuthInfo.PROP_BINDDN)) { + value = ILdapAuthInfo.PROP_BINDDN_DEFAULT; + } + } + params.put(name, value); + } + } + params.put(Constants.PR_PUBLISHING_ENABLE, + publishcfg.getString(IPublisherProcessor.PROP_ENABLE, Constants.FALSE)); + params.put(Constants.PR_PUBLISHING_QUEUE_ENABLE, + publishcfg.getString(Constants.PR_PUBLISHING_QUEUE_ENABLE, Constants.TRUE)); + params.put(Constants.PR_PUBLISHING_QUEUE_THREADS, + publishcfg.getString(Constants.PR_PUBLISHING_QUEUE_THREADS, "3")); + params.put(Constants.PR_PUBLISHING_QUEUE_PAGE_SIZE, + publishcfg.getString(Constants.PR_PUBLISHING_QUEUE_PAGE_SIZE, "40")); + params.put(Constants.PR_PUBLISHING_QUEUE_PRIORITY, + publishcfg.getString(Constants.PR_PUBLISHING_QUEUE_PRIORITY, "0")); + params.put(Constants.PR_PUBLISHING_QUEUE_STATUS, + publishcfg.getString(Constants.PR_PUBLISHING_QUEUE_STATUS, "200")); + params.put(Constants.PR_ENABLE, + ldapcfg.getString(IPublisherProcessor.PROP_ENABLE, Constants.FALSE)); + sendResponse(SUCCESS, null, params, resp); + } + + private void setLDAPDest(HttpServletRequest req, 
HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + + //Save New Settings to the config file + IConfigStore config = mAuth.getConfigStore(); + IConfigStore publishcfg = config.getSubStore(IPublisherProcessor.PROP_PUBLISH_SUBSTORE); + IConfigStore ldapcfg = publishcfg.getSubStore(IPublisherProcessor.PROP_LDAP_PUBLISH_SUBSTORE); + IConfigStore ldap = ldapcfg.getSubStore(IPublisherProcessor.PROP_LDAP); + + //set enable flag + publishcfg.putString(IPublisherProcessor.PROP_ENABLE, req.getParameter(Constants.PR_PUBLISHING_ENABLE)); + String enable = req.getParameter(Constants.PR_ENABLE); + + ldapcfg.putString(IPublisherProcessor.PROP_ENABLE, enable); + if (enable.equals("false")) { + // need to disable the ldap module here + mProcessor.setLdapConnModule(null); + } + + //set reset of the parameters + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + String pwd = null; + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + if (name.equals(Constants.PR_PUBLISHING_ENABLE)) + continue; + // don't store password in the config file. + if (name.equals(Constants.PR_BIND_PASSWD)) + continue; // old style password read from config. 
+ if (name.equals(Constants.PR_DIRECTORY_MANAGER_PWD)) { + pwd = req.getParameter(name); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_ENABLE)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_THREADS)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_PAGE_SIZE)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_PRIORITY)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_STATUS)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + + /* Don't enter the publishing pw into the config store */ + ldap.putString(name, req.getParameter(name)); + } + + commit(true); + + /* Do a "PUT" of the new pw to the watchdog" + ** do not remove - cfu + if (pwd != null) + CMS.putPasswordCache(PW_TAG_CA_LDAP_PUBLISHING, pwd); + */ + + // support publishing dirsrv with different pwd than internaldb + // update passwordFile + String prompt = ldap.getString(Constants.PR_BINDPWD_PROMPT); + IPasswordStore pwdStore = CMS.getPasswordStore(); + CMS.debug("PublisherAdminServlet: setLDAPDest(): saving password for " + prompt + " to password file"); + pwdStore.putPassword(prompt, pwd); + pwdStore.commit(); + CMS.debug("PublisherAdminServlet: setLDAPDest(): password saved"); + + /* we'll shut down and restart the PublisherProcessor instead + // what a hack to do this without require restart server + // ILdapAuthInfo authInfo = CMS.getLdapAuthInfo(); + ILdapConnModule connModule = mProcessor.getLdapConnModule(); + ILdapAuthInfo authInfo = null; + if (connModule != null) { + authInfo = connModule.getLdapAuthInfo(); + } + + // authInfo.addPassword(PW_TAG_CA_LDAP_PUBLISHING, pwd); + if (authInfo != null) { + CMS.debug("PublisherAdminServlet: setLDAPDest(): adding password to memory 
cache"); + authInfo.addPassword(prompt, pwd); + } else + CMS.debug("PublisherAdminServlet: setLDAPDest(): authInfo null"); + */ + + try { + CMS.debug("PublisherAdminServlet: setLDAPDest(): restarting publishing processor"); + mProcessor.shutdown(); + mProcessor.startup(); + CMS.debug("PublisherAdminServlet: setLDAPDest(): publishing processor restarted"); + } catch (Exception ex) { + // force to save the config even there is error + // ignore any exception + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_FAIL_RES_LDAP", ex.toString())); + } + + //XXX See if we can dynamically in B2 + sendResponse(SUCCESS, null, null, resp); + } + + private void testSetLDAPDest(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + CMS.debug("PublisherAdmineServlet: in testSetLDAPDest"); + //Save New Settings to the config file + IConfigStore config = mAuth.getConfigStore(); + IConfigStore publishcfg = config.getSubStore(IPublisherProcessor.PROP_PUBLISH_SUBSTORE); + IConfigStore ldapcfg = publishcfg.getSubStore(IPublisherProcessor.PROP_LDAP_PUBLISH_SUBSTORE); + IConfigStore ldap = ldapcfg.getSubStore(IPublisherProcessor.PROP_LDAP); + + //set enable flag + publishcfg.putString(IPublisherProcessor.PROP_ENABLE, + req.getParameter(Constants.PR_PUBLISHING_ENABLE)); + String ldapPublish = req.getParameter(Constants.PR_ENABLE); + + ldapcfg.putString(IPublisherProcessor.PROP_ENABLE, ldapPublish); + if (ldapPublish.equals("false")) { + // need to disable the ldap module here + mProcessor.setLdapConnModule(null); + } + + //set reset of the parameters + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + String pwd = null; + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if 
(name.equals(Constants.PR_ENABLE)) + continue; + if (name.equals(Constants.PR_PUBLISHING_ENABLE)) + continue; + // don't store password in the config file. + if (name.equals(Constants.PR_BIND_PASSWD)) + continue; // old style password read from config. + if (name.equals(Constants.PR_DIRECTORY_MANAGER_PWD)) { + pwd = req.getParameter(name); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_ENABLE)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_THREADS)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_PAGE_SIZE)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_PRIORITY)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_STATUS)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + + /* Don't enter the publishing pw into the config store */ + ldap.putString(name, req.getParameter(name)); + } + + // test before commit + if (publishcfg.getBoolean(IPublisherProcessor.PROP_ENABLE) && + ldapcfg.getBoolean(IPublisherProcessor.PROP_ENABLE)) { + params.put("title", + "You've attempted to configure CMS to connect" + + " to a LDAP directory. 
The connection status is" + + " as follows:\n \n"); + LDAPConnection conn = null; + ILdapConnInfo connInfo = + CMS.getLdapConnInfo(ldap.getSubStore( + ILdapBoundConnFactory.PROP_LDAPCONNINFO)); + //LdapAuthInfo authInfo = + //new LdapAuthInfo(ldap.getSubStore( + // ILdapBoundConnFactory.PROP_LDAPAUTHINFO)); + String host = connInfo.getHost(); + int port = connInfo.getPort(); + boolean secure = connInfo.getSecure(); + //int authType = authInfo.getAuthType(); + String authType = ldap.getSubStore( + ILdapBoundConnFactory.PROP_LDAPAUTHINFO).getString(ILdapAuthInfo.PROP_LDAPAUTHTYPE); + int version = connInfo.getVersion(); + String bindAs = null; + String certNickName = null; + + if (authType.equals(ILdapAuthInfo.LDAP_SSLCLIENTAUTH_STR)) { + try { + //certNickName = authInfo.getParms()[0]; + certNickName = + ldap.getSubStore( + ILdapBoundConnFactory.PROP_LDAPAUTHINFO).getString( + ILdapAuthInfo.PROP_CLIENTCERTNICKNAME); + conn = new LDAPConnection(CMS.getLdapJssSSLSocketFactory( + certNickName)); + CMS.debug("Publishing Test certNickName=" + certNickName); + params.put(Constants.PR_CONN_INITED, + "Create ssl LDAPConnection with certificate: " + + certNickName + dashes(70 - 44 - certNickName.length()) + " Success"); + } catch (Exception ex) { + params.put(Constants.PR_CONN_INIT_FAIL, + "Create ssl LDAPConnection with certificate: " + + + certNickName + dashes(70 - 44 - certNickName.length()) + " failure\n" + + " exception: " + ex); + params.put(Constants.PR_SAVE_NOT, + "\n \nIf the problem is not fixed then LDAP publishing will fail.\n" + + "Do you want to save the configuration anyway?"); + sendResponse(SUCCESS, null, params, resp); + return; + } + try { + conn.connect(host, port); + params.put(Constants.PR_CONN_OK, + "Connect to directory server " + + + host + " at port " + port + + dashes(70 - 37 - host.length() - (Integer.valueOf(port)).toString().length()) + + " Success"); + params.put(Constants.PR_AUTH_OK, + "Authentication: SSL client authentication" + + dashes(70 
- 41) + " Success" + + "\nBind to the directory as: " + certNickName + + dashes(70 - 26 - certNickName.length()) + " Success"); + } catch (LDAPException ex) { + if (ex.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. + params.put(Constants.PR_CONN_FAIL, + "Connect to directory server " + + host + " at port " + port + + dashes(70 - 37 - host.length() - (Integer.valueOf(port)).toString().length()) + + " Failure\n" + + " error: server unavailable"); + } else { + params.put(Constants.PR_CONN_FAIL, + "Connect to directory server " + + host + " at port " + port + + dashes(70 - 37 - host.length() - (Integer.valueOf(port)).toString().length()) + + " Failure"); + } + params.put(Constants.PR_SAVE_NOT, + "\n \nIf the problem is not fixed then " + + "LDAP publishing will fail.\n" + + "Do you want to save the configuration anyway?"); + sendResponse(SUCCESS, null, params, resp); + return; + } + } else { + try { + if (secure) { + conn = new LDAPConnection( + CMS.getLdapJssSSLSocketFactory()); + params.put(Constants.PR_CONN_INITED, + "Create ssl LDAPConnection" + + dashes(70 - 25) + " Success"); + } else { + conn = new LDAPConnection(); + params.put(Constants.PR_CONN_INITED, + "Create LDAPConnection" + + dashes(70 - 21) + " Success"); + } + } catch (Exception ex) { + params.put(Constants.PR_CONN_INIT_FAIL, + "Create LDAPConnection" + + dashes(70 - 21) + " Failure\n" + + "exception: " + ex); + params.put(Constants.PR_SAVE_NOT, + "\n \nIf the problem is not fixed then " + + "LDAP publishing will fail.\n" + + "Do you want to save the configuration anyway?"); + sendResponse(SUCCESS, null, params, resp); + return; + } + try { + conn.connect(host, port); + params.put(Constants.PR_CONN_OK, + "Connect to directory server " + + + host + " at port " + port + + dashes(70 - 37 - host.length() - (Integer.valueOf(port)).toString().length()) + + " Success"); + } catch (LDAPException 
ex) { + if (ex.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. + params.put(Constants.PR_CONN_FAIL, + "Connect to directory server " + + + host + " at port " + port + + dashes(70 - 37 - host.length() - (Integer.valueOf(port)).toString().length()) + + " Failure" + + "\nerror: server unavailable"); + } else { + params.put(Constants.PR_CONN_FAIL, + "Connect to directory server " + + + host + " at port " + port + + dashes(70 - 37 - host.length() - (Integer.valueOf(port)).toString().length()) + + " Failure" + + "\nexception: " + ex); + } + params.put(Constants.PR_SAVE_NOT, + "\n \nIf the problem is not fixed then " + + "LDAP publishing will fail.\n" + + "Do you want to save the configuration anyway?"); + sendResponse(SUCCESS, null, params, resp); + return; + } + try { + //bindAs = authInfo.getParms()[0]; + bindAs = ldap.getSubStore( + ILdapBoundConnFactory.PROP_LDAPAUTHINFO).getString(ILdapAuthInfo.PROP_BINDDN); + conn.authenticate(version, bindAs, pwd); + params.put(Constants.PR_AUTH_OK, + "Authentication: Basic authentication" + + dashes(70 - 36) + " Success" + + "\nBind to the directory as: " + bindAs + + dashes(70 - 26 - bindAs.length()) + " Success"); + } catch (LDAPException ex) { + if (ex.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT) { + params.put(Constants.PR_AUTH_FAIL, + "Authentication: Basic authentication" + + dashes(70 - 36) + "Failure" + + "\nBind to the directory as: " + bindAs + + dashes(70 - 26 - bindAs.length()) + + "Failure" + "\nThe object doesn't exist. 
" + + "Please correct the value assigned in the" + + " \"Directory manager DN\" field."); + } else if (ex.getLDAPResultCode() == LDAPException.INVALID_CREDENTIALS) { + params.put(Constants.PR_AUTH_FAIL, + "Authentication: Basic authentication" + + dashes(70 - 36) + " Failure" + + "\nBind to the directory as: " + bindAs + + dashes(70 - 26 - bindAs.length()) + + " Failure" + "\nInvalid password. " + + "Please correct the value assigned in the" + + " \"Password\" field."); + } else { + params.put(Constants.PR_AUTH_FAIL, + "Authentication: Basic authentication" + + dashes(70 - 36) + " Failure" + + "\nBind to the directory as: " + bindAs + + dashes(70 - 26 - bindAs.length()) + + " Failure"); + } + params.put(Constants.PR_SAVE_NOT, + "\n \nIf the problem is not fixed then " + + "LDAP publishing will fail.\n" + + "Do you want to save the configuration anyway?"); + sendResponse(SUCCESS, null, params, resp); + return; + } + } + + } + + //commit(true); + if (ldapcfg.getBoolean(IPublisherProcessor.PROP_ENABLE) && + pwd != null) { + + /* Do a "PUT" of the new pw to the watchdog" + ** do not remove - cfu + CMS.putPasswordCache(PW_TAG_CA_LDAP_PUBLISHING, pwd); + */ + + // support publishing dirsrv with different pwd than internaldb + // update passwordFile + String prompt = ldap.getString(Constants.PR_BINDPWD_PROMPT); + IPasswordStore pwdStore = CMS.getPasswordStore(); + CMS.debug("PublisherAdminServlet: testSetLDAPDest(): saving password for " + + prompt + " to password file"); + pwdStore.putPassword(prompt, pwd); + pwdStore.commit(); + CMS.debug("PublisherAdminServlet: testSetLDAPDest(): password saved"); + /* we'll shut down and restart the PublisherProcessor instead + // what a hack to do this without require restart server + // ILdapAuthInfo authInfo = CMS.getLdapAuthInfo(); + ILdapConnModule connModule = mProcessor.getLdapConnModule(); + ILdapAuthInfo authInfo = null; + if (connModule != null) { + authInfo = connModule.getLdapAuthInfo(); + } else + 
CMS.debug("PublisherAdminServlet: testSetLDAPDest(): connModule null"); + + // authInfo.addPassword(PW_TAG_CA_LDAP_PUBLISHING, pwd); + if (authInfo != null) { + CMS.debug("PublisherAdminServlet: testSetLDAPDest(): adding password to memory cache"); + authInfo.addPassword(prompt, pwd); + } else + CMS.debug("PublisherAdminServlet: testSetLDAPDest(): authInfo null"); + */ + } + //params.add(Constants.PR_SAVE_OK, + // "\n \nConfiguration changes are now committed."); + + mProcessor.shutdown(); + + if (publishcfg.getBoolean(IPublisherProcessor.PROP_ENABLE)) { + mProcessor.startup(); + //params.add("restarted", "Publishing is restarted."); + + if (ldapcfg.getBoolean(IPublisherProcessor.PROP_ENABLE)) { + ICertAuthority authority = (ICertAuthority) mProcessor.getAuthority(); + + if (!(authority instanceof ICertificateAuthority)) + return; + ICertificateAuthority ca = (ICertificateAuthority) authority; + + // publish ca cert + try { + mProcessor.publishCACert(ca.getCACert()); + CMS.debug("PublisherAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_PUB_CA_CERT")); + params.put("publishCA", + "CA certificate is published."); + } catch (Exception ex) { + // exception not thrown - not seen as a fatal error. 
+ log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_NO_PUB_CA_CERT", ex.toString())); + params.put("publishCA", + "Failed to publish CA certificate."); + int index = ex.toString().indexOf("Failed to create CA"); + + if (index > -1) { + params.put("createError", + ex.toString().substring(index)); + } + mProcessor.shutdown(); + // Do you want to enable LDAP publishing anyway + params.put(Constants.PR_SAVE_NOT, + "\n \nIf the problem is not fixed then " + + "the CA certificate won't be published.\n" + + "Do you want to enable LDAP publishing anyway?"); + sendResponse(SUCCESS, null, params, resp); + return; + + } + // publish crl + try { + CMS.debug("PublisherAdminServlet: about to update CRL"); + ca.publishCRLNow(); + CMS.debug(CMS.getLogMessage("ADMIN_SRVLT_PUB_CRL")); + params.put("publishCRL", + "CRL is published."); + } catch (Exception ex) { + // exception not thrown - not seen as a fatal error. + log(ILogger.LL_FAILURE, + "Could not publish crl " + ex.toString()); + params.put("publishCRL", + "Failed to publish CRL."); + mProcessor.shutdown(); + // Do you want to enable LDAP publishing anyway + params.put(Constants.PR_SAVE_NOT, + "\n \nIf the problem is not fixed then " + + "the CRL won't be published.\n" + + "Do you want to enable LDAP publishing anyway?"); + sendResponse(SUCCESS, null, params, resp); + return; + } + } + commit(true); + params.put(Constants.PR_SAVE_OK, + "\n \nConfiguration changes are now committed."); + params.put("restarted", "Publishing is restarted."); + } else { + commit(true); + params.put(Constants.PR_SAVE_OK, + "\n \nConfiguration changes are now committed."); + params.put("stopped", + "Publishing is stopped."); + } + + //XXX See if we can dynamically in B2 + sendResponse(SUCCESS, null, params, resp); + } + + private synchronized void addMapperPlugin(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + String id = req.getParameter(Constants.RS_ID); + + if 
(id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // is the manager id unique? + if (mProcessor.getMapperPlugins().containsKey((Object) id)) { + sendResponse(ERROR, + new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_PLUGIN_ID", id)) + .toString(), + null, resp); + return; + } + + String classPath = req.getParameter(Constants.PR_MAPPER_CLASS); + + if (classPath == null) { + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_NULL_CLASS"), null, resp); + return; + } + + IConfigStore destStore = null; + + destStore = mConfig.getSubStore(mAuth.getId() + ".publish.mapper"); + IConfigStore instancesConfig = destStore.getSubStore("impl"); + + // Does the class exist? + Class newImpl = null; + + try { + newImpl = Class.forName(classPath); + } catch (ClassNotFoundException e) { + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_NO_CLASS"), null, resp); + return; + } catch (IllegalArgumentException e) { + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_NO_CLASS"), null, resp); + return; + } + + // is the class an ILdapMapper? + try { + if (ILdapMapper.class.isAssignableFrom(newImpl) == false) { + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_CLASS", classPath), null, + resp); + return; + } + } catch (NullPointerException e) { // unlikely, only if newImpl null. 
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_CLASS", classPath), null, resp); + return; + } + + IConfigStore substore = instancesConfig.makeSubStore(id); + + substore.put(Constants.PR_MAPPER_CLASS, classPath); + + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + //System.out.println("SRVLT_FAIL_COMMIT"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // add mapper to registry. + MapperPlugin plugin = new MapperPlugin(id, classPath); + + mProcessor.getMapperPlugins().put(id, plugin); + mProcessor.log(ILogger.LL_INFO, + CMS.getLogMessage("ADMIN_SRVLT_MAPPER_ADDED", "")); + + NameValuePairs params = new NameValuePairs(); + + sendResponse(SUCCESS, null, params, resp); + return; + } + + private boolean isValidID(String id) { + if (id == null) + return false; + for (int i = 0; i < id.length(); i++) { + if (!Character.isLetterOrDigit(id.charAt(i))) + return false; + } + return true; + } + + private synchronized void addMapperInst(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + if (!isValidID(id)) { + sendResponse(ERROR, "Invalid ID '" + id + "'", + null, resp); + return; + } + + if (mProcessor.getMapperInsts().containsKey((Object) id)) { + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_INST_ID", id), + null, resp); + return; + } + + // get required parameters + String implname = req.getParameter( + Constants.PR_MAPPER_IMPL_NAME); + + if (implname == null) { + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ADD_MISSING_PARAMS"), null, resp); + return; + } + + // check if implementation exists. 
+ MapperPlugin plugin = + (MapperPlugin) mProcessor.getMapperPlugins().get( + implname); + + if (plugin == null) { + sendResponse( + ERROR, + new EMapperPluginNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_MAPPER_PLUGIN_NOT_FOUND", + implname)).toString(), + null, resp); + return; + } + + Vector configParams = mProcessor.getMapperDefaultParams(implname); + + IConfigStore destStore = mConfig.getSubStore(mAuth.getId() + ".publish.mapper"); + IConfigStore instancesConfig = destStore.getSubStore("instance"); + IConfigStore substore = instancesConfig.makeSubStore(id); + + if (configParams != null) { + for (int i = 0; i < configParams.size(); i++) { + String kv = (String) configParams.elementAt(i); + int index = kv.indexOf('='); + String val = req.getParameter(kv.substring(0, index)); + + if (val == null) { + substore.put(kv.substring(0, index), + kv.substring(index + 1)); + } else { + substore.put(kv.substring(0, index), + val); + } + } + } + substore.put("pluginName", implname); + + // Instantiate an object for this implementation + String className = plugin.getClassPath(); + ILdapMapper mapperInst = null; + + try { + mapperInst = (ILdapMapper) Class.forName(className).newInstance(); + } catch (ClassNotFoundException e) { + // cleanup + instancesConfig.removeSubStore(id); + sendResponse(ERROR, + new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)) + .toString(), + null, resp); + return; + } catch (InstantiationException e) { + instancesConfig.removeSubStore(id); + sendResponse(ERROR, + new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)) + .toString(), + null, resp); + return; + } catch (IllegalAccessException e) { + instancesConfig.removeSubStore(id); + sendResponse(ERROR, + new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)) + .toString(), + null, resp); + return; + } + + // initialize the mapper + try { + mapperInst.init(substore); + } 
catch (EBaseException e) { + // don't commit in this case and cleanup the new substore. + instancesConfig.removeSubStore(id); + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } catch (Throwable e) { + instancesConfig.removeSubStore(id); + sendResponse(ERROR, e.toString(), null, resp); + return; + } + + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + // clean up. + instancesConfig.removeSubStore(id); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // inited and commited ok. now add mapper instance to list. + mProcessor.getMapperInsts().put(id, new MapperProxy(true, mapperInst)); + + mProcessor.log(ILogger.LL_INFO, + CMS.getLogMessage("ADMIN_SRVLT_MAPPER_INST_ADDED", id)); + + NameValuePairs params = new NameValuePairs(); + + params.put(Constants.PR_MAPPER_IMPL_NAME, implname); + sendResponse(SUCCESS, null, params, resp); + return; + } + + private synchronized void listMapperPlugins(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + Enumeration e = mProcessor.getMapperPlugins().keys(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + MapperPlugin value = (MapperPlugin) + mProcessor.getMapperPlugins().get(name); + // get Description + String c = value.getClassPath(); + String desc = "unknown"; + + try { + ILdapMapper lp = (ILdapMapper) + Class.forName(c).newInstance(); + + desc = lp.getDescription(); + } catch (Exception exp) { + sendResponse(ERROR, exp.toString(), null, + resp); + return; + } + params.put(name, value.getClassPath() + "," + desc); + } + sendResponse(SUCCESS, null, params, resp); + return; + } + + public String getMapperPluginName(ILdapMapper mapper) { + IConfigStore cs = mapper.getConfigStore(); + + try { + return cs.getString("pluginName", ""); + } catch (EBaseException e) { + return ""; + } + 
} + + private synchronized void listMapperInsts(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + Enumeration e = mProcessor.getMapperInsts().keys(); + + for (; e.hasMoreElements();) { + String name = e.nextElement(); + ILdapMapper value = mProcessor.getMapperInstance(name); + + params.put(name, getMapperPluginName(value) + ";visible"); + } + sendResponse(SUCCESS, null, params, resp); + return; + } + + private synchronized void delMapperInst(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // does a`mapper instance exist? + if (mProcessor.getMapperInsts().containsKey(id) == false) { + sendResponse( + ERROR, + new EMapperNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_MAPPER_NOT_FOUND", id)).toString(), + null, resp); + return; + } + + // only remove from memory + // cannot shutdown because we don't keep track of whether it's + // being used. + mProcessor.getMapperInsts().remove(id); + + // remove the configuration. 
+ IConfigStore destStore = + mConfig.getSubStore( + mAuth.getId() + ".publish.mapper"); + IConfigStore instancesConfig = destStore.getSubStore("instance"); + + instancesConfig.removeSubStore(id); + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + //System.out.println("SRVLT_FAIL_COMMIT"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + sendResponse(SUCCESS, null, params, resp); + return; + } + + private synchronized void delMapperPlugin(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + if (mProcessor.getMapperPlugins().containsKey(id) == false) { + sendResponse( + ERROR, + new EMapperPluginNotFound(CMS + .getUserMessage(getLocale(req), "CMS_LDAP_MAPPER_PLUGIN_NOT_FOUND", id)).toString(), + null, resp); + return; + } + + // first check if any instances from this mapper + // DON'T remove mapper if any instance + for (Enumeration e = mProcessor.getMapperInsts().keys(); e.hasMoreElements();) { + String name = (String) e.nextElement(); + ILdapMapper mapper = mProcessor.getMapperInstance(name); + + if (id.equals(getMapperPluginName(mapper))) { + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_IN_USE"), null, resp); + return; + } + } + + // then delete this mapper + mProcessor.getMapperPlugins().remove((Object) id); + + IConfigStore destStore = + mConfig.getSubStore( + mAuth.getId() + ".publish.mapper"); + IConfigStore instancesConfig = + destStore.getSubStore("impl"); + + instancesConfig.removeSubStore(id); + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + 
sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + sendResponse(SUCCESS, null, params, resp); + return; + } + + private synchronized void getMapperConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + + String implname = req.getParameter(Constants.RS_ID); + + if (implname == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + Vector configParams = mProcessor.getMapperDefaultParams(implname); + NameValuePairs params = new NameValuePairs(); + + // implName is always required so always send it. + params.put(Constants.PR_MAPPER_IMPL_NAME, ""); + if (configParams != null) { + for (int i = 0; i < configParams.size(); i++) { + String kv = configParams.elementAt(i); + int index = kv.indexOf('='); + + params.put(kv.substring(0, index), + kv.substring(index + 1)); + } + } + sendResponse(0, null, params, resp); + return; + } + + private synchronized void getMapperInstConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // does mapper instance exist? 
+ if (mProcessor.getMapperInsts().containsKey(id) == false) { + sendResponse( + ERROR, + new EMapperNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_MAPPER_NOT_FOUND", id)).toString(), + null, resp); + return; + } + + ILdapMapper mapperInst = (ILdapMapper) + mProcessor.getMapperInstance(id); + Vector configParams = mapperInst.getInstanceParams(); + NameValuePairs params = new NameValuePairs(); + + params.put(Constants.PR_MAPPER_IMPL_NAME, + getMapperPluginName(mapperInst)); + // implName is always required so always send it. + if (configParams != null) { + for (int i = 0; i < configParams.size(); i++) { + String kv = configParams.elementAt(i); + int index = kv.indexOf('='); + + params.put(kv.substring(0, index), + kv.substring(index + 1)); + } + } + + sendResponse(SUCCESS, null, params, resp); + return; + } + + private synchronized void modMapperInst(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // Does the manager instance exist? + if (!mProcessor.getMapperInsts().containsKey((Object) id)) { + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_INST_ID", id), + null, resp); + return; + } + + // get new implementation (same or different.) 
+ String implname = req.getParameter(Constants.PR_MAPPER_IMPL_NAME); + + if (implname == null) { + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ADD_MISSING_PARAMS"), null, resp); + return; + } + // get plugin for implementation + MapperPlugin plugin = + (MapperPlugin) mProcessor.getMapperPlugins().get(implname); + + if (plugin == null) { + sendResponse( + ERROR, + new EMapperPluginNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_MAPPER_PLUGIN_NOT_FOUND", + implname)).toString(), + null, resp); + return; + } + + // save old instance substore params in case new one fails. + + ILdapMapper oldinst = + (ILdapMapper) mProcessor.getMapperInstance(id); + Vector oldConfigParms = oldinst.getInstanceParams(); + NameValuePairs saveParams = new NameValuePairs(); + + // implName is always required so always include it it. + saveParams.put("pluginName", implname); + if (oldConfigParms != null) { + for (int i = 0; i < oldConfigParms.size(); i++) { + String kv = oldConfigParms.elementAt(i); + int index = kv.indexOf('='); + + saveParams.put(kv.substring(0, index), + kv.substring(index + 1)); + } + } + + // on to the new instance. + + // remove old substore. + + IConfigStore destStore = + mConfig.getSubStore(mAuth.getId() + + ".publish.mapper"); + IConfigStore instancesConfig = destStore.getSubStore("instance"); + + // create new substore. 
+ + Vector configParams = mProcessor.getMapperInstanceParams(id); + + instancesConfig.removeSubStore(id); + + IConfigStore substore = instancesConfig.makeSubStore(id); + + substore.put("pluginName", implname); + if (configParams != null) { + for (int i = 0; i < configParams.size(); i++) { + String kv = configParams.elementAt(i); + int index = kv.indexOf('='); + String key = kv.substring(0, index); + String val = req.getParameter(key); + + if (val != null) { + substore.put(key, val); + } + } + } + + // Instantiate an object for new implementation + + String className = plugin.getClassPath(); + ILdapMapper newMgrInst = null; + + try { + newMgrInst = (ILdapMapper) + Class.forName(className).newInstance(); + } catch (ClassNotFoundException e) { + // cleanup + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, + new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)) + .toString(), + null, resp); + return; + } catch (InstantiationException e) { + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, + new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)) + .toString(), + null, resp); + return; + } catch (IllegalAccessException e) { + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, + new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)) + .toString(), + null, resp); + return; + } + // initialize the mapper + + try { + newMgrInst.init(substore); + } catch (EBaseException e) { + // don't commit in this case and cleanup the new substore. + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, e.toString(getLocale(req)), null, + resp); + return; + } catch (Throwable e) { + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, e.toString(), null, + resp); + return; + } + + // initialized ok. commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + // clean up. 
+ restore(instancesConfig, id, saveParams);
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // commited ok. replace instance.
+
+ mProcessor.getMapperInsts().put(id, new MapperProxy(true, newMgrInst));
+
+ mProcessor.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_MAPPER_REPLACED", id));
+ NameValuePairs params = new NameValuePairs();
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void addRulePlugin(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // is the rule id unique?
+ if (mProcessor.getRulePlugins().containsKey((Object) id)) {
+ sendResponse(
+ ERROR,
+ new ELdapException(CMS.getUserMessage("CMS_LDAP_SRVLT_ILL_PLUGIN_ID", id)).toString(getLocale(req)),
+ null, resp);
+ return;
+ }
+
+ String classPath = req.getParameter(Constants.PR_RULE_CLASS);
+
+ if (classPath == null) {
+ sendResponse(ERROR, CMS.getUserMessage("CMS_LDAP_SRVLT_NULL_CLASS"), null, resp);
+ return;
+ }
+
+ IConfigStore destStore = null;
+
+ destStore = mConfig.getSubStore(
+ mAuth.getId() + ".publish.rule");
+ IConfigStore instancesConfig = destStore.getSubStore("impl");
+
+ // Does the class exist?
+ Class newImpl = null;
+
+ try {
+ newImpl = Class.forName(classPath);
+ } catch (ClassNotFoundException e) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_NO_CLASS"), null, resp);
+ return;
+ } catch (IllegalArgumentException e) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_NO_CLASS"), null, resp);
+ return;
+ }
+
+ // is the class an ILdapRule?
+ try {
+ if (ILdapRule.class.isAssignableFrom(newImpl) == false) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_CLASS", classPath), null,
+ resp);
+ return;
+ }
+ } catch (NullPointerException e) { // unlikely, only if newImpl null.
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_CLASS", classPath), null, resp);
+ return;
+ }
+
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ substore.put(Constants.PR_RULE_CLASS, classPath);
+
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // add rule to registry.
+ RulePlugin plugin = new RulePlugin(id, classPath);
+
+ mProcessor.getRulePlugins().put(id, plugin);
+ mProcessor.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_RULE_PLUG_ADDED", id));
+
+ NameValuePairs params = new NameValuePairs();
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void addRuleInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+ if (!isValidID(id)) {
+ sendResponse(ERROR, "Invalid ID '" + id + "'",
+ null, resp);
+ return;
+ }
+
+ if (mProcessor.getRuleInsts().containsKey((Object) id)) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_INST_ID", id),
+ null, resp);
+ return;
+ }
+
+ // get required parameters
+ String implname = req.getParameter(
+ Constants.PR_RULE_IMPL_NAME);
+
+ if (implname == null) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ADD_MISSING_PARAMS"), null, resp);
+ return;
+ }
+
+ // check if implementation exists.
+ RulePlugin plugin =
+ (RulePlugin) mProcessor.getRulePlugins().get(
+ implname);
+
+ if (plugin == null) {
+ sendResponse(
+ ERROR,
+ new EPublisherPluginNotFound(CMS.getUserMessage(getLocale(req),
+ "CMS_LDAP_PUBLISHER_PLUGIN_NOT_FOUND", implname)).toString(),
+ null, resp);
+ return;
+ }
+
+ Vector configParams = mProcessor.getRuleDefaultParams(implname);
+
+ IConfigStore destStore =
+ mConfig.getSubStore(mAuth.getId() +
+ ".publish.rule");
+ IConfigStore instancesConfig =
+ destStore.getSubStore("instance");
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = configParams.elementAt(i);
+ int index = kv.indexOf('=');
+ String val = req.getParameter(kv.substring(0, index));
+
+ if (val == null) {
+ substore.put(kv.substring(0, index),
+ kv.substring(index + 1));
+ } else {
+ if (val.equals(NOMAPPER))
+ val = "";
+ substore.put(kv.substring(0, index),
+ val);
+ }
+ }
+ }
+ substore.put("pluginName", implname);
+
+ // Instantiate an object for this implementation
+ String className = plugin.getClassPath();
+ ILdapRule ruleInst = null;
+
+ try {
+ ruleInst = (ILdapRule) Class.forName(className).newInstance();
+ } catch (ClassNotFoundException e) {
+ // cleanup
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className))
+ .toString(),
+ null, resp);
+ return;
+ } catch (InstantiationException e) {
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className))
+ .toString(),
+ null, resp);
+ return;
+ } catch (IllegalAccessException e) {
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className))
+ .toString(),
+ null, resp);
+ return;
+ }
+
+ // initialize the rule
+ try {
+ ruleInst.init(mProcessor, substore);
+ ruleInst.setInstanceName(id);
+ } catch (EBaseException e) {
+ // don't commit in this case and cleanup the new substore.
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ } catch (Throwable e) {
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR, e.toString(), null, resp);
+ return;
+ }
+
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ // clean up.
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+ // inited and commited ok. now add manager instance to list.
+ mProcessor.getRuleInsts().put(id, ruleInst);
+
+ mProcessor.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_RULE_INST_ADDED", id));
+
+ NameValuePairs params = new NameValuePairs();
+
+ params.put(Constants.PR_RULE_IMPL_NAME, implname);
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void listRulePlugins(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = mProcessor.getRulePlugins().keys();
+
+ while (e.hasMoreElements()) {
+ String name = e.nextElement();
+ RulePlugin value = (RulePlugin)
+ mProcessor.getRulePlugins().get(name);
+ // get Description
+ String c = value.getClassPath();
+ String desc = "unknown";
+
+ try {
+ ILdapRule lp = (ILdapRule)
+ Class.forName(c).newInstance();
+
+ desc = lp.getDescription();
+ } catch (Exception exp) {
+ }
+ params.put(name, value.getClassPath() + "," + desc);
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void listRuleInsts(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = mProcessor.getRuleInsts().keys();
+
+ for (; e.hasMoreElements();) {
+ String name = e.nextElement();
+ ILdapRule value = (ILdapRule)
+ mProcessor.getRuleInsts().get((Object) name);
+ String enabled = value.enabled() ? "enabled" : "disabled";
+
+ params.put(name, value.getInstanceName() + ";visible;" + enabled);
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ public String getRulePluginName(ILdapRule rule) {
+ IConfigStore cs = rule.getConfigStore();
+
+ try {
+ return cs.getString("pluginName", "");
+ } catch (EBaseException e) {
+ return "";
+ }
+ }
+
+ private synchronized void delRulePlugin(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // does rule exist?
+ if (mProcessor.getRulePlugins().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new ERulePluginNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_RULE_PLUGIN_NOT_FOUND", id))
+ .toString(),
+ null, resp);
+ return;
+ }
+
+ // first check if any instances from this rule
+ // DON'T remove rule if any instance
+ for (Enumeration e = mProcessor.getRuleInsts().elements(); e.hasMoreElements();) {
+ ILdapRule rule = e.nextElement();
+
+ if (id.equals(getRulePluginName(rule))) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_IN_USE"), null, resp);
+ return;
+ }
+ }
+
+ // then delete this rule
+ mProcessor.getRulePlugins().remove((Object) id);
+
+ IConfigStore destStore =
+ mConfig.getSubStore(
+ mAuth.getId() + ".rule");
+ IConfigStore instancesConfig = destStore.getSubStore("impl");
+
+ instancesConfig.removeSubStore(id);
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void delRuleInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // prevent deletion of admin and agent.
+
+ // does rule instance exist?
+ if (mProcessor.getRuleInsts().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new ERuleNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_RULE_NOT_FOUND", id)).toString(),
+ null, resp);
+ return;
+ }
+
+ // only remove from memory
+ // cannot shutdown because we don't keep track of whether it's
+ // being used.
+ mProcessor.getRuleInsts().remove(id);
+
+ // remove the configuration.
+ IConfigStore destStore =
+ mConfig.getSubStore(
+ mAuth.getId() + ".publish.rule");
+ IConfigStore instancesConfig = destStore.getSubStore("instance");
+
+ instancesConfig.removeSubStore(id);
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void getRuleConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException, EBaseException {
+ String implname = req.getParameter(Constants.RS_ID);
+
+ if (implname == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ Vector configParams = mProcessor.getRuleDefaultParams(implname);
+ NameValuePairs params = new NameValuePairs();
+
+ // implName is always required so always send it.
+ params.put(Constants.PR_RULE_IMPL_NAME, "");
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+
+ params.put(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+ sendResponse(0, null, params, resp);
+ return;
+ }
+
+ private synchronized void getRuleInstConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // does rule instance exist?
+ if (mProcessor.getRuleInsts().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new ERuleNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_RULE_NOT_FOUND", id)).toString(),
+ null, resp);
+ return;
+ }
+
+ ILdapRule ruleInst = (ILdapRule)
+ mProcessor.getRuleInsts().get(id);
+ Vector configParams = ruleInst.getInstanceParams();
+ NameValuePairs params = new NameValuePairs();
+
+ params.put(Constants.PR_RULE_IMPL_NAME,
+ getRulePluginName(ruleInst));
+ // implName is always required so always send it.
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+
+ params.put(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void modRuleInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // Does the manager instance exist?
+ if (!mProcessor.getRuleInsts().containsKey((Object) id)) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_INST_ID", id),
+ null, resp);
+ return;
+ }
+
+ // get new implementation (same or different.)
+ String implname = req.getParameter(Constants.PR_RULE_IMPL_NAME);
+
+ if (implname == null) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ADD_MISSING_PARAMS"), null, resp);
+ return;
+ }
+
+ // get plugin for implementation
+ RulePlugin plugin =
+ (RulePlugin) mProcessor.getRulePlugins().get(implname);
+
+ if (plugin == null) {
+ sendResponse(ERROR,
+ //new ERulePluginNotFound(implname).toString(getLocale(req)),
+ "",
+ null, resp);
+ return;
+ }
+
+ // save old instance substore params in case new one fails.
+
+ ILdapRule oldinst =
+ (ILdapRule) mProcessor.getRuleInsts().get((Object) id);
+ Vector oldConfigParms = oldinst.getInstanceParams();
+ NameValuePairs saveParams = new NameValuePairs();
+
+ // implName is always required so always include it it.
+ saveParams.put("pluginName", implname);
+ if (oldConfigParms != null) {
+ for (int i = 0; i < oldConfigParms.size(); i++) {
+ String kv = oldConfigParms.elementAt(i);
+ int index = kv.indexOf('=');
+
+ saveParams.put(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+
+ // on to the new instance.
+
+ // remove old substore.
+
+ IConfigStore destStore =
+ mConfig.getSubStore(
+ mAuth.getId() + ".publish.rule");
+ IConfigStore instancesConfig = destStore.getSubStore("instance");
+
+ // create new substore.
+
+ Vector configParams = mProcessor.getRuleDefaultParams(implname);
+
+ instancesConfig.removeSubStore(id);
+
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ substore.put("pluginName", implname);
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = configParams.elementAt(i);
+ int index = kv.indexOf('=');
+ String key = kv.substring(0, index);
+ String val = req.getParameter(key);
+
+ if (val == null) {
+ substore.put(key,
+ kv.substring(index + 1));
+ } else {
+ if (val.equals(NOMAPPER))
+ val = "";
+ substore.put(key, val);
+ }
+ }
+ }
+
+ // Instantiate an object for new implementation
+
+ String className = plugin.getClassPath();
+ ILdapRule newRuleInst = null;
+
+ try {
+ newRuleInst = (ILdapRule) Class.forName(className).newInstance();
+ } catch (ClassNotFoundException e) {
+ // cleanup
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className))
+ .toString(),
+ null, resp);
+ return;
+ } catch (InstantiationException e) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className))
+ .toString(),
+ null, resp);
+ return;
+ } catch (IllegalAccessException e) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className))
+ .toString(),
+ null, resp);
+ return;
+ }
+
+ // initialize the rule
+
+ try {
+ newRuleInst.init(mProcessor, substore);
+ } catch (EBaseException e) {
+ // don't commit in this case and cleanup the new substore.
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ } catch (Throwable e) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR, e.toString(), null, resp);
+ return;
+ }
+
+ // initialized ok. commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ // clean up.
+ restore(instancesConfig, id, saveParams);
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // commited ok. replace instance.
+
+ mProcessor.getRuleInsts().put(id, newRuleInst);
+
+ mProcessor.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_RULE_INST_REP", id));
+ NameValuePairs params = new NameValuePairs();
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void addPublisherPlugin(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // is the manager id unique?
+ if (mProcessor.getPublisherPlugins().containsKey((Object) id)) {
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_PLUGIN_ID", id))
+ .toString(),
+ null, resp);
+ return;
+ }
+
+ String classPath = req.getParameter(Constants.PR_PUBLISHER_CLASS);
+
+ if (classPath == null) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_NULL_CLASS"), null, resp);
+ return;
+ }
+
+ IConfigStore destStore = null;
+
+ destStore = mConfig.getSubStore(
+ mAuth.getId() + ".publish.publisher");
+ IConfigStore instancesConfig = destStore.getSubStore("impl");
+
+ // Does the class exist?
+ Class newImpl = null;
+
+ try {
+ newImpl = Class.forName(classPath);
+ } catch (ClassNotFoundException e) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_NO_CLASS"), null, resp);
+ return;
+ } catch (IllegalArgumentException e) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_NO_CLASS"), null, resp);
+ return;
+ }
+
+ // is the class an ILdapPublisher?
+ try {
+ if (ILdapPublisher.class.isAssignableFrom(newImpl) == false) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_CLASS", classPath), null,
+ resp);
+ return;
+ }
+ } catch (NullPointerException e) { // unlikely, only if newImpl null.
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_CLASS", classPath), null, resp);
+ return;
+ }
+
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ substore.put(Constants.PR_PUBLISHER_CLASS, classPath);
+
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // add publisher to registry.
+ PublisherPlugin plugin = new PublisherPlugin(id, classPath);
+
+ mProcessor.getPublisherPlugins().put(id, plugin);
+ mProcessor.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_PUB_PLUG_ADDED", id));
+
+ NameValuePairs params = new NameValuePairs();
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void addPublisherInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ if (!isValidID(id)) {
+ sendResponse(ERROR, "Invalid ID '" + id + "'",
+ null, resp);
+ return;
+ }
+
+ if (mProcessor.getPublisherInsts().containsKey((Object) id)) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_INST_ID", id),
+ null, resp);
+ return;
+ }
+
+ // get required parameters
+ String implname = req.getParameter(
+ Constants.PR_PUBLISHER_IMPL_NAME);
+
+ if (implname == null) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ADD_MISSING_PARAMS"), null, resp);
+ return;
+ }
+
+ // check if implementation exists.
+ PublisherPlugin plugin =
+ (PublisherPlugin) mProcessor.getPublisherPlugins().get(
+ implname);
+
+ if (plugin == null) {
+ sendResponse(
+ ERROR,
+ new EPublisherPluginNotFound(CMS.getUserMessage(getLocale(req),
+ "CMS_LDAP_PUBLISHER_PLUGIN_NOT_FOUND", implname)).toString(),
+ null, resp);
+ return;
+ }
+
+ Vector configParams = mProcessor.getPublisherDefaultParams(implname);
+
+ IConfigStore destStore =
+ mConfig.getSubStore(mAuth.getId() + ".publish.publisher");
+ IConfigStore instancesConfig = destStore.getSubStore("instance");
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = configParams.elementAt(i);
+ int index = kv.indexOf('=');
+ String val = null;
+
+ if (index == -1) {
+ val = req.getParameter(kv);
+ } else {
+ val = req.getParameter(kv.substring(0, index));
+ }
+ if (val == null) {
+ if (index == -1) {
+ substore.put(kv, "");
+ } else {
+ substore.put(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ } else {
+ if (index == -1) {
+ substore.put(kv, val);
+ } else {
+ substore.put(kv.substring(0, index),
+ val);
+ }
+ }
+ }
+ }
+ substore.put("pluginName", implname);
+
+ // Instantiate an object for this implementation
+ String className = plugin.getClassPath();
+ ILdapPublisher publisherInst = null;
+
+ try {
+ publisherInst = (ILdapPublisher) Class.forName(className).newInstance();
+ } catch (ClassNotFoundException e) {
+ // cleanup
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className))
+ .toString(),
+ null, resp);
+ return;
+ } catch (InstantiationException e) {
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className))
+ .toString(),
+ null, resp);
+ return;
+ } catch (IllegalAccessException e) {
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className))
+ .toString(),
+ null, resp);
+ return;
+ }
+
+ // initialize the publisher
+ try {
+ publisherInst.init(substore);
+ } catch (EBaseException e) {
+ // don't commit in this case and cleanup the new substore.
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ } catch (Throwable e) {
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR, e.toString(), null, resp);
+ return;
+ }
+
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ // clean up.
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // inited and commited ok. now add manager instance to list.
+ mProcessor.getPublisherInsts().put(id, new PublisherProxy(true, publisherInst));
+
+ mProcessor.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_PUB_INST_ADDED", id));
+
+ NameValuePairs params = new NameValuePairs();
+
+ params.put(Constants.PR_PUBLISHER_IMPL_NAME, implname);
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void listPublisherPlugins(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = mProcessor.getPublisherPlugins().keys();
+
+ while (e.hasMoreElements()) {
+ String name = e.nextElement();
+ PublisherPlugin value = (PublisherPlugin)
+ mProcessor.getPublisherPlugins().get(name);
+ // get Description
+ String c = value.getClassPath();
+ String desc = "unknown";
+
+ try {
+ ILdapPublisher lp = (ILdapPublisher)
+ Class.forName(c).newInstance();
+
+ desc = lp.getDescription();
+ } catch (Exception exp) {
+ }
+ params.put(name, value.getClassPath() + "," + desc);
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ public String getPublisherPluginName(ILdapPublisher pub) {
+ IConfigStore cs = pub.getConfigStore();
+
+ try {
+ return cs.getString("pluginName", "");
+ } catch (EBaseException e) {
+ return "";
+ }
+ }
+
+ private synchronized void listPublisherInsts(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = mProcessor.getPublisherInsts().keys();
+
+ for (; e.hasMoreElements();) {
+ String name = e.nextElement();
+ ILdapPublisher value = mProcessor.getPublisherInstance(name);
+
+ if (value == null)
+ continue;
+ params.put(name, getPublisherPluginName(value) + ";visible");
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void delPublisherPlugin(HttpServletRequest req,
+ HttpServletResponse resp, String scope) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // does publisher exist?
+ if (mProcessor.getPublisherPlugins().containsKey(id) == false) {
+ sendResponse(
+ ERROR,
+ new EPublisherPluginNotFound(CMS.getUserMessage(getLocale(req),
+ "CMS_LDAP_PUBLISHER_PLUGIN_NOT_FOUND", id)).toString(),
+ null, resp);
+ return;
+ }
+
+ // first check if any instances from this publisher
+ // DON'T remove publisher if any instance
+ for (Enumeration e = mProcessor.getPublisherInsts().keys(); e.hasMoreElements();) {
+ String name = e.nextElement();
+ ILdapPublisher publisher =
+ mProcessor.getPublisherInstance(name);
+
+ if (id.equals(getPublisherPluginName(publisher))) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_IN_USE"), null, resp);
+ return;
+ }
+ }
+
+ // then delete this publisher
+ mProcessor.getPublisherPlugins().remove((Object) id);
+
+ IConfigStore destStore =
+ mConfig.getSubStore(mAuth.getId() + ".publish.publisher");
+ IConfigStore instancesConfig = destStore.getSubStore("impl");
+
+ instancesConfig.removeSubStore(id);
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void delPublisherInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // prevent deletion of admin and agent.
+
+ // does publisher instance exist?
+ if (mProcessor.getPublisherInsts().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new EPublisherNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_PUBLISHER_NOT_FOUND", id))
+ .toString(),
+ null, resp);
+ return;
+ }
+
+ // only remove from memory
+ // cannot shutdown because we don't keep track of whether it's
+ // being used.
+ mProcessor.getPublisherInsts().remove(id);
+
+ // remove the configuration.
+ IConfigStore destStore =
+ mConfig.getSubStore(mAuth.getId() + ".publish.publisher");
+ IConfigStore instancesConfig = destStore.getSubStore("instance");
+
+ instancesConfig.removeSubStore(id);
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ /**
+ * used for getting the required configuration parameters (with
+ * possible default values) for a particular plugin
+ * implementation name specified in the RS_ID. Actually, there is
+ * no logic in here to set any default value here...there's no
+ * default value for any parameter in this publishing subsystem
+ * at this point. Later, if we do have one (or some), it can be
+ * added. The interface remains the same.
+ */
+ private synchronized void getConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException, EBaseException {
+
+ String implname = req.getParameter(Constants.RS_ID);
+
+ if (implname == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ Vector configParams = mProcessor.getPublisherDefaultParams(implname);
+ NameValuePairs params = new NameValuePairs();
+
+ // implName is always required so always send it.
+ params.put(Constants.PR_PUBLISHER_IMPL_NAME, "");
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+
+ if (index == -1) {
+ params.put(kv, "");
+ } else {
+ params.put(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+ }
+ sendResponse(0, null, params, resp);
+ return;
+ }
+
+ private synchronized void getInstConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // does publisher instance exist?
+ if (mProcessor.getPublisherInsts().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new EPublisherNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_PUBLISHER_NOT_FOUND", id))
+ .toString(),
+ null, resp);
+ return;
+ }
+
+ ILdapPublisher publisherInst = (ILdapPublisher)
+ mProcessor.getPublisherInstance(id);
+ Vector configParams = publisherInst.getInstanceParams();
+ NameValuePairs params = new NameValuePairs();
+
+ params.put(Constants.PR_PUBLISHER_IMPL_NAME,
+ getPublisherPluginName(publisherInst));
+ // implName is always required so always send it.
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+
+ params.put(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ /**
+ * Modify publisher instance.
+ * This will actually create a new instance with new configuration
+ * parameters and replace the old instance, if the new instance
+ * created and initialized successfully.
+ * The old instance is left running. so this is very expensive.
+ * Restart of server recommended.
+ */
+ private synchronized void modPublisherInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+
+ // expensive operation.
+
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // Does the manager instance exist?
+ if (!mProcessor.getPublisherInsts().containsKey((Object) id)) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_INST_ID", id),
+ null, resp);
+ return;
+ }
+
+ // get new implementation (same or different.)
+ String implname = req.getParameter(Constants.PR_PUBLISHER_IMPL_NAME);
+
+ if (implname == null) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ADD_MISSING_PARAMS"), null, resp);
+ return;
+ }
+
+ // get plugin for implementation
+ PublisherPlugin plugin =
+ (PublisherPlugin) mProcessor.getPublisherPlugins().get(implname);
+
+ if (plugin == null) {
+ sendResponse(
+ ERROR,
+ new EPublisherPluginNotFound(CMS.getUserMessage(getLocale(req),
+ "CMS_LDAP_PUBLISHER_PLUGIN_NOT_FOUND", implname)).toString(),
+ null, resp);
+ return;
+ }
+
+ // save old instance substore params in case new one fails.
+
+ ILdapPublisher oldinst = mProcessor.getPublisherInstance(id);
+ Vector oldConfigParms = oldinst.getInstanceParams();
+ NameValuePairs saveParams = new NameValuePairs();
+ String pubType = "";
+
+ // implName is always required so always include it it.
+ saveParams.put("pluginName", implname);
+ if (oldConfigParms != null) {
+ for (int i = 0; i < oldConfigParms.size(); i++) {
+ String kv = (String) oldConfigParms.elementAt(i);
+ int index = kv.indexOf('=');
+ if (index > -1) {
+ if (kv.substring(0, index).equalsIgnoreCase("caObjectClass")) {
+ pubType = "cacert";
+ } else if (kv.substring(0, index).equalsIgnoreCase("crlObjectClass")) {
+ pubType = "crl";
+ }
+
+ saveParams.put(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+ }
+
+ // on to the new instance.
+
+ // remove old substore.
+
+ IConfigStore destStore =
+ mConfig.getSubStore(mAuth.getId() + ".publish.publisher");
+ IConfigStore instancesConfig = destStore.getSubStore("instance");
+
+ // get objects added and deleted
+ if (pubType.equals("cacert")) {
+ saveParams.put("caObjectClassAdded", instancesConfig.getString(id + ".caObjectClassAdded", ""));
+ saveParams.put("caObjectClassDeleted", instancesConfig.getString(id + ".caObjectClassDeleted", ""));
+ } else if (pubType.equals("crl")) {
+ saveParams.put("crlObjectClassAdded", instancesConfig.getString(id + ".crlObjectClassAdded", ""));
+ saveParams.put("crlObjectClassDeleted", instancesConfig.getString(id + ".crlObjectClassDeleted", ""));
+ }
+
+ // create new substore.
+
+ Vector configParams = mProcessor.getPublisherInstanceParams(id);
+
+ instancesConfig.removeSubStore(id);
+
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ substore.put("pluginName", implname);
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+ String key = kv.substring(0, index);
+ String val = req.getParameter(key);
+
+ if (val != null) {
+ substore.put(key, val);
+ }
+ }
+ }
+
+ // process any changes to the ldap object class definitions
+ if (pubType.equals("cacert")) {
+ processChangedOC(saveParams, substore, "caObjectClass");
+ substore.put("pubtype", "cacert");
+ }
+
+ if (pubType.equals("crl")) {
+ processChangedOC(saveParams, substore, "crlObjectClass");
+ substore.put("pubtype", "crl");
+ }
+
+ // Instantiate an object for new implementation
+
+ String className = plugin.getClassPath();
+ ILdapPublisher newMgrInst = null;
+
+ try {
+ newMgrInst = (ILdapPublisher) Class.forName(className).newInstance();
+ } catch (ClassNotFoundException e) {
+ // cleanup
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className))
+ .toString(),
+ null, resp);
+ return;
+ } catch (InstantiationException e) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className))
+ .toString(),
+ null, resp);
+ return;
+ } catch (IllegalAccessException e) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className))
+ .toString(),
+ null, resp);
+ return;
+ }
+
+ // initialize the publisher
+
+ try {
+ newMgrInst.init(substore);
+ } catch (EBaseException e) {
+ // don't commit in this case and cleanup the new substore.
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ } catch (Throwable e) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR, e.toString(), null, resp);
+ return;
+ }
+
+ // initialized ok. commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ // clean up.
+ restore(instancesConfig, id, saveParams);
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // commited ok. replace instance.
+
+ mProcessor.getPublisherInsts().put(id, new PublisherProxy(true, newMgrInst));
+
+ mProcessor.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_PUB_INST_REP", id));
+
+ NameValuePairs params = new NameValuePairs();
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ // convenience function - takes list1, list2. Returns what is in list1
+ // but not in list2
+ private String[] getExtras(String[] list1, String[] list2) {
+ Vector extras = new Vector();
+ for (int i = 0; i < list1.length; i++) {
+ boolean match = false;
+ for (int j = 0; j < list2.length; j++) {
+ if ((list1[i].trim()).equalsIgnoreCase(list2[j].trim())) {
+ match = true;
+ break;
+ }
+ }
+ if (!match)
+ extras.add(list1[i].trim());
+ }
+
+ return (String[]) extras.toArray(new String[extras.size()]);
+ }
+
+ // convenience function - takes list1, list2. Concatenates the two
+ // lists removing duplicates
+ private String[] joinLists(String[] list1, String[] list2) {
+ Vector sum = new Vector();
+ for (int i = 0; i < list1.length; i++) {
+ sum.add(list1[i]);
+ }
+
+ for (int i = 0; i < list2.length; i++) {
+ boolean match = false;
+ for (int j = 0; j < list1.length; j++) {
+ if ((list2[i].trim()).equalsIgnoreCase(list1[j].trim())) {
+ match = true;
+ break;
+ }
+ }
+ if (!match)
+ sum.add(list2[i].trim());
+ }
+
+ return (String[]) sum.toArray(new String[sum.size()]);
+ }
+
+ // convenience funtion. Takes a string array and delimiter
+ // and returns a String with the concatenation
+ private static String join(String[] s, String delimiter) {
+ if (s.length == 0)
+ return "";
+
+ StringBuffer buffer = new StringBuffer(s[0]);
+ if (s.length > 1) {
+ for (int i = 1; i < s.length; i++) {
+ buffer.append(delimiter).append(s[i].trim());
+ }
+ }
+ return buffer.toString();
+ }
+
+ private void processChangedOC(NameValuePairs saveParams, IConfigStore newstore, String objName) {
+ String newOC = null, oldOC = null;
+ String oldAdded = null, oldDeleted = null;
+
+ try {
+ newOC = newstore.getString(objName);
+ } catch (Exception e) {
+ }
+
+ oldOC = saveParams.get(objName);
+ oldAdded = saveParams.get(objName + "Added");
+ oldDeleted = saveParams.get(objName + "Deleted");
+
+ if ((oldOC == null) || (newOC == null))
+ return;
+ if (oldOC.equalsIgnoreCase(newOC))
+ return;
+
+ String[] oldList = oldOC.split(",");
+ String[] newList = newOC.split(",");
+ String[] deletedList = getExtras(oldList, newList);
+ String[] addedList = getExtras(newList, oldList);
+
+ // CMS.debug("addedList = " + join(addedList, ","));
+ // CMS.debug("deletedList = " + join(deletedList, ","));
+
+ if ((addedList.length == 0) && (deletedList.length == 0))
+ return; // no changes
+
+ if (oldAdded != null) {
+ // CMS.debug("oldAdded is " + oldAdded);
+ String[] oldAddedList = oldAdded.split(",");
+ addedList = joinLists(addedList, oldAddedList);
+ }
+
+
if (oldDeleted != null) { + // CMS.debug("oldDeleted is " + oldDeleted); + String[] oldDeletedList = oldDeleted.split(","); + deletedList = joinLists(deletedList, oldDeletedList); + } + + String[] addedList1 = getExtras(addedList, deletedList); + String[] deletedList1 = getExtras(deletedList, addedList); + + //create the final strings and write to config + String addedListStr = join(addedList1, ","); + String deletedListStr = join(deletedList1, ","); + + CMS.debug("processChangedOC: added list is " + addedListStr); + CMS.debug("processChangedOC: deleted list is " + deletedListStr); + + newstore.put(objName + "Added", addedListStr); + newstore.put(objName + "Deleted", deletedListStr); + } + + // convenience routine. + private static void restore(IConfigStore store, + String id, NameValuePairs saveParams) { + store.removeSubStore(id); + IConfigStore rstore = store.makeSubStore(id); + + for (String key : saveParams.keySet()) { + String value = saveParams.get(key); + + if (value != null) + rstore.put(key, value); + } + } + + private String dashes(int len) { + String dashes = "..................................................."; + + if (len <= 0) + return ""; + String new1 = dashes.substring(0, len); + + return new1; + } + + /** + * logs an entry in the log file. + */ + public void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, + ILogger.S_LDAP, level, "PublishingAdminServlet: " + msg); + } +} diff --git a/base/common/src/com/netscape/cms/servlet/admin/RAAdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/RAAdminServlet.java new file mode 100644 index 000000000..5bdb14177 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/admin/RAAdminServlet.java 
@@ -0,0 +1,584 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.admin; + +import java.io.IOException; +import java.util.Enumeration; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.Constants; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.common.OpDef; +import com.netscape.certsrv.common.ScopeDef; +import com.netscape.certsrv.ra.IRegistrationAuthority; +import com.netscape.certsrv.request.IRequestListener; + +/** + * A class representings an administration servlet for Registration + * Authority. This servlet is responsible to serve RA + * administrative operations such as configuration parameter + * updates. 
+ * + * @version $Revision$, $Date$ + */ +public class RAAdminServlet extends AdminServlet { + /** + * + */ + private static final long serialVersionUID = 8417319111438832435L; + + protected static final String PROP_ENABLED = "enabled"; + + /*========================================================== + * variables + *==========================================================*/ + private final static String INFO = "RAAdminServlet"; + private IRegistrationAuthority mRA = null; + + /*========================================================== + * constructors + *==========================================================*/ + + /** + * Constructs RA servlet. + */ + public RAAdminServlet() { + super(); + } + + /*========================================================== + * public methods + *==========================================================*/ + + /** + * Initializes this servlet. + */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + mRA = (IRegistrationAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_RA); + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + /** + * Serves HTTP request. Each request is authenticated to + * the authenticate manager. 
+ */ + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + + //get all operational flags + String op = req.getParameter(Constants.OP_TYPE); + String scope = req.getParameter(Constants.OP_SCOPE); + + //check operational flags + if ((op == null) || (scope == null)) { + sendResponse(1, "Invalid Protocol", null, resp); + return; + } + + //authenticate the user + super.authenticate(req); + + //perform services + try { + AUTHZ_RES_NAME = "certServer.ra.configuration"; + if (op.equals(OpDef.OP_READ)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_GENERAL)) { + readGeneralConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_CONNECTOR)) { + getConnectorConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_NOTIFICATION_REQ_COMP)) { + getNotificationReqCompConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_NOTIFICATION_REV_COMP)) { + getNotificationRevCompConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_NOTIFICATION_RIQ)) { + getNotificationRIQConfig(req, resp); + return; + } else { + sendResponse(1, "Unknown operation", null, resp); + return; + } + } else if (op.equals(OpDef.OP_MODIFY)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_GENERAL)) { + modifyGeneralConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_CONNECTOR)) { + setConnectorConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_NOTIFICATION_REQ_COMP)) { + setNotificationReqCompConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_NOTIFICATION_REV_COMP)) { + 
setNotificationRevCompConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_NOTIFICATION_RIQ)) { + setNotificationRIQConfig(req, resp); + return; + } else { + sendResponse(1, "Unknown operation", null, resp); + return; + } + } + } catch (Exception e) { + //System.out.println("XXX >>>" + e.toString() + "<<<"); + sendResponse(1, "Unknown operation", null, resp); + } + + return; + } + + /*========================================================== + * private methods + *==========================================================*/ + + /* + * handle getting completion (cert issued) notification config info + */ + private void getNotificationCompConfig(HttpServletRequest req, + HttpServletResponse resp, IConfigStore rc) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + params.put(name, rc.getString(name, "")); + } + + params.put(Constants.PR_ENABLE, + rc.getString(PROP_ENABLED, Constants.FALSE)); + //System.out.println("Send: "+params.toString()); + sendResponse(SUCCESS, null, params, resp); + } + + private void getNotificationReqCompConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + IConfigStore config = mRA.getConfigStore(); + IConfigStore nc = + config.getSubStore(IRegistrationAuthority.PROP_NOTIFY_SUBSTORE); + + IConfigStore rc = nc.getSubStore(IRegistrationAuthority.PROP_CERT_ISSUED_SUBSTORE); + + getNotificationCompConfig(req, resp, rc); + + } + + private void getNotificationRevCompConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, 
EBaseException { + + IConfigStore config = mRA.getConfigStore(); + IConfigStore nc = + config.getSubStore(IRegistrationAuthority.PROP_NOTIFY_SUBSTORE); + + IConfigStore rc = nc.getSubStore(IRegistrationAuthority.PROP_CERT_REVOKED_SUBSTORE); + + getNotificationCompConfig(req, resp, rc); + + } + + /* + * handle getting request in queue notification config info + */ + private void getNotificationRIQConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + + IConfigStore config = mRA.getConfigStore(); + IConfigStore nc = + config.getSubStore(IRegistrationAuthority.PROP_NOTIFY_SUBSTORE); + + IConfigStore riq = nc.getSubStore(IRegistrationAuthority.PROP_REQ_IN_Q_SUBSTORE); + + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + params.put(name, riq.getString(name, "")); + } + + params.put(Constants.PR_ENABLE, + riq.getString(PROP_ENABLED, Constants.FALSE)); + //System.out.println("Send: "+params.toString()); + sendResponse(SUCCESS, null, params, resp); + } + + /* + * handle setting request in queue notification config info + */ + private void setNotificationRIQConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + IConfigStore config = mRA.getConfigStore(); + IConfigStore nc = + config.getSubStore(IRegistrationAuthority.PROP_NOTIFY_SUBSTORE); + + IConfigStore riq = nc.getSubStore(IRegistrationAuthority.PROP_REQ_IN_Q_SUBSTORE); + + //set rest of the parameters + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + if 
(name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + String val = req.getParameter(name); + + riq.putString(name, val); + mRA.getRequestInQListener().set(name, val); + } + + // set enable flag + String enabledString = req.getParameter(Constants.PR_ENABLE); + + riq.putString(PROP_ENABLED, enabledString); + mRA.getRequestInQListener().set(PROP_ENABLED, enabledString); + + commit(true); + + sendResponse(SUCCESS, null, null, resp); + } + + /* + * handle setting request complete notification config info + */ + private void setNotificationCompConfig(HttpServletRequest req, + HttpServletResponse resp, IConfigStore rc, IRequestListener thisListener) throws ServletException, + IOException, EBaseException { + //set rest of the parameters + @SuppressWarnings("unchecked") + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + String val = req.getParameter(name); + + rc.putString(name, val); + thisListener.set(name, val); + } + + // set enable flag + String enabledString = req.getParameter(Constants.PR_ENABLE); + + rc.putString(PROP_ENABLED, enabledString); + thisListener.set(PROP_ENABLED, enabledString); + + commit(true); + + sendResponse(SUCCESS, null, null, resp); + } + + private void setNotificationReqCompConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + IConfigStore config = mRA.getConfigStore(); + IConfigStore nc = + config.getSubStore(IRegistrationAuthority.PROP_NOTIFY_SUBSTORE); + + IConfigStore rc = nc.getSubStore(IRegistrationAuthority.PROP_CERT_ISSUED_SUBSTORE); + + setNotificationCompConfig(req, resp, 
rc, mRA.getCertIssuedListener()); + + } + + private void setNotificationRevCompConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + IConfigStore config = mRA.getConfigStore(); + IConfigStore nc = + config.getSubStore(IRegistrationAuthority.PROP_NOTIFY_SUBSTORE); + + IConfigStore rc = nc.getSubStore(IRegistrationAuthority.PROP_CERT_REVOKED_SUBSTORE); + + setNotificationCompConfig(req, resp, rc, mRA.getCertRevokedListener()); + } + + private void getConnectorConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + IConfigStore raConfig = mRA.getConfigStore(); + IConfigStore connectorConfig = raConfig.getSubStore("connector"); + IConfigStore caConnectorConfig = null; + + if (isCAConnector(req)) { + caConnectorConfig = connectorConfig.getSubStore("CA"); + } else if (isRAConnector(req)) { + caConnectorConfig = connectorConfig.getSubStore("RA"); + } else if (isKRAConnector(req)) { + caConnectorConfig = connectorConfig.getSubStore("KRA"); + } + + /* + Enumeration enum = req.getParameterNames(); + NameValuePairs params = new NameValuePairs(); + while (enum.hasMoreElements()) { + String key = (String)enum.nextElement(); + if (key.equals("RS_ID")) { + String val = req.getParameter(key); + if (val.equals("CA Connector")) + } + } + */ + + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + NameValuePairs params = new NameValuePairs(); + + if (caConnectorConfig != null) { + while (enum1.hasMoreElements()) { + String name = enum1.nextElement(); + + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.OP_TYPE)) + continue; + + params.put(name, caConnectorConfig.getString(name, "")); + } + } + sendResponse(SUCCESS, null, params, resp); + } + + private void setConnectorConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + 
IOException, EBaseException { + + IConfigStore raConfig = mRA.getConfigStore(); + IConfigStore connectorConfig = raConfig.getSubStore("connector"); + IConfigStore caConnectorConfig = null; + // String nickname = raConfig.getString("certNickname", ""); + + if (isCAConnector(req)) { + caConnectorConfig = connectorConfig.getSubStore("CA"); + } else if (isRAConnector(req)) { + caConnectorConfig = connectorConfig.getSubStore("RA"); + } else if (isKRAConnector(req)) { + caConnectorConfig = connectorConfig.getSubStore("KRA"); + } + + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + + if (caConnectorConfig != null) { + while (enum1.hasMoreElements()) { + String name = enum1.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + /* + if (name.equals("nickName")) { + caConnectorConfig.putString(name, nickname); + continue; + } + */ + caConnectorConfig.putString(name, req.getParameter(name)); + } + } + + commit(true); + sendResponse(RESTART, null, null, resp); + } + + private boolean isCAConnector(HttpServletRequest req) { + + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + + while (enum1.hasMoreElements()) { + String key = enum1.nextElement(); + + if (key.equals("RS_ID")) { + String val = req.getParameter(key); + + if (val.equals("Certificate Manager Connector")) + return true; + else + return false; + } + } + return false; + } + + private boolean isRAConnector(HttpServletRequest req) { + + @SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + + while (enum1.hasMoreElements()) { + String key = enum1.nextElement(); + + if (key.equals("RS_ID")) { + String val = req.getParameter(key); + + if (val.equals("Registration Manager Connector")) + return true; + else + return false; + } + } + return false; + } + + private boolean isKRAConnector(HttpServletRequest req) { + + 
@SuppressWarnings("unchecked") + Enumeration enum1 = req.getParameterNames(); + + while (enum1.hasMoreElements()) { + String key = enum1.nextElement(); + + if (key.equals("RS_ID")) { + String val = req.getParameter(key); + + if (val.equals("Data Recovery Manager Connector")) + return true; + else + return false; + } + } + return false; + } + + //reading the RA general information + private void readGeneralConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + + /* + ISubsystem eeGateway = + SubsystemRegistry.getInstance().get("eeGateway"); + String value = "false"; + if (eeGateway != null) { + IConfigStore eeConfig = eeGateway.getConfigStore(); + if (eeConfig != null) + value = eeConfig.getString("enabled", "true"); + } + params.add(Constants.PR_EE_ENABLED, value); + */ + + sendResponse(SUCCESS, null, params, resp); + } + + //mdify RA General Information + private void modifyGeneralConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + /* + ISubsystem eeGateway = + SubsystemRegistry.getInstance().get("eeGateway"); + IConfigStore eeConfig = null; + if (eeGateway != null) + eeConfig = eeGateway.getConfigStore(); + + Enumeration enum = req.getParameterNames(); + while (enum.hasMoreElements()) { + String key = (String)enum.nextElement(); + if (key.equals(Constants.PR_EE_ENABLED)) { + if (eeConfig != null) + eeConfig.putString("enabled", + req.getParameter(Constants.PR_EE_ENABLED)); + } + } + + */ + sendResponse(RESTART, null, null, resp); + commit(true); + } +} diff --git a/base/common/src/com/netscape/cms/servlet/admin/RegistryAdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/RegistryAdminServlet.java new file mode 100644 index 000000000..4bebe85d3 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/admin/RegistryAdminServlet.java 
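Review bot: setNotificationRIQConfig, setNotificationCompConfig and setConnectorConfig write every request parameter name except OP_TYPE, RS_ID, OP_SCOPE and PR_ENABLE straight into the configuration substore (`riq.putString(name, val)`, `rc.putString(name, val)`, `caConnectorConfig.putString(name, req.getParameter(name))`) and push it to the listener, so an authorized admin client can create arbitrary keys under the RA notification and connector substores rather than only the documented ones. If the set of valid notification and connector keys is known, a whitelist check before each put would bound this; at minimum the enable flag should be validated, since `req.getParameter(Constants.PR_ENABLE)` can be null and is stored unchecked with `riq.putString(PROP_ENABLED, enabledString)`. Separately, modifyGeneralConfig calls `sendResponse(RESTART, null, null, resp)` before `commit(true)`, so a commit failure is reported to the client as success; swapping those two lines matches the order used by the other modify handlers in this file.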
@@ -0,0 +1,373 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.admin; + +import java.io.IOException; +import java.util.Enumeration; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authority.IAuthority; +import com.netscape.certsrv.common.Constants; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.common.OpDef; +import com.netscape.certsrv.common.ScopeDef; +import com.netscape.certsrv.profile.IPolicyConstraint; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.property.IConfigTemplate; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.registry.IPluginInfo; +import com.netscape.certsrv.registry.IPluginRegistry; + +/** + * This implements the administration servlet for registry subsystem. 
+ * + * @version $Revision$, $Date$ + */ +public class RegistryAdminServlet extends AdminServlet { + /** + * + */ + private static final long serialVersionUID = 2104924641665675578L; + + public final static String PROP_AUTHORITY = "authority"; + + private final static String INFO = "RegistryAdminServlet"; + private final static String PW_PASSWORD_CACHE_ADD = + "PASSWORD_CACHE_ADD"; + + public final static String PROP_PREDICATE = "predicate"; + private IAuthority mAuthority = null; + private IPluginRegistry mRegistry = null; + + // These will be moved to PolicyResources + public static String INVALID_POLICY_SCOPE = "Invalid policy administration scope"; + public static String INVALID_POLICY_IMPL_OP = "Invalid operation for policy implementation management"; + public static String NYI = "Not Yet Implemented"; + public static String INVALID_POLICY_IMPL_CONFIG = "Invalid policy implementation configuration"; + public static String INVALID_POLICY_INSTANCE_CONFIG = "Invalid policy instance configuration"; + public static String MISSING_POLICY_IMPL_ID = "Missing policy impl id in request"; + public static String MISSING_POLICY_IMPL_CLASS = "Missing policy impl class in request"; + public static String INVALID_POLICY_IMPL_ID = "Invalid policy impl id in request"; + public static String MISSING_POLICY_INST_ID = "Missing policy impl id in request"; + public static String INVALID_POLICY_INST_ID = "Invalid policy impl id in request"; + public static String COMMA = ","; + public static String MISSING_POLICY_ORDERING = "Missing policy ordering"; + + /** + * Constructs administration servlet. + */ + public RegistryAdminServlet() { + super(); + } + + /** + * Initializes this servlet. 
+ */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + String authority = config.getInitParameter(PROP_AUTHORITY); + + if (authority != null) + mAuthority = (IAuthority) CMS.getSubsystem(authority); + mRegistry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY); + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + /** + * Serves HTTP admin request. + */ + public void service(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + + super.authenticate(req); + + AUTHZ_RES_NAME = "certServer.registry.configuration"; + String scope = req.getParameter(Constants.OP_SCOPE); + String op = req.getParameter(Constants.OP_TYPE); + + if (scope.equals(ScopeDef.SC_SUPPORTED_CONSTRAINTPOLICIES)) { + if (op.equals(OpDef.OP_READ)) + if (!readAuthorize(req, resp)) + return; + getSupportedConstraintPolicies(req, resp); + } else { + processImplMgmt(req, resp); + } + } + + private boolean readAuthorize(HttpServletRequest req, + HttpServletResponse resp) throws IOException { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return false; + } + return true; + } + + private boolean modifyAuthorize(HttpServletRequest req, + HttpServletResponse resp) throws IOException { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return false; + } + return true; + } + + /** + * Process Policy Implementation Management. 
+ */ + public void processImplMgmt(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get operation type + String op = req.getParameter(Constants.OP_TYPE); + + if (op.equals(OpDef.OP_SEARCH)) { + if (!readAuthorize(req, resp)) + return; + listImpls(req, resp); + } else if (op.equals(OpDef.OP_READ)) { + if (!readAuthorize(req, resp)) + return; + getProfileImplConfig(req, resp); + } else if (op.equals(OpDef.OP_DELETE)) { + if (!modifyAuthorize(req, resp)) + return; + deleteImpl(req, resp); + } else if (op.equals(OpDef.OP_ADD)) { + if (!modifyAuthorize(req, resp)) + return; + addImpl(req, resp); + } else + sendResponse(ERROR, INVALID_POLICY_IMPL_OP, + null, resp); + } + + public void addImpl(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + // Get the policy impl id. + String id = req.getParameter(Constants.RS_ID); + String scope = req.getParameter(Constants.OP_SCOPE); + String classPath = req.getParameter(Constants.PR_POLICY_CLASS); + String desc = req.getParameter(Constants.PR_POLICY_DESC); + + if (id == null) { + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + NameValuePairs nvp = new NameValuePairs(); + + IPluginInfo info = mRegistry.createPluginInfo(id, desc, classPath); + try { + mRegistry.addPluginInfo(scope, id, info); + } catch (Exception e) { + CMS.debug(e.toString()); + } + + sendResponse(SUCCESS, null, nvp, resp); + } + + public void deleteImpl(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + // Get the policy impl id. 
+ String id = req.getParameter(Constants.RS_ID); + String scope = req.getParameter(Constants.OP_SCOPE); + + if (id == null) { + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + IPluginInfo info = mRegistry.getPluginInfo(scope, id); + + if (info == null) { + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + NameValuePairs nvp = new NameValuePairs(); + + try { + mRegistry.removePluginInfo(scope, id); + } catch (Exception e) { + CMS.debug(e.toString()); + } + + sendResponse(SUCCESS, null, nvp, resp); + } + + /** + * Lists all registered profile impementations + */ + public void listImpls(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + String scope = req.getParameter(Constants.OP_SCOPE); + Enumeration impls = mRegistry.getIds(scope); + NameValuePairs nvp = new NameValuePairs(); + + while (impls.hasMoreElements()) { + String id = impls.nextElement(); + IPluginInfo info = mRegistry.getPluginInfo(scope, id); + + nvp.put(id, info.getClassName() + "," + + info.getDescription(getLocale(req)) + "," + info.getName(getLocale(req))); + } + + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getSupportedConstraintPolicies(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, IOException { + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + NameValuePairs nvp = new NameValuePairs(); + + try { + IPluginInfo info = mRegistry.getPluginInfo("defaultPolicy", id); + String className = info.getClassName(); + IPolicyDefault policyDefaultClass = (IPolicyDefault) + Class.forName(className).newInstance(); + + if (policyDefaultClass != null) { + Enumeration impls = mRegistry.getIds("constraintPolicy"); + + while (impls.hasMoreElements()) { + String constraintID = (String) impls.nextElement(); + IPluginInfo constraintInfo = mRegistry.getPluginInfo( + "constraintPolicy", 
constraintID); + IPolicyConstraint policyConstraintClass = (IPolicyConstraint) + Class.forName(constraintInfo.getClassName()).newInstance(); + + CMS.debug("RegistryAdminServlet: getSUpportedConstraint " + constraintInfo.getClassName()); + + if (policyConstraintClass.isApplicable(policyDefaultClass)) { + CMS.debug("RegistryAdminServlet: getSUpportedConstraint isApplicable " + + constraintInfo.getClassName()); + nvp.put(constraintID, + constraintInfo.getClassName() + + "," + + constraintInfo.getDescription(getLocale(req)) + "," + + constraintInfo.getName(getLocale(req))); + } + } + } + } catch (Exception ex) { + CMS.debug("RegistyAdminServlet: getSupportConstraintPolicies: " + ex.toString()); + CMS.debug(ex); + } + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getProfileImplConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + // Get the policy impl id. + String id = req.getParameter(Constants.RS_ID); + String scope = req.getParameter(Constants.OP_SCOPE); + + if (id == null) { + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + IPluginInfo info = mRegistry.getPluginInfo(scope, id); + + if (info == null) { + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + NameValuePairs nvp = new NameValuePairs(); + + String className = info.getClassName(); + IConfigTemplate template = null; + + try { + template = (IConfigTemplate) + Class.forName(className).newInstance(); + } catch (Exception e) { + } + if (template != null) { + Enumeration names = template.getConfigNames(); + + if (names != null) { + while (names.hasMoreElements()) { + String name = names.nextElement(); + CMS.debug("RegistryAdminServlet: getProfileImpl descriptor " + name); + IDescriptor desc = template.getConfigDescriptor(getLocale(req), name); + + if (desc != null) { + try { + String value = + getNonNull(desc.getSyntax()) + + ";" + getNonNull(desc.getConstraint()) + ";" + + 
desc.getDescription(getLocale(req)) + ";" + + getNonNull(desc.getDefaultValue()); + + CMS.debug("RegistryAdminServlet: getProfileImpl " + value); + nvp.put(name, value); + } catch (Exception e) { + + CMS.debug("RegistryAdminServlet: getProfileImpl skipped descriptor for " + name); + } + } else { + CMS.debug("RegistryAdminServlet: getProfileImpl cannot find descriptor for " + name); + } + } + } + } + sendResponse(SUCCESS, null, nvp, resp); + } + + protected String getNonNull(String s) { + if (s == null) + return ""; + return s; + } +} diff --git a/base/common/src/com/netscape/cms/servlet/admin/SystemCertificateResource.java b/base/common/src/com/netscape/cms/servlet/admin/SystemCertificateResource.java new file mode 100644 index 000000000..d4cfcd296 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/admin/SystemCertificateResource.java @@ -0,0 +1,25 @@ +package com.netscape.cms.servlet.admin; + +import javax.ws.rs.GET; +import javax.ws.rs.Path; +import javax.ws.rs.Produces; +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.Response; + +import org.jboss.resteasy.annotations.ClientResponseType; + +import com.netscape.cms.servlet.cert.model.CertificateData; + +@Path("/config/cert") +public interface SystemCertificateResource { + + /** + * Used to retrieve the transport certificate + */ + @GET + @Path("/transport") + @ClientResponseType(entityType=CertificateData.class) + @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, MediaType.TEXT_XML }) + public Response getTransportCert(); + +} \ No newline at end of file diff --git a/base/common/src/com/netscape/cms/servlet/admin/SystemCertificateResourceService.java b/base/common/src/com/netscape/cms/servlet/admin/SystemCertificateResourceService.java new file mode 100644 index 000000000..48f410c73 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/admin/SystemCertificateResourceService.java 
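Review bot: addImpl registers whatever `classPath` arrives in the request (`mRegistry.createPluginInfo(id, desc, classPath)`) without checking that it is non-null or loadable, and swallows any exception from `addPluginInfo` with `CMS.debug(e.toString())` before unconditionally answering SUCCESS, so a failed registration is invisible to the caller; deleteImpl has the same catch-and-succeed shape. Because the registered class name is later fed to `Class.forName(className).newInstance()` in getProfileImplConfig and getSupportedConstraintPolicies, it is worth failing the add request early when the class cannot be loaded (and, where the scope is known, when it is not assignable to the interface it is later cast to, such as IConfigTemplate in getProfileImplConfig), and reporting ERROR on a registry exception; the declared but unused MISSING_POLICY_IMPL_CLASS constant fits the null case. service() also calls `scope.equals(...)` and `op.equals(...)` with no null guard, unlike RAAdminServlet, so a request missing either parameter ends in a NullPointerException instead of an error response.
```java
    public void addImpl(HttpServletRequest req,
            HttpServletResponse resp)
            throws ServletException, IOException {
        // … unchanged: read id, scope, classPath, desc; reject null id …
        if (scope == null || classPath == null) {
            sendResponse(ERROR, MISSING_POLICY_IMPL_CLASS, null, resp);
            return;
        }
        try {
            // fail the add early if the class cannot be loaded; it is instantiated
            // later by getProfileImplConfig / getSupportedConstraintPolicies
            Class.forName(classPath);
            mRegistry.addPluginInfo(scope, id, mRegistry.createPluginInfo(id, desc, classPath));
        } catch (Exception e) {
            CMS.debug(e.toString());
            sendResponse(ERROR, INVALID_POLICY_IMPL_CONFIG, null, resp);
            return;
        }
        sendResponse(SUCCESS, null, new NameValuePairs(), resp);
    }
```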
@@ -0,0 +1,80 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.servlet.admin;
+
+import java.security.cert.CertificateEncodingException;
+
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Request;
+import javax.ws.rs.core.Response;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.security.ITransportKeyUnit;
+import com.netscape.cms.servlet.base.CMSResourceService;
+import com.netscape.cms.servlet.cert.model.CertificateData;
+
+/**
+ * This is the class used to list, retrieve and modify system certificates for all Java subsystems.
+ *
+ * @author alee
+ *
+ */
+public class SystemCertificateResourceService extends CMSResourceService implements SystemCertificateResource {
+
+ @Context
+ Request request;
+
+ /**
+ * Used to retrieve the transport certificate
+ */
+ public Response getTransportCert() {
+ CertificateData cert = null;
+ IKeyRecoveryAuthority kra = null;
+
+ // auth and authz
+
+ kra = (IKeyRecoveryAuthority) CMS.getSubsystem("kra");
+ if (kra == null) {
+ // no KRA
+ throw new WebApplicationException(Response.Status.NOT_FOUND);
+ }
+
+ ITransportKeyUnit tu = kra.getTransportKeyUnit();
+ if (tu == null) {
+ CMS.debug("getTransportCert: transport key unit is null");
+ throw new WebApplicationException(Response.Status.INTERNAL_SERVER_ERROR);
+ }
+ org.mozilla.jss.crypto.X509Certificate transportCert = tu.getCertificate();
+ if (transportCert == null) {
+ CMS.debug("getTransportCert: transport cert is null");
+ throw new WebApplicationException(Response.Status.INTERNAL_SERVER_ERROR);
+ }
+ try {
+ cert = createCertificateData(transportCert);
+ } catch (CertificateEncodingException e) {
+ CMS.debug("getTransportCert: certificate encoding exception with transport cert");
+ e.printStackTrace();
+ throw new WebApplicationException(Response.Status.INTERNAL_SERVER_ERROR);
+ }
+ return sendConditionalGetResponse(DEFAULT_LONG_CACHE_LIFETIME, cert, request);
+ }
+
+}
diff --git a/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
new file mode 100644
index 000000000..e5a6dd3c4
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
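Review bot: The `// auth and authz` comment at the top of getTransportCert in SystemCertificateResourceService is followed by no check at all — the method goes straight to `CMS.getSubsystem("kra")` and returns the certificate to any caller. Serving the transport certificate unauthenticated is plausibly intended (it is the public certificate, not the key), but then the comment should say so, e.g. `// no auth/authz: the transport certificate is public data`; if it is not intended, the check the comment promises has to go here, before the subsystem lookup. Separately, the CertificateEncodingException handler calls `e.printStackTrace()`, which writes to stderr instead of the subsystem log that the surrounding CMS.debug(...) calls use; `CMS.debug(e);` is the form used elsewhere in this commit (RegistryAdminServlet). The injected `Request request` field has no access modifier; `private` would be the usual choice for a @Context field.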
@@ -0,0 +1,2313 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.admin; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateNotYetValidException; +import java.security.cert.X509Certificate; +import java.util.Enumeration; +import java.util.Locale; +import java.util.StringTokenizer; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import netscape.ldap.LDAPException; +import netscape.security.pkcs.PKCS7; +import netscape.security.x509.X509CertImpl; + +import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.crypto.InternalCertificate; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authorization.IAuthzSubsystem; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.ICertPrettyPrint; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.common.Constants; +import com.netscape.certsrv.common.NameValuePairs; +import 
com.netscape.certsrv.common.OpDef; +import com.netscape.certsrv.common.ScopeDef; +import com.netscape.certsrv.logging.AuditFormat; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.password.IPasswordCheck; +import com.netscape.certsrv.usrgrp.EUsrGrpException; +import com.netscape.certsrv.usrgrp.IGroup; +import com.netscape.certsrv.usrgrp.IUGSubsystem; +import com.netscape.certsrv.usrgrp.IUser; +import com.netscape.cmsutil.util.Cert; +import com.netscape.cmsutil.util.Utils; + +/** + * A class representing an administration servlet for + * User/Group Manager. It communicates with client + * SDK to allow remote administration of User/Group + * manager. + * + * This servlet will be registered to remote + * administration subsystem by usrgrp manager. + * + * @version $Revision$, $Date$ + */ +public class UsrGrpAdminServlet extends AdminServlet { + + /** + * + */ + private static final long serialVersionUID = -4341817607402387714L; + private final static String INFO = "UsrGrpAdminServlet"; + private final static String RES_CA_GROUP = "certServer.ca.group"; + private final static String RES_RA_GROUP = "certServer.ra.group"; + private final static String RES_KRA_GROUP = "certServer.kra.group"; + private final static String RES_OCSP_GROUP = "certServer.ocsp.group"; + private final static String RES_TKS_GROUP = "certServer.tks.group"; + private final static String SYSTEM_USER = "$System$"; + // private final static String RES_GROUP = "root.common.goldfish"; + + private final static String BACK_SLASH = "\\"; + + private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE = + "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3"; + + private IUGSubsystem mMgr = null; + + private static String[] mMultiRoleGroupEnforceList = null; + private final static String MULTI_ROLE_ENABLE = "multiroles.enable"; + private final static String MULTI_ROLE_ENFORCE_GROUP_LIST = "multiroles.false.groupEnforceList"; + + /** + * Constructs User/Group manager servlet. 
+ */ + public UsrGrpAdminServlet() { + super(); + mAuthz = (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ); + } + + /** + * Initializes this servlet. + */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + mMgr = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + /** + * Serves incoming User/Group management request. + */ + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + + String scope = super.getParameter(req, Constants.OP_SCOPE); + String op = super.getParameter(req, Constants.OP_TYPE); + + if (op == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_INVALID_PROTOCOL")); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PROTOCOL"), + null, resp); + return; + } + + Locale clientLocale = super.getLocale(req); + + try { + super.authenticate(req); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_FAIL_AUTHS")); + + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHS_FAILED"), + null, resp); + return; + } + + // authorization + // temporary test before servlets are exposed with authtoken + /* + SessionContext sc = SessionContext.getContext(); + AuthToken authToken = (AuthToken) sc.get(SessionContext.AUTH_TOKEN); + + AuthzToken authzTok = null; + CMS.debug("UserGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_CHECK_AUTHZ_SUB")); + // hardcoded for now .. 
just testing + try { + authzTok = mAuthz.authorize("DirAclAuthz", authToken, RES_GROUP, "read"); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_CALL_FAIL",e.toString())); + } + if (AuthzToken.AUTHZ_STATUS_FAIL.equals(authzTok.get(AuthzToken.TOKEN_AUTHZ_STATUS))) { + // audit would have been needed here if this weren't just a test... + + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_FAIL_AUTHS")); + + sendResponse(ERROR, + MessageFormatter.getLocalizedString( + getLocale(req), + AdminResources.class.getName(), + AdminResources.SRVLT_FAIL_AUTHS), + null, resp); + return; + } + */ + + try { + ISubsystem subsystem = CMS.getSubsystem("ca"); + if (subsystem != null) + AUTHZ_RES_NAME = RES_CA_GROUP; + subsystem = CMS.getSubsystem("ra"); + if (subsystem != null) + AUTHZ_RES_NAME = RES_RA_GROUP; + subsystem = CMS.getSubsystem("kra"); + if (subsystem != null) + AUTHZ_RES_NAME = RES_KRA_GROUP; + subsystem = CMS.getSubsystem("ocsp"); + if (subsystem != null) + AUTHZ_RES_NAME = RES_OCSP_GROUP; + subsystem = CMS.getSubsystem("tks"); + if (subsystem != null) + AUTHZ_RES_NAME = RES_TKS_GROUP; + if (scope != null) { + if (scope.equals(ScopeDef.SC_USER_TYPE)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + + getUserType(req, resp); + return; + } + + if (op.equals(OpDef.OP_READ)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_GROUPS)) { + findGroup(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_USERS)) { + findUser(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_USER_CERTS)) { + findUserCerts(req, resp, clientLocale); + return; + } + } else if (op.equals(OpDef.OP_MODIFY)) { + mOp = "modify"; + if 
((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_GROUPS)) { + modifyGroup(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_USERS)) { + modifyUser(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_USER_CERTS)) { + modifyUserCert(req, resp); + return; + } + } else if (op.equals(OpDef.OP_ADD)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_GROUPS)) { + addGroup(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_USERS)) { + addUser(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_USER_CERTS)) { + addUserCert(req, resp); + return; + } + } else if (op.equals(OpDef.OP_DELETE)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_GROUPS)) { + removeGroup(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_USERS)) { + removeUser(req, resp); + return; + } + } else if (op.equals(OpDef.OP_SEARCH)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_GROUPS)) { + findGroups(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_USERS)) { + findUsers(req, resp); + return; + } else { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_INVALID_OP_SCOPE")); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } + } // if + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, e.toString()); + 
sendResponse(ERROR, e.toString(getLocale(req)), + null, resp); + return; + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage(" ADMIN_SRVLT_FAIL_PERFORM")); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_PERFORM_FAILED"), + null, resp); + return; + } + } + + private void getUserType(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String id = super.getParameter(req, Constants.RS_ID); + IUser user = mMgr.getUser(id); + String val = user.getUserType(); + + if (val == null || val.equals("")) + val = "noType"; + NameValuePairs params = new NameValuePairs(); + + params.put(Constants.PR_USER_TYPE, val); + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Searches for users in LDAP directory. List uids only + * + * Request/Response Syntax: + * http://warp.mcom.com/server/certificate/columbo/design/ + * ui/admin-protocol-definition.html#user-admin + */ + private synchronized void findUsers(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + + Enumeration e = null; + + try { + e = mMgr.listUsers("*"); + } catch (Exception ex) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_INTERNAL_ERROR"), null, resp); + return; + } + + StringBuffer sb = new StringBuffer(); + int i = 0; + + while (e.hasMoreElements()) { + IUser user = e.nextElement(); + + if (i > 0) { + sb.append(";"); + sb.append(user.getUserID()); + sb.append(":"); + sb.append(user.getFullName()); + } else { + sb.append(user.getUserID()); + sb.append(":"); + sb.append(user.getFullName()); + } + i++; + } + params.put("userInfo", sb.toString()); + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * List user information. Certificates covered in a separate + * protocol for findUserCerts(). 
List of group memberships are + * also provided. + * + * Request/Response Syntax: + * http://warp.mcom.com/server/certificate/columbo/design/ + * ui/admin-protocol-definition.html#user-admin + */ + private synchronized void findUser(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + //get id first + String id = super.getParameter(req, Constants.RS_ID); + + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + NameValuePairs params = new NameValuePairs(); + + IUser user = null; + + try { + user = mMgr.getUser(id); + } catch (Exception e) { + e.printStackTrace(); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_INTERNAL_ERROR"), null, resp); + return; + } + + if (user != null) { + params.put(Constants.PR_USER_FULLNAME, user.getFullName()); + params.put(Constants.PR_USER_EMAIL, user.getEmail()); + params.put(Constants.PR_USER_PHONE, user.getPhone()); + params.put(Constants.PR_USER_STATE, user.getState()); + + // get list of groups, and get a list of those that this + // uid belongs to + Enumeration e = null; + + try { + e = mMgr.findGroups("*"); + } catch (Exception ex) { + ex.printStackTrace(); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_INTERNAL_ERROR"), null, resp); + return; + } + + StringBuffer grpString = new StringBuffer(); + + while (e.hasMoreElements()) { + IGroup group = e.nextElement(); + + if (group.isMember(id) == true) { + if (grpString.length() != 0) { + grpString.append(","); + } + grpString.append(group.getGroupID()); + } + } + + params.put(Constants.PR_USER_GROUP, grpString.toString()); + + sendResponse(SUCCESS, null, params, resp); + return; + } + + log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_USER_NOT_EXIST")); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), 
"CMS_USRGRP_SRVLT_USER_NOT_EXIST"), null, resp); + return; + } + + /** + * List user certificate(s) + * + * Request/Response Syntax: + * http://warp.mcom.com/server/certificate/columbo/design/ + * ui/admin-protocol-definition.html#user-admin + */ + private synchronized void findUserCerts(HttpServletRequest req, + HttpServletResponse resp, Locale clientLocale) + throws ServletException, + IOException, EBaseException { + + //get id first + String id = super.getParameter(req, Constants.RS_ID); + + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + NameValuePairs params = new NameValuePairs(); + + IUser user = null; + + try { + user = mMgr.getUser(id); + } catch (Exception e) { + e.printStackTrace(); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_USER_NOT_EXIST"), null, resp); + return; + } + + if (user == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_USER_NOT_EXIST")); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_USER_NOT_EXIST"), null, resp); + return; + } + + X509Certificate[] certs = + (X509Certificate[]) user.getX509Certificates(); + + if (certs != null) { + for (int i = 0; i < certs.length; i++) { + ICertPrettyPrint print = CMS.getCertPrettyPrint(certs[i]); + + // add base64 encoding + String base64 = CMS.getEncodedCert(certs[i]); + + // pretty print certs + params.put(getCertificateString(certs[i]), + print.toString(clientLocale) + "\n" + base64); + } + sendResponse(SUCCESS, null, params, resp); + return; + } + + sendResponse(SUCCESS, null, params, resp); + return; + } + + /** + * Converts certificate into string format. 
+ */ + protected String getCertificateString(X509Certificate cert) { + if (cert == null) { + return null; + } + + // note that it did not represent a certificate fully + return cert.getVersion() + ";" + cert.getSerialNumber().toString() + + ";" + cert.getIssuerDN() + ";" + cert.getSubjectDN(); + } + + /** + * Searchess for groups in LDAP server + * + * Request/Response Syntax: + * http://warp.mcom.com/server/certificate/columbo/design/ + * ui/admin-protocol-definition.html#group + */ + private synchronized void findGroups(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + Enumeration e = null; + + try { + e = mMgr.listGroups("*"); + } catch (Exception ex) { + ex.printStackTrace(); + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_INTERNAL_ERROR"), null, resp); + return; + } + + while (e.hasMoreElements()) { + IGroup group = e.nextElement(); + String desc = group.getDescription(); + + if (desc != null) { + params.put(group.getGroupID(), desc); + } else { + params.put(group.getGroupID(), ""); + } + } + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * finds a group + * Request/Response Syntax: + * http://warp.mcom.com/server/certificate/columbo/design/ + * ui/admin-protocol-definition.html#user-admin + */ + private synchronized void findGroup(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + //get id first + String id = super.getParameter(req, Constants.RS_ID); + + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + Enumeration e = null; + + try { + e = mMgr.findGroups(id); + } catch (Exception ex) { + ex.printStackTrace(); + sendResponse(ERROR, 
CMS.getUserMessage(getLocale(req), "CMS_INTERNAL_ERROR"), null, resp); + return; + } + + if (e.hasMoreElements()) { + IGroup group = e.nextElement(); + + params.put(Constants.PR_GROUP_GROUP, group.getGroupID()); + params.put(Constants.PR_GROUP_DESC, + group.getDescription()); + + Enumeration members = group.getMemberNames(); + StringBuffer membersString = new StringBuffer(); + + if (members != null) { + while (members.hasMoreElements()) { + if (membersString.length() != 0) { + membersString.append(", "); + } + + String mn = members.nextElement(); + + membersString.append(mn); + } + } + + params.put(Constants.PR_GROUP_USER, membersString.toString()); + + sendResponse(SUCCESS, null, params, resp); + return; + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_GROUP_NOT_EXIST")); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_GROUP_NOT_EXIST"), null, resp); + return; + + } + } + + /** + * Adds a new user to LDAP server + *

+ * + * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/ + * ui/admin-protocol-definition.html#user-admin + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under + * users/groups) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void addUser(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = super.getParameter(req, Constants.RS_ID); + + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + if (id.indexOf(BACK_SLASH) != -1) { + // backslashes (BS) are not allowed + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_RS_ID_BS")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_RS_ID_BS"), + null, resp); + return; + } + + if (id.equals(SYSTEM_USER)) { + // backslashes (BS) are not allowed + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_SPECIAL_ID", id)); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_SPECIAL_ID", id), 
+ null, resp); + return; + } + + IUser user = mMgr.createUser(id); + String fname = super.getParameter(req, Constants.PR_USER_FULLNAME); + + if ((fname == null) || (fname.length() == 0)) { + String msg = CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED_1", "full name"); + + log(ILogger.LL_FAILURE, msg); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, msg, null, resp); + return; + } else + user.setFullName(fname); + + String email = super.getParameter(req, Constants.PR_USER_EMAIL); + + if (email != null) { + user.setEmail(email); + } else { + user.setEmail(""); + } + String pword = super.getParameter(req, Constants.PR_USER_PASSWORD); + + if (pword != null && !pword.equals("")) { + IPasswordCheck passwdCheck = CMS.getPasswordChecker(); + + if (!passwdCheck.isGoodPassword(pword)) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + throw new EUsrGrpException(passwdCheck.getReason(pword)); + + //UsrGrpResources.BAD_PASSWD); + } + + user.setPassword(pword); + } else { + user.setPassword(""); + } + String phone = super.getParameter(req, Constants.PR_USER_PHONE); + + if (phone != null) { + user.setPhone(phone); + } else { + user.setPhone(""); + } + String userType = super.getParameter(req, Constants.PR_USER_TYPE); + + if (userType != null) { + user.setUserType(userType); + } else { + user.setUserType(""); + } + String userState = super.getParameter(req, Constants.PR_USER_STATE); + + if (userState != null) { + user.setState(userState); + } + + try { + mMgr.addUser(user); + + // if group is specified, add user to group + String groupName = super.getParameter(req, + Constants.PR_USER_GROUP); + + if (groupName != null) { + 
Enumeration e = null; + + try { + e = mMgr.findGroups(groupName); + } catch (Exception ex) { + ex.printStackTrace(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp); + return; + } + + if (e.hasMoreElements()) { + IGroup group = e.nextElement(); + + group.addMemberName(id); + try { + mMgr.modifyGroup(group); + } catch (Exception ex) { + log(ILogger.LL_FAILURE, ex.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp); + return; + } + } + // for audit log + SessionContext sContext = SessionContext.getContext(); + String adminId = (String) sContext.get(SessionContext.USER_ID); + + mLogger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP, + AuditFormat.LEVEL, AuditFormat.ADDUSERGROUPFORMAT, + new Object[] { adminId, id, groupName } + ); + } + + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + } catch (EUsrGrpException e) { + log(ILogger.LL_FAILURE, e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + if (user.getUserID() == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED_1", "uid"), 
null, resp); + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp); + } + return; + } catch (LDAPException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_ADD_USER_FAIL", e.toString())); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp); + return; + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp); + return; + } + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * Adds a 
certificate to a user + *

+ * + * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/ + * ui/admin-protocol-definition.html#user-admin + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under + * users/groups) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void addUserCert(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = super.getParameter(req, Constants.RS_ID); + + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + IUser user = mMgr.createUser(id); + String certS = super.getParameter(req, Constants.PR_USER_CERT); + String certsString = Cert.stripBrackets(certS); + + // no cert is a success + if (certsString == null) { + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + } + + // only one cert added per operation + X509Certificate certs[] = null; + + // Base64 decode cert + + try { + byte bCert[] = Utils.base64decode(certsString); + X509Certificate cert = new X509CertImpl(bCert); + + certs = new X509Certificate[1]; + certs[0] = cert; + } catch (CertificateException e) { + // cert chain direction + boolean assending = true; + + // could it be a pkcs7 blob? 
+ CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_IS_PK_BLOB")); + byte p7Cert[] = Utils.base64decode(certsString); + + try { + CryptoManager manager = CryptoManager.getInstance(); + + PKCS7 pkcs7 = new PKCS7(p7Cert); + + X509Certificate p7certs[] = pkcs7.getCertificates(); + + if (p7certs.length == 0) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_ERROR"), null, resp); + return; + } + // fix for 370099 - cert ordering can not be assumed + // find out the ordering ... + certs = new X509Certificate[p7Cert.length]; + + // self-signed and alone? take it. otherwise test + // the ordering + if (p7certs[0].getSubjectDN().toString().equals( + p7certs[0].getIssuerDN().toString()) && + (p7certs.length == 1)) { + certs[0] = p7certs[0]; + CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_SINGLE_CERT_IMPORT")); + } else if (p7certs[0].getIssuerDN().toString().equals(p7certs[1].getSubjectDN().toString())) { + certs[0] = p7certs[0]; + CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_CHAIN_ACEND_ORD")); + } else if (p7certs[1].getIssuerDN().toString().equals(p7certs[0].getSubjectDN().toString())) { + assending = false; + CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_CHAIN_DESC_ORD")); + certs[0] = p7certs[p7certs.length - 1]; + } else { + // not a chain, or in random order + CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_BAD_CHAIN")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_ERROR"), null, 
resp); + return; + } + + CMS.debug("UsrGrpAdminServlet: " + + CMS.getLogMessage("ADMIN_SRVLT_CHAIN_STORED_DB", String.valueOf(p7certs.length))); + + int j = 0; + int jBegin = 0; + int jEnd = 0; + + if (assending == true) { + jBegin = 1; + jEnd = p7certs.length; + } else { + jBegin = 0; + jEnd = p7certs.length - 1; + } + // store the chain into cert db, except for the user cert + for (j = jBegin; j < jEnd; j++) { + CMS.debug("UsrGrpAdminServlet: " + + CMS.getLogMessage("ADMIN_SRVLT_CERT_IN_CHAIN", String.valueOf(j), + String.valueOf(p7certs[j].getSubjectDN()))); + org.mozilla.jss.crypto.X509Certificate leafCert = + null; + + leafCert = + manager.importCACertPackage(p7certs[j].getEncoded()); + + if (leafCert == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_LEAF_CERT_NULL")); + } else { + CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_LEAF_CERT_NON_NULL")); + } + + if (leafCert instanceof InternalCertificate) { + ((InternalCertificate) leafCert).setSSLTrust( + InternalCertificate.VALID_CA | + InternalCertificate.TRUSTED_CA | + InternalCertificate.TRUSTED_CLIENT_CA); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NOT_INTERNAL_CERT", + String.valueOf(p7certs[j].getSubjectDN()))); + } + } + + /* + } catch (CryptoManager.UserCertConflictException ex) { + // got a "user cert" in the chain, most likely the CA + // cert of this instance, which has a private key. 
Ignore + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_PKS7_IGNORED", ex.toString())); + */ + } catch (Exception ex) { + //----- + log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_ERROR", ex.toString())); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_ERROR"), null, resp); + return; + } + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_O_ERROR", e.toString())); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_O_ERROR"), null, resp); + return; + } + + try { + CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_BEFORE_VALIDITY")); + certs[0].checkValidity(); // throw exception if fails + + user.setX509Certificates(certs); + mMgr.addUserCert(user); + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + + } catch (CertificateExpiredException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_ADD_CERT_EXPIRED", + String.valueOf(certs[0].getSubjectDN()))); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_EXPIRED"), 
null, resp); + return; + } catch (CertificateNotYetValidException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_NOT_YET_VALID", + String.valueOf(certs[0].getSubjectDN()))); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_NOT_YET_VALID"), null, resp); + return; + + } catch (LDAPException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + if (e.getLDAPResultCode() == LDAPException.ATTRIBUTE_OR_VALUE_EXISTS) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_USER_CERT_EXISTS"), null, resp); + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp); + } + return; + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp); + return; + } + // } catch( EBaseException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + 
auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * Removes a certificate for a user + *

+ * + * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/ + * ui/admin-protocol-definition.html#user-admin + *

+ * + * In this method, "certDN" is actually a combination of version, serialNumber, issuerDN, and SubjectDN. + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under + * users/groups) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void modifyUserCert(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = super.getParameter(req, Constants.RS_ID); + + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + IUser user = mMgr.createUser(id); + String certDN = super.getParameter(req, Constants.PR_USER_CERT); + + // no certDN is a success + if (certDN == null) { + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + } + + user.setCertDN(certDN); + try { + mMgr.removeUserCert(user); + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); 
+ + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp); + return; + } + // } catch( EBaseException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * removes a user. user not removed if belongs to any group + * (Administrators should remove the user from "uniquemember" of + * any group he/she belongs to before trying to remove the user + * itself. + *

+ * + * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/ + * ui/admin-protocol-definition.html#user-admin + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under + * users/groups) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void removeUser(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + //get id first + String id = super.getParameter(req, Constants.RS_ID); + boolean mustDelete = false; + int index = 0; + + if ((index = id.lastIndexOf(":true")) != -1) { + id = id.substring(0, index); + mustDelete = true; + } + + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + // get list of groups, and see if uid belongs to any + Enumeration e = null; + + try { + e = mMgr.findGroups("*"); + } catch (Exception ex) { + ex.printStackTrace(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_INTERNAL_ERROR"), null, resp); + return; + } + + while (e.hasMoreElements()) { + IGroup group = (IGroup) e.nextElement(); + + if (group.isMember(id) == true) { + if (mustDelete) { + mMgr.removeUserFromGroup(group, id); + } else { + // store a message in the signed audit log file + auditMessage = 
CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_FAIL_USER_RMV_G"), + null, resp); + return; + } + } + } + + // comes out clean of group membership...now remove user + try { + mMgr.removeUser(id); + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + } catch (Exception ex) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_FAIL_USER_RMV"), null, resp); + return; + } + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled 
later + // throw eAudit3; + } + } + + /** + * Adds a new group in local scope. + *

+ * + * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/ + * ui/admin-protocol-definition.html#group + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under + * users/groups) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void addGroup(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + //get id first + String id = super.getParameter(req, Constants.RS_ID); + + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + IGroup group = mMgr.createGroup(id); + String members = super.getParameter(req, + Constants.PR_GROUP_USER); + String desc = super.getParameter(req, + Constants.PR_GROUP_DESC); + + if (desc != null) { + group.set("description", (Object) desc); + } else { + group.set("description", (Object) ""); + } + + if (members != null) { + StringTokenizer st = new StringTokenizer(members, ","); + + while (st.hasMoreTokens()) { + group.addMemberName(st.nextToken()); + } + } + + // allow adding a group with no members + try { + mMgr.addGroup(group); + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + } catch (Exception e) { + // store a message in 
the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_GROUP_ADD_FAILED"), + null, resp); + return; + } + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * removes a group + *

+ * + * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/ + * ui/admin-protocol-definition.html#group + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under + * users/groups) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void removeGroup(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + //get id first + String id = super.getParameter(req, Constants.RS_ID); + + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // if fails, let the exception fall through + mMgr.removeGroup(id); + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); 
+ + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * modifies a group + *

+ * + * last person of the super power group "Certificate Server Administrators" can never be removed. + *

+ * + * http://warp.mcom.com/server/certificate/columbo/design/ ui/admin-protocol-definition.html#group + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under + * users/groups) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void modifyGroup(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + //get id first + String id = super.getParameter(req, Constants.RS_ID); + + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + IGroup group = mMgr.createGroup(id); + + String desc = super.getParameter(req, + Constants.PR_GROUP_DESC); + + if (desc != null) { + group.set("description", (Object) desc); + } + + String members = super.getParameter(req, Constants.PR_GROUP_USER); + + if (members != null) { + StringTokenizer st = new StringTokenizer(members, ","); + + String groupName = group.getName(); + boolean multiRole = true; + + try { + multiRole = mConfig.getBoolean(MULTI_ROLE_ENABLE); + } catch (Exception eee) { + } + while (st.hasMoreTokens()) { + String memberName = st.nextToken(); + if (multiRole) { + group.addMemberName(memberName); + } else { + if (isGroupInMultiRoleEnforceList(groupName)) { + if (!isDuplicate(groupName, memberName)) { + group.addMemberName(memberName); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + 
auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + throw new EBaseException(CMS.getUserMessage("CMS_BASE_DUPLICATE_ROLES", memberName)); + } + } else { + group.addMemberName(memberName); + } + } + } + } + + // allow adding a group with no members, except "Certificate + // Server Administrators" + try { + mMgr.modifyGroup(group); + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_GROUP_MODIFY_FAILED"), + null, resp); + return; + } + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the 
specific exception to be handled later + // throw eAudit3; + } + } + + private boolean isGroupInMultiRoleEnforceList(String groupName) { + String groupList = null; + + if (groupName == null || groupName.equals("")) { + return true; + } + if (mMultiRoleGroupEnforceList == null) { + try { + groupList = mConfig.getString(MULTI_ROLE_ENFORCE_GROUP_LIST); + } catch (Exception e) { + } + + if (groupList != null && !groupList.equals("")) { + mMultiRoleGroupEnforceList = groupList.split(","); + for (int j = 0; j < mMultiRoleGroupEnforceList.length; j++) { + mMultiRoleGroupEnforceList[j] = mMultiRoleGroupEnforceList[j].trim(); + } + } + } + + if (mMultiRoleGroupEnforceList == null) + return true; + + for (int i = 0; i < mMultiRoleGroupEnforceList.length; i++) { + if (groupName.equals(mMultiRoleGroupEnforceList[i])) { + return true; + } + } + return false; + } + + private boolean isDuplicate(String groupName, String memberName) { + Enumeration groups = null; + + // Let's not mess with users that are already a member of this group + boolean isMember = false; + try { + isMember = mMgr.isMemberOf(memberName, groupName); + } catch (Exception e) { + } + + if (isMember == true) { + return false; + } + try { + groups = mMgr.listGroups("*"); + while (groups.hasMoreElements()) { + IGroup group = groups.nextElement(); + String name = group.getName(); + Enumeration g = mMgr.findGroups(name); + IGroup g1 = g.nextElement(); + if (!name.equals(groupName)) { + if (isGroupInMultiRoleEnforceList(name)) { + Enumeration members = g1.getMemberNames(); + while (members.hasMoreElements()) { + String m1 = members.nextElement(); + if (m1.equals(memberName)) + return true; + } + } + } + } + } catch (Exception e) { + } + + return false; + } + + /** + * Modifies an existing user in local scope. + *

+ * + * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/ + * ui/admin-protocol-definition.html#user-admin + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under + * users/groups) + *
+ * + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void modifyUser(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + //get id first + String id = super.getParameter(req, Constants.RS_ID); + + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + IUser user = mMgr.createUser(id); + String fname = super.getParameter(req, Constants.PR_USER_FULLNAME); + + if ((fname == null) || (fname.length() == 0)) { + String msg = + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED", "full name"); + + log(ILogger.LL_FAILURE, msg); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, msg, null, resp); + return; + } else + user.setFullName(fname); + + String email = super.getParameter(req, Constants.PR_USER_EMAIL); + + if (email != null) { + user.setEmail(email); + } + String pword = super.getParameter(req, Constants.PR_USER_PASSWORD); + + if ((pword != null) && (!pword.equals(""))) { + IPasswordCheck passwdCheck = CMS.getPasswordChecker(); + + if 
(!passwdCheck.isGoodPassword(pword)) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + throw new EUsrGrpException(passwdCheck.getReason(pword)); + + //UsrGrpResources.BAD_PASSWD); + } + + user.setPassword(pword); + } + String phone = super.getParameter(req, Constants.PR_USER_PHONE); + + if (phone != null) { + user.setPhone(phone); + } + + String userState = super.getParameter(req, Constants.PR_USER_STATE); + if (userState != null) { + user.setState(userState); + } + + try { + mMgr.modifyUser(user); + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp); + return; + } + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw 
eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ROLE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_USRGRP, + level, "UsrGrpAdminServlet: " + msg); + } +} diff --git a/base/common/src/com/netscape/cms/servlet/base/CMSResourceService.java b/base/common/src/com/netscape/cms/servlet/base/CMSResourceService.java new file mode 100644 index 000000000..acddba559 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/base/CMSResourceService.java 
@@ -0,0 +1,69 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.base;
+
+import java.security.cert.CertificateEncodingException;
+
+import javax.ws.rs.core.CacheControl;
+import javax.ws.rs.core.EntityTag;
+import javax.ws.rs.core.Request;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.ResponseBuilder;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.cms.servlet.cert.model.CertificateData;
+
+/**
+ * Base class for CMS RESTful resources
+ *
+ * @author alee
+ *
+ */
+public class CMSResourceService {
+public static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----";
+public static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----";
+
+// caching parameters
+protected static final int DEFAULT_LONG_CACHE_LIFETIME = 1000;
+
+protected Response sendConditionalGetResponse(int ctime, Object object, Request request) {
+CacheControl cc = new CacheControl();
+cc.setMaxAge(ctime);
+EntityTag tag = new EntityTag(Integer.toString(object.hashCode()));
+
+ResponseBuilder builder = request.evaluatePreconditions(tag);
+if (builder != null) {
+builder.cacheControl(cc);
+return builder.build();
+}
+
+builder = Response.ok(object);
+builder.cacheControl(cc);
+builder.tag(tag);
+return builder.build();
+}
+
+public CertificateData createCertificateData(org.mozilla.jss.crypto.X509Certificate cert)
+throws CertificateEncodingException {
+CertificateData data = new CertificateData();
+String b64 = HEADER + CMS.BtoA(cert.getEncoded()) + TRAILER;
+data.setB64(b64);
+return data;
+}
+
+}
diff --git a/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java
new file mode 100644
index 000000000..c0931ee2f
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java
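Review bot: `createCertificateData` wraps a certificate's DER in the PKCS#10 request labels `HEADER`/`TRAILER` (`-----BEGIN NEW CERTIFICATE REQUEST-----`), so the `b64` it returns is labelled as a CSR rather than a certificate, and any PEM consumer that keys on the label will reject or misparse it; unless the client side deliberately expects that label, add `public static final String CERT_HEADER = "-----BEGIN CERTIFICATE-----";` and `public static final String CERT_TRAILER = "-----END CERTIFICATE-----";` and build with `String b64 = CERT_HEADER + CMS.BtoA(cert.getEncoded()) + CERT_TRAILER;`, keeping `HEADER`/`TRAILER` for request resources that may already rely on them. Separately, `sendConditionalGetResponse` derives the `EntityTag` from `object.hashCode()`, which is identity-based for classes that do not override it (the tag then changes on every instance and a conditional GET never matches) and is only 32 bits where it is overridden, so two distinct resource states can collide and a client can be told its stale copy is current; a tag derived from the serialized representation or from a version/modification counter is safer. Neither method has Javadoc; a one-line summary with `@param`/`@return` on each, and a note on `DEFAULT_LONG_CACHE_LIFETIME` that the value is in seconds as `CacheControl.setMaxAge` expects, would help.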
@@ -0,0 +1,2294 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.base;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.math.BigInteger;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.Locale;
+import java.util.Random;
+import java.util.StringTokenizer;
+import java.util.Vector;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import netscape.security.pkcs.ContentInfo;
+import netscape.security.pkcs.PKCS7;
+import netscape.security.pkcs.SignerInfo;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.X509CertImpl;
+
+import org.w3c.dom.Node;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.apps.ICommandQueue;
+import com.netscape.certsrv.authentication.AuthToken;
+import com.netscape.certsrv.authentication.IAuthManager;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.authority.IAuthority;
+import com.netscape.certsrv.authority.ICertAuthority;
+import com.netscape.certsrv.authorization.AuthzToken;
+import com.netscape.certsrv.authorization.IAuthzSubsystem;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IArgBlock;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.dbs.certdb.ICertRecord;
+import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.ra.IRegistrationAuthority;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.IRequestQueue;
+import com.netscape.certsrv.usrgrp.IGroup;
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
+import com.netscape.cms.servlet.common.AuthCredentials;
+import com.netscape.cms.servlet.common.CMSFileLoader;
+import com.netscape.cms.servlet.common.CMSGateway;
+import com.netscape.cms.servlet.common.CMSLoadTemplate;
+import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cms.servlet.common.CMSTemplate;
+import com.netscape.cms.servlet.common.CMSTemplateParams;
+import com.netscape.cms.servlet.common.ECMSGWException;
+import com.netscape.cms.servlet.common.GenErrorTemplateFiller;
+import com.netscape.cms.servlet.common.GenPendingTemplateFiller;
+import com.netscape.cms.servlet.common.GenRejectedTemplateFiller;
+import com.netscape.cms.servlet.common.GenSuccessTemplateFiller;
+import com.netscape.cms.servlet.common.GenSvcPendingTemplateFiller;
+import com.netscape.cms.servlet.common.GenUnexpectedErrorTemplateFiller;
+import com.netscape.cms.servlet.common.ICMSTemplateFiller;
+import com.netscape.cms.servlet.common.ServletUtils;
+import com.netscape.cmsutil.util.Utils;
+import com.netscape.cmsutil.xml.XMLObject;
+
+/**
+ * This is the base class of all CS servlet.
+ *
+ * @version $Revision$, $Date$
+ */
+public abstract class CMSServlet extends HttpServlet {
+/**
+ *
+ */
+private static final long serialVersionUID = -3886300199374147160L;
+// servlet init params
+// xxxx todo:Should enforce init param value checking!
+public final static String SUCCESS = "0";
+public final static String FAILURE = "1";
+public final static String AUTH_FAILURE = "2";
+
+public final static String PROP_ID = "ID";
+public final static String PROP_AUTHORITY = "authority";
+public final static String PROP_AUTHMGR = "AuthMgr";
+public final static String PROP_CLIENTAUTH = "GetClientCert";
+public final static String PROP_RESOURCEID = "resourceID";
+
+public final static String AUTHZ_SRC_LDAP = "ldap";
+public final static String AUTHZ_SRC_TYPE = "sourceType";
+public final static String AUTHZ_CONFIG_STORE = "authz";
+public final static String AUTHZ_SRC_XML = "web.xml";
+public final static String PROP_AUTHZ_MGR = "AuthzMgr";
+public final static String PROP_ACL = "ACLinfo";
+public final static String AUTHZ_MGR_BASIC = "BasicAclAuthz";
+public final static String AUTHZ_MGR_LDAP = "DirAclAuthz";
+private final static String FAILED = "1";
+private final static String HDR_LANG = "accept-language";
+
+// final error message - if error and exception templates don't work
+// send out this text string directly to output.
+ + public final static String PROP_FINAL_ERROR_MSG = "finalErrorMsg"; + public final static String ERROR_MSG_TOKEN = "$ERROR_MSG"; + public final static String FINAL_ERROR_MSG = + "\n" + + "\n" + + "

\n" + + "The Certificate System has encountered " + + "an unrecoverable error.\n" + + "

\n" + + "Error Message:
\n" + + "$ERROR_MSG\n" + + "

\n" + + "Please contact your local administrator for assistance.\n" + + "\n" + + "\n"; + + // properties from configuration. + + protected final static String PROP_UNAUTHORIZED_TEMPLATE = "unauthorizedTemplate"; + protected final static String UNAUTHORIZED_TEMPLATE = "/GenUnauthorized.template"; + protected final static String PROP_SUCCESS_TEMPLATE = "successTemplate"; + protected final static String SUCCESS_TEMPLATE = "/GenSuccess.template"; + protected final static String PROP_PENDING_TEMPLATE = "pendingTemplate"; + protected final static String PENDING_TEMPLATE = "/GenPending.template"; + protected final static String PROP_SVC_PENDING_TEMPLATE = "svcpendingTemplate"; + protected final static String SVC_PENDING_TEMPLATE = "/GenSvcPending.template"; + protected final static String PROP_REJECTED_TEMPLATE = "rejectedTemplate"; + protected final static String REJECTED_TEMPLATE = "/GenRejected.template"; + protected final static String PROP_ERROR_TEMPLATE = "errorTemplate"; + protected final static String ERROR_TEMPLATE = "/GenError.template"; + protected final static String PROP_EXCEPTION_TEMPLATE = "unexpectedErrorTemplate"; + protected final static String EXCEPTION_TEMPLATE = "/GenUnexpectedError.template"; + + private final static String PROP_UNAUTHOR_TEMPLATE_FILLER = "unauthorizedTemplateFiller"; + protected final static String PROP_SUCCESS_TEMPLATE_FILLER = "successTemplateFiller"; + private final static String PROP_ERROR_TEMPLATE_FILLER = "errorTemplateFiller"; + private final static String PROP_PENDING_TEMPLATE_FILLER = "pendingTemplateFiller"; + private final static String PROP_SVC_PENDING_TEMPLATE_FILLER = "svcpendingTemplateFiller"; + private final static String PROP_REJECTED_TEMPLATE_FILLER = "rejectedTemplateFiller"; + private final static String PROP_EXCEPTION_TEMPLATE_FILLER = "exceptionTemplateFiller"; + + protected final static String RA_AGENT_GROUP = "Registration Manager Agents"; + protected final static String CA_AGENT_GROUP = "Certificate Manager 
Agents"; + protected final static String KRA_AGENT_GROUP = "Data Recovery Manager Agents"; + protected final static String OCSP_AGENT_GROUP = "Online Certificate Status Manager Agents"; + protected final static String TRUSTED_RA_GROUP = "Trusted Managers"; + protected final static String ADMIN_GROUP = "Administrators"; + + // default http params NOT to save in request.(config values added to list ) + private static final String PROP_DONT_SAVE_HTTP_PARAMS = "dontSaveHttpParams"; + private static final String[] DONT_SAVE_HTTP_PARAMS = { "pwd", "password", "passwd", + "challengePassword", "confirmChallengePassword" }; + + // default http headers to save in request. (config values added to list) + private static final String PROP_SAVE_HTTP_HEADERS = "saveHttpHeaders"; + private static final String[] SAVE_HTTP_HEADERS = { "accept-language", "user-agent", }; + + // request prefixes to distinguish from other request attributes. + public static final String PFX_HTTP_HEADER = "HTTP_HEADER"; + public static final String PFX_HTTP_PARAM = "HTTP_PARAM"; + public static final String PFX_AUTH_TOKEN = "AUTH_TOKEN"; + + /* input http params */ + protected final static String AUTHMGR_PARAM = "authenticator"; + + /* fixed credential passed to auth managers */ + protected final static String CERT_AUTH_CRED = "sslClientCert"; + + public static final String CERT_ATTR = + "javax.servlet.request.X509Certificate"; + + // members. + + protected boolean mRenderResult = true; + protected String mFinalErrorMsg = FINAL_ERROR_MSG; + protected Hashtable mTemplates = new Hashtable(); + + protected ServletConfig mServletConfig = null; + protected ServletContext mServletContext = null; + private CMSFileLoader mFileLoader = null; + + protected Vector mDontSaveHttpParams = new Vector(); + protected Vector mSaveHttpHeaders = new Vector(); + + protected String mId = null; + protected IConfigStore mConfig = null; + + // the authority, RA, CA, KRA this servlet is serving. 
+ protected IAuthority mAuthority = null; + protected IRequestQueue mRequestQueue = null; + + // system logger. + protected ILogger mLogger = CMS.getLogger(); + protected int mLogCategory = ILogger.S_OTHER; + private MessageDigest mSHADigest = null; + + protected String mGetClientCert = "false"; + protected String mAuthMgr = null; + protected IAuthzSubsystem mAuthz = null; + + protected String mAclMethod = null; + protected String mAuthzResourceName = null; + + protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + protected String mOutputTemplatePath = null; + private IUGSubsystem mUG = (IUGSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_UG); + + private final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL = + "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4"; + private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS = + "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3"; + private final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL = + "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4"; + private final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS = + "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4"; + private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = + "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; + + public CMSServlet() { + } + + public static Hashtable toHashtable(HttpServletRequest req) { + Hashtable httpReqHash = new Hashtable(); + Enumeration names = req.getParameterNames(); + + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + httpReqHash.put(name, req.getParameter(name)); + } + return httpReqHash; + } + + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + mAuthz = (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ); + mId = sc.getInitParameter(PROP_ID); + + try { + mAclMethod = ServletUtils.initializeAuthz(sc, mAuthz, mId); + } catch (ServletException e) { + log(ILogger.LL_FAILURE, e.toString()); + throw e; + } + + mConfig = CMS.getConfigStore().getSubStore(CMSGateway.PROP_CMSGATEWAY); + mServletConfig = sc; + 
mServletContext = sc.getServletContext(); + mFileLoader = new CMSFileLoader(); + + mGetClientCert = sc.getInitParameter(PROP_CLIENTAUTH); + mAuthMgr = sc.getInitParameter(PROP_AUTHMGR); + mAuthzResourceName = sc.getInitParameter(PROP_RESOURCEID); + mOutputTemplatePath = sc.getInitParameter("templatePath"); + + String authority = sc.getInitParameter(PROP_AUTHORITY); + + if (authority != null) + mAuthority = (IAuthority) + CMS.getSubsystem(authority); + if (mAuthority != null) + mRequestQueue = mAuthority.getRequestQueue(); + + // set default templates. + setDefaultTemplates(sc); + + // for logging to the right authority category. + if (mAuthority == null) { + mLogCategory = ILogger.S_OTHER; + } else { + if (mAuthority instanceof ICertificateAuthority) + mLogCategory = ILogger.S_CA; + else if (mAuthority instanceof IRegistrationAuthority) + mLogCategory = ILogger.S_RA; + else if (mAuthority instanceof IKeyRecoveryAuthority) + mLogCategory = ILogger.S_KRA; + else + mLogCategory = ILogger.S_OTHER; + } + + try { + // get final error message. + // used when templates can't even be loaded. + String eMsg = + sc.getInitParameter(PROP_FINAL_ERROR_MSG); + + if (eMsg != null) + mFinalErrorMsg = eMsg; + + // get any configured templates. + Enumeration templs = mTemplates.elements(); + + while (templs.hasMoreElements()) { + CMSLoadTemplate templ = (CMSLoadTemplate) templs.nextElement(); + + if (templ == null || templ.mPropName == null) { + continue; + } + String tName = + sc.getInitParameter(templ.mPropName); + + if (tName != null) + templ.mTemplateName = tName; + String fillerName = + sc.getInitParameter(templ.mFillerPropName); + + if (fillerName != null) { + ICMSTemplateFiller filler = newFillerObject(fillerName); + + if (filler != null) + templ.mFiller = filler; + } + } + + // get http params NOT to store in a IRequest and + // get http headers TO store in a IRequest. 
+ getDontSaveHttpParams(sc); + getSaveHttpHeaders(sc); + } catch (Exception e) { + // should never occur since we provide defaults above. + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_CONF_TEMP_PARAMS", + e.toString())); + throw new ServletException(e.toString()); + } + + try { + mSHADigest = MessageDigest.getInstance("SHA1"); + } catch (NoSuchAlgorithmException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_CONF_TEMP_PARAMS", + e.toString())); + throw new ServletException(e.toString()); + } + } + + public String getId() { + return mId; + } + + public String getAuthMgr() { + return mAuthMgr; + } + + public boolean isClientCertRequired() { + if (mGetClientCert != null && mGetClientCert.equals("true")) + return true; + else + return false; + } + + public void outputHttpParameters(HttpServletRequest httpReq) { + CMS.debug("CMSServlet:service() uri = " + httpReq.getRequestURI()); + Enumeration paramNames = httpReq.getParameterNames(); + while (paramNames.hasMoreElements()) { + String pn = (String) paramNames.nextElement(); + // added this facility so that password can be hidden, + // all sensitive parameters should be prefixed with + // __ (double underscores); however, in the event that + // a security parameter slips through, we perform multiple + // additional checks to insure that it is NOT displayed + if (pn.startsWith("__") || + pn.endsWith("password") || + pn.endsWith("passwd") || + pn.endsWith("pwd") || + pn.equalsIgnoreCase("admin_password_again") || + pn.equalsIgnoreCase("directoryManagerPwd") || + pn.equalsIgnoreCase("bindpassword") || + pn.equalsIgnoreCase("bindpwd") || + pn.equalsIgnoreCase("passwd") || + pn.equalsIgnoreCase("password") || + pn.equalsIgnoreCase("pin") || + pn.equalsIgnoreCase("pwd") || + pn.equalsIgnoreCase("pwdagain") || + pn.startsWith("p12Password") || + pn.equalsIgnoreCase("uPasswd")) { + CMS.debug("CMSServlet::service() param name='" + pn + + "' value='(sensitive)'"); + } else { + 
CMS.debug("CMSServlet::service() param name='" + pn + + "' value='" + httpReq.getParameter(pn) + "'"); + } + } + } + + public void service(HttpServletRequest httpReq, + HttpServletResponse httpResp) + throws ServletException, IOException { + + boolean running_state = CMS.isInRunningState(); + + if (!running_state) + throw new IOException( + "CS server is not ready to serve."); + + try { + if (CMS.getConfigStore().getBoolean("useThreadNaming", false)) { + String currentName = Thread.currentThread().getName(); + + Thread.currentThread().setName(currentName + "-" + httpReq.getServletPath()); + } + } catch (Exception e) { + } + + httpReq.setCharacterEncoding("UTF-8"); + + if (CMS.debugOn()) { + outputHttpParameters(httpReq); + } + CMS.debug("CMSServlet: " + mId + " start to service."); + + // get a cms request + CMSRequest cmsRequest = newCMSRequest(); + + // set argblock + cmsRequest.setHttpParams(CMS.createArgBlock("http-request-params", toHashtable(httpReq))); + + // set http request + cmsRequest.setHttpReq(httpReq); + + // set http response + cmsRequest.setHttpResp(httpResp); + + // set servlet config. + cmsRequest.setServletConfig(mServletConfig); + + // set servlet context. + cmsRequest.setServletContext(mServletContext); + + IArgBlock httpArgs = cmsRequest.getHttpParams(); + + // authenticator value from http overrides the value in web.xml. + String authMgr_http = httpArgs.getValueAsString(AUTHMGR_PARAM, null); + + if (authMgr_http != null) { + mAuthMgr = authMgr_http; + } else { + mAuthMgr = mServletConfig.getInitParameter(PROP_AUTHMGR); + } + + // process request. 
+ ICommandQueue iCommandQueue = CMS.getCommandQueue(); + + try { + if (iCommandQueue.registerProcess(cmsRequest, this) == false) { + cmsRequest.setStatus(CMSRequest.ERROR); + renderResult(cmsRequest); + SessionContext.releaseContext(); + return; + } + long startTime = CMS.getCurrentDate().getTime(); + process(cmsRequest); + renderResult(cmsRequest); + Date endDate = CMS.getCurrentDate(); + long endTime = endDate.getTime(); + if (CMS.debugOn()) { + CMS.debug(CMS.DEBUG_INFORM, "CMSServlet: curDate=" + + endDate + " id=" + mId + " time=" + (endTime - startTime)); + } + iCommandQueue.unRegisterProccess((Object) cmsRequest, (Object) this); + } catch (EBaseException e) { + iCommandQueue.unRegisterProccess((Object) cmsRequest, (Object) this); + // ByteArrayOutputStream os = new ByteArrayOutputStream(); for debugging only + // PrintStream ps = new PrintStream(os); + //e.printStackTrace(ps); + log(e.toString()); + renderException(cmsRequest, e); + } catch (Exception ex) { + iCommandQueue.unRegisterProccess((Object) cmsRequest, (Object) this); + ByteArrayOutputStream os = new ByteArrayOutputStream(); + PrintStream ps = new PrintStream(os); + + ex.printStackTrace(ps); + log(os.toString()); + renderFinalError(cmsRequest, ex); + } + + // destroy SessionContext + SessionContext.releaseContext(); + + return; + } + + /** + * Create a new CMSRequest object. This should be overriden by servlets + * implementing different types of request + * + * @return a new CMSRequest object + */ + protected CMSRequest newCMSRequest() { + return new CMSRequest(); + } + + /** + * process an HTTP request. Servlets must override this with their + * own implementation + * + * @throws EBaseException if the servlet was unable to satisfactorily + * process the request + */ + protected void process(CMSRequest cmsRequest) + throws EBaseException { + } + + /** + * Output a template. + * If an error occurs while outputing the template the exception template + * is used to display the error. 
+ * + * @param cmsReq the CS request + */ + protected void renderResult(CMSRequest cmsReq) + throws IOException { + + if (!mRenderResult) + return; + Integer status = cmsReq.getStatus(); + + CMSLoadTemplate ltempl = (CMSLoadTemplate) mTemplates.get(status); + + if (ltempl == null || ltempl.mTemplateName == null) { + // result is previously outputed. + return; + } + ICMSTemplateFiller filler = ltempl.mFiller; + + renderTemplate(cmsReq, ltempl.mTemplateName, filler); + } + + private static final String PRESERVED = "preserved"; + public static final String TEMPLATE_NAME = "templateName"; + + protected void outputArgBlockAsXML(XMLObject xmlObj, Node parent, + String argBlockName, IArgBlock argBlock) { + Node argBlockContainer = xmlObj.createContainer(parent, argBlockName); + + if (argBlock != null) { + Enumeration names = argBlock.getElements(); + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + String val = argBlock.get(name).toString(); + val = val.trim(); + xmlObj.addItemToContainer(argBlockContainer, name, val); + } + } + } + + protected void outputXML(HttpServletResponse httpResp, CMSTemplateParams params) { + XMLObject xmlObj = null; + try { + xmlObj = new XMLObject(); + + Node root = xmlObj.createRoot("xml"); + outputArgBlockAsXML(xmlObj, root, "header", params.getHeader()); + outputArgBlockAsXML(xmlObj, root, "fixed", params.getFixed()); + + Enumeration records = params.queryRecords(); + Node recordsNode = xmlObj.createContainer(root, "records"); + if (records != null) { + while (records.hasMoreElements()) { + IArgBlock record = (IArgBlock) records.nextElement(); + outputArgBlockAsXML(xmlObj, recordsNode, "record", record); + } + } + + byte[] cb = xmlObj.toByteArray(); + OutputStream os = httpResp.getOutputStream(); + httpResp.setContentType("application/xml"); + httpResp.setContentLength(cb.length); + os.write(cb); + os.flush(); + } catch (Exception e) { + CMS.debug("failed in outputing XML " + e); + } + } + + protected void 
renderTemplate( + CMSRequest cmsReq, String templateName, ICMSTemplateFiller filler) + throws IOException { + try { + IArgBlock httpParams = cmsReq.getHttpParams(); + + Locale[] locale = new Locale[1]; + CMSTemplate template = + getTemplate(templateName, cmsReq.getHttpReq(), locale); + CMSTemplateParams templateParams = null; + + if (filler != null) { + templateParams = filler.getTemplateParams( + cmsReq, mAuthority, locale[0], null); + } + + // just output arg blocks as XML + CMS.debug("CMSServlet.java: renderTemplate"); + String xmlOutput = cmsReq.getHttpReq().getParameter("xml"); + if (xmlOutput != null && xmlOutput.equals("true")) { + CMS.debug("CMSServlet.java: xml parameter detected, returning xml"); + outputXML(cmsReq.getHttpResp(), templateParams); + return; + } + + if (httpParams != null) { + String httpTemplateName = + httpParams.getValueAsString( + TEMPLATE_NAME, null); + + if (httpTemplateName != null) { + templateName = httpTemplateName; + } + } + + if (templateParams == null) + templateParams = new CMSTemplateParams(null, null); + + // #359630 + // inject preserved http parameter into the template + if (httpParams != null) { + String preserved = httpParams.getValueAsString( + PRESERVED, null); + + if (preserved != null) { + IArgBlock fixed = templateParams.getFixed(); + + if (fixed != null) { + fixed.set(PRESERVED, preserved); + } + } + } + + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + + template.renderOutput(bos, templateParams); + cmsReq.getHttpResp().setContentType("text/html"); + cmsReq.getHttpResp().setContentLength(bos.size()); + bos.writeTo(cmsReq.getHttpResp().getOutputStream()); + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_OUT_TEMPLATE", templateName, e.toString())); + renderException(cmsReq, + new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE"))); + return; + } + } + + /** + * Output exception (unexpected error) template + * This is different from other templates in that 
if an exception occurs + * while rendering the exception a message is printed out directly. + * If the message gets an error an IOException is thrown. + * In others if an exception occurs while rendering the template the + * exception template (this) is called. + *

+ * + * @param cmsReq the CS request to pass to template filler if any. + * @param e the unexpected exception + */ + protected void renderException(CMSRequest cmsReq, EBaseException e) + throws IOException { + try { + Locale[] locale = new Locale[1]; + CMSLoadTemplate loadTempl = + (CMSLoadTemplate) mTemplates.get(CMSRequest.EXCEPTION); + CMSTemplate template = getTemplate(loadTempl.mTemplateName, + cmsReq.getHttpReq(), locale); + ICMSTemplateFiller filler = loadTempl.mFiller; + CMSTemplateParams templateParams = null; + + // When an exception occurs the exit is non-local which probably + // will leave the requestStatus value set to something other + // than CMSRequest.EXCEPTION, so force the requestStatus to + // EXCEPTION since it must be that if we're here. + cmsReq.setStatus(CMSRequest.EXCEPTION); + + if (filler != null) { + templateParams = filler.getTemplateParams( + cmsReq, mAuthority, locale[0], e); + } + if (templateParams == null) { + templateParams = new CMSTemplateParams(null, CMS.createArgBlock()); + } + if (e != null) { + templateParams.getFixed().set( + ICMSTemplateFiller.EXCEPTION, e.toString(locale[0])); + } + + // just output arg blocks as XML + CMS.debug("CMSServlet.java: renderTemplate"); + String xmlOutput = cmsReq.getHttpReq().getParameter("xml"); + if (xmlOutput != null && xmlOutput.equals("true")) { + CMS.debug("CMSServlet.java: xml parameter detected, returning xml"); + outputXML(cmsReq.getHttpResp(), templateParams); + return; + } + + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + + template.renderOutput(bos, templateParams); + cmsReq.getHttpResp().setContentType("text/html"); + cmsReq.getHttpResp().setContentLength(bos.size()); + bos.writeTo(cmsReq.getHttpResp().getOutputStream()); + } catch (Exception ex) { + renderFinalError(cmsReq, ex); + } + } + + public void renderFinalError(CMSRequest cmsReq, Exception ex) + throws IOException { + // this template is the last resort for all other unexpected + // errors in other templates 
so we can only output text. + HttpServletResponse httpResp = cmsReq.getHttpResp(); + + httpResp.setContentType("text/html"); + ServletOutputStream out = httpResp.getOutputStream(); + + // replace $ERRORMSG with exception message if included. + String finalErrMsg = mFinalErrorMsg; + int tokenIdx = mFinalErrorMsg.indexOf(ERROR_MSG_TOKEN); + + if (tokenIdx != -1) { + finalErrMsg = + mFinalErrorMsg.substring(0, tokenIdx) + + ex.toString() + + mFinalErrorMsg.substring( + tokenIdx + ERROR_MSG_TOKEN.length()); + } + out.println(finalErrMsg); + return; + } + + /** + * Invalidates a SSL Session. So client auth will happen again. + */ + protected static void invalidateSSLSession(HttpServletRequest httpReq) { + + /* + try { + s = (SSLSocket) ((HTTPRequest) httpReq).getConnection().getSocket(); + } catch (ClassCastException e) { + CMS.getLogger().log( + ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_WARN, + CMS.getLogMessage("CMSGW_SSL_NO_INVALIDATE")); + // ignore. + return; + } + try { + s.invalidateSession(); + s.resetHandshake(); + }catch (SocketException se) { + } + */ + return; + } + + /** + * construct a authentication credentials to pass into authentication + * manager. + */ + public static AuthCredentials getAuthCreds( + IAuthManager authMgr, IArgBlock argBlock, X509Certificate clientCert) + throws EBaseException { + // get credentials from http parameters. 
+ String[] reqCreds = authMgr.getRequiredCreds(); + AuthCredentials creds = new AuthCredentials(); + + for (int i = 0; i < reqCreds.length; i++) { + String reqCred = reqCreds[i]; + + if (reqCred.equals(IAuthManager.CRED_SSL_CLIENT_CERT)) { + // cert could be null; + creds.set(reqCred, new X509Certificate[] { clientCert } + ); + } else { + String value = argBlock.getValueAsString(reqCred); + + creds.set(reqCred, value); // value could be null; + } + } + // Inserted by bskim + creds.setArgBlock(argBlock); + // Insert end + return creds; + } + + /** + * get ssl client authenticated certificate + */ + protected X509Certificate + getSSLClientCertificate(HttpServletRequest httpReq) + throws EBaseException { + + X509Certificate cert = null; + + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_INFO, + CMS.getLogMessage("CMSGW_GETTING_SSL_CLIENT_CERT")); + + // iws60 support Java Servlet Spec V2.2, attribute + // javax.servlet.request.X509Certificate now contains array + // of X509Certificates instead of one X509Certificate object + X509Certificate[] allCerts = (X509Certificate[]) httpReq.getAttribute(CERT_ATTR); + + if (allCerts == null || allCerts.length == 0) { + throw new EBaseException("You did not provide a valid certificate for this operation"); + } + + cert = allCerts[0]; + + if (cert == null) { + // just don't have a cert. + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_SSL_CL_CERT_FAIL")); + return null; + } + + // convert to sun's x509 cert interface. 
+ try { + byte[] certEncoded = cert.getEncoded(); + + cert = new X509CertImpl(certEncoded); + } catch (CertificateEncodingException e) { + mLogger.log( + ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_SSL_CL_CERT_FAIL_ENCODE", e.getMessage())); + return null; + } catch (CertificateException e) { + mLogger.log( + ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_SSL_CL_CERT_FAIL_DECODE", e.getMessage())); + return null; + } + return cert; + } + + /** + * get a template based on result status. + */ + protected CMSTemplate getTemplate( + String templateName, HttpServletRequest httpReq, Locale[] locale) + throws EBaseException, IOException { + // this converts to system dependent file seperator char. + if (mServletConfig == null) { + CMS.debug("CMSServlet:getTemplate() - mServletConfig is null!"); + return null; + } + if (mServletConfig.getServletContext() == null) { + } + if (templateName == null) { + } + String realpath = + mServletConfig.getServletContext().getRealPath("/" + templateName); + + if (realpath == null) { + mLogger.log( + ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_NO_FIND_TEMPLATE", templateName)); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + } + + File realpathFile = new File(realpath); + File templateFile = + getLangFile(httpReq, realpathFile, locale); + String charSet = httpReq.getCharacterEncoding(); + + if (charSet == null) { + charSet = "UTF8"; + } + CMSTemplate template = + (CMSTemplate) mFileLoader.getCMSFile(templateFile, charSet); + + return template; + } + + /** + * log according to authority category. 
+ */ + protected void log(int event, int level, String msg) { + mLogger.log(event, mLogCategory, level, + "Servlet " + mId + ": " + msg); + } + + protected void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, mLogCategory, level, + "Servlet " + mId + ": " + msg); + } + + /** + * get http parameters not to save from configuration. + */ + protected void getDontSaveHttpParams(ServletConfig sc) { + String dontSaveParams = null; + + try { + for (int i = 0; i < DONT_SAVE_HTTP_PARAMS.length; i++) { + mDontSaveHttpParams.addElement(DONT_SAVE_HTTP_PARAMS[i]); + } + dontSaveParams = sc.getInitParameter( + PROP_DONT_SAVE_HTTP_PARAMS); + if (dontSaveParams != null) { + StringTokenizer params = + new StringTokenizer(dontSaveParams, ","); + + while (params.hasMoreTokens()) { + String param = params.nextToken(); + + mDontSaveHttpParams.addElement(param); + } + } + } catch (Exception e) { + // should never happen + log(ILogger.LL_WARN, + CMS.getLogMessage("CMSGW_NO_CONFIG_VALUE", PROP_DONT_SAVE_HTTP_PARAMS, e.toString())); + // default just in case. + for (int i = 0; i < DONT_SAVE_HTTP_PARAMS.length; i++) { + mDontSaveHttpParams.addElement(DONT_SAVE_HTTP_PARAMS[i]); + } + return; + } + } + + /** + * get http headers to save from configuration. + */ + protected void getSaveHttpHeaders(ServletConfig sc) { + try { + // init save http headers. default will always be saved. + for (int i = 0; i < SAVE_HTTP_HEADERS.length; i++) { + mSaveHttpHeaders.addElement(SAVE_HTTP_HEADERS[i]); + } + + // now get from config file if there's more. 
+ String saveHeaders = + sc.getInitParameter(PROP_SAVE_HTTP_HEADERS); + + if (saveHeaders != null) { + StringTokenizer headers = + new StringTokenizer(saveHeaders, ","); + + while (headers.hasMoreTokens()) { + String hdr = headers.nextToken(); + + mSaveHttpHeaders.addElement(hdr); + } + } + } catch (Exception e) { + // should never happen + log(ILogger.LL_WARN, CMS.getLogMessage("CMSGW_NO_CONFIG_VALUE", PROP_SAVE_HTTP_HEADERS, e.toString())); + return; + } + } + + /** + * save http headers in a IRequest. + */ + protected void saveHttpHeaders( + HttpServletRequest httpReq, IRequest req) + throws EBaseException { + Hashtable headers = new Hashtable(); + Enumeration hdrs = mSaveHttpHeaders.elements(); + + while (hdrs.hasMoreElements()) { + String hdr = hdrs.nextElement(); + String val = httpReq.getHeader(hdr); + + if (val != null) { + headers.put(hdr, val); + } + } + req.setExtData(IRequest.HTTP_HEADERS, headers); + } + + /** + * save http headers in a IRequest. + */ + protected void saveHttpParams( + IArgBlock httpParams, IRequest req) { + Hashtable saveParams = new Hashtable(); + + Enumeration names = httpParams.elements(); + + while (names.hasMoreElements()) { + String name = names.nextElement(); + Enumeration params = mDontSaveHttpParams.elements(); + boolean dosave = true; + + while (params.hasMoreElements()) { + String param = params.nextElement(); + + if (name.equalsIgnoreCase(param)) { + dosave = false; + break; + } + } + if (dosave) { + // kmccarth + // fear not - service() calls toHashtable() which only + // retrieves string values. + // TODO - when we can use JDK5 features we should typecast + // the params until they get here + saveParams.put(name, (String) httpParams.get(name)); + } + } + req.setExtData(IRequest.HTTP_PARAMS, saveParams); + } + + /** + * handy routine for getting a cert record given a serial number. 
+ */ + protected ICertRecord getCertRecord(BigInteger serialNo) { + if (mAuthority == null || + !(mAuthority instanceof ICertificateAuthority)) { + log(ILogger.LL_WARN, + CMS.getLogMessage("CMSGW_NON_CERT_AUTH")); + return null; + } + ICertificateRepository certdb = + ((ICertificateAuthority) mAuthority).getCertificateRepository(); + + if (certdb == null) { + log(ILogger.LL_WARN, CMS.getLogMessage("CMSGW_CERT_DB_NULL", mAuthority.toString())); + return null; + } + ICertRecord certRecord = null; + + try { + certRecord = certdb.readCertificateRecord(serialNo); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_NO_CERT_REC", serialNo.toString(16), e.toString())); + return null; + } + return certRecord; + } + + /** + * handy routine for validating if a cert is from this CA. + * mAuthority must be a CA. + */ + protected boolean isCertFromCA(X509Certificate cert) { + BigInteger serialno = cert.getSerialNumber(); + X509CertImpl certInDB = (X509CertImpl) getX509Certificate(serialno); + + if (certInDB == null || !certInDB.equals(cert)) + return false; + return true; + } + + /** + * handy routine for checking if a list of certs is from this CA. + * mAuthortiy must be a CA. + */ + protected boolean areCertsFromCA(X509Certificate[] certs) { + for (int i = certs.length - 1; i >= 0; i--) { + if (!isCertFromCA(certs[i])) + return false; + } + return true; + } + + /** + * handy routine for getting a certificate from the certificate + * repository. mAuthority must be a CA. 
+ */ + protected X509Certificate getX509Certificate(BigInteger serialNo) { + if (mAuthority == null || + !(mAuthority instanceof ICertificateAuthority)) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_NOT_CERT_AUTH")); + return null; + } + ICertificateRepository certdb = + ((ICertificateAuthority) mAuthority).getCertificateRepository(); + + if (certdb == null) { + log(ILogger.LL_WARN, CMS.getLogMessage("CMSGW_CERT_DB_NULL", mAuthority.toString())); + return null; + } + X509Certificate cert = null; + + try { + cert = certdb.getX509Certificate(serialNo); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_NO_CERT_REC", serialNo.toString(16), e.toString())); + return null; + } + return cert; + } + + /** + * instantiate a new filler from a class name, + * + * @return null if can't be instantiated, new instance otherwise. + */ + protected ICMSTemplateFiller newFillerObject(String fillerClass) { + ICMSTemplateFiller filler = null; + + try { + filler = (ICMSTemplateFiller) + Class.forName(fillerClass).newInstance(); + } catch (Exception e) { + if ((e instanceof RuntimeException)) { + throw (RuntimeException) e; + } else { + log(ILogger.LL_WARN, + CMS.getLogMessage("CMSGW_CANT_LOAD_FILLER", fillerClass, e.toString())); + return null; + } + } + return filler; + } + + /** + * set default templates. + * subclasses can override, and should override at least the success + * template + */ + protected void setDefaultTemplates(ServletConfig sc) { + // Subclasses should override these for diff templates and params in + // their constructors. + // Set a template name to null to not use these standard ones. + // When template name is set to null nothing will be displayed. + // Servlet is assumed to have rendered its own output. + // The only exception is the unexpected error template where the + // default one will always be used if template name is null. 
+ String successTemplate = null; + String errorTemplate = null; + String unauthorizedTemplate = null; + String pendingTemplate = null; + String svcpendingTemplate = null; + String rejectedTemplate = null; + String unexpectedErrorTemplate = null; + + String gateway = sc.getInitParameter("interface"); + String authority = sc.getInitParameter(PROP_AUTHORITY); + if (authority == null) { + authority = sc.getInitParameter("authorityId"); + } + + try { + successTemplate = sc.getInitParameter( + PROP_SUCCESS_TEMPLATE); + if (successTemplate == null) { + successTemplate = SUCCESS_TEMPLATE; + if (gateway != null) + //successTemplate = "/"+gateway+successTemplate; + successTemplate = "/" + gateway + successTemplate; + } + + errorTemplate = sc.getInitParameter( + PROP_ERROR_TEMPLATE); + if (errorTemplate == null) { + errorTemplate = ERROR_TEMPLATE; + if (gateway != null) + //errorTemplate = "/"+gateway+errorTemplate; + errorTemplate = "/" + gateway + errorTemplate; + } + + unauthorizedTemplate = sc.getInitParameter( + PROP_UNAUTHORIZED_TEMPLATE); + if (unauthorizedTemplate == null) { + unauthorizedTemplate = UNAUTHORIZED_TEMPLATE; + if (gateway != null) + //unauthorizedTemplate = "/"+gateway+unauthorizedTemplate; + unauthorizedTemplate = "/" + gateway + unauthorizedTemplate; + } + + pendingTemplate = sc.getInitParameter( + PROP_PENDING_TEMPLATE); + if (pendingTemplate == null) { + pendingTemplate = PENDING_TEMPLATE; + if (gateway != null) + //pendingTemplate = "/"+gateway+pendingTemplate; + pendingTemplate = "/" + gateway + pendingTemplate; + } + + svcpendingTemplate = sc.getInitParameter( + PROP_SVC_PENDING_TEMPLATE); + if (svcpendingTemplate == null) { + svcpendingTemplate = SVC_PENDING_TEMPLATE; + if (gateway != null) + //svcpendingTemplate = "/"+gateway+svcpendingTemplate; + svcpendingTemplate = "/" + gateway + svcpendingTemplate; + } + + rejectedTemplate = sc.getInitParameter( + PROP_REJECTED_TEMPLATE); + if (rejectedTemplate == null) { + rejectedTemplate = 
REJECTED_TEMPLATE; + if (gateway != null) + //rejectedTemplate = "/"+gateway+rejectedTemplate; + rejectedTemplate = "/" + gateway + rejectedTemplate; + } + + unexpectedErrorTemplate = sc.getInitParameter( + PROP_EXCEPTION_TEMPLATE); + if (unexpectedErrorTemplate == null) { + unexpectedErrorTemplate = EXCEPTION_TEMPLATE; + if (gateway != null) + //unexpectedErrorTemplate = "/"+gateway+unexpectedErrorTemplate; + unexpectedErrorTemplate = "/" + gateway + unexpectedErrorTemplate; + } + } catch (Exception e) { + // this should never happen. + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_IMP_INIT_SERV_ERR", e.toString(), + mId)); + } + + mTemplates.put( + CMSRequest.UNAUTHORIZED, + new CMSLoadTemplate( + PROP_UNAUTHORIZED_TEMPLATE, PROP_UNAUTHOR_TEMPLATE_FILLER, + unauthorizedTemplate, null)); + mTemplates.put( + CMSRequest.SUCCESS, + new CMSLoadTemplate( + PROP_SUCCESS_TEMPLATE, PROP_SUCCESS_TEMPLATE_FILLER, + successTemplate, new GenSuccessTemplateFiller())); + mTemplates.put( + CMSRequest.PENDING, + new CMSLoadTemplate( + PROP_PENDING_TEMPLATE, PROP_PENDING_TEMPLATE_FILLER, + pendingTemplate, new GenPendingTemplateFiller())); + mTemplates.put( + CMSRequest.SVC_PENDING, + new CMSLoadTemplate( + PROP_SVC_PENDING_TEMPLATE, PROP_SVC_PENDING_TEMPLATE_FILLER, + svcpendingTemplate, new GenSvcPendingTemplateFiller())); + mTemplates.put( + CMSRequest.REJECTED, + new CMSLoadTemplate( + PROP_REJECTED_TEMPLATE, PROP_REJECTED_TEMPLATE_FILLER, + rejectedTemplate, new GenRejectedTemplateFiller())); + mTemplates.put( + CMSRequest.ERROR, + new CMSLoadTemplate( + PROP_ERROR_TEMPLATE, PROP_ERROR_TEMPLATE_FILLER, + errorTemplate, new GenErrorTemplateFiller())); + mTemplates.put( + CMSRequest.EXCEPTION, + new CMSLoadTemplate( + PROP_EXCEPTION_TEMPLATE, PROP_EXCEPTION_TEMPLATE_FILLER, + unexpectedErrorTemplate, new GenUnexpectedErrorTemplateFiller())); + } + + /** + * handy routine to check if client is navigator based on user-agent. 
+ */ + public static boolean clientIsNav(HttpServletRequest httpReq) { + String useragent = httpReq.getHeader("user-agent"); + + if (useragent.startsWith("Mozilla") && + useragent.indexOf("MSIE") == -1) + return true; + return false; + } + + /** + * handy routine to check if client is msie based on user-agent. + */ + public static boolean clientIsMSIE(HttpServletRequest httpReq) { + String useragent = httpReq.getHeader("user-agent"); + + if (useragent != null && useragent.indexOf("MSIE") != -1) + return true; + return false; + } + + /** + * handy routine to check if client is cartman based on hidden http input + * set using cartman JS. (no other way to tell) + */ + private static String CMMF_RESPONSE = "cmmfResponse"; + + public static boolean doCMMFResponse(IArgBlock httpParams) { + if (httpParams.getValueAsBoolean(CMMF_RESPONSE, false)) + return true; + else + return false; + } + + private static final String IMPORT_CERT = "importCert"; + private static final String IMPORT_CHAIN = "importCAChain"; + private static final String IMPORT_CERT_MIME_TYPE = "importCertMimeType"; + // default mime type + private static final String NS_X509_USER_CERT = "application/x-x509-user-cert"; + private static final String NS_X509_EMAIL_CERT = "application/x-x509-email-cert"; + + // CMC mime types + public static final String SIMPLE_ENROLLMENT_REQUEST = "application/pkcs10"; + public static final String SIMPLE_ENROLLMENT_RESPONSE = "application/pkcs7-mime"; + public static final String FULL_ENROLLMENT_REQUEST = "application/pkcs7-mime"; + public static final String FULL_ENROLLMENT_RESPONSE = "application/pkcs7-mime"; + + /** + * handy routine to check if client want full enrollment response + */ + public static String FULL_RESPONSE = "fullResponse"; + + public static boolean doFullResponse(IArgBlock httpParams) { + if (httpParams.getValueAsBoolean(FULL_RESPONSE, false)) + return true; + else + return false; + } + + /** + * @return false if import cert directly set to false. 
+ * @return true if import cert directly is true and import cert. + */ + protected boolean checkImportCertToNav( + HttpServletResponse httpResp, IArgBlock httpParams, X509CertImpl cert) + throws EBaseException { + if (!httpParams.getValueAsBoolean(IMPORT_CERT, false)) { + return false; + } + boolean importCAChain = + httpParams.getValueAsBoolean(IMPORT_CHAIN, true); + // XXX Temporary workaround because of problem with passing Mime type + boolean emailCert = + httpParams.getValueAsBoolean("emailCert", false); + String importMimeType = (emailCert) ? + httpParams.getValueAsString(IMPORT_CERT_MIME_TYPE, NS_X509_EMAIL_CERT) : + httpParams.getValueAsString(IMPORT_CERT_MIME_TYPE, NS_X509_USER_CERT); + + // String importMimeType = + // httpParams.getValueAsString( + // IMPORT_CERT_MIME_TYPE, NS_X509_USER_CERT); + importCertToNav(httpResp, cert, importMimeType, importCAChain); + return true; + } + + /** + * handy routine to import cert to old navigator in nav mime type. + */ + public void importCertToNav( + HttpServletResponse httpResp, X509CertImpl cert, + String contentType, boolean importCAChain) + throws EBaseException { + ServletOutputStream out = null; + byte[] encoding = null; + + CMS.debug("CMSServlet: importCertToNav " + + "contentType=" + contentType + " " + + "importCAChain=" + importCAChain); + try { + out = httpResp.getOutputStream(); + // CA chain. 
+ if (importCAChain) { + CertificateChain caChain = null; + X509Certificate[] caCerts = null; + PKCS7 p7 = null; + + caChain = ((ICertAuthority) mAuthority).getCACertChain(); + caCerts = caChain.getChain(); + + // set user + CA cert chain in pkcs7 + X509CertImpl[] userChain = + new X509CertImpl[caCerts.length + 1]; + + userChain[0] = cert; + int m = 1, n = 0; + + for (; n < caCerts.length; m++, n++) { + userChain[m] = (X509CertImpl) caCerts[n]; + + /* + System.out.println( + m+"th Cert "+userChain[m].toString()); + */ + } + p7 = new PKCS7(new AlgorithmId[0], + new ContentInfo(new byte[0]), + userChain, + new SignerInfo[0]); + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + + p7.encodeSignedData(bos, false); + encoding = bos.toByteArray(); + CMS.debug("CMServlet: return P7 " + CMS.BtoA(encoding)); + } else { + encoding = cert.getEncoded(); + CMS.debug("CMServlet: return Certificate " + CMS.BtoA(encoding)); + } + httpResp.setContentType(contentType); + out.write(encoding); + } catch (IOException e) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_RET_CERT_IMPORT_ERR", e.toString())); + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_RETURNING_CERT")); + } catch (CertificateEncodingException e) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_NO_ENCODED_IMP_CERT", e.toString())); + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_ENCODING_ISSUED_CERT")); + } + } + + protected static void saveAuthToken(IAuthToken token, IRequest req) { + if (token != null && req != null) + req.setExtData(IRequest.AUTH_TOKEN, token); + + // # 56230 - expose auth token parameters to the policy predicate + if (token != null && req != null) { + Enumeration e = token.getElements(); + while (e.hasMoreElements()) { + String n = e.nextElement(); + String[] x1 = token.getInStringArray(n); + if (x1 != null) { + for (int i = 0; i < x1.length; i++) { + 
CMS.debug("Setting " + IRequest.AUTH_TOKEN + "-" + n + + "(" + i + ")=" + x1[i]); + req.setExtData(IRequest.AUTH_TOKEN + "-" + n + "(" + i + ")", + x1[i]); + } + } else { + String x = token.getInString(n); + if (x != null) { + CMS.debug("Setting " + IRequest.AUTH_TOKEN + "-" + n + "=" + x); + req.setExtData(IRequest.AUTH_TOKEN + "-" + n, x); + } + } + } // while + } // if + } + + protected IAuthToken getAuthToken(IRequest req) { + return req.getExtDataInAuthToken(IRequest.AUTH_TOKEN); + } + + protected static boolean connectionIsSSL(HttpServletRequest httpReq) { + return httpReq.isSecure(); + } + + /** + * handy routine for getting agent's relative path + */ + protected String getRelPath(IAuthority authority) { + if (authority instanceof ICertificateAuthority) + return "ca/"; + else if (authority instanceof IRegistrationAuthority) + return "ra/"; + else if (authority instanceof IKeyRecoveryAuthority) + return "kra/"; + else + return "/"; + } + + /** + * A system certificate such as the CA signing certificate + * should not be allowed to delete. + * The main purpose is to avoid revoking the self signed + * CA certificate accidentially. + */ + protected boolean isSystemCertificate(BigInteger serialNo) { + if (!(mAuthority instanceof ICertificateAuthority)) { + return false; + } + X509Certificate caCert = + ((ICertificateAuthority) mAuthority).getCACert(); + if (caCert != null) { + /* only check this if we are self-signed */ + if (caCert.getSubjectDN().equals(caCert.getIssuerDN())) { + if (caCert.getSerialNumber().equals(serialNo)) { + return true; + } + } + } + return false; + } + + /** + * make a CRL entry from a serial number and revocation reason. + * + * @return a RevokedCertImpl that can be entered in a CRL. 
+ */ + protected RevokedCertImpl formCRLEntry( + BigInteger serialNo, RevocationReason reason) + throws EBaseException { + CRLReasonExtension reasonExt = new CRLReasonExtension(reason); + CRLExtensions crlentryexts = new CRLExtensions(); + + try { + crlentryexts.set(CRLReasonExtension.NAME, reasonExt); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_CRL_REASON", reason.toString(), e.toString())); + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_SETTING_CRLREASON")); + } + RevokedCertImpl crlentry = + new RevokedCertImpl(serialNo, CMS.getCurrentDate(), crlentryexts); + + return crlentry; + } + + /** + * check if a certificate (serial number) is revoked on a CA. + * + * @return true if cert is marked revoked in the CA's database. + * @return false if cert is not marked revoked. + */ + protected boolean certIsRevoked(BigInteger serialNum) + throws EBaseException { + ICertRecord certRecord = getCertRecord(serialNum); + + if (certRecord == null) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_BAD_CERT_SER_NUM", String.valueOf(serialNum))); + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_INVALID_CERT")); + } + if (certRecord.getStatus().equals(ICertRecord.STATUS_REVOKED)) + return true; + return false; + } + + public static String generateSalt() { + Random rnd = new Random(); + String salt = new Integer(rnd.nextInt()).toString(); + return salt; + } + + protected String hashPassword(String pwd) { + String salt = generateSalt(); + byte[] pwdDigest = mSHADigest.digest((salt + pwd).getBytes()); + String b64E = Utils.base64encode(pwdDigest); + + return "{SHA}" + salt + ";" + b64E; + } + + /** + * @param req http servlet request + * @param realpathFile the file to get. + * @param locale array of at least one to be filled with locale found. 
+ */ + public static File getLangFile( + HttpServletRequest req, File realpathFile, Locale[] locale) + throws IOException { + File file = null; + String acceptLang = req.getHeader("accept-language"); + + if (acceptLang != null && !acceptLang.equals("")) { + StringTokenizer tokenizer = new StringTokenizer(acceptLang, ","); + int numLangs = tokenizer.countTokens(); + + if (numLangs > 0) { + // languages are searched in order. + String parent = realpathFile.getParent(); + + if (parent == null) { + parent = "." + File.separatorChar; + } + String name = realpathFile.getName(); + + if (name == null) { // filename should never be null. + throw new IOException("file has no name"); + } + int i; + + for (i = 0; i < numLangs; i++) { + String lang = null; + String token = tokenizer.nextToken(); + + int semicolon = token.indexOf(';'); + + if (semicolon == -1) { + lang = token.trim(); + } else { + if (semicolon < 2) + continue; // protocol error. + lang = token.substring(0, semicolon).trim(); + } + // if browser locale is the same as default locale, + // use the default form. (is this the right thing to do ?) 
+ Locale l = getLocale(lang); + + if (Locale.getDefault().equals(l)) { + locale[0] = l; + file = realpathFile; + break; + } + + String langfilepath = + parent + File.separatorChar + + lang + File.separatorChar + name; + + file = new File(langfilepath); + if (file.exists()) { + locale[0] = getLocale(lang); + break; + } + } + // if no file for lang was found use default + if (i == numLangs) { + file = realpathFile; + locale[0] = Locale.getDefault(); + } + } + } else { + // use default if accept-language is not availabe + file = realpathFile; + locale[0] = Locale.getDefault(); + } + return file; + } + + public static Locale getLocale(String lang) { + int dash = lang.indexOf('-'); + + if (dash == -1) + return new Locale(lang, ""); + else + return new Locale(lang.substring(0, dash), lang.substring(dash + 1)); + } + + public IAuthToken authenticate(CMSRequest req) + throws EBaseException { + return authenticate(req, mAuthMgr); + } + + public IAuthToken authenticate(HttpServletRequest httpReq) + throws EBaseException { + return authenticate(httpReq, mAuthMgr); + } + + public IAuthToken authenticate(CMSRequest req, String authMgrName) + throws EBaseException { + IAuthToken authToken = authenticate(req.getHttpReq(), + authMgrName); + + saveAuthToken(authToken, req.getIRequest()); + return authToken; + } + + /** + * Authentication + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_AUTH_FAIL used when authentication fails (in case of SSL-client auth, only + * webserver env can pick up the SSL violation; CS authMgr can pick up cert mis-match, so this event is used) + *
  • signed.audit LOGGING_SIGNED_AUDIT_AUTH_SUCCESS used when authentication succeeded + *
+ * + * @exception EBaseException an error has occurred + */ + public IAuthToken authenticate(HttpServletRequest httpReq, String authMgrName) + throws EBaseException { + String auditMessage = null; + String auditSubjectID = ILogger.UNIDENTIFIED; + String auditAuthMgrID = ILogger.UNIDENTIFIED; + String auditUID = ILogger.UNIDENTIFIED; + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String getClientCert = mGetClientCert; + + IArgBlock httpArgs = CMS.createArgBlock(toHashtable(httpReq)); + SessionContext ctx = SessionContext.getContext(); + String ip = httpReq.getRemoteAddr(); + CMS.debug("IP: " + ip); + + if (ip != null) { + ctx.put(SessionContext.IPADDRESS, ip); + } + if (authMgrName != null) { + CMS.debug("AuthMgrName: " + authMgrName); + ctx.put(SessionContext.AUTH_MANAGER_ID, authMgrName); + } + // put locale into session context + ctx.put(SessionContext.LOCALE, getLocale(httpReq)); + + // + // check ssl client authentication if specified. + // + X509Certificate clientCert = null; + + if (getClientCert != null && getClientCert.equals("true")) { + CMS.debug("CMSServlet: retrieving SSL certificate"); + clientCert = getSSLClientCertificate(httpReq); + } + + // + // check authentication by auth manager if any. + // + if (authMgrName == null) { + + // Fixed Blackflag Bug #613900: Since this code block does + // NOT actually constitute an authentication failure, but + // rather the case in which a given servlet has been correctly + // configured to NOT require an authentication manager, the + // audit message called LOGGING_SIGNED_AUDIT_AUTH_FAIL has + // been removed. 
+ + CMS.debug("CMSServlet: no authMgrName"); + return null; + } else { + // save the "Subject DN" of this certificate in case it + // must be audited as an authentication failure + if (clientCert == null) { + CMS.debug("CMSServlet: no client certificate found"); + } else { + String certUID = clientCert.getSubjectDN().getName(); + CMS.debug("CMSServlet: certUID=" + certUID); + + if (certUID != null) { + certUID = certUID.trim(); + + if (!(certUID.equals(""))) { + // reset the "auditUID" + auditUID = certUID; + } + } + } + + // reset the "auditAuthMgrID" + auditAuthMgrID = authMgrName; + } + AuthToken authToken = CMSGateway.checkAuthManager(httpReq, + httpArgs, + clientCert, + authMgrName); + if (authToken == null) { + return null; + } + String userid = authToken.getInString(IAuthToken.USER_ID); + + CMS.debug("CMSServlet: userid=" + userid); + + if (userid != null) { + ctx.put(SessionContext.USER_ID, userid); + } + + // reset the "auditSubjectID" + auditSubjectID = auditSubjectID(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + auditAuthMgrID); + + audit(auditMessage); + + return authToken; + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditAuthMgrID, + auditUID); + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } + } + + public AuthzToken authorize(String authzMgrName, String resource, IAuthToken authToken, + String exp) throws EBaseException { + AuthzToken authzToken = null; + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditGroupID = auditGroupID(); + String auditACLResource = resource; + String auditOperation = "enroll"; + + try { + authzToken = mAuthz.authorize(authzMgrName, authToken, exp); + if (authzToken != 
null) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + auditACLResource, + auditOperation); + + audit(auditMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + auditSubjectID, + ILogger.SUCCESS, + auditGroupID); + + audit(auditMessage); + } else { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, + auditOperation); + + audit(auditMessage); + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroupID); + + audit(auditMessage); + } + return authzToken; + } catch (Exception e) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, + auditOperation); + + audit(auditMessage); + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroupID); + + audit(auditMessage); + throw new EBaseException(e.toString()); + } + } + + /** + * Authorize must occur after Authenticate + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_AUTHZ_FAIL used when authorization has failed + *
  • signed.audit LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS used when authorization is successful + *
  • signed.audit LOGGING_SIGNED_AUDIT_ROLE_ASSUME used when user assumes a role (in current CS that's when one + * accesses a role port) + *
+ * + * @param authzMgrName string representing the name of the authorization + * manager + * @param authToken the authentication token + * @param resource a string representing the ACL resource id as defined in + * the ACL resource list + * @param operation a string representing one of the operations as defined + * within the ACL statement (e. g. - "read" for an ACL statement containing + * "(read,write)") + * @exception EBaseException an error has occurred + * @return the authorization token + */ + public AuthzToken authorize(String authzMgrName, IAuthToken authToken, + String resource, String operation) + throws EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditGroupID = auditGroupID(); + String auditID = auditSubjectID; + String auditACLResource = resource; + String auditOperation = operation; + + SessionContext auditContext = SessionContext.getExistingContext(); + String authManagerId = null; + + if (auditContext != null) { + authManagerId = (String) auditContext.get(SessionContext.AUTH_MANAGER_ID); + + if (authManagerId != null && authManagerId.equals("TokenAuth")) { + if (auditSubjectID.equals(ILogger.NONROLEUSER) || + auditSubjectID.equals(ILogger.UNIDENTIFIED)) { + CMS.debug("CMSServlet: in authorize... 
TokenAuth auditSubjectID unavailable, changing to auditGroupID"); + auditID = auditGroupID; + } + } + } + + // "normalize" the "auditACLResource" value + if (auditACLResource != null) { + auditACLResource = auditACLResource.trim(); + } + + // "normalize" the "auditOperation" value + if (auditOperation != null) { + auditOperation = auditOperation.trim(); + } + + if (authzMgrName == null) { + // Fixed Blackflag Bug #613900: Since this code block does + // NOT actually constitute an authorization failure, but + // rather the case in which a given servlet has been correctly + // configured to NOT require an authorization manager, the + // audit message called LOGGING_SIGNED_AUDIT_AUTHZ_FAIL and + // the audit message called LOGGING_SIGNED_AUDIT_ROLE_ASSUME + // (marked as a failure) have been removed. + + return null; + } + + try { + AuthzToken authzTok = mAuthz.authorize(authzMgrName, + authToken, + resource, + operation); + + if (authzTok != null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + auditACLResource, + auditOperation); + + audit(auditMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + auditID, + ILogger.SUCCESS, + auditGroups(auditSubjectID)); + + audit(auditMessage); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, + auditOperation); + + audit(auditMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + auditID, + ILogger.FAILURE, + auditGroups(auditSubjectID)); + + audit(auditMessage); + } + + return authzTok; + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + 
LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, + auditOperation); + + audit(auditMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + auditID, + ILogger.FAILURE, + auditGroups(auditSubjectID)); + + audit(auditMessage); + + return null; + } catch (Exception eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, + auditOperation); + + audit(auditMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroups(auditSubjectID)); + + audit(auditMessage); + + return null; + } + } + + /** + * Signed Audit Log + * + * This method is inherited by all extended "CMSServlet"s, + * and is called to store messages to the signed audit log. + *

+ *
+ * @param msg signed audit log message
+ */
+ protected void audit(String msg) {
+ // in this case, do NOT strip preceding/trailing whitespace
+ // from passed-in String parameters
+
+ if (mSignedAuditLogger == null) {
+ return;
+ }
+
+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
+ }
+
+ /**
+ * Signed Audit Log Subject ID
+ *
+ * This method is inherited by all extended "CMSServlet"s,
+ * and is called to obtain the "SubjectID" for
+ * a signed audit log message.
+ *

+ *
+ * @return id string containing the signed audit log message SubjectID
+ */
+ protected String auditSubjectID() {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ CMS.debug("CMSServlet: in auditSubjectID");
+ String subjectID = null;
+
+ // Initialize subjectID
+ SessionContext auditContext = SessionContext.getExistingContext();
+
+ CMS.debug("CMSServlet: auditSubjectID auditContext " + auditContext);
+ if (auditContext != null) {
+ subjectID = (String)
+ auditContext.get(SessionContext.USER_ID);
+
+ CMS.debug("CMSServlet auditSubjectID: subjectID: " + subjectID);
+ if (subjectID != null) {
+ subjectID = subjectID.trim();
+ } else {
+ subjectID = ILogger.NONROLEUSER;
+ }
+ } else {
+ subjectID = ILogger.UNIDENTIFIED;
+ }
+
+ return subjectID;
+ }
+
+ /**
+ * Signed Audit Log Group ID
+ *
+ * This method is inherited by all extended "CMSServlet"s,
+ * and is called to obtain the "gid" for
+ * a signed audit log message.
+ *

+ *
+ * @return id string containing the signed audit log message SubjectID
+ */
+ protected String auditGroupID() {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ CMS.debug("CMSServlet: in auditGroupID");
+ String groupID = null;
+
+ // Initialize groupID
+ SessionContext auditContext = SessionContext.getExistingContext();
+
+ CMS.debug("CMSServlet: auditGroupID auditContext " + auditContext);
+ if (auditContext != null) {
+ groupID = (String)
+ auditContext.get(SessionContext.GROUP_ID);
+
+ CMS.debug("CMSServlet auditGroupID: groupID: " + groupID);
+ if (groupID != null) {
+ groupID = groupID.trim();
+ } else {
+ groupID = ILogger.NONROLEUSER;
+ }
+ } else {
+ groupID = ILogger.UNIDENTIFIED;
+ }
+
+ return groupID;
+ }
+
+ /**
+ * Signed Audit Groups
+ *
+ * This method is called to extract all "groups" associated
+ * with the "auditSubjectID()".
+ *

+ *
+ * @param SubjectID string containing the signed audit log message SubjectID
+ * @return a delimited string of groups associated
+ * with the "auditSubjectID()"
+ */
+ private String auditGroups(String SubjectID) {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ if ((SubjectID == null) ||
+ (SubjectID.equals(ILogger.UNIDENTIFIED))) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+
+ Enumeration groups = null;
+
+ try {
+ groups = mUG.findGroups("*");
+ } catch (Exception e) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+
+ StringBuffer membersString = new StringBuffer();
+
+ while (groups.hasMoreElements()) {
+ IGroup group = groups.nextElement();
+
+ if (group.isMember(SubjectID) == true) {
+ if (membersString.length() != 0) {
+ membersString.append(", ");
+ }
+
+ membersString.append(group.getGroupID());
+ }
+ }
+
+ if (membersString.length() != 0) {
+ return membersString.toString();
+ } else {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+ }
+
+ /**
+ * Retrieves locale based on the request.
+ */
+ protected Locale getLocale(HttpServletRequest req) {
+ Locale locale = null;
+ String lang = req.getHeader(HDR_LANG);
+
+ if (lang == null) {
+ // use server locale
+ locale = Locale.getDefault();
+ } else {
+ locale = new Locale(UserInfo.getUserLanguage(lang),
+ UserInfo.getUserCountry(lang));
+ }
+ return locale;
+ }
+
+ protected void outputResult(HttpServletResponse httpResp,
+ String contentType, byte[] content) {
+ try {
+ OutputStream os = httpResp.getOutputStream();
+
+ httpResp.setContentType(contentType);
+ httpResp.setContentLength(content.length);
+ os.write(content);
+ os.flush();
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", "", e.toString()));
+ return;
+ }
+ }
+
+ protected void outputError(HttpServletResponse httpResp, String errorString) {
+ outputError(httpResp, FAILURE, errorString, null);
+ }
+
+ protected void outputError(HttpServletResponse httpResp, String errorString, String requestId) {
+ outputError(httpResp, FAILURE, errorString, null);
+ }
+
+ protected void outputError(HttpServletResponse httpResp, String status, String errorString, String requestId) {
+ XMLObject xmlObj = null;
+ try {
+ xmlObj = new XMLObject();
+ Node root = xmlObj.createRoot("XMLResponse");
+ xmlObj.addItemToContainer(root, "Status", status);
+ xmlObj.addItemToContainer(root, "Error", errorString);
+ if (requestId != null) {
+ xmlObj.addItemToContainer(root, "RequestId", requestId);
+ }
+ byte[] cb = xmlObj.toByteArray();
+
+ OutputStream os = httpResp.getOutputStream();
+ httpResp.setContentType("application/xml");
+ httpResp.setContentLength(cb.length);
+ os.write(cb);
+ os.flush();
+ return;
+ } catch (Exception ee) {
+ CMS.debug("Failed to send XML output to the server.");
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", "", ee.toString()));
+ }
+ }
+
+ protected StringBuffer escapeValueRfc1779(String v, boolean doubleEscape) {
+ StringBuffer result = new
StringBuffer();
+
+ // Do we need to escape any characters
+ for (int i = 0; i < v.length(); i++) {
+ int c = v.charAt(i);
+ if (c == ',' || c == '=' || c == '+' || c == '<' ||
+ c == '>' || c == '#' || c == ';' || c == '\r' ||
+ c == '\n' || c == '\\' || c == '"') {
+ if ((c == 0x5c) && ((i + 1) < v.length())) {
+ int nextC = v.charAt(i + 1);
+ if ((c == 0x5c) && (nextC == ',' || nextC == '=' || nextC == '+' ||
+ nextC == '<' || nextC == '>' || nextC == '#' ||
+ nextC == ';' || nextC == '\r' || nextC == '\n' ||
+ nextC == '\\' || nextC == '"')) {
+ if (doubleEscape)
+ result.append('\\');
+ } else {
+ result.append('\\');
+ if (doubleEscape)
+ result.append('\\');
+ }
+ } else {
+ result.append('\\');
+ if (doubleEscape)
+ result.append('\\');
+ }
+ }
+ if (c == '\r') {
+ result.append("0D");
+ } else if (c == '\n') {
+ result.append("0A");
+ } else {
+ result.append((char) c);
+ }
+ }
+ return result;
+ }
+
+}
diff --git a/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java b/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java
new file mode 100644
index 000000000..4bfc74607
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java
@@ -0,0 +1,117 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.base;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.PrintWriter;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.cmsutil.util.Utils;
+
+/**
+ * This servlet is started by the web server at startup, and
+ * it starts the CMS framework.
+ * + * @version $Revision$, $Date$ + */ +public class CMSStartServlet extends HttpServlet { + /** + * + */ + private static final long serialVersionUID = 515623839479425172L; + public final static String PROP_CMS_CFG = "cfgPath"; + + public void init(ServletConfig config) throws ServletException { + super.init(config); + String path = config.getInitParameter(PROP_CMS_CFG); + + File f = new File(path); + String old_path = ""; + if (!f.exists()) { + int index = path.lastIndexOf("CS.cfg"); + if (index != -1) { + old_path = path.substring(0, index) + "CMS.cfg"; + } + File f1 = new File(old_path); + if (f1.exists()) { + // The following block of code moves "CMS.cfg" to "CS.cfg". + try { + if (Utils.isNT()) { + // NT is very picky on the path + Utils.exec("copy " + + f1.getAbsolutePath().replace('/', '\\') + + " " + + f.getAbsolutePath().replace('/', '\\')); + } else { + // Create a copy of the original file which + // preserves the original file permissions. + Utils.exec("cp -p " + f1.getAbsolutePath() + " " + + f.getAbsolutePath()); + } + + // Remove the original file if and only if + // the backup copy was successful. + if (f.exists()) { + f1.delete(); + + // Make certain that the new file has + // the correct permissions. + if (!Utils.isNT()) { + Utils.exec("chmod 00660 " + f.getAbsolutePath()); + } + } + } catch (Exception e) { + } + } + } + try { + CMS.start(path); + } catch (EBaseException e) { + } + } + + public void doGet(HttpServletRequest req, HttpServletResponse res) + throws ServletException, IOException { + res.setContentType("text/html"); + + PrintWriter out = res.getWriter(); + + out.print(""); + out.print("CMS is started!"); + out.print(""); + out.print("

CMS is started!

");
+ out.print("");
+ }
+
+ public String getServletInfo() {
+ return "CMS startup servlet";
+ }
+
+ public void destroy() {
+ CMS.shutdown();
+ super.destroy();
+ }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/base/DisplayHtmlServlet.java b/base/common/src/com/netscape/cms/servlet/base/DisplayHtmlServlet.java
new file mode 100644
index 000000000..54e453f30
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/base/DisplayHtmlServlet.java
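Review bot: `init` copies the legacy configuration by building a shell command line from the configured path (`Utils.exec("cp -p " + f1.getAbsolutePath() + " " + f.getAbsolutePath())`, and the `copy` and `chmod 00660` calls likewise), so a path containing spaces or shell metacharacters is split or interpreted by the shell instead of being passed as one argument. Doing the copy and the permission change in-process (a stream copy, with the mode set through the file API) keeps the path out of a shell altogether. Separately, the empty `catch (EBaseException e) { }` around `CMS.start(path)` hides a failed framework start and lets the container believe the servlet initialized; `throw new ServletException("CMS.start failed for " + path, e);` would surface it. `config.getInitParameter(PROP_CMS_CFG)` may also return null, which `new File(path)` turns into a NullPointerException rather than a clear configuration error.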
@@ -0,0 +1,97 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.base;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cms.servlet.common.ECMSGWException;
+
+/**
+ * This is the servlet that displays the html page for the corresponding input id.
+ *
+ * @version $Revision$, $Date$
+ */
+public class DisplayHtmlServlet extends CMSServlet {
+ /**
+ *
+ */
+ private static final long serialVersionUID = -4343458180370708327L;
+ public final static String PROP_TEMPLATE = "template";
+ public final static String PROP_HTML_PATH = "htmlPath";
+
+ private String mHTMLPath = null;
+
+ public DisplayHtmlServlet() {
+ super();
+ }
+
+ public void init(ServletConfig sc) throws ServletException {
+ super.init(sc);
+ mHTMLPath = sc.getInitParameter(PROP_HTML_PATH);
+ mTemplates.remove(CMSRequest.SUCCESS);
+ }
+
+ /**
+ * Serves HTTP request.
+ */
+ public void process(CMSRequest cmsReq) throws EBaseException {
+ CMS.debug("DisplayHtmlServlet about to service ");
+
+ authenticate(cmsReq);
+
+ try {
+ String realpath =
+ mServletConfig.getServletContext().getRealPath("/" + mHTMLPath);
+
+ if (realpath == null) {
+ mLogger.log(
+ ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_NO_FIND_TEMPLATE", mHTMLPath));
+ throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE"));
+ }
+ File file = new File(realpath);
+ long flen = file.length();
+ byte[] bin = new byte[(int) flen];
+ FileInputStream ins = new FileInputStream(file);
+
+ int len = 0;
+ if (ins.available() > 0) {
+ len = ins.read(bin);
+ }
+ ByteArrayOutputStream bos = new ByteArrayOutputStream();
+ bos.write(bin, 0, len);
+ bos.writeTo(cmsReq.getHttpResp().getOutputStream());
+ ins.close();
+ bos.close();
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERR_OUT_TEMPLATE", mHTMLPath, e.toString()));
+ throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE"));
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/base/DynamicVariablesServlet.java b/base/common/src/com/netscape/cms/servlet/base/DynamicVariablesServlet.java
new file mode 100644
index 000000000..0bf726879
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/base/DynamicVariablesServlet.java
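Review bot: In `process`, `ins` is never closed when `ins.read(bin)` or `bos.writeTo(...)` throws, because `ins.close()` sits at the end of the `try` body rather than in a `finally`, so every I/O failure on this path leaks a file descriptor. The single `ins.read(bin)` is also not guaranteed to fill the buffer, and `(int) flen` silently truncates for a large file, so the response can be a prefix of the template; reading to end-of-stream in a loop fixes both. The `ins.available() > 0` guard does not help here, since `available()` is only an estimate. The rewritten read section is below; the surrounding `catch (IOException e)` is unchanged.
```java
File file = new File(realpath);
FileInputStream ins = new FileInputStream(file);
try {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    byte[] buf = new byte[8192];
    int n;
    while ((n = ins.read(buf)) != -1) {
        bos.write(buf, 0, n);
    }
    bos.writeTo(cmsReq.getHttpResp().getOutputStream());
} finally {
    ins.close();
}
// … unchanged: catch (IOException e) logging and ECMSGWException …
```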
@@ -0,0 +1,333 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.base;
+
+import java.io.IOException;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.StringTokenizer;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.AuthMgrPlugin;
+import com.netscape.certsrv.authentication.IAuthManager;
+import com.netscape.certsrv.authentication.IAuthSubsystem;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+
+/**
+ * Return some javascript to the request which contains the list of
+ * dynamic data in the CMS system.
+ *

+ * This allows the requestor (browser) to make decisions about what to present in the UI, depending on how CMS is
+ * configured
+ *
+ * @version $Revision$, $Date$
+ */
+public class DynamicVariablesServlet extends CMSServlet {
+ /**
+ *
+ */
+ private static final long serialVersionUID = 7246774978153039460L;
+ public final static String PROP_ACCESS = "ServletAccess";
+ public final static String PROP_AUTHMGR = "AuthMgr";
+ public final static String PROP_CLIENTAUTH = "GetClientCert";
+
+ public final static String PROP_AUTHORITY = "authority";
+ public final static String PROP_CLONING = "cloning";
+
+ private final static String INFO = "dynamicVariables";
+
+ private static final String PROP_DYNVAR = "dynamicVariables";
+ private static final String PROP_CRLURL = "cloneMasterCrlUrl";
+ private static final String VAR_SERVERDATE_STRING = "serverdate()";
+ private static final Integer VAR_SERVERDATE = Integer.valueOf(1);
+
+ private static final String VAR_SUBSYSTEMNAME_STRING = "subsystemname()";
+ private static final Integer VAR_SUBSYSTEMNAME = Integer.valueOf(2);
+ private String VAR_SUBSYSTEMNAME_VALUE = null;
+
+ private static final String VAR_HTTP_STRING = "http()";
+ private static final Integer VAR_HTTP = Integer.valueOf(3);
+ private String VAR_HTTP_VALUE = null;
+
+ private static final String VAR_AUTHMGRS_STRING = "authmgrs()";
+ private static final Integer VAR_AUTHMGRS = Integer.valueOf(4);
+ private String VAR_AUTHMGRS_VALUE = null;
+
+ private static final String VAR_CLA_CRL_URL_STRING = "clacrlurl()";
+ private static final Integer VAR_CLA_CRL_URL = Integer.valueOf(6);
+ private String VAR_CLA_CRL_URL_VALUE = null;
+
+ private String mAuthMgrCacheString = "";
+ private long mAuthMgrCacheTime = 0;
+ private final int AUTHMGRCACHE = 10; //number of seconds to cache list of
+ // authmanagers for
+ private Hashtable dynvars = null;
+ private String mGetClientCert = "false";
+ private String mAuthMgr = null;
+
+ private ServletConfig mServletCfg =
null;
+ private ServletContext mServletCtx = null;
+ private static String mCrlurl = "";
+ static {
+ IConfigStore config = CMS.getConfigStore().getSubStore(PROP_CLONING);
+
+ try {
+ mCrlurl =
+ config.getString(PROP_CRLURL, "");
+ } catch (EBaseException e) {
+ }
+ }
+
+ public DynamicVariablesServlet() {
+ super();
+ }
+
+ /**
+ * Returns serlvet information.
+ */
+ public String getServletInfo() {
+ return INFO;
+ }
+
+ /**
+ * Reads the following variables from the servlet config:
+ *

    + *
  • AuthMgr - the authentication manager to use to authenticate the request + *
  • GetClientCert - whether to request client auth for this request + *
  • authority - the authority (ca, ra, drm) to return to the client + *
  • dynamicVariables - a string of the form: + * serverdate=serverdate(),subsystemname=subsystemname(), http=http(),authmgrs=authmgrs(),clacrlurl=clacrlurl() + *
+ * The dynamicVariables string is parsed by splitting on commas. + * When services, the HTTP request provides a piece of javascript + * code as follows. + *

+ * Each sub expression "lhs=rhs()" forms a javascript statement of the form lhs=xxx; Where lhs is xxx is the + * result of 'evaluating' the rhs. The possible values for the rhs() function are: + *

    + *
  • serverdate() - the timestamp of the server (used to ensure that the client clock is set + * correctly) + *
  • subsystemname() + *
  • http() - "true" or "false" - is this an http connection (as opposed to https) + *
  • authmgrs() - a comma separated list of authentication managers + *
  • clacrlurl() - the URL to get the CRL from, in the case of a Clone CA. This is defined in the CMS + * configuration parameter 'cloning.cloneMasterCrlUrl' + *
+ *
+ * @see javax.servlet.Servlet#init(ServletConfig)
+ */
+
+ public void init(ServletConfig sc) throws ServletException {
+ super.init(sc);
+ mAuthMgr = sc.getInitParameter(PROP_AUTHMGR);
+ mGetClientCert = sc.getInitParameter(PROP_CLIENTAUTH);
+ mServletCfg = sc;
+
+ mServletCtx = sc.getServletContext();
+
+ VAR_SUBSYSTEMNAME_VALUE = sc.getInitParameter(PROP_AUTHORITY);
+
+ try {
+ String dynvarconfig = sc.getInitParameter(PROP_DYNVAR);
+ StringTokenizer s = new StringTokenizer(dynvarconfig, ",");
+
+ dynvars = new Hashtable();
+
+ while (s.hasMoreTokens()) {
+ String token = s.nextToken();
+
+ int i = token.indexOf('=');
+ String varname = token.substring(0, i);
+ String varvalue = token.substring(i + 1);
+
+ Integer varcode = null;
+
+ if (varvalue.equalsIgnoreCase(VAR_SERVERDATE_STRING)) {
+ varcode = VAR_SERVERDATE;
+ } else if (varvalue.equalsIgnoreCase(VAR_SUBSYSTEMNAME_STRING)) {
+ varcode = VAR_SUBSYSTEMNAME;
+ } else if (varvalue.equalsIgnoreCase(VAR_HTTP_STRING)) {
+ varcode = VAR_HTTP;
+ } else if (varvalue.equalsIgnoreCase(VAR_AUTHMGRS_STRING)) {
+ varcode = VAR_AUTHMGRS;
+ } else if (varvalue.equalsIgnoreCase(VAR_CLA_CRL_URL_STRING)) {
+ varcode = VAR_CLA_CRL_URL;
+ } else {
+ throw new ServletException("bad configuration parameter in " + PROP_DYNVAR);
+ }
+ if (varcode != null) {
+ dynvars.put(varcode, varname);
+ }
+ }
+ } catch (Exception e) {
+ dynvars = null;
+ }
+ }
+
+ public void service(HttpServletRequest httpReq,
+ HttpServletResponse httpResp)
+ throws ServletException, IOException {
+ boolean running_state = CMS.isInRunningState();
+
+ if (!running_state)
+ throw new IOException(
+ "CMS server is not ready to serve.");
+
+ if (mAuthMgr != null) {
+ try {
+ authenticate(httpReq);
+ } catch (EBaseException e) {
+ mServletCtx.log(CMS.getLogMessage("CMSGW_FILE_NO_ACCESS", e.toString()));
+ httpResp.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
+ }
+
+ httpResp.setContentType("application/x-javascript");
+
httpResp.setHeader("Pragma", "no-cache"); + + try { + ServletOutputStream os = httpResp.getOutputStream(); + + if (os != null) { + if (dynvars != null) { + Enumeration k = dynvars.keys(); + + while (k.hasMoreElements()) { + String toBeWritten; + Integer varcode = k.nextElement(); + + if (varcode.equals(VAR_SERVERDATE)) { + toBeWritten = dynvars.get(varcode) + + "=" + + getServerDate() + + ";\n"; + + os.print(toBeWritten); + } + + if (varcode.equals(VAR_SUBSYSTEMNAME)) { + if (getSubsystemName() != null) { + toBeWritten = dynvars.get(varcode) + + "=" + "\"" + + getSubsystemName() + "\"" + + ";\n"; + os.print(toBeWritten); + } + } + + if (varcode.equals(VAR_HTTP)) { + if (getHttp(httpReq) != null) { + toBeWritten = dynvars.get(varcode) + + "=" + "\"" + + getHttp(httpReq) + "\"" + + ";\n"; + os.print(toBeWritten); + } + } + + if (varcode.equals(VAR_CLA_CRL_URL)) { + if (getImportCrlUrl() != null) { + toBeWritten = dynvars.get(varcode) + + "=" + "\"" + + getImportCrlUrl() + "\"" + + ";\n"; + os.print(toBeWritten); + } + } + + if (varcode.equals(VAR_AUTHMGRS)) { + toBeWritten = ""; + IAuthSubsystem as = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); + Enumeration ame = as.getAuthManagers(); + + Date d = CMS.getCurrentDate(); + long now = d.getTime(); + + if (now > (mAuthMgrCacheTime + 1000 * AUTHMGRCACHE)) { + int i = 0; + + StringBuffer sb = new StringBuffer(); + while (ame.hasMoreElements()) { + IAuthManager am = ame.nextElement(); + String amName = am.getImplName(); + + AuthMgrPlugin ap = as.getAuthManagerPluginImpl(amName); + + if (ap.isVisible()) { + sb.append("authmanager["); + sb.append(i); + sb.append("]=\""); + sb.append(amName); + sb.append("\";\n"); + i++; + } + } + toBeWritten = sb.toString(); + mAuthMgrCacheString = toBeWritten; + mAuthMgrCacheTime = now; + } else { + toBeWritten = mAuthMgrCacheString; + } + if (toBeWritten.length() != 0) { + os.print("authmanager = new Array();\n"); + os.print(toBeWritten); + } + } + + } + } + os.close(); + } + + } 
catch (IOException e) {
+ throw new ServletException("couldn't get outputstream");
+ }
+ }
+
+ private String getServerDate() {
+ Date d = new Date();
+ String now = Long.toString(d.getTime());
+
+ return now;
+ }
+
+ private String getSubsystemName() {
+ return VAR_SUBSYSTEMNAME_VALUE;
+ }
+
+ private String getHttp(HttpServletRequest httpReq) {
+ if (httpReq.isSecure())
+ return "false";
+ else
+ return "true";
+ }
+
+ private String getImportCrlUrl() {
+ return mCrlurl;
+ }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/base/GetStats.java b/base/common/src/com/netscape/cms/servlet/base/GetStats.java
new file mode 100644
index 000000000..c21b56835
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/base/GetStats.java
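Review bot: In `init`, the deliberate `throw new ServletException("bad configuration parameter in " + PROP_DYNVAR)` for an unknown variable name is caught by the enclosing `catch (Exception e)` and turned into `dynvars = null`, so a misconfigured `dynamicVariables` is never reported and the servlet silently emits an empty script. Rethrowing it ahead of the generic handler, `} catch (ServletException e) { throw e; } catch (Exception e) { dynvars = null; }`, keeps the best-effort behaviour for a missing parameter while surfacing the intended error. In `service`, the values spliced into the generated JavaScript — `getSubsystemName()`, `getImportCrlUrl()` and each `amName` — are placed inside `"..."` literals without escaping quotes or newlines, so a configuration value containing either breaks the script; these come from server configuration rather than the request, so the exposure is config-driven, but escaping them once before `os.print` is cheap. The `mAuthMgrCacheString`/`mAuthMgrCacheTime` pair is read and written by concurrent requests without synchronization, which deserves a comment if that race is accepted as benign.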
@@ -0,0 +1,184 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.base;
+
+import java.io.IOException;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Locale;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.authorization.AuthzToken;
+import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IArgBlock;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.util.IStatsSubsystem;
+import com.netscape.certsrv.util.StatsEvent;
+import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cms.servlet.common.CMSTemplate;
+import com.netscape.cms.servlet.common.CMSTemplateParams;
+import com.netscape.cms.servlet.common.ECMSGWException;
+
+/**
+ * Retrieve information.
+ *
+ * @version $Revision$, $Date$
+ */
+public class GetStats extends CMSServlet {
+ /**
+ *
+ */
+ private static final long serialVersionUID = -3336253558044271816L;
+ private final static String TPL_FILE = "getStats.template";
+ private String mFormPath = null;
+
+ public GetStats() {
+ super();
+ }
+
+ /**
+ * initialize the servlet. This servlet uses the template
+ * file "getOCSPInfo.template" to render the result page.
+ *
+ * @param sc servlet configuration, read from the web.xml file
+ */
+ public void init(ServletConfig sc) throws ServletException {
+ super.init(sc);
+ // override success to display own output.
+
+ // coming from agent
+ mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE;
+ if (mOutputTemplatePath != null)
+ mFormPath = mOutputTemplatePath;
+
+ mTemplates.remove(CMSRequest.SUCCESS);
+ }
+
+ /**
+ * Process the HTTP request.
+ *
+ * @param cmsReq the object holding the request and response information
+ */
+ protected void process(CMSRequest cmsReq)
+ throws EBaseException {
+ HttpServletRequest httpReq = cmsReq.getHttpReq();
+ HttpServletResponse httpResp = cmsReq.getHttpResp();
+
+ IAuthToken authToken = authenticate(cmsReq);
+ AuthzToken authzToken = null;
+
+ try {
+ authzToken = authorize(mAclMethod, authToken,
+ mAuthzResourceName, "read");
+ } catch (EAuthzAccessDenied e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
+ }
+
+ if (authzToken == null) {
+ cmsReq.setStatus(CMSRequest.UNAUTHORIZED);
+ return;
+ }
+
+ CMSTemplate form = null;
+ Locale[] locale = new Locale[1];
+
+ try {
+ form = getTemplate(mFormPath, httpReq, locale);
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString()));
+ cmsReq.setError(new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")));
+
cmsReq.setStatus(CMSRequest.ERROR);
+ return;
+ }
+
+ IArgBlock header = CMS.createArgBlock();
+ IArgBlock fixed = CMS.createArgBlock();
+ CMSTemplateParams argSet = new CMSTemplateParams(header, fixed);
+
+ IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats");
+ StatsEvent st = statsSub.getMainStatsEvent();
+
+ String op = httpReq.getParameter("op");
+ if (op != null && op.equals("clear")) {
+ statsSub.resetCounters();
+ }
+
+ header.addStringValue("startTime", statsSub.getStartTime().toString());
+ header.addStringValue("curTime", (new Date()).toString());
+ parse(argSet, st, 0);
+
+ try {
+ ServletOutputStream out = httpResp.getOutputStream();
+
+ httpResp.setContentType("text/html");
+ form.renderOutput(out, argSet);
+ cmsReq.setStatus(CMSRequest.SUCCESS);
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERR_STREAM_TEMPLATE", e.toString()));
+ cmsReq.setError(new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")));
+ cmsReq.setStatus(CMSRequest.ERROR);
+ }
+ cmsReq.setStatus(CMSRequest.SUCCESS);
+ return;
+ }
+
+ public String getSep(int level) {
+ StringBuffer s = new StringBuffer();
+ for (int i = 0; i < level; i++) {
+ s.append("-");
+ }
+ return s.toString();
+ }
+
+ public void parse(CMSTemplateParams argSet, StatsEvent st, int level) {
+ Enumeration names = st.getSubEventNames();
+ while (names.hasMoreElements()) {
+ String name = names.nextElement();
+ StatsEvent subSt = st.getSubEvent(name);
+
+ IArgBlock rarg = CMS.createArgBlock();
+ rarg.addStringValue("name", getSep(level) + " " + subSt.getName());
+ rarg.addLongValue("noOfOp", subSt.getNoOfOperations());
+ rarg.addLongValue("timeTaken", subSt.getTimeTaken());
+ rarg.addLongValue("max", subSt.getMax());
+ rarg.addLongValue("min", subSt.getMin());
+ rarg.addLongValue("percentage", subSt.getPercentage());
+ rarg.addLongValue("avg", subSt.getAvg());
+ rarg.addLongValue("stddev", subSt.getStdDev());
+ argSet.addRepeatRecord(rarg);
+
+ parse(argSet, subSt, level + 1);
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/base/IndexServlet.java b/base/common/src/com/netscape/cms/servlet/base/IndexServlet.java
new file mode 100644
index 000000000..95dbf2abf
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/base/IndexServlet.java
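Review bot: At the end of `process`, the unconditional `cmsReq.setStatus(CMSRequest.SUCCESS);` after the try/catch overwrites the `CMSRequest.ERROR` status set when `form.renderOutput` fails, so a failed template stream is reported to the caller as success; `SUCCESS` is already set inside the `try`, so that trailing line should be deleted. The `op=clear` parameter resets the statistics counters on a plain GET while the only authorization performed is for the `"read"` operation, so a state change is gated by a read-only check; it should be authorized under a write-type operation, or at least documented as intentional. In `init`, the Javadoc names `"getOCSPInfo.template"` while `TPL_FILE` is `"getStats.template"`; the comment should read `file "getStats.template" to render the result page.`.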
@@ -0,0 +1,118 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.base;
+
+import java.io.IOException;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.cms.servlet.common.CMSGateway;
+import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cms.servlet.common.ECMSGWException;
+import com.netscape.cms.servlet.common.IndexTemplateFiller;
+
+/**
+ * This is the servlet that builds the index page in
+ * various ports.
+ *
+ * @version $Revision$, $Date$
+ */
+public class IndexServlet extends CMSServlet {
+ /**
+ *
+ */
+ private static final long serialVersionUID = -8632685610380549L;
+
+ public final static String PROP_TEMPLATE = "template";
+
+ private final static String INFO = "indexServlet";
+
+ // input parameters
+
+ // output parameters
+ private final static String OUT_TYPE = "type";
+ private final static String OUT_ID = "id";
+ private final static String OUT_TOTAL_COUNT = "totalCount";
+ private final static String OUT_ERROR = "errorDetails";
+
+ private String mTemplateName = null;
+
+ public IndexServlet() {
+ super();
+ }
+
+ public void init(ServletConfig sc) throws ServletException {
+ super.init(sc);
+ mTemplateName = sc.getInitParameter(PROP_TEMPLATE);
+
+ /*
+ mTemplates.put(CMSRequest.SUCCESS,
+ new CMSLoadTemplate(
+ PROP_SUCCESS_TEMPLATE, PROP_SUCCESS_TEMPLATE_FILLER,
+ mTemplateName, new IndexTemplateFiller()));
+ */
+ mTemplates.remove(CMSRequest.SUCCESS);
+ }
+
+ public CMSRequest newCMSRequest() {
+ return new CMSRequest();
+ }
+
+ /**
+ * Returns serlvet information.
+ */
+ public String getServletInfo() {
+ return INFO;
+ }
+
+ /**
+ * Serves HTTP request.
+ */
+ public void process(CMSRequest cmsReq) throws EBaseException {
+ if (CMSGateway.getEnableAdminEnroll() &&
+ mAuthority != null &&
+ mAuthority instanceof ICertificateAuthority) {
+ try {
+ cmsReq.getHttpResp().sendRedirect("/ca/adminEnroll.html");
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_FAIL_REDIRECT_ADMIN_ENROLL", e.toString()));
+ throw new ECMSGWException(
+ CMS.getLogMessage("CMSGW_ERROR_REDIRECTING_ADMINENROLL1",
+ e.toString()));
+ }
+ return;
+ } else {
+ try {
+ renderTemplate(
+ cmsReq, mTemplateName, new IndexTemplateFiller());
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_FAIL_RENDER_TEMPLATE", mTemplateName, e.toString()));
+ throw new ECMSGWException(
+ CMS.getLogMessage("CMSG_ERROR_DISPLAY_TEMPLATE"));
+ }
+ }
+ cmsReq.setStatus(CMSRequest.SUCCESS);
+ }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/base/PortsServlet.java b/base/common/src/com/netscape/cms/servlet/base/PortsServlet.java
new file mode 100644
index 000000000..fced583a2
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/base/PortsServlet.java
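Review bot: In `process`, the render-failure path throws `new ECMSGWException(CMS.getLogMessage("CMSG_ERROR_DISPLAY_TEMPLATE"))`, whose key is spelled `CMSG_` while the same condition elsewhere in this commit (`DisplayHtmlServlet.process`) uses `CMSGW_ERROR_DISPLAY_TEMPLATE`; unless a `CMSG_` message really exists, the client receives the raw key rather than the message. It most likely should be `CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")`. Stylistically, the `else` after `return;` in the redirect branch is redundant, and `OUT_TYPE`, `OUT_ID`, `OUT_TOTAL_COUNT` and `OUT_ERROR` are declared but never used in this file.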
@@ -0,0 +1,90 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.base;
+
+import java.io.IOException;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.w3c.dom.Node;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cmsutil.xml.XMLObject;
+
+/**
+ * This servlet returns port information.
+ *
+ * @version $Revision$, $Date$
+ */
+public class PortsServlet extends CMSServlet {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -3750153734073658934L;
+ private final static String INFO = "ports";
+
+ public PortsServlet() {
+ }
+
+ public void init(ServletConfig sc) throws ServletException {
+ super.init(sc);
+ // override these to output directly ourselves.
+ mTemplates.remove(CMSRequest.SUCCESS);
+ mTemplates.remove(CMSRequest.ERROR);
+ }
+
+ /**
+ * Serves HTTP request.
+ */
+ public void process(CMSRequest cmsReq) throws EBaseException {
+ // process query if authentication is successful
+ HttpServletRequest req = cmsReq.getHttpReq();
+ HttpServletResponse resp = cmsReq.getHttpResp();
+
+ String secure = req.getParameter("secure");
+ String port = null;
+
+ if (secure.equals("true"))
+ port = CMS.getEESSLPort();
+ else
+ port = CMS.getEENonSSLPort();
+
+ try {
+ XMLObject xmlObj = null;
+ xmlObj = new XMLObject();
+
+ Node root = xmlObj.createRoot("XMLResponse");
+ xmlObj.addItemToContainer(root, "Status", SUCCESS);
+ xmlObj.addItemToContainer(root, "Port", port);
+ byte[] cb = xmlObj.toByteArray();
+ outputResult(resp, "application/xml", cb);
+ } catch (Exception e) {
+ CMS.debug("Failed to send the XML output");
+ }
+ }
+
+ protected void renderResult(CMSRequest cmsReq) throws IOException {
+ // do nothing, ie, it will not return the default javascript.
+ }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/base/ProxyServlet.java b/base/common/src/com/netscape/cms/servlet/base/ProxyServlet.java
new file mode 100644
index 000000000..41666ab31
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/base/ProxyServlet.java
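Review bot: `secure.equals("true")` in process() dereferences the raw query parameter, so any request that omits `secure` throws a NullPointerException before a response is produced; invert the comparison to `if ("true".equals(secure))` so a missing or non-boolean value falls through to the non-SSL port. The catch block below it swallows every exception with a fixed debug string and leaves the response empty; at minimum pass the exception to the logger (`CMS.debug(e)`) so a failure to serialize the XML is diagnosable. The comment `// process query if authentication is successful` is not backed by any check in this method — if authentication is expected, it presumably happens in CMSServlet before process() is reached, and the comment should say so or be dropped.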
@@ -0,0 +1,248 @@ +/* CMS_SDK_LICENSE_TEXT */ + +package com.netscape.cms.servlet.base; + +import java.io.IOException; +import java.util.HashMap; +import java.util.Iterator; +import java.util.Map; +import java.util.Set; +import java.util.StringTokenizer; +import java.util.Vector; + +import javax.servlet.RequestDispatcher; +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletRequestWrapper; +import javax.servlet.http.HttpServletResponse; + +import com.netscape.certsrv.apps.CMS; + +/** + * This is a servlet that proxies request to another servlet. + * + * SERVLET REDIRECTION + * Specify the URL of a servlet to forward the request to + * destServlet: /ee/ca/newservlet + * + * PARAMETER MAPPING + * In the servlet configuration (as an init-param in web.xml) you + * can optionally specify a value for the parameter 'parameterMap' + * which contains a list of HTTP parameters which should be + * translated to new names. 
+ * + * parameterMap: name1->newname1,name2->newname2 + * + * Optionally, names can be set to static values: + * + * parameterMap: name1->name2=value + * + * Examples: + * Consider the following HTTP input parameters: + * vehicle:car make:ford model:explorer + * + * The following config strings will have this effect: + * parameterMap: make->manufacturer,model->name=expedition,->suv=true + * output: vehicle:car manufactuer:ford model:expedition suv:true + * + * @version $Revision$, $Date$ + */ +public class ProxyServlet extends HttpServlet { + + /** + * + */ + private static final long serialVersionUID = -2535349161521094539L; + private String mDest = null; + private String mDestContext = null; + private String mSrcContext = null; + private String mAppendPathInfo = null; + private Vector mMatchStrings = new Vector(); + private String mDestServletOnNoMatch = null; + private String mAppendPathInfoOnNoMatch = null; + private Map mParamMap = new HashMap(); + private Map mParamValue = new HashMap(); + + public ProxyServlet() { + } + + private void parseParamTable(String s) { + if (s == null) + return; + + String[] params = s.split(","); + for (int i = 0; i < params.length; i++) { + String p = params[i]; + if (p != null) { + String[] paramNames = p.split("->"); + if (paramNames.length != 2) { + } + String from = paramNames[0]; + String to = paramNames[1]; + if (from != null && to != null) { + String[] splitTo = to.split("="); + String toName = splitTo[0]; + if (from.length() > 0) { + mParamMap.put(from, toName); + } + if (splitTo.length == 2) { + String toValue = splitTo[1]; + String toValues[] = new String[1]; + toValues[0] = toValue; + mParamValue.put(toName, toValues); + } + } + } + } + } + + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + String mMatchStrs = sc.getInitParameter("matchURIStrings"); + if (mMatchStrs != null && (!mMatchStrs.equals(""))) { + StringTokenizer st = new StringTokenizer(mMatchStrs, ","); + while 
(st.hasMoreTokens()) { + mMatchStrings.addElement(st.nextToken()); + } + } + mDestServletOnNoMatch = sc.getInitParameter("destServletOnNoMatch"); + mDestContext = sc.getInitParameter("destContext"); + mDest = sc.getInitParameter("destServlet"); + mSrcContext = sc.getInitParameter("srcContext"); + mAppendPathInfo = sc.getInitParameter("appendPathInfo"); + mAppendPathInfoOnNoMatch = sc.getInitParameter("appendPathInfoOnNoMatch"); + String map = sc.getInitParameter("parameterMap"); + if (map != null) { + parseParamTable(map); + } + } + + public void service(HttpServletRequest req, HttpServletResponse res) throws + IOException, ServletException { + RequestDispatcher dispatcher = null; + String dest = mDest; + String uri = req.getRequestURI(); + + // check if match strings are specified. If it is, we need + // to deal with the alternate dest + if (mMatchStrings.size() != 0) { + boolean matched = false; + for (int i = 0; i < mMatchStrings.size(); i++) { + String t = mMatchStrings.elementAt(i); + if (uri.indexOf(t) != -1) { + matched = true; + } + } + if (!matched) { + dest = mDestServletOnNoMatch; + // append Path info for OCSP request in Get method + if (mAppendPathInfoOnNoMatch != null && + !mAppendPathInfoOnNoMatch.equals("")) { + dest = dest + uri.replace(mAppendPathInfoOnNoMatch, ""); + } + } + } + if (dest == null || dest.equals("")) { + // mapping everything + dest = uri; + dest = dest.replaceFirst(mSrcContext, ""); + } + if (mAppendPathInfo != null && !mAppendPathInfo.equals("")) { + dest = dest + uri.replace(mAppendPathInfo, ""); + } + if (mDestContext != null && !mDestContext.equals("")) { + dispatcher = getServletContext().getContext(mDestContext).getRequestDispatcher(dest); + } else { + dispatcher = req.getRequestDispatcher(dest); + } + + // If a parameter map was specified + if (mParamMap != null && !mParamMap.isEmpty()) { + // Make a new wrapper with the new parameters + ProxyWrapper r = new ProxyWrapper(req); + r.setParameterMapAndValue(mParamMap, 
mParamValue); + req = r; + } + + dispatcher.forward(req, res); + } +} + +class ProxyWrapper extends HttpServletRequestWrapper { + private Map mMap = null; + private Map mValueMap = null; + + public ProxyWrapper(HttpServletRequest req) { + super(req); + } + + public void setParameterMapAndValue(Map m, Map v) { + if (m != null) + mMap = m; + if (v != null) + mValueMap = v; + } + + @SuppressWarnings("unchecked") + public Map getParameterMap() { + try { + // If we haven't specified any parameter mapping, just + // use the regular implementation + if (mMap == null) + return super.getParameterMap(); + else { + // Make a new Map for us to put stuff in + Map n = new HashMap(); + // get the HTTP parameters the user supplied. + Map m = super.getParameterMap(); + Set> s = m.entrySet(); + Iterator> i = s.iterator(); + while (i.hasNext()) { + Map.Entry me = i.next(); + String name = me.getKey(); + String[] values = me.getValue(); + String newname = null; + if (name != null) { + newname = (String) mMap.get(name); + } + + // No mapping specified, just use existing name/value + if (newname == null || mValueMap == null) { + n.put(name, values); + } else { // new name specified + Object o = mValueMap.get(newname); + // check if new (static) value specified + if (o == null) { + n.put(newname, values); + } else { + String newvalues[] = (String[]) mValueMap.get(newname); + n.put(newname, newvalues); + } + } + } + // Now, deal with static values set in the config + // which weren't set in the HTTP request + Set> s2 = mValueMap.entrySet(); + Iterator> i2 = s2.iterator(); + // Cycle through all the static values + while (i2.hasNext()) { + Map.Entry me2 = i2.next(); + String name2 = me2.getKey(); + if (n.get(name2) == null) { + String[] values2 = me2.getValue(); + // If the parameter is not set in the map + // Set it now + n.put(name2, values2); + } + } + + return n; + } + } catch (NullPointerException npe) { + CMS.debug(npe); + return null; + } + } +} 
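Review bot: parseParamTable's `if (paramNames.length != 2) { }` is an empty check, so a parameterMap entry with no `->` (for example a bare `name1`) makes the following `paramNames[1]` throw ArrayIndexOutOfBoundsException and the servlet fails to initialise with no indication of which entry was bad; make it `if (paramNames.length != 2) continue;` or throw a ServletException naming the entry. In service(), the client-controlled `req.getRequestURI()` is spliced into the dispatcher path via `dest + uri.replace(mAppendPathInfoOnNoMatch, "")` and `uri.replaceFirst(mSrcContext, "")` without normalisation, and the latter also dereferences `mSrcContext` when that init-param is absent; whether the container's forward() lets a crafted suffix reach an unintended path depends on the deployment, but the forwarded path should be validated against the expected prefix rather than taken from the URI as-is (note `replaceFirst` treats mSrcContext as a regex). ProxyWrapper.getParameterMap catching NullPointerException and returning null hides a programming error from the forwarded servlet, which will then NPE on the null map instead; let it propagate.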
diff --git a/base/common/src/com/netscape/cms/servlet/base/SystemInfoServlet.java b/base/common/src/com/netscape/cms/servlet/base/SystemInfoServlet.java new file mode 100644 index 000000000..f883fd373 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/base/SystemInfoServlet.java @@ -0,0 +1,287 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.base; + +import java.io.IOException; +import java.util.Date; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import com.netscape.certsrv.apps.CMS; + +/** + * Displays detailed information about java VM internals, including + * current JVM memory usage, and detailed information about each + * thread. + *

+ * Also allows user to trigger a new garbage collection + * + * @version $Revision$, $Date$ + */ +public class SystemInfoServlet extends HttpServlet { + + /** + * + */ + private static final long serialVersionUID = -438134935001530607L; + + public SystemInfoServlet() { + } + + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + } + + /** + * service the request, returning HTML to the client. + * This method has different behaviour depending on the + * value of the 'op' HTTP parameter. + *

    + *
  • op = undefined - display a menu with links to the other functionality of this servlet + *
  • op = gc - tell the JVM that we want to do a garbage collection and to run finalizers (@see + * java.lang.Runtime.getRuntime#gc() ) + *
  • op = general - display information about memory, and other JVM informatino + *
  • op = thread - display details about each thread. + *
+ * + * @see javax.servlet.http.HttpServlet#service(HttpServletRequest, HttpServletResponse) + */ + public void service(HttpServletRequest request, + HttpServletResponse response) + throws ServletException, IOException { + String op = request.getParameter("op"); + + response.setContentType("text/html"); + if (op == null) { + mainMenu(request, response); + } else if (op.equals("gc")) { + gc(request, response); + } else if (op.equals("general")) { + general(request, response); + } else if (op.equals("thread")) { + thread(request, response); + } + } + + private void mainMenu(HttpServletRequest request, + HttpServletResponse response) + throws ServletException, IOException { + response.getWriter().println(""); + response.getWriter().println("

"); + response.getWriter().println(""); + response.getWriter().println("Main"); + response.getWriter().println(""); + response.getWriter().println("

"); + response.getWriter().println("

"); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println("
"); + response.getWriter().println("
  • "); + response.getWriter().println(""); + response.getWriter().println("General"); + response.getWriter().println(""); + response.getWriter().println("
  • "); + response.getWriter().println("
  • "); + response.getWriter().println(""); + response.getWriter().println("Garbage Collection"); + response.getWriter().println(""); + response.getWriter().println("
  • "); + response.getWriter().println("
  • "); + response.getWriter().println(""); + response.getWriter().println("Thread Listing"); + response.getWriter().println(""); + response.getWriter().println("
  • "); + response.getWriter().println(""); + } + + private void gc(HttpServletRequest request, + HttpServletResponse response) + throws ServletException, IOException { + java.lang.Runtime.getRuntime().gc(); + java.lang.Runtime.getRuntime().runFinalization(); + response.getWriter().println(""); + response.getWriter().println("

    "); + response.getWriter().println(""); + response.getWriter().println("Main"); + response.getWriter().println(""); + response.getWriter().println(" : "); + response.getWriter().println("Garbage Collection"); + response.getWriter().println("

    "); + response.getWriter().println("

    "); + response.getWriter().println("The garbage collector has been executed."); + response.getWriter().println(""); + } + + private void general(HttpServletRequest request, + HttpServletResponse response) + throws ServletException, IOException { + response.getWriter().println(""); + response.getWriter().println("

    "); + response.getWriter().println(""); + response.getWriter().println("Main"); + response.getWriter().println(""); + response.getWriter().println(" : "); + response.getWriter().println("General"); + response.getWriter().println("

    "); + response.getWriter().println("

    "); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println("
    "); + response.getWriter().println("Server Started Time:"); + response.getWriter().println(""); + response.getWriter().println(new Date(CMS.getStartupTime())); + response.getWriter().println("
    "); + response.getWriter().println("Current Time:"); + response.getWriter().println(""); + response.getWriter().println(new Date()); + response.getWriter().println("
    "); + response.getWriter().println("Available Processors:"); + response.getWriter().println(""); + response.getWriter().println(Runtime.getRuntime().availableProcessors()); + response.getWriter().println("
    "); + response.getWriter().println("Active Threads:"); + response.getWriter().println(""); + response.getWriter().println(Thread.activeCount()); + response.getWriter().println("
    "); + response.getWriter().println("Max Memory (in Bytes):"); + response.getWriter().println(""); + response.getWriter().println(Runtime.getRuntime().maxMemory()); + response.getWriter().println("
    "); + response.getWriter().println("Total Memory (in Bytes):"); + response.getWriter().println(""); + response.getWriter().println(Runtime.getRuntime().totalMemory()); + response.getWriter().println("
    "); + response.getWriter().println("Free Memory (in Bytes):"); + response.getWriter().println(""); + response.getWriter().println(Runtime.getRuntime().freeMemory()); + response.getWriter().println("
    "); + response.getWriter().println("Free Memory / Total Memory:"); + response.getWriter().println(""); + response.getWriter().println( + (Runtime.getRuntime().freeMemory() * 100) / Runtime.getRuntime().totalMemory() + "%"); + response.getWriter().println("
    "); + response.getWriter().println(""); + } + + private void thread(HttpServletRequest request, + HttpServletResponse response) + throws ServletException, IOException { + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println("

    "); + response.getWriter().println(""); + response.getWriter().println("Main"); + response.getWriter().println(""); + response.getWriter().println(" : "); + response.getWriter().println("Thread Listing"); + response.getWriter().println("

    "); + response.getWriter().println("

    "); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + int active = Thread.activeCount(); + Thread threads[] = new Thread[active]; + int c = Thread.enumerate(threads); + + for (int i = 0; i < c; i++) { + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + } + response.getWriter().println("
    "); + response.getWriter().println(""); + response.getWriter().println("#"); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println("Name"); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println("Priority"); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println(""); + response.getWriter().println("isDaemon"); + response.getWriter().println(""); + response.getWriter().println("
    "); + response.getWriter().println(i); + response.getWriter().println(""); + response.getWriter().println(threads[i].getName()); + response.getWriter().println(""); + response.getWriter().println(threads[i].getPriority()); + response.getWriter().println(""); + if (threads[i].isDaemon()) { + response.getWriter().println("true"); + } else { + response.getWriter().println("false"); + } + response.getWriter().println("
    "); + response.getWriter().println(""); + } +} diff --git a/base/common/src/com/netscape/cms/servlet/base/UserInfo.java b/base/common/src/com/netscape/cms/servlet/base/UserInfo.java new file mode 100644 index 000000000..dd8f69613 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/base/UserInfo.java 
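Review bot: service() exposes JVM memory figures and the full thread list and lets any caller force `Runtime.getRuntime().gc()` plus `runFinalization()` via `op=gc`, with no authentication or authorization check visible anywhere in the class; it extends HttpServlet directly rather than CMSServlet, so it inherits none of the subsystem's request gating. Unless the deployment descriptor constrains this URL (not visible in this hunk), repeated `op=gc` requests are a cheap way to stall the server, and the thread names and memory data are disclosure an anonymous caller should not get. Gate it explicitly — a security-constraint on the path in web.xml restricted to an admin role, or a check at the top of service() before dispatching on `op` — and return the main menu or a 400 for an unrecognised `op` instead of the current empty text/html body. Thread names are also written into the HTML unescaped; nothing here shows them to be client-influenced, but a comment noting that assumption is worth adding if this page is ever reachable beyond admins.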
@@ -0,0 +1,90 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.base;
+
+/**
+ * This class represents information about the client e.g. version,
+ * langauge, vendor.
+ *
+ * @version $Revision$, $Date$
+ */
+public class UserInfo {
+ public final static String MSIE = "MSIE";
+ public final static String MOZILLA = "Mozilla";
+
+ /**
+ * Constructs a user information object.
+ */
+ public UserInfo() {
+ }
+
+ /**
+ * Returns the user language.
+ *
+ * @param s user language info from the browser
+ * @return user language
+ */
+ public static String getUserLanguage(String s) {
+ // Does this contain a country code?
+ int pos = s.indexOf("-");
+
+ if (pos != -1) {
+ // Yes it does
+ return s.substring(0, pos);
+ }
+ return s;
+ }
+
+ /**
+ * Returns the user country.
+ *
+ * @param s user language info from the browser
+ * @return user country
+ */
+ public static String getUserCountry(String s) {
+ // Does this contain a country code?
+ int pos = s.indexOf("-");
+
+ if (pos != -1) {
+ // Yes it does
+ return s.substring(pos + 1);
+ }
+ return "";
+ }
+
+ /**
+ * Returns the users agent.
+ *
+ * @param s user language info from the browser
+ * @return user agent
+ */
+ public static String getUserAgent(String s) {
+ // Check for MSIE
+ if (s.indexOf(MSIE) != -1) {
+ return MSIE;
+ }
+
+ // Check for Netscape i.e. Mozilla
+ if (s.indexOf(MOZILLA) != -1) {
+ return MOZILLA;
+ }
+
+ // Don't know agent. Return empty string.
+ return "";
+ }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/base/model/Link.java b/base/common/src/com/netscape/cms/servlet/base/model/Link.java
new file mode 100644
index 000000000..7fd850a22
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/base/model/Link.java
@@ -0,0 +1,88 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2011 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---/**
+package com.netscape.cms.servlet.base.model;
+
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlRootElement;
+
+/**
+ * @author alee
+ *
+ */
+@XmlRootElement(name = "Link")
+public class Link {
+ protected String relationship;
+ protected String href;
+ protected String type;
+
+ public Link() {
+ // required for jaxb
+ }
+
+ public Link(String relationship, String href, String type) {
+ this.relationship = relationship;
+ this.href = href;
+ this.type = type;
+ }
+
+ /**
+ * @return the relationship
+ */
+ @XmlAttribute(name = "rel")
+ public String getRelationship() {
+ return relationship;
+ }
+
+ /**
+ * @param relationship the relationship to set
+ */
+ public void setRelationship(String relationship) {
+ this.relationship = relationship;
+ }
+
+ /**
+ * @return the href
+ */
+ @XmlAttribute
+ public String getHref() {
+ return href;
+ }
+
+ /**
+ * @param href the href to set
+ */
+ public void setHref(String href) {
+ this.href = href;
+ }
+
+ /**
+ * @return the type
+ */
+ @XmlAttribute
+ public String getType() {
+ return type;
+ }
+
+ /**
+ * @param type the type to set
+ */
+ public void setType(String type) {
+ this.type = type;
+ }
+
+}
diff --git a/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java b/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
new file mode 100644
index 000000000..5af09ad0d
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
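Review bot: all three static helpers call `s.indexOf(...)` unconditionally, so a caller that passes a missing value (presumably an absent Accept-Language or User-Agent header — the source is not visible here) gets a NullPointerException instead of the empty-string fallback the code otherwise aims for; add `if (s == null) return "";` as the first line of getUserLanguage, getUserCountry and getUserAgent and document null in each `@param`. The Javadoc on getUserAgent says `@param s user language info from the browser`, copied from the two language helpers; it should read `@param s the User-Agent string sent by the browser`. The class comment's `langauge` is a typo worth fixing while here.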
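Review bot: the header line `// --- END COPYRIGHT BLOCK ---/**` has a stray `/**` fused onto the line comment; it is inert as written, but it reads like an unterminated Javadoc opener and differs from every other file in this commit, so drop the `/**`. The class Javadoc carries only `@author alee`; a one-line summary such as `A hypermedia link (rel, href, type) serialized as XML attributes.` would tell readers what the three fields mean. The fields are `protected` with public getters and setters; `private` suffices unless subclassing is intended.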
@@ -0,0 +1,1056 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.cert; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.cert.CertificateException; +import java.util.Date; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletOutputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import netscape.security.x509.CRLExtensions; +import netscape.security.x509.CRLReasonExtension; +import netscape.security.x509.InvalidityDateExtension; +import netscape.security.x509.RevocationReason; +import netscape.security.x509.RevokedCertImpl; +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.EMissingCredential; +import com.netscape.certsrv.authentication.IAuthManager; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authority.ICertAuthority; +import com.netscape.certsrv.authorization.AuthzToken; +import 
com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IArgBlock; +import com.netscape.certsrv.ca.ICRLIssuingPoint; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.dbs.certdb.ICertRecord; +import com.netscape.certsrv.dbs.certdb.ICertRecordList; +import com.netscape.certsrv.dbs.certdb.ICertificateRepository; +import com.netscape.certsrv.logging.AuditFormat; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.IPublisherProcessor; +import com.netscape.certsrv.ra.IRegistrationAuthority; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IRequestQueue; +import com.netscape.certsrv.request.RequestId; +import com.netscape.certsrv.request.RequestStatus; +import com.netscape.cms.servlet.base.CMSServlet; +import com.netscape.cms.servlet.common.CMSRequest; +import com.netscape.cms.servlet.common.CMSTemplate; +import com.netscape.cms.servlet.common.CMSTemplateParams; +import com.netscape.cms.servlet.common.ECMSGWException; +import com.netscape.cmsutil.util.Utils; + +/** + * Revoke a certificate with a CMC-formatted revocation request + * + * @version $Revision$, $Date$ + */ +public class CMCRevReqServlet extends CMSServlet { + /** + * + */ + private static final long serialVersionUID = 4731070386698127770L; + public final static String GETCERTS_FOR_CHALLENGE_REQUEST = "getCertsForChallenge"; + public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke"; + // revocation templates. 
+ private final static String TPL_FILE = "revocationResult.template"; + public static final String CRED_CMC = "cmcRequest"; + + private ICertificateRepository mCertDB = null; + private String mFormPath = null; + private IRequestQueue mQueue = null; + private IPublisherProcessor mPublisherProcessor = null; + private String mRequestID = null; + private final static String REVOKE = "revoke"; + private final static String ON_HOLD = "on-hold"; + private final static int ON_HOLD_REASON = 6; + private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; + private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; + + // http params + public static final String SERIAL_NO = TOKEN_CERT_SERIAL; + public static final String REASON_CODE = "reasonCode"; + public static final String CHALLENGE_PHRASE = "challengePhrase"; + + // request attributes + public static final String SERIALNO_ARRAY = "serialNoArray"; + + public CMCRevReqServlet() { + super(); + } + + /** + * initialize the servlet. + * + * @param sc servlet configuration, read from the web.xml file + */ + public void init(ServletConfig sc) throws ServletException { + + super.init(sc); + + String authorityId = mAuthority.getId(); + + mFormPath = "/" + authorityId + "/" + TPL_FILE; + + mTemplates.remove(CMSRequest.SUCCESS); + if (mAuthority instanceof ICertificateAuthority) { + mCertDB = ((ICertificateAuthority) mAuthority).getCertificateRepository(); + } + + if (mAuthority instanceof ICertAuthority) { + mPublisherProcessor = ((ICertAuthority) mAuthority).getPublisherProcessor(); + } + mQueue = mAuthority.getRequestQueue(); + if (mOutputTemplatePath != null) + mFormPath = mOutputTemplatePath; + } + + /** + * Process the HTTP request. + * + *

      + *
    • http.param cmcRequest the base-64 encoded CMC request + *
    + * + * @param cmsReq the object holding the request and response information + */ + protected void process(CMSRequest cmsReq) throws EBaseException { + + String cmcAgentSerialNumber = null; + IArgBlock httpParams = cmsReq.getHttpParams(); + HttpServletRequest req = cmsReq.getHttpReq(); + HttpServletResponse resp = cmsReq.getHttpResp(); + + CMSTemplate form = null; + Locale[] locale = new Locale[1]; + + CMS.debug("**** mFormPath = " + mFormPath); + try { + form = getTemplate(mFormPath, req, locale); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + } + + IArgBlock header = CMS.createArgBlock(); + IArgBlock ctx = CMS.createArgBlock(); + CMSTemplateParams argSet = new CMSTemplateParams(header, ctx); + + String cmc = (String) httpParams.get(CRED_CMC); + if (cmc == null) { + throw new EMissingCredential( + CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CMC)); + } + + IAuthToken authToken = authenticate(cmsReq); + + AuthzToken authzToken = null; + try { + authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, "revoke"); + } catch (Exception e) { + // do nothing for now + } + + if (authzToken == null) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + return; + } + + //IAuthToken authToken = getAuthToken(cmsReq); + //Object subject = authToken.get(CMCAuth.TOKEN_CERT_SERIAL); + //Object uid = authToken.get("uid"); + //=========================== + String authMgr = AuditFormat.NOAUTH; + BigInteger[] serialNoArray = null; + + if (authToken != null) { + serialNoArray = authToken.getInBigIntegerArray(TOKEN_CERT_SERIAL); + } + + Integer reasonCode = Integer.valueOf(0); + if (authToken != null) { + reasonCode = authToken.getInInteger(REASON_CODE); + } + + String comments = ""; + Date invalidityDate = null; + String revokeAll = null; + int verifiedRecordCount = 0; + int totalRecordCount = 0; + + if (serialNoArray != 
null) { + totalRecordCount = serialNoArray.length; + verifiedRecordCount = serialNoArray.length; + } + + X509CertImpl[] certs = null; + + //for audit log. + String initiative = null; + + if (mAuthMgr != null && mAuthMgr.equals("CMCAuth")) { + // request is from agent + if (authToken != null) { + authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + String agentID = authToken.getInString("userid"); + + initiative = AuditFormat.FROMAGENT + " agentID: " + agentID + + " authenticated by " + authMgr; + } + } else { + initiative = AuditFormat.FROMUSER; + } + + if ((serialNoArray != null) && (serialNoArray.length > 0)) { + if (mAuthority instanceof ICertificateAuthority) { + certs = new X509CertImpl[serialNoArray.length]; + + for (int i = 0; i < serialNoArray.length; i++) { + certs[i] = + ((ICertificateAuthority) mAuthority).getCertificateRepository().getX509Certificate( + serialNoArray[i]); + } + + } else if (mAuthority instanceof IRegistrationAuthority) { + IRequest getCertsChallengeReq = null; + + getCertsChallengeReq = mQueue.newRequest( + GETCERTS_FOR_CHALLENGE_REQUEST); + getCertsChallengeReq.setExtData(SERIALNO_ARRAY, serialNoArray); + mQueue.processRequest(getCertsChallengeReq); + RequestStatus status = getCertsChallengeReq.getRequestStatus(); + + if (status == RequestStatus.COMPLETE) { + certs = getCertsChallengeReq.getExtDataInCertArray(IRequest.OLD_CERTS); + header.addStringValue("request", getCertsChallengeReq.getRequestId().toString()); + mRequestID = getCertsChallengeReq.getRequestId().toString(); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_FAIL_GET_CERT_CHALL_PWRD")); + } + } + + header.addIntegerValue("totalRecordCount", serialNoArray.length); + header.addIntegerValue("verifiedRecordCount", serialNoArray.length); + + for (int i = 0; i < serialNoArray.length; i++) { + IArgBlock rarg = CMS.createArgBlock(); + + rarg.addBigIntegerValue("serialNumber", + serialNoArray[i], 16); + rarg.addStringValue("subject", + 
certs[i].getSubjectDN().toString()); + rarg.addLongValue("validNotBefore", + certs[i].getNotBefore().getTime() / 1000); + rarg.addLongValue("validNotAfter", + certs[i].getNotAfter().getTime() / 1000); + //argSet.addRepeatRecord(rarg); + } + + revokeAll = "(|(certRecordId=" + serialNoArray[0].toString() + "))"; + cmcAgentSerialNumber = authToken.getInString(IAuthManager.CRED_SSL_CLIENT_CERT); + process(argSet, header, reasonCode.intValue(), invalidityDate, initiative, req, resp, + verifiedRecordCount, revokeAll, totalRecordCount, + comments, locale[0], cmcAgentSerialNumber); + + } else { + header.addIntegerValue("totalRecordCount", 0); + header.addIntegerValue("verifiedRecordCount", 0); + } + + try { + ServletOutputStream out = resp.getOutputStream(); + + if ((serialNoArray == null) || (serialNoArray.length == 0)) { + cmsReq.setStatus(CMSRequest.ERROR); + EBaseException ee = new EBaseException("No matched certificate is found"); + + cmsReq.setError(ee); + } else { + String xmlOutput = req.getParameter("xml"); + if (xmlOutput != null && xmlOutput.equals("true")) { + outputXML(resp, argSet); + } else { + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); + } + } + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + } + } + + /** + * Process cert status change request using the Certificate Management + * protocol using CMS (CMC) + *

    + * + * (Certificate Request - an "EE" cert status change request) + *

    + * + * (Certificate Request Processed - an "EE" cert status change request) + *

    + * + *

      + *
    • signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST used when a cert status change request (e. g. - + * "revocation") is made (before approval process) + *
    • signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED used when a certificate status is + * changed (revoked, expired, on-hold, off-hold) + *
    + * + * @param argSet CMS template parameters + * @param header argument block + * @param reason revocation reason (0 - Unspecified, 1 - Key compromised, + * 2 - CA key compromised; should not be used, 3 - Affiliation changed, + * 4 - Certificate superceded, 5 - Cessation of operation, or + * 6 - Certificate is on hold) + * @param invalidityDate certificate validity date + * @param initiative string containing the audit format + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param verifiedRecordCount number of verified records + * @param revokeAll string containing information on all of the + * certificates to be revoked + * @param totalRecordCount total number of records (verified and unverified) + * @param comments string containing certificate comments + * @param locale the system locale + * @exception EBaseException an error has occurred + */ + private void process(CMSTemplateParams argSet, IArgBlock header, + int reason, Date invalidityDate, + String initiative, + HttpServletRequest req, + HttpServletResponse resp, + int verifiedRecordCount, + String revokeAll, + int totalRecordCount, + String comments, + Locale locale, String cmcAgentSerialNumber) + throws EBaseException { + String eeSerialNumber = null; + if (cmcAgentSerialNumber != null) { + eeSerialNumber = cmcAgentSerialNumber; + } else { + X509CertImpl sslCert = (X509CertImpl) getSSLClientCertificate(req); + if (sslCert != null) { + eeSerialNumber = sslCert.getSerialNumber().toString(); + } + } + + boolean auditRequest = true; + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(req); + String auditSerialNumber = auditSerialNumber(eeSerialNumber); + String auditRequestType = auditRequestType(reason); + String auditApprovalStatus = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + String auditReasonNum = String.valueOf(reason); + + try { + int count = 0; + Vector oldCertsV = new Vector(); + Vector revCertImplsV = new 
Vector(); + + // Construct a CRL reason code extension. + RevocationReason revReason = RevocationReason.fromInt(reason); + CRLReasonExtension crlReasonExtn = new CRLReasonExtension(revReason); + + // Construct a CRL invalidity date extension. + InvalidityDateExtension invalidityDateExtn = null; + + if (invalidityDate != null) { + invalidityDateExtn = new InvalidityDateExtension(invalidityDate); + } + + // Construct a CRL extension for this request. + CRLExtensions entryExtn = new CRLExtensions(); + + if (crlReasonExtn != null) { + entryExtn.set(crlReasonExtn.getName(), crlReasonExtn); + } + if (invalidityDateExtn != null) { + entryExtn.set(invalidityDateExtn.getName(), invalidityDateExtn); + } + + if (mAuthority instanceof ICertificateAuthority) { + ICertRecordList list = (ICertRecordList) mCertDB.findCertRecordsInList( + revokeAll, null, totalRecordCount); + Enumeration e = list.getCertRecords(0, totalRecordCount - 1); + + while (e != null && e.hasMoreElements()) { + ICertRecord rec = e.nextElement(); + X509CertImpl cert = rec.getCertificate(); + IArgBlock rarg = CMS.createArgBlock(); + + rarg.addBigIntegerValue("serialNumber", + cert.getSerialNumber(), 16); + + if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) { + rarg.addStringValue("error", "Certificate " + + cert.getSerialNumber().toString() + + " is already revoked."); + } else { + oldCertsV.addElement(cert); + + RevokedCertImpl revCertImpl = + new RevokedCertImpl(cert.getSerialNumber(), + CMS.getCurrentDate(), entryExtn); + + revCertImplsV.addElement(revCertImpl); + count++; + rarg.addStringValue("error", null); + } + argSet.addRepeatRecord(rarg); + } + + } else if (mAuthority instanceof IRegistrationAuthority) { + String reqIdStr = null; + + if (mRequestID != null && mRequestID.length() > 0) + reqIdStr = mRequestID; + Vector serialNumbers = new Vector(); + + if (revokeAll != null && revokeAll.length() > 0) { + for (int i = revokeAll.indexOf('='); i < revokeAll.length() && i > -1; i = + 
revokeAll.indexOf('=', i)) { + if (i > -1) { + i++; + while (i < revokeAll.length() && revokeAll.charAt(i) == ' ') { + i++; + } + String legalDigits = "0123456789"; + int j = i; + + while (j < revokeAll.length() && + legalDigits.indexOf(revokeAll.charAt(j)) != -1) { + j++; + } + if (j > i) { + serialNumbers.addElement(revokeAll.substring(i, j)); + } + } + } + } + if (reqIdStr != null && reqIdStr.length() > 0 && serialNumbers.size() > 0) { + IRequest certReq = mRequestQueue.findRequest(new RequestId(reqIdStr)); + X509CertImpl[] certs = certReq.getExtDataInCertArray(IRequest.OLD_CERTS); + + for (int i = 0; i < certs.length; i++) { + boolean addToList = false; + + for (int j = 0; j < serialNumbers.size(); j++) { + if (certs[i].getSerialNumber().toString().equals( + (String) serialNumbers.elementAt(j))) { + addToList = true; + break; + } + } + if (addToList) { + IArgBlock rarg = CMS.createArgBlock(); + + rarg.addBigIntegerValue("serialNumber", + certs[i].getSerialNumber(), 16); + oldCertsV.addElement(certs[i]); + + RevokedCertImpl revCertImpl = + new RevokedCertImpl(certs[i].getSerialNumber(), + CMS.getCurrentDate(), entryExtn); + + revCertImplsV.addElement(revCertImpl); + count++; + rarg.addStringValue("error", null); + argSet.addRepeatRecord(rarg); + } + } + } else { + String b64eCert = req.getParameter("b64eCertificate"); + + if (b64eCert != null) { + byte[] certBytes = Utils.base64decode(b64eCert); + X509CertImpl cert = new X509CertImpl(certBytes); + IArgBlock rarg = CMS.createArgBlock(); + + rarg.addBigIntegerValue("serialNumber", + cert.getSerialNumber(), 16); + oldCertsV.addElement(cert); + + RevokedCertImpl revCertImpl = + new RevokedCertImpl(cert.getSerialNumber(), + CMS.getCurrentDate(), entryExtn); + + revCertImplsV.addElement(revCertImpl); + count++; + rarg.addStringValue("error", null); + argSet.addRepeatRecord(rarg); + } + } + } + + header.addIntegerValue("totalRecordCount", count); + + X509CertImpl[] oldCerts = new X509CertImpl[count]; + 
RevokedCertImpl[] revCertImpls = new RevokedCertImpl[count]; + + for (int i = 0; i < count; i++) { + oldCerts[i] = (X509CertImpl) oldCertsV.elementAt(i); + revCertImpls[i] = (RevokedCertImpl) revCertImplsV.elementAt(i); + } + + IRequest revReq = + mQueue.newRequest(IRequest.REVOCATION_REQUEST); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + + revReq.setExtData(IRequest.CERT_INFO, revCertImpls); + revReq.setExtData(IRequest.REQ_TYPE, IRequest.REVOCATION_REQUEST); + revReq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_AGENT); + revReq.setExtData(IRequest.REVOKED_REASON, reason); + revReq.setExtData(IRequest.OLD_CERTS, oldCerts); + if (comments != null) { + revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments); + } + + // change audit processing from "REQUEST" to "REQUEST_PROCESSED" + // to distinguish which type of signed audit log message to save + // as a failure outcome in case an exception occurs + auditRequest = false; + + mQueue.processRequest(revReq); + + // retrieve the request status + auditApprovalStatus = revReq.getRequestStatus().toString(); + + RequestStatus stat = revReq.getRequestStatus(); + + if (stat == RequestStatus.COMPLETE) { + // audit log the error + Integer result = revReq.getExtDataInInteger(IRequest.RESULT); + + if (result.equals(IRequest.RES_ERROR)) { + String[] svcErrors = + revReq.getExtDataInStringArray(IRequest.SVCERRORS); + + if (svcErrors != null && svcErrors.length > 0) { + for (int i = 0; i < svcErrors.length; i++) { + String err = svcErrors[i]; + + if (err != null) { + //cmsReq.setErrorDescription(err); + for (int j = 0; j < count; j++) { + if (oldCerts[j] != null) { + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + 
revReq.getRequestId(), + initiative, + "completed with error: " + + err, + oldCerts[j].getSubjectDN(), + oldCerts[j].getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString() } + ); + } + } + } + } + } + return; + } + + // audit log the success. + for (int j = 0; j < count; j++) { + if (oldCerts[j] != null) { + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "completed", + oldCerts[j].getSubjectDN(), + oldCerts[j].getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString() } + ); + } + } + + header.addStringValue("revoked", "yes"); + + Integer updateCRLResult = + revReq.getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); + + if (updateCRLResult != null) { + header.addStringValue("updateCRL", "yes"); + if (updateCRLResult.equals(IRequest.RES_SUCCESS)) { + header.addStringValue("updateCRLSuccess", "yes"); + } else { + header.addStringValue("updateCRLSuccess", "no"); + String crlError = + revReq.getExtDataInString(IRequest.CRL_UPDATE_ERROR); + + if (crlError != null) + header.addStringValue("updateCRLError", + crlError); + } + // let known crl publishing status too. + Integer publishCRLResult = + revReq.getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); + + if (publishCRLResult != null) { + if (publishCRLResult.equals(IRequest.RES_SUCCESS)) { + header.addStringValue("publishCRLSuccess", "yes"); + } else { + header.addStringValue("publishCRLSuccess", "no"); + String publError = + revReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + + if (publError != null) + header.addStringValue("publishCRLError", + publError); + } + } + } + if (mAuthority instanceof ICertificateAuthority) { + // let known update and publish status of all crls. 
+ Enumeration otherCRLs = + ((ICertificateAuthority) mAuthority).getCRLIssuingPoints(); + + while (otherCRLs.hasMoreElements()) { + ICRLIssuingPoint crl = (ICRLIssuingPoint) + otherCRLs.nextElement(); + String crlId = crl.getId(); + + if (crlId.equals(ICertificateAuthority.PROP_MASTER_CRL)) + continue; + String updateStatusStr = crl.getCrlUpdateStatusStr(); + Integer updateResult = revReq.getExtDataInInteger(updateStatusStr); + + if (updateResult != null) { + if (updateResult.equals(IRequest.RES_SUCCESS)) { + CMS.debug("CMCRevReqServlet: " + CMS.getLogMessage("ADMIN_SRVLT_ADDING_HEADER", + updateStatusStr)); + header.addStringValue(updateStatusStr, "yes"); + } else { + String updateErrorStr = crl.getCrlUpdateErrorStr(); + + CMS.debug("CMCRevReqServlet: " + CMS.getLogMessage("ADMIN_SRVLT_ADDING_HEADER_NO", + updateStatusStr)); + header.addStringValue(updateStatusStr, "no"); + String error = + revReq.getExtDataInString(updateErrorStr); + + if (error != null) + header.addStringValue(updateErrorStr, + error); + } + String publishStatusStr = crl.getCrlPublishStatusStr(); + Integer publishResult = + revReq.getExtDataInInteger(publishStatusStr); + + if (publishResult == null) + continue; + if (publishResult.equals(IRequest.RES_SUCCESS)) { + header.addStringValue(publishStatusStr, "yes"); + } else { + String publishErrorStr = + crl.getCrlPublishErrorStr(); + + header.addStringValue(publishStatusStr, "no"); + String error = + revReq.getExtDataInString(publishErrorStr); + + if (error != null) + header.addStringValue( + publishErrorStr, error); + } + } + } + } + + if (mPublisherProcessor != null && mPublisherProcessor.ldapEnabled()) { + header.addStringValue("dirEnabled", "yes"); + Integer[] ldapPublishStatus = + revReq.getExtDataInIntegerArray("ldapPublishStatus"); + int certsToUpdate = 0; + int certsUpdated = 0; + + if (ldapPublishStatus != null) { + certsToUpdate = ldapPublishStatus.length; + for (int i = 0; i < certsToUpdate; i++) { + if (ldapPublishStatus[i] == 
IRequest.RES_SUCCESS) { + certsUpdated++; + } + } + } + header.addIntegerValue("certsUpdated", certsUpdated); + header.addIntegerValue("certsToUpdate", certsToUpdate); + + // add crl publishing status. + String publError = + revReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + + if (publError != null) { + header.addStringValue("crlPublishError", + publError); + } + } else { + header.addStringValue("dirEnabled", "no"); + } + header.addStringValue("error", null); + + } else if (stat == RequestStatus.PENDING) { + header.addStringValue("error", "Request Pending"); + header.addStringValue("revoked", "pending"); + // audit log the pending + for (int j = 0; j < count; j++) { + if (oldCerts[j] != null) { + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "pending", + oldCerts[j].getSubjectDN(), + oldCerts[j].getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString() } + ); + } + } + + } else { + Vector errors = revReq.getExtDataInStringVector(IRequest.ERRORS); + StringBuffer errorStr = new StringBuffer(); + + if (errors != null && errors.size() > 0) { + for (int ii = 0; ii < errors.size(); ii++) { + errorStr.append(errors.elementAt(ii)); + ; + } + } + header.addStringValue("error", errorStr.toString()); + header.addStringValue("revoked", "no"); + // audit log the error + for (int j = 0; j < count; j++) { + if (oldCerts[j] != null) { + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + stat.toString(), + oldCerts[j].getSubjectDN(), + oldCerts[j].getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString() } + ); + } + } + } + + // store a message in the signed audit log file + // if and only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) + 
|| (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + + } catch (CertificateException e) { + if (auditRequest) { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + } else { + // store a "CERT_STATUS_CHANGE_REQUEST_PROCESSED" failure + // message in the signed audit log file + // if and only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + } + + log(ILogger.LL_FAILURE, "error " + e); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, "error " + e); + + if (auditRequest) { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + } else { + // store a "CERT_STATUS_CHANGE_REQUEST_PROCESSED" failure + // message in the signed audit log file + // if and 
only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + } + + throw e; + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED", e.toString())); + + if (auditRequest) { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + } else { + // store a "CERT_STATUS_CHANGE_REQUEST_PROCESSED" failure + // message in the signed audit log file + // if and only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + } + + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED")); + } catch (Exception e) { + if (auditRequest) { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + 
auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + } else { + // store a "CERT_STATUS_CHANGE_REQUEST_PROCESSED" failure + // message in the signed audit log file + // if and only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + } + + e.printStackTrace(); + } + + return; + } + + /** + * Signed Audit Log Requester ID + * + * This method is called to obtain the "RequesterID" for + * a signed audit log message. + *

    + * + * @param req HTTP request + * @return id string containing the signed audit log message RequesterID + */ + private String auditRequesterID(HttpServletRequest req) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String requesterID = null; + + // Obtain the requesterID + requesterID = req.getParameter("requestId"); + + if (requesterID != null) { + requesterID = requesterID.trim(); + } else { + requesterID = ILogger.UNIDENTIFIED; + } + + return requesterID; + } + + /** + * Signed Audit Log Serial Number + * + * This method is called to obtain the serial number of the certificate + * whose status is to be changed for a signed audit log message. + *

    + * + * @param eeSerialNumber a string containing the un-normalized serialNumber + * @return id string containing the signed audit log message RequesterID + */ + private String auditSerialNumber(String eeSerialNumber) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String serialNumber = null; + + // Normalize the serialNumber + if (eeSerialNumber != null) { + serialNumber = eeSerialNumber.trim(); + + // convert it to hexadecimal + serialNumber = "0x" + + Integer.toHexString( + Integer.valueOf(serialNumber).intValue()); + } else { + serialNumber = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + + return serialNumber; + } + + /** + * Signed Audit Log Request Type + * + * This method is called to obtain the "Request Type" for + * a signed audit log message. + *

+ *
+ * @param reason an integer denoting the revocation reason
+ * @return string containing REVOKE or ON_HOLD
+ */
+ private String auditRequestType(int reason) {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ String requestType = null;
+
+ // Determine the revocation type based upon the revocation reason
+ if (reason == ON_HOLD_REASON) {
+ requestType = ON_HOLD;
+ } else {
+ requestType = REVOKE;
+ }
+
+ return requestType;
+ }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/cert/ChallengeRevocationServlet1.java b/base/common/src/com/netscape/cms/servlet/cert/ChallengeRevocationServlet1.java
new file mode 100644
index 000000000..f056047cc
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/cert/ChallengeRevocationServlet1.java
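Review bot: `auditSerialNumber` normalizes the serial with `Integer.valueOf(serialNumber).intValue()`, but `eeSerialNumber` is either the `CRED_SSL_CLIENT_CERT` token string or `sslCert.getSerialNumber().toString()`, a decimal rendering of a BigInteger, so any serial above 2^31-1 throws NumberFormatException; because that call happens before the `try` in the private `process`, the revocation then aborts with no signed-audit entry at all. The class already imports BigInteger, so the conversion can be `serialNumber = "0x" + new BigInteger(serialNumber).toString(16);`. In `process(CMSRequest)`, when the RA branch's `getCertsChallengeReq` does not reach `RequestStatus.COMPLETE` only a log line is written and `certs` stays null, yet the loop that follows dereferences `certs[i].getSubjectDN()`, and the same path dereferences `reasonCode.intValue()`, which is an NPE if `getInInteger(REASON_CODE)` can return null; both cases should fall through to the `totalRecordCount = 0` error branch instead. Finally the trailing `catch (Exception e)` in the private `process` only calls `e.printStackTrace()` and returns normally, after which the caller renders the template with `CMSRequest.SUCCESS`; rethrowing as `ECMSGWException` the way the `IOException` branch does would keep the HTTP outcome consistent with the failure recorded in the audit log.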
@@ -0,0 +1,716 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.cert; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.cert.CertificateException; +import java.util.Date; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletOutputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import netscape.security.x509.CRLExtensions; +import netscape.security.x509.CRLReasonExtension; +import netscape.security.x509.InvalidityDateExtension; +import netscape.security.x509.RevocationReason; +import netscape.security.x509.RevokedCertImpl; +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.IAuthSubsystem; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authority.ICertAuthority; +import com.netscape.certsrv.authorization.AuthzToken; +import com.netscape.certsrv.base.EBaseException; +import 
com.netscape.certsrv.base.IArgBlock; +import com.netscape.certsrv.ca.ICRLIssuingPoint; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.dbs.certdb.ICertRecord; +import com.netscape.certsrv.dbs.certdb.ICertRecordList; +import com.netscape.certsrv.dbs.certdb.ICertificateRepository; +import com.netscape.certsrv.logging.AuditFormat; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.IPublisherProcessor; +import com.netscape.certsrv.ra.IRegistrationAuthority; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IRequestQueue; +import com.netscape.certsrv.request.RequestId; +import com.netscape.certsrv.request.RequestStatus; +import com.netscape.cms.servlet.base.CMSServlet; +import com.netscape.cms.servlet.common.CMSRequest; +import com.netscape.cms.servlet.common.CMSTemplate; +import com.netscape.cms.servlet.common.CMSTemplateParams; +import com.netscape.cms.servlet.common.ECMSGWException; +import com.netscape.cmsutil.util.Utils; + +/** + * Takes the certificate info (serial number) and optional challenge phrase, creates a + * revocation request and submits it to the authority subsystem for processing + * + * @version $Revision$, $Date$ + */ +public class ChallengeRevocationServlet1 extends CMSServlet { + /** + * + */ + private static final long serialVersionUID = 1253319999546210407L; + public final static String GETCERTS_FOR_CHALLENGE_REQUEST = "getCertsForChallenge"; + public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke"; + // revocation templates. 
+ private final static String TPL_FILE = "revocationResult.template"; + + private ICertificateRepository mCertDB = null; + private String mFormPath = null; + private IRequestQueue mQueue = null; + private IPublisherProcessor mPublisherProcessor = null; + private String mRequestID = null; + + // http params + public static final String SERIAL_NO = TOKEN_CERT_SERIAL; + public static final String REASON_CODE = "reasonCode"; + public static final String CHALLENGE_PHRASE = "challengePhrase"; + + // request attributes + public static final String SERIALNO_ARRAY = "serialNoArray"; + + public ChallengeRevocationServlet1() { + super(); + } + + /** + * Initialize the servlet. This servlet uses the file + * revocationResult.template for the response + * + * @param sc servlet configuration, read from the web.xml file + */ + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + + String authorityId = mAuthority.getId(); + + mFormPath = "/" + authorityId + "/" + TPL_FILE; + + mTemplates.remove(CMSRequest.SUCCESS); + if (mAuthority instanceof ICertificateAuthority) { + mCertDB = ((ICertificateAuthority) mAuthority).getCertificateRepository(); + } + + if (mAuthority instanceof ICertAuthority) { + mPublisherProcessor = ((ICertAuthority) mAuthority).getPublisherProcessor(); + } + mQueue = mAuthority.getRequestQueue(); + } + + /** + * Process the HTTP request. + *

      + *
    • http.param REASON_CODE the revocation reason + *
    • http.param b64eCertificate the base-64 encoded certificate to revoke + *
    + * + * @param cmsReq the object holding the request and response information + */ + protected void process(CMSRequest cmsReq) + throws EBaseException { + IArgBlock httpParams = cmsReq.getHttpParams(); + HttpServletRequest req = cmsReq.getHttpReq(); + HttpServletResponse resp = cmsReq.getHttpResp(); + + CMSTemplate form = null; + Locale[] locale = new Locale[1]; + + try { + form = getTemplate(mFormPath, req, locale); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + } + + IArgBlock header = CMS.createArgBlock(); + IArgBlock ctx = CMS.createArgBlock(); + CMSTemplateParams argSet = new CMSTemplateParams(header, ctx); + + // for audit log + IAuthToken authToken = authenticate(cmsReq); + String authMgr = AuditFormat.NOAUTH; + + BigInteger[] serialNoArray = null; + + if (authToken != null) { + serialNoArray = authToken.getInBigIntegerArray(SERIAL_NO); + } + // set revocation reason, default to unspecified if not set. + int reasonCode = + httpParams.getValueAsInt(REASON_CODE, 0); + // header.addIntegerValue("reason", reasonCode); + + String comments = req.getParameter(IRequest.REQUESTOR_COMMENTS); + Date invalidityDate = null; + String revokeAll = null; + int totalRecordCount = (serialNoArray != null) ? serialNoArray.length : 0; + int verifiedRecordCount = (serialNoArray != null) ? serialNoArray.length : 0; + + X509CertImpl[] certs = null; + + //for audit log. 
+ String initiative = null; + + if (mAuthMgr != null && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { + // request is from agent + if (authToken != null) { + authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + String agentID = authToken.getInString("userid"); + + initiative = AuditFormat.FROMAGENT + " agentID: " + agentID + + " authenticated by " + authMgr; + } + } else { + initiative = AuditFormat.FROMUSER; + } + + AuthzToken authzToken = null; + + try { + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "revoke"); + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } + + if (authzToken == null) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + return; + } + + if (serialNoArray != null && serialNoArray.length > 0) { + if (mAuthority instanceof ICertificateAuthority) { + certs = new X509CertImpl[serialNoArray.length]; + + for (int i = 0; i < serialNoArray.length; i++) { + certs[i] = + ((ICertificateAuthority) mAuthority).getCertificateRepository().getX509Certificate( + serialNoArray[i]); + } + + } else if (mAuthority instanceof IRegistrationAuthority) { + IRequest getCertsChallengeReq = null; + + getCertsChallengeReq = mQueue.newRequest( + GETCERTS_FOR_CHALLENGE_REQUEST); + getCertsChallengeReq.setExtData(SERIALNO_ARRAY, serialNoArray); + mQueue.processRequest(getCertsChallengeReq); + RequestStatus status = getCertsChallengeReq.getRequestStatus(); + + if (status == RequestStatus.COMPLETE) { + certs = getCertsChallengeReq.getExtDataInCertArray(IRequest.OLD_CERTS); + header.addStringValue("request", getCertsChallengeReq.getRequestId().toString()); + mRequestID = getCertsChallengeReq.getRequestId().toString(); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_FAIL_GET_CERT_CHALL_PWRD")); + } + } + + header.addIntegerValue("totalRecordCount", serialNoArray.length); + header.addIntegerValue("verifiedRecordCount", serialNoArray.length); + + 
for (int i = 0; i < serialNoArray.length; i++) { + IArgBlock rarg = CMS.createArgBlock(); + + rarg.addBigIntegerValue("serialNumber", + serialNoArray[i], 16); + rarg.addStringValue("subject", + certs[i].getSubjectDN().toString()); + rarg.addLongValue("validNotBefore", + certs[i].getNotBefore().getTime() / 1000); + rarg.addLongValue("validNotAfter", + certs[i].getNotAfter().getTime() / 1000); + //argSet.addRepeatRecord(rarg); + } + + revokeAll = "(|(certRecordId=" + serialNoArray[0].toString() + "))"; + process(argSet, header, reasonCode, invalidityDate, initiative, req, resp, + verifiedRecordCount, revokeAll, totalRecordCount, + comments, locale[0]); + } else { + header.addIntegerValue("totalRecordCount", 0); + header.addIntegerValue("verifiedRecordCount", 0); + } + + try { + ServletOutputStream out = resp.getOutputStream(); + + if (serialNoArray == null) { + CMS.debug("ChallengeRevcationServlet1::process() - " + + " serialNoArray is null!"); + EBaseException ee = new EBaseException("No matched certificate is found"); + + cmsReq.setError(ee); + return; + } + + if (serialNoArray.length == 0) { + cmsReq.setStatus(CMSRequest.ERROR); + EBaseException ee = new EBaseException("No matched certificate is found"); + + cmsReq.setError(ee); + } else { + String xmlOutput = req.getParameter("xml"); + if (xmlOutput != null && xmlOutput.equals("true")) { + outputXML(resp, argSet); + } else { + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); + } + } + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + } + } + + private void process(CMSTemplateParams argSet, IArgBlock header, + int reason, Date invalidityDate, + String initiative, + HttpServletRequest req, + HttpServletResponse resp, + int verifiedRecordCount, + String revokeAll, + int totalRecordCount, + String comments, 
+ Locale locale) + throws EBaseException { + try { + int count = 0; + Vector oldCertsV = new Vector(); + Vector revCertImplsV = new Vector(); + + // Construct a CRL reason code extension. + RevocationReason revReason = RevocationReason.fromInt(reason); + CRLReasonExtension crlReasonExtn = new CRLReasonExtension(revReason); + + // Construct a CRL invalidity date extension. + InvalidityDateExtension invalidityDateExtn = null; + + if (invalidityDate != null) { + invalidityDateExtn = new InvalidityDateExtension(invalidityDate); + } + + // Construct a CRL extension for this request. + CRLExtensions entryExtn = new CRLExtensions(); + + if (crlReasonExtn != null) { + entryExtn.set(crlReasonExtn.getName(), crlReasonExtn); + } + if (invalidityDateExtn != null) { + entryExtn.set(invalidityDateExtn.getName(), invalidityDateExtn); + } + + if (mAuthority instanceof ICertificateAuthority) { + ICertRecordList list = (ICertRecordList) mCertDB.findCertRecordsInList( + revokeAll, null, totalRecordCount); + Enumeration e = list.getCertRecords(0, totalRecordCount - 1); + + while (e != null && e.hasMoreElements()) { + ICertRecord rec = e.nextElement(); + X509CertImpl cert = rec.getCertificate(); + IArgBlock rarg = CMS.createArgBlock(); + + rarg.addBigIntegerValue("serialNumber", + cert.getSerialNumber(), 16); + + if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) { + rarg.addStringValue("error", "Certificate " + + cert.getSerialNumber().toString() + + " is already revoked."); + } else { + oldCertsV.addElement(cert); + + RevokedCertImpl revCertImpl = + new RevokedCertImpl(cert.getSerialNumber(), + CMS.getCurrentDate(), entryExtn); + + revCertImplsV.addElement(revCertImpl); + count++; + rarg.addStringValue("error", null); + } + argSet.addRepeatRecord(rarg); + } + + } else if (mAuthority instanceof IRegistrationAuthority) { + String reqIdStr = null; + + if (mRequestID != null && mRequestID.length() > 0) + reqIdStr = mRequestID; + Vector serialNumbers = new Vector(); + + if (revokeAll 
!= null && revokeAll.length() > 0) { + for (int i = revokeAll.indexOf('='); i < revokeAll.length() && i > -1; + i = revokeAll.indexOf('=', i)) { + if (i > -1) { + i++; + while (i < revokeAll.length() && revokeAll.charAt(i) == ' ') { + i++; + } + String legalDigits = "0123456789"; + int j = i; + + while (j < revokeAll.length() && + legalDigits.indexOf(revokeAll.charAt(j)) != -1) { + j++; + } + if (j > i) { + serialNumbers.addElement(revokeAll.substring(i, j)); + } + } + } + } + if (reqIdStr != null && reqIdStr.length() > 0 && serialNumbers.size() > 0) { + IRequest certReq = mRequestQueue.findRequest(new RequestId(reqIdStr)); + X509CertImpl[] certs = certReq.getExtDataInCertArray(IRequest.OLD_CERTS); + + for (int i = 0; i < certs.length; i++) { + boolean addToList = false; + + for (int j = 0; j < serialNumbers.size(); j++) { + if (certs[i].getSerialNumber().toString().equals( + (String) serialNumbers.elementAt(j))) { + addToList = true; + break; + } + } + if (addToList) { + IArgBlock rarg = CMS.createArgBlock(); + + rarg.addBigIntegerValue("serialNumber", + certs[i].getSerialNumber(), 16); + oldCertsV.addElement(certs[i]); + + RevokedCertImpl revCertImpl = + new RevokedCertImpl(certs[i].getSerialNumber(), + CMS.getCurrentDate(), entryExtn); + + revCertImplsV.addElement(revCertImpl); + count++; + rarg.addStringValue("error", null); + argSet.addRepeatRecord(rarg); + } + } + } else { + String b64eCert = req.getParameter("b64eCertificate"); + + if (b64eCert != null) { + byte[] certBytes = Utils.base64decode(b64eCert); + X509CertImpl cert = new X509CertImpl(certBytes); + IArgBlock rarg = CMS.createArgBlock(); + + rarg.addBigIntegerValue("serialNumber", + cert.getSerialNumber(), 16); + oldCertsV.addElement(cert); + + RevokedCertImpl revCertImpl = + new RevokedCertImpl(cert.getSerialNumber(), + CMS.getCurrentDate(), entryExtn); + + revCertImplsV.addElement(revCertImpl); + count++; + rarg.addStringValue("error", null); + argSet.addRepeatRecord(rarg); + } + } + } + + 
header.addIntegerValue("totalRecordCount", count); + + X509CertImpl[] oldCerts = new X509CertImpl[count]; + RevokedCertImpl[] revCertImpls = new RevokedCertImpl[count]; + + for (int i = 0; i < count; i++) { + oldCerts[i] = (X509CertImpl) oldCertsV.elementAt(i); + revCertImpls[i] = (RevokedCertImpl) revCertImplsV.elementAt(i); + } + + IRequest revReq = + mQueue.newRequest(IRequest.REVOCATION_REQUEST); + + revReq.setExtData(IRequest.CERT_INFO, revCertImpls); + revReq.setExtData(IRequest.REQ_TYPE, IRequest.REVOCATION_REQUEST); + revReq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_AGENT); + + revReq.setExtData(IRequest.OLD_CERTS, oldCerts); + if (comments != null) { + revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments); + } + + mQueue.processRequest(revReq); + RequestStatus stat = revReq.getRequestStatus(); + + if (stat == RequestStatus.COMPLETE) { + // audit log the error + Integer result = revReq.getExtDataInInteger(IRequest.RESULT); + + if (result.equals(IRequest.RES_ERROR)) { + String[] svcErrors = + revReq.getExtDataInStringArray(IRequest.SVCERRORS); + + if (svcErrors != null && svcErrors.length > 0) { + for (int i = 0; i < svcErrors.length; i++) { + String err = svcErrors[i]; + + if (err != null) { + //cmsReq.setErrorDescription(err); + for (int j = 0; j < count; j++) { + if (oldCerts[j] != null) { + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "completed with error: " + + err, + oldCerts[j].getSubjectDN(), + oldCerts[j].getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString() } + ); + } + } + } + } + } + return; + } + + // audit log the success. 
+ for (int j = 0; j < count; j++) { + if (oldCerts[j] != null) { + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "completed", + oldCerts[j].getSubjectDN(), + oldCerts[j].getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString() } + ); + } + } + + header.addStringValue("revoked", "yes"); + + Integer updateCRLResult = + revReq.getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); + + if (updateCRLResult != null) { + header.addStringValue("updateCRL", "yes"); + if (updateCRLResult.equals(IRequest.RES_SUCCESS)) { + header.addStringValue("updateCRLSuccess", "yes"); + } else { + header.addStringValue("updateCRLSuccess", "no"); + String crlError = + revReq.getExtDataInString(IRequest.CRL_UPDATE_ERROR); + + if (crlError != null) + header.addStringValue("updateCRLError", + crlError); + } + // let known crl publishing status too. + Integer publishCRLResult = + revReq.getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); + + if (publishCRLResult != null) { + if (publishCRLResult.equals(IRequest.RES_SUCCESS)) { + header.addStringValue("publishCRLSuccess", "yes"); + } else { + header.addStringValue("publishCRLSuccess", "no"); + String publError = + revReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + + if (publError != null) + header.addStringValue("publishCRLError", + publError); + } + } + } + if (mAuthority instanceof ICertificateAuthority) { + // let known update and publish status of all crls. 
+ Enumeration otherCRLs = + ((ICertificateAuthority) mAuthority).getCRLIssuingPoints(); + + while (otherCRLs.hasMoreElements()) { + ICRLIssuingPoint crl = (ICRLIssuingPoint) + otherCRLs.nextElement(); + String crlId = crl.getId(); + + if (crlId.equals(ICertificateAuthority.PROP_MASTER_CRL)) + continue; + String updateStatusStr = crl.getCrlUpdateStatusStr(); + Integer updateResult = revReq.getExtDataInInteger(updateStatusStr); + + if (updateResult != null) { + if (updateResult.equals(IRequest.RES_SUCCESS)) { + CMS.debug("ChallengeRevcationServlet1: " + + CMS.getLogMessage("ADMIN_SRVLT_ADDING_HEADER", + updateStatusStr)); + header.addStringValue(updateStatusStr, "yes"); + } else { + String updateErrorStr = crl.getCrlUpdateErrorStr(); + + CMS.debug("ChallengeRevcationServlet1: " + + CMS.getLogMessage("ADMIN_SRVLT_ADDING_HEADER_NO", + updateStatusStr)); + header.addStringValue(updateStatusStr, "no"); + String error = + revReq.getExtDataInString(updateErrorStr); + + if (error != null) + header.addStringValue(updateErrorStr, + error); + } + String publishStatusStr = crl.getCrlPublishStatusStr(); + Integer publishResult = + revReq.getExtDataInInteger(publishStatusStr); + + if (publishResult == null) + continue; + if (publishResult.equals(IRequest.RES_SUCCESS)) { + header.addStringValue(publishStatusStr, "yes"); + } else { + String publishErrorStr = + crl.getCrlPublishErrorStr(); + + header.addStringValue(publishStatusStr, "no"); + String error = + revReq.getExtDataInString(publishErrorStr); + + if (error != null) + header.addStringValue( + publishErrorStr, error); + } + } + } + } + + if (mPublisherProcessor != null && mPublisherProcessor.ldapEnabled()) { + header.addStringValue("dirEnabled", "yes"); + Integer[] ldapPublishStatus = + revReq.getExtDataInIntegerArray("ldapPublishStatus"); + int certsToUpdate = 0; + int certsUpdated = 0; + + if (ldapPublishStatus != null) { + certsToUpdate = ldapPublishStatus.length; + for (int i = 0; i < certsToUpdate; i++) { + if 
(ldapPublishStatus[i] == IRequest.RES_SUCCESS) { + certsUpdated++; + } + } + } + header.addIntegerValue("certsUpdated", certsUpdated); + header.addIntegerValue("certsToUpdate", certsToUpdate); + + // add crl publishing status. + String publError = + revReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + + if (publError != null) { + header.addStringValue("crlPublishError", + publError); + } + } else { + header.addStringValue("dirEnabled", "no"); + } + header.addStringValue("error", null); + + } else if (stat == RequestStatus.PENDING) { + header.addStringValue("error", "Request Pending"); + header.addStringValue("revoked", "pending"); + // audit log the pending + for (int j = 0; j < count; j++) { + if (oldCerts[j] != null) { + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "pending", + oldCerts[j].getSubjectDN(), + oldCerts[j].getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString() } + ); + } + } + + } else { + Vector errors = revReq.getExtDataInStringVector(IRequest.ERRORS); + StringBuffer errorStr = new StringBuffer(); + + if (errors != null && errors.size() > 0) { + for (int ii = 0; ii < errors.size(); ii++) { + errorStr.append(errors.elementAt(ii)); + } + } + header.addStringValue("error", errorStr.toString()); + header.addStringValue("revoked", "no"); + // audit log the error + for (int j = 0; j < count; j++) { + if (oldCerts[j] != null) { + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + stat.toString(), + oldCerts[j].getSubjectDN(), + oldCerts[j].getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString() } + ); + } + } + } + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, "error " + e); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, "error " + e); + throw e; + } catch (IOException 
e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED", e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED")); + } catch (Exception e) { + e.printStackTrace(); + } + + return; + } +} diff --git a/base/common/src/com/netscape/cms/servlet/cert/CloneRedirect.java b/base/common/src/com/netscape/cms/servlet/cert/CloneRedirect.java new file mode 100644 index 000000000..d17fd959b --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/cert/CloneRedirect.java 
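Review bot: In the RA branch of the private `process`, the `else` fallback that reads `b64eCertificate` builds the `RevokedCertImpl` from `cert.getSerialNumber()` of a client-supplied certificate without comparing that serial to the ones the challenge phrase authenticated (the `serialNumbers` parsed from `revokeAll`), so when the `getCertsForChallenge` request does not complete a requester can submit a revocation for a different serial than the one whose challenge they proved; whether the RA's downstream request processing re-validates ownership is outside this hunk. Before adding the cert to `oldCertsV`, check it: `if (!serialNumbers.contains(cert.getSerialNumber().toString())) { rarg.addStringValue("error", "Certificate " + cert.getSerialNumber() + " does not match the authenticated challenge"); argSet.addRepeatRecord(rarg); } else { /* existing revoke path */ }`. Separately, `mRequestID` is an instance field written in the public `process` and read in the private one, but a servlet instance is shared by concurrent requests, so two simultaneous challenge revocations can pick up each other's request ID and revoke the wrong `OLD_CERTS`; pass it as a parameter or keep it in a local instead. The public `process` also dereferences `certs[i]` in the display loop even though `certs` stays null when the RA request status is not COMPLETE, which produces an NPE rather than the "No matched certificate is found" error.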
@@ -0,0 +1,142 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.cert; + +import java.io.IOException; +import java.util.Locale; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletOutputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IArgBlock; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.cms.servlet.base.CMSServlet; +import com.netscape.cms.servlet.common.CMSRequest; +import com.netscape.cms.servlet.common.CMSTemplate; +import com.netscape.cms.servlet.common.CMSTemplateParams; +import com.netscape.cms.servlet.common.ECMSGWException; + +/** + * Redirect a request to the Master. This servlet is used in + * a clone when a requested service (such as CRL) is not available. + * It redirects the user to the master. 
+ * + * @version $Revision$, $Date$ + */ +public class CloneRedirect extends CMSServlet { + + /** + * + */ + private static final long serialVersionUID = 3217967115281965166L; + private final static String PROP_REDIRECT_URL = "masterURL"; + private final static String TPL_FILE = "cloneRedirect.template"; + + private String mNewUrl = null; + private String mFormPath = null; + + private ICertificateAuthority mCA = null; + + /** + * Constructs CloneRedirect servlet. + */ + public CloneRedirect() { + super(); + + } + + /** + * Initialize the servlet. + * + * @param sc servlet configuration, read from the web.xml file + */ + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; + + if (mAuthority instanceof ICertificateAuthority) { + mCA = (ICertificateAuthority) mAuthority; + IConfigStore authConfig = mCA.getConfigStore(); + + if (authConfig != null) { + try { + mNewUrl = authConfig.getString(PROP_REDIRECT_URL, + "*** master URL unavailable, check your configuration ***"); + } catch (EBaseException e) { + // do nothing + } + } + } + + if (mAuthority instanceof ICertificateAuthority) + mCA = (ICertificateAuthority) mAuthority; + + // override success to do output with our own template. + mTemplates.remove(CMSRequest.SUCCESS); + } + + /** + * Serves HTTP request. 
+ */ + public void process(CMSRequest cmsReq) throws EBaseException { + HttpServletRequest req = cmsReq.getHttpReq(); + HttpServletResponse resp = cmsReq.getHttpResp(); + + IArgBlock header = CMS.createArgBlock(); + IArgBlock fixed = CMS.createArgBlock(); + CMSTemplateParams argSet = new CMSTemplateParams(header, fixed); + + CMSTemplate form = null; + Locale[] locale = new Locale[1]; + + try { + form = getTemplate(mFormPath, req, locale); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + } + + CMS.debug("CloneRedirect: " + CMS.getLogMessage("ADMIN_SRVLT_ADD_MASTER_URL", mNewUrl)); + header.addStringValue("masterURL", mNewUrl); + try { + ServletOutputStream out = resp.getOutputStream(); + + String xmlOutput = req.getParameter("xml"); + if (xmlOutput != null && xmlOutput.equals("true")) { + outputXML(resp, argSet); + } else { + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); + } + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + } + } +} diff --git a/base/common/src/com/netscape/cms/servlet/cert/DirAuthServlet.java b/base/common/src/com/netscape/cms/servlet/cert/DirAuthServlet.java new file mode 100644 index 000000000..ced92ba85 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/cert/DirAuthServlet.java 
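Review bot: `init` swallows the `EBaseException` from `authConfig.getString(PROP_REDIRECT_URL, ...)` with an empty catch, so if the store cannot be read `mNewUrl` stays null and the page is rendered with a null master URL and no log line pointing at the configuration; log it: `log(ILogger.LL_FAILURE, "CloneRedirect: unable to read " + PROP_REDIRECT_URL + ": " + e);`. The second `if (mAuthority instanceof ICertificateAuthority) mCA = (ICertificateAuthority) mAuthority;` repeats the assignment already made inside the first `instanceof` block and can be dropped. `process` makes no `authenticate`/`authorize` call, which is plausible for an informational redirect page, but a comment such as `// Intentionally unauthenticated: only the configured master URL is disclosed.` would make clear it is not an omission.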
@@ -0,0 +1,241 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.cert; + +import java.io.IOException; +import java.util.Date; +import java.util.Locale; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletOutputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthManager; +import com.netscape.certsrv.authentication.IAuthSubsystem; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authorization.AuthzToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IArgBlock; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.ra.IRegistrationAuthority; +import com.netscape.cms.authentication.HashAuthentication; +import com.netscape.cms.servlet.base.CMSServlet; +import com.netscape.cms.servlet.common.CMSRequest; +import com.netscape.cms.servlet.common.CMSTemplate; +import com.netscape.cms.servlet.common.CMSTemplateParams; +import 
com.netscape.cms.servlet.common.ECMSGWException; + +/** + * 'Face-to-face' certificate enrollment. + * + * @version $Revision$, $Date$ + */ +public class DirAuthServlet extends CMSServlet { + /** + * + */ + private static final long serialVersionUID = 3906057586972768401L; + private final static String TPL_FILE = "/ra/hashEnrollmentSubmit.template"; + private final static String TPL_ERROR_FILE = "/ra/GenErrorHashDirEnroll.template"; + private String mFormPath = null; + + public DirAuthServlet() { + super(); + } + + /** + * initialize the servlet. + * + * @param sc servlet configuration, read from the web.xml file + */ + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + try { + mFormPath = sc.getInitParameter( + PROP_SUCCESS_TEMPLATE); + if (mFormPath == null) + mFormPath = TPL_FILE; + } catch (Exception e) { + } + + mTemplates.remove(CMSRequest.SUCCESS); + } + + /** + * Process the HTTP request. This servlet reads configuration information + * from the hashDirEnrollment configuration substore + * + * @param cmsReq the object holding the request and response information + */ + protected void process(CMSRequest cmsReq) + throws EBaseException { + HttpServletRequest httpReq = cmsReq.getHttpReq(); + HttpServletResponse httpResp = cmsReq.getHttpResp(); + + String reqHost = httpReq.getRemoteHost(); + + // Construct an ArgBlock + IArgBlock args = cmsReq.getHttpParams(); + + if (!(mAuthority instanceof IRegistrationAuthority)) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_CA_FROM_RA_NOT_IMP")); + cmsReq.setError(new ECMSGWException( + CMS.getLogMessage("CMSGW_NOT_YET_IMPLEMENTED"))); + cmsReq.setStatus(CMSRequest.ERROR); + return; + } + + CMSTemplate form = null; + Locale[] locale = new Locale[1]; + + try { + form = getTemplate(mFormPath, httpReq, locale); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + cmsReq.setError(new ECMSGWException( + 
CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE"))); + cmsReq.setStatus(CMSRequest.ERROR); + return; + } + + IArgBlock header = CMS.createArgBlock(); + IArgBlock fixed = CMS.createArgBlock(); + + CMSTemplateParams argSet = new CMSTemplateParams(header, fixed); + IAuthToken authToken = authenticate(cmsReq); + + AuthzToken authzToken = null; + + try { + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "submit"); + } catch (Exception e) { + // do nothing for now + } + + if (authzToken == null) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + return; + } + + IConfigStore configStore = CMS.getConfigStore(); + String val = configStore.getString("hashDirEnrollment.name"); + IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); + IAuthManager authMgr = authSS.get(val); + HashAuthentication mgr = (HashAuthentication) authMgr; + + Date date = new Date(); + long currTime = date.getTime(); + long timeout = mgr.getTimeout(reqHost); + long lastlogin = mgr.getLastLogin(reqHost); + long diff = currTime - lastlogin; + + boolean enable = mgr.isEnable(reqHost); + + if (!enable) { + printError(cmsReq, "0"); + cmsReq.setStatus(CMSRequest.SUCCESS); + return; + } + if (lastlogin == 0) + mgr.setLastLogin(reqHost, currTime); + else if (diff > timeout) { + mgr.disable(reqHost); + printError(cmsReq, "2"); + cmsReq.setStatus(CMSRequest.SUCCESS); + return; + } + + mgr.setLastLogin(reqHost, currTime); + + String uid = args.getValueAsString("uid"); + long pageid = mgr.getPageID(); + String pageID = pageid + ""; + + mgr.addAuthToken(pageID, authToken); + + header.addStringValue("pageID", pageID); + header.addStringValue("uid", uid); + header.addStringValue("fingerprint", mgr.hashFingerprint(reqHost, pageID, uid)); + header.addStringValue("hostname", reqHost); + + try { + ServletOutputStream out = httpResp.getOutputStream(); + + httpResp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); + } catch 
(IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE"))); + cmsReq.setStatus(CMSRequest.ERROR); + } + cmsReq.setStatus(CMSRequest.SUCCESS); + return; + } + + private void printError(CMSRequest cmsReq, String errorCode) + throws EBaseException { + HttpServletRequest httpReq = cmsReq.getHttpReq(); + HttpServletResponse httpResp = cmsReq.getHttpResp(); + IArgBlock header = CMS.createArgBlock(); + IArgBlock fixed = CMS.createArgBlock(); + CMSTemplateParams argSet = new CMSTemplateParams(header, fixed); + + mTemplates.remove(CMSRequest.SUCCESS); + header.addStringValue("authority", "Registration Manager"); + header.addStringValue("errorCode", errorCode); + String formPath = TPL_ERROR_FILE; + + CMSTemplate form = null; + Locale[] locale = new Locale[1]; + + try { + form = getTemplate(formPath, httpReq, locale); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_GET_TEMPLATE", formPath, e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE"))); + cmsReq.setStatus(CMSRequest.ERROR); + return; + } + + try { + ServletOutputStream out = httpResp.getOutputStream(); + + httpResp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE"))); + cmsReq.setStatus(CMSRequest.ERROR); + } + } + +} diff --git a/base/common/src/com/netscape/cms/servlet/cert/DisableEnrollResult.java b/base/common/src/com/netscape/cms/servlet/cert/DisableEnrollResult.java new file mode 100644 index 000000000..a5cdc98e8 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/cert/DisableEnrollResult.java 
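Review bot: `process` keys all of the per-client state — `getTimeout`, `getLastLogin`, `isEnable`, `disable` and the `hashFingerprint` input — on `httpReq.getRemoteHost()`, which is the client address after a reverse DNS lookup; clients behind one NAT or proxy therefore share a single last-login/disable slot, and the key itself depends on a PTR record controlled by whoever owns the client's address space, so `httpReq.getRemoteAddr()` (or the identity in `authToken`) is a more stable key — how `HashAuthentication` consumes the value is outside this hunk. At the end of `process`, the unconditional `cmsReq.setStatus(CMSRequest.SUCCESS); return;` after the try/catch overwrites the `CMSRequest.ERROR` status set in the `IOException` handler; delete those two lines, since the try branch already sets SUCCESS. `configStore.getString("hashDirEnrollment.name")` followed by the unchecked cast `(HashAuthentication) authMgr` throws NPE or ClassCastException when the name is missing or names another manager; guard it with `if (!(authMgr instanceof HashAuthentication)) { cmsReq.setError(new ECMSGWException(CMS.getLogMessage("CMSGW_NOT_YET_IMPLEMENTED"))); cmsReq.setStatus(CMSRequest.ERROR); return; }`. `uid` from the request parameters is written straight into the template header; whether the template escapes it is outside this hunk.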
@@ -0,0 +1,173 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.cert; + +import java.io.IOException; +import java.security.cert.X509Certificate; +import java.util.Locale; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletOutputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthManager; +import com.netscape.certsrv.authentication.IAuthSubsystem; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authorization.AuthzToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IArgBlock; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.ra.IRegistrationAuthority; +import com.netscape.cms.authentication.HashAuthentication; +import com.netscape.cms.servlet.base.CMSServlet; +import com.netscape.cms.servlet.common.CMSRequest; +import com.netscape.cms.servlet.common.CMSTemplate; +import com.netscape.cms.servlet.common.CMSTemplateParams; +import 
com.netscape.cms.servlet.common.ECMSGWException; + +/** + * For Face-to-face enrollment, disable EE enrollment feature + * + * @version $Revision$, $Date$ + * @see com.netscape.cms.servlet.cert.EnableEnrollResult + */ +public class DisableEnrollResult extends CMSServlet { + /** + * + */ + private static final long serialVersionUID = 4307655310299723974L; + private final static String TPL_FILE = "enableEnrollResult.template"; + private String mFormPath = null; + + public DisableEnrollResult() { + super(); + } + + /** + * Initializes the servlet. + */ + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + // coming from agent + mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; + + mTemplates.remove(CMSRequest.SUCCESS); + } + + protected CMSRequest newCMSRequest() { + return new CMSRequest(); + } + + /** + * Services the request + */ + protected void process(CMSRequest cmsReq) + throws EBaseException { + HttpServletRequest httpReq = cmsReq.getHttpReq(); + HttpServletResponse httpResp = cmsReq.getHttpResp(); + + IAuthToken token = authenticate(cmsReq); + + AuthzToken authzToken = null; + + try { + authzToken = authorize(mAclMethod, token, + mAuthzResourceName, "disable"); + } catch (Exception e) { + // do nothing for now + } + + if (authzToken == null) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + return; + } + + X509Certificate sslClientCert = null; + + sslClientCert = getSSLClientCertificate(httpReq); + String dn = (String) sslClientCert.getSubjectDN().toString(); + + // Construct an ArgBlock + IArgBlock args = cmsReq.getHttpParams(); + + if (!(mAuthority instanceof IRegistrationAuthority)) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_CA_FROM_RA_NOT_IMP")); + cmsReq.setError(new ECMSGWException( + CMS.getLogMessage("CMSGW_NOT_YET_IMPLEMENTED"))); + cmsReq.setStatus(CMSRequest.ERROR); + return; + } + + CMSTemplate form = null; + Locale[] locale = new Locale[1]; + + try { + form = getTemplate(mFormPath, httpReq, 
locale); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_GET_TEMPLATE", mFormPath, e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + cmsReq.setStatus(CMSRequest.ERROR); + return; + } + + IArgBlock header = CMS.createArgBlock(); + IArgBlock fixed = CMS.createArgBlock(); + CMSTemplateParams argSet = new CMSTemplateParams(header, fixed); + + IConfigStore configStore = CMS.getConfigStore(); + String val = configStore.getString("hashDirEnrollment.name"); + IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); + IAuthManager authMgr = authSS.get(val); + HashAuthentication mgr = (HashAuthentication) authMgr; + + String host = args.getValueAsString("hosts", null); + String name = mgr.getAgentName(host); + + if (name == null) { + header.addStringValue("code", "2"); + } else if (name.equals(dn)) { + mgr.disable(host); + header.addStringValue("code", "2"); + } else { + header.addStringValue("code", "3"); + } + + try { + ServletOutputStream out = httpResp.getOutputStream(); + + httpResp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + cmsReq.setStatus(CMSRequest.ERROR); + } + cmsReq.setStatus(CMSRequest.SUCCESS); + return; + } + +} diff --git a/base/common/src/com/netscape/cms/servlet/cert/DisplayBySerial.java b/base/common/src/com/netscape/cms/servlet/cert/DisplayBySerial.java new file mode 100644 index 000000000..5a1e4ed65 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/cert/DisplayBySerial.java 
@@ -0,0 +1,488 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.cert; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.math.BigInteger; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; +import java.util.Enumeration; +import java.util.Locale; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletOutputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import netscape.security.extensions.NSCertTypeExtension; +import netscape.security.pkcs.ContentInfo; +import netscape.security.pkcs.PKCS7; +import netscape.security.pkcs.SignerInfo; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CRLExtensions; +import netscape.security.x509.CRLReasonExtension; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.Extension; +import netscape.security.x509.KeyUsageExtension; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthToken; 
+import com.netscape.certsrv.authority.ICertAuthority; +import com.netscape.certsrv.authorization.AuthzToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IArgBlock; +import com.netscape.certsrv.base.ICertPrettyPrint; +import com.netscape.certsrv.base.MetaInfo; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.dbs.EDBRecordNotFoundException; +import com.netscape.certsrv.dbs.certdb.ICertRecord; +import com.netscape.certsrv.dbs.certdb.ICertificateRepository; +import com.netscape.certsrv.dbs.certdb.IRevocationInfo; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.RequestId; +import com.netscape.cms.servlet.base.CMSServlet; +import com.netscape.cms.servlet.common.CMSRequest; +import com.netscape.cms.servlet.common.CMSTemplate; +import com.netscape.cms.servlet.common.CMSTemplateParams; +import com.netscape.cms.servlet.common.ECMSGWException; +import com.netscape.cmsutil.util.Utils; + +/** + * Display detailed information about a certificate + * + * The template 'displayBySerial.template' is used to + * render the response for this servlet. + * + * @version $Revision$, $Date$ + */ +public class DisplayBySerial extends CMSServlet { + + /** + * + */ + private static final long serialVersionUID = -4143700762995036597L; + private final static String INFO = "DisplayBySerial"; + private final static String TPL_FILE1 = "displayBySerial.template"; + private final static BigInteger MINUS_ONE = new BigInteger("-1"); + + private ICertificateRepository mCertDB = null; + private String mForm1Path = null; + private X509Certificate mCACerts[] = null; + + /** + * Constructs DisplayBySerial servlet. + */ + public DisplayBySerial() { + super(); + } + + /** + * initialize the servlet. 
+ * + * @param sc servlet configuration, read from the web.xml file + */ + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + if (mAuthority instanceof ICertificateAuthority) { + mCertDB = ((ICertificateAuthority) mAuthority).getCertificateRepository(); + } + try { + mCACerts = ((ICertAuthority) mAuthority).getCACertChain().getChain(); + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CA_CHAIN_NOT_AVAILABLE")); + } + // coming from ee + mForm1Path = "/" + mAuthority.getId() + "/" + TPL_FILE1; + + if (mOutputTemplatePath != null) + mForm1Path = mOutputTemplatePath; + + // override success and error templates to null - + // handle templates locally. + mTemplates.remove(CMSRequest.SUCCESS); + } + + /** + * Serves HTTP request. The format of this request is as follows: + *
      + *
    • http.param serialNumber Decimal serial number of certificate to display (or hex if serialNumber preceded by + * 0x) + *
    + */ + public void process(CMSRequest cmsReq) throws EBaseException { + BigInteger serialNumber = MINUS_ONE; + EBaseException error = null; + String certType[] = new String[1]; + + HttpServletRequest req = cmsReq.getHttpReq(); + HttpServletResponse resp = cmsReq.getHttpResp(); + + IAuthToken authToken = authenticate(cmsReq); + + CMSTemplate form = null; + Locale[] locale = new Locale[1]; + + try { + AuthzToken authzToken = null; + + try { + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "read"); + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } + + if (authzToken == null) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + return; + } + + serialNumber = getSerialNumber(req); + getCertRecord(serialNumber, certType); //throw exception on error + + if (certType[0].equalsIgnoreCase("x509")) { + form = getTemplate(mForm1Path, req, locale); + } + } catch (NumberFormatException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT_1", String.valueOf(serialNumber))); + + error = new ECMSGWException(CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mForm1Path, e.toString())); + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + } catch (EDBRecordNotFoundException e) { + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_CERT_SERIAL_NOT_FOUND_1", "0x" + serialNumber.toString(16))); + } + + IArgBlock header = CMS.createArgBlock(); + IArgBlock fixed = CMS.createArgBlock(); + CMSTemplateParams argSet = new CMSTemplateParams(header, fixed); + + try { + if (serialNumber.compareTo(MINUS_ONE) > 0) { + process(argSet, header, serialNumber, + req, resp, locale[0]); + } else { + error = new ECMSGWException( + CMS.getLogMessage("CMSGW_INVALID_SERIAL_NUMBER")); + } + } catch (EBaseException e) { + error = e; + } + + try { + 
ServletOutputStream out = resp.getOutputStream(); + + if (error == null) { + String xmlOutput = req.getParameter("xml"); + if (xmlOutput != null && xmlOutput.equals("true")) { + outputXML(resp, argSet); + } else { + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); + } + } else { + cmsReq.setStatus(CMSRequest.ERROR); + cmsReq.setError(error); + } + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + } + + } + + /** + * Display information about a particular certificate + */ + private void process(CMSTemplateParams argSet, IArgBlock header, + BigInteger seq, HttpServletRequest req, + HttpServletResponse resp, + Locale locale) + throws EBaseException { + String certType[] = new String[1]; + + try { + getCertRecord(seq, certType); // throw exception on error + + if (certType[0].equalsIgnoreCase("x509")) { + processX509(argSet, header, seq, req, resp, locale); + return; + } + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_DISP_BY_SERIAL", e.toString())); + throw e; + } + + return; + } + + private void processX509(CMSTemplateParams argSet, IArgBlock header, + BigInteger seq, HttpServletRequest req, + HttpServletResponse resp, + Locale locale) + throws EBaseException { + try { + ICertRecord rec = (ICertRecord) mCertDB.readCertificateRecord(seq); + if (rec == null) { + CMS.debug("DisplayBySerial: failed to read record"); + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_ENCODING_ISSUED_CERT")); + } + X509CertImpl cert = rec.getCertificate(); + if (cert == null) { + CMS.debug("DisplayBySerial: no certificate in record"); + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_ENCODING_ISSUED_CERT")); + } + + try { + X509CertInfo info = (X509CertInfo) cert.get(X509CertImpl.NAME + "." 
+ X509CertImpl.INFO); + if (info == null) { + CMS.debug("DisplayBySerial: no info found"); + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_ENCODING_ISSUED_CERT")); + } + CertificateExtensions extensions = (CertificateExtensions) info.get(X509CertInfo.EXTENSIONS); + + boolean emailCert = false; + + if (extensions != null) { + for (int i = 0; i < extensions.size(); i++) { + Extension ext = (Extension) extensions.elementAt(i); + + if (ext instanceof NSCertTypeExtension) { + NSCertTypeExtension type = (NSCertTypeExtension) ext; + + if (((Boolean) type.get(NSCertTypeExtension.EMAIL)).booleanValue()) + emailCert = true; + } + if (ext instanceof KeyUsageExtension) { + KeyUsageExtension usage = + (KeyUsageExtension) ext; + + try { + if (((Boolean) usage.get(KeyUsageExtension.DIGITAL_SIGNATURE)).booleanValue() || + ((Boolean) usage.get(KeyUsageExtension.DATA_ENCIPHERMENT)).booleanValue()) + emailCert = true; + } catch (ArrayIndexOutOfBoundsException e) { + // bug356108: + // In case there is only DIGITAL_SIGNATURE, + // don't report error + } + } + } + } + header.addBooleanValue("emailCert", emailCert); + + boolean noCertImport = true; + MetaInfo metaInfo = (MetaInfo) rec.get(ICertRecord.ATTR_META_INFO); + + if (metaInfo != null) { + String rid = (String) metaInfo.get(ICertRecord.META_REQUEST_ID); + + if (rid != null && mAuthority instanceof ICertificateAuthority) { + IRequest r = + ((ICertificateAuthority) mAuthority).getRequestQueue().findRequest(new RequestId(rid)); + String certType = r.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); + + if (certType != null && certType.equals(IRequest.CLIENT_CERT)) { + noCertImport = false; + } + } + } + header.addBooleanValue("noCertImport", noCertImport); + + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_PARSING_EXTENS", e.toString())); + } + + IRevocationInfo revocationInfo = rec.getRevocationInfo(); + + if (revocationInfo != null) { + CRLExtensions crlExts = 
revocationInfo.getCRLEntryExtensions(); + + if (crlExts != null) { + Enumeration enumx = crlExts.getElements(); + int reason = 0; + + while (enumx.hasMoreElements()) { + Extension ext = (Extension) enumx.nextElement(); + + if (ext instanceof CRLReasonExtension) { + reason = ((CRLReasonExtension) ext).getReason().toInt(); + } + } + header.addIntegerValue("revocationReason", reason); + } + } + + ICertPrettyPrint certDetails = CMS.getCertPrettyPrint(cert); + + header.addStringValue("certPrettyPrint", + certDetails.toString(locale)); + + /* + String scheme = req.getScheme(); + if (scheme.equals("http") && connectionIsSSL(req)) + scheme = "https"; + String requestURI = req.getRequestURI(); + int i = requestURI.indexOf('?'); + String newRequestURI = + (i > -1)? requestURI.substring(0, i): requestURI; + header.addStringValue("serviceURL", scheme +"://"+ + req.getServerName() + ":"+ + req.getServerPort() + newRequestURI); + */ + header.addStringValue("authorityid", mAuthority.getId()); + + String certFingerprints = ""; + + try { + certFingerprints = CMS.getFingerPrints(cert); + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_DIGESTING_CERT", e.toString())); + } + if (certFingerprints.length() > 0) + header.addStringValue("certFingerprint", certFingerprints); + + byte[] ba = cert.getEncoded(); + // Do base 64 encoding + + header.addStringValue("certChainBase64", Utils.base64encode(ba)); + header.addStringValue("serialNumber", seq.toString(16)); + + /* + String userAgent = req.getHeader("user-agent"); + String agent = + (userAgent != null)? 
UserInfo.getUserAgent(userAgent): ""; + */ + // Now formulate a PKCS#7 blob + X509CertImpl[] certsInChain = new X509CertImpl[1]; + ; + if (mCACerts != null) { + for (int i = 0; i < mCACerts.length; i++) { + if (cert.equals(mCACerts[i])) { + certsInChain = new + X509CertImpl[mCACerts.length]; + break; + } + certsInChain = new X509CertImpl[mCACerts.length + 1]; + } + } + + // Set the EE cert + certsInChain[0] = cert; + + // Set the Ca certificate chain + if (mCACerts != null) { + for (int i = 0; i < mCACerts.length; i++) { + if (!cert.equals(mCACerts[i])) + certsInChain[i + 1] = (X509CertImpl) mCACerts[i]; + } + } + + // Wrap the chain into a degenerate P7 object + String p7Str; + + try { + PKCS7 p7 = new PKCS7(new AlgorithmId[0], + new ContentInfo(new byte[0]), + certsInChain, + new SignerInfo[0]); + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + + p7.encodeSignedData(bos, false); + byte[] p7Bytes = bos.toByteArray(); + + p7Str = Utils.base64encode(p7Bytes); + header.addStringValue("pkcs7ChainBase64", p7Str); + } catch (Exception e) { + //p7Str = "PKCS#7 B64 Encoding error - " + e.toString() + //+ "; Please contact your administrator"; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_FORMING_PKCS7_1", e.toString())); + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_FORMING_PKCS7")); + } + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("MSGW_ERR_DISP_BY_SERIAL", e.toString())); + throw e; + } catch (CertificateEncodingException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_ENCODE_CERT", e.toString())); + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_ENCODING_ISSUED_CERT")); + } + + return; + } + + private ICertRecord getCertRecord(BigInteger seq, String certtype[]) + throws EBaseException { + ICertRecord rec = null; + + try { + rec = (ICertRecord) mCertDB.readCertificateRecord(seq); + X509CertImpl x509cert = rec.getCertificate(); + + if (x509cert != null) { + certtype[0] = 
"x509"; + return rec; + } + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_DISP_BY_SERIAL", e.toString())); + throw e; + } + + return rec; + } + + private BigInteger getSerialNumber(HttpServletRequest req) + throws NumberFormatException { + String serialNumString = req.getParameter("serialNumber"); + + if (serialNumString != null) { + serialNumString = serialNumString.trim(); + if (serialNumString.startsWith("0x") || serialNumString.startsWith("0X")) { + return new BigInteger(serialNumString.substring(2), 16); + } else { + return new BigInteger(serialNumString); + } + } else { + throw new NumberFormatException(); + } + } +} diff --git a/base/common/src/com/netscape/cms/servlet/cert/DisplayCRL.java b/base/common/src/com/netscape/cms/servlet/cert/DisplayCRL.java new file mode 100644 index 000000000..ad503272a --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/cert/DisplayCRL.java 
@@ -0,0 +1,481 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.cert; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.cert.CRLException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletOutputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import netscape.security.x509.X509CRLImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authorization.AuthzToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IArgBlock; +import com.netscape.certsrv.base.ICRLPrettyPrint; +import com.netscape.certsrv.ca.ICRLIssuingPoint; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; +import com.netscape.certsrv.dbs.crldb.ICRLRepository; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.cms.servlet.base.CMSServlet; +import com.netscape.cms.servlet.common.CMSRequest; +import 
com.netscape.cms.servlet.common.CMSTemplate; +import com.netscape.cms.servlet.common.CMSTemplateParams; +import com.netscape.cms.servlet.common.ECMSGWException; +import com.netscape.cmsutil.util.Utils; + +/** + * Decode the CRL and display it to the requester. + * + * @version $Revision$, $Date$ + */ +public class DisplayCRL extends CMSServlet { + + /** + * + */ + private static final long serialVersionUID = 1152016798229054027L; + private final static String INFO = "DisplayCRL"; + private final static String TPL_FILE = "displayCRL.template"; + //private final static String E_TPL_FILE = "error.template"; + //private final static String OUT_ERROR = "errorDetails"; + + private String mFormPath = null; + private ICertificateAuthority mCA = null; + + /** + * Constructs DisplayCRL servlet. + */ + public DisplayCRL() { + super(); + } + + /** + * Initialize the servlet. This servlet uses the 'displayCRL.template' file to + * to render the response to the client. + * + * @param sc servlet configuration, read from the web.xml file + */ + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + if (mAuthority instanceof ICertificateAuthority) { + mCA = (ICertificateAuthority) mAuthority; + } + mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; + + if (mOutputTemplatePath != null) + mFormPath = mOutputTemplatePath; + + mTemplates.remove(CMSRequest.SUCCESS); + } + + /** + * Process the HTTP request + *
      + *
    • http.param crlIssuingPoint number + *
    • http.param crlDisplayType entireCRL or crlHeader or base64Encoded or deltaCRL + *
    • http.param pageStart which page to start displaying from + *
    • http.param pageSize number of entries to show per page + *
    + * + * @param cmsReq the Request to service. + */ + public void process(CMSRequest cmsReq) throws EBaseException { + HttpServletRequest req = cmsReq.getHttpReq(); + HttpServletResponse resp = cmsReq.getHttpResp(); + + IAuthToken authToken = authenticate(cmsReq); + + AuthzToken authzToken = null; + + try { + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "read"); + } catch (Exception e) { + // do nothing for now + } + + if (authzToken == null) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + return; + } + + CMSTemplate form = null; + Locale[] locale = new Locale[1]; + + try { + form = getTemplate(mFormPath, req, locale); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE_1", mFormPath, e.toString())); + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + } + + IArgBlock header = CMS.createArgBlock(); + IArgBlock fixed = CMS.createArgBlock(); + CMSTemplateParams argSet = new CMSTemplateParams(header, fixed); + + // Note error is covered in the same template as success. + + String crlIssuingPointId = req.getParameter("crlIssuingPoint"); + + process(argSet, header, req, resp, crlIssuingPointId, + locale[0]); + + try { + ServletOutputStream out = resp.getOutputStream(); + + String xmlOutput = req.getParameter("xml"); + if (xmlOutput != null && xmlOutput.equals("true")) { + outputXML(resp, argSet); + } else { + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); + } + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + } + } + + /** + * Display information about a particular CRL. 
+ */ + private void process(CMSTemplateParams argSet, IArgBlock header, + HttpServletRequest req, + HttpServletResponse resp, + String crlIssuingPointId, + Locale locale) { + ICRLIssuingPoint crlIP = null; + X509CRLImpl crl = null; + boolean clonedCA = false; + boolean isCRLCacheEnabled = false; + String masterHost = null; + String masterPort = null; + Vector ipNames = null; + String ipId = crlIssuingPointId; + ICRLRepository crlRepository = mCA.getCRLRepository(); + + try { + masterHost = CMS.getConfigStore().getString("master.ca.agent.host", ""); + masterPort = CMS.getConfigStore().getString("master.ca.agent.port", ""); + if (masterHost != null && masterHost.length() > 0 && + masterPort != null && masterPort.length() > 0) { + clonedCA = true; + ipNames = crlRepository.getIssuingPointsNames(); + } + } catch (EBaseException e) { + } + + if (clonedCA) { + if (crlIssuingPointId != null) { + if (ipNames != null && ipNames.size() > 0) { + int i; + for (i = 0; i < ipNames.size(); i++) { + String ipName = ipNames.elementAt(i); + if (crlIssuingPointId.equals(ipName)) { + break; + } + } + if (i >= ipNames.size()) + crlIssuingPointId = null; + } else { + crlIssuingPointId = null; + } + } + } else { + if (crlIssuingPointId != null) { + Enumeration ips = mCA.getCRLIssuingPoints(); + + while (ips.hasMoreElements()) { + ICRLIssuingPoint ip = ips.nextElement(); + + if (crlIssuingPointId.equals(ip.getId())) { + crlIP = ip; + isCRLCacheEnabled = ip.isCRLCacheEnabled(); + break; + } + if (!ips.hasMoreElements()) + crlIssuingPointId = null; + } + } + } + if (crlIssuingPointId == null) { + header.addStringValue("error", + "Request to unspecified or non-existing CRL issuing point: " + ipId); + return; + } + + ICRLIssuingPointRecord crlRecord = null; + + String crlDisplayType = req.getParameter("crlDisplayType"); + + if (crlDisplayType == null) + crlDisplayType = "cachedCRL"; + header.addStringValue("crlDisplayType", crlDisplayType); + + try { + crlRecord = + (ICRLIssuingPointRecord) 
mCA.getCRLRepository().readCRLIssuingPointRecord(crlIssuingPointId); + } catch (EBaseException e) { + header.addStringValue("error", e.toString(locale)); + return; + } + if (crlRecord == null) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CRL_NOT_YET_UPDATED_1", crlIssuingPointId)); + header.addStringValue("error", + new ECMSGWException(CMS.getUserMessage(locale, "CMS_GW_CRL_NOT_YET_UPDATED")).toString()); + return; + } + + header.addStringValue("crlIssuingPoint", crlIssuingPointId); + if (crlDisplayType.equals("deltaCRL")) { + if (clonedCA) { + header.addStringValue("crlNumber", crlRecord.getDeltaCRLNumber().toString()); + } else { + header.addStringValue("crlNumber", crlIP.getDeltaCRLNumber().toString()); + } + } else { + if (clonedCA) { + header.addStringValue("crlNumber", crlRecord.getCRLNumber().toString()); + } else { + header.addStringValue("crlNumber", crlIP.getCRLNumber().toString()); + } + } + long lCRLSize = crlRecord.getCRLSize().longValue(); + header.addLongValue("crlSize", lCRLSize); + + if (crlIP != null) { + header.addStringValue("crlDescription", crlIP.getDescription()); + } + + if (!crlDisplayType.equals("cachedCRL")) { + byte[] crlbytes = crlRecord.getCRL(); + + if (crlbytes == null) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CRL_NOT_YET_UPDATED_1", crlIssuingPointId)); + header.addStringValue("error", + new ECMSGWException(CMS.getUserMessage(locale, "CMS_GW_CRL_NOT_YET_UPDATED")).toString()); + return; + } + + try { + if (crlDisplayType.equals("crlHeader")) { + crl = new X509CRLImpl(crlbytes, false); + } else { + crl = new X509CRLImpl(crlbytes); + } + + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_DECODE_CRL", e.toString())); + header.addStringValue("error", + new ECMSGWException(CMS.getUserMessage(locale, "CMS_GW_DECODE_CRL_FAILED")).toString()); + } + } + + if (crl != null || (isCRLCacheEnabled && crlDisplayType.equals("cachedCRL"))) { + if (crlDisplayType.equals("entireCRL") || 
crlDisplayType.equals("cachedCRL")) { + ICRLPrettyPrint crlDetails = null; + if (crlDisplayType.equals("entireCRL")) { + crlDetails = CMS.getCRLPrettyPrint(crl); + } else { + crlDetails = CMS.getCRLCachePrettyPrint(crlIP); + } + + String pageStart = req.getParameter("pageStart"); + String pageSize = req.getParameter("pageSize"); + + if (pageStart != null && pageSize != null) { + long lPageStart = new Long(pageStart).longValue(); + long lPageSize = new Long(pageSize).longValue(); + + if (lPageStart < 1) + lPageStart = 1; + // if (lPageStart + lPageSize - lCRLSize > 1) + // lPageStart = lCRLSize - lPageSize + 1; + + header.addStringValue( + "crlPrettyPrint", crlDetails.toString(locale, + lCRLSize, lPageStart, lPageSize)); + header.addLongValue("pageStart", lPageStart); + header.addLongValue("pageSize", lPageSize); + } else { + header.addStringValue( + "crlPrettyPrint", crlDetails.toString(locale)); + } + } else if (crlDisplayType.equals("crlHeader")) { + ICRLPrettyPrint crlDetails = CMS.getCRLPrettyPrint(crl); + + header.addStringValue( + "crlPrettyPrint", crlDetails.toString(locale, lCRLSize, 0, 0)); + } else if (crlDisplayType.equals("base64Encoded")) { + try { + byte[] ba = crl.getEncoded(); + String crlBase64Encoded = Utils.base64encode(ba); + int length = crlBase64Encoded.length(); + int i = 0; + int j = 0; + int n = 1; + + while (i < length) { + int k = crlBase64Encoded.indexOf('\n', i); + + if (n < 100 && k > -1) { + n++; + i = k + 1; + if (i >= length) { + IArgBlock rarg = CMS.createArgBlock(); + + rarg.addStringValue("crlBase64Encoded", crlBase64Encoded.substring(j, k)); + argSet.addRepeatRecord(rarg); + } + } else { + n = 1; + IArgBlock rarg = CMS.createArgBlock(); + + if (k > -1) { + rarg.addStringValue("crlBase64Encoded", crlBase64Encoded.substring(j, k)); + i = k + 1; + j = i; + } else { + rarg.addStringValue("crlBase64Encoded", crlBase64Encoded.substring(j, length)); + i = length; + } + argSet.addRepeatRecord(rarg); + } + } + } catch (CRLException e) { 
+ } + } else if (crlDisplayType.equals("deltaCRL")) { + if ((clonedCA && crlRecord.getDeltaCRLSize() != null && + crlRecord.getDeltaCRLSize().longValue() > -1) || + (crlIP != null && crlIP.isDeltaCRLEnabled())) { + byte[] deltaCRLBytes = crlRecord.getDeltaCRL(); + + if (deltaCRLBytes == null) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_NO_DELTA_CRL", crlIssuingPointId)); + header.addStringValue("error", "Delta CRL is not available"); + } else { + X509CRLImpl deltaCRL = null; + + try { + deltaCRL = new X509CRLImpl(deltaCRLBytes); + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_DECODE_DELTA_CRL", e.toString())); + header.addStringValue("error", + new ECMSGWException(CMS.getUserMessage(locale, "CMS_GW_DECODE_CRL_FAILED")) + .toString()); + } + if (deltaCRL != null) { + BigInteger crlNumber = crlRecord.getCRLNumber(); + BigInteger deltaNumber = crlRecord.getDeltaCRLNumber(); + if ((clonedCA && crlNumber != null && deltaNumber != null && + deltaNumber.compareTo(crlNumber) >= 0) || + (crlIP != null && crlIP.isThisCurrentDeltaCRL(deltaCRL))) { + + header.addIntegerValue("deltaCRLSize", + deltaCRL.getNumberOfRevokedCertificates()); + + ICRLPrettyPrint crlDetails = CMS.getCRLPrettyPrint(deltaCRL); + + header.addStringValue( + "crlPrettyPrint", crlDetails.toString(locale, 0, 0, 0)); + + try { + byte[] ba = deltaCRL.getEncoded(); + String crlBase64Encoded = Utils.base64encode(ba); + int length = crlBase64Encoded.length(); + int i = 0; + int j = 0; + int n = 1; + + while (i < length) { + int k = crlBase64Encoded.indexOf('\n', i); + + if (n < 100 && k > -1) { + n++; + i = k + 1; + if (i >= length) { + IArgBlock rarg = CMS.createArgBlock(); + + rarg.addStringValue("crlBase64Encoded", + crlBase64Encoded.substring(j, k)); + argSet.addRepeatRecord(rarg); + } + } else { + n = 1; + IArgBlock rarg = CMS.createArgBlock(); + + if (k > -1) { + rarg.addStringValue("crlBase64Encoded", + crlBase64Encoded.substring(j, k)); + i = k + 1; + j = i; 
+ } else { + rarg.addStringValue("crlBase64Encoded", + crlBase64Encoded.substring(j, length)); + i = length; + } + argSet.addRepeatRecord(rarg); + } + } + } catch (CRLException e) { + } + } else { + header.addStringValue("error", "Current Delta CRL is not available."); + } + } + } + } else { + header.addStringValue("error", "Delta CRL is not enabled for " + + crlIssuingPointId + + " issuing point"); + } + } + + } else if (!isCRLCacheEnabled && crlDisplayType.equals("cachedCRL")) { + header.addStringValue("error", + CMS.getUserMessage(locale, "CMS_GW_CRL_CACHE_IS_NOT_ENABLED", crlIssuingPointId)); + header.addStringValue("crlPrettyPrint", + CMS.getUserMessage(locale, "CMS_GW_CRL_CACHE_IS_NOT_ENABLED", crlIssuingPointId)); + } else { + header.addStringValue("error", + new ECMSGWException(CMS.getUserMessage(locale, "CMS_GW_DECODE_CRL_FAILED")).toString()); + header.addStringValue("crlPrettyPrint", + new ECMSGWException(CMS.getUserMessage(locale, "CMS_GW_DECODE_CRL_FAILED")).toString()); + } + return; + } +} diff --git a/base/common/src/com/netscape/cms/servlet/cert/DisplayHashUserEnroll.java b/base/common/src/com/netscape/cms/servlet/cert/DisplayHashUserEnroll.java new file mode 100644 index 000000000..99082d4c5 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/cert/DisplayHashUserEnroll.java 
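Review bot: The paging branch of the private process() parses the request-supplied `pageStart` and `pageSize` with `new Long(...)`, so a non-numeric value throws NumberFormatException straight out of the servlet instead of being reported through the template's `error` value as every other failure in this method is; `pageSize` also gets no lower bound while `pageStart` is clamped to 1. Parsing both with Long.parseLong inside a try/catch that records the error and returns, and clamping lPageSize the same way, keeps the failure inside the template path (rewrite below). The two empty `catch (CRLException e) { }` blocks around `getEncoded()` silently drop the base64 output with no log entry; they should at least log as the decode paths do, e.g. `log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_DECODE_CRL", e.toString()));`. The empty `catch (EBaseException e) { }` around the master host/port config lookup deserves the same treatment.
```java
if (pageStart != null && pageSize != null) {
    long lPageStart;
    long lPageSize;
    try {
        lPageStart = Long.parseLong(pageStart.trim());
        lPageSize = Long.parseLong(pageSize.trim());
    } catch (NumberFormatException e) {
        header.addStringValue("error", "Invalid pageStart or pageSize value");
        return;
    }
    if (lPageStart < 1)
        lPageStart = 1;
    if (lPageSize < 1)
        lPageSize = 1;
    // … unchanged: crlPrettyPrint, pageStart and pageSize header values …
```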
@@ -0,0 +1,227 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.cert;
+
+import java.io.IOException;
+import java.util.Date;
+import java.util.Locale;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthManager;
+import com.netscape.certsrv.authentication.IAuthSubsystem;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.authorization.AuthzToken;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IArgBlock;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.ra.IRegistrationAuthority;
+import com.netscape.cms.authentication.HashAuthentication;
+import com.netscape.cms.servlet.base.CMSServlet;
+import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cms.servlet.common.CMSTemplate;
+import com.netscape.cms.servlet.common.CMSTemplateParams;
+import com.netscape.cms.servlet.common.ECMSGWException;
+
+/**
+ * Servlet to report the status, ie, the agent-initiated user
+ * enrollment is enabled or disabled.
+ *
+ * @version $Revision$, $Date$
+ */
+public class DisplayHashUserEnroll extends CMSServlet {
+ /**
+ *
+ */
+ private static final long serialVersionUID = -7063912475278810362L;
+ private final static String TPL_FILE = "/ra/hashDirUserEnroll.template";
+ private final static String TPL_ERROR_FILE = "/ra/GenErrorHashDirEnroll.template";
+ private String mFormPath = null;
+
+ public DisplayHashUserEnroll() {
+ super();
+ }
+
+ /**
+ * Initializes the servlet.
+ */
+ public void init(ServletConfig sc) throws ServletException {
+ super.init(sc);
+
+ try {
+ mFormPath = sc.getInitParameter(
+ PROP_SUCCESS_TEMPLATE);
+ if (mFormPath == null)
+ mFormPath = TPL_FILE;
+ } catch (Exception e) {
+ }
+
+ mTemplates.remove(CMSRequest.SUCCESS);
+ }
+
+ protected CMSRequest newCMSRequest() {
+ return new CMSRequest();
+ }
+
+ /**
+ * Services the request
+ */
+ protected void process(CMSRequest cmsReq)
+ throws EBaseException {
+ HttpServletRequest httpReq = cmsReq.getHttpReq();
+ HttpServletResponse httpResp = cmsReq.getHttpResp();
+
+ IAuthToken authToken = authenticate(cmsReq);
+ AuthzToken authzToken = null;
+
+ try {
+ authzToken = authorize(mAclMethod, authToken,
+ mAuthzResourceName, "read");
+ } catch (Exception e) {
+ // do nothing for now
+ }
+
+ if (authzToken == null) {
+ cmsReq.setStatus(CMSRequest.UNAUTHORIZED);
+ return;
+ }
+
+ String reqHost = httpReq.getRemoteHost();
+
+ if (!(mAuthority instanceof IRegistrationAuthority)) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_ERR_GET_TEMPLATE"));
+ cmsReq.setError(new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_NOT_YET_IMPLEMENTED")));
+ cmsReq.setStatus(CMSRequest.ERROR);
+ return;
+ }
+
+ IArgBlock header = CMS.createArgBlock();
+ IArgBlock fixed = CMS.createArgBlock();
+ CMSTemplateParams argSet = new CMSTemplateParams(header, fixed);
+
+ IConfigStore configStore = CMS.getConfigStore();
+ String val = configStore.getString("hashDirEnrollment.name");
+ IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
+ IAuthManager authMgr = authSS.get(val);
+ HashAuthentication mgr = (HashAuthentication) authMgr;
+ boolean isEnable = mgr.isEnable(reqHost);
+
+ if (!isEnable) {
+ printError(cmsReq, "0");
+ cmsReq.setStatus(CMSRequest.SUCCESS);
+ return;
+ }
+
+ Date date = new Date();
+ long currTime = date.getTime();
+ long timeout = mgr.getTimeout(reqHost);
+ long lastlogin = mgr.getLastLogin(reqHost);
+ long diff = currTime - lastlogin;
+
+ if (lastlogin == 0)
+ mgr.setLastLogin(reqHost, currTime);
+ else if (diff > timeout) {
+ mgr.disable(reqHost);
+ printError(cmsReq, "2");
+ cmsReq.setStatus(CMSRequest.SUCCESS);
+ return;
+ }
+
+ mgr.setLastLogin(reqHost, currTime);
+
+ CMSTemplate form = null;
+ Locale[] locale = new Locale[1];
+
+ try {
+ form = getTemplate(mFormPath, httpReq, locale);
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_ERR_GET_TEMPLATE", mFormPath, e.toString()));
+ cmsReq.setError(new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")));
+ cmsReq.setStatus(CMSRequest.ERROR);
+ return;
+ }
+
+ try {
+ ServletOutputStream out = httpResp.getOutputStream();
+
+ httpResp.setContentType("text/html");
+ form.renderOutput(out, argSet);
+ cmsReq.setStatus(CMSRequest.SUCCESS);
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString()));
+ cmsReq.setError(new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")));
+ cmsReq.setStatus(CMSRequest.ERROR);
+ }
+ cmsReq.setStatus(CMSRequest.SUCCESS);
+ return;
+ }
+
+ private void printError(CMSRequest cmsReq, String errorCode)
+ throws EBaseException {
+ HttpServletRequest httpReq = cmsReq.getHttpReq();
+ HttpServletResponse httpResp = cmsReq.getHttpResp();
+ IArgBlock header = CMS.createArgBlock();
+ IArgBlock fixed = CMS.createArgBlock();
+ CMSTemplateParams argSet = new CMSTemplateParams(header, fixed);
+
+ mTemplates.remove(CMSRequest.SUCCESS);
+ header.addStringValue("authority", "Registration Manager");
+ header.addStringValue("errorCode", errorCode);
+ String formPath = TPL_ERROR_FILE;
+
+ CMSTemplate form = null;
+ Locale[] locale = new Locale[1];
+
+ try {
+ form = getTemplate(formPath, httpReq, locale);
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_ERR_GET_TEMPLATE", formPath, e.toString()));
+ cmsReq.setError(new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")));
+ cmsReq.setStatus(CMSRequest.ERROR);
+ return;
+ }
+
+ try {
+ ServletOutputStream out = httpResp.getOutputStream();
+
+ httpResp.setContentType("text/html");
+ form.renderOutput(out, argSet);
+ cmsReq.setStatus(CMSRequest.SUCCESS);
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", "", e.toString()));
+
+ cmsReq.setError(new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")));
+ cmsReq.setStatus(CMSRequest.ERROR);
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/cert/DoRevoke.java b/base/common/src/com/netscape/cms/servlet/cert/DoRevoke.java
new file mode 100644
index 000000000..1594c5323
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/cert/DoRevoke.java
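Review bot: The trailing `cmsReq.setStatus(CMSRequest.SUCCESS);` at the end of `DisplayHashUserEnroll.process` runs after the `catch (IOException e)` block has already recorded `CMSRequest.ERROR` and an error object, so a failed render is reported to the caller as success; the success status is already set inside the `try`, so that trailing line (and the `return;` after it) should be removed. Separately, `authSS.get(val)` is cast to `HashAuthentication` with no null check, so a missing or misconfigured `hashDirEnrollment.name` surfaces as a NullPointerException at `mgr.isEnable(reqHost)` rather than a logged error; a guard such as `if (mgr == null) { log(ILogger.LL_FAILURE, "hashDirEnrollment.name does not name a HashAuthentication manager"); cmsReq.setStatus(CMSRequest.ERROR); return; }` would make the failure explicit. The enable and timeout state is keyed on `httpReq.getRemoteHost()`, which depends on reverse DNS and, behind a proxy, identifies the proxy rather than the client; presumably this matches how `HashAuthentication` keys its entries, but it is worth confirming and documenting on `process`. The empty `catch (Exception e) {}` in `init` also hides nothing useful, since `getInitParameter` does not throw, and could be dropped.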
@@ -0,0 +1,1221 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.cert; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.Date; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; +import java.math.BigInteger; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletOutputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import netscape.security.x509.CRLExtensions; +import netscape.security.x509.CRLReasonExtension; +import netscape.security.x509.InvalidityDateExtension; +import netscape.security.x509.RevocationReason; +import netscape.security.x509.RevokedCertImpl; +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.IAuthSubsystem; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authority.ICertAuthority; +import com.netscape.certsrv.authorization.AuthzToken; +import 
com.netscape.certsrv.authorization.EAuthzAccessDenied; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IArgBlock; +import com.netscape.certsrv.base.Nonces; +import com.netscape.certsrv.ca.ICRLIssuingPoint; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.dbs.certdb.ICertRecord; +import com.netscape.certsrv.dbs.certdb.ICertificateRepository; +import com.netscape.certsrv.logging.AuditFormat; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.IPublisherProcessor; +import com.netscape.certsrv.ra.IRegistrationAuthority; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IRequestQueue; +import com.netscape.certsrv.request.RequestId; +import com.netscape.certsrv.request.RequestStatus; +import com.netscape.certsrv.usrgrp.Certificates; +import com.netscape.certsrv.usrgrp.ICertUserLocator; +import com.netscape.certsrv.usrgrp.IUGSubsystem; +import com.netscape.certsrv.usrgrp.IUser; +import com.netscape.cms.servlet.base.CMSServlet; +import com.netscape.cms.servlet.common.CMSRequest; +import com.netscape.cms.servlet.common.CMSTemplate; +import com.netscape.cms.servlet.common.CMSTemplateParams; +import com.netscape.cms.servlet.common.ECMSGWException; + +/** + * Revoke a Certificate + * + * @version $Revision$, $Date$ + */ +public class DoRevoke extends CMSServlet { + + /** + * + */ + private static final long serialVersionUID = 1693115906265904238L; + private final static String INFO = "DoRevoke"; + private final static String TPL_FILE = "revocationResult.template"; + + private ICertificateRepository mCertDB = null; + private String mFormPath = null; + private IRequestQueue mQueue = null; + private IPublisherProcessor mPublisherProcessor = null; + private Nonces mNonces = null; + private int mTimeLimits = 30; /* in seconds */ + private IUGSubsystem mUG = null; + private ICertUserLocator mUL = null; + + private final static String REVOKE = 
"revoke"; + private final static String ON_HOLD = "on-hold"; + private final static int ON_HOLD_REASON = 6; + private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; + private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; + + public DoRevoke() { + super(); + } + + /** + * initialize the servlet. This servlet uses the template + * file "revocationResult.template" to render the result + * + * @param sc servlet configuration, read from the web.xml file + */ + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; + + mUG = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); + mUL = mUG.getCertUserLocator(); + + if (mAuthority instanceof ICertificateAuthority) { + mCertDB = ((ICertificateAuthority) mAuthority).getCertificateRepository(); + if (((ICertificateAuthority) mAuthority).noncesEnabled()) { + mNonces = ((ICertificateAuthority) mAuthority).getNonces(); + } + } + if (mAuthority instanceof ICertAuthority) { + mPublisherProcessor = ((ICertAuthority) mAuthority).getPublisherProcessor(); + } + mQueue = mAuthority.getRequestQueue(); + + mTemplates.remove(CMSRequest.SUCCESS); + if (mOutputTemplatePath != null) + mFormPath = mOutputTemplatePath; + + /* Server-Side time limit */ + try { + mTimeLimits = Integer.parseInt(sc.getInitParameter("timeLimits")); + } catch (Exception e) { + /* do nothing, just use the default if integer parsing failed */ + } + } + + /** + * Serves HTTP request. The http parameters used by this request are as follows: + * + *
    +     * serialNumber Serial number of certificate to revoke (in HEX)
    +     * revocationReason Revocation reason (Described below)
    +     * totalRecordCount [number]
    +     * verifiedRecordCount [number]
    +     * invalidityDate [number of seconds in Jan 1,1970]
    +     * 
    +     * 
    + * + * revocationReason can be one of these values: + * + *
    +     * 0 = Unspecified   (default)
    +     * 1 = Key compromised
    +     * 2 = CA key compromised
    +     * 3 = Affiliation changed
    +     * 4 = Certificate superseded
    +     * 5 = Cessation of operation
    +     * 6 = Certificate is on hold
    +     * 
    + */ + public void process(CMSRequest cmsReq) throws EBaseException { + HttpServletRequest req = cmsReq.getHttpReq(); + HttpServletResponse resp = cmsReq.getHttpResp(); + + IAuthToken authToken = authenticate(cmsReq); + + String revokeAll = null; + int totalRecordCount = -1; + int verifiedRecordCount = -1; + EBaseException error = null; + int reason = -1; + boolean authorized = true; + Date invalidityDate = null; + CMSTemplate form = null; + Locale[] locale = new Locale[1]; + + try { + form = getTemplate(mFormPath, req, locale); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + } + + IArgBlock header = CMS.createArgBlock(); + IArgBlock ctx = CMS.createArgBlock(); + CMSTemplateParams argSet = new CMSTemplateParams(header, ctx); + + try { + if (req.getParameter("revocationReason") != null) { + reason = Integer.parseInt(req.getParameter( + "revocationReason")); + } + if (req.getParameter("totalRecordCount") != null) { + totalRecordCount = Integer.parseInt(req.getParameter( + "totalRecordCount")); + } + if (req.getParameter("verifiedRecordCount") != null) { + verifiedRecordCount = Integer.parseInt( + req.getParameter( + "verifiedRecordCount")); + } + if (req.getParameter("invalidityDate") != null) { + long l = Long.parseLong(req.getParameter( + "invalidityDate")); + + if (l > 0) { + invalidityDate = new Date(l); + } + } + revokeAll = req.getParameter("revokeAll"); + + if (mNonces != null) { + boolean nonceVerified = false; + boolean skipNonceVerification = false; + + X509Certificate cert2 = getSSLClientCertificate(req); + if (cert2 != null) { + X509Certificate certChain[] = new X509Certificate[1]; + certChain[0] = cert2; + IUser user = null; + try { + user = (IUser) mUL.locateUser(new Certificates(certChain)); + } catch (Exception e) { + CMS.debug("DoRevoke: Failed to map certificate '" + + 
cert2.getSubjectDN().getName() + "' to user."); + } + if (mUG.isMemberOf(user, "Subsystem Group")) { + skipNonceVerification = true; + } + } + + String nonceStr = req.getParameter("nonce"); + if (nonceStr != null) { + long nonce = Long.parseLong(nonceStr.trim()); + X509Certificate cert1 = mNonces.getCertificate(nonce); + if (cert1 == null) { + CMS.debug("DoRevoke: Unknown nonce"); + } else if (cert1 != null && cert2 != null && cert1.equals(cert2)) { + nonceVerified = true; + mNonces.removeNonce(nonce); + } + } else { + CMS.debug("DoRevoke: Missing nonce"); + } + CMS.debug("DoRevoke: nonceVerified=" + nonceVerified); + CMS.debug("DoRevoke: skipNonceVerification=" + skipNonceVerification); + if ((!nonceVerified) && (!skipNonceVerification)) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + return; + } + } + + String comments = req.getParameter(IRequest.REQUESTOR_COMMENTS); + String eeSubjectDN = null; + String eeSerialNumber = null; + + //for audit log. + String initiative = null; + + String authMgr = AuditFormat.NOAUTH; + + authToken = authenticate(req); + + AuthzToken authzToken = null; + + try { + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "revoke"); + } catch (EAuthzAccessDenied e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } + + if (authzToken == null) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + return; + } + + if (mAuthMgr != null && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { + if (authToken != null) { + + String serialNumber = req.getParameter("serialNumber"); + getSSLClientCertificate(req); // throw exception on error + + if (serialNumber != null) { + eeSerialNumber = serialNumber; + } + + authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + String agentID = authToken.getInString("userid"); + + initiative = AuditFormat.FROMAGENT + " 
agentID: " + agentID + + " authenticated by " + authMgr; + } + } else { + // request is fromUser. + initiative = AuditFormat.FROMUSER; + + String serialNumber = req.getParameter("serialNumber"); + X509CertImpl sslCert = (X509CertImpl) getSSLClientCertificate(req); + + if (serialNumber == null || sslCert == null || + !(serialNumber.equals(sslCert.getSerialNumber().toString(16)))) { + authorized = false; + } else { + eeSubjectDN = sslCert.getSubjectDN().toString(); + eeSerialNumber = sslCert.getSerialNumber().toString(); + } + + } + + if (authorized) { + process(argSet, header, reason, invalidityDate, initiative, + req, resp, verifiedRecordCount, revokeAll, + totalRecordCount, eeSerialNumber, eeSubjectDN, + comments, locale[0]); + } + + } catch (NumberFormatException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); + error = new EBaseException(CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); + } catch (EBaseException e) { + error = e; + } + + /* + catch (Exception e) { + noError = false; + header.addStringValue(OUT_ERROR, + MessageFormatter.getLocalizedString( + errorlocale[0], + BaseResources.class.getName(), + BaseResources.INTERNAL_ERROR_1, + e.toString())); + } + */ + + try { + ServletOutputStream out = resp.getOutputStream(); + + if (error == null && authorized) { + String xmlOutput = req.getParameter("xml"); + if (xmlOutput != null && xmlOutput.equals("true")) { + outputXML(resp, argSet); + } else { + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); + } + } else if (!authorized) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + } else { + cmsReq.setStatus(CMSRequest.ERROR); + cmsReq.setError(error); + } + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + } + } + + /** + * Process cert status change request + *

    + * + * (Certificate Request - either an "agent" cert status change request, or an "EE" cert status change request) + *

    + * + * (Certificate Request Processed - either an "agent" cert status change request, or an "EE" cert status change + * request) + *

    + * + *

      + *
    • signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST used when a cert status change request (e. g. - + * "revocation") is made (before approval process) + *
    • signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED used when a certificate status is + * changed (revoked, expired, on-hold, off-hold) + *
    + * + * @param argSet CMS template parameters + * @param header argument block + * @param reason revocation reason (0 - Unspecified, 1 - Key compromised, + * 2 - CA key compromised; should not be used, 3 - Affiliation changed, + * 4 - Certificate superceded, 5 - Cessation of operation, or + * 6 - Certificate is on hold) + * @param invalidityDate certificate validity date + * @param initiative string containing the audit format + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param verifiedRecordCount number of verified records + * @param revokeAll string containing information on all of the + * certificates to be revoked + * @param totalRecordCount total number of records (verified and unverified) + * @param eeSerialNumber string containing the end-entity certificate + * serial number + * @param eeSubjectDN string containing the end-entity certificate subject + * distinguished name (DN) + * @param comments string containing certificate comments + * @param locale the system locale + * @exception EBaseException an error has occurred + */ + private void process(CMSTemplateParams argSet, IArgBlock header, + int reason, Date invalidityDate, + String initiative, + HttpServletRequest req, + HttpServletResponse resp, + int verifiedRecordCount, + String revokeAll, + int totalRecordCount, + String eeSerialNumber, + String eeSubjectDN, + String comments, + Locale locale) + throws EBaseException { + boolean auditRequest = true; + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(req); + String auditSerialNumber = auditSerialNumber(eeSerialNumber); + String auditRequestType = auditRequestType(reason); + String auditApprovalStatus = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + String auditReasonNum = String.valueOf(reason); + + CMS.debug("DoRevoke: eeSerialNumber: " + eeSerialNumber + " auditSerialNumber: " + auditSerialNumber); + long startTime = CMS.getCurrentDate().getTime(); + + try { 
+ int count = 0; + Vector oldCertsV = new Vector(); + Vector revCertImplsV = new Vector(); + + // Construct a CRL reason code extension. + RevocationReason revReason = RevocationReason.fromInt(reason); + CRLReasonExtension crlReasonExtn = new CRLReasonExtension(revReason); + + // Construct a CRL invalidity date extension. + InvalidityDateExtension invalidityDateExtn = null; + + if (invalidityDate != null) { + invalidityDateExtn = new InvalidityDateExtension(invalidityDate); + } + + // Construct a CRL extension for this request. + CRLExtensions entryExtn = new CRLExtensions(); + + if (crlReasonExtn != null) { + entryExtn.set(crlReasonExtn.getName(), crlReasonExtn); + } + if (invalidityDateExtn != null) { + entryExtn.set(invalidityDateExtn.getName(), invalidityDateExtn); + } + + if (mAuthority instanceof ICertificateAuthority) { + + Enumeration e = mCertDB.searchCertificates(revokeAll, + totalRecordCount, mTimeLimits); + + while (e != null && e.hasMoreElements()) { + ICertRecord rec = e.nextElement(); + + if (rec == null) + continue; + X509CertImpl xcert = rec.getCertificate(); + IArgBlock rarg = CMS.createArgBlock(); + + // we do not want to revoke the CA certificate accidentially + if (xcert != null && isSystemCertificate(xcert.getSerialNumber())) { + CMS.debug("DoRevoke: skipped revocation request for system certificate " + + xcert.getSerialNumber()); + continue; + } + + if (xcert != null) { + rarg.addStringValue("serialNumber", + xcert.getSerialNumber().toString(16)); + + if (eeSerialNumber != null && + (eeSerialNumber.equals(xcert.getSerialNumber().toString())) && + rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CA_CERTIFICATE_ALREADY_REVOKED_1", xcert.getSerialNumber() + .toString(16))); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + 
auditRequestType); + + audit(auditMessage); + + throw new ECMSGWException(CMS.getLogMessage("CMSGW_UNAUTHORIZED")); + } else if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) { + rarg.addStringValue("error", "Certificate 0x" + + xcert.getSerialNumber().toString(16) + + " is already revoked."); + } else if (eeSubjectDN != null && + (!eeSubjectDN.equals(xcert.getSubjectDN().toString()))) { + rarg.addStringValue("error", "Certificate 0x" + + xcert.getSerialNumber().toString(16) + + " belongs to different subject."); + } else { + oldCertsV.addElement(xcert); + + RevokedCertImpl revCertImpl = + new RevokedCertImpl(xcert.getSerialNumber(), + CMS.getCurrentDate(), entryExtn); + + revCertImplsV.addElement(revCertImpl); + count++; + rarg.addStringValue("error", null); + } + argSet.addRepeatRecord(rarg); + } + } + + } else if (mAuthority instanceof IRegistrationAuthority) { + String reqIdStr = req.getParameter("requestId"); + Vector serialNumbers = new Vector(); + + if (revokeAll != null && revokeAll.length() > 0) { + for (int i = revokeAll.indexOf('='); i < revokeAll.length() && i > -1; + i = revokeAll.indexOf('=', i)) { + if (i > -1) { + i++; + while (i < revokeAll.length() && revokeAll.charAt(i) == ' ') { + i++; + } + // xxxx decimal serial number? + String legalDigits = "0123456789"; + int j = i; + + while (j < revokeAll.length() && legalDigits.indexOf(revokeAll.charAt(j)) != -1) { + j++; + } + if (j > i) { + serialNumbers.addElement(revokeAll.substring(i, j)); + } + } + } + } + if (reqIdStr != null && reqIdStr.length() > 0 && serialNumbers.size() > 0) { + IRequest certReq = mRequestQueue.findRequest(new RequestId(reqIdStr)); + X509CertImpl[] certs = certReq.getExtDataInCertArray(IRequest.OLD_CERTS); + boolean authorized = false; + + for (int i = 0; i < certs.length; i++) { + boolean addToList = false; + + for (int j = 0; j < serialNumbers.size(); j++) { + //xxxxx serial number in decimal? 
+ if (certs[i].getSerialNumber().toString().equals((String) serialNumbers.elementAt(j)) && + eeSubjectDN != null && eeSubjectDN.equals(certs[i].getSubjectDN().toString())) { + addToList = true; + break; + } + } + if (eeSerialNumber != null && + eeSerialNumber.equals(certs[i].getSerialNumber().toString())) { + authorized = true; + } + if (addToList) { + IArgBlock rarg = CMS.createArgBlock(); + + rarg.addStringValue("serialNumber", + certs[i].getSerialNumber().toString(16)); + oldCertsV.addElement(certs[i]); + + RevokedCertImpl revCertImpl = + new RevokedCertImpl(certs[i].getSerialNumber(), + CMS.getCurrentDate(), entryExtn); + + revCertImplsV.addElement(revCertImpl); + count++; + rarg.addStringValue("error", null); + argSet.addRepeatRecord(rarg); + } + } + if (!authorized) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_REQ_AUTH_REVOKED_CERT")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + + throw new ECMSGWException(CMS.getLogMessage("CMSGW_UNAUTHORIZED")); + } + } else { + String b64eCert = req.getParameter("b64eCertificate"); + + if (b64eCert != null) { + // BASE64Decoder decoder = new BASE64Decoder(); + // byte[] certBytes = decoder.decodeBuffer(b64eCert); + byte[] certBytes = CMS.AtoB(b64eCert); + X509CertImpl cert = new X509CertImpl(certBytes); + IArgBlock rarg = CMS.createArgBlock(); + + rarg.addStringValue("serialNumber", + cert.getSerialNumber().toString(16)); + oldCertsV.addElement(cert); + + RevokedCertImpl revCertImpl = + new RevokedCertImpl(cert.getSerialNumber(), + CMS.getCurrentDate(), entryExtn); + + revCertImplsV.addElement(revCertImpl); + count++; + rarg.addStringValue("error", null); + argSet.addRepeatRecord(rarg); + } + } + } + if (count == 0) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_REV_CERTS_ZERO")); + + // 
store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + + throw new ECMSGWException(CMS.getLogMessage("CMSGW_REVOCATION_ERROR_CERT_NOT_FOUND")); + } + + header.addIntegerValue("totalRecordCount", count); + + X509CertImpl[] oldCerts = new X509CertImpl[count]; + //Certificate[] oldCerts = new Certificate[count]; + RevokedCertImpl[] revCertImpls = new RevokedCertImpl[count]; + + for (int i = 0; i < count; i++) { + oldCerts[i] = (X509CertImpl) oldCertsV.elementAt(i); + revCertImpls[i] = (RevokedCertImpl) revCertImplsV.elementAt(i); + } + + IRequest revReq = + mQueue.newRequest(IRequest.REVOCATION_REQUEST); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + + revReq.setExtData(IRequest.CERT_INFO, revCertImpls); + revReq.setExtData(IRequest.REQ_TYPE, IRequest.REVOCATION_REQUEST); + if (initiative.equals(AuditFormat.FROMUSER)) + revReq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_EE); + else + revReq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_AGENT); + revReq.setExtData(IRequest.OLD_CERTS, oldCerts); + if (comments != null) { + revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments); + } + revReq.setExtData(IRequest.REVOKED_REASON, + Integer.valueOf(reason)); + + // change audit processing from "REQUEST" to "REQUEST_PROCESSED" + // to distinguish which type of signed audit log message to save + // as a failure outcome in case an exception occurs + auditRequest = false; + + mQueue.processRequest(revReq); + + // retrieve the request status + auditApprovalStatus = revReq.getRequestStatus().toString(); + + RequestStatus stat = 
revReq.getRequestStatus(); + String type = revReq.getRequestType(); + + // The SVC_PENDING check has been added for the Cloned CA request + // that is meant for the Master CA. From Clone's point of view + // the request is complete + if ((stat == RequestStatus.COMPLETE) + || ((type.equals(IRequest.CLA_CERT4CRL_REQUEST)) && (stat == RequestStatus.SVC_PENDING))) { + // audit log the error + Integer result = revReq.getExtDataInInteger(IRequest.RESULT); + + if (result.equals(IRequest.RES_ERROR)) { + String[] svcErrors = + revReq.getExtDataInStringArray(IRequest.SVCERRORS); + + if (svcErrors != null && svcErrors.length > 0) { + for (int i = 0; i < svcErrors.length; i++) { + String err = svcErrors[i]; + + if (err != null) { + //cmsReq.setErrorDescription(err); + for (int j = 0; j < count; j++) { + if (oldCerts[j] instanceof X509CertImpl) { + X509CertImpl cert = (X509CertImpl) oldCerts[j]; + + if (oldCerts[j] != null) { + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "completed with error: " + + err, + cert.getSubjectDN(), + cert.getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString() } + ); + } + } + } + } + } + } + + // store a message in the signed audit log file + // if and only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if ((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + + return; + } + + long endTime = CMS.getCurrentDate().getTime(); + + // audit log the success. 
+ for (int j = 0; j < count; j++) { + if (oldCerts[j] != null) { + if (oldCerts[j] instanceof X509CertImpl) { + X509CertImpl cert = (X509CertImpl) oldCerts[j]; + + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "completed", + cert.getSubjectDN(), + cert.getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString() + + " time: " + (endTime - startTime) } + ); + } + } + } + + header.addStringValue("revoked", "yes"); + + Integer updateCRLResult = + revReq.getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); + + if (updateCRLResult != null) { + header.addStringValue("updateCRL", "yes"); + if (updateCRLResult.equals(IRequest.RES_SUCCESS)) { + header.addStringValue("updateCRLSuccess", "yes"); + } else { + header.addStringValue("updateCRLSuccess", "no"); + String crlError = + revReq.getExtDataInString(IRequest.CRL_UPDATE_ERROR); + + if (crlError != null) + header.addStringValue("updateCRLError", + crlError); + } + // let known crl publishing status too. + Integer publishCRLResult = + revReq.getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); + + if (publishCRLResult != null) { + if (publishCRLResult.equals(IRequest.RES_SUCCESS)) { + header.addStringValue("publishCRLSuccess", "yes"); + } else { + header.addStringValue("publishCRLSuccess", "no"); + String publError = + revReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + + if (publError != null) + header.addStringValue("publishCRLError", + publError); + } + } + } + + if (mAuthority instanceof ICertificateAuthority) { + // let known update and publish status of all crls. 
+ Enumeration otherCRLs = + ((ICertificateAuthority) mAuthority).getCRLIssuingPoints(); + + while (otherCRLs.hasMoreElements()) { + ICRLIssuingPoint crl = (ICRLIssuingPoint) + otherCRLs.nextElement(); + String crlId = crl.getId(); + + if (crlId.equals(ICertificateAuthority.PROP_MASTER_CRL)) + continue; + String updateStatusStr = crl.getCrlUpdateStatusStr(); + Integer updateResult = revReq.getExtDataInInteger(updateStatusStr); + + if (updateResult != null) { + if (updateResult.equals(IRequest.RES_SUCCESS)) { + CMS.debug("DoRevoke: " + + CMS.getLogMessage("ADMIN_SRVLT_ADDING_HEADER", updateStatusStr)); + header.addStringValue(updateStatusStr, "yes"); + } else { + String updateErrorStr = crl.getCrlUpdateErrorStr(); + + CMS.debug("DoRevoke: " + CMS.getLogMessage("ADMIN_SRVLT_ADDING_HEADER_NO", + updateStatusStr)); + header.addStringValue(updateStatusStr, "no"); + String error = + revReq.getExtDataInString(updateErrorStr); + + if (error != null) + header.addStringValue(updateErrorStr, + error); + } + String publishStatusStr = crl.getCrlPublishStatusStr(); + Integer publishResult = + revReq.getExtDataInInteger(publishStatusStr); + + if (publishResult == null) + continue; + if (publishResult.equals(IRequest.RES_SUCCESS)) { + header.addStringValue(publishStatusStr, "yes"); + } else { + String publishErrorStr = + crl.getCrlPublishErrorStr(); + + header.addStringValue(publishStatusStr, "no"); + String error = + revReq.getExtDataInString(publishErrorStr); + + if (error != null) + header.addStringValue( + publishErrorStr, error); + } + } + } + } + + if (mPublisherProcessor != null && mPublisherProcessor.ldapEnabled()) { + header.addStringValue("dirEnabled", "yes"); + Integer[] ldapPublishStatus = + revReq.getExtDataInIntegerArray("ldapPublishStatus"); + int certsToUpdate = 0; + int certsUpdated = 0; + + if (ldapPublishStatus != null) { + certsToUpdate = ldapPublishStatus.length; + for (int i = 0; i < certsToUpdate; i++) { + if (ldapPublishStatus[i] == IRequest.RES_SUCCESS) { + 
certsUpdated++; + } + } + } + header.addIntegerValue("certsUpdated", certsUpdated); + header.addIntegerValue("certsToUpdate", certsToUpdate); + + // add crl publishing status. + String publError = + revReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + + if (publError != null) { + header.addStringValue("crlPublishError", + publError); + } + } else { + header.addStringValue("dirEnabled", "no"); + } + header.addStringValue("error", null); + + } else { + if (stat == RequestStatus.PENDING || stat == RequestStatus.REJECTED) { + header.addStringValue("revoked", stat.toString()); + } else { + header.addStringValue("revoked", "no"); + } + Vector errors = revReq.getExtDataInStringVector(IRequest.ERRORS); + if (errors != null) { + StringBuffer errInfo = new StringBuffer(); + for (int i = 0; i < errors.size(); i++) { + errInfo.append(errors.elementAt(i)); + errInfo.append("\n"); + } + header.addStringValue("error", errInfo.toString()); + + } else if (stat == RequestStatus.PENDING) { + header.addStringValue("error", "Request Pending"); + } else { + header.addStringValue("error", null); + } + + // audit log the pending, revoked and rest + for (int j = 0; j < count; j++) { + if (oldCerts[j] != null) { + if (oldCerts[j] instanceof X509CertImpl) { + X509CertImpl cert = (X509CertImpl) oldCerts[j]; + + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + stat.toString(), + cert.getSubjectDN(), + cert.getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString() } + ); + } + } + } + } + + // store a message in the signed audit log file + // if and only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + 
LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + + } catch (CertificateException e) { + if (auditRequest) { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + } else { + // store a "CERT_STATUS_CHANGE_REQUEST_PROCESSED" failure + // message in the signed audit log file + // if and only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if ((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + } + + log(ILogger.LL_FAILURE, "error " + e); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, "error " + e); + + if (auditRequest) { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + } else { + // store a "CERT_STATUS_CHANGE_REQUEST_PROCESSED" failure + // message in the signed audit log file + // if and only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if ((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + 
(auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + } + + throw e; + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED_1", e.toString())); + + if (auditRequest) { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + } else { + // store a "CERT_STATUS_CHANGE_REQUEST_PROCESSED" failure + // message in the signed audit log file + // if and only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if ((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + } + + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED")); + } + + return; + } + + /** + * Signed Audit Log Requester ID + * + * This method is called to obtain the "RequesterID" for + * a signed audit log message. + *

    + * + * @param req HTTP request + * @return id string containing the signed audit log message RequesterID + */ + private String auditRequesterID(HttpServletRequest req) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String requesterID = null; + + // Obtain the requesterID + requesterID = req.getParameter("requestId"); + + if (requesterID != null) { + requesterID = requesterID.trim(); + } else { + requesterID = ILogger.UNIDENTIFIED; + } + + return requesterID; + } + + /** + * Signed Audit Log Serial Number + * + * This method is called to obtain the serial number of the certificate + * whose status is to be changed for a signed audit log message. + *

    + * + * @param eeSerialNumber a string containing the un-normalized serialNumber + * @return id string containing the signed audit log message RequesterID + */ + private String auditSerialNumber(String eeSerialNumber) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String serialNumber = null; + + // Normalize the serialNumber + if (eeSerialNumber != null) { + serialNumber = eeSerialNumber.trim(); + + // find out if the value is hex or decimal + + BigInteger value = BigInteger.ONE.negate(); + + //try int + try { + value = new BigInteger(serialNumber, 10); + } catch (NumberFormatException e) { + } + + //try hex + if (value.compareTo(BigInteger.ONE.negate()) == 0) { + try { + value = new BigInteger(serialNumber, 16); + } catch (NumberFormatException e) { + } + } + // give up if it isn't hex or dec + if (value.compareTo(BigInteger.ONE.negate()) == 0) { + throw new NumberFormatException(); + } + + // convert it to hexadecimal + serialNumber = "0x" + value.toString(16); + } else { + serialNumber = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + + return serialNumber; + } + + /** + * Signed Audit Log Request Type + * + * This method is called to obtain the "Request Type" for + * a signed audit log message. + *

    + *
+ * @param reason an integer denoting the revocation reason
+ * @return string containing REVOKE or ON_HOLD
+ */
+ private String auditRequestType(int reason) {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ String requestType = null;
+
+ // Determine the revocation type based upon the revocation reason
+ if (reason == ON_HOLD_REASON) {
+ requestType = ON_HOLD;
+ } else {
+ requestType = REVOKE;
+ }
+
+ return requestType;
+ }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/base/common/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
new file mode 100644
index 000000000..c4603dd51
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
@@ -0,0 +1,940 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.cert;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.Vector;
+import java.math.BigInteger;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.InvalidityDateExtension;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.X509CertImpl;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.AuthToken;
+import com.netscape.certsrv.authentication.IAuthSubsystem;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.authority.ICertAuthority;
+import com.netscape.certsrv.authorization.AuthzToken;
+import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IArgBlock;
+import com.netscape.certsrv.ca.ICRLIssuingPoint;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.dbs.certdb.ICertRecord;
+import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+import com.netscape.certsrv.logging.AuditFormat;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.publish.IPublisherProcessor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.IRequestQueue;
+import com.netscape.certsrv.request.RequestStatus;
+import com.netscape.cms.servlet.base.CMSServlet;
+import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cms.servlet.common.CMSTemplate;
+import com.netscape.cms.servlet.common.CMSTemplateParams;
+import com.netscape.cms.servlet.common.ECMSGWException;
+
+/**
+ * Revoke a Certificate
+ *
+ * @version $Revision$, $Date$
+ */
+public class DoRevokeTPS extends CMSServlet {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -2980600514636454836L;
+ private final static String INFO = "DoRevoke";
+ private final static String TPL_FILE = "revocationResult.template";
+
+ private ICertificateRepository mCertDB = null;
+ private String mFormPath = null;
+ private IRequestQueue mQueue = null;
+ private IPublisherProcessor mPublisherProcessor = null;
+ private String errorString = "error=";
+ private String o_status = "status=0";
+ private int mTimeLimits = 30; /* in seconds */
+
+ private final static String REVOKE = "revoke";
+ private final static String ON_HOLD = "on-hold";
+ private final static int ON_HOLD_REASON = 6;
+ private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST =
+ "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5";
+ private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7";
+
+ public DoRevokeTPS() {
+ super();
+ }
+
+ /**
+ * initialize the servlet. This servlet uses the template
+ * file "revocationResult.template" to render the result
+ *
+ * @param sc servlet configuration, read from the web.xml file
+ */
+ public void init(ServletConfig sc) throws ServletException {
+ super.init(sc);
+ mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE;
+
+ if (mAuthority instanceof ICertificateAuthority) {
+ mCertDB = ((ICertificateAuthority) mAuthority).getCertificateRepository();
+ }
+ if (mAuthority instanceof ICertAuthority) {
+ mPublisherProcessor = ((ICertAuthority) mAuthority).getPublisherProcessor();
+ }
+ mQueue = mAuthority.getRequestQueue();
+
+ mTemplates.remove(CMSRequest.SUCCESS);
+ if (mOutputTemplatePath != null)
+ mFormPath = mOutputTemplatePath;
+ mRenderResult = false;
+
+ /* Server-Side time limit */
+ try {
+ mTimeLimits = Integer.parseInt(sc.getInitParameter("timeLimits"));
+ } catch (Exception e) {
+ /* do nothing, just use the default if integer parsing failed */
+ }
+ }
+
+ /**
+ * Serves HTTP request. The http parameters used by this request are as follows:
+ *
+ *

    +     * serialNumber Serial number of certificate to revoke (in HEX)
    +     * revocationReason Revocation reason (Described below)
    +     * totalRecordCount [number]
    +     * verifiedRecordCount [number]
    +     * invalidityDate [number of seconds in Jan 1,1970]
    +     * 
    +     * 
    + * + * revocationReason can be one of these values: + * + *
    +     * 0 = Unspecified   (default)
    +     * 1 = Key compromised
    +     * 2 = CA key compromised
    +     * 3 = Affiliation changed
    +     * 4 = Certificate superseded
    +     * 5 = Cessation of operation
    +     * 6 = Certificate is on hold
    +     * 
    + */ + public void process(CMSRequest cmsReq) throws EBaseException { + HttpServletRequest req = cmsReq.getHttpReq(); + HttpServletResponse resp = cmsReq.getHttpResp(); + + IAuthToken authToken = authenticate(cmsReq); + CMS.debug("DoRevokeTPS after authenticate"); + + String revokeAll = null; + int totalRecordCount = -1; + EBaseException error = null; + int reason = -1; + boolean authorized = true; + Date invalidityDate = null; + Locale[] locale = new Locale[1]; + + CMS.debug("DoRevokeTPS before getTemplate"); + try { + @SuppressWarnings("unused") + CMSTemplate form = getTemplate(mFormPath, req, locale); // check for errors + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + } catch (Exception e) { + CMS.debug("DoRevokeTPS getTemplate failed"); + throw new EBaseException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + } + + CMS.debug("DoRevokeTPS after getTemplate"); + IArgBlock header = CMS.createArgBlock(); + IArgBlock ctx = CMS.createArgBlock(); + CMSTemplateParams argSet = new CMSTemplateParams(header, ctx); + + try { + if (req.getParameter("revocationReason") != null) { + reason = Integer.parseInt(req.getParameter( + "revocationReason")); + } + if (req.getParameter("totalRecordCount") != null) { + totalRecordCount = Integer.parseInt(req.getParameter( + "totalRecordCount")); + } + if (req.getParameter("invalidityDate") != null) { + long l = Long.parseLong(req.getParameter( + "invalidityDate")); + + if (l > 0) { + invalidityDate = new Date(l); + } + } + revokeAll = req.getParameter("revokeAll"); + String comments = req.getParameter(IRequest.REQUESTOR_COMMENTS); + + //for audit log. 
+ String initiative = null; + + String authMgr = AuditFormat.NOAUTH; + + AuthzToken authzToken = null; + + try { + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "revoke"); + } catch (EAuthzAccessDenied e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } + + if (authzToken == null) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + return; + } + + if (mAuthMgr != null && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { + if (authToken != null) { + authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + String agentID = authToken.getInString("userid"); + + initiative = AuditFormat.FROMAGENT + " agentID: " + agentID + + " authenticated by " + authMgr; + } + } else { + CMS.debug("DoRevokeTPS: Missing authentication manager"); + o_status = "status=1"; + errorString = "errorString=Missing authentication manager."; + } + + if (authorized) { + process(argSet, header, reason, invalidityDate, initiative, req, + resp, revokeAll, totalRecordCount, comments, locale[0]); + } + } catch (NumberFormatException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); + error = new EBaseException(CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); + } catch (EBaseException e) { + error = e; + } + + try { + if (!authorized) { + o_status = "status=3"; + errorString = "error=unauthorized"; + } else if (error != null) { + o_status = "status=3"; + errorString = "error=" + error.toString(); + } + + String pp = o_status + "\n" + errorString; + byte[] b = pp.getBytes(); + resp.setContentType("text/html"); + resp.setContentLength(b.length); + OutputStream os = resp.getOutputStream(); + os.write(b); + os.flush(); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); + throw new 
ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + } + } + + /** + * Process cert status change request + *

    + * + * (Certificate Request - either an "agent" cert status change request, or an "EE" cert status change request) + *

    + * + * (Certificate Request Processed - either an "agent" cert status change request, or an "EE" cert status change + * request) + *

    + * + *

      + *
    • signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST used when a cert status change request (e. g. - + * "revocation") is made (before approval process) + *
    • signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED used when a certificate status is + * changed (revoked, expired, on-hold, off-hold) + *
    + * + * @param argSet CMS template parameters + * @param header argument block + * @param reason revocation reason (0 - Unspecified, 1 - Key compromised, + * 2 - CA key compromised; should not be used, 3 - Affiliation changed, + * 4 - Certificate superceded, 5 - Cessation of operation, or + * 6 - Certificate is on hold) + * @param invalidityDate certificate validity date + * @param initiative string containing the audit format + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param revokeAll string containing information on all of the + * certificates to be revoked + * @param totalRecordCount total number of records (verified and unverified) + * @param comments string containing certificate comments + * @param locale the system locale + * @exception EBaseException an error has occurred + */ + private void process(CMSTemplateParams argSet, IArgBlock header, + int reason, Date invalidityDate, + String initiative, + HttpServletRequest req, + HttpServletResponse resp, + String revokeAll, + int totalRecordCount, + String comments, + Locale locale) + throws EBaseException { + boolean auditRequest = true; + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(req); + String auditSerialNumber = auditSerialNumber(null); + String auditRequestType = auditRequestType(reason); + String auditApprovalStatus = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + String auditReasonNum = String.valueOf(reason); + + if (revokeAll != null) { + CMS.debug("DoRevokeTPS.process revokeAll" + revokeAll); + + String serial = ""; + String[] tokens; + tokens = revokeAll.split("="); + + if (tokens.length == 2) { + serial = tokens[1]; + //remove the trailing paren + if (serial.endsWith(")")) { + serial = serial.substring(0, serial.length() - 1); + } + auditSerialNumber = serial; + } + } + + long startTime = CMS.getCurrentDate().getTime(); + + try { + int count = 0; + Vector oldCertsV = new Vector(); + Vector 
revCertImplsV = new Vector(); + + // Construct a CRL reason code extension. + RevocationReason revReason = RevocationReason.fromInt(reason); + CRLReasonExtension crlReasonExtn = new CRLReasonExtension(revReason); + + // Construct a CRL invalidity date extension. + InvalidityDateExtension invalidityDateExtn = null; + + if (invalidityDate != null) { + invalidityDateExtn = new InvalidityDateExtension(invalidityDate); + } + + // Construct a CRL extension for this request. + CRLExtensions entryExtn = new CRLExtensions(); + + if (crlReasonExtn != null) { + entryExtn.set(crlReasonExtn.getName(), crlReasonExtn); + } + if (invalidityDateExtn != null) { + entryExtn.set(invalidityDateExtn.getName(), invalidityDateExtn); + } + + Enumeration e = mCertDB.searchCertificates(revokeAll, + totalRecordCount, mTimeLimits); + + boolean alreadyRevokedCertFound = false; + boolean badCertsRequested = false; + while (e != null && e.hasMoreElements()) { + ICertRecord rec = (ICertRecord) e.nextElement(); + + if (rec == null) { + badCertsRequested = true; + continue; + } + X509CertImpl xcert = rec.getCertificate(); + IArgBlock rarg = CMS.createArgBlock(); + + // we do not want to revoke the CA certificate accidentially + if (xcert != null && isSystemCertificate(xcert.getSerialNumber())) { + CMS.debug("DoRevokeTPS: skipped revocation request for system certificate " + + xcert.getSerialNumber()); + badCertsRequested = true; + continue; + } + + if (xcert != null) { + rarg.addStringValue("serialNumber", + xcert.getSerialNumber().toString(16)); + + if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) { + alreadyRevokedCertFound = true; + CMS.debug("Certificate 0x" + xcert.getSerialNumber().toString(16) + " has been revoked."); + } else { + oldCertsV.addElement(xcert); + + RevokedCertImpl revCertImpl = + new RevokedCertImpl(xcert.getSerialNumber(), + CMS.getCurrentDate(), entryExtn); + + revCertImplsV.addElement(revCertImpl); + CMS.debug("Certificate 0x" + xcert.getSerialNumber().toString(16) + 
" is going to be revoked."); + count++; + } + } else { + badCertsRequested = true; + } + } + + if (count == 0) { + // Situation where no certs were reoked here, but some certs + // requested happened to be already revoked. Don't return error. + if (alreadyRevokedCertFound == true && badCertsRequested == false) { + CMS.debug("Only have previously revoked certs in the list."); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + return; + } + + errorString = "error=No certificates are revoked."; + o_status = "status=2"; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_REV_CERTS_ZERO")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED")); + } + + X509CertImpl[] oldCerts = new X509CertImpl[count]; + RevokedCertImpl[] revCertImpls = new RevokedCertImpl[count]; + + for (int i = 0; i < count; i++) { + oldCerts[i] = (X509CertImpl) oldCertsV.elementAt(i); + revCertImpls[i] = (RevokedCertImpl) revCertImplsV.elementAt(i); + } + + IRequest revReq = + mQueue.newRequest(IRequest.REVOCATION_REQUEST); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + + revReq.setExtData(IRequest.CERT_INFO, revCertImpls); + revReq.setExtData(IRequest.REQ_TYPE, IRequest.REVOCATION_REQUEST); + if (initiative.equals(AuditFormat.FROMUSER)) { + revReq.setExtData(IRequest.REQUESTOR_TYPE, 
IRequest.REQUESTOR_EE); + } else { + revReq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_AGENT); + } + revReq.setExtData(IRequest.OLD_CERTS, oldCerts); + if (comments != null) { + revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments); + } + revReq.setExtData(IRequest.REVOKED_REASON, + Integer.valueOf(reason)); + + // change audit processing from "REQUEST" to "REQUEST_PROCESSED" + // to distinguish which type of signed audit log message to save + // as a failure outcome in case an exception occurs + auditRequest = false; + + mQueue.processRequest(revReq); + + // retrieve the request status + auditApprovalStatus = revReq.getRequestStatus().toString(); + + RequestStatus stat = revReq.getRequestStatus(); + String type = revReq.getRequestType(); + + // The SVC_PENDING check has been added for the Cloned CA request + // that is meant for the Master CA. From Clone's point of view + // the request is complete + if ((stat == RequestStatus.COMPLETE) + || ((type.equals(IRequest.CLA_CERT4CRL_REQUEST)) && (stat == RequestStatus.SVC_PENDING))) { + // audit log the error + Integer result = revReq.getExtDataInInteger(IRequest.RESULT); + + if (result.equals(IRequest.RES_ERROR)) { + String[] svcErrors = + revReq.getExtDataInStringArray(IRequest.SVCERRORS); + + if (svcErrors != null && svcErrors.length > 0) { + for (int i = 0; i < svcErrors.length; i++) { + String err = svcErrors[i]; + + if (err != null) { + //cmsReq.setErrorDescription(err); + for (int j = 0; j < count; j++) { + if (oldCerts[j] instanceof X509CertImpl) { + X509CertImpl cert = (X509CertImpl) oldCerts[j]; + + if (oldCerts[j] != null) { + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "completed with error: " + + err, + cert.getSubjectDN(), + cert.getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString() } + ); + } + } + } + } + } + } + + // store a message in the signed audit 
log file + // if and only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if ((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + + return; + } + + long endTime = CMS.getCurrentDate().getTime(); + + // audit log the success. + for (int j = 0; j < count; j++) { + if (oldCerts[j] != null) { + if (oldCerts[j] instanceof X509CertImpl) { + X509CertImpl cert = (X509CertImpl) oldCerts[j]; + + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "completed", + cert.getSubjectDN(), + cert.getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString() + + " time: " + (endTime - startTime) } + ); + } + } + } + + header.addStringValue("revoked", "yes"); + + Integer updateCRLResult = + revReq.getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); + + if (updateCRLResult != null) { + if (!updateCRLResult.equals(IRequest.RES_SUCCESS)) { + + o_status = "status=3"; + if (revReq.getExtDataInString(IRequest.CRL_UPDATE_ERROR) != null) { + errorString = "error=Update CRL Error."; + // 3 means miscellaneous + } + } + // let known crl publishing status too. 
+ Integer publishCRLResult = + revReq.getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); + + if (publishCRLResult != null) { + if (!publishCRLResult.equals(IRequest.RES_SUCCESS)) { + String publError = + revReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + + o_status = "status=3"; + if (publError != null) { + errorString = "error=" + publError; + } + } + } + } + + if (mAuthority instanceof ICertificateAuthority) { + // let known update and publish status of all crls. + Enumeration otherCRLs = + ((ICertificateAuthority) mAuthority).getCRLIssuingPoints(); + + while (otherCRLs.hasMoreElements()) { + ICRLIssuingPoint crl = (ICRLIssuingPoint) + otherCRLs.nextElement(); + String crlId = crl.getId(); + + if (crlId.equals(ICertificateAuthority.PROP_MASTER_CRL)) + continue; + String updateStatusStr = crl.getCrlUpdateStatusStr(); + Integer updateResult = revReq.getExtDataInInteger(updateStatusStr); + + if (updateResult != null) { + if (!updateResult.equals(IRequest.RES_SUCCESS)) { + String updateErrorStr = crl.getCrlUpdateErrorStr(); + + CMS.debug("DoRevoke: " + CMS.getLogMessage("ADMIN_SRVLT_ADDING_HEADER_NO", + updateStatusStr)); + String error = + revReq.getExtDataInString(updateErrorStr); + + o_status = "status=3"; + if (error != null) { + errorString = "error=" + error; + } + } + String publishStatusStr = crl.getCrlPublishStatusStr(); + Integer publishResult = + revReq.getExtDataInInteger(publishStatusStr); + + if (publishResult == null) + continue; + if (!publishResult.equals(IRequest.RES_SUCCESS)) { + String publishErrorStr = + crl.getCrlPublishErrorStr(); + + String error = + revReq.getExtDataInString(publishErrorStr); + + o_status = "status=3"; + if (error != null) { + errorString = "error=Publish CRL Status Error."; + } + } + } + } + } + + if (mPublisherProcessor != null && mPublisherProcessor.ldapEnabled()) { + header.addStringValue("dirEnabled", "yes"); + + // add crl publishing status. 
+ String publError = + revReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + + if (publError != null) { + errorString = "error=" + publError; + o_status = "status=3"; + } + } else if (mPublisherProcessor == null && mPublisherProcessor.ldapEnabled()) { + errorString = "error=LDAP publishing not enabled."; + o_status = "status=3"; + } + } else { + if (stat == RequestStatus.PENDING || stat == RequestStatus.REJECTED) { + o_status = "status=2"; + errorString = "error=" + stat.toString(); + } else { + o_status = "status=2"; + errorString = "error=Undefined request status"; + } + Vector errors = revReq.getExtDataInStringVector(IRequest.ERRORS); + if (errors != null) { + StringBuffer errInfo = new StringBuffer(); + + for (int i = 0; i < errors.size(); i++) { + errInfo.append(errors.elementAt(i)); + errInfo.append("\n"); + } + o_status = "status=2"; + errorString = "error=" + errInfo.toString(); + + } else if (stat == RequestStatus.PENDING) { + o_status = "status=2"; + errorString = "error=Request pending"; + } else { + o_status = "status=2"; + errorString = "error=Undefined request status"; + } + + // audit log the pending, revoked and rest + for (int j = 0; j < count; j++) { + if (oldCerts[j] != null) { + if (oldCerts[j] instanceof X509CertImpl) { + X509CertImpl cert = (X509CertImpl) oldCerts[j]; + + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + stat.toString(), + cert.getSubjectDN(), + cert.getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString() } + ); + } + } + } + } + + // store a message in the signed audit log file + // if and only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + 
LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, "error " + e); + + if (auditRequest) { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + } else { + // store a "CERT_STATUS_CHANGE_REQUEST_PROCESSED" failure + // message in the signed audit log file + // if and only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if ((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + } + + throw e; + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED_1", e.toString())); + + if (auditRequest) { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + } else { + // store a "CERT_STATUS_CHANGE_REQUEST_PROCESSED" failure + // message in the signed audit log file + // if and only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if 
((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + } + + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED")); + } + + return; + } + + /** + * Signed Audit Log Requester ID + * + * This method is called to obtain the "RequesterID" for + * a signed audit log message. + *

    + * + * @param req HTTP request + * @return id string containing the signed audit log message RequesterID + */ + private String auditRequesterID(HttpServletRequest req) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String requesterID = null; + + // Obtain the requesterID + requesterID = req.getParameter("requestId"); + + if (requesterID != null) { + requesterID = requesterID.trim(); + } else { + requesterID = ILogger.UNIDENTIFIED; + } + + return requesterID; + } + + /** + * Signed Audit Log Serial Number + * + * This method is called to obtain the serial number of the certificate + * whose status is to be changed for a signed audit log message. + *

    + * + * @param eeSerialNumber a string containing the un-normalized serialNumber + * @return id string containing the signed audit log message RequesterID + */ + private String auditSerialNumber(String eeSerialNumber) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String serialNumber = null; + + // Normalize the serialNumber + if (eeSerialNumber != null) { + serialNumber = eeSerialNumber.trim(); + + // convert it to hexadecimal + serialNumber = "0x" + (new BigInteger(serialNumber)).toString(16); + } else { + serialNumber = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + + return serialNumber; + } + + /** + * Signed Audit Log Request Type + * + * This method is called to obtain the "Request Type" for + * a signed audit log message. + *

    + * + * @param reason an integer denoting the revocation reason + * @return string containing REVOKE or ON_HOLD + */ + private String auditRequestType(int reason) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String requestType = null; + + // Determine the revocation type based upon the revocation reason + if (reason == ON_HOLD_REASON) { + requestType = ON_HOLD; + } else { + requestType = REVOKE; + } + + return requestType; + } +} diff --git a/base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java b/base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java new file mode 100644 index 000000000..c6b6065b4 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java 
@@ -0,0 +1,671 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.cert; + +import java.io.IOException; +import java.math.BigInteger; +import java.util.Enumeration; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletOutputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authority.ICertAuthority; +import com.netscape.certsrv.authorization.AuthzToken; +import com.netscape.certsrv.authorization.EAuthzAccessDenied; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IArgBlock; +import com.netscape.certsrv.ca.ICRLIssuingPoint; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.dbs.certdb.ICertificateRepository; +import com.netscape.certsrv.logging.AuditFormat; +import com.netscape.certsrv.logging.ILogger; +import 
com.netscape.certsrv.publish.IPublisherProcessor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IRequestQueue; +import com.netscape.certsrv.request.RequestStatus; +import com.netscape.cms.servlet.base.CMSServlet; +import com.netscape.cms.servlet.common.CMSRequest; +import com.netscape.cms.servlet.common.CMSTemplate; +import com.netscape.cms.servlet.common.CMSTemplateParams; +import com.netscape.cms.servlet.common.ECMSGWException; + +/** + * 'Unrevoke' a certificate. (For certificates that are on-hold only, + * take them off-hold) + * + * @version $Revision$, $Date$ + */ +public class DoUnrevoke extends CMSServlet { + + /** + * + */ + private static final long serialVersionUID = -7978703730006036625L; + private final static String INFO = "DoUnrevoke"; + private final static String TPL_FILE = "unrevocationResult.template"; + private final static BigInteger MINUS_ONE = new BigInteger("-1"); + + private ICertificateRepository mCertDB = null; + private String mFormPath = null; + private IRequestQueue mQueue = null; + private IPublisherProcessor mPublisherProcessor = null; + + private final static String OFF_HOLD = "off-hold"; + private final static int OFF_HOLD_REASON = 6; + private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; + private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; + + public DoUnrevoke() { + super(); + } + + /** + * initialize the servlet. 
+ * + * @param sc servlet configuration, read from the web.xml file + */ + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; + if (mAuthority instanceof ICertificateAuthority) { + mCertDB = ((ICertificateAuthority) mAuthority).getCertificateRepository(); + } + if (mAuthority instanceof ICertAuthority) { + mPublisherProcessor = ((ICertAuthority) mAuthority).getPublisherProcessor(); + } + mQueue = mAuthority.getRequestQueue(); + + mTemplates.remove(CMSRequest.SUCCESS); + if (mOutputTemplatePath != null) + mFormPath = mOutputTemplatePath; + } + + /** + * Process the HTTP request. + *

      + *
    • http.param serialNumber Decimal serial number of certificate to unrevoke. The certificate must be revoked + * with a revovcation reason 'on hold' for this operation to succeed. The serial number may be expressed as a hex + * number by prefixing '0x' to the serialNumber string + *
    + * + * @param cmsReq the object holding the request and response information + */ + public void process(CMSRequest cmsReq) throws EBaseException { + HttpServletRequest req = cmsReq.getHttpReq(); + HttpServletResponse resp = cmsReq.getHttpResp(); + + BigInteger[] serialNumber; + EBaseException error = null; + + CMSTemplate form = null; + + Locale[] locale = new Locale[1]; + + try { + form = getTemplate(mFormPath, req, locale); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + } + + IArgBlock header = CMS.createArgBlock(); + IArgBlock ctx = CMS.createArgBlock(); + CMSTemplateParams argSet = new CMSTemplateParams(header, ctx); + + try { + serialNumber = getSerialNumbers(req); + + //for audit log. + IAuthToken authToken = authenticate(cmsReq); + String authMgr = AuditFormat.NOAUTH; + + if (authToken != null) { + authMgr = + authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + } else { + CMS.debug("DoUnrevoke::process() - authToken is null!"); + return; + } + String agentID = authToken.getInString("userid"); + String initiative = AuditFormat.FROMAGENT + " agentID: " + agentID + + " authenticated by " + authMgr; + + AuthzToken authzToken = null; + + try { + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "unrevoke"); + } catch (EAuthzAccessDenied e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } + + if (authzToken == null) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + return; + } + + process(argSet, header, serialNumber, req, resp, locale[0], initiative); + + } catch (NumberFormatException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_INVALID_SERIAL_NUM_FORMAT")); + error = new 
EBaseException(CMS.getUserMessage(getLocale(req), "CMS_BASE_INVALID_NUMBER_FORMAT")); + } catch (EBaseException e) { + error = e; + } + + try { + ServletOutputStream out = resp.getOutputStream(); + + if (error == null) { + String xmlOutput = req.getParameter("xml"); + if (xmlOutput != null && xmlOutput.equals("true")) { + outputXML(resp, argSet); + } else { + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); + } + } else { + cmsReq.setStatus(CMSRequest.ERROR); + cmsReq.setError(error); + } + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + } + } + + /** + * Process X509 cert status change request + *

    + * + * (Certificate Request - an "agent" cert status change request to take a certificate off-hold) + *

    + * + * (Certificate Request Processed - an "agent" cert status change request to take a certificate off-hold) + *

    + * + *

      + *
    • signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST used when a cert status change request (e. g. - + * "revocation") is made (before approval process) + *
    • signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED used when a certificate status is + * changed (taken off-hold) + *
    + * + * @param argSet CMS template parameters + * @param header argument block + * @param serialNumbers the serial number of the certificate + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param locale the system locale + * @param initiative string containing the audit format + * @exception EBaseException an error has occurred + */ + private void process(CMSTemplateParams argSet, IArgBlock header, + BigInteger[] serialNumbers, + HttpServletRequest req, + HttpServletResponse resp, + Locale locale, String initiative) + throws EBaseException { + boolean auditRequest = true; + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(req); + String auditSerialNumber = auditSerialNumber(serialNumbers[0].toString()); + String auditRequestType = OFF_HOLD; + String auditApprovalStatus = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + String auditReasonNum = String.valueOf(OFF_HOLD_REASON); + + try { + StringBuffer snList = new StringBuffer(); + + // certs are for old cloning and they should be removed as soon as possible + X509CertImpl[] certs = new X509CertImpl[serialNumbers.length]; + for (int i = 0; i < serialNumbers.length; i++) { + certs[i] = (X509CertImpl) getX509Certificate(serialNumbers[i]); + if (snList.length() > 0) + snList.append(", "); + snList.append("0x"); + snList.append(serialNumbers[i].toString(16)); + } + header.addStringValue("serialNumber", snList.toString()); + + IRequest unrevReq = mQueue.newRequest(IRequest.UNREVOCATION_REQUEST); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + + unrevReq.setExtData(IRequest.REQ_TYPE, IRequest.UNREVOCATION_REQUEST); + unrevReq.setExtData(IRequest.OLD_SERIALS, serialNumbers); + unrevReq.setExtData(IRequest.REQUESTOR_TYPE, 
IRequest.REQUESTOR_AGENT); + + // change audit processing from "REQUEST" to "REQUEST_PROCESSED" + // to distinguish which type of signed audit log message to save + // as a failure outcome in case an exception occurs + auditRequest = false; + + mQueue.processRequest(unrevReq); + + // retrieve the request status + auditApprovalStatus = unrevReq.getRequestStatus().toString(); + + RequestStatus status = unrevReq.getRequestStatus(); + String type = unrevReq.getRequestType(); + + if ((status == RequestStatus.COMPLETE) + || ((type.equals(IRequest.CLA_UNCERT4CRL_REQUEST)) && (status == RequestStatus.SVC_PENDING))) { + + Integer result = unrevReq.getExtDataInInteger(IRequest.RESULT); + + if (result != null && result.equals(IRequest.RES_SUCCESS)) { + header.addStringValue("unrevoked", "yes"); + if (certs[0] != null) { + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOUNREVOKEFORMAT, + new Object[] { + unrevReq.getRequestId(), + initiative, + "completed", + certs[0].getSubjectDN(), + "0x" + serialNumbers[0].toString(16) } + ); + } + } else { + header.addStringValue("unrevoked", "no"); + String error = unrevReq.getExtDataInString(IRequest.ERROR); + + if (error != null) { + header.addStringValue("error", error); + if (certs[0] != null) { + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOUNREVOKEFORMAT, + new Object[] { + unrevReq.getRequestId(), + initiative, + "completed with error: " + + error, + certs[0].getSubjectDN(), + "0x" + serialNumbers[0].toString(16) } + ); + } + + /****************************************************/ + + /* IMPORTANT: In the event that the following */ + + /* "throw error;" statement is */ + + /* uncommented, uncomment the following */ + + /* signed audit log message, also!!! 
*/ + + /****************************************************/ + + // // store a message in the signed audit log file + // // if and only if "auditApprovalStatus" is + // // "complete", "revoked", or "canceled" + // if( ( auditApprovalStatus.equals( + // RequestStatus.COMPLETE_STRING ) ) || + // ( auditApprovalStatus.equals( + // RequestStatus.REJECTED_STRING ) ) || + // ( auditApprovalStatus.equals( + // RequestStatus.CANCELED_STRING ) ) ) { + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + // auditSubjectID, + // ILogger.FAILURE, + // auditRequesterID, + // auditSerialNumber, + // auditRequestType, + // auditReasonNum, + // auditApprovalStatus ); + // + // audit( auditMessage ); + // } + + // throw error; + } + } + + Integer updateCRLResult = + unrevReq.getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); + + if (updateCRLResult != null) { + header.addStringValue("updateCRL", "yes"); + if (updateCRLResult.equals(IRequest.RES_SUCCESS)) { + header.addStringValue("updateCRLSuccess", "yes"); + } else { + header.addStringValue("updateCRLSuccess", "no"); + String crlError = + unrevReq.getExtDataInString(IRequest.CRL_UPDATE_ERROR); + + if (crlError != null) + header.addStringValue("updateCRLError", + crlError); + } + // let known crl publishing status too. + Integer publishCRLResult = + unrevReq.getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); + + if (publishCRLResult != null) { + if (publishCRLResult.equals(IRequest.RES_SUCCESS)) { + header.addStringValue("publishCRLSuccess", "yes"); + } else { + header.addStringValue("publishCRLSuccess", "no"); + String publError = + unrevReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + + if (publError != null) + header.addStringValue("publishCRLError", + publError); + } + } + } + + // let known update and publish status of all crls. 
+ Enumeration otherCRLs = + ((ICertificateAuthority) mAuthority).getCRLIssuingPoints(); + + while (otherCRLs.hasMoreElements()) { + ICRLIssuingPoint crl = otherCRLs.nextElement(); + String crlId = crl.getId(); + + if (crlId.equals(ICertificateAuthority.PROP_MASTER_CRL)) + continue; + String updateStatusStr = crl.getCrlUpdateStatusStr(); + Integer updateResult = unrevReq.getExtDataInInteger(updateStatusStr); + + if (updateResult != null) { + if (updateResult.equals(IRequest.RES_SUCCESS)) { + CMS.debug("DoUnrevoke: adding header " + + updateStatusStr + " yes "); + header.addStringValue(updateStatusStr, "yes"); + } else { + String updateErrorStr = crl.getCrlUpdateErrorStr(); + + CMS.debug("DoUnrevoke: adding header " + + updateStatusStr + " no "); + header.addStringValue(updateStatusStr, "no"); + String error = + unrevReq.getExtDataInString(updateErrorStr); + + if (error != null) + header.addStringValue( + updateErrorStr, error); + } + String publishStatusStr = crl.getCrlPublishStatusStr(); + Integer publishResult = + unrevReq.getExtDataInInteger(publishStatusStr); + + if (publishResult == null) + continue; + if (publishResult.equals(IRequest.RES_SUCCESS)) { + header.addStringValue(publishStatusStr, "yes"); + } else { + String publishErrorStr = + crl.getCrlPublishErrorStr(); + + header.addStringValue(publishStatusStr, "no"); + String error = + unrevReq.getExtDataInString(publishErrorStr); + + if (error != null) + header.addStringValue( + publishErrorStr, error); + } + } + } + + if (mPublisherProcessor != null && mPublisherProcessor.ldapEnabled()) { + header.addStringValue("dirEnabled", "yes"); + Integer[] ldapPublishStatus = + unrevReq.getExtDataInIntegerArray("ldapPublishStatus"); + + if (ldapPublishStatus != null) { + if (ldapPublishStatus[0] == IRequest.RES_SUCCESS) { + header.addStringValue("dirUpdated", "yes"); + } else { + header.addStringValue("dirUpdated", "no"); + } + } + } else { + header.addStringValue("dirEnabled", "no"); + } + + } else if (status == 
RequestStatus.PENDING) { + header.addStringValue("error", "Request Pending"); + header.addStringValue("unrevoked", "pending"); + if (certs[0] != null) { + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOUNREVOKEFORMAT, + new Object[] { + unrevReq.getRequestId(), + initiative, + "pending", + certs[0].getSubjectDN(), + "0x" + serialNumbers[0].toString(16) } + ); + } + } else { + header.addStringValue("error", "Request Status.Error"); + header.addStringValue("unrevoked", "no"); + if (certs[0] != null) { + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOUNREVOKEFORMAT, + new Object[] { + unrevReq.getRequestId(), + initiative, + status.toString(), + certs[0].getSubjectDN(), + "0x" + serialNumbers[0].toString(16) } + ); + } + } + + // store a message in the signed audit log file + // if and only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + + } catch (EBaseException eAudit1) { + if (auditRequest) { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + } else { + // store a "CERT_STATUS_CHANGE_REQUEST_PROCESSED" failure + // message in the signed audit log file + // if and only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if 
((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + } + } + + return; + } + + private BigInteger[] getSerialNumbers(HttpServletRequest req) + throws NumberFormatException { + String serialNumString = req.getParameter("serialNumber"); + + StringTokenizer snList = new StringTokenizer(serialNumString, " "); + Vector biList = new Vector(); + while (snList.hasMoreTokens()) { + String snStr = snList.nextToken(); + if (snStr != null) { + snStr = snStr.trim(); + BigInteger bi; + if (snStr.startsWith("0x") || snStr.startsWith("0X")) { + bi = new BigInteger(snStr.substring(2), 16); + } else { + bi = new BigInteger(snStr); + } + if (bi.compareTo(BigInteger.ZERO) < 0) { + throw new NumberFormatException(); + } + biList.addElement(bi); + } else { + throw new NumberFormatException(); + } + } + if (biList.size() < 1) { + throw new NumberFormatException(); + } + + BigInteger[] biNumbers = new BigInteger[biList.size()]; + for (int i = 0; i < biList.size(); i++) { + biNumbers[i] = (BigInteger) biList.elementAt(i); + } + + return biNumbers; + } + + /** + * Signed Audit Log Requester ID + * + * This method is called to obtain the "RequesterID" for + * a signed audit log message. + *

    + * + * @param req HTTP request + * @return id string containing the signed audit log message RequesterID + */ + private String auditRequesterID(HttpServletRequest req) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String requesterID = null; + + // Obtain the requesterID + requesterID = req.getParameter("requestId"); + + if (requesterID != null) { + requesterID = requesterID.trim(); + } else { + requesterID = ILogger.UNIDENTIFIED; + } + + return requesterID; + } + + /** + * Signed Audit Log Serial Number + * + * This method is called to obtain the serial number of the certificate + * whose status is to be changed for a signed audit log message. + *

    + * + * @param eeSerialNumber a string containing the un-normalized serialNumber + * @return id string containing the signed audit log message RequesterID + */ + private String auditSerialNumber(String eeSerialNumber) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String serialNumber = null; + + // Normalize the serialNumber + if (eeSerialNumber != null) { + serialNumber = eeSerialNumber.trim(); + + // convert it to hexadecimal + serialNumber = "0x" + (new BigInteger(serialNumber)).toString(16); + } else { + serialNumber = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + + return serialNumber; + } +} diff --git a/base/common/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java b/base/common/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java new file mode 100644 index 000000000..5d096aff3 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java 
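Review bot: getSerialNumbers() in DoUnrevoke.java dereferences the `serialNumber` request parameter without a null check — `new StringTokenizer(serialNumString, " ")` throws NullPointerException when the parameter is absent, and the caller process(CMSRequest) only catches NumberFormatException and EBaseException, so a request that simply omits the parameter escapes the controlled CMS_BASE_INVALID_NUMBER_FORMAT error path as an unhandled exception. Adding `if (serialNumString == null) { throw new NumberFormatException(); }` directly after `req.getParameter("serialNumber")` keeps that case on the existing error path. Separately, in the ldapEnabled branch of the private process(), `ldapPublishStatus[0] == IRequest.RES_SUCCESS` compares by reference while every other status check in the same method uses `.equals(IRequest.RES_SUCCESS)`; if RES_SUCCESS is an Integer constant as that surrounding usage suggests, `IRequest.RES_SUCCESS.equals(ldapPublishStatus[0])` is the consistent and correct form. The unconditional `((ICertificateAuthority) mAuthority).getCRLIssuingPoints()` cast in that method also lacks the `instanceof ICertificateAuthority` guard that init() applies to the same field, so a non-CA authority would fail with ClassCastException instead of skipping the CRL status reporting.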
@@ -0,0 +1,618 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.cert; + +import java.io.IOException; +import java.io.OutputStream; +import java.math.BigInteger; +import java.util.Enumeration; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authority.ICertAuthority; +import com.netscape.certsrv.authorization.AuthzToken; +import com.netscape.certsrv.authorization.EAuthzAccessDenied; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.ca.ICRLIssuingPoint; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.dbs.certdb.ICertificateRepository; +import com.netscape.certsrv.logging.AuditFormat; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.publish.IPublisherProcessor; +import 
com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IRequestQueue; +import com.netscape.certsrv.request.RequestStatus; +import com.netscape.cms.servlet.base.CMSServlet; +import com.netscape.cms.servlet.common.CMSRequest; +import com.netscape.cms.servlet.common.ECMSGWException; + +/** + * 'Unrevoke' a certificate. (For certificates that are on-hold only, + * take them off-hold) + * + * @version $Revision$, $Date$ + */ +public class DoUnrevokeTPS extends CMSServlet { + + /** + * + */ + private static final long serialVersionUID = -6245049221697655642L; + private final static String INFO = "DoUnrevoke"; + private final static String TPL_FILE = "unrevocationResult.template"; + private final static BigInteger MINUS_ONE = new BigInteger("-1"); + + private ICertificateRepository mCertDB = null; + private String mFormPath = null; + private IRequestQueue mQueue = null; + private IPublisherProcessor mPublisherProcessor = null; + private String errorString = "error="; + private String o_status = "status=0"; + + private final static String OFF_HOLD = "off-hold"; + private final static int OFF_HOLD_REASON = 6; + private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; + private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; + + public DoUnrevokeTPS() { + super(); + } + + /** + * initialize the servlet. 
+ * + * @param sc servlet configuration, read from the web.xml file + */ + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; + if (mAuthority instanceof ICertificateAuthority) { + mCertDB = ((ICertificateAuthority) mAuthority).getCertificateRepository(); + } + if (mAuthority instanceof ICertAuthority) { + mPublisherProcessor = ((ICertAuthority) mAuthority).getPublisherProcessor(); + } + mQueue = mAuthority.getRequestQueue(); + + mTemplates.remove(CMSRequest.SUCCESS); + mRenderResult = false; + } + + /** + * Process the HTTP request. + *

      + *
    • http.param serialNumber Decimal serial number of certificate to unrevoke. The certificate must be revoked + * with a revovcation reason 'on hold' for this operation to succeed. The serial number may be expressed as a hex + * number by prefixing '0x' to the serialNumber string + *
    + * + * @param cmsReq the object holding the request and response information + */ + public void process(CMSRequest cmsReq) throws EBaseException { + HttpServletRequest req = cmsReq.getHttpReq(); + HttpServletResponse resp = cmsReq.getHttpResp(); + + BigInteger[] serialNumbers; + EBaseException error = null; + + Locale[] locale = new Locale[1]; + + /* + try { + form = getTemplate(mFormPath, req, locale); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + } + */ + + try { + serialNumbers = getSerialNumbers(req); + + //for audit log. + IAuthToken authToken = authenticate(cmsReq); + String authMgr = AuditFormat.NOAUTH; + + if (authToken != null) { + authMgr = + authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + } else { + CMS.debug("DoUnrevokeTPS::process() - authToken is null!"); + return; + } + String agentID = authToken.getInString("userid"); + String initiative = AuditFormat.FROMAGENT + " agentID: " + agentID + + " authenticated by " + authMgr; + + AuthzToken authzToken = null; + + try { + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "unrevoke"); + } catch (EAuthzAccessDenied e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } + + if (authzToken == null) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + o_status = "status=3"; + errorString = "error=unauthorized"; + String pp = o_status + "\n" + errorString; + byte[] b = pp.getBytes(); + resp.setContentType("text/html"); + resp.setContentLength(b.length); + OutputStream os = resp.getOutputStream(); + os.write(b); + os.flush(); + return; + } + + process(serialNumbers, req, resp, locale[0], initiative); + } catch (NumberFormatException e) { + log(ILogger.LL_FAILURE, 
CMS.getLogMessage("CMSGW_INVALID_SERIAL_NUM_FORMAT")); + error = new EBaseException(CMS.getUserMessage(getLocale(req), "CMS_BASE_INVALID_NUMBER_FORMAT")); + } catch (EBaseException e) { + error = e; + } catch (IOException e) { + } + + try { + if (error == null) { + o_status = "status=0"; + errorString = "error="; + } else { + o_status = "status=3"; + errorString = "error=" + error.toString(); + } + + String pp = o_status + "\n" + errorString; + byte[] b = pp.getBytes(); + resp.setContentType("text/html"); + resp.setContentLength(b.length); + OutputStream os = resp.getOutputStream(); + os.write(b); + os.flush(); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + } + } + + /** + * Process X509 cert status change request + *

    + * + * (Certificate Request - an "agent" cert status change request to take a certificate off-hold) + *

    + * + * (Certificate Request Processed - an "agent" cert status change request to take a certificate off-hold) + *

    + * + *

      + *
    • signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST used when a cert status change request (e. g. - + * "revocation") is made (before approval process) + *
    • signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED used when a certificate status is + * changed (taken off-hold) + *
    + * + * @param serialNumbers the serial number of the certificate + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param locale the system locale + * @param initiative string containing the audit format + * @exception EBaseException an error has occurred + */ + private void process(BigInteger[] serialNumbers, + HttpServletRequest req, + HttpServletResponse resp, + Locale locale, String initiative) + throws EBaseException { + boolean auditRequest = true; + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(req); + String auditSerialNumber = auditSerialNumber(serialNumbers[0].toString()); + String auditRequestType = OFF_HOLD; + String auditApprovalStatus = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + String auditReasonNum = String.valueOf(OFF_HOLD_REASON); + + try { + String snList = ""; + + // certs are for old cloning and they should be removed as soon as possible + X509CertImpl[] certs = new X509CertImpl[serialNumbers.length]; + for (int i = 0; i < serialNumbers.length; i++) { + certs[i] = (X509CertImpl) getX509Certificate(serialNumbers[i]); + if (snList.length() > 0) + snList += ", "; + snList += "0x" + serialNumbers[i].toString(16); + } + + IRequest unrevReq = mQueue.newRequest(IRequest.UNREVOCATION_REQUEST); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + + unrevReq.setExtData(IRequest.REQ_TYPE, IRequest.UNREVOCATION_REQUEST); + unrevReq.setExtData(IRequest.OLD_SERIALS, serialNumbers); + unrevReq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_AGENT); + + // change audit processing from "REQUEST" to "REQUEST_PROCESSED" + // to distinguish which type of signed audit log message to save + // as a failure outcome in case an exception occurs + auditRequest 
= false; + + mQueue.processRequest(unrevReq); + + // retrieve the request status + auditApprovalStatus = unrevReq.getRequestStatus().toString(); + + RequestStatus status = unrevReq.getRequestStatus(); + String type = unrevReq.getRequestType(); + + if ((status == RequestStatus.COMPLETE) + || ((type.equals(IRequest.CLA_UNCERT4CRL_REQUEST)) && (status == RequestStatus.SVC_PENDING))) { + + Integer result = unrevReq.getExtDataInInteger(IRequest.RESULT); + + if (result != null && result.equals(IRequest.RES_SUCCESS)) { + if (certs[0] != null) { + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOUNREVOKEFORMAT, + new Object[] { + unrevReq.getRequestId(), + initiative, + "completed", + certs[0].getSubjectDN(), + "0x" + serialNumbers[0].toString(16) } + ); + } + } else { + String error = unrevReq.getExtDataInString(IRequest.ERROR); + + if (error != null) { + o_status = "status=3"; + errorString = "error=" + error; + if (certs[0] != null) { + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOUNREVOKEFORMAT, + new Object[] { + unrevReq.getRequestId(), + initiative, + "completed with error: " + + error, + certs[0].getSubjectDN(), + "0x" + serialNumbers[0].toString(16) } + ); + } + } + } + + Integer updateCRLResult = + unrevReq.getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); + + if (updateCRLResult != null) { + if (!updateCRLResult.equals(IRequest.RES_SUCCESS)) { + String crlError = + unrevReq.getExtDataInString(IRequest.CRL_UPDATE_ERROR); + + if (crlError != null) { + o_status = "status=3"; + errorString = "error=" + crlError; + } + } + // let known crl publishing status too. 
+ Integer publishCRLResult = + unrevReq.getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); + + if (publishCRLResult != null) { + if (!publishCRLResult.equals(IRequest.RES_SUCCESS)) { + String publError = + unrevReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + + if (publError != null) { + o_status = "status=3"; + errorString = "error=" + publError; + } + } + } + } + + // let known update and publish status of all crls. + Enumeration otherCRLs = + ((ICertificateAuthority) mAuthority).getCRLIssuingPoints(); + + while (otherCRLs.hasMoreElements()) { + ICRLIssuingPoint crl = otherCRLs.nextElement(); + String crlId = crl.getId(); + + if (crlId.equals(ICertificateAuthority.PROP_MASTER_CRL)) + continue; + String updateStatusStr = crl.getCrlUpdateStatusStr(); + Integer updateResult = unrevReq.getExtDataInInteger(updateStatusStr); + + if (updateResult != null) { + if (!updateResult.equals(IRequest.RES_SUCCESS)) { + String updateErrorStr = crl.getCrlUpdateErrorStr(); + String error = + unrevReq.getExtDataInString(updateErrorStr); + + if (error != null) { + o_status = "status=3"; + errorString = "error=" + error; + } + } + String publishStatusStr = crl.getCrlPublishStatusStr(); + Integer publishResult = + unrevReq.getExtDataInInteger(publishStatusStr); + + if (publishResult == null) + continue; + if (!publishResult.equals(IRequest.RES_SUCCESS)) { + String publishErrorStr = + crl.getCrlPublishErrorStr(); + + String error = + unrevReq.getExtDataInString(publishErrorStr); + + if (error != null) { + o_status = "status=3"; + errorString = "error=" + error; + } + } + } + } + + if (mPublisherProcessor != null && mPublisherProcessor.ldapEnabled()) { + Integer[] ldapPublishStatus = + unrevReq.getExtDataInIntegerArray("ldapPublishStatus"); + + if (ldapPublishStatus != null) { + if (ldapPublishStatus[0] != IRequest.RES_SUCCESS) { + o_status = "status=3"; + errorString = "error=Problem in publishing to LDAP"; + } + } + } else if (mPublisherProcessor == null || 
(!mPublisherProcessor.ldapEnabled())) { + o_status = "status=3"; + errorString = "error=LDAP Publisher not enabled"; + } + + } else if (status == RequestStatus.PENDING) { + o_status = "status=2"; + errorString = "error=" + status.toString(); + if (certs[0] != null) { + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOUNREVOKEFORMAT, + new Object[] { + unrevReq.getRequestId(), + initiative, + "pending", + certs[0].getSubjectDN(), + "0x" + serialNumbers[0].toString(16) } + ); + } + } else { + o_status = "status=2"; + errorString = "error=Undefined request status"; + + if (certs[0] != null) { + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOUNREVOKEFORMAT, + new Object[] { + unrevReq.getRequestId(), + initiative, + status.toString(), + certs[0].getSubjectDN(), + "0x" + serialNumbers[0].toString(16) } + ); + } + } + + // store a message in the signed audit log file + // if and only if "auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + + } catch (EBaseException eAudit1) { + if (auditRequest) { + // store a "CERT_STATUS_CHANGE_REQUEST" failure + // message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + } else { + // store a "CERT_STATUS_CHANGE_REQUEST_PROCESSED" failure + // message in the signed audit log file + // if and only if 
"auditApprovalStatus" is + // "complete", "revoked", or "canceled" + if ((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); + + audit(auditMessage); + } + } + } + + return; + } + + private BigInteger[] getSerialNumbers(HttpServletRequest req) + throws NumberFormatException { + String serialNumString = req.getParameter("serialNumber"); + + StringTokenizer snList = new StringTokenizer(serialNumString, " "); + Vector biList = new Vector(); + while (snList.hasMoreTokens()) { + String snStr = snList.nextToken(); + if (snStr != null) { + snStr = snStr.trim(); + BigInteger bi; + if (snStr.startsWith("0x") || snStr.startsWith("0X")) { + bi = new BigInteger(snStr.substring(2), 16); + } else { + bi = new BigInteger(snStr); + } + if (bi.compareTo(BigInteger.ZERO) < 0) { + throw new NumberFormatException(); + } + biList.addElement(bi); + } else { + throw new NumberFormatException(); + } + } + if (biList.size() < 1) { + throw new NumberFormatException(); + } + + BigInteger[] biNumbers = new BigInteger[biList.size()]; + for (int i = 0; i < biList.size(); i++) { + biNumbers[i] = (BigInteger) biList.elementAt(i); + } + + return biNumbers; + } + + /** + * Signed Audit Log Requester ID + * + * This method is called to obtain the "RequesterID" for + * a signed audit log message. + *

    + * + * @param req HTTP request + * @return id string containing the signed audit log message RequesterID + */ + private String auditRequesterID(HttpServletRequest req) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String requesterID = null; + + // Obtain the requesterID + requesterID = req.getParameter("requestId"); + + if (requesterID != null) { + requesterID = requesterID.trim(); + } else { + requesterID = ILogger.UNIDENTIFIED; + } + + return requesterID; + } + + /** + * Signed Audit Log Serial Number + * + * This method is called to obtain the serial number of the certificate + * whose status is to be changed for a signed audit log message. + *

    + * + * @param eeSerialNumber a string containing the un-normalized serialNumber + * @return id string containing the signed audit log message RequesterID + */ + private String auditSerialNumber(String eeSerialNumber) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String serialNumber = null; + + // Normalize the serialNumber + if (eeSerialNumber != null) { + serialNumber = eeSerialNumber.trim(); + + // convert it to hexadecimal + serialNumber = "0x" + (new BigInteger(serialNumber)).toString(16); + } else { + serialNumber = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + + return serialNumber; + } +} diff --git a/base/common/src/com/netscape/cms/servlet/cert/EnableEnrollResult.java b/base/common/src/com/netscape/cms/servlet/cert/EnableEnrollResult.java new file mode 100644 index 000000000..2a143b668 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/cert/EnableEnrollResult.java 
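Review bot: `getSerialNumbers` dereferences the `serialNumber` request parameter without a null check — `new StringTokenizer(serialNumString, " ")` throws NullPointerException when the parameter is absent, and `process(CMSRequest)` catches only NumberFormatException, EBaseException and IOException, so a request without that parameter fails with an unhandled exception instead of the intended `CMS_BASE_INVALID_NUMBER_FORMAT` response; add `if (serialNumString == null) throw new NumberFormatException();` before the tokenizer. The identical `getSerialNumbers` in the preceding hunk has the same gap. Two smaller points in the same outer `process`: the empty `catch (IOException e) { }` after the unauthorized-response write swallows the failure without logging, unlike the second `catch (IOException e)` below it which logs `ADMIN_SRVLT_ERR_STREAM_TEMPLATE`, and `o_status`/`errorString` are instance fields on a servlet, so concurrent requests mutating them can return another request's status and error text; making them per-request locals (or returning them from the private `process`) would avoid that.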
@@ -0,0 +1,184 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.cert; + +import java.io.IOException; +import java.security.cert.X509Certificate; +import java.util.Locale; +import java.util.Random; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletOutputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthManager; +import com.netscape.certsrv.authentication.IAuthSubsystem; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authorization.AuthzToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IArgBlock; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.ra.IRegistrationAuthority; +import com.netscape.cms.authentication.HashAuthentication; +import com.netscape.cms.servlet.base.CMSServlet; +import com.netscape.cms.servlet.common.CMSRequest; +import com.netscape.cms.servlet.common.CMSTemplate; +import com.netscape.cms.servlet.common.CMSTemplateParams; +import 
com.netscape.cms.servlet.common.ECMSGWException; + +/** + * For Face-to-face enrollment, enable EE enrollment feature + * + * @version $Revision$, $Date$ + * @see com.netscape.cms.servlet.cert.DisableEnrollResult + */ +public class EnableEnrollResult extends CMSServlet { + /** + * + */ + private static final long serialVersionUID = -2646998784859783012L; + private final static String TPL_FILE = "enableEnrollResult.template"; + private String mFormPath = null; + private Random random = null; + + public EnableEnrollResult() { + super(); + } + + /** + * Initializes the servlet. + */ + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + // override success to display own output. + + // coming from agent + mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; + + mTemplates.remove(CMSRequest.SUCCESS); + random = new Random(); + } + + protected CMSRequest newCMSRequest() { + return new CMSRequest(); + } + + /** + * Services the request + */ + protected void process(CMSRequest cmsReq) + throws EBaseException { + HttpServletRequest httpReq = cmsReq.getHttpReq(); + HttpServletResponse httpResp = cmsReq.getHttpResp(); + + IAuthToken authToken = authenticate(cmsReq); + + AuthzToken authzToken = null; + + try { + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "enable"); + } catch (Exception e) { + // do nothing for now + } + + if (authzToken == null) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + return; + } + + X509Certificate sslClientCert = null; + + sslClientCert = getSSLClientCertificate(httpReq); + String dn = (String) sslClientCert.getSubjectDN().toString(); + + // Construct an ArgBlock + IArgBlock args = cmsReq.getHttpParams(); + + if (!(mAuthority instanceof IRegistrationAuthority)) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_CA_FROM_RA_NOT_IMP")); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_NOT_YET_IMPLEMENTED"))); + cmsReq.setStatus(CMSRequest.ERROR); + return; + } + + CMSTemplate 
form = null; + Locale[] locale = new Locale[1]; + + try { + form = getTemplate(mFormPath, httpReq, locale); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + cmsReq.setStatus(CMSRequest.ERROR); + return; + } + + IArgBlock header = CMS.createArgBlock(); + IArgBlock fixed = CMS.createArgBlock(); + CMSTemplateParams argSet = new CMSTemplateParams(header, fixed); + + IConfigStore configStore = CMS.getConfigStore(); + String machine = configStore.getString("machineName"); + String port = CMS.getEESSLPort(); + + header.addStringValue("machineName", machine); + header.addStringValue("port", port); + String val = configStore.getString("hashDirEnrollment.name"); + IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); + IAuthManager authMgr = authSS.get(val); + HashAuthentication mgr = (HashAuthentication) authMgr; + + String host = args.getValueAsString("hostname", null); + boolean isEnable = mgr.isEnable(host); + + if (isEnable) { + header.addStringValue("code", "1"); + } else { + String timeout = args.getValueAsString("timeout", "600"); + + mgr.createEntry(host, dn, Long.parseLong(timeout) * 1000, + random.nextLong() + "", 0); + header.addStringValue("code", "0"); + } + + try { + ServletOutputStream out = httpResp.getOutputStream(); + + httpResp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_STREAM_TEMPLATE", e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + cmsReq.setStatus(CMSRequest.ERROR); + } + cmsReq.setStatus(CMSRequest.SUCCESS); + return; + } + +} 
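Review bot: `random.nextLong() + ""` from the `java.util.Random` created in `init` is handed to `mgr.createEntry(host, dn, …)`; if that value serves as the secret for the hash-directory enrollment entry (inferred from `hashDirEnrollment.name`, not visible here), `java.util.Random` output is predictable from a few observed values and `SecureRandom` should be used instead: `private SecureRandom random = null;`, `random = new SecureRandom();` and `import java.security.SecureRandom;`. Separately, the unconditional `cmsReq.setStatus(CMSRequest.SUCCESS);` after the render try/catch overwrites the `CMSRequest.ERROR` status set in the `catch (IOException e)` branch just above it, so a failed template render is reported as success; that line should be dropped, since the try block already sets SUCCESS. `Long.parseLong(timeout)` on the caller-supplied `timeout` parameter throws an unchecked NumberFormatException that nothing in `process` catches, and `sslClientCert.getSubjectDN()` is called without checking that `getSSLClientCertificate` returned a certificate. The `catch (Exception e) { // do nothing for now }` around `authorize` also drops the failure without the `ADMIN_SRVLT_AUTH_FAILURE` log line that DoUnrevokeTPS writes in the same situation.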
diff --git a/base/common/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/base/common/src/com/netscape/cms/servlet/cert/EnrollServlet.java
new file mode 100644
index 000000000..a73a8146c
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/cert/EnrollServlet.java
@@ -0,0 +1,1768 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.cert; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.cert.CertificateEncodingException; +import java.security.cert.CertificateException; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; +import java.util.Date; +import java.util.Enumeration; +import java.util.Vector; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletOutputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import netscape.security.pkcs.PKCS10; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CertificateAlgorithmId; +import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; +import netscape.security.x509.X509Key; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.IAuthSubsystem; +import com.netscape.certsrv.authentication.IAuthToken; +import 
com.netscape.certsrv.authorization.AuthzToken; +import com.netscape.certsrv.authorization.EAuthzAccessDenied; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IArgBlock; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.KeyGenInfo; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.dbs.certdb.ICertRecord; +import com.netscape.certsrv.dbs.certdb.ICertRecordList; +import com.netscape.certsrv.dbs.certdb.ICertificateRepository; +import com.netscape.certsrv.logging.AuditFormat; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IPolicyProcessor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.RequestStatus; +import com.netscape.certsrv.usrgrp.IGroup; +import com.netscape.certsrv.usrgrp.IUGSubsystem; +import com.netscape.certsrv.usrgrp.IUser; +import com.netscape.cms.servlet.base.CMSServlet; +import com.netscape.cms.servlet.common.CMSGateway; +import com.netscape.cms.servlet.common.CMSRequest; +import com.netscape.cms.servlet.common.ECMSGWException; +import com.netscape.cms.servlet.common.ICMSTemplateFiller; +import com.netscape.cms.servlet.processors.CMCProcessor; +import com.netscape.cms.servlet.processors.CRMFProcessor; +import com.netscape.cms.servlet.processors.KeyGenProcessor; +import com.netscape.cms.servlet.processors.PKCS10Processor; +import com.netscape.cms.servlet.processors.PKIProcessor; +import com.netscape.cmsutil.util.Utils; + +/** + * Submit a Certificate Enrollment request + * + * @version $Revision$, $Date$ + */ +public class EnrollServlet extends CMSServlet { + /** + * + */ + private static final long serialVersionUID = -6983729702665630013L; + + public final static String ADMIN_ENROLL_SERVLET_ID = "caadminEnroll"; + + // enrollment templates. 
+ public static final String ENROLL_SUCCESS_TEMPLATE = "EnrollSuccess.template"; + + // http params + public static final String OLD_CERT_TYPE = "csrCertType"; + public static final String CERT_TYPE = "certType"; + // same as in ConfigConstant.java + public static final String REQUEST_FORMAT = "reqFormat"; + public static final String REQUEST_FORMAT_PKCS10 = "PKCS10"; + public static final String REQUEST_FORMAT_CMC = "CMC"; + public static final String REQUEST_CONTENT = "requestContent"; + public static final String SUBJECT_KEYGEN_INFO = "subjectKeyGenInfo"; + public static final String PKCS10_REQUEST = "pkcs10Request"; + public static final String CMC_REQUEST = "cmcRequest"; + public static final String CRMF_REQUEST = "CRMFRequest"; + public static final String SUBJECT_NAME = "subject"; + public static final String CRMF_REQID = "crmfReqId"; + public static final String CHALLENGE_PASSWORD = "challengePhrase"; + + private static final String CERT_AUTH_DUAL = "dual"; + private static final String CERT_AUTH_ENCRYPTION = "encryption"; + private static final String CERT_AUTH_SINGLE = "single"; + private static final String CLIENT_ISSUER = "clientIssuer"; + + private boolean mAuthTokenOverride = true; + private String mEnrollSuccessTemplate = null; + private ICMSTemplateFiller mEnrollSuccessFiller = new ImportCertsTemplateFiller(); + + ICertificateAuthority mCa = null; + ICertificateRepository mRepository = null; + + private boolean enforcePop = false; + + private String auditServiceID = ILogger.UNIDENTIFIED; + private final static String ADMIN_CA_ENROLLMENT_SERVLET = + "caadminEnroll"; + private final static String AGENT_CA_BULK_ENROLLMENT_SERVLET = + "cabulkissuance"; + private final static String AGENT_RA_BULK_ENROLLMENT_SERVLET = + "rabulkissuance"; + private final static String EE_CA_CERT_BASED_ENROLLMENT_SERVLET = + "cacertbasedenrollment"; + private final static String EE_CA_ENROLLMENT_SERVLET = + "caenrollment"; + private final static String 
EE_RA_CERT_BASED_ENROLLMENT_SERVLET = + "racertbasedenrollment"; + private final static String EE_RA_ENROLLMENT_SERVLET = + "raenrollment"; + private final static byte EOL[] = { Character.LINE_SEPARATOR }; + private final static String[] SIGNED_AUDIT_AUTOMATED_REJECTION_REASON = new String[] { + + /* 0 */"automated non-profile cert request rejection: " + + "unable to render OLD_CERT_TYPE response", + + /* 1 */"automated non-profile cert request rejection: " + + "unable to complete handleEnrollAuditLog() method", + + /* 2 */"automated non-profile cert request rejection: " + + "unable to render success template", + + /* 3 */"automated non-profile cert request rejection: " + + "indeterminate reason for inability to process " + + "cert request due to an EBaseException" + }; + private final static String LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST = + "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5"; + private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; + + private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----"; + private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----"; + + public EnrollServlet() { + super(); + } + + /** + * initialize the servlet. + *

    + * the following parameters are read from the servlet config: + *