From ee70d6866360c28335fb2ea61a3e7c3d1c341ae9 Mon Sep 17 00:00:00 2001 
From: mharmsen Date: Tue, 14 Dec 2010 22:23:31 +0000 Subject: Bugzilla Bug #586073 - Add new 'mod_revocator' runtime dependency to RA and TPS git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1624 c9f7a03b-bd48-0410-a16d-cbbf54688b0b --- pki/CMakeLists.txt | 125 +- pki/base/CMakeLists.txt | 28 +- pki/base/ca/CMakeLists.txt | 3 + pki/base/ca/shared/CMakeLists.txt | 11 - pki/base/ca/shared/conf/CMakeLists.txt | 12 + pki/base/ca/shared/conf/CS.cfg | 1070 --------------- pki/base/ca/shared/conf/CS.cfg.in | 1070 +++++++++++++++ pki/base/ca/src/CMakeLists.txt | 34 +- pki/base/console/src/CMakeLists.txt | 56 +- pki/base/kra/CMakeLists.txt | 3 + pki/base/kra/shared/conf/CMakeLists.txt | 12 + pki/base/kra/shared/conf/CS.cfg | 368 ------ pki/base/kra/shared/conf/CS.cfg.in | 368 ++++++ pki/base/kra/src/CMakeLists.txt | 79 +- pki/base/ocsp/CMakeLists.txt | 3 + pki/base/ocsp/shared/conf/CMakeLists.txt | 12 + pki/base/ocsp/shared/conf/CS.cfg | 324 ----- pki/base/ocsp/shared/conf/CS.cfg.in | 324 +++++ pki/base/ocsp/src/CMakeLists.txt | 79 +- pki/base/ra/CMakeLists.txt | 56 +- pki/base/ra/doc/CS.cfg | 256 ---- pki/base/ra/doc/CS.cfg.in | 26 +- pki/base/tks/CMakeLists.txt | 3 + pki/base/tks/shared/conf/CMakeLists.txt | 12 + pki/base/tks/shared/conf/CS.cfg | 343 ----- pki/base/tks/shared/conf/CS.cfg.in | 343 +++++ pki/base/tks/src/CMakeLists.txt | 79 +- pki/base/tps/CMakeLists.txt | 98 +- pki/base/tps/Makefile.am | 2 +- pki/base/tps/Makefile.in | 2 +- pki/base/tps/doc/CS.cfg | 1577 ----------------------- pki/base/tps/doc/CS.cfg.in | 94 +- pki/base/tps/src/CMakeLists.txt | 12 +- pki/base/tps/src/authentication/CMakeLists.txt | 6 +- pki/base/tps/src/modules/tokendb/CMakeLists.txt | 5 +- pki/base/tps/src/modules/tps/CMakeLists.txt | 7 +- pki/base/tps/src/tus/CMakeLists.txt | 4 +- pki/base/tps/tools/raclient/CMakeLists.txt | 2 +- pki/cmake/Modules/FindMozLDAP.cmake | 19 + pki/cmake/Modules/FindSvrcore.cmake | 67 + pki/dogtag/CMakeLists.txt | 8 +- pki/dogtag/ca/pki-ca.spec | 2 + 
pki/dogtag/console-ui/src/CMakeLists.txt | 6 +- pki/dogtag/kra/pki-kra.spec | 2 + pki/dogtag/ocsp/pki-ocsp.spec | 2 + pki/dogtag/ra/pki-ra.spec | 2 + pki/dogtag/tks/pki-tks.spec | 2 + pki/dogtag/tps/pki-tps.spec | 2 + pki/scripts/compose_pki_console_packages | 201 +++ pki/scripts/compose_pki_kra_packages | 201 +++ pki/scripts/compose_pki_migrate_packages | 201 +++ pki/scripts/compose_pki_ocsp_packages | 201 +++ pki/scripts/compose_pki_ra_packages | 201 +++ pki/scripts/compose_pki_tks_packages | 201 +++ pki/scripts/compose_pki_tps_packages | 201 +++ pki/specs/dogtag-pki-theme.spec | 4 +- pki/specs/ipa-pki-theme.spec | 4 +- pki/specs/pki-console.spec | 100 ++ pki/specs/pki-core.spec | 58 +- pki/specs/pki-kra.spec | 165 +++ pki/specs/pki-migrate.spec | 95 ++ pki/specs/pki-ocsp.spec | 172 +++ pki/specs/pki-ra.spec | 171 +++ pki/specs/pki-tks.spec | 166 +++ pki/specs/pki-tps.spec | 225 ++++ 65 files changed, 5382 insertions(+), 4205 deletions(-) delete mode 100644 pki/base/ca/shared/CMakeLists.txt create mode 100644 pki/base/ca/shared/conf/CMakeLists.txt delete mode 100644 pki/base/ca/shared/conf/CS.cfg create mode 100644 pki/base/ca/shared/conf/CS.cfg.in create mode 100644 pki/base/kra/shared/conf/CMakeLists.txt delete mode 100644 pki/base/kra/shared/conf/CS.cfg create mode 100644 pki/base/kra/shared/conf/CS.cfg.in create mode 100644 pki/base/ocsp/shared/conf/CMakeLists.txt delete mode 100644 pki/base/ocsp/shared/conf/CS.cfg create mode 100644 pki/base/ocsp/shared/conf/CS.cfg.in delete mode 100644 pki/base/ra/doc/CS.cfg create mode 100644 pki/base/tks/shared/conf/CMakeLists.txt delete mode 100644 pki/base/tks/shared/conf/CS.cfg create mode 100644 pki/base/tks/shared/conf/CS.cfg.in delete mode 100644 pki/base/tps/doc/CS.cfg create mode 100644 pki/cmake/Modules/FindSvrcore.cmake create mode 100755 pki/scripts/compose_pki_console_packages create mode 100755 pki/scripts/compose_pki_kra_packages create mode 100755 pki/scripts/compose_pki_migrate_packages create mode 100755 
pki/scripts/compose_pki_ocsp_packages create mode 100755 pki/scripts/compose_pki_ra_packages create mode 100755 pki/scripts/compose_pki_tks_packages create mode 100755 pki/scripts/compose_pki_tps_packages create mode 100644 pki/specs/pki-console.spec create mode 100644 pki/specs/pki-kra.spec create mode 100644 pki/specs/pki-migrate.spec create mode 100644 pki/specs/pki-ocsp.spec create mode 100644 pki/specs/pki-ra.spec create mode 100644 pki/specs/pki-tks.spec create mode 100644 pki/specs/pki-tps.spec (limited to 'pki')
diff --git a/pki/CMakeLists.txt b/pki/CMakeLists.txt
index 1ec67b764..db633db48 100644
--- a/pki/CMakeLists.txt
+++ b/pki/CMakeLists.txt
@@ -6,39 +6,61 @@ cmake_minimum_required(VERSION 2.6.0)
 # global needed variables
 set(APPLICATION_NAME ${PROJECT_NAME})
 if (BUILD_OSUTIL)
- set(APPLICATION_FLAVOUR_OSUTIL TRUE)
-elseif (BUILD_CORE)
- set(APPLICATION_FLAVOUR_CORE TRUE)
-elseif (BUILD_DOGTAG)
- set(APPLICATION_FLAVOUR_CORE TRUE)
- set(APPLICATION_FLAVOUR_DOGTAG TRUE)
-elseif (BUILD_REDHAT)
- set(APPLICATION_FLAVOUR_CORE TRUE)
- set(APPLICATION_FLAVOUR_DOGTAG TRUE)
- set(APPLICATION_FLAVOUR_REDHAT TRUE)
-elseif (BUILD_NULL_THEME)
- set(APPLICATION_FLAVOUR_NULL_THEME TRUE)
-elseif (BUILD_DOGTAG_THEME)
- set(APPLICATION_FLAVOUR_DOGTAG_THEME TRUE)
-elseif (BUILD_REDHAT_THEME)
- set(APPLICATION_FLAVOUR_REDHAT_THEME TRUE)
-elseif (BUILD_CORE_COMPLETE)
- set(APPLICATION_FLAVOUR_CORE TRUE)
- set(APPLICATION_FLAVOUR_NULL_THEME TRUE)
-elseif (BUILD_DOGTAG_COMPLETE)
- set(APPLICATION_FLAVOUR_CORE TRUE)
- set(APPLICATION_FLAVOUR_DOGTAG TRUE)
- set(APPLICATION_FLAVOUR_DOGTAG_THEME TRUE)
-elseif (BUILD_REDHAT_COMPLETE)
- set(APPLICATION_FLAVOUR_CORE TRUE)
- set(APPLICATION_FLAVOUR_DOGTAG TRUE)
- set(APPLICATION_FLAVOUR_REDHAT TRUE)
- set(APPLICATION_FLAVOUR_REDHAT_THEME TRUE)
+ set(APPLICATION_FLAVOR_OSUTIL TRUE)
+elseif (BUILD_NULL_PKI_THEME)
+ set(APPLICATION_FLAVOR_NULL_PKI_THEME TRUE)
+elseif (BUILD_DOGTAG_PKI_THEME)
+ set(APPLICATION_FLAVOR_DOGTAG_PKI_THEME TRUE)
+elseif (BUILD_REDHAT_PKI_THEME)
+ set(APPLICATION_FLAVOR_REDHAT_PKI_THEME TRUE)
+elseif (BUILD_PKI_CORE)
+ set(APPLICATION_FLAVOR_PKI_CORE TRUE)
+elseif (BUILD_PKI_KRA)
+ set(APPLICATION_FLAVOR_PKI_KRA TRUE)
+elseif (BUILD_PKI_OCSP)
+ set(APPLICATION_FLAVOR_PKI_OCSP TRUE)
+elseif (BUILD_PKI_RA)
+ set(APPLICATION_FLAVOR_PKI_RA TRUE)
+elseif (BUILD_PKI_TKS)
+ set(APPLICATION_FLAVOR_PKI_TKS TRUE)
+elseif (BUILD_PKI_TPS)
+ set(APPLICATION_FLAVOR_PKI_TPS TRUE)
+elseif (BUILD_PKI_CONSOLE)
+ set(APPLICATION_FLAVOR_PKI_CONSOLE TRUE)
+elseif (BUILD_PKI_MIGRATE)
+ set(APPLICATION_FLAVOR_PKI_MIGRATE TRUE)
+elseif (BUILD_IPA_PKI)
+ set(APPLICATION_FLAVOR_NULL_PKI_THEME TRUE)
+ set(APPLICATION_FLAVOR_PKI_CORE TRUE)
+elseif (BUILD_DOGTAG_PKI)
+ set(APPLICATION_FLAVOR_DOGTAG_PKI_THEME TRUE)
+ set(APPLICATION_FLAVOR_PKI_CORE TRUE)
+ set(APPLICATION_FLAVOR_PKI_KRA TRUE)
+ set(APPLICATION_FLAVOR_PKI_OCSP TRUE)
+ set(APPLICATION_FLAVOR_PKI_RA TRUE)
+ set(APPLICATION_FLAVOR_PKI_TKS TRUE)
+ set(APPLICATION_FLAVOR_PKI_TPS TRUE)
+ set(APPLICATION_FLAVOR_PKI_CONSOLE TRUE)
+elseif (BUILD_REDHAT_PKI)
+ set(APPLICATION_FLAVOR_REDHAT_PKI_THEME TRUE)
+ set(APPLICATION_FLAVOR_PKI_CORE TRUE)
+ set(APPLICATION_FLAVOR_PKI_KRA TRUE)
+ set(APPLICATION_FLAVOR_PKI_OCSP TRUE)
+ set(APPLICATION_FLAVOR_PKI_RA TRUE)
+ set(APPLICATION_FLAVOR_PKI_TKS TRUE)
+ set(APPLICATION_FLAVOR_PKI_TPS TRUE)
+ set(APPLICATION_FLAVOR_PKI_CONSOLE TRUE)
+ set(APPLICATION_FLAVOR_PKI_MIGRATE TRUE)
 else ()
- # By default, build complete Dogtag
- set(APPLICATION_FLAVOUR_CORE TRUE)
- set(APPLICATION_FLAVOUR_DOGTAG TRUE)
- set(APPLICATION_FLAVOUR_DOGTAG_THEME TRUE)
+ # By default, build Dogtag PKI
+ set(APPLICATION_FLAVOR_DOGTAG_PKI_THEME TRUE)
+ set(APPLICATION_FLAVOR_PKI_CORE TRUE)
+ set(APPLICATION_FLAVOR_PKI_KRA TRUE)
+ set(APPLICATION_FLAVOR_PKI_OCSP TRUE)
+ set(APPLICATION_FLAVOR_PKI_RA TRUE)
+ set(APPLICATION_FLAVOR_PKI_TKS TRUE)
+ set(APPLICATION_FLAVOR_PKI_TPS TRUE)
+ set(APPLICATION_FLAVOR_PKI_CONSOLE TRUE)
 endif ()
 set(APPLICATION_VERSION_MAJOR "9")
@@ -75,6 +97,10 @@ find_package(NSS REQUIRED)
 find_package(Ldap REQUIRED)
 find_package(APR REQUIRED)
+# required for TPS
+find_package(Svrcore REQUIRED)
+find_package(MozLDAP REQUIRED)
+
 # Find out if we have threading available
 set(CMAKE_THREAD_PREFER_PTHREADS ON)
 find_package(Threads)
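Review bot: The if/elseif chain honours only the first BUILD_* flag that is set and silently ignores every other one, so a configure with both BUILD_PKI_KRA and BUILD_PKI_OCSP enabled builds KRA alone, and nothing in the hunk says so. A comment above `if (BUILD_OSUTIL)` such as `# Exactly one BUILD_* flavor flag is honoured: the first match in this chain wins and any other flag that is set is ignored.` would record the contract, and a `message(STATUS ...)` naming the chosen flavor after `endif ()` would make the selection visible in the configure log. The default branch now enables every subsystem except MIGRATE; stating that in the `# By default, build Dogtag PKI` comment would make the omission read as deliberate rather than accidental.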
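Review bot: `find_package(Svrcore REQUIRED)` and `find_package(MozLDAP REQUIRED)` run for every flavor, although the comment says they are required for TPS and the tps tree is only entered when APPLICATION_FLAVOR_PKI_TPS is set (pki/base/CMakeLists.txt in this same commit). A theme-only or pki-core-only configure will therefore fail on a host that lacks the svrcore and Mozilla LDAP development packages, which is a new hard dependency for builds that never link them. The flavor variables are already set earlier in this file, so wrapping both calls in `if (APPLICATION_FLAVOR_PKI_TPS)` ... `endif ()` is enough; if RA also needs them, as the commit subject about RA and TPS suggests, extend the condition with `OR APPLICATION_FLAVOR_PKI_RA` rather than keeping them unconditional.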
@@ -86,29 +112,34 @@ configure_file(config.h.cmake ${CMAKE_CURRENT_BINARY_DIR}/config.h)
 add_definitions(-DHAVE_CONFIG_H)
 # uninstall target
-configure_file(
- "${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
- "${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
- IMMEDIATE @ONLY)
+configure_file("${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
+ "${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
+ IMMEDIATE @ONLY)
 add_custom_target(uninstall
- COMMAND ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)
+ COMMAND ${CMAKE_COMMAND}
+ -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)
 # check subdirectories
-if (APPLICATION_FLAVOUR_OSUTIL)
- add_subdirectory(base)
-endif (APPLICATION_FLAVOUR_OSUTIL)
-if (APPLICATION_FLAVOUR_CORE)
+if (APPLICATION_FLAVOR_OSUTIL OR
+ APPLICATION_FLAVOR_PKI_CORE OR
+ APPLICATION_FLAVOR_PKI_KRA OR
+ APPLICATION_FLAVOR_PKI_OCSP OR
+ APPLICATION_FLAVOR_PKI_RA OR
+ APPLICATION_FLAVOR_PKI_TKS OR
+ APPLICATION_FLAVOR_PKI_TPS OR
+ APPLICATION_FLAVOR_PKI_CONSOLE OR
+ APPLICATION_FLAVOR_PKI_MIGRATE)
 add_subdirectory(base)
-endif (APPLICATION_FLAVOUR_CORE)
+endif ()
-# 'themes' must be mutually exclusive!
-if (APPLICATION_FLAVOUR_NULL_THEME)
+# 'Themes' MUST be "mutually-exclusive"!
+if (APPLICATION_FLAVOR_NULL_PKI_THEME)
 add_subdirectory(dogtag)
-elseif (APPLICATION_FLAVOUR_DOGTAG_THEME)
+elseif (APPLICATION_FLAVOR_DOGTAG_PKI_THEME)
 add_subdirectory(dogtag)
-elseif (APPLICATION_FLAVOUR_REDHAT_THEME)
+elseif (APPLICATION_FLAVOR_REDHAT_PKI_THEME)
 add_subdirectory(redhat)
-endif (APPLICATION_FLAVOUR_NULL_THEME)
+endif ()
diff --git a/pki/base/CMakeLists.txt b/pki/base/CMakeLists.txt
index fc96f785e..9f4131d3b 100644
--- a/pki/base/CMakeLists.txt
+++ b/pki/base/CMakeLists.txt
@@ -2,10 +2,10 @@ project(base)
 # The order is important!
 # add_subdirectory(osutil)
-if (APPLICATION_FLAVOUR_OSUTIL)
+if (APPLICATION_FLAVOR_OSUTIL)
 add_subdirectory(osutil)
-endif (APPLICATION_FLAVOUR_OSUTIL)
-if (APPLICATION_FLAVOUR_CORE)
+endif (APPLICATION_FLAVOR_OSUTIL)
+if (APPLICATION_FLAVOR_PKI_CORE)
 add_subdirectory(setup)
 add_subdirectory(symkey)
 add_subdirectory(native-tools)
@@ -15,15 +15,25 @@ if (APPLICATION_FLAVOUR_CORE)
 add_subdirectory(selinux)
 add_subdirectory(ca)
 add_subdirectory(silent)
-endif (APPLICATION_FLAVOUR_CORE)
-if (APPLICATION_FLAVOUR_DOGTAG)
+endif (APPLICATION_FLAVOR_PKI_CORE)
+if (APPLICATION_FLAVOR_PKI_KRA)
 add_subdirectory(kra)
+endif (APPLICATION_FLAVOR_PKI_KRA)
+if (APPLICATION_FLAVOR_PKI_OCSP)
 add_subdirectory(ocsp)
+endif (APPLICATION_FLAVOR_PKI_OCSP)
+if (APPLICATION_FLAVOR_PKI_RA)
+ add_subdirectory(ra)
+endif (APPLICATION_FLAVOR_PKI_RA)
+if (APPLICATION_FLAVOR_PKI_TKS)
 add_subdirectory(tks)
+endif (APPLICATION_FLAVOR_PKI_TKS)
+if (APPLICATION_FLAVOR_PKI_TPS)
 add_subdirectory(tps)
- add_subdirectory(ra)
+endif (APPLICATION_FLAVOR_PKI_TPS)
+if (APPLICATION_FLAVOR_PKI_CONSOLE)
 add_subdirectory(console)
-endif (APPLICATION_FLAVOUR_DOGTAG)
-if (APPLICATION_FLAVOUR_REDHAT)
+endif (APPLICATION_FLAVOR_PKI_CONSOLE)
+if (APPLICATION_FLAVOR_PKI_MIGRATE)
 add_subdirectory(migrate)
-endif (APPLICATION_FLAVOUR_REDHAT)
+endif (APPLICATION_FLAVOR_PKI_MIGRATE)
diff --git a/pki/base/ca/CMakeLists.txt b/pki/base/ca/CMakeLists.txt
index bab50004e..9ad04dadc 100644
--- a/pki/base/ca/CMakeLists.txt
+++ b/pki/base/ca/CMakeLists.txt
@@ -2,6 +2,7 @@ project(ca Java)
 add_subdirectory(src)
 add_subdirectory(setup)
+add_subdirectory(shared/conf)
 # install init script
 install(
@@ -25,6 +26,8 @@ install(
 "CMakeLists.txt" EXCLUDE
 PATTERN
 "etc/*" EXCLUDE
+ PATTERN
+ "conf/CS.cfg.in" EXCLUDE
 )
 # install empty directories
diff --git a/pki/base/ca/shared/CMakeLists.txt b/pki/base/ca/shared/CMakeLists.txt
deleted file mode 100644
index 507395ff2..000000000
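Review bot: Every new `endif` in pki/base/CMakeLists.txt repeats its condition (`endif (APPLICATION_FLAVOR_OSUTIL)`, `endif (APPLICATION_FLAVOR_PKI_KRA)` and so on in this hunk and the second one), while the same commit writes bare `endif ()` in pki/CMakeLists.txt; the repeated-argument form is legacy noise that has to be kept in sync by hand whenever a condition is renamed, as this very commit had to do. Using `endif ()` throughout would keep the two files consistent. The second hunk also moves `add_subdirectory(ra)` from after tps to before tks under a file-level `# The order is important!` comment; if that ordering constraint still holds, the comment should say which directories depend on which, since the new position otherwise looks like an unexplained change.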
--- a/pki/base/ca/shared/CMakeLists.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-# install init script
-install(
- FILES
- etc/init.d/pki-cad
- DESTINATION
- ${SYSCONF_INSTALL_DIR}/init.d
- PERMISSIONS
- OWNER_EXECUTE OWNER_WRITE OWNER_READ
- GROUP_EXECUTE GROUP_READ
- WORLD_EXECUTE WORLD_READ
-)
diff --git a/pki/base/ca/shared/conf/CMakeLists.txt b/pki/base/ca/shared/conf/CMakeLists.txt
new file mode 100644
index 000000000..e3cef5915
--- /dev/null
+++ b/pki/base/ca/shared/conf/CMakeLists.txt
@@ -0,0 +1,12 @@
+set(VERSION ${APPLICATION_VERSION})
+set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR})
+set(MINOR_VERSION ${APPLICATION_VERSION_MINOR})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+ FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg
deleted file mode 100644
index 3ebd84d6a..000000000
--- a/pki/base/ca/shared/conf/CS.cfg
+++ /dev/null
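Review bot: The new conf/CMakeLists.txt sets the unprefixed directory-scope variables VERSION, MAJOR_VERSION and MINOR_VERSION with no comment saying they exist only to feed the `@ONLY` substitution in CS.cfg.in; a header such as `# Values substituted into CS.cfg.in by the configure_file() call below.` would make that clear, and project-prefixed names would avoid shadowing anything a parent scope uses. The install destination relies on `${PROJECT_NAME}` being inherited from `project(ca Java)` in pki/base/ca/CMakeLists.txt, which is worth stating in a comment because a `project()` call added to this directory later would silently change the path. The generated CS.cfg is installed with default permissions into the share prefix; that is appropriate only while CS.cfg.in stays a pre-install template holding `[PKI_*]` placeholders like the `preop.pin=[PKI_RANDOM_NUMBER]` and `passwordFile=` entries visible in the deleted CS.cfg, so a one-line comment recording that it is a template rather than a live instance configuration would document the assumption.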
@@ -1,1070 +0,0 @@ -# -#cs.state=0 (pre-operational) -#cs.state=1 (running) -# -pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] -pkicreate.pki_instance_name=[PKI_INSTANCE_ID] -pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] -pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT] -pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT] -pkicreate.ee_secure_client_auth_port=[PKI_EE_SECURE_CLIENT_AUTH_PORT] -pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT] -pkicreate.secure_port=[PKI_SECURE_PORT] -pkicreate.unsecure_port=[PKI_UNSECURE_PORT] -pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT] -pkicreate.user=[PKI_USER] -pkicreate.arg11.group=[PKI_GROUP] -pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -installDate=[INSTALL_TIME] -preop.wizard.name=CA Setup Wizard -preop.product.name=CS -preop.product.version= -preop.system.name=CA -preop.system.fullname=Certificate Authority -cs.state=0 -cs.type=CA -authType=pwd -admin.interface.uri=ca/admin/console/config/wizard -ee.interface.uri=ca/ee/ca -agent.interface.uri=ca/agent/ca -preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445 -securitydomain.flushinterval=86400000 -securitydomain.source=ldap -securitydomain.checkinterval=300000 -instanceRoot=[PKI_INSTANCE_PATH] -machineName=[PKI_MACHINE_NAME] -instanceId=[PKI_INSTANCE_ID] -service.machineName=[PKI_MACHINE_NAME] -service.instanceDir=[PKI_INSTANCE_ROOT] -service.securePort=[PKI_AGENT_SECURE_PORT] -service.non_clientauth_securePort=[PKI_EE_SECURE_PORT] -service.clientauth_securePort=[PKI_EE_SECURE_CLIENT_AUTH_PORT] -service.unsecurePort=[PKI_UNSECURE_PORT] -service.instanceID=[PKI_INSTANCE_ID] -preop.admin.name=Certificate System Administrator -preop.admin.group=Certificate Manager Agents -preop.admincert.profile=caAdminCert -preop.pin=[PKI_RANDOM_NUMBER] -ca.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing -preop.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing -preop.cert.signing.enable=true 
-preop.cert.ocsp_signing.enable=true -preop.cert.sslserver.enable=true -preop.cert.subsystem.enable=true -preop.cert.audit_signing.enable=true -preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA -preop.cert.signing.dn=CN=Certificate Authority -preop.cert.signing.cncomponent.override=true -preop.cert.signing.keysize.size=2048 -preop.cert.signing.keysize.custom_size=2048 -preop.cert.signing.nickname=caSigningCert cert-[PKI_INSTANCE_ID] -preop.cert.signing.profile=caCert.profile -preop.cert.signing.signing.required=true -preop.cert.signing.subsystem=ca -preop.cert.signing.type=selfsign -preop.cert.signing.userfriendlyname=CA Signing Certificate -preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA -preop.cert.audit_signing.dn=CN=CA Audit Signing Certificate -preop.cert.audit_signing.keysize.custom_size=2048 -preop.cert.audit_signing.keysize.size=2048 -preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID] -preop.cert.audit_signing.profile=caAuditSigningCert.profile -preop.cert.audit_signing.signing.required=false -preop.cert.audit_signing.subsystem=ca -preop.cert.audit_signing.type=local -preop.cert.audit_signing.userfriendlyname=CA Audit Signing Certificate -preop.cert.audit_signing.cncomponent.override=true -preop.cert.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA -preop.cert.ocsp_signing.dn=CN=OCSP Signing Certificate -preop.cert.ocsp_signing.keysize.custom_size=2048 -preop.cert.ocsp_signing.keysize.size=2048 -preop.cert.ocsp_signing.nickname=ocspSigningCert cert-[PKI_INSTANCE_ID] -preop.cert.ocsp_signing.profile=caOCSPCert.profile -preop.cert.ocsp_signing.signing.required=true -preop.cert.ocsp_signing.subsystem=ca -preop.cert.ocsp_signing.type=local -preop.cert.ocsp_signing.userfriendlyname=OCSP Signing Certificate -preop.cert.ocsp_signing.cncomponent.override=true -preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA -preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME] -preop.cert.sslserver.keysize.custom_size=2048 
-preop.cert.sslserver.keysize.size=2048 -preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] -preop.cert.sslserver.profile=serverCert.profile -preop.cert.sslserver.signing.required=false -preop.cert.sslserver.subsystem=ca -preop.cert.sslserver.type=local -preop.cert.sslserver.userfriendlyname=SSL Server Certificate -preop.cert.sslserver.cncomponent.override=false -preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA -preop.cert.subsystem.dn=CN=CA Subsystem Certificate -preop.cert.subsystem.keysize.custom_size=2048 -preop.cert.subsystem.keysize.size=2048 -preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -preop.cert.subsystem.profile=subsystemCert.profile -preop.cert.subsystem.signing.required=false -preop.cert.subsystem.subsystem=ca -preop.cert.subsystem.type=local -preop.cert.subsystem.userfriendlyname=Subsystem Certificate -preop.cert.subsystem.cncomponent.override=true -preop.cert.admin.defaultSigningAlgorithm=SHA256withRSA -preop.cert.admin.dn=uid=admin,cn=admin -preop.cert.admin.keysize.custom_size=2048 -preop.cert.admin.keysize.size=2048 -preop.cert.admin.profile=adminCert.profile -preop.hierarchy.profile=caCert.profile -preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module -preop.configModules.module0.commonName=NSS Internal PKCS #11 Module -preop.configModules.module0.imagePath=../img/clearpixel.gif -preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module -preop.configModules.module1.commonName=nfast -preop.configModules.module1.imagePath=../img/clearpixel.gif -preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module -preop.configModules.module2.commonName=lunasa -preop.configModules.module2.imagePath=../img/clearpixel.gif -preop.configModules.count=3 -preop.module.token=Internal Key Storage Token -preop.name.caDN=CN=Certificate Authority -preop.name.sslDN=CN=[PKI_MACHINE_NAME] -preop.name.ocspDN=CN=OCSP Signing Certificate 
-preop.name.subsystemDN=CN=CA Subsystem Certificate -preop.name.canickname=caSigningCert cert-[PKI_INSTANCE_ID] -preop.name.ocspnickname=ocspSigningCert cert-[PKI_INSTANCE_ID] -preop.name.subsystemnickname=subsystemCert cert-[PKI_INSTANCE_ID] -preop.name.sslnickname=Server-Cert cert-[PKI_INSTANCE_ID] -preop.subsystem.count=0 -subsystem.count=0 -passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf -passwordClass=com.netscape.cmsutil.password.PlainPasswordFile -CrossCertPair._000=## -CrossCertPair._001=## CrossCertPair Import -CrossCertPair._002=## -CrossCertPair.ldap=internaldb -accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator -accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator -accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator -accessEvaluator.impl.user_origreq.class=com.netscape.cms.evaluators.UserOrigReqAccessEvaluator -auths._000=## -auths._001=## new authentication -auths._002=## -auths.impl._000=## -auths.impl._001=## authentication manager implementations -auths.impl._002=## -auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication -auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth -auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth -auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll -auths.impl.SSLclientCertAuth.class=com.netscape.cms.authentication.SSLclientCertAuthentication -auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication -auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication -auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication -auths.impl.UidPwdGroupDirAuth.class=com.netscape.cms.authentication.UidPwdGroupDirAuthentication -auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication 
-auths.impl.FlatFileAuth.class=com.netscape.cms.authentication.FlatFileAuth -auths.instance.TokenAuth.pluginName=TokenAuth -auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents -auths.instance.AgentCertAuth.pluginName=AgentCertAuth -auths.instance.raCertAuth.agentGroup=Registration Manager Agents -auths.instance.raCertAuth.pluginName=AgentCertAuth -auths.instance.flatFileAuth.pluginName=FlatFileAuth -auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/flatfile.txt -auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth -auths.revocationChecking.bufferSize=50 -auths.revocationChecking.ca=ca -auths.revocationChecking.enabled=true -auths.revocationChecking.unknownStateInterval=0 -auths.revocationChecking.validityInterval=120 -authz._000=## -authz._001=## new authorizatioin -authz._002=## -authz.evaluateOrder=deny,allow -authz.sourceType=ldap -authz.impl._000=## -authz.impl._001=## authorization manager implementations -authz.impl._002=## -authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz -authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz -authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz -authz.instance.DirAclAuthz.ldap=internaldb -authz.instance.DirAclAuthz.pluginName=DirAclAuthz -authz.instance.DirAclAuthz.ldap._000=## -authz.instance.DirAclAuthz.ldap._001=## Internal Database -authz.instance.DirAclAuthz.ldap._002=## -ca.ocsp=true -ca.certdbInc=20 -ca.crldbInc=20 -ca.id=ca -ca.local=true -ca.ocspUseCache=false -ca.enableNonces=true -ca.maxNumberOfNonces=100 -ca.reqdbInc=20 -ca.transitMaxRecords=1000000 -ca.transitRecordPageSize=200 -# maxSearchReturns - limits number of search results returned by SearchReqs and SrchCerts -# ca.maxSearchReturns=1000 -ca.scep.enable=false -ca.scep.hashAlgorithm=SHA1 -ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512 -ca.scep.encryptionAlgorithm=DES3 -ca.scep.allowedEncryptionAlgorithms=DES3 -ca.scep.nonceSizeLimit=16 -ca.Policy._000=## -ca.Policy._001=## 
Certificate Policy Framework (deprecated) -ca.Policy._002=## -ca.Policy._003=## Set 'ca.Policy.enable=true' to allow the following: -ca.Policy._004=## -ca.Policy._005=## SERVLET-NAME URL-PATTERN -ca.Policy._006=## ==================================================== -ca.Policy._007=## caadminEnroll ca/admin/ca/adminEnroll.html -ca.Policy._008=## cabulkissuance ca/agent/ca/bulkissuance.html -ca.Policy._009=## cacertbasedenrollment ca/certbasedenrollment.html -ca.Policy._010=## caenrollment ca/enrollment.html -ca.Policy._011=## capolicy ca/capolicy -ca.Policy._012=## -ca.Policy.enable=false -ca.Policy.order=KeyAlgRule, RSAKeyRule, DefaultValidityRule, RenewalConstraintsRule, DefaultRenewalValidityRule, RevocationConstraintsRule, NSCertTypeExt, CMCertKeyUsageExt, RMCertKeyUsageExt, ClientCertKeyUsageExt, ServerCertKeyUsageExt, ObjSignCertKeyUsageExt, CRLSignCertKeyUsageExt, SubjectKeyIdentifierExt, CertificatePoliciesExt, NSCCommentExt, OCSPNoCheckExt, OCSPSigningExt, CODESigningExt, GenericASN1Ext, CRLDistributionPointsExt, SubjectAltNameExt, SigningAlgRule, AuthorityKeyIdentifierExt, AuthInfoAccessExt, BasicConstraintsExt, UniqueSubjectNameConstraints, NameConstraintsExt, PolicyConstraintsExt, SubCANameConstraints, PolicyMappingsExt, IssuerRule -ca.Policy.processor=classic -ca.Policy.impl._000=## -ca.Policy.impl._001=## Policy Implementations -ca.Policy.impl._002=## -ca.Policy.impl.AttributePresentConstraints.class=com.netscape.cms.policy.constraints.AttributePresentConstraints -ca.Policy.impl.AuthInfoAccessExt.class=com.netscape.cms.policy.extensions.AuthInfoAccessExt -ca.Policy.impl.AuthorityKeyIdentifierExt.class=com.netscape.cms.policy.extensions.AuthorityKeyIdentifierExt -ca.Policy.impl.BasicConstraintsExt.class=com.netscape.cms.policy.extensions.BasicConstraintsExt -ca.Policy.impl.CRLDistributionPointsExt.class=com.netscape.cms.policy.extensions.CRLDistributionPointsExt 
-ca.Policy.impl.CertificatePoliciesExt.class=com.netscape.cms.policy.extensions.CertificatePoliciesExt -ca.Policy.impl.CertificateRenewalWindowExt.class=com.netscape.cms.policy.extensions.CertificateRenewalWindowExt -ca.Policy.impl.CertificateScopeOfUseExt.class=com.netscape.cms.policy.extensions.CertificateScopeOfUseExt -ca.Policy.impl.DSAKeyConstraints.class=com.netscape.cms.policy.constraints.DSAKeyConstraints -ca.Policy.impl.ExtendedKeyUsageExt.class=com.netscape.cms.policy.extensions.ExtendedKeyUsageExt -ca.Policy.impl.GenericASN1Ext.class=com.netscape.cms.policy.extensions.GenericASN1Ext -ca.Policy.impl.IssuerAltNameExt.class=com.netscape.cms.policy.extensions.IssuerAltNameExt -ca.Policy.impl.IssuerConstraints.class=com.netscape.cms.policy.constraints.IssuerConstraints -ca.Policy.impl.KeyAlgorithmConstraints.class=com.netscape.cms.policy.constraints.KeyAlgorithmConstraints -ca.Policy.impl.KeyUsageExt.class=com.netscape.cms.policy.extensions.KeyUsageExt -ca.Policy.impl.NSCCommentExt.class=com.netscape.cms.policy.extensions.NSCCommentExt -ca.Policy.impl.NSCertTypeExt.class=com.netscape.cms.policy.extensions.NSCertTypeExt -ca.Policy.impl.NameConstraintsExt.class=com.netscape.cms.policy.extensions.NameConstraintsExt -ca.Policy.impl.OCSPNoCheckExt.class=com.netscape.cms.policy.extensions.OCSPNoCheckExt -ca.Policy.impl.PolicyConstraintsExt.class=com.netscape.cms.policy.extensions.PolicyConstraintsExt -ca.Policy.impl.PolicyMappingsExt.class=com.netscape.cms.policy.extensions.PolicyMappingsExt -ca.Policy.impl.PrivateKeyUsagePeriodExt.class=com.netscape.cms.policy.extensions.PrivateKeyUsagePeriodExt -ca.Policy.impl.RSAKeyConstraints.class=com.netscape.cms.policy.constraints.RSAKeyConstraints -ca.Policy.impl.RemoveBasicConstraintsExt.class=com.netscape.cms.policy.extensions.RemoveBasicConstraintsExt -ca.Policy.impl.RenewalConstraints.class=com.netscape.cms.policy.constraints.RenewalConstraints 
-ca.Policy.impl.RenewalValidityConstraints.class=com.netscape.cms.policy.constraints.RenewalValidityConstraints -ca.Policy.impl.RevocationConstraints.class=com.netscape.cms.policy.constraints.RevocationConstraints -ca.Policy.impl.SigningAlgorithmConstraints.class=com.netscape.cms.policy.constraints.SigningAlgorithmConstraints -ca.Policy.impl.SubCANameConstraints.class=com.netscape.cms.policy.constraints.SubCANameConstraints -ca.Policy.impl.SubjectAltNameExt.class=com.netscape.cms.policy.extensions.SubjectAltNameExt -ca.Policy.impl.SubjectDirectoryAttributesExt.class=com.netscape.cms.policy.extensions.SubjectDirectoryAttributesExt -ca.Policy.impl.SubjectKeyIdentifierExt.class=com.netscape.cms.policy.extensions.SubjectKeyIdentifierExt -ca.Policy.impl.UniqueSubjectNameConstraints.class=com.netscape.cms.policy.constraints.UniqueSubjectNameConstraints -ca.Policy.impl.ValidityConstraints.class=com.netscape.cms.policy.constraints.ValidityConstraints -ca.Policy.rule.AuthInfoAccessExt.ad0_location=http://[PKI_MACHINE_NAME]:8080/ocsp -ca.Policy.rule.AuthInfoAccessExt.ad0_location_type=URL -ca.Policy.rule.AuthInfoAccessExt.ad0_method=ocsp -ca.Policy.rule.AuthInfoAccessExt.enable=false -ca.Policy.rule.AuthInfoAccessExt.implName=AuthInfoAccessExt -ca.Policy.rule.AuthInfoAccessExt.numADs=1 -ca.Policy.rule.AuthInfoAccessExt.predicate=HTTP_PARAMS.certType==client -ca.Policy.rule.AuthorityKeyIdentifierExt.enable=true -ca.Policy.rule.AuthorityKeyIdentifierExt.implName=AuthorityKeyIdentifierExt -ca.Policy.rule.AuthorityKeyIdentifierExt.predicate= -ca.Policy.rule.BasicConstraintsExt.critical=true -ca.Policy.rule.BasicConstraintsExt.enable=true -ca.Policy.rule.BasicConstraintsExt.implName=BasicConstraintsExt -ca.Policy.rule.BasicConstraintsExt.maxPathLen= -ca.Policy.rule.BasicConstraintsExt.predicate=HTTP_PARAMS.certType == ca -ca.Policy.rule.BasicConstraintsExt.removeBasicExt=true -ca.Policy.rule.CMCertKeyUsageExt.crlSign=true -ca.Policy.rule.CMCertKeyUsageExt.dataEncipherment=false 
-ca.Policy.rule.CMCertKeyUsageExt.decipherOnly=false -ca.Policy.rule.CMCertKeyUsageExt.digitalSignature=true -ca.Policy.rule.CMCertKeyUsageExt.enable=true -ca.Policy.rule.CMCertKeyUsageExt.encipherOnly=false -ca.Policy.rule.CMCertKeyUsageExt.implName=KeyUsageExt -ca.Policy.rule.CMCertKeyUsageExt.keyAgreement=false -ca.Policy.rule.CMCertKeyUsageExt.keyCertsign=true -ca.Policy.rule.CMCertKeyUsageExt.keyEncipherment=false -ca.Policy.rule.CMCertKeyUsageExt.nonRepudiation=true -ca.Policy.rule.CMCertKeyUsageExt.predicate=HTTP_PARAMS.certType==ca -ca.Policy.rule.CODESigningExt.critical=false -ca.Policy.rule.CODESigningExt.enable=true -ca.Policy.rule.CODESigningExt.id0=1.3.6.1.5.5.7.3.3 -ca.Policy.rule.CODESigningExt.implName=ExtendedKeyUsageExt -ca.Policy.rule.CODESigningExt.predicate=HTTP_PARAMS.certType==codeSignClient -ca.Policy.rule.CRLDistributionPointsExt.enable=false -ca.Policy.rule.CRLDistributionPointsExt.implName=CRLDistributionPointsExt -ca.Policy.rule.CRLDistributionPointsExt.issuerName0= -ca.Policy.rule.CRLDistributionPointsExt.issuerName1= -ca.Policy.rule.CRLDistributionPointsExt.issuerName2= -ca.Policy.rule.CRLDistributionPointsExt.issuerType0= -ca.Policy.rule.CRLDistributionPointsExt.issuerType1= -ca.Policy.rule.CRLDistributionPointsExt.issuerType2= -ca.Policy.rule.CRLDistributionPointsExt.numPoints=0 -ca.Policy.rule.CRLDistributionPointsExt.pointName0= -ca.Policy.rule.CRLDistributionPointsExt.pointName1= -ca.Policy.rule.CRLDistributionPointsExt.pointName2= -ca.Policy.rule.CRLDistributionPointsExt.pointType0= -ca.Policy.rule.CRLDistributionPointsExt.pointType1= -ca.Policy.rule.CRLDistributionPointsExt.pointType2= -ca.Policy.rule.CRLDistributionPointsExt.predicate= -ca.Policy.rule.CRLDistributionPointsExt.reasons0= -ca.Policy.rule.CRLDistributionPointsExt.reasons1= -ca.Policy.rule.CRLDistributionPointsExt.reasons2= -ca.Policy.rule.CRLSignCertKeyUsageExt.crlSign=true -ca.Policy.rule.CRLSignCertKeyUsageExt.dataEncipherment=false 
-ca.Policy.rule.CRLSignCertKeyUsageExt.decipherOnly=false -ca.Policy.rule.CRLSignCertKeyUsageExt.digitalSignature=false -ca.Policy.rule.CRLSignCertKeyUsageExt.enable=true -ca.Policy.rule.CRLSignCertKeyUsageExt.encipherOnly=false -ca.Policy.rule.CRLSignCertKeyUsageExt.implName=KeyUsageExt -ca.Policy.rule.CRLSignCertKeyUsageExt.keyAgreement=false -ca.Policy.rule.CRLSignCertKeyUsageExt.keyCertsign=false -ca.Policy.rule.CRLSignCertKeyUsageExt.keyEncipherment=false -ca.Policy.rule.CRLSignCertKeyUsageExt.nonRepudiation=false -ca.Policy.rule.CRLSignCertKeyUsageExt.predicate=HTTP_PARAMS.certType==caCrlSigning -ca.Policy.rule.CertificatePoliciesExt.critical=false -ca.Policy.rule.CertificatePoliciesExt.enable=false -ca.Policy.rule.CertificatePoliciesExt.implName=CertificatePoliciesExt -ca.Policy.rule.CertificatePoliciesExt.numCertPolicies=1 -ca.Policy.rule.CertificatePoliciesExt.predicate= -ca.Policy.rule.CertificatePoliciesExt.certPolicy0.cpsURI= -ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefNumbers= -ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefOrganization= -ca.Policy.rule.CertificatePoliciesExt.certPolicy0.policyId= -ca.Policy.rule.CertificatePoliciesExt.certPolicy0.userNoticeExplicitText= -ca.Policy.rule.ClientCertKeyUsageExt.crlSign=false -ca.Policy.rule.ClientCertKeyUsageExt.dataEncipherment=false -ca.Policy.rule.ClientCertKeyUsageExt.decipherOnly=false -ca.Policy.rule.ClientCertKeyUsageExt.digitalSignature=true -ca.Policy.rule.ClientCertKeyUsageExt.enable=true -ca.Policy.rule.ClientCertKeyUsageExt.encipherOnly=false -ca.Policy.rule.ClientCertKeyUsageExt.implName=KeyUsageExt -ca.Policy.rule.ClientCertKeyUsageExt.keyAgreement=false -ca.Policy.rule.ClientCertKeyUsageExt.keyCertsign=false -ca.Policy.rule.ClientCertKeyUsageExt.keyEncipherment=true -ca.Policy.rule.ClientCertKeyUsageExt.nonRepudiation=true -ca.Policy.rule.ClientCertKeyUsageExt.predicate=HTTP_PARAMS.certType==client -ca.Policy.rule.DSAKeyRule.enable=true 
-ca.Policy.rule.DSAKeyRule.implName=DSAKeyConstraints
-ca.Policy.rule.DSAKeyRule.maxSize=1024
-ca.Policy.rule.DSAKeyRule.minSize=512
-ca.Policy.rule.DSAKeyRule.predicate=
-ca.Policy.rule.DefaultRenewalValidityRule.enable=true
-ca.Policy.rule.DefaultRenewalValidityRule.implName=RenewalValidityConstraints
-ca.Policy.rule.DefaultRenewalValidityRule.maxValidity=365
-ca.Policy.rule.DefaultRenewalValidityRule.minValidity=30
-ca.Policy.rule.DefaultRenewalValidityRule.predicate=
-ca.Policy.rule.DefaultRenewalValidityRule.renewalInterval=15
-ca.Policy.rule.DefaultValidityRule.enable=true
-ca.Policy.rule.DefaultValidityRule.implName=ValidityConstraints
-ca.Policy.rule.DefaultValidityRule.maxValidity=365
-ca.Policy.rule.DefaultValidityRule.minValidity=1
-ca.Policy.rule.DefaultValidityRule.predicate=
-ca.Policy.rule.GenericASN1Ext.critical=false
-ca.Policy.rule.GenericASN1Ext.enable=false
-ca.Policy.rule.GenericASN1Ext.implName=GenericASN1Ext
-ca.Policy.rule.GenericASN1Ext.name=
-ca.Policy.rule.GenericASN1Ext.oid=
-ca.Policy.rule.GenericASN1Ext.pattern=
-ca.Policy.rule.GenericASN1Ext.predicate=
-ca.Policy.rule.GenericASN1Ext.attribute.0.source=
-ca.Policy.rule.GenericASN1Ext.attribute.0.type=
-ca.Policy.rule.GenericASN1Ext.attribute.0.value=
-ca.Policy.rule.GenericASN1Ext.attribute.1.source=
-ca.Policy.rule.GenericASN1Ext.attribute.1.type=
-ca.Policy.rule.GenericASN1Ext.attribute.1.value=
-ca.Policy.rule.GenericASN1Ext.attribute.2.source=
-ca.Policy.rule.GenericASN1Ext.attribute.2.type=
-ca.Policy.rule.GenericASN1Ext.attribute.2.value=
-ca.Policy.rule.GenericASN1Ext.attribute.3.source=
-ca.Policy.rule.GenericASN1Ext.attribute.3.type=
-ca.Policy.rule.GenericASN1Ext.attribute.3.value=
-ca.Policy.rule.GenericASN1Ext.attribute.4.source=
-ca.Policy.rule.GenericASN1Ext.attribute.4.type=
-ca.Policy.rule.GenericASN1Ext.attribute.4.value=
-ca.Policy.rule.GenericASN1Ext.attribute.5.source=
-ca.Policy.rule.GenericASN1Ext.attribute.5.type=
-ca.Policy.rule.GenericASN1Ext.attribute.5.value=
-ca.Policy.rule.GenericASN1Ext.attribute.6.source=
-ca.Policy.rule.GenericASN1Ext.attribute.6.type=
-ca.Policy.rule.GenericASN1Ext.attribute.6.value=
-ca.Policy.rule.GenericASN1Ext.attribute.7.source=
-ca.Policy.rule.GenericASN1Ext.attribute.7.type=
-ca.Policy.rule.GenericASN1Ext.attribute.7.value=
-ca.Policy.rule.GenericASN1Ext.attribute.8.source=
-ca.Policy.rule.GenericASN1Ext.attribute.8.type=
-ca.Policy.rule.GenericASN1Ext.attribute.8.value=
-ca.Policy.rule.GenericASN1Ext.attribute.9.source=
-ca.Policy.rule.GenericASN1Ext.attribute.9.type=
-ca.Policy.rule.GenericASN1Ext.attribute.9.value=
-ca.Policy.rule.IssuerRule.enable=false
-ca.Policy.rule.IssuerRule.implName=IssuerConstraints
-ca.Policy.rule.IssuerRule.issuerDN=
-ca.Policy.rule.IssuerRule.predicate=HTTP_PARAMS.certType==client AND certauthEnroll==on
-ca.Policy.rule.KeyAlgRule.algorithms=RSA,DSA
-ca.Policy.rule.KeyAlgRule.enable=true
-ca.Policy.rule.KeyAlgRule.implName=KeyAlgorithmConstraints
-ca.Policy.rule.KeyAlgRule.predicate=
-ca.Policy.rule.NSCCommentExt.commentFile=
-ca.Policy.rule.NSCCommentExt.enable=false
-ca.Policy.rule.NSCCommentExt.implName=NSCCommentExt
-ca.Policy.rule.NSCCommentExt.inputType=Text
-ca.Policy.rule.NSCCommentExt.predicate=
-ca.Policy.rule.NSCertTypeExt.enable=true
-ca.Policy.rule.NSCertTypeExt.implName=NSCertTypeExt
-ca.Policy.rule.NSCertTypeExt.predicate=HTTP_PARAMS.certType!=CEP-Request
-ca.Policy.rule.NameConstraintsExt.critical=true
-ca.Policy.rule.NameConstraintsExt.enable=false
-ca.Policy.rule.NameConstraintsExt.implName=NameConstraintsExt
-ca.Policy.rule.NameConstraintsExt.numExcludedSubtrees=3
-ca.Policy.rule.NameConstraintsExt.numPermittedSubtrees=3
-ca.Policy.rule.NameConstraintsExt.predicate=HTTP_PARAMS.certType == ca
-ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.max=-1
-ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.min=0
-ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base.generalNameChoice=
-ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base.generalNameValue=
-ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.max=-1
-ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.min=0
-ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base.generalNameChoice=
-ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base.generalNameValue=
-ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.max=-1
-ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.min=0
-ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base.generalNameChoice=
-ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base.generalNameValue=
-ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.max=-1
-ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.min=0
-ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base.generalNameChoice=
-ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base.generalNameValue=
-ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.max=-1
-ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.min=0
-ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base.generalNameChoice=
-ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base.generalNameValue=
-ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.max=-1
-ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.min=0
-ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base.generalNameChoice=
-ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base.generalNameValue=
-ca.Policy.rule.OCSPNoCheckExt.critical=false
-ca.Policy.rule.OCSPNoCheckExt.enable=true
-ca.Policy.rule.OCSPNoCheckExt.implName=OCSPNoCheckExt
-ca.Policy.rule.OCSPNoCheckExt.predicate=HTTP_PARAMS.certType==ocspResponder
-ca.Policy.rule.OCSPSigningExt.critical=false
-ca.Policy.rule.OCSPSigningExt.enable=true
-ca.Policy.rule.OCSPSigningExt.id0=1.3.6.1.5.5.7.3.9
-ca.Policy.rule.OCSPSigningExt.implName=ExtendedKeyUsageExt
-ca.Policy.rule.OCSPSigningExt.predicate=HTTP_PARAMS.certType==ocspResponder
-ca.Policy.rule.ObjSignCertKeyUsageExt.crlSign=false
-ca.Policy.rule.ObjSignCertKeyUsageExt.dataEncipherment=false
-ca.Policy.rule.ObjSignCertKeyUsageExt.decipherOnly=false
-ca.Policy.rule.ObjSignCertKeyUsageExt.digitalSignature=true
-ca.Policy.rule.ObjSignCertKeyUsageExt.enable=true
-ca.Policy.rule.ObjSignCertKeyUsageExt.encipherOnly=false
-ca.Policy.rule.ObjSignCertKeyUsageExt.implName=KeyUsageExt
-ca.Policy.rule.ObjSignCertKeyUsageExt.keyAgreement=false
-ca.Policy.rule.ObjSignCertKeyUsageExt.keyCertsign=true
-ca.Policy.rule.ObjSignCertKeyUsageExt.keyEncipherment=false
-ca.Policy.rule.ObjSignCertKeyUsageExt.nonRepudiation=false
-ca.Policy.rule.ObjSignCertKeyUsageExt.predicate=HTTP_PARAMS.certType==objSignClient
-ca.Policy.rule.PolicyConstraintsExt.critical=false
-ca.Policy.rule.PolicyConstraintsExt.enable=false
-ca.Policy.rule.PolicyConstraintsExt.implName=PolicyConstraintsExt
-ca.Policy.rule.PolicyConstraintsExt.inhibitPolicyMapping=0
-ca.Policy.rule.PolicyConstraintsExt.predicate=HTTP_PARAMS.certType==ca
-ca.Policy.rule.PolicyConstraintsExt.reqExplicitPolicy=0
-ca.Policy.rule.PolicyMappingsExt.critical=false
-ca.Policy.rule.PolicyMappingsExt.enable=false
-ca.Policy.rule.PolicyMappingsExt.implName=PolicyMappingsExt
-ca.Policy.rule.PolicyMappingsExt.numPolicyMappings=1
-ca.Policy.rule.PolicyMappingsExt.predicate=HTTP_PARAMS.certType==ca
-ca.Policy.rule.PolicyMappingsExt.policyMap0.issuerDomainPolicy=
-ca.Policy.rule.PolicyMappingsExt.policyMap0.subjectDomainPolicy=
-ca.Policy.rule.RMCertKeyUsageExt.crlSign=false
-ca.Policy.rule.RMCertKeyUsageExt.dataEncipherment=false
-ca.Policy.rule.RMCertKeyUsageExt.decipherOnly=false
-ca.Policy.rule.RMCertKeyUsageExt.digitalSignature=true
-ca.Policy.rule.RMCertKeyUsageExt.enable=true
-ca.Policy.rule.RMCertKeyUsageExt.encipherOnly=false
-ca.Policy.rule.RMCertKeyUsageExt.implName=KeyUsageExt
-ca.Policy.rule.RMCertKeyUsageExt.keyAgreement=false
-ca.Policy.rule.RMCertKeyUsageExt.keyCertsign=false
-ca.Policy.rule.RMCertKeyUsageExt.keyEncipherment=false
-ca.Policy.rule.RMCertKeyUsageExt.nonRepudiation=true
-ca.Policy.rule.RMCertKeyUsageExt.predicate=HTTP_PARAMS.certType==ra
-ca.Policy.rule.RSAKeyRule.enable=false
-ca.Policy.rule.RSAKeyRule.exponents=3,7,17,65537
-ca.Policy.rule.RSAKeyRule.implName=RSAKeyConstraints
-ca.Policy.rule.RSAKeyRule.maxSize=2048
-ca.Policy.rule.RSAKeyRule.minSize=512
-ca.Policy.rule.RSAKeyRule.predicate=
-ca.Policy.rule.RenewalConstraintsRule.enable=true
-ca.Policy.rule.RenewalConstraintsRule.implName=RenewalConstraints
-ca.Policy.rule.RenewalConstraintsRule.predicate=
-ca.Policy.rule.RevocationConstraintsRule.enable=true
-ca.Policy.rule.RevocationConstraintsRule.implName=RevocationConstraints
-ca.Policy.rule.RevocationConstraintsRule.predicate=
-ca.Policy.rule.ServerCertKeyUsageExt.crlSign=false
-ca.Policy.rule.ServerCertKeyUsageExt.dataEncipherment=true
-ca.Policy.rule.ServerCertKeyUsageExt.decipherOnly=false
-ca.Policy.rule.ServerCertKeyUsageExt.digitalSignature=true
-ca.Policy.rule.ServerCertKeyUsageExt.enable=true
-ca.Policy.rule.ServerCertKeyUsageExt.encipherOnly=false
-ca.Policy.rule.ServerCertKeyUsageExt.implName=KeyUsageExt
-ca.Policy.rule.ServerCertKeyUsageExt.keyAgreement=false
-ca.Policy.rule.ServerCertKeyUsageExt.keyCertsign=false
-ca.Policy.rule.ServerCertKeyUsageExt.keyEncipherment=true
-ca.Policy.rule.ServerCertKeyUsageExt.nonRepudiation=true
-ca.Policy.rule.ServerCertKeyUsageExt.predicate=HTTP_PARAMS.certType==server
-ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
-ca.Policy.rule.SigningAlgRule.enable=true
-ca.Policy.rule.SigningAlgRule.implName=SigningAlgorithmConstraints
-ca.Policy.rule.SigningAlgRule.predicate=
-ca.Policy.rule.SubCANameConstraints.enable=true
-ca.Policy.rule.SubCANameConstraints.implName=SubCANameConstraints
-ca.Policy.rule.SubCANameConstraints.predicate=HTTP_PARAMS.certType == ca
-ca.Policy.rule.SubjectAltNameExt.enable=true
-ca.Policy.rule.SubjectAltNameExt.implName=SubjectAltNameExt
-ca.Policy.rule.SubjectAltNameExt.numGeneralNames=3
-ca.Policy.rule.SubjectAltNameExt.predicate=HTTP_PARAMS.certType!=CEP-Request
-ca.Policy.rule.SubjectAltNameExt.generalName0.generalNameChoice=rfc822Name
-ca.Policy.rule.SubjectAltNameExt.generalName0.requestAttr=AUTH_TOKEN.mail
-ca.Policy.rule.SubjectAltNameExt.generalName1.generalNameChoice=rfc822Name
-ca.Policy.rule.SubjectAltNameExt.generalName1.requestAttr=AUTH_TOKEN.mailalternateaddress
-ca.Policy.rule.SubjectAltNameExt.generalName2.generalNameChoice=rfc822Name
-ca.Policy.rule.SubjectAltNameExt.generalName2.requestAttr=HTTP_PARAMS.csrRequestorEmail
-ca.Policy.rule.SubjectKeyIdentifierExt.enable=true
-ca.Policy.rule.SubjectKeyIdentifierExt.implName=SubjectKeyIdentifierExt
-ca.Policy.rule.SubjectKeyIdentifierExt.predicate=HTTP_PARAMS.certType==ca
-ca.Policy.rule.UniqueSubjectNameConstraints.enable=false
-ca.Policy.rule.UniqueSubjectNameConstraints.implName=UniqueSubjectNameConstraints
-ca.Policy.rule.UniqueSubjectNameConstraints.predicate=
-ca.crl._000=##
-ca.crl._001=## CA CRL
-ca.crl._002=##
-ca.crl.pageSize=100
-ca.crl.MasterCRL.allowExtensions=true
-ca.crl.MasterCRL.alwaysUpdate=false
-ca.crl.MasterCRL.autoUpdateInterval=240
-ca.crl.MasterCRL.caCertsOnly=false
-ca.crl.MasterCRL.cacheUpdateInterval=15
-ca.crl.MasterCRL.class=com.netscape.ca.CRLIssuingPoint
-ca.crl.MasterCRL.dailyUpdates=1:00
-ca.crl.MasterCRL.description=CA's complete Certificate Revocation List
-ca.crl.MasterCRL.enable=true
-ca.crl.MasterCRL.enableCRLCache=true
-ca.crl.MasterCRL.enableCRLUpdates=true
-ca.crl.MasterCRL.enableCacheRecovery=true
-ca.crl.MasterCRL.enableDailyUpdates=true
-ca.crl.MasterCRL.enableUpdateInterval=true
-ca.crl.MasterCRL.extendedNextUpdate=true
-ca.crl.MasterCRL.includeExpiredCerts=false
-ca.crl.MasterCRL.minUpdateInterval=0
-ca.crl.MasterCRL.nextUpdateGracePeriod=0
-ca.crl.MasterCRL.publishOnStart=false
-ca.crl.MasterCRL.signingAlgorithm=SHA256withRSA
-ca.crl.MasterCRL.updateSchema=1
-ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocation0=
-ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocationType0=URI
-ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessMethod0=caIssuers
-ca.crl.MasterCRL.extension.AuthorityInformationAccess.class=com.netscape.cms.crl.CMSAuthInfoAccessExtension
-ca.crl.MasterCRL.extension.AuthorityInformationAccess.critical=false
-ca.crl.MasterCRL.extension.AuthorityInformationAccess.enable=false
-ca.crl.MasterCRL.extension.AuthorityInformationAccess.numberOfAccessDescriptions=1
-ca.crl.MasterCRL.extension.AuthorityInformationAccess.type=CRLExtension
-ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.class=com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension
-ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.critical=false
-ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable=false
-ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.type=CRLExtension
-ca.crl.MasterCRL.extension.CRLNumber.class=com.netscape.cms.crl.CMSCRLNumberExtension
-ca.crl.MasterCRL.extension.CRLNumber.critical=false
-ca.crl.MasterCRL.extension.CRLNumber.enable=true
-ca.crl.MasterCRL.extension.CRLNumber.type=CRLExtension
-ca.crl.MasterCRL.extension.CRLReason.class=com.netscape.cms.crl.CMSCRLReasonExtension
-ca.crl.MasterCRL.extension.CRLReason.critical=false
-ca.crl.MasterCRL.extension.CRLReason.enable=true
-ca.crl.MasterCRL.extension.CRLReason.type=CRLEntryExtension
-ca.crl.MasterCRL.extension.DeltaCRLIndicator.class=com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension
-ca.crl.MasterCRL.extension.DeltaCRLIndicator.critical=true
-ca.crl.MasterCRL.extension.DeltaCRLIndicator.enable=false
-ca.crl.MasterCRL.extension.DeltaCRLIndicator.type=CRLExtension
-ca.crl.MasterCRL.extension.FreshestCRL.class=com.netscape.cms.crl.CMSFreshestCRLExtension
-ca.crl.MasterCRL.extension.FreshestCRL.critical=false
-ca.crl.MasterCRL.extension.FreshestCRL.enable=false
-ca.crl.MasterCRL.extension.FreshestCRL.numPoints=0
-ca.crl.MasterCRL.extension.FreshestCRL.pointName0=
-ca.crl.MasterCRL.extension.FreshestCRL.pointType0=
-ca.crl.MasterCRL.extension.FreshestCRL.type=CRLExtension
-ca.crl.MasterCRL.extension.InvalidityDate.class=com.netscape.cms.crl.CMSInvalidityDateExtension
-ca.crl.MasterCRL.extension.InvalidityDate.critical=false
-ca.crl.MasterCRL.extension.InvalidityDate.enable=true
-ca.crl.MasterCRL.extension.InvalidityDate.type=CRLEntryExtension
-ca.crl.MasterCRL.extension.IssuerAlternativeName.class=com.netscape.cms.crl.CMSIssuerAlternativeNameExtension
-ca.crl.MasterCRL.extension.IssuerAlternativeName.critical=false
-ca.crl.MasterCRL.extension.IssuerAlternativeName.enable=false
-ca.crl.MasterCRL.extension.IssuerAlternativeName.name0=
-ca.crl.MasterCRL.extension.IssuerAlternativeName.nameType0=
-ca.crl.MasterCRL.extension.IssuerAlternativeName.numNames=0
-ca.crl.MasterCRL.extension.IssuerAlternativeName.type=CRLExtension
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.class=com.netscape.cms.crl.CMSIssuingDistributionPointExtension
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.critical=true
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.enable=false
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.indirectCRL=false
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsCACerts=false
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsUserCerts=false
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlySomeReasons=
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointName=
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointType=
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.type=CRLExtension
-ca.notification.certIssued.emailSubject=Your Certificate Request
-ca.notification.certIssued.emailTemplate=[PKI_INSTANCE_PATH]/emails/certIssued_CA.html
-ca.notification.certIssued.enabled=false
-ca.notification.certIssued.senderEmail=
-ca.notification.certRevoked.emailSubject=Your Certificate Revoked
-ca.notification.certRevoked.emailTemplate=[PKI_INSTANCE_PATH]/emails/certRevoked_CA.html
-ca.notification.certRevoked.enabled=false
-ca.notification.certRevoked.senderEmail=
-ca.notification.requestInQ.emailSubject=Certificate Request in Queue
-ca.notification.requestInQ.emailTemplate=[PKI_INSTANCE_PATH]/emails/reqInQueue_CA.html
-ca.notification.requestInQ.enabled=false
-ca.notification.requestInQ.recipientEmail=
-ca.notification.requestInQ.senderEmail=
-ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
-ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
-ca.ocsp_signing.tokenname=internal
-ca.publish.createOwnDNEntry=false
-ca.publish.queue.enable=true
-ca.publish.queue.maxNumberOfThreads=3
-ca.publish.queue.pageSize=40
-ca.publish.queue.priorityLevel=0
-ca.publish.mapper.impl.LdapCaSimpleMap.class=com.netscape.cms.publish.mappers.LdapCaSimpleMap
-ca.publish.mapper.impl.LdapDNCompsMap.class=com.netscape.cms.publish.mappers.LdapCertCompsMap
-ca.publish.mapper.impl.LdapDNExactMap.class=com.netscape.cms.publish.mappers.LdapCertExactMap
-ca.publish.mapper.impl.LdapEnhancedMap.class=com.netscape.cms.publish.mappers.LdapEnhancedMap
-ca.publish.mapper.impl.LdapSimpleMap.class=com.netscape.cms.publish.mappers.LdapSimpleMap
-ca.publish.mapper.impl.LdapSubjAttrMap.class=com.netscape.cms.publish.mappers.LdapCertSubjMap
-ca.publish.mapper.impl.NoMap.class=com.netscape.cms.publish.mappers.NoMap
-ca.publish.mapper.instance.LdapCaCertMap.createCAEntry=true
-ca.publish.mapper.instance.LdapCaCertMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
-ca.publish.mapper.instance.LdapCaCertMap.pluginName=LdapCaSimpleMap
-ca.publish.mapper.instance.LdapCrlMap.createCAEntry=true
-ca.publish.mapper.instance.LdapCrlMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
-ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapCaSimpleMap
-ca.publish.mapper.instance.LdapUserCertMap.dnPattern=UID=$subj.UID,OU=people,O=$subj.o
-ca.publish.mapper.instance.LdapUserCertMap.pluginName=LdapSimpleMap
-ca.publish.mapper.instance.NoMap.pluginName=NoMap
-ca.publish.publisher.impl.FileBasedPublisher.class=com.netscape.cms.publish.publishers.FileBasedPublisher
-ca.publish.publisher.impl.LdapCaCertPublisher.class=com.netscape.cms.publish.publishers.LdapCaCertPublisher
-ca.publish.publisher.impl.LdapCertificatePairPublisher.class=com.netscape.cms.publish.publishers.LdapCertificatePairPublisher
-ca.publish.publisher.impl.LdapCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
-ca.publish.publisher.impl.LdapDeltaCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
-ca.publish.publisher.impl.LdapUserCertPublisher.class=com.netscape.cms.publish.publishers.LdapUserCertPublisher
-ca.publish.publisher.impl.OCSPPublisher.class=com.netscape.cms.publish.publishers.OCSPPublisher
-ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr=caCertificate;binary
-ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass=certificationAuthority
-ca.publish.publisher.instance.LdapCaCertPublisher.pluginName=LdapCaCertPublisher
-ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=certificateRevocationList;binary
-ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher
-ca.publish.publisher.instance.LdapCrossCertPairPublisher.caObjectClass=certificationAuthority
-ca.publish.publisher.instance.LdapCrossCertPairPublisher.crossCertPairAttr=crossCertificatePair;binary
-ca.publish.publisher.instance.LdapCrossCertPairPublisher.pluginName=LdapCertificatePairPublisher
-ca.publish.publisher.instance.LdapDeltaCrlPublisher.crlAttr=deltaRevocationList;binary
-ca.publish.publisher.instance.LdapDeltaCrlPublisher.pluginName=LdapDeltaCrlPublisher
-ca.publish.publisher.instance.LdapUserCertPublisher.certAttr=userCertificate;binary
-ca.publish.publisher.instance.LdapUserCertPublisher.pluginName=LdapUserCertPublisher
-ca.publish.rule.impl.Rule.class=com.netscape.cmscore.ldap.LdapRule
-ca.publish.rule.instance.LdapCaCertRule.enable=false
-ca.publish.rule.instance.LdapCaCertRule.mapper=LdapCaCertMap
-ca.publish.rule.instance.LdapCaCertRule.pluginName=Rule
-ca.publish.rule.instance.LdapCaCertRule.predicate=
-ca.publish.rule.instance.LdapCaCertRule.publisher=LdapCaCertPublisher
-ca.publish.rule.instance.LdapCaCertRule.type=cacert
-ca.publish.rule.instance.LdapCrlRule.enable=false
-ca.publish.rule.instance.LdapCrlRule.mapper=LdapCrlMap
-ca.publish.rule.instance.LdapCrlRule.pluginName=Rule
-ca.publish.rule.instance.LdapCrlRule.predicate=
-ca.publish.rule.instance.LdapCrlRule.publisher=LdapCrlPublisher
-ca.publish.rule.instance.LdapCrlRule.type=crl
-ca.publish.rule.instance.LdapUserCertRule.enable=false
-ca.publish.rule.instance.LdapUserCertRule.mapper=LdapUserCertMap
-ca.publish.rule.instance.LdapUserCertRule.pluginName=Rule
-ca.publish.rule.instance.LdapUserCertRule.predicate=
-ca.publish.rule.instance.LdapUserCertRule.publisher=LdapUserCertPublisher
-ca.publish.rule.instance.LdapUserCertRule.type=certs
-ca.publish.rule.instance.LdapXCertRule.enable=false
-ca.publish.rule.instance.LdapXCertRule.mapper=LdapCaCertMap
-ca.publish.rule.instance.LdapXCertRule.pluginName=Rule
-ca.publish.rule.instance.LdapXCertRule.predicate=
-ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher
-ca.publish.rule.instance.LdapXCertRule.type=xcert
-cmc.cert.confirmRequired=false
-cmc.lraPopWitness.verify.allow=true
-cmc.revokeCert.verify=true
-cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
-cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
-cms.passwordlist=internaldb,replicationdb
-cms.password.ignore.publishing.failure=true
-cms.version=
-cmsgateway._000=##
-cmsgateway._001=## In the event that all Admin Certificates have been lost
-cmsgateway._002=## for a given instance, perform the following steps to
-cmsgateway._003=## re-enroll for a new Admin Certificate:
-cmsgateway._004=##
-cmsgateway._005=## (1) Become 'root'
-cmsgateway._006=## (2) Type: 'service [PKI_INSTANCE_ID] stop'
-cmsgateway._007=## (3) Edit '[PKI_INSTANCE_ROOT]/[PKI_INSTANCE_ID]/conf/CS.cfg'
-cmsgateway._008=## and set the following name-value pairs (if necessary):
-cmsgateway._009=##
-cmsgateway._010=## ca.Policy.enable=true
-cmsgateway._011=## cmsgateway.enableAdminEnroll=true
-cmsgateway._012=##
-cmsgateway._013=## (4) Type: 'service [PKI_INSTANCE_ID] start'
-cmsgateway._014=## (5) Launch a browser and re-enroll for
-cmsgateway._015=## a new Admin Certificate by typing:
-cmsgateway._016=##
-cmsgateway._017=## https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ca/admin/ca/adminEnroll.html
-cmsgateway._018=##
-cmsgateway._019=## (6) Verify that the browser contains the new
-cmsgateway._020=## Admin Certificate by successfully navigating to:
-cmsgateway._021=##
-cmsgateway._022=## https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/ca/agent/ca/
-cmsgateway._023=##
-cmsgateway._024=## (7) Optionally, disable the Certificate Policies Framework
-cmsgateway._025=## by following steps (1) - (4), but ONLY resetting
-cmsgateway._026=## 'ca.Policy.enable=false', as
-cmsgateway._027=## 'cmsgateway.enableAdminEnroll=false' should have
-cmsgateway._028=## already been reset.
-cmsgateway._029=##
-cmsgateway.enableAdminEnroll=false
-https.port=8443
-http.port=8080
-dbs.enableSerialManagement=false
-dbs.beginRequestNumber=1
-dbs.endRequestNumber=10000000
-dbs.requestIncrement=10000000
-dbs.requestLowWaterMark=2000000
-dbs.requestCloneTransferNumber=10000
-dbs.requestDN=ou=ca, ou=requests
-dbs.requestRangeDN=ou=requests, ou=ranges
-dbs.beginSerialNumber=1
-dbs.endSerialNumber=10000000
-dbs.serialIncrement=10000000
-dbs.serialLowWaterMark=2000000
-dbs.serialCloneTransferNumber=10000
-dbs.serialDN=ou=certificateRepository, ou=ca
-dbs.serialRangeDN=ou=certificateRepository, ou=ranges
-dbs.beginReplicaNumber=1
-dbs.endReplicaNumber=100
-dbs.replicaIncrement=100
-dbs.replicaLowWaterMark=20
-dbs.replicaCloneTransferNumber=5
-dbs.replicaDN=ou=replica
-dbs.replicaRangeDN=ou=replica, ou=ranges
-dbs.ldap=internaldb
-dbs.newSchemaEntryAdded=true
-debug.append=true
-debug.enabled=true
-debug.filename=[PKI_INSTANCE_PATH]/logs/debug
-debug.hashkeytypes=
-debug.level=0
-debug.showcaller=false
-keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
-keys.ecc.curve.default=nistp521
-keys.rsa.keysize.default=2048
-internaldb._000=##
-internaldb._001=## Internal Database
-internaldb._002=##
-internaldb.basedn=
-internaldb.maxConns=15
-internaldb.minConns=3
-internaldb.ldapauth.authtype=BasicAuth
-internaldb.ldapauth.bindDN=cn=Directory Manager
-internaldb.ldapauth.bindPWPrompt=Internal LDAP Database
-internaldb.ldapauth.clientCertNickname=
-internaldb.ldapconn.host=
-internaldb.ldapconn.port=
-internaldb.ldapconn.secureConn=false
-preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/schema.ldif
-preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/database.ldif
-preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/acl.ldif
-preop.internaldb.index_ldif=
-preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/index.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlvtasks.ldif
-preop.internaldb.wait_dn=cn=index1160589769, cn=index, cn=tasks, cn=config
-internaldb.multipleSuffix.enable=false
-jobsScheduler._000=##
-jobsScheduler._001=## jobScheduler
-jobsScheduler._002=##
-jobsScheduler.enabled=false
-jobsScheduler.interval=1
-jobsScheduler.impl.PublishCertsJob.class=com.netscape.cms.jobs.PublishCertsJob
-jobsScheduler.impl.RenewalNotificationJob.class=com.netscape.cms.jobs.RenewalNotificationJob
-jobsScheduler.impl.RequestInQueueJob.class=com.netscape.cms.jobs.RequestInQueueJob
-jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.cms.jobs.UnpublishExpiredJob
-jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5
-jobsScheduler.job.certRenewalNotifier.emailSubject=Certificate Renewal Notification
-jobsScheduler.job.certRenewalNotifier.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1.txt
-jobsScheduler.job.certRenewalNotifier.enabled=false
-jobsScheduler.job.certRenewalNotifier.notifyEndOffset=30
-jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=30
-jobsScheduler.job.certRenewalNotifier.pluginName=RenewalNotificationJob
-jobsScheduler.job.certRenewalNotifier.senderEmail=
-jobsScheduler.job.certRenewalNotifier.summary.emailSubject=Certificate Renewal Notification Summary
-jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Summary.txt
-jobsScheduler.job.certRenewalNotifier.summary.enabled=true
-jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Item.txt
-jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=
-jobsScheduler.job.certRenewalNotifier.summary.senderEmail=
-jobsScheduler.job.publishCerts.cron=0 0 * * 2
-jobsScheduler.job.publishCerts.enabled=false
-jobsScheduler.job.publishCerts.pluginName=PublishCertsJob
-jobsScheduler.job.publishCerts.summary.emailSubject=Certs Publishing Summary
-jobsScheduler.job.publishCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/publishCerts.html
-jobsScheduler.job.publishCerts.summary.enabled=true
-jobsScheduler.job.publishCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/publishCertsItem.html
-jobsScheduler.job.publishCerts.summary.recipientEmail=
-jobsScheduler.job.publishCerts.summary.senderEmail=
-jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0
-jobsScheduler.job.requestInQueueNotifier.enabled=false
-jobsScheduler.job.requestInQueueNotifier.pluginName=RequestInQueueJob
-jobsScheduler.job.requestInQueueNotifier.subsystemId=ca
-jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report
-jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/riq1Summary.html
-jobsScheduler.job.requestInQueueNotifier.summary.enabled=true
-jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=
-jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=
-jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
-jobsScheduler.job.unpublishExpiredCerts.enabled=false
-jobsScheduler.job.unpublishExpiredCerts.pluginName=UnpublishExpiredJob
-jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=Expired Certs Unpublished Summary
-jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/euJob1.html
-jobsScheduler.job.unpublishExpiredCerts.summary.enabled=true
-jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/euJob1Item.html
-jobsScheduler.job.unpublishExpiredCerts.summary.recipientEmail=
-jobsScheduler.job.unpublishExpiredCerts.summary.senderEmail=
-jss._000=##
-jss._001=## JSS
-jss._002=##
-jss.configDir=[PKI_INSTANCE_PATH]/alias/
-jss.enable=true
-jss.secmodName=secmod.db
-jss.ocspcheck.enable=false
-jss.ssl.cipherfortezza=true
-jss.ssl.cipherpref=
-jss.ssl.cipherversion=cipherdomestic
-log._000=##
-log._001=## Logging
-log._002=##
-log.impl.file.class=com.netscape.cms.logging.RollingLogFile
-log.instance.SignedAudit._000=##
-log.instance.SignedAudit._001=## Signed Audit Logging
-log.instance.SignedAudit._002=##
-log.instance.SignedAudit.bufferSize=512
-log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events._000=##
-log.instance.SignedAudit.events._001=## Available Audit events:
-log.instance.SignedAudit.events._002=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
-log.instance.SignedAudit.events._003=## 
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
-log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ca_audit
-log.instance.SignedAudit.flushInterval=5
-log.instance.SignedAudit.level=1
-log.instance.SignedAudit.logSigning=false
-log.instance.SignedAudit.maxFileSize=2000
-log.instance.SignedAudit.pluginName=file
-log.instance.SignedAudit.rolloverInterval=2592000
-log.instance.SignedAudit.signedAudit=_002=##
-log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
-log.instance.SignedAudit.type=signedAudit
-log.instance.System._000=##
-log.instance.System._001=## System Logging
-log.instance.System._002=##
-log.instance.System.bufferSize=512
-log.instance.System.enable=true
-log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
-log.instance.System.flushInterval=5
-log.instance.System.level=3
-log.instance.System.maxFileSize=2000
-log.instance.System.pluginName=file
-log.instance.System.rolloverInterval=2592000
-log.instance.System.type=system
-log.instance.Transactions._000=##
-log.instance.Transactions._001=## Transaction Logging
-log.instance.Transactions._002=##
-log.instance.Transactions.bufferSize=512
-log.instance.Transactions.enable=true
-log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
-log.instance.Transactions.flushInterval=5
-log.instance.Transactions.level=1
-log.instance.Transactions.maxFileSize=2000
-log.instance.Transactions.pluginName=file
-log.instance.Transactions.rolloverInterval=2592000
-log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/error
-oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
-oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
-oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
-oidmap.challenge_password.oid=1.2.840.113549.1.9.7
-oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension
-oidmap.extended_key_usage.oid=2.5.29.37
-oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
-oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14
-oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
-oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8
-oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension
-oidmap.netscape_comment.oid=2.16.840.1.113730.1.13
-oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension
-oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5
-oidmap.pse.class=netscape.security.extensions.PresenceServerExtension
-oidmap.pse.oid=2.16.840.1.113730.1.18
-oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
-oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
-os.userid=nobody
-profile.list=caUserCert,caUserSMIMEcapCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caJarSigningCert,caIPAserviceCert
-profile.caUUIDdeviceCert.class_id=caEnrollImpl
-profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUUIDdeviceCert.cfg
-profile.caManualRenewal.class_id=caEnrollImpl
-profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caManualRenewal.cfg
-profile.caDirUserRenewal.class_id=caEnrollImpl
-profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserRenewal.cfg
-profile.caSSLClientSelfRenewal.class_id=caEnrollImpl
-profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caSSLClientSelfRenewal.cfg
-profile.DomainController.class_id=caEnrollImpl
-profile.DomainController.config=[PKI_INSTANCE_PATH]/profiles/ca/DomainController.cfg
-profile.caAgentFileSigning.class_id=caEnrollImpl
-profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentFileSigning.cfg
-profile.caAgentServerCert.class_id=caEnrollImpl
-profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentServerCert.cfg
-profile.caRAserverCert.class_id=caEnrollImpl
-profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAserverCert.cfg
-profile.caCACert.class_id=caEnrollImpl
-profile.caCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCACert.cfg
-profile.caInstallCACert.class_id=caEnrollImpl
-profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInstallCACert.cfg
-profile.caCMCUserCert.class_id=caEnrollImpl
-profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCMCUserCert.cfg
-profile.caDirUserCert.class_id=caEnrollImpl
-profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserCert.cfg
-profile.caDualCert.class_id=caEnrollImpl
-profile.caDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualCert.cfg
-profile.caDualRAuserCert.class_id=caEnrollImpl
-profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualRAuserCert.cfg
-profile.caRAagentCert.class_id=caEnrollImpl
-profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAagentCert.cfg
-profile.caFullCMCUserCert.class_id=caEnrollImpl
-profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caFullCMCUserCert.cfg
-profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
-profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthOCSPCert.cfg
-profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
-profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthAuditSigningCert.cfg
-profile.caInternalAuthServerCert.class_id=caEnrollImpl
-profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthServerCert.cfg
-profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl
-profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthSubsystemCert.cfg
-profile.caInternalAuthDRMstorageCert.class_id=caEnrollImpl
-profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthDRMstorageCert.cfg
-profile.caInternalAuthTransportCert.class_id=caEnrollImpl
-profile.caInternalAuthTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthTransportCert.cfg
-profile.caOCSPCert.class_id=caEnrollImpl
-profile.caOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOCSPCert.cfg
-profile.caOtherCert.class_id=caEnrollImpl
-profile.caOtherCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOtherCert.cfg
-profile.caRACert.class_id=caEnrollImpl
-profile.caRACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRACert.cfg
-profile.caRARouterCert.class_id=caEnrollImpl
-profile.caRARouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRARouterCert.cfg
-profile.caRouterCert.class_id=caEnrollImpl
-profile.caRouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRouterCert.cfg
-profile.caServerCert.class_id=caEnrollImpl
-profile.caServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caServerCert.cfg
-profile.caSignedLogCert.class_id=caEnrollImpl
-profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSignedLogCert.cfg
-profile.caSimpleCMCUserCert.class_id=caEnrollImpl
-profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSimpleCMCUserCert.cfg
-profile.caTPSCert.class_id=caEnrollImpl
-profile.caTPSCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTPSCert.cfg
-profile.caAdminCert.class_id=caEnrollImpl
-profile.caAdminCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAdminCert.cfg
-profile.caTempTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
-profile.caTempTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTempTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
-profile.caTokenUserEncryptionKeyRenewal.class_id=caUserCertEnrollImpl
-profile.caTokenUserEncryptionKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
-profile.caTempTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
-profile.caTokenUserSigningKeyRenewal.class_id=caUserCertEnrollImpl
-profile.caTokenUserSigningKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyRenewal.cfg
-profile.caTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenDeviceKeyEnrollment.cfg
-profile.caTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
-profile.caTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
-profile.caTokenMSLoginEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenMSLoginEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenMSLoginEnrollment.cfg
-profile.caTransportCert.class_id=caEnrollImpl
-profile.caTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTransportCert.cfg
-profile.caUserCert.class_id=caEnrollImpl
-profile.caUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserCert.cfg
-profile.caUserSMIMEcapCert.class_id=caEnrollImpl
-profile.caUserSMIMEcapCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserSMIMEcapCert.cfg
-profile.caJarSigningCert.class_id=caEnrollImpl
-profile.caJarSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caJarSigningCert.cfg
-profile.caIPAserviceCert.class_id=caEnrollImpl
-profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caIPAserviceCert.cfg
-registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg
-request.assignee.enable=true
-selftests._000=##
-selftests._001=## Self Tests
-selftests._002=##
-selftests._003=## The Self-Test plugin SystemCertsVerification uses the
-selftests._004=## following parameters (where certusage is optional):
-selftests._005=## ca.cert.list =
-selftests._006=## ca.cert..nickname
-selftests._007=## ca.cert..certusage
-selftests._008=##
-selftests.container.instance.CAPresence=com.netscape.cms.selftests.ca.CAPresence
-selftests.container.instance.CAValidity=com.netscape.cms.selftests.ca.CAValidity
-selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification
-selftests.container.logger.bufferSize=512
-selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
-selftests.container.logger.enable=true
-selftests.container.logger.expirationTime=0
-selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
-selftests.container.logger.flushInterval=5
-selftests.container.logger.level=1
-selftests.container.logger.maxFileSize=2000
-selftests.container.logger.register=false
-selftests.container.logger.rolloverInterval=2592000
-selftests.container.logger.type=transaction
-selftests.container.order.onDemand=CAPresence:critical, SystemCertsVerification:critical, CAValidity:critical
-selftests.container.order.startup=CAPresence:critical, SystemCertsVerification:critical
-selftests.plugin.CAPresence.CaSubId=ca
-selftests.plugin.CAValidity.CaSubId=ca
-selftests.plugin.SystemCertsVerification.SubId=ca
-smtp.host=localhost
-smtp.port=25
-subsystem.0.class=com.netscape.ca.CertificateAuthority
-subsystem.0.id=ca
-subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem
-subsystem.1.id=profile
-subsystem.2.class=com.netscape.cmscore.selftests.SelfTestSubsystem
-subsystem.2.id=selftests
-subsystem.3.class=com.netscape.cmscore.cert.CrossCertPairSubsystem
-subsystem.3.id=CrossCertPair
-subsystem.4.class=com.netscape.cmscore.util.StatsSubsystem
-subsystem.4.id=stats
-usrgrp._000=##
-usrgrp._001=## User/Group
-usrgrp._002=##
-usrgrp.ldap=internaldb
-multiroles._000=##
-multiroles._001=## multiroles
-multiroles._002=##
-multiroles.enable=true
-multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group
diff --git a/pki/base/ca/shared/conf/CS.cfg.in b/pki/base/ca/shared/conf/CS.cfg.in
new file mode 100644
index 000000000..e9b265f76
--- /dev/null
+++ b/pki/base/ca/shared/conf/CS.cfg.in
@@ -0,0 +1,1070 @@
+#
+#cs.state=0 (pre-operational)
+#cs.state=1 (running)
+#
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
+pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT]
+pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT]
+pkicreate.ee_secure_client_auth_port=[PKI_EE_SECURE_CLIENT_AUTH_PORT]
+pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT]
+pkicreate.secure_port=[PKI_SECURE_PORT]
+pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
+pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT]
+pkicreate.user=[PKI_USER]
+pkicreate.arg11.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
+installDate=[INSTALL_TIME]
+preop.wizard.name=CA Setup Wizard
+preop.product.name=CS
+preop.product.version=@VERSION@
+preop.system.name=CA
+preop.system.fullname=Certificate Authority
+cs.state=0
+cs.type=CA
+authType=pwd
+admin.interface.uri=ca/admin/console/config/wizard
+ee.interface.uri=ca/ee/ca
+agent.interface.uri=ca/agent/ca
+preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445
+securitydomain.flushinterval=86400000
+securitydomain.source=ldap
+securitydomain.checkinterval=300000
+instanceRoot=[PKI_INSTANCE_PATH]
+machineName=[PKI_MACHINE_NAME]
+instanceId=[PKI_INSTANCE_ID]
+service.machineName=[PKI_MACHINE_NAME]
+service.instanceDir=[PKI_INSTANCE_ROOT]
+service.securePort=[PKI_AGENT_SECURE_PORT]
+service.non_clientauth_securePort=[PKI_EE_SECURE_PORT]
+service.clientauth_securePort=[PKI_EE_SECURE_CLIENT_AUTH_PORT]
+service.unsecurePort=[PKI_UNSECURE_PORT]
+service.instanceID=[PKI_INSTANCE_ID]
+preop.admin.name=Certificate System Administrator
+preop.admin.group=Certificate Manager Agents
+preop.admincert.profile=caAdminCert
+preop.pin=[PKI_RANDOM_NUMBER]
+ca.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
+preop.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
+preop.cert.signing.enable=true
+preop.cert.ocsp_signing.enable=true
+preop.cert.sslserver.enable=true
+preop.cert.subsystem.enable=true
+preop.cert.audit_signing.enable=true
+preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.signing.dn=CN=Certificate Authority
+preop.cert.signing.cncomponent.override=true
+preop.cert.signing.keysize.size=2048
+preop.cert.signing.keysize.custom_size=2048
+preop.cert.signing.nickname=caSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.signing.profile=caCert.profile
+preop.cert.signing.signing.required=true
+preop.cert.signing.subsystem=ca
+preop.cert.signing.type=selfsign
+preop.cert.signing.userfriendlyname=CA Signing Certificate
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.audit_signing.dn=CN=CA Audit Signing Certificate
+preop.cert.audit_signing.keysize.custom_size=2048
+preop.cert.audit_signing.keysize.size=2048
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.audit_signing.profile=caAuditSigningCert.profile
+preop.cert.audit_signing.signing.required=false
+preop.cert.audit_signing.subsystem=ca
+preop.cert.audit_signing.type=local
+preop.cert.audit_signing.userfriendlyname=CA Audit Signing Certificate
+preop.cert.audit_signing.cncomponent.override=true
+preop.cert.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.ocsp_signing.dn=CN=OCSP Signing Certificate
+preop.cert.ocsp_signing.keysize.custom_size=2048
+preop.cert.ocsp_signing.keysize.size=2048
+preop.cert.ocsp_signing.nickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.ocsp_signing.profile=caOCSPCert.profile
+preop.cert.ocsp_signing.signing.required=true
+preop.cert.ocsp_signing.subsystem=ca
+preop.cert.ocsp_signing.type=local
+preop.cert.ocsp_signing.userfriendlyname=OCSP Signing Certificate
+preop.cert.ocsp_signing.cncomponent.override=true
+preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME]
+preop.cert.sslserver.keysize.custom_size=2048
+preop.cert.sslserver.keysize.size=2048
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
+preop.cert.sslserver.profile=serverCert.profile
+preop.cert.sslserver.signing.required=false
+preop.cert.sslserver.subsystem=ca
+preop.cert.sslserver.type=local
+preop.cert.sslserver.userfriendlyname=SSL Server Certificate
+preop.cert.sslserver.cncomponent.override=false
+preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.subsystem.dn=CN=CA Subsystem Certificate
+preop.cert.subsystem.keysize.custom_size=2048
+preop.cert.subsystem.keysize.size=2048
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
+preop.cert.subsystem.profile=subsystemCert.profile
+preop.cert.subsystem.signing.required=false
+preop.cert.subsystem.subsystem=ca
+preop.cert.subsystem.type=local
+preop.cert.subsystem.userfriendlyname=Subsystem Certificate
+preop.cert.subsystem.cncomponent.override=true
+preop.cert.admin.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.admin.dn=uid=admin,cn=admin
+preop.cert.admin.keysize.custom_size=2048
+preop.cert.admin.keysize.size=2048
+preop.cert.admin.profile=adminCert.profile
+preop.hierarchy.profile=caCert.profile
+preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
+preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
+preop.configModules.module0.imagePath=../img/clearpixel.gif
+preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
+preop.configModules.module1.commonName=nfast
+preop.configModules.module1.imagePath=../img/clearpixel.gif
+preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
+preop.configModules.module2.commonName=lunasa
+preop.configModules.module2.imagePath=../img/clearpixel.gif
+preop.configModules.count=3
+preop.module.token=Internal Key Storage Token
+preop.name.caDN=CN=Certificate Authority
+preop.name.sslDN=CN=[PKI_MACHINE_NAME]
+preop.name.ocspDN=CN=OCSP Signing Certificate
+preop.name.subsystemDN=CN=CA Subsystem Certificate
+preop.name.canickname=caSigningCert cert-[PKI_INSTANCE_ID]
+preop.name.ocspnickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
+preop.name.subsystemnickname=subsystemCert cert-[PKI_INSTANCE_ID]
+preop.name.sslnickname=Server-Cert cert-[PKI_INSTANCE_ID]
+preop.subsystem.count=0
+subsystem.count=0
+passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf
+passwordClass=com.netscape.cmsutil.password.PlainPasswordFile
+CrossCertPair._000=##
+CrossCertPair._001=## CrossCertPair Import
+CrossCertPair._002=##
+CrossCertPair.ldap=internaldb
+accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
+accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
+accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
+accessEvaluator.impl.user_origreq.class=com.netscape.cms.evaluators.UserOrigReqAccessEvaluator
+auths._000=##
+auths._001=## new authentication
+auths._002=##
+auths.impl._000=##
+auths.impl._001=## authentication manager implementations
+auths.impl._002=##
+auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication
+auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth
+auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth
+auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
+auths.impl.SSLclientCertAuth.class=com.netscape.cms.authentication.SSLclientCertAuthentication
+auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication
+auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
+auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
+auths.impl.UidPwdGroupDirAuth.class=com.netscape.cms.authentication.UidPwdGroupDirAuthentication
+auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication
+auths.impl.FlatFileAuth.class=com.netscape.cms.authentication.FlatFileAuth
+auths.instance.TokenAuth.pluginName=TokenAuth
+auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
+auths.instance.AgentCertAuth.pluginName=AgentCertAuth
+auths.instance.raCertAuth.agentGroup=Registration Manager Agents
+auths.instance.raCertAuth.pluginName=AgentCertAuth
+auths.instance.flatFileAuth.pluginName=FlatFileAuth
+auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/flatfile.txt
+auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
+auths.revocationChecking.bufferSize=50
+auths.revocationChecking.ca=ca
+auths.revocationChecking.enabled=true
+auths.revocationChecking.unknownStateInterval=0
+auths.revocationChecking.validityInterval=120
+authz._000=##
+authz._001=## new authorizatioin
+authz._002=##
+authz.evaluateOrder=deny,allow
+authz.sourceType=ldap
+authz.impl._000=##
+authz.impl._001=## authorization manager implementations
+authz.impl._002=##
+authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz
+authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
+authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz
+authz.instance.DirAclAuthz.ldap=internaldb
+authz.instance.DirAclAuthz.pluginName=DirAclAuthz
+authz.instance.DirAclAuthz.ldap._000=##
+authz.instance.DirAclAuthz.ldap._001=## Internal Database
+authz.instance.DirAclAuthz.ldap._002=##
+ca.ocsp=true
+ca.certdbInc=20
+ca.crldbInc=20
+ca.id=ca
+ca.local=true
+ca.ocspUseCache=false
+ca.enableNonces=true
+ca.maxNumberOfNonces=100
+ca.reqdbInc=20
+ca.transitMaxRecords=1000000
+ca.transitRecordPageSize=200
+# maxSearchReturns - limits number of search results returned by SearchReqs and SrchCerts
+# ca.maxSearchReturns=1000
+ca.scep.enable=false
+ca.scep.hashAlgorithm=SHA1
+ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
+ca.scep.encryptionAlgorithm=DES3
+ca.scep.allowedEncryptionAlgorithms=DES3
+ca.scep.nonceSizeLimit=16
+ca.Policy._000=##
+ca.Policy._001=## Certificate Policy Framework (deprecated)
+ca.Policy._002=##
+ca.Policy._003=## Set 'ca.Policy.enable=true' to allow the following:
+ca.Policy._004=##
+ca.Policy._005=## SERVLET-NAME URL-PATTERN
+ca.Policy._006=## ====================================================
+ca.Policy._007=## caadminEnroll ca/admin/ca/adminEnroll.html
+ca.Policy._008=## cabulkissuance ca/agent/ca/bulkissuance.html
+ca.Policy._009=## cacertbasedenrollment ca/certbasedenrollment.html
+ca.Policy._010=## caenrollment ca/enrollment.html
+ca.Policy._011=## capolicy ca/capolicy
+ca.Policy._012=##
+ca.Policy.enable=false
+ca.Policy.order=KeyAlgRule, RSAKeyRule, DefaultValidityRule, RenewalConstraintsRule, DefaultRenewalValidityRule, RevocationConstraintsRule, NSCertTypeExt, CMCertKeyUsageExt, RMCertKeyUsageExt, ClientCertKeyUsageExt, ServerCertKeyUsageExt, ObjSignCertKeyUsageExt, CRLSignCertKeyUsageExt, SubjectKeyIdentifierExt, CertificatePoliciesExt, NSCCommentExt, OCSPNoCheckExt, OCSPSigningExt, CODESigningExt, GenericASN1Ext, CRLDistributionPointsExt, SubjectAltNameExt, SigningAlgRule, AuthorityKeyIdentifierExt, AuthInfoAccessExt, BasicConstraintsExt, UniqueSubjectNameConstraints, NameConstraintsExt, PolicyConstraintsExt, SubCANameConstraints, PolicyMappingsExt, IssuerRule
+ca.Policy.processor=classic
+ca.Policy.impl._000=##
+ca.Policy.impl._001=## Policy Implementations
+ca.Policy.impl._002=##
+ca.Policy.impl.AttributePresentConstraints.class=com.netscape.cms.policy.constraints.AttributePresentConstraints
+ca.Policy.impl.AuthInfoAccessExt.class=com.netscape.cms.policy.extensions.AuthInfoAccessExt
+ca.Policy.impl.AuthorityKeyIdentifierExt.class=com.netscape.cms.policy.extensions.AuthorityKeyIdentifierExt
+ca.Policy.impl.BasicConstraintsExt.class=com.netscape.cms.policy.extensions.BasicConstraintsExt
+ca.Policy.impl.CRLDistributionPointsExt.class=com.netscape.cms.policy.extensions.CRLDistributionPointsExt
+ca.Policy.impl.CertificatePoliciesExt.class=com.netscape.cms.policy.extensions.CertificatePoliciesExt
+ca.Policy.impl.CertificateRenewalWindowExt.class=com.netscape.cms.policy.extensions.CertificateRenewalWindowExt
+ca.Policy.impl.CertificateScopeOfUseExt.class=com.netscape.cms.policy.extensions.CertificateScopeOfUseExt
+ca.Policy.impl.DSAKeyConstraints.class=com.netscape.cms.policy.constraints.DSAKeyConstraints
+ca.Policy.impl.ExtendedKeyUsageExt.class=com.netscape.cms.policy.extensions.ExtendedKeyUsageExt
+ca.Policy.impl.GenericASN1Ext.class=com.netscape.cms.policy.extensions.GenericASN1Ext
+ca.Policy.impl.IssuerAltNameExt.class=com.netscape.cms.policy.extensions.IssuerAltNameExt
+ca.Policy.impl.IssuerConstraints.class=com.netscape.cms.policy.constraints.IssuerConstraints
+ca.Policy.impl.KeyAlgorithmConstraints.class=com.netscape.cms.policy.constraints.KeyAlgorithmConstraints
+ca.Policy.impl.KeyUsageExt.class=com.netscape.cms.policy.extensions.KeyUsageExt
+ca.Policy.impl.NSCCommentExt.class=com.netscape.cms.policy.extensions.NSCCommentExt
+ca.Policy.impl.NSCertTypeExt.class=com.netscape.cms.policy.extensions.NSCertTypeExt
+ca.Policy.impl.NameConstraintsExt.class=com.netscape.cms.policy.extensions.NameConstraintsExt
+ca.Policy.impl.OCSPNoCheckExt.class=com.netscape.cms.policy.extensions.OCSPNoCheckExt
+ca.Policy.impl.PolicyConstraintsExt.class=com.netscape.cms.policy.extensions.PolicyConstraintsExt
+ca.Policy.impl.PolicyMappingsExt.class=com.netscape.cms.policy.extensions.PolicyMappingsExt
+ca.Policy.impl.PrivateKeyUsagePeriodExt.class=com.netscape.cms.policy.extensions.PrivateKeyUsagePeriodExt
+ca.Policy.impl.RSAKeyConstraints.class=com.netscape.cms.policy.constraints.RSAKeyConstraints
+ca.Policy.impl.RemoveBasicConstraintsExt.class=com.netscape.cms.policy.extensions.RemoveBasicConstraintsExt
+ca.Policy.impl.RenewalConstraints.class=com.netscape.cms.policy.constraints.RenewalConstraints
+ca.Policy.impl.RenewalValidityConstraints.class=com.netscape.cms.policy.constraints.RenewalValidityConstraints
+ca.Policy.impl.RevocationConstraints.class=com.netscape.cms.policy.constraints.RevocationConstraints
+ca.Policy.impl.SigningAlgorithmConstraints.class=com.netscape.cms.policy.constraints.SigningAlgorithmConstraints
+ca.Policy.impl.SubCANameConstraints.class=com.netscape.cms.policy.constraints.SubCANameConstraints
+ca.Policy.impl.SubjectAltNameExt.class=com.netscape.cms.policy.extensions.SubjectAltNameExt
+ca.Policy.impl.SubjectDirectoryAttributesExt.class=com.netscape.cms.policy.extensions.SubjectDirectoryAttributesExt
+ca.Policy.impl.SubjectKeyIdentifierExt.class=com.netscape.cms.policy.extensions.SubjectKeyIdentifierExt
+ca.Policy.impl.UniqueSubjectNameConstraints.class=com.netscape.cms.policy.constraints.UniqueSubjectNameConstraints
+ca.Policy.impl.ValidityConstraints.class=com.netscape.cms.policy.constraints.ValidityConstraints
+ca.Policy.rule.AuthInfoAccessExt.ad0_location=http://[PKI_MACHINE_NAME]:8080/ocsp
+ca.Policy.rule.AuthInfoAccessExt.ad0_location_type=URL
+ca.Policy.rule.AuthInfoAccessExt.ad0_method=ocsp
+ca.Policy.rule.AuthInfoAccessExt.enable=false
+ca.Policy.rule.AuthInfoAccessExt.implName=AuthInfoAccessExt
+ca.Policy.rule.AuthInfoAccessExt.numADs=1
+ca.Policy.rule.AuthInfoAccessExt.predicate=HTTP_PARAMS.certType==client
+ca.Policy.rule.AuthorityKeyIdentifierExt.enable=true
+ca.Policy.rule.AuthorityKeyIdentifierExt.implName=AuthorityKeyIdentifierExt
+ca.Policy.rule.AuthorityKeyIdentifierExt.predicate=
+ca.Policy.rule.BasicConstraintsExt.critical=true
+ca.Policy.rule.BasicConstraintsExt.enable=true
+ca.Policy.rule.BasicConstraintsExt.implName=BasicConstraintsExt
+ca.Policy.rule.BasicConstraintsExt.maxPathLen=
+ca.Policy.rule.BasicConstraintsExt.predicate=HTTP_PARAMS.certType == ca
+ca.Policy.rule.BasicConstraintsExt.removeBasicExt=true
+ca.Policy.rule.CMCertKeyUsageExt.crlSign=true
+ca.Policy.rule.CMCertKeyUsageExt.dataEncipherment=false
+ca.Policy.rule.CMCertKeyUsageExt.decipherOnly=false
+ca.Policy.rule.CMCertKeyUsageExt.digitalSignature=true
+ca.Policy.rule.CMCertKeyUsageExt.enable=true
+ca.Policy.rule.CMCertKeyUsageExt.encipherOnly=false
+ca.Policy.rule.CMCertKeyUsageExt.implName=KeyUsageExt
+ca.Policy.rule.CMCertKeyUsageExt.keyAgreement=false
+ca.Policy.rule.CMCertKeyUsageExt.keyCertsign=true
+ca.Policy.rule.CMCertKeyUsageExt.keyEncipherment=false
+ca.Policy.rule.CMCertKeyUsageExt.nonRepudiation=true
+ca.Policy.rule.CMCertKeyUsageExt.predicate=HTTP_PARAMS.certType==ca
+ca.Policy.rule.CODESigningExt.critical=false
+ca.Policy.rule.CODESigningExt.enable=true
+ca.Policy.rule.CODESigningExt.id0=1.3.6.1.5.5.7.3.3
+ca.Policy.rule.CODESigningExt.implName=ExtendedKeyUsageExt
+ca.Policy.rule.CODESigningExt.predicate=HTTP_PARAMS.certType==codeSignClient
+ca.Policy.rule.CRLDistributionPointsExt.enable=false
+ca.Policy.rule.CRLDistributionPointsExt.implName=CRLDistributionPointsExt
+ca.Policy.rule.CRLDistributionPointsExt.issuerName0=
+ca.Policy.rule.CRLDistributionPointsExt.issuerName1=
+ca.Policy.rule.CRLDistributionPointsExt.issuerName2=
+ca.Policy.rule.CRLDistributionPointsExt.issuerType0=
+ca.Policy.rule.CRLDistributionPointsExt.issuerType1=
+ca.Policy.rule.CRLDistributionPointsExt.issuerType2=
+ca.Policy.rule.CRLDistributionPointsExt.numPoints=0
+ca.Policy.rule.CRLDistributionPointsExt.pointName0=
+ca.Policy.rule.CRLDistributionPointsExt.pointName1=
+ca.Policy.rule.CRLDistributionPointsExt.pointName2=
+ca.Policy.rule.CRLDistributionPointsExt.pointType0=
+ca.Policy.rule.CRLDistributionPointsExt.pointType1=
+ca.Policy.rule.CRLDistributionPointsExt.pointType2=
+ca.Policy.rule.CRLDistributionPointsExt.predicate=
+ca.Policy.rule.CRLDistributionPointsExt.reasons0=
+ca.Policy.rule.CRLDistributionPointsExt.reasons1=
+ca.Policy.rule.CRLDistributionPointsExt.reasons2=
+ca.Policy.rule.CRLSignCertKeyUsageExt.crlSign=true
+ca.Policy.rule.CRLSignCertKeyUsageExt.dataEncipherment=false
+ca.Policy.rule.CRLSignCertKeyUsageExt.decipherOnly=false
+ca.Policy.rule.CRLSignCertKeyUsageExt.digitalSignature=false
+ca.Policy.rule.CRLSignCertKeyUsageExt.enable=true
+ca.Policy.rule.CRLSignCertKeyUsageExt.encipherOnly=false
+ca.Policy.rule.CRLSignCertKeyUsageExt.implName=KeyUsageExt
+ca.Policy.rule.CRLSignCertKeyUsageExt.keyAgreement=false
+ca.Policy.rule.CRLSignCertKeyUsageExt.keyCertsign=false
+ca.Policy.rule.CRLSignCertKeyUsageExt.keyEncipherment=false
+ca.Policy.rule.CRLSignCertKeyUsageExt.nonRepudiation=false
+ca.Policy.rule.CRLSignCertKeyUsageExt.predicate=HTTP_PARAMS.certType==caCrlSigning
+ca.Policy.rule.CertificatePoliciesExt.critical=false
+ca.Policy.rule.CertificatePoliciesExt.enable=false
+ca.Policy.rule.CertificatePoliciesExt.implName=CertificatePoliciesExt
+ca.Policy.rule.CertificatePoliciesExt.numCertPolicies=1
+ca.Policy.rule.CertificatePoliciesExt.predicate=
+ca.Policy.rule.CertificatePoliciesExt.certPolicy0.cpsURI=
+ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefNumbers=
+ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefOrganization=
+ca.Policy.rule.CertificatePoliciesExt.certPolicy0.policyId=
+ca.Policy.rule.CertificatePoliciesExt.certPolicy0.userNoticeExplicitText=
+ca.Policy.rule.ClientCertKeyUsageExt.crlSign=false
+ca.Policy.rule.ClientCertKeyUsageExt.dataEncipherment=false
+ca.Policy.rule.ClientCertKeyUsageExt.decipherOnly=false
+ca.Policy.rule.ClientCertKeyUsageExt.digitalSignature=true
+ca.Policy.rule.ClientCertKeyUsageExt.enable=true
+ca.Policy.rule.ClientCertKeyUsageExt.encipherOnly=false
+ca.Policy.rule.ClientCertKeyUsageExt.implName=KeyUsageExt
+ca.Policy.rule.ClientCertKeyUsageExt.keyAgreement=false
+ca.Policy.rule.ClientCertKeyUsageExt.keyCertsign=false
+ca.Policy.rule.ClientCertKeyUsageExt.keyEncipherment=true
+ca.Policy.rule.ClientCertKeyUsageExt.nonRepudiation=true
+ca.Policy.rule.ClientCertKeyUsageExt.predicate=HTTP_PARAMS.certType==client
+ca.Policy.rule.DSAKeyRule.enable=true
+ca.Policy.rule.DSAKeyRule.implName=DSAKeyConstraints
+ca.Policy.rule.DSAKeyRule.maxSize=1024
+ca.Policy.rule.DSAKeyRule.minSize=512
+ca.Policy.rule.DSAKeyRule.predicate=
+ca.Policy.rule.DefaultRenewalValidityRule.enable=true
+ca.Policy.rule.DefaultRenewalValidityRule.implName=RenewalValidityConstraints
+ca.Policy.rule.DefaultRenewalValidityRule.maxValidity=365
+ca.Policy.rule.DefaultRenewalValidityRule.minValidity=30
+ca.Policy.rule.DefaultRenewalValidityRule.predicate=
+ca.Policy.rule.DefaultRenewalValidityRule.renewalInterval=15
+ca.Policy.rule.DefaultValidityRule.enable=true
+ca.Policy.rule.DefaultValidityRule.implName=ValidityConstraints
+ca.Policy.rule.DefaultValidityRule.maxValidity=365
+ca.Policy.rule.DefaultValidityRule.minValidity=1
+ca.Policy.rule.DefaultValidityRule.predicate=
+ca.Policy.rule.GenericASN1Ext.critical=false
+ca.Policy.rule.GenericASN1Ext.enable=false
+ca.Policy.rule.GenericASN1Ext.implName=GenericASN1Ext
+ca.Policy.rule.GenericASN1Ext.name=
+ca.Policy.rule.GenericASN1Ext.oid=
+ca.Policy.rule.GenericASN1Ext.pattern=
+ca.Policy.rule.GenericASN1Ext.predicate=
+ca.Policy.rule.GenericASN1Ext.attribute.0.source=
+ca.Policy.rule.GenericASN1Ext.attribute.0.type=
+ca.Policy.rule.GenericASN1Ext.attribute.0.value=
+ca.Policy.rule.GenericASN1Ext.attribute.1.source=
+ca.Policy.rule.GenericASN1Ext.attribute.1.type=
+ca.Policy.rule.GenericASN1Ext.attribute.1.value=
+ca.Policy.rule.GenericASN1Ext.attribute.2.source=
+ca.Policy.rule.GenericASN1Ext.attribute.2.type=
+ca.Policy.rule.GenericASN1Ext.attribute.2.value=
+ca.Policy.rule.GenericASN1Ext.attribute.3.source=
+ca.Policy.rule.GenericASN1Ext.attribute.3.type=
+ca.Policy.rule.GenericASN1Ext.attribute.3.value=
+ca.Policy.rule.GenericASN1Ext.attribute.4.source=
+ca.Policy.rule.GenericASN1Ext.attribute.4.type=
+ca.Policy.rule.GenericASN1Ext.attribute.4.value=
+ca.Policy.rule.GenericASN1Ext.attribute.5.source=
+ca.Policy.rule.GenericASN1Ext.attribute.5.type=
+ca.Policy.rule.GenericASN1Ext.attribute.5.value=
+ca.Policy.rule.GenericASN1Ext.attribute.6.source=
+ca.Policy.rule.GenericASN1Ext.attribute.6.type=
+ca.Policy.rule.GenericASN1Ext.attribute.6.value=
+ca.Policy.rule.GenericASN1Ext.attribute.7.source=
+ca.Policy.rule.GenericASN1Ext.attribute.7.type=
+ca.Policy.rule.GenericASN1Ext.attribute.7.value=
+ca.Policy.rule.GenericASN1Ext.attribute.8.source=
+ca.Policy.rule.GenericASN1Ext.attribute.8.type=
+ca.Policy.rule.GenericASN1Ext.attribute.8.value=
+ca.Policy.rule.GenericASN1Ext.attribute.9.source=
+ca.Policy.rule.GenericASN1Ext.attribute.9.type=
+ca.Policy.rule.GenericASN1Ext.attribute.9.value=
+ca.Policy.rule.IssuerRule.enable=false
+ca.Policy.rule.IssuerRule.implName=IssuerConstraints
+ca.Policy.rule.IssuerRule.issuerDN=
+ca.Policy.rule.IssuerRule.predicate=HTTP_PARAMS.certType==client AND certauthEnroll==on
+ca.Policy.rule.KeyAlgRule.algorithms=RSA,DSA
+ca.Policy.rule.KeyAlgRule.enable=true
+ca.Policy.rule.KeyAlgRule.implName=KeyAlgorithmConstraints
+ca.Policy.rule.KeyAlgRule.predicate=
+ca.Policy.rule.NSCCommentExt.commentFile=
+ca.Policy.rule.NSCCommentExt.enable=false
+ca.Policy.rule.NSCCommentExt.implName=NSCCommentExt
+ca.Policy.rule.NSCCommentExt.inputType=Text
+ca.Policy.rule.NSCCommentExt.predicate=
+ca.Policy.rule.NSCertTypeExt.enable=true
+ca.Policy.rule.NSCertTypeExt.implName=NSCertTypeExt
+ca.Policy.rule.NSCertTypeExt.predicate=HTTP_PARAMS.certType!=CEP-Request
+ca.Policy.rule.NameConstraintsExt.critical=true
+ca.Policy.rule.NameConstraintsExt.enable=false
+ca.Policy.rule.NameConstraintsExt.implName=NameConstraintsExt
+ca.Policy.rule.NameConstraintsExt.numExcludedSubtrees=3
+ca.Policy.rule.NameConstraintsExt.numPermittedSubtrees=3
+ca.Policy.rule.NameConstraintsExt.predicate=HTTP_PARAMS.certType == ca
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.max=-1
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.min=0
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base.generalNameChoice=
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base.generalNameValue=
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.max=-1
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.min=0
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base.generalNameChoice=
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base.generalNameValue=
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.max=-1
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.min=0
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base.generalNameChoice=
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base.generalNameValue=
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.max=-1
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.min=0
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base.generalNameChoice=
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base.generalNameValue=
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.max=-1
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.min=0
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base.generalNameChoice=
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base.generalNameValue=
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.max=-1
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.min=0
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base.generalNameChoice=
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base.generalNameValue=
+ca.Policy.rule.OCSPNoCheckExt.critical=false
+ca.Policy.rule.OCSPNoCheckExt.enable=true
+ca.Policy.rule.OCSPNoCheckExt.implName=OCSPNoCheckExt
+ca.Policy.rule.OCSPNoCheckExt.predicate=HTTP_PARAMS.certType==ocspResponder
+ca.Policy.rule.OCSPSigningExt.critical=false
+ca.Policy.rule.OCSPSigningExt.enable=true
+ca.Policy.rule.OCSPSigningExt.id0=1.3.6.1.5.5.7.3.9
+ca.Policy.rule.OCSPSigningExt.implName=ExtendedKeyUsageExt
+ca.Policy.rule.OCSPSigningExt.predicate=HTTP_PARAMS.certType==ocspResponder
+ca.Policy.rule.ObjSignCertKeyUsageExt.crlSign=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.dataEncipherment=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.decipherOnly=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.digitalSignature=true
+ca.Policy.rule.ObjSignCertKeyUsageExt.enable=true
+ca.Policy.rule.ObjSignCertKeyUsageExt.encipherOnly=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.implName=KeyUsageExt
+ca.Policy.rule.ObjSignCertKeyUsageExt.keyAgreement=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.keyCertsign=true
+ca.Policy.rule.ObjSignCertKeyUsageExt.keyEncipherment=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.nonRepudiation=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.predicate=HTTP_PARAMS.certType==objSignClient
+ca.Policy.rule.PolicyConstraintsExt.critical=false
+ca.Policy.rule.PolicyConstraintsExt.enable=false
+ca.Policy.rule.PolicyConstraintsExt.implName=PolicyConstraintsExt
+ca.Policy.rule.PolicyConstraintsExt.inhibitPolicyMapping=0
+ca.Policy.rule.PolicyConstraintsExt.predicate=HTTP_PARAMS.certType==ca
+ca.Policy.rule.PolicyConstraintsExt.reqExplicitPolicy=0
+ca.Policy.rule.PolicyMappingsExt.critical=false
+ca.Policy.rule.PolicyMappingsExt.enable=false
+ca.Policy.rule.PolicyMappingsExt.implName=PolicyMappingsExt
+ca.Policy.rule.PolicyMappingsExt.numPolicyMappings=1
+ca.Policy.rule.PolicyMappingsExt.predicate=HTTP_PARAMS.certType==ca
+ca.Policy.rule.PolicyMappingsExt.policyMap0.issuerDomainPolicy=
+ca.Policy.rule.PolicyMappingsExt.policyMap0.subjectDomainPolicy=
+ca.Policy.rule.RMCertKeyUsageExt.crlSign=false
+ca.Policy.rule.RMCertKeyUsageExt.dataEncipherment=false
+ca.Policy.rule.RMCertKeyUsageExt.decipherOnly=false
+ca.Policy.rule.RMCertKeyUsageExt.digitalSignature=true
+ca.Policy.rule.RMCertKeyUsageExt.enable=true
+ca.Policy.rule.RMCertKeyUsageExt.encipherOnly=false
+ca.Policy.rule.RMCertKeyUsageExt.implName=KeyUsageExt
+ca.Policy.rule.RMCertKeyUsageExt.keyAgreement=false
+ca.Policy.rule.RMCertKeyUsageExt.keyCertsign=false
+ca.Policy.rule.RMCertKeyUsageExt.keyEncipherment=false
+ca.Policy.rule.RMCertKeyUsageExt.nonRepudiation=true
+ca.Policy.rule.RMCertKeyUsageExt.predicate=HTTP_PARAMS.certType==ra
+ca.Policy.rule.RSAKeyRule.enable=false
+ca.Policy.rule.RSAKeyRule.exponents=3,7,17,65537
+ca.Policy.rule.RSAKeyRule.implName=RSAKeyConstraints
+ca.Policy.rule.RSAKeyRule.maxSize=2048
+ca.Policy.rule.RSAKeyRule.minSize=512
+ca.Policy.rule.RSAKeyRule.predicate=
+ca.Policy.rule.RenewalConstraintsRule.enable=true
+ca.Policy.rule.RenewalConstraintsRule.implName=RenewalConstraints
+ca.Policy.rule.RenewalConstraintsRule.predicate=
+ca.Policy.rule.RevocationConstraintsRule.enable=true
+ca.Policy.rule.RevocationConstraintsRule.implName=RevocationConstraints
+ca.Policy.rule.RevocationConstraintsRule.predicate=
+ca.Policy.rule.ServerCertKeyUsageExt.crlSign=false
+ca.Policy.rule.ServerCertKeyUsageExt.dataEncipherment=true
+ca.Policy.rule.ServerCertKeyUsageExt.decipherOnly=false
+ca.Policy.rule.ServerCertKeyUsageExt.digitalSignature=true
+ca.Policy.rule.ServerCertKeyUsageExt.enable=true
+ca.Policy.rule.ServerCertKeyUsageExt.encipherOnly=false
+ca.Policy.rule.ServerCertKeyUsageExt.implName=KeyUsageExt
+ca.Policy.rule.ServerCertKeyUsageExt.keyAgreement=false
+ca.Policy.rule.ServerCertKeyUsageExt.keyCertsign=false
+ca.Policy.rule.ServerCertKeyUsageExt.keyEncipherment=true
+ca.Policy.rule.ServerCertKeyUsageExt.nonRepudiation=true
+ca.Policy.rule.ServerCertKeyUsageExt.predicate=HTTP_PARAMS.certType==server
+ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+ca.Policy.rule.SigningAlgRule.enable=true
+ca.Policy.rule.SigningAlgRule.implName=SigningAlgorithmConstraints
+ca.Policy.rule.SigningAlgRule.predicate=
+ca.Policy.rule.SubCANameConstraints.enable=true
+ca.Policy.rule.SubCANameConstraints.implName=SubCANameConstraints
+ca.Policy.rule.SubCANameConstraints.predicate=HTTP_PARAMS.certType == ca
+ca.Policy.rule.SubjectAltNameExt.enable=true
+ca.Policy.rule.SubjectAltNameExt.implName=SubjectAltNameExt
+ca.Policy.rule.SubjectAltNameExt.numGeneralNames=3
+ca.Policy.rule.SubjectAltNameExt.predicate=HTTP_PARAMS.certType!=CEP-Request
+ca.Policy.rule.SubjectAltNameExt.generalName0.generalNameChoice=rfc822Name
+ca.Policy.rule.SubjectAltNameExt.generalName0.requestAttr=AUTH_TOKEN.mail
+ca.Policy.rule.SubjectAltNameExt.generalName1.generalNameChoice=rfc822Name
+ca.Policy.rule.SubjectAltNameExt.generalName1.requestAttr=AUTH_TOKEN.mailalternateaddress
+ca.Policy.rule.SubjectAltNameExt.generalName2.generalNameChoice=rfc822Name
+ca.Policy.rule.SubjectAltNameExt.generalName2.requestAttr=HTTP_PARAMS.csrRequestorEmail
+ca.Policy.rule.SubjectKeyIdentifierExt.enable=true
+ca.Policy.rule.SubjectKeyIdentifierExt.implName=SubjectKeyIdentifierExt
+ca.Policy.rule.SubjectKeyIdentifierExt.predicate=HTTP_PARAMS.certType==ca
+ca.Policy.rule.UniqueSubjectNameConstraints.enable=false
+ca.Policy.rule.UniqueSubjectNameConstraints.implName=UniqueSubjectNameConstraints
+ca.Policy.rule.UniqueSubjectNameConstraints.predicate=
+ca.crl._000=##
+ca.crl._001=## CA CRL
+ca.crl._002=##
+ca.crl.pageSize=100
+ca.crl.MasterCRL.allowExtensions=true
+ca.crl.MasterCRL.alwaysUpdate=false
+ca.crl.MasterCRL.autoUpdateInterval=240
+ca.crl.MasterCRL.caCertsOnly=false
+ca.crl.MasterCRL.cacheUpdateInterval=15
+ca.crl.MasterCRL.class=com.netscape.ca.CRLIssuingPoint
+ca.crl.MasterCRL.dailyUpdates=1:00
+ca.crl.MasterCRL.description=CA's complete Certificate Revocation List
+ca.crl.MasterCRL.enable=true
+ca.crl.MasterCRL.enableCRLCache=true
+ca.crl.MasterCRL.enableCRLUpdates=true
+ca.crl.MasterCRL.enableCacheRecovery=true
+ca.crl.MasterCRL.enableDailyUpdates=true
+ca.crl.MasterCRL.enableUpdateInterval=true
+ca.crl.MasterCRL.extendedNextUpdate=true
+ca.crl.MasterCRL.includeExpiredCerts=false
+ca.crl.MasterCRL.minUpdateInterval=0
+ca.crl.MasterCRL.nextUpdateGracePeriod=0
+ca.crl.MasterCRL.publishOnStart=false
+ca.crl.MasterCRL.signingAlgorithm=SHA256withRSA
+ca.crl.MasterCRL.updateSchema=1
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocation0=
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocationType0=URI
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessMethod0=caIssuers
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.class=com.netscape.cms.crl.CMSAuthInfoAccessExtension
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.critical=false
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.enable=false
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.numberOfAccessDescriptions=1
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.type=CRLExtension
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.class=com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.critical=false
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable=false
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.type=CRLExtension
+ca.crl.MasterCRL.extension.CRLNumber.class=com.netscape.cms.crl.CMSCRLNumberExtension
+ca.crl.MasterCRL.extension.CRLNumber.critical=false
+ca.crl.MasterCRL.extension.CRLNumber.enable=true
+ca.crl.MasterCRL.extension.CRLNumber.type=CRLExtension
+ca.crl.MasterCRL.extension.CRLReason.class=com.netscape.cms.crl.CMSCRLReasonExtension
+ca.crl.MasterCRL.extension.CRLReason.critical=false
+ca.crl.MasterCRL.extension.CRLReason.enable=true
+ca.crl.MasterCRL.extension.CRLReason.type=CRLEntryExtension
+ca.crl.MasterCRL.extension.DeltaCRLIndicator.class=com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension
+ca.crl.MasterCRL.extension.DeltaCRLIndicator.critical=true
+ca.crl.MasterCRL.extension.DeltaCRLIndicator.enable=false
+ca.crl.MasterCRL.extension.DeltaCRLIndicator.type=CRLExtension
+ca.crl.MasterCRL.extension.FreshestCRL.class=com.netscape.cms.crl.CMSFreshestCRLExtension
+ca.crl.MasterCRL.extension.FreshestCRL.critical=false
+ca.crl.MasterCRL.extension.FreshestCRL.enable=false
+ca.crl.MasterCRL.extension.FreshestCRL.numPoints=0
+ca.crl.MasterCRL.extension.FreshestCRL.pointName0=
+ca.crl.MasterCRL.extension.FreshestCRL.pointType0=
+ca.crl.MasterCRL.extension.FreshestCRL.type=CRLExtension
+ca.crl.MasterCRL.extension.InvalidityDate.class=com.netscape.cms.crl.CMSInvalidityDateExtension
+ca.crl.MasterCRL.extension.InvalidityDate.critical=false
+ca.crl.MasterCRL.extension.InvalidityDate.enable=true
+ca.crl.MasterCRL.extension.InvalidityDate.type=CRLEntryExtension
+ca.crl.MasterCRL.extension.IssuerAlternativeName.class=com.netscape.cms.crl.CMSIssuerAlternativeNameExtension
+ca.crl.MasterCRL.extension.IssuerAlternativeName.critical=false
+ca.crl.MasterCRL.extension.IssuerAlternativeName.enable=false
+ca.crl.MasterCRL.extension.IssuerAlternativeName.name0=
+ca.crl.MasterCRL.extension.IssuerAlternativeName.nameType0=
+ca.crl.MasterCRL.extension.IssuerAlternativeName.numNames=0
+ca.crl.MasterCRL.extension.IssuerAlternativeName.type=CRLExtension
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.class=com.netscape.cms.crl.CMSIssuingDistributionPointExtension
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.critical=true
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.enable=false
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.indirectCRL=false
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsCACerts=false
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsUserCerts=false
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlySomeReasons=
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointName=
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointType=
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.type=CRLExtension
+ca.notification.certIssued.emailSubject=Your Certificate Request
+ca.notification.certIssued.emailTemplate=[PKI_INSTANCE_PATH]/emails/certIssued_CA.html
+ca.notification.certIssued.enabled=false
+ca.notification.certIssued.senderEmail=
+ca.notification.certRevoked.emailSubject=Your Certificate Revoked
+ca.notification.certRevoked.emailTemplate=[PKI_INSTANCE_PATH]/emails/certRevoked_CA.html
+ca.notification.certRevoked.enabled=false
+ca.notification.certRevoked.senderEmail=
+ca.notification.requestInQ.emailSubject=Certificate Request in Queue
+ca.notification.requestInQ.emailTemplate=[PKI_INSTANCE_PATH]/emails/reqInQueue_CA.html
+ca.notification.requestInQ.enabled=false
+ca.notification.requestInQ.recipientEmail=
+ca.notification.requestInQ.senderEmail=
+ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
+ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
+ca.ocsp_signing.tokenname=internal
+ca.publish.createOwnDNEntry=false
+ca.publish.queue.enable=true
+ca.publish.queue.maxNumberOfThreads=3
+ca.publish.queue.pageSize=40
+ca.publish.queue.priorityLevel=0
+ca.publish.mapper.impl.LdapCaSimpleMap.class=com.netscape.cms.publish.mappers.LdapCaSimpleMap
+ca.publish.mapper.impl.LdapDNCompsMap.class=com.netscape.cms.publish.mappers.LdapCertCompsMap
+ca.publish.mapper.impl.LdapDNExactMap.class=com.netscape.cms.publish.mappers.LdapCertExactMap
+ca.publish.mapper.impl.LdapEnhancedMap.class=com.netscape.cms.publish.mappers.LdapEnhancedMap
+ca.publish.mapper.impl.LdapSimpleMap.class=com.netscape.cms.publish.mappers.LdapSimpleMap
+ca.publish.mapper.impl.LdapSubjAttrMap.class=com.netscape.cms.publish.mappers.LdapCertSubjMap
+ca.publish.mapper.impl.NoMap.class=com.netscape.cms.publish.mappers.NoMap
+ca.publish.mapper.instance.LdapCaCertMap.createCAEntry=true
+ca.publish.mapper.instance.LdapCaCertMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
+ca.publish.mapper.instance.LdapCaCertMap.pluginName=LdapCaSimpleMap
+ca.publish.mapper.instance.LdapCrlMap.createCAEntry=true
+ca.publish.mapper.instance.LdapCrlMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
+ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapCaSimpleMap
+ca.publish.mapper.instance.LdapUserCertMap.dnPattern=UID=$subj.UID,OU=people,O=$subj.o
+ca.publish.mapper.instance.LdapUserCertMap.pluginName=LdapSimpleMap
+ca.publish.mapper.instance.NoMap.pluginName=NoMap
+ca.publish.publisher.impl.FileBasedPublisher.class=com.netscape.cms.publish.publishers.FileBasedPublisher
+ca.publish.publisher.impl.LdapCaCertPublisher.class=com.netscape.cms.publish.publishers.LdapCaCertPublisher
+ca.publish.publisher.impl.LdapCertificatePairPublisher.class=com.netscape.cms.publish.publishers.LdapCertificatePairPublisher
+ca.publish.publisher.impl.LdapCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
+ca.publish.publisher.impl.LdapDeltaCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
+ca.publish.publisher.impl.LdapUserCertPublisher.class=com.netscape.cms.publish.publishers.LdapUserCertPublisher
+ca.publish.publisher.impl.OCSPPublisher.class=com.netscape.cms.publish.publishers.OCSPPublisher
+ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr=caCertificate;binary
+ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass=certificationAuthority
+ca.publish.publisher.instance.LdapCaCertPublisher.pluginName=LdapCaCertPublisher
+ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=certificateRevocationList;binary
+ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher
+ca.publish.publisher.instance.LdapCrossCertPairPublisher.caObjectClass=certificationAuthority
+ca.publish.publisher.instance.LdapCrossCertPairPublisher.crossCertPairAttr=crossCertificatePair;binary
+ca.publish.publisher.instance.LdapCrossCertPairPublisher.pluginName=LdapCertificatePairPublisher
+ca.publish.publisher.instance.LdapDeltaCrlPublisher.crlAttr=deltaRevocationList;binary
+ca.publish.publisher.instance.LdapDeltaCrlPublisher.pluginName=LdapDeltaCrlPublisher
+ca.publish.publisher.instance.LdapUserCertPublisher.certAttr=userCertificate;binary
+ca.publish.publisher.instance.LdapUserCertPublisher.pluginName=LdapUserCertPublisher
+ca.publish.rule.impl.Rule.class=com.netscape.cmscore.ldap.LdapRule
+ca.publish.rule.instance.LdapCaCertRule.enable=false
+ca.publish.rule.instance.LdapCaCertRule.mapper=LdapCaCertMap
+ca.publish.rule.instance.LdapCaCertRule.pluginName=Rule
+ca.publish.rule.instance.LdapCaCertRule.predicate=
+ca.publish.rule.instance.LdapCaCertRule.publisher=LdapCaCertPublisher
+ca.publish.rule.instance.LdapCaCertRule.type=cacert
+ca.publish.rule.instance.LdapCrlRule.enable=false
+ca.publish.rule.instance.LdapCrlRule.mapper=LdapCrlMap
+ca.publish.rule.instance.LdapCrlRule.pluginName=Rule
+ca.publish.rule.instance.LdapCrlRule.predicate=
+ca.publish.rule.instance.LdapCrlRule.publisher=LdapCrlPublisher
+ca.publish.rule.instance.LdapCrlRule.type=crl
+ca.publish.rule.instance.LdapUserCertRule.enable=false
+ca.publish.rule.instance.LdapUserCertRule.mapper=LdapUserCertMap
+ca.publish.rule.instance.LdapUserCertRule.pluginName=Rule
+ca.publish.rule.instance.LdapUserCertRule.predicate=
+ca.publish.rule.instance.LdapUserCertRule.publisher=LdapUserCertPublisher
+ca.publish.rule.instance.LdapUserCertRule.type=certs
+ca.publish.rule.instance.LdapXCertRule.enable=false
+ca.publish.rule.instance.LdapXCertRule.mapper=LdapCaCertMap
+ca.publish.rule.instance.LdapXCertRule.pluginName=Rule
+ca.publish.rule.instance.LdapXCertRule.predicate=
+ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher
+ca.publish.rule.instance.LdapXCertRule.type=xcert
+cmc.cert.confirmRequired=false
+cmc.lraPopWitness.verify.allow=true
+cmc.revokeCert.verify=true
+cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+cms.passwordlist=internaldb,replicationdb
+cms.password.ignore.publishing.failure=true
+cms.version=@MAJOR_VERSION@.@MINOR_VERSION@
+cmsgateway._000=##
+cmsgateway._001=## In the event that all Admin Certificates
have been lost
+cmsgateway._002=## for a given instance, perform the following steps to
+cmsgateway._003=## re-enroll for a new Admin Certificate:
+cmsgateway._004=##
+cmsgateway._005=## (1) Become 'root'
+cmsgateway._006=## (2) Type: 'service [PKI_INSTANCE_ID] stop'
+cmsgateway._007=## (3) Edit '[PKI_INSTANCE_ROOT]/[PKI_INSTANCE_ID]/conf/CS.cfg'
+cmsgateway._008=## and set the following name-value pairs (if necessary):
+cmsgateway._009=##
+cmsgateway._010=## ca.Policy.enable=true
+cmsgateway._011=## cmsgateway.enableAdminEnroll=true
+cmsgateway._012=##
+cmsgateway._013=## (4) Type: 'service [PKI_INSTANCE_ID] start'
+cmsgateway._014=## (5) Launch a browser and re-enroll for
+cmsgateway._015=## a new Admin Certificate by typing:
+cmsgateway._016=##
+cmsgateway._017=## https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ca/admin/ca/adminEnroll.html
+cmsgateway._018=##
+cmsgateway._019=## (6) Verify that the browser contains the new
+cmsgateway._020=## Admin Certificate by successfully navigating to:
+cmsgateway._021=##
+cmsgateway._022=## https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/ca/agent/ca/
+cmsgateway._023=##
+cmsgateway._024=## (7) Optionally, disable the Certificate Policies Framework
+cmsgateway._025=## by following steps (1) - (4), but ONLY resetting
+cmsgateway._026=## 'ca.Policy.enable=false', as
+cmsgateway._027=## 'cmsgateway.enableAdminEnroll=false' should have
+cmsgateway._028=## already been reset.
+cmsgateway._029=##
+cmsgateway.enableAdminEnroll=false
+https.port=8443
+http.port=8080
+dbs.enableSerialManagement=false
+dbs.beginRequestNumber=1
+dbs.endRequestNumber=10000000
+dbs.requestIncrement=10000000
+dbs.requestLowWaterMark=2000000
+dbs.requestCloneTransferNumber=10000
+dbs.requestDN=ou=ca, ou=requests
+dbs.requestRangeDN=ou=requests, ou=ranges
+dbs.beginSerialNumber=1
+dbs.endSerialNumber=10000000
+dbs.serialIncrement=10000000
+dbs.serialLowWaterMark=2000000
+dbs.serialCloneTransferNumber=10000
+dbs.serialDN=ou=certificateRepository, ou=ca
+dbs.serialRangeDN=ou=certificateRepository, ou=ranges
+dbs.beginReplicaNumber=1
+dbs.endReplicaNumber=100
+dbs.replicaIncrement=100
+dbs.replicaLowWaterMark=20
+dbs.replicaCloneTransferNumber=5
+dbs.replicaDN=ou=replica
+dbs.replicaRangeDN=ou=replica, ou=ranges
+dbs.ldap=internaldb
+dbs.newSchemaEntryAdded=true
+debug.append=true
+debug.enabled=true
+debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.hashkeytypes=
+debug.level=0
+debug.showcaller=false
+keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
+keys.ecc.curve.default=nistp521
+keys.rsa.keysize.default=2048
+internaldb._000=##
+internaldb._001=## Internal Database
+internaldb._002=##
+internaldb.basedn=
+internaldb.maxConns=15
+internaldb.minConns=3
+internaldb.ldapauth.authtype=BasicAuth
+internaldb.ldapauth.bindDN=cn=Directory Manager
+internaldb.ldapauth.bindPWPrompt=Internal LDAP Database
+internaldb.ldapauth.clientCertNickname=
+internaldb.ldapconn.host=
+internaldb.ldapconn.port=
+internaldb.ldapconn.secureConn=false
+preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/schema.ldif
+preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/acl.ldif
+preop.internaldb.index_ldif=
+preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/index.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlvtasks.ldif
+preop.internaldb.wait_dn=cn=index1160589769, cn=index, cn=tasks, cn=config
+internaldb.multipleSuffix.enable=false
+jobsScheduler._000=##
+jobsScheduler._001=## jobScheduler
+jobsScheduler._002=##
+jobsScheduler.enabled=false
+jobsScheduler.interval=1
+jobsScheduler.impl.PublishCertsJob.class=com.netscape.cms.jobs.PublishCertsJob
+jobsScheduler.impl.RenewalNotificationJob.class=com.netscape.cms.jobs.RenewalNotificationJob
+jobsScheduler.impl.RequestInQueueJob.class=com.netscape.cms.jobs.RequestInQueueJob
+jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.cms.jobs.UnpublishExpiredJob
+jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5
+jobsScheduler.job.certRenewalNotifier.emailSubject=Certificate Renewal Notification
+jobsScheduler.job.certRenewalNotifier.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1.txt
+jobsScheduler.job.certRenewalNotifier.enabled=false
+jobsScheduler.job.certRenewalNotifier.notifyEndOffset=30
+jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=30
+jobsScheduler.job.certRenewalNotifier.pluginName=RenewalNotificationJob
+jobsScheduler.job.certRenewalNotifier.senderEmail=
+jobsScheduler.job.certRenewalNotifier.summary.emailSubject=Certificate Renewal Notification Summary
+jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Summary.txt
+jobsScheduler.job.certRenewalNotifier.summary.enabled=true
+jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Item.txt
+jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=
+jobsScheduler.job.certRenewalNotifier.summary.senderEmail=
+jobsScheduler.job.publishCerts.cron=0 0 * * 2
+jobsScheduler.job.publishCerts.enabled=false
+jobsScheduler.job.publishCerts.pluginName=PublishCertsJob
+jobsScheduler.job.publishCerts.summary.emailSubject=Certs Publishing Summary
+jobsScheduler.job.publishCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/publishCerts.html
+jobsScheduler.job.publishCerts.summary.enabled=true
+jobsScheduler.job.publishCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/publishCertsItem.html
+jobsScheduler.job.publishCerts.summary.recipientEmail=
+jobsScheduler.job.publishCerts.summary.senderEmail=
+jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0
+jobsScheduler.job.requestInQueueNotifier.enabled=false
+jobsScheduler.job.requestInQueueNotifier.pluginName=RequestInQueueJob
+jobsScheduler.job.requestInQueueNotifier.subsystemId=ca
+jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report
+jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/riq1Summary.html
+jobsScheduler.job.requestInQueueNotifier.summary.enabled=true
+jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=
+jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=
+jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
+jobsScheduler.job.unpublishExpiredCerts.enabled=false
+jobsScheduler.job.unpublishExpiredCerts.pluginName=UnpublishExpiredJob
+jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=Expired Certs Unpublished Summary
+jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/euJob1.html
+jobsScheduler.job.unpublishExpiredCerts.summary.enabled=true
+jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/euJob1Item.html
+jobsScheduler.job.unpublishExpiredCerts.summary.recipientEmail=
+jobsScheduler.job.unpublishExpiredCerts.summary.senderEmail=
+jss._000=##
+jss._001=## JSS
+jss._002=##
+jss.configDir=[PKI_INSTANCE_PATH]/alias/
+jss.enable=true
+jss.secmodName=secmod.db
+jss.ocspcheck.enable=false
+jss.ssl.cipherfortezza=true
+jss.ssl.cipherpref=
+jss.ssl.cipherversion=cipherdomestic
+log._000=##
+log._001=## Logging
+log._002=##
+log.impl.file.class=com.netscape.cms.logging.RollingLogFile
+log.instance.SignedAudit._000=##
+log.instance.SignedAudit._001=## Signed Audit Logging
+log.instance.SignedAudit._002=##
+log.instance.SignedAudit.bufferSize=512
+log.instance.SignedAudit.enable=true
+log.instance.SignedAudit.events._000=##
+log.instance.SignedAudit.events._001=## Available Audit events:
+log.instance.SignedAudit.events._002=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
+log.instance.SignedAudit.events._003=##
+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
+log.instance.SignedAudit.expirationTime=0
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ca_audit
+log.instance.SignedAudit.flushInterval=5
+log.instance.SignedAudit.level=1
+log.instance.SignedAudit.logSigning=false
+log.instance.SignedAudit.maxFileSize=2000
+log.instance.SignedAudit.pluginName=file +log.instance.SignedAudit.rolloverInterval=2592000 +log.instance.SignedAudit.signedAudit=_002=## +log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID] +log.instance.SignedAudit.type=signedAudit +log.instance.System._000=## +log.instance.System._001=## System Logging +log.instance.System._002=## +log.instance.System.bufferSize=512 +log.instance.System.enable=true +log.instance.System.expirationTime=0 +log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system +log.instance.System.flushInterval=5 +log.instance.System.level=3 +log.instance.System.maxFileSize=2000 +log.instance.System.pluginName=file +log.instance.System.rolloverInterval=2592000 +log.instance.System.type=system +log.instance.Transactions._000=## +log.instance.Transactions._001=## Transaction Logging +log.instance.Transactions._002=## +log.instance.Transactions.bufferSize=512 +log.instance.Transactions.enable=true +log.instance.Transactions.expirationTime=0 +log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions +log.instance.Transactions.flushInterval=5 +log.instance.Transactions.level=1 +log.instance.Transactions.maxFileSize=2000 +log.instance.Transactions.pluginName=file +log.instance.Transactions.rolloverInterval=2592000 +log.instance.Transactions.type=transaction +logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access +logError.fileName=[PKI_INSTANCE_PATH]/logs/error +oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension +oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1 +oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword +oidmap.challenge_password.oid=1.2.840.113549.1.9.7 +oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension +oidmap.extended_key_usage.oid=2.5.29.37 +oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested 
+oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14 +oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested +oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8 +oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension +oidmap.netscape_comment.oid=2.16.840.1.113730.1.13 +oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension +oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5 +oidmap.pse.class=netscape.security.extensions.PresenceServerExtension +oidmap.pse.oid=2.16.840.1.113730.1.18 +oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension +oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 +os.userid=nobody +profile.list=caUserCert,caUserSMIMEcapCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caJarSigningCert,caIPAserviceCert +profile.caUUIDdeviceCert.class_id=caEnrollImpl +profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUUIDdeviceCert.cfg +profile.caManualRenewal.class_id=caEnrollImpl +profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caManualRenewal.cfg +profile.caDirUserRenewal.class_id=caEnrollImpl 
+profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserRenewal.cfg +profile.caSSLClientSelfRenewal.class_id=caEnrollImpl +profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caSSLClientSelfRenewal.cfg +profile.DomainController.class_id=caEnrollImpl +profile.DomainController.config=[PKI_INSTANCE_PATH]/profiles/ca/DomainController.cfg +profile.caAgentFileSigning.class_id=caEnrollImpl +profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentFileSigning.cfg +profile.caAgentServerCert.class_id=caEnrollImpl +profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentServerCert.cfg +profile.caRAserverCert.class_id=caEnrollImpl +profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAserverCert.cfg +profile.caCACert.class_id=caEnrollImpl +profile.caCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCACert.cfg +profile.caInstallCACert.class_id=caEnrollImpl +profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInstallCACert.cfg +profile.caCMCUserCert.class_id=caEnrollImpl +profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCMCUserCert.cfg +profile.caDirUserCert.class_id=caEnrollImpl +profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserCert.cfg +profile.caDualCert.class_id=caEnrollImpl +profile.caDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualCert.cfg +profile.caDualRAuserCert.class_id=caEnrollImpl +profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualRAuserCert.cfg +profile.caRAagentCert.class_id=caEnrollImpl +profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAagentCert.cfg +profile.caFullCMCUserCert.class_id=caEnrollImpl +profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caFullCMCUserCert.cfg +profile.caInternalAuthOCSPCert.class_id=caEnrollImpl +profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthOCSPCert.cfg +profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl 
+profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthAuditSigningCert.cfg +profile.caInternalAuthServerCert.class_id=caEnrollImpl +profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthServerCert.cfg +profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl +profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthSubsystemCert.cfg +profile.caInternalAuthDRMstorageCert.class_id=caEnrollImpl +profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthDRMstorageCert.cfg +profile.caInternalAuthTransportCert.class_id=caEnrollImpl +profile.caInternalAuthTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthTransportCert.cfg +profile.caOCSPCert.class_id=caEnrollImpl +profile.caOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOCSPCert.cfg +profile.caOtherCert.class_id=caEnrollImpl +profile.caOtherCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOtherCert.cfg +profile.caRACert.class_id=caEnrollImpl +profile.caRACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRACert.cfg +profile.caRARouterCert.class_id=caEnrollImpl +profile.caRARouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRARouterCert.cfg +profile.caRouterCert.class_id=caEnrollImpl +profile.caRouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRouterCert.cfg +profile.caServerCert.class_id=caEnrollImpl +profile.caServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caServerCert.cfg +profile.caSignedLogCert.class_id=caEnrollImpl +profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSignedLogCert.cfg +profile.caSimpleCMCUserCert.class_id=caEnrollImpl +profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSimpleCMCUserCert.cfg +profile.caTPSCert.class_id=caEnrollImpl +profile.caTPSCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTPSCert.cfg +profile.caAdminCert.class_id=caEnrollImpl +profile.caAdminCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAdminCert.cfg 
+profile.caTempTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl +profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg +profile.caTempTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl +profile.caTempTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg +profile.caTokenUserEncryptionKeyRenewal.class_id=caUserCertEnrollImpl +profile.caTokenUserEncryptionKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg +profile.caTempTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl +profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg +profile.caTokenUserSigningKeyRenewal.class_id=caUserCertEnrollImpl +profile.caTokenUserSigningKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyRenewal.cfg +profile.caTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl +profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenDeviceKeyEnrollment.cfg +profile.caTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl +profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg +profile.caTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl +profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyEnrollment.cfg +profile.caTokenMSLoginEnrollment.class_id=caUserCertEnrollImpl +profile.caTokenMSLoginEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenMSLoginEnrollment.cfg +profile.caTransportCert.class_id=caEnrollImpl +profile.caTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTransportCert.cfg +profile.caUserCert.class_id=caEnrollImpl +profile.caUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserCert.cfg +profile.caUserSMIMEcapCert.class_id=caEnrollImpl 
+profile.caUserSMIMEcapCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserSMIMEcapCert.cfg +profile.caJarSigningCert.class_id=caEnrollImpl +profile.caJarSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caJarSigningCert.cfg +profile.caIPAserviceCert.class_id=caEnrollImpl +profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caIPAserviceCert.cfg +registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg +request.assignee.enable=true +selftests._000=## +selftests._001=## Self Tests +selftests._002=## +selftests._003=## The Self-Test plugin SystemCertsVerification uses the +selftests._004=## following parameters (where certusage is optional): +selftests._005=## ca.cert.list = +selftests._006=## ca.cert..nickname +selftests._007=## ca.cert..certusage +selftests._008=## +selftests.container.instance.CAPresence=com.netscape.cms.selftests.ca.CAPresence +selftests.container.instance.CAValidity=com.netscape.cms.selftests.ca.CAValidity +selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification +selftests.container.logger.bufferSize=512 +selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile +selftests.container.logger.enable=true +selftests.container.logger.expirationTime=0 +selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log +selftests.container.logger.flushInterval=5 +selftests.container.logger.level=1 +selftests.container.logger.maxFileSize=2000 +selftests.container.logger.register=false +selftests.container.logger.rolloverInterval=2592000 +selftests.container.logger.type=transaction +selftests.container.order.onDemand=CAPresence:critical, SystemCertsVerification:critical, CAValidity:critical +selftests.container.order.startup=CAPresence:critical, SystemCertsVerification:critical +selftests.plugin.CAPresence.CaSubId=ca +selftests.plugin.CAValidity.CaSubId=ca +selftests.plugin.SystemCertsVerification.SubId=ca +smtp.host=localhost +smtp.port=25 
+subsystem.0.class=com.netscape.ca.CertificateAuthority
+subsystem.0.id=ca
+subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem
+subsystem.1.id=profile
+subsystem.2.class=com.netscape.cmscore.selftests.SelfTestSubsystem
+subsystem.2.id=selftests
+subsystem.3.class=com.netscape.cmscore.cert.CrossCertPairSubsystem
+subsystem.3.id=CrossCertPair
+subsystem.4.class=com.netscape.cmscore.util.StatsSubsystem
+subsystem.4.id=stats
+usrgrp._000=##
+usrgrp._001=## User/Group
+usrgrp._002=##
+usrgrp.ldap=internaldb
+multiroles._000=##
+multiroles._001=## multiroles
+multiroles._002=##
+multiroles.enable=true
+multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group
diff --git a/pki/base/ca/src/CMakeLists.txt b/pki/base/ca/src/CMakeLists.txt
index ab40e63b7..f8e68c4f6 100644
--- a/pki/base/ca/src/CMakeLists.txt
+++ b/pki/base/ca/src/CMakeLists.txt
@@ -1,21 +1,31 @@
 project(ca_java Java)
+# '/usr/share/java' jars
+find_file(LDAPJDK_JAR
+ NAMES
+ ldapjdk.jar
+ PATHS
+ /usr/share/java
+)
+
+
+# '/usr/lib/java' jars
 find_file(JSS_JAR
 NAMES
 jss4.jar
 PATHS
 /usr/lib/java
- /usr/share/java
 )
-find_file(LDAPJDK_JAR
+find_file(OSUTIL_JAR
 NAMES
- ldapjdk.jar
+ osutil.jar
 PATHS
 /usr/lib/java
- /usr/share/java
 )
+
+# identify java sources
 set(ca_java_SRCS
 com/netscape/ca/CMSCRLExtensions.java
 com/netscape/ca/CAService.java
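Review bot: None of the `find_file` results in this hunk is checked, so a missing `ldapjdk.jar`, `jss4.jar` or `osutil.jar` leaves `LDAPJDK_JAR-NOTFOUND` (and the like) in the variable, and the problem only surfaces later as a classpath error from the Java compiler. The same unchecked lookups appear in the console/src hunks (`NSUTIL_JAR`, `BASE_JAR`, `LDAPJDK_JAR`, `JSS_JAR`). A guard after each lookup makes the failure explicit and names the expected location, e.g. `if(NOT LDAPJDK_JAR)` / `message(FATAL_ERROR "ldapjdk.jar not found in /usr/share/java")` / `endif()`. The new split of search directories (`/usr/share/java` for ldapjdk, `/usr/lib/java` only for jss4 and osutil, with the former fallback removed) also deserves a one-line comment stating why, since the comments added here only repeat the path.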
@@ -26,13 +36,21 @@ set(ca_java_SRCS
 com/netscape/ca/CertificateAuthority.java
 )
+
+# set classpath
 set(CMAKE_JAVA_INCLUDE_PATH
- ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR} ${CMSUTIL_JAR}
- ${OSUTIL_JAR} ${SYMKEY_JAR} ${CMS_JAR} ${CMSCORE_JAR}
- ${CERTSRV_JAR})
+ ${CERTSRV_JAR} ${CMS_JAR} ${CMSCORE_JAR} ${CMSUTIL_JAR} ${NSUTIL_JAR}
+ ${LDAPJDK_JAR}
+ ${JSS_JAR} ${OSUTIL_JAR} ${SYMKEY_JAR})
+
+
+# set version
 set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
+
+# build ca.jar
 add_jar(ca ${ca_java_SRCS})
-add_dependencies(ca nsutil cmsutil osutil symkey cms cmscore certsrv)
+add_dependencies(ca osutil symkey nsutil cmsutil certsrv cms cmscore)
 install_jar(ca ${JAVA_JAR_INSTALL_DIR})
 set(CA_JAR ${ca_JAR_FILE} CACHE INTERNAL "ca jar file")
+
diff --git a/pki/base/console/src/CMakeLists.txt b/pki/base/console/src/CMakeLists.txt
index ff17efc0f..076f18078 100644
--- a/pki/base/console/src/CMakeLists.txt
+++ b/pki/base/console/src/CMakeLists.txt
@@ -1,24 +1,27 @@
-project(console_java Java)
+project(pki_console_java Java)
-find_file(JSS_JAR
+# '/usr/share/java/pki' jars
+find_file(NSUTIL_JAR
 NAMES
- jss4.jar
+ nsutil.jar
 PATHS
 /usr/lib/java
- /usr/share/java
+ /usr/share/java/pki
 )
-find_file(LDAPJDK_JAR
+
+# '/usr/share/java' jars
+find_file(BASE_JAR
 NAMES
- ldapjdk.jar
+ idm-console-base.jar
 PATHS
 /usr/lib/java
 /usr/share/java
 )
-find_file(BASE_JAR
+find_file(LDAPJDK_JAR
 NAMES
- idm-console-base.jar
+ ldapjdk.jar
 PATHS
 /usr/lib/java
 /usr/share/java
@@ -56,7 +59,19 @@ find_file(NMCLF_EN_JAR
 /usr/share/java
 )
-set(console_java_SRCS
+
+# '/usr/lib/java' jars
+find_file(JSS_JAR
+ NAMES
+ jss4.jar
+ PATHS
+ /usr/lib/java
+ /usr/share/java
+)
+
+
+# identify java sources
+set(pki_console_java_SRCS
 com/netscape/certsrv/common/TaskId.java
 com/netscape/certsrv/common/DestDef.java
 com/netscape/certsrv/common/NameValuePairs.java
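Review bot: `${OSUTIL_JAR}` on the classpath now comes from the `find_file` in the previous hunk, which searches the system directory `/usr/lib/java`, while `add_dependencies(ca osutil …)` on the same lines still orders the build after the in-tree `osutil` target. If that target also publishes `OSUTIL_JAR` in the cache (the way this file publishes `CA_JAR` with `set(CA_JAR … CACHE INTERNAL …)`), whichever of the two runs first wins and the other is a silent no-op, so ca.jar may be compiled against an installed copy instead of the one just built. The same applies to `NSUTIL_JAR` in console/src, looked up in `/usr/share/java/pki` and then depended on as the `nsutil` target. Either drop the `find_file` and consume the cached path from the sibling target, or state the intended precedence in a comment such as `# OSUTIL_JAR: prefer the in-tree osutil build; /usr/lib/java is only a fallback`.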
@@ -578,13 +593,22 @@ set(console_java_SRCS
 com/netscape/admin/certsrv/IUIMapper.java
 )
+
+# set classpath
 set(CMAKE_JAVA_INCLUDE_PATH
- ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR}
- ${BASE_JAR} ${MMC_JAR} ${MMC_EN_JAR}
- ${NMCLF_JAR} ${NMCLF_EN_JAR})
+ ${BASE_JAR} ${LDAPJDK_JAR} ${MMC_JAR}
+ ${MMC_EN_JAR} ${NMCLF_JAR} ${NMCLF_EN_JAR}
+ ${NSUTIL_JAR}
+ ${JSS_JAR})
+
+
+# set version
 set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
-add_jar(console ${console_java_SRCS})
-add_dependencies(console nsutil)
-install_jar(console ${JAVA_JAR_INSTALL_DIR}/pki)
-set(CONSOLE_JAR ${console_JAR_FILE} CACHE INTERNAL "console jar file")
+
+# build pki-console.jar
+add_jar(pki-console ${pki_console_java_SRCS})
+add_dependencies(pki-console nsutil)
+install_jar(pki-console ${JAVA_JAR_INSTALL_DIR})
+set(PKI_CONSOLE_JAR ${pki_console_JAR_FILE} CACHE INTERNAL "pki-console jar file")
+
diff --git a/pki/base/kra/CMakeLists.txt b/pki/base/kra/CMakeLists.txt
index 5155a84ef..dc2564c92 100644
--- a/pki/base/kra/CMakeLists.txt
+++ b/pki/base/kra/CMakeLists.txt
@@ -2,6 +2,7 @@ project(kra Java)
 add_subdirectory(src)
 add_subdirectory(setup)
+add_subdirectory(shared/conf)
 # install init script
 install(
@@ -25,6 +26,8 @@ install(
 "CMakeLists.txt" EXCLUDE
 PATTERN
 "etc/*" EXCLUDE
+ PATTERN
+ "conf/CS.cfg.in" EXCLUDE
 )
 # install empty directories
diff --git a/pki/base/kra/shared/conf/CMakeLists.txt b/pki/base/kra/shared/conf/CMakeLists.txt
new file mode 100644
index 000000000..e3cef5915
--- /dev/null
+++ b/pki/base/kra/shared/conf/CMakeLists.txt
@@ -0,0 +1,12 @@
+set(VERSION ${APPLICATION_VERSION})
+set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR})
+set(MINOR_VERSION ${APPLICATION_VERSION_MINOR})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+ FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
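Review bot: `set(PKI_CONSOLE_JAR ${pki_console_JAR_FILE} …)` reads a variable whose name does not match the new target name. `add_jar` publishes the output path under `<target>_JAR_FILE` (this diff itself uses `${ca_JAR_FILE}` for target `ca` and the removed line used `${console_JAR_FILE}` for target `console`), so for target `pki-console` the variable is presumably `pki-console_JAR_FILE`, and `${pki_console_JAR_FILE}` expands to nothing, leaving `PKI_CONSOLE_JAR` empty for every consumer. Change the line to `set(PKI_CONSOLE_JAR ${pki-console_JAR_FILE} CACHE INTERNAL "pki-console jar file")`. The `install_jar` destination also drops the `/pki` suffix the old line had while the `NSUTIL_JAR` lookup in the first console hunk still searches `/usr/share/java/pki`; if the move is intentional, a comment on the `install_jar` line saying so would stop the next reader from treating it as a mismatch.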
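Review bot: The three plain `set()` calls at the top of the new kra/shared/conf/CMakeLists.txt define the generic names `VERSION`, `MAJOR_VERSION` and `MINOR_VERSION` in directory scope only so that `configure_file(... @ONLY)` can substitute them, and nothing says so. A short header comment would spare the next reader a search of CS.cfg.in, e.g. `# @VERSION@, @MAJOR_VERSION@ and @MINOR_VERSION@ are substituted into CS.cfg.in at build time; the [PKI_*] bracket placeholders are left for instance creation`. `@ONLY` is the right choice here, since the template's other placeholders must survive untouched. The installed CS.cfg appears to carry no secrets of its own (the removed kra CS.cfg keeps `preop.pin=[PKI_RANDOM_NUMBER]` as a placeholder and points `passwordFile` at a separate `password.conf`), so the default install permissions of `install(FILES ...)` are adequate for the template.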
diff --git a/pki/base/kra/shared/conf/CS.cfg b/pki/base/kra/shared/conf/CS.cfg
deleted file mode 100644
index 56944d5fc..000000000
--- a/pki/base/kra/shared/conf/CS.cfg
+++ /dev/null
@@ -1,368 +0,0 @@ -pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] -pkicreate.pki_instance_name=[PKI_INSTANCE_ID] -pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] -pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT] -pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT] -pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT] -pkicreate.secure_port=[PKI_SECURE_PORT] -pkicreate.unsecure_port=[PKI_UNSECURE_PORT] -pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT] -pkicreate.user=[PKI_USER] -pkicreate.group=[PKI_GROUP] -pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -installDate=[INSTALL_TIME] -preop.wizard.name=DRM Setup Wizard -preop.product.name=CS -preop.product.version= -preop.system.name=DRM -preop.system.fullname=Data Recovery Manager -cs.state=0 -cs.type=KRA -admin.interface.uri=kra/admin/console/config/wizard -agent.interface.uri=kra/agent/kra -authType=pwd -preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445 -instanceRoot=[PKI_INSTANCE_PATH] -machineName=[PKI_MACHINE_NAME] -instanceId=[PKI_INSTANCE_ID] -service.machineName=[PKI_MACHINE_NAME] -service.instanceDir=[PKI_INSTANCE_ROOT] -service.securePort=[PKI_AGENT_SECURE_PORT] -service.non_clientauth_securePort=[PKI_EE_SECURE_PORT] -service.unsecurePort=[PKI_UNSECURE_PORT] -service.instanceID=[PKI_INSTANCE_ID] -preop.admin.name=Data Recovery Manager Administrator -preop.admin.group=Data Recovery Manager Agents -preop.admincert.profile=caAdminCert -preop.pin=[PKI_RANDOM_NUMBER] -kra.cert.list=transport,storage,sslserver,subsystem,audit_signing -preop.cert.list=transport,storage,sslserver,subsystem,audit_signing -preop.cert.transport.enable=true -preop.cert.storage.enable=true -preop.cert.sslserver.enable=true -preop.cert.subsystem.enable=true -preop.cert.audit_signing.enable=true -preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA -preop.cert.audit_signing.dn=CN=DRM Audit Signing Certificate -preop.cert.audit_signing.keysize.custom_size=2048 
-preop.cert.audit_signing.keysize.size=2048 -preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID] -preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert -preop.cert.audit_signing.signing.required=false -preop.cert.audit_signing.subsystem=kra -preop.cert.audit_signing.type=remote -preop.cert.audit_signing.userfriendlyname=DRM Audit Signing Certificate -preop.cert.audit_signing.cncomponent.override=true -preop.cert.storage.defaultSigningAlgorithm=SHA256withRSA -preop.cert.storage.dn=CN=DRM Storage Certificate -preop.cert.storage.keysize.custom_size=2048 -preop.cert.storage.keysize.size=2048 -preop.cert.storage.nickname=storageCert cert-[PKI_INSTANCE_ID] -preop.cert.storage.profile=caInternalAuthDRMstorageCert -preop.cert.storage.signing.required=false -preop.cert.storage.subsystem=kra -preop.cert.storage.type=remote -preop.cert.storage.userfriendlyname=Storage Certificate -preop.cert.storage.cncomponent.override=true -preop.cert.transport.defaultSigningAlgorithm=SHA256withRSA -preop.cert.transport.dn=CN=DRM Transport Certificate -preop.cert.transport.keysize.custom_size=2048 -preop.cert.transport.keysize.size=2048 -preop.cert.transport.nickname=transportCert cert-[PKI_INSTANCE_ID] -preop.cert.transport.profile=caInternalAuthTransportCert -preop.cert.transport.signing.required=true -preop.cert.transport.subsystem=kra -preop.cert.transport.type=remote -preop.cert.transport.userfriendlyname=Transport Certificate -preop.cert.transport.cncomponent.override=true -preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA -preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME] -preop.cert.sslserver.keysize.custom_size=2048 -preop.cert.sslserver.keysize.size=2048 -preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] -preop.cert.sslserver.profile=caInternalAuthServerCert -preop.cert.sslserver.signing.required=false -preop.cert.sslserver.subsystem=kra -preop.cert.sslserver.type=remote -preop.cert.sslserver.userfriendlyname=SSL Server 
Certificate -preop.cert.sslserver.cncomponent.override=false -preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA -preop.cert.subsystem.dn=CN=DRM Subsystem Certificate -preop.cert.subsystem.keysize.custom_size=2048 -preop.cert.subsystem.keysize.size=2048 -preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -preop.cert.subsystem.profile=caInternalAuthSubsystemCert -preop.cert.subsystem.signing.required=false -preop.cert.subsystem.subsystem=kra -preop.cert.subsystem.type=remote -preop.cert.subsystem.userfriendlyname=Subsystem Certificate -preop.cert.subsystem.cncomponent.override=true -preop.hierarchy.profile=caCert.profile -preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module -preop.configModules.module0.commonName=NSS Internal PKCS #11 Module -preop.configModules.module0.imagePath=../img/clearpixel.gif -preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module -preop.configModules.module1.commonName=nfast -preop.configModules.module1.imagePath=../img/clearpixel.gif -preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module -preop.configModules.module2.commonName=lunasa -preop.configModules.module2.imagePath=../img/clearpixel.gif -preop.configModules.count=3 -preop.module.token=Internal Key Storage Token -passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf -passwordClass=com.netscape.cmsutil.password.PlainPasswordFile -multiroles=true -multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group -CrossCertPair._000=## -CrossCertPair._001=## CrossCertPair Import -CrossCertPair._002=## 
-CrossCertPair.ldap=internaldb -accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator -accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator -accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator -auths._000=## -auths._001=## new authentication -auths._002=## -auths.impl._000=## -auths.impl._001=## authentication manager implementations -auths.impl._002=## -auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication -auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth -auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth -auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll -auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication -auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication -auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication -auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication -auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents -auths.instance.AgentCertAuth.pluginName=AgentCertAuth -auths.instance.TokenAuth.pluginName=TokenAuth -auths.revocationChecking.bufferSize=50 -auths.revocationChecking.enabled=false -auths.revocationChecking.kra=kra -authz._000=## -authz._001=## new authorizatioin -authz._002=## -authz.evaluateOrder=deny,allow -authz.sourceType=ldap -authz.impl._000=## -authz.impl._001=## authorization manager implementations -authz.impl._002=## -authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz -authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz -authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz -authz.instance.DirAclAuthz.ldap=internaldb -authz.instance.DirAclAuthz.pluginName=DirAclAuthz -authz.instance.DirAclAuthz.ldap._000=## -authz.instance.DirAclAuthz.ldap._001=## Internal Database 
-authz.instance.DirAclAuthz.ldap._002=## -cmc.cert.confirmRequired=false -cmc.lraPopWitness.verify.allow=true -cmc.revokeCert.verify=true -cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret -cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret -cms.version= -dbs.enableSerialManagement=false -dbs.beginRequestNumber=1 -dbs.endRequestNumber=10000000 -dbs.requestIncrement=10000000 -dbs.requestLowWaterMark=2000000 -dbs.requestCloneTransferNumber=10000 -dbs.requestDN=ou=kra, ou=requests -dbs.requestRangeDN=ou=requests, ou=ranges -dbs.beginSerialNumber=1 -dbs.endSerialNumber=10000000 -dbs.serialIncrement=10000000 -dbs.serialLowWaterMark=2000000 -dbs.serialCloneTransferNumber=10000 -dbs.serialDN=ou=keyRepository, ou=kra -dbs.serialRangeDN=ou=keyRepository, ou=ranges -dbs.beginReplicaNumber=1 -dbs.endReplicaNumber=100 -dbs.replicaIncrement=100 -dbs.replicaLowWaterMark=20 -dbs.replicaCloneTransferNumber=5 -dbs.replicaDN=ou=replica -dbs.replicaRangeDN=ou=replica, ou=ranges -dbs.ldap=internaldb -dbs.newSchemaEntryAdded=true -debug.append=true -debug.enabled=true -debug.filename=[PKI_INSTANCE_PATH]/logs/debug -debug.hashkeytypes= -debug.level=0 -debug.showcaller=false -keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 -keys.ecc.curve.default=nistp521 
-keys.rsa.keysize.default=2048 -internaldb._000=## -internaldb._001=## Internal Database -internaldb._002=## -internaldb.maxConns=15 -internaldb.minConns=3 -internaldb.ldapauth.authtype=BasicAuth -internaldb.ldapauth.bindDN=cn=Directory Manager -internaldb.ldapauth.bindPWPrompt=Internal LDAP Database -internaldb.ldapauth.clientCertNickname= -internaldb.ldapconn.host= -internaldb.ldapconn.port= -internaldb.ldapconn.secureConn=false -preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/schema.ldif -preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/database.ldif -preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/db.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/acl.ldif -preop.internaldb.index_ldif= -preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/index.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlvtasks.ldif -preop.internaldb.wait_dn=cn=index1160527115, cn=index, cn=tasks, cn=config -internaldb.multipleSuffix.enable=false -jobsScheduler._000=## -jobsScheduler._001=## jobScheduler -jobsScheduler._002=## -jobsScheduler.enabled=false -jobsScheduler.interval=1 -jss._000=## -jss._001=## JSS -jss._002=## -jss.configDir=[PKI_INSTANCE_PATH]/alias/ -jss.enable=true -jss.secmodName=secmod.db -jss.ocspcheck.enable=false -jss.ssl.cipherfortezza=true -jss.ssl.cipherpref= -jss.ssl.cipherversion=cipherdomestic -kra.Policy._000=## -kra.Policy._001=## Certificate Policy Framework (deprecated) -kra.Policy._002=## -kra.Policy._003=## Set 'kra.Policy.enable=true' to allow the following: -kra.Policy._004=## -kra.Policy._005=## SERVLET-NAME URL-PATTERN -kra.Policy._006=## ==================================================== -kra.Policy._007=## krapolicy kra/krapolicy -kra.Policy._008=## -kra.Policy.enable=false -kra.keySplitting=false -kra.noOfRequiredRecoveryAgents=1 -kra.recoveryAgentGroup=Data Recovery Manager Agents -kra.reqdbInc=20 -kra.entropy.bitsperkeypair=0 -kra.entropy.blockwarnms=0 
-kra.storageUnit.nickName=storageCert cert-[PKI_INSTANCE_ID] -kra.transportUnit.nickName=transportCert cert-[PKI_INSTANCE_ID] -log._000=## -log._001=## Logging -log._002=## -log.impl.file.class=com.netscape.cms.logging.RollingLogFile -log.instance.SignedAudit._000=## -log.instance.SignedAudit._001=## Signed Audit Logging -log.instance.SignedAudit._002=## -log.instance.SignedAudit.bufferSize=512 -log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events._000=## -log.instance.SignedAudit.events._001=## Available Audit events: -log.instance.SignedAudit.events._002=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION -log.instance.SignedAudit.events._003=## -log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION -log.instance.SignedAudit.expirationTime=0 -log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/kra_cert-kra_audit -log.instance.SignedAudit.flushInterval=5 -log.instance.SignedAudit.level=1 -log.instance.SignedAudit.logSigning=false -log.instance.SignedAudit.maxFileSize=2000 -log.instance.SignedAudit.pluginName=file -log.instance.SignedAudit.rolloverInterval=2592000 -log.instance.SignedAudit.signedAudit:_000=## -log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow KRA audit logs to be signed -log.instance.SignedAudit.signedAudit:_002=## -log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID] -log.instance.SignedAudit.type=signedAudit -log.instance.System._000=## -log.instance.System._001=## System Logging -log.instance.System._002=## -log.instance.System.bufferSize=512 -log.instance.System.enable=true -log.instance.System.expirationTime=0 -log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system -log.instance.System.flushInterval=5 -log.instance.System.level=3 -log.instance.System.maxFileSize=2000 -log.instance.System.pluginName=file -log.instance.System.rolloverInterval=2592000 -log.instance.System.type=system -log.instance.Transactions._000=## -log.instance.Transactions._001=## Transaction Logging -log.instance.Transactions._002=## -log.instance.Transactions.bufferSize=512 -log.instance.Transactions.enable=true -log.instance.Transactions.expirationTime=0 
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions -log.instance.Transactions.flushInterval=5 -log.instance.Transactions.level=1 -log.instance.Transactions.maxFileSize=2000 -log.instance.Transactions.pluginName=file -log.instance.Transactions.rolloverInterval=2592000 -log.instance.Transactions.type=transaction -logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access -logError.fileName=[PKI_INSTANCE_PATH]/logs/error -oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension -oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1 -oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword -oidmap.challenge_password.oid=1.2.840.113549.1.9.7 -oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension -oidmap.extended_key_usage.oid=2.5.29.37 -oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested -oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14 -oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested -oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8 -oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension -oidmap.netscape_comment.oid=2.16.840.1.113730.1.13 -oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension -oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5 -oidmap.pse.class=netscape.security.extensions.PresenceServerExtension -oidmap.pse.oid=2.16.840.1.113730.1.18 -oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension -oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 -os.serverName=cert-[PKI_INSTANCE_ID] -os.userid=nobody -registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg -selftests._000=## -selftests._001=## Self Tests -selftests._002=## -selftests._003=## The Self-Test plugin SystemCertsVerification uses the -selftests._004=## following parameters (where certusage is optional): -selftests._005=## 
kra.cert.list = -selftests._006=## kra.cert..nickname -selftests._007=## kra.cert..certusage -selftests._008=## -selftests.container.instance.KRAPresence=com.netscape.cms.selftests.kra.KRAPresence -selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification -selftests.container.logger.bufferSize=512 -selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile -selftests.container.logger.enable=true -selftests.container.logger.expirationTime=0 -selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log -selftests.container.logger.flushInterval=5 -selftests.container.logger.level=1 -selftests.container.logger.maxFileSize=2000 -selftests.container.logger.register=false -selftests.container.logger.rolloverInterval=2592000 -selftests.container.logger.type=transaction -selftests.container.order.onDemand=KRAPresence:critical -selftests.container.order.startup=SystemCertsVerification:critical -selftests.plugin.KRAPresence.SubId=kra -selftests.plugin.SystemCertsVerification.SubId=kra -smtp.host=localhost -smtp.port=25 -subsystem.0.class=com.netscape.kra.KeyRecoveryAuthority -subsystem.0.id=kra -subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem -subsystem.1.id=selftests -subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem -subsystem.2.id=stats -usrgrp._000=## -usrgrp._001=## User/Group -usrgrp._002=## -usrgrp.ldap=internaldb -multiroles._000=## -multiroles._001=## multiroles -multiroles._002=## -multiroles.enable=true -multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group 
diff --git a/pki/base/kra/shared/conf/CS.cfg.in b/pki/base/kra/shared/conf/CS.cfg.in new file mode 100644 index 000000000..05ed8ce09 --- /dev/null +++ b/pki/base/kra/shared/conf/CS.cfg.in 
@@ -0,0 +1,368 @@ +pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] +pkicreate.pki_instance_name=[PKI_INSTANCE_ID] +pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] +pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT] +pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT] +pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT] +pkicreate.secure_port=[PKI_SECURE_PORT] +pkicreate.unsecure_port=[PKI_UNSECURE_PORT] +pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT] +pkicreate.user=[PKI_USER] +pkicreate.group=[PKI_GROUP] +pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] +installDate=[INSTALL_TIME] +preop.wizard.name=DRM Setup Wizard +preop.product.name=CS +preop.product.version=@VERSION@ +preop.system.name=DRM +preop.system.fullname=Data Recovery Manager +cs.state=0 +cs.type=KRA +admin.interface.uri=kra/admin/console/config/wizard +agent.interface.uri=kra/agent/kra +authType=pwd +preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445 +instanceRoot=[PKI_INSTANCE_PATH] +machineName=[PKI_MACHINE_NAME] +instanceId=[PKI_INSTANCE_ID] +service.machineName=[PKI_MACHINE_NAME] +service.instanceDir=[PKI_INSTANCE_ROOT] +service.securePort=[PKI_AGENT_SECURE_PORT] +service.non_clientauth_securePort=[PKI_EE_SECURE_PORT] +service.unsecurePort=[PKI_UNSECURE_PORT] +service.instanceID=[PKI_INSTANCE_ID] +preop.admin.name=Data Recovery Manager Administrator +preop.admin.group=Data Recovery Manager Agents +preop.admincert.profile=caAdminCert +preop.pin=[PKI_RANDOM_NUMBER] +kra.cert.list=transport,storage,sslserver,subsystem,audit_signing +preop.cert.list=transport,storage,sslserver,subsystem,audit_signing +preop.cert.transport.enable=true +preop.cert.storage.enable=true +preop.cert.sslserver.enable=true +preop.cert.subsystem.enable=true +preop.cert.audit_signing.enable=true +preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA +preop.cert.audit_signing.dn=CN=DRM Audit Signing Certificate +preop.cert.audit_signing.keysize.custom_size=2048 
+preop.cert.audit_signing.keysize.size=2048 +preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID] +preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert +preop.cert.audit_signing.signing.required=false +preop.cert.audit_signing.subsystem=kra +preop.cert.audit_signing.type=remote +preop.cert.audit_signing.userfriendlyname=DRM Audit Signing Certificate +preop.cert.audit_signing.cncomponent.override=true +preop.cert.storage.defaultSigningAlgorithm=SHA256withRSA +preop.cert.storage.dn=CN=DRM Storage Certificate +preop.cert.storage.keysize.custom_size=2048 +preop.cert.storage.keysize.size=2048 +preop.cert.storage.nickname=storageCert cert-[PKI_INSTANCE_ID] +preop.cert.storage.profile=caInternalAuthDRMstorageCert +preop.cert.storage.signing.required=false +preop.cert.storage.subsystem=kra +preop.cert.storage.type=remote +preop.cert.storage.userfriendlyname=Storage Certificate +preop.cert.storage.cncomponent.override=true +preop.cert.transport.defaultSigningAlgorithm=SHA256withRSA +preop.cert.transport.dn=CN=DRM Transport Certificate +preop.cert.transport.keysize.custom_size=2048 +preop.cert.transport.keysize.size=2048 +preop.cert.transport.nickname=transportCert cert-[PKI_INSTANCE_ID] +preop.cert.transport.profile=caInternalAuthTransportCert +preop.cert.transport.signing.required=true +preop.cert.transport.subsystem=kra +preop.cert.transport.type=remote +preop.cert.transport.userfriendlyname=Transport Certificate +preop.cert.transport.cncomponent.override=true +preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA +preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME] +preop.cert.sslserver.keysize.custom_size=2048 +preop.cert.sslserver.keysize.size=2048 +preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] +preop.cert.sslserver.profile=caInternalAuthServerCert +preop.cert.sslserver.signing.required=false +preop.cert.sslserver.subsystem=kra +preop.cert.sslserver.type=remote +preop.cert.sslserver.userfriendlyname=SSL Server 
Certificate +preop.cert.sslserver.cncomponent.override=false +preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA +preop.cert.subsystem.dn=CN=DRM Subsystem Certificate +preop.cert.subsystem.keysize.custom_size=2048 +preop.cert.subsystem.keysize.size=2048 +preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] +preop.cert.subsystem.profile=caInternalAuthSubsystemCert +preop.cert.subsystem.signing.required=false +preop.cert.subsystem.subsystem=kra +preop.cert.subsystem.type=remote +preop.cert.subsystem.userfriendlyname=Subsystem Certificate +preop.cert.subsystem.cncomponent.override=true +preop.hierarchy.profile=caCert.profile +preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module +preop.configModules.module0.commonName=NSS Internal PKCS #11 Module +preop.configModules.module0.imagePath=../img/clearpixel.gif +preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module +preop.configModules.module1.commonName=nfast +preop.configModules.module1.imagePath=../img/clearpixel.gif +preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module +preop.configModules.module2.commonName=lunasa +preop.configModules.module2.imagePath=../img/clearpixel.gif +preop.configModules.count=3 +preop.module.token=Internal Key Storage Token +passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf +passwordClass=com.netscape.cmsutil.password.PlainPasswordFile +multiroles=true +multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group +CrossCertPair._000=## +CrossCertPair._001=## CrossCertPair Import +CrossCertPair._002=## 
+CrossCertPair.ldap=internaldb +accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator +accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator +accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator +auths._000=## +auths._001=## new authentication +auths._002=## +auths.impl._000=## +auths.impl._001=## authentication manager implementations +auths.impl._002=## +auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication +auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth +auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth +auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll +auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication +auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication +auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication +auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication +auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents +auths.instance.AgentCertAuth.pluginName=AgentCertAuth +auths.instance.TokenAuth.pluginName=TokenAuth +auths.revocationChecking.bufferSize=50 +auths.revocationChecking.enabled=false +auths.revocationChecking.kra=kra +authz._000=## +authz._001=## new authorizatioin +authz._002=## +authz.evaluateOrder=deny,allow +authz.sourceType=ldap +authz.impl._000=## +authz.impl._001=## authorization manager implementations +authz.impl._002=## +authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz +authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz +authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz +authz.instance.DirAclAuthz.ldap=internaldb +authz.instance.DirAclAuthz.pluginName=DirAclAuthz +authz.instance.DirAclAuthz.ldap._000=## +authz.instance.DirAclAuthz.ldap._001=## Internal Database 
+authz.instance.DirAclAuthz.ldap._002=## +cmc.cert.confirmRequired=false +cmc.lraPopWitness.verify.allow=true +cmc.revokeCert.verify=true +cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret +cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret +cms.version=@MAJOR_VERSION@.@MINOR_VERSION@ +dbs.enableSerialManagement=false +dbs.beginRequestNumber=1 +dbs.endRequestNumber=10000000 +dbs.requestIncrement=10000000 +dbs.requestLowWaterMark=2000000 +dbs.requestCloneTransferNumber=10000 +dbs.requestDN=ou=kra, ou=requests +dbs.requestRangeDN=ou=requests, ou=ranges +dbs.beginSerialNumber=1 +dbs.endSerialNumber=10000000 +dbs.serialIncrement=10000000 +dbs.serialLowWaterMark=2000000 +dbs.serialCloneTransferNumber=10000 +dbs.serialDN=ou=keyRepository, ou=kra +dbs.serialRangeDN=ou=keyRepository, ou=ranges +dbs.beginReplicaNumber=1 +dbs.endReplicaNumber=100 +dbs.replicaIncrement=100 +dbs.replicaLowWaterMark=20 +dbs.replicaCloneTransferNumber=5 +dbs.replicaDN=ou=replica +dbs.replicaRangeDN=ou=replica, ou=ranges +dbs.ldap=internaldb +dbs.newSchemaEntryAdded=true +debug.append=true +debug.enabled=true +debug.filename=[PKI_INSTANCE_PATH]/logs/debug +debug.hashkeytypes= +debug.level=0 +debug.showcaller=false +keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 
+keys.ecc.curve.default=nistp521 +keys.rsa.keysize.default=2048 +internaldb._000=## +internaldb._001=## Internal Database +internaldb._002=## +internaldb.maxConns=15 +internaldb.minConns=3 +internaldb.ldapauth.authtype=BasicAuth +internaldb.ldapauth.bindDN=cn=Directory Manager +internaldb.ldapauth.bindPWPrompt=Internal LDAP Database +internaldb.ldapauth.clientCertNickname= +internaldb.ldapconn.host= +internaldb.ldapconn.port= +internaldb.ldapconn.secureConn=false +preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/schema.ldif +preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/database.ldif +preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/db.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/acl.ldif +preop.internaldb.index_ldif= +preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/index.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlvtasks.ldif +preop.internaldb.wait_dn=cn=index1160527115, cn=index, cn=tasks, cn=config +internaldb.multipleSuffix.enable=false +jobsScheduler._000=## +jobsScheduler._001=## jobScheduler +jobsScheduler._002=## +jobsScheduler.enabled=false +jobsScheduler.interval=1 +jss._000=## +jss._001=## JSS +jss._002=## +jss.configDir=[PKI_INSTANCE_PATH]/alias/ +jss.enable=true +jss.secmodName=secmod.db +jss.ocspcheck.enable=false +jss.ssl.cipherfortezza=true +jss.ssl.cipherpref= +jss.ssl.cipherversion=cipherdomestic +kra.Policy._000=## +kra.Policy._001=## Certificate Policy Framework (deprecated) +kra.Policy._002=## +kra.Policy._003=## Set 'kra.Policy.enable=true' to allow the following: +kra.Policy._004=## +kra.Policy._005=## SERVLET-NAME URL-PATTERN +kra.Policy._006=## ==================================================== +kra.Policy._007=## krapolicy kra/krapolicy +kra.Policy._008=## +kra.Policy.enable=false +kra.keySplitting=false +kra.noOfRequiredRecoveryAgents=1 +kra.recoveryAgentGroup=Data Recovery Manager Agents +kra.reqdbInc=20 +kra.entropy.bitsperkeypair=0 +kra.entropy.blockwarnms=0 
+kra.storageUnit.nickName=storageCert cert-[PKI_INSTANCE_ID] +kra.transportUnit.nickName=transportCert cert-[PKI_INSTANCE_ID] +log._000=## +log._001=## Logging +log._002=## +log.impl.file.class=com.netscape.cms.logging.RollingLogFile +log.instance.SignedAudit._000=## +log.instance.SignedAudit._001=## Signed Audit Logging +log.instance.SignedAudit._002=## +log.instance.SignedAudit.bufferSize=512 +log.instance.SignedAudit.enable=true +log.instance.SignedAudit.events._000=## +log.instance.SignedAudit.events._001=## Available Audit events: +log.instance.SignedAudit.events._002=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION +log.instance.SignedAudit.events._003=## +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION +log.instance.SignedAudit.expirationTime=0 +log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/kra_cert-kra_audit +log.instance.SignedAudit.flushInterval=5 +log.instance.SignedAudit.level=1 +log.instance.SignedAudit.logSigning=false +log.instance.SignedAudit.maxFileSize=2000 +log.instance.SignedAudit.pluginName=file +log.instance.SignedAudit.rolloverInterval=2592000 +log.instance.SignedAudit.signedAudit:_000=## +log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow KRA audit logs to be signed +log.instance.SignedAudit.signedAudit:_002=## +log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID] +log.instance.SignedAudit.type=signedAudit +log.instance.System._000=## +log.instance.System._001=## System Logging +log.instance.System._002=## +log.instance.System.bufferSize=512 +log.instance.System.enable=true +log.instance.System.expirationTime=0 +log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system +log.instance.System.flushInterval=5 +log.instance.System.level=3 +log.instance.System.maxFileSize=2000 +log.instance.System.pluginName=file +log.instance.System.rolloverInterval=2592000 +log.instance.System.type=system +log.instance.Transactions._000=## +log.instance.Transactions._001=## Transaction Logging +log.instance.Transactions._002=## +log.instance.Transactions.bufferSize=512 +log.instance.Transactions.enable=true +log.instance.Transactions.expirationTime=0 
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions +log.instance.Transactions.flushInterval=5 +log.instance.Transactions.level=1 +log.instance.Transactions.maxFileSize=2000 +log.instance.Transactions.pluginName=file +log.instance.Transactions.rolloverInterval=2592000 +log.instance.Transactions.type=transaction +logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access +logError.fileName=[PKI_INSTANCE_PATH]/logs/error +oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension +oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1 +oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword +oidmap.challenge_password.oid=1.2.840.113549.1.9.7 +oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension +oidmap.extended_key_usage.oid=2.5.29.37 +oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested +oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14 +oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested +oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8 +oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension +oidmap.netscape_comment.oid=2.16.840.1.113730.1.13 +oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension +oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5 +oidmap.pse.class=netscape.security.extensions.PresenceServerExtension +oidmap.pse.oid=2.16.840.1.113730.1.18 +oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension +oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 +os.serverName=cert-[PKI_INSTANCE_ID] +os.userid=nobody +registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg +selftests._000=## +selftests._001=## Self Tests +selftests._002=## +selftests._003=## The Self-Test plugin SystemCertsVerification uses the +selftests._004=## following parameters (where certusage is optional): +selftests._005=## 
kra.cert.list = +selftests._006=## kra.cert..nickname +selftests._007=## kra.cert..certusage +selftests._008=## +selftests.container.instance.KRAPresence=com.netscape.cms.selftests.kra.KRAPresence +selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification +selftests.container.logger.bufferSize=512 +selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile +selftests.container.logger.enable=true +selftests.container.logger.expirationTime=0 +selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log +selftests.container.logger.flushInterval=5 +selftests.container.logger.level=1 +selftests.container.logger.maxFileSize=2000 +selftests.container.logger.register=false +selftests.container.logger.rolloverInterval=2592000 +selftests.container.logger.type=transaction +selftests.container.order.onDemand=KRAPresence:critical +selftests.container.order.startup=SystemCertsVerification:critical +selftests.plugin.KRAPresence.SubId=kra +selftests.plugin.SystemCertsVerification.SubId=kra +smtp.host=localhost +smtp.port=25 +subsystem.0.class=com.netscape.kra.KeyRecoveryAuthority +subsystem.0.id=kra +subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem +subsystem.1.id=selftests +subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem +subsystem.2.id=stats +usrgrp._000=## +usrgrp._001=## User/Group +usrgrp._002=## +usrgrp.ldap=internaldb +multiroles._000=## +multiroles._001=## multiroles +multiroles._002=## +multiroles.enable=true +multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group 
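Review bot: The template ships the DRM's most sensitive defaults switched off with nothing in the file saying who is expected to switch them on: `internaldb.ldapconn.secureConn=false` sits next to `internaldb.ldapauth.bindDN=cn=Directory Manager`, `log.instance.SignedAudit.logSigning=false` even though `log.instance.SignedAudit.signedAuditCertNickname` is already populated, and `jss.ocspcheck.enable=false`. These values are carried over verbatim from the deleted CS.cfg, so this is not a regression, but now that the file is a template in which only `@VERSION@`/`@MAJOR_VERSION@`/`@MINOR_VERSION@` are CMake-substituted and the `[PKI_…]` tokens are presumably filled by pkicreate, the file should say which tool owns each placeholder and which of these settings the installer (not the template) is responsible for enabling — in the file's own comment style, e.g. `internaldb._003=## secureConn=false is a pre-install default; enable LDAPS before the instance holds escrowed keys` above `internaldb.maxConns`. Two smaller points in the same hunk: `multiroles=true` and `multiroles.enable=true` both appear, and `Enterprise KRA Adminstrators` in both `multiroles.false.groupEnforceList` lines is misspelled — if that list is matched by exact name against the LDAP groups created from the kra ldif files, the entry never matches; worth confirming against those files.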
diff --git a/pki/base/kra/src/CMakeLists.txt b/pki/base/kra/src/CMakeLists.txt
index d483a0a3a..6e9734383 100644
--- a/pki/base/kra/src/CMakeLists.txt
+++ b/pki/base/kra/src/CMakeLists.txt
@@ -1,21 +1,76 @@
 project(kra_java Java)
 
-find_file(JSS_JAR
+# '/usr/share/java/pki' jars
+find_file(CERTSRV_JAR
 NAMES
- jss4.jar
+ certsrv.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMS_JAR
+ NAMES
+ cms.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMSCORE_JAR
+ NAMES
+ cmscore.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMSUTIL_JAR
+ NAMES
+ cmsutil.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(NSUTIL_JAR
+ NAMES
+ nsutil.jar
 PATHS
 /usr/lib/java
- /usr/share/java
+ /usr/share/java/pki
 )
+
+# '/usr/share/java' jars
 find_file(LDAPJDK_JAR
 NAMES
 ldapjdk.jar
 PATHS
- /usr/lib/java
 /usr/share/java
 )
+
+# '/usr/lib/java' jars
+find_file(JSS_JAR
+ NAMES
+ jss4.jar
+ PATHS
+ /usr/lib/java
+)
+
+find_file(OSUTIL_JAR
+ NAMES
+ osutil.jar
+ PATHS
+ /usr/lib/java
+)
+
+find_file(SYMKEY_JAR
+ NAMES
+ symkey.jar
+ PATHS
+ /usr/lib/java
+)
+
+
+# identify java sources
 set(kra_java_SRCS
 com/netscape/kra/KeyRecoveryAuthority.java
 com/netscape/kra/EnrollmentService.java
@@ -30,13 +85,21 @@ set(kra_java_SRCS
 com/netscape/kra/StorageKeyUnit.java
 )
 
+
+# set classpath
 set(CMAKE_JAVA_INCLUDE_PATH
- ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR} ${CMSUTIL_JAR}
- ${OSUTIL_JAR} ${SYMKEY_JAR} ${CMS_JAR} ${CMSCORE_JAR}
- ${CERTSRV_JAR})
+ ${CERTSRV_JAR} ${CMS_JAR} ${CMSCORE_JAR} ${CMSUTIL_JAR} ${NSUTIL_JAR}
+ ${LDAPJDK_JAR}
+ ${JSS_JAR} ${OSUTIL_JAR} ${SYMKEY_JAR})
+
+
+# set version
 set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
+
+
+# build kra.jar
 add_jar(kra ${kra_java_SRCS})
-add_dependencies(kra nsutil cmsutil osutil symkey cms cmscore certsrv)
+add_dependencies(kra osutil symkey nsutil cmsutil certsrv cms cmscore)
 install_jar(kra ${JAVA_JAR_INSTALL_DIR})
 
 set(KRA_JAR ${kra_JAR_FILE} CACHE INTERNAL "kra jar file")
+
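Review bot: None of the nine `find_file` calls in the first hunk is checked, so a missing jar becomes a `CERTSRV_JAR-NOTFOUND` entry on `CMAKE_JAVA_INCLUDE_PATH` in the second hunk and surfaces only as a confusing javac failure, and because none of them passes `NO_DEFAULT_PATH`, `find_file` also searches `CMAKE_PREFIX_PATH`, `PATH` and the system prefixes, so the jar that lands on the classpath is whichever copy is found first rather than the one in the listed directory. For `certsrv.jar`, `cms.jar` and `cmscore.jar` this looks like it compiles kra against a previously installed `/usr/share/java/pki` copy (or nothing, on a clean machine) even though `add_dependencies(kra ... certsrv cms cmscore)` says they are built in this tree — `add_dependencies` only orders the build, it does not put the fresh jar on the classpath; worth confirming against the sibling CMakeLists that publish those `*_JAR` cache variables. I'd add `NO_DEFAULT_PATH` to every `find_file` and fail at configure time when one is unresolved, with a single loop after the last `find_file`.
```cmake
# … unchanged: find_file(...) calls, each with NO_DEFAULT_PATH added …
foreach(jar CERTSRV_JAR CMS_JAR CMSCORE_JAR CMSUTIL_JAR NSUTIL_JAR LDAPJDK_JAR JSS_JAR OSUTIL_JAR SYMKEY_JAR)
  if(NOT ${jar})
    message(FATAL_ERROR "${jar}: required jar not found")
  endif()
endforeach()
# … unchanged: set(kra_java_SRCS …) …
```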
diff --git a/pki/base/ocsp/CMakeLists.txt b/pki/base/ocsp/CMakeLists.txt
index 373fb4d18..1a7809074 100644
--- a/pki/base/ocsp/CMakeLists.txt
+++ b/pki/base/ocsp/CMakeLists.txt
@@ -2,6 +2,7 @@ project(ocsp Java)
 
 add_subdirectory(src)
 add_subdirectory(setup)
+add_subdirectory(shared/conf)
 
 # install init script
 install(
@@ -25,6 +26,8 @@ install(
 "CMakeLists.txt" EXCLUDE
 PATTERN
 "etc/*" EXCLUDE
+ PATTERN
+ "CS.cfg.in" EXCLUDE
 )
 
 # install empty directories
diff --git a/pki/base/ocsp/shared/conf/CMakeLists.txt b/pki/base/ocsp/shared/conf/CMakeLists.txt
new file mode 100644
index 000000000..e3cef5915
--- /dev/null
+++ b/pki/base/ocsp/shared/conf/CMakeLists.txt
@@ -0,0 +1,12 @@
+set(VERSION ${APPLICATION_VERSION})
+set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR})
+set(MINOR_VERSION ${APPLICATION_VERSION_MINOR})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+ FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
diff --git a/pki/base/ocsp/shared/conf/CS.cfg b/pki/base/ocsp/shared/conf/CS.cfg
deleted file mode 100644
index e4f0d2d7b..000000000
--- a/pki/base/ocsp/shared/conf/CS.cfg
+++ /dev/null
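Review bot: `set(VERSION ${APPLICATION_VERSION})` and the two lines after it in the new ocsp/shared/conf/CMakeLists.txt silently produce an empty substitution when `APPLICATION_VERSION` is not defined in this scope — `configure_file(... @ONLY)` replaces an unresolved `@VERSION@` with nothing — and the installed CS.cfg then carries exactly the valueless `preop.product.version=` that the deleted CS.cfg had. A guard before the `configure_file` call turns that into a configure-time error: `if(NOT APPLICATION_VERSION) message(FATAL_ERROR "APPLICATION_VERSION is not set") endif()`. The three unprefixed plain variables also leak into this directory scope for no other reader's benefit; a one-line comment such as `# plain (non-cache) variables consumed by the @VERSION@/@MAJOR_VERSION@/@MINOR_VERSION@ tokens in CS.cfg.in` would make their purpose clear.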
@@ -1,324 +0,0 @@
-# --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2006 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
-pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
-pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
-pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT]
-pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT]
-pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT]
-pkicreate.secure_port=[PKI_SECURE_PORT]
-pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
-pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT]
-pkicreate.user=[PKI_USER]
-pkicreate.group=[PKI_GROUP]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
-installDate=[INSTALL_TIME]
-cs.type=OCSP
-admin.interface.uri=ocsp/admin/console/config/wizard
-agent.interface.uri=ocsp/agent/ocsp
-preop.admin.name=Online Certificate Status Manager Administrator
-preop.admin.group=Online Certificate Status Manager Agents
-preop.admincert.profile=caAdminCert
-preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445
-preop.wizard.name=OCSP Setup Wizard
-preop.product.name=CS
-preop.product.version=
-preop.system.name=OCSP
-preop.system.fullname=OCSP Responder
-preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
-preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
-preop.configModules.module0.imagePath=../img/clearpixel.gif
-preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
-preop.configModules.module1.commonName=nfast
-preop.configModules.module1.imagePath=../img/clearpixel.gif
-preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
-preop.configModules.module2.commonName=lunasa
-preop.configModules.module2.imagePath=../img/clearpixel.gif
-preop.configModules.count=3
-preop.module.token=Internal Key Storage Token
-ocsp.cert.list=signing,sslserver,subsystem,audit_signing
-preop.cert.list=signing,sslserver,subsystem,audit_signing
-preop.cert.ocsp_signing.enable=true
-preop.cert.sslserver.enable=true
-preop.cert.subsystem.enable=true
-preop.cert.audit_signing.enable=true
-preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.audit_signing.dn=CN=OCSP Audit Signing Certificate
-preop.cert.audit_signing.keysize.custom_size=2048
-preop.cert.audit_signing.keysize.size=2048
-preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
-preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
-preop.cert.audit_signing.signing.required=false
-preop.cert.audit_signing.subsystem=ocsp
-preop.cert.audit_signing.type=remote
-preop.cert.audit_signing.userfriendlyname=OCSP Audit Signing Certificate
-preop.cert.audit_signing.cncomponent.override=true
-preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.signing.dn=CN=OCSP Signing Certificate
-preop.cert.signing.keysize.custom_size=2048
-preop.cert.signing.keysize.size=2048
-preop.cert.signing.nickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
-preop.cert.signing.profile=caInternalAuthOCSPCert
-preop.cert.signing.signing.required=true
-preop.cert.signing.subsystem=ocsp
-preop.cert.signing.type=remote
-preop.cert.signing.userfriendlyname=OCSP Signing Certificate
-preop.cert.signing.cncomponent.override=true
-preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME]
-preop.cert.sslserver.keysize.custom_size=2048
-preop.cert.sslserver.keysize.size=2048
-preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
-preop.cert.sslserver.profile=caInternalAuthServerCert
-preop.cert.sslserver.signing.required=false
-preop.cert.sslserver.subsystem=ocsp
-preop.cert.sslserver.type=remote
-preop.cert.sslserver.userfriendlyname=SSL Server Certificate
-preop.cert.sslserver.cncomponent.override=false
-preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.subsystem.dn=CN=OCSP Subsystem Certificate
-preop.cert.subsystem.keysize.custom_size=2048
-preop.cert.subsystem.keysize.size=2048
-preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
-preop.cert.subsystem.profile=caInternalAuthSubsystemCert
-preop.cert.subsystem.signing.required=false
-preop.cert.subsystem.subsystem=ocsp
-preop.cert.subsystem.type=remote
-preop.cert.subsystem.userfriendlyname=Subsystem Certificate
-preop.cert.subsystem.cncomponent.override=true
-cs.state=0
-authType=pwd
-instanceRoot=[PKI_INSTANCE_PATH]
-machineName=[PKI_MACHINE_NAME]
-instanceId=[PKI_INSTANCE_ID]
-service.machineName=[PKI_MACHINE_NAME]
-service.instanceDir=[PKI_INSTANCE_ROOT]
-service.securePort=[PKI_AGENT_SECURE_PORT]
-service.non_clientauth_securePort=[PKI_EE_SECURE_PORT]
-service.unsecurePort=[PKI_UNSECURE_PORT]
-service.instanceID=[PKI_INSTANCE_ID]
-preop.pin=[PKI_RANDOM_NUMBER]
-passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf
-passwordClass=com.netscape.cmsutil.password.PlainPasswordFile
-multiroles=true
-multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group
-CrossCertPair._000=##
-CrossCertPair._001=## CrossCertPair Import
-CrossCertPair._002=##
-CrossCertPair.ldap=internaldb
-accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
-accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
-accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
-auths._000=##
-auths._001=## new authentication
-auths._002=##
-auths.impl._000=##
-auths.impl._001=## authentication manager implementations
-auths.impl._002=##
-auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication
-auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth
-auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth
-auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
-auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication
-auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication
-auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
-auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
-auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
-auths.instance.AgentCertAuth.pluginName=AgentCertAuth
-auths.instance.TokenAuth.pluginName=TokenAuth
-auths.revocationChecking.bufferSize=50
-authz._000=##
-authz._001=## new authorizatioin
-authz._002=##
-authz.evaluateOrder=deny,allow
-authz.sourceType=ldap
-authz.impl._000=##
-authz.impl._001=## authorization manager implementations
-authz.impl._002=##
-authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz
-authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
-authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz
-authz.instance.DirAclAuthz.ldap=internaldb
-authz.instance.DirAclAuthz.pluginName=DirAclAuthz
-authz.instance.DirAclAuthz.ldap._000=##
-authz.instance.DirAclAuthz.ldap._001=## Internal Database
-authz.instance.DirAclAuthz.ldap._002=##
-cmc.cert.confirmRequired=false
-cmc.lraPopWitness.verify.allow=true
-cmc.revokeCert.verify=true
-cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
-cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
-cms.version=
-dbs.ldap=internaldb
-dbs.newSchemaEntryAdded=true
-debug.append=true
-debug.enabled=true
-debug.filename=[PKI_INSTANCE_PATH]/logs/debug
-debug.hashkeytypes=
-debug.level=0
-debug.showcaller=false
-keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
-keys.ecc.curve.default=nistp521
-keys.rsa.keysize.default=2048
-internaldb._000=##
-internaldb._001=## Internal Database
-internaldb._002=##
-internaldb.maxConns=15
-internaldb.minConns=3
-internaldb.ldapauth.authtype=BasicAuth
-internaldb.ldapauth.bindDN=cn=Directory Manager
-internaldb.ldapauth.bindPWPrompt=Internal LDAP Database
-internaldb.ldapauth.clientCertNickname=
-internaldb.ldapconn.host=
-internaldb.ldapconn.port=
-internaldb.ldapconn.secureConn=false
-preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/schema.ldif
-preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/database.ldif
-preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ocsp/conf/acl.ldif
-preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/index.ldif
-preop.internaldb.post_ldif=
-preop.internaldb.wait_dn=
-internaldb.multipleSuffix.enable=false
-jss._000=##
-jss._001=## JSS
-jss._002=##
-jss.configDir=[PKI_INSTANCE_PATH]/alias/
-jss.enable=true
-jss.secmodName=secmod.db
-jss.ocspcheck.enable=false
-jss.ssl.cipherfortezza=true
-jss.ssl.cipherpref=
-jss.ssl.cipherversion=cipherdomestic
-log._000=##
-log._001=## Logging
-log._002=##
-log.impl.file.class=com.netscape.cms.logging.RollingLogFile
-log.instance.SignedAudit._000=##
-log.instance.SignedAudit._001=## Signed Audit Logging
-log.instance.SignedAudit._002=##
-log.instance.SignedAudit.bufferSize=512
-log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events._000=##
-log.instance.SignedAudit.events._001=## Available Audit events:
-log.instance.SignedAudit.events._002=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS,
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
-log.instance.SignedAudit.events._003=##
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS,
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
-log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ocsp_cert-ocsp_audit
-log.instance.SignedAudit.flushInterval=5
-log.instance.SignedAudit.level=1
-log.instance.SignedAudit.logSigning=false
-log.instance.SignedAudit.maxFileSize=2000
-log.instance.SignedAudit.pluginName=file
-log.instance.SignedAudit.rolloverInterval=2592000
-log.instance.SignedAudit.signedAudit:_000=##
-log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow OCSP audit logs to be signed
-log.instance.SignedAudit.signedAudit:_002=##
-log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
-log.instance.SignedAudit.type=signedAudit
-log.instance.System._000=##
-log.instance.System._001=## System Logging
-log.instance.System._002=##
-log.instance.System.bufferSize=512
-log.instance.System.enable=true
-log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
-log.instance.System.flushInterval=5
-log.instance.System.level=3
-log.instance.System.maxFileSize=2000
-log.instance.System.pluginName=file
-log.instance.System.rolloverInterval=2592000
-log.instance.System.type=system
-log.instance.Transactions._000=##
-log.instance.Transactions._001=## Transaction Logging
-log.instance.Transactions._002=##
-log.instance.Transactions.bufferSize=512
-log.instance.Transactions.enable=true
-log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
-log.instance.Transactions.flushInterval=5
-log.instance.Transactions.level=1
-log.instance.Transactions.maxFileSize=2000
-log.instance.Transactions.pluginName=file
-log.instance.Transactions.rolloverInterval=2592000
-log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/error
-ocsp.certNickname=
-ocsp.storeId=defStore
-ocsp.signing.certnickname=
-ocsp.signing.defaultSigningAlgorithm=SHA256withRSA
-ocsp.signing.tokenname=internal
-ocsp.store.defStore.class=com.netscape.cms.ocsp.DefStore
-ocsp.store.defStore.includeNextUpdate=false
-ocsp.store.defStore.notFoundAsGood=true
-ocsp.store.ldapStore.class=com.netscape.cms.ocsp.LDAPStore
-oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
-oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
-oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
-oidmap.challenge_password.oid=1.2.840.113549.1.9.7
-oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension
-oidmap.extended_key_usage.oid=2.5.29.37
-oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
-oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14
-oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
-oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8
-oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension
-oidmap.netscape_comment.oid=2.16.840.1.113730.1.13
-oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension
-oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5
-oidmap.pse.class=netscape.security.extensions.PresenceServerExtension
-oidmap.pse.oid=2.16.840.1.113730.1.18
-oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
-oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
-os.serverName=cert-[PKI_INSTANCE_ID]
-os.userid=nobody
-registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg
-selftests._000=##
-selftests._001=## Self Tests
-selftests._002=##
-selftests._003=## The Self-Test plugin SystemCertsVerification uses the
-selftests._004=## following parameters (where certusage is optional):
-selftests._005=## ocsp.cert.list =
-selftests._006=## ocsp.cert..nickname
-selftests._007=## ocsp.cert..certusage
-selftests._008=##
-selftests.container.instance.OCSPPresence=com.netscape.cms.selftests.ocsp.OCSPPresence
-selftests.container.instance.OCSPValidity=com.netscape.cms.selftests.ocsp.OCSPValidity
-selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification
-selftests.container.logger.bufferSize=512
-selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
-selftests.container.logger.enable=true
-selftests.container.logger.expirationTime=0
-selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
-selftests.container.logger.flushInterval=5
-selftests.container.logger.level=1
-selftests.container.logger.maxFileSize=2000
-selftests.container.logger.register=false
-selftests.container.logger.rolloverInterval=2592000
-selftests.container.logger.type=transaction
-selftests.container.order.onDemand=OCSPPresence:critical, SystemCertsVerification:critical, OCSPValidity:critical
-selftests.container.order.startup=OCSPPresence:critical, SystemCertsVerification:critical
-selftests.plugin.OCSPPresence.OcspSubId=ocsp
-selftests.plugin.OCSPValidity.OcspSubId=ocsp
-selftests.plugin.SystemCertsVerification.SubId=ocsp
-smtp.host=localhost
-smtp.port=25
-subsystem.0.class=com.netscape.ocsp.OCSPAuthority
-subsystem.0.id=ocsp
-subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
-subsystem.1.id=selftests
-subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
-subsystem.2.id=stats
-usrgrp._000=##
-usrgrp._001=## User/Group
-usrgrp._002=##
-usrgrp.ldap=internaldb
-multiroles._000=##
-multiroles._001=## multiroles
-multiroles._002=##
-multiroles.enable=true
-multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group
diff --git a/pki/base/ocsp/shared/conf/CS.cfg.in b/pki/base/ocsp/shared/conf/CS.cfg.in
new file mode 100644
index 000000000..84553d3fc
--- /dev/null
+++ b/pki/base/ocsp/shared/conf/CS.cfg.in
@@ -0,0 +1,324 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2006 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
+pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT]
+pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT]
+pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT]
+pkicreate.secure_port=[PKI_SECURE_PORT]
+pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
+pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
+installDate=[INSTALL_TIME]
+cs.type=OCSP
+admin.interface.uri=ocsp/admin/console/config/wizard
+agent.interface.uri=ocsp/agent/ocsp
+preop.admin.name=Online Certificate Status Manager Administrator
+preop.admin.group=Online Certificate Status Manager Agents
+preop.admincert.profile=caAdminCert
+preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445
+preop.wizard.name=OCSP Setup Wizard
+preop.product.name=CS
+preop.product.version=@VERSION@
+preop.system.name=OCSP
+preop.system.fullname=OCSP Responder
+preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
+preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
+preop.configModules.module0.imagePath=../img/clearpixel.gif
+preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
+preop.configModules.module1.commonName=nfast
+preop.configModules.module1.imagePath=../img/clearpixel.gif
+preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
+preop.configModules.module2.commonName=lunasa
+preop.configModules.module2.imagePath=../img/clearpixel.gif
+preop.configModules.count=3
+preop.module.token=Internal Key Storage Token
+ocsp.cert.list=signing,sslserver,subsystem,audit_signing
+preop.cert.list=signing,sslserver,subsystem,audit_signing
+preop.cert.ocsp_signing.enable=true
+preop.cert.sslserver.enable=true
+preop.cert.subsystem.enable=true
+preop.cert.audit_signing.enable=true
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.audit_signing.dn=CN=OCSP Audit Signing Certificate
+preop.cert.audit_signing.keysize.custom_size=2048
+preop.cert.audit_signing.keysize.size=2048
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
+preop.cert.audit_signing.signing.required=false
+preop.cert.audit_signing.subsystem=ocsp
+preop.cert.audit_signing.type=remote
+preop.cert.audit_signing.userfriendlyname=OCSP Audit Signing Certificate
+preop.cert.audit_signing.cncomponent.override=true
+preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.signing.dn=CN=OCSP Signing Certificate
+preop.cert.signing.keysize.custom_size=2048
+preop.cert.signing.keysize.size=2048
+preop.cert.signing.nickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.signing.profile=caInternalAuthOCSPCert
+preop.cert.signing.signing.required=true
+preop.cert.signing.subsystem=ocsp
+preop.cert.signing.type=remote
+preop.cert.signing.userfriendlyname=OCSP Signing Certificate
+preop.cert.signing.cncomponent.override=true
+preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME]
+preop.cert.sslserver.keysize.custom_size=2048
+preop.cert.sslserver.keysize.size=2048
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
+preop.cert.sslserver.profile=caInternalAuthServerCert
+preop.cert.sslserver.signing.required=false
+preop.cert.sslserver.subsystem=ocsp
+preop.cert.sslserver.type=remote
+preop.cert.sslserver.userfriendlyname=SSL Server Certificate
+preop.cert.sslserver.cncomponent.override=false
+preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.subsystem.dn=CN=OCSP Subsystem
Certificate
+preop.cert.subsystem.keysize.custom_size=2048
+preop.cert.subsystem.keysize.size=2048
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
+preop.cert.subsystem.profile=caInternalAuthSubsystemCert
+preop.cert.subsystem.signing.required=false
+preop.cert.subsystem.subsystem=ocsp
+preop.cert.subsystem.type=remote
+preop.cert.subsystem.userfriendlyname=Subsystem Certificate
+preop.cert.subsystem.cncomponent.override=true
+cs.state=0
+authType=pwd
+instanceRoot=[PKI_INSTANCE_PATH]
+machineName=[PKI_MACHINE_NAME]
+instanceId=[PKI_INSTANCE_ID]
+service.machineName=[PKI_MACHINE_NAME]
+service.instanceDir=[PKI_INSTANCE_ROOT]
+service.securePort=[PKI_AGENT_SECURE_PORT]
+service.non_clientauth_securePort=[PKI_EE_SECURE_PORT]
+service.unsecurePort=[PKI_UNSECURE_PORT]
+service.instanceID=[PKI_INSTANCE_ID]
+preop.pin=[PKI_RANDOM_NUMBER]
+passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf
+passwordClass=com.netscape.cmsutil.password.PlainPasswordFile
+multiroles=true
+multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group
+CrossCertPair._000=##
+CrossCertPair._001=## CrossCertPair Import
+CrossCertPair._002=##
+CrossCertPair.ldap=internaldb
+accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
+accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
+accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
+auths._000=##
+auths._001=## new authentication
+auths._002=##
+auths.impl._000=##
+auths.impl._001=## authentication manager implementations
+auths.impl._002=##
+auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication
+auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth
+auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth
+auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
+auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication
+auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication
+auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
+auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
+auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
+auths.instance.AgentCertAuth.pluginName=AgentCertAuth
+auths.instance.TokenAuth.pluginName=TokenAuth
+auths.revocationChecking.bufferSize=50
+authz._000=##
+authz._001=## new authorizatioin
+authz._002=##
+authz.evaluateOrder=deny,allow
+authz.sourceType=ldap
+authz.impl._000=##
+authz.impl._001=## authorization manager implementations
+authz.impl._002=##
+authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz
+authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
+authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz
+authz.instance.DirAclAuthz.ldap=internaldb
+authz.instance.DirAclAuthz.pluginName=DirAclAuthz
+authz.instance.DirAclAuthz.ldap._000=##
+authz.instance.DirAclAuthz.ldap._001=## Internal Database
+authz.instance.DirAclAuthz.ldap._002=##
+cmc.cert.confirmRequired=false
+cmc.lraPopWitness.verify.allow=true
+cmc.revokeCert.verify=true
+cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+cms.version=@MAJOR_VERSION@.@MINOR_VERSION@
+dbs.ldap=internaldb
+dbs.newSchemaEntryAdded=true
+debug.append=true
+debug.enabled=true
+debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.hashkeytypes=
+debug.level=0
+debug.showcaller=false
+keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
+keys.ecc.curve.default=nistp521
+keys.rsa.keysize.default=2048
+internaldb._000=##
+internaldb._001=## Internal Database
+internaldb._002=##
+internaldb.maxConns=15
+internaldb.minConns=3
+internaldb.ldapauth.authtype=BasicAuth
+internaldb.ldapauth.bindDN=cn=Directory Manager
+internaldb.ldapauth.bindPWPrompt=Internal LDAP Database
+internaldb.ldapauth.clientCertNickname=
+internaldb.ldapconn.host=
+internaldb.ldapconn.port=
+internaldb.ldapconn.secureConn=false
+preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/schema.ldif
+preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ocsp/conf/acl.ldif
+preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/index.ldif
+preop.internaldb.post_ldif=
+preop.internaldb.wait_dn=
+internaldb.multipleSuffix.enable=false
+jss._000=##
+jss._001=## JSS
+jss._002=##
+jss.configDir=[PKI_INSTANCE_PATH]/alias/
+jss.enable=true
+jss.secmodName=secmod.db
+jss.ocspcheck.enable=false
+jss.ssl.cipherfortezza=true
+jss.ssl.cipherpref=
+jss.ssl.cipherversion=cipherdomestic
+log._000=##
+log._001=## Logging
+log._002=##
+log.impl.file.class=com.netscape.cms.logging.RollingLogFile
+log.instance.SignedAudit._000=##
+log.instance.SignedAudit._001=## Signed Audit Logging
+log.instance.SignedAudit._002=##
+log.instance.SignedAudit.bufferSize=512
+log.instance.SignedAudit.enable=true
+log.instance.SignedAudit.events._000=##
+log.instance.SignedAudit.events._001=## Available Audit events:
+log.instance.SignedAudit.events._002=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS,
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
+log.instance.SignedAudit.events._003=##
+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS,
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION +log.instance.SignedAudit.expirationTime=0 +log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ocsp_cert-ocsp_audit +log.instance.SignedAudit.flushInterval=5 +log.instance.SignedAudit.level=1 +log.instance.SignedAudit.logSigning=false +log.instance.SignedAudit.maxFileSize=2000 +log.instance.SignedAudit.pluginName=file +log.instance.SignedAudit.rolloverInterval=2592000 +log.instance.SignedAudit.signedAudit:_000=## +log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow OCSP audit logs to be signed +log.instance.SignedAudit.signedAudit:_002=## +log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID] +log.instance.SignedAudit.type=signedAudit +log.instance.System._000=## +log.instance.System._001=## System Logging +log.instance.System._002=## +log.instance.System.bufferSize=512 +log.instance.System.enable=true +log.instance.System.expirationTime=0 +log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system +log.instance.System.flushInterval=5 +log.instance.System.level=3 +log.instance.System.maxFileSize=2000 +log.instance.System.pluginName=file +log.instance.System.rolloverInterval=2592000 +log.instance.System.type=system +log.instance.Transactions._000=## +log.instance.Transactions._001=## Transaction Logging +log.instance.Transactions._002=## +log.instance.Transactions.bufferSize=512 +log.instance.Transactions.enable=true +log.instance.Transactions.expirationTime=0 
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.flushInterval=5
+log.instance.Transactions.level=1
+log.instance.Transactions.maxFileSize=2000
+log.instance.Transactions.pluginName=file
+log.instance.Transactions.rolloverInterval=2592000
+log.instance.Transactions.type=transaction
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+ocsp.certNickname=
+ocsp.storeId=defStore
+ocsp.signing.certnickname=
+ocsp.signing.defaultSigningAlgorithm=SHA256withRSA
+ocsp.signing.tokenname=internal
+ocsp.store.defStore.class=com.netscape.cms.ocsp.DefStore
+ocsp.store.defStore.includeNextUpdate=false
+ocsp.store.defStore.notFoundAsGood=true
+ocsp.store.ldapStore.class=com.netscape.cms.ocsp.LDAPStore
+oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
+oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
+oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
+oidmap.challenge_password.oid=1.2.840.113549.1.9.7
+oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension
+oidmap.extended_key_usage.oid=2.5.29.37
+oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
+oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14
+oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
+oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8
+oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension
+oidmap.netscape_comment.oid=2.16.840.1.113730.1.13
+oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension
+oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5
+oidmap.pse.class=netscape.security.extensions.PresenceServerExtension
+oidmap.pse.oid=2.16.840.1.113730.1.18
+oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
+oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
+os.serverName=cert-[PKI_INSTANCE_ID]
+os.userid=nobody
+registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg
+selftests._000=##
+selftests._001=## Self Tests
+selftests._002=##
+selftests._003=## The Self-Test plugin SystemCertsVerification uses the
+selftests._004=## following parameters (where certusage is optional):
+selftests._005=## ocsp.cert.list =
+selftests._006=## ocsp.cert..nickname
+selftests._007=## ocsp.cert..certusage
+selftests._008=##
+selftests.container.instance.OCSPPresence=com.netscape.cms.selftests.ocsp.OCSPPresence
+selftests.container.instance.OCSPValidity=com.netscape.cms.selftests.ocsp.OCSPValidity
+selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification
+selftests.container.logger.bufferSize=512
+selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
+selftests.container.logger.enable=true
+selftests.container.logger.expirationTime=0
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.flushInterval=5
+selftests.container.logger.level=1
+selftests.container.logger.maxFileSize=2000
+selftests.container.logger.register=false
+selftests.container.logger.rolloverInterval=2592000
+selftests.container.logger.type=transaction
+selftests.container.order.onDemand=OCSPPresence:critical, SystemCertsVerification:critical, OCSPValidity:critical
+selftests.container.order.startup=OCSPPresence:critical, SystemCertsVerification:critical
+selftests.plugin.OCSPPresence.OcspSubId=ocsp
+selftests.plugin.OCSPValidity.OcspSubId=ocsp
+selftests.plugin.SystemCertsVerification.SubId=ocsp
+smtp.host=localhost
+smtp.port=25
+subsystem.0.class=com.netscape.ocsp.OCSPAuthority
+subsystem.0.id=ocsp
+subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
+subsystem.1.id=selftests
+subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
+subsystem.2.id=stats
+usrgrp._000=##
+usrgrp._001=## User/Group
+usrgrp._002=##
+usrgrp.ldap=internaldb
+multiroles._000=##
+multiroles._001=## multiroles
+multiroles._002=##
+multiroles.enable=true
+multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group
diff --git a/pki/base/ocsp/src/CMakeLists.txt b/pki/base/ocsp/src/CMakeLists.txt
index 53f2dc58a..f707654e5 100644
--- a/pki/base/ocsp/src/CMakeLists.txt
+++ b/pki/base/ocsp/src/CMakeLists.txt
@@ -1,21 +1,76 @@
 project(ocsp_java Java)
-find_file(JSS_JAR
+# '/usr/share/java/pki' jars
+find_file(CERTSRV_JAR
 NAMES
- jss4.jar
+ certsrv.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMS_JAR
+ NAMES
+ cms.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMSCORE_JAR
+ NAMES
+ cmscore.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMSUTIL_JAR
+ NAMES
+ cmsutil.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(NSUTIL_JAR
+ NAMES
+ nsutil.jar
 PATHS
 /usr/lib/java
- /usr/share/java
+ /usr/share/java/pki
 )
+
+# '/usr/share/java' jars
 find_file(LDAPJDK_JAR
 NAMES
 ldapjdk.jar
 PATHS
- /usr/lib/java
 /usr/share/java
 )
+
+# '/usr/lib/java' jars
+find_file(JSS_JAR
+ NAMES
+ jss4.jar
+ PATHS
+ /usr/lib/java
+)
+
+find_file(OSUTIL_JAR
+ NAMES
+ osutil.jar
+ PATHS
+ /usr/lib/java
+)
+
+find_file(SYMKEY_JAR
+ NAMES
+ symkey.jar
+ PATHS
+ /usr/lib/java
+)
+
+
+# identify java sources
 set(ocsp_java_SRCS
 com/netscape/ocsp/OCSPResources.java
 com/netscape/ocsp/OCSPAuthority.java
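Review bot: None of the nine `find_file` lookups added in this hunk is checked, so a jar absent from `/usr/share/java/pki`, `/usr/share/java` or `/usr/lib/java` leaves its variable at `<NAME>-NOTFOUND`, and the `CMAKE_JAVA_INCLUDE_PATH` assignment in the next hunk then hands that token to javac as a classpath entry, where the failure shows up as unresolved symbols instead of a configure-time error naming the missing dependency. A guard after the lookups, as sketched below, reports the problem where it occurs. Separately, `find_file` still searches CMake's default locations in addition to the listed `PATHS`, so the `# '/usr/share/java/pki' jars` grouping comments do not actually pin where a jar is taken from; either add `NO_DEFAULT_PATH` to each call or reword the comments to say the paths are hints.
```cmake
# … unchanged: find_file() lookups …

# Fail at configure time if any dependency jar is missing instead of
# letting a "<NAME>-NOTFOUND" token reach the javac classpath.
foreach(jar CERTSRV_JAR CMS_JAR CMSCORE_JAR CMSUTIL_JAR NSUTIL_JAR
            LDAPJDK_JAR JSS_JAR OSUTIL_JAR SYMKEY_JAR)
  if(NOT ${jar})
    message(FATAL_ERROR "${jar}: required jar not found")
  endif()
endforeach()

# … unchanged: identify java sources …
```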
@@ -23,13 +78,21 @@ set(ocsp_java_SRCS
 com/netscape/ocsp/EOCSPException.java
 )
+
+# set classpath
 set(CMAKE_JAVA_INCLUDE_PATH
- ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR} ${CMSUTIL_JAR}
- ${OSUTIL_JAR} ${SYMKEY_JAR} ${CMS_JAR} ${CMSCORE_JAR}
- ${CERTSRV_JAR})
+ ${CERTSRV_JAR} ${CMS_JAR} ${CMSCORE_JAR} ${CMSUTIL_JAR} ${NSUTIL_JAR}
+ ${LDAPJDK_JAR}
+ ${JSS_JAR} ${OSUTIL_JAR} ${SYMKEY_JAR})
+
+
+# set version
 set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
+
+# build ocsp.jar
 add_jar(ocsp ${ocsp_java_SRCS})
-add_dependencies(ocsp nsutil cmsutil osutil symkey cms cmscore certsrv)
+add_dependencies(ocsp osutil symkey nsutil cmsutil certsrv cms cmscore)
 install_jar(ocsp ${JAVA_JAR_INSTALL_DIR})
 set(OCSP_JAR ${ocsp_JAR_FILE} CACHE INTERNAL "ocsp jar file")
+
diff --git a/pki/base/ra/CMakeLists.txt b/pki/base/ra/CMakeLists.txt
index f5aaa1479..59910fe95 100644
--- a/pki/base/ra/CMakeLists.txt
+++ b/pki/base/ra/CMakeLists.txt
@@ -1,7 +1,7 @@
 project(ra)
-add_subdirectory(setup)
 add_subdirectory(doc)
+add_subdirectory(setup)
 # install init script
 install(
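Review bot: `add_dependencies(ocsp osutil symkey nsutil cmsutil certsrv cms cmscore)` orders the build after the in-tree jar targets, but `CMAKE_JAVA_INCLUDE_PATH` is assembled from the `find_file` results of the previous hunk, which resolve to whatever `certsrv.jar`, `cmsutil.jar` etc. are already installed under `/usr/share/java/pki` — unless a sibling target has already published its build-tree jar into the same cache variable (as this file does for `OCSP_JAR` via `CACHE INTERNAL`), in which case `find_file` is a no-op. Which of the two happens depends on subdirectory order and on what is installed on the build host, so `ocsp.jar` can be compiled against a previously installed copy of a dependency rather than the one this build produces, with no diagnostic. Either reference the build-tree outputs directly when the target exists (the `<target>_JAR_FILE` variables `add_jar` sets, as `${ocsp_JAR_FILE}` is used at the bottom of this hunk) or state the assumption in the comment, e.g. `# set classpath (installed jars located above; the sibling targets only order the build)`.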
@@ -13,69 +13,52 @@ install(
 OWNER_EXECUTE OWNER_WRITE OWNER_READ
 GROUP_EXECUTE GROUP_READ
 WORLD_EXECUTE WORLD_READ
- PATTERN
- "CMakeLists.txt" EXCLUDE
-)
-
-install(
- FILES
- scripts/nss_pcache
- DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
- PERMISSIONS
- OWNER_EXECUTE OWNER_WRITE OWNER_READ
- GROUP_EXECUTE GROUP_READ
- WORLD_EXECUTE WORLD_READ
-)
-
-install(
- FILES
- scripts/schema.sql
- DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
 )
-# install directories
 install(
 DIRECTORY
- alias/
+ apache/conf/
 DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/alias
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
 )
 install(
 DIRECTORY
- lib/
+ emails/
 DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/lib
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
 )
 install(
 DIRECTORY
- logs/
+ forms/
 DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/logs
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot
 )
 install(
 DIRECTORY
- forms/
+ lib/
 DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot/forms
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/lib
 )
 install(
- DIRECTORY
- emails/
+ FILES
+ scripts/nss_pcache
 DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/emails
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
 )
 install(
- DIRECTORY
- apache/conf/
+ FILES
+ scripts/schema.sql
 DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/apache/conf
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
 )
 # install empty directories
@@ -90,3 +73,4 @@ install(
 DESTINATION
 ${VAR_INSTALL_DIR}/run/pki/ra
 )
+
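Review bot: The removed `PATTERN "CMakeLists.txt" EXCLUDE` belonged to the `# install init script` install whose opening lines are outside this hunk; if that call is still an `install(DIRECTORY …)` over a tree that carries its own `CMakeLists.txt`, the build file is now installed next to the scripts with the execute bits granted by the surviving `PERMISSIONS` block, whereas if the call was changed to `install(FILES …)` the pattern was dead and the removal is fine — the hunk does not show which. Separately, `apache/conf/` and `emails/` are now both installed into `…/${PROJECT_NAME}/conf`; with two `install(DIRECTORY)` calls targeting one directory, a file present in both source trees is silently overwritten by whichever install runs later, so a line such as `# apache/conf/ and emails/ share one conf/ directory; keep their file names disjoint` above the first of the pair would record that constraint.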
diff --git a/pki/base/ra/doc/CS.cfg b/pki/base/ra/doc/CS.cfg
deleted file mode 100644
index 0fc0efb36..000000000
--- a/pki/base/ra/doc/CS.cfg
+++ /dev/null
@@ -1,256 +0,0 @@ -# --- BEGIN COPYRIGHT BLOCK --- -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2007 Red Hat, Inc. -# All rights reserved. -# --- END COPYRIGHT BLOCK --- -# -pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] -pkicreate.pki_instance_name=[PKI_INSTANCE_ID] -pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] -pkicreate.secure_port=[SECURE_PORT] -pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT] -pkicreate.unsecure_port=[PORT] -pkicreate.user=[PKI_USER] -pkicreate.group=[PKI_GROUP] -pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -request._000=######################################### -request._001=# Request Queue Parameters -request._002=######################################### -agent.authorized_groups=administrators,agents -admin.authorized_groups=administrators -database.dbfile=[SERVER_ROOT]/conf/dbfile -database.lockfile=[SERVER_ROOT]/conf/dblock -request.renewal.approve_request.0.ca=ca1 -request.renewal.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA -request.renewal.approve_request.0.profileId=caDualRAuserCert -request.renewal.approve_request.0.reqType=crmf -request.renewal.approve_request.1.mailTo=$created_by -request.renewal.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification -request.renewal.approve_request.1.templateDir=/usr/share/pki/ra/conf 
-request.renewal.approve_request.1.templateFile=mail_approve_request.vm -request.renewal.approve_request.num_plugins=2 -request.renewal.reject_request.num_plugins=0 -request.renewal.create_request.0.assignTo=agents -request.renewal.create_request.0.plugin=PKI::Request::Plugin::AutoAssign -request.renewal.create_request.1.mailTo=$created_by -request.renewal.create_request.1.plugin=PKI::Request::Plugin::EmailNotification -request.renewal.create_request.1.templateDir=/usr/share/pki/ra/conf -request.renewal.create_request.1.templateFile=mail_create_request.vm -request.renewal.create_request.num_plugins=2 -request.scep.profileId=caRARouterCert -request.scep.reqType=pkcs10 -request.scep.create_request.num_plugins=2 -request.scep.create_request.0.plugin=PKI::Request::Plugin::AutoAssign -request.scep.create_request.0.assignTo=agents -request.scep.create_request.1.plugin=PKI::Request::Plugin::EmailNotification -request.scep.create_request.1.mailTo= -request.scep.create_request.1.templateDir=/usr/share/pki/ra/conf -request.scep.create_request.1.templateFile=mail_create_request.vm -request.scep.approve_request.num_plugins=1 -request.scep.approve_request.0.plugin=PKI::Request::Plugin::CreatePin -request.scep.approve_request.0.pinFormat=$site_id -request.scep.reject_request.num_plugins=0 -request.agent.profileId=caRAagentCert -request.agent.reqType=crmf -request.agent.create_request.num_plugins=2 -request.agent.create_request.0.plugin=PKI::Request::Plugin::AutoAssign -request.agent.create_request.0.assignTo=agents -request.agent.create_request.1.plugin=PKI::Request::Plugin::EmailNotification -request.agent.create_request.1.mailTo= -request.agent.create_request.1.templateDir=/usr/share/pki/ra/conf -request.agent.create_request.1.templateFile=mail_create_request.vm -request.agent.approve_request.num_plugins=1 -request.agent.approve_request.0.plugin=PKI::Request::Plugin::CreatePin -request.agent.approve_request.0.pinFormat=$uid -request.agent.reject_request.num_plugins=0 
-request.user.create_request.num_plugins=2 -request.user.create_request.0.plugin=PKI::Request::Plugin::AutoAssign -request.user.create_request.0.assignTo=agents -request.user.create_request.1.plugin=PKI::Request::Plugin::EmailNotification -request.user.create_request.1.templateDir=/usr/share/pki/ra/conf -request.user.create_request.1.templateFile=mail_create_request.vm -request.user.create_request.1.mailTo= -request.user.approve_request.num_plugins=2 -request.user.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA -request.user.approve_request.0.ca=ca1 -request.user.approve_request.0.profileId=caDualRAuserCert -request.user.approve_request.0.reqType=crmf -request.user.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification -request.user.approve_request.1.mailTo=$created_by -request.user.approve_request.1.templateDir=/usr/share/pki/ra/conf -request.user.approve_request.1.templateFile=mail_approve_request.vm -request.user.reject_request.num_plugins=0 -request.server.create_request.num_plugins=2 -request.server.create_request.0.plugin=PKI::Request::Plugin::AutoAssign -request.server.create_request.0.assignTo=agents -request.server.create_request.1.plugin=PKI::Request::Plugin::EmailNotification -request.server.create_request.1.mailTo= -request.server.create_request.1.templateDir=/usr/share/pki/ra/conf -request.server.create_request.1.templateFile=mail_create_request.vm -request.server.approve_request.num_plugins=2 -request.server.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA -request.server.approve_request.0.ca=ca1 -request.server.approve_request.0.profileId=caRAserverCert -request.server.approve_request.0.reqType=pkcs10 -request.server.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification -request.server.approve_request.1.mailTo=$created_by -request.server.approve_request.1.templateDir=/usr/share/pki/ra/conf -request.server.approve_request.1.templateFile=mail_approve_request.vm -request.server.reject_request.num_plugins=0 
-cs.type=RA -service.machineName=[SERVER_NAME] -service.instanceDir=[SERVER_ROOT] -service.securePort=[SECURE_PORT] -service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT] -service.unsecurePort=[PORT] -service.instanceID=[PKI_INSTANCE_ID] -logging._000=######################################### -logging._001=# RA configuration File -logging._002=# -logging._003=# All <...> must be replaced with -logging._004=# appropriate values. -logging._005=######################################### -logging._006=######################################## -logging._007=# logging -logging._008=# -logging._009=# logging.debug.enable: -logging._010=# logging.audit.enable: -logging._011=# logging.error.enable: -logging._012=# - enable or disable the corresponding logging -logging._013=# logging.debug.filename: -logging._014=# logging.audit.filename: -logging._015=# logging.error.filename: -logging._016=# - name of the log file -logging._017=# logging.debug.level: -logging._018=# logging.audit.level: -logging._019=# logging.error.level: -logging._020=# - level of logging. (0-10) -logging._021=# 0 - no logging, -logging._022=# 4 - LL_PER_SERVER these messages will occur only once -logging._023=# during the entire invocation of the -logging._024=# server, e. g. at startup or shutdown -logging._025=# time., reading the conf parameters. -logging._026=# Perhaps other infrequent events -logging._027=# relating to failing over of CA, TKS, -logging._028=# too -logging._029=# 6 - LL_PER_CONNECTION these messages happen once per -logging._030=# connection - most of the log events -logging._031=# will be at this level -logging._032=# 8 - LL_PER_PDU these messages relate to PDU -logging._033=# processing. 
If you have something that -logging._034=# is done for every PDU, such as -logging._035=# applying the MAC, it should be logged -logging._036=# at this level -logging._037=# 9 - LL_ALL_DATA_IN_PDU dump all the data in the PDU - a more -logging._038=# chatty version of the above -logging._039=# 10 - all logging -logging._040=######################################### -logging.debug.enable=true -logging.debug.filename=[SERVER_ROOT]/logs/ra-debug.log -logging.debug.level=7 -logging.audit.enable=true -logging.audit.filename=[SERVER_ROOT]/logs/ra-audit.log -logging.audit.level=10 -logging.error.enable=true -logging.error.filename=[SERVER_ROOT]/logs/ra-error.log -logging.error.level=10 -conn.ca1._000=######################################### -conn.ca1._001=# CA connection -conn.ca1._002=# -conn.ca1._003=# conn.ca.hostport: -conn.ca1._004=# - host name and port number of your CA, format is host:port -conn.ca1._005=# conn.ca.clientNickname: -conn.ca1._006=# - nickname of the client certificate for -conn.ca1._007=# authentication -conn.ca1._008=# conn.ca.servlet.enrollment: -conn.ca1._009=# - servlet to contact in CA -conn.ca1._010=# - must be '/ca/ee/ca/profileSubmitSSLClient' -conn.ca1._008=# conn.ca.servlet.addagent: -conn.ca1._009=# - servlet to add ra agent on CA -conn.ca1._010=# - must be '/ca/admin/ca/registerRaUser -conn.ca1._011=# conn.ca.retryConnect: -conn.ca1._012=# - number of reconnection attempts on failure -conn.ca1._013=# conn.ca.timeout: -conn.ca1._014=# - connection timeout -conn.ca1._015=# conn.ca.SSLOn: -conn.ca1._016=# - enable SSL or not -conn.ca1._017=# conn.ca.keepAlive: -conn.ca1._018=# - enable keep alive or not -conn.ca1._019=# -conn.ca1._020=# where -conn.ca1._021=# - CA connection ID -conn.ca1._022=######################################### -failover.pod.enable=false -conn.ca1.hostport=[CA_HOST]:[CA_PORT] -conn.ca1.clientNickname=[HSM_LABEL][NICKNAME] -conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient 
-conn.ca1.servlet.addagent=/ca/admin/ca/registerRaUser -conn.ca1.servlet.revoke=/ca/subsystem/ca/doRevoke -conn.ca1.servlet.unrevoke=/ca/subsystem/ca/doUnrevoke -conn.ca1.retryConnect=3 -conn.ca1.timeout=100 -conn.ca1.SSLOn=true -conn.ca1.keepAlive=true -preop.pin=[PKI_RANDOM_NUMBER] -preop.product.version= -preop.cert._000=######################################### -preop.cert._001=# Installation configuration "preop" certs parameters -preop.cert._002=######################################### -preop.cert.list=sslserver,subsystem -preop.cert.sslserver.enable=true -preop.cert.subsystem.enable=true -preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA -preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID] -preop.cert.sslserver.keysize.customsize=2048 -preop.cert.sslserver.keysize.size=2048 -preop.cert.sslserver.keysize.select=custom -preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] -preop.cert.sslserver.profile=caInternalAuthServerCert -preop.cert.sslserver.subsystem=ra -preop.cert._003=#preop.cert.sslserver.type=local -preop.cert.sslserver.userfriendlyname=SSL Server Certificate -preop.cert._004=#preop.cert.sslserver.cncomponent.override=false -preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA -preop.cert.subsystem.dn=CN=RA Subsystem Certificate, OU=[PKI_INSTANCE_ID] -preop.cert.subsystem.keysize.customsize=2048 -preop.cert.subsystem.keysize.size=2048 -preop.cert.subsystem.keysize.select=custom -preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -preop.cert.subsystem.profile=caInternalAuthSubsystemCert -preop.cert.subsystem.subsystem=ra -preop.cert._005=#preop.cert.subsystem.type=local -preop.cert.subsystem.userfriendlyname=Subsystem Certificate -preop.cert._006=#preop.cert.subsystem.cncomponent.override=true -preop.configModules._000=######################################### -preop.configModules._001=# Installation configuration "preop" module parameters 
-preop.configModules._002=#########################################
-preop.configModules.count=3
-preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
-preop.configModules.module0.imagePath=../img/clearpixel.gif
-preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
-preop.configModules.module1.commonName=nfast
-preop.configModules.module1.imagePath=../img/clearpixel.gif
-preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
-preop.configModules.module2.commonName=lunasa
-preop.configModules.module2.imagePath=../img/clearpixel.gif
-preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
-preop.module.token=NSS Certificate DB
-preop.keysize._000=#########################################
-preop.keysize._001=# Installation configuration "preop" keysize parameters
-preop.keysize._002=#########################################
-preop.keysize.customsize=2048
-preop.keysize.select=default
-preop.keysize.size=2048
-preop.keysize.ecc.size=256
diff --git a/pki/base/ra/doc/CS.cfg.in b/pki/base/ra/doc/CS.cfg.in
index fd564abbc..4fea4674f 100644
--- a/pki/base/ra/doc/CS.cfg.in
+++ b/pki/base/ra/doc/CS.cfg.in
@@ -16,15 +16,15 @@
 # All rights reserved.
 # --- END COPYRIGHT BLOCK ---
 #
-pkicreate.pki_instance_root=[INSTANCE_ROOT]
-pkicreate.pki_instance_name=[INSTANCE_ID]
-pkicreate.subsystem_type=[SUBSYSTEM_TYPE]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
 pkicreate.secure_port=[SECURE_PORT]
 pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
 pkicreate.unsecure_port=[PORT]
-pkicreate.user=[USERID]
-pkicreate.group=[GROUPID]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 request._000=#########################################
 request._001=# Request Queue Parameters
 request._002=#########################################
@@ -115,7 +115,7 @@ service.instanceDir=[SERVER_ROOT]
 service.securePort=[SECURE_PORT]
 service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
 service.unsecurePort=[PORT]
-service.instanceID=[INSTANCE_ID]
+service.instanceID=[PKI_INSTANCE_ID]
 logging._000=#########################################
 logging._001=# RA configuration File
 logging._002=#
@@ -211,23 +211,23 @@ preop.cert._002=#########################################
 preop.cert.list=sslserver,subsystem
 preop.cert.sslserver.enable=true
 preop.cert.subsystem.enable=true
-preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[INSTANCE_ID]
+preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
 preop.cert.sslserver.keysize.customsize=2048
 preop.cert.sslserver.keysize.size=2048
 preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[INSTANCE_ID]
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
 preop.cert.sslserver.profile=caInternalAuthServerCert
 preop.cert.sslserver.subsystem=ra
 preop.cert._003=#preop.cert.sslserver.type=local
 preop.cert.sslserver.userfriendlyname=SSL Server Certificate
 preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
-preop.cert.subsystem.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.subsystem.dn=CN=RA Subsystem Certificate, OU=[INSTANCE_ID]
+preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.subsystem.dn=CN=RA Subsystem Certificate, OU=[PKI_INSTANCE_ID]
 preop.cert.subsystem.keysize.customsize=2048
 preop.cert.subsystem.keysize.size=2048
 preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 preop.cert.subsystem.profile=caInternalAuthSubsystemCert
 preop.cert.subsystem.subsystem=ra
 preop.cert._005=#preop.cert.subsystem.type=local
diff --git a/pki/base/tks/CMakeLists.txt b/pki/base/tks/CMakeLists.txt
index 023aaa020..0f1221eaa 100644
--- a/pki/base/tks/CMakeLists.txt
+++ b/pki/base/tks/CMakeLists.txt
@@ -2,6 +2,7 @@ project(tks Java)
 add_subdirectory(src)
 add_subdirectory(setup)
+add_subdirectory(shared/conf)
 # install init script
 install(
@@ -25,6 +26,8 @@ install(
 "CMakeLists.txt" EXCLUDE
 PATTERN
 "etc/*" EXCLUDE
+ PATTERN
+ "CS.cfg.in" EXCLUDE
 )
 # install empty directories
diff --git a/pki/base/tks/shared/conf/CMakeLists.txt b/pki/base/tks/shared/conf/CMakeLists.txt
new file mode 100644
index 000000000..e3cef5915
--- /dev/null
+++ b/pki/base/tks/shared/conf/CMakeLists.txt
@@ -0,0 +1,12 @@
+set(VERSION ${APPLICATION_VERSION})
+set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR})
+set(MINOR_VERSION ${APPLICATION_VERSION_MINOR})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+ FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
diff --git a/pki/base/tks/shared/conf/CS.cfg b/pki/base/tks/shared/conf/CS.cfg
deleted file mode 100644
index 55689d701..000000000
--- a/pki/base/tks/shared/conf/CS.cfg
+++ /dev/null
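Review bot: In the new `pki/base/tks/shared/conf/CMakeLists.txt` the three `set(VERSION …)`, `set(MAJOR_VERSION …)` and `set(MINOR_VERSION …)` lines introduce unprefixed directory-scope names whose only visible consumer is the `configure_file(… @ONLY)` call; a comment such as `# unprefixed on purpose: CS.cfg.in substitutes @VERSION@, @MAJOR_VERSION@ and @MINOR_VERSION@` would explain why they are not project-prefixed (the template is not in this hunk, so the substitution names are inferred). The `DESTINATION` also relies on `${PROJECT_NAME}` being inherited from the parent's `project(tks Java)` because this file declares no project of its own, which is worth a comment since a later `project()` call here would silently change the install path. Finally, `install(FILES ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg …)` sets no `PERMISSIONS`, so the generated template lands with CMake's defaults (owner read/write, group and world read); that is appropriate for a template under the share prefix, but stating it in a comment avoids a later reader assuming instance-private permissions are applied at this stage.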
@@ -1,343 +0,0 @@ -# --- BEGIN COPYRIGHT BLOCK --- -# Copyright (C) 2006 Red Hat, Inc. -# All rights reserved. -# --- END COPYRIGHT BLOCK --- -# -_000=## -_001=## File Created On : Mon Oct 10 15:57:03 PDT 2005 -_002=## -pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] -pkicreate.pki_instance_name=[PKI_INSTANCE_ID] -pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] -pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT] -pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT] -pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT] -pkicreate.secure_port=[PKI_SECURE_PORT] -pkicreate.unsecure_port=[PKI_UNSECURE_PORT] -pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT] -pkicreate.user=[PKI_USER] -pkicreate.group=[PKI_GROUP] -pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -installDate=[INSTALL_TIME] -cs.type=TKS -admin.interface.uri=tks/admin/console/config/wizard -preop.admin.name=Token Key Service Manager Administrator -preop.admin.group=Token Key Service Manager Agents -preop.admincert.profile=caAdminCert -preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445 -preop.wizard.name=TKS Setup Wizard -preop.system.name=TKS -preop.product.name=CS -preop.product.version= -preop.system.fullname=Token Key Service -tks.cert.list=sslserver,subsystem,audit_signing -preop.cert.list=sslserver,subsystem,audit_signing -preop.cert.sslserver.enable=true -preop.cert.subsystem.enable=true -preop.cert.audit_signing.enable=true -preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA -preop.cert.audit_signing.dn=CN=TKS Audit Signing Certificate -preop.cert.audit_signing.keysize.custom_size=2048 -preop.cert.audit_signing.keysize.size=2048 -preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID] -preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert -preop.cert.audit_signing.signing.required=false -preop.cert.audit_signing.subsystem=tks -preop.cert.audit_signing.type=remote -preop.cert.audit_signing.userfriendlyname=TKS Audit Signing Certificate 
-preop.cert.audit_signing.cncomponent.override=true -preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA -preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME] -preop.cert.sslserver.keysize.custom_size=2048 -preop.cert.sslserver.keysize.size=2048 -preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] -preop.cert.sslserver.profile=caInternalAuthServerCert -preop.cert.sslserver.signing.required=false -preop.cert.sslserver.subsystem=tks -preop.cert.sslserver.type=remote -preop.cert.sslserver.userfriendlyname=SSL Server Certificate -preop.cert.sslserver.cncomponent.override=false -preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA -preop.cert.subsystem.dn=CN=TKS Subsystem Certificate -preop.cert.subsystem.keysize.custom_size=2048 -preop.cert.subsystem.keysize.size=2048 -preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -preop.cert.subsystem.profile=caInternalAuthSubsystemCert -preop.cert.subsystem.signing.required=false -preop.cert.subsystem.subsystem=tks -preop.cert.subsystem.type=remote -preop.cert.subsystem.userfriendlyname=Subsystem Certificate -preop.cert.subsystem.cncomponent.override=true -preop.cert.admin.defaultSigningAlgorithm=SHA256withRSA -preop.cert.admin.dn=uid=admin,cn=admin -preop.cert.admin.keysize.custom_size=2048 -preop.cert.admin.keysize.size=2048 -preop.cert.admin.profile=adminCert.profile -preop.hierarchy.profile=caCert.profile -preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module -preop.configModules.module0.commonName=NSS Internal PKCS #11 Module -preop.configModules.module0.imagePath=../img/clearpixel.gif -preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module -preop.configModules.module1.commonName=nfast -preop.configModules.module1.imagePath=../img/clearpixel.gif -preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module -preop.configModules.module2.commonName=lunasa -preop.configModules.module2.imagePath=../img/clearpixel.gif 
-preop.configModules.count=3 -preop.module.token=Internal Key Storage Token -cs.state=0 -authType=pwd -instanceRoot=[PKI_INSTANCE_PATH] -machineName=[PKI_MACHINE_NAME] -instanceId=[PKI_INSTANCE_ID] -preop.pin=[PKI_RANDOM_NUMBER] -service.machineName=[PKI_MACHINE_NAME] -service.instanceDir=[PKI_INSTANCE_ROOT] -service.securePort=[PKI_AGENT_SECURE_PORT] -service.non_clientauth_securePort=[PKI_EE_SECURE_PORT] -service.unsecurePort=[PKI_UNSECURE_PORT] -service.instanceID=[PKI_INSTANCE_ID] -passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf -passwordClass=com.netscape.cmsutil.password.PlainPasswordFile -multiroles=true -multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group -CrossCertPair._000=## -CrossCertPair._001=## CrossCertPair Import -CrossCertPair._002=## -CrossCertPair.ldap=internaldb -accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator -accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator -accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator -auths._000=## -auths._001=## new authentication -auths._002=## -auths.impl._000=## -auths.impl._001=## authentication manager implementations -auths.impl._002=## -auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication -auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth -auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth -auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll -auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication 
-auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication -auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication -auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication -auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents -auths.instance.AgentCertAuth.pluginName=AgentCertAuth -auths.instance.TokenAuth.pluginName=TokenAuth -auths.revocationChecking.bufferSize=50 -authz._000=## -authz._001=## new authorizatioin -authz._002=## -authz.evaluateOrder=deny,allow -authz.sourceType=ldap -authz.impl._000=## -authz.impl._001=## authorization manager implementations -authz.impl._002=## -authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz -authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz -authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz -authz.instance.DirAclAuthz.ldap=internaldb -authz.instance.DirAclAuthz.pluginName=DirAclAuthz -authz.instance.DirAclAuthz.ldap._000=## -authz.instance.DirAclAuthz.ldap._001=## Internal Database -authz.instance.DirAclAuthz.ldap._002=## -cardcryptogram.validate.enable=true -cmc.cert.confirmRequired=false -cmc.lraPopWitness.verify.allow=true -cmc.revokeCert.verify=true -cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret -cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret -cms.version= -dbs.ldap=internaldb -dbs.newSchemaEntryAdded=true -debug.append=true -debug.enabled=true -debug.filename=[PKI_INSTANCE_PATH]/logs/debug -debug.hashkeytypes= -debug.level=0 -debug.showcaller=false 
-keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 -keys.ecc.curve.default=nistp521 -keys.rsa.keysize.default=2048 -internaldb._000=## -internaldb._001=## Internal Database -internaldb._002=## -internaldb.maxConns=15 -internaldb.minConns=3 -internaldb.ldapauth.authtype=BasicAuth -internaldb.ldapauth.bindDN=cn=Directory Manager -internaldb.ldapauth.bindPWPrompt=Internal LDAP Database -internaldb.ldapauth.clientCertNickname= -internaldb.ldapconn.host= -internaldb.ldapconn.port= -internaldb.ldapconn.secureConn=false -preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/schema.ldif -preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/database.ldif -preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/db.ldif,/usr/share/[PKI_FLAVOR]/tks/conf/acl.ldif -preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/index.ldif -preop.internaldb.post_ldif= -preop.internaldb.wait_dn= -internaldb.multipleSuffix.enable=false -jss._000=## -jss._001=## JSS -jss._002=## -jss.configDir=[PKI_INSTANCE_PATH]/alias/ -jss.enable=true -jss.secmodName=secmod.db -jss.ocspcheck.enable=false -jss.ssl.cipherfortezza=true -jss.ssl.cipherpref= -jss.ssl.cipherversion=cipherdomestic -log._000=## -log._001=## Logging -log._002=## -log.impl.file.class=com.netscape.cms.logging.RollingLogFile 
-log.instance.SignedAudit._000=## -log.instance.SignedAudit._001=## Signed Audit Logging -log.instance.SignedAudit._002=## -log.instance.SignedAudit.bufferSize=512 -log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events._000=## -log.instance.SignedAudit.events._001=## Available Audit events: -log.instance.SignedAudit.events._002=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION -log.instance.SignedAudit.events._003=## -log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION -log.instance.SignedAudit.expirationTime=0 -log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/tks_cert-tks_audit -log.instance.SignedAudit.flushInterval=5 -log.instance.SignedAudit.level=1 -log.instance.SignedAudit.logSigning=false -log.instance.SignedAudit.maxFileSize=2000 -log.instance.SignedAudit.pluginName=file -log.instance.SignedAudit.rolloverInterval=2592000 -log.instance.SignedAudit.signedAudit:_000=## -log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow TKS audit logs to be signed -log.instance.SignedAudit.signedAudit:_002=## -log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID] -log.instance.SignedAudit.type=signedAudit -log.instance.System._000=## -log.instance.System._001=## System Logging -log.instance.System._002=## -log.instance.System.bufferSize=512 -log.instance.System.enable=true -log.instance.System.expirationTime=0 -log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system -log.instance.System.flushInterval=5 -log.instance.System.level=3 -log.instance.System.maxFileSize=2000 -log.instance.System.pluginName=file -log.instance.System.rolloverInterval=2592000 -log.instance.System.type=system -log.instance.Transactions._000=## -log.instance.Transactions._001=## Transaction Logging -log.instance.Transactions._002=## -log.instance.Transactions.bufferSize=512 -log.instance.Transactions.enable=true -log.instance.Transactions.expirationTime=0 
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions -log.instance.Transactions.flushInterval=5 -log.instance.Transactions.level=1 -log.instance.Transactions.maxFileSize=2000 -log.instance.Transactions.pluginName=file -log.instance.Transactions.rolloverInterval=2592000 -log.instance.Transactions.type=transaction -logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access -logError.fileName=[PKI_INSTANCE_PATH]/logs/error -oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension -oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1 -oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword -oidmap.challenge_password.oid=1.2.840.113549.1.9.7 -oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension -oidmap.extended_key_usage.oid=2.5.29.37 -oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested -oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14 -oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested -oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8 -oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension -oidmap.netscape_comment.oid=2.16.840.1.113730.1.13 -oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension -oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5 -oidmap.pse.class=netscape.security.extensions.PresenceServerExtension -oidmap.pse.oid=2.16.840.1.113730.1.18 -oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension -oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 -os.serverName=cert-[PKI_INSTANCE_ID] -os.userid=nobody -registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg -selftests._000=## -selftests._001=## Self Tests -selftests._002=## -selftests._003=## The Self-Test plugin SystemCertsVerification uses the -selftests._004=## following parameters (where certusage is optional): -selftests._005=## 
tks.cert.list = -selftests._006=## tks.cert..nickname -selftests._007=## tks.cert..certusage -selftests._008=## -selftests.container.instance.TKSKnownSessionKey=com.netscape.cms.selftests.tks.TKSKnownSessionKey -selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification -selftests.container.logger.bufferSize=512 -selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile -selftests.container.logger.enable=true -selftests.container.logger.expirationTime=0 -selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log -selftests.container.logger.flushInterval=5 -selftests.container.logger.level=1 -selftests.container.logger.maxFileSize=2000 -selftests.container.logger.register=false -selftests.container.logger.rolloverInterval=2592000 -selftests.container.logger.type=transaction -selftests.container.order.onDemand=TKSKnownSessionKey:critical, SystemCertsVerification:critical -selftests.container.order.startup=TKSKnownSessionKey:critical, SystemCertsVerification:critical -selftests.plugin.TKSKnownSessionKey.CUID=#a0#01#92#03#04#05#06#07#08#c9 -selftests.plugin.TKSKnownSessionKey.TksSubId=tks -selftests.plugin.TKSKnownSessionKey.cardChallenge=#bd#6d#19#85#6e#54#0f#cd -selftests.plugin.TKSKnownSessionKey.hostChallenge=#77#57#62#e4#5e#23#66#7d -selftests.plugin.TKSKnownSessionKey.keyName=#01#01 -selftests.plugin.TKSKnownSessionKey.macKey=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f -selftests.plugin.TKSKnownSessionKey.sessionKey=#d1#be#b8#26#dc#56#20#25#8c#93#e7#de#f0#ab#4f#5b -selftests.plugin.TKSKnownSessionKey.token=Internal Key Storage Token -selftests.plugin.TKSKnownSessionKey.useSoftToken=true -selftests.plugin.SystemCertsVerification.SubId=tks -smtp.host=localhost -smtp.port=25 -subsystem.0.class=com.netscape.tks.TKSAuthority -subsystem.0.id=tks -subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem -subsystem.1.id=selftests 
-subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem -subsystem.2.id=stats -tks._000=## -tks._001=## TKS -tks._002=## -tks._003=## -tks.debug=false -tks.defaultSlot=Internal Key Storage Token -tks.drm_transport_cert_nickname= -tks.master_key_prefix= -tks.useDefaultSlot=true -usrgrp._000=## -usrgrp._001=## User/Group -usrgrp._002=## -usrgrp.ldap=internaldb -tks.defKeySet._000=## -tks.defKeySet._001=## Axalto default key set: -tks.defKeySet._002=## -tks.defKeySet._003=## tks.defKeySet.mk_mappings.#02#01=: -tks.defKeySet._004=## -tks.defKeySet.auth_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f -tks.defKeySet.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f -tks.defKeySet.kek_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f -tks.jForte._000=## -tks.jForte._001=## SAFLink's jForte default key set: -tks.jForte._002=## -tks.jForte._003=## tks.jForte.mk_mappings.#02#01=: -tks.jForte._004=## -tks.jForte.auth_key=#30#31#32#33#34#35#36#37#38#39#3a#3b#3c#3d#3e#3f -tks.jForte.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f -tks.jForte.kek_key=#50#51#52#53#54#55#56#57#58#59#5a#5b#5c#5d#5e#5f -multiroles._000=## -multiroles._001=## multiroles -multiroles._002=## -multiroles.enable=true -multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group diff --git a/pki/base/tks/shared/conf/CS.cfg.in b/pki/base/tks/shared/conf/CS.cfg.in new file mode 100644 index 000000000..1b5d89ea3 --- /dev/null +++ b/pki/base/tks/shared/conf/CS.cfg.in 
@@ -0,0 +1,343 @@ +# --- BEGIN COPYRIGHT BLOCK --- +# Copyright (C) 2006 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +_000=## +_001=## File Created On : Mon Oct 10 15:57:03 PDT 2005 +_002=## +pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] +pkicreate.pki_instance_name=[PKI_INSTANCE_ID] +pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] +pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT] +pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT] +pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT] +pkicreate.secure_port=[PKI_SECURE_PORT] +pkicreate.unsecure_port=[PKI_UNSECURE_PORT] +pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT] +pkicreate.user=[PKI_USER] +pkicreate.group=[PKI_GROUP] +pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] +installDate=[INSTALL_TIME] +cs.type=TKS +admin.interface.uri=tks/admin/console/config/wizard +preop.admin.name=Token Key Service Manager Administrator +preop.admin.group=Token Key Service Manager Agents +preop.admincert.profile=caAdminCert +preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445 +preop.wizard.name=TKS Setup Wizard +preop.system.name=TKS +preop.product.name=CS +preop.product.version=@VERSION@ +preop.system.fullname=Token Key Service +tks.cert.list=sslserver,subsystem,audit_signing +preop.cert.list=sslserver,subsystem,audit_signing +preop.cert.sslserver.enable=true +preop.cert.subsystem.enable=true +preop.cert.audit_signing.enable=true +preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA +preop.cert.audit_signing.dn=CN=TKS Audit Signing Certificate +preop.cert.audit_signing.keysize.custom_size=2048 +preop.cert.audit_signing.keysize.size=2048 +preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID] +preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert +preop.cert.audit_signing.signing.required=false +preop.cert.audit_signing.subsystem=tks +preop.cert.audit_signing.type=remote +preop.cert.audit_signing.userfriendlyname=TKS Audit Signing 
Certificate +preop.cert.audit_signing.cncomponent.override=true +preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA +preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME] +preop.cert.sslserver.keysize.custom_size=2048 +preop.cert.sslserver.keysize.size=2048 +preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] +preop.cert.sslserver.profile=caInternalAuthServerCert +preop.cert.sslserver.signing.required=false +preop.cert.sslserver.subsystem=tks +preop.cert.sslserver.type=remote +preop.cert.sslserver.userfriendlyname=SSL Server Certificate +preop.cert.sslserver.cncomponent.override=false +preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA +preop.cert.subsystem.dn=CN=TKS Subsystem Certificate +preop.cert.subsystem.keysize.custom_size=2048 +preop.cert.subsystem.keysize.size=2048 +preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] +preop.cert.subsystem.profile=caInternalAuthSubsystemCert +preop.cert.subsystem.signing.required=false +preop.cert.subsystem.subsystem=tks +preop.cert.subsystem.type=remote +preop.cert.subsystem.userfriendlyname=Subsystem Certificate +preop.cert.subsystem.cncomponent.override=true +preop.cert.admin.defaultSigningAlgorithm=SHA256withRSA +preop.cert.admin.dn=uid=admin,cn=admin +preop.cert.admin.keysize.custom_size=2048 +preop.cert.admin.keysize.size=2048 +preop.cert.admin.profile=adminCert.profile +preop.hierarchy.profile=caCert.profile +preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module +preop.configModules.module0.commonName=NSS Internal PKCS #11 Module +preop.configModules.module0.imagePath=../img/clearpixel.gif +preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module +preop.configModules.module1.commonName=nfast +preop.configModules.module1.imagePath=../img/clearpixel.gif +preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module +preop.configModules.module2.commonName=lunasa 
+preop.configModules.module2.imagePath=../img/clearpixel.gif +preop.configModules.count=3 +preop.module.token=Internal Key Storage Token +cs.state=0 +authType=pwd +instanceRoot=[PKI_INSTANCE_PATH] +machineName=[PKI_MACHINE_NAME] +instanceId=[PKI_INSTANCE_ID] +preop.pin=[PKI_RANDOM_NUMBER] +service.machineName=[PKI_MACHINE_NAME] +service.instanceDir=[PKI_INSTANCE_ROOT] +service.securePort=[PKI_AGENT_SECURE_PORT] +service.non_clientauth_securePort=[PKI_EE_SECURE_PORT] +service.unsecurePort=[PKI_UNSECURE_PORT] +service.instanceID=[PKI_INSTANCE_ID] +passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf +passwordClass=com.netscape.cmsutil.password.PlainPasswordFile +multiroles=true +multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group +CrossCertPair._000=## +CrossCertPair._001=## CrossCertPair Import +CrossCertPair._002=## +CrossCertPair.ldap=internaldb +accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator +accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator +accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator +auths._000=## +auths._001=## new authentication +auths._002=## +auths.impl._000=## +auths.impl._001=## authentication manager implementations +auths.impl._002=## +auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication +auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth +auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth +auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll 
+auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication +auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication +auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication +auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication +auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents +auths.instance.AgentCertAuth.pluginName=AgentCertAuth +auths.instance.TokenAuth.pluginName=TokenAuth +auths.revocationChecking.bufferSize=50 +authz._000=## +authz._001=## new authorizatioin +authz._002=## +authz.evaluateOrder=deny,allow +authz.sourceType=ldap +authz.impl._000=## +authz.impl._001=## authorization manager implementations +authz.impl._002=## +authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz +authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz +authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz +authz.instance.DirAclAuthz.ldap=internaldb +authz.instance.DirAclAuthz.pluginName=DirAclAuthz +authz.instance.DirAclAuthz.ldap._000=## +authz.instance.DirAclAuthz.ldap._001=## Internal Database +authz.instance.DirAclAuthz.ldap._002=## +cardcryptogram.validate.enable=true +cmc.cert.confirmRequired=false +cmc.lraPopWitness.verify.allow=true +cmc.revokeCert.verify=true +cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret +cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret +cms.version=@MAJOR_VERSION@.@MINOR_VERSION@ +dbs.ldap=internaldb +dbs.newSchemaEntryAdded=true +debug.append=true +debug.enabled=true +debug.filename=[PKI_INSTANCE_PATH]/logs/debug +debug.hashkeytypes= +debug.level=0 +debug.showcaller=false 
+keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 +keys.ecc.curve.default=nistp521 +keys.rsa.keysize.default=2048 +internaldb._000=## +internaldb._001=## Internal Database +internaldb._002=## +internaldb.maxConns=15 +internaldb.minConns=3 +internaldb.ldapauth.authtype=BasicAuth +internaldb.ldapauth.bindDN=cn=Directory Manager +internaldb.ldapauth.bindPWPrompt=Internal LDAP Database +internaldb.ldapauth.clientCertNickname= +internaldb.ldapconn.host= +internaldb.ldapconn.port= +internaldb.ldapconn.secureConn=false +preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/schema.ldif +preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/database.ldif +preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/db.ldif,/usr/share/[PKI_FLAVOR]/tks/conf/acl.ldif +preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/index.ldif +preop.internaldb.post_ldif= +preop.internaldb.wait_dn= +internaldb.multipleSuffix.enable=false +jss._000=## +jss._001=## JSS +jss._002=## +jss.configDir=[PKI_INSTANCE_PATH]/alias/ +jss.enable=true +jss.secmodName=secmod.db +jss.ocspcheck.enable=false +jss.ssl.cipherfortezza=true +jss.ssl.cipherpref= +jss.ssl.cipherversion=cipherdomestic +log._000=## +log._001=## Logging +log._002=## +log.impl.file.class=com.netscape.cms.logging.RollingLogFile 
+log.instance.SignedAudit._000=## +log.instance.SignedAudit._001=## Signed Audit Logging +log.instance.SignedAudit._002=## +log.instance.SignedAudit.bufferSize=512 +log.instance.SignedAudit.enable=true +log.instance.SignedAudit.events._000=## +log.instance.SignedAudit.events._001=## Available Audit events: +log.instance.SignedAudit.events._002=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION +log.instance.SignedAudit.events._003=## +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
+log.instance.SignedAudit.expirationTime=0
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/tks_cert-tks_audit
+log.instance.SignedAudit.flushInterval=5
+log.instance.SignedAudit.level=1
+log.instance.SignedAudit.logSigning=false
+log.instance.SignedAudit.maxFileSize=2000
+log.instance.SignedAudit.pluginName=file
+log.instance.SignedAudit.rolloverInterval=2592000
+log.instance.SignedAudit.signedAudit:_000=##
+log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow TKS audit logs to be signed
+log.instance.SignedAudit.signedAudit:_002=##
+log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+log.instance.SignedAudit.type=signedAudit
+log.instance.System._000=##
+log.instance.System._001=## System Logging
+log.instance.System._002=##
+log.instance.System.bufferSize=512
+log.instance.System.enable=true
+log.instance.System.expirationTime=0
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.flushInterval=5
+log.instance.System.level=3
+log.instance.System.maxFileSize=2000
+log.instance.System.pluginName=file
+log.instance.System.rolloverInterval=2592000
+log.instance.System.type=system
+log.instance.Transactions._000=##
+log.instance.Transactions._001=## Transaction Logging
+log.instance.Transactions._002=##
+log.instance.Transactions.bufferSize=512
+log.instance.Transactions.enable=true
+log.instance.Transactions.expirationTime=0
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.flushInterval=5
+log.instance.Transactions.level=1
+log.instance.Transactions.maxFileSize=2000
+log.instance.Transactions.pluginName=file
+log.instance.Transactions.rolloverInterval=2592000
+log.instance.Transactions.type=transaction
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
+oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
+oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
+oidmap.challenge_password.oid=1.2.840.113549.1.9.7
+oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension
+oidmap.extended_key_usage.oid=2.5.29.37
+oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
+oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14
+oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
+oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8
+oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension
+oidmap.netscape_comment.oid=2.16.840.1.113730.1.13
+oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension
+oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5
+oidmap.pse.class=netscape.security.extensions.PresenceServerExtension
+oidmap.pse.oid=2.16.840.1.113730.1.18
+oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
+oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
+os.serverName=cert-[PKI_INSTANCE_ID]
+os.userid=nobody
+registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg
+selftests._000=##
+selftests._001=## Self Tests
+selftests._002=##
+selftests._003=## The Self-Test plugin SystemCertsVerification uses the
+selftests._004=## following parameters (where certusage is optional):
+selftests._005=## 
tks.cert.list =
+selftests._006=## tks.cert..nickname
+selftests._007=## tks.cert..certusage
+selftests._008=##
+selftests.container.instance.TKSKnownSessionKey=com.netscape.cms.selftests.tks.TKSKnownSessionKey
+selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification
+selftests.container.logger.bufferSize=512
+selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
+selftests.container.logger.enable=true
+selftests.container.logger.expirationTime=0
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.flushInterval=5
+selftests.container.logger.level=1
+selftests.container.logger.maxFileSize=2000
+selftests.container.logger.register=false
+selftests.container.logger.rolloverInterval=2592000
+selftests.container.logger.type=transaction
+selftests.container.order.onDemand=TKSKnownSessionKey:critical, SystemCertsVerification:critical
+selftests.container.order.startup=TKSKnownSessionKey:critical, SystemCertsVerification:critical
+selftests.plugin.TKSKnownSessionKey.CUID=#a0#01#92#03#04#05#06#07#08#c9
+selftests.plugin.TKSKnownSessionKey.TksSubId=tks
+selftests.plugin.TKSKnownSessionKey.cardChallenge=#bd#6d#19#85#6e#54#0f#cd
+selftests.plugin.TKSKnownSessionKey.hostChallenge=#77#57#62#e4#5e#23#66#7d
+selftests.plugin.TKSKnownSessionKey.keyName=#01#01
+selftests.plugin.TKSKnownSessionKey.macKey=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
+selftests.plugin.TKSKnownSessionKey.sessionKey=#d1#be#b8#26#dc#56#20#25#8c#93#e7#de#f0#ab#4f#5b
+selftests.plugin.TKSKnownSessionKey.token=Internal Key Storage Token
+selftests.plugin.TKSKnownSessionKey.useSoftToken=true
+selftests.plugin.SystemCertsVerification.SubId=tks
+smtp.host=localhost
+smtp.port=25
+subsystem.0.class=com.netscape.tks.TKSAuthority
+subsystem.0.id=tks
+subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
+subsystem.1.id=selftests
+subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
+subsystem.2.id=stats
+tks._000=##
+tks._001=## TKS
+tks._002=##
+tks._003=##
+tks.debug=false
+tks.defaultSlot=Internal Key Storage Token
+tks.drm_transport_cert_nickname=
+tks.master_key_prefix=
+tks.useDefaultSlot=true
+usrgrp._000=##
+usrgrp._001=## User/Group
+usrgrp._002=##
+usrgrp.ldap=internaldb
+tks.defKeySet._000=##
+tks.defKeySet._001=## Axalto default key set:
+tks.defKeySet._002=##
+tks.defKeySet._003=## tks.defKeySet.mk_mappings.#02#01=:
+tks.defKeySet._004=##
+tks.defKeySet.auth_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
+tks.defKeySet.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
+tks.defKeySet.kek_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
+tks.jForte._000=##
+tks.jForte._001=## SAFLink's jForte default key set:
+tks.jForte._002=##
+tks.jForte._003=## tks.jForte.mk_mappings.#02#01=:
+tks.jForte._004=##
+tks.jForte.auth_key=#30#31#32#33#34#35#36#37#38#39#3a#3b#3c#3d#3e#3f
+tks.jForte.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
+tks.jForte.kek_key=#50#51#52#53#54#55#56#57#58#59#5a#5b#5c#5d#5e#5f
+multiroles._000=##
+multiroles._001=## multiroles
+multiroles._002=##
+multiroles.enable=true
+multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group
diff --git a/pki/base/tks/src/CMakeLists.txt b/pki/base/tks/src/CMakeLists.txt
index ac7acb885..6178dd3f9 100644
--- a/pki/base/tks/src/CMakeLists.txt
+++ b/pki/base/tks/src/CMakeLists.txt
@@ -1,32 +1,95 @@
 project(tks_java Java)
-find_file(JSS_JAR
+# '/usr/share/java/pki' jars
+find_file(CERTSRV_JAR
 NAMES
- jss4.jar
+ certsrv.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMS_JAR
+ NAMES
+ cms.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMSCORE_JAR
+ NAMES
+ cmscore.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMSUTIL_JAR
+ NAMES
+ cmsutil.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(NSUTIL_JAR
+ NAMES
+ nsutil.jar
 PATHS
 /usr/lib/java
- /usr/share/java
+ /usr/share/java/pki
 )
+
+# '/usr/share/java' jars
 find_file(LDAPJDK_JAR
 NAMES
 ldapjdk.jar
 PATHS
- /usr/lib/java
 /usr/share/java
 )
+
+# '/usr/lib/java' jars
+find_file(JSS_JAR
+ NAMES
+ jss4.jar
+ PATHS
+ /usr/lib/java
+)
+
+find_file(OSUTIL_JAR
+ NAMES
+ osutil.jar
+ PATHS
+ /usr/lib/java
+)
+
+find_file(SYMKEY_JAR
+ NAMES
+ symkey.jar
+ PATHS
+ /usr/lib/java
+)
+
+
+# identify java sources
 set(tks_java_SRCS
 com/netscape/tks/TKSAuthority.java
 )
+
+# set classpath
 set(CMAKE_JAVA_INCLUDE_PATH
- ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR} ${CMSUTIL_JAR}
- ${OSUTIL_JAR} ${SYMKEY_JAR} ${CMS_JAR} ${CMSCORE_JAR}
- ${CERTSRV_JAR})
+ ${CERTSRV_JAR} ${CMS_JAR} ${CMSCORE_JAR} ${CMSUTIL_JAR} ${NSUTIL_JAR}
+ ${LDAPJDK_JAR}
+ ${JSS_JAR} ${OSUTIL_JAR} ${SYMKEY_JAR})
+
+
+# set version
 set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
+
+# build tks.jar
 add_jar(tks ${tks_java_SRCS})
-add_dependencies(tks nsutil cmsutil osutil symkey cms cmscore certsrv)
+add_dependencies(tks osutil symkey nsutil cmsutil certsrv cms cmscore)
 install_jar(tks ${JAVA_JAR_INSTALL_DIR})
 set(TKS_JAR ${tks_JAR_FILE} CACHE INTERNAL "tks jar file")
+
diff --git a/pki/base/tps/CMakeLists.txt b/pki/base/tps/CMakeLists.txt
index 05c3a0ac0..0ccce6335 100644
--- a/pki/base/tps/CMakeLists.txt
+++ b/pki/base/tps/CMakeLists.txt
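Review bot: None of the nine find_file() calls in this hunk check their result, so a jar absent from the listed PATHS leaves a `<NAME>-NOTFOUND` token in CMAKE_JAVA_INCLUDE_PATH and the failure only surfaces later as unresolved imports from javac; and because find_file() also consults CMake's default locations (CMAKE_PREFIX_PATH and the INCLUDE/PATH environment) before the listed PATHS, a same-named jar in a user-writable directory on the build host's PATH would be compiled against in preference to the packaged one. For jars that end up on the TKS classpath I would pin the search with NO_DEFAULT_PATH and fail configuration early when anything is missing, as below. The add_dependencies() line orders tks after the in-tree osutil/symkey/nsutil/cmsutil/certsrv/cms/cmscore targets while the classpath above it points at installed copies under /usr/share/java/pki and /usr/lib/java; if compiling against the installed release rather than the tree is intentional, a one-line comment saying so would spare the next reader the guess.
```cmake
# '/usr/lib/java' jars
find_file(JSS_JAR
    NAMES
        jss4.jar
    PATHS
        /usr/lib/java
    NO_DEFAULT_PATH   # never pick a jss4.jar up from CMAKE_PREFIX_PATH or the environment
)
# … unchanged: the other find_file() calls, each with NO_DEFAULT_PATH added …

# refuse to configure with a partial classpath instead of failing later in javac
foreach(jar CERTSRV_JAR CMS_JAR CMSCORE_JAR CMSUTIL_JAR NSUTIL_JAR
            LDAPJDK_JAR JSS_JAR OSUTIL_JAR SYMKEY_JAR)
    if(NOT ${jar})
        message(FATAL_ERROR "required jar not found: ${jar}")
    endif()
endforeach()
# … unchanged: tks_java_SRCS, CMAKE_JAVA_INCLUDE_PATH, add_jar …
```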
@@ -12,18 +12,47 @@ install(
 FILES
 etc/init.d/pki-tpsd
 DESTINATION
- ${SYSCONF_INSTALL_DIR}/init.d
+ ${SYSCONF_INSTALL_DIR}/rc.d/init.d
 PERMISSIONS
 OWNER_EXECUTE OWNER_WRITE OWNER_READ
 GROUP_EXECUTE GROUP_READ
 WORLD_EXECUTE WORLD_READ
- PATTERN
- "CMakeLists.txt" EXCLUDE
 )
 install(
+ FILES
+ applets/1.3.44724DDE.ijc
+ applets/1.4.499dc06c.ijc
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/applets
+)
+
+install(
+ DIRECTORY
+ forms/esc/cgi-bin
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
+)
+
+install(
+ DIRECTORY
+ apache/conf
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
+)
+
+install(
+ FILES
+ forms/index.html
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot
+)
+
+install(
+ FILES
+ forms/index.cgi
 DESTINATION
- ${LIB_INSTALL_DIR}/${APPLICATION_NAME}/${PROJECT_NAME}
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot
 PERMISSIONS
 OWNER_EXECUTE OWNER_WRITE OWNER_READ
 GROUP_EXECUTE GROUP_READ
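Review bot: The new `install(DIRECTORY forms/esc/cgi-bin …)` specifies neither FILE_PERMISSIONS nor USE_SOURCE_PERMISSIONS, so its contents are installed with the install(FILES) default mode (owner read/write, group and world read, no execute), whereas the index.cgi install a few lines below explicitly grants OWNER/GROUP/WORLD_EXECUTE. If the scripts under cgi-bin are executed as CGI programs rather than handed to an in-process handler (not visible from this hunk), they will be unrunnable after an installed build. Making the bits explicit also keeps the result independent of the checkout's mode bits: add `FILE_PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ GROUP_EXECUTE GROUP_READ WORLD_EXECUTE WORLD_READ` to that install() call. The `install(DIRECTORY apache/conf …)` right after it gets the same read-only default, which is the right one for configuration files and is worth a short comment so nobody "fixes" it later.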
@@ -31,44 +60,60 @@ install(
 )
 install(
- FILES
- forms/index.cgi
- forms/index.html
+ DIRECTORY
+ forms/esc/demo
+ forms/esc/home
+ forms/esc/so
+ forms/esc/sow
+ forms/tps
 DESTINATION
 ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot
+ PATTERN
+ "forms/esc/sow/css" EXCLUDE
+ PATTERN
+ "forms/esc/sow/images"EXCLUDE
+ PATTERN
+ "forms/esc/sow/js"EXCLUDE
+ PATTERN
+ "forms/tps/admin/console/css"EXCLUDE
 )
 install(
 DIRECTORY
- apache/conf
 DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot/tokendb
 )
 install(
 DIRECTORY
- forms/esc/cgi-bin
+ lib
 DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/cgi-bin
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
 )
-# install directories
-set(INSTALL_DIRS
- alias
- applets
- lib
- logs
- scripts
+install(
+ FILES
+ scripts/nss_pcache
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
 )
-foreach(INSTALL_DIR ${INSTALL_DIRS})
- install(
- DIRECTORY
- ${INSTALL_DIR}
- DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/${INSTALL_DIR}
- )
-endforeach(INSTALL_DIR ${INSTALL_DIRS})
+install(
+ FILES
+ scripts/addAgents.ldif
+ scripts/addIndexes.ldif
+ scripts/addTokens.ldif
+ scripts/addVLVIndexes.ldif
+ scripts/database.ldif
+ scripts/schemaMods.ldif
+ scripts/vlvtasks.ldif
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
+)
 # install empty directories
 install(
@@ -82,3 +127,4 @@ install(
 DESTINATION
 ${VAR_INSTALL_DIR}/run/pki/tps
 )
+
diff --git a/pki/base/tps/Makefile.am b/pki/base/tps/Makefile.am
index be1061847..fb97a8a0c 100644
--- a/pki/base/tps/Makefile.am
+++ b/pki/base/tps/Makefile.am
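Review bot: Three of the four PATTERN clauses glue the keyword to the quoted pattern, `"forms/esc/sow/images"EXCLUDE`, `"forms/esc/sow/js"EXCLUDE` and `"forms/tps/admin/console/css"EXCLUDE`; CMake separates these only by lenient tokenising (newer releases emit a syntax warning for an argument not separated from the preceding token by whitespace), and if that leniency ever goes away the EXCLUDE is lost and the css/images/js trees get installed after all. Write them like the first clause: `"forms/esc/sow/images" EXCLUDE`, `"forms/esc/sow/js" EXCLUDE`, `"forms/tps/admin/console/css" EXCLUDE`. A short comment beside the first PATTERN, such as `# PATTERN is matched against the full source path, hence the forms/... prefix`, would also explain why these carry a directory prefix rather than bare names.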
@@ -163,7 +163,7 @@ conf_DATA = $(srcdir)/apache/conf/httpd.conf \
 $(srcdir)/apache/conf/mime.types \
 $(srcdir)/apache/conf/nss.conf \
 $(srcdir)/apache/conf/perl.conf \
- $(srcdir)/doc/CS.cfg
+ $(srcdir)/doc/CS.cfg.in
 docroot_DATA = $(srcdir)/forms/index.cgi \
 $(srcdir)/forms/index.html
diff --git a/pki/base/tps/Makefile.in b/pki/base/tps/Makefile.in
index 0a2581e6f..ec02c5602 100644
--- a/pki/base/tps/Makefile.in
+++ b/pki/base/tps/Makefile.in
@@ -657,7 +657,7 @@ conf_DATA = $(srcdir)/apache/conf/httpd.conf \
 $(srcdir)/apache/conf/mime.types \
 $(srcdir)/apache/conf/nss.conf \
 $(srcdir)/apache/conf/perl.conf \
- $(srcdir)/doc/CS.cfg
+ $(srcdir)/doc/CS.cfg.in
 docroot_DATA = $(srcdir)/forms/index.cgi \
 $(srcdir)/forms/index.html
diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg
deleted file mode 100644
index 0bcf905cc..000000000
--- a/pki/base/tps/doc/CS.cfg
+++ /dev/null
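Review bot: `conf_DATA` now lists `$(srcdir)/doc/CS.cfg.in`, so an autotools install ships a file named CS.cfg.in where CS.cfg used to be, and nothing in this Makefile.am hunk renames it or expands the template; the CMake side (not in this hunk) presumably does that, the autotools path does not. If the instance-creation tooling that reads this directory still opens CS.cfg, an autotools build is now silently broken; either install a generated CS.cfg here as well, or state the intent in Makefile.am, e.g. `# CS.cfg.in is a template; the expanded CS.cfg is produced by the CMake build` above the conf_DATA assignment. The matching Makefile.in hunk is generated output and needs no separate change.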
@@ -1,1577 +0,0 @@
-# --- BEGIN COPYRIGHT BLOCK ---
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation;
-# version 2.1 of the License.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor,
-# Boston, MA 02110-1301 USA
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
-pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
-pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
-pkicreate.secure_port=[SECURE_PORT]
-pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
-pkicreate.unsecure_port=[PORT]
-pkicreate.user=[PKI_USER]
-pkicreate.group=[PKI_GROUP]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
-cs.type=TPS
-selftests._000=##
-selftests._001=## Self Tests
-selftests._002=##
-selftests._003=## The Self-Test plugin TPSSystemCertsVerification uses the
-selftests._004=## following parameters (where certusage is optional):
-selftests._005=## tps.cert.list =
-selftests._006=## tps.cert..nickname
-selftests._007=## tps.cert..certusage
-selftests._008=##
-selftests.container.logger.enable=true
-selftests.container.logger.expirationTime=0
-selftests.container.logger.file.type=RollingLogFile
-selftests.container.logger.fileName=[SERVER_ROOT]/logs/selftests.log
-selftests.container.logger.level=10
-selftests.container.logger.maxFileSize=2000
-selftests.container.logger.rolloverInterval=2592000
-selftests.container.order.startup=TPSPresence:critical, TPSSystemCertsVerification:critical
-selftests.container.order.onDemand=TPSPresence:critical, TPSValidity:critical, TPSSystemCertsVerification:critical
-selftests.plugin.TPSPresence.nickname=[HSM_LABEL][NICKNAME]
-selftests.plugin.TPSValidity.nickname=[HSM_LABEL][NICKNAME]
-service.machineName=[SERVER_NAME]
-service.instanceDir=[SERVER_ROOT]
-service.securePort=[SECURE_PORT]
-service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
-service.unsecurePort=[PORT]
-service.instanceID=[PKI_INSTANCE_ID]
-logging._000=#########################################
-logging._001=# RA configuration File
-logging._002=#
-logging._003=# All <...> must be replaced with
-logging._004=# appropriate values.
-logging._005=#########################################
-logging._006=########################################
-logging._007=# logging
-logging._008=#
-logging._009=# logging.debug.enable:
-logging._010=# logging.audit.enable:
-logging._011=# logging.error.enable:
-logging._012=# - enable or disable the corresponding logging
-logging._013=# logging.debug.filename:
-logging._014=# logging.audit.filename:
-logging._015=# logging.error.filename:
-logging._016=# - name of the log file
-logging._017=# logging.debug.level:
-logging._018=# logging.audit.level:
-logging._019=# logging.error.level:
-logging._020=# - level of logging. (0-10)
-logging._021=# 0 - no logging,
-logging._022=# 4 - LL_PER_SERVER these messages will occur only once
-logging._023=# during the entire invocation of the
-logging._024=# server, e. g. at startup or shutdown
-logging._025=# time., reading the conf parameters.
-logging._026=# Perhaps other infrequent events
-logging._027=# relating to failing over of CA, TKS,
-logging._028=# too
-logging._029=# 6 - LL_PER_CONNECTION these messages happen once per
-logging._030=# connection - most of the log events
-logging._031=# will be at this level
-logging._032=# 8 - LL_PER_PDU these messages relate to PDU
-logging._033=# processing. If you have something that
-logging._034=# is done for every PDU, such as
-logging._035=# applying the MAC, it should be logged
-logging._036=# at this level
-logging._037=# 9 - LL_ALL_DATA_IN_PDU dump all the data in the PDU - a more
-logging._038=# chatty version of the above
-logging._039=# 10 - all logging
-logging._040=# logging.audit.buffer.size: # in bytes
-logging._041=# logging.audit.flush.interval: # in seconds, 0 disables flush thread
-logging._042=# logging.*.file.type:
-logging._043=# - file type: RollingLogFile or LogFile
-logging._044=# logging.*.rolloverInterval:
-logging._045=# - interval to roll over logs (seconds), 0 to disable rollover
-logging._046=# logging.*.maxFileSize:
-logging._047=# - size at which file rollover occurs, in kB
-logging._048=# logging.*.expirationTime:
-logging._049=# - maximum age of log, older unmodified logs are deleted( in seconds, 0 to disable)
-logging._050=#########################################
-logging.debug.enable=true
-logging.debug.filename=[SERVER_ROOT]/logs/tps-debug.log
-logging.debug.level=10
-logging.debug.file.type=RollingLogFile
-logging.debug.maxFileSize=2000
-logging.debug.rolloverInterval=2592000
-logging.debug.expirationTime=0
-logging.audit.enable=true
-logging.audit.filename=[SERVER_ROOT]/logs/tps-audit.log
-logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit
-logging.audit.level=10
-logging.audit.logSigning=false
-logging.audit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
-logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
-logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
-logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
-logging.audit.buffer.size=512
-logging.audit.flush.interval=5
-logging.audit.file.type=RollingLogFile
-logging.audit.maxFileSize=2000
-logging.audit.rolloverInterval=2592000
-logging.audit.expirationTime=0
-logging.error.enable=true
-logging.error.filename=[SERVER_ROOT]/logs/tps-error.log
-logging.error.level=10
-logging.error.file.type=RollingLogFile
-logging.error.maxFileSize=2000
-logging.error.rolloverInterval=2592000
-logging.error.expirationTime=0
-conn.ca1._000=#########################################
-conn.ca1._001=# CA connection
-conn.ca1._002=#
-conn.ca1._003=# conn.ca.hostport:
-conn.ca1._004=# - host name and port number of your CA, format is host:port
-conn.ca1._005=# conn.ca.clientNickname:
-conn.ca1._006=# - nickname of the client certificate for
-conn.ca1._007=# authentication
-conn.ca1._008=# conn.ca.servlet.enrollment:
-conn.ca1._009=# - servlet to contact in CA
-conn.ca1._010=# - must be '/ca/profileSubmitSSLClient'
-conn.ca1._011=# conn.ca.retryConnect:
-conn.ca1._012=# - number of reconnection attempts on failure
-conn.ca1._013=# conn.ca.timeout:
-conn.ca1._014=# - connection timeout
-conn.ca1._015=# conn.ca.SSLOn:
-conn.ca1._016=# - enable SSL or not
-conn.ca1._017=# conn.ca.keepAlive:
-conn.ca1._018=# - enable keep alive or not
-conn.ca1._019=#
-conn.ca1._020=# where
-conn.ca1._021=# - CA connection ID
-conn.ca1._022=#########################################
-failover.pod.enable=false
-conn.ca1.hostport=[CA_HOST]:[CA_PORT]
-conn.ca1.clientNickname=[HSM_LABEL][NICKNAME]
-conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient
-conn.ca1.servlet.renewal=/ca/ee/ca/profileSubmitSSLClient
-conn.ca1.servlet.revoke=/ca/ee/subsystem/ca/doRevoke
-conn.ca1.servlet.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
-conn.ca1.retryConnect=3
-conn.ca1.timeout=100
-conn.ca1.SSLOn=true
-conn.ca1.keepAlive=true
-conn.tks1._000=#########################################
-conn.tks1._001=# TKS connection
-conn.tks1._002=#
-conn.tks1._003=# conn.tks.hostport:
-conn.tks1._004=# - host name and port number of your TKS, the format is host:port
-conn.tks1._005=# conn.tks.clientNickname:
-conn.tks1._006=# - nickname of the client certificate for
-conn.tks1._007=# authentication
-conn.tks1._008=# conn.tks.servlet.computeSessionKey:
-conn.tks1._009=# - servlet to compute session key
-conn.tks1._010=# - must be '/tks/computeSessionKey'
-conn.tks1._011=# conn.tks.servlet.encryptData:
-conn.tks1._012=# - servlet to encrypt data
-conn.tks1._013=# - must be '/tks/encryptData'
-conn.tks1._014=# conn.tks.servlet.createKeySetData:
-conn.tks1._015=# - servlet to create key set data
-conn.tks1._016=# - must be '/tks/createKeySetData'
-conn.tks1._017=# conn.tks.retryConnect:
-conn.tks1._018=# - number of reconnection attempts on failure
-conn.tks1._019=# conn.tks.SSLOn
-conn.tks1._020=# - enable SSL or not
-conn.tks1._021=# conn.tks.keepAlive:
-conn.tks1._022=# - enable keep alive or not
-conn.tks1._023=#
-conn.tks1._024=# where
-conn.tks1._025=# - TKS connection ID
-conn.tks1._026=#########################################
-conn.tks1.hostport=[TKS_HOST]:[TKS_PORT]
-conn.tks1.clientNickname=[HSM_LABEL][NICKNAME]
-conn.tks1.servlet.computeSessionKey=/tks/agent/tks/computeSessionKey
-conn.tks1.servlet.encryptData=/tks/agent/tks/encryptData
-conn.tks1.servlet.createKeySetData=/tks/agent/tks/createKeySetData
-conn.tks1.servlet.computeRandomData=/tks/agent/tks/computeRandomData
-conn.tks1.retryConnect=3
-conn.tks1.timeout=100
-conn.tks1.generateHostChallenge=true
-conn.tks1.SSLOn=true
-conn.tks1.keepAlive=false
-conn.tks1.keySet=defKeySet
-conn.tks1.serverKeygen=[SERVER_KEYGEN]
-conn.drm1._000=#########################################
-conn.drm1._001=# DRM connection
-conn.drm1._002=#
-conn.drm1._003=#conn.drm.totalConns
-conn.drm1._004=# - # of DRM connections
-conn.drm1._005=#conn.drm.hostport
-conn.drm1._006=# - host name and port number of your DRM, the format is host:port
-conn.drm1._007=#conn.drm.clientNickname
-conn.drm1._008=# - nickname of the client certificate for
-conn.drm1._009=# authentication
-conn.drm1._010=#conn.drm.servlet.GenerateKeyPair
-conn.drm1._011=# - servlet to generate key pairs and archive keys on DRM
-conn.drm1._012=# - must be '/kra/GenerateKeyPair'
-conn.drm1._013=#conn.drm.servlet.TokenKeyRecovery=/kra/TokenKeyRecovery
-conn.drm1._014=# - servlet to handle key recovery
-conn.drm1._015=# - must be '/kra/TokenKeyRecovery'
-conn.drm1._016=#conn.drm.retryConnect=3
-conn.drm1._017=# - number of reconnection attempts on failure
-conn.drm1._018=#conn.drm.SSLOn=true
-conn.drm1._019=# - enable SSL or not
-conn.drm1._020=#conn.drm.keepAlive=false
-conn.drm1._021=# - enable keep alive or not
-conn.drm1._022=#
-conn.drm1._023=# where
-conn.drm1._024=# - DRM connection ID
-conn.drm1._025=#########################################
-conn.drm.totalConns=1
-conn.drm1.hostport=[DRM_HOST]:[DRM_PORT]
-conn.drm1.clientNickname=[HSM_LABEL][NICKNAME]
-conn.drm1.servlet.GenerateKeyPair=/kra/agent/kra/GenerateKeyPair
-conn.drm1.servlet.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery
-conn.drm1.retryConnect=3
-conn.drm1.timeout=100
-conn.drm1.SSLOn=true
-conn.drm1.keepAlive=false
-auth.instance._000=########################################
-auth.instance._001=# publishing
-auth.instance._002=#
-auth.instance._003=# publisher.instance..libraryName:
-auth.instance._004=# - name of the library specified with a fully qualified path name
-auth.instance._005=# publisher.instance..libraryFactory:
-auth.instance._006=# - the name of the function which instantiates the publisher
-auth.instance._007=# publisher.instance..publisherId:
-auth.instance._008=# - the publisher ID
-auth.instance._009=#
-auth.instance._010=# where
-auth.instance._011=# - publisher connection ID
-auth.instance._012=########################################
-auth.instance._013=#########################################
-auth.instance._014=# authentication
-auth.instance._015=#
-auth.instance._016=# auth.instance..libraryName:
-auth.instance._017=# - name of the library specified with a fully qualified path name
-auth.instance._018=# auth.instance..libraryFactory:
-auth.instance._019=# - the name of the function which instantiates the authentication
-auth.instance._020=# auth.instance..authId
-auth.instance._021=# - the authentication ID
-auth.instance._022=# auth.instance..hostport
-auth.instance._023=# - parameter specific to the given authentication,
-auth.instance._024=# i. e., LDAPAuthentication (id=ldap1)
-auth.instance._025=# - host name and port number, host:port
-auth.instance._026=# - for failover, provide multiple host:port designations
-auth.instance._027=# separated by " "
-auth.instance._028=# auth.instance..SSLOn:
-auth.instance._029=# - parameter specific to the given authentication,
-auth.instance._030=# i. e., LDAPAuthentication (id=ldap1)
-auth.instance._031=# - use SSL or not for LDAP service
-auth.instance._032=# auth.instance..retries:
-auth.instance._033=# - parameter specific to the given authentication,
-auth.instance._034=# i. e., LDAPAuthentication (id=ldap1)
-auth.instance._035=# - number of authentication re-attempts when authentication failed
-auth.instance._036=# auth.instance..retryConnect:
-auth.instance._037=# - parameter specific to the given authentication,
-auth.instance._038=# i. 
e., LDAPAuthentication (id=ldap1)
-auth.instance._039=# - number of connection re-attempts when connection failed
-auth.instance._040=#
-auth.instance._041=# where
-auth.instance._042=# - authentication connection ID
-auth.instance._043=#########################################
-auth.instance.0.type=LDAP_Authentication
-auth.instance.0.libraryName=[SYSTEM_USER_LIBRARIES]/[LIB_PREFIX]ldapauth[OBJ_EXT]
-auth.instance.0.libraryFactory=GetAuthentication
-auth.instance.0.authId=ldap1
-auth.instance.0.hostport=[LDAP_HOST]:[LDAP_PORT]
-auth.instance.0.SSLOn=false
-auth.instance.0.retries=1
-auth.instance.0.retryConnect=3
-auth.instance.0.baseDN=[LDAP_ROOT]
-auth.instance.0.ssl=false
-auth.instance.0.attributes._001=##############################################
-auth.instance.0.attributes._002=# attributes will be available
-auth.instance.0.attributes._003=# as $auth.$
-auth.instance.0.attributes._004=##############################################
-auth.instance.0.attributes=mail,cn,uid
-auth.instance.0.ui.title.en=LDAP Authentication
-auth.instance.0.ui.description.en=This authenticates user against the LDAP directory.
-auth.instance.0.ui.id.UID.name.en=LDAP User ID
-auth.instance.0.ui.id.PASSWORD.name.en=LDAP Password
-auth.instance.0.ui.id.UID.description.en=LDAP User ID
-auth.instance.0.ui.id.PASSWORD.description.en=LDAP Password
-auth.instance.1.type=LDAP_Authentication
-auth.instance.1.libraryName=[SYSTEM_USER_LIBRARIES]/[LIB_PREFIX]ldapauth[OBJ_EXT]
-auth.instance.1.libraryFactory=GetAuthentication
-auth.instance.1.authId=ldap2
-auth.instance.1.bindDN=cn=Directory Manager
-auth.instance.1.bindPWD=[SERVER_ROOT]/conf/password.conf
-auth.instance.1.hostport=[TOKENDB_HOST]:[TOKENDB_PORT]
-auth.instance.1.SSLOn=false
-auth.instance.1.retries=1
-auth.instance.1.retryConnect=3
-auth.instance.1.baseDN=[TOKENDB_ROOT]
-auth.instance.1.ssl=false
-auth.instance.1.attributes._001=##############################################
-auth.instance.1.attributes._002=# attributes will be available
-auth.instance.1.attributes._003=# as $auth.$
-auth.instance.1.attributes._004=##############################################
-auth.instance.1.attributes=mail,cn,uid
-auth.instance.1.ui.title.en=LDAP Authentication
-auth.instance.1.ui.description.en=This authenticates user against the LDAP directory.
-auth.instance.1.ui.id.UID.name.en=LDAP User ID
-auth.instance.1.ui.id.PASSWORD.name.en=LDAP Password
-auth.instance.1.ui.id.UID.description.en=LDAP User ID
-auth.instance.1.ui.id.PASSWORD.description.en=LDAP Password
-applet._000=#########################################
-applet._001=# applet information
-applet._002=# SAF Key:
-applet._003=# applet.aid.cardmgr_instance=A0000001510000
-applet._004=#########################################
-applet.aid.cardmgr_instance=A0000000030000
-applet.aid.netkey_instance=627601FF000000
-applet.aid.netkey_file=627601FF0000
-applet.aid.netkey_old_instance=A00000000101
-applet.aid.netkey_old_file=A000000001
-applet.so_pin=000000000000
-applet.delete_old=true
-general.verifyProof=1
-general.applet_ext=ijc
-general.search.sizelimit.max=2000
-general.search.sizelimit.default=100
-general.search.timelimit.max=10
-general.search.timelimit.default=10
-general.pwlength.min=16
-channel._000=#########################################
-channel._001=# channel.encryption:
-channel._002=#
-channel._003=# - enable encryption for all operation commands to token
-channel._004=# - default is true
-channel._005=# channel.blocksize=242
-channel._006=# channel.defKeyVersion=0
-channel._007=# channel.defKeyIndex=0
-channel._008=#########################################
-channel.encryption=true
-channel.blocksize=248
-channel.defKeyVersion=0
-channel.defKeyIndex=0
-#Config the size of memory managed memory in the applet
-#Default is 5000, try not go get close to the instanceSize
-#Which defaults to 18000
-#channel.instanceSize=18000
-#channel.appletMemorySize=5000
-preop.pin=[PKI_RANDOM_NUMBER]
-preop.product.version=
-preop.cert._000=#########################################
-preop.cert._001=# Installation configuration "preop" certs parameters
-preop.cert._002=#########################################
-preop.cert.list=sslserver,subsystem,audit_signing
-preop.cert.sslserver.enable=true
-preop.cert.subsystem.enable=true
-preop.cert.audit_signing.enable=false
-preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
-preop.cert.sslserver.keysize.customsize=2048
-preop.cert.sslserver.keysize.size=2048
-preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
-preop.cert.sslserver.profile=caInternalAuthServerCert
-preop.cert.sslserver.subsystem=tps
-preop.cert._003=#preop.cert.sslserver.type=local
-preop.cert.sslserver.userfriendlyname=SSL Server Certificate
-preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
-preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[PKI_INSTANCE_ID]
-preop.cert.subsystem.keysize.customsize=2048
-preop.cert.subsystem.keysize.size=2048
-preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
-preop.cert.subsystem.profile=caInternalAuthSubsystemCert
-preop.cert.subsystem.subsystem=tps
-preop.cert._005=#preop.cert.subsystem.type=local
-preop.cert.subsystem.userfriendlyname=Subsystem Certificate
-preop.cert._006=#preop.cert.subsystem.cncomponent.override=true
-preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[PKI_INSTANCE_ID]
-preop.cert.audit_signing.keysize.customsize=2048
-preop.cert.audit_signing.keysize.size=2048
-preop.cert.audit_signing.keysize.select=custom
-preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
-preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
-preop.cert.audit_signing.subsystem=tps
-preop.cert._005=#preop.cert.audit_signing.type=local
-preop.cert.audit_signing.userfriendlyname=Audit Log Signing Certificate
-preop.cert._006=#preop.cert.audit_signing.cncomponent.override=true
-preop.configModules._000=#########################################
-preop.configModules._001=# 
Installation configuration "preop" module parameters -preop.configModules._002=######################################### -preop.configModules.count=3 -preop.configModules.module0.commonName=NSS Internal PKCS #11 Module -preop.configModules.module0.imagePath=../img/clearpixel.gif -preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module -preop.configModules.module1.commonName=nfast -preop.configModules.module1.imagePath=../img/clearpixel.gif -preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module -preop.configModules.module2.commonName=lunasa -preop.configModules.module2.imagePath=../img/clearpixel.gif -preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module -preop.module.token=NSS Certificate DB -preop.keysize._000=######################################### -preop.keysize._001=# Installation configuration "preop" keysize parameters -preop.keysize._002=######################################### -preop.keysize.customsize=2048 -preop.keysize.select=default -preop.keysize.size=2048 -preop.keysize.ecc.size=256 -preop.adminauth.done=false -preop.adminpanel.done=false -preop.agentauth.done=false -preop.authdb.done=false -preop.cainfo.done=false -preop.certprettyprint.done=false -preop.certrequest.done=false -preop.confighsmlogin.done=false -preop.confighsm.done=false -preop.database.done=false -preop.displaycertchain2.done=false -preop.displaycertchain.done=false -preop.donepanel.done=false -preop.drminfo.done=false -preop.importadmincert.done=false -preop.loginpanel.done=false -preop.ModulePanel.done=false -preop.namepanel.done=false -preop.securitydomain.done=false -preop.SizePanel.done=false -preop.subsystemtype.done=false -preop.tksinfo.done=false -preop.welcome.done=false -op.enroll._000=######################################### -op.enroll._001=# Default Operations -op.enroll._002=# -op.enroll._003=# op..mapping.order=,, -op.enroll._004=# - contains at least one value or a series -op.enroll._005=# 
of comma-separated mapping values which -op.enroll._006=# are checked in sequential order -op.enroll._007=# op..mapping..filter.tokenType=userKey -op.enroll._008=# - can be either empty or token type -op.enroll._009=# specified by the client -op.enroll._010=# op..mapping..filter.tokenATR= -op.enroll._011=# - can be either empty or token ATR -op.enroll._012=# specified by the client -op.enroll._013=# op..mapping..filter.appletMajorVersion=1 -op.enroll._014=# - can be either empty or applet major version -op.enroll._015=# specified by the client -op.enroll._016=# op..mapping..filter.appletMinorVersion= -op.enroll._017=# - can be either empty or applet minor version -op.enroll._018=# specified by the client -op.enroll._019=# - if major and minor versions are both zero, this -op.enroll._020=# indicate there is no applet on the token. -op.enroll._021=# op..mapping..target.tokenType=userKey -op.enroll._022=# - if tokenType, tokenATR, appletMajorVersion, -op.enroll._023=# and appletMinorVersion are matched, value in -op.enroll._024=# targetTokenType will be used to locate -op.enroll._025=# the corresponding token profile to -op.enroll._026=# process the request. 
-op.enroll._027=# -op.enroll._028=# where -op.enroll._029=# - operation; enroll,pinReset,format -op.enroll._030=# - mapping ID; order is specifiable -op.enroll._031=# -op.enroll._032=# Token ATR: -op.enroll._033=# Web Store - 3B759400006202020201 -op.enroll._034=######################################### -op.enroll.mapping.order=0,1,2 -op.enroll.mapping.0.filter.tokenType=userKey -op.enroll.mapping.0.filter.tokenATR= -op.enroll.mapping.0.filter.tokenCUID.start= -op.enroll.mapping.0.filter.tokenCUID.end= -op.enroll.mapping.0.filter.appletMajorVersion=1 -op.enroll.mapping.0.filter.appletMinorVersion= -op.enroll.mapping.0.target.tokenType=userKey -op.enroll.mapping.1.filter.tokenType=soKey -op.enroll.mapping.1.filter.tokenATR= -op.enroll.mapping.1.filter.tokenCUID.start= -op.enroll.mapping.1.filter.tokenCUID.end= -op.enroll.mapping.1.filter.appletMajorVersion= -op.enroll.mapping.1.filter.appletMinorVersion= -op.enroll.mapping.1.target.tokenType=soKey -op.enroll.mapping.2.filter.tokenType= -op.enroll.mapping.2.filter.tokenATR= -op.enroll.mapping.2.filter.tokenCUID.start= -op.enroll.mapping.2.filter.tokenCUID.end= -op.enroll.mapping.2.filter.appletMajorVersion= -op.enroll.mapping.2.filter.appletMinorVersion= -op.enroll.mapping.2.target.tokenType=userKey -op.pinReset.mapping.order=0 -op.pinReset.mapping.0.filter.tokenType= -op.pinReset.mapping.0.filter.tokenATR= -op.pinReset.mapping.0.filter.tokenCUID.start= -op.pinReset.mapping.0.filter.tokenCUID.end= -op.pinReset.mapping.0.filter.appletMajorVersion= -op.pinReset.mapping.0.filter.appletMinorVersion= -op.pinReset.mapping.0.target.tokenType=userKey -op.format.mapping.order=0,1,2,3,4,5,6 -op.format.mapping.0.filter.tokenType=soCleanUserToken -op.format.mapping.0.filter.tokenATR= -op.format.mapping.0.filter.tokenCUID.start= -op.format.mapping.0.filter.tokenCUID.end= -op.format.mapping.0.filter.appletMajorVersion= -op.format.mapping.0.filter.appletMinorVersion= -op.format.mapping.0.target.tokenType=soCleanUserToken 
-op.format.mapping.1.filter.tokenType=soUserKey -op.format.mapping.1.filter.tokenATR= -op.format.mapping.1.filter.tokenCUID.start= -op.format.mapping.1.filter.tokenCUID.end= -op.format.mapping.1.filter.appletMajorVersion= -op.format.mapping.1.filter.appletMinorVersion= -op.format.mapping.1.target.tokenType=soUserKey -op.format.mapping.2.filter.tokenType=soKey -op.format.mapping.2.filter.tokenATR= -op.format.mapping.2.filter.tokenCUID.start= -op.format.mapping.2.filter.tokenCUID.end= -op.format.mapping.2.filter.appletMajorVersion= -op.format.mapping.2.filter.appletMinorVersion= -op.format.mapping.2.target.tokenType=soKey -op.format.mapping.3.filter.tokenType=userKey -op.format.mapping.3.filter.tokenATR= -op.format.mapping.3.filter.tokenCUID.start= -op.format.mapping.3.filter.tokenCUID.end= -op.format.mapping.3.filter.appletMajorVersion= -op.format.mapping.3.filter.appletMinorVersion= -op.format.mapping.3.target.tokenType=userKey -op.format.mapping.4.filter.tokenType=soCleanSOToken -op.format.mapping.4.filter.tokenATR= -op.format.mapping.4.filter.tokenCUID.start= -op.format.mapping.4.filter.tokenCUID.end= -op.format.mapping.4.filter.appletMajorVersion= -op.format.mapping.4.filter.appletMinorVersion= -op.format.mapping.5.filter.tokenType=cleanToken -op.format.mapping.5.filter.tokenATR= -op.format.mapping.5.filter.tokenCUID.start= -op.format.mapping.5.filter.tokenCUID.end= -op.format.mapping.5.filter.appletMajorVersion= -op.format.mapping.5.filter.appletMinorVersion= -op.format.mapping.5.target.tokenType=cleanToken -op.format.mapping.4.target.tokenType=soCleanSOToken -op.format.mapping.6.filter.tokenATR= -op.format.mapping.6.filter.tokenCUID.start= -op.format.mapping.6.filter.tokenCUID.end= -op.format.mapping.6.filter.appletMajorVersion= -op.format.mapping.6.filter.appletMinorVersion= -op.format.mapping.6.target.tokenType=tokenKey -op.enroll.userKey._000=######################################### -op.enroll.userKey._001=# Enrollment Operation For CoolKey 
-op.enroll.userKey._002=# -op.enroll.userKey._003=# op.enroll..keyGen..keySize=1024 -op.enroll.userKey._004=# - size of the key the token should generate -op.enroll.userKey._005=# - max value: 1024 -op.enroll.userKey._006=# -op.enroll.userKey._007=# op.enroll..keyGen..keyCapabilities.encrypt=false -op.enroll.userKey._008=# op.enroll..keyGen..keyCapabilities.sign=true -op.enroll.userKey._009=# op.enroll..keyGen..keyCapabilities.signRecover=true -op.enroll.userKey._010=# op.enroll..keyGen..keyCapabilities.decrypt=false -op.enroll.userKey._011=# op.enroll..keyGen..keyCapabilities.derive=false -op.enroll.userKey._012=# op.enroll..keyGen..keyCapabilities.unwrap=false -op.enroll.userKey._013=# op.enroll..keyGen..keyCapabilities.wrap=false -op.enroll.userKey._014=# op.enroll..keyGen..keyCapabilities.verifyRecover=true -op.enroll.userKey._015=# op.enroll..keyGen..keyCapabilities.verify=true -op.enroll.userKey._016=# op.enroll..keyGen..keyCapabilities.sensitive=true -op.enroll.userKey._017=# op.enroll..keyGen..keyCapabilities.private=true -op.enroll.userKey._018=# op.enroll..keyGen..keyCapabilities.token=true -op.enroll.userKey._019=# - specify the PKCS11 attributes to set on the token -op.enroll.userKey._020=# -op.enroll.userKey._021=# op.enroll.userKey.keyGen.signing.cuid_label -op.enroll.userKey._022=# - specify the CUID shown in the certificate -op.enroll.userKey._023=# -op.enroll.userKey._024=# op.enroll.userKey.keyGen.signing.label -op.enroll.userKey._025=# - specify the token name. all resulting labels for co-existing keys -op.enroll.userKey._026=# on the same token must be unique -op.enroll.userKey._027=# - $pretty_cuid$ - Pretty Print CUID (i.e. 4090-0062-FF02-0000-0B9C) -op.enroll.userKey._028=# - $cuid$ - CUID (i.e. 
40900062FF0200000B9C) -op.enroll.userKey._029=# - $msn$ - MSN -op.enroll.userKey._030=# - $userid$ - User ID -op.enroll.userKey._031=# - $profileId$ - Profile ID -op.enroll.userKey._032=# -op.enroll.userKey._033=# op.enroll..keyGen..overwrite=true|false -op.enroll.userKey._034=# - if key and certificate exist, should RA overwrite them -op.enroll.userKey._035=# -op.enroll.userKey._036=# op.enroll..keyGen..certId=C1 -op.enroll.userKey._037=# op.enroll..keyGen..certAttrId=c1 -op.enroll.userKey._038=# op.enroll..keyGen..privateKeyAttrId=k2 -op.enroll.userKey._039=# op.enroll..keyGen..publicKeyAttrId=k3 -op.enroll.userKey._040=# op.enroll..keyGen..privateKeyNumber=2 -op.enroll.userKey._041=# op.enroll..keyGen..publicKeyNumber=3 -op.enroll.userKey._042=# - specify name PKCS11 object IDs -op.enroll.userKey._043=# - Lower case letters signify objects containing PKCS11 object attributes, -op.enroll.userKey._044=# in the format described below. -op.enroll.userKey._045=# 'c' An object containing PKCS11 attributes for a certificate. -op.enroll.userKey._046=# 'k' An object containing PKCS11 attributes for a public or private key -op.enroll.userKey._047=# 'r' An object containing PKCS11 attributes for an "reader". -op.enroll.userKey._048=# - Upper case letters signify objects containing raw data corresponding to -op.enroll.userKey._049=# the lower case letters described above. For example, object "C0" -op.enroll.userKey._050=# contains raw data corresponding to object "c0". -op.enroll.userKey._051=# 'C' This object contains an entire DER cert, and nothing else. -op.enroll.userKey._052=# 'K' This object contains a MUSCLE "key blob". TPS does not use this. 
-op.enroll.userKey._053=# -op.enroll.userKey._054=# op.enroll..keyGen..keyUsage=0 -op.enroll.userKey._055=# op.enroll..keyGen..keyUser=0 -op.enroll.userKey._056=# - user specifies which PIN user should be granted -op.enroll.userKey._057=# use privilege of the generated private key, or -op.enroll.userKey._058=# 15 if all users have use privilege for the private key -op.enroll.userKey._059=# - Valid uage: (only specifies the usage for the private key) -op.enroll.userKey._060=# 0 - default usage (Signing only for this APDU) -op.enroll.userKey._061=# 1 - signing only -op.enroll.userKey._062=# 2 - decryption only -op.enroll.userKey._063=# 3 - signing and decryption -op.enroll.userKey._064=# -op.enroll.userKey._065=# op.enroll..pkcs11obj.enable=true|false -op.enroll.userKey._066=# - enable writing of PKCS11 cache object to the token -op.enroll.userKey._067=# -op.enroll.userKey._068=# op.enroll..pkcs11obj.compress.enable=true|false -op.enroll.userKey._069=# - enable compression for writing of PKCS11 cache object to the token -op.enroll.userKey._070=# -op.enroll.userKey._071=# op.enroll..pinReset.pin.maxRetries=127 -op.enroll.userKey._072=# - max number of retries before blocking the token -op.enroll.userKey._073=# - max value: 127 -op.enroll.userKey._074=# -op.enroll.userKey._075=# There is a special case of tokenType userKeyTemporary. -op.enroll.userKey._076=# Make sure the profile specified by the profileId to have -op.enroll.userKey._077=# short validity period (eg, 7 days) for the certificate. -op.enroll.userKey._078=######################################### -op.enroll.allowUnknownToken=true -#The three recovery schemes supported are: -# GenerateNewKey - Generate a new cert for the encryption cert. -# RecoverLast - Recover the most recent cert for the encryption cert. -# GenerateNewKeyandRecoverLast - Generate new cert AND recover last for encryption cert. 
-op.enroll.userKey.temporaryToken.tokenType=userKeyTemporary -op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=2 -op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=signing -op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.1=encryption -op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey -op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true -op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0 -op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast -op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false -op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0 -op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.num=2 -op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.0=signing -op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption -op.enroll.userKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey -op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert=true -op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1 -op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey -op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true -op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1 -op.enroll.userKey.keyGen.recovery.onHold.keyType.num=2 -op.enroll.userKey.keyGen.recovery.onHold.keyType.value.0=signing -op.enroll.userKey.keyGen.recovery.onHold.keyType.value.1=encryption -op.enroll.userKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey -op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert=true -op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert.reason=6 -op.enroll.userKey.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey -op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert=true -op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6 
-op.enroll.userKey.keyGen.tokenName=$auth.cn$ -op.enroll.userKey.keyGen.keyType.num=2 -op.enroll.userKey.keyGen.keyType.value.0=signing -op.enroll.userKey.keyGen.keyType.value.1=encryption -op.enroll.userKey.keyGen.signing.keySize=1024 -op.enroll.userKey.keyGen.signing.public.keyCapabilities.encrypt=false -op.enroll.userKey.keyGen.signing.public.keyCapabilities.sign=false -op.enroll.userKey.keyGen.signing.public.keyCapabilities.signRecover=false -op.enroll.userKey.keyGen.signing.public.keyCapabilities.decrypt=false -op.enroll.userKey.keyGen.signing.public.keyCapabilities.derive=false -op.enroll.userKey.keyGen.signing.public.keyCapabilities.unwrap=false -op.enroll.userKey.keyGen.signing.public.keyCapabilities.wrap=false -op.enroll.userKey.keyGen.signing.public.keyCapabilities.verifyRecover=true -op.enroll.userKey.keyGen.signing.public.keyCapabilities.verify=true -op.enroll.userKey.keyGen.signing.public.keyCapabilities.sensitive=false -op.enroll.userKey.keyGen.signing.public.keyCapabilities.private=false -op.enroll.userKey.keyGen.signing.public.keyCapabilities.token=true -op.enroll.userKey.keyGen.signing.private.keyCapabilities.encrypt=false -op.enroll.userKey.keyGen.signing.private.keyCapabilities.sign=true -op.enroll.userKey.keyGen.signing.private.keyCapabilities.signRecover=true -op.enroll.userKey.keyGen.signing.private.keyCapabilities.decrypt=false -op.enroll.userKey.keyGen.signing.private.keyCapabilities.derive=false -op.enroll.userKey.keyGen.signing.private.keyCapabilities.unwrap=false -op.enroll.userKey.keyGen.signing.private.keyCapabilities.wrap=false -op.enroll.userKey.keyGen.signing.private.keyCapabilities.verifyRecover=false -op.enroll.userKey.keyGen.signing.private.keyCapabilities.verify=false -op.enroll.userKey.keyGen.signing.private.keyCapabilities.sensitive=true -op.enroll.userKey.keyGen.signing.private.keyCapabilities.private=true -op.enroll.userKey.keyGen.signing.private.keyCapabilities.token=true -op.enroll.userKey.keyGen.signing.label=signing key 
for $userid$ -op.enroll.userKey.keyGen.signing.cuid_label=$cuid$ -op.enroll.userKey.keyGen.signing.overwrite=true -op.enroll.userKey.keyGen.signing.certId=C1 -op.enroll.userKey.keyGen.signing.certAttrId=c1 -op.enroll.userKey.keyGen.signing.privateKeyAttrId=k2 -op.enroll.userKey.keyGen.signing.publicKeyAttrId=k3 -op.enroll.userKey.keyGen.signing.keyUsage=0 -op.enroll.userKey.keyGen.signing.keyUser=0 -op.enroll.userKey.keyGen.signing.privateKeyNumber=2 -op.enroll.userKey.keyGen.signing.publicKeyNumber=3 -op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment -op.enroll.userKey.keyGen.signing.ca.conn=ca1 -op.enroll.userKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher -op.enroll.userKey.keyGen.encryption.keySize=1024 -op.enroll.userKey.keyGen.encryption.public.keyCapabilities.encrypt=true -op.enroll.userKey.keyGen.encryption.public.keyCapabilities.sign=false -op.enroll.userKey.keyGen.encryption.public.keyCapabilities.signRecover=false -op.enroll.userKey.keyGen.encryption.public.keyCapabilities.decrypt=false -op.enroll.userKey.keyGen.encryption.public.keyCapabilities.derive=false -op.enroll.userKey.keyGen.encryption.public.keyCapabilities.unwrap=false -op.enroll.userKey.keyGen.encryption.public.keyCapabilities.wrap=true -op.enroll.userKey.keyGen.encryption.public.keyCapabilities.verifyRecover=false -op.enroll.userKey.keyGen.encryption.public.keyCapabilities.verify=false -op.enroll.userKey.keyGen.encryption.public.keyCapabilities.sensitive=false -op.enroll.userKey.keyGen.encryption.public.keyCapabilities.private=false -op.enroll.userKey.keyGen.encryption.public.keyCapabilities.token=true -op.enroll.userKey.keyGen.encryption.private.keyCapabilities.encrypt=false -op.enroll.userKey.keyGen.encryption.private.keyCapabilities.sign=false -op.enroll.userKey.keyGen.encryption.private.keyCapabilities.signRecover=false -op.enroll.userKey.keyGen.encryption.private.keyCapabilities.decrypt=true 
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.derive=false -op.enroll.userKey.keyGen.encryption.private.keyCapabilities.unwrap=true -op.enroll.userKey.keyGen.encryption.private.keyCapabilities.wrap=false -op.enroll.userKey.keyGen.encryption.private.keyCapabilities.verifyRecover=false -op.enroll.userKey.keyGen.encryption.private.keyCapabilities.verify=false -op.enroll.userKey.keyGen.encryption.private.keyCapabilities.sensitive=true -op.enroll.userKey.keyGen.encryption.private.keyCapabilities.private=true -op.enroll.userKey.keyGen.encryption.private.keyCapabilities.token=true -op.enroll.userKey.keyGen.encryption.label=encryption key for $userid$ -op.enroll.userKey.keyGen.encryption.cuid_label=$cuid$ -op.enroll.userKey.keyGen.encryption.overwrite=true -op.enroll.userKey.keyGen.encryption.certId=C2 -op.enroll.userKey.keyGen.encryption.certAttrId=c2 -op.enroll.userKey.keyGen.encryption.privateKeyAttrId=k4 -op.enroll.userKey.keyGen.encryption.publicKeyAttrId=k5 -op.enroll.userKey.keyGen.encryption.keyUsage=0 -op.enroll.userKey.keyGen.encryption.keyUser=0 -op.enroll.userKey.keyGen.encryption.privateKeyNumber=4 -op.enroll.userKey.keyGen.encryption.publicKeyNumber=5 -op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment -op.enroll.userKey.keyGen.encryption.ca.conn=ca1 -op.enroll.userKey.pkcs11obj.enable=true -op.enroll.userKey.pkcs11obj.compress.enable=true -op.enroll.userKey.update.applet.emptyToken.enable=true -op.enroll.userKey.update.applet.enable=true -op.enroll.userKey.update.applet.requiredVersion=1.4.499dc06c -op.enroll.userKey.update.applet.directory=[TPS_DIR]/applets -op.enroll.userKey.update.applet.encryption=true -op.enroll.userKey.update.symmetricKeys.enable=false -op.enroll.userKey.update.symmetricKeys.requiredVersion=1 -op.enroll.userKey.loginRequest.enable=true -op.enroll.userKey.pinReset.enable=true -op.enroll.userKey.pinReset.pin.maxRetries=127 -op.enroll.userKey.pinReset.pin.minLen=4 
-op.enroll.userKey.pinReset.pin.maxLen=10 -op.enroll.userKey.cardmgr_instance=A0000000030000 -op.enroll.userKey.tks.conn=tks1 -op.enroll.userKey.auth.id=ldap1 -op.enroll.userKey.auth.enable=true -op.enroll.userKey.issuerinfo.enable=true -op.enroll.userKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/home/index.cgi -op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.num=2 -op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing -op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption -op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey -op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true -op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0 -op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast -op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true -op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert.reason=0 -op.enroll.userKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN] -op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=drm1 -op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true -op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable=true -op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=drm1 -op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.archive=true -op.enroll.userKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary) -op.enroll.userKeyTemporary.keyGen.keyType.num=3 -op.enroll.userKeyTemporary.keyGen.keyType.value.0=auth -op.enroll.userKeyTemporary.keyGen.keyType.value.1=signing -op.enroll.userKeyTemporary.keyGen.keyType.value.2=encryption -op.enroll.userKeyTemporary.keyGen.auth.keySize=1024 -op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.encrypt=false -op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.sign=true 
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.signRecover=true -op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.decrypt=false -op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.derive=false -op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false -op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false -op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true -op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true -op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.sensitive=true -op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.private=false -op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.token=true -op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.encrypt=false -op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.sign=true -op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.signRecover=true -op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.decrypt=false -op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.derive=false -op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.unwrap=false -op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.wrap=false -op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.verifyRecover=true -op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.verify=true -op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.sensitive=true -op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.private=false -op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.token=true -op.enroll.userKeyTemporary.keyGen.auth.label=Temporary Key for $userid$ -op.enroll.userKeyTemporary.keyGen.auth.cuid_label=$cuid$ -op.enroll.userKeyTemporary.keyGen.auth.overwrite=false -op.enroll.userKeyTemporary.keyGen.auth.certId=C0 -op.enroll.userKeyTemporary.keyGen.auth.certAttrId=c0 
-op.enroll.userKeyTemporary.keyGen.auth.privateKeyAttrId=k0 -op.enroll.userKeyTemporary.keyGen.auth.publicKeyAttrId=k1 -op.enroll.userKeyTemporary.keyGen.auth.keyUsage=0 -op.enroll.userKeyTemporary.keyGen.auth.keyUser=15 -op.enroll.userKeyTemporary.keyGen.auth.privateKeyNumber=0 -op.enroll.userKeyTemporary.keyGen.auth.publicKeyNumber=1 -op.enroll.userKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment -op.enroll.userKeyTemporary.keyGen.auth.ca.conn=ca1 -op.enroll.userKeyTemporary.keyGen.signing.keySize=1024 -op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false -op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false -op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.signRecover=false -op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.decrypt=false -op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.derive=false -op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.unwrap=false -op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.wrap=false -op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.verifyRecover=true -op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.verify=true -op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sensitive=false -op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.private=false -op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.token=true -op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.encrypt=false -op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.sign=true -op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.signRecover=true -op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.decrypt=false -op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.derive=false -op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.unwrap=false 
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.wrap=false -op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.verifyRecover=false -op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.verify=false -op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.sensitive=true -op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.private=true -op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.token=true -op.enroll.userKeyTemporary.keyGen.signing.label=signing key for $userid$ -op.enroll.userKeyTemporary.keyGen.signing.cuid_label=$cuid$ -op.enroll.userKeyTemporary.keyGen.signing.overwrite=true -op.enroll.userKeyTemporary.keyGen.signing.certId=C1 -op.enroll.userKeyTemporary.keyGen.signing.certAttrId=c1 -op.enroll.userKeyTemporary.keyGen.signing.privateKeyAttrId=k2 -op.enroll.userKeyTemporary.keyGen.signing.publicKeyAttrId=k3 -op.enroll.userKeyTemporary.keyGen.signing.keyUsage=0 -op.enroll.userKeyTemporary.keyGen.signing.keyUser=0 -op.enroll.userKeyTemporary.keyGen.signing.privateKeyNumber=2 -op.enroll.userKeyTemporary.keyGen.signing.publicKeyNumber=3 -op.enroll.userKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment -op.enroll.userKeyTemporary.keyGen.signing.ca.conn=ca1 -op.enroll.userKey._080=#op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher -op.enroll.userKeyTemporary.keyGen.encryption.keySize=1024 -op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true -op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false -op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.signRecover=false -op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.decrypt=false -op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.derive=false -op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.unwrap=false 
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.wrap=true -op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.verifyRecover=false -op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.verify=false -op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.sensitive=false -op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.private=false -op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.token=true -op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.encrypt=false -op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.sign=false -op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.signRecover=false -op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.decrypt=true -op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.derive=false -op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.unwrap=true -op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.wrap=false -op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.verifyRecover=false -op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.verify=false -op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.sensitive=true -op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.private=true -op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.token=true -op.enroll.userKeyTemporary.keyGen.encryption.label=encryption key for $userid$ -op.enroll.userKeyTemporary.keyGen.encryption.cuid_label=$cuid$ -op.enroll.userKeyTemporary.keyGen.encryption.overwrite=true -op.enroll.userKeyTemporary.keyGen.encryption.certId=C2 -op.enroll.userKeyTemporary.keyGen.encryption.certAttrId=c2 -op.enroll.userKeyTemporary.keyGen.encryption.privateKeyAttrId=k4 -op.enroll.userKeyTemporary.keyGen.encryption.publicKeyAttrId=k5 
-op.enroll.userKeyTemporary.keyGen.encryption.keyUsage=0 -op.enroll.userKeyTemporary.keyGen.encryption.keyUser=0 -op.enroll.userKeyTemporary.keyGen.encryption.privateKeyNumber=4 -op.enroll.userKeyTemporary.keyGen.encryption.publicKeyNumber=5 -op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment -op.enroll.userKeyTemporary.keyGen.encryption.ca.conn=ca1 -op.enroll.userKeyTemporary.pkcs11obj.enable=true -op.enroll.userKeyTemporary.pkcs11obj.compress.enable=true -op.enroll.userKeyTemporary.update.applet.emptyToken.enable=true -op.enroll.userKeyTemporary.update.applet.enable=true -op.enroll.userKeyTemporary.update.applet.requiredVersion=1.4.499dc06c -op.enroll.userKeyTemporary.update.applet.directory=[TPS_DIR]/applets -op.enroll.userKeyTemporary.update.applet.encryption=true -op.enroll.userKeyTemporary.update.symmetricKeys.enable=false -op.enroll.userKeyTemporary.update.symmetricKeys.requiredVersion=1 -op.enroll.userKeyTemporary.loginRequest.enable=true -op.enroll.userKeyTemporary.pinReset.enable=true -op.enroll.userKeyTemporary.pinReset.pin.maxRetries=127 -op.enroll.userKeyTemporary.pinReset.pin.minLen=4 -op.enroll.userKeyTemporary.pinReset.pin.maxLen=10 -op.enroll.userKeyTemporary.tks.conn=tks1 -op.enroll.userKeyTemporary.cardmgr_instance=A0000000030000 -op.enroll.userKeyTemporary.auth.id=ldap1 -op.enroll.userKeyTemporary.auth.enable=true -# Token Renewal. -# For each token in TPS UI set the following: -# RENEW=YES -# To trigger renewal operations. 
-op.enroll.userKey.renewal.keyType.num=2 -op.enroll.userKey.renewal.keyType.value.0=signing -op.enroll.userKey.renewal.keyType.value.1=encryption -op.enroll.userKey.renewal.signing.enable=true -#optional grace period enforcement -#must coincide exactly with what the CA enforces -op.enroll.userKey.renewal.signing.gracePeriod.enable=false -op.enroll.userKey.renewal.signing.gracePeriod.before=30 -op.enroll.userKey.renewal.signing.gracePeriod.after=30 -op.enroll.userKey.renewal.signing.certId=C1 -#in case of renewal, encryption certId values for completeness only -#server code calculates actual values used. -op.enroll.userKey.renewal.encryption.certId=C2 -op.enroll.userKey.renewal.signing.certAttrId=c1 -op.enroll.userKey.renewal.encryption.certAttrId=c2 -op.enroll.userKey.renewal.encryption.enable=true -#optional grace period enforcement -#must coincide exactly with what the CA enforces -op.enroll.userKey.renewal.encryption.gracePeriod.enable=false -op.enroll.userKey.renewal.encryption.gracePeriod.before=30 -op.enroll.userKey.renewal.encryption.gracePeriod.after=30 -op.enroll.userKey.renewal.signing.ca.conn=ca1 -op.enroll.userKey.renewal.encryption.ca.conn=ca1 -op.enroll.userKey.renewal.signing.ca.profileId=caTokenUserSigningKeyRenewal -op.enroll.userKey.renewal.encryption.ca.profileId=caTokenUserEncryptionKeyRenewal -op.enroll.soKey.temporaryToken.tokenType=soKeyTemporary -op.enroll.soKey.keyGen.recovery.destroyed.keyType.num=2 -op.enroll.soKey.keyGen.recovery.destroyed.keyType.value.0=signing -op.enroll.soKey.keyGen.recovery.destroyed.keyType.value.1=encryption -op.enroll.soKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey -op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeCert=true -op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0 -op.enroll.soKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast -op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert=false 
-op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0 -op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.num=2 -op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.value.0=signing -op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption -op.enroll.soKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey -op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeCert=true -op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1 -op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey -op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true -op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1 -op.enroll.soKey.keyGen.recovery.onHold.keyType.num=2 -op.enroll.soKey.keyGen.recovery.onHold.keyType.value.0=signing -op.enroll.soKey.keyGen.recovery.onHold.keyType.value.1=encryption -op.enroll.soKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey -op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert=true -op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert.reason=6 -op.enroll.soKey.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey -op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeCert=true -op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6 -op.enroll.soKey.keyGen.tokenName=$auth.cn$ -op.enroll.soKey.keyGen.keyType.num=2 -op.enroll.soKey.keyGen.keyType.value.0=signing -op.enroll.soKey.keyGen.keyType.value.1=encryption -op.enroll.soKey.keyGen.signing.keySize=1024 -op.enroll.soKey.keyGen.signing.public.keyCapabilities.encrypt=false -op.enroll.soKey.keyGen.signing.public.keyCapabilities.sign=false -op.enroll.soKey.keyGen.signing.public.keyCapabilities.signRecover=false -op.enroll.soKey.keyGen.signing.public.keyCapabilities.decrypt=false -op.enroll.soKey.keyGen.signing.public.keyCapabilities.derive=false -op.enroll.soKey.keyGen.signing.public.keyCapabilities.unwrap=false 
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.wrap=false -op.enroll.soKey.keyGen.signing.public.keyCapabilities.verifyRecover=true -op.enroll.soKey.keyGen.signing.public.keyCapabilities.verify=true -op.enroll.soKey.keyGen.signing.public.keyCapabilities.sensitive=false -op.enroll.soKey.keyGen.signing.public.keyCapabilities.private=false -op.enroll.soKey.keyGen.signing.public.keyCapabilities.token=true -op.enroll.soKey.keyGen.signing.private.keyCapabilities.encrypt=false -op.enroll.soKey.keyGen.signing.private.keyCapabilities.sign=true -op.enroll.soKey.keyGen.signing.private.keyCapabilities.signRecover=true -op.enroll.soKey.keyGen.signing.private.keyCapabilities.decrypt=false -op.enroll.soKey.keyGen.signing.private.keyCapabilities.derive=false -op.enroll.soKey.keyGen.signing.private.keyCapabilities.unwrap=false -op.enroll.soKey.keyGen.signing.private.keyCapabilities.wrap=false -op.enroll.soKey.keyGen.signing.private.keyCapabilities.verifyRecover=false -op.enroll.soKey.keyGen.signing.private.keyCapabilities.verify=false -op.enroll.soKey.keyGen.signing.private.keyCapabilities.sensitive=true -op.enroll.soKey.keyGen.signing.private.keyCapabilities.private=true -op.enroll.soKey.keyGen.signing.private.keyCapabilities.token=true -op.enroll.soKey.keyGen.signing.label=signing key for $userid$ -op.enroll.soKey.keyGen.signing.cuid_label=$cuid$ -op.enroll.soKey.keyGen.signing.overwrite=true -op.enroll.soKey.keyGen.signing.certId=C1 -op.enroll.soKey.keyGen.signing.certAttrId=c1 -op.enroll.soKey.keyGen.signing.privateKeyAttrId=k2 -op.enroll.soKey.keyGen.signing.publicKeyAttrId=k3 -op.enroll.soKey.keyGen.signing.keyUsage=0 -op.enroll.soKey.keyGen.signing.keyUser=0 -op.enroll.soKey.keyGen.signing.privateKeyNumber=2 -op.enroll.soKey.keyGen.signing.publicKeyNumber=3 -op.enroll.soKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment -op.enroll.soKey.keyGen.signing.ca.conn=ca1 -op.enroll.soKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher 
-op.enroll.soKey.keyGen.encryption.keySize=1024 -op.enroll.soKey.keyGen.encryption.public.keyCapabilities.encrypt=true -op.enroll.soKey.keyGen.encryption.public.keyCapabilities.sign=false -op.enroll.soKey.keyGen.encryption.public.keyCapabilities.signRecover=false -op.enroll.soKey.keyGen.encryption.public.keyCapabilities.decrypt=false -op.enroll.soKey.keyGen.encryption.public.keyCapabilities.derive=false -op.enroll.soKey.keyGen.encryption.public.keyCapabilities.unwrap=false -op.enroll.soKey.keyGen.encryption.public.keyCapabilities.wrap=true -op.enroll.soKey.keyGen.encryption.public.keyCapabilities.verifyRecover=false -op.enroll.soKey.keyGen.encryption.public.keyCapabilities.verify=false -op.enroll.soKey.keyGen.encryption.public.keyCapabilities.sensitive=false -op.enroll.soKey.keyGen.encryption.public.keyCapabilities.private=false -op.enroll.soKey.keyGen.encryption.public.keyCapabilities.token=true -op.enroll.soKey.keyGen.encryption.private.keyCapabilities.encrypt=false -op.enroll.soKey.keyGen.encryption.private.keyCapabilities.sign=false -op.enroll.soKey.keyGen.encryption.private.keyCapabilities.signRecover=false -op.enroll.soKey.keyGen.encryption.private.keyCapabilities.decrypt=true -op.enroll.soKey.keyGen.encryption.private.keyCapabilities.derive=false -op.enroll.soKey.keyGen.encryption.private.keyCapabilities.unwrap=true -op.enroll.soKey.keyGen.encryption.private.keyCapabilities.wrap=false -op.enroll.soKey.keyGen.encryption.private.keyCapabilities.verifyRecover=false -op.enroll.soKey.keyGen.encryption.private.keyCapabilities.verify=false -op.enroll.soKey.keyGen.encryption.private.keyCapabilities.sensitive=true -op.enroll.soKey.keyGen.encryption.private.keyCapabilities.private=true -op.enroll.soKey.keyGen.encryption.private.keyCapabilities.token=true -op.enroll.soKey.keyGen.encryption.label=encryption key for $userid$ -op.enroll.soKey.keyGen.encryption.cuid_label=$cuid$ -op.enroll.soKey.keyGen.encryption.overwrite=true -op.enroll.soKey.keyGen.encryption.certId=C2 
-op.enroll.soKey.keyGen.encryption.certAttrId=c2 -op.enroll.soKey.keyGen.encryption.privateKeyAttrId=k4 -op.enroll.soKey.keyGen.encryption.publicKeyAttrId=k5 -op.enroll.soKey.keyGen.encryption.keyUsage=0 -op.enroll.soKey.keyGen.encryption.keyUser=0 -op.enroll.soKey.keyGen.encryption.privateKeyNumber=4 -op.enroll.soKey.keyGen.encryption.publicKeyNumber=5 -op.enroll.soKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment -op.enroll.soKey.keyGen.encryption.ca.conn=ca1 -op.enroll.soKey.pkcs11obj.enable=true -op.enroll.soKey.pkcs11obj.compress.enable=true -op.enroll.soKey.update.applet.emptyToken.enable=true -op.enroll.soKey.update.applet.enable=true -op.enroll.soKey.update.applet.requiredVersion=1.4.499dc06c -op.enroll.soKey.update.applet.directory=[TPS_DIR]/applets -op.enroll.soKey.update.applet.encryption=true -op.enroll.soKey.update.symmetricKeys.enable=false -op.enroll.soKey.update.symmetricKeys.requiredVersion=1 -op.enroll.soKey.loginRequest.enable=true -op.enroll.soKey.pinReset.enable=true -op.enroll.soKey.pinReset.pin.maxRetries=127 -op.enroll.soKey.pinReset.pin.minLen=4 -op.enroll.soKey.pinReset.pin.maxLen=10 -op.enroll.soKey.cardmgr_instance=A0000000030000 -op.enroll.soKey.tks.conn=tks1 -op.enroll.soKey.auth.id=ldap2 -op.enroll.soKey.auth.enable=true -op.enroll.soKey.issuerinfo.enable=true -op.enroll.soKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/so/index.cgi -op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.num=2 -op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing -op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption -op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey -op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true -op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0 -op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast 
-op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true -op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert.reason=0 -op.enroll.soKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN] -op.enroll.soKey.keyGen.encryption.serverKeygen.drm.conn=drm1 -op.enroll.soKey.keyGen.encryption.serverKeygen.archive=true -op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable=true -op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=drm1 -op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.archive=true -op.enroll.soKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary) -op.enroll.soKeyTemporary.keyGen.keyType.num=3 -op.enroll.soKeyTemporary.keyGen.keyType.value.0=auth -op.enroll.soKeyTemporary.keyGen.keyType.value.1=signing -op.enroll.soKeyTemporary.keyGen.keyType.value.2=encryption -op.enroll.soKeyTemporary.keyGen.auth.keySize=1024 -op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.encrypt=false -op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.sign=true -op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.signRecover=true -op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.decrypt=false -op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.derive=false -op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false -op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false -op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true -op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true -op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.sensitive=true -op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.private=false -op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.token=true -op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.encrypt=false -op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.sign=true 
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.signRecover=true -op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.decrypt=false -op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.derive=false -op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.unwrap=false -op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.wrap=false -op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.verifyRecover=true -op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.verify=true -op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.sensitive=true -op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.private=false -op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.token=true -op.enroll.soKeyTemporary.keyGen.auth.label=Temporary Key for $userid$ -op.enroll.soKeyTemporary.keyGen.auth.cuid_label=$cuid$ -op.enroll.soKeyTemporary.keyGen.auth.overwrite=false -op.enroll.soKeyTemporary.keyGen.auth.certId=C0 -op.enroll.soKeyTemporary.keyGen.auth.certAttrId=c0 -op.enroll.soKeyTemporary.keyGen.auth.privateKeyAttrId=k0 -op.enroll.soKeyTemporary.keyGen.auth.publicKeyAttrId=k1 -op.enroll.soKeyTemporary.keyGen.auth.keyUsage=0 -op.enroll.soKeyTemporary.keyGen.auth.keyUser=15 -op.enroll.soKeyTemporary.keyGen.auth.privateKeyNumber=0 -op.enroll.soKeyTemporary.keyGen.auth.publicKeyNumber=1 -op.enroll.soKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment -op.enroll.soKeyTemporary.keyGen.auth.ca.conn=ca1 -op.enroll.soKeyTemporary.keyGen.signing.keySize=1024 -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.signRecover=false -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.decrypt=false -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.derive=false 
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.unwrap=false -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.wrap=false -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.verifyRecover=true -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.verify=true -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sensitive=false -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.private=false -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.token=true -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.encrypt=false -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.sign=true -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.signRecover=true -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.decrypt=false -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.derive=false -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.unwrap=false -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.wrap=false -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.verifyRecover=false -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.verify=false -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.sensitive=true -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.private=true -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.token=true -op.enroll.soKeyTemporary.keyGen.signing.label=signing key for $userid$ -op.enroll.soKeyTemporary.keyGen.signing.cuid_label=$cuid$ -op.enroll.soKeyTemporary.keyGen.signing.overwrite=true -op.enroll.soKeyTemporary.keyGen.signing.certId=C1 -op.enroll.soKeyTemporary.keyGen.signing.certAttrId=c1 -op.enroll.soKeyTemporary.keyGen.signing.privateKeyAttrId=k2 -op.enroll.soKeyTemporary.keyGen.signing.publicKeyAttrId=k3 -op.enroll.soKeyTemporary.keyGen.signing.keyUsage=0 
-op.enroll.soKeyTemporary.keyGen.signing.keyUser=0 -op.enroll.soKeyTemporary.keyGen.signing.privateKeyNumber=2 -op.enroll.soKeyTemporary.keyGen.signing.publicKeyNumber=3 -op.enroll.soKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment -op.enroll.soKeyTemporary.keyGen.signing.ca.conn=ca1 -op.enroll.soKeyTemporary.keyGen.encryption.keySize=1024 -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.signRecover=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.decrypt=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.derive=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.unwrap=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.wrap=true -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.verifyRecover=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.verify=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sensitive=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.private=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.token=true -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.encrypt=false -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.sign=false -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.signRecover=false -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.decrypt=true -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.derive=false -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.unwrap=true -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.wrap=false -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.verifyRecover=false 
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.verify=false -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.sensitive=true -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.private=true -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.token=true -op.enroll.soKeyTemporary.keyGen.encryption.label=encryption key for $userid$ -op.enroll.soKeyTemporary.keyGen.encryption.cuid_label=$cuid$ -op.enroll.soKeyTemporary.keyGen.encryption.overwrite=true -op.enroll.soKeyTemporary.keyGen.encryption.certId=C2 -op.enroll.soKeyTemporary.keyGen.encryption.certAttrId=c2 -op.enroll.soKeyTemporary.keyGen.encryption.privateKeyAttrId=k4 -op.enroll.soKeyTemporary.keyGen.encryption.publicKeyAttrId=k5 -op.enroll.soKeyTemporary.keyGen.encryption.keyUsage=0 -op.enroll.soKeyTemporary.keyGen.encryption.keyUser=0 -op.enroll.soKeyTemporary.keyGen.encryption.privateKeyNumber=4 -op.enroll.soKeyTemporary.keyGen.encryption.publicKeyNumber=5 -op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment -op.enroll.soKeyTemporary.keyGen.encryption.ca.conn=ca1 -op.enroll.soKeyTemporary.pkcs11obj.enable=true -op.enroll.soKeyTemporary.pkcs11obj.compress.enable=true -op.enroll.soKeyTemporary.update.applet.emptyToken.enable=true -op.enroll.soKeyTemporary.update.applet.enable=true -op.enroll.soKeyTemporary.update.applet.requiredVersion=1.4.499dc06c -op.enroll.soKeyTemporary.update.applet.directory=[TPS_DIR]/applets -op.enroll.soKeyTemporary.update.applet.encryption=true -op.enroll.soKeyTemporary.update.symmetricKeys.enable=false -op.enroll.soKeyTemporary.update.symmetricKeys.requiredVersion=1 -op.enroll.soKeyTemporary.loginRequest.enable=true -op.enroll.soKeyTemporary.pinReset.enable=true -op.enroll.soKeyTemporary.pinReset.pin.maxRetries=127 -op.enroll.soKeyTemporary.pinReset.pin.minLen=4 -op.enroll.soKeyTemporary.pinReset.pin.maxLen=10 -op.enroll.soKeyTemporary.cardmgr_instance=A0000000030000 
-op.enroll.soKeyTemporary.tks.conn=tks1 -op.enroll.soKeyTemporary.tks.keySet=defKeyset -op.enroll.soKeyTemporary.auth.id=ldap2 -op.enroll.soKeyTemporary.auth.enable=true -op.pinReset._000=######################################### -op.pinReset._001=# Certificate Chain Imports -op.pinReset._002=# -op.pinReset._003=# op.enroll.certificates.num=1 -op.pinReset._004=# op.enroll.certificates.value.0=caCert -op.pinReset._005=# op.enroll.certificates.caCert.nickName=caCert0 pki-tps -op.pinReset._006=# op.enroll.certificates.caCert.certId=C5 -op.pinReset._007=# op.enroll.certificates.caCert.certAttrId=c5 -op.pinReset._008=# op.enroll.certificates.caCert.label=caCert Label -op.pinReset._009=######################################### -op.pinReset._010=######################################### -op.pinReset._011=# Pin Reset Operation For CoolKey -op.pinReset._012=# -op.pinReset._013=# op.pinReset.userKey.update.applet.emptyToken.enable=false -op.pinReset._014=# - update applet or not if token is empty -op.pinReset._015=# -op.pinReset._016=# - N/A for HouseKey -op.pinReset._017=# - N/A for HouseKey with Legacy Applet -op.pinReset._018=######################################### -op.pinReset.userKey.update.applet.emptyToken.enable=true -op.pinReset.userKey.update.applet.enable=false -op.pinReset.userKey.update.applet.requiredVersion=1.4.499dc06c -op.pinReset.userKey.update.applet.directory=[TPS_DIR]/applets -op.pinReset.userKey.update.applet.encryption=true -op.pinReset.userKey.update.symmetricKeys.enable=false -op.pinReset.userKey.update.symmetricKeys.requiredVersion=1 -op.pinReset.userKey.loginRequest.enable=true -op.pinReset.userKey.pinReset.pin.minLen=4 -op.pinReset.userKey.pinReset.pin.maxLen=10 -op.pinReset.userKey.tks.conn=tks1 -op.pinReset.userKey.cardmgr_instance=A0000000030000 -op.pinReset.userKey.auth.id=ldap1 -op.pinReset.userKey.auth.enable=true -op.format._000=######################################### -op.format._001=# Format Operation For tokenKey -op.format._002=# 
-op.format._003=# op.format.tokenKey.update.applet.emptyToken.enable=false -op.format._004=# - update applet or not if token is empty -op.format._005=# -op.format._006=# - applicable to CoolKey -op.format._007=# - applicable to HouseKey -op.format._008=# - applicable to HouseKey with Legacy Applet -op.format._009=######################################### -op.format.allowUnknownToken=true -op.format.soCleanUserToken.update.applet.emptyToken.enable=true -op.format.soCleanUserToken.update.applet.requiredVersion=1.4.499dc06c -op.format.soCleanUserToken.update.applet.directory=[TPS_DIR]/applets -op.format.soCleanUserToken.update.applet.encryption=true -op.format.soCleanUserToken.update.symmetricKeys.enable=false -op.format.soCleanUserToken.update.symmetricKeys.requiredVersion=1 -op.format.soCleanUserToken.revokeCert=true -op.format.soCleanUserToken.ca.conn=ca1 -op.format.soCleanUserToken.loginRequest.enable=false -op.format.soCleanUserToken.cardmgr_instance=A0000000030000 -op.format.soCleanUserToken.tks.conn=tks1 -op.format.soCleanUserToken.auth.id=ldap1 -op.format.soCleanUserToken.auth.enable=false -op.format.soCleanUserToken.issuerinfo.enable=true -op.format.soCleanUserToken.issuerinfo.value= -op.format.soCleanSOToken.update.applet.emptyToken.enable=true -op.format.soCleanSOToken.update.applet.requiredVersion=1.4.499dc06c -op.format.soCleanSOToken.update.applet.directory=[TPS_DIR]/applets -op.format.soCleanSOToken.update.applet.encryption=true -op.format.soCleanSOToken.update.symmetricKeys.enable=false -op.format.soCleanSOToken.update.symmetricKeys.requiredVersion=1 -op.format.soCleanSOToken.revokeCert=true -op.format.soCleanSOToken.ca.conn=ca1 -op.format.soCleanSOToken.loginRequest.enable=false -op.format.soCleanSOToken.cardmgr_instance=A0000000030000 -op.format.soCleanSOToken.tks.conn=tks1 -op.format.soCleanSOToken.auth.id=ldap1 -op.format.soCleanSOToken.auth.enable=false -op.format.soCleanSOToken.issuerinfo.enable=true -op.format.soCleanSOToken.issuerinfo.value= 
-op.format.cleanToken.update.applet.emptyToken.enable=true -op.format.cleanToken.update.applet.requiredVersion=1.4.499dc06c -op.format.cleanToken.update.applet.directory=[TPS_DIR]/applets -op.format.cleanToken.update.applet.encryption=true -op.format.cleanToken.update.symmetricKeys.enable=false -op.format.cleanToken.update.symmetricKeys.requiredVersion=1 -op.format.cleanToken.revokeCert=true -op.format.cleanToken.ca.conn=ca1 -op.format.cleanToken.loginRequest.enable=true -op.format.cleanToken.cardmgr_instance=A0000000030000 -op.format.cleanToken.tks.conn=tks1 -op.format.cleanToken.auth.id=ldap1 -op.format.cleanToken.auth.enable=false -op.format.cleanToken.issuerinfo.enable=true -op.format.cleanToken.issuerinfo.value= -op.format.soUserKey.update.applet.emptyToken.enable=true -op.format.soUserKey.update.applet.requiredVersion=1.4.499dc06c -op.format.soUserKey.update.applet.directory=[TPS_DIR]/applets -op.format.soUserKey.update.applet.encryption=true -op.format.soUserKey.update.symmetricKeys.enable=false -op.format.soUserKey.update.symmetricKeys.requiredVersion=1 -op.format.soUserKey.revokeCert=true -op.format.soUserKey.ca.conn=ca1 -op.format.soUserKey.loginRequest.enable=false -op.format.soUserKey.cardmgr_instance=A0000000030000 -op.format.soUserKey.tks.conn=tks1 -op.format.soUserKey.auth.id=ldap1 -op.format.soUserKey.auth.enable=false -op.format.soUserKey.issuerinfo.enable=true -op.format.soUserKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/home/index.cgi -op.format.soKey.update.applet.emptyToken.enable=true -op.format.soKey.update.applet.requiredVersion=1.4.499dc06c -op.format.soKey.update.applet.directory=[TPS_DIR]/applets -op.format.soKey.update.applet.encryption=true -op.format.soKey.update.symmetricKeys.enable=false -op.format.soKey.update.symmetricKeys.requiredVersion=1 -op.format.soKey.revokeCert=true -op.format.soKey.ca.conn=ca1 -op.format.soKey.loginRequest.enable=true -op.format.soKey.cardmgr_instance=A0000000030000 
-op.format.soKey.tks.conn=tks1 -op.format.soKey.auth.id=ldap2 -op.format.soKey.auth.enable=true -op.format.soKey.issuerinfo.enable=true -op.format.soKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/so/index.cgi -op.format.userKey.update.applet.emptyToken.enable=true -op.format.userKey.update.applet.requiredVersion=1.4.499dc06c -op.format.userKey.update.applet.directory=[TPS_DIR]/applets -op.format.userKey.update.applet.encryption=true -op.format.userKey.update.symmetricKeys.enable=false -op.format.userKey.update.symmetricKeys.requiredVersion=1 -op.format.userKey.revokeCert=true -op.format.userKey.ca.conn=ca1 -op.format.userKey.loginRequest.enable=true -op.format.userKey.cardmgr_instance=A0000000030000 -op.format.userKey.tks.conn=tks1 -op.format.userKey.auth.id=ldap1 -op.format.userKey.auth.enable=true -op.format.userKey.issuerinfo.enable=true -op.format.userKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/home/index.cgi -op.format.tokenKey.update.applet.emptyToken.enable=true -op.format.tokenKey.update.applet.requiredVersion=1.4.499dc06c -op.format.tokenKey.update.applet.directory=[TPS_DIR]/applets -op.format.tokenKey.update.applet.encryption=true -op.format.tokenKey.update.symmetricKeys.enable=false -op.format.tokenKey.update.symmetricKeys.requiredVersion=1 -op.format.tokenKey.revokeCert=true -op.format.tokenKey.ca.conn=ca1 -op.format.tokenKey.loginRequest.enable=true -op.format.tokenKey.cardmgr_instance=A0000000030000 -op.format.tokenKey.tks.conn=tks1 -op.format.tokenKey.auth.id=ldap1 -op.format.tokenKey.auth.enable=true -op.format.tokenKey.issuerinfo.enable=true -op.format.tokenKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/home/index.cgi -tokendb._000=######################################### -tokendb._001=# tokendb.auditLog: -tokendb._002=# - audit log path -tokendb._003=# tokendb.host: -tokendb._004=# - tokendb host name -tokendb._005=# tokendb.port: -tokendb._006=# - tokendb port number -tokendb._007=# tokendb.bindDN: 
-tokendb._008=# - tokendb administration DN (i.e. cn=Directory Manager) -tokendb._009=# tokendb.bindPassPath: -tokendb._010=# - tokendb administration password file path -tokendb._011=# tokendb.templateDir -tokendb._012=# - directory where all the tokendb templates are located -tokendb._013=# tokendb.userBaseDN: -tokendb._014=# - directory base DN for users and groups -tokendb._015=# tokendb.baseDN: -tokendb._016=# - directory base DN for tokens -tokendb._017=# tokendb.activityBaseDN: -tokendb._018=# - directory base DN for activities -tokendb._019=# tokendb.indexTemplate=index.template -tokendb._020=# - index template -tokendb._021=# tokendb.newTemplate=new.template -tokendb._022=# - add template -tokendb._023=# tokendb.showTemplate=show.template -tokendb._024=# - show template -tokendb._025=# tokendb.errorTemplate=error.template -tokendb._026=# - error template -tokendb._027=# tokendb.searchTemplate=search.template -tokendb._028=# - search template -tokendb._029=# tokendb.searchResultTemplate=searchResults.template -tokendb._030=# - search result template -tokendb._031=# tokendb.editTemplate=edit.template -tokendb._032=# - edit template -tokendb._033=# tokendb.editResultTemplate=editResults.template -tokendb._034=# - edit result template -tokendb._035=# tokendb.addResultTemplate=addResults.template -tokendb._036=# - add result template -tokendb._037=# tokendb.deleteResultTemplate=deleteResults.template -tokendb._038=# - delete result template -tokendb._039=# tokendb.searchActivityTemplate=searchActivity.template -tokendb._040=# - search activity template -tokendb._041=# tokendb.searchActivityResultTemplate=searchActivityResults.template -tokendb._042=# - search activity result template -tokendb._043=# tokendb.showAdminTemplate=showAdmin.template -tokendb._044=# - show admin template -tokendb._045=# tokendb.editAdminTemplate=editAdmin.template -tokendb._046=# - edit admin template -tokendb._047=# tokendb.editAdminResultTemplate=editAdminResults.template 
-tokendb._048=# - edit admin result template -tokendb._049=# tokendb.searchAdminTemplate=searchAdmin.template -tokendb._050=# - search admin template -tokendb._051=# tokendb.searchAdminResultTemplate=searchAdminResults.template -tokendb._052=# - search admin result template -tokendb._053=# tokendb.defaultPolicy: -tokendb._054=# Supported Policy (Separated by ; [Semicolon]): -tokendb._055=# For example, PIN_RESET=YES|NO;RE_ENROLL=YES|NO -tokendb._056=# PIN_RESET=YES|NO -tokendb._057=# - If not present, pin reset by user is allowed. -tokendb._058=# - If present and agent change PIN_RESET from NO -tokendb._059=# to YES, user is allowed to do pin reset. This -tokendb._060=# policy will be changed back to NO after pin reset. -tokendb._061=# RE_ENROLL=YES|NO -tokendb._062=# - If not present, re-enrollment is allowed. -tokendb._063=# - If present, re-enrollment is allowed when RE_ENROLL -tokendb._064=# is set to YES. Otherwise, re-enrollment is not -tokendb._065=# allowed. -tokendb._066=# tokendb.allowedTransitions: -tokendb._067=# - has transitions between the following states -tokendb._068=# TOKEN_UNINITIALIZED = 0, -tokendb._069=# TOKEN_DAMAGED =1, -tokendb._070=# TOKEN_PERM_LOST=2, -tokendb._071=# TOKEN_TEMP_LOST=3, -tokendb._072=# TOKEN_FOUND =4, -tokendb._073=# TOKEN_TEMP_LOST_PERM_LOST =5, -tokendb._074=# TOKEN_TERMINATED = 6 -tokendb._075=######################################### -tokendb.auditLog=[SERVER_ROOT]/logs/tokendb-audit.log -tokendb.hostport=[TOKENDB_HOST]:[TOKENDB_PORT] -tokendb.ssl=false -tokendb.bindDN=cn=Directory Manager -tokendb.bindPassPath=[SERVER_ROOT]/conf/password.conf -tokendb.templateDir=[SERVER_ROOT]/docroot/tus -tokendb.userBaseDN=[TOKENDB_ROOT] -tokendb.baseDN=ou=Tokens,[TOKENDB_ROOT] -tokendb.activityBaseDN=ou=Activities,[TOKENDB_ROOT] -tokendb.certBaseDN=ou=Certificates,[TOKENDB_ROOT] -tokendb.indexTemplate=index.template -tokendb.indexAdminTemplate=indexAdmin.template -tokendb.newTemplate=new.template 
-tokendb.showTemplate=show.template -tokendb.showCertTemplate=showCert.template -tokendb.errorTemplate=error.template -tokendb.searchTemplate=search.template -tokendb.searchResultTemplate=searchResults.template -tokendb.searchCertificateResultTemplate=searchCertificateResults.template -tokendb.editTemplate=edit.template -tokendb.editResultTemplate=editResults.template -tokendb.addResultTemplate=addResults.template -tokendb.deleteTemplate=delete.template -tokendb.deleteResultTemplate=deleteResults.template -tokendb.searchActivityTemplate=searchActivity.template -tokendb.searchCertificateTemplate=searchCertificate.template -tokendb.searchActivityResultTemplate=searchActivityResults.template -tokendb.searchActivityAdminTemplate=searchActivityAdmin.template -tokendb.searchActivityAdminResultTemplate=searchActivityAdminResults.template -tokendb.showAdminTemplate=showAdmin.template -tokendb.doTokenTemplate=doToken.template -tokendb.doTokenConfirmTemplate=doTokenConfirm.template -tokendb.revokeTemplate=revoke.template -tokendb.searchAdminTemplate=searchAdmin.template -tokendb.searchAdminResultTemplate=searchAdminResults.template -tokendb.defaultPolicy=RE_ENROLL=YES -tokendb.newUserTemplate=newUser.template -tokendb.userDeleteTemplate=userDelete.template -tokendb.searchUserResultTemplate=searchUserResults.template -tokendb.searchUserTemplate=searchUser.template -tokendb.editUserTemplate=editUser.template -tokendb.indexOperatorTemplate=indexOperator.template -tokendb.selfTestTemplate=selfTest.template -tokendb.selfTestResultsTemplate=selfTestResults.template -tokendb.auditAdminTemplate=auditAdmin.template -tokendb.selectConfigTemplate=selectConfig.template -tokendb.agentSelectConfigTemplate=agentSelectConfig.template -tokendb.editConfigTemplate=editConfig.template -tokendb.agentViewConfigTemplate=agentViewConfig.template -tokendb.addConfigTemplate=addConfig.template -tokendb.confirmConfigChangesTemplate=confirmConfigChanges.template 
-tokendb.confirmDeleteConfigTemplate=confirmDeleteConfig.template -log.instance.SignedAudit.selected.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL -log.instance.SignedAudit.selectable.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE,PRIVATE_KEY_ARCHIVE_PROCESSED,KEY_RECOVERY_REQUEST,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_PROCESSED,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL -log.instance.SignedAudit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST -tokendb.allowedTransitions=0:1,0:2,0:3,0:4,0:5,0:6,3:4,3:5,3:6,4:1,4:2,4:3,4:6 -target._000=######################################### -target._001=# entries to enable configuration of parameter sets through the TPS UI agent and admin tabs -target._002=# -target._003=# target.configure.list = comma separated lists of all parameter sets that can be configured by the admin. -target._004=# Each entry will show up (with underscore replaced by space) under Advanced Configuration on the admin tab. 
-target._005=# -target._006=# target.agent_approve.list = comma separated subset of above list. Parameter sets in this list -target._007=# will show up in the agent tab (under advanced configuration) and will require agent involvement -target._008=# (enable/ disable) to be edited. -target._009=# -target._010=# For the wording to display correctly, the values in the above list should be plurals. -target._011=# -target._012=# Each parameter set in the lists above requires three parameters: -target._013=# target..list : list of choices of this parameter set type (will display in the drop down box) -target._014=# target..pattern : the regular expression to select parameters in CS.cfg for this parameter set. -target._015=# target..displayname: used in the UI display text. This should be the singular form of . -target._016=# -target._017=# The exception is the parameter set Generals, which has only a pattern and displayname defined. -target._018=# -target._019=######################################## -target.configure.list=Profiles,Subsystem_Connections,Profile_Mappings,Authentication_Sources -target.agent_approve.list=Profiles -target.Profiles.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSoToken,tokenKey -target.Profiles.pattern=op\..*\.$name\..* -target.Profiles.displayname=Profile -target.Subsystem_Connections.list=ca1,drm1,tks1 -target.Subsystem_Connections.pattern=conn\.$name\..* -target.Subsystem_Connections.displayname=Subsystem Connection -target.Profile_Mappings.list=enroll,format,pinReset -target.Profile_Mappings.pattern=op\.$name\.mapping\..* -target.Profile_Mappings.displayname=Profile Mapping -target.Authentication_Sources.list=0,1 -target.Authentication_Sources.pattern=auth\.instance\.$name\..* -target.Authentication_Sources.displayname=Authentication Source -target.Generals.displayname=General -target.Generals.pattern=^applet\..*\|^general\..*\|^failover.pod.enable\|^channel\..* -config.Generals.General.state=Enabled 
-config.Generals.General.timestamp=1280283607424406
-tps._000=########################################
-tps._001=# For verifying system certificates
-tps._002=# tps.cert.list=sslserver,subsystem,audit_signing
-tps._003=# tps.cert.sslserver.nickname=xxx
-tps._005=# tps.cert.subsystem.nickname=xxx
-tps._007=# tps.cert.audit_signing.nickname=xxx
-tps._009=########################################
-tps.cert.list=sslserver,subsystem,audit_signing
-tps.cert.sslserver.nickname=[HSM_LABEL][NICKNAME]
-tps.cert.subsystem.nickname=[HSM_LABEL][NICKNAME]
-tps.cert.audit_signing.nickname=[HSM_LABEL][NICKNAME]
diff --git a/pki/base/tps/doc/CS.cfg.in b/pki/base/tps/doc/CS.cfg.in
index 896bcbc14..2c7ec6020 100644
--- a/pki/base/tps/doc/CS.cfg.in
+++ b/pki/base/tps/doc/CS.cfg.in
@@ -18,19 +18,25 @@
 # All rights reserved.
 # --- END COPYRIGHT BLOCK ---
 #
-pkicreate.pki_instance_root=[INSTANCE_ROOT]
-pkicreate.pki_instance_name=[INSTANCE_ID]
-pkicreate.subsystem_type=[SUBSYSTEM_TYPE]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
 pkicreate.secure_port=[SECURE_PORT]
 pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
 pkicreate.unsecure_port=[PORT]
-pkicreate.user=[USERID]
-pkicreate.group=[GROUPID]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 cs.type=TPS
 selftests._000=##
 selftests._001=## Self Tests
 selftests._002=##
+selftests._003=## The Self-Test plugin TPSSystemCertsVerification uses the
+selftests._004=## following parameters (where certusage is optional):
+selftests._005=## tps.cert.list =
+selftests._006=## tps.cert..nickname
+selftests._007=## tps.cert..certusage
+selftests._008=##
 selftests.container.logger.enable=true
 selftests.container.logger.expirationTime=0
 selftests.container.logger.file.type=RollingLogFile
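Review bot: The new `selftests._005`–`_007` comment lines read `tps.cert.list =`, `tps.cert..nickname` and `tps.cert..certusage`, so the per-certificate tag between the two dots appears to have dropped out (presumably a placeholder such as a constructed `<certtag>` was lost somewhere between the source and this rendering; worth checking the file itself). The `certusage` parameter the comment calls optional also has no example among the `tps.cert.*` entries this commit adds at the end of the same file, so a reader cannot tell what the plugin does when it is absent. One line such as `selftests._007=## tps.cert.<certtag>.certusage (optional; when omitted: [state the plugin's behaviour here])` would close that gap.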
@@ -38,8 +44,8 @@ selftests.container.logger.fileName=[SERVER_ROOT]/logs/selftests.log
 selftests.container.logger.level=10
 selftests.container.logger.maxFileSize=2000
 selftests.container.logger.rolloverInterval=2592000
-selftests.container.order.startup=TPSPresence:critical, TPSValidity:critical
-selftests.container.order.onDemand=TPSPresence:critical, TPSValidity:critical
+selftests.container.order.startup=TPSPresence:critical, TPSSystemCertsVerification:critical
+selftests.container.order.onDemand=TPSPresence:critical, TPSValidity:critical, TPSSystemCertsVerification:critical
 selftests.plugin.TPSPresence.nickname=[HSM_LABEL][NICKNAME]
 selftests.plugin.TPSValidity.nickname=[HSM_LABEL][NICKNAME]
 service.machineName=[SERVER_NAME]
@@ -47,7 +53,7 @@ service.instanceDir=[SERVER_ROOT]
 service.securePort=[SECURE_PORT]
 service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
 service.unsecurePort=[PORT]
-service.instanceID=[INSTANCE_ID]
+service.instanceID=[PKI_INSTANCE_ID]
 logging._000=#########################################
 logging._001=# RA configuration File
 logging._002=#
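Review bot: The new `selftests.container.order.startup` value drops `TPSValidity:critical`, which the old line had and which the new `onDemand` line still lists, so startup and on-demand runs now disagree on whether certificate validity is checked. If that is intentional it deserves a comment; otherwise `selftests.container.order.startup=TPSPresence:critical, TPSValidity:critical, TPSSystemCertsVerification:critical` keeps the two lists aligned. The other two plugins each have a `selftests.plugin.<name>.nickname` entry just below, while TPSSystemCertsVerification has none here and presumably reads the `tps.cert.*` block added at the end of this file; a one-line cross-reference next to the plugin entries would save the next reader a search.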
@@ -111,9 +117,9 @@ logging.audit.filename=[SERVER_ROOT]/logs/tps-audit.log
 logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit
 logging.audit.level=10
 logging.audit.logSigning=false
-logging.audit.signedAuditCertNickname=auditSigningCert cert-[INSTANCE_ID]
-logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
-logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
+logging.audit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
+logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
 logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
 logging.audit.buffer.size=512
 logging.audit.flush.interval=5
@@ -156,8 +162,8 @@ conn.ca1.hostport=[CA_HOST]:[CA_PORT]
 conn.ca1.clientNickname=[HSM_LABEL][NICKNAME]
 conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient
 conn.ca1.servlet.renewal=/ca/ee/ca/profileSubmitSSLClient
-conn.ca1.servlet.revoke=/ca/subsystem/ca/doRevoke
-conn.ca1.servlet.unrevoke=/ca/subsystem/ca/doUnrevoke
+conn.ca1.servlet.revoke=/ca/ee/subsystem/ca/doRevoke
+conn.ca1.servlet.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
 conn.ca1.retryConnect=3
 conn.ca1.timeout=100
 conn.ca1.SSLOn=true
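Review bot: `CIMC_CERT_VERIFICATION` is added only to `logging.audit.selected.events` and `logging.audit.selectable.events`, so an administrator can deselect it; if the outcome of system-certificate verification is meant to be audited unconditionally, it belongs in `logging.audit.nonselectable.events` next to `AUDIT_LOG_STARTUP` instead. In the second hunk the revoke/unrevoke endpoints move from `/ca/subsystem/...` to `/ca/ee/subsystem/...` while the client-auth side is unchanged context (`conn.ca1.clientNickname`, `conn.ca1.SSLOn=true`), so the CA-side ACL for the new path is what now gates TPS-initiated revocation. That check lives outside this diff; it is worth confirming the `/ca/ee/subsystem/ca/doRevoke` mapping still requires the TPS subsystem certificate rather than any end-entity client.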
@@ -343,6 +349,7 @@ general.search.sizelimit.max=2000
 general.search.sizelimit.default=100
 general.search.timelimit.max=10
 general.search.timelimit.default=10
+general.pwlength.min=16
 channel._000=#########################################
 channel._001=# channel.encryption:
 channel._002=#
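Review bot: `general.pwlength.min=16` is added without the `general._0NN=# ...` comment entry this file uses for its other parameter groups, so the hunk does not show which password the minimum applies to or where it is enforced. Note also that `target.Generals.pattern` later in this same file matches `^general\..*`, so the new minimum becomes editable through the admin UI's General configuration; if 16 is meant as a floor rather than a default that deserves saying. A comment such as `general._0NN=# general.pwlength.min: minimum accepted length for [which password - fill in]; admin-editable via the Generals configuration` would cover both points.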
@@ -370,34 +377,34 @@ preop.cert.list=sslserver,subsystem,audit_signing
 preop.cert.sslserver.enable=true
 preop.cert.subsystem.enable=true
 preop.cert.audit_signing.enable=false
-preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[INSTANCE_ID]
+preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
 preop.cert.sslserver.keysize.customsize=2048
 preop.cert.sslserver.keysize.size=2048
 preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[INSTANCE_ID]
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
 preop.cert.sslserver.profile=caInternalAuthServerCert
 preop.cert.sslserver.subsystem=tps
 preop.cert._003=#preop.cert.sslserver.type=local
 preop.cert.sslserver.userfriendlyname=SSL Server Certificate
 preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
-preop.cert.subsystem.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[INSTANCE_ID]
+preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[PKI_INSTANCE_ID]
 preop.cert.subsystem.keysize.customsize=2048
 preop.cert.subsystem.keysize.size=2048
 preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 preop.cert.subsystem.profile=caInternalAuthSubsystemCert
 preop.cert.subsystem.subsystem=tps
 preop.cert._005=#preop.cert.subsystem.type=local
 preop.cert.subsystem.userfriendlyname=Subsystem Certificate
 preop.cert._006=#preop.cert.subsystem.cncomponent.override=true
-preop.cert.audit_signing.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[INSTANCE_ID]
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[PKI_INSTANCE_ID]
 preop.cert.audit_signing.keysize.customsize=2048
 preop.cert.audit_signing.keysize.size=2048
 preop.cert.audit_signing.keysize.select=custom
-preop.cert.audit_signing.nickname=auditSigningCert cert-[INSTANCE_ID]
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
 preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
 preop.cert.audit_signing.subsystem=tps
 preop.cert._005=#preop.cert.audit_signing.type=local
@@ -715,7 +722,6 @@ op.enroll.userKey.keyGen.signing.privateKeyNumber=2
 op.enroll.userKey.keyGen.signing.publicKeyNumber=3
 op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
 op.enroll.userKey.keyGen.signing.ca.conn=ca1
-op.enroll.userKey.keyGen.signing.revokeCert=true
 op.enroll.userKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
 op.enroll.userKey.keyGen.encryption.keySize=1024
 op.enroll.userKey.keyGen.encryption.public.keyCapabilities.encrypt=true
@@ -755,7 +761,6 @@ op.enroll.userKey.keyGen.encryption.privateKeyNumber=4
 op.enroll.userKey.keyGen.encryption.publicKeyNumber=5
 op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
 op.enroll.userKey.keyGen.encryption.ca.conn=ca1
-op.enroll.userKey.keyGen.encryption.revokeCert=true
 op.enroll.userKey.pkcs11obj.enable=true
 op.enroll.userKey.pkcs11obj.compress.enable=true
 op.enroll.userKey.update.applet.emptyToken.enable=true
@@ -834,7 +839,6 @@ op.enroll.userKeyTemporary.keyGen.auth.privateKeyNumber=0
 op.enroll.userKeyTemporary.keyGen.auth.publicKeyNumber=1
 op.enroll.userKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
 op.enroll.userKeyTemporary.keyGen.auth.ca.conn=ca1
-op.enroll.userKeyTemporary.keyGen.auth.revokeCert=true
 op.enroll.userKeyTemporary.keyGen.signing.keySize=1024
 op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
 op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
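Review bot: The `preop.cert._005` key is used twice in this hunk, once for `#preop.cert.subsystem.type=local` and again for `#preop.cert.audit_signing.type=local`; in a key=value file the second assignment replaces the first, so one of the two comment entries silently disappears when the file is loaded. The commit rewrites the neighbouring lines but leaves this, so renaming the second occurrence to the next unused index (e.g. `preop.cert._007=#preop.cert.audit_signing.type=local`, if `_007` is free beyond the hunk) would be a natural addition. The `SHA1withRSA` to `SHA256withRSA` change itself looks right and keeps the 2048-bit key sizes; the enclosing `preop.cert.*` block continues past the hunk.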
@@ -873,7 +877,6 @@ op.enroll.userKeyTemporary.keyGen.signing.privateKeyNumber=2
 op.enroll.userKeyTemporary.keyGen.signing.publicKeyNumber=3
 op.enroll.userKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
 op.enroll.userKeyTemporary.keyGen.signing.ca.conn=ca1
-op.enroll.userKeyTemporary.keyGen.signing.revokeCert=true
 op.enroll.userKey._080=#op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
 op.enroll.userKeyTemporary.keyGen.encryption.keySize=1024
 op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
@@ -913,7 +916,6 @@ op.enroll.userKeyTemporary.keyGen.encryption.privateKeyNumber=4
 op.enroll.userKeyTemporary.keyGen.encryption.publicKeyNumber=5
 op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
 op.enroll.userKeyTemporary.keyGen.encryption.ca.conn=ca1
-op.enroll.userKeyTemporary.keyGen.encryption.revokeCert=true
 op.enroll.userKeyTemporary.pkcs11obj.enable=true
 op.enroll.userKeyTemporary.pkcs11obj.compress.enable=true
 op.enroll.userKeyTemporary.update.applet.emptyToken.enable=true
@@ -1031,7 +1033,6 @@ op.enroll.soKey.keyGen.signing.privateKeyNumber=2
 op.enroll.soKey.keyGen.signing.publicKeyNumber=3
 op.enroll.soKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
 op.enroll.soKey.keyGen.signing.ca.conn=ca1
-op.enroll.soKey.keyGen.signing.revokeCert=true
 op.enroll.soKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
 op.enroll.soKey.keyGen.encryption.keySize=1024
 op.enroll.soKey.keyGen.encryption.public.keyCapabilities.encrypt=true
@@ -1071,7 +1072,6 @@ op.enroll.soKey.keyGen.encryption.privateKeyNumber=4
 op.enroll.soKey.keyGen.encryption.publicKeyNumber=5
 op.enroll.soKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
 op.enroll.soKey.keyGen.encryption.ca.conn=ca1
-op.enroll.soKey.keyGen.encryption.revokeCert=true
 op.enroll.soKey.pkcs11obj.enable=true
 op.enroll.soKey.pkcs11obj.compress.enable=true
 op.enroll.soKey.update.applet.emptyToken.enable=true
@@ -1150,7 +1150,6 @@ op.enroll.soKeyTemporary.keyGen.auth.privateKeyNumber=0
 op.enroll.soKeyTemporary.keyGen.auth.publicKeyNumber=1
 op.enroll.soKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
 op.enroll.soKeyTemporary.keyGen.auth.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.auth.revokeCert=true
 op.enroll.soKeyTemporary.keyGen.signing.keySize=1024
 op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
 op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
@@ -1189,7 +1188,6 @@ op.enroll.soKeyTemporary.keyGen.signing.privateKeyNumber=2
 op.enroll.soKeyTemporary.keyGen.signing.publicKeyNumber=3
 op.enroll.soKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
 op.enroll.soKeyTemporary.keyGen.signing.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.signing.revokeCert=true
 op.enroll.soKeyTemporary.keyGen.encryption.keySize=1024
 op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
 op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false
@@ -1228,7 +1226,6 @@ op.enroll.soKeyTemporary.keyGen.encryption.privateKeyNumber=4
 op.enroll.soKeyTemporary.keyGen.encryption.publicKeyNumber=5
 op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
 op.enroll.soKeyTemporary.keyGen.encryption.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.encryption.revokeCert=true
 op.enroll.soKeyTemporary.pkcs11obj.enable=true
 op.enroll.soKeyTemporary.pkcs11obj.compress.enable=true
 op.enroll.soKeyTemporary.update.applet.emptyToken.enable=true
@@ -1539,23 +1536,42 @@ target._006=# target.agent_approve.list = comma separated subset of above list.
 target._007=# will show up in the agent tab (under advanced configuration) and will require agent involvement
 target._008=# (enable/ disable) to be edited.
 target._009=#
-target._010=# Each parameter set in the lists above requires two parameters:
-target._011=# target..list : list of choices of this parameter set type (will display in the drop down box)
-target._012=# target..pattern : the regular expression to select parameters in CS.cfg for this parameter set.
-target._013=#
-target._014=# The exception is the parameter set Generals, which only has a pattern defined. ie. target.Generals.pattern
+target._010=# For the wording to display correctly, the values in the above list should be plurals.
+target._011=#
+target._012=# Each parameter set in the lists above requires three parameters:
+target._013=# target..list : list of choices of this parameter set type (will display in the drop down box)
+target._014=# target..pattern : the regular expression to select parameters in CS.cfg for this parameter set.
+target._015=# target..displayname: used in the UI display text. This should be the singular form of .
 target._016=#
-target._017=########################################
+target._017=# The exception is the parameter set Generals, which has only a pattern and displayname defined.
+target._018=#
+target._019=########################################
 target.configure.list=Profiles,Subsystem_Connections,Profile_Mappings,Authentication_Sources
 target.agent_approve.list=Profiles
 target.Profiles.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSoToken,tokenKey
 target.Profiles.pattern=op\..*\.$name\..*
+target.Profiles.displayname=Profile
 target.Subsystem_Connections.list=ca1,drm1,tks1
 target.Subsystem_Connections.pattern=conn\.$name\..*
+target.Subsystem_Connections.displayname=Subsystem Connection
 target.Profile_Mappings.list=enroll,format,pinReset
 target.Profile_Mappings.pattern=op\.$name\.mapping\..*
+target.Profile_Mappings.displayname=Profile Mapping
 target.Authentication_Sources.list=0,1
 target.Authentication_Sources.pattern=auth\.instance\.$name\..*
+target.Authentication_Sources.displayname=Authentication Source
+target.Generals.displayname=General
 target.Generals.pattern=^applet\..*\|^general\..*\|^failover.pod.enable\|^channel\..*
 config.Generals.General.state=Enabled
 config.Generals.General.timestamp=1280283607424406
+tps._000=########################################
+tps._001=# For verifying system certificates
+tps._002=# tps.cert.list=sslserver,subsystem,audit_signing
+tps._003=# tps.cert.sslserver.nickname=xxx
+tps._005=# tps.cert.subsystem.nickname=xxx
+tps._007=# tps.cert.audit_signing.nickname=xxx
+tps._009=########################################
+tps.cert.list=sslserver,subsystem,audit_signing
+tps.cert.sslserver.nickname=[HSM_LABEL][NICKNAME]
+tps.cert.subsystem.nickname=[HSM_LABEL][NICKNAME]
+tps.cert.audit_signing.nickname=[HSM_LABEL][NICKNAME]
diff --git a/pki/base/tps/src/CMakeLists.txt b/pki/base/tps/src/CMakeLists.txt
index fe27b3e63..7f7859ba4 100644
--- a/pki/base/tps/src/CMakeLists.txt
+++ b/pki/base/tps/src/CMakeLists.txt
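Review bot: The three new `tps.cert.<tag>.nickname` entries all carry the same `[HSM_LABEL][NICKNAME]` placeholder, whereas the `preop.cert.*.nickname` entries earlier in this file name three different certificates (`Server-Cert`, `subsystemCert`, `auditSigningCert`); if the installer substitutes one value into all three, TPSSystemCertsVerification would verify the server certificate three times and never look at the subsystem or audit signing certificate. The substitution code is not in this diff, so this may be fine, but a distinct placeholder per certificate (or a comment stating that the installer fills each entry separately) would make the intent checkable. Minor: the comment keys jump `tps._003`, `_005`, `_007`, `_009`; numbering them consecutively matches the rest of the file.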
@@ -1,10 +1,11 @@
 project(tps_library CXX)
+set(TPS_LIBRARY_VERSION ${APPLICATION_VERSION})
+set(TPS_LIBRARY_SOVERSION 9)
+
 set(TPS_INCLUDE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/include)
-add_subdirectory(authentication)
 add_subdirectory(tus)
-add_subdirectory(modules)
 set(TPS_PUBLIC_INCLUDE_DIRS
 ${CMAKE_CURRENT_BINARY_DIR}
@@ -19,6 +20,7 @@ set(TPS_PRIVATE_INCLUDE_DIRS
 ${NSS_INCLUDE_DIRS}
 ${NSPR_INCLUDE_DIRS}
 ${APR_INCLUDE_DIRS}
+ ${SVRCORE_INCLUDE_DIRS}
 ${MOZLDAP_INCLUDE_DIRS}
 )
@@ -31,6 +33,7 @@ set(TPS_LINK_LIBRARIES
 ${NSPR_LIBRARIES}
 ${NSS_LIBRARIES}
 ${APR_LIBRARIES}
+ ${SVRCORE_LIBRARIES}
 ${MOZLDAP_LIBRARIES}
 ${TOKENDB_SHARED_LIBRARY}
 )
@@ -121,6 +124,7 @@ set(tps_library_SRCS
 processor/RA_Format_Processor.cpp
 selftests/SelfTest.cpp
 selftests/TPSPresence.cpp
+ selftests/TPSSystemCertsVerification.cpp
 selftests/TPSValidity.cpp
 )
@@ -144,3 +148,7 @@ install(
 ${TPS_SHARED_LIBRARY}
 LIBRARY DESTINATION ${LIB_INSTALL_DIR}
 )
+
+add_subdirectory(authentication)
+add_subdirectory(modules)
+
diff --git a/pki/base/tps/src/authentication/CMakeLists.txt b/pki/base/tps/src/authentication/CMakeLists.txt
index 5dec1b5c7..25cb4720b 100644
--- a/pki/base/tps/src/authentication/CMakeLists.txt
+++ b/pki/base/tps/src/authentication/CMakeLists.txt
@@ -1,7 +1,7 @@
 project(ldapauth_library CXX)
 set(LDAPAUTH_LIBRARY_VERSION ${APPLICATION_VERSION})
-set(LDAPAUTH_LIBRARY_SOVERSION 1)
+set(LDAPAUTH_LIBRARY_SOVERSION 9)
 set(LDAPAUTH_PUBLIC_INCLUDE_DIRS
 ${CMAKE_CURRENT_BINARY_DIR}
@@ -15,6 +15,7 @@ set(LDAPAUTH_PRIVATE_INCLUDE_DIRS
 ${CMAKE_BINARY_DIR}
 ${NSPR_INCLUDE_DIRS}
 ${NSS_INCLUDE_DIRS}
+ ${SVRCORE_INCLUDE_DIRS}
 ${MOZLDAP_INCLUDE_DIRS}
 )
@@ -26,7 +27,10 @@ set(LDAPAUTH_SHARED_LIBRARY
 set(LDAPAUTH_LINK_LIBRARIES
 ${NSPR_LIBRARIES}
 ${NSS_LIBRARIES}
+ ${SVRCORE_LIBRARIES}
 ${MOZLDAP_LIBRARIES}
+ ${TOKENDB_SHARED_LIBRARY}
+ ${TPS_SHARED_LIBRARY}
 )
 set(ldapauth_library_SRCS
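Review bot: `add_subdirectory(authentication)` and `add_subdirectory(modules)` are moved from the top of `pki/base/tps/src/CMakeLists.txt` to after the `install()` call with no comment saying why; the ldapauth hunk on this same line now links `${TPS_SHARED_LIBRARY}` and `${TOKENDB_SHARED_LIBRARY}`, plain variables that must already be defined when those directories are processed, so the new ordering is load-bearing. A comment such as `# authentication/ and modules/ link ${TPS_SHARED_LIBRARY}; add them only after it is defined above` would keep it from being "tidied" back to the top. The SOVERSION is also now the literal `9` in three files (tps and ldapauth here, tokendb in the tus hunk below); setting it once in the parent, or deriving it from `APPLICATION_VERSION`, avoids the three drifting apart on the next bump.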
diff --git a/pki/base/tps/src/modules/tokendb/CMakeLists.txt b/pki/base/tps/src/modules/tokendb/CMakeLists.txt
index 927d2ff7f..c152d80e7 100644
--- a/pki/base/tps/src/modules/tokendb/CMakeLists.txt
+++ b/pki/base/tps/src/modules/tokendb/CMakeLists.txt
@@ -6,6 +6,7 @@ set(TOKENDB_PRIVATE_INCLUDE_DIRS
 ${NSPR_INCLUDE_DIRS}
 ${NSS_INCLUDE_DIRS}
 ${APR_INCLUDE_DIRS}
+ ${SVRCORE_INCLUDE_DIRS}
 ${MOZLDAP_INCLUDE_DIRS}
 )
@@ -19,6 +20,7 @@ set(TOKENDB_LINK_LIBRARIES
 ${NSPR_LIBRARIES}
 ${NSS_LIBRARIES}
 ${APR_LIBRARIES}
+ ${SVRCORE_LIBRARIES}
 ${MOZLDAP_LIBRARIES}
 )
@@ -33,7 +35,6 @@ target_link_libraries(${TOKENDB_MODULE} ${TOKENDB_LINK_LIBRARIES})
 set_target_properties(${TOKENDB_MODULE}
 PROPERTIES
- ${TOKENDB_LIBRARY_SOVERSION}
 OUTPUT_NAME mod_tokendb
 PREFIX ""
@@ -43,5 +44,5 @@ install(
 TARGETS ${TOKENDB_MODULE}
 DESTINATION
- ${SYSCONF_INSTALL_DIR}/httpd/modules
+ ${LIB_INSTALL_DIR}/httpd/modules
 )
diff --git a/pki/base/tps/src/modules/tps/CMakeLists.txt b/pki/base/tps/src/modules/tps/CMakeLists.txt
index ecc99ff0e..069c87f89 100644
--- a/pki/base/tps/src/modules/tps/CMakeLists.txt
+++ b/pki/base/tps/src/modules/tps/CMakeLists.txt
@@ -6,6 +6,7 @@ set(TPS_PRIVATE_INCLUDE_DIRS
 ${NSPR_INCLUDE_DIRS}
 ${NSS_INCLUDE_DIRS}
 ${APR_INCLUDE_DIRS}
+ ${SVRCORE_INCLUDE_DIRS}
 ${MOZLDAP_INCLUDE_DIRS}
 )
@@ -19,7 +20,10 @@ set(TPS_LINK_LIBRARIES
 ${NSPR_LIBRARIES}
 ${NSS_LIBRARIES}
 ${APR_LIBRARIES}
+ ${SVRCORE_LIBRARIES}
 ${MOZLDAP_LIBRARIES}
+ ${TOKENDB_SHARED_LIBRARY}
+ ${TPS_SHARED_LIBRARY}
 )
 set(tps_module_SRCS
@@ -35,7 +39,6 @@ target_link_libraries(${TPS_MODULE} ${TPS_LINK_LIBRARIES})
 set_target_properties(${TPS_MODULE}
 PROPERTIES
- ${TPS_LIBRARY_SOVERSION}
 OUTPUT_NAME mod_tps
 PREFIX ""
@@ -45,5 +48,5 @@ install(
 TARGETS ${TPS_MODULE}
 DESTINATION
- ${SYSCONF_INSTALL_DIR}/httpd/modules
+ ${LIB_INSTALL_DIR}/httpd/modules
 )
diff --git a/pki/base/tps/src/tus/CMakeLists.txt b/pki/base/tps/src/tus/CMakeLists.txt
index 6785ed625..7cff9d73b 100644
--- a/pki/base/tps/src/tus/CMakeLists.txt
+++ b/pki/base/tps/src/tus/CMakeLists.txt
@@ -1,7 +1,7 @@
 project(tokendb_library C)
 set(TOKENDB_LIBRARY_VERSION ${APPLICATION_VERSION})
-set(TOKENDB_LIBRARY_SOVERSION 1)
+set(TOKENDB_LIBRARY_SOVERSION 9)
 set(TOKENDB_PUBLIC_INCLUDE_DIRS
 ${CMAKE_CURRENT_BINARY_DIR}
@@ -15,6 +15,7 @@ set(TOKENDB_PRIVATE_INCLUDE_DIRS
 ${CMAKE_BINARY_DIR}
 ${NSPR_INCLUDE_DIRS}
 ${NSS_INCLUDE_DIRS}
+ ${SVRCORE_INCLUDE_DIRS}
 ${MOZLDAP_INCLUDE_DIRS}
 )
@@ -26,6 +27,7 @@ set(TOKENDB_SHARED_LIBRARY
 set(TOKENDB_LINK_LIBRARIES
 ${NSPR_LIBRARIES}
 ${NSS_LIBRARIES}
+ ${SVRCORE_LIBRARIES}
 ${MOZLDAP_LIBRARIES}
 )
diff --git a/pki/base/tps/tools/raclient/CMakeLists.txt b/pki/base/tps/tools/raclient/CMakeLists.txt
index e28a40d5d..9f4020b31 100644
--- a/pki/base/tps/tools/raclient/CMakeLists.txt
+++ b/pki/base/tps/tools/raclient/CMakeLists.txt
@@ -43,5 +43,5 @@ install(
 format.tps
 reset_pin.tps
 DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/samples
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/tps/samples
 )
diff --git a/pki/cmake/Modules/Find
MozLDAP.cmake b/pki/cmake/Modules/FindMozLDAP.cmake
index 4f728c36b..634241ce1 100644
--- a/pki/cmake/Modules/FindMozLDAP.cmake
+++ b/pki/cmake/Modules/FindMozLDAP.cmake
@@ -26,6 +26,7 @@ else (MOZLDAP_LIBRARIES AND MOZLDAP_INCLUDE_DIRS)
 find_path(MOZLDAP_INCLUDE_DIR
 NAMES
 ldap.h
+ ldif.h
 PATHS
 ${_MOZLDAP_INCLUDEDIR}
 /usr/include
@@ -69,6 +70,17 @@ else (MOZLDAP_LIBRARIES AND MOZLDAP_INCLUDE_DIRS)
 /sw/lib
 )
+ find_library(LDIF60_LIBRARY
+ NAMES
+ ldif60
+ PATHS
+ ${_MOZLDAP_LIBDIR}
+ /usr/lib
+ /usr/local/lib
+ /opt/local/lib
+ /sw/lib
+ )
+
 set(MOZLDAP_INCLUDE_DIRS
 ${MOZLDAP_INCLUDE_DIR}
 )
@@ -94,6 +106,13 @@ else (MOZLDAP_LIBRARIES AND MOZLDAP_INCLUDE_DIRS)
 )
 endif (LDAP60_LIBRARY)
+ if (LDIF60_LIBRARY)
+ set(MOZLDAP_LIBRARIES
+ ${MOZLDAP_LIBRARIES}
+ ${LDIF60_LIBRARY}
+ )
+ endif (LDIF60_LIBRARY)
+
 include(FindPackageHandleStandardArgs)
 find_package_handle_standard_args(MozLDAP DEFAULT_MSG MOZLDAP_LIBRARIES MOZLDAP_INCLUDE_DIRS)
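Review bot: `find_path(MOZLDAP_INCLUDE_DIR NAMES ldap.h ldif.h ...)` stops at the first directory that contains either header, so adding `ldif.h` to `NAMES` does not ensure `ldif.h` is found alongside `ldap.h`; a separate `find_path` for it (or a check for `ldif.h` after the fact) would. The new `LDIF60_LIBRARY` is likewise silently optional: when it is absent `MOZLDAP_LIBRARIES` simply lacks it and `find_package_handle_standard_args` still reports MozLDAP as found, deferring the failure to link time for whichever consumer needs ldif symbols. If the library is required, add `LDIF60_LIBRARY` to the `find_package_handle_standard_args(MozLDAP DEFAULT_MSG ...)` argument list; either way `mark_as_advanced(LDIF60_LIBRARY)` keeps it out of the default cache view.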
diff --git a/pki/cmake/Modules/FindSvrcore.cmake b/pki/cmake/Modules/FindSvrcore.cmake
new file mode 100644
index 000000000..cfb073301
--- /dev/null
+++ b/pki/cmake/Modules/FindSvrcore.cmake
@@ -0,0 +1,67 @@
+# - Try to find Svrcore
+# Once done this will define
+#
+# SVRCORE_FOUND - system has Svrcore
+# SVRCORE_INCLUDE_DIRS - the Svrcore include directory
+# SVRCORE_LIBRARIES - Link these to use Svrcore
+# SVRCORE_DEFINITIONS - Compiler switches required for using Svrcore
+#
+# Copyright (c) 2010 Matthew Harmsen
+#
+# Redistribution and use is allowed according to the terms of the New
+# BSD license.
+# For details see the accompanying COPYING-CMAKE-SCRIPTS file.
+#
+
+
+if (SVRCORE_LIBRARIES AND SVRCORE_INCLUDE_DIRS)
+ # in cache already
+ set(SVRCORE_FOUND TRUE)
+else (SVRCORE_LIBRARIES AND SVRCORE_INCLUDE_DIRS)
+ find_package(PkgConfig)
+ if (PKG_CONFIG_FOUND)
+ pkg_check_modules(_SVRCORE svrcore)
+ endif (PKG_CONFIG_FOUND)
+
+ find_path(SVRCORE_INCLUDE_DIR
+ NAMES
+ svrcore.h
+ PATHS
+ ${_SVRCORE_INCLUDEDIR}
+ /usr/include
+ /usr/local/include
+ /opt/local/include
+ /sw/include
+ PATH_SUFFIXES
+ svrcore
+ )
+
+ find_library(SVRCORE_LIBRARY
+ NAMES
+ svrcore
+ PATHS
+ ${_SVRCORE_LIBDIR}
+ /usr/lib
+ /usr/local/lib
+ /opt/local/lib
+ /sw/lib
+ )
+
+ set(SVRCORE_INCLUDE_DIRS
+ ${SVRCORE_INCLUDE_DIR}
+ )
+
+ if (SVRCORE_LIBRARY)
+ set(SVRCORE_LIBRARIES
+ ${SVRCORE_LIBRARIES}
+ ${SVRCORE_LIBRARY}
+ )
+ endif (SVRCORE_LIBRARY)
+
+ include(FindPackageHandleStandardArgs)
+ find_package_handle_standard_args(Svrcore DEFAULT_MSG SVRCORE_LIBRARIES SVRCORE_INCLUDE_DIRS)
+
+ # show the SVRCORE_INCLUDE_DIRS and SVRCORE_LIBRARIES variables only in the advanced view
+ mark_as_advanced(SVRCORE_INCLUDE_DIRS SVRCORE_LIBRARIES)
+
+endif (SVRCORE_LIBRARIES AND SVRCORE_INCLUDE_DIRS)
diff --git a/pki/dogtag/CMakeLists.txt b/pki/dogtag/CMakeLists.txt
index fd04debf9..5e7771de1 100644
--- a/pki/dogtag/CMakeLists.txt
+++ b/pki/dogtag/CMakeLists.txt
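Review bot: `FindSvrcore.cmake` advertises `SVRCORE_DEFINITIONS` in its header comment but never sets it, and its early-out `if (SVRCORE_LIBRARIES AND SVRCORE_INCLUDE_DIRS)` tests two plain variables that the module only sets in its `else` branch and never caches, so the "in cache already" path cannot be taken on a re-run. For the same reason `mark_as_advanced(SVRCORE_INCLUDE_DIRS SVRCORE_LIBRARIES)` is a no-op: the cache entries created by `find_path`/`find_library` are `SVRCORE_INCLUDE_DIR` and `SVRCORE_LIBRARY`, so `mark_as_advanced(SVRCORE_INCLUDE_DIR SVRCORE_LIBRARY)` is what the comment above it describes. `set(SVRCORE_LIBRARIES ${SVRCORE_LIBRARIES} ${SVRCORE_LIBRARY})` also appends to whatever value is already in scope; with a single library `set(SVRCORE_LIBRARIES ${SVRCORE_LIBRARY})` is sufficient and avoids duplicates across repeated includes.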
@@ -1,10 +1,10 @@
 project(dogtag)
-if (APPLICATION_FLAVOUR_NULL_THEME)
+if (APPLICATION_FLAVOR_NULL_PKI_THEME)
 add_subdirectory(common-ui)
 add_subdirectory(ca-ui)
-endif (APPLICATION_FLAVOUR_NULL_THEME)
-if (APPLICATION_FLAVOUR_DOGTAG_THEME)
+endif (APPLICATION_FLAVOR_NULL_PKI_THEME)
+if (APPLICATION_FLAVOR_DOGTAG_PKI_THEME)
 add_subdirectory(common-ui)
 add_subdirectory(ca-ui)
 add_subdirectory(kra-ui)
@@ -13,4 +13,4 @@ if (APPLICATION_FLAVOUR_DOGTAG_THEME)
 add_subdirectory(tks-ui)
 add_subdirectory(tps-ui)
 add_subdirectory(console-ui)
-endif (APPLICATION_FLAVOUR_DOGTAG_THEME)
+endif (APPLICATION_FLAVOR_DOGTAG_PKI_THEME)
diff --git a/pki/dogtag/ca/pki-ca.spec b/pki/dogtag/ca/pki-ca.spec
index f9f47c23d..000a101d1 100644
--- a/pki/dogtag/ca/pki-ca.spec
+++ b/pki/dogtag/ca/pki-ca.spec
@@ -60,6 +60,8 @@ ant \
 rm -rf %{buildroot}
 cd dist/binary
 unzip %{name}-%{version}.zip -d %{buildroot}
+cd %{buildroot}%{_datadir}/pki/ca/conf
+mv CS.cfg.in CS.cfg
 sed -i 's/^preop.product.version=.*$/preop.product.version=%{version}/' %{buildroot}%{_datadir}/pki/ca/conf/CS.cfg
 sed -i 's/^cms.version=.*$/cms.version=%{major_version}.%{minor_version}/' %{buildroot}%{_datadir}/pki/ca/conf/CS.cfg
 mkdir -p %{buildroot}%{_localstatedir}/lock/pki/ca
diff --git a/pki/dogtag/console-ui/src/CMakeLists.txt b/pki/dogtag/console-ui/src/CMakeLists.txt
index e13ced8e9..2ff647440 100644
--- a/pki/dogtag/console-ui/src/CMakeLists.txt
+++ b/pki/dogtag/console-ui/src/CMakeLists.txt
@@ -12,8 +12,8 @@ set(console_ui_java_SRCS
 set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
-add_jar(pki-console-theme ${console_ui_java_SRCS})
-install_jar(pki-console-theme ${JAVA_JAR_INSTALL_DIR})
+add_jar(pki-console-theme_en ${console_ui_java_SRCS})
+install_jar(pki-console-theme_en ${JAVA_JAR_INSTALL_DIR})
-set(CONSOLE_UI_JAR ${pki-console-theme_JAR_FILE} CACHE INTERNAL "console-ui jar file")
+set(CONSOLE_UI_JAR ${pki-console-theme_en_JAR_FILE} CACHE INTERNAL "console-ui jar file")
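Review bot: The new `cd %{buildroot}%{_datadir}/pki/ca/conf` in `pki-ca.spec` changes the working directory for everything that follows in `%install`, whereas the surrounding commands are written with absolute `%{buildroot}` paths and the earlier `cd dist/binary` is relative to the build tree; any later relative command would quietly act on the wrong directory. `mv %{buildroot}%{_datadir}/pki/ca/conf/CS.cfg.in %{buildroot}%{_datadir}/pki/ca/conf/CS.cfg` performs the rename without moving the shell. The same pattern is repeated in the kra, ocsp, ra, tks and tps spec hunks on the following lines.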
diff --git a/pki/dogtag/kra/pki-kra.spec b/pki/dogtag/kra/pki-kra.spec
index 808353632..ba9e8b615 100644
--- a/pki/dogtag/kra/pki-kra.spec
+++ b/pki/dogtag/kra/pki-kra.spec
@@ -69,6 +69,8 @@ ant \
 rm -rf %{buildroot}
 cd dist/binary
 unzip %{name}-%{version}.zip -d %{buildroot}
+cd %{buildroot}%{_datadir}/pki/kra/conf
+mv CS.cfg.in CS.cfg
 sed -i 's/^preop.product.version=.*$/preop.product.version=%{version}/' %{buildroot}%{_datadir}/pki/kra/conf/CS.cfg
 sed -i 's/^cms.version=.*$/cms.version=%{major_version}.%{minor_version}/' %{buildroot}%{_datadir}/pki/kra/conf/CS.cfg
 mkdir -p %{buildroot}%{_localstatedir}/lock/pki/kra
diff --git a/pki/dogtag/ocsp/pki-ocsp.spec b/pki/dogtag/ocsp/pki-ocsp.spec
index 0844d3947..63ab5e225 100644
--- a/pki/dogtag/ocsp/pki-ocsp.spec
+++ b/pki/dogtag/ocsp/pki-ocsp.spec
@@ -78,6 +78,8 @@ ant \
 rm -rf %{buildroot}
 cd dist/binary
 unzip %{name}-%{version}.zip -d %{buildroot}
+cd %{buildroot}%{_datadir}/pki/ocsp/conf
+mv CS.cfg.in CS.cfg
 sed -i 's/^preop.product.version=.*$/preop.product.version=%{version}/' %{buildroot}%{_datadir}/pki/ocsp/conf/CS.cfg
 sed -i 's/^cms.version=.*$/cms.version=%{major_version}.%{minor_version}/' %{buildroot}%{_datadir}/pki/ocsp/conf/CS.cfg
 mkdir -p %{buildroot}%{_localstatedir}/lock/pki/ocsp
diff --git a/pki/dogtag/ra/pki-ra.spec b/pki/dogtag/ra/pki-ra.spec
index 964d56ef2..d9559d8fc 100644
--- a/pki/dogtag/ra/pki-ra.spec
+++ b/pki/dogtag/ra/pki-ra.spec
@@ -75,6 +75,8 @@ ant \
 rm -rf %{buildroot}
 cd dist/binary
 unzip %{name}-%{version}.zip -d %{buildroot}
+cd %{buildroot}%{_datadir}/pki/ra/conf
+mv CS.cfg.in CS.cfg
 sed -i 's/^preop.product.version=.*$/preop.product.version=%{version}/' %{buildroot}%{_datadir}/pki/ra/conf/CS.cfg
 mkdir -p %{buildroot}%{_localstatedir}/lock/pki/ra
 mkdir -p %{buildroot}%{_localstatedir}/run/pki/ra
diff --git a/pki/dogtag/tks/pki-tks.spec b/pki/dogtag/tks/pki-tks.spec
index f861dfd5f..4c64da5ef 100644
--- a/pki/dogtag/tks/pki-tks.spec
+++ b/pki/dogtag/tks/pki-tks.spec
@@ -71,6 +71,8 @@ ant \
 rm -rf %{buildroot}
 cd dist/binary
 unzip %{name}-%{version}.zip -d %{buildroot}
+cd %{buildroot}%{_datadir}/pki/tks/conf
+mv CS.cfg.in CS.cfg
 sed -i 's/^preop.product.version=.*$/preop.product.version=%{version}/' %{buildroot}%{_datadir}/pki/tks/conf/CS.cfg
 sed -i 's/^cms.version=.*$/cms.version=%{major_version}.%{minor_version}/' %{buildroot}%{_datadir}/pki/tks/conf/CS.cfg
 mkdir -p %{buildroot}%{_localstatedir}/lock/pki/tks
diff --git a/pki/dogtag/tps/pki-tps.spec b/pki/dogtag/tps/pki-tps.spec
index 6b00141ca..ee6d65421 100644
--- a/pki/dogtag/tps/pki-tps.spec
+++ b/pki/dogtag/tps/pki-tps.spec
@@ -156,6 +156,8 @@ cd %{buildroot}%{_datadir}/pki/tps/docroot
 ln -s tokendb tus
 # fix version information in primary configuration file
+cd %{buildroot}%{_datadir}/pki/tps/conf
+mv CS.cfg.in CS.cfg
 sed -i 's/^preop.product.version=.*$/preop.product.version=%{version}/' %{buildroot}%{_datadir}/pki/tps/conf/CS.cfg
 # rename config.desktop.in --> config.desktop
diff --git a/pki/scripts/compose_pki_console_packages b/pki/scripts/compose_pki_console_packages
new file mode 100755
index 000000000..b84c3585e
--- /dev/null
+++ b/pki/scripts/compose_pki_console_packages
@@ -0,0 +1,201 @@ +#!/bin/bash +# BEGIN COPYRIGHT BLOCK +# (C) 2010 Red Hat, Inc. +# All rights reserved. +# END COPYRIGHT BLOCK + +## Always switch into the base directory three levels +## above this shell script prior to executing it so +## that all of its output is written to this directory + +cd `dirname $0`/../.. + + +## +## Retrieve the name of this base directory +## + +PKI_PWD=`pwd` + + +## +## Establish the 'pki-console' name and version information +## + +PKI_CONSOLE="pki-console" +PKI_CONSOLE_VERSION="9.0.0" + + +## +## Establish the SOURCE files/directories of the 'pki-console' source directory +## + +PKI_DIR="pki" +PKI_BASE_DIR="${PKI_DIR}/base" +PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_CONSOLE}.spec" +PKI_FILE_LIST="CMakeLists.txt COPYING CPackConfig.cmake ConfigureChecks.cmake DefineOptions.cmake README cmake_uninstall.cmake.in config.h.cmake" +PKI_CMAKE_DIR="cmake" +PKI_BASE_MANIFEST="CMakeLists.txt" +PKI_COMPONENT_LIST="console" + + +## +## Establish the TARGET files/directories of the 'pki-console' source/spec files +## + +PKI_PACKAGES="${PKI_PWD}/packages" +PKI_CONSOLE_BUILD_DIR="${PKI_PACKAGES}/BUILD" +PKI_CONSOLE_RPMS_DIR="${PKI_PACKAGES}/RPMS" +PKI_CONSOLE_SOURCES_DIR="${PKI_PACKAGES}/SOURCES" +PKI_CONSOLE_SPECS_DIR="${PKI_PACKAGES}/SPECS" +PKI_CONSOLE_SRPMS_DIR="${PKI_PACKAGES}/SRPMS" + +PKI_CONSOLE_TARBALL="${PKI_CONSOLE}-${PKI_CONSOLE_VERSION}.tar.gz" +PKI_CONSOLE_SPEC_FILE="${PKI_CONSOLE_SPECS_DIR}/${PKI_CONSOLE}.spec" +PKI_CONSOLE_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_CONSOLE}" +PKI_CONSOLE_PACKAGE_COMMAND="rpmbuild --define \"_topdir \`pwd\`\" -ba SPECS/${PKI_CONSOLE}.spec" + +PKI_CONSOLE_STAGING_DIR="${PKI_PACKAGES}/staging" +PKI_CONSOLE_DIR="${PKI_CONSOLE_STAGING_DIR}/${PKI_CONSOLE}-${PKI_CONSOLE_VERSION}" +PKI_CONSOLE_BASE_DIR="${PKI_CONSOLE_DIR}/base" + + +## +## Always create a top-level 'packages' directory +## + +mkdir -p ${PKI_PACKAGES} + + +## +## Always create 'pki-console' package directories +## + +mkdir -p 
${PKI_CONSOLE_BUILD_DIR} +mkdir -p ${PKI_CONSOLE_RPMS_DIR} +mkdir -p ${PKI_CONSOLE_SOURCES_DIR} +mkdir -p ${PKI_CONSOLE_SPECS_DIR} +mkdir -p ${PKI_CONSOLE_SRPMS_DIR} + + +## +## Always start with new 'pki-console' package files +## + +rm -rf ${PKI_CONSOLE_BUILD_DIR}/${PKI_CONSOLE}-${PKI_CONSOLE_VERSION} +rm -f ${PKI_CONSOLE_RPMS_DIR}/${PKI_CONSOLE}-${PKI_CONSOLE_VERSION}*.rpm +rm -f ${PKI_CONSOLE_SOURCES_DIR}/${PKI_CONSOLE_TARBALL} +rm -f ${PKI_CONSOLE_SPEC_FILE} +rm -f ${PKI_CONSOLE_SRPMS_DIR}/${PKI_CONSOLE}-${PKI_CONSOLE_VERSION}*.rpm + + +## +## Copy a new 'pki-console' spec file from the +## current contents of the PKI working repository +## + +cp -p ${PKI_SPECS_FILE} ${PKI_CONSOLE_SPECS_DIR} + + +## +## Always start with a new 'pki-console' staging directory +## + +rm -rf ${PKI_CONSOLE_STAGING_DIR} + + +## +## To generate the 'pki-console' tarball, construct a staging area +## consisting of the 'pki-console' source components from the +## current contents of the PKI working repository +## + +mkdir -p ${PKI_CONSOLE_DIR} +cd ${PKI_DIR} +for file in "${PKI_FILE_LIST}" ; +do + cp -p ${file} ${PKI_CONSOLE_DIR} +done +find ${PKI_CMAKE_DIR} \ + -name .svn -prune -o \ + -name *.swp -prune -o \ + -print | cpio -pdum ${PKI_CONSOLE_DIR} > /dev/null 2>&1 +cd - > /dev/null 2>&1 + +mkdir -p ${PKI_CONSOLE_BASE_DIR} +cd ${PKI_BASE_DIR} +cp -p ${PKI_BASE_MANIFEST} ${PKI_CONSOLE_BASE_DIR} +for component in "${PKI_COMPONENT_LIST}" ; +do + find ${component} \ + -name .svn -prune -o \ + -name *.swp -prune -o \ + -name Makefile.am -prune -o \ + -name Makefile.in -prune -o \ + -name aclocal.m4 -prune -o \ + -name autogen.sh -prune -o \ + -name build.xml -prune -o \ + -name compile -prune -o \ + -name config.guess -prune -o \ + -name config.h.in -prune -o \ + -name config.sub -prune -o \ + -name configure -prune -o \ + -name configure.ac -prune -o \ + -name depcomp -prune -o \ + -name install-sh -prune -o \ + -name ltmain.sh -prune -o \ + -name m4 -prune -o \ + -name missing -prune 
-o \ + -name setup_package -prune -o \ + -print | cpio -pdum ${PKI_CONSOLE_BASE_DIR} > /dev/null 2>&1 +done +cd - > /dev/null 2>&1 + + +## +## Due to the following lower-level 'config' subdirectories, +## INDEPENDENTLY remove ALL top-level 'config' directories: +## +## * ./console/src/com/netscape/admin/certsrv/config (N/A 'pki-console') +## * ./tps/forms/tps/admin/console/config (N/A 'pki-console') +## + +rm -rf ${PKI_CONSOLE_BASE_DIR}/*/config + + +## +## Create the 'pki-console' tarball +## + +mkdir -p ${PKI_CONSOLE_SOURCES_DIR} +cd ${PKI_CONSOLE_STAGING_DIR} +gtar -zcvf ${PKI_CONSOLE_TARBALL} \ + "${PKI_CONSOLE}-${PKI_CONSOLE_VERSION}" > /dev/null 2>&1 +mv ${PKI_CONSOLE_TARBALL} ${PKI_CONSOLE_SOURCES_DIR} +cd - > /dev/null 2>&1 + + +## +## Always remove the PKI staging area +## + +rm -rf ${PKI_CONSOLE_STAGING_DIR} + + +## +## Always generate a fresh 'pki-console' package script +## + +rm -rf ${PKI_CONSOLE_PACKAGE_SCRIPT} +printf "#!/bin/bash\n\n" > ${PKI_CONSOLE_PACKAGE_SCRIPT} +printf "${PKI_CONSOLE_PACKAGE_COMMAND}\n\n" >> ${PKI_CONSOLE_PACKAGE_SCRIPT} +chmod 775 ${PKI_CONSOLE_PACKAGE_SCRIPT} + + +## +## Automatically invoke RPM/SRPM creation +## + +cd ${PKI_PACKAGES} ; +script -c package_${PKI_CONSOLE} package_${PKI_CONSOLE}.log + diff --git a/pki/scripts/compose_pki_kra_packages b/pki/scripts/compose_pki_kra_packages new file mode 100755 index 000000000..ef8c37ce6 --- /dev/null +++ b/pki/scripts/compose_pki_kra_packages 
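Review bot: The initial `cd` into `dirname $0`/../.. is unchecked, and every later `rm -rf` and `mkdir -p` is rooted at `PKI_PWD=\`pwd\``, so a failed cd (script invoked through an unexpected path, unreadable directory) makes the script clean out and write into whatever the caller's current directory happens to be; `cd "$(dirname "$0")/../.." || exit 1` at the top, or `set -eu` right after the shebang, bounds the damage. The closing `script -c package_${PKI_CONSOLE} package_${PKI_CONSOLE}.log` invokes the generated script by bare name, which the shell resolves through PATH rather than the current directory, so it appears to fail unless `.` is on PATH — `script -c ./package_${PKI_CONSOLE} package_${PKI_CONSOLE}.log` is what is meant, and the preceding `cd ${PKI_PACKAGES} ;` should likewise be `cd ${PKI_PACKAGES} || exit 1`. Both issues are repeated verbatim in compose_pki_kra_packages, compose_pki_migrate_packages, compose_pki_ocsp_packages, compose_pki_ra_packages, compose_pki_tks_packages and compose_pki_tps_packages in this commit.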
@@ -0,0 +1,201 @@ +#!/bin/bash +# BEGIN COPYRIGHT BLOCK +# (C) 2010 Red Hat, Inc. +# All rights reserved. +# END COPYRIGHT BLOCK + +## Always switch into the base directory three levels +## above this shell script prior to executing it so +## that all of its output is written to this directory + +cd `dirname $0`/../.. + + +## +## Retrieve the name of this base directory +## + +PKI_PWD=`pwd` + + +## +## Establish the 'pki-kra' name and version information +## + +PKI_KRA="pki-kra" +PKI_KRA_VERSION="9.0.0" + + +## +## Establish the SOURCE files/directories of the 'pki-kra' source directory +## + +PKI_DIR="pki" +PKI_BASE_DIR="${PKI_DIR}/base" +PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_KRA}.spec" +PKI_FILE_LIST="CMakeLists.txt COPYING CPackConfig.cmake ConfigureChecks.cmake DefineOptions.cmake README cmake_uninstall.cmake.in config.h.cmake" +PKI_CMAKE_DIR="cmake" +PKI_BASE_MANIFEST="CMakeLists.txt" +PKI_COMPONENT_LIST="kra" + + +## +## Establish the TARGET files/directories of the 'pki-kra' source/spec files +## + +PKI_PACKAGES="${PKI_PWD}/packages" +PKI_KRA_BUILD_DIR="${PKI_PACKAGES}/BUILD" +PKI_KRA_RPMS_DIR="${PKI_PACKAGES}/RPMS" +PKI_KRA_SOURCES_DIR="${PKI_PACKAGES}/SOURCES" +PKI_KRA_SPECS_DIR="${PKI_PACKAGES}/SPECS" +PKI_KRA_SRPMS_DIR="${PKI_PACKAGES}/SRPMS" + +PKI_KRA_TARBALL="${PKI_KRA}-${PKI_KRA_VERSION}.tar.gz" +PKI_KRA_SPEC_FILE="${PKI_KRA_SPECS_DIR}/${PKI_KRA}.spec" +PKI_KRA_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_KRA}" +PKI_KRA_PACKAGE_COMMAND="rpmbuild --define \"_topdir \`pwd\`\" -ba SPECS/${PKI_KRA}.spec" + +PKI_KRA_STAGING_DIR="${PKI_PACKAGES}/staging" +PKI_KRA_DIR="${PKI_KRA_STAGING_DIR}/${PKI_KRA}-${PKI_KRA_VERSION}" +PKI_KRA_BASE_DIR="${PKI_KRA_DIR}/base" + + +## +## Always create a top-level 'packages' directory +## + +mkdir -p ${PKI_PACKAGES} + + +## +## Always create 'pki-kra' package directories +## + +mkdir -p ${PKI_KRA_BUILD_DIR} +mkdir -p ${PKI_KRA_RPMS_DIR} +mkdir -p ${PKI_KRA_SOURCES_DIR} +mkdir -p ${PKI_KRA_SPECS_DIR} +mkdir -p 
${PKI_KRA_SRPMS_DIR} + + +## +## Always start with new 'pki-kra' package files +## + +rm -rf ${PKI_KRA_BUILD_DIR}/${PKI_KRA}-${PKI_KRA_VERSION} +rm -f ${PKI_KRA_RPMS_DIR}/${PKI_KRA}-${PKI_KRA_VERSION}*.rpm +rm -f ${PKI_KRA_SOURCES_DIR}/${PKI_KRA_TARBALL} +rm -f ${PKI_KRA_SPEC_FILE} +rm -f ${PKI_KRA_SRPMS_DIR}/${PKI_KRA}-${PKI_KRA_VERSION}*.rpm + + +## +## Copy a new 'pki-kra' spec file from the +## current contents of the PKI working repository +## + +cp -p ${PKI_SPECS_FILE} ${PKI_KRA_SPECS_DIR} + + +## +## Always start with a new 'pki-kra' staging directory +## + +rm -rf ${PKI_KRA_STAGING_DIR} + + +## +## To generate the 'pki-kra' tarball, construct a staging area +## consisting of the 'pki-kra' source components from the +## current contents of the PKI working repository +## + +mkdir -p ${PKI_KRA_DIR} +cd ${PKI_DIR} +for file in "${PKI_FILE_LIST}" ; +do + cp -p ${file} ${PKI_KRA_DIR} +done +find ${PKI_CMAKE_DIR} \ + -name .svn -prune -o \ + -name *.swp -prune -o \ + -print | cpio -pdum ${PKI_KRA_DIR} > /dev/null 2>&1 +cd - > /dev/null 2>&1 + +mkdir -p ${PKI_KRA_BASE_DIR} +cd ${PKI_BASE_DIR} +cp -p ${PKI_BASE_MANIFEST} ${PKI_KRA_BASE_DIR} +for component in "${PKI_COMPONENT_LIST}" ; +do + find ${component} \ + -name .svn -prune -o \ + -name *.swp -prune -o \ + -name Makefile.am -prune -o \ + -name Makefile.in -prune -o \ + -name aclocal.m4 -prune -o \ + -name autogen.sh -prune -o \ + -name build.xml -prune -o \ + -name compile -prune -o \ + -name config.guess -prune -o \ + -name config.h.in -prune -o \ + -name config.sub -prune -o \ + -name configure -prune -o \ + -name configure.ac -prune -o \ + -name depcomp -prune -o \ + -name install-sh -prune -o \ + -name ltmain.sh -prune -o \ + -name m4 -prune -o \ + -name missing -prune -o \ + -name setup_package -prune -o \ + -print | cpio -pdum ${PKI_KRA_BASE_DIR} > /dev/null 2>&1 +done +cd - > /dev/null 2>&1 + + +## +## Due to the following lower-level 'config' subdirectories, +## INDEPENDENTLY remove ALL top-level 
'config' directories: +## +## * ./console/src/com/netscape/admin/certsrv/config (N/A 'pki-kra') +## * ./tps/forms/tps/admin/console/config (N/A 'pki-kra') +## + +rm -rf ${PKI_KRA_BASE_DIR}/*/config + + +## +## Create the 'pki-kra' tarball +## + +mkdir -p ${PKI_KRA_SOURCES_DIR} +cd ${PKI_KRA_STAGING_DIR} +gtar -zcvf ${PKI_KRA_TARBALL} \ + "${PKI_KRA}-${PKI_KRA_VERSION}" > /dev/null 2>&1 +mv ${PKI_KRA_TARBALL} ${PKI_KRA_SOURCES_DIR} +cd - > /dev/null 2>&1 + + +## +## Always remove the PKI staging area +## + +rm -rf ${PKI_KRA_STAGING_DIR} + + +## +## Always generate a fresh 'pki-kra' package script +## + +rm -rf ${PKI_KRA_PACKAGE_SCRIPT} +printf "#!/bin/bash\n\n" > ${PKI_KRA_PACKAGE_SCRIPT} +printf "${PKI_KRA_PACKAGE_COMMAND}\n\n" >> ${PKI_KRA_PACKAGE_SCRIPT} +chmod 775 ${PKI_KRA_PACKAGE_SCRIPT} + + +## +## Automatically invoke RPM/SRPM creation +## + +cd ${PKI_PACKAGES} ; +script -c package_${PKI_KRA} package_${PKI_KRA}.log + diff --git a/pki/scripts/compose_pki_migrate_packages b/pki/scripts/compose_pki_migrate_packages new file mode 100755 index 000000000..d36b58417 --- /dev/null +++ b/pki/scripts/compose_pki_migrate_packages 
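Review bot: `for file in "${PKI_FILE_LIST}"` iterates once over the whole quoted string, so the loop body runs a single time and only works because `cp -p ${file} ${PKI_KRA_DIR}` re-splits the unquoted expansion into separate arguments; either drop the quotes on the `for` line or replace the loop with `cp -p ${PKI_FILE_LIST} ${PKI_KRA_DIR}` so the intent is visible. The same applies to `for component in "${PKI_COMPONENT_LIST}"`, and the `-name *.swp` predicate in both `find` calls should be quoted as `-name '*.swp'`, since an unquoted glob is expanded by the shell whenever a matching file exists in the current directory. This pattern is copied into all seven compose_pki_*_packages scripts added by this commit.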
@@ -0,0 +1,201 @@ +#!/bin/bash +# BEGIN COPYRIGHT BLOCK +# (C) 2010 Red Hat, Inc. +# All rights reserved. +# END COPYRIGHT BLOCK + +## Always switch into the base directory three levels +## above this shell script prior to executing it so +## that all of its output is written to this directory + +cd `dirname $0`/../.. + + +## +## Retrieve the name of this base directory +## + +PKI_PWD=`pwd` + + +## +## Establish the 'pki-migrate' name and version information +## + +PKI_MIGRATE="pki-migrate" +PKI_MIGRATE_VERSION="9.0.0" + + +## +## Establish the SOURCE files/directories of the 'pki-migrate' source directory +## + +PKI_DIR="pki" +PKI_BASE_DIR="${PKI_DIR}/base" +PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_MIGRATE}.spec" +PKI_FILE_LIST="CMakeLists.txt COPYING CPackConfig.cmake ConfigureChecks.cmake DefineOptions.cmake README cmake_uninstall.cmake.in config.h.cmake" +PKI_CMAKE_DIR="cmake" +PKI_BASE_MANIFEST="CMakeLists.txt" +PKI_COMPONENT_LIST="migrate" + + +## +## Establish the TARGET files/directories of the 'pki-migrate' source/spec files +## + +PKI_PACKAGES="${PKI_PWD}/packages" +PKI_MIGRATE_BUILD_DIR="${PKI_PACKAGES}/BUILD" +PKI_MIGRATE_RPMS_DIR="${PKI_PACKAGES}/RPMS" +PKI_MIGRATE_SOURCES_DIR="${PKI_PACKAGES}/SOURCES" +PKI_MIGRATE_SPECS_DIR="${PKI_PACKAGES}/SPECS" +PKI_MIGRATE_SRPMS_DIR="${PKI_PACKAGES}/SRPMS" + +PKI_MIGRATE_TARBALL="${PKI_MIGRATE}-${PKI_MIGRATE_VERSION}.tar.gz" +PKI_MIGRATE_SPEC_FILE="${PKI_MIGRATE_SPECS_DIR}/${PKI_MIGRATE}.spec" +PKI_MIGRATE_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_MIGRATE}" +PKI_MIGRATE_PACKAGE_COMMAND="rpmbuild --define \"_topdir \`pwd\`\" -ba SPECS/${PKI_MIGRATE}.spec" + +PKI_MIGRATE_STAGING_DIR="${PKI_PACKAGES}/staging" +PKI_MIGRATE_DIR="${PKI_MIGRATE_STAGING_DIR}/${PKI_MIGRATE}-${PKI_MIGRATE_VERSION}" +PKI_MIGRATE_BASE_DIR="${PKI_MIGRATE_DIR}/base" + + +## +## Always create a top-level 'packages' directory +## + +mkdir -p ${PKI_PACKAGES} + + +## +## Always create 'pki-migrate' package directories +## + +mkdir -p 
${PKI_MIGRATE_BUILD_DIR} +mkdir -p ${PKI_MIGRATE_RPMS_DIR} +mkdir -p ${PKI_MIGRATE_SOURCES_DIR} +mkdir -p ${PKI_MIGRATE_SPECS_DIR} +mkdir -p ${PKI_MIGRATE_SRPMS_DIR} + + +## +## Always start with new 'pki-migrate' package files +## + +rm -rf ${PKI_MIGRATE_BUILD_DIR}/${PKI_MIGRATE}-${PKI_MIGRATE_VERSION} +rm -f ${PKI_MIGRATE_RPMS_DIR}/${PKI_MIGRATE}-${PKI_MIGRATE_VERSION}*.rpm +rm -f ${PKI_MIGRATE_SOURCES_DIR}/${PKI_MIGRATE_TARBALL} +rm -f ${PKI_MIGRATE_SPEC_FILE} +rm -f ${PKI_MIGRATE_SRPMS_DIR}/${PKI_MIGRATE}-${PKI_MIGRATE_VERSION}*.rpm + + +## +## Copy a new 'pki-migrate' spec file from the +## current contents of the PKI working repository +## + +cp -p ${PKI_SPECS_FILE} ${PKI_MIGRATE_SPECS_DIR} + + +## +## Always start with a new 'pki-migrate' staging directory +## + +rm -rf ${PKI_MIGRATE_STAGING_DIR} + + +## +## To generate the 'pki-migrate' tarball, construct a staging area +## consisting of the 'pki-migrate' source components from the +## current contents of the PKI working repository +## + +mkdir -p ${PKI_MIGRATE_DIR} +cd ${PKI_DIR} +for file in "${PKI_FILE_LIST}" ; +do + cp -p ${file} ${PKI_MIGRATE_DIR} +done +find ${PKI_CMAKE_DIR} \ + -name .svn -prune -o \ + -name *.swp -prune -o \ + -print | cpio -pdum ${PKI_MIGRATE_DIR} > /dev/null 2>&1 +cd - > /dev/null 2>&1 + +mkdir -p ${PKI_MIGRATE_BASE_DIR} +cd ${PKI_BASE_DIR} +cp -p ${PKI_BASE_MANIFEST} ${PKI_MIGRATE_BASE_DIR} +for component in "${PKI_COMPONENT_LIST}" ; +do + find ${component} \ + -name .svn -prune -o \ + -name *.swp -prune -o \ + -name Makefile.am -prune -o \ + -name Makefile.in -prune -o \ + -name aclocal.m4 -prune -o \ + -name autogen.sh -prune -o \ + -name build.xml -prune -o \ + -name compile -prune -o \ + -name config.guess -prune -o \ + -name config.h.in -prune -o \ + -name config.sub -prune -o \ + -name configure -prune -o \ + -name configure.ac -prune -o \ + -name depcomp -prune -o \ + -name install-sh -prune -o \ + -name ltmain.sh -prune -o \ + -name m4 -prune -o \ + -name missing -prune 
-o \ + -name setup_package -prune -o \ + -print | cpio -pdum ${PKI_MIGRATE_BASE_DIR} > /dev/null 2>&1 +done +cd - > /dev/null 2>&1 + + +## +## Due to the following lower-level 'config' subdirectories, +## INDEPENDENTLY remove ALL top-level 'config' directories: +## +## * ./console/src/com/netscape/admin/certsrv/config (N/A 'pki-migrate') +## * ./tps/forms/tps/admin/console/config (N/A 'pki-migrate') +## + +rm -rf ${PKI_MIGRATE_BASE_DIR}/*/config + + +## +## Create the 'pki-migrate' tarball +## + +mkdir -p ${PKI_MIGRATE_SOURCES_DIR} +cd ${PKI_MIGRATE_STAGING_DIR} +gtar -zcvf ${PKI_MIGRATE_TARBALL} \ + "${PKI_MIGRATE}-${PKI_MIGRATE_VERSION}" > /dev/null 2>&1 +mv ${PKI_MIGRATE_TARBALL} ${PKI_MIGRATE_SOURCES_DIR} +cd - > /dev/null 2>&1 + + +## +## Always remove the PKI staging area +## + +rm -rf ${PKI_MIGRATE_STAGING_DIR} + + +## +## Always generate a fresh 'pki-migrate' package script +## + +rm -rf ${PKI_MIGRATE_PACKAGE_SCRIPT} +printf "#!/bin/bash\n\n" > ${PKI_MIGRATE_PACKAGE_SCRIPT} +printf "${PKI_MIGRATE_PACKAGE_COMMAND}\n\n" >> ${PKI_MIGRATE_PACKAGE_SCRIPT} +chmod 775 ${PKI_MIGRATE_PACKAGE_SCRIPT} + + +## +## Automatically invoke RPM/SRPM creation +## + +cd ${PKI_PACKAGES} ; +script -c package_${PKI_MIGRATE} package_${PKI_MIGRATE}.log + diff --git a/pki/scripts/compose_pki_ocsp_packages b/pki/scripts/compose_pki_ocsp_packages new file mode 100755 index 000000000..44f69bd3a --- /dev/null +++ b/pki/scripts/compose_pki_ocsp_packages 
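Review bot: Both `find ... | cpio -pdum ...` pipelines and the `gtar -zcvf` step discard stdout and stderr, so a staging copy or tarball that fails (missing cpio/gtar, a full disk, an unreadable file) is invisible and the script carries on to `mv ${PKI_MIGRATE_TARBALL} ${PKI_MIGRATE_SOURCES_DIR}` and then to rpmbuild with an incomplete or absent source tarball. Keep the listing quiet if desired but let errors through, e.g. `gtar -zcf ${PKI_MIGRATE_TARBALL} "${PKI_MIGRATE}-${PKI_MIGRATE_VERSION}" || exit 1`, and drop the `2>&1` on the cpio lines and check their exit status the same way. It is also worth a comment that the staged tree is whatever is in the checkout with only `.svn` and `*.swp` pruned, so untracked local files end up in the released tarball. The other compose_pki_*_packages scripts in this commit share the same redirections.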
@@ -0,0 +1,201 @@ +#!/bin/bash +# BEGIN COPYRIGHT BLOCK +# (C) 2010 Red Hat, Inc. +# All rights reserved. +# END COPYRIGHT BLOCK + +## Always switch into the base directory three levels +## above this shell script prior to executing it so +## that all of its output is written to this directory + +cd `dirname $0`/../.. + + +## +## Retrieve the name of this base directory +## + +PKI_PWD=`pwd` + + +## +## Establish the 'pki-ocsp' name and version information +## + +PKI_OCSP="pki-ocsp" +PKI_OCSP_VERSION="9.0.0" + + +## +## Establish the SOURCE files/directories of the 'pki-ocsp' source directory +## + +PKI_DIR="pki" +PKI_BASE_DIR="${PKI_DIR}/base" +PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_OCSP}.spec" +PKI_FILE_LIST="CMakeLists.txt COPYING CPackConfig.cmake ConfigureChecks.cmake DefineOptions.cmake README cmake_uninstall.cmake.in config.h.cmake" +PKI_CMAKE_DIR="cmake" +PKI_BASE_MANIFEST="CMakeLists.txt" +PKI_COMPONENT_LIST="ocsp" + + +## +## Establish the TARGET files/directories of the 'pki-ocsp' source/spec files +## + +PKI_PACKAGES="${PKI_PWD}/packages" +PKI_OCSP_BUILD_DIR="${PKI_PACKAGES}/BUILD" +PKI_OCSP_RPMS_DIR="${PKI_PACKAGES}/RPMS" +PKI_OCSP_SOURCES_DIR="${PKI_PACKAGES}/SOURCES" +PKI_OCSP_SPECS_DIR="${PKI_PACKAGES}/SPECS" +PKI_OCSP_SRPMS_DIR="${PKI_PACKAGES}/SRPMS" + +PKI_OCSP_TARBALL="${PKI_OCSP}-${PKI_OCSP_VERSION}.tar.gz" +PKI_OCSP_SPEC_FILE="${PKI_OCSP_SPECS_DIR}/${PKI_OCSP}.spec" +PKI_OCSP_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_OCSP}" +PKI_OCSP_PACKAGE_COMMAND="rpmbuild --define \"_topdir \`pwd\`\" -ba SPECS/${PKI_OCSP}.spec" + +PKI_OCSP_STAGING_DIR="${PKI_PACKAGES}/staging" +PKI_OCSP_DIR="${PKI_OCSP_STAGING_DIR}/${PKI_OCSP}-${PKI_OCSP_VERSION}" +PKI_OCSP_BASE_DIR="${PKI_OCSP_DIR}/base" + + +## +## Always create a top-level 'packages' directory +## + +mkdir -p ${PKI_PACKAGES} + + +## +## Always create 'pki-ocsp' package directories +## + +mkdir -p ${PKI_OCSP_BUILD_DIR} +mkdir -p ${PKI_OCSP_RPMS_DIR} +mkdir -p ${PKI_OCSP_SOURCES_DIR} +mkdir -p 
${PKI_OCSP_SPECS_DIR} +mkdir -p ${PKI_OCSP_SRPMS_DIR} + + +## +## Always start with new 'pki-ocsp' package files +## + +rm -rf ${PKI_OCSP_BUILD_DIR}/${PKI_OCSP}-${PKI_OCSP_VERSION} +rm -f ${PKI_OCSP_RPMS_DIR}/${PKI_OCSP}-${PKI_OCSP_VERSION}*.rpm +rm -f ${PKI_OCSP_SOURCES_DIR}/${PKI_OCSP_TARBALL} +rm -f ${PKI_OCSP_SPEC_FILE} +rm -f ${PKI_OCSP_SRPMS_DIR}/${PKI_OCSP}-${PKI_OCSP_VERSION}*.rpm + + +## +## Copy a new 'pki-ocsp' spec file from the +## current contents of the PKI working repository +## + +cp -p ${PKI_SPECS_FILE} ${PKI_OCSP_SPECS_DIR} + + +## +## Always start with a new 'pki-ocsp' staging directory +## + +rm -rf ${PKI_OCSP_STAGING_DIR} + + +## +## To generate the 'pki-ocsp' tarball, construct a staging area +## consisting of the 'pki-ocsp' source components from the +## current contents of the PKI working repository +## + +mkdir -p ${PKI_OCSP_DIR} +cd ${PKI_DIR} +for file in "${PKI_FILE_LIST}" ; +do + cp -p ${file} ${PKI_OCSP_DIR} +done +find ${PKI_CMAKE_DIR} \ + -name .svn -prune -o \ + -name *.swp -prune -o \ + -print | cpio -pdum ${PKI_OCSP_DIR} > /dev/null 2>&1 +cd - > /dev/null 2>&1 + +mkdir -p ${PKI_OCSP_BASE_DIR} +cd ${PKI_BASE_DIR} +cp -p ${PKI_BASE_MANIFEST} ${PKI_OCSP_BASE_DIR} +for component in "${PKI_COMPONENT_LIST}" ; +do + find ${component} \ + -name .svn -prune -o \ + -name *.swp -prune -o \ + -name Makefile.am -prune -o \ + -name Makefile.in -prune -o \ + -name aclocal.m4 -prune -o \ + -name autogen.sh -prune -o \ + -name build.xml -prune -o \ + -name compile -prune -o \ + -name config.guess -prune -o \ + -name config.h.in -prune -o \ + -name config.sub -prune -o \ + -name configure -prune -o \ + -name configure.ac -prune -o \ + -name depcomp -prune -o \ + -name install-sh -prune -o \ + -name ltmain.sh -prune -o \ + -name m4 -prune -o \ + -name missing -prune -o \ + -name setup_package -prune -o \ + -print | cpio -pdum ${PKI_OCSP_BASE_DIR} > /dev/null 2>&1 +done +cd - > /dev/null 2>&1 + + +## +## Due to the following lower-level 'config' 
subdirectories, +## INDEPENDENTLY remove ALL top-level 'config' directories: +## +## * ./console/src/com/netscape/admin/certsrv/config (N/A 'pki-ocsp') +## * ./tps/forms/tps/admin/console/config (N/A 'pki-ocsp') +## + +rm -rf ${PKI_OCSP_BASE_DIR}/*/config + + +## +## Create the 'pki-ocsp' tarball +## + +mkdir -p ${PKI_OCSP_SOURCES_DIR} +cd ${PKI_OCSP_STAGING_DIR} +gtar -zcvf ${PKI_OCSP_TARBALL} \ + "${PKI_OCSP}-${PKI_OCSP_VERSION}" > /dev/null 2>&1 +mv ${PKI_OCSP_TARBALL} ${PKI_OCSP_SOURCES_DIR} +cd - > /dev/null 2>&1 + + +## +## Always remove the PKI staging area +## + +rm -rf ${PKI_OCSP_STAGING_DIR} + + +## +## Always generate a fresh 'pki-ocsp' package script +## + +rm -rf ${PKI_OCSP_PACKAGE_SCRIPT} +printf "#!/bin/bash\n\n" > ${PKI_OCSP_PACKAGE_SCRIPT} +printf "${PKI_OCSP_PACKAGE_COMMAND}\n\n" >> ${PKI_OCSP_PACKAGE_SCRIPT} +chmod 775 ${PKI_OCSP_PACKAGE_SCRIPT} + + +## +## Automatically invoke RPM/SRPM creation +## + +cd ${PKI_PACKAGES} ; +script -c package_${PKI_OCSP} package_${PKI_OCSP}.log + diff --git a/pki/scripts/compose_pki_ra_packages b/pki/scripts/compose_pki_ra_packages new file mode 100755 index 000000000..10fd1790c --- /dev/null +++ b/pki/scripts/compose_pki_ra_packages 
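Review bot: The generated package script is created with `chmod 775`, making it group-writable immediately before `script -c ...` executes it; nothing here needs group write, so `chmod 755 ${PKI_OCSP_PACKAGE_SCRIPT}` is sufficient. The line `printf "${PKI_OCSP_PACKAGE_COMMAND}\n\n" >> ${PKI_OCSP_PACKAGE_SCRIPT}` also passes the command text as the printf format string, which happens to be safe for the current value but will silently corrupt the generated script on any future `%` or backslash in the command; `printf '%s\n\n' "${PKI_OCSP_PACKAGE_COMMAND}" >> ${PKI_OCSP_PACKAGE_SCRIPT}` is the robust form. Same in the other six compose_pki_*_packages scripts.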
@@ -0,0 +1,201 @@ +#!/bin/bash +# BEGIN COPYRIGHT BLOCK +# (C) 2010 Red Hat, Inc. +# All rights reserved. +# END COPYRIGHT BLOCK + +## Always switch into the base directory three levels +## above this shell script prior to executing it so +## that all of its output is written to this directory + +cd `dirname $0`/../.. + + +## +## Retrieve the name of this base directory +## + +PKI_PWD=`pwd` + + +## +## Establish the 'pki-ra' name and version information +## + +PKI_RA="pki-ra" +PKI_RA_VERSION="9.0.0" + + +## +## Establish the SOURCE files/directories of the 'pki-ra' source directory +## + +PKI_DIR="pki" +PKI_BASE_DIR="${PKI_DIR}/base" +PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_RA}.spec" +PKI_FILE_LIST="CMakeLists.txt COPYING CPackConfig.cmake ConfigureChecks.cmake DefineOptions.cmake README cmake_uninstall.cmake.in config.h.cmake" +PKI_CMAKE_DIR="cmake" +PKI_BASE_MANIFEST="CMakeLists.txt" +PKI_COMPONENT_LIST="ra" + + +## +## Establish the TARGET files/directories of the 'pki-ra' source/spec files +## + +PKI_PACKAGES="${PKI_PWD}/packages" +PKI_RA_BUILD_DIR="${PKI_PACKAGES}/BUILD" +PKI_RA_RPMS_DIR="${PKI_PACKAGES}/RPMS" +PKI_RA_SOURCES_DIR="${PKI_PACKAGES}/SOURCES" +PKI_RA_SPECS_DIR="${PKI_PACKAGES}/SPECS" +PKI_RA_SRPMS_DIR="${PKI_PACKAGES}/SRPMS" + +PKI_RA_TARBALL="${PKI_RA}-${PKI_RA_VERSION}.tar.gz" +PKI_RA_SPEC_FILE="${PKI_RA_SPECS_DIR}/${PKI_RA}.spec" +PKI_RA_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_RA}" +PKI_RA_PACKAGE_COMMAND="rpmbuild --define \"_topdir \`pwd\`\" -ba SPECS/${PKI_RA}.spec" + +PKI_RA_STAGING_DIR="${PKI_PACKAGES}/staging" +PKI_RA_DIR="${PKI_RA_STAGING_DIR}/${PKI_RA}-${PKI_RA_VERSION}" +PKI_RA_BASE_DIR="${PKI_RA_DIR}/base" + + +## +## Always create a top-level 'packages' directory +## + +mkdir -p ${PKI_PACKAGES} + + +## +## Always create 'pki-ra' package directories +## + +mkdir -p ${PKI_RA_BUILD_DIR} +mkdir -p ${PKI_RA_RPMS_DIR} +mkdir -p ${PKI_RA_SOURCES_DIR} +mkdir -p ${PKI_RA_SPECS_DIR} +mkdir -p ${PKI_RA_SRPMS_DIR} + + +## +## Always start 
with new 'pki-ra' package files +## + +rm -rf ${PKI_RA_BUILD_DIR}/${PKI_RA}-${PKI_RA_VERSION} +rm -f ${PKI_RA_RPMS_DIR}/${PKI_RA}-${PKI_RA_VERSION}*.rpm +rm -f ${PKI_RA_SOURCES_DIR}/${PKI_RA_TARBALL} +rm -f ${PKI_RA_SPEC_FILE} +rm -f ${PKI_RA_SRPMS_DIR}/${PKI_RA}-${PKI_RA_VERSION}*.rpm + + +## +## Copy a new 'pki-ra' spec file from the +## current contents of the PKI working repository +## + +cp -p ${PKI_SPECS_FILE} ${PKI_RA_SPECS_DIR} + + +## +## Always start with a new 'pki-ra' staging directory +## + +rm -rf ${PKI_RA_STAGING_DIR} + + +## +## To generate the 'pki-ra' tarball, construct a staging area +## consisting of the 'pki-ra' source components from the +## current contents of the PKI working repository +## + +mkdir -p ${PKI_RA_DIR} +cd ${PKI_DIR} +for file in "${PKI_FILE_LIST}" ; +do + cp -p ${file} ${PKI_RA_DIR} +done +find ${PKI_CMAKE_DIR} \ + -name .svn -prune -o \ + -name *.swp -prune -o \ + -print | cpio -pdum ${PKI_RA_DIR} > /dev/null 2>&1 +cd - > /dev/null 2>&1 + +mkdir -p ${PKI_RA_BASE_DIR} +cd ${PKI_BASE_DIR} +cp -p ${PKI_BASE_MANIFEST} ${PKI_RA_BASE_DIR} +for component in "${PKI_COMPONENT_LIST}" ; +do + find ${component} \ + -name .svn -prune -o \ + -name *.swp -prune -o \ + -name Makefile.am -prune -o \ + -name Makefile.in -prune -o \ + -name aclocal.m4 -prune -o \ + -name autogen.sh -prune -o \ + -name build.xml -prune -o \ + -name compile -prune -o \ + -name config.guess -prune -o \ + -name config.h.in -prune -o \ + -name config.sub -prune -o \ + -name configure -prune -o \ + -name configure.ac -prune -o \ + -name depcomp -prune -o \ + -name install-sh -prune -o \ + -name ltmain.sh -prune -o \ + -name m4 -prune -o \ + -name missing -prune -o \ + -name setup_package -prune -o \ + -print | cpio -pdum ${PKI_RA_BASE_DIR} > /dev/null 2>&1 +done +cd - > /dev/null 2>&1 + + +## +## Due to the following lower-level 'config' subdirectories, +## INDEPENDENTLY remove ALL top-level 'config' directories: +## +## * 
./console/src/com/netscape/admin/certsrv/config (N/A 'pki-ra') +## * ./tps/forms/tps/admin/console/config (N/A 'pki-ra') +## + +rm -rf ${PKI_RA_BASE_DIR}/*/config + + +## +## Create the 'pki-ra' tarball +## + +mkdir -p ${PKI_RA_SOURCES_DIR} +cd ${PKI_RA_STAGING_DIR} +gtar -zcvf ${PKI_RA_TARBALL} \ + "${PKI_RA}-${PKI_RA_VERSION}" > /dev/null 2>&1 +mv ${PKI_RA_TARBALL} ${PKI_RA_SOURCES_DIR} +cd - > /dev/null 2>&1 + + +## +## Always remove the PKI staging area +## + +rm -rf ${PKI_RA_STAGING_DIR} + + +## +## Always generate a fresh 'pki-ra' package script +## + +rm -rf ${PKI_RA_PACKAGE_SCRIPT} +printf "#!/bin/bash\n\n" > ${PKI_RA_PACKAGE_SCRIPT} +printf "${PKI_RA_PACKAGE_COMMAND}\n\n" >> ${PKI_RA_PACKAGE_SCRIPT} +chmod 775 ${PKI_RA_PACKAGE_SCRIPT} + + +## +## Automatically invoke RPM/SRPM creation +## + +cd ${PKI_PACKAGES} ; +script -c package_${PKI_RA} package_${PKI_RA}.log + diff --git a/pki/scripts/compose_pki_tks_packages b/pki/scripts/compose_pki_tks_packages new file mode 100755 index 000000000..c6e900b98 --- /dev/null +++ b/pki/scripts/compose_pki_tks_packages 
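Review bot: The comment above `rm -rf ${PKI_RA_BASE_DIR}/*/config` lists the console and tps config subdirectories and marks each N/A for pki-ra, so it explains a situation that cannot arise in this script (only `ra` is staged via PKI_COMPONENT_LIST) and reads as copy-paste. Either state the real rationale in one line, e.g. `## Remove any top-level 'config' directory staged under base/ (none expected for 'pki-ra')`, or drop the `rm -rf` together with its comment if it really is not applicable. The same copied comment appears in the kra, migrate, ocsp, tks and tps variants.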
@@ -0,0 +1,201 @@ +#!/bin/bash +# BEGIN COPYRIGHT BLOCK +# (C) 2010 Red Hat, Inc. +# All rights reserved. +# END COPYRIGHT BLOCK + +## Always switch into the base directory three levels +## above this shell script prior to executing it so +## that all of its output is written to this directory + +cd `dirname $0`/../.. + + +## +## Retrieve the name of this base directory +## + +PKI_PWD=`pwd` + + +## +## Establish the 'pki-tks' name and version information +## + +PKI_TKS="pki-tks" +PKI_TKS_VERSION="9.0.0" + + +## +## Establish the SOURCE files/directories of the 'pki-tks' source directory +## + +PKI_DIR="pki" +PKI_BASE_DIR="${PKI_DIR}/base" +PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_TKS}.spec" +PKI_FILE_LIST="CMakeLists.txt COPYING CPackConfig.cmake ConfigureChecks.cmake DefineOptions.cmake README cmake_uninstall.cmake.in config.h.cmake" +PKI_CMAKE_DIR="cmake" +PKI_BASE_MANIFEST="CMakeLists.txt" +PKI_COMPONENT_LIST="tks" + + +## +## Establish the TARGET files/directories of the 'pki-tks' source/spec files +## + +PKI_PACKAGES="${PKI_PWD}/packages" +PKI_TKS_BUILD_DIR="${PKI_PACKAGES}/BUILD" +PKI_TKS_RPMS_DIR="${PKI_PACKAGES}/RPMS" +PKI_TKS_SOURCES_DIR="${PKI_PACKAGES}/SOURCES" +PKI_TKS_SPECS_DIR="${PKI_PACKAGES}/SPECS" +PKI_TKS_SRPMS_DIR="${PKI_PACKAGES}/SRPMS" + +PKI_TKS_TARBALL="${PKI_TKS}-${PKI_TKS_VERSION}.tar.gz" +PKI_TKS_SPEC_FILE="${PKI_TKS_SPECS_DIR}/${PKI_TKS}.spec" +PKI_TKS_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_TKS}" +PKI_TKS_PACKAGE_COMMAND="rpmbuild --define \"_topdir \`pwd\`\" -ba SPECS/${PKI_TKS}.spec" + +PKI_TKS_STAGING_DIR="${PKI_PACKAGES}/staging" +PKI_TKS_DIR="${PKI_TKS_STAGING_DIR}/${PKI_TKS}-${PKI_TKS_VERSION}" +PKI_TKS_BASE_DIR="${PKI_TKS_DIR}/base" + + +## +## Always create a top-level 'packages' directory +## + +mkdir -p ${PKI_PACKAGES} + + +## +## Always create 'pki-tks' package directories +## + +mkdir -p ${PKI_TKS_BUILD_DIR} +mkdir -p ${PKI_TKS_RPMS_DIR} +mkdir -p ${PKI_TKS_SOURCES_DIR} +mkdir -p ${PKI_TKS_SPECS_DIR} +mkdir -p 
${PKI_TKS_SRPMS_DIR} + + +## +## Always start with new 'pki-tks' package files +## + +rm -rf ${PKI_TKS_BUILD_DIR}/${PKI_TKS}-${PKI_TKS_VERSION} +rm -f ${PKI_TKS_RPMS_DIR}/${PKI_TKS}-${PKI_TKS_VERSION}*.rpm +rm -f ${PKI_TKS_SOURCES_DIR}/${PKI_TKS_TARBALL} +rm -f ${PKI_TKS_SPEC_FILE} +rm -f ${PKI_TKS_SRPMS_DIR}/${PKI_TKS}-${PKI_TKS_VERSION}*.rpm + + +## +## Copy a new 'pki-tks' spec file from the +## current contents of the PKI working repository +## + +cp -p ${PKI_SPECS_FILE} ${PKI_TKS_SPECS_DIR} + + +## +## Always start with a new 'pki-tks' staging directory +## + +rm -rf ${PKI_TKS_STAGING_DIR} + + +## +## To generate the 'pki-tks' tarball, construct a staging area +## consisting of the 'pki-tks' source components from the +## current contents of the PKI working repository +## + +mkdir -p ${PKI_TKS_DIR} +cd ${PKI_DIR} +for file in "${PKI_FILE_LIST}" ; +do + cp -p ${file} ${PKI_TKS_DIR} +done +find ${PKI_CMAKE_DIR} \ + -name .svn -prune -o \ + -name *.swp -prune -o \ + -print | cpio -pdum ${PKI_TKS_DIR} > /dev/null 2>&1 +cd - > /dev/null 2>&1 + +mkdir -p ${PKI_TKS_BASE_DIR} +cd ${PKI_BASE_DIR} +cp -p ${PKI_BASE_MANIFEST} ${PKI_TKS_BASE_DIR} +for component in "${PKI_COMPONENT_LIST}" ; +do + find ${component} \ + -name .svn -prune -o \ + -name *.swp -prune -o \ + -name Makefile.am -prune -o \ + -name Makefile.in -prune -o \ + -name aclocal.m4 -prune -o \ + -name autogen.sh -prune -o \ + -name build.xml -prune -o \ + -name compile -prune -o \ + -name config.guess -prune -o \ + -name config.h.in -prune -o \ + -name config.sub -prune -o \ + -name configure -prune -o \ + -name configure.ac -prune -o \ + -name depcomp -prune -o \ + -name install-sh -prune -o \ + -name ltmain.sh -prune -o \ + -name m4 -prune -o \ + -name missing -prune -o \ + -name setup_package -prune -o \ + -print | cpio -pdum ${PKI_TKS_BASE_DIR} > /dev/null 2>&1 +done +cd - > /dev/null 2>&1 + + +## +## Due to the following lower-level 'config' subdirectories, +## INDEPENDENTLY remove ALL top-level 
'config' directories: +## +## * ./console/src/com/netscape/admin/certsrv/config (N/A 'pki-tks') +## * ./tps/forms/tps/admin/console/config (N/A 'pki-tks') +## + +rm -rf ${PKI_TKS_BASE_DIR}/*/config + + +## +## Create the 'pki-tks' tarball +## + +mkdir -p ${PKI_TKS_SOURCES_DIR} +cd ${PKI_TKS_STAGING_DIR} +gtar -zcvf ${PKI_TKS_TARBALL} \ + "${PKI_TKS}-${PKI_TKS_VERSION}" > /dev/null 2>&1 +mv ${PKI_TKS_TARBALL} ${PKI_TKS_SOURCES_DIR} +cd - > /dev/null 2>&1 + + +## +## Always remove the PKI staging area +## + +rm -rf ${PKI_TKS_STAGING_DIR} + + +## +## Always generate a fresh 'pki-tks' package script +## + +rm -rf ${PKI_TKS_PACKAGE_SCRIPT} +printf "#!/bin/bash\n\n" > ${PKI_TKS_PACKAGE_SCRIPT} +printf "${PKI_TKS_PACKAGE_COMMAND}\n\n" >> ${PKI_TKS_PACKAGE_SCRIPT} +chmod 775 ${PKI_TKS_PACKAGE_SCRIPT} + + +## +## Automatically invoke RPM/SRPM creation +## + +cd ${PKI_PACKAGES} ; +script -c package_${PKI_TKS} package_${PKI_TKS}.log + diff --git a/pki/scripts/compose_pki_tps_packages b/pki/scripts/compose_pki_tps_packages new file mode 100755 index 000000000..66dd30cd2 --- /dev/null +++ b/pki/scripts/compose_pki_tps_packages 
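Review bot: This script differs from the other six compose_pki_*_packages scripts in this commit only by the component name and the PKI_TKS_* variable prefix, and the version string `9.0.0` is hard-coded separately in each, so a version bump or a fix to the staging logic has to be replicated seven times and the copies will drift. A single compose script taking the component name as an argument, or a sourced shared settings file holding the version and the prune list, would keep them in one place; at minimum a header comment such as `## NOTE: keep in sync with the other compose_pki_*_packages scripts` would tell the next editor. A usage line near the top (`## Usage: compose_pki_tks_packages  (writes to <repo>/packages)`) is also missing.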
@@ -0,0 +1,201 @@
+#!/bin/bash
+# BEGIN COPYRIGHT BLOCK
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+## Always switch into the base directory three levels
+## above this shell script prior to executing it so
+## that all of its output is written to this directory
+
+cd `dirname $0`/../..
+
+
+##
+## Retrieve the name of this base directory
+##
+
+PKI_PWD=`pwd`
+
+
+##
+## Establish the 'pki-tps' name and version information
+##
+
+PKI_TPS="pki-tps"
+PKI_TPS_VERSION="9.0.0"
+
+
+##
+## Establish the SOURCE files/directories of the 'pki-tps' source directory
+##
+
+PKI_DIR="pki"
+PKI_BASE_DIR="${PKI_DIR}/base"
+PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_TPS}.spec"
+PKI_FILE_LIST="CMakeLists.txt COPYING CPackConfig.cmake ConfigureChecks.cmake DefineOptions.cmake README cmake_uninstall.cmake.in config.h.cmake"
+PKI_CMAKE_DIR="cmake"
+PKI_BASE_MANIFEST="CMakeLists.txt"
+PKI_COMPONENT_LIST="tps"
+
+
+##
+## Establish the TARGET files/directories of the 'pki-tps' source/spec files
+##
+
+PKI_PACKAGES="${PKI_PWD}/packages"
+PKI_TPS_BUILD_DIR="${PKI_PACKAGES}/BUILD"
+PKI_TPS_RPMS_DIR="${PKI_PACKAGES}/RPMS"
+PKI_TPS_SOURCES_DIR="${PKI_PACKAGES}/SOURCES"
+PKI_TPS_SPECS_DIR="${PKI_PACKAGES}/SPECS"
+PKI_TPS_SRPMS_DIR="${PKI_PACKAGES}/SRPMS"
+
+PKI_TPS_TARBALL="${PKI_TPS}-${PKI_TPS_VERSION}.tar.gz"
+PKI_TPS_SPEC_FILE="${PKI_TPS_SPECS_DIR}/${PKI_TPS}.spec"
+PKI_TPS_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_TPS}"
+PKI_TPS_PACKAGE_COMMAND="rpmbuild --define \"_topdir \`pwd\`\" -ba SPECS/${PKI_TPS}.spec"
+
+PKI_TPS_STAGING_DIR="${PKI_PACKAGES}/staging"
+PKI_TPS_DIR="${PKI_TPS_STAGING_DIR}/${PKI_TPS}-${PKI_TPS_VERSION}"
+PKI_TPS_BASE_DIR="${PKI_TPS_DIR}/base"
+
+
+##
+## Always create a top-level 'packages' directory
+##
+
+mkdir -p ${PKI_PACKAGES}
+
+
+##
+## Always create 'pki-tps' package directories
+##
+
+mkdir -p ${PKI_TPS_BUILD_DIR}
+mkdir -p ${PKI_TPS_RPMS_DIR}
+mkdir -p ${PKI_TPS_SOURCES_DIR}
+mkdir -p ${PKI_TPS_SPECS_DIR}
+mkdir -p ${PKI_TPS_SRPMS_DIR}
+
+
+##
+## Always start with new 'pki-tps' package files
+##
+
+rm -rf ${PKI_TPS_BUILD_DIR}/${PKI_TPS}-${PKI_TPS_VERSION}
+rm -f ${PKI_TPS_RPMS_DIR}/${PKI_TPS}-${PKI_TPS_VERSION}*.rpm
+rm -f ${PKI_TPS_SOURCES_DIR}/${PKI_TPS_TARBALL}
+rm -f ${PKI_TPS_SPEC_FILE}
+rm -f ${PKI_TPS_SRPMS_DIR}/${PKI_TPS}-${PKI_TPS_VERSION}*.rpm
+
+
+##
+## Copy a new 'pki-tps' spec file from the
+## current contents of the PKI working repository
+##
+
+cp -p ${PKI_SPECS_FILE} ${PKI_TPS_SPECS_DIR}
+
+
+##
+## Always start with a new 'pki-tps' staging directory
+##
+
+rm -rf ${PKI_TPS_STAGING_DIR}
+
+
+##
+## To generate the 'pki-tps' tarball, construct a staging area
+## consisting of the 'pki-tps' source components from the
+## current contents of the PKI working repository
+##
+
+mkdir -p ${PKI_TPS_DIR}
+cd ${PKI_DIR}
+for file in "${PKI_FILE_LIST}" ;
+do
+ cp -p ${file} ${PKI_TPS_DIR}
+done
+find ${PKI_CMAKE_DIR} \
+ -name .svn -prune -o \
+ -name *.swp -prune -o \
+ -print | cpio -pdum ${PKI_TPS_DIR} > /dev/null 2>&1
+cd - > /dev/null 2>&1
+
+mkdir -p ${PKI_TPS_BASE_DIR}
+cd ${PKI_BASE_DIR}
+cp -p ${PKI_BASE_MANIFEST} ${PKI_TPS_BASE_DIR}
+for component in "${PKI_COMPONENT_LIST}" ;
+do
+ find ${component} \
+ -name .svn -prune -o \
+ -name *.swp -prune -o \
+ -name Makefile.am -prune -o \
+ -name Makefile.in -prune -o \
+ -name aclocal.m4 -prune -o \
+ -name autogen.sh -prune -o \
+ -name build.xml -prune -o \
+ -name compile -prune -o \
+ -name config.guess -prune -o \
+ -name config.h.in -prune -o \
+ -name config.sub -prune -o \
+ -name configure -prune -o \
+ -name configure.ac -prune -o \
+ -name depcomp -prune -o \
+ -name install-sh -prune -o \
+ -name ltmain.sh -prune -o \
+ -name m4 -prune -o \
+ -name missing -prune -o \
+ -name setup_package -prune -o \
+ -print | cpio -pdum ${PKI_TPS_BASE_DIR} > /dev/null 2>&1
+done
+cd - > /dev/null 2>&1
+
+
+##
+## Due to the following lower-level 'config' subdirectories,
+## INDEPENDENTLY remove ALL top-level 'config' directories:
+##
+## * ./console/src/com/netscape/admin/certsrv/config (N/A 'pki-tps')
+## * ./tps/forms/tps/admin/console/config
+##
+
+rm -rf ${PKI_TPS_BASE_DIR}/*/config
+
+
+##
+## Create the 'pki-tps' tarball
+##
+
+mkdir -p ${PKI_TPS_SOURCES_DIR}
+cd ${PKI_TPS_STAGING_DIR}
+gtar -zcvf ${PKI_TPS_TARBALL} \
+ "${PKI_TPS}-${PKI_TPS_VERSION}" > /dev/null 2>&1
+mv ${PKI_TPS_TARBALL} ${PKI_TPS_SOURCES_DIR}
+cd - > /dev/null 2>&1
+
+
+##
+## Always remove the PKI staging area
+##
+
+rm -rf ${PKI_TPS_STAGING_DIR}
+
+
+##
+## Always generate a fresh 'pki-tps' package script
+##
+
+rm -rf ${PKI_TPS_PACKAGE_SCRIPT}
+printf "#!/bin/bash\n\n" > ${PKI_TPS_PACKAGE_SCRIPT}
+printf "${PKI_TPS_PACKAGE_COMMAND}\n\n" >> ${PKI_TPS_PACKAGE_SCRIPT}
+chmod 775 ${PKI_TPS_PACKAGE_SCRIPT}
+
+
+##
+## Automatically invoke RPM/SRPM creation
+##
+
+cd ${PKI_PACKAGES} ;
+script -c package_${PKI_TPS} package_${PKI_TPS}.log
+
diff --git a/pki/specs/dogtag-pki-theme.spec b/pki/specs/dogtag-pki-theme.spec
index 9c5cf0ecd..d1c89dc37 100644
--- a/pki/specs/dogtag-pki-theme.spec
+++ b/pki/specs/dogtag-pki-theme.spec
@@ -36,7 +36,7 @@ BuildRequires: cmake Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz -%define overview \ +%global overview \ ========================================= \ || ABOUT "DOGTAG CERTIFICATE SYSTEM" || \ ========================================= \
@@ -379,7 +379,7 @@ This package is used by the Dogtag Certificate System. %build %{__mkdir_p} build cd build -%cmake -DBUILD_DOGTAG_THEME:BOOL=ON .. +%cmake -DBUILD_DOGTAG_PKI_THEME:BOOL=ON .. %{__make} VERBOSE=1 %{?_smp_mflags}
diff --git a/pki/specs/ipa-pki-theme.spec b/pki/specs/ipa-pki-theme.spec
index 12ad3947b..9e874eb09 100644
--- a/pki/specs/ipa-pki-theme.spec
+++ b/pki/specs/ipa-pki-theme.spec
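Review bot: Every path expansion in this script is unquoted, and all of them derive from the `pwd` captured in `PKI_PWD`, so a checkout whose absolute path contains whitespace turns `rm -rf ${PKI_TPS_STAGING_DIR}` and the other `rm -rf` calls into deletions of different, truncated paths; quoting them, e.g. `rm -rf "${PKI_TPS_STAGING_DIR}"`, removes that hazard, and `-name *.swp` needs quoting for the same reason (the shell expands it whenever a `.swp` file exists in the current directory). The final `script -c package_${PKI_TPS} package_${PKI_TPS}.log` passes a bare command name to `$SHELL -c`, which resolves it through PATH rather than the directory the preceding `cd ${PKI_PACKAGES}` moved into, so unless `.` is on PATH the generated package script is never run; `script -c "./package_${PKI_TPS}" "package_${PKI_TPS}.log"` is what the `cd` appears to intend. There is no `set -e` and none of the `cd` calls are checked, while the `cpio` and `gtar` errors are discarded by `> /dev/null 2>&1`, so a failed staging step silently yields an incomplete tarball that rpmbuild then packages. The `compose_pki_tks_packages` script earlier in this diff has the same three issues.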
@@ -36,7 +36,7 @@ BuildRequires: cmake Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz -%define overview \ +%global overview \ ================================== \ || ABOUT "CERTIFICATE SYSTEM" || \ ================================== \ @@ -160,7 +160,7 @@ This package is used by the Certificate System utilized by IPA. %build %{__mkdir_p} build cd build -%cmake -DBUILD_NULL_THEME:BOOL=ON .. +%cmake -DBUILD_NULL_PKI_THEME:BOOL=ON .. %{__make} VERBOSE=1 %{?_smp_mflags} diff --git a/pki/specs/pki-console.spec b/pki/specs/pki-console.spec new file mode 100644 index 000000000..ed9e57b1a --- /dev/null +++ b/pki/specs/pki-console.spec 
@@ -0,0 +1,100 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+
+###############################################################################
+### P A C K A G E H E A D E R ###
+###############################################################################
+
+Name: pki-console
+Version: 9.0.0
+Release: 1%{?dist}
+Summary: Certificate System - PKI Console
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Base
+
+BuildArch: noarch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+BuildRequires: idm-console-framework
+BuildRequires: java-devel >= 1:1.6.0
+BuildRequires: jpackage-utils
+BuildRequires: jss >= 4.2.6
+BuildRequires: ldapjdk
+BuildRequires: pki-util
+
+Requires: idm-console-framework
+Requires: java >= 1:1.6.0
+Requires: jss >= 4.2.6
+Requires: ldapjdk
+Requires: pki-console-theme
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
+
+%description
+Certificate System (CS) is an enterprise software system designed
+to manage enterprise Public Key Infrastructure (PKI) deployments.
+
+The PKI Console is a java application used to administer CS.
+
+For deployment purposes, a PKI Console requires ONE AND ONLY ONE of the
+following "Mutually-Exclusive" PKI Theme packages:
+
+ * dogtag-pki-theme (Dogtag Certificate System deployments)
+ * redhat-pki-theme (Red Hat Certificate System deployments)
+
+
+%prep
+
+
+%setup -q
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_CONSOLE:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot}
+
+
+%files
+%defattr(-,root,root,-)
+%doc base/console/LICENSE
+%{_bindir}/pkiconsole
+%{_javadir}/pki-console-%{version}.jar
+%{_javadir}/pki-console.jar
+#%{_javadir}/pki/pki-console-%{version}.jar
+#%{_javadir}/pki/pki-console.jar
+
+
+%changelog
+* Wed Dec 1 2010 Matthew Harmsen 9.0.0-1
+- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)
+
diff --git a/pki/specs/pki-core.spec b/pki/specs/pki-core.spec
index 613115bb0..333460f59 100644
--- a/pki/specs/pki-core.spec
+++ b/pki/specs/pki-core.spec
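Review bot: The two commented-out lines at the end of `%files`, `#%{_javadir}/pki/pki-console-%{version}.jar` and `#%{_javadir}/pki/pki-console.jar`, are still macro-expanded by rpmbuild, because `#` does not stop macro expansion in a spec; that is harmless with these particular macros but is the case rpmlint reports as macro-in-comment, and it turns into a build error the moment a commented line carries a parametrised or undefined macro. Either drop the dead lines or escape them as `#%%{_javadir}/pki/pki-console-%%{version}.jar`. The same pattern appears in the `%files` sections of the new pki-kra.spec and pki-ocsp.spec later in this diff. Separately, the description says the console needs dogtag-pki-theme or redhat-pki-theme while the header declares `Requires: pki-console-theme`; if that is a virtual provide of the theme packages, a comment saying so next to the `Requires:` would save the next reader a search.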
@@ -39,11 +39,25 @@ BuildRequires: osutil Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz -%define major_version %(echo `echo %{version} | awk -F. '{ print $1 }'`) -%define minor_version %(echo `echo %{version} | awk -F. '{ print $2 }'`) -%define patch_version %(echo `echo %{version} | awk -F. '{ print $3 }'`) - -%define overview \ +%global saveFileContext() \ +if [ -s /etc/selinux/config ]; then \ + . %{_sysconfdir}/selinux/config; \ + FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ + if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \ + cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \ + fi \ +fi; + +%global relabel() \ +. %{_sysconfdir}/selinux/config; \ +FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ +selinuxenabled; \ +if [ $? == 0 -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \ + fixfiles -C ${FILE_CONTEXT}.%{name} restore; \ + rm -f ${FILE_CONTEXT}.%name; \ +fi; + +%global overview \ ================================== \ || ABOUT "CERTIFICATE SYSTEM" || \ ================================== \ @@ -328,6 +342,7 @@ Requires: java >= 1:1.6.0 Requires: pki-ca-theme Requires: pki-common = %{version}-%{release} Requires: pki-selinux = %{version}-%{release} +Requires: pki-setup = %{version}-%{release} Requires(post): chkconfig Requires(preun): chkconfig Requires(preun): initscripts @@ -394,7 +409,7 @@ This package is a part of the PKI Core used by the Certificate System. %build %{__mkdir_p} build cd build -%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_CORE:BOOL=ON .. +%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_CORE:BOOL=ON .. %{__make} VERBOSE=1 %{?_smp_mflags} 
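Review bot: `relabel()` sources `%{_sysconfdir}/selinux/config` unconditionally, while `saveFileContext()` guards the same `.` with `if [ -s /etc/selinux/config ]`; on a host without that file the `%post`/`%postun` scriptlets that call `%relabel` will print an error from the failed source before `selinuxenabled` is ever consulted. Mirroring the guard, `[ -s %{_sysconfdir}/selinux/config ] && . %{_sysconfdir}/selinux/config; \`, and writing the test as `if selinuxenabled && [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \` also removes the separate `$?` check. The cleanup line uses `%name` where every other line uses `%{name}`; they expand identically, but the inconsistency reads like a typo. Note also that when SELinux is not enabled at install time `saveFileContext` still writes `${FILE_CONTEXT}.%{name}` and `relabel` never reaches its `rm -f`, so the saved copy is left behind until a later relabel on an enabled system.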
@@ -444,13 +459,6 @@ cd %{buildroot}%{_libdir}/symkey ## pki-java-tools ## ######################## -#cd %{buildroot}%{_javadir} -#%{__ln_s} pkitools.jar cstools.jar -#cd %{buildroot}%{_javadir}/pki -#%{__ln_s} pkitools.jar cstools.jar -#cd %{buildroot}%{_javadir}/pki -#%{__ln_s} ../pkitools.jar cstools.jar - ######################## ## pki-common ## @@ -466,9 +474,6 @@ cd %{buildroot}%{_libdir}/symkey ## pki-ca ## ######################## -%{__sed} -i 's/^preop.product.version=.*$/preop.product.version=%{version}/' %{buildroot}%{_datadir}/pki/ca/conf/CS.cfg -%{__sed} -i 's/^cms.version=.*$/cms.version=%{major_version}.%{minor_version}/' %{buildroot}%{_datadir}/pki/ca/conf/CS.cfg - ######################## ## pki-silent ## @@ -513,6 +518,27 @@ cd %{buildroot}%{_libdir}/symkey ## pki-selinux ## ######################## +%pre -n pki-selinux +%saveFileContext targeted + + +%post -n pki-selinux +semodule -s targeted -i %{_datadir}/selinux/modules/pki.pp +%relabel targeted + + +%preun -n pki-selinux +if [ $1 = 0 ]; then + %saveFileContext targeted +fi + + +%postun -n pki-selinux +if [ $1 = 0 ]; then + semodule -s targeted -r pki + %relabel targeted +fi + ######################## ## pki-ca ## diff --git a/pki/specs/pki-kra.spec b/pki/specs/pki-kra.spec new file mode 100644 index 000000000..34ae27eed --- /dev/null +++ b/pki/specs/pki-kra.spec 
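Review bot: `%post -n pki-selinux` runs `semodule -s targeted -i %{_datadir}/selinux/modules/pki.pp` with no failure handling, unlike the `chkconfig` calls elsewhere in this commit that end in `|| :`; if the targeted policy store is not usable on the host, the scriptlet exits non-zero and rpm reports a scriptlet failure even though `%relabel` already degrades gracefully in that situation. Gating it the same way the macros do, `if selinuxenabled; then semodule -s targeted -i %{_datadir}/selinux/modules/pki.pp; fi`, or at least appending `|| :` so a policy-load failure is visible but not fatal, keeps the four scriptlets consistent; the same applies to `semodule -s targeted -r pki` in `%postun`. The policy type is also hard-coded as `targeted` here while the macros take it as `%1`; a single `%global` for it would keep the scriptlets and macros in step.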
@@ -0,0 +1,165 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+
+###############################################################################
+### P A C K A G E H E A D E R ###
+###############################################################################
+
+Name: pki-kra
+Version: 9.0.0
+Release: 1%{?dist}
+Summary: Certificate System - Data Recovery Manager
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+BuildRequires: java-devel >= 1:1.6.0
+BuildRequires: jpackage-utils
+BuildRequires: jss >= 4.2.6
+BuildRequires: pki-common
+BuildRequires: pki-util
+BuildRequires: tomcatjss
+
+Requires: java >= 1:1.6.0
+Requires: pki-common
+Requires: pki-kra-theme
+Requires: pki-selinux
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
+
+%description
+Certificate System (CS) is an enterprise software system designed
+to manage enterprise Public Key Infrastructure (PKI) deployments.
+
+The Data Recovery Manager (DRM) is an optional PKI subsystem that can act
+as a Key Recovery Authority (KRA). When configured in conjunction with the
+Certificate Authority (CA), the DRM stores private encryption keys as part of
+the certificate enrollment process. The key archival mechanism is triggered
+when a user enrolls in the PKI and creates the certificate request. Using the
+Certificate Request Message Format (CRMF) request format, a request is
+generated for the user's private encryption key. This key is then stored in
+the DRM which is configured to store keys in an encrypted format that can only
+be decrypted by several agents requesting the key at one time, providing for
+protection of the public encryption keys for the users in the PKI deployment.
+
+Note that the DRM archives encryption keys; it does NOT archive signing keys,
+since such archival would undermine non-repudiation properties of signing keys.
+
+For deployment purposes, a DRM requires the following components from the PKI
+Core package:
+
+ * pki-setup
+ * pki-native-tools
+ * pki-util
+ * pki-java-tools
+ * pki-common
+ * pki-selinux
+
+and can also make use of the following optional components from the PKI Core
+package:
+
+ * pki-util-javadoc
+ * pki-java-tools-javadoc
+ * pki-common-javadoc
+ * pki-silent
+
+Additionally, Certificate System requires ONE AND ONLY ONE of the following
+"Mutually-Exclusive" PKI Theme packages:
+
+ * dogtag-pki-theme (Dogtag Certificate System deployments)
+ * redhat-pki-theme (Red Hat Certificate System deployments)
+
+
+%prep
+
+
+%setup -q
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_KRA:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot}
+
+
+%pre
+
+
+%post
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-krad || :
+
+
+%preun
+if [ $1 = 0 ] ; then
+ /sbin/service pki-krad stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-krad || :
+fi
+
+
+%postun
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-krad condrestart >/dev/null 2>&1 || :
+fi
+
+
+%files
+%defattr(-,root,root,-)
+%doc base/kra/LICENSE
+%{_initrddir}/pki-krad
+%{_javadir}/kra-%{version}.jar
+%{_javadir}/kra.jar
+#%{_javadir}/pki/kra-%{version}.jar
+#%{_javadir}/pki/kra/kra.jar
+%dir %{_datadir}/pki/kra
+%dir %{_datadir}/pki/kra/acl
+%{_datadir}/pki/kra/acl/*
+%dir %{_datadir}/pki/kra/conf
+%{_datadir}/pki/kra/conf/*
+%dir %{_datadir}/pki/kra/setup
+%{_datadir}/pki/kra/setup/*
+%dir %{_datadir}/pki/kra/webapps
+%{_datadir}/pki/kra/webapps/*
+%dir %{_localstatedir}/lock/pki/kra
+%dir %{_localstatedir}/run/pki/kra
+
+
+%changelog
+* Wed Dec 1 2010 Matthew Harmsen 9.0.0-1
+- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)
+
diff --git a/pki/specs/pki-migrate.spec b/pki/specs/pki-migrate.spec
new file mode 100644
index 000000000..e02539434
--- /dev/null
+++ b/pki/specs/pki-migrate.spec
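Review bot: The header declares only `Requires: pki-common` and `Requires: pki-selinux` from PKI Core, yet the description below lists pki-setup, pki-native-tools, pki-util and pki-java-tools as required, and this same commit adds `Requires: pki-setup = %{version}-%{release}` to pki-ca in pki-core.spec; unless pki-common transitively pulls in pki-setup, a standalone install of pki-kra will lack the setup scripts the description promises. Adding `Requires: pki-setup` (as pki-ra.spec in this diff already does) keeps the header and the description in agreement. pki-ocsp.spec and pki-tks.spec later in this diff have the same gap. Minor: `%preun` tests `$1 = 0` unquoted while `%postun` quotes `"$1"`; pick one form across the four daemon specs.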
@@ -0,0 +1,95 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+
+###############################################################################
+### P A C K A G E H E A D E R ###
+###############################################################################
+
+Name: pki-migrate
+Version: 9.0.0
+Release: 1%{?dist}
+Summary: Red Hat Certificate System - PKI Migration Scripts
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Base
+
+# Suppress automatic 'requires' and 'provisions' of multi-platform 'binaries'
+AutoReqProv: no
+
+BuildArch: noarch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+BuildRequires: java-devel >= 1:1.6.0
+BuildRequires: jpackage-utils
+
+Requires: java >= 1:1.6.0
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
+
+%global _binaries_in_noarch_packages_terminate_build 0
+
+%description
+Red Hat Certificate System (CS) is an enterprise software system designed
+to manage enterprise Public Key Infrastructure (PKI) deployments.
+
+PKI Migration Scripts are used to export data from previous versions of
+Netscape Certificate Management Systems, iPlanet Certificate Management
+Systems, and Red Hat Certificate Systems into a flat-file which may then
+be imported into this release of Red Hat Certificate System.
+
+Note that since this utility is platform-independent, it is generally possible
+to migrate data from previous PKI deployments originally stored on other
+hardware platforms as well as earlier versions of this operating system.
+
+
+%prep
+
+
+%setup -q
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_MIGRATE:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot}
+
+
+%files
+%defattr(-,root,root,-)
+%doc base/migrate/LICENSE
+%dir %{_datadir}/pki/migrate
+%{_datadir}/pki/migrate/*
+
+
+%changelog
+* Wed Dec 1 2010 Matthew Harmsen 9.0.0-1
+- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)
+
diff --git a/pki/specs/pki-ocsp.spec b/pki/specs/pki-ocsp.spec
new file mode 100644
index 000000000..ece867975
--- /dev/null
+++ b/pki/specs/pki-ocsp.spec
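Review bot: `%{_datadir}/pki/migrate/*` is the only payload entry, and combined with `AutoReqProv: no` and `%global _binaries_in_noarch_packages_terminate_build 0` in the header, whatever the cmake install drops under that directory — including the multi-platform binaries the `AutoReqProv` comment alludes to — is packaged with no file manifest and no dependency or provides metadata. A reader of the spec cannot tell which executables ship or what they link against, which matters for a tool that later handles migrated PKI data; enumerating the subdirectories (as pki-ra.spec in this diff does for `conf`, `docroot`, `lib`, `scripts` and `setup`) would make the contents auditable from the spec alone. If prebuilt binaries really must be bundled, a comment naming their origin next to `AutoReqProv: no` would record the decision.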
@@ -0,0 +1,172 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+
+###############################################################################
+### P A C K A G E H E A D E R ###
+###############################################################################
+
+Name: pki-ocsp
+Version: 9.0.0
+Release: 1%{?dist}
+Summary: Certificate System - Online Certificate Status Protocol Manager
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+BuildRequires: java-devel >= 1:1.6.0
+BuildRequires: jpackage-utils
+BuildRequires: jss >= 4.2.6
+BuildRequires: pki-common
+BuildRequires: pki-util
+BuildRequires: tomcatjss
+
+Requires: java >= 1:1.6.0
+Requires: pki-common
+Requires: pki-ocsp-theme
+Requires: pki-selinux
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
+
+%description
+Certificate System (CS) is an enterprise software system designed
+to manage enterprise Public Key Infrastructure (PKI) deployments.
+
+The Online Certificate Status Protocol (OCSP) Manager is an optional PKI
+subsystem that can act as a stand-alone OCSP service. The OCSP Manager
+performs the task of an online certificate validation authority by enabling
+OCSP-compliant clients to do real-time verification of certificates. Note
+that an online certificate-validation authority is often referred to as an
+OCSP Responder.
+
+Although the Certificate Authority (CA) is already configured with an
+internal OCSP service. An external OCSP Responder is offered as a separate
+subsystem in case the user wants the OCSP service provided outside of a
+firewall while the CA resides inside of a firewall, or to take the load of
+requests off of the CA.
+
+The OCSP Manager can receive Certificate Revocation Lists (CRLs) from
+multiple CA servers, and clients can query the OCSP Manager for the
+revocation status of certificates issued by all of these CA servers.
+
+When an instance of OCSP Manager is set up with an instance of CA, and
+publishing is set up to this OCSP Manager, CRLs are published to it
+whenever they are issued or updated.
+
+For deployment purposes, an OCSP Manager requires the following components
+from the PKI Core package:
+
+ * pki-setup
+ * pki-native-tools
+ * pki-util
+ * pki-java-tools
+ * pki-common
+ * pki-selinux
+
+and can also make use of the following optional components from the PKI Core
+package:
+
+ * pki-util-javadoc
+ * pki-java-tools-javadoc
+ * pki-common-javadoc
+ * pki-silent
+
+Additionally, Certificate System requires ONE AND ONLY ONE of the following
+"Mutually-Exclusive" PKI Theme packages:
+
+ * dogtag-pki-theme (Dogtag Certificate System deployments)
+ * redhat-pki-theme (Red Hat Certificate System deployments)
+
+
+%prep
+
+
+%setup -q
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_OCSP:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot}
+
+
+%pre
+
+
+%post
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-ocspd || :
+
+
+%preun
+if [ $1 = 0 ] ; then
+ /sbin/service pki-ocspd stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-ocspd || :
+fi
+
+
+%postun
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-ocspd condrestart >/dev/null 2>&1 || :
+fi
+
+
+%files
+%defattr(-,root,root,-)
+%doc base/ocsp/LICENSE
+%{_initrddir}/pki-ocspd
+%{_javadir}/ocsp-%{version}.jar
+%{_javadir}/ocsp.jar
+#%{_javadir}/pki/ocsp-%{version}.jar
+#%{_javadir}/pki/ocsp/ocsp.jar
+%dir %{_datadir}/pki/ocsp
+%dir %{_datadir}/pki/ocsp/acl
+%{_datadir}/pki/ocsp/acl/*
+%dir %{_datadir}/pki/ocsp/conf
+%{_datadir}/pki/ocsp/conf/*
+%dir %{_datadir}/pki/ocsp/setup
+%{_datadir}/pki/ocsp/setup/*
+%dir %{_datadir}/pki/ocsp/webapps
+%{_datadir}/pki/ocsp/webapps/*
+%dir %{_localstatedir}/lock/pki/ocsp
+%dir %{_localstatedir}/run/pki/ocsp
+
+
+%changelog
+* Wed Dec 1 2010 Matthew Harmsen 9.0.0-1
+- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)
+
diff --git a/pki/specs/pki-ra.spec b/pki/specs/pki-ra.spec
new file mode 100644
index 000000000..de9060c73
--- /dev/null
+++ b/pki/specs/pki-ra.spec
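Review bot: In the description, `Although the Certificate Authority (CA) is already configured with an internal OCSP service.` is a subordinate clause closed by a full stop, so the second paragraph opens with a fragment and the following sentence loses its contrast. Joining the two, `Although the Certificate Authority (CA) is already configured with an internal OCSP service, an external OCSP Responder is offered as a separate subsystem in case ...`, reads as intended; this text is shown to administrators by every package tool, so it is worth getting right in the initial revision.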
@@ -0,0 +1,171 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+
+###############################################################################
+### P A C K A G E H E A D E R ###
+###############################################################################
+
+Name: pki-ra
+Version: 9.0.0
+Release: 1%{?dist}
+Summary: Certificate System - Registration Authority
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+
+Requires: mod_nss >= 1.0.8
+Requires: mod_perl >= 1.99_16
+Requires: mod_revocator >= 1.0.3
+Requires: mozldap >= 6.0.2
+Requires: pki-native-tools
+Requires: pki-ra-theme
+Requires: pki-selinux
+Requires: pki-setup
+Requires: perl-DBD-SQLite
+Requires: sqlite
+Requires: /usr/sbin/sendmail
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
+
+%description
+Certificate System (CS) is an enterprise software system designed
+to manage enterprise Public Key Infrastructure (PKI) deployments.
+
+The Registration Authority (RA) is an optional PKI subsystem that acts as a
+front-end for authenticating and processing enrollment requests, PIN reset
+requests, and formatting requests.
+
+An RA communicates over SSL with a Certificate Authority (CA) to fulfill
+the user's requests. An RA may often be located outside an organization's
+firewall to allow external users the ability to communicate with that
+organization's PKI deployment.
+
+For deployment purposes, an RA requires the following components from the PKI
+Core package:
+
+ * pki-setup
+ * pki-native-tools
+ * pki-selinux
+
+and can also make use of the following optional components from the PKI Core
+package:
+
+ * pki-silent
+
+Additionally, Certificate System requires ONE AND ONLY ONE of the following
+"Mutually-Exclusive" PKI Theme packages:
+
+ * dogtag-pki-theme (Dogtag Certificate System deployments)
+ * redhat-pki-theme (Red Hat Certificate System deployments)
+
+
+%prep
+
+
+%setup -q
+
+cat << \EOF > %{name}-prov
+#!/bin/sh
+%{__perl_provides} $* |\
+sed -e '/perl(PKI.*)/d' -e '/perl(Template.*)/d'
+EOF
+
+%global __perl_provides %{_builddir}/%{name}-%{version}/%{name}-prov
+chmod +x %{__perl_provides}
+
+cat << \EOF > %{name}-req
+#!/bin/sh
+%{__perl_requires} $* |\
+sed -e '/perl(PKI.*)/d' -e '/perl(Template.*)/d'
+EOF
+
+%global __perl_requires %{_builddir}/%{name}-%{version}/%{name}-req
+chmod +x %{__perl_requires}
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_RA:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot}
+
+
+%pre
+
+
+%post
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-rad || :
+
+
+%preun
+if [ $1 = 0 ] ; then
+ /sbin/service pki-rad stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-rad || :
+fi
+
+
+%postun
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-rad condrestart >/dev/null 2>&1 || :
+fi
+
+
+%files
+%defattr(-,root,root,-)
+%doc base/ra/LICENSE
+%{_initrddir}/pki-rad
+%dir %{_datadir}/pki/ra
+%dir %{_datadir}/pki/ra/conf
+%{_datadir}/pki/ra/conf/*
+%dir %{_datadir}/pki/ra/docroot
+%{_datadir}/pki/ra/docroot/*
+%dir %{_datadir}/pki/ra/lib
+%{_datadir}/pki/ra/lib/*
+%dir %{_datadir}/pki/ra/scripts
+%{_datadir}/pki/ra/scripts/*
+%dir %{_datadir}/pki/ra/setup
+%{_datadir}/pki/ra/setup/*
+%dir %{_localstatedir}/lock/pki/ra
+%dir %{_localstatedir}/run/pki/ra
+
+
+%changelog
+* Wed Dec 1 2010 Matthew Harmsen 9.0.0-1
+- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)
+
diff --git a/pki/specs/pki-tks.spec b/pki/specs/pki-tks.spec
new file mode 100644
index 000000000..19f87f842
--- /dev/null
+++ b/pki/specs/pki-tks.spec
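Review bot: The `%prep` wrappers delete both the provides and the requires for `perl(Template.*)` and `perl(PKI.*)`, yet the header declares no Template Toolkit dependency; filtering the provides as well suggests — though nothing in the spec says so — that a private copy of the Template modules ships under `%{_datadir}/pki/ra/lib/*`. A one-line comment above the first `cat << \EOF`, e.g. `# PKI::* and Template::* modules ship with pki-ra itself; hide them from the perl dependency generators`, would record that, since a bundled copy is exactly what a vulnerability-tracking reviewer later needs to be able to locate. If the Template modules are in fact expected from the system, the requires filter should drop only `perl(PKI.*)` and `Requires: perl-Template-Toolkit` belongs in the header. Both wrapper scripts also pass `$*` to the underlying generator; `"$@"` preserves arguments containing whitespace.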
@@ -0,0 +1,166 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+
+###############################################################################
+### P A C K A G E H E A D E R ###
+###############################################################################
+
+Name: pki-tks
+Version: 9.0.0
+Release: 1%{?dist}
+Summary: Certificate System - Token Key Service
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+BuildRequires: java-devel >= 1:1.6.0
+BuildRequires: jpackage-utils
+BuildRequires: jss >= 4.2.6
+BuildRequires: pki-common
+BuildRequires: pki-util
+BuildRequires: tomcatjss
+
+Requires: java >= 1:1.6.0
+Requires: pki-common
+Requires: pki-selinux
+Requires: pki-tks-theme
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
+
+%description
+Certificate System (CS) is an enterprise software system designed
+to manage enterprise Public Key Infrastructure (PKI) deployments.
+
+The Token Key Service (TKS) is an optional PKI subsystem that manages the
+master key(s) and the transport key(s) required to generate and distribute
+keys for hardware tokens. TKS provides the security between tokens and an
+instance of Token Processing System (TPS), where the security relies upon the
+relationship between the master key and the token keys. A TPS communicates
+with a TKS over SSL using client authentication.
+
+TKS helps establish a secure channel (signed and encrypted) between the token
+and the TPS, provides proof of presence of the security token during
+enrollment, and supports key changeover when the master key changes on the
+TKS. Tokens with older keys will get new token keys.
+
+Because of the sensitivity of the data that TKS manages, TKS should be set up
+behind the firewall with restricted access.
+
+For deployment purposes, a TKS requires the following components from the PKI
+Core package:
+
+ * pki-setup
+ * pki-native-tools
+ * pki-util
+ * pki-java-tools
+ * pki-common
+ * pki-selinux
+
+and can also make use of the following optional components from the PKI Core
+package:
+
+ * pki-util-javadoc
+ * pki-java-tools-javadoc
+ * pki-common-javadoc
+ * pki-silent
+
+Additionally, Certificate System requires ONE AND ONLY ONE of the following
+"Mutually-Exclusive" PKI Theme packages:
+
+ * dogtag-pki-theme (Dogtag Certificate System deployments)
+ * redhat-pki-theme (Red Hat Certificate System deployments)
+
+
+%prep
+
+
+%setup -q
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_TKS:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot}
+
+
+%pre
+
+
+%post
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-tksd || :
+
+
+%preun
+if [ $1 = 0 ] ; then
+ /sbin/service pki-tksd stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-tksd || :
+fi
+
+
+%postun
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-tksd condrestart >/dev/null 2>&1 || :
+fi
+
+
+%files
+%defattr(-,root,root,-)
+%doc base/tks/LICENSE
+%{_initrddir}/pki-tksd
+%{_javadir}/tks-%{version}.jar
+%{_javadir}/tks.jar
+#%{_javadir}/pki/tks-%{version}.jar
+#%{_javadir}/pki/tks/tks.jar
+%dir %{_datadir}/pki/tks
+%dir %{_datadir}/pki/tks/acl
+%{_datadir}/pki/tks/acl/*
+%dir %{_datadir}/pki/tks/conf
+%{_datadir}/pki/tks/conf/*
+%dir %{_datadir}/pki/tks/setup
+%{_datadir}/pki/tks/setup/*
+%dir %{_datadir}/pki/tks/webapps
+%{_datadir}/pki/tks/webapps/*
+%dir %{_localstatedir}/lock/pki/tks
+%dir %{_localstatedir}/run/pki/tks
+
+
+%changelog
+* Wed Dec 1 2010 Matthew Harmsen 9.0.0-1
+- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)
+
diff --git a/pki/specs/pki-tps.spec b/pki/specs/pki-tps.spec
new file mode 100644
index 000000000..c1aa2fd46
--- /dev/null
+++ b/pki/specs/pki-tps.spec
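Review bot: The `%files` list for pki-tks carries two commented-out entries, `#%{_javadir}/pki/tks-%{version}.jar` and `#%{_javadir}/pki/tks/tks.jar`; dead entries in a file manifest tend to drift from the real jar layout, so either delete them or replace both with a single `# jar lands in %{_javadir} directly; the %{_javadir}/pki layout is not used` note. The `%preun` scriptlet tests `if [ $1 = 0 ] ; then` with `$1` unquoted while `%postun` in the same file quotes it; `if [ "$1" = 0 ] ; then` makes the two scriptlets consistent. The same unquoted `$1` appears in the `%preun` of pki-tps.spec further down this diff.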
@@ -0,0 +1,225 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+
+###############################################################################
+### P A C K A G E H E A D E R ###
+###############################################################################
+
+Name: pki-tps
+Version: 9.0.0
+Release: 1%{?dist}
+Summary: Certificate System - Token Processing System
+URL: http://pki.fedoraproject.org/
+License: LGPLv2
+Group: System Environment/Daemons
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+BuildRequires: apr-devel
+BuildRequires: apr-util-devel
+BuildRequires: cyrus-sasl-devel
+BuildRequires: httpd-devel >= 2.2.3
+BuildRequires: mozldap-devel
+BuildRequires: nspr-devel >= 4.6.99
+BuildRequires: nss-devel >= 3.12.3.99
+BuildRequires: pcre-devel
+BuildRequires: svrcore-devel
+BuildRequires: zlib
+BuildRequires: zlib-devel
+
+Requires: mod_nss >= 1.0.8
+Requires: mod_perl >= 1.99_16
+Requires: mod_revocator >= 1.0.3
+Requires: mozldap >= 6.0.2
+Requires: pki-native-tools
+Requires: pki-selinux
+Requires: pki-setup
+Requires: pki-tps-theme
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+
+Source0: 
http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
+
+%global overview \
+Certificate System (CS) is an enterprise software system designed \
+to manage enterprise Public Key Infrastructure (PKI) deployments. \
+ \
+The Token Processing System (TPS) is an optional PKI subsystem that acts \
+as a Registration Authority (RA) for authenticating and processing \
+enrollment requests, PIN reset requests, and formatting requests from \
+the Enterprise Security Client (ESC). \
+ \
+TPS is designed to communicate with tokens that conform to \
+Global Platform's Open Platform Specification. \
+ \
+TPS communicates over SSL with various PKI backend subsystems (including \
+the Certificate Authority (CA), the Data Recovery Manager (DRM), and the \
+Token Key Service (TKS)) to fulfill the user's requests. \
+ \
+TPS also interacts with the token database, an LDAP server that stores \
+information about individual tokens. \
+ \
+For deployment purposes, a TPS requires the following components from the \
+PKI Core package: \
+ \
+ * pki-setup \
+ * pki-native-tools \
+ * pki-selinux \
+ \
+and can also make use of the following optional components from the \
+PKI CORE package: \
+ \
+ * pki-silent \
+ \
+Additionally, Certificate System requires ONE AND ONLY ONE of the \
+following "Mutually-Exclusive" PKI Theme packages: \
+ \
+ * dogtag-pki-theme (Dogtag Certificate System deployments) \
+ * redhat-pki-theme (Red Hat Certificate System deployments) \
+ \
+%{nil}
+
+%description %{overview}
+
+
+%package devel
+Group: Development/Libraries
+Summary: Dogtag Certificate System - Token Processing System Library Symlinks
+
+Requires: %{name} = %{version}-%{release}
+
+%description devel
+This package contains symlinks to the Certificate System (CS)
+Token Processing System (TPS) library files required to link executables.
+
+
+==================================
+|| ABOUT "CERTIFICATE SYSTEM" ||
+==================================
+${overview}
+
+
+%prep
+
+
+%setup -q -n %{name}-%{version}
+
+cat << \EOF > %{name}-prov
+#!/bin/sh
+%{__perl_provides} $* |\
+sed -e '/perl(PKI.*)/d' -e '/perl(Template.*)/d'
+EOF
+
+%global __perl_provides %{_builddir}/%{name}-%{version}/%{name}-prov
+chmod +x %{__perl_provides}
+
+cat << \EOF > %{name}-req
+#!/bin/sh
+%{__perl_requires} $* |\
+sed -e '/perl(PKI.*)/d' -e '/perl(Template.*)/d'
+EOF
+
+%global __perl_requires %{_builddir}/%{name}-%{version}/%{name}-req
+chmod +x %{__perl_requires}
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_TPS:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot} INSTALL="install -p"
+
+# This should be done in CMAKE
+cd %{buildroot}/%{_datadir}/pki/tps/docroot
+%{__ln_s} tokendb tus
+
+
+%pre
+
+
+%post
+/sbin/ldconfig
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-tpsd || :
+
+
+%preun
+if [ $1 = 0 ] ; then
+ /sbin/service pki-tpsd stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-tpsd || :
+fi
+
+
+%postun
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-tpsd condrestart >/dev/null 2>&1 || :
+fi
+
+
+%files
+%defattr(-,root,root,-)
+%doc base/tps/LICENSE
+%{_initrddir}/pki-tpsd
+%{_bindir}/tpsclient
+%{_libdir}/httpd/modules/*
+%{_libdir}/lib*
+%dir %{_datadir}/pki/tps
+%dir %{_datadir}/pki/tps/applets
+%{_datadir}/pki/tps/applets/*
+%dir %{_datadir}/pki/tps/cgi-bin
+%{_datadir}/pki/tps/cgi-bin/*
+%dir %{_datadir}/pki/tps/conf
+%{_datadir}/pki/tps/conf/*
+%dir %{_datadir}/pki/tps/docroot
+%{_datadir}/pki/tps/docroot/*
+%dir %{_datadir}/pki/tps/lib
+%{_datadir}/pki/tps/lib/*
+%dir %{_datadir}/pki/tps/samples
+%{_datadir}/pki/tps/samples/*
+%dir %{_datadir}/pki/tps/scripts
+%{_datadir}/pki/tps/scripts/*
+%dir 
%{_datadir}/pki/tps/setup
+%{_datadir}/pki/tps/setup/*
+%dir %{_localstatedir}/lock/pki/tps
+%dir %{_localstatedir}/run/pki/tps
+
+
+%files devel
+%defattr(-,root,root,-)
+%{_libdir}/libldapauth.so
+%{_libdir}/libtokendb.so
+%{_libdir}/libtps.so
+
+
+%changelog
+* Wed Dec 1 2010 Matthew Harmsen 9.0.0-1
+- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)
+
-- cgit
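Review bot: The `%description devel` text ends with `${overview}`, which rpm does not treat as a macro (only `%{...}` is expanded), so the devel package description will contain the literal characters `${overview}` instead of the overview block; the main `%description %{overview}` a few lines above shows the intended spelling. The main package's `%files` globs `%{_libdir}/lib*`, which also matches the `libldapauth.so`, `libtokendb.so` and `libtps.so` entries listed under `%files devel`, so those files would be packaged twice; `%{_libdir}/lib*.so.*` in the main package would separate them, assuming the libraries are built with a SOVERSION (the CMake files deciding that are not in this hunk). Since the main package ships shared libraries and already runs `/sbin/ldconfig` in `%post`, `%postun` should run it as well, e.g. add `/sbin/ldconfig` as the first line of `%postun`.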