From ee70d6866360c28335fb2ea61a3e7c3d1c341ae9 Mon Sep 17 00:00:00 2001 
From: mharmsen Date: Tue, 14 Dec 2010 22:23:31 +0000 Subject: Bugzilla Bug #586073 - Add new 'mod_revocator' runtime dependency to RA and TPS git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1624 c9f7a03b-bd48-0410-a16d-cbbf54688b0b --- pki/base/CMakeLists.txt | 28 +- pki/base/ca/CMakeLists.txt | 3 + pki/base/ca/shared/CMakeLists.txt | 11 - pki/base/ca/shared/conf/CMakeLists.txt | 12 + pki/base/ca/shared/conf/CS.cfg | 1070 --------------- pki/base/ca/shared/conf/CS.cfg.in | 1070 +++++++++++++++ pki/base/ca/src/CMakeLists.txt | 34 +- pki/base/console/src/CMakeLists.txt | 56 +- pki/base/kra/CMakeLists.txt | 3 + pki/base/kra/shared/conf/CMakeLists.txt | 12 + pki/base/kra/shared/conf/CS.cfg | 368 ------ pki/base/kra/shared/conf/CS.cfg.in | 368 ++++++ pki/base/kra/src/CMakeLists.txt | 79 +- pki/base/ocsp/CMakeLists.txt | 3 + pki/base/ocsp/shared/conf/CMakeLists.txt | 12 + pki/base/ocsp/shared/conf/CS.cfg | 324 ----- pki/base/ocsp/shared/conf/CS.cfg.in | 324 +++++ pki/base/ocsp/src/CMakeLists.txt | 79 +- pki/base/ra/CMakeLists.txt | 56 +- pki/base/ra/doc/CS.cfg | 256 ---- pki/base/ra/doc/CS.cfg.in | 26 +- pki/base/tks/CMakeLists.txt | 3 + pki/base/tks/shared/conf/CMakeLists.txt | 12 + pki/base/tks/shared/conf/CS.cfg | 343 ----- pki/base/tks/shared/conf/CS.cfg.in | 343 +++++ pki/base/tks/src/CMakeLists.txt | 79 +- pki/base/tps/CMakeLists.txt | 98 +- pki/base/tps/Makefile.am | 2 +- pki/base/tps/Makefile.in | 2 +- pki/base/tps/doc/CS.cfg | 1577 ----------------------- pki/base/tps/doc/CS.cfg.in | 94 +- pki/base/tps/src/CMakeLists.txt | 12 +- pki/base/tps/src/authentication/CMakeLists.txt | 6 +- pki/base/tps/src/modules/tokendb/CMakeLists.txt | 5 +- pki/base/tps/src/modules/tps/CMakeLists.txt | 7 +- pki/base/tps/src/tus/CMakeLists.txt | 4 +- pki/base/tps/tools/raclient/CMakeLists.txt | 2 +- 37 files changed, 2652 insertions(+), 4131 deletions(-) delete mode 100644 pki/base/ca/shared/CMakeLists.txt create mode 100644 pki/base/ca/shared/conf/CMakeLists.txt delete mode 
100644 pki/base/ca/shared/conf/CS.cfg create mode 100644 pki/base/ca/shared/conf/CS.cfg.in create mode 100644 pki/base/kra/shared/conf/CMakeLists.txt delete mode 100644 pki/base/kra/shared/conf/CS.cfg create mode 100644 pki/base/kra/shared/conf/CS.cfg.in create mode 100644 pki/base/ocsp/shared/conf/CMakeLists.txt delete mode 100644 pki/base/ocsp/shared/conf/CS.cfg create mode 100644 pki/base/ocsp/shared/conf/CS.cfg.in delete mode 100644 pki/base/ra/doc/CS.cfg create mode 100644 pki/base/tks/shared/conf/CMakeLists.txt delete mode 100644 pki/base/tks/shared/conf/CS.cfg create mode 100644 pki/base/tks/shared/conf/CS.cfg.in delete mode 100644 pki/base/tps/doc/CS.cfg (limited to 'pki/base') diff --git a/pki/base/CMakeLists.txt b/pki/base/CMakeLists.txt index fc96f785..9f4131d3 100644 --- a/pki/base/CMakeLists.txt +++ b/pki/base/CMakeLists.txt @@ -2,10 +2,10 @@ project(base) # The order is important! # add_subdirectory(osutil) -if (APPLICATION_FLAVOUR_OSUTIL) +if (APPLICATION_FLAVOR_OSUTIL) add_subdirectory(osutil) -endif (APPLICATION_FLAVOUR_OSUTIL) -if (APPLICATION_FLAVOUR_CORE) +endif (APPLICATION_FLAVOR_OSUTIL) +if (APPLICATION_FLAVOR_PKI_CORE) add_subdirectory(setup) add_subdirectory(symkey) add_subdirectory(native-tools) 
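Review bot: The renamed guards keep the legacy repeated-argument form `endif (APPLICATION_FLAVOR_OSUTIL)` / `endif (APPLICATION_FLAVOR_PKI_CORE)`, and every new guard in the second hunk of pki/base/CMakeLists.txt repeats the pattern; a bare `endif()` is the current convention and removes the need to keep two lines in sync on each rename like this one. The new names are also inconsistent with each other: `APPLICATION_FLAVOR_OSUTIL` has no `PKI_` segment while every other flag introduced in the second hunk is `APPLICATION_FLAVOR_PKI_*`. Where these flags are defined is not visible in this patch, so it is presumably a top-level CMakeLists.txt or the packaging that sets them; worth confirming that nothing still sets the old `APPLICATION_FLAVOUR_*` spelling, since an unset flag silently skips the whole subsystem rather than failing.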
@@ -15,15 +15,25 @@ if (APPLICATION_FLAVOUR_CORE) add_subdirectory(selinux) add_subdirectory(ca) add_subdirectory(silent) -endif (APPLICATION_FLAVOUR_CORE) -if (APPLICATION_FLAVOUR_DOGTAG) +endif (APPLICATION_FLAVOR_PKI_CORE) +if (APPLICATION_FLAVOR_PKI_KRA) add_subdirectory(kra) +endif (APPLICATION_FLAVOR_PKI_KRA) +if (APPLICATION_FLAVOR_PKI_OCSP) add_subdirectory(ocsp) +endif (APPLICATION_FLAVOR_PKI_OCSP) +if (APPLICATION_FLAVOR_PKI_RA) + add_subdirectory(ra) +endif (APPLICATION_FLAVOR_PKI_RA) +if (APPLICATION_FLAVOR_PKI_TKS) add_subdirectory(tks) +endif (APPLICATION_FLAVOR_PKI_TKS) +if (APPLICATION_FLAVOR_PKI_TPS) add_subdirectory(tps) - add_subdirectory(ra) +endif (APPLICATION_FLAVOR_PKI_TPS) +if (APPLICATION_FLAVOR_PKI_CONSOLE) add_subdirectory(console) -endif (APPLICATION_FLAVOUR_DOGTAG) -if (APPLICATION_FLAVOUR_REDHAT) +endif (APPLICATION_FLAVOR_PKI_CONSOLE) +if (APPLICATION_FLAVOR_PKI_MIGRATE) add_subdirectory(migrate) -endif (APPLICATION_FLAVOUR_REDHAT) +endif (APPLICATION_FLAVOR_PKI_MIGRATE) diff --git a/pki/base/ca/CMakeLists.txt b/pki/base/ca/CMakeLists.txt index bab50004..9ad04dad 100644 --- a/pki/base/ca/CMakeLists.txt +++ b/pki/base/ca/CMakeLists.txt @@ -2,6 +2,7 @@ project(ca Java) add_subdirectory(src) add_subdirectory(setup) +add_subdirectory(shared/conf) # install init script install( @@ -25,6 +26,8 @@ install( "CMakeLists.txt" EXCLUDE PATTERN "etc/*" EXCLUDE + PATTERN + "conf/CS.cfg.in" EXCLUDE ) # install empty directories diff --git a/pki/base/ca/shared/CMakeLists.txt b/pki/base/ca/shared/CMakeLists.txt deleted file mode 100644 index 507395ff..00000000 --- a/pki/base/ca/shared/CMakeLists.txt +++ /dev/null @@ -1,11 +0,0 @@ -# install init script -install( - FILES - etc/init.d/pki-cad - DESTINATION - ${SYSCONF_INSTALL_DIR}/init.d - PERMISSIONS - OWNER_EXECUTE OWNER_WRITE OWNER_READ - GROUP_EXECUTE GROUP_READ - WORLD_EXECUTE WORLD_READ -) 
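Review bot: The new `PATTERN "conf/CS.cfg.in" EXCLUDE` in the `install(DIRECTORY ...)` call of pki/base/ca/CMakeLists.txt carries no explanation of why the template is skipped while its rendered result is installed from the build tree; add `# CS.cfg.in is a configure_file() template; shared/conf/CMakeLists.txt installs the rendered CS.cfg` above the new lines. The `install(DIRECTORY ...)` whose argument list this hunk extends begins outside the hunk, so the directory it walks and its destination are not visible here; the existing `"CMakeLists.txt" EXCLUDE` pattern presumably also keeps the new shared/conf/CMakeLists.txt out of the installed tree, which is the desired outcome but is worth stating in the same comment.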
diff --git a/pki/base/ca/shared/conf/CMakeLists.txt b/pki/base/ca/shared/conf/CMakeLists.txt
new file mode 100644
index 00000000..e3cef591
--- /dev/null
+++ b/pki/base/ca/shared/conf/CMakeLists.txt
@@ -0,0 +1,12 @@
+set(VERSION ${APPLICATION_VERSION})
+set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR})
+set(MINOR_VERSION ${APPLICATION_VERSION_MINOR})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+ FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg
deleted file mode 100644
index 3ebd84d6..00000000
--- a/pki/base/ca/shared/conf/CS.cfg
+++ /dev/null
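Review bot: The new pki/base/ca/shared/conf/CMakeLists.txt installs the rendered file under `${PROJECT_NAME}/conf` without calling `project()` itself, so `PROJECT_NAME` is inherited from the enclosing `project(ca Java)` in pki/base/ca/CMakeLists.txt; a `# PROJECT_NAME is inherited from the parent project(ca Java); adding project() here changes the install path` comment would make that coupling explicit, especially since the diffstat shows the same file being duplicated for kra, ocsp and tks. The three `set(VERSION ...)` / `set(MAJOR_VERSION ...)` / `set(MINOR_VERSION ...)` copies presumably exist only to give CS.cfg.in shorter `@VERSION@`-style tokens; the template itself is not visible here, but if it referenced `@APPLICATION_VERSION@` and friends directly those lines could go. A short header comment should also state that `configure_file(... @ONLY)` substitutes only `@...@` tokens at build time and deliberately leaves the `[PKI_*]` instance placeholders (for example `preop.pin=[PKI_RANDOM_NUMBER]` in the removed CS.cfg) for instance creation, so nobody mistakes the installed CS.cfg for a ready-to-run instance configuration.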
@@ -1,1070 +0,0 @@ -# -#cs.state=0 (pre-operational) -#cs.state=1 (running) -# -pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] -pkicreate.pki_instance_name=[PKI_INSTANCE_ID] -pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] -pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT] -pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT] -pkicreate.ee_secure_client_auth_port=[PKI_EE_SECURE_CLIENT_AUTH_PORT] -pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT] -pkicreate.secure_port=[PKI_SECURE_PORT] -pkicreate.unsecure_port=[PKI_UNSECURE_PORT] -pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT] -pkicreate.user=[PKI_USER] -pkicreate.arg11.group=[PKI_GROUP] -pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -installDate=[INSTALL_TIME] -preop.wizard.name=CA Setup Wizard -preop.product.name=CS -preop.product.version= -preop.system.name=CA -preop.system.fullname=Certificate Authority -cs.state=0 -cs.type=CA -authType=pwd -admin.interface.uri=ca/admin/console/config/wizard -ee.interface.uri=ca/ee/ca -agent.interface.uri=ca/agent/ca -preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445 -securitydomain.flushinterval=86400000 -securitydomain.source=ldap -securitydomain.checkinterval=300000 -instanceRoot=[PKI_INSTANCE_PATH] -machineName=[PKI_MACHINE_NAME] -instanceId=[PKI_INSTANCE_ID] -service.machineName=[PKI_MACHINE_NAME] -service.instanceDir=[PKI_INSTANCE_ROOT] -service.securePort=[PKI_AGENT_SECURE_PORT] -service.non_clientauth_securePort=[PKI_EE_SECURE_PORT] -service.clientauth_securePort=[PKI_EE_SECURE_CLIENT_AUTH_PORT] -service.unsecurePort=[PKI_UNSECURE_PORT] -service.instanceID=[PKI_INSTANCE_ID] -preop.admin.name=Certificate System Administrator -preop.admin.group=Certificate Manager Agents -preop.admincert.profile=caAdminCert -preop.pin=[PKI_RANDOM_NUMBER] -ca.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing -preop.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing -preop.cert.signing.enable=true 
-preop.cert.ocsp_signing.enable=true -preop.cert.sslserver.enable=true -preop.cert.subsystem.enable=true -preop.cert.audit_signing.enable=true -preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA -preop.cert.signing.dn=CN=Certificate Authority -preop.cert.signing.cncomponent.override=true -preop.cert.signing.keysize.size=2048 -preop.cert.signing.keysize.custom_size=2048 -preop.cert.signing.nickname=caSigningCert cert-[PKI_INSTANCE_ID] -preop.cert.signing.profile=caCert.profile -preop.cert.signing.signing.required=true -preop.cert.signing.subsystem=ca -preop.cert.signing.type=selfsign -preop.cert.signing.userfriendlyname=CA Signing Certificate -preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA -preop.cert.audit_signing.dn=CN=CA Audit Signing Certificate -preop.cert.audit_signing.keysize.custom_size=2048 -preop.cert.audit_signing.keysize.size=2048 -preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID] -preop.cert.audit_signing.profile=caAuditSigningCert.profile -preop.cert.audit_signing.signing.required=false -preop.cert.audit_signing.subsystem=ca -preop.cert.audit_signing.type=local -preop.cert.audit_signing.userfriendlyname=CA Audit Signing Certificate -preop.cert.audit_signing.cncomponent.override=true -preop.cert.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA -preop.cert.ocsp_signing.dn=CN=OCSP Signing Certificate -preop.cert.ocsp_signing.keysize.custom_size=2048 -preop.cert.ocsp_signing.keysize.size=2048 -preop.cert.ocsp_signing.nickname=ocspSigningCert cert-[PKI_INSTANCE_ID] -preop.cert.ocsp_signing.profile=caOCSPCert.profile -preop.cert.ocsp_signing.signing.required=true -preop.cert.ocsp_signing.subsystem=ca -preop.cert.ocsp_signing.type=local -preop.cert.ocsp_signing.userfriendlyname=OCSP Signing Certificate -preop.cert.ocsp_signing.cncomponent.override=true -preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA -preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME] -preop.cert.sslserver.keysize.custom_size=2048 
-preop.cert.sslserver.keysize.size=2048 -preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] -preop.cert.sslserver.profile=serverCert.profile -preop.cert.sslserver.signing.required=false -preop.cert.sslserver.subsystem=ca -preop.cert.sslserver.type=local -preop.cert.sslserver.userfriendlyname=SSL Server Certificate -preop.cert.sslserver.cncomponent.override=false -preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA -preop.cert.subsystem.dn=CN=CA Subsystem Certificate -preop.cert.subsystem.keysize.custom_size=2048 -preop.cert.subsystem.keysize.size=2048 -preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -preop.cert.subsystem.profile=subsystemCert.profile -preop.cert.subsystem.signing.required=false -preop.cert.subsystem.subsystem=ca -preop.cert.subsystem.type=local -preop.cert.subsystem.userfriendlyname=Subsystem Certificate -preop.cert.subsystem.cncomponent.override=true -preop.cert.admin.defaultSigningAlgorithm=SHA256withRSA -preop.cert.admin.dn=uid=admin,cn=admin -preop.cert.admin.keysize.custom_size=2048 -preop.cert.admin.keysize.size=2048 -preop.cert.admin.profile=adminCert.profile -preop.hierarchy.profile=caCert.profile -preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module -preop.configModules.module0.commonName=NSS Internal PKCS #11 Module -preop.configModules.module0.imagePath=../img/clearpixel.gif -preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module -preop.configModules.module1.commonName=nfast -preop.configModules.module1.imagePath=../img/clearpixel.gif -preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module -preop.configModules.module2.commonName=lunasa -preop.configModules.module2.imagePath=../img/clearpixel.gif -preop.configModules.count=3 -preop.module.token=Internal Key Storage Token -preop.name.caDN=CN=Certificate Authority -preop.name.sslDN=CN=[PKI_MACHINE_NAME] -preop.name.ocspDN=CN=OCSP Signing Certificate 
-preop.name.subsystemDN=CN=CA Subsystem Certificate -preop.name.canickname=caSigningCert cert-[PKI_INSTANCE_ID] -preop.name.ocspnickname=ocspSigningCert cert-[PKI_INSTANCE_ID] -preop.name.subsystemnickname=subsystemCert cert-[PKI_INSTANCE_ID] -preop.name.sslnickname=Server-Cert cert-[PKI_INSTANCE_ID] -preop.subsystem.count=0 -subsystem.count=0 -passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf -passwordClass=com.netscape.cmsutil.password.PlainPasswordFile -CrossCertPair._000=## -CrossCertPair._001=## CrossCertPair Import -CrossCertPair._002=## -CrossCertPair.ldap=internaldb -accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator -accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator -accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator -accessEvaluator.impl.user_origreq.class=com.netscape.cms.evaluators.UserOrigReqAccessEvaluator -auths._000=## -auths._001=## new authentication -auths._002=## -auths.impl._000=## -auths.impl._001=## authentication manager implementations -auths.impl._002=## -auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication -auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth -auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth -auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll -auths.impl.SSLclientCertAuth.class=com.netscape.cms.authentication.SSLclientCertAuthentication -auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication -auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication -auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication -auths.impl.UidPwdGroupDirAuth.class=com.netscape.cms.authentication.UidPwdGroupDirAuthentication -auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication 
-auths.impl.FlatFileAuth.class=com.netscape.cms.authentication.FlatFileAuth -auths.instance.TokenAuth.pluginName=TokenAuth -auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents -auths.instance.AgentCertAuth.pluginName=AgentCertAuth -auths.instance.raCertAuth.agentGroup=Registration Manager Agents -auths.instance.raCertAuth.pluginName=AgentCertAuth -auths.instance.flatFileAuth.pluginName=FlatFileAuth -auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/flatfile.txt -auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth -auths.revocationChecking.bufferSize=50 -auths.revocationChecking.ca=ca -auths.revocationChecking.enabled=true -auths.revocationChecking.unknownStateInterval=0 -auths.revocationChecking.validityInterval=120 -authz._000=## -authz._001=## new authorizatioin -authz._002=## -authz.evaluateOrder=deny,allow -authz.sourceType=ldap -authz.impl._000=## -authz.impl._001=## authorization manager implementations -authz.impl._002=## -authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz -authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz -authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz -authz.instance.DirAclAuthz.ldap=internaldb -authz.instance.DirAclAuthz.pluginName=DirAclAuthz -authz.instance.DirAclAuthz.ldap._000=## -authz.instance.DirAclAuthz.ldap._001=## Internal Database -authz.instance.DirAclAuthz.ldap._002=## -ca.ocsp=true -ca.certdbInc=20 -ca.crldbInc=20 -ca.id=ca -ca.local=true -ca.ocspUseCache=false -ca.enableNonces=true -ca.maxNumberOfNonces=100 -ca.reqdbInc=20 -ca.transitMaxRecords=1000000 -ca.transitRecordPageSize=200 -# maxSearchReturns - limits number of search results returned by SearchReqs and SrchCerts -# ca.maxSearchReturns=1000 -ca.scep.enable=false -ca.scep.hashAlgorithm=SHA1 -ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512 -ca.scep.encryptionAlgorithm=DES3 -ca.scep.allowedEncryptionAlgorithms=DES3 -ca.scep.nonceSizeLimit=16 -ca.Policy._000=## -ca.Policy._001=## 
Certificate Policy Framework (deprecated) -ca.Policy._002=## -ca.Policy._003=## Set 'ca.Policy.enable=true' to allow the following: -ca.Policy._004=## -ca.Policy._005=## SERVLET-NAME URL-PATTERN -ca.Policy._006=## ==================================================== -ca.Policy._007=## caadminEnroll ca/admin/ca/adminEnroll.html -ca.Policy._008=## cabulkissuance ca/agent/ca/bulkissuance.html -ca.Policy._009=## cacertbasedenrollment ca/certbasedenrollment.html -ca.Policy._010=## caenrollment ca/enrollment.html -ca.Policy._011=## capolicy ca/capolicy -ca.Policy._012=## -ca.Policy.enable=false -ca.Policy.order=KeyAlgRule, RSAKeyRule, DefaultValidityRule, RenewalConstraintsRule, DefaultRenewalValidityRule, RevocationConstraintsRule, NSCertTypeExt, CMCertKeyUsageExt, RMCertKeyUsageExt, ClientCertKeyUsageExt, ServerCertKeyUsageExt, ObjSignCertKeyUsageExt, CRLSignCertKeyUsageExt, SubjectKeyIdentifierExt, CertificatePoliciesExt, NSCCommentExt, OCSPNoCheckExt, OCSPSigningExt, CODESigningExt, GenericASN1Ext, CRLDistributionPointsExt, SubjectAltNameExt, SigningAlgRule, AuthorityKeyIdentifierExt, AuthInfoAccessExt, BasicConstraintsExt, UniqueSubjectNameConstraints, NameConstraintsExt, PolicyConstraintsExt, SubCANameConstraints, PolicyMappingsExt, IssuerRule -ca.Policy.processor=classic -ca.Policy.impl._000=## -ca.Policy.impl._001=## Policy Implementations -ca.Policy.impl._002=## -ca.Policy.impl.AttributePresentConstraints.class=com.netscape.cms.policy.constraints.AttributePresentConstraints -ca.Policy.impl.AuthInfoAccessExt.class=com.netscape.cms.policy.extensions.AuthInfoAccessExt -ca.Policy.impl.AuthorityKeyIdentifierExt.class=com.netscape.cms.policy.extensions.AuthorityKeyIdentifierExt -ca.Policy.impl.BasicConstraintsExt.class=com.netscape.cms.policy.extensions.BasicConstraintsExt -ca.Policy.impl.CRLDistributionPointsExt.class=com.netscape.cms.policy.extensions.CRLDistributionPointsExt 
-ca.Policy.impl.CertificatePoliciesExt.class=com.netscape.cms.policy.extensions.CertificatePoliciesExt -ca.Policy.impl.CertificateRenewalWindowExt.class=com.netscape.cms.policy.extensions.CertificateRenewalWindowExt -ca.Policy.impl.CertificateScopeOfUseExt.class=com.netscape.cms.policy.extensions.CertificateScopeOfUseExt -ca.Policy.impl.DSAKeyConstraints.class=com.netscape.cms.policy.constraints.DSAKeyConstraints -ca.Policy.impl.ExtendedKeyUsageExt.class=com.netscape.cms.policy.extensions.ExtendedKeyUsageExt -ca.Policy.impl.GenericASN1Ext.class=com.netscape.cms.policy.extensions.GenericASN1Ext -ca.Policy.impl.IssuerAltNameExt.class=com.netscape.cms.policy.extensions.IssuerAltNameExt -ca.Policy.impl.IssuerConstraints.class=com.netscape.cms.policy.constraints.IssuerConstraints -ca.Policy.impl.KeyAlgorithmConstraints.class=com.netscape.cms.policy.constraints.KeyAlgorithmConstraints -ca.Policy.impl.KeyUsageExt.class=com.netscape.cms.policy.extensions.KeyUsageExt -ca.Policy.impl.NSCCommentExt.class=com.netscape.cms.policy.extensions.NSCCommentExt -ca.Policy.impl.NSCertTypeExt.class=com.netscape.cms.policy.extensions.NSCertTypeExt -ca.Policy.impl.NameConstraintsExt.class=com.netscape.cms.policy.extensions.NameConstraintsExt -ca.Policy.impl.OCSPNoCheckExt.class=com.netscape.cms.policy.extensions.OCSPNoCheckExt -ca.Policy.impl.PolicyConstraintsExt.class=com.netscape.cms.policy.extensions.PolicyConstraintsExt -ca.Policy.impl.PolicyMappingsExt.class=com.netscape.cms.policy.extensions.PolicyMappingsExt -ca.Policy.impl.PrivateKeyUsagePeriodExt.class=com.netscape.cms.policy.extensions.PrivateKeyUsagePeriodExt -ca.Policy.impl.RSAKeyConstraints.class=com.netscape.cms.policy.constraints.RSAKeyConstraints -ca.Policy.impl.RemoveBasicConstraintsExt.class=com.netscape.cms.policy.extensions.RemoveBasicConstraintsExt -ca.Policy.impl.RenewalConstraints.class=com.netscape.cms.policy.constraints.RenewalConstraints 
-ca.Policy.impl.RenewalValidityConstraints.class=com.netscape.cms.policy.constraints.RenewalValidityConstraints -ca.Policy.impl.RevocationConstraints.class=com.netscape.cms.policy.constraints.RevocationConstraints -ca.Policy.impl.SigningAlgorithmConstraints.class=com.netscape.cms.policy.constraints.SigningAlgorithmConstraints -ca.Policy.impl.SubCANameConstraints.class=com.netscape.cms.policy.constraints.SubCANameConstraints -ca.Policy.impl.SubjectAltNameExt.class=com.netscape.cms.policy.extensions.SubjectAltNameExt -ca.Policy.impl.SubjectDirectoryAttributesExt.class=com.netscape.cms.policy.extensions.SubjectDirectoryAttributesExt -ca.Policy.impl.SubjectKeyIdentifierExt.class=com.netscape.cms.policy.extensions.SubjectKeyIdentifierExt -ca.Policy.impl.UniqueSubjectNameConstraints.class=com.netscape.cms.policy.constraints.UniqueSubjectNameConstraints -ca.Policy.impl.ValidityConstraints.class=com.netscape.cms.policy.constraints.ValidityConstraints -ca.Policy.rule.AuthInfoAccessExt.ad0_location=http://[PKI_MACHINE_NAME]:8080/ocsp -ca.Policy.rule.AuthInfoAccessExt.ad0_location_type=URL -ca.Policy.rule.AuthInfoAccessExt.ad0_method=ocsp -ca.Policy.rule.AuthInfoAccessExt.enable=false -ca.Policy.rule.AuthInfoAccessExt.implName=AuthInfoAccessExt -ca.Policy.rule.AuthInfoAccessExt.numADs=1 -ca.Policy.rule.AuthInfoAccessExt.predicate=HTTP_PARAMS.certType==client -ca.Policy.rule.AuthorityKeyIdentifierExt.enable=true -ca.Policy.rule.AuthorityKeyIdentifierExt.implName=AuthorityKeyIdentifierExt -ca.Policy.rule.AuthorityKeyIdentifierExt.predicate= -ca.Policy.rule.BasicConstraintsExt.critical=true -ca.Policy.rule.BasicConstraintsExt.enable=true -ca.Policy.rule.BasicConstraintsExt.implName=BasicConstraintsExt -ca.Policy.rule.BasicConstraintsExt.maxPathLen= -ca.Policy.rule.BasicConstraintsExt.predicate=HTTP_PARAMS.certType == ca -ca.Policy.rule.BasicConstraintsExt.removeBasicExt=true -ca.Policy.rule.CMCertKeyUsageExt.crlSign=true -ca.Policy.rule.CMCertKeyUsageExt.dataEncipherment=false 
-ca.Policy.rule.CMCertKeyUsageExt.decipherOnly=false -ca.Policy.rule.CMCertKeyUsageExt.digitalSignature=true -ca.Policy.rule.CMCertKeyUsageExt.enable=true -ca.Policy.rule.CMCertKeyUsageExt.encipherOnly=false -ca.Policy.rule.CMCertKeyUsageExt.implName=KeyUsageExt -ca.Policy.rule.CMCertKeyUsageExt.keyAgreement=false -ca.Policy.rule.CMCertKeyUsageExt.keyCertsign=true -ca.Policy.rule.CMCertKeyUsageExt.keyEncipherment=false -ca.Policy.rule.CMCertKeyUsageExt.nonRepudiation=true -ca.Policy.rule.CMCertKeyUsageExt.predicate=HTTP_PARAMS.certType==ca -ca.Policy.rule.CODESigningExt.critical=false -ca.Policy.rule.CODESigningExt.enable=true -ca.Policy.rule.CODESigningExt.id0=1.3.6.1.5.5.7.3.3 -ca.Policy.rule.CODESigningExt.implName=ExtendedKeyUsageExt -ca.Policy.rule.CODESigningExt.predicate=HTTP_PARAMS.certType==codeSignClient -ca.Policy.rule.CRLDistributionPointsExt.enable=false -ca.Policy.rule.CRLDistributionPointsExt.implName=CRLDistributionPointsExt -ca.Policy.rule.CRLDistributionPointsExt.issuerName0= -ca.Policy.rule.CRLDistributionPointsExt.issuerName1= -ca.Policy.rule.CRLDistributionPointsExt.issuerName2= -ca.Policy.rule.CRLDistributionPointsExt.issuerType0= -ca.Policy.rule.CRLDistributionPointsExt.issuerType1= -ca.Policy.rule.CRLDistributionPointsExt.issuerType2= -ca.Policy.rule.CRLDistributionPointsExt.numPoints=0 -ca.Policy.rule.CRLDistributionPointsExt.pointName0= -ca.Policy.rule.CRLDistributionPointsExt.pointName1= -ca.Policy.rule.CRLDistributionPointsExt.pointName2= -ca.Policy.rule.CRLDistributionPointsExt.pointType0= -ca.Policy.rule.CRLDistributionPointsExt.pointType1= -ca.Policy.rule.CRLDistributionPointsExt.pointType2= -ca.Policy.rule.CRLDistributionPointsExt.predicate= -ca.Policy.rule.CRLDistributionPointsExt.reasons0= -ca.Policy.rule.CRLDistributionPointsExt.reasons1= -ca.Policy.rule.CRLDistributionPointsExt.reasons2= -ca.Policy.rule.CRLSignCertKeyUsageExt.crlSign=true -ca.Policy.rule.CRLSignCertKeyUsageExt.dataEncipherment=false 
-ca.Policy.rule.CRLSignCertKeyUsageExt.decipherOnly=false -ca.Policy.rule.CRLSignCertKeyUsageExt.digitalSignature=false -ca.Policy.rule.CRLSignCertKeyUsageExt.enable=true -ca.Policy.rule.CRLSignCertKeyUsageExt.encipherOnly=false -ca.Policy.rule.CRLSignCertKeyUsageExt.implName=KeyUsageExt -ca.Policy.rule.CRLSignCertKeyUsageExt.keyAgreement=false -ca.Policy.rule.CRLSignCertKeyUsageExt.keyCertsign=false -ca.Policy.rule.CRLSignCertKeyUsageExt.keyEncipherment=false -ca.Policy.rule.CRLSignCertKeyUsageExt.nonRepudiation=false -ca.Policy.rule.CRLSignCertKeyUsageExt.predicate=HTTP_PARAMS.certType==caCrlSigning -ca.Policy.rule.CertificatePoliciesExt.critical=false -ca.Policy.rule.CertificatePoliciesExt.enable=false -ca.Policy.rule.CertificatePoliciesExt.implName=CertificatePoliciesExt -ca.Policy.rule.CertificatePoliciesExt.numCertPolicies=1 -ca.Policy.rule.CertificatePoliciesExt.predicate= -ca.Policy.rule.CertificatePoliciesExt.certPolicy0.cpsURI= -ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefNumbers= -ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefOrganization= -ca.Policy.rule.CertificatePoliciesExt.certPolicy0.policyId= -ca.Policy.rule.CertificatePoliciesExt.certPolicy0.userNoticeExplicitText= -ca.Policy.rule.ClientCertKeyUsageExt.crlSign=false -ca.Policy.rule.ClientCertKeyUsageExt.dataEncipherment=false -ca.Policy.rule.ClientCertKeyUsageExt.decipherOnly=false -ca.Policy.rule.ClientCertKeyUsageExt.digitalSignature=true -ca.Policy.rule.ClientCertKeyUsageExt.enable=true -ca.Policy.rule.ClientCertKeyUsageExt.encipherOnly=false -ca.Policy.rule.ClientCertKeyUsageExt.implName=KeyUsageExt -ca.Policy.rule.ClientCertKeyUsageExt.keyAgreement=false -ca.Policy.rule.ClientCertKeyUsageExt.keyCertsign=false -ca.Policy.rule.ClientCertKeyUsageExt.keyEncipherment=true -ca.Policy.rule.ClientCertKeyUsageExt.nonRepudiation=true -ca.Policy.rule.ClientCertKeyUsageExt.predicate=HTTP_PARAMS.certType==client -ca.Policy.rule.DSAKeyRule.enable=true 
-ca.Policy.rule.DSAKeyRule.implName=DSAKeyConstraints -ca.Policy.rule.DSAKeyRule.maxSize=1024 -ca.Policy.rule.DSAKeyRule.minSize=512 -ca.Policy.rule.DSAKeyRule.predicate= -ca.Policy.rule.DefaultRenewalValidityRule.enable=true -ca.Policy.rule.DefaultRenewalValidityRule.implName=RenewalValidityConstraints -ca.Policy.rule.DefaultRenewalValidityRule.maxValidity=365 -ca.Policy.rule.DefaultRenewalValidityRule.minValidity=30 -ca.Policy.rule.DefaultRenewalValidityRule.predicate= -ca.Policy.rule.DefaultRenewalValidityRule.renewalInterval=15 -ca.Policy.rule.DefaultValidityRule.enable=true -ca.Policy.rule.DefaultValidityRule.implName=ValidityConstraints -ca.Policy.rule.DefaultValidityRule.maxValidity=365 -ca.Policy.rule.DefaultValidityRule.minValidity=1 -ca.Policy.rule.DefaultValidityRule.predicate= -ca.Policy.rule.GenericASN1Ext.critical=false -ca.Policy.rule.GenericASN1Ext.enable=false -ca.Policy.rule.GenericASN1Ext.implName=GenericASN1Ext -ca.Policy.rule.GenericASN1Ext.name= -ca.Policy.rule.GenericASN1Ext.oid= -ca.Policy.rule.GenericASN1Ext.pattern= -ca.Policy.rule.GenericASN1Ext.predicate= -ca.Policy.rule.GenericASN1Ext.attribute.0.source= -ca.Policy.rule.GenericASN1Ext.attribute.0.type= -ca.Policy.rule.GenericASN1Ext.attribute.0.value= -ca.Policy.rule.GenericASN1Ext.attribute.1.source= -ca.Policy.rule.GenericASN1Ext.attribute.1.type= -ca.Policy.rule.GenericASN1Ext.attribute.1.value= -ca.Policy.rule.GenericASN1Ext.attribute.2.source= -ca.Policy.rule.GenericASN1Ext.attribute.2.type= -ca.Policy.rule.GenericASN1Ext.attribute.2.value= -ca.Policy.rule.GenericASN1Ext.attribute.3.source= -ca.Policy.rule.GenericASN1Ext.attribute.3.type= -ca.Policy.rule.GenericASN1Ext.attribute.3.value= -ca.Policy.rule.GenericASN1Ext.attribute.4.source= -ca.Policy.rule.GenericASN1Ext.attribute.4.type= -ca.Policy.rule.GenericASN1Ext.attribute.4.value= -ca.Policy.rule.GenericASN1Ext.attribute.5.source= -ca.Policy.rule.GenericASN1Ext.attribute.5.type= -ca.Policy.rule.GenericASN1Ext.attribute.5.value= 
-ca.Policy.rule.GenericASN1Ext.attribute.6.source= -ca.Policy.rule.GenericASN1Ext.attribute.6.type= -ca.Policy.rule.GenericASN1Ext.attribute.6.value= -ca.Policy.rule.GenericASN1Ext.attribute.7.source= -ca.Policy.rule.GenericASN1Ext.attribute.7.type= -ca.Policy.rule.GenericASN1Ext.attribute.7.value= -ca.Policy.rule.GenericASN1Ext.attribute.8.source= -ca.Policy.rule.GenericASN1Ext.attribute.8.type= -ca.Policy.rule.GenericASN1Ext.attribute.8.value= -ca.Policy.rule.GenericASN1Ext.attribute.9.source= -ca.Policy.rule.GenericASN1Ext.attribute.9.type= -ca.Policy.rule.GenericASN1Ext.attribute.9.value= -ca.Policy.rule.IssuerRule.enable=false -ca.Policy.rule.IssuerRule.implName=IssuerConstraints -ca.Policy.rule.IssuerRule.issuerDN= -ca.Policy.rule.IssuerRule.predicate=HTTP_PARAMS.certType==client AND certauthEnroll==on -ca.Policy.rule.KeyAlgRule.algorithms=RSA,DSA -ca.Policy.rule.KeyAlgRule.enable=true -ca.Policy.rule.KeyAlgRule.implName=KeyAlgorithmConstraints -ca.Policy.rule.KeyAlgRule.predicate= -ca.Policy.rule.NSCCommentExt.commentFile= -ca.Policy.rule.NSCCommentExt.enable=false -ca.Policy.rule.NSCCommentExt.implName=NSCCommentExt -ca.Policy.rule.NSCCommentExt.inputType=Text -ca.Policy.rule.NSCCommentExt.predicate= -ca.Policy.rule.NSCertTypeExt.enable=true -ca.Policy.rule.NSCertTypeExt.implName=NSCertTypeExt -ca.Policy.rule.NSCertTypeExt.predicate=HTTP_PARAMS.certType!=CEP-Request -ca.Policy.rule.NameConstraintsExt.critical=true -ca.Policy.rule.NameConstraintsExt.enable=false -ca.Policy.rule.NameConstraintsExt.implName=NameConstraintsExt -ca.Policy.rule.NameConstraintsExt.numExcludedSubtrees=3 -ca.Policy.rule.NameConstraintsExt.numPermittedSubtrees=3 -ca.Policy.rule.NameConstraintsExt.predicate=HTTP_PARAMS.certType == ca -ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.max=-1 -ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.min=0 -ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base.generalNameChoice= 
-ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base.generalNameValue= -ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.max=-1 -ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.min=0 -ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base.generalNameChoice= -ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base.generalNameValue= -ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.max=-1 -ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.min=0 -ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base.generalNameChoice= -ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base.generalNameValue= -ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.max=-1 -ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.min=0 -ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base.generalNameChoice= -ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base.generalNameValue= -ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.max=-1 -ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.min=0 -ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base.generalNameChoice= -ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base.generalNameValue= -ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.max=-1 -ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.min=0 -ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base.generalNameChoice= -ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base.generalNameValue= -ca.Policy.rule.OCSPNoCheckExt.critical=false -ca.Policy.rule.OCSPNoCheckExt.enable=true -ca.Policy.rule.OCSPNoCheckExt.implName=OCSPNoCheckExt -ca.Policy.rule.OCSPNoCheckExt.predicate=HTTP_PARAMS.certType==ocspResponder -ca.Policy.rule.OCSPSigningExt.critical=false -ca.Policy.rule.OCSPSigningExt.enable=true -ca.Policy.rule.OCSPSigningExt.id0=1.3.6.1.5.5.7.3.9 -ca.Policy.rule.OCSPSigningExt.implName=ExtendedKeyUsageExt -ca.Policy.rule.OCSPSigningExt.predicate=HTTP_PARAMS.certType==ocspResponder 
-ca.Policy.rule.ObjSignCertKeyUsageExt.crlSign=false -ca.Policy.rule.ObjSignCertKeyUsageExt.dataEncipherment=false -ca.Policy.rule.ObjSignCertKeyUsageExt.decipherOnly=false -ca.Policy.rule.ObjSignCertKeyUsageExt.digitalSignature=true -ca.Policy.rule.ObjSignCertKeyUsageExt.enable=true -ca.Policy.rule.ObjSignCertKeyUsageExt.encipherOnly=false -ca.Policy.rule.ObjSignCertKeyUsageExt.implName=KeyUsageExt -ca.Policy.rule.ObjSignCertKeyUsageExt.keyAgreement=false -ca.Policy.rule.ObjSignCertKeyUsageExt.keyCertsign=true -ca.Policy.rule.ObjSignCertKeyUsageExt.keyEncipherment=false -ca.Policy.rule.ObjSignCertKeyUsageExt.nonRepudiation=false -ca.Policy.rule.ObjSignCertKeyUsageExt.predicate=HTTP_PARAMS.certType==objSignClient -ca.Policy.rule.PolicyConstraintsExt.critical=false -ca.Policy.rule.PolicyConstraintsExt.enable=false -ca.Policy.rule.PolicyConstraintsExt.implName=PolicyConstraintsExt -ca.Policy.rule.PolicyConstraintsExt.inhibitPolicyMapping=0 -ca.Policy.rule.PolicyConstraintsExt.predicate=HTTP_PARAMS.certType==ca -ca.Policy.rule.PolicyConstraintsExt.reqExplicitPolicy=0 -ca.Policy.rule.PolicyMappingsExt.critical=false -ca.Policy.rule.PolicyMappingsExt.enable=false -ca.Policy.rule.PolicyMappingsExt.implName=PolicyMappingsExt -ca.Policy.rule.PolicyMappingsExt.numPolicyMappings=1 -ca.Policy.rule.PolicyMappingsExt.predicate=HTTP_PARAMS.certType==ca -ca.Policy.rule.PolicyMappingsExt.policyMap0.issuerDomainPolicy= -ca.Policy.rule.PolicyMappingsExt.policyMap0.subjectDomainPolicy= -ca.Policy.rule.RMCertKeyUsageExt.crlSign=false -ca.Policy.rule.RMCertKeyUsageExt.dataEncipherment=false -ca.Policy.rule.RMCertKeyUsageExt.decipherOnly=false -ca.Policy.rule.RMCertKeyUsageExt.digitalSignature=true -ca.Policy.rule.RMCertKeyUsageExt.enable=true -ca.Policy.rule.RMCertKeyUsageExt.encipherOnly=false -ca.Policy.rule.RMCertKeyUsageExt.implName=KeyUsageExt -ca.Policy.rule.RMCertKeyUsageExt.keyAgreement=false -ca.Policy.rule.RMCertKeyUsageExt.keyCertsign=false 
-ca.Policy.rule.RMCertKeyUsageExt.keyEncipherment=false
-ca.Policy.rule.RMCertKeyUsageExt.nonRepudiation=true
-ca.Policy.rule.RMCertKeyUsageExt.predicate=HTTP_PARAMS.certType==ra
-ca.Policy.rule.RSAKeyRule.enable=false
-ca.Policy.rule.RSAKeyRule.exponents=3,7,17,65537
-ca.Policy.rule.RSAKeyRule.implName=RSAKeyConstraints
-ca.Policy.rule.RSAKeyRule.maxSize=2048
-ca.Policy.rule.RSAKeyRule.minSize=512
-ca.Policy.rule.RSAKeyRule.predicate=
-ca.Policy.rule.RenewalConstraintsRule.enable=true
-ca.Policy.rule.RenewalConstraintsRule.implName=RenewalConstraints
-ca.Policy.rule.RenewalConstraintsRule.predicate=
-ca.Policy.rule.RevocationConstraintsRule.enable=true
-ca.Policy.rule.RevocationConstraintsRule.implName=RevocationConstraints
-ca.Policy.rule.RevocationConstraintsRule.predicate=
-ca.Policy.rule.ServerCertKeyUsageExt.crlSign=false
-ca.Policy.rule.ServerCertKeyUsageExt.dataEncipherment=true
-ca.Policy.rule.ServerCertKeyUsageExt.decipherOnly=false
-ca.Policy.rule.ServerCertKeyUsageExt.digitalSignature=true
-ca.Policy.rule.ServerCertKeyUsageExt.enable=true
-ca.Policy.rule.ServerCertKeyUsageExt.encipherOnly=false
-ca.Policy.rule.ServerCertKeyUsageExt.implName=KeyUsageExt
-ca.Policy.rule.ServerCertKeyUsageExt.keyAgreement=false
-ca.Policy.rule.ServerCertKeyUsageExt.keyCertsign=false
-ca.Policy.rule.ServerCertKeyUsageExt.keyEncipherment=true
-ca.Policy.rule.ServerCertKeyUsageExt.nonRepudiation=true
-ca.Policy.rule.ServerCertKeyUsageExt.predicate=HTTP_PARAMS.certType==server
-ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
-ca.Policy.rule.SigningAlgRule.enable=true
-ca.Policy.rule.SigningAlgRule.implName=SigningAlgorithmConstraints
-ca.Policy.rule.SigningAlgRule.predicate=
-ca.Policy.rule.SubCANameConstraints.enable=true
-ca.Policy.rule.SubCANameConstraints.implName=SubCANameConstraints
-ca.Policy.rule.SubCANameConstraints.predicate=HTTP_PARAMS.certType == ca
-ca.Policy.rule.SubjectAltNameExt.enable=true
-ca.Policy.rule.SubjectAltNameExt.implName=SubjectAltNameExt
-ca.Policy.rule.SubjectAltNameExt.numGeneralNames=3
-ca.Policy.rule.SubjectAltNameExt.predicate=HTTP_PARAMS.certType!=CEP-Request
-ca.Policy.rule.SubjectAltNameExt.generalName0.generalNameChoice=rfc822Name
-ca.Policy.rule.SubjectAltNameExt.generalName0.requestAttr=AUTH_TOKEN.mail
-ca.Policy.rule.SubjectAltNameExt.generalName1.generalNameChoice=rfc822Name
-ca.Policy.rule.SubjectAltNameExt.generalName1.requestAttr=AUTH_TOKEN.mailalternateaddress
-ca.Policy.rule.SubjectAltNameExt.generalName2.generalNameChoice=rfc822Name
-ca.Policy.rule.SubjectAltNameExt.generalName2.requestAttr=HTTP_PARAMS.csrRequestorEmail
-ca.Policy.rule.SubjectKeyIdentifierExt.enable=true
-ca.Policy.rule.SubjectKeyIdentifierExt.implName=SubjectKeyIdentifierExt
-ca.Policy.rule.SubjectKeyIdentifierExt.predicate=HTTP_PARAMS.certType==ca
-ca.Policy.rule.UniqueSubjectNameConstraints.enable=false
-ca.Policy.rule.UniqueSubjectNameConstraints.implName=UniqueSubjectNameConstraints
-ca.Policy.rule.UniqueSubjectNameConstraints.predicate=
-ca.crl._000=##
-ca.crl._001=## CA CRL
-ca.crl._002=##
-ca.crl.pageSize=100
-ca.crl.MasterCRL.allowExtensions=true
-ca.crl.MasterCRL.alwaysUpdate=false
-ca.crl.MasterCRL.autoUpdateInterval=240
-ca.crl.MasterCRL.caCertsOnly=false
-ca.crl.MasterCRL.cacheUpdateInterval=15
-ca.crl.MasterCRL.class=com.netscape.ca.CRLIssuingPoint
-ca.crl.MasterCRL.dailyUpdates=1:00
-ca.crl.MasterCRL.description=CA's complete Certificate Revocation List
-ca.crl.MasterCRL.enable=true
-ca.crl.MasterCRL.enableCRLCache=true
-ca.crl.MasterCRL.enableCRLUpdates=true
-ca.crl.MasterCRL.enableCacheRecovery=true
-ca.crl.MasterCRL.enableDailyUpdates=true
-ca.crl.MasterCRL.enableUpdateInterval=true
-ca.crl.MasterCRL.extendedNextUpdate=true
-ca.crl.MasterCRL.includeExpiredCerts=false
-ca.crl.MasterCRL.minUpdateInterval=0
-ca.crl.MasterCRL.nextUpdateGracePeriod=0
-ca.crl.MasterCRL.publishOnStart=false
-ca.crl.MasterCRL.signingAlgorithm=SHA256withRSA
-ca.crl.MasterCRL.updateSchema=1
-ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocation0=
-ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocationType0=URI
-ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessMethod0=caIssuers
-ca.crl.MasterCRL.extension.AuthorityInformationAccess.class=com.netscape.cms.crl.CMSAuthInfoAccessExtension
-ca.crl.MasterCRL.extension.AuthorityInformationAccess.critical=false
-ca.crl.MasterCRL.extension.AuthorityInformationAccess.enable=false
-ca.crl.MasterCRL.extension.AuthorityInformationAccess.numberOfAccessDescriptions=1
-ca.crl.MasterCRL.extension.AuthorityInformationAccess.type=CRLExtension
-ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.class=com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension
-ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.critical=false
-ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable=false
-ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.type=CRLExtension
-ca.crl.MasterCRL.extension.CRLNumber.class=com.netscape.cms.crl.CMSCRLNumberExtension
-ca.crl.MasterCRL.extension.CRLNumber.critical=false
-ca.crl.MasterCRL.extension.CRLNumber.enable=true
-ca.crl.MasterCRL.extension.CRLNumber.type=CRLExtension
-ca.crl.MasterCRL.extension.CRLReason.class=com.netscape.cms.crl.CMSCRLReasonExtension
-ca.crl.MasterCRL.extension.CRLReason.critical=false
-ca.crl.MasterCRL.extension.CRLReason.enable=true
-ca.crl.MasterCRL.extension.CRLReason.type=CRLEntryExtension
-ca.crl.MasterCRL.extension.DeltaCRLIndicator.class=com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension
-ca.crl.MasterCRL.extension.DeltaCRLIndicator.critical=true
-ca.crl.MasterCRL.extension.DeltaCRLIndicator.enable=false
-ca.crl.MasterCRL.extension.DeltaCRLIndicator.type=CRLExtension
-ca.crl.MasterCRL.extension.FreshestCRL.class=com.netscape.cms.crl.CMSFreshestCRLExtension
-ca.crl.MasterCRL.extension.FreshestCRL.critical=false
-ca.crl.MasterCRL.extension.FreshestCRL.enable=false
-ca.crl.MasterCRL.extension.FreshestCRL.numPoints=0
-ca.crl.MasterCRL.extension.FreshestCRL.pointName0=
-ca.crl.MasterCRL.extension.FreshestCRL.pointType0=
-ca.crl.MasterCRL.extension.FreshestCRL.type=CRLExtension
-ca.crl.MasterCRL.extension.InvalidityDate.class=com.netscape.cms.crl.CMSInvalidityDateExtension
-ca.crl.MasterCRL.extension.InvalidityDate.critical=false
-ca.crl.MasterCRL.extension.InvalidityDate.enable=true
-ca.crl.MasterCRL.extension.InvalidityDate.type=CRLEntryExtension
-ca.crl.MasterCRL.extension.IssuerAlternativeName.class=com.netscape.cms.crl.CMSIssuerAlternativeNameExtension
-ca.crl.MasterCRL.extension.IssuerAlternativeName.critical=false
-ca.crl.MasterCRL.extension.IssuerAlternativeName.enable=false
-ca.crl.MasterCRL.extension.IssuerAlternativeName.name0=
-ca.crl.MasterCRL.extension.IssuerAlternativeName.nameType0=
-ca.crl.MasterCRL.extension.IssuerAlternativeName.numNames=0
-ca.crl.MasterCRL.extension.IssuerAlternativeName.type=CRLExtension
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.class=com.netscape.cms.crl.CMSIssuingDistributionPointExtension
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.critical=true
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.enable=false
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.indirectCRL=false
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsCACerts=false
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsUserCerts=false
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlySomeReasons=
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointName=
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointType=
-ca.crl.MasterCRL.extension.IssuingDistributionPoint.type=CRLExtension
-ca.notification.certIssued.emailSubject=Your Certificate Request
-ca.notification.certIssued.emailTemplate=[PKI_INSTANCE_PATH]/emails/certIssued_CA.html
-ca.notification.certIssued.enabled=false
-ca.notification.certIssued.senderEmail=
-ca.notification.certRevoked.emailSubject=Your Certificate Revoked
-ca.notification.certRevoked.emailTemplate=[PKI_INSTANCE_PATH]/emails/certRevoked_CA.html
-ca.notification.certRevoked.enabled=false
-ca.notification.certRevoked.senderEmail=
-ca.notification.requestInQ.emailSubject=Certificate Request in Queue
-ca.notification.requestInQ.emailTemplate=[PKI_INSTANCE_PATH]/emails/reqInQueue_CA.html
-ca.notification.requestInQ.enabled=false
-ca.notification.requestInQ.recipientEmail=
-ca.notification.requestInQ.senderEmail=
-ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
-ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
-ca.ocsp_signing.tokenname=internal
-ca.publish.createOwnDNEntry=false
-ca.publish.queue.enable=true
-ca.publish.queue.maxNumberOfThreads=3
-ca.publish.queue.pageSize=40
-ca.publish.queue.priorityLevel=0
-ca.publish.mapper.impl.LdapCaSimpleMap.class=com.netscape.cms.publish.mappers.LdapCaSimpleMap
-ca.publish.mapper.impl.LdapDNCompsMap.class=com.netscape.cms.publish.mappers.LdapCertCompsMap
-ca.publish.mapper.impl.LdapDNExactMap.class=com.netscape.cms.publish.mappers.LdapCertExactMap
-ca.publish.mapper.impl.LdapEnhancedMap.class=com.netscape.cms.publish.mappers.LdapEnhancedMap
-ca.publish.mapper.impl.LdapSimpleMap.class=com.netscape.cms.publish.mappers.LdapSimpleMap
-ca.publish.mapper.impl.LdapSubjAttrMap.class=com.netscape.cms.publish.mappers.LdapCertSubjMap
-ca.publish.mapper.impl.NoMap.class=com.netscape.cms.publish.mappers.NoMap
-ca.publish.mapper.instance.LdapCaCertMap.createCAEntry=true
-ca.publish.mapper.instance.LdapCaCertMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
-ca.publish.mapper.instance.LdapCaCertMap.pluginName=LdapCaSimpleMap
-ca.publish.mapper.instance.LdapCrlMap.createCAEntry=true
-ca.publish.mapper.instance.LdapCrlMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
-ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapCaSimpleMap
-ca.publish.mapper.instance.LdapUserCertMap.dnPattern=UID=$subj.UID,OU=people,O=$subj.o
-ca.publish.mapper.instance.LdapUserCertMap.pluginName=LdapSimpleMap
-ca.publish.mapper.instance.NoMap.pluginName=NoMap
-ca.publish.publisher.impl.FileBasedPublisher.class=com.netscape.cms.publish.publishers.FileBasedPublisher
-ca.publish.publisher.impl.LdapCaCertPublisher.class=com.netscape.cms.publish.publishers.LdapCaCertPublisher
-ca.publish.publisher.impl.LdapCertificatePairPublisher.class=com.netscape.cms.publish.publishers.LdapCertificatePairPublisher
-ca.publish.publisher.impl.LdapCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
-ca.publish.publisher.impl.LdapDeltaCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
-ca.publish.publisher.impl.LdapUserCertPublisher.class=com.netscape.cms.publish.publishers.LdapUserCertPublisher
-ca.publish.publisher.impl.OCSPPublisher.class=com.netscape.cms.publish.publishers.OCSPPublisher
-ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr=caCertificate;binary
-ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass=certificationAuthority
-ca.publish.publisher.instance.LdapCaCertPublisher.pluginName=LdapCaCertPublisher
-ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=certificateRevocationList;binary
-ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher
-ca.publish.publisher.instance.LdapCrossCertPairPublisher.caObjectClass=certificationAuthority
-ca.publish.publisher.instance.LdapCrossCertPairPublisher.crossCertPairAttr=crossCertificatePair;binary
-ca.publish.publisher.instance.LdapCrossCertPairPublisher.pluginName=LdapCertificatePairPublisher
-ca.publish.publisher.instance.LdapDeltaCrlPublisher.crlAttr=deltaRevocationList;binary
-ca.publish.publisher.instance.LdapDeltaCrlPublisher.pluginName=LdapDeltaCrlPublisher
-ca.publish.publisher.instance.LdapUserCertPublisher.certAttr=userCertificate;binary
-ca.publish.publisher.instance.LdapUserCertPublisher.pluginName=LdapUserCertPublisher
-ca.publish.rule.impl.Rule.class=com.netscape.cmscore.ldap.LdapRule
-ca.publish.rule.instance.LdapCaCertRule.enable=false
-ca.publish.rule.instance.LdapCaCertRule.mapper=LdapCaCertMap
-ca.publish.rule.instance.LdapCaCertRule.pluginName=Rule
-ca.publish.rule.instance.LdapCaCertRule.predicate=
-ca.publish.rule.instance.LdapCaCertRule.publisher=LdapCaCertPublisher
-ca.publish.rule.instance.LdapCaCertRule.type=cacert
-ca.publish.rule.instance.LdapCrlRule.enable=false
-ca.publish.rule.instance.LdapCrlRule.mapper=LdapCrlMap
-ca.publish.rule.instance.LdapCrlRule.pluginName=Rule
-ca.publish.rule.instance.LdapCrlRule.predicate=
-ca.publish.rule.instance.LdapCrlRule.publisher=LdapCrlPublisher
-ca.publish.rule.instance.LdapCrlRule.type=crl
-ca.publish.rule.instance.LdapUserCertRule.enable=false
-ca.publish.rule.instance.LdapUserCertRule.mapper=LdapUserCertMap
-ca.publish.rule.instance.LdapUserCertRule.pluginName=Rule
-ca.publish.rule.instance.LdapUserCertRule.predicate=
-ca.publish.rule.instance.LdapUserCertRule.publisher=LdapUserCertPublisher
-ca.publish.rule.instance.LdapUserCertRule.type=certs
-ca.publish.rule.instance.LdapXCertRule.enable=false
-ca.publish.rule.instance.LdapXCertRule.mapper=LdapCaCertMap
-ca.publish.rule.instance.LdapXCertRule.pluginName=Rule
-ca.publish.rule.instance.LdapXCertRule.predicate=
-ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher
-ca.publish.rule.instance.LdapXCertRule.type=xcert
-cmc.cert.confirmRequired=false
-cmc.lraPopWitness.verify.allow=true
-cmc.revokeCert.verify=true
-cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
-cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
-cms.passwordlist=internaldb,replicationdb
-cms.password.ignore.publishing.failure=true
-cms.version=
-cmsgateway._000=##
-cmsgateway._001=## In the event that all Admin Certificates have been lost
-cmsgateway._002=## for a given instance, perform the following steps to
-cmsgateway._003=## re-enroll for a new Admin Certificate:
-cmsgateway._004=##
-cmsgateway._005=## (1) Become 'root'
-cmsgateway._006=## (2) Type: 'service [PKI_INSTANCE_ID] stop'
-cmsgateway._007=## (3) Edit '[PKI_INSTANCE_ROOT]/[PKI_INSTANCE_ID]/conf/CS.cfg'
-cmsgateway._008=## and set the following name-value pairs (if necessary):
-cmsgateway._009=##
-cmsgateway._010=## ca.Policy.enable=true
-cmsgateway._011=## cmsgateway.enableAdminEnroll=true
-cmsgateway._012=##
-cmsgateway._013=## (4) Type: 'service [PKI_INSTANCE_ID] start'
-cmsgateway._014=## (5) Launch a browser and re-enroll for
-cmsgateway._015=## a new Admin Certificate by typing:
-cmsgateway._016=##
-cmsgateway._017=## https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ca/admin/ca/adminEnroll.html
-cmsgateway._018=##
-cmsgateway._019=## (6) Verify that the browser contains the new
-cmsgateway._020=## Admin Certificate by successfully navigating to:
-cmsgateway._021=##
-cmsgateway._022=## https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/ca/agent/ca/
-cmsgateway._023=##
-cmsgateway._024=## (7) Optionally, disable the Certificate Policies Framework
-cmsgateway._025=## by following steps (1) - (4), but ONLY resetting
-cmsgateway._026=## 'ca.Policy.enable=false', as
-cmsgateway._027=## 'cmsgateway.enableAdminEnroll=false' should have
-cmsgateway._028=## already been reset.
-cmsgateway._029=##
-cmsgateway.enableAdminEnroll=false
-https.port=8443
-http.port=8080
-dbs.enableSerialManagement=false
-dbs.beginRequestNumber=1
-dbs.endRequestNumber=10000000
-dbs.requestIncrement=10000000
-dbs.requestLowWaterMark=2000000
-dbs.requestCloneTransferNumber=10000
-dbs.requestDN=ou=ca, ou=requests
-dbs.requestRangeDN=ou=requests, ou=ranges
-dbs.beginSerialNumber=1
-dbs.endSerialNumber=10000000
-dbs.serialIncrement=10000000
-dbs.serialLowWaterMark=2000000
-dbs.serialCloneTransferNumber=10000
-dbs.serialDN=ou=certificateRepository, ou=ca
-dbs.serialRangeDN=ou=certificateRepository, ou=ranges
-dbs.beginReplicaNumber=1
-dbs.endReplicaNumber=100
-dbs.replicaIncrement=100
-dbs.replicaLowWaterMark=20
-dbs.replicaCloneTransferNumber=5
-dbs.replicaDN=ou=replica
-dbs.replicaRangeDN=ou=replica, ou=ranges
-dbs.ldap=internaldb
-dbs.newSchemaEntryAdded=true
-debug.append=true
-debug.enabled=true
-debug.filename=[PKI_INSTANCE_PATH]/logs/debug
-debug.hashkeytypes=
-debug.level=0
-debug.showcaller=false
-keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
-keys.ecc.curve.default=nistp521
-keys.rsa.keysize.default=2048
-internaldb._000=##
-internaldb._001=## Internal Database
-internaldb._002=##
-internaldb.basedn=
-internaldb.maxConns=15
-internaldb.minConns=3
-internaldb.ldapauth.authtype=BasicAuth
-internaldb.ldapauth.bindDN=cn=Directory Manager
-internaldb.ldapauth.bindPWPrompt=Internal LDAP Database
-internaldb.ldapauth.clientCertNickname=
-internaldb.ldapconn.host=
-internaldb.ldapconn.port=
-internaldb.ldapconn.secureConn=false
-preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/schema.ldif
-preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/database.ldif
-preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/acl.ldif
-preop.internaldb.index_ldif=
-preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/index.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlvtasks.ldif
-preop.internaldb.wait_dn=cn=index1160589769, cn=index, cn=tasks, cn=config
-internaldb.multipleSuffix.enable=false
-jobsScheduler._000=##
-jobsScheduler._001=## jobScheduler
-jobsScheduler._002=##
-jobsScheduler.enabled=false
-jobsScheduler.interval=1
-jobsScheduler.impl.PublishCertsJob.class=com.netscape.cms.jobs.PublishCertsJob
-jobsScheduler.impl.RenewalNotificationJob.class=com.netscape.cms.jobs.RenewalNotificationJob
-jobsScheduler.impl.RequestInQueueJob.class=com.netscape.cms.jobs.RequestInQueueJob
-jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.cms.jobs.UnpublishExpiredJob
-jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5
-jobsScheduler.job.certRenewalNotifier.emailSubject=Certificate Renewal Notification
-jobsScheduler.job.certRenewalNotifier.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1.txt
-jobsScheduler.job.certRenewalNotifier.enabled=false
-jobsScheduler.job.certRenewalNotifier.notifyEndOffset=30
-jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=30
-jobsScheduler.job.certRenewalNotifier.pluginName=RenewalNotificationJob
-jobsScheduler.job.certRenewalNotifier.senderEmail=
-jobsScheduler.job.certRenewalNotifier.summary.emailSubject=Certificate Renewal Notification Summary
-jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Summary.txt
-jobsScheduler.job.certRenewalNotifier.summary.enabled=true
-jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Item.txt
-jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=
-jobsScheduler.job.certRenewalNotifier.summary.senderEmail=
-jobsScheduler.job.publishCerts.cron=0 0 * * 2
-jobsScheduler.job.publishCerts.enabled=false
-jobsScheduler.job.publishCerts.pluginName=PublishCertsJob
-jobsScheduler.job.publishCerts.summary.emailSubject=Certs Publishing Summary
-jobsScheduler.job.publishCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/publishCerts.html
-jobsScheduler.job.publishCerts.summary.enabled=true
-jobsScheduler.job.publishCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/publishCertsItem.html
-jobsScheduler.job.publishCerts.summary.recipientEmail=
-jobsScheduler.job.publishCerts.summary.senderEmail=
-jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0
-jobsScheduler.job.requestInQueueNotifier.enabled=false
-jobsScheduler.job.requestInQueueNotifier.pluginName=RequestInQueueJob
-jobsScheduler.job.requestInQueueNotifier.subsystemId=ca
-jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report
-jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/riq1Summary.html
-jobsScheduler.job.requestInQueueNotifier.summary.enabled=true
-jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=
-jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=
-jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
-jobsScheduler.job.unpublishExpiredCerts.enabled=false
-jobsScheduler.job.unpublishExpiredCerts.pluginName=UnpublishExpiredJob
-jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=Expired Certs Unpublished Summary
-jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/euJob1.html
-jobsScheduler.job.unpublishExpiredCerts.summary.enabled=true
-jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/euJob1Item.html
-jobsScheduler.job.unpublishExpiredCerts.summary.recipientEmail=
-jobsScheduler.job.unpublishExpiredCerts.summary.senderEmail=
-jss._000=##
-jss._001=## JSS
-jss._002=##
-jss.configDir=[PKI_INSTANCE_PATH]/alias/
-jss.enable=true
-jss.secmodName=secmod.db
-jss.ocspcheck.enable=false
-jss.ssl.cipherfortezza=true
-jss.ssl.cipherpref=
-jss.ssl.cipherversion=cipherdomestic
-log._000=##
-log._001=## Logging
-log._002=##
-log.impl.file.class=com.netscape.cms.logging.RollingLogFile
-log.instance.SignedAudit._000=##
-log.instance.SignedAudit._001=## Signed Audit Logging
-log.instance.SignedAudit._002=##
-log.instance.SignedAudit.bufferSize=512
-log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events._000=##
-log.instance.SignedAudit.events._001=## Available Audit events:
-log.instance.SignedAudit.events._002=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
-log.instance.SignedAudit.events._003=##
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
-log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ca_audit
-log.instance.SignedAudit.flushInterval=5
-log.instance.SignedAudit.level=1
-log.instance.SignedAudit.logSigning=false
-log.instance.SignedAudit.maxFileSize=2000
-log.instance.SignedAudit.pluginName=file
-log.instance.SignedAudit.rolloverInterval=2592000
-log.instance.SignedAudit.signedAudit=_002=##
-log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
-log.instance.SignedAudit.type=signedAudit
-log.instance.System._000=##
-log.instance.System._001=## System Logging
-log.instance.System._002=##
-log.instance.System.bufferSize=512
-log.instance.System.enable=true
-log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
-log.instance.System.flushInterval=5
-log.instance.System.level=3
-log.instance.System.maxFileSize=2000
-log.instance.System.pluginName=file
-log.instance.System.rolloverInterval=2592000
-log.instance.System.type=system
-log.instance.Transactions._000=##
-log.instance.Transactions._001=## Transaction Logging
-log.instance.Transactions._002=##
-log.instance.Transactions.bufferSize=512
-log.instance.Transactions.enable=true
-log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
-log.instance.Transactions.flushInterval=5
-log.instance.Transactions.level=1
-log.instance.Transactions.maxFileSize=2000
-log.instance.Transactions.pluginName=file
-log.instance.Transactions.rolloverInterval=2592000
-log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/error
-oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
-oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
-oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
-oidmap.challenge_password.oid=1.2.840.113549.1.9.7
-oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension
-oidmap.extended_key_usage.oid=2.5.29.37
-oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
-oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14
-oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
-oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8
-oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension
-oidmap.netscape_comment.oid=2.16.840.1.113730.1.13
-oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension
-oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5
-oidmap.pse.class=netscape.security.extensions.PresenceServerExtension
-oidmap.pse.oid=2.16.840.1.113730.1.18
-oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
-oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
-os.userid=nobody
-profile.list=caUserCert,caUserSMIMEcapCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caJarSigningCert,caIPAserviceCert
-profile.caUUIDdeviceCert.class_id=caEnrollImpl
-profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUUIDdeviceCert.cfg
-profile.caManualRenewal.class_id=caEnrollImpl
-profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caManualRenewal.cfg
-profile.caDirUserRenewal.class_id=caEnrollImpl
-profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserRenewal.cfg
-profile.caSSLClientSelfRenewal.class_id=caEnrollImpl
-profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caSSLClientSelfRenewal.cfg
-profile.DomainController.class_id=caEnrollImpl
-profile.DomainController.config=[PKI_INSTANCE_PATH]/profiles/ca/DomainController.cfg
-profile.caAgentFileSigning.class_id=caEnrollImpl
-profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentFileSigning.cfg
-profile.caAgentServerCert.class_id=caEnrollImpl
-profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentServerCert.cfg
-profile.caRAserverCert.class_id=caEnrollImpl
-profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAserverCert.cfg
-profile.caCACert.class_id=caEnrollImpl
-profile.caCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCACert.cfg
-profile.caInstallCACert.class_id=caEnrollImpl
-profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInstallCACert.cfg
-profile.caCMCUserCert.class_id=caEnrollImpl
-profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCMCUserCert.cfg
-profile.caDirUserCert.class_id=caEnrollImpl
-profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserCert.cfg
-profile.caDualCert.class_id=caEnrollImpl
-profile.caDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualCert.cfg
-profile.caDualRAuserCert.class_id=caEnrollImpl
-profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualRAuserCert.cfg
-profile.caRAagentCert.class_id=caEnrollImpl
-profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAagentCert.cfg
-profile.caFullCMCUserCert.class_id=caEnrollImpl
-profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caFullCMCUserCert.cfg
-profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
-profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthOCSPCert.cfg
-profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
-profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthAuditSigningCert.cfg
-profile.caInternalAuthServerCert.class_id=caEnrollImpl
-profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthServerCert.cfg
-profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl
-profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthSubsystemCert.cfg
-profile.caInternalAuthDRMstorageCert.class_id=caEnrollImpl
-profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthDRMstorageCert.cfg
-profile.caInternalAuthTransportCert.class_id=caEnrollImpl
-profile.caInternalAuthTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthTransportCert.cfg
-profile.caOCSPCert.class_id=caEnrollImpl
-profile.caOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOCSPCert.cfg
-profile.caOtherCert.class_id=caEnrollImpl
-profile.caOtherCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOtherCert.cfg
-profile.caRACert.class_id=caEnrollImpl
-profile.caRACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRACert.cfg
-profile.caRARouterCert.class_id=caEnrollImpl
-profile.caRARouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRARouterCert.cfg
-profile.caRouterCert.class_id=caEnrollImpl
-profile.caRouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRouterCert.cfg
-profile.caServerCert.class_id=caEnrollImpl
-profile.caServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caServerCert.cfg
-profile.caSignedLogCert.class_id=caEnrollImpl
-profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSignedLogCert.cfg
-profile.caSimpleCMCUserCert.class_id=caEnrollImpl
-profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSimpleCMCUserCert.cfg
-profile.caTPSCert.class_id=caEnrollImpl
-profile.caTPSCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTPSCert.cfg
-profile.caAdminCert.class_id=caEnrollImpl
-profile.caAdminCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAdminCert.cfg
-profile.caTempTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl -profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg -profile.caTempTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl -profile.caTempTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg -profile.caTokenUserEncryptionKeyRenewal.class_id=caUserCertEnrollImpl -profile.caTokenUserEncryptionKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg -profile.caTempTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl -profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg -profile.caTokenUserSigningKeyRenewal.class_id=caUserCertEnrollImpl -profile.caTokenUserSigningKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyRenewal.cfg -profile.caTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl -profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenDeviceKeyEnrollment.cfg -profile.caTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl -profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg -profile.caTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl -profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyEnrollment.cfg -profile.caTokenMSLoginEnrollment.class_id=caUserCertEnrollImpl -profile.caTokenMSLoginEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenMSLoginEnrollment.cfg -profile.caTransportCert.class_id=caEnrollImpl -profile.caTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTransportCert.cfg -profile.caUserCert.class_id=caEnrollImpl -profile.caUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserCert.cfg -profile.caUserSMIMEcapCert.class_id=caEnrollImpl 
-profile.caUserSMIMEcapCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserSMIMEcapCert.cfg -profile.caJarSigningCert.class_id=caEnrollImpl -profile.caJarSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caJarSigningCert.cfg -profile.caIPAserviceCert.class_id=caEnrollImpl -profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caIPAserviceCert.cfg -registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg -request.assignee.enable=true -selftests._000=## -selftests._001=## Self Tests -selftests._002=## -selftests._003=## The Self-Test plugin SystemCertsVerification uses the -selftests._004=## following parameters (where certusage is optional): -selftests._005=## ca.cert.list = -selftests._006=## ca.cert..nickname -selftests._007=## ca.cert..certusage -selftests._008=## -selftests.container.instance.CAPresence=com.netscape.cms.selftests.ca.CAPresence -selftests.container.instance.CAValidity=com.netscape.cms.selftests.ca.CAValidity -selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification -selftests.container.logger.bufferSize=512 -selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile -selftests.container.logger.enable=true -selftests.container.logger.expirationTime=0 -selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log -selftests.container.logger.flushInterval=5 -selftests.container.logger.level=1 -selftests.container.logger.maxFileSize=2000 -selftests.container.logger.register=false -selftests.container.logger.rolloverInterval=2592000 -selftests.container.logger.type=transaction -selftests.container.order.onDemand=CAPresence:critical, SystemCertsVerification:critical, CAValidity:critical -selftests.container.order.startup=CAPresence:critical, SystemCertsVerification:critical -selftests.plugin.CAPresence.CaSubId=ca -selftests.plugin.CAValidity.CaSubId=ca -selftests.plugin.SystemCertsVerification.SubId=ca -smtp.host=localhost -smtp.port=25 
-subsystem.0.class=com.netscape.ca.CertificateAuthority -subsystem.0.id=ca -subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem -subsystem.1.id=profile -subsystem.2.class=com.netscape.cmscore.selftests.SelfTestSubsystem -subsystem.2.id=selftests -subsystem.3.class=com.netscape.cmscore.cert.CrossCertPairSubsystem -subsystem.3.id=CrossCertPair -subsystem.4.class=com.netscape.cmscore.util.StatsSubsystem -subsystem.4.id=stats -usrgrp._000=## -usrgrp._001=## User/Group -usrgrp._002=## -usrgrp.ldap=internaldb -multiroles._000=## -multiroles._001=## multiroles -multiroles._002=## -multiroles.enable=true -multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group diff --git a/pki/base/ca/shared/conf/CS.cfg.in b/pki/base/ca/shared/conf/CS.cfg.in new file mode 100644 index 00000000..e9b265f7 --- /dev/null +++ b/pki/base/ca/shared/conf/CS.cfg.in 
@@ -0,0 +1,1070 @@
+#
+#cs.state=0 (pre-operational)
+#cs.state=1 (running)
+#
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
+pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT]
+pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT]
+pkicreate.ee_secure_client_auth_port=[PKI_EE_SECURE_CLIENT_AUTH_PORT]
+pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT]
+pkicreate.secure_port=[PKI_SECURE_PORT]
+pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
+pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT]
+pkicreate.user=[PKI_USER]
+pkicreate.arg11.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
+installDate=[INSTALL_TIME]
+preop.wizard.name=CA Setup Wizard
+preop.product.name=CS
+preop.product.version=@VERSION@
+preop.system.name=CA
+preop.system.fullname=Certificate Authority
+cs.state=0
+cs.type=CA
+authType=pwd
+admin.interface.uri=ca/admin/console/config/wizard
+ee.interface.uri=ca/ee/ca
+agent.interface.uri=ca/agent/ca
+preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445
+securitydomain.flushinterval=86400000
+securitydomain.source=ldap
+securitydomain.checkinterval=300000
+instanceRoot=[PKI_INSTANCE_PATH]
+machineName=[PKI_MACHINE_NAME]
+instanceId=[PKI_INSTANCE_ID]
+service.machineName=[PKI_MACHINE_NAME]
+service.instanceDir=[PKI_INSTANCE_ROOT]
+service.securePort=[PKI_AGENT_SECURE_PORT]
+service.non_clientauth_securePort=[PKI_EE_SECURE_PORT]
+service.clientauth_securePort=[PKI_EE_SECURE_CLIENT_AUTH_PORT]
+service.unsecurePort=[PKI_UNSECURE_PORT]
+service.instanceID=[PKI_INSTANCE_ID]
+preop.admin.name=Certificate System Administrator
+preop.admin.group=Certificate Manager Agents
+preop.admincert.profile=caAdminCert
+preop.pin=[PKI_RANDOM_NUMBER]
+ca.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
+preop.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
+preop.cert.signing.enable=true
+preop.cert.ocsp_signing.enable=true
+preop.cert.sslserver.enable=true
+preop.cert.subsystem.enable=true
+preop.cert.audit_signing.enable=true
+preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.signing.dn=CN=Certificate Authority
+preop.cert.signing.cncomponent.override=true
+preop.cert.signing.keysize.size=2048
+preop.cert.signing.keysize.custom_size=2048
+preop.cert.signing.nickname=caSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.signing.profile=caCert.profile
+preop.cert.signing.signing.required=true
+preop.cert.signing.subsystem=ca
+preop.cert.signing.type=selfsign
+preop.cert.signing.userfriendlyname=CA Signing Certificate
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.audit_signing.dn=CN=CA Audit Signing Certificate
+preop.cert.audit_signing.keysize.custom_size=2048
+preop.cert.audit_signing.keysize.size=2048
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.audit_signing.profile=caAuditSigningCert.profile
+preop.cert.audit_signing.signing.required=false
+preop.cert.audit_signing.subsystem=ca
+preop.cert.audit_signing.type=local
+preop.cert.audit_signing.userfriendlyname=CA Audit Signing Certificate
+preop.cert.audit_signing.cncomponent.override=true
+preop.cert.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.ocsp_signing.dn=CN=OCSP Signing Certificate
+preop.cert.ocsp_signing.keysize.custom_size=2048
+preop.cert.ocsp_signing.keysize.size=2048
+preop.cert.ocsp_signing.nickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.ocsp_signing.profile=caOCSPCert.profile
+preop.cert.ocsp_signing.signing.required=true
+preop.cert.ocsp_signing.subsystem=ca
+preop.cert.ocsp_signing.type=local
+preop.cert.ocsp_signing.userfriendlyname=OCSP Signing Certificate
+preop.cert.ocsp_signing.cncomponent.override=true
+preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME]
+preop.cert.sslserver.keysize.custom_size=2048
+preop.cert.sslserver.keysize.size=2048
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
+preop.cert.sslserver.profile=serverCert.profile
+preop.cert.sslserver.signing.required=false
+preop.cert.sslserver.subsystem=ca
+preop.cert.sslserver.type=local
+preop.cert.sslserver.userfriendlyname=SSL Server Certificate
+preop.cert.sslserver.cncomponent.override=false
+preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.subsystem.dn=CN=CA Subsystem Certificate
+preop.cert.subsystem.keysize.custom_size=2048
+preop.cert.subsystem.keysize.size=2048
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
+preop.cert.subsystem.profile=subsystemCert.profile
+preop.cert.subsystem.signing.required=false
+preop.cert.subsystem.subsystem=ca
+preop.cert.subsystem.type=local
+preop.cert.subsystem.userfriendlyname=Subsystem Certificate
+preop.cert.subsystem.cncomponent.override=true
+preop.cert.admin.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.admin.dn=uid=admin,cn=admin
+preop.cert.admin.keysize.custom_size=2048
+preop.cert.admin.keysize.size=2048
+preop.cert.admin.profile=adminCert.profile
+preop.hierarchy.profile=caCert.profile
+preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
+preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
+preop.configModules.module0.imagePath=../img/clearpixel.gif
+preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
+preop.configModules.module1.commonName=nfast
+preop.configModules.module1.imagePath=../img/clearpixel.gif
+preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
+preop.configModules.module2.commonName=lunasa
+preop.configModules.module2.imagePath=../img/clearpixel.gif
+preop.configModules.count=3
+preop.module.token=Internal Key Storage Token
+preop.name.caDN=CN=Certificate Authority
+preop.name.sslDN=CN=[PKI_MACHINE_NAME]
+preop.name.ocspDN=CN=OCSP Signing Certificate
+preop.name.subsystemDN=CN=CA Subsystem Certificate
+preop.name.canickname=caSigningCert cert-[PKI_INSTANCE_ID]
+preop.name.ocspnickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
+preop.name.subsystemnickname=subsystemCert cert-[PKI_INSTANCE_ID]
+preop.name.sslnickname=Server-Cert cert-[PKI_INSTANCE_ID]
+preop.subsystem.count=0
+subsystem.count=0
+passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf
+passwordClass=com.netscape.cmsutil.password.PlainPasswordFile
+CrossCertPair._000=##
+CrossCertPair._001=## CrossCertPair Import
+CrossCertPair._002=##
+CrossCertPair.ldap=internaldb
+accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
+accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
+accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
+accessEvaluator.impl.user_origreq.class=com.netscape.cms.evaluators.UserOrigReqAccessEvaluator
+auths._000=##
+auths._001=## new authentication
+auths._002=##
+auths.impl._000=##
+auths.impl._001=## authentication manager implementations
+auths.impl._002=##
+auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication
+auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth
+auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth
+auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
+auths.impl.SSLclientCertAuth.class=com.netscape.cms.authentication.SSLclientCertAuthentication
+auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication
+auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
+auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
+auths.impl.UidPwdGroupDirAuth.class=com.netscape.cms.authentication.UidPwdGroupDirAuthentication
+auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication
+auths.impl.FlatFileAuth.class=com.netscape.cms.authentication.FlatFileAuth
+auths.instance.TokenAuth.pluginName=TokenAuth
+auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
+auths.instance.AgentCertAuth.pluginName=AgentCertAuth
+auths.instance.raCertAuth.agentGroup=Registration Manager Agents
+auths.instance.raCertAuth.pluginName=AgentCertAuth
+auths.instance.flatFileAuth.pluginName=FlatFileAuth
+auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/flatfile.txt
+auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
+auths.revocationChecking.bufferSize=50
+auths.revocationChecking.ca=ca
+auths.revocationChecking.enabled=true
+auths.revocationChecking.unknownStateInterval=0
+auths.revocationChecking.validityInterval=120
+authz._000=##
+authz._001=## new authorizatioin
+authz._002=##
+authz.evaluateOrder=deny,allow
+authz.sourceType=ldap
+authz.impl._000=##
+authz.impl._001=## authorization manager implementations
+authz.impl._002=##
+authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz
+authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
+authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz
+authz.instance.DirAclAuthz.ldap=internaldb
+authz.instance.DirAclAuthz.pluginName=DirAclAuthz
+authz.instance.DirAclAuthz.ldap._000=##
+authz.instance.DirAclAuthz.ldap._001=## Internal Database
+authz.instance.DirAclAuthz.ldap._002=##
+ca.ocsp=true
+ca.certdbInc=20
+ca.crldbInc=20
+ca.id=ca
+ca.local=true
+ca.ocspUseCache=false
+ca.enableNonces=true
+ca.maxNumberOfNonces=100
+ca.reqdbInc=20
+ca.transitMaxRecords=1000000
+ca.transitRecordPageSize=200
+# maxSearchReturns - limits number of search results returned by SearchReqs and SrchCerts
+# ca.maxSearchReturns=1000
+ca.scep.enable=false
+ca.scep.hashAlgorithm=SHA1
+ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
+ca.scep.encryptionAlgorithm=DES3
+ca.scep.allowedEncryptionAlgorithms=DES3
+ca.scep.nonceSizeLimit=16
+ca.Policy._000=##
+ca.Policy._001=## Certificate Policy Framework (deprecated)
+ca.Policy._002=##
+ca.Policy._003=## Set 'ca.Policy.enable=true' to allow the following:
+ca.Policy._004=##
+ca.Policy._005=## SERVLET-NAME URL-PATTERN
+ca.Policy._006=## ====================================================
+ca.Policy._007=## caadminEnroll ca/admin/ca/adminEnroll.html
+ca.Policy._008=## cabulkissuance ca/agent/ca/bulkissuance.html
+ca.Policy._009=## cacertbasedenrollment ca/certbasedenrollment.html
+ca.Policy._010=## caenrollment ca/enrollment.html
+ca.Policy._011=## capolicy ca/capolicy
+ca.Policy._012=##
+ca.Policy.enable=false
+ca.Policy.order=KeyAlgRule, RSAKeyRule, DefaultValidityRule, RenewalConstraintsRule, DefaultRenewalValidityRule, RevocationConstraintsRule, NSCertTypeExt, CMCertKeyUsageExt, RMCertKeyUsageExt, ClientCertKeyUsageExt, ServerCertKeyUsageExt, ObjSignCertKeyUsageExt, CRLSignCertKeyUsageExt, SubjectKeyIdentifierExt, CertificatePoliciesExt, NSCCommentExt, OCSPNoCheckExt, OCSPSigningExt, CODESigningExt, GenericASN1Ext, CRLDistributionPointsExt, SubjectAltNameExt, SigningAlgRule, AuthorityKeyIdentifierExt, AuthInfoAccessExt, BasicConstraintsExt, UniqueSubjectNameConstraints, NameConstraintsExt, PolicyConstraintsExt, SubCANameConstraints, PolicyMappingsExt, IssuerRule
+ca.Policy.processor=classic
+ca.Policy.impl._000=##
+ca.Policy.impl._001=## Policy Implementations
+ca.Policy.impl._002=##
+ca.Policy.impl.AttributePresentConstraints.class=com.netscape.cms.policy.constraints.AttributePresentConstraints
+ca.Policy.impl.AuthInfoAccessExt.class=com.netscape.cms.policy.extensions.AuthInfoAccessExt
+ca.Policy.impl.AuthorityKeyIdentifierExt.class=com.netscape.cms.policy.extensions.AuthorityKeyIdentifierExt
+ca.Policy.impl.BasicConstraintsExt.class=com.netscape.cms.policy.extensions.BasicConstraintsExt
+ca.Policy.impl.CRLDistributionPointsExt.class=com.netscape.cms.policy.extensions.CRLDistributionPointsExt
+ca.Policy.impl.CertificatePoliciesExt.class=com.netscape.cms.policy.extensions.CertificatePoliciesExt +ca.Policy.impl.CertificateRenewalWindowExt.class=com.netscape.cms.policy.extensions.CertificateRenewalWindowExt +ca.Policy.impl.CertificateScopeOfUseExt.class=com.netscape.cms.policy.extensions.CertificateScopeOfUseExt +ca.Policy.impl.DSAKeyConstraints.class=com.netscape.cms.policy.constraints.DSAKeyConstraints +ca.Policy.impl.ExtendedKeyUsageExt.class=com.netscape.cms.policy.extensions.ExtendedKeyUsageExt +ca.Policy.impl.GenericASN1Ext.class=com.netscape.cms.policy.extensions.GenericASN1Ext +ca.Policy.impl.IssuerAltNameExt.class=com.netscape.cms.policy.extensions.IssuerAltNameExt +ca.Policy.impl.IssuerConstraints.class=com.netscape.cms.policy.constraints.IssuerConstraints +ca.Policy.impl.KeyAlgorithmConstraints.class=com.netscape.cms.policy.constraints.KeyAlgorithmConstraints +ca.Policy.impl.KeyUsageExt.class=com.netscape.cms.policy.extensions.KeyUsageExt +ca.Policy.impl.NSCCommentExt.class=com.netscape.cms.policy.extensions.NSCCommentExt +ca.Policy.impl.NSCertTypeExt.class=com.netscape.cms.policy.extensions.NSCertTypeExt +ca.Policy.impl.NameConstraintsExt.class=com.netscape.cms.policy.extensions.NameConstraintsExt +ca.Policy.impl.OCSPNoCheckExt.class=com.netscape.cms.policy.extensions.OCSPNoCheckExt +ca.Policy.impl.PolicyConstraintsExt.class=com.netscape.cms.policy.extensions.PolicyConstraintsExt +ca.Policy.impl.PolicyMappingsExt.class=com.netscape.cms.policy.extensions.PolicyMappingsExt +ca.Policy.impl.PrivateKeyUsagePeriodExt.class=com.netscape.cms.policy.extensions.PrivateKeyUsagePeriodExt +ca.Policy.impl.RSAKeyConstraints.class=com.netscape.cms.policy.constraints.RSAKeyConstraints +ca.Policy.impl.RemoveBasicConstraintsExt.class=com.netscape.cms.policy.extensions.RemoveBasicConstraintsExt +ca.Policy.impl.RenewalConstraints.class=com.netscape.cms.policy.constraints.RenewalConstraints 
+ca.Policy.impl.RenewalValidityConstraints.class=com.netscape.cms.policy.constraints.RenewalValidityConstraints +ca.Policy.impl.RevocationConstraints.class=com.netscape.cms.policy.constraints.RevocationConstraints +ca.Policy.impl.SigningAlgorithmConstraints.class=com.netscape.cms.policy.constraints.SigningAlgorithmConstraints +ca.Policy.impl.SubCANameConstraints.class=com.netscape.cms.policy.constraints.SubCANameConstraints +ca.Policy.impl.SubjectAltNameExt.class=com.netscape.cms.policy.extensions.SubjectAltNameExt +ca.Policy.impl.SubjectDirectoryAttributesExt.class=com.netscape.cms.policy.extensions.SubjectDirectoryAttributesExt +ca.Policy.impl.SubjectKeyIdentifierExt.class=com.netscape.cms.policy.extensions.SubjectKeyIdentifierExt +ca.Policy.impl.UniqueSubjectNameConstraints.class=com.netscape.cms.policy.constraints.UniqueSubjectNameConstraints +ca.Policy.impl.ValidityConstraints.class=com.netscape.cms.policy.constraints.ValidityConstraints +ca.Policy.rule.AuthInfoAccessExt.ad0_location=http://[PKI_MACHINE_NAME]:8080/ocsp +ca.Policy.rule.AuthInfoAccessExt.ad0_location_type=URL +ca.Policy.rule.AuthInfoAccessExt.ad0_method=ocsp +ca.Policy.rule.AuthInfoAccessExt.enable=false +ca.Policy.rule.AuthInfoAccessExt.implName=AuthInfoAccessExt +ca.Policy.rule.AuthInfoAccessExt.numADs=1 +ca.Policy.rule.AuthInfoAccessExt.predicate=HTTP_PARAMS.certType==client +ca.Policy.rule.AuthorityKeyIdentifierExt.enable=true +ca.Policy.rule.AuthorityKeyIdentifierExt.implName=AuthorityKeyIdentifierExt +ca.Policy.rule.AuthorityKeyIdentifierExt.predicate= +ca.Policy.rule.BasicConstraintsExt.critical=true +ca.Policy.rule.BasicConstraintsExt.enable=true +ca.Policy.rule.BasicConstraintsExt.implName=BasicConstraintsExt +ca.Policy.rule.BasicConstraintsExt.maxPathLen= +ca.Policy.rule.BasicConstraintsExt.predicate=HTTP_PARAMS.certType == ca +ca.Policy.rule.BasicConstraintsExt.removeBasicExt=true +ca.Policy.rule.CMCertKeyUsageExt.crlSign=true +ca.Policy.rule.CMCertKeyUsageExt.dataEncipherment=false 
+ca.Policy.rule.CMCertKeyUsageExt.decipherOnly=false +ca.Policy.rule.CMCertKeyUsageExt.digitalSignature=true +ca.Policy.rule.CMCertKeyUsageExt.enable=true +ca.Policy.rule.CMCertKeyUsageExt.encipherOnly=false +ca.Policy.rule.CMCertKeyUsageExt.implName=KeyUsageExt +ca.Policy.rule.CMCertKeyUsageExt.keyAgreement=false +ca.Policy.rule.CMCertKeyUsageExt.keyCertsign=true +ca.Policy.rule.CMCertKeyUsageExt.keyEncipherment=false +ca.Policy.rule.CMCertKeyUsageExt.nonRepudiation=true +ca.Policy.rule.CMCertKeyUsageExt.predicate=HTTP_PARAMS.certType==ca +ca.Policy.rule.CODESigningExt.critical=false +ca.Policy.rule.CODESigningExt.enable=true +ca.Policy.rule.CODESigningExt.id0=1.3.6.1.5.5.7.3.3 +ca.Policy.rule.CODESigningExt.implName=ExtendedKeyUsageExt +ca.Policy.rule.CODESigningExt.predicate=HTTP_PARAMS.certType==codeSignClient +ca.Policy.rule.CRLDistributionPointsExt.enable=false +ca.Policy.rule.CRLDistributionPointsExt.implName=CRLDistributionPointsExt +ca.Policy.rule.CRLDistributionPointsExt.issuerName0= +ca.Policy.rule.CRLDistributionPointsExt.issuerName1= +ca.Policy.rule.CRLDistributionPointsExt.issuerName2= +ca.Policy.rule.CRLDistributionPointsExt.issuerType0= +ca.Policy.rule.CRLDistributionPointsExt.issuerType1= +ca.Policy.rule.CRLDistributionPointsExt.issuerType2= +ca.Policy.rule.CRLDistributionPointsExt.numPoints=0 +ca.Policy.rule.CRLDistributionPointsExt.pointName0= +ca.Policy.rule.CRLDistributionPointsExt.pointName1= +ca.Policy.rule.CRLDistributionPointsExt.pointName2= +ca.Policy.rule.CRLDistributionPointsExt.pointType0= +ca.Policy.rule.CRLDistributionPointsExt.pointType1= +ca.Policy.rule.CRLDistributionPointsExt.pointType2= +ca.Policy.rule.CRLDistributionPointsExt.predicate= +ca.Policy.rule.CRLDistributionPointsExt.reasons0= +ca.Policy.rule.CRLDistributionPointsExt.reasons1= +ca.Policy.rule.CRLDistributionPointsExt.reasons2= +ca.Policy.rule.CRLSignCertKeyUsageExt.crlSign=true +ca.Policy.rule.CRLSignCertKeyUsageExt.dataEncipherment=false 
+ca.Policy.rule.CRLSignCertKeyUsageExt.decipherOnly=false +ca.Policy.rule.CRLSignCertKeyUsageExt.digitalSignature=false +ca.Policy.rule.CRLSignCertKeyUsageExt.enable=true +ca.Policy.rule.CRLSignCertKeyUsageExt.encipherOnly=false +ca.Policy.rule.CRLSignCertKeyUsageExt.implName=KeyUsageExt +ca.Policy.rule.CRLSignCertKeyUsageExt.keyAgreement=false +ca.Policy.rule.CRLSignCertKeyUsageExt.keyCertsign=false +ca.Policy.rule.CRLSignCertKeyUsageExt.keyEncipherment=false +ca.Policy.rule.CRLSignCertKeyUsageExt.nonRepudiation=false +ca.Policy.rule.CRLSignCertKeyUsageExt.predicate=HTTP_PARAMS.certType==caCrlSigning +ca.Policy.rule.CertificatePoliciesExt.critical=false +ca.Policy.rule.CertificatePoliciesExt.enable=false +ca.Policy.rule.CertificatePoliciesExt.implName=CertificatePoliciesExt +ca.Policy.rule.CertificatePoliciesExt.numCertPolicies=1 +ca.Policy.rule.CertificatePoliciesExt.predicate= +ca.Policy.rule.CertificatePoliciesExt.certPolicy0.cpsURI= +ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefNumbers= +ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefOrganization= +ca.Policy.rule.CertificatePoliciesExt.certPolicy0.policyId= +ca.Policy.rule.CertificatePoliciesExt.certPolicy0.userNoticeExplicitText= +ca.Policy.rule.ClientCertKeyUsageExt.crlSign=false +ca.Policy.rule.ClientCertKeyUsageExt.dataEncipherment=false +ca.Policy.rule.ClientCertKeyUsageExt.decipherOnly=false +ca.Policy.rule.ClientCertKeyUsageExt.digitalSignature=true +ca.Policy.rule.ClientCertKeyUsageExt.enable=true +ca.Policy.rule.ClientCertKeyUsageExt.encipherOnly=false +ca.Policy.rule.ClientCertKeyUsageExt.implName=KeyUsageExt +ca.Policy.rule.ClientCertKeyUsageExt.keyAgreement=false +ca.Policy.rule.ClientCertKeyUsageExt.keyCertsign=false +ca.Policy.rule.ClientCertKeyUsageExt.keyEncipherment=true +ca.Policy.rule.ClientCertKeyUsageExt.nonRepudiation=true +ca.Policy.rule.ClientCertKeyUsageExt.predicate=HTTP_PARAMS.certType==client +ca.Policy.rule.DSAKeyRule.enable=true 
+ca.Policy.rule.DSAKeyRule.implName=DSAKeyConstraints +ca.Policy.rule.DSAKeyRule.maxSize=1024 +ca.Policy.rule.DSAKeyRule.minSize=512 +ca.Policy.rule.DSAKeyRule.predicate= +ca.Policy.rule.DefaultRenewalValidityRule.enable=true +ca.Policy.rule.DefaultRenewalValidityRule.implName=RenewalValidityConstraints +ca.Policy.rule.DefaultRenewalValidityRule.maxValidity=365 +ca.Policy.rule.DefaultRenewalValidityRule.minValidity=30 +ca.Policy.rule.DefaultRenewalValidityRule.predicate= +ca.Policy.rule.DefaultRenewalValidityRule.renewalInterval=15 +ca.Policy.rule.DefaultValidityRule.enable=true +ca.Policy.rule.DefaultValidityRule.implName=ValidityConstraints +ca.Policy.rule.DefaultValidityRule.maxValidity=365 +ca.Policy.rule.DefaultValidityRule.minValidity=1 +ca.Policy.rule.DefaultValidityRule.predicate= +ca.Policy.rule.GenericASN1Ext.critical=false +ca.Policy.rule.GenericASN1Ext.enable=false +ca.Policy.rule.GenericASN1Ext.implName=GenericASN1Ext +ca.Policy.rule.GenericASN1Ext.name= +ca.Policy.rule.GenericASN1Ext.oid= +ca.Policy.rule.GenericASN1Ext.pattern= +ca.Policy.rule.GenericASN1Ext.predicate= +ca.Policy.rule.GenericASN1Ext.attribute.0.source= +ca.Policy.rule.GenericASN1Ext.attribute.0.type= +ca.Policy.rule.GenericASN1Ext.attribute.0.value= +ca.Policy.rule.GenericASN1Ext.attribute.1.source= +ca.Policy.rule.GenericASN1Ext.attribute.1.type= +ca.Policy.rule.GenericASN1Ext.attribute.1.value= +ca.Policy.rule.GenericASN1Ext.attribute.2.source= +ca.Policy.rule.GenericASN1Ext.attribute.2.type= +ca.Policy.rule.GenericASN1Ext.attribute.2.value= +ca.Policy.rule.GenericASN1Ext.attribute.3.source= +ca.Policy.rule.GenericASN1Ext.attribute.3.type= +ca.Policy.rule.GenericASN1Ext.attribute.3.value= +ca.Policy.rule.GenericASN1Ext.attribute.4.source= +ca.Policy.rule.GenericASN1Ext.attribute.4.type= +ca.Policy.rule.GenericASN1Ext.attribute.4.value= +ca.Policy.rule.GenericASN1Ext.attribute.5.source= +ca.Policy.rule.GenericASN1Ext.attribute.5.type= +ca.Policy.rule.GenericASN1Ext.attribute.5.value= 
+ca.Policy.rule.GenericASN1Ext.attribute.6.source= +ca.Policy.rule.GenericASN1Ext.attribute.6.type= +ca.Policy.rule.GenericASN1Ext.attribute.6.value= +ca.Policy.rule.GenericASN1Ext.attribute.7.source= +ca.Policy.rule.GenericASN1Ext.attribute.7.type= +ca.Policy.rule.GenericASN1Ext.attribute.7.value= +ca.Policy.rule.GenericASN1Ext.attribute.8.source= +ca.Policy.rule.GenericASN1Ext.attribute.8.type= +ca.Policy.rule.GenericASN1Ext.attribute.8.value= +ca.Policy.rule.GenericASN1Ext.attribute.9.source= +ca.Policy.rule.GenericASN1Ext.attribute.9.type= +ca.Policy.rule.GenericASN1Ext.attribute.9.value= +ca.Policy.rule.IssuerRule.enable=false +ca.Policy.rule.IssuerRule.implName=IssuerConstraints +ca.Policy.rule.IssuerRule.issuerDN= +ca.Policy.rule.IssuerRule.predicate=HTTP_PARAMS.certType==client AND certauthEnroll==on +ca.Policy.rule.KeyAlgRule.algorithms=RSA,DSA +ca.Policy.rule.KeyAlgRule.enable=true +ca.Policy.rule.KeyAlgRule.implName=KeyAlgorithmConstraints +ca.Policy.rule.KeyAlgRule.predicate= +ca.Policy.rule.NSCCommentExt.commentFile= +ca.Policy.rule.NSCCommentExt.enable=false +ca.Policy.rule.NSCCommentExt.implName=NSCCommentExt +ca.Policy.rule.NSCCommentExt.inputType=Text +ca.Policy.rule.NSCCommentExt.predicate= +ca.Policy.rule.NSCertTypeExt.enable=true +ca.Policy.rule.NSCertTypeExt.implName=NSCertTypeExt +ca.Policy.rule.NSCertTypeExt.predicate=HTTP_PARAMS.certType!=CEP-Request +ca.Policy.rule.NameConstraintsExt.critical=true +ca.Policy.rule.NameConstraintsExt.enable=false +ca.Policy.rule.NameConstraintsExt.implName=NameConstraintsExt +ca.Policy.rule.NameConstraintsExt.numExcludedSubtrees=3 +ca.Policy.rule.NameConstraintsExt.numPermittedSubtrees=3 +ca.Policy.rule.NameConstraintsExt.predicate=HTTP_PARAMS.certType == ca +ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.max=-1 +ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.min=0 +ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base.generalNameChoice= 
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base.generalNameValue= +ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.max=-1 +ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.min=0 +ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base.generalNameChoice= +ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base.generalNameValue= +ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.max=-1 +ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.min=0 +ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base.generalNameChoice= +ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base.generalNameValue= +ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.max=-1 +ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.min=0 +ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base.generalNameChoice= +ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base.generalNameValue= +ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.max=-1 +ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.min=0 +ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base.generalNameChoice= +ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base.generalNameValue= +ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.max=-1 +ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.min=0 +ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base.generalNameChoice= +ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base.generalNameValue= +ca.Policy.rule.OCSPNoCheckExt.critical=false +ca.Policy.rule.OCSPNoCheckExt.enable=true +ca.Policy.rule.OCSPNoCheckExt.implName=OCSPNoCheckExt +ca.Policy.rule.OCSPNoCheckExt.predicate=HTTP_PARAMS.certType==ocspResponder +ca.Policy.rule.OCSPSigningExt.critical=false +ca.Policy.rule.OCSPSigningExt.enable=true +ca.Policy.rule.OCSPSigningExt.id0=1.3.6.1.5.5.7.3.9 +ca.Policy.rule.OCSPSigningExt.implName=ExtendedKeyUsageExt +ca.Policy.rule.OCSPSigningExt.predicate=HTTP_PARAMS.certType==ocspResponder 
+ca.Policy.rule.ObjSignCertKeyUsageExt.crlSign=false +ca.Policy.rule.ObjSignCertKeyUsageExt.dataEncipherment=false +ca.Policy.rule.ObjSignCertKeyUsageExt.decipherOnly=false +ca.Policy.rule.ObjSignCertKeyUsageExt.digitalSignature=true +ca.Policy.rule.ObjSignCertKeyUsageExt.enable=true +ca.Policy.rule.ObjSignCertKeyUsageExt.encipherOnly=false +ca.Policy.rule.ObjSignCertKeyUsageExt.implName=KeyUsageExt +ca.Policy.rule.ObjSignCertKeyUsageExt.keyAgreement=false +ca.Policy.rule.ObjSignCertKeyUsageExt.keyCertsign=true +ca.Policy.rule.ObjSignCertKeyUsageExt.keyEncipherment=false +ca.Policy.rule.ObjSignCertKeyUsageExt.nonRepudiation=false +ca.Policy.rule.ObjSignCertKeyUsageExt.predicate=HTTP_PARAMS.certType==objSignClient +ca.Policy.rule.PolicyConstraintsExt.critical=false +ca.Policy.rule.PolicyConstraintsExt.enable=false +ca.Policy.rule.PolicyConstraintsExt.implName=PolicyConstraintsExt +ca.Policy.rule.PolicyConstraintsExt.inhibitPolicyMapping=0 +ca.Policy.rule.PolicyConstraintsExt.predicate=HTTP_PARAMS.certType==ca +ca.Policy.rule.PolicyConstraintsExt.reqExplicitPolicy=0 +ca.Policy.rule.PolicyMappingsExt.critical=false +ca.Policy.rule.PolicyMappingsExt.enable=false +ca.Policy.rule.PolicyMappingsExt.implName=PolicyMappingsExt +ca.Policy.rule.PolicyMappingsExt.numPolicyMappings=1 +ca.Policy.rule.PolicyMappingsExt.predicate=HTTP_PARAMS.certType==ca +ca.Policy.rule.PolicyMappingsExt.policyMap0.issuerDomainPolicy= +ca.Policy.rule.PolicyMappingsExt.policyMap0.subjectDomainPolicy= +ca.Policy.rule.RMCertKeyUsageExt.crlSign=false +ca.Policy.rule.RMCertKeyUsageExt.dataEncipherment=false +ca.Policy.rule.RMCertKeyUsageExt.decipherOnly=false +ca.Policy.rule.RMCertKeyUsageExt.digitalSignature=true +ca.Policy.rule.RMCertKeyUsageExt.enable=true +ca.Policy.rule.RMCertKeyUsageExt.encipherOnly=false +ca.Policy.rule.RMCertKeyUsageExt.implName=KeyUsageExt +ca.Policy.rule.RMCertKeyUsageExt.keyAgreement=false +ca.Policy.rule.RMCertKeyUsageExt.keyCertsign=false 
+ca.Policy.rule.RMCertKeyUsageExt.keyEncipherment=false
+ca.Policy.rule.RMCertKeyUsageExt.nonRepudiation=true
+ca.Policy.rule.RMCertKeyUsageExt.predicate=HTTP_PARAMS.certType==ra
+ca.Policy.rule.RSAKeyRule.enable=false
+ca.Policy.rule.RSAKeyRule.exponents=3,7,17,65537
+ca.Policy.rule.RSAKeyRule.implName=RSAKeyConstraints
+ca.Policy.rule.RSAKeyRule.maxSize=2048
+ca.Policy.rule.RSAKeyRule.minSize=512
+ca.Policy.rule.RSAKeyRule.predicate=
+ca.Policy.rule.RenewalConstraintsRule.enable=true
+ca.Policy.rule.RenewalConstraintsRule.implName=RenewalConstraints
+ca.Policy.rule.RenewalConstraintsRule.predicate=
+ca.Policy.rule.RevocationConstraintsRule.enable=true
+ca.Policy.rule.RevocationConstraintsRule.implName=RevocationConstraints
+ca.Policy.rule.RevocationConstraintsRule.predicate=
+ca.Policy.rule.ServerCertKeyUsageExt.crlSign=false
+ca.Policy.rule.ServerCertKeyUsageExt.dataEncipherment=true
+ca.Policy.rule.ServerCertKeyUsageExt.decipherOnly=false
+ca.Policy.rule.ServerCertKeyUsageExt.digitalSignature=true
+ca.Policy.rule.ServerCertKeyUsageExt.enable=true
+ca.Policy.rule.ServerCertKeyUsageExt.encipherOnly=false
+ca.Policy.rule.ServerCertKeyUsageExt.implName=KeyUsageExt
+ca.Policy.rule.ServerCertKeyUsageExt.keyAgreement=false
+ca.Policy.rule.ServerCertKeyUsageExt.keyCertsign=false
+ca.Policy.rule.ServerCertKeyUsageExt.keyEncipherment=true
+ca.Policy.rule.ServerCertKeyUsageExt.nonRepudiation=true
+ca.Policy.rule.ServerCertKeyUsageExt.predicate=HTTP_PARAMS.certType==server
+ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+ca.Policy.rule.SigningAlgRule.enable=true
+ca.Policy.rule.SigningAlgRule.implName=SigningAlgorithmConstraints
+ca.Policy.rule.SigningAlgRule.predicate=
+ca.Policy.rule.SubCANameConstraints.enable=true
+ca.Policy.rule.SubCANameConstraints.implName=SubCANameConstraints
+ca.Policy.rule.SubCANameConstraints.predicate=HTTP_PARAMS.certType == ca
+ca.Policy.rule.SubjectAltNameExt.enable=true
+ca.Policy.rule.SubjectAltNameExt.implName=SubjectAltNameExt
+ca.Policy.rule.SubjectAltNameExt.numGeneralNames=3
+ca.Policy.rule.SubjectAltNameExt.predicate=HTTP_PARAMS.certType!=CEP-Request
+ca.Policy.rule.SubjectAltNameExt.generalName0.generalNameChoice=rfc822Name
+ca.Policy.rule.SubjectAltNameExt.generalName0.requestAttr=AUTH_TOKEN.mail
+ca.Policy.rule.SubjectAltNameExt.generalName1.generalNameChoice=rfc822Name
+ca.Policy.rule.SubjectAltNameExt.generalName1.requestAttr=AUTH_TOKEN.mailalternateaddress
+ca.Policy.rule.SubjectAltNameExt.generalName2.generalNameChoice=rfc822Name
+ca.Policy.rule.SubjectAltNameExt.generalName2.requestAttr=HTTP_PARAMS.csrRequestorEmail
+ca.Policy.rule.SubjectKeyIdentifierExt.enable=true
+ca.Policy.rule.SubjectKeyIdentifierExt.implName=SubjectKeyIdentifierExt
+ca.Policy.rule.SubjectKeyIdentifierExt.predicate=HTTP_PARAMS.certType==ca
+ca.Policy.rule.UniqueSubjectNameConstraints.enable=false
+ca.Policy.rule.UniqueSubjectNameConstraints.implName=UniqueSubjectNameConstraints
+ca.Policy.rule.UniqueSubjectNameConstraints.predicate=
+ca.crl._000=##
+ca.crl._001=## CA CRL
+ca.crl._002=##
+ca.crl.pageSize=100
+ca.crl.MasterCRL.allowExtensions=true
+ca.crl.MasterCRL.alwaysUpdate=false
+ca.crl.MasterCRL.autoUpdateInterval=240
+ca.crl.MasterCRL.caCertsOnly=false
+ca.crl.MasterCRL.cacheUpdateInterval=15
+ca.crl.MasterCRL.class=com.netscape.ca.CRLIssuingPoint
+ca.crl.MasterCRL.dailyUpdates=1:00
+ca.crl.MasterCRL.description=CA's complete Certificate Revocation List
+ca.crl.MasterCRL.enable=true
+ca.crl.MasterCRL.enableCRLCache=true
+ca.crl.MasterCRL.enableCRLUpdates=true
+ca.crl.MasterCRL.enableCacheRecovery=true
+ca.crl.MasterCRL.enableDailyUpdates=true
+ca.crl.MasterCRL.enableUpdateInterval=true
+ca.crl.MasterCRL.extendedNextUpdate=true
+ca.crl.MasterCRL.includeExpiredCerts=false
+ca.crl.MasterCRL.minUpdateInterval=0
+ca.crl.MasterCRL.nextUpdateGracePeriod=0
+ca.crl.MasterCRL.publishOnStart=false
+ca.crl.MasterCRL.signingAlgorithm=SHA256withRSA
+ca.crl.MasterCRL.updateSchema=1
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocation0=
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocationType0=URI
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessMethod0=caIssuers
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.class=com.netscape.cms.crl.CMSAuthInfoAccessExtension
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.critical=false
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.enable=false
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.numberOfAccessDescriptions=1
+ca.crl.MasterCRL.extension.AuthorityInformationAccess.type=CRLExtension
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.class=com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.critical=false
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable=false
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.type=CRLExtension
+ca.crl.MasterCRL.extension.CRLNumber.class=com.netscape.cms.crl.CMSCRLNumberExtension
+ca.crl.MasterCRL.extension.CRLNumber.critical=false
+ca.crl.MasterCRL.extension.CRLNumber.enable=true
+ca.crl.MasterCRL.extension.CRLNumber.type=CRLExtension
+ca.crl.MasterCRL.extension.CRLReason.class=com.netscape.cms.crl.CMSCRLReasonExtension
+ca.crl.MasterCRL.extension.CRLReason.critical=false
+ca.crl.MasterCRL.extension.CRLReason.enable=true
+ca.crl.MasterCRL.extension.CRLReason.type=CRLEntryExtension
+ca.crl.MasterCRL.extension.DeltaCRLIndicator.class=com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension
+ca.crl.MasterCRL.extension.DeltaCRLIndicator.critical=true
+ca.crl.MasterCRL.extension.DeltaCRLIndicator.enable=false
+ca.crl.MasterCRL.extension.DeltaCRLIndicator.type=CRLExtension
+ca.crl.MasterCRL.extension.FreshestCRL.class=com.netscape.cms.crl.CMSFreshestCRLExtension
+ca.crl.MasterCRL.extension.FreshestCRL.critical=false
+ca.crl.MasterCRL.extension.FreshestCRL.enable=false
+ca.crl.MasterCRL.extension.FreshestCRL.numPoints=0
+ca.crl.MasterCRL.extension.FreshestCRL.pointName0=
+ca.crl.MasterCRL.extension.FreshestCRL.pointType0=
+ca.crl.MasterCRL.extension.FreshestCRL.type=CRLExtension
+ca.crl.MasterCRL.extension.InvalidityDate.class=com.netscape.cms.crl.CMSInvalidityDateExtension
+ca.crl.MasterCRL.extension.InvalidityDate.critical=false
+ca.crl.MasterCRL.extension.InvalidityDate.enable=true
+ca.crl.MasterCRL.extension.InvalidityDate.type=CRLEntryExtension
+ca.crl.MasterCRL.extension.IssuerAlternativeName.class=com.netscape.cms.crl.CMSIssuerAlternativeNameExtension
+ca.crl.MasterCRL.extension.IssuerAlternativeName.critical=false
+ca.crl.MasterCRL.extension.IssuerAlternativeName.enable=false
+ca.crl.MasterCRL.extension.IssuerAlternativeName.name0=
+ca.crl.MasterCRL.extension.IssuerAlternativeName.nameType0=
+ca.crl.MasterCRL.extension.IssuerAlternativeName.numNames=0
+ca.crl.MasterCRL.extension.IssuerAlternativeName.type=CRLExtension
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.class=com.netscape.cms.crl.CMSIssuingDistributionPointExtension
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.critical=true
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.enable=false
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.indirectCRL=false
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsCACerts=false
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsUserCerts=false
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlySomeReasons=
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointName=
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointType=
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.type=CRLExtension
+ca.notification.certIssued.emailSubject=Your Certificate Request
+ca.notification.certIssued.emailTemplate=[PKI_INSTANCE_PATH]/emails/certIssued_CA.html
+ca.notification.certIssued.enabled=false
+ca.notification.certIssued.senderEmail=
+ca.notification.certRevoked.emailSubject=Your Certificate Revoked
+ca.notification.certRevoked.emailTemplate=[PKI_INSTANCE_PATH]/emails/certRevoked_CA.html
+ca.notification.certRevoked.enabled=false
+ca.notification.certRevoked.senderEmail=
+ca.notification.requestInQ.emailSubject=Certificate Request in Queue
+ca.notification.requestInQ.emailTemplate=[PKI_INSTANCE_PATH]/emails/reqInQueue_CA.html
+ca.notification.requestInQ.enabled=false
+ca.notification.requestInQ.recipientEmail=
+ca.notification.requestInQ.senderEmail=
+ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
+ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
+ca.ocsp_signing.tokenname=internal
+ca.publish.createOwnDNEntry=false
+ca.publish.queue.enable=true
+ca.publish.queue.maxNumberOfThreads=3
+ca.publish.queue.pageSize=40
+ca.publish.queue.priorityLevel=0
+ca.publish.mapper.impl.LdapCaSimpleMap.class=com.netscape.cms.publish.mappers.LdapCaSimpleMap
+ca.publish.mapper.impl.LdapDNCompsMap.class=com.netscape.cms.publish.mappers.LdapCertCompsMap
+ca.publish.mapper.impl.LdapDNExactMap.class=com.netscape.cms.publish.mappers.LdapCertExactMap
+ca.publish.mapper.impl.LdapEnhancedMap.class=com.netscape.cms.publish.mappers.LdapEnhancedMap
+ca.publish.mapper.impl.LdapSimpleMap.class=com.netscape.cms.publish.mappers.LdapSimpleMap
+ca.publish.mapper.impl.LdapSubjAttrMap.class=com.netscape.cms.publish.mappers.LdapCertSubjMap
+ca.publish.mapper.impl.NoMap.class=com.netscape.cms.publish.mappers.NoMap
+ca.publish.mapper.instance.LdapCaCertMap.createCAEntry=true
+ca.publish.mapper.instance.LdapCaCertMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
+ca.publish.mapper.instance.LdapCaCertMap.pluginName=LdapCaSimpleMap
+ca.publish.mapper.instance.LdapCrlMap.createCAEntry=true
+ca.publish.mapper.instance.LdapCrlMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
+ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapCaSimpleMap
+ca.publish.mapper.instance.LdapUserCertMap.dnPattern=UID=$subj.UID,OU=people,O=$subj.o
+ca.publish.mapper.instance.LdapUserCertMap.pluginName=LdapSimpleMap
+ca.publish.mapper.instance.NoMap.pluginName=NoMap
+ca.publish.publisher.impl.FileBasedPublisher.class=com.netscape.cms.publish.publishers.FileBasedPublisher
+ca.publish.publisher.impl.LdapCaCertPublisher.class=com.netscape.cms.publish.publishers.LdapCaCertPublisher
+ca.publish.publisher.impl.LdapCertificatePairPublisher.class=com.netscape.cms.publish.publishers.LdapCertificatePairPublisher
+ca.publish.publisher.impl.LdapCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
+ca.publish.publisher.impl.LdapDeltaCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
+ca.publish.publisher.impl.LdapUserCertPublisher.class=com.netscape.cms.publish.publishers.LdapUserCertPublisher
+ca.publish.publisher.impl.OCSPPublisher.class=com.netscape.cms.publish.publishers.OCSPPublisher
+ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr=caCertificate;binary
+ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass=certificationAuthority
+ca.publish.publisher.instance.LdapCaCertPublisher.pluginName=LdapCaCertPublisher
+ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=certificateRevocationList;binary
+ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher
+ca.publish.publisher.instance.LdapCrossCertPairPublisher.caObjectClass=certificationAuthority
+ca.publish.publisher.instance.LdapCrossCertPairPublisher.crossCertPairAttr=crossCertificatePair;binary
+ca.publish.publisher.instance.LdapCrossCertPairPublisher.pluginName=LdapCertificatePairPublisher
+ca.publish.publisher.instance.LdapDeltaCrlPublisher.crlAttr=deltaRevocationList;binary
+ca.publish.publisher.instance.LdapDeltaCrlPublisher.pluginName=LdapDeltaCrlPublisher
+ca.publish.publisher.instance.LdapUserCertPublisher.certAttr=userCertificate;binary
+ca.publish.publisher.instance.LdapUserCertPublisher.pluginName=LdapUserCertPublisher
+ca.publish.rule.impl.Rule.class=com.netscape.cmscore.ldap.LdapRule
+ca.publish.rule.instance.LdapCaCertRule.enable=false
+ca.publish.rule.instance.LdapCaCertRule.mapper=LdapCaCertMap
+ca.publish.rule.instance.LdapCaCertRule.pluginName=Rule
+ca.publish.rule.instance.LdapCaCertRule.predicate=
+ca.publish.rule.instance.LdapCaCertRule.publisher=LdapCaCertPublisher
+ca.publish.rule.instance.LdapCaCertRule.type=cacert
+ca.publish.rule.instance.LdapCrlRule.enable=false
+ca.publish.rule.instance.LdapCrlRule.mapper=LdapCrlMap
+ca.publish.rule.instance.LdapCrlRule.pluginName=Rule
+ca.publish.rule.instance.LdapCrlRule.predicate=
+ca.publish.rule.instance.LdapCrlRule.publisher=LdapCrlPublisher
+ca.publish.rule.instance.LdapCrlRule.type=crl
+ca.publish.rule.instance.LdapUserCertRule.enable=false
+ca.publish.rule.instance.LdapUserCertRule.mapper=LdapUserCertMap
+ca.publish.rule.instance.LdapUserCertRule.pluginName=Rule
+ca.publish.rule.instance.LdapUserCertRule.predicate=
+ca.publish.rule.instance.LdapUserCertRule.publisher=LdapUserCertPublisher
+ca.publish.rule.instance.LdapUserCertRule.type=certs
+ca.publish.rule.instance.LdapXCertRule.enable=false
+ca.publish.rule.instance.LdapXCertRule.mapper=LdapCaCertMap
+ca.publish.rule.instance.LdapXCertRule.pluginName=Rule
+ca.publish.rule.instance.LdapXCertRule.predicate=
+ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher
+ca.publish.rule.instance.LdapXCertRule.type=xcert
+cmc.cert.confirmRequired=false
+cmc.lraPopWitness.verify.allow=true
+cmc.revokeCert.verify=true
+cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+cms.passwordlist=internaldb,replicationdb
+cms.password.ignore.publishing.failure=true
+cms.version=@MAJOR_VERSION@.@MINOR_VERSION@
+cmsgateway._000=##
+cmsgateway._001=## In the event that all Admin Certificates have been lost
+cmsgateway._002=## for a given instance, perform the following steps to
+cmsgateway._003=## re-enroll for a new Admin Certificate:
+cmsgateway._004=##
+cmsgateway._005=## (1) Become 'root'
+cmsgateway._006=## (2) Type: 'service [PKI_INSTANCE_ID] stop'
+cmsgateway._007=## (3) Edit '[PKI_INSTANCE_ROOT]/[PKI_INSTANCE_ID]/conf/CS.cfg'
+cmsgateway._008=## and set the following name-value pairs (if necessary):
+cmsgateway._009=##
+cmsgateway._010=## ca.Policy.enable=true
+cmsgateway._011=## cmsgateway.enableAdminEnroll=true
+cmsgateway._012=##
+cmsgateway._013=## (4) Type: 'service [PKI_INSTANCE_ID] start'
+cmsgateway._014=## (5) Launch a browser and re-enroll for
+cmsgateway._015=## a new Admin Certificate by typing:
+cmsgateway._016=##
+cmsgateway._017=## https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ca/admin/ca/adminEnroll.html
+cmsgateway._018=##
+cmsgateway._019=## (6) Verify that the browser contains the new
+cmsgateway._020=## Admin Certificate by successfully navigating to:
+cmsgateway._021=##
+cmsgateway._022=## https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/ca/agent/ca/
+cmsgateway._023=##
+cmsgateway._024=## (7) Optionally, disable the Certificate Policies Framework
+cmsgateway._025=## by following steps (1) - (4), but ONLY resetting
+cmsgateway._026=## 'ca.Policy.enable=false', as
+cmsgateway._027=## 'cmsgateway.enableAdminEnroll=false' should have
+cmsgateway._028=## already been reset.
+cmsgateway._029=##
+cmsgateway.enableAdminEnroll=false
+https.port=8443
+http.port=8080
+dbs.enableSerialManagement=false
+dbs.beginRequestNumber=1
+dbs.endRequestNumber=10000000
+dbs.requestIncrement=10000000
+dbs.requestLowWaterMark=2000000
+dbs.requestCloneTransferNumber=10000
+dbs.requestDN=ou=ca, ou=requests
+dbs.requestRangeDN=ou=requests, ou=ranges
+dbs.beginSerialNumber=1
+dbs.endSerialNumber=10000000
+dbs.serialIncrement=10000000
+dbs.serialLowWaterMark=2000000
+dbs.serialCloneTransferNumber=10000
+dbs.serialDN=ou=certificateRepository, ou=ca
+dbs.serialRangeDN=ou=certificateRepository, ou=ranges
+dbs.beginReplicaNumber=1
+dbs.endReplicaNumber=100
+dbs.replicaIncrement=100
+dbs.replicaLowWaterMark=20
+dbs.replicaCloneTransferNumber=5
+dbs.replicaDN=ou=replica
+dbs.replicaRangeDN=ou=replica, ou=ranges
+dbs.ldap=internaldb
+dbs.newSchemaEntryAdded=true
+debug.append=true
+debug.enabled=true
+debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.hashkeytypes=
+debug.level=0
+debug.showcaller=false
+keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
+keys.ecc.curve.default=nistp521
+keys.rsa.keysize.default=2048
+internaldb._000=##
+internaldb._001=## Internal Database
+internaldb._002=##
+internaldb.basedn=
+internaldb.maxConns=15
+internaldb.minConns=3
+internaldb.ldapauth.authtype=BasicAuth
+internaldb.ldapauth.bindDN=cn=Directory Manager
+internaldb.ldapauth.bindPWPrompt=Internal LDAP Database
+internaldb.ldapauth.clientCertNickname=
+internaldb.ldapconn.host=
+internaldb.ldapconn.port=
+internaldb.ldapconn.secureConn=false
+preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/schema.ldif
+preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/acl.ldif
+preop.internaldb.index_ldif=
+preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/index.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlvtasks.ldif
+preop.internaldb.wait_dn=cn=index1160589769, cn=index, cn=tasks, cn=config
+internaldb.multipleSuffix.enable=false
+jobsScheduler._000=##
+jobsScheduler._001=## jobScheduler
+jobsScheduler._002=##
+jobsScheduler.enabled=false
+jobsScheduler.interval=1
+jobsScheduler.impl.PublishCertsJob.class=com.netscape.cms.jobs.PublishCertsJob
+jobsScheduler.impl.RenewalNotificationJob.class=com.netscape.cms.jobs.RenewalNotificationJob
+jobsScheduler.impl.RequestInQueueJob.class=com.netscape.cms.jobs.RequestInQueueJob
+jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.cms.jobs.UnpublishExpiredJob
+jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5
+jobsScheduler.job.certRenewalNotifier.emailSubject=Certificate Renewal Notification
+jobsScheduler.job.certRenewalNotifier.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1.txt
+jobsScheduler.job.certRenewalNotifier.enabled=false
+jobsScheduler.job.certRenewalNotifier.notifyEndOffset=30
+jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=30
+jobsScheduler.job.certRenewalNotifier.pluginName=RenewalNotificationJob
+jobsScheduler.job.certRenewalNotifier.senderEmail=
+jobsScheduler.job.certRenewalNotifier.summary.emailSubject=Certificate Renewal Notification Summary
+jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Summary.txt
+jobsScheduler.job.certRenewalNotifier.summary.enabled=true
+jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Item.txt
+jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=
+jobsScheduler.job.certRenewalNotifier.summary.senderEmail=
+jobsScheduler.job.publishCerts.cron=0 0 * * 2
+jobsScheduler.job.publishCerts.enabled=false
+jobsScheduler.job.publishCerts.pluginName=PublishCertsJob
+jobsScheduler.job.publishCerts.summary.emailSubject=Certs Publishing Summary
+jobsScheduler.job.publishCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/publishCerts.html
+jobsScheduler.job.publishCerts.summary.enabled=true
+jobsScheduler.job.publishCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/publishCertsItem.html
+jobsScheduler.job.publishCerts.summary.recipientEmail=
+jobsScheduler.job.publishCerts.summary.senderEmail=
+jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0
+jobsScheduler.job.requestInQueueNotifier.enabled=false
+jobsScheduler.job.requestInQueueNotifier.pluginName=RequestInQueueJob
+jobsScheduler.job.requestInQueueNotifier.subsystemId=ca
+jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report
+jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/riq1Summary.html
+jobsScheduler.job.requestInQueueNotifier.summary.enabled=true
+jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=
+jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=
+jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
+jobsScheduler.job.unpublishExpiredCerts.enabled=false
+jobsScheduler.job.unpublishExpiredCerts.pluginName=UnpublishExpiredJob
+jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=Expired Certs Unpublished Summary
+jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/euJob1.html
+jobsScheduler.job.unpublishExpiredCerts.summary.enabled=true
+jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/euJob1Item.html
+jobsScheduler.job.unpublishExpiredCerts.summary.recipientEmail=
+jobsScheduler.job.unpublishExpiredCerts.summary.senderEmail=
+jss._000=##
+jss._001=## JSS
+jss._002=##
+jss.configDir=[PKI_INSTANCE_PATH]/alias/
+jss.enable=true
+jss.secmodName=secmod.db
+jss.ocspcheck.enable=false
+jss.ssl.cipherfortezza=true
+jss.ssl.cipherpref=
+jss.ssl.cipherversion=cipherdomestic
+log._000=##
+log._001=## Logging
+log._002=##
+log.impl.file.class=com.netscape.cms.logging.RollingLogFile
+log.instance.SignedAudit._000=##
+log.instance.SignedAudit._001=## Signed Audit Logging
+log.instance.SignedAudit._002=##
+log.instance.SignedAudit.bufferSize=512
+log.instance.SignedAudit.enable=true
+log.instance.SignedAudit.events._000=##
+log.instance.SignedAudit.events._001=## Available Audit events:
+log.instance.SignedAudit.events._002=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
+log.instance.SignedAudit.events._003=##
+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
+log.instance.SignedAudit.expirationTime=0
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ca_audit
+log.instance.SignedAudit.flushInterval=5
+log.instance.SignedAudit.level=1
+log.instance.SignedAudit.logSigning=false
+log.instance.SignedAudit.maxFileSize=2000
+log.instance.SignedAudit.pluginName=file
+log.instance.SignedAudit.rolloverInterval=2592000
+log.instance.SignedAudit.signedAudit=_002=##
+log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+log.instance.SignedAudit.type=signedAudit
+log.instance.System._000=##
+log.instance.System._001=## System Logging
+log.instance.System._002=##
+log.instance.System.bufferSize=512
+log.instance.System.enable=true
+log.instance.System.expirationTime=0
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.flushInterval=5
+log.instance.System.level=3
+log.instance.System.maxFileSize=2000
+log.instance.System.pluginName=file
+log.instance.System.rolloverInterval=2592000
+log.instance.System.type=system
+log.instance.Transactions._000=##
+log.instance.Transactions._001=## Transaction Logging
+log.instance.Transactions._002=##
+log.instance.Transactions.bufferSize=512
+log.instance.Transactions.enable=true
+log.instance.Transactions.expirationTime=0
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.flushInterval=5
+log.instance.Transactions.level=1
+log.instance.Transactions.maxFileSize=2000
+log.instance.Transactions.pluginName=file
+log.instance.Transactions.rolloverInterval=2592000
+log.instance.Transactions.type=transaction
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
+oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
+oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
+oidmap.challenge_password.oid=1.2.840.113549.1.9.7
+oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension
+oidmap.extended_key_usage.oid=2.5.29.37
+oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
+oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14
+oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
+oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8
+oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension
+oidmap.netscape_comment.oid=2.16.840.1.113730.1.13
+oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension
+oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5
+oidmap.pse.class=netscape.security.extensions.PresenceServerExtension
+oidmap.pse.oid=2.16.840.1.113730.1.18
+oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
+oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
+os.userid=nobody
+profile.list=caUserCert,caUserSMIMEcapCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caJarSigningCert,caIPAserviceCert
+profile.caUUIDdeviceCert.class_id=caEnrollImpl
+profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUUIDdeviceCert.cfg
+profile.caManualRenewal.class_id=caEnrollImpl
+profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caManualRenewal.cfg
+profile.caDirUserRenewal.class_id=caEnrollImpl
+profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserRenewal.cfg
+profile.caSSLClientSelfRenewal.class_id=caEnrollImpl
+profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caSSLClientSelfRenewal.cfg
+profile.DomainController.class_id=caEnrollImpl
+profile.DomainController.config=[PKI_INSTANCE_PATH]/profiles/ca/DomainController.cfg
+profile.caAgentFileSigning.class_id=caEnrollImpl
+profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentFileSigning.cfg
+profile.caAgentServerCert.class_id=caEnrollImpl
+profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentServerCert.cfg
+profile.caRAserverCert.class_id=caEnrollImpl
+profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAserverCert.cfg
+profile.caCACert.class_id=caEnrollImpl
+profile.caCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCACert.cfg
+profile.caInstallCACert.class_id=caEnrollImpl
+profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInstallCACert.cfg
+profile.caCMCUserCert.class_id=caEnrollImpl
+profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCMCUserCert.cfg
+profile.caDirUserCert.class_id=caEnrollImpl
+profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserCert.cfg
+profile.caDualCert.class_id=caEnrollImpl
+profile.caDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualCert.cfg
+profile.caDualRAuserCert.class_id=caEnrollImpl
+profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualRAuserCert.cfg
+profile.caRAagentCert.class_id=caEnrollImpl
+profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAagentCert.cfg
+profile.caFullCMCUserCert.class_id=caEnrollImpl
+profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caFullCMCUserCert.cfg
+profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
+profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthOCSPCert.cfg
+profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
+profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthAuditSigningCert.cfg
+profile.caInternalAuthServerCert.class_id=caEnrollImpl
+profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthServerCert.cfg
+profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl
+profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthSubsystemCert.cfg
+profile.caInternalAuthDRMstorageCert.class_id=caEnrollImpl
+profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthDRMstorageCert.cfg
+profile.caInternalAuthTransportCert.class_id=caEnrollImpl
+profile.caInternalAuthTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthTransportCert.cfg
+profile.caOCSPCert.class_id=caEnrollImpl
+profile.caOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOCSPCert.cfg
+profile.caOtherCert.class_id=caEnrollImpl
+profile.caOtherCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOtherCert.cfg
+profile.caRACert.class_id=caEnrollImpl
+profile.caRACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRACert.cfg
+profile.caRARouterCert.class_id=caEnrollImpl
+profile.caRARouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRARouterCert.cfg
+profile.caRouterCert.class_id=caEnrollImpl
+profile.caRouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRouterCert.cfg
+profile.caServerCert.class_id=caEnrollImpl
+profile.caServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caServerCert.cfg
+profile.caSignedLogCert.class_id=caEnrollImpl
+profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSignedLogCert.cfg
+profile.caSimpleCMCUserCert.class_id=caEnrollImpl
+profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSimpleCMCUserCert.cfg
+profile.caTPSCert.class_id=caEnrollImpl
+profile.caTPSCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTPSCert.cfg
+profile.caAdminCert.class_id=caEnrollImpl
+profile.caAdminCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAdminCert.cfg
+profile.caTempTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
+profile.caTempTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTempTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
+profile.caTokenUserEncryptionKeyRenewal.class_id=caUserCertEnrollImpl
+profile.caTokenUserEncryptionKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
+profile.caTempTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
+profile.caTokenUserSigningKeyRenewal.class_id=caUserCertEnrollImpl
+profile.caTokenUserSigningKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyRenewal.cfg
+profile.caTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenDeviceKeyEnrollment.cfg
+profile.caTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
+profile.caTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
+profile.caTokenMSLoginEnrollment.class_id=caUserCertEnrollImpl
+profile.caTokenMSLoginEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenMSLoginEnrollment.cfg
+profile.caTransportCert.class_id=caEnrollImpl
+profile.caTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTransportCert.cfg
+profile.caUserCert.class_id=caEnrollImpl
+profile.caUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserCert.cfg
+profile.caUserSMIMEcapCert.class_id=caEnrollImpl
+profile.caUserSMIMEcapCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserSMIMEcapCert.cfg
+profile.caJarSigningCert.class_id=caEnrollImpl
+profile.caJarSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caJarSigningCert.cfg
+profile.caIPAserviceCert.class_id=caEnrollImpl
+profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caIPAserviceCert.cfg
+registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg
+request.assignee.enable=true
+selftests._000=##
+selftests._001=## Self Tests
+selftests._002=##
+selftests._003=## The Self-Test plugin SystemCertsVerification uses the
+selftests._004=## following parameters (where certusage is optional):
+selftests._005=## ca.cert.list =
+selftests._006=## ca.cert..nickname
+selftests._007=## ca.cert..certusage
+selftests._008=##
+selftests.container.instance.CAPresence=com.netscape.cms.selftests.ca.CAPresence
+selftests.container.instance.CAValidity=com.netscape.cms.selftests.ca.CAValidity
+selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification
+selftests.container.logger.bufferSize=512
+selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
+selftests.container.logger.enable=true
+selftests.container.logger.expirationTime=0
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.flushInterval=5
+selftests.container.logger.level=1
+selftests.container.logger.maxFileSize=2000
+selftests.container.logger.register=false
+selftests.container.logger.rolloverInterval=2592000
+selftests.container.logger.type=transaction
+selftests.container.order.onDemand=CAPresence:critical, SystemCertsVerification:critical, CAValidity:critical
+selftests.container.order.startup=CAPresence:critical, SystemCertsVerification:critical
+selftests.plugin.CAPresence.CaSubId=ca
+selftests.plugin.CAValidity.CaSubId=ca
+selftests.plugin.SystemCertsVerification.SubId=ca
+smtp.host=localhost
+smtp.port=25
+subsystem.0.class=com.netscape.ca.CertificateAuthority
+subsystem.0.id=ca
+subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem
+subsystem.1.id=profile
+subsystem.2.class=com.netscape.cmscore.selftests.SelfTestSubsystem
+subsystem.2.id=selftests
+subsystem.3.class=com.netscape.cmscore.cert.CrossCertPairSubsystem
+subsystem.3.id=CrossCertPair
+subsystem.4.class=com.netscape.cmscore.util.StatsSubsystem
+subsystem.4.id=stats
+usrgrp._000=##
+usrgrp._001=## User/Group
+usrgrp._002=##
+usrgrp.ldap=internaldb
+multiroles._000=##
+multiroles._001=## multiroles
+multiroles._002=##
+multiroles.enable=true
+multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group
diff --git a/pki/base/ca/src/CMakeLists.txt b/pki/base/ca/src/CMakeLists.txt
index ab40e63b..f8e68c4f 100644
--- a/pki/base/ca/src/CMakeLists.txt
+++ b/pki/base/ca/src/CMakeLists.txt
@@ -1,21 +1,31 @@
 project(ca_java Java)
+# '/usr/share/java' jars
+find_file(LDAPJDK_JAR
+ NAMES
+ ldapjdk.jar
+ PATHS
+ /usr/share/java
+)
+
+
+# '/usr/lib/java' jars
 find_file(JSS_JAR
 NAMES
 jss4.jar
 PATHS
 /usr/lib/java
- /usr/share/java
 )
-find_file(LDAPJDK_JAR
+find_file(OSUTIL_JAR
 NAMES
- ldapjdk.jar
+ osutil.jar
 PATHS
 /usr/lib/java
- /usr/share/java
 )
+
+# identify java sources
 set(ca_java_SRCS
 com/netscape/ca/CMSCRLExtensions.java
 com/netscape/ca/CAService.java
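Review bot: The three find_file() searches added here (LDAPJDK_JAR, JSS_JAR, OSUTIL_JAR) have no not-found handling, so a missing jar leaves a `…-NOTFOUND` value in the variable, the next hunk appends it to CMAKE_JAVA_INCLUDE_PATH, and javac later fails on a bogus classpath entry instead of configure stopping with a clear message. Since REQUIRED on find_file needs a newer CMake than this tree appears to target, add after each search `if(NOT LDAPJDK_JAR)` / `message(FATAL_ERROR "ldapjdk.jar not found")` / `endif()`, and the same for the other two. Separately, OSUTIL_JAR now resolves to a system-installed osutil.jar while add_dependencies(ca …) in the next hunk still orders this target after the in-tree osutil build, so which jar actually ends up on the classpath depends on whether an earlier subdirectory has already cached OSUTIL_JAR; if the in-tree jar is the intended input, the search should be dropped rather than left to resolve whatever is on the host. The same find_file-versus-add_dependencies pattern applies to NSUTIL_JAR in pki/base/console/src/CMakeLists.txt.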
@@ -26,13 +36,21 @@ set(ca_java_SRCS
 com/netscape/ca/CertificateAuthority.java
 )
+
+# set classpath
 set(CMAKE_JAVA_INCLUDE_PATH
- ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR} ${CMSUTIL_JAR}
- ${OSUTIL_JAR} ${SYMKEY_JAR} ${CMS_JAR} ${CMSCORE_JAR}
- ${CERTSRV_JAR})
+ ${CERTSRV_JAR} ${CMS_JAR} ${CMSCORE_JAR} ${CMSUTIL_JAR} ${NSUTIL_JAR}
+ ${LDAPJDK_JAR}
+ ${JSS_JAR} ${OSUTIL_JAR} ${SYMKEY_JAR})
+
+
+# set version
 set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
+
+# build ca.jar
 add_jar(ca ${ca_java_SRCS})
-add_dependencies(ca nsutil cmsutil osutil symkey cms cmscore certsrv)
+add_dependencies(ca osutil symkey nsutil cmsutil certsrv cms cmscore)
 install_jar(ca ${JAVA_JAR_INSTALL_DIR})
 set(CA_JAR ${ca_JAR_FILE} CACHE INTERNAL "ca jar file")
+
diff --git a/pki/base/console/src/CMakeLists.txt b/pki/base/console/src/CMakeLists.txt
index ff17efc0..076f1807 100644
--- a/pki/base/console/src/CMakeLists.txt
+++ b/pki/base/console/src/CMakeLists.txt
@@ -1,24 +1,27 @@
-project(console_java Java)
+project(pki_console_java Java)
-find_file(JSS_JAR
+# '/usr/share/java/pki' jars
+find_file(NSUTIL_JAR
 NAMES
- jss4.jar
+ nsutil.jar
 PATHS
 /usr/lib/java
- /usr/share/java
+ /usr/share/java/pki
 )
-find_file(LDAPJDK_JAR
+
+# '/usr/share/java' jars
+find_file(BASE_JAR
 NAMES
- ldapjdk.jar
+ idm-console-base.jar
 PATHS
 /usr/lib/java
 /usr/share/java
 )
-find_file(BASE_JAR
+find_file(LDAPJDK_JAR
 NAMES
- idm-console-base.jar
+ ldapjdk.jar
 PATHS
 /usr/lib/java
 /usr/share/java
@@ -56,7 +59,19 @@ find_file(NMCLF_EN_JAR
 /usr/share/java
 )
-set(console_java_SRCS
+
+# '/usr/lib/java' jars
+find_file(JSS_JAR
+ NAMES
+ jss4.jar
+ PATHS
+ /usr/lib/java
+ /usr/share/java
+)
+
+
+# identify java sources
+set(pki_console_java_SRCS
 com/netscape/certsrv/common/TaskId.java
 com/netscape/certsrv/common/DestDef.java
 com/netscape/certsrv/common/NameValuePairs.java
@@ -578,13 +593,22 @@ set(console_java_SRCS
 com/netscape/admin/certsrv/IUIMapper.java
 )
+
+# set classpath
 set(CMAKE_JAVA_INCLUDE_PATH
- ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR}
- ${BASE_JAR} ${MMC_JAR} ${MMC_EN_JAR}
- ${NMCLF_JAR} ${NMCLF_EN_JAR})
+ ${BASE_JAR} ${LDAPJDK_JAR} ${MMC_JAR}
+ ${MMC_EN_JAR} ${NMCLF_JAR} ${NMCLF_EN_JAR}
+ ${NSUTIL_JAR}
+ ${JSS_JAR})
+
+
+# set version
 set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
-add_jar(console ${console_java_SRCS})
-add_dependencies(console nsutil)
-install_jar(console ${JAVA_JAR_INSTALL_DIR}/pki)
-set(CONSOLE_JAR ${console_JAR_FILE} CACHE INTERNAL "console jar file")
+
+# build pki-console.jar
+add_jar(pki-console ${pki_console_java_SRCS})
+add_dependencies(pki-console nsutil)
+install_jar(pki-console ${JAVA_JAR_INSTALL_DIR})
+set(PKI_CONSOLE_JAR ${pki_console_JAR_FILE} CACHE INTERNAL "pki-console jar file")
+
diff --git a/pki/base/kra/CMakeLists.txt b/pki/base/kra/CMakeLists.txt
index 5155a84e..dc2564c9 100644
--- a/pki/base/kra/CMakeLists.txt
+++ b/pki/base/kra/CMakeLists.txt
@@ -2,6 +2,7 @@ project(kra Java)
 add_subdirectory(src)
 add_subdirectory(setup)
+add_subdirectory(shared/conf)
 # install init script
 install(
@@ -25,6 +26,8 @@ install(
 "CMakeLists.txt" EXCLUDE
 PATTERN
 "etc/*" EXCLUDE
+ PATTERN
+ "conf/CS.cfg.in" EXCLUDE
 )
 # install empty directories
diff --git a/pki/base/kra/shared/conf/CMakeLists.txt b/pki/base/kra/shared/conf/CMakeLists.txt
new file mode 100644
index 00000000..e3cef591
--- /dev/null
+++ b/pki/base/kra/shared/conf/CMakeLists.txt
@@ -0,0 +1,12 @@
+set(VERSION ${APPLICATION_VERSION})
+set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR})
+set(MINOR_VERSION ${APPLICATION_VERSION_MINOR})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+ FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
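Review bot: `${pki_console_JAR_FILE}` on the last added line of the console hunk is very likely empty: as far as I know UseJava's add_jar() names its output variable after the target, and the target is now `pki-console`, so the variable it sets is `pki-console_JAR_FILE` (a hyphen is legal inside a `${…}` reference). As written PKI_CONSOLE_JAR is cached as an empty string and anything that later puts it on a classpath or installs it silently gets nothing. Change the line to `set(PKI_CONSOLE_JAR ${pki-console_JAR_FILE} CACHE INTERNAL "pki-console jar file")`, or keep an underscore target name and produce the hyphenated jar name via add_jar's OUTPUT_NAME option if the CMake version this tree requires has it.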
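Review bot: The new pki/base/kra/shared/conf/CMakeLists.txt sets MAJOR_VERSION and MINOR_VERSION, but the only substitution visible in the accompanying CS.cfg.in is `@VERSION@` (`preop.product.version=@VERSION@`), so those two look unused; if the rest of the template does not reference them, drop them, and either way a header comment such as `# Generate CS.cfg from CS.cfg.in (only @VAR@ is expanded, so the [PKI_*] placeholders survive) and install it under the kra conf dir` would tell a reader why @ONLY is used. The bare names VERSION, MAJOR_VERSION and MINOR_VERSION are also easy to collide with in a tree that nests several project() calls; a project-prefixed name (e.g. `PKI_KRA_VERSION`) keeps the intent clear. Routing the generated file through ${CMAKE_CURRENT_BINARY_DIR} rather than the source tree is the right call and worth keeping as the pattern for the other subsystems.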
diff --git a/pki/base/kra/shared/conf/CS.cfg b/pki/base/kra/shared/conf/CS.cfg
deleted file mode 100644
index 56944d5f..00000000
--- a/pki/base/kra/shared/conf/CS.cfg
+++ /dev/null
@@ -1,368 +0,0 @@ -pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] -pkicreate.pki_instance_name=[PKI_INSTANCE_ID] -pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] -pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT] -pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT] -pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT] -pkicreate.secure_port=[PKI_SECURE_PORT] -pkicreate.unsecure_port=[PKI_UNSECURE_PORT] -pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT] -pkicreate.user=[PKI_USER] -pkicreate.group=[PKI_GROUP] -pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -installDate=[INSTALL_TIME] -preop.wizard.name=DRM Setup Wizard -preop.product.name=CS -preop.product.version= -preop.system.name=DRM -preop.system.fullname=Data Recovery Manager -cs.state=0 -cs.type=KRA -admin.interface.uri=kra/admin/console/config/wizard -agent.interface.uri=kra/agent/kra -authType=pwd -preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445 -instanceRoot=[PKI_INSTANCE_PATH] -machineName=[PKI_MACHINE_NAME] -instanceId=[PKI_INSTANCE_ID] -service.machineName=[PKI_MACHINE_NAME] -service.instanceDir=[PKI_INSTANCE_ROOT] -service.securePort=[PKI_AGENT_SECURE_PORT] -service.non_clientauth_securePort=[PKI_EE_SECURE_PORT] -service.unsecurePort=[PKI_UNSECURE_PORT] -service.instanceID=[PKI_INSTANCE_ID] -preop.admin.name=Data Recovery Manager Administrator -preop.admin.group=Data Recovery Manager Agents -preop.admincert.profile=caAdminCert -preop.pin=[PKI_RANDOM_NUMBER] -kra.cert.list=transport,storage,sslserver,subsystem,audit_signing -preop.cert.list=transport,storage,sslserver,subsystem,audit_signing -preop.cert.transport.enable=true -preop.cert.storage.enable=true -preop.cert.sslserver.enable=true -preop.cert.subsystem.enable=true -preop.cert.audit_signing.enable=true -preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA -preop.cert.audit_signing.dn=CN=DRM Audit Signing Certificate -preop.cert.audit_signing.keysize.custom_size=2048 
-preop.cert.audit_signing.keysize.size=2048 -preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID] -preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert -preop.cert.audit_signing.signing.required=false -preop.cert.audit_signing.subsystem=kra -preop.cert.audit_signing.type=remote -preop.cert.audit_signing.userfriendlyname=DRM Audit Signing Certificate -preop.cert.audit_signing.cncomponent.override=true -preop.cert.storage.defaultSigningAlgorithm=SHA256withRSA -preop.cert.storage.dn=CN=DRM Storage Certificate -preop.cert.storage.keysize.custom_size=2048 -preop.cert.storage.keysize.size=2048 -preop.cert.storage.nickname=storageCert cert-[PKI_INSTANCE_ID] -preop.cert.storage.profile=caInternalAuthDRMstorageCert -preop.cert.storage.signing.required=false -preop.cert.storage.subsystem=kra -preop.cert.storage.type=remote -preop.cert.storage.userfriendlyname=Storage Certificate -preop.cert.storage.cncomponent.override=true -preop.cert.transport.defaultSigningAlgorithm=SHA256withRSA -preop.cert.transport.dn=CN=DRM Transport Certificate -preop.cert.transport.keysize.custom_size=2048 -preop.cert.transport.keysize.size=2048 -preop.cert.transport.nickname=transportCert cert-[PKI_INSTANCE_ID] -preop.cert.transport.profile=caInternalAuthTransportCert -preop.cert.transport.signing.required=true -preop.cert.transport.subsystem=kra -preop.cert.transport.type=remote -preop.cert.transport.userfriendlyname=Transport Certificate -preop.cert.transport.cncomponent.override=true -preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA -preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME] -preop.cert.sslserver.keysize.custom_size=2048 -preop.cert.sslserver.keysize.size=2048 -preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] -preop.cert.sslserver.profile=caInternalAuthServerCert -preop.cert.sslserver.signing.required=false -preop.cert.sslserver.subsystem=kra -preop.cert.sslserver.type=remote -preop.cert.sslserver.userfriendlyname=SSL Server 
Certificate -preop.cert.sslserver.cncomponent.override=false -preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA -preop.cert.subsystem.dn=CN=DRM Subsystem Certificate -preop.cert.subsystem.keysize.custom_size=2048 -preop.cert.subsystem.keysize.size=2048 -preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -preop.cert.subsystem.profile=caInternalAuthSubsystemCert -preop.cert.subsystem.signing.required=false -preop.cert.subsystem.subsystem=kra -preop.cert.subsystem.type=remote -preop.cert.subsystem.userfriendlyname=Subsystem Certificate -preop.cert.subsystem.cncomponent.override=true -preop.hierarchy.profile=caCert.profile -preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module -preop.configModules.module0.commonName=NSS Internal PKCS #11 Module -preop.configModules.module0.imagePath=../img/clearpixel.gif -preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module -preop.configModules.module1.commonName=nfast -preop.configModules.module1.imagePath=../img/clearpixel.gif -preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module -preop.configModules.module2.commonName=lunasa -preop.configModules.module2.imagePath=../img/clearpixel.gif -preop.configModules.count=3 -preop.module.token=Internal Key Storage Token -passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf -passwordClass=com.netscape.cmsutil.password.PlainPasswordFile -multiroles=true -multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group -CrossCertPair._000=## -CrossCertPair._001=## CrossCertPair Import -CrossCertPair._002=## 
-CrossCertPair.ldap=internaldb -accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator -accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator -accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator -auths._000=## -auths._001=## new authentication -auths._002=## -auths.impl._000=## -auths.impl._001=## authentication manager implementations -auths.impl._002=## -auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication -auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth -auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth -auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll -auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication -auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication -auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication -auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication -auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents -auths.instance.AgentCertAuth.pluginName=AgentCertAuth -auths.instance.TokenAuth.pluginName=TokenAuth -auths.revocationChecking.bufferSize=50 -auths.revocationChecking.enabled=false -auths.revocationChecking.kra=kra -authz._000=## -authz._001=## new authorizatioin -authz._002=## -authz.evaluateOrder=deny,allow -authz.sourceType=ldap -authz.impl._000=## -authz.impl._001=## authorization manager implementations -authz.impl._002=## -authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz -authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz -authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz -authz.instance.DirAclAuthz.ldap=internaldb -authz.instance.DirAclAuthz.pluginName=DirAclAuthz -authz.instance.DirAclAuthz.ldap._000=## -authz.instance.DirAclAuthz.ldap._001=## Internal Database 
-authz.instance.DirAclAuthz.ldap._002=## -cmc.cert.confirmRequired=false -cmc.lraPopWitness.verify.allow=true -cmc.revokeCert.verify=true -cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret -cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret -cms.version= -dbs.enableSerialManagement=false -dbs.beginRequestNumber=1 -dbs.endRequestNumber=10000000 -dbs.requestIncrement=10000000 -dbs.requestLowWaterMark=2000000 -dbs.requestCloneTransferNumber=10000 -dbs.requestDN=ou=kra, ou=requests -dbs.requestRangeDN=ou=requests, ou=ranges -dbs.beginSerialNumber=1 -dbs.endSerialNumber=10000000 -dbs.serialIncrement=10000000 -dbs.serialLowWaterMark=2000000 -dbs.serialCloneTransferNumber=10000 -dbs.serialDN=ou=keyRepository, ou=kra -dbs.serialRangeDN=ou=keyRepository, ou=ranges -dbs.beginReplicaNumber=1 -dbs.endReplicaNumber=100 -dbs.replicaIncrement=100 -dbs.replicaLowWaterMark=20 -dbs.replicaCloneTransferNumber=5 -dbs.replicaDN=ou=replica -dbs.replicaRangeDN=ou=replica, ou=ranges -dbs.ldap=internaldb -dbs.newSchemaEntryAdded=true -debug.append=true -debug.enabled=true -debug.filename=[PKI_INSTANCE_PATH]/logs/debug -debug.hashkeytypes= -debug.level=0 -debug.showcaller=false -keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 -keys.ecc.curve.default=nistp521 
-keys.rsa.keysize.default=2048 -internaldb._000=## -internaldb._001=## Internal Database -internaldb._002=## -internaldb.maxConns=15 -internaldb.minConns=3 -internaldb.ldapauth.authtype=BasicAuth -internaldb.ldapauth.bindDN=cn=Directory Manager -internaldb.ldapauth.bindPWPrompt=Internal LDAP Database -internaldb.ldapauth.clientCertNickname= -internaldb.ldapconn.host= -internaldb.ldapconn.port= -internaldb.ldapconn.secureConn=false -preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/schema.ldif -preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/database.ldif -preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/db.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/acl.ldif -preop.internaldb.index_ldif= -preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/index.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlvtasks.ldif -preop.internaldb.wait_dn=cn=index1160527115, cn=index, cn=tasks, cn=config -internaldb.multipleSuffix.enable=false -jobsScheduler._000=## -jobsScheduler._001=## jobScheduler -jobsScheduler._002=## -jobsScheduler.enabled=false -jobsScheduler.interval=1 -jss._000=## -jss._001=## JSS -jss._002=## -jss.configDir=[PKI_INSTANCE_PATH]/alias/ -jss.enable=true -jss.secmodName=secmod.db -jss.ocspcheck.enable=false -jss.ssl.cipherfortezza=true -jss.ssl.cipherpref= -jss.ssl.cipherversion=cipherdomestic -kra.Policy._000=## -kra.Policy._001=## Certificate Policy Framework (deprecated) -kra.Policy._002=## -kra.Policy._003=## Set 'kra.Policy.enable=true' to allow the following: -kra.Policy._004=## -kra.Policy._005=## SERVLET-NAME URL-PATTERN -kra.Policy._006=## ==================================================== -kra.Policy._007=## krapolicy kra/krapolicy -kra.Policy._008=## -kra.Policy.enable=false -kra.keySplitting=false -kra.noOfRequiredRecoveryAgents=1 -kra.recoveryAgentGroup=Data Recovery Manager Agents -kra.reqdbInc=20 -kra.entropy.bitsperkeypair=0 -kra.entropy.blockwarnms=0 
-kra.storageUnit.nickName=storageCert cert-[PKI_INSTANCE_ID] -kra.transportUnit.nickName=transportCert cert-[PKI_INSTANCE_ID] -log._000=## -log._001=## Logging -log._002=## -log.impl.file.class=com.netscape.cms.logging.RollingLogFile -log.instance.SignedAudit._000=## -log.instance.SignedAudit._001=## Signed Audit Logging -log.instance.SignedAudit._002=## -log.instance.SignedAudit.bufferSize=512 -log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events._000=## -log.instance.SignedAudit.events._001=## Available Audit events: -log.instance.SignedAudit.events._002=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION -log.instance.SignedAudit.events._003=## -log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION -log.instance.SignedAudit.expirationTime=0 -log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/kra_cert-kra_audit -log.instance.SignedAudit.flushInterval=5 -log.instance.SignedAudit.level=1 -log.instance.SignedAudit.logSigning=false -log.instance.SignedAudit.maxFileSize=2000 -log.instance.SignedAudit.pluginName=file -log.instance.SignedAudit.rolloverInterval=2592000 -log.instance.SignedAudit.signedAudit:_000=## -log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow KRA audit logs to be signed -log.instance.SignedAudit.signedAudit:_002=## -log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID] -log.instance.SignedAudit.type=signedAudit -log.instance.System._000=## -log.instance.System._001=## System Logging -log.instance.System._002=## -log.instance.System.bufferSize=512 -log.instance.System.enable=true -log.instance.System.expirationTime=0 -log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system -log.instance.System.flushInterval=5 -log.instance.System.level=3 -log.instance.System.maxFileSize=2000 -log.instance.System.pluginName=file -log.instance.System.rolloverInterval=2592000 -log.instance.System.type=system -log.instance.Transactions._000=## -log.instance.Transactions._001=## Transaction Logging -log.instance.Transactions._002=## -log.instance.Transactions.bufferSize=512 -log.instance.Transactions.enable=true -log.instance.Transactions.expirationTime=0 
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions -log.instance.Transactions.flushInterval=5 -log.instance.Transactions.level=1 -log.instance.Transactions.maxFileSize=2000 -log.instance.Transactions.pluginName=file -log.instance.Transactions.rolloverInterval=2592000 -log.instance.Transactions.type=transaction -logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access -logError.fileName=[PKI_INSTANCE_PATH]/logs/error -oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension -oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1 -oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword -oidmap.challenge_password.oid=1.2.840.113549.1.9.7 -oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension -oidmap.extended_key_usage.oid=2.5.29.37 -oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested -oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14 -oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested -oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8 -oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension -oidmap.netscape_comment.oid=2.16.840.1.113730.1.13 -oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension -oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5 -oidmap.pse.class=netscape.security.extensions.PresenceServerExtension -oidmap.pse.oid=2.16.840.1.113730.1.18 -oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension -oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 -os.serverName=cert-[PKI_INSTANCE_ID] -os.userid=nobody -registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg -selftests._000=## -selftests._001=## Self Tests -selftests._002=## -selftests._003=## The Self-Test plugin SystemCertsVerification uses the -selftests._004=## following parameters (where certusage is optional): -selftests._005=## 
kra.cert.list = -selftests._006=## kra.cert..nickname -selftests._007=## kra.cert..certusage -selftests._008=## -selftests.container.instance.KRAPresence=com.netscape.cms.selftests.kra.KRAPresence -selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification -selftests.container.logger.bufferSize=512 -selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile -selftests.container.logger.enable=true -selftests.container.logger.expirationTime=0 -selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log -selftests.container.logger.flushInterval=5 -selftests.container.logger.level=1 -selftests.container.logger.maxFileSize=2000 -selftests.container.logger.register=false -selftests.container.logger.rolloverInterval=2592000 -selftests.container.logger.type=transaction -selftests.container.order.onDemand=KRAPresence:critical -selftests.container.order.startup=SystemCertsVerification:critical -selftests.plugin.KRAPresence.SubId=kra -selftests.plugin.SystemCertsVerification.SubId=kra -smtp.host=localhost -smtp.port=25 -subsystem.0.class=com.netscape.kra.KeyRecoveryAuthority -subsystem.0.id=kra -subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem -subsystem.1.id=selftests -subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem -subsystem.2.id=stats -usrgrp._000=## -usrgrp._001=## User/Group -usrgrp._002=## -usrgrp.ldap=internaldb -multiroles._000=## -multiroles._001=## multiroles -multiroles._002=## -multiroles.enable=true -multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group 
diff --git a/pki/base/kra/shared/conf/CS.cfg.in b/pki/base/kra/shared/conf/CS.cfg.in
new file mode 100644
index 00000000..05ed8ce0
--- /dev/null
+++ b/pki/base/kra/shared/conf/CS.cfg.in
@@ -0,0 +1,368 @@ +pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] +pkicreate.pki_instance_name=[PKI_INSTANCE_ID] +pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] +pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT] +pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT] +pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT] +pkicreate.secure_port=[PKI_SECURE_PORT] +pkicreate.unsecure_port=[PKI_UNSECURE_PORT] +pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT] +pkicreate.user=[PKI_USER] +pkicreate.group=[PKI_GROUP] +pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] +installDate=[INSTALL_TIME] +preop.wizard.name=DRM Setup Wizard +preop.product.name=CS +preop.product.version=@VERSION@ +preop.system.name=DRM +preop.system.fullname=Data Recovery Manager +cs.state=0 +cs.type=KRA +admin.interface.uri=kra/admin/console/config/wizard +agent.interface.uri=kra/agent/kra +authType=pwd +preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445 +instanceRoot=[PKI_INSTANCE_PATH] +machineName=[PKI_MACHINE_NAME] +instanceId=[PKI_INSTANCE_ID] +service.machineName=[PKI_MACHINE_NAME] +service.instanceDir=[PKI_INSTANCE_ROOT] +service.securePort=[PKI_AGENT_SECURE_PORT] +service.non_clientauth_securePort=[PKI_EE_SECURE_PORT] +service.unsecurePort=[PKI_UNSECURE_PORT] +service.instanceID=[PKI_INSTANCE_ID] +preop.admin.name=Data Recovery Manager Administrator +preop.admin.group=Data Recovery Manager Agents +preop.admincert.profile=caAdminCert +preop.pin=[PKI_RANDOM_NUMBER] +kra.cert.list=transport,storage,sslserver,subsystem,audit_signing +preop.cert.list=transport,storage,sslserver,subsystem,audit_signing +preop.cert.transport.enable=true +preop.cert.storage.enable=true +preop.cert.sslserver.enable=true +preop.cert.subsystem.enable=true +preop.cert.audit_signing.enable=true +preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA +preop.cert.audit_signing.dn=CN=DRM Audit Signing Certificate +preop.cert.audit_signing.keysize.custom_size=2048 
+preop.cert.audit_signing.keysize.size=2048 +preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID] +preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert +preop.cert.audit_signing.signing.required=false +preop.cert.audit_signing.subsystem=kra +preop.cert.audit_signing.type=remote +preop.cert.audit_signing.userfriendlyname=DRM Audit Signing Certificate +preop.cert.audit_signing.cncomponent.override=true +preop.cert.storage.defaultSigningAlgorithm=SHA256withRSA +preop.cert.storage.dn=CN=DRM Storage Certificate +preop.cert.storage.keysize.custom_size=2048 +preop.cert.storage.keysize.size=2048 +preop.cert.storage.nickname=storageCert cert-[PKI_INSTANCE_ID] +preop.cert.storage.profile=caInternalAuthDRMstorageCert +preop.cert.storage.signing.required=false +preop.cert.storage.subsystem=kra +preop.cert.storage.type=remote +preop.cert.storage.userfriendlyname=Storage Certificate +preop.cert.storage.cncomponent.override=true +preop.cert.transport.defaultSigningAlgorithm=SHA256withRSA +preop.cert.transport.dn=CN=DRM Transport Certificate +preop.cert.transport.keysize.custom_size=2048 +preop.cert.transport.keysize.size=2048 +preop.cert.transport.nickname=transportCert cert-[PKI_INSTANCE_ID] +preop.cert.transport.profile=caInternalAuthTransportCert +preop.cert.transport.signing.required=true +preop.cert.transport.subsystem=kra +preop.cert.transport.type=remote +preop.cert.transport.userfriendlyname=Transport Certificate +preop.cert.transport.cncomponent.override=true +preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA +preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME] +preop.cert.sslserver.keysize.custom_size=2048 +preop.cert.sslserver.keysize.size=2048 +preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] +preop.cert.sslserver.profile=caInternalAuthServerCert +preop.cert.sslserver.signing.required=false +preop.cert.sslserver.subsystem=kra +preop.cert.sslserver.type=remote +preop.cert.sslserver.userfriendlyname=SSL Server 
Certificate +preop.cert.sslserver.cncomponent.override=false +preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA +preop.cert.subsystem.dn=CN=DRM Subsystem Certificate +preop.cert.subsystem.keysize.custom_size=2048 +preop.cert.subsystem.keysize.size=2048 +preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] +preop.cert.subsystem.profile=caInternalAuthSubsystemCert +preop.cert.subsystem.signing.required=false +preop.cert.subsystem.subsystem=kra +preop.cert.subsystem.type=remote +preop.cert.subsystem.userfriendlyname=Subsystem Certificate +preop.cert.subsystem.cncomponent.override=true +preop.hierarchy.profile=caCert.profile +preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module +preop.configModules.module0.commonName=NSS Internal PKCS #11 Module +preop.configModules.module0.imagePath=../img/clearpixel.gif +preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module +preop.configModules.module1.commonName=nfast +preop.configModules.module1.imagePath=../img/clearpixel.gif +preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module +preop.configModules.module2.commonName=lunasa +preop.configModules.module2.imagePath=../img/clearpixel.gif +preop.configModules.count=3 +preop.module.token=Internal Key Storage Token +passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf +passwordClass=com.netscape.cmsutil.password.PlainPasswordFile +multiroles=true +multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group +CrossCertPair._000=## +CrossCertPair._001=## CrossCertPair Import +CrossCertPair._002=## 
+CrossCertPair.ldap=internaldb +accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator +accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator +accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator +auths._000=## +auths._001=## new authentication +auths._002=## +auths.impl._000=## +auths.impl._001=## authentication manager implementations +auths.impl._002=## +auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication +auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth +auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth +auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll +auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication +auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication +auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication +auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication +auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents +auths.instance.AgentCertAuth.pluginName=AgentCertAuth +auths.instance.TokenAuth.pluginName=TokenAuth +auths.revocationChecking.bufferSize=50 +auths.revocationChecking.enabled=false +auths.revocationChecking.kra=kra +authz._000=## +authz._001=## new authorizatioin +authz._002=## +authz.evaluateOrder=deny,allow +authz.sourceType=ldap +authz.impl._000=## +authz.impl._001=## authorization manager implementations +authz.impl._002=## +authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz +authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz +authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz +authz.instance.DirAclAuthz.ldap=internaldb +authz.instance.DirAclAuthz.pluginName=DirAclAuthz +authz.instance.DirAclAuthz.ldap._000=## +authz.instance.DirAclAuthz.ldap._001=## Internal Database 
+authz.instance.DirAclAuthz.ldap._002=## +cmc.cert.confirmRequired=false +cmc.lraPopWitness.verify.allow=true +cmc.revokeCert.verify=true +cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret +cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret +cms.version=@MAJOR_VERSION@.@MINOR_VERSION@ +dbs.enableSerialManagement=false +dbs.beginRequestNumber=1 +dbs.endRequestNumber=10000000 +dbs.requestIncrement=10000000 +dbs.requestLowWaterMark=2000000 +dbs.requestCloneTransferNumber=10000 +dbs.requestDN=ou=kra, ou=requests +dbs.requestRangeDN=ou=requests, ou=ranges +dbs.beginSerialNumber=1 +dbs.endSerialNumber=10000000 +dbs.serialIncrement=10000000 +dbs.serialLowWaterMark=2000000 +dbs.serialCloneTransferNumber=10000 +dbs.serialDN=ou=keyRepository, ou=kra +dbs.serialRangeDN=ou=keyRepository, ou=ranges +dbs.beginReplicaNumber=1 +dbs.endReplicaNumber=100 +dbs.replicaIncrement=100 +dbs.replicaLowWaterMark=20 +dbs.replicaCloneTransferNumber=5 +dbs.replicaDN=ou=replica +dbs.replicaRangeDN=ou=replica, ou=ranges +dbs.ldap=internaldb +dbs.newSchemaEntryAdded=true +debug.append=true +debug.enabled=true +debug.filename=[PKI_INSTANCE_PATH]/logs/debug +debug.hashkeytypes= +debug.level=0 +debug.showcaller=false +keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 
+keys.ecc.curve.default=nistp521 +keys.rsa.keysize.default=2048 +internaldb._000=## +internaldb._001=## Internal Database +internaldb._002=## +internaldb.maxConns=15 +internaldb.minConns=3 +internaldb.ldapauth.authtype=BasicAuth +internaldb.ldapauth.bindDN=cn=Directory Manager +internaldb.ldapauth.bindPWPrompt=Internal LDAP Database +internaldb.ldapauth.clientCertNickname= +internaldb.ldapconn.host= +internaldb.ldapconn.port= +internaldb.ldapconn.secureConn=false +preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/schema.ldif +preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/database.ldif +preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/db.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/acl.ldif +preop.internaldb.index_ldif= +preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/index.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlvtasks.ldif +preop.internaldb.wait_dn=cn=index1160527115, cn=index, cn=tasks, cn=config +internaldb.multipleSuffix.enable=false +jobsScheduler._000=## +jobsScheduler._001=## jobScheduler +jobsScheduler._002=## +jobsScheduler.enabled=false +jobsScheduler.interval=1 +jss._000=## +jss._001=## JSS +jss._002=## +jss.configDir=[PKI_INSTANCE_PATH]/alias/ +jss.enable=true +jss.secmodName=secmod.db +jss.ocspcheck.enable=false +jss.ssl.cipherfortezza=true +jss.ssl.cipherpref= +jss.ssl.cipherversion=cipherdomestic +kra.Policy._000=## +kra.Policy._001=## Certificate Policy Framework (deprecated) +kra.Policy._002=## +kra.Policy._003=## Set 'kra.Policy.enable=true' to allow the following: +kra.Policy._004=## +kra.Policy._005=## SERVLET-NAME URL-PATTERN +kra.Policy._006=## ==================================================== +kra.Policy._007=## krapolicy kra/krapolicy +kra.Policy._008=## +kra.Policy.enable=false +kra.keySplitting=false +kra.noOfRequiredRecoveryAgents=1 +kra.recoveryAgentGroup=Data Recovery Manager Agents +kra.reqdbInc=20 +kra.entropy.bitsperkeypair=0 +kra.entropy.blockwarnms=0 
+kra.storageUnit.nickName=storageCert cert-[PKI_INSTANCE_ID] +kra.transportUnit.nickName=transportCert cert-[PKI_INSTANCE_ID] +log._000=## +log._001=## Logging +log._002=## +log.impl.file.class=com.netscape.cms.logging.RollingLogFile +log.instance.SignedAudit._000=## +log.instance.SignedAudit._001=## Signed Audit Logging +log.instance.SignedAudit._002=## +log.instance.SignedAudit.bufferSize=512 +log.instance.SignedAudit.enable=true +log.instance.SignedAudit.events._000=## +log.instance.SignedAudit.events._001=## Available Audit events: +log.instance.SignedAudit.events._002=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION +log.instance.SignedAudit.events._003=## +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION +log.instance.SignedAudit.expirationTime=0 +log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/kra_cert-kra_audit +log.instance.SignedAudit.flushInterval=5 +log.instance.SignedAudit.level=1 +log.instance.SignedAudit.logSigning=false +log.instance.SignedAudit.maxFileSize=2000 +log.instance.SignedAudit.pluginName=file +log.instance.SignedAudit.rolloverInterval=2592000 +log.instance.SignedAudit.signedAudit:_000=## +log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow KRA audit logs to be signed +log.instance.SignedAudit.signedAudit:_002=## +log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID] +log.instance.SignedAudit.type=signedAudit +log.instance.System._000=## +log.instance.System._001=## System Logging +log.instance.System._002=## +log.instance.System.bufferSize=512 +log.instance.System.enable=true +log.instance.System.expirationTime=0 +log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system +log.instance.System.flushInterval=5 +log.instance.System.level=3 +log.instance.System.maxFileSize=2000 +log.instance.System.pluginName=file +log.instance.System.rolloverInterval=2592000 +log.instance.System.type=system +log.instance.Transactions._000=## +log.instance.Transactions._001=## Transaction Logging +log.instance.Transactions._002=## +log.instance.Transactions.bufferSize=512 +log.instance.Transactions.enable=true +log.instance.Transactions.expirationTime=0 
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions +log.instance.Transactions.flushInterval=5 +log.instance.Transactions.level=1 +log.instance.Transactions.maxFileSize=2000 +log.instance.Transactions.pluginName=file +log.instance.Transactions.rolloverInterval=2592000 +log.instance.Transactions.type=transaction +logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access +logError.fileName=[PKI_INSTANCE_PATH]/logs/error +oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension +oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1 +oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword +oidmap.challenge_password.oid=1.2.840.113549.1.9.7 +oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension +oidmap.extended_key_usage.oid=2.5.29.37 +oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested +oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14 +oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested +oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8 +oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension +oidmap.netscape_comment.oid=2.16.840.1.113730.1.13 +oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension +oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5 +oidmap.pse.class=netscape.security.extensions.PresenceServerExtension +oidmap.pse.oid=2.16.840.1.113730.1.18 +oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension +oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 +os.serverName=cert-[PKI_INSTANCE_ID] +os.userid=nobody +registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg +selftests._000=## +selftests._001=## Self Tests +selftests._002=## +selftests._003=## The Self-Test plugin SystemCertsVerification uses the +selftests._004=## following parameters (where certusage is optional): +selftests._005=## 
kra.cert.list = +selftests._006=## kra.cert..nickname +selftests._007=## kra.cert..certusage +selftests._008=## +selftests.container.instance.KRAPresence=com.netscape.cms.selftests.kra.KRAPresence +selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification +selftests.container.logger.bufferSize=512 +selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile +selftests.container.logger.enable=true +selftests.container.logger.expirationTime=0 +selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log +selftests.container.logger.flushInterval=5 +selftests.container.logger.level=1 +selftests.container.logger.maxFileSize=2000 +selftests.container.logger.register=false +selftests.container.logger.rolloverInterval=2592000 +selftests.container.logger.type=transaction +selftests.container.order.onDemand=KRAPresence:critical +selftests.container.order.startup=SystemCertsVerification:critical +selftests.plugin.KRAPresence.SubId=kra +selftests.plugin.SystemCertsVerification.SubId=kra +smtp.host=localhost +smtp.port=25 +subsystem.0.class=com.netscape.kra.KeyRecoveryAuthority +subsystem.0.id=kra +subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem +subsystem.1.id=selftests +subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem +subsystem.2.id=stats +usrgrp._000=## +usrgrp._001=## User/Group +usrgrp._002=## +usrgrp.ldap=internaldb +multiroles._000=## +multiroles._001=## multiroles +multiroles._002=## +multiroles.enable=true +multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group 
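Review bot: The new template starts directly at `pkicreate.pki_instance_root` with no header comment, whereas the deleted `CS.cfg` files (see the removed OCSP copy further down, which opens with the copyright block) did carry one. Because this file is now substituted twice — `@VERSION@` and `@MAJOR_VERSION@.@MINOR_VERSION@` by `configure_file(... @ONLY)` at build time, and the `[PKI_*]` tokens presumably by `pkicreate` at instance creation — a short `#` header stating which tokens each stage consumes would stop a later edit from adding an `@...@` that pkicreate never sees, or vice versa. `multiroles.false.groupEnforceList=...` also appears twice (once after `multiroles=true`, again after `multiroles.enable=true`); the copies are identical so behaviour is unchanged, but one should go. The carried-over defaults `log.instance.SignedAudit.logSigning=false`, `internaldb.ldapconn.secureConn=false` and `auths.revocationChecking.enabled=false` are not changed by this commit, but the same header is a cheap place for a `# post-install hardening: enable audit log signing and secure LDAP before production use` reminder.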
diff --git a/pki/base/kra/src/CMakeLists.txt b/pki/base/kra/src/CMakeLists.txt index d483a0a3..6e973438 100644 --- a/pki/base/kra/src/CMakeLists.txt +++ b/pki/base/kra/src/CMakeLists.txt @@ -1,21 +1,76 @@ project(kra_java Java) -find_file(JSS_JAR +# '/usr/share/java/pki' jars +find_file(CERTSRV_JAR NAMES - jss4.jar + certsrv.jar + PATHS + /usr/share/java/pki +) + +find_file(CMS_JAR + NAMES + cms.jar + PATHS + /usr/share/java/pki +) + +find_file(CMSCORE_JAR + NAMES + cmscore.jar + PATHS + /usr/share/java/pki +) + +find_file(CMSUTIL_JAR + NAMES + cmsutil.jar + PATHS + /usr/share/java/pki +) + +find_file(NSUTIL_JAR + NAMES + nsutil.jar PATHS /usr/lib/java - /usr/share/java + /usr/share/java/pki ) + +# '/usr/share/java' jars find_file(LDAPJDK_JAR NAMES ldapjdk.jar PATHS - /usr/lib/java /usr/share/java ) + +# '/usr/lib/java' jars +find_file(JSS_JAR + NAMES + jss4.jar + PATHS + /usr/lib/java +) + +find_file(OSUTIL_JAR + NAMES + osutil.jar + PATHS + /usr/lib/java +) + +find_file(SYMKEY_JAR + NAMES + symkey.jar + PATHS + /usr/lib/java +) + + +# identify java sources set(kra_java_SRCS com/netscape/kra/KeyRecoveryAuthority.java com/netscape/kra/EnrollmentService.java @@ -30,13 +85,21 @@ set(kra_java_SRCS com/netscape/kra/StorageKeyUnit.java ) + +# set classpath set(CMAKE_JAVA_INCLUDE_PATH - ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR} ${CMSUTIL_JAR} - ${OSUTIL_JAR} ${SYMKEY_JAR} ${CMS_JAR} ${CMSCORE_JAR} - ${CERTSRV_JAR}) + ${CERTSRV_JAR} ${CMS_JAR} ${CMSCORE_JAR} ${CMSUTIL_JAR} ${NSUTIL_JAR} + ${LDAPJDK_JAR} + ${JSS_JAR} ${OSUTIL_JAR} ${SYMKEY_JAR}) + + +# set version set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION}) + +# build kra.jar add_jar(kra ${kra_java_SRCS}) -add_dependencies(kra nsutil cmsutil osutil symkey cms cmscore certsrv) +add_dependencies(kra osutil symkey nsutil cmsutil certsrv cms cmscore) install_jar(kra ${JAVA_JAR_INSTALL_DIR}) set(KRA_JAR ${kra_JAR_FILE} CACHE INTERNAL "kra jar file") + 
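Review bot: None of the nine `find_file` results in the first hunk is checked before it is spliced into `CMAKE_JAVA_INCLUDE_PATH` in the second hunk, so a missing jar silently becomes `CERTSRV_JAR-NOTFOUND` on the classpath and only surfaces as a javac error far from its cause. A `foreach` over the variables with `message(FATAL_ERROR ...)` after the last `find_file` turns that into a configure-time failure that names the jar. The search paths are hard-coded absolute paths, which is acceptable for distro packaging but deserves a comment such as `# distro-installed jars; override via -DNAME_JAR=path if building against a local copy`, since `find_file` honours a pre-set cache value.
```cmake
# '/usr/lib/java' jars
# … unchanged: find_file(JSS_JAR / OSUTIL_JAR / SYMKEY_JAR …) …

# fail early with the jar's name rather than leaking NAME-NOTFOUND into the classpath
foreach(jar CERTSRV_JAR CMS_JAR CMSCORE_JAR CMSUTIL_JAR NSUTIL_JAR
            LDAPJDK_JAR JSS_JAR OSUTIL_JAR SYMKEY_JAR)
    if(NOT ${jar})
        message(FATAL_ERROR "${jar}: required jar not found")
    endif()
endforeach()
```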
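Review bot: The classpath in the second hunk now depends on subdirectory processing order: `add_dependencies(kra osutil symkey nsutil cmsutil certsrv cms cmscore)` says those jars are built in this tree, yet the removed lines show `${NSUTIL_JAR}`, `${CMSUTIL_JAR}`, `${CMS_JAR}` and the rest were previously consumed without any `find_file`, presumably from `CACHE INTERNAL` exports of the kind this very file makes with `set(KRA_JAR ${kra_JAR_FILE} CACHE INTERNAL "kra jar file")`. With the new `find_file(CERTSRV_JAR ... /usr/share/java/pki)` calls, whichever runs first owns the cache entry, so kra may compile against a previously installed system jar instead of the one being built — a reproducibility problem and a path for a stale or tampered system jar to enter the build. Prefer the in-tree `*_JAR` cache variables for every target named in `add_dependencies`, and keep `find_file` only for the genuinely external `ldapjdk.jar` and `jss4.jar`; a comment above the classpath, `# in-tree jars come from the sibling subsystems' CACHE INTERNAL exports, not from the system paths`, would record the intent.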
diff --git a/pki/base/ocsp/CMakeLists.txt b/pki/base/ocsp/CMakeLists.txt index 373fb4d1..1a780907 100644 --- a/pki/base/ocsp/CMakeLists.txt +++ b/pki/base/ocsp/CMakeLists.txt @@ -2,6 +2,7 @@ project(ocsp Java) add_subdirectory(src) add_subdirectory(setup) +add_subdirectory(shared/conf) # install init script install( @@ -25,6 +26,8 @@ install( "CMakeLists.txt" EXCLUDE PATTERN "etc/*" EXCLUDE + PATTERN + "CS.cfg.in" EXCLUDE ) # install empty directories diff --git a/pki/base/ocsp/shared/conf/CMakeLists.txt b/pki/base/ocsp/shared/conf/CMakeLists.txt new file mode 100644 index 00000000..e3cef591 --- /dev/null +++ b/pki/base/ocsp/shared/conf/CMakeLists.txt @@ -0,0 +1,12 @@ +set(VERSION ${APPLICATION_VERSION}) +set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR}) +set(MINOR_VERSION ${APPLICATION_VERSION_MINOR}) + +configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY) + +install( + FILES + ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg + DESTINATION + ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf +) diff --git a/pki/base/ocsp/shared/conf/CS.cfg b/pki/base/ocsp/shared/conf/CS.cfg deleted file mode 100644 index e4f0d2d7..00000000 --- a/pki/base/ocsp/shared/conf/CS.cfg +++ /dev/null 
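Review bot: The new `ocsp/shared/conf/CMakeLists.txt` sets `VERSION`, `MAJOR_VERSION` and `MINOR_VERSION` as plain directory-scope variables solely to feed one `configure_file`, and the same 12-line block is very likely mirrored in the other subsystems' `shared/conf/CMakeLists.txt` files added by this commit, so the copies will drift the first time one of them needs another substitution. A single helper defined at the top level — say `pki_configure_cs_cfg()` — that sets the three variables in function scope, runs `configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)` and issues the `install(FILES ...)` would keep them identical and stop the unprefixed names leaking into the directory. A one-line header, `# CS.cfg.in: @VAR@ tokens are filled here by configure_file; [PKI_*] tokens are presumably left for instance creation`, would document the two-stage substitution for the next reader.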
@@ -1,324 +0,0 @@ -# --- BEGIN COPYRIGHT BLOCK --- -# Copyright (C) 2006 Red Hat, Inc. -# All rights reserved. -# --- END COPYRIGHT BLOCK --- -# -pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] -pkicreate.pki_instance_name=[PKI_INSTANCE_ID] -pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] -pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT] -pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT] -pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT] -pkicreate.secure_port=[PKI_SECURE_PORT] -pkicreate.unsecure_port=[PKI_UNSECURE_PORT] -pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT] -pkicreate.user=[PKI_USER] -pkicreate.group=[PKI_GROUP] -pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -installDate=[INSTALL_TIME] -cs.type=OCSP -admin.interface.uri=ocsp/admin/console/config/wizard -agent.interface.uri=ocsp/agent/ocsp -preop.admin.name=Online Certificate Status Manager Administrator -preop.admin.group=Online Certificate Status Manager Agents -preop.admincert.profile=caAdminCert -preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445 -preop.wizard.name=OCSP Setup Wizard -preop.product.name=CS -preop.product.version= -preop.system.name=OCSP -preop.system.fullname=OCSP Responder -preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module -preop.configModules.module0.commonName=NSS Internal PKCS #11 Module -preop.configModules.module0.imagePath=../img/clearpixel.gif -preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module -preop.configModules.module1.commonName=nfast -preop.configModules.module1.imagePath=../img/clearpixel.gif -preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module -preop.configModules.module2.commonName=lunasa -preop.configModules.module2.imagePath=../img/clearpixel.gif -preop.configModules.count=3 -preop.module.token=Internal Key Storage Token -ocsp.cert.list=signing,sslserver,subsystem,audit_signing -preop.cert.list=signing,sslserver,subsystem,audit_signing 
-preop.cert.ocsp_signing.enable=true -preop.cert.sslserver.enable=true -preop.cert.subsystem.enable=true -preop.cert.audit_signing.enable=true -preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA -preop.cert.audit_signing.dn=CN=OCSP Audit Signing Certificate -preop.cert.audit_signing.keysize.custom_size=2048 -preop.cert.audit_signing.keysize.size=2048 -preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID] -preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert -preop.cert.audit_signing.signing.required=false -preop.cert.audit_signing.subsystem=ocsp -preop.cert.audit_signing.type=remote -preop.cert.audit_signing.userfriendlyname=OCSP Audit Signing Certificate -preop.cert.audit_signing.cncomponent.override=true -preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA -preop.cert.signing.dn=CN=OCSP Signing Certificate -preop.cert.signing.keysize.custom_size=2048 -preop.cert.signing.keysize.size=2048 -preop.cert.signing.nickname=ocspSigningCert cert-[PKI_INSTANCE_ID] -preop.cert.signing.profile=caInternalAuthOCSPCert -preop.cert.signing.signing.required=true -preop.cert.signing.subsystem=ocsp -preop.cert.signing.type=remote -preop.cert.signing.userfriendlyname=OCSP Signing Certificate -preop.cert.signing.cncomponent.override=true -preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA -preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME] -preop.cert.sslserver.keysize.custom_size=2048 -preop.cert.sslserver.keysize.size=2048 -preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] -preop.cert.sslserver.profile=caInternalAuthServerCert -preop.cert.sslserver.signing.required=false -preop.cert.sslserver.subsystem=ocsp -preop.cert.sslserver.type=remote -preop.cert.sslserver.userfriendlyname=SSL Server Certificate -preop.cert.sslserver.cncomponent.override=false -preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA -preop.cert.subsystem.dn=CN=OCSP Subsystem Certificate -preop.cert.subsystem.keysize.custom_size=2048 
-preop.cert.subsystem.keysize.size=2048 -preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -preop.cert.subsystem.profile=caInternalAuthSubsystemCert -preop.cert.subsystem.signing.required=false -preop.cert.subsystem.subsystem=ocsp -preop.cert.subsystem.type=remote -preop.cert.subsystem.userfriendlyname=Subsystem Certificate -preop.cert.subsystem.cncomponent.override=true -cs.state=0 -authType=pwd -instanceRoot=[PKI_INSTANCE_PATH] -machineName=[PKI_MACHINE_NAME] -instanceId=[PKI_INSTANCE_ID] -service.machineName=[PKI_MACHINE_NAME] -service.instanceDir=[PKI_INSTANCE_ROOT] -service.securePort=[PKI_AGENT_SECURE_PORT] -service.non_clientauth_securePort=[PKI_EE_SECURE_PORT] -service.unsecurePort=[PKI_UNSECURE_PORT] -service.instanceID=[PKI_INSTANCE_ID] -preop.pin=[PKI_RANDOM_NUMBER] -passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf -passwordClass=com.netscape.cmsutil.password.PlainPasswordFile -multiroles=true -multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group -CrossCertPair._000=## -CrossCertPair._001=## CrossCertPair Import -CrossCertPair._002=## -CrossCertPair.ldap=internaldb -accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator -accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator -accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator -auths._000=## -auths._001=## new authentication -auths._002=## -auths.impl._000=## -auths.impl._001=## authentication manager implementations -auths.impl._002=## 
-auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication -auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth -auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth -auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll -auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication -auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication -auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication -auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication -auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents -auths.instance.AgentCertAuth.pluginName=AgentCertAuth -auths.instance.TokenAuth.pluginName=TokenAuth -auths.revocationChecking.bufferSize=50 -authz._000=## -authz._001=## new authorizatioin -authz._002=## -authz.evaluateOrder=deny,allow -authz.sourceType=ldap -authz.impl._000=## -authz.impl._001=## authorization manager implementations -authz.impl._002=## -authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz -authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz -authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz -authz.instance.DirAclAuthz.ldap=internaldb -authz.instance.DirAclAuthz.pluginName=DirAclAuthz -authz.instance.DirAclAuthz.ldap._000=## -authz.instance.DirAclAuthz.ldap._001=## Internal Database -authz.instance.DirAclAuthz.ldap._002=## -cmc.cert.confirmRequired=false -cmc.lraPopWitness.verify.allow=true -cmc.revokeCert.verify=true -cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret -cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret -cms.version= -dbs.ldap=internaldb -dbs.newSchemaEntryAdded=true -debug.append=true -debug.enabled=true -debug.filename=[PKI_INSTANCE_PATH]/logs/debug -debug.hashkeytypes= -debug.level=0 -debug.showcaller=false 
-keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 -keys.ecc.curve.default=nistp521 -keys.rsa.keysize.default=2048 -internaldb._000=## -internaldb._001=## Internal Database -internaldb._002=## -internaldb.maxConns=15 -internaldb.minConns=3 -internaldb.ldapauth.authtype=BasicAuth -internaldb.ldapauth.bindDN=cn=Directory Manager -internaldb.ldapauth.bindPWPrompt=Internal LDAP Database -internaldb.ldapauth.clientCertNickname= -internaldb.ldapconn.host= -internaldb.ldapconn.port= -internaldb.ldapconn.secureConn=false -preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/schema.ldif -preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/database.ldif -preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ocsp/conf/acl.ldif -preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/index.ldif -preop.internaldb.post_ldif= -preop.internaldb.wait_dn= -internaldb.multipleSuffix.enable=false -jss._000=## -jss._001=## JSS -jss._002=## -jss.configDir=[PKI_INSTANCE_PATH]/alias/ -jss.enable=true -jss.secmodName=secmod.db -jss.ocspcheck.enable=false -jss.ssl.cipherfortezza=true -jss.ssl.cipherpref= -jss.ssl.cipherversion=cipherdomestic -log._000=## -log._001=## Logging -log._002=## -log.impl.file.class=com.netscape.cms.logging.RollingLogFile 
-log.instance.SignedAudit._000=## -log.instance.SignedAudit._001=## Signed Audit Logging -log.instance.SignedAudit._002=## -log.instance.SignedAudit.bufferSize=512 -log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events._000=## -log.instance.SignedAudit.events._001=## Available Audit events: -log.instance.SignedAudit.events._002=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION -log.instance.SignedAudit.events._003=## -log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION -log.instance.SignedAudit.expirationTime=0 -log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ocsp_cert-ocsp_audit -log.instance.SignedAudit.flushInterval=5 -log.instance.SignedAudit.level=1 -log.instance.SignedAudit.logSigning=false -log.instance.SignedAudit.maxFileSize=2000 -log.instance.SignedAudit.pluginName=file -log.instance.SignedAudit.rolloverInterval=2592000 -log.instance.SignedAudit.signedAudit:_000=## -log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow OCSP audit logs to be signed -log.instance.SignedAudit.signedAudit:_002=## -log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID] -log.instance.SignedAudit.type=signedAudit -log.instance.System._000=## -log.instance.System._001=## System Logging -log.instance.System._002=## -log.instance.System.bufferSize=512 -log.instance.System.enable=true -log.instance.System.expirationTime=0 -log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system -log.instance.System.flushInterval=5 -log.instance.System.level=3 -log.instance.System.maxFileSize=2000 -log.instance.System.pluginName=file -log.instance.System.rolloverInterval=2592000 -log.instance.System.type=system -log.instance.Transactions._000=## -log.instance.Transactions._001=## Transaction Logging -log.instance.Transactions._002=## -log.instance.Transactions.bufferSize=512 -log.instance.Transactions.enable=true -log.instance.Transactions.expirationTime=0 
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions -log.instance.Transactions.flushInterval=5 -log.instance.Transactions.level=1 -log.instance.Transactions.maxFileSize=2000 -log.instance.Transactions.pluginName=file -log.instance.Transactions.rolloverInterval=2592000 -log.instance.Transactions.type=transaction -logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access -logError.fileName=[PKI_INSTANCE_PATH]/logs/error -ocsp.certNickname= -ocsp.storeId=defStore -ocsp.signing.certnickname= -ocsp.signing.defaultSigningAlgorithm=SHA256withRSA -ocsp.signing.tokenname=internal -ocsp.store.defStore.class=com.netscape.cms.ocsp.DefStore -ocsp.store.defStore.includeNextUpdate=false -ocsp.store.defStore.notFoundAsGood=true -ocsp.store.ldapStore.class=com.netscape.cms.ocsp.LDAPStore -oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension -oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1 -oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword -oidmap.challenge_password.oid=1.2.840.113549.1.9.7 -oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension -oidmap.extended_key_usage.oid=2.5.29.37 -oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested -oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14 -oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested -oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8 -oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension -oidmap.netscape_comment.oid=2.16.840.1.113730.1.13 -oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension -oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5 -oidmap.pse.class=netscape.security.extensions.PresenceServerExtension -oidmap.pse.oid=2.16.840.1.113730.1.18 -oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension 
-oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 -os.serverName=cert-[PKI_INSTANCE_ID] -os.userid=nobody -registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg -selftests._000=## -selftests._001=## Self Tests -selftests._002=## -selftests._003=## The Self-Test plugin SystemCertsVerification uses the -selftests._004=## following parameters (where certusage is optional): -selftests._005=## ocsp.cert.list = -selftests._006=## ocsp.cert..nickname -selftests._007=## ocsp.cert..certusage -selftests._008=## -selftests.container.instance.OCSPPresence=com.netscape.cms.selftests.ocsp.OCSPPresence -selftests.container.instance.OCSPValidity=com.netscape.cms.selftests.ocsp.OCSPValidity -selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification -selftests.container.logger.bufferSize=512 -selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile -selftests.container.logger.enable=true -selftests.container.logger.expirationTime=0 -selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log -selftests.container.logger.flushInterval=5 -selftests.container.logger.level=1 -selftests.container.logger.maxFileSize=2000 -selftests.container.logger.register=false -selftests.container.logger.rolloverInterval=2592000 -selftests.container.logger.type=transaction -selftests.container.order.onDemand=OCSPPresence:critical, SystemCertsVerification:critical, OCSPValidity:critical -selftests.container.order.startup=OCSPPresence:critical, SystemCertsVerification:critical -selftests.plugin.OCSPPresence.OcspSubId=ocsp -selftests.plugin.OCSPValidity.OcspSubId=ocsp -selftests.plugin.SystemCertsVerification.SubId=ocsp -smtp.host=localhost -smtp.port=25 -subsystem.0.class=com.netscape.ocsp.OCSPAuthority -subsystem.0.id=ocsp -subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem -subsystem.1.id=selftests -subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem -subsystem.2.id=stats -usrgrp._000=## 
-usrgrp._001=## User/Group
-usrgrp._002=##
-usrgrp.ldap=internaldb
-multiroles._000=##
-multiroles._001=## multiroles
-multiroles._002=##
-multiroles.enable=true
-multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group
diff --git a/pki/base/ocsp/shared/conf/CS.cfg.in b/pki/base/ocsp/shared/conf/CS.cfg.in
new file mode 100644
index 00000000..84553d3f
--- /dev/null
+++ b/pki/base/ocsp/shared/conf/CS.cfg.in
@@ -0,0 +1,324 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2006 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
+pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT]
+pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT]
+pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT]
+pkicreate.secure_port=[PKI_SECURE_PORT]
+pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
+pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
+installDate=[INSTALL_TIME]
+cs.type=OCSP
+admin.interface.uri=ocsp/admin/console/config/wizard
+agent.interface.uri=ocsp/agent/ocsp
+preop.admin.name=Online Certificate Status Manager Administrator
+preop.admin.group=Online Certificate Status Manager Agents
+preop.admincert.profile=caAdminCert
+preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445
+preop.wizard.name=OCSP Setup Wizard
+preop.product.name=CS
+preop.product.version=@VERSION@
+preop.system.name=OCSP
+preop.system.fullname=OCSP Responder
+preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
+preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
+preop.configModules.module0.imagePath=../img/clearpixel.gif
+preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
+preop.configModules.module1.commonName=nfast
+preop.configModules.module1.imagePath=../img/clearpixel.gif
+preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
+preop.configModules.module2.commonName=lunasa
+preop.configModules.module2.imagePath=../img/clearpixel.gif
+preop.configModules.count=3
+preop.module.token=Internal Key Storage Token
+ocsp.cert.list=signing,sslserver,subsystem,audit_signing
+preop.cert.list=signing,sslserver,subsystem,audit_signing +preop.cert.ocsp_signing.enable=true +preop.cert.sslserver.enable=true +preop.cert.subsystem.enable=true +preop.cert.audit_signing.enable=true +preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA +preop.cert.audit_signing.dn=CN=OCSP Audit Signing Certificate +preop.cert.audit_signing.keysize.custom_size=2048 +preop.cert.audit_signing.keysize.size=2048 +preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID] +preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert +preop.cert.audit_signing.signing.required=false +preop.cert.audit_signing.subsystem=ocsp +preop.cert.audit_signing.type=remote +preop.cert.audit_signing.userfriendlyname=OCSP Audit Signing Certificate +preop.cert.audit_signing.cncomponent.override=true +preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA +preop.cert.signing.dn=CN=OCSP Signing Certificate +preop.cert.signing.keysize.custom_size=2048 +preop.cert.signing.keysize.size=2048 +preop.cert.signing.nickname=ocspSigningCert cert-[PKI_INSTANCE_ID] +preop.cert.signing.profile=caInternalAuthOCSPCert +preop.cert.signing.signing.required=true +preop.cert.signing.subsystem=ocsp +preop.cert.signing.type=remote +preop.cert.signing.userfriendlyname=OCSP Signing Certificate +preop.cert.signing.cncomponent.override=true +preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA +preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME] +preop.cert.sslserver.keysize.custom_size=2048 +preop.cert.sslserver.keysize.size=2048 +preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] +preop.cert.sslserver.profile=caInternalAuthServerCert +preop.cert.sslserver.signing.required=false +preop.cert.sslserver.subsystem=ocsp +preop.cert.sslserver.type=remote +preop.cert.sslserver.userfriendlyname=SSL Server Certificate +preop.cert.sslserver.cncomponent.override=false +preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA +preop.cert.subsystem.dn=CN=OCSP Subsystem 
Certificate +preop.cert.subsystem.keysize.custom_size=2048 +preop.cert.subsystem.keysize.size=2048 +preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] +preop.cert.subsystem.profile=caInternalAuthSubsystemCert +preop.cert.subsystem.signing.required=false +preop.cert.subsystem.subsystem=ocsp +preop.cert.subsystem.type=remote +preop.cert.subsystem.userfriendlyname=Subsystem Certificate +preop.cert.subsystem.cncomponent.override=true +cs.state=0 +authType=pwd +instanceRoot=[PKI_INSTANCE_PATH] +machineName=[PKI_MACHINE_NAME] +instanceId=[PKI_INSTANCE_ID] +service.machineName=[PKI_MACHINE_NAME] +service.instanceDir=[PKI_INSTANCE_ROOT] +service.securePort=[PKI_AGENT_SECURE_PORT] +service.non_clientauth_securePort=[PKI_EE_SECURE_PORT] +service.unsecurePort=[PKI_UNSECURE_PORT] +service.instanceID=[PKI_INSTANCE_ID] +preop.pin=[PKI_RANDOM_NUMBER] +passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf +passwordClass=com.netscape.cmsutil.password.PlainPasswordFile +multiroles=true +multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group +CrossCertPair._000=## +CrossCertPair._001=## CrossCertPair Import +CrossCertPair._002=## +CrossCertPair.ldap=internaldb +accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator +accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator +accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator +auths._000=## +auths._001=## new authentication +auths._002=## +auths.impl._000=## +auths.impl._001=## authentication manager implementations +auths.impl._002=## 
+auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication +auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth +auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth +auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll +auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication +auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication +auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication +auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication +auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents +auths.instance.AgentCertAuth.pluginName=AgentCertAuth +auths.instance.TokenAuth.pluginName=TokenAuth +auths.revocationChecking.bufferSize=50 +authz._000=## +authz._001=## new authorizatioin +authz._002=## +authz.evaluateOrder=deny,allow +authz.sourceType=ldap +authz.impl._000=## +authz.impl._001=## authorization manager implementations +authz.impl._002=## +authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz +authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz +authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz +authz.instance.DirAclAuthz.ldap=internaldb +authz.instance.DirAclAuthz.pluginName=DirAclAuthz +authz.instance.DirAclAuthz.ldap._000=## +authz.instance.DirAclAuthz.ldap._001=## Internal Database +authz.instance.DirAclAuthz.ldap._002=## +cmc.cert.confirmRequired=false +cmc.lraPopWitness.verify.allow=true +cmc.revokeCert.verify=true +cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret +cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret +cms.version=@MAJOR_VERSION@.@MINOR_VERSION@ +dbs.ldap=internaldb +dbs.newSchemaEntryAdded=true +debug.append=true +debug.enabled=true +debug.filename=[PKI_INSTANCE_PATH]/logs/debug +debug.hashkeytypes= +debug.level=0 
+debug.showcaller=false +keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 +keys.ecc.curve.default=nistp521 +keys.rsa.keysize.default=2048 +internaldb._000=## +internaldb._001=## Internal Database +internaldb._002=## +internaldb.maxConns=15 +internaldb.minConns=3 +internaldb.ldapauth.authtype=BasicAuth +internaldb.ldapauth.bindDN=cn=Directory Manager +internaldb.ldapauth.bindPWPrompt=Internal LDAP Database +internaldb.ldapauth.clientCertNickname= +internaldb.ldapconn.host= +internaldb.ldapconn.port= +internaldb.ldapconn.secureConn=false +preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/schema.ldif +preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/database.ldif +preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ocsp/conf/acl.ldif +preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/index.ldif +preop.internaldb.post_ldif= +preop.internaldb.wait_dn= +internaldb.multipleSuffix.enable=false +jss._000=## +jss._001=## JSS +jss._002=## +jss.configDir=[PKI_INSTANCE_PATH]/alias/ +jss.enable=true +jss.secmodName=secmod.db +jss.ocspcheck.enable=false +jss.ssl.cipherfortezza=true +jss.ssl.cipherpref= +jss.ssl.cipherversion=cipherdomestic +log._000=## +log._001=## Logging +log._002=## 
+log.impl.file.class=com.netscape.cms.logging.RollingLogFile +log.instance.SignedAudit._000=## +log.instance.SignedAudit._001=## Signed Audit Logging +log.instance.SignedAudit._002=## +log.instance.SignedAudit.bufferSize=512 +log.instance.SignedAudit.enable=true +log.instance.SignedAudit.events._000=## +log.instance.SignedAudit.events._001=## Available Audit events: +log.instance.SignedAudit.events._002=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION +log.instance.SignedAudit.events._003=## +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION +log.instance.SignedAudit.expirationTime=0 +log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ocsp_cert-ocsp_audit +log.instance.SignedAudit.flushInterval=5 +log.instance.SignedAudit.level=1 +log.instance.SignedAudit.logSigning=false +log.instance.SignedAudit.maxFileSize=2000 +log.instance.SignedAudit.pluginName=file +log.instance.SignedAudit.rolloverInterval=2592000 +log.instance.SignedAudit.signedAudit:_000=## +log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow OCSP audit logs to be signed +log.instance.SignedAudit.signedAudit:_002=## +log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID] +log.instance.SignedAudit.type=signedAudit +log.instance.System._000=## +log.instance.System._001=## System Logging +log.instance.System._002=## +log.instance.System.bufferSize=512 +log.instance.System.enable=true +log.instance.System.expirationTime=0 +log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system +log.instance.System.flushInterval=5 +log.instance.System.level=3 +log.instance.System.maxFileSize=2000 +log.instance.System.pluginName=file +log.instance.System.rolloverInterval=2592000 +log.instance.System.type=system +log.instance.Transactions._000=## +log.instance.Transactions._001=## Transaction Logging +log.instance.Transactions._002=## +log.instance.Transactions.bufferSize=512 +log.instance.Transactions.enable=true +log.instance.Transactions.expirationTime=0 
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions +log.instance.Transactions.flushInterval=5 +log.instance.Transactions.level=1 +log.instance.Transactions.maxFileSize=2000 +log.instance.Transactions.pluginName=file +log.instance.Transactions.rolloverInterval=2592000 +log.instance.Transactions.type=transaction +logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access +logError.fileName=[PKI_INSTANCE_PATH]/logs/error +ocsp.certNickname= +ocsp.storeId=defStore +ocsp.signing.certnickname= +ocsp.signing.defaultSigningAlgorithm=SHA256withRSA +ocsp.signing.tokenname=internal +ocsp.store.defStore.class=com.netscape.cms.ocsp.DefStore +ocsp.store.defStore.includeNextUpdate=false +ocsp.store.defStore.notFoundAsGood=true +ocsp.store.ldapStore.class=com.netscape.cms.ocsp.LDAPStore +oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension +oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1 +oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword +oidmap.challenge_password.oid=1.2.840.113549.1.9.7 +oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension +oidmap.extended_key_usage.oid=2.5.29.37 +oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested +oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14 +oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested +oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8 +oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension +oidmap.netscape_comment.oid=2.16.840.1.113730.1.13 +oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension +oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5 +oidmap.pse.class=netscape.security.extensions.PresenceServerExtension +oidmap.pse.oid=2.16.840.1.113730.1.18 +oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension 
+oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 +os.serverName=cert-[PKI_INSTANCE_ID] +os.userid=nobody +registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg +selftests._000=## +selftests._001=## Self Tests +selftests._002=## +selftests._003=## The Self-Test plugin SystemCertsVerification uses the +selftests._004=## following parameters (where certusage is optional): +selftests._005=## ocsp.cert.list = +selftests._006=## ocsp.cert..nickname +selftests._007=## ocsp.cert..certusage +selftests._008=## +selftests.container.instance.OCSPPresence=com.netscape.cms.selftests.ocsp.OCSPPresence +selftests.container.instance.OCSPValidity=com.netscape.cms.selftests.ocsp.OCSPValidity +selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification +selftests.container.logger.bufferSize=512 +selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile +selftests.container.logger.enable=true +selftests.container.logger.expirationTime=0 +selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log +selftests.container.logger.flushInterval=5 +selftests.container.logger.level=1 +selftests.container.logger.maxFileSize=2000 +selftests.container.logger.register=false +selftests.container.logger.rolloverInterval=2592000 +selftests.container.logger.type=transaction +selftests.container.order.onDemand=OCSPPresence:critical, SystemCertsVerification:critical, OCSPValidity:critical +selftests.container.order.startup=OCSPPresence:critical, SystemCertsVerification:critical +selftests.plugin.OCSPPresence.OcspSubId=ocsp +selftests.plugin.OCSPValidity.OcspSubId=ocsp +selftests.plugin.SystemCertsVerification.SubId=ocsp +smtp.host=localhost +smtp.port=25 +subsystem.0.class=com.netscape.ocsp.OCSPAuthority +subsystem.0.id=ocsp +subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem +subsystem.1.id=selftests +subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem +subsystem.2.id=stats +usrgrp._000=## 
+usrgrp._001=## User/Group
+usrgrp._002=##
+usrgrp.ldap=internaldb
+multiroles._000=##
+multiroles._001=## multiroles
+multiroles._002=##
+multiroles.enable=true
+multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group
diff --git a/pki/base/ocsp/src/CMakeLists.txt b/pki/base/ocsp/src/CMakeLists.txt
index 53f2dc58..f707654e 100644
--- a/pki/base/ocsp/src/CMakeLists.txt
+++ b/pki/base/ocsp/src/CMakeLists.txt
@@ -1,21 +1,76 @@
 project(ocsp_java Java)
-find_file(JSS_JAR
+# '/usr/share/java/pki' jars
+find_file(CERTSRV_JAR
 NAMES
- jss4.jar
+ certsrv.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMS_JAR
+ NAMES
+ cms.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMSCORE_JAR
+ NAMES
+ cmscore.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMSUTIL_JAR
+ NAMES
+ cmsutil.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(NSUTIL_JAR
+ NAMES
+ nsutil.jar
 PATHS
 /usr/lib/java
- /usr/share/java
+ /usr/share/java/pki
 )
+
+# '/usr/share/java' jars
 find_file(LDAPJDK_JAR
 NAMES
 ldapjdk.jar
 PATHS
- /usr/lib/java
 /usr/share/java
 )
+
+# '/usr/lib/java' jars
+find_file(JSS_JAR
+ NAMES
+ jss4.jar
+ PATHS
+ /usr/lib/java
+)
+
+find_file(OSUTIL_JAR
+ NAMES
+ osutil.jar
+ PATHS
+ /usr/lib/java
+)
+
+find_file(SYMKEY_JAR
+ NAMES
+ symkey.jar
+ PATHS
+ /usr/lib/java
+)
+
+
+# identify java sources
 set(ocsp_java_SRCS
 com/netscape/ocsp/OCSPResources.java
 com/netscape/ocsp/OCSPAuthority.java
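Review bot: The enabled audit-event list at `log.instance.SignedAudit.events=` contains an empty element (`SERVER_SIDE_KEYGEN_REQUEST,,COMPUTE_SESSION_KEY_REQUEST`) and entries with a leading space (`, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE`), while the `events._002` comment list above it has a single comma at that spot; unless the loader trims and drops blank names, those events will not match, so the value should be normalised to `...SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,...` with no blanks. `preop.cert.ocsp_signing.enable=true` also does not match the `signing` name used in `preop.cert.list` and in every other `preop.cert.signing.*` key, so the enable flag for the OCSP signing certificate is probably never read. Both were carried over from the deleted CS.cfg, but this template is the place to fix them. Two security-relevant defaults also deserve a `##` comment so deployers notice them: `ocsp.store.defStore.notFoundAsGood=true` makes the responder answer "good" for serial numbers it has no record of, and `log.instance.SignedAudit.logSigning=false` leaves signed audit logging off.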
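Review bot: None of the nine `find_file` results is checked, so a missing jar leaves the variable at `<NAME>-NOTFOUND` and that literal is silently placed on the classpath by `set(CMAKE_JAVA_INCLUDE_PATH ...)` in the next hunk; add `if(NOT CERTSRV_JAR) message(FATAL_ERROR "certsrv.jar not found") endif()` (or `find_file(... REQUIRED)` once the minimum CMake version allows it) after each lookup. For `certsrv.jar`, `cms.jar`, `cmscore.jar`, `cmsutil.jar` and `nsutil.jar` the search paths point at the installed `/usr/share/java/pki` copies of jars this same tree builds (`add_dependencies(ocsp ... certsrv cms cmscore)` in the next hunk), so on a host with an older package installed the compile may resolve against the stale system jar rather than the one just built; if the sibling subprojects export their jar paths as cache variables the way this file exports `OCSP_JAR`, the lookups should prefer those. The hard-coded absolute paths also ignore any install prefix the user configured.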
@@ -23,13 +78,21 @@ set(ocsp_java_SRCS
 com/netscape/ocsp/EOCSPException.java
 )
+
+# set classpath
 set(CMAKE_JAVA_INCLUDE_PATH
- ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR} ${CMSUTIL_JAR}
- ${OSUTIL_JAR} ${SYMKEY_JAR} ${CMS_JAR} ${CMSCORE_JAR}
- ${CERTSRV_JAR})
+ ${CERTSRV_JAR} ${CMS_JAR} ${CMSCORE_JAR} ${CMSUTIL_JAR} ${NSUTIL_JAR}
+ ${LDAPJDK_JAR}
+ ${JSS_JAR} ${OSUTIL_JAR} ${SYMKEY_JAR})
+
+
+# set version
 set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
+
+# build ocsp.jar
 add_jar(ocsp ${ocsp_java_SRCS})
-add_dependencies(ocsp nsutil cmsutil osutil symkey cms cmscore certsrv)
+add_dependencies(ocsp osutil symkey nsutil cmsutil certsrv cms cmscore)
 install_jar(ocsp ${JAVA_JAR_INSTALL_DIR})
 set(OCSP_JAR ${ocsp_JAR_FILE} CACHE INTERNAL "ocsp jar file")
+
diff --git a/pki/base/ra/CMakeLists.txt b/pki/base/ra/CMakeLists.txt
index f5aaa147..59910fe9 100644
--- a/pki/base/ra/CMakeLists.txt
+++ b/pki/base/ra/CMakeLists.txt
@@ -1,7 +1,7 @@
 project(ra)
-add_subdirectory(setup)
 add_subdirectory(doc)
+add_subdirectory(setup)
 # install init script
 install(
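Review bot: The classpath in `set(CMAKE_JAVA_INCLUDE_PATH ...)` is built from the `*_JAR` variables that the `find_file` calls above resolve against installed system jars, while `add_dependencies(ocsp osutil symkey nsutil cmsutil certsrv cms cmscore)` only orders this target after the in-tree ones; the two agree only if each sibling directory has already stored its jar path in the cache (the way this file does with `set(OCSP_JAR ${ocsp_JAR_FILE} CACHE INTERNAL ...)`) before this directory is configured, because `find_file` skips a cache entry that is already set. If that ordering is not guaranteed, ocsp.jar is silently compiled against whatever is installed under /usr/share/java/pki rather than the jars just built, and the reordered dependency list changes nothing. A comment above the classpath would make the contract visible, e.g. `# *_JAR hold sibling targets' jar paths (CACHE INTERNAL) when built in-tree; find_file above is only the fallback for an installed build`, and if the ordering cannot be relied on, the `<target>_JAR_FILE` variables that add_jar defines should be referenced directly.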
@@ -13,69 +13,52 @@ install(
 OWNER_EXECUTE OWNER_WRITE OWNER_READ
 GROUP_EXECUTE GROUP_READ
 WORLD_EXECUTE WORLD_READ
- PATTERN
- "CMakeLists.txt" EXCLUDE
-)
-
-install(
- FILES
- scripts/nss_pcache
- DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
- PERMISSIONS
- OWNER_EXECUTE OWNER_WRITE OWNER_READ
- GROUP_EXECUTE GROUP_READ
- WORLD_EXECUTE WORLD_READ
-)
-
-install(
- FILES
- scripts/schema.sql
- DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
 )
-# install directories
 install(
 DIRECTORY
- alias/
+ apache/conf/
 DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/alias
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
 )
 install(
 DIRECTORY
- lib/
+ emails/
 DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/lib
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
 )
 install(
 DIRECTORY
- logs/
+ forms/
 DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/logs
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot
 )
 install(
 DIRECTORY
- forms/
+ lib/
 DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot/forms
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/lib
 )
 install(
- DIRECTORY
- emails/
+ FILES
+ scripts/nss_pcache
 DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/emails
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
 )
 install(
- DIRECTORY
- apache/conf/
+ FILES
+ scripts/schema.sql
 DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/apache/conf
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
 )
 # install empty directories
@@ -90,3 +73,4 @@ install(
 DESTINATION
 ${VAR_INSTALL_DIR}/run/pki/ra
 )
+
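Review bot: The init-script install at the top of this hunk loses its `PATTERN "CMakeLists.txt" EXCLUDE`; its opening lines are above the hunk, so if that command still installs a DIRECTORY, the build file now lands in the share tree, and either the exclude should stay or a comment should say why it is no longer needed. Further down, `apache/conf/` and `emails/` are both installed into the same `.../${PROJECT_NAME}/conf` destination and `forms/` moves from `docroot/forms` to `docroot`, which flattens layouts the runtime configuration depends on; the `templateDir=/usr/share/pki/ra/conf` entries in the removed ra/doc/CS.cfg suggest the emails flattening is deliberate, but nothing here records it. A one-line comment on each of those installs naming the consumer, e.g. `# emails/ is merged into conf/ because request.*.templateDir points at .../ra/conf`, would let a reader check the new destinations against CS.cfg.in instead of guessing.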
diff --git a/pki/base/ra/doc/CS.cfg b/pki/base/ra/doc/CS.cfg
deleted file mode 100644
index 0fc0efb3..00000000
--- a/pki/base/ra/doc/CS.cfg
+++ /dev/null
@@ -1,256 +0,0 @@ -# --- BEGIN COPYRIGHT BLOCK --- -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2007 Red Hat, Inc. -# All rights reserved. -# --- END COPYRIGHT BLOCK --- -# -pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] -pkicreate.pki_instance_name=[PKI_INSTANCE_ID] -pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] -pkicreate.secure_port=[SECURE_PORT] -pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT] -pkicreate.unsecure_port=[PORT] -pkicreate.user=[PKI_USER] -pkicreate.group=[PKI_GROUP] -pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -request._000=######################################### -request._001=# Request Queue Parameters -request._002=######################################### -agent.authorized_groups=administrators,agents -admin.authorized_groups=administrators -database.dbfile=[SERVER_ROOT]/conf/dbfile -database.lockfile=[SERVER_ROOT]/conf/dblock -request.renewal.approve_request.0.ca=ca1 -request.renewal.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA -request.renewal.approve_request.0.profileId=caDualRAuserCert -request.renewal.approve_request.0.reqType=crmf -request.renewal.approve_request.1.mailTo=$created_by -request.renewal.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification -request.renewal.approve_request.1.templateDir=/usr/share/pki/ra/conf 
-request.renewal.approve_request.1.templateFile=mail_approve_request.vm -request.renewal.approve_request.num_plugins=2 -request.renewal.reject_request.num_plugins=0 -request.renewal.create_request.0.assignTo=agents -request.renewal.create_request.0.plugin=PKI::Request::Plugin::AutoAssign -request.renewal.create_request.1.mailTo=$created_by -request.renewal.create_request.1.plugin=PKI::Request::Plugin::EmailNotification -request.renewal.create_request.1.templateDir=/usr/share/pki/ra/conf -request.renewal.create_request.1.templateFile=mail_create_request.vm -request.renewal.create_request.num_plugins=2 -request.scep.profileId=caRARouterCert -request.scep.reqType=pkcs10 -request.scep.create_request.num_plugins=2 -request.scep.create_request.0.plugin=PKI::Request::Plugin::AutoAssign -request.scep.create_request.0.assignTo=agents -request.scep.create_request.1.plugin=PKI::Request::Plugin::EmailNotification -request.scep.create_request.1.mailTo= -request.scep.create_request.1.templateDir=/usr/share/pki/ra/conf -request.scep.create_request.1.templateFile=mail_create_request.vm -request.scep.approve_request.num_plugins=1 -request.scep.approve_request.0.plugin=PKI::Request::Plugin::CreatePin -request.scep.approve_request.0.pinFormat=$site_id -request.scep.reject_request.num_plugins=0 -request.agent.profileId=caRAagentCert -request.agent.reqType=crmf -request.agent.create_request.num_plugins=2 -request.agent.create_request.0.plugin=PKI::Request::Plugin::AutoAssign -request.agent.create_request.0.assignTo=agents -request.agent.create_request.1.plugin=PKI::Request::Plugin::EmailNotification -request.agent.create_request.1.mailTo= -request.agent.create_request.1.templateDir=/usr/share/pki/ra/conf -request.agent.create_request.1.templateFile=mail_create_request.vm -request.agent.approve_request.num_plugins=1 -request.agent.approve_request.0.plugin=PKI::Request::Plugin::CreatePin -request.agent.approve_request.0.pinFormat=$uid -request.agent.reject_request.num_plugins=0 
-request.user.create_request.num_plugins=2 -request.user.create_request.0.plugin=PKI::Request::Plugin::AutoAssign -request.user.create_request.0.assignTo=agents -request.user.create_request.1.plugin=PKI::Request::Plugin::EmailNotification -request.user.create_request.1.templateDir=/usr/share/pki/ra/conf -request.user.create_request.1.templateFile=mail_create_request.vm -request.user.create_request.1.mailTo= -request.user.approve_request.num_plugins=2 -request.user.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA -request.user.approve_request.0.ca=ca1 -request.user.approve_request.0.profileId=caDualRAuserCert -request.user.approve_request.0.reqType=crmf -request.user.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification -request.user.approve_request.1.mailTo=$created_by -request.user.approve_request.1.templateDir=/usr/share/pki/ra/conf -request.user.approve_request.1.templateFile=mail_approve_request.vm -request.user.reject_request.num_plugins=0 -request.server.create_request.num_plugins=2 -request.server.create_request.0.plugin=PKI::Request::Plugin::AutoAssign -request.server.create_request.0.assignTo=agents -request.server.create_request.1.plugin=PKI::Request::Plugin::EmailNotification -request.server.create_request.1.mailTo= -request.server.create_request.1.templateDir=/usr/share/pki/ra/conf -request.server.create_request.1.templateFile=mail_create_request.vm -request.server.approve_request.num_plugins=2 -request.server.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA -request.server.approve_request.0.ca=ca1 -request.server.approve_request.0.profileId=caRAserverCert -request.server.approve_request.0.reqType=pkcs10 -request.server.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification -request.server.approve_request.1.mailTo=$created_by -request.server.approve_request.1.templateDir=/usr/share/pki/ra/conf -request.server.approve_request.1.templateFile=mail_approve_request.vm -request.server.reject_request.num_plugins=0 
-cs.type=RA -service.machineName=[SERVER_NAME] -service.instanceDir=[SERVER_ROOT] -service.securePort=[SECURE_PORT] -service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT] -service.unsecurePort=[PORT] -service.instanceID=[PKI_INSTANCE_ID] -logging._000=######################################### -logging._001=# RA configuration File -logging._002=# -logging._003=# All <...> must be replaced with -logging._004=# appropriate values. -logging._005=######################################### -logging._006=######################################## -logging._007=# logging -logging._008=# -logging._009=# logging.debug.enable: -logging._010=# logging.audit.enable: -logging._011=# logging.error.enable: -logging._012=# - enable or disable the corresponding logging -logging._013=# logging.debug.filename: -logging._014=# logging.audit.filename: -logging._015=# logging.error.filename: -logging._016=# - name of the log file -logging._017=# logging.debug.level: -logging._018=# logging.audit.level: -logging._019=# logging.error.level: -logging._020=# - level of logging. (0-10) -logging._021=# 0 - no logging, -logging._022=# 4 - LL_PER_SERVER these messages will occur only once -logging._023=# during the entire invocation of the -logging._024=# server, e. g. at startup or shutdown -logging._025=# time., reading the conf parameters. -logging._026=# Perhaps other infrequent events -logging._027=# relating to failing over of CA, TKS, -logging._028=# too -logging._029=# 6 - LL_PER_CONNECTION these messages happen once per -logging._030=# connection - most of the log events -logging._031=# will be at this level -logging._032=# 8 - LL_PER_PDU these messages relate to PDU -logging._033=# processing. 
If you have something that -logging._034=# is done for every PDU, such as -logging._035=# applying the MAC, it should be logged -logging._036=# at this level -logging._037=# 9 - LL_ALL_DATA_IN_PDU dump all the data in the PDU - a more -logging._038=# chatty version of the above -logging._039=# 10 - all logging -logging._040=######################################### -logging.debug.enable=true -logging.debug.filename=[SERVER_ROOT]/logs/ra-debug.log -logging.debug.level=7 -logging.audit.enable=true -logging.audit.filename=[SERVER_ROOT]/logs/ra-audit.log -logging.audit.level=10 -logging.error.enable=true -logging.error.filename=[SERVER_ROOT]/logs/ra-error.log -logging.error.level=10 -conn.ca1._000=######################################### -conn.ca1._001=# CA connection -conn.ca1._002=# -conn.ca1._003=# conn.ca.hostport: -conn.ca1._004=# - host name and port number of your CA, format is host:port -conn.ca1._005=# conn.ca.clientNickname: -conn.ca1._006=# - nickname of the client certificate for -conn.ca1._007=# authentication -conn.ca1._008=# conn.ca.servlet.enrollment: -conn.ca1._009=# - servlet to contact in CA -conn.ca1._010=# - must be '/ca/ee/ca/profileSubmitSSLClient' -conn.ca1._008=# conn.ca.servlet.addagent: -conn.ca1._009=# - servlet to add ra agent on CA -conn.ca1._010=# - must be '/ca/admin/ca/registerRaUser -conn.ca1._011=# conn.ca.retryConnect: -conn.ca1._012=# - number of reconnection attempts on failure -conn.ca1._013=# conn.ca.timeout: -conn.ca1._014=# - connection timeout -conn.ca1._015=# conn.ca.SSLOn: -conn.ca1._016=# - enable SSL or not -conn.ca1._017=# conn.ca.keepAlive: -conn.ca1._018=# - enable keep alive or not -conn.ca1._019=# -conn.ca1._020=# where -conn.ca1._021=# - CA connection ID -conn.ca1._022=######################################### -failover.pod.enable=false -conn.ca1.hostport=[CA_HOST]:[CA_PORT] -conn.ca1.clientNickname=[HSM_LABEL][NICKNAME] -conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient 
-conn.ca1.servlet.addagent=/ca/admin/ca/registerRaUser -conn.ca1.servlet.revoke=/ca/subsystem/ca/doRevoke -conn.ca1.servlet.unrevoke=/ca/subsystem/ca/doUnrevoke -conn.ca1.retryConnect=3 -conn.ca1.timeout=100 -conn.ca1.SSLOn=true -conn.ca1.keepAlive=true -preop.pin=[PKI_RANDOM_NUMBER] -preop.product.version= -preop.cert._000=######################################### -preop.cert._001=# Installation configuration "preop" certs parameters -preop.cert._002=######################################### -preop.cert.list=sslserver,subsystem -preop.cert.sslserver.enable=true -preop.cert.subsystem.enable=true -preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA -preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID] -preop.cert.sslserver.keysize.customsize=2048 -preop.cert.sslserver.keysize.size=2048 -preop.cert.sslserver.keysize.select=custom -preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] -preop.cert.sslserver.profile=caInternalAuthServerCert -preop.cert.sslserver.subsystem=ra -preop.cert._003=#preop.cert.sslserver.type=local -preop.cert.sslserver.userfriendlyname=SSL Server Certificate -preop.cert._004=#preop.cert.sslserver.cncomponent.override=false -preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA -preop.cert.subsystem.dn=CN=RA Subsystem Certificate, OU=[PKI_INSTANCE_ID] -preop.cert.subsystem.keysize.customsize=2048 -preop.cert.subsystem.keysize.size=2048 -preop.cert.subsystem.keysize.select=custom -preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -preop.cert.subsystem.profile=caInternalAuthSubsystemCert -preop.cert.subsystem.subsystem=ra -preop.cert._005=#preop.cert.subsystem.type=local -preop.cert.subsystem.userfriendlyname=Subsystem Certificate -preop.cert._006=#preop.cert.subsystem.cncomponent.override=true -preop.configModules._000=######################################### -preop.configModules._001=# Installation configuration "preop" module parameters 
-preop.configModules._002=#########################################
-preop.configModules.count=3
-preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
-preop.configModules.module0.imagePath=../img/clearpixel.gif
-preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
-preop.configModules.module1.commonName=nfast
-preop.configModules.module1.imagePath=../img/clearpixel.gif
-preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
-preop.configModules.module2.commonName=lunasa
-preop.configModules.module2.imagePath=../img/clearpixel.gif
-preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
-preop.module.token=NSS Certificate DB
-preop.keysize._000=#########################################
-preop.keysize._001=# Installation configuration "preop" keysize parameters
-preop.keysize._002=#########################################
-preop.keysize.customsize=2048
-preop.keysize.select=default
-preop.keysize.size=2048
-preop.keysize.ecc.size=256
diff --git a/pki/base/ra/doc/CS.cfg.in b/pki/base/ra/doc/CS.cfg.in
index fd564abb..4fea4674 100644
--- a/pki/base/ra/doc/CS.cfg.in
+++ b/pki/base/ra/doc/CS.cfg.in
@@ -16,15 +16,15 @@
 # All rights reserved.
 # --- END COPYRIGHT BLOCK ---
 #
-pkicreate.pki_instance_root=[INSTANCE_ROOT]
-pkicreate.pki_instance_name=[INSTANCE_ID]
-pkicreate.subsystem_type=[SUBSYSTEM_TYPE]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
 pkicreate.secure_port=[SECURE_PORT]
 pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
 pkicreate.unsecure_port=[PORT]
-pkicreate.user=[USERID]
-pkicreate.group=[GROUPID]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 request._000=#########################################
 request._001=# Request Queue Parameters
 request._002=#########################################
@@ -115,7 +115,7 @@ service.instanceDir=[SERVER_ROOT]
 service.securePort=[SECURE_PORT]
 service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
 service.unsecurePort=[PORT]
-service.instanceID=[INSTANCE_ID]
+service.instanceID=[PKI_INSTANCE_ID]
 logging._000=#########################################
 logging._001=# RA configuration File
 logging._002=#
@@ -211,23 +211,23 @@ preop.cert._002=#########################################
 preop.cert.list=sslserver,subsystem
 preop.cert.sslserver.enable=true
 preop.cert.subsystem.enable=true
-preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[INSTANCE_ID]
+preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
 preop.cert.sslserver.keysize.customsize=2048
 preop.cert.sslserver.keysize.size=2048
 preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[INSTANCE_ID]
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
 preop.cert.sslserver.profile=caInternalAuthServerCert
 preop.cert.sslserver.subsystem=ra
 preop.cert._003=#preop.cert.sslserver.type=local
 preop.cert.sslserver.userfriendlyname=SSL Server Certificate
 preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
-preop.cert.subsystem.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.subsystem.dn=CN=RA Subsystem Certificate, OU=[INSTANCE_ID]
+preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.subsystem.dn=CN=RA Subsystem Certificate, OU=[PKI_INSTANCE_ID]
 preop.cert.subsystem.keysize.customsize=2048
 preop.cert.subsystem.keysize.size=2048
 preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 preop.cert.subsystem.profile=caInternalAuthSubsystemCert
 preop.cert.subsystem.subsystem=ra
 preop.cert._005=#preop.cert.subsystem.type=local
diff --git a/pki/base/tks/CMakeLists.txt b/pki/base/tks/CMakeLists.txt
index 023aaa02..0f1221ea 100644
--- a/pki/base/tks/CMakeLists.txt
+++ b/pki/base/tks/CMakeLists.txt
@@ -2,6 +2,7 @@ project(tks Java)
 add_subdirectory(src)
 add_subdirectory(setup)
+add_subdirectory(shared/conf)
 # install init script
 install(
@@ -25,6 +26,8 @@ install(
 "CMakeLists.txt" EXCLUDE
 PATTERN
 "etc/*" EXCLUDE
+ PATTERN
+ "CS.cfg.in" EXCLUDE
 )
 # install empty directories
diff --git a/pki/base/tks/shared/conf/CMakeLists.txt b/pki/base/tks/shared/conf/CMakeLists.txt
new file mode 100644
index 00000000..e3cef591
--- /dev/null
+++ b/pki/base/tks/shared/conf/CMakeLists.txt
@@ -0,0 +1,12 @@
+set(VERSION ${APPLICATION_VERSION})
+set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR})
+set(MINOR_VERSION ${APPLICATION_VERSION_MINOR})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+ FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
diff --git a/pki/base/tks/shared/conf/CS.cfg b/pki/base/tks/shared/conf/CS.cfg
deleted file mode 100644
index 55689d70..00000000
--- a/pki/base/tks/shared/conf/CS.cfg
+++ /dev/null
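Review bot: The new tks/shared/conf/CMakeLists.txt gives no hint what `VERSION`, `MAJOR_VERSION` and `MINOR_VERSION` are for; nothing in the file reads them, so presumably CS.cfg.in contains `@VERSION@`-style tokens that `configure_file(... @ONLY)` expands, while the `[PKI_*]` bracket placeholders seen in the removed CS.cfg are left for the instance-creation tooling — that split deserves a header comment such as `# Render CS.cfg from CS.cfg.in: @VAR@ tokens are filled here at configure time, [PKI_*] tokens later at instance creation`. The three generic variable names are directory-scoped rather than cache entries, so they do not leak upward, but a project-prefixed name would make it obvious they exist only to feed the template. The `PATTERN "CS.cfg.in" EXCLUDE` added in the tks/CMakeLists.txt hunk just above is the necessary counterpart, keeping the unrendered template out of the share tree now that the rendered file is installed from the binary dir.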
@@ -1,343 +0,0 @@ -# --- BEGIN COPYRIGHT BLOCK --- -# Copyright (C) 2006 Red Hat, Inc. -# All rights reserved. -# --- END COPYRIGHT BLOCK --- -# -_000=## -_001=## File Created On : Mon Oct 10 15:57:03 PDT 2005 -_002=## -pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] -pkicreate.pki_instance_name=[PKI_INSTANCE_ID] -pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] -pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT] -pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT] -pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT] -pkicreate.secure_port=[PKI_SECURE_PORT] -pkicreate.unsecure_port=[PKI_UNSECURE_PORT] -pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT] -pkicreate.user=[PKI_USER] -pkicreate.group=[PKI_GROUP] -pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -installDate=[INSTALL_TIME] -cs.type=TKS -admin.interface.uri=tks/admin/console/config/wizard -preop.admin.name=Token Key Service Manager Administrator -preop.admin.group=Token Key Service Manager Agents -preop.admincert.profile=caAdminCert -preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445 -preop.wizard.name=TKS Setup Wizard -preop.system.name=TKS -preop.product.name=CS -preop.product.version= -preop.system.fullname=Token Key Service -tks.cert.list=sslserver,subsystem,audit_signing -preop.cert.list=sslserver,subsystem,audit_signing -preop.cert.sslserver.enable=true -preop.cert.subsystem.enable=true -preop.cert.audit_signing.enable=true -preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA -preop.cert.audit_signing.dn=CN=TKS Audit Signing Certificate -preop.cert.audit_signing.keysize.custom_size=2048 -preop.cert.audit_signing.keysize.size=2048 -preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID] -preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert -preop.cert.audit_signing.signing.required=false -preop.cert.audit_signing.subsystem=tks -preop.cert.audit_signing.type=remote -preop.cert.audit_signing.userfriendlyname=TKS Audit Signing Certificate 
-preop.cert.audit_signing.cncomponent.override=true -preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA -preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME] -preop.cert.sslserver.keysize.custom_size=2048 -preop.cert.sslserver.keysize.size=2048 -preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] -preop.cert.sslserver.profile=caInternalAuthServerCert -preop.cert.sslserver.signing.required=false -preop.cert.sslserver.subsystem=tks -preop.cert.sslserver.type=remote -preop.cert.sslserver.userfriendlyname=SSL Server Certificate -preop.cert.sslserver.cncomponent.override=false -preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA -preop.cert.subsystem.dn=CN=TKS Subsystem Certificate -preop.cert.subsystem.keysize.custom_size=2048 -preop.cert.subsystem.keysize.size=2048 -preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -preop.cert.subsystem.profile=caInternalAuthSubsystemCert -preop.cert.subsystem.signing.required=false -preop.cert.subsystem.subsystem=tks -preop.cert.subsystem.type=remote -preop.cert.subsystem.userfriendlyname=Subsystem Certificate -preop.cert.subsystem.cncomponent.override=true -preop.cert.admin.defaultSigningAlgorithm=SHA256withRSA -preop.cert.admin.dn=uid=admin,cn=admin -preop.cert.admin.keysize.custom_size=2048 -preop.cert.admin.keysize.size=2048 -preop.cert.admin.profile=adminCert.profile -preop.hierarchy.profile=caCert.profile -preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module -preop.configModules.module0.commonName=NSS Internal PKCS #11 Module -preop.configModules.module0.imagePath=../img/clearpixel.gif -preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module -preop.configModules.module1.commonName=nfast -preop.configModules.module1.imagePath=../img/clearpixel.gif -preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module -preop.configModules.module2.commonName=lunasa -preop.configModules.module2.imagePath=../img/clearpixel.gif 
-preop.configModules.count=3 -preop.module.token=Internal Key Storage Token -cs.state=0 -authType=pwd -instanceRoot=[PKI_INSTANCE_PATH] -machineName=[PKI_MACHINE_NAME] -instanceId=[PKI_INSTANCE_ID] -preop.pin=[PKI_RANDOM_NUMBER] -service.machineName=[PKI_MACHINE_NAME] -service.instanceDir=[PKI_INSTANCE_ROOT] -service.securePort=[PKI_AGENT_SECURE_PORT] -service.non_clientauth_securePort=[PKI_EE_SECURE_PORT] -service.unsecurePort=[PKI_UNSECURE_PORT] -service.instanceID=[PKI_INSTANCE_ID] -passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf -passwordClass=com.netscape.cmsutil.password.PlainPasswordFile -multiroles=true -multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group -CrossCertPair._000=## -CrossCertPair._001=## CrossCertPair Import -CrossCertPair._002=## -CrossCertPair.ldap=internaldb -accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator -accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator -accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator -auths._000=## -auths._001=## new authentication -auths._002=## -auths.impl._000=## -auths.impl._001=## authentication manager implementations -auths.impl._002=## -auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication -auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth -auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth -auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll -auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication 
-auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication -auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication -auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication -auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents -auths.instance.AgentCertAuth.pluginName=AgentCertAuth -auths.instance.TokenAuth.pluginName=TokenAuth -auths.revocationChecking.bufferSize=50 -authz._000=## -authz._001=## new authorizatioin -authz._002=## -authz.evaluateOrder=deny,allow -authz.sourceType=ldap -authz.impl._000=## -authz.impl._001=## authorization manager implementations -authz.impl._002=## -authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz -authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz -authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz -authz.instance.DirAclAuthz.ldap=internaldb -authz.instance.DirAclAuthz.pluginName=DirAclAuthz -authz.instance.DirAclAuthz.ldap._000=## -authz.instance.DirAclAuthz.ldap._001=## Internal Database -authz.instance.DirAclAuthz.ldap._002=## -cardcryptogram.validate.enable=true -cmc.cert.confirmRequired=false -cmc.lraPopWitness.verify.allow=true -cmc.revokeCert.verify=true -cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret -cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret -cms.version= -dbs.ldap=internaldb -dbs.newSchemaEntryAdded=true -debug.append=true -debug.enabled=true -debug.filename=[PKI_INSTANCE_PATH]/logs/debug -debug.hashkeytypes= -debug.level=0 -debug.showcaller=false 
-keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 -keys.ecc.curve.default=nistp521 -keys.rsa.keysize.default=2048 -internaldb._000=## -internaldb._001=## Internal Database -internaldb._002=## -internaldb.maxConns=15 -internaldb.minConns=3 -internaldb.ldapauth.authtype=BasicAuth -internaldb.ldapauth.bindDN=cn=Directory Manager -internaldb.ldapauth.bindPWPrompt=Internal LDAP Database -internaldb.ldapauth.clientCertNickname= -internaldb.ldapconn.host= -internaldb.ldapconn.port= -internaldb.ldapconn.secureConn=false -preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/schema.ldif -preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/database.ldif -preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/db.ldif,/usr/share/[PKI_FLAVOR]/tks/conf/acl.ldif -preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/index.ldif -preop.internaldb.post_ldif= -preop.internaldb.wait_dn= -internaldb.multipleSuffix.enable=false -jss._000=## -jss._001=## JSS -jss._002=## -jss.configDir=[PKI_INSTANCE_PATH]/alias/ -jss.enable=true -jss.secmodName=secmod.db -jss.ocspcheck.enable=false -jss.ssl.cipherfortezza=true -jss.ssl.cipherpref= -jss.ssl.cipherversion=cipherdomestic -log._000=## -log._001=## Logging -log._002=## -log.impl.file.class=com.netscape.cms.logging.RollingLogFile 
-log.instance.SignedAudit._000=## -log.instance.SignedAudit._001=## Signed Audit Logging -log.instance.SignedAudit._002=## -log.instance.SignedAudit.bufferSize=512 -log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events._000=## -log.instance.SignedAudit.events._001=## Available Audit events: -log.instance.SignedAudit.events._002=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION -log.instance.SignedAudit.events._003=## -log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION -log.instance.SignedAudit.expirationTime=0 -log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/tks_cert-tks_audit -log.instance.SignedAudit.flushInterval=5 -log.instance.SignedAudit.level=1 -log.instance.SignedAudit.logSigning=false -log.instance.SignedAudit.maxFileSize=2000 -log.instance.SignedAudit.pluginName=file -log.instance.SignedAudit.rolloverInterval=2592000 -log.instance.SignedAudit.signedAudit:_000=## -log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow TKS audit logs to be signed -log.instance.SignedAudit.signedAudit:_002=## -log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID] -log.instance.SignedAudit.type=signedAudit -log.instance.System._000=## -log.instance.System._001=## System Logging -log.instance.System._002=## -log.instance.System.bufferSize=512 -log.instance.System.enable=true -log.instance.System.expirationTime=0 -log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system -log.instance.System.flushInterval=5 -log.instance.System.level=3 -log.instance.System.maxFileSize=2000 -log.instance.System.pluginName=file -log.instance.System.rolloverInterval=2592000 -log.instance.System.type=system -log.instance.Transactions._000=## -log.instance.Transactions._001=## Transaction Logging -log.instance.Transactions._002=## -log.instance.Transactions.bufferSize=512 -log.instance.Transactions.enable=true -log.instance.Transactions.expirationTime=0 
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions -log.instance.Transactions.flushInterval=5 -log.instance.Transactions.level=1 -log.instance.Transactions.maxFileSize=2000 -log.instance.Transactions.pluginName=file -log.instance.Transactions.rolloverInterval=2592000 -log.instance.Transactions.type=transaction -logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access -logError.fileName=[PKI_INSTANCE_PATH]/logs/error -oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension -oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1 -oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword -oidmap.challenge_password.oid=1.2.840.113549.1.9.7 -oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension -oidmap.extended_key_usage.oid=2.5.29.37 -oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested -oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14 -oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested -oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8 -oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension -oidmap.netscape_comment.oid=2.16.840.1.113730.1.13 -oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension -oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5 -oidmap.pse.class=netscape.security.extensions.PresenceServerExtension -oidmap.pse.oid=2.16.840.1.113730.1.18 -oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension -oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 -os.serverName=cert-[PKI_INSTANCE_ID] -os.userid=nobody -registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg -selftests._000=## -selftests._001=## Self Tests -selftests._002=## -selftests._003=## The Self-Test plugin SystemCertsVerification uses the -selftests._004=## following parameters (where certusage is optional): -selftests._005=## 
tks.cert.list = -selftests._006=## tks.cert..nickname -selftests._007=## tks.cert..certusage -selftests._008=## -selftests.container.instance.TKSKnownSessionKey=com.netscape.cms.selftests.tks.TKSKnownSessionKey -selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification -selftests.container.logger.bufferSize=512 -selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile -selftests.container.logger.enable=true -selftests.container.logger.expirationTime=0 -selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log -selftests.container.logger.flushInterval=5 -selftests.container.logger.level=1 -selftests.container.logger.maxFileSize=2000 -selftests.container.logger.register=false -selftests.container.logger.rolloverInterval=2592000 -selftests.container.logger.type=transaction -selftests.container.order.onDemand=TKSKnownSessionKey:critical, SystemCertsVerification:critical -selftests.container.order.startup=TKSKnownSessionKey:critical, SystemCertsVerification:critical -selftests.plugin.TKSKnownSessionKey.CUID=#a0#01#92#03#04#05#06#07#08#c9 -selftests.plugin.TKSKnownSessionKey.TksSubId=tks -selftests.plugin.TKSKnownSessionKey.cardChallenge=#bd#6d#19#85#6e#54#0f#cd -selftests.plugin.TKSKnownSessionKey.hostChallenge=#77#57#62#e4#5e#23#66#7d -selftests.plugin.TKSKnownSessionKey.keyName=#01#01 -selftests.plugin.TKSKnownSessionKey.macKey=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f -selftests.plugin.TKSKnownSessionKey.sessionKey=#d1#be#b8#26#dc#56#20#25#8c#93#e7#de#f0#ab#4f#5b -selftests.plugin.TKSKnownSessionKey.token=Internal Key Storage Token -selftests.plugin.TKSKnownSessionKey.useSoftToken=true -selftests.plugin.SystemCertsVerification.SubId=tks -smtp.host=localhost -smtp.port=25 -subsystem.0.class=com.netscape.tks.TKSAuthority -subsystem.0.id=tks -subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem -subsystem.1.id=selftests 
-subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem -subsystem.2.id=stats -tks._000=## -tks._001=## TKS -tks._002=## -tks._003=## -tks.debug=false -tks.defaultSlot=Internal Key Storage Token -tks.drm_transport_cert_nickname= -tks.master_key_prefix= -tks.useDefaultSlot=true -usrgrp._000=## -usrgrp._001=## User/Group -usrgrp._002=## -usrgrp.ldap=internaldb -tks.defKeySet._000=## -tks.defKeySet._001=## Axalto default key set: -tks.defKeySet._002=## -tks.defKeySet._003=## tks.defKeySet.mk_mappings.#02#01=: -tks.defKeySet._004=## -tks.defKeySet.auth_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f -tks.defKeySet.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f -tks.defKeySet.kek_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f -tks.jForte._000=## -tks.jForte._001=## SAFLink's jForte default key set: -tks.jForte._002=## -tks.jForte._003=## tks.jForte.mk_mappings.#02#01=: -tks.jForte._004=## -tks.jForte.auth_key=#30#31#32#33#34#35#36#37#38#39#3a#3b#3c#3d#3e#3f -tks.jForte.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f -tks.jForte.kek_key=#50#51#52#53#54#55#56#57#58#59#5a#5b#5c#5d#5e#5f -multiroles._000=## -multiroles._001=## multiroles -multiroles._002=## -multiroles.enable=true -multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group diff --git a/pki/base/tks/shared/conf/CS.cfg.in b/pki/base/tks/shared/conf/CS.cfg.in new file mode 100644 index 00000000..1b5d89ea --- /dev/null +++ b/pki/base/tks/shared/conf/CS.cfg.in 
@@ -0,0 +1,343 @@ +# --- BEGIN COPYRIGHT BLOCK --- +# Copyright (C) 2006 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +_000=## +_001=## File Created On : Mon Oct 10 15:57:03 PDT 2005 +_002=## +pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] +pkicreate.pki_instance_name=[PKI_INSTANCE_ID] +pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] +pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT] +pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT] +pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT] +pkicreate.secure_port=[PKI_SECURE_PORT] +pkicreate.unsecure_port=[PKI_UNSECURE_PORT] +pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT] +pkicreate.user=[PKI_USER] +pkicreate.group=[PKI_GROUP] +pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] +installDate=[INSTALL_TIME] +cs.type=TKS +admin.interface.uri=tks/admin/console/config/wizard +preop.admin.name=Token Key Service Manager Administrator +preop.admin.group=Token Key Service Manager Agents +preop.admincert.profile=caAdminCert +preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445 +preop.wizard.name=TKS Setup Wizard +preop.system.name=TKS +preop.product.name=CS +preop.product.version=@VERSION@ +preop.system.fullname=Token Key Service +tks.cert.list=sslserver,subsystem,audit_signing +preop.cert.list=sslserver,subsystem,audit_signing +preop.cert.sslserver.enable=true +preop.cert.subsystem.enable=true +preop.cert.audit_signing.enable=true +preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA +preop.cert.audit_signing.dn=CN=TKS Audit Signing Certificate +preop.cert.audit_signing.keysize.custom_size=2048 +preop.cert.audit_signing.keysize.size=2048 +preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID] +preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert +preop.cert.audit_signing.signing.required=false +preop.cert.audit_signing.subsystem=tks +preop.cert.audit_signing.type=remote +preop.cert.audit_signing.userfriendlyname=TKS Audit Signing 
Certificate +preop.cert.audit_signing.cncomponent.override=true +preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA +preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME] +preop.cert.sslserver.keysize.custom_size=2048 +preop.cert.sslserver.keysize.size=2048 +preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] +preop.cert.sslserver.profile=caInternalAuthServerCert +preop.cert.sslserver.signing.required=false +preop.cert.sslserver.subsystem=tks +preop.cert.sslserver.type=remote +preop.cert.sslserver.userfriendlyname=SSL Server Certificate +preop.cert.sslserver.cncomponent.override=false +preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA +preop.cert.subsystem.dn=CN=TKS Subsystem Certificate +preop.cert.subsystem.keysize.custom_size=2048 +preop.cert.subsystem.keysize.size=2048 +preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] +preop.cert.subsystem.profile=caInternalAuthSubsystemCert +preop.cert.subsystem.signing.required=false +preop.cert.subsystem.subsystem=tks +preop.cert.subsystem.type=remote +preop.cert.subsystem.userfriendlyname=Subsystem Certificate +preop.cert.subsystem.cncomponent.override=true +preop.cert.admin.defaultSigningAlgorithm=SHA256withRSA +preop.cert.admin.dn=uid=admin,cn=admin +preop.cert.admin.keysize.custom_size=2048 +preop.cert.admin.keysize.size=2048 +preop.cert.admin.profile=adminCert.profile +preop.hierarchy.profile=caCert.profile +preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module +preop.configModules.module0.commonName=NSS Internal PKCS #11 Module +preop.configModules.module0.imagePath=../img/clearpixel.gif +preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module +preop.configModules.module1.commonName=nfast +preop.configModules.module1.imagePath=../img/clearpixel.gif +preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module +preop.configModules.module2.commonName=lunasa 
+preop.configModules.module2.imagePath=../img/clearpixel.gif +preop.configModules.count=3 +preop.module.token=Internal Key Storage Token +cs.state=0 +authType=pwd +instanceRoot=[PKI_INSTANCE_PATH] +machineName=[PKI_MACHINE_NAME] +instanceId=[PKI_INSTANCE_ID] +preop.pin=[PKI_RANDOM_NUMBER] +service.machineName=[PKI_MACHINE_NAME] +service.instanceDir=[PKI_INSTANCE_ROOT] +service.securePort=[PKI_AGENT_SECURE_PORT] +service.non_clientauth_securePort=[PKI_EE_SECURE_PORT] +service.unsecurePort=[PKI_UNSECURE_PORT] +service.instanceID=[PKI_INSTANCE_ID] +passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf +passwordClass=com.netscape.cmsutil.password.PlainPasswordFile +multiroles=true +multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group +CrossCertPair._000=## +CrossCertPair._001=## CrossCertPair Import +CrossCertPair._002=## +CrossCertPair.ldap=internaldb +accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator +accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator +accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator +auths._000=## +auths._001=## new authentication +auths._002=## +auths.impl._000=## +auths.impl._001=## authentication manager implementations +auths.impl._002=## +auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication +auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth +auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth +auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll 
+auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication +auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication +auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication +auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication +auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents +auths.instance.AgentCertAuth.pluginName=AgentCertAuth +auths.instance.TokenAuth.pluginName=TokenAuth +auths.revocationChecking.bufferSize=50 +authz._000=## +authz._001=## new authorizatioin +authz._002=## +authz.evaluateOrder=deny,allow +authz.sourceType=ldap +authz.impl._000=## +authz.impl._001=## authorization manager implementations +authz.impl._002=## +authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz +authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz +authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz +authz.instance.DirAclAuthz.ldap=internaldb +authz.instance.DirAclAuthz.pluginName=DirAclAuthz +authz.instance.DirAclAuthz.ldap._000=## +authz.instance.DirAclAuthz.ldap._001=## Internal Database +authz.instance.DirAclAuthz.ldap._002=## +cardcryptogram.validate.enable=true +cmc.cert.confirmRequired=false +cmc.lraPopWitness.verify.allow=true +cmc.revokeCert.verify=true +cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret +cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret +cms.version=@MAJOR_VERSION@.@MINOR_VERSION@ +dbs.ldap=internaldb +dbs.newSchemaEntryAdded=true +debug.append=true +debug.enabled=true +debug.filename=[PKI_INSTANCE_PATH]/logs/debug +debug.hashkeytypes= +debug.level=0 +debug.showcaller=false 
+keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 +keys.ecc.curve.default=nistp521 +keys.rsa.keysize.default=2048 +internaldb._000=## +internaldb._001=## Internal Database +internaldb._002=## +internaldb.maxConns=15 +internaldb.minConns=3 +internaldb.ldapauth.authtype=BasicAuth +internaldb.ldapauth.bindDN=cn=Directory Manager +internaldb.ldapauth.bindPWPrompt=Internal LDAP Database +internaldb.ldapauth.clientCertNickname= +internaldb.ldapconn.host= +internaldb.ldapconn.port= +internaldb.ldapconn.secureConn=false +preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/schema.ldif +preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/database.ldif +preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/db.ldif,/usr/share/[PKI_FLAVOR]/tks/conf/acl.ldif +preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/index.ldif +preop.internaldb.post_ldif= +preop.internaldb.wait_dn= +internaldb.multipleSuffix.enable=false +jss._000=## +jss._001=## JSS +jss._002=## +jss.configDir=[PKI_INSTANCE_PATH]/alias/ +jss.enable=true +jss.secmodName=secmod.db +jss.ocspcheck.enable=false +jss.ssl.cipherfortezza=true +jss.ssl.cipherpref= +jss.ssl.cipherversion=cipherdomestic +log._000=## +log._001=## Logging +log._002=## +log.impl.file.class=com.netscape.cms.logging.RollingLogFile 
+log.instance.SignedAudit._000=## +log.instance.SignedAudit._001=## Signed Audit Logging +log.instance.SignedAudit._002=## +log.instance.SignedAudit.bufferSize=512 +log.instance.SignedAudit.enable=true +log.instance.SignedAudit.events._000=## +log.instance.SignedAudit.events._001=## Available Audit events: +log.instance.SignedAudit.events._002=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION +log.instance.SignedAudit.events._003=## +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION +log.instance.SignedAudit.expirationTime=0 +log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/tks_cert-tks_audit +log.instance.SignedAudit.flushInterval=5 +log.instance.SignedAudit.level=1 +log.instance.SignedAudit.logSigning=false +log.instance.SignedAudit.maxFileSize=2000 +log.instance.SignedAudit.pluginName=file +log.instance.SignedAudit.rolloverInterval=2592000 +log.instance.SignedAudit.signedAudit:_000=## +log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow TKS audit logs to be signed +log.instance.SignedAudit.signedAudit:_002=## +log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID] +log.instance.SignedAudit.type=signedAudit +log.instance.System._000=## +log.instance.System._001=## System Logging +log.instance.System._002=## +log.instance.System.bufferSize=512 +log.instance.System.enable=true +log.instance.System.expirationTime=0 +log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system +log.instance.System.flushInterval=5 +log.instance.System.level=3 +log.instance.System.maxFileSize=2000 +log.instance.System.pluginName=file +log.instance.System.rolloverInterval=2592000 +log.instance.System.type=system +log.instance.Transactions._000=## +log.instance.Transactions._001=## Transaction Logging +log.instance.Transactions._002=## +log.instance.Transactions.bufferSize=512 +log.instance.Transactions.enable=true +log.instance.Transactions.expirationTime=0 
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions +log.instance.Transactions.flushInterval=5 +log.instance.Transactions.level=1 +log.instance.Transactions.maxFileSize=2000 +log.instance.Transactions.pluginName=file +log.instance.Transactions.rolloverInterval=2592000 +log.instance.Transactions.type=transaction +logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access +logError.fileName=[PKI_INSTANCE_PATH]/logs/error +oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension +oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1 +oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword +oidmap.challenge_password.oid=1.2.840.113549.1.9.7 +oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension +oidmap.extended_key_usage.oid=2.5.29.37 +oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested +oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14 +oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested +oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8 +oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension +oidmap.netscape_comment.oid=2.16.840.1.113730.1.13 +oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension +oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5 +oidmap.pse.class=netscape.security.extensions.PresenceServerExtension +oidmap.pse.oid=2.16.840.1.113730.1.18 +oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension +oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 +os.serverName=cert-[PKI_INSTANCE_ID] +os.userid=nobody +registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg +selftests._000=## +selftests._001=## Self Tests +selftests._002=## +selftests._003=## The Self-Test plugin SystemCertsVerification uses the +selftests._004=## following parameters (where certusage is optional): +selftests._005=## 
tks.cert.list = +selftests._006=## tks.cert..nickname +selftests._007=## tks.cert..certusage +selftests._008=## +selftests.container.instance.TKSKnownSessionKey=com.netscape.cms.selftests.tks.TKSKnownSessionKey +selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification +selftests.container.logger.bufferSize=512 +selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile +selftests.container.logger.enable=true +selftests.container.logger.expirationTime=0 +selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log +selftests.container.logger.flushInterval=5 +selftests.container.logger.level=1 +selftests.container.logger.maxFileSize=2000 +selftests.container.logger.register=false +selftests.container.logger.rolloverInterval=2592000 +selftests.container.logger.type=transaction +selftests.container.order.onDemand=TKSKnownSessionKey:critical, SystemCertsVerification:critical +selftests.container.order.startup=TKSKnownSessionKey:critical, SystemCertsVerification:critical +selftests.plugin.TKSKnownSessionKey.CUID=#a0#01#92#03#04#05#06#07#08#c9 +selftests.plugin.TKSKnownSessionKey.TksSubId=tks +selftests.plugin.TKSKnownSessionKey.cardChallenge=#bd#6d#19#85#6e#54#0f#cd +selftests.plugin.TKSKnownSessionKey.hostChallenge=#77#57#62#e4#5e#23#66#7d +selftests.plugin.TKSKnownSessionKey.keyName=#01#01 +selftests.plugin.TKSKnownSessionKey.macKey=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f +selftests.plugin.TKSKnownSessionKey.sessionKey=#d1#be#b8#26#dc#56#20#25#8c#93#e7#de#f0#ab#4f#5b +selftests.plugin.TKSKnownSessionKey.token=Internal Key Storage Token +selftests.plugin.TKSKnownSessionKey.useSoftToken=true +selftests.plugin.SystemCertsVerification.SubId=tks +smtp.host=localhost +smtp.port=25 +subsystem.0.class=com.netscape.tks.TKSAuthority +subsystem.0.id=tks +subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem +subsystem.1.id=selftests 
+subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem +subsystem.2.id=stats +tks._000=## +tks._001=## TKS +tks._002=## +tks._003=## +tks.debug=false +tks.defaultSlot=Internal Key Storage Token +tks.drm_transport_cert_nickname= +tks.master_key_prefix= +tks.useDefaultSlot=true +usrgrp._000=## +usrgrp._001=## User/Group +usrgrp._002=## +usrgrp.ldap=internaldb +tks.defKeySet._000=## +tks.defKeySet._001=## Axalto default key set: +tks.defKeySet._002=## +tks.defKeySet._003=## tks.defKeySet.mk_mappings.#02#01=: +tks.defKeySet._004=## +tks.defKeySet.auth_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f +tks.defKeySet.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f +tks.defKeySet.kek_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f +tks.jForte._000=## +tks.jForte._001=## SAFLink's jForte default key set: +tks.jForte._002=## +tks.jForte._003=## tks.jForte.mk_mappings.#02#01=: +tks.jForte._004=## +tks.jForte.auth_key=#30#31#32#33#34#35#36#37#38#39#3a#3b#3c#3d#3e#3f +tks.jForte.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f +tks.jForte.kek_key=#50#51#52#53#54#55#56#57#58#59#5a#5b#5c#5d#5e#5f +multiroles._000=## +multiroles._001=## multiroles +multiroles._002=## +multiroles.enable=true +multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group diff --git a/pki/base/tks/src/CMakeLists.txt b/pki/base/tks/src/CMakeLists.txt index ac7acb88..6178dd3f 100644 --- a/pki/base/tks/src/CMakeLists.txt +++ b/pki/base/tks/src/CMakeLists.txt 
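Review bot: The new template ships `log.instance.SignedAudit.logSigning=false` and the `tks.defKeySet.*` / `tks.jForte.*` key material without any marker that these are install-time placeholders, so an instance generated from it runs with unsigned audit logs and what look like the public GlobalPlatform test keys (`#40#41…#4f`) until an administrator edits CS.cfg by hand. Since this file is now the single source every TKS instance is generated from, it is the right place to say so; following the file's own `_NNN=##` comment convention, a line such as `tks.defKeySet._005=## Default test key set - replace with the deployment's master keys before use` under the `tks.defKeySet` block (and a matching one under `tks.jForte`) would do. If the intent is that pkicreate or the setup wizard overwrites these values, a comment stating that is just as useful.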
@@ -1,32 +1,95 @@ project(tks_java Java) -find_file(JSS_JAR +# '/usr/share/java/pki' jars +find_file(CERTSRV_JAR NAMES - jss4.jar + certsrv.jar + PATHS + /usr/share/java/pki +) + +find_file(CMS_JAR + NAMES + cms.jar + PATHS + /usr/share/java/pki +) + +find_file(CMSCORE_JAR + NAMES + cmscore.jar + PATHS + /usr/share/java/pki +) + +find_file(CMSUTIL_JAR + NAMES + cmsutil.jar + PATHS + /usr/share/java/pki +) + +find_file(NSUTIL_JAR + NAMES + nsutil.jar PATHS /usr/lib/java - /usr/share/java + /usr/share/java/pki ) + +# '/usr/share/java' jars find_file(LDAPJDK_JAR NAMES ldapjdk.jar PATHS - /usr/lib/java /usr/share/java ) + +# '/usr/lib/java' jars +find_file(JSS_JAR + NAMES + jss4.jar + PATHS + /usr/lib/java +) + +find_file(OSUTIL_JAR + NAMES + osutil.jar + PATHS + /usr/lib/java +) + +find_file(SYMKEY_JAR + NAMES + symkey.jar + PATHS + /usr/lib/java +) + + +# identify java sources set(tks_java_SRCS com/netscape/tks/TKSAuthority.java ) + +# set classpath set(CMAKE_JAVA_INCLUDE_PATH - ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR} ${CMSUTIL_JAR} - ${OSUTIL_JAR} ${SYMKEY_JAR} ${CMS_JAR} ${CMSCORE_JAR} - ${CERTSRV_JAR}) + ${CERTSRV_JAR} ${CMS_JAR} ${CMSCORE_JAR} ${CMSUTIL_JAR} ${NSUTIL_JAR} + ${LDAPJDK_JAR} + ${JSS_JAR} ${OSUTIL_JAR} ${SYMKEY_JAR}) + + +# set version set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION}) + +# build tks.jar add_jar(tks ${tks_java_SRCS}) -add_dependencies(tks nsutil cmsutil osutil symkey cms cmscore certsrv) +add_dependencies(tks osutil symkey nsutil cmsutil certsrv cms cmscore) install_jar(tks ${JAVA_JAR_INSTALL_DIR}) set(TKS_JAR ${tks_JAR_FILE} CACHE INTERNAL "tks jar file") + diff --git a/pki/base/tps/CMakeLists.txt b/pki/base/tps/CMakeLists.txt index 05c3a0ac..0ccce633 100644 --- a/pki/base/tps/CMakeLists.txt +++ b/pki/base/tps/CMakeLists.txt 
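Review bot: None of the nine `find_file` results is checked before being spliced into `CMAKE_JAVA_INCLUDE_PATH`, so a jar missing from `/usr/share/java/pki`, `/usr/share/java` or `/usr/lib/java` becomes a literal `CERTSRV_JAR-NOTFOUND` classpath entry and the failure surfaces only as an unrelated javac error, or not at all if another jar on the path happens to provide the classes. A guard after the last `find_file` and before `set(CMAKE_JAVA_INCLUDE_PATH …)` makes the configure step fail naming the missing jar instead; on CMake versions that support it, `find_file(... REQUIRED)` is the one-line equivalent. Separately, `add_dependencies(tks osutil symkey nsutil cmsutil certsrv cms cmscore)` orders the build after the in-tree jar targets, yet the classpath points at the system-installed copies, so — if those targets build the same jars, as their names suggest — `tks.jar` is compiled against whatever is already installed rather than what was just built; a comment stating which is intended would help the next packager.
```cmake
# … unchanged: find_file(SYMKEY_JAR …) …

# fail at configure time if a prerequisite jar was not found, instead of
# passing "<VAR>-NOTFOUND" to javac as a classpath entry
foreach(jar_var CERTSRV_JAR CMS_JAR CMSCORE_JAR CMSUTIL_JAR NSUTIL_JAR
                LDAPJDK_JAR JSS_JAR OSUTIL_JAR SYMKEY_JAR)
    if(NOT ${jar_var})
        message(FATAL_ERROR "${jar_var}: required jar not found")
    endif()
endforeach()

# … unchanged: set(tks_java_SRCS …) and the rest of the file …
```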
@@ -12,18 +12,47 @@ install( FILES etc/init.d/pki-tpsd DESTINATION - ${SYSCONF_INSTALL_DIR}/init.d + ${SYSCONF_INSTALL_DIR}/rc.d/init.d PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ GROUP_EXECUTE GROUP_READ WORLD_EXECUTE WORLD_READ - PATTERN - "CMakeLists.txt" EXCLUDE ) install( + FILES + applets/1.3.44724DDE.ijc + applets/1.4.499dc06c.ijc + DESTINATION + ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/applets +) + +install( + DIRECTORY + forms/esc/cgi-bin + DESTINATION + ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME} +) + +install( + DIRECTORY + apache/conf + DESTINATION + ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME} +) + +install( + FILES + forms/index.html + DESTINATION + ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot +) + +install( + FILES + forms/index.cgi DESTINATION - ${LIB_INSTALL_DIR}/${APPLICATION_NAME}/${PROJECT_NAME} + ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ GROUP_EXECUTE GROUP_READ 
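Review bot: Changing the init-script destination to `${SYSCONF_INSTALL_DIR}/rc.d/init.d` ties the install layout to distributions that use the `rc.d` tree; the previous `${SYSCONF_INSTALL_DIR}/init.d` resolves on those systems too (where `/etc/init.d` is typically a link into `rc.d`) and on ones that have no `rc.d` at all. If the Red Hat layout is deliberate, a user-overridable cache variable keeps that default while leaving packagers a way out, e.g. `set(PKI_INIT_SCRIPT_DIR "${SYSCONF_INSTALL_DIR}/rc.d/init.d" CACHE PATH "init script directory")` (constructed name) used as the `DESTINATION`. The `install(FILES forms/index.cgi …)` call at the end of the hunk opens on a context line and its `PERMISSIONS` list continues past the hunk's last line.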
@@ -31,44 +60,60 @@ install( ) install( - FILES - forms/index.cgi - forms/index.html + DIRECTORY + forms/esc/demo + forms/esc/home + forms/esc/so + forms/esc/sow + forms/tps DESTINATION ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot + PATTERN + "forms/esc/sow/css" EXCLUDE + PATTERN + "forms/esc/sow/images"EXCLUDE + PATTERN + "forms/esc/sow/js"EXCLUDE + PATTERN + "forms/tps/admin/console/css"EXCLUDE ) install( DIRECTORY - apache/conf DESTINATION - ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf + ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot/tokendb ) install( DIRECTORY - forms/esc/cgi-bin + lib DESTINATION - ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/cgi-bin + ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME} ) -# install directories -set(INSTALL_DIRS - alias - applets - lib - logs - scripts +install( + FILES + scripts/nss_pcache + DESTINATION + ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts + PERMISSIONS + OWNER_EXECUTE OWNER_WRITE OWNER_READ + GROUP_EXECUTE GROUP_READ + WORLD_EXECUTE WORLD_READ ) -foreach(INSTALL_DIR ${INSTALL_DIRS}) - install( - DIRECTORY - ${INSTALL_DIR} - DESTINATION - ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/${INSTALL_DIR} - ) -endforeach(INSTALL_DIR ${INSTALL_DIRS}) +install( + FILES + scripts/addAgents.ldif + scripts/addIndexes.ldif + scripts/addTokens.ldif + scripts/addVLVIndexes.ldif + scripts/database.ldif + scripts/schemaMods.ldif + scripts/vlvtasks.ldif + DESTINATION + ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts +) # install empty directories install( @@ -82,3 +127,4 @@ install( DESTINATION ${VAR_INSTALL_DIR}/run/pki/tps ) + diff --git a/pki/base/tps/Makefile.am b/pki/base/tps/Makefile.am index be106184..fb97a8a0 100644 --- a/pki/base/tps/Makefile.am +++ b/pki/base/tps/Makefile.am 
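Review bot: Three of the four new `PATTERN … EXCLUDE` entries have no space between the quoted pattern and the `EXCLUDE` keyword (`"forms/esc/sow/images"EXCLUDE`, `"forms/esc/sow/js"EXCLUDE`, `"forms/tps/admin/console/css"EXCLUDE`); CMake's parser treats an argument glued to the preceding quoted argument as legacy syntax — newer versions emit "Argument not separated from preceding token by whitespace", older ones accept it silently — so the exclusions presumably still apply, but the lines should read `"forms/esc/sow/images" EXCLUDE` like the first one. The rewritten `install(DIRECTORY DESTINATION …/docroot/tokendb)` lists no source directory; this file already uses that form under the `# install empty directories` comment further down, so it presumably creates an empty `tokendb` directory, and a comment such as `# create empty docroot/tokendb directory` above it would stop a later reader from deleting what looks like a leftover of the removed `apache/conf` entry. The `@@ -82,3 +127,4 @@` hunk only appends a blank line.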
@@ -163,7 +163,7 @@ conf_DATA = $(srcdir)/apache/conf/httpd.conf \ $(srcdir)/apache/conf/mime.types \ $(srcdir)/apache/conf/nss.conf \ $(srcdir)/apache/conf/perl.conf \ - $(srcdir)/doc/CS.cfg + $(srcdir)/doc/CS.cfg.in docroot_DATA = $(srcdir)/forms/index.cgi \ $(srcdir)/forms/index.html diff --git a/pki/base/tps/Makefile.in b/pki/base/tps/Makefile.in index 0a2581e6..ec02c560 100644 --- a/pki/base/tps/Makefile.in +++ b/pki/base/tps/Makefile.in @@ -657,7 +657,7 @@ conf_DATA = $(srcdir)/apache/conf/httpd.conf \ $(srcdir)/apache/conf/mime.types \ $(srcdir)/apache/conf/nss.conf \ $(srcdir)/apache/conf/perl.conf \ - $(srcdir)/doc/CS.cfg + $(srcdir)/doc/CS.cfg.in docroot_DATA = $(srcdir)/forms/index.cgi \ $(srcdir)/forms/index.html diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg deleted file mode 100644 index 0bcf905c..00000000 --- a/pki/base/tps/doc/CS.cfg +++ /dev/null 
@@ -1,1577 +0,0 @@ -# --- BEGIN COPYRIGHT BLOCK --- -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; -# version 2.1 of the License. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301 USA -# -# Copyright (C) 2007 Red Hat, Inc. -# All rights reserved. -# --- END COPYRIGHT BLOCK --- -# -pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] -pkicreate.pki_instance_name=[PKI_INSTANCE_ID] -pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] -pkicreate.secure_port=[SECURE_PORT] -pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT] -pkicreate.unsecure_port=[PORT] -pkicreate.user=[PKI_USER] -pkicreate.group=[PKI_GROUP] -pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -cs.type=TPS -selftests._000=## -selftests._001=## Self Tests -selftests._002=## -selftests._003=## The Self-Test plugin TPSSystemCertsVerification uses the -selftests._004=## following parameters (where certusage is optional): -selftests._005=## tps.cert.list = -selftests._006=## tps.cert..nickname -selftests._007=## tps.cert..certusage -selftests._008=## -selftests.container.logger.enable=true -selftests.container.logger.expirationTime=0 -selftests.container.logger.file.type=RollingLogFile -selftests.container.logger.fileName=[SERVER_ROOT]/logs/selftests.log -selftests.container.logger.level=10 -selftests.container.logger.maxFileSize=2000 -selftests.container.logger.rolloverInterval=2592000 
-selftests.container.order.startup=TPSPresence:critical, TPSSystemCertsVerification:critical -selftests.container.order.onDemand=TPSPresence:critical, TPSValidity:critical, TPSSystemCertsVerification:critical -selftests.plugin.TPSPresence.nickname=[HSM_LABEL][NICKNAME] -selftests.plugin.TPSValidity.nickname=[HSM_LABEL][NICKNAME] -service.machineName=[SERVER_NAME] -service.instanceDir=[SERVER_ROOT] -service.securePort=[SECURE_PORT] -service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT] -service.unsecurePort=[PORT] -service.instanceID=[PKI_INSTANCE_ID] -logging._000=######################################### -logging._001=# RA configuration File -logging._002=# -logging._003=# All <...> must be replaced with -logging._004=# appropriate values. -logging._005=######################################### -logging._006=######################################## -logging._007=# logging -logging._008=# -logging._009=# logging.debug.enable: -logging._010=# logging.audit.enable: -logging._011=# logging.error.enable: -logging._012=# - enable or disable the corresponding logging -logging._013=# logging.debug.filename: -logging._014=# logging.audit.filename: -logging._015=# logging.error.filename: -logging._016=# - name of the log file -logging._017=# logging.debug.level: -logging._018=# logging.audit.level: -logging._019=# logging.error.level: -logging._020=# - level of logging. (0-10) -logging._021=# 0 - no logging, -logging._022=# 4 - LL_PER_SERVER these messages will occur only once -logging._023=# during the entire invocation of the -logging._024=# server, e. g. at startup or shutdown -logging._025=# time., reading the conf parameters. 
-logging._026=# Perhaps other infrequent events -logging._027=# relating to failing over of CA, TKS, -logging._028=# too -logging._029=# 6 - LL_PER_CONNECTION these messages happen once per -logging._030=# connection - most of the log events -logging._031=# will be at this level -logging._032=# 8 - LL_PER_PDU these messages relate to PDU -logging._033=# processing. If you have something that -logging._034=# is done for every PDU, such as -logging._035=# applying the MAC, it should be logged -logging._036=# at this level -logging._037=# 9 - LL_ALL_DATA_IN_PDU dump all the data in the PDU - a more -logging._038=# chatty version of the above -logging._039=# 10 - all logging -logging._040=# logging.audit.buffer.size: # in bytes -logging._041=# logging.audit.flush.interval: # in seconds, 0 disables flush thread -logging._042=# logging.*.file.type: -logging._043=# - file type: RollingLogFile or LogFile -logging._044=# logging.*.rolloverInterval: -logging._045=# - interval to roll over logs (seconds), 0 to disable rollover -logging._046=# logging.*.maxFileSize: -logging._047=# - size at which file rollover occurs, in kB -logging._048=# logging.*.expirationTime: -logging._049=# - maximum age of log, older unmodified logs are deleted( in seconds, 0 to disable) -logging._050=######################################### -logging.debug.enable=true -logging.debug.filename=[SERVER_ROOT]/logs/tps-debug.log -logging.debug.level=10 -logging.debug.file.type=RollingLogFile -logging.debug.maxFileSize=2000 -logging.debug.rolloverInterval=2592000 -logging.debug.expirationTime=0 -logging.audit.enable=true -logging.audit.filename=[SERVER_ROOT]/logs/tps-audit.log -logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit -logging.audit.level=10 -logging.audit.logSigning=false -logging.audit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID] 
-logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION -logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION -logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING -logging.audit.buffer.size=512 -logging.audit.flush.interval=5 -logging.audit.file.type=RollingLogFile -logging.audit.maxFileSize=2000 -logging.audit.rolloverInterval=2592000 -logging.audit.expirationTime=0 -logging.error.enable=true -logging.error.filename=[SERVER_ROOT]/logs/tps-error.log -logging.error.level=10 -logging.error.file.type=RollingLogFile -logging.error.maxFileSize=2000 -logging.error.rolloverInterval=2592000 -logging.error.expirationTime=0 -conn.ca1._000=######################################### -conn.ca1._001=# CA connection -conn.ca1._002=# -conn.ca1._003=# conn.ca.hostport: -conn.ca1._004=# - host name and port number of your CA, format is host:port -conn.ca1._005=# conn.ca.clientNickname: -conn.ca1._006=# - nickname of the client certificate for -conn.ca1._007=# authentication -conn.ca1._008=# conn.ca.servlet.enrollment: -conn.ca1._009=# - servlet to contact in CA -conn.ca1._010=# - must be '/ca/profileSubmitSSLClient' -conn.ca1._011=# conn.ca.retryConnect: -conn.ca1._012=# - number of reconnection attempts on failure -conn.ca1._013=# conn.ca.timeout: -conn.ca1._014=# - connection timeout -conn.ca1._015=# conn.ca.SSLOn: -conn.ca1._016=# - enable SSL or not -conn.ca1._017=# conn.ca.keepAlive: -conn.ca1._018=# - enable keep alive or not -conn.ca1._019=# -conn.ca1._020=# where -conn.ca1._021=# - CA connection ID -conn.ca1._022=######################################### 
-failover.pod.enable=false -conn.ca1.hostport=[CA_HOST]:[CA_PORT] -conn.ca1.clientNickname=[HSM_LABEL][NICKNAME] -conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient -conn.ca1.servlet.renewal=/ca/ee/ca/profileSubmitSSLClient -conn.ca1.servlet.revoke=/ca/ee/subsystem/ca/doRevoke -conn.ca1.servlet.unrevoke=/ca/ee/subsystem/ca/doUnrevoke -conn.ca1.retryConnect=3 -conn.ca1.timeout=100 -conn.ca1.SSLOn=true -conn.ca1.keepAlive=true -conn.tks1._000=######################################### -conn.tks1._001=# TKS connection -conn.tks1._002=# -conn.tks1._003=# conn.tks.hostport: -conn.tks1._004=# - host name and port number of your TKS, the format is host:port -conn.tks1._005=# conn.tks.clientNickname: -conn.tks1._006=# - nickname of the client certificate for -conn.tks1._007=# authentication -conn.tks1._008=# conn.tks.servlet.computeSessionKey: -conn.tks1._009=# - servlet to compute session key -conn.tks1._010=# - must be '/tks/computeSessionKey' -conn.tks1._011=# conn.tks.servlet.encryptData: -conn.tks1._012=# - servlet to encrypt data -conn.tks1._013=# - must be '/tks/encryptData' -conn.tks1._014=# conn.tks.servlet.createKeySetData: -conn.tks1._015=# - servlet to create key set data -conn.tks1._016=# - must be '/tks/createKeySetData' -conn.tks1._017=# conn.tks.retryConnect: -conn.tks1._018=# - number of reconnection attempts on failure -conn.tks1._019=# conn.tks.SSLOn -conn.tks1._020=# - enable SSL or not -conn.tks1._021=# conn.tks.keepAlive: -conn.tks1._022=# - enable keep alive or not -conn.tks1._023=# -conn.tks1._024=# where -conn.tks1._025=# - TKS connection ID -conn.tks1._026=######################################### -conn.tks1.hostport=[TKS_HOST]:[TKS_PORT] -conn.tks1.clientNickname=[HSM_LABEL][NICKNAME] -conn.tks1.servlet.computeSessionKey=/tks/agent/tks/computeSessionKey -conn.tks1.servlet.encryptData=/tks/agent/tks/encryptData -conn.tks1.servlet.createKeySetData=/tks/agent/tks/createKeySetData 
-conn.tks1.servlet.computeRandomData=/tks/agent/tks/computeRandomData -conn.tks1.retryConnect=3 -conn.tks1.timeout=100 -conn.tks1.generateHostChallenge=true -conn.tks1.SSLOn=true -conn.tks1.keepAlive=false -conn.tks1.keySet=defKeySet -conn.tks1.serverKeygen=[SERVER_KEYGEN] -conn.drm1._000=######################################### -conn.drm1._001=# DRM connection -conn.drm1._002=# -conn.drm1._003=#conn.drm.totalConns -conn.drm1._004=# - # of DRM connections -conn.drm1._005=#conn.drm.hostport -conn.drm1._006=# - host name and port number of your DRM, the format is host:port -conn.drm1._007=#conn.drm.clientNickname -conn.drm1._008=# - nickname of the client certificate for -conn.drm1._009=# authentication -conn.drm1._010=#conn.drm.servlet.GenerateKeyPair -conn.drm1._011=# - servlet to generate key pairs and archive keys on DRM -conn.drm1._012=# - must be '/kra/GenerateKeyPair' -conn.drm1._013=#conn.drm.servlet.TokenKeyRecovery=/kra/TokenKeyRecovery -conn.drm1._014=# - servlet to handle key recovery -conn.drm1._015=# - must be '/kra/TokenKeyRecovery' -conn.drm1._016=#conn.drm.retryConnect=3 -conn.drm1._017=# - number of reconnection attempts on failure -conn.drm1._018=#conn.drm.SSLOn=true -conn.drm1._019=# - enable SSL or not -conn.drm1._020=#conn.drm.keepAlive=false -conn.drm1._021=# - enable keep alive or not -conn.drm1._022=# -conn.drm1._023=# where -conn.drm1._024=# - DRM connection ID -conn.drm1._025=######################################### -conn.drm.totalConns=1 -conn.drm1.hostport=[DRM_HOST]:[DRM_PORT] -conn.drm1.clientNickname=[HSM_LABEL][NICKNAME] -conn.drm1.servlet.GenerateKeyPair=/kra/agent/kra/GenerateKeyPair -conn.drm1.servlet.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery -conn.drm1.retryConnect=3 -conn.drm1.timeout=100 -conn.drm1.SSLOn=true -conn.drm1.keepAlive=false -auth.instance._000=######################################## -auth.instance._001=# publishing -auth.instance._002=# -auth.instance._003=# publisher.instance..libraryName: 
-auth.instance._004=# - name of the library specified with a fully qualified path name -auth.instance._005=# publisher.instance..libraryFactory: -auth.instance._006=# - the name of the function which instantiates the publisher -auth.instance._007=# publisher.instance..publisherId: -auth.instance._008=# - the publisher ID -auth.instance._009=# -auth.instance._010=# where -auth.instance._011=# - publisher connection ID -auth.instance._012=######################################## -auth.instance._013=######################################### -auth.instance._014=# authentication -auth.instance._015=# -auth.instance._016=# auth.instance..libraryName: -auth.instance._017=# - name of the library specified with a fully qualified path name -auth.instance._018=# auth.instance..libraryFactory: -auth.instance._019=# - the name of the function which instantiates the authentication -auth.instance._020=# auth.instance..authId -auth.instance._021=# - the authentication ID -auth.instance._022=# auth.instance..hostport -auth.instance._023=# - parameter specific to the given authentication, -auth.instance._024=# i. e., LDAPAuthentication (id=ldap1) -auth.instance._025=# - host name and port number, host:port -auth.instance._026=# - for failover, provide multiple host:port designations -auth.instance._027=# separated by " " -auth.instance._028=# auth.instance..SSLOn: -auth.instance._029=# - parameter specific to the given authentication, -auth.instance._030=# i. e., LDAPAuthentication (id=ldap1) -auth.instance._031=# - use SSL or not for LDAP service -auth.instance._032=# auth.instance..retries: -auth.instance._033=# - parameter specific to the given authentication, -auth.instance._034=# i. e., LDAPAuthentication (id=ldap1) -auth.instance._035=# - number of authentication re-attempts when authentication failed -auth.instance._036=# auth.instance..retryConnect: -auth.instance._037=# - parameter specific to the given authentication, -auth.instance._038=# i. 
e., LDAPAuthentication (id=ldap1) -auth.instance._039=# - number of connection re-attempts when connection failed -auth.instance._040=# -auth.instance._041=# where -auth.instance._042=# - authentication connection ID -auth.instance._043=######################################### -auth.instance.0.type=LDAP_Authentication -auth.instance.0.libraryName=[SYSTEM_USER_LIBRARIES]/[LIB_PREFIX]ldapauth[OBJ_EXT] -auth.instance.0.libraryFactory=GetAuthentication -auth.instance.0.authId=ldap1 -auth.instance.0.hostport=[LDAP_HOST]:[LDAP_PORT] -auth.instance.0.SSLOn=false -auth.instance.0.retries=1 -auth.instance.0.retryConnect=3 -auth.instance.0.baseDN=[LDAP_ROOT] -auth.instance.0.ssl=false -auth.instance.0.attributes._001=############################################## -auth.instance.0.attributes._002=# attributes will be available -auth.instance.0.attributes._003=# as $auth.$ -auth.instance.0.attributes._004=############################################## -auth.instance.0.attributes=mail,cn,uid -auth.instance.0.ui.title.en=LDAP Authentication -auth.instance.0.ui.description.en=This authenticates user against the LDAP directory. 
-auth.instance.0.ui.id.UID.name.en=LDAP User ID -auth.instance.0.ui.id.PASSWORD.name.en=LDAP Password -auth.instance.0.ui.id.UID.description.en=LDAP User ID -auth.instance.0.ui.id.PASSWORD.description.en=LDAP Password -auth.instance.1.type=LDAP_Authentication -auth.instance.1.libraryName=[SYSTEM_USER_LIBRARIES]/[LIB_PREFIX]ldapauth[OBJ_EXT] -auth.instance.1.libraryFactory=GetAuthentication -auth.instance.1.authId=ldap2 -auth.instance.1.bindDN=cn=Directory Manager -auth.instance.1.bindPWD=[SERVER_ROOT]/conf/password.conf -auth.instance.1.hostport=[TOKENDB_HOST]:[TOKENDB_PORT] -auth.instance.1.SSLOn=false -auth.instance.1.retries=1 -auth.instance.1.retryConnect=3 -auth.instance.1.baseDN=[TOKENDB_ROOT] -auth.instance.1.ssl=false -auth.instance.1.attributes._001=############################################## -auth.instance.1.attributes._002=# attributes will be available -auth.instance.1.attributes._003=# as $auth.$ -auth.instance.1.attributes._004=############################################## -auth.instance.1.attributes=mail,cn,uid -auth.instance.1.ui.title.en=LDAP Authentication -auth.instance.1.ui.description.en=This authenticates user against the LDAP directory. 
-auth.instance.1.ui.id.UID.name.en=LDAP User ID -auth.instance.1.ui.id.PASSWORD.name.en=LDAP Password -auth.instance.1.ui.id.UID.description.en=LDAP User ID -auth.instance.1.ui.id.PASSWORD.description.en=LDAP Password -applet._000=######################################### -applet._001=# applet information -applet._002=# SAF Key: -applet._003=# applet.aid.cardmgr_instance=A0000001510000 -applet._004=######################################### -applet.aid.cardmgr_instance=A0000000030000 -applet.aid.netkey_instance=627601FF000000 -applet.aid.netkey_file=627601FF0000 -applet.aid.netkey_old_instance=A00000000101 -applet.aid.netkey_old_file=A000000001 -applet.so_pin=000000000000 -applet.delete_old=true -general.verifyProof=1 -general.applet_ext=ijc -general.search.sizelimit.max=2000 -general.search.sizelimit.default=100 -general.search.timelimit.max=10 -general.search.timelimit.default=10 -general.pwlength.min=16 -channel._000=######################################### -channel._001=# channel.encryption: -channel._002=# -channel._003=# - enable encryption for all operation commands to token -channel._004=# - default is true -channel._005=# channel.blocksize=242 -channel._006=# channel.defKeyVersion=0 -channel._007=# channel.defKeyIndex=0 -channel._008=######################################### -channel.encryption=true -channel.blocksize=248 -channel.defKeyVersion=0 -channel.defKeyIndex=0 -#Config the size of memory managed memory in the applet -#Default is 5000, try not go get close to the instanceSize -#Which defaults to 18000 -#channel.instanceSize=18000 -#channel.appletMemorySize=5000 -preop.pin=[PKI_RANDOM_NUMBER] -preop.product.version= -preop.cert._000=######################################### -preop.cert._001=# Installation configuration "preop" certs parameters -preop.cert._002=######################################### -preop.cert.list=sslserver,subsystem,audit_signing -preop.cert.sslserver.enable=true -preop.cert.subsystem.enable=true 
-preop.cert.audit_signing.enable=false -preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA -preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID] -preop.cert.sslserver.keysize.customsize=2048 -preop.cert.sslserver.keysize.size=2048 -preop.cert.sslserver.keysize.select=custom -preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] -preop.cert.sslserver.profile=caInternalAuthServerCert -preop.cert.sslserver.subsystem=tps -preop.cert._003=#preop.cert.sslserver.type=local -preop.cert.sslserver.userfriendlyname=SSL Server Certificate -preop.cert._004=#preop.cert.sslserver.cncomponent.override=false -preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA -preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[PKI_INSTANCE_ID] -preop.cert.subsystem.keysize.customsize=2048 -preop.cert.subsystem.keysize.size=2048 -preop.cert.subsystem.keysize.select=custom -preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] -preop.cert.subsystem.profile=caInternalAuthSubsystemCert -preop.cert.subsystem.subsystem=tps -preop.cert._005=#preop.cert.subsystem.type=local -preop.cert.subsystem.userfriendlyname=Subsystem Certificate -preop.cert._006=#preop.cert.subsystem.cncomponent.override=true -preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA -preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[PKI_INSTANCE_ID] -preop.cert.audit_signing.keysize.customsize=2048 -preop.cert.audit_signing.keysize.size=2048 -preop.cert.audit_signing.keysize.select=custom -preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID] -preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert -preop.cert.audit_signing.subsystem=tps -preop.cert._005=#preop.cert.audit_signing.type=local -preop.cert.audit_signing.userfriendlyname=Audit Log Signing Certificate -preop.cert._006=#preop.cert.audit_signing.cncomponent.override=true -preop.configModules._000=######################################### -preop.configModules._001=# 
Installation configuration "preop" module parameters -preop.configModules._002=######################################### -preop.configModules.count=3 -preop.configModules.module0.commonName=NSS Internal PKCS #11 Module -preop.configModules.module0.imagePath=../img/clearpixel.gif -preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module -preop.configModules.module1.commonName=nfast -preop.configModules.module1.imagePath=../img/clearpixel.gif -preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module -preop.configModules.module2.commonName=lunasa -preop.configModules.module2.imagePath=../img/clearpixel.gif -preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module -preop.module.token=NSS Certificate DB -preop.keysize._000=######################################### -preop.keysize._001=# Installation configuration "preop" keysize parameters -preop.keysize._002=######################################### -preop.keysize.customsize=2048 -preop.keysize.select=default -preop.keysize.size=2048 -preop.keysize.ecc.size=256 -preop.adminauth.done=false -preop.adminpanel.done=false -preop.agentauth.done=false -preop.authdb.done=false -preop.cainfo.done=false -preop.certprettyprint.done=false -preop.certrequest.done=false -preop.confighsmlogin.done=false -preop.confighsm.done=false -preop.database.done=false -preop.displaycertchain2.done=false -preop.displaycertchain.done=false -preop.donepanel.done=false -preop.drminfo.done=false -preop.importadmincert.done=false -preop.loginpanel.done=false -preop.ModulePanel.done=false -preop.namepanel.done=false -preop.securitydomain.done=false -preop.SizePanel.done=false -preop.subsystemtype.done=false -preop.tksinfo.done=false -preop.welcome.done=false -op.enroll._000=######################################### -op.enroll._001=# Default Operations -op.enroll._002=# -op.enroll._003=# op..mapping.order=,, -op.enroll._004=# - contains at least one value or a series -op.enroll._005=# 
of comma-separated mapping values which -op.enroll._006=# are checked in sequential order -op.enroll._007=# op..mapping..filter.tokenType=userKey -op.enroll._008=# - can be either empty or token type -op.enroll._009=# specified by the client -op.enroll._010=# op..mapping..filter.tokenATR= -op.enroll._011=# - can be either empty or token ATR -op.enroll._012=# specified by the client -op.enroll._013=# op..mapping..filter.appletMajorVersion=1 -op.enroll._014=# - can be either empty or applet major version -op.enroll._015=# specified by the client -op.enroll._016=# op..mapping..filter.appletMinorVersion= -op.enroll._017=# - can be either empty or applet minor version -op.enroll._018=# specified by the client -op.enroll._019=# - if major and minor versions are both zero, this -op.enroll._020=# indicate there is no applet on the token. -op.enroll._021=# op..mapping..target.tokenType=userKey -op.enroll._022=# - if tokenType, tokenATR, appletMajorVersion, -op.enroll._023=# and appletMinorVersion are matched, value in -op.enroll._024=# targetTokenType will be used to locate -op.enroll._025=# the corresponding token profile to -op.enroll._026=# process the request. 
-op.enroll._027=# -op.enroll._028=# where -op.enroll._029=# - operation; enroll,pinReset,format -op.enroll._030=# - mapping ID; order is specifiable -op.enroll._031=# -op.enroll._032=# Token ATR: -op.enroll._033=# Web Store - 3B759400006202020201 -op.enroll._034=######################################### -op.enroll.mapping.order=0,1,2 -op.enroll.mapping.0.filter.tokenType=userKey -op.enroll.mapping.0.filter.tokenATR= -op.enroll.mapping.0.filter.tokenCUID.start= -op.enroll.mapping.0.filter.tokenCUID.end= -op.enroll.mapping.0.filter.appletMajorVersion=1 -op.enroll.mapping.0.filter.appletMinorVersion= -op.enroll.mapping.0.target.tokenType=userKey -op.enroll.mapping.1.filter.tokenType=soKey -op.enroll.mapping.1.filter.tokenATR= -op.enroll.mapping.1.filter.tokenCUID.start= -op.enroll.mapping.1.filter.tokenCUID.end= -op.enroll.mapping.1.filter.appletMajorVersion= -op.enroll.mapping.1.filter.appletMinorVersion= -op.enroll.mapping.1.target.tokenType=soKey -op.enroll.mapping.2.filter.tokenType= -op.enroll.mapping.2.filter.tokenATR= -op.enroll.mapping.2.filter.tokenCUID.start= -op.enroll.mapping.2.filter.tokenCUID.end= -op.enroll.mapping.2.filter.appletMajorVersion= -op.enroll.mapping.2.filter.appletMinorVersion= -op.enroll.mapping.2.target.tokenType=userKey -op.pinReset.mapping.order=0 -op.pinReset.mapping.0.filter.tokenType= -op.pinReset.mapping.0.filter.tokenATR= -op.pinReset.mapping.0.filter.tokenCUID.start= -op.pinReset.mapping.0.filter.tokenCUID.end= -op.pinReset.mapping.0.filter.appletMajorVersion= -op.pinReset.mapping.0.filter.appletMinorVersion= -op.pinReset.mapping.0.target.tokenType=userKey -op.format.mapping.order=0,1,2,3,4,5,6 -op.format.mapping.0.filter.tokenType=soCleanUserToken -op.format.mapping.0.filter.tokenATR= -op.format.mapping.0.filter.tokenCUID.start= -op.format.mapping.0.filter.tokenCUID.end= -op.format.mapping.0.filter.appletMajorVersion= -op.format.mapping.0.filter.appletMinorVersion= -op.format.mapping.0.target.tokenType=soCleanUserToken 
-op.format.mapping.1.filter.tokenType=soUserKey -op.format.mapping.1.filter.tokenATR= -op.format.mapping.1.filter.tokenCUID.start= -op.format.mapping.1.filter.tokenCUID.end= -op.format.mapping.1.filter.appletMajorVersion= -op.format.mapping.1.filter.appletMinorVersion= -op.format.mapping.1.target.tokenType=soUserKey -op.format.mapping.2.filter.tokenType=soKey -op.format.mapping.2.filter.tokenATR= -op.format.mapping.2.filter.tokenCUID.start= -op.format.mapping.2.filter.tokenCUID.end= -op.format.mapping.2.filter.appletMajorVersion= -op.format.mapping.2.filter.appletMinorVersion= -op.format.mapping.2.target.tokenType=soKey -op.format.mapping.3.filter.tokenType=userKey -op.format.mapping.3.filter.tokenATR= -op.format.mapping.3.filter.tokenCUID.start= -op.format.mapping.3.filter.tokenCUID.end= -op.format.mapping.3.filter.appletMajorVersion= -op.format.mapping.3.filter.appletMinorVersion= -op.format.mapping.3.target.tokenType=userKey -op.format.mapping.4.filter.tokenType=soCleanSOToken -op.format.mapping.4.filter.tokenATR= -op.format.mapping.4.filter.tokenCUID.start= -op.format.mapping.4.filter.tokenCUID.end= -op.format.mapping.4.filter.appletMajorVersion= -op.format.mapping.4.filter.appletMinorVersion= -op.format.mapping.5.filter.tokenType=cleanToken -op.format.mapping.5.filter.tokenATR= -op.format.mapping.5.filter.tokenCUID.start= -op.format.mapping.5.filter.tokenCUID.end= -op.format.mapping.5.filter.appletMajorVersion= -op.format.mapping.5.filter.appletMinorVersion= -op.format.mapping.5.target.tokenType=cleanToken -op.format.mapping.4.target.tokenType=soCleanSOToken -op.format.mapping.6.filter.tokenATR= -op.format.mapping.6.filter.tokenCUID.start= -op.format.mapping.6.filter.tokenCUID.end= -op.format.mapping.6.filter.appletMajorVersion= -op.format.mapping.6.filter.appletMinorVersion= -op.format.mapping.6.target.tokenType=tokenKey -op.enroll.userKey._000=######################################### -op.enroll.userKey._001=# Enrollment Operation For CoolKey 
-op.enroll.userKey._002=# -op.enroll.userKey._003=# op.enroll..keyGen..keySize=1024 -op.enroll.userKey._004=# - size of the key the token should generate -op.enroll.userKey._005=# - max value: 1024 -op.enroll.userKey._006=# -op.enroll.userKey._007=# op.enroll..keyGen..keyCapabilities.encrypt=false -op.enroll.userKey._008=# op.enroll..keyGen..keyCapabilities.sign=true -op.enroll.userKey._009=# op.enroll..keyGen..keyCapabilities.signRecover=true -op.enroll.userKey._010=# op.enroll..keyGen..keyCapabilities.decrypt=false -op.enroll.userKey._011=# op.enroll..keyGen..keyCapabilities.derive=false -op.enroll.userKey._012=# op.enroll..keyGen..keyCapabilities.unwrap=false -op.enroll.userKey._013=# op.enroll..keyGen..keyCapabilities.wrap=false -op.enroll.userKey._014=# op.enroll..keyGen..keyCapabilities.verifyRecover=true -op.enroll.userKey._015=# op.enroll..keyGen..keyCapabilities.verify=true -op.enroll.userKey._016=# op.enroll..keyGen..keyCapabilities.sensitive=true -op.enroll.userKey._017=# op.enroll..keyGen..keyCapabilities.private=true -op.enroll.userKey._018=# op.enroll..keyGen..keyCapabilities.token=true -op.enroll.userKey._019=# - specify the PKCS11 attributes to set on the token -op.enroll.userKey._020=# -op.enroll.userKey._021=# op.enroll.userKey.keyGen.signing.cuid_label -op.enroll.userKey._022=# - specify the CUID shown in the certificate -op.enroll.userKey._023=# -op.enroll.userKey._024=# op.enroll.userKey.keyGen.signing.label -op.enroll.userKey._025=# - specify the token name. all resulting labels for co-existing keys -op.enroll.userKey._026=# on the same token must be unique -op.enroll.userKey._027=# - $pretty_cuid$ - Pretty Print CUID (i.e. 4090-0062-FF02-0000-0B9C) -op.enroll.userKey._028=# - $cuid$ - CUID (i.e. 
40900062FF0200000B9C) -op.enroll.userKey._029=# - $msn$ - MSN -op.enroll.userKey._030=# - $userid$ - User ID -op.enroll.userKey._031=# - $profileId$ - Profile ID -op.enroll.userKey._032=# -op.enroll.userKey._033=# op.enroll..keyGen..overwrite=true|false -op.enroll.userKey._034=# - if key and certificate exist, should RA overwrite them -op.enroll.userKey._035=# -op.enroll.userKey._036=# op.enroll..keyGen..certId=C1 -op.enroll.userKey._037=# op.enroll..keyGen..certAttrId=c1 -op.enroll.userKey._038=# op.enroll..keyGen..privateKeyAttrId=k2 -op.enroll.userKey._039=# op.enroll..keyGen..publicKeyAttrId=k3 -op.enroll.userKey._040=# op.enroll..keyGen..privateKeyNumber=2 -op.enroll.userKey._041=# op.enroll..keyGen..publicKeyNumber=3 -op.enroll.userKey._042=# - specify name PKCS11 object IDs -op.enroll.userKey._043=# - Lower case letters signify objects containing PKCS11 object attributes, -op.enroll.userKey._044=# in the format described below. -op.enroll.userKey._045=# 'c' An object containing PKCS11 attributes for a certificate. -op.enroll.userKey._046=# 'k' An object containing PKCS11 attributes for a public or private key -op.enroll.userKey._047=# 'r' An object containing PKCS11 attributes for an "reader". -op.enroll.userKey._048=# - Upper case letters signify objects containing raw data corresponding to -op.enroll.userKey._049=# the lower case letters described above. For example, object "C0" -op.enroll.userKey._050=# contains raw data corresponding to object "c0". -op.enroll.userKey._051=# 'C' This object contains an entire DER cert, and nothing else. -op.enroll.userKey._052=# 'K' This object contains a MUSCLE "key blob". TPS does not use this. 
-op.enroll.userKey._053=# -op.enroll.userKey._054=# op.enroll..keyGen..keyUsage=0 -op.enroll.userKey._055=# op.enroll..keyGen..keyUser=0 -op.enroll.userKey._056=# - user specifies which PIN user should be granted -op.enroll.userKey._057=# use privilege of the generated private key, or -op.enroll.userKey._058=# 15 if all users have use privilege for the private key -op.enroll.userKey._059=# - Valid uage: (only specifies the usage for the private key) -op.enroll.userKey._060=# 0 - default usage (Signing only for this APDU) -op.enroll.userKey._061=# 1 - signing only -op.enroll.userKey._062=# 2 - decryption only -op.enroll.userKey._063=# 3 - signing and decryption -op.enroll.userKey._064=# -op.enroll.userKey._065=# op.enroll..pkcs11obj.enable=true|false -op.enroll.userKey._066=# - enable writing of PKCS11 cache object to the token -op.enroll.userKey._067=# -op.enroll.userKey._068=# op.enroll..pkcs11obj.compress.enable=true|false -op.enroll.userKey._069=# - enable compression for writing of PKCS11 cache object to the token -op.enroll.userKey._070=# -op.enroll.userKey._071=# op.enroll..pinReset.pin.maxRetries=127 -op.enroll.userKey._072=# - max number of retries before blocking the token -op.enroll.userKey._073=# - max value: 127 -op.enroll.userKey._074=# -op.enroll.userKey._075=# There is a special case of tokenType userKeyTemporary. -op.enroll.userKey._076=# Make sure the profile specified by the profileId to have -op.enroll.userKey._077=# short validity period (eg, 7 days) for the certificate. -op.enroll.userKey._078=######################################### -op.enroll.allowUnknownToken=true -#The three recovery schemes supported are: -# GenerateNewKey - Generate a new cert for the encryption cert. -# RecoverLast - Recover the most recent cert for the encryption cert. -# GenerateNewKeyandRecoverLast - Generate new cert AND recover last for encryption cert. 
-op.enroll.userKey.temporaryToken.tokenType=userKeyTemporary
-op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=2
-op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=signing
-op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.1=encryption
-op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true
-op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
-op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
-op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
-op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
-op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.num=2
-op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.0=signing
-op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption
-op.enroll.userKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
-op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
-op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
-op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
-op.enroll.userKey.keyGen.recovery.onHold.keyType.num=2
-op.enroll.userKey.keyGen.recovery.onHold.keyType.value.0=signing
-op.enroll.userKey.keyGen.recovery.onHold.keyType.value.1=encryption
-op.enroll.userKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert=true
-op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
-op.enroll.userKey.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert=true
-op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6
-op.enroll.userKey.keyGen.tokenName=$auth.cn$
-op.enroll.userKey.keyGen.keyType.num=2
-op.enroll.userKey.keyGen.keyType.value.0=signing
-op.enroll.userKey.keyGen.keyType.value.1=encryption
-op.enroll.userKey.keyGen.signing.keySize=1024
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.encrypt=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.sign=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.signRecover=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.decrypt=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.derive=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.unwrap=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.wrap=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.verifyRecover=true
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.verify=true
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.sensitive=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.private=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.token=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.encrypt=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.sign=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.signRecover=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.decrypt=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.derive=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.unwrap=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.wrap=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.verifyRecover=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.verify=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.sensitive=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.private=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.token=true
-op.enroll.userKey.keyGen.signing.label=signing key for $userid$
-op.enroll.userKey.keyGen.signing.cuid_label=$cuid$
-op.enroll.userKey.keyGen.signing.overwrite=true
-op.enroll.userKey.keyGen.signing.certId=C1
-op.enroll.userKey.keyGen.signing.certAttrId=c1
-op.enroll.userKey.keyGen.signing.privateKeyAttrId=k2
-op.enroll.userKey.keyGen.signing.publicKeyAttrId=k3
-op.enroll.userKey.keyGen.signing.keyUsage=0
-op.enroll.userKey.keyGen.signing.keyUser=0
-op.enroll.userKey.keyGen.signing.privateKeyNumber=2
-op.enroll.userKey.keyGen.signing.publicKeyNumber=3
-op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
-op.enroll.userKey.keyGen.signing.ca.conn=ca1
-op.enroll.userKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
-op.enroll.userKey.keyGen.encryption.keySize=1024
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.encrypt=true
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.sign=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.signRecover=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.decrypt=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.derive=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.unwrap=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.wrap=true
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.verifyRecover=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.verify=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.sensitive=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.private=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.token=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.encrypt=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.sign=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.signRecover=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.decrypt=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.derive=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.unwrap=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.wrap=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.verifyRecover=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.verify=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.sensitive=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.private=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.token=true
-op.enroll.userKey.keyGen.encryption.label=encryption key for $userid$
-op.enroll.userKey.keyGen.encryption.cuid_label=$cuid$
-op.enroll.userKey.keyGen.encryption.overwrite=true
-op.enroll.userKey.keyGen.encryption.certId=C2
-op.enroll.userKey.keyGen.encryption.certAttrId=c2
-op.enroll.userKey.keyGen.encryption.privateKeyAttrId=k4
-op.enroll.userKey.keyGen.encryption.publicKeyAttrId=k5
-op.enroll.userKey.keyGen.encryption.keyUsage=0
-op.enroll.userKey.keyGen.encryption.keyUser=0
-op.enroll.userKey.keyGen.encryption.privateKeyNumber=4
-op.enroll.userKey.keyGen.encryption.publicKeyNumber=5
-op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
-op.enroll.userKey.keyGen.encryption.ca.conn=ca1
-op.enroll.userKey.pkcs11obj.enable=true
-op.enroll.userKey.pkcs11obj.compress.enable=true
-op.enroll.userKey.update.applet.emptyToken.enable=true
-op.enroll.userKey.update.applet.enable=true
-op.enroll.userKey.update.applet.requiredVersion=1.4.499dc06c
-op.enroll.userKey.update.applet.directory=[TPS_DIR]/applets
-op.enroll.userKey.update.applet.encryption=true
-op.enroll.userKey.update.symmetricKeys.enable=false
-op.enroll.userKey.update.symmetricKeys.requiredVersion=1
-op.enroll.userKey.loginRequest.enable=true
-op.enroll.userKey.pinReset.enable=true
-op.enroll.userKey.pinReset.pin.maxRetries=127
-op.enroll.userKey.pinReset.pin.minLen=4
-op.enroll.userKey.pinReset.pin.maxLen=10
-op.enroll.userKey.cardmgr_instance=A0000000030000
-op.enroll.userKey.tks.conn=tks1
-op.enroll.userKey.auth.id=ldap1
-op.enroll.userKey.auth.enable=true
-op.enroll.userKey.issuerinfo.enable=true
-op.enroll.userKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/home/index.cgi
-op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.num=2
-op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing
-op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption
-op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
-op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
-op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
-op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
-op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert.reason=0
-op.enroll.userKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
-op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=drm1
-op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
-op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable=true
-op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=drm1
-op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.archive=true
-op.enroll.userKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
-op.enroll.userKeyTemporary.keyGen.keyType.num=3
-op.enroll.userKeyTemporary.keyGen.keyType.value.0=auth
-op.enroll.userKeyTemporary.keyGen.keyType.value.1=signing
-op.enroll.userKeyTemporary.keyGen.keyType.value.2=encryption
-op.enroll.userKeyTemporary.keyGen.auth.keySize=1024
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.sign=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.signRecover=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.sensitive=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.private=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.sign=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.signRecover=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.verifyRecover=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.verify=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.sensitive=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.private=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
-op.enroll.userKeyTemporary.keyGen.auth.cuid_label=$cuid$
-op.enroll.userKeyTemporary.keyGen.auth.overwrite=false
-op.enroll.userKeyTemporary.keyGen.auth.certId=C0
-op.enroll.userKeyTemporary.keyGen.auth.certAttrId=c0
-op.enroll.userKeyTemporary.keyGen.auth.privateKeyAttrId=k0
-op.enroll.userKeyTemporary.keyGen.auth.publicKeyAttrId=k1
-op.enroll.userKeyTemporary.keyGen.auth.keyUsage=0
-op.enroll.userKeyTemporary.keyGen.auth.keyUser=15
-op.enroll.userKeyTemporary.keyGen.auth.privateKeyNumber=0
-op.enroll.userKeyTemporary.keyGen.auth.publicKeyNumber=1
-op.enroll.userKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
-op.enroll.userKeyTemporary.keyGen.auth.ca.conn=ca1
-op.enroll.userKeyTemporary.keyGen.signing.keySize=1024
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.signRecover=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.verifyRecover=true
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.verify=true
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sensitive=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.private=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.sign=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.signRecover=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.verifyRecover=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.verify=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.sensitive=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.private=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.signing.label=signing key for $userid$
-op.enroll.userKeyTemporary.keyGen.signing.cuid_label=$cuid$
-op.enroll.userKeyTemporary.keyGen.signing.overwrite=true
-op.enroll.userKeyTemporary.keyGen.signing.certId=C1
-op.enroll.userKeyTemporary.keyGen.signing.certAttrId=c1
-op.enroll.userKeyTemporary.keyGen.signing.privateKeyAttrId=k2
-op.enroll.userKeyTemporary.keyGen.signing.publicKeyAttrId=k3
-op.enroll.userKeyTemporary.keyGen.signing.keyUsage=0
-op.enroll.userKeyTemporary.keyGen.signing.keyUser=0
-op.enroll.userKeyTemporary.keyGen.signing.privateKeyNumber=2
-op.enroll.userKeyTemporary.keyGen.signing.publicKeyNumber=3
-op.enroll.userKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
-op.enroll.userKeyTemporary.keyGen.signing.ca.conn=ca1
-op.enroll.userKey._080=#op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
-op.enroll.userKeyTemporary.keyGen.encryption.keySize=1024
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.signRecover=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.wrap=true
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.verifyRecover=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.verify=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.sensitive=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.private=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.sign=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.signRecover=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.decrypt=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.unwrap=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.verifyRecover=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.verify=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.sensitive=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.private=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.encryption.label=encryption key for $userid$
-op.enroll.userKeyTemporary.keyGen.encryption.cuid_label=$cuid$
-op.enroll.userKeyTemporary.keyGen.encryption.overwrite=true
-op.enroll.userKeyTemporary.keyGen.encryption.certId=C2
-op.enroll.userKeyTemporary.keyGen.encryption.certAttrId=c2
-op.enroll.userKeyTemporary.keyGen.encryption.privateKeyAttrId=k4
-op.enroll.userKeyTemporary.keyGen.encryption.publicKeyAttrId=k5
-op.enroll.userKeyTemporary.keyGen.encryption.keyUsage=0
-op.enroll.userKeyTemporary.keyGen.encryption.keyUser=0
-op.enroll.userKeyTemporary.keyGen.encryption.privateKeyNumber=4
-op.enroll.userKeyTemporary.keyGen.encryption.publicKeyNumber=5
-op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
-op.enroll.userKeyTemporary.keyGen.encryption.ca.conn=ca1
-op.enroll.userKeyTemporary.pkcs11obj.enable=true
-op.enroll.userKeyTemporary.pkcs11obj.compress.enable=true
-op.enroll.userKeyTemporary.update.applet.emptyToken.enable=true
-op.enroll.userKeyTemporary.update.applet.enable=true
-op.enroll.userKeyTemporary.update.applet.requiredVersion=1.4.499dc06c
-op.enroll.userKeyTemporary.update.applet.directory=[TPS_DIR]/applets
-op.enroll.userKeyTemporary.update.applet.encryption=true
-op.enroll.userKeyTemporary.update.symmetricKeys.enable=false
-op.enroll.userKeyTemporary.update.symmetricKeys.requiredVersion=1
-op.enroll.userKeyTemporary.loginRequest.enable=true
-op.enroll.userKeyTemporary.pinReset.enable=true
-op.enroll.userKeyTemporary.pinReset.pin.maxRetries=127
-op.enroll.userKeyTemporary.pinReset.pin.minLen=4
-op.enroll.userKeyTemporary.pinReset.pin.maxLen=10
-op.enroll.userKeyTemporary.tks.conn=tks1
-op.enroll.userKeyTemporary.cardmgr_instance=A0000000030000
-op.enroll.userKeyTemporary.auth.id=ldap1
-op.enroll.userKeyTemporary.auth.enable=true
-# Token Renewal.
-# For each token in TPS UI set the following:
-# RENEW=YES
-# To trigger renewal operations.
-op.enroll.userKey.renewal.keyType.num=2
-op.enroll.userKey.renewal.keyType.value.0=signing
-op.enroll.userKey.renewal.keyType.value.1=encryption
-op.enroll.userKey.renewal.signing.enable=true
-#optional grace period enforcement
-#must coincide exactly with what the CA enforces
-op.enroll.userKey.renewal.signing.gracePeriod.enable=false
-op.enroll.userKey.renewal.signing.gracePeriod.before=30
-op.enroll.userKey.renewal.signing.gracePeriod.after=30
-op.enroll.userKey.renewal.signing.certId=C1
-#in case of renewal, encryption certId values for completeness only
-#server code calculates actual values used.
-op.enroll.userKey.renewal.encryption.certId=C2
-op.enroll.userKey.renewal.signing.certAttrId=c1
-op.enroll.userKey.renewal.encryption.certAttrId=c2
-op.enroll.userKey.renewal.encryption.enable=true
-#optional grace period enforcement
-#must coincide exactly with what the CA enforces
-op.enroll.userKey.renewal.encryption.gracePeriod.enable=false
-op.enroll.userKey.renewal.encryption.gracePeriod.before=30
-op.enroll.userKey.renewal.encryption.gracePeriod.after=30
-op.enroll.userKey.renewal.signing.ca.conn=ca1
-op.enroll.userKey.renewal.encryption.ca.conn=ca1
-op.enroll.userKey.renewal.signing.ca.profileId=caTokenUserSigningKeyRenewal
-op.enroll.userKey.renewal.encryption.ca.profileId=caTokenUserEncryptionKeyRenewal
-op.enroll.soKey.temporaryToken.tokenType=soKeyTemporary
-op.enroll.soKey.keyGen.recovery.destroyed.keyType.num=2
-op.enroll.soKey.keyGen.recovery.destroyed.keyType.value.0=signing
-op.enroll.soKey.keyGen.recovery.destroyed.keyType.value.1=encryption
-op.enroll.soKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeCert=true
-op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
-op.enroll.soKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
-op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert=false
-op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
-op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.num=2
-op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.value.0=signing
-op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption
-op.enroll.soKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
-op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
-op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
-op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
-op.enroll.soKey.keyGen.recovery.onHold.keyType.num=2
-op.enroll.soKey.keyGen.recovery.onHold.keyType.value.0=signing
-op.enroll.soKey.keyGen.recovery.onHold.keyType.value.1=encryption
-op.enroll.soKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert=true
-op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
-op.enroll.soKey.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeCert=true
-op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6
-op.enroll.soKey.keyGen.tokenName=$auth.cn$
-op.enroll.soKey.keyGen.keyType.num=2
-op.enroll.soKey.keyGen.keyType.value.0=signing
-op.enroll.soKey.keyGen.keyType.value.1=encryption
-op.enroll.soKey.keyGen.signing.keySize=1024
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.encrypt=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.sign=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.signRecover=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.decrypt=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.derive=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.unwrap=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.wrap=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.verifyRecover=true
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.verify=true
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.sensitive=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.private=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.token=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.encrypt=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.sign=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.signRecover=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.decrypt=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.derive=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.unwrap=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.wrap=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.verifyRecover=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.verify=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.sensitive=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.private=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.token=true
-op.enroll.soKey.keyGen.signing.label=signing key for $userid$
-op.enroll.soKey.keyGen.signing.cuid_label=$cuid$
-op.enroll.soKey.keyGen.signing.overwrite=true
-op.enroll.soKey.keyGen.signing.certId=C1
-op.enroll.soKey.keyGen.signing.certAttrId=c1
-op.enroll.soKey.keyGen.signing.privateKeyAttrId=k2
-op.enroll.soKey.keyGen.signing.publicKeyAttrId=k3
-op.enroll.soKey.keyGen.signing.keyUsage=0
-op.enroll.soKey.keyGen.signing.keyUser=0
-op.enroll.soKey.keyGen.signing.privateKeyNumber=2
-op.enroll.soKey.keyGen.signing.publicKeyNumber=3
-op.enroll.soKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
-op.enroll.soKey.keyGen.signing.ca.conn=ca1
-op.enroll.soKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
-op.enroll.soKey.keyGen.encryption.keySize=1024
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.encrypt=true
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.sign=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.signRecover=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.decrypt=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.derive=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.unwrap=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.wrap=true
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.verifyRecover=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.verify=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.sensitive=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.private=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.token=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.encrypt=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.sign=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.signRecover=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.decrypt=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.derive=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.unwrap=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.wrap=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.verifyRecover=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.verify=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.sensitive=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.private=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.token=true
-op.enroll.soKey.keyGen.encryption.label=encryption key for $userid$
-op.enroll.soKey.keyGen.encryption.cuid_label=$cuid$
-op.enroll.soKey.keyGen.encryption.overwrite=true
-op.enroll.soKey.keyGen.encryption.certId=C2
-op.enroll.soKey.keyGen.encryption.certAttrId=c2
-op.enroll.soKey.keyGen.encryption.privateKeyAttrId=k4
-op.enroll.soKey.keyGen.encryption.publicKeyAttrId=k5
-op.enroll.soKey.keyGen.encryption.keyUsage=0
-op.enroll.soKey.keyGen.encryption.keyUser=0
-op.enroll.soKey.keyGen.encryption.privateKeyNumber=4
-op.enroll.soKey.keyGen.encryption.publicKeyNumber=5
-op.enroll.soKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
-op.enroll.soKey.keyGen.encryption.ca.conn=ca1
-op.enroll.soKey.pkcs11obj.enable=true
-op.enroll.soKey.pkcs11obj.compress.enable=true
-op.enroll.soKey.update.applet.emptyToken.enable=true
-op.enroll.soKey.update.applet.enable=true
-op.enroll.soKey.update.applet.requiredVersion=1.4.499dc06c
-op.enroll.soKey.update.applet.directory=[TPS_DIR]/applets
-op.enroll.soKey.update.applet.encryption=true
-op.enroll.soKey.update.symmetricKeys.enable=false
-op.enroll.soKey.update.symmetricKeys.requiredVersion=1
-op.enroll.soKey.loginRequest.enable=true
-op.enroll.soKey.pinReset.enable=true
-op.enroll.soKey.pinReset.pin.maxRetries=127
-op.enroll.soKey.pinReset.pin.minLen=4
-op.enroll.soKey.pinReset.pin.maxLen=10
-op.enroll.soKey.cardmgr_instance=A0000000030000
-op.enroll.soKey.tks.conn=tks1
-op.enroll.soKey.auth.id=ldap2
-op.enroll.soKey.auth.enable=true
-op.enroll.soKey.issuerinfo.enable=true
-op.enroll.soKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/so/index.cgi
-op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.num=2
-op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing
-op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption
-op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
-op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
-op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
-op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
-op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert.reason=0
-op.enroll.soKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
-op.enroll.soKey.keyGen.encryption.serverKeygen.drm.conn=drm1
-op.enroll.soKey.keyGen.encryption.serverKeygen.archive=true
-op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable=true
-op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=drm1
-op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.archive=true
-op.enroll.soKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
-op.enroll.soKeyTemporary.keyGen.keyType.num=3
-op.enroll.soKeyTemporary.keyGen.keyType.value.0=auth
-op.enroll.soKeyTemporary.keyGen.keyType.value.1=signing
-op.enroll.soKeyTemporary.keyGen.keyType.value.2=encryption
-op.enroll.soKeyTemporary.keyGen.auth.keySize=1024
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.sign=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.signRecover=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.sensitive=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.private=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.sign=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.signRecover=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.verifyRecover=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.verify=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.sensitive=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.private=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
-op.enroll.soKeyTemporary.keyGen.auth.cuid_label=$cuid$
-op.enroll.soKeyTemporary.keyGen.auth.overwrite=false
-op.enroll.soKeyTemporary.keyGen.auth.certId=C0
-op.enroll.soKeyTemporary.keyGen.auth.certAttrId=c0
-op.enroll.soKeyTemporary.keyGen.auth.privateKeyAttrId=k0
-op.enroll.soKeyTemporary.keyGen.auth.publicKeyAttrId=k1
-op.enroll.soKeyTemporary.keyGen.auth.keyUsage=0
-op.enroll.soKeyTemporary.keyGen.auth.keyUser=15
-op.enroll.soKeyTemporary.keyGen.auth.privateKeyNumber=0
-op.enroll.soKeyTemporary.keyGen.auth.publicKeyNumber=1
-op.enroll.soKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
-op.enroll.soKeyTemporary.keyGen.auth.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.signing.keySize=1024
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.signRecover=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.unwrap=false -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.wrap=false -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.verifyRecover=true -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.verify=true -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sensitive=false -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.private=false -op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.token=true -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.encrypt=false -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.sign=true -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.signRecover=true -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.decrypt=false -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.derive=false -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.unwrap=false -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.wrap=false -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.verifyRecover=false -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.verify=false -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.sensitive=true -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.private=true -op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.token=true -op.enroll.soKeyTemporary.keyGen.signing.label=signing key for $userid$ -op.enroll.soKeyTemporary.keyGen.signing.cuid_label=$cuid$ -op.enroll.soKeyTemporary.keyGen.signing.overwrite=true -op.enroll.soKeyTemporary.keyGen.signing.certId=C1 -op.enroll.soKeyTemporary.keyGen.signing.certAttrId=c1 -op.enroll.soKeyTemporary.keyGen.signing.privateKeyAttrId=k2 -op.enroll.soKeyTemporary.keyGen.signing.publicKeyAttrId=k3 -op.enroll.soKeyTemporary.keyGen.signing.keyUsage=0 
-op.enroll.soKeyTemporary.keyGen.signing.keyUser=0 -op.enroll.soKeyTemporary.keyGen.signing.privateKeyNumber=2 -op.enroll.soKeyTemporary.keyGen.signing.publicKeyNumber=3 -op.enroll.soKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment -op.enroll.soKeyTemporary.keyGen.signing.ca.conn=ca1 -op.enroll.soKeyTemporary.keyGen.encryption.keySize=1024 -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.signRecover=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.decrypt=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.derive=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.unwrap=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.wrap=true -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.verifyRecover=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.verify=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sensitive=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.private=false -op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.token=true -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.encrypt=false -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.sign=false -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.signRecover=false -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.decrypt=true -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.derive=false -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.unwrap=true -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.wrap=false -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.verifyRecover=false 
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.verify=false -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.sensitive=true -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.private=true -op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.token=true -op.enroll.soKeyTemporary.keyGen.encryption.label=encryption key for $userid$ -op.enroll.soKeyTemporary.keyGen.encryption.cuid_label=$cuid$ -op.enroll.soKeyTemporary.keyGen.encryption.overwrite=true -op.enroll.soKeyTemporary.keyGen.encryption.certId=C2 -op.enroll.soKeyTemporary.keyGen.encryption.certAttrId=c2 -op.enroll.soKeyTemporary.keyGen.encryption.privateKeyAttrId=k4 -op.enroll.soKeyTemporary.keyGen.encryption.publicKeyAttrId=k5 -op.enroll.soKeyTemporary.keyGen.encryption.keyUsage=0 -op.enroll.soKeyTemporary.keyGen.encryption.keyUser=0 -op.enroll.soKeyTemporary.keyGen.encryption.privateKeyNumber=4 -op.enroll.soKeyTemporary.keyGen.encryption.publicKeyNumber=5 -op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment -op.enroll.soKeyTemporary.keyGen.encryption.ca.conn=ca1 -op.enroll.soKeyTemporary.pkcs11obj.enable=true -op.enroll.soKeyTemporary.pkcs11obj.compress.enable=true -op.enroll.soKeyTemporary.update.applet.emptyToken.enable=true -op.enroll.soKeyTemporary.update.applet.enable=true -op.enroll.soKeyTemporary.update.applet.requiredVersion=1.4.499dc06c -op.enroll.soKeyTemporary.update.applet.directory=[TPS_DIR]/applets -op.enroll.soKeyTemporary.update.applet.encryption=true -op.enroll.soKeyTemporary.update.symmetricKeys.enable=false -op.enroll.soKeyTemporary.update.symmetricKeys.requiredVersion=1 -op.enroll.soKeyTemporary.loginRequest.enable=true -op.enroll.soKeyTemporary.pinReset.enable=true -op.enroll.soKeyTemporary.pinReset.pin.maxRetries=127 -op.enroll.soKeyTemporary.pinReset.pin.minLen=4 -op.enroll.soKeyTemporary.pinReset.pin.maxLen=10 -op.enroll.soKeyTemporary.cardmgr_instance=A0000000030000 
-op.enroll.soKeyTemporary.tks.conn=tks1 -op.enroll.soKeyTemporary.tks.keySet=defKeyset -op.enroll.soKeyTemporary.auth.id=ldap2 -op.enroll.soKeyTemporary.auth.enable=true -op.pinReset._000=######################################### -op.pinReset._001=# Certificate Chain Imports -op.pinReset._002=# -op.pinReset._003=# op.enroll.certificates.num=1 -op.pinReset._004=# op.enroll.certificates.value.0=caCert -op.pinReset._005=# op.enroll.certificates.caCert.nickName=caCert0 pki-tps -op.pinReset._006=# op.enroll.certificates.caCert.certId=C5 -op.pinReset._007=# op.enroll.certificates.caCert.certAttrId=c5 -op.pinReset._008=# op.enroll.certificates.caCert.label=caCert Label -op.pinReset._009=######################################### -op.pinReset._010=######################################### -op.pinReset._011=# Pin Reset Operation For CoolKey -op.pinReset._012=# -op.pinReset._013=# op.pinReset.userKey.update.applet.emptyToken.enable=false -op.pinReset._014=# - update applet or not if token is empty -op.pinReset._015=# -op.pinReset._016=# - N/A for HouseKey -op.pinReset._017=# - N/A for HouseKey with Legacy Applet -op.pinReset._018=######################################### -op.pinReset.userKey.update.applet.emptyToken.enable=true -op.pinReset.userKey.update.applet.enable=false -op.pinReset.userKey.update.applet.requiredVersion=1.4.499dc06c -op.pinReset.userKey.update.applet.directory=[TPS_DIR]/applets -op.pinReset.userKey.update.applet.encryption=true -op.pinReset.userKey.update.symmetricKeys.enable=false -op.pinReset.userKey.update.symmetricKeys.requiredVersion=1 -op.pinReset.userKey.loginRequest.enable=true -op.pinReset.userKey.pinReset.pin.minLen=4 -op.pinReset.userKey.pinReset.pin.maxLen=10 -op.pinReset.userKey.tks.conn=tks1 -op.pinReset.userKey.cardmgr_instance=A0000000030000 -op.pinReset.userKey.auth.id=ldap1 -op.pinReset.userKey.auth.enable=true -op.format._000=######################################### -op.format._001=# Format Operation For tokenKey -op.format._002=# 
-op.format._003=# op.format.tokenKey.update.applet.emptyToken.enable=false -op.format._004=# - update applet or not if token is empty -op.format._005=# -op.format._006=# - applicable to CoolKey -op.format._007=# - applicable to HouseKey -op.format._008=# - applicable to HouseKey with Legacy Applet -op.format._009=######################################### -op.format.allowUnknownToken=true -op.format.soCleanUserToken.update.applet.emptyToken.enable=true -op.format.soCleanUserToken.update.applet.requiredVersion=1.4.499dc06c -op.format.soCleanUserToken.update.applet.directory=[TPS_DIR]/applets -op.format.soCleanUserToken.update.applet.encryption=true -op.format.soCleanUserToken.update.symmetricKeys.enable=false -op.format.soCleanUserToken.update.symmetricKeys.requiredVersion=1 -op.format.soCleanUserToken.revokeCert=true -op.format.soCleanUserToken.ca.conn=ca1 -op.format.soCleanUserToken.loginRequest.enable=false -op.format.soCleanUserToken.cardmgr_instance=A0000000030000 -op.format.soCleanUserToken.tks.conn=tks1 -op.format.soCleanUserToken.auth.id=ldap1 -op.format.soCleanUserToken.auth.enable=false -op.format.soCleanUserToken.issuerinfo.enable=true -op.format.soCleanUserToken.issuerinfo.value= -op.format.soCleanSOToken.update.applet.emptyToken.enable=true -op.format.soCleanSOToken.update.applet.requiredVersion=1.4.499dc06c -op.format.soCleanSOToken.update.applet.directory=[TPS_DIR]/applets -op.format.soCleanSOToken.update.applet.encryption=true -op.format.soCleanSOToken.update.symmetricKeys.enable=false -op.format.soCleanSOToken.update.symmetricKeys.requiredVersion=1 -op.format.soCleanSOToken.revokeCert=true -op.format.soCleanSOToken.ca.conn=ca1 -op.format.soCleanSOToken.loginRequest.enable=false -op.format.soCleanSOToken.cardmgr_instance=A0000000030000 -op.format.soCleanSOToken.tks.conn=tks1 -op.format.soCleanSOToken.auth.id=ldap1 -op.format.soCleanSOToken.auth.enable=false -op.format.soCleanSOToken.issuerinfo.enable=true -op.format.soCleanSOToken.issuerinfo.value= 
-op.format.cleanToken.update.applet.emptyToken.enable=true -op.format.cleanToken.update.applet.requiredVersion=1.4.499dc06c -op.format.cleanToken.update.applet.directory=[TPS_DIR]/applets -op.format.cleanToken.update.applet.encryption=true -op.format.cleanToken.update.symmetricKeys.enable=false -op.format.cleanToken.update.symmetricKeys.requiredVersion=1 -op.format.cleanToken.revokeCert=true -op.format.cleanToken.ca.conn=ca1 -op.format.cleanToken.loginRequest.enable=true -op.format.cleanToken.cardmgr_instance=A0000000030000 -op.format.cleanToken.tks.conn=tks1 -op.format.cleanToken.auth.id=ldap1 -op.format.cleanToken.auth.enable=false -op.format.cleanToken.issuerinfo.enable=true -op.format.cleanToken.issuerinfo.value= -op.format.soUserKey.update.applet.emptyToken.enable=true -op.format.soUserKey.update.applet.requiredVersion=1.4.499dc06c -op.format.soUserKey.update.applet.directory=[TPS_DIR]/applets -op.format.soUserKey.update.applet.encryption=true -op.format.soUserKey.update.symmetricKeys.enable=false -op.format.soUserKey.update.symmetricKeys.requiredVersion=1 -op.format.soUserKey.revokeCert=true -op.format.soUserKey.ca.conn=ca1 -op.format.soUserKey.loginRequest.enable=false -op.format.soUserKey.cardmgr_instance=A0000000030000 -op.format.soUserKey.tks.conn=tks1 -op.format.soUserKey.auth.id=ldap1 -op.format.soUserKey.auth.enable=false -op.format.soUserKey.issuerinfo.enable=true -op.format.soUserKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/home/index.cgi -op.format.soKey.update.applet.emptyToken.enable=true -op.format.soKey.update.applet.requiredVersion=1.4.499dc06c -op.format.soKey.update.applet.directory=[TPS_DIR]/applets -op.format.soKey.update.applet.encryption=true -op.format.soKey.update.symmetricKeys.enable=false -op.format.soKey.update.symmetricKeys.requiredVersion=1 -op.format.soKey.revokeCert=true -op.format.soKey.ca.conn=ca1 -op.format.soKey.loginRequest.enable=true -op.format.soKey.cardmgr_instance=A0000000030000 
-op.format.soKey.tks.conn=tks1 -op.format.soKey.auth.id=ldap2 -op.format.soKey.auth.enable=true -op.format.soKey.issuerinfo.enable=true -op.format.soKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/so/index.cgi -op.format.userKey.update.applet.emptyToken.enable=true -op.format.userKey.update.applet.requiredVersion=1.4.499dc06c -op.format.userKey.update.applet.directory=[TPS_DIR]/applets -op.format.userKey.update.applet.encryption=true -op.format.userKey.update.symmetricKeys.enable=false -op.format.userKey.update.symmetricKeys.requiredVersion=1 -op.format.userKey.revokeCert=true -op.format.userKey.ca.conn=ca1 -op.format.userKey.loginRequest.enable=true -op.format.userKey.cardmgr_instance=A0000000030000 -op.format.userKey.tks.conn=tks1 -op.format.userKey.auth.id=ldap1 -op.format.userKey.auth.enable=true -op.format.userKey.issuerinfo.enable=true -op.format.userKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/home/index.cgi -op.format.tokenKey.update.applet.emptyToken.enable=true -op.format.tokenKey.update.applet.requiredVersion=1.4.499dc06c -op.format.tokenKey.update.applet.directory=[TPS_DIR]/applets -op.format.tokenKey.update.applet.encryption=true -op.format.tokenKey.update.symmetricKeys.enable=false -op.format.tokenKey.update.symmetricKeys.requiredVersion=1 -op.format.tokenKey.revokeCert=true -op.format.tokenKey.ca.conn=ca1 -op.format.tokenKey.loginRequest.enable=true -op.format.tokenKey.cardmgr_instance=A0000000030000 -op.format.tokenKey.tks.conn=tks1 -op.format.tokenKey.auth.id=ldap1 -op.format.tokenKey.auth.enable=true -op.format.tokenKey.issuerinfo.enable=true -op.format.tokenKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/home/index.cgi -tokendb._000=######################################### -tokendb._001=# tokendb.auditLog: -tokendb._002=# - audit log path -tokendb._003=# tokendb.host: -tokendb._004=# - tokendb host name -tokendb._005=# tokendb.port: -tokendb._006=# - tokendb port number -tokendb._007=# tokendb.bindDN: 
-tokendb._008=# - tokendb administration DN (i.e. cn=Directory Manager) -tokendb._009=# tokendb.bindPassPath: -tokendb._010=# - tokendb administration password file path -tokendb._011=# tokendb.templateDir -tokendb._012=# - directory where all the tokendb templates are located -tokendb._013=# tokendb.userBaseDN: -tokendb._014=# - directory base DN for users and groups -tokendb._015=# tokendb.baseDN: -tokendb._016=# - directory base DN for tokens -tokendb._017=# tokendb.activityBaseDN: -tokendb._018=# - directory base DN for activities -tokendb._019=# tokendb.indexTemplate=index.template -tokendb._020=# - index template -tokendb._021=# tokendb.newTemplate=new.template -tokendb._022=# - add template -tokendb._023=# tokendb.showTemplate=show.template -tokendb._024=# - show template -tokendb._025=# tokendb.errorTemplate=error.template -tokendb._026=# - error template -tokendb._027=# tokendb.searchTemplate=search.template -tokendb._028=# - search template -tokendb._029=# tokendb.searchResultTemplate=searchResults.template -tokendb._030=# - search result template -tokendb._031=# tokendb.editTemplate=edit.template -tokendb._032=# - edit template -tokendb._033=# tokendb.editResultTemplate=editResults.template -tokendb._034=# - edit result template -tokendb._035=# tokendb.addResultTemplate=addResults.template -tokendb._036=# - add result template -tokendb._037=# tokendb.deleteResultTemplate=deleteResults.template -tokendb._038=# - delete result template -tokendb._039=# tokendb.searchActivityTemplate=searchActivity.template -tokendb._040=# - search activity template -tokendb._041=# tokendb.searchActivityResultTemplate=searchActivityResults.template -tokendb._042=# - search activity result template -tokendb._043=# tokendb.showAdminTemplate=showAdmin.template -tokendb._044=# - show admin template -tokendb._045=# tokendb.editAdminTemplate=editAdmin.template -tokendb._046=# - edit admin template -tokendb._047=# tokendb.editAdminResultTemplate=editAdminResults.template 
-tokendb._048=# - edit admin result template -tokendb._049=# tokendb.searchAdminTemplate=searchAdmin.template -tokendb._050=# - search admin template -tokendb._051=# tokendb.searchAdminResultTemplate=searchAdminResults.template -tokendb._052=# - search admin result template -tokendb._053=# tokendb.defaultPolicy: -tokendb._054=# Supported Policy (Separated by ; [Semicolon]): -tokendb._055=# For example, PIN_RESET=YES|NO;RE_ENROLL=YES|NO -tokendb._056=# PIN_RESET=YES|NO -tokendb._057=# - If not present, pin reset by user is allowed. -tokendb._058=# - If present and agent change PIN_RESET from NO -tokendb._059=# to YES, user is allowed to do pin reset. This -tokendb._060=# policy will be changed back to NO after pin reset. -tokendb._061=# RE_ENROLL=YES|NO -tokendb._062=# - If not present, re-enrollment is allowed. -tokendb._063=# - If present, re-enrollment is allowed when RE_ENROLL -tokendb._064=# is set to YES. Otherwise, re-enrollment is not -tokendb._065=# allowed. -tokendb._066=# tokendb.allowedTransitions: -tokendb._067=# - has transitions between the following states -tokendb._068=# TOKEN_UNINITIALIZED = 0, -tokendb._069=# TOKEN_DAMAGED =1, -tokendb._070=# TOKEN_PERM_LOST=2, -tokendb._071=# TOKEN_TEMP_LOST=3, -tokendb._072=# TOKEN_FOUND =4, -tokendb._073=# TOKEN_TEMP_LOST_PERM_LOST =5, -tokendb._074=# TOKEN_TERMINATED = 6 -tokendb._075=######################################### -tokendb.auditLog=[SERVER_ROOT]/logs/tokendb-audit.log -tokendb.hostport=[TOKENDB_HOST]:[TOKENDB_PORT] -tokendb.ssl=false -tokendb.bindDN=cn=Directory Manager -tokendb.bindPassPath=[SERVER_ROOT]/conf/password.conf -tokendb.templateDir=[SERVER_ROOT]/docroot/tus -tokendb.userBaseDN=[TOKENDB_ROOT] -tokendb.baseDN=ou=Tokens,[TOKENDB_ROOT] -tokendb.activityBaseDN=ou=Activities,[TOKENDB_ROOT] -tokendb.certBaseDN=ou=Certificates,[TOKENDB_ROOT] -tokendb.indexTemplate=index.template -tokendb.indexAdminTemplate=indexAdmin.template -tokendb.newTemplate=new.template 
-tokendb.showTemplate=show.template -tokendb.showCertTemplate=showCert.template -tokendb.errorTemplate=error.template -tokendb.searchTemplate=search.template -tokendb.searchResultTemplate=searchResults.template -tokendb.searchCertificateResultTemplate=searchCertificateResults.template -tokendb.editTemplate=edit.template -tokendb.editResultTemplate=editResults.template -tokendb.addResultTemplate=addResults.template -tokendb.deleteTemplate=delete.template -tokendb.deleteResultTemplate=deleteResults.template -tokendb.searchActivityTemplate=searchActivity.template -tokendb.searchCertificateTemplate=searchCertificate.template -tokendb.searchActivityResultTemplate=searchActivityResults.template -tokendb.searchActivityAdminTemplate=searchActivityAdmin.template -tokendb.searchActivityAdminResultTemplate=searchActivityAdminResults.template -tokendb.showAdminTemplate=showAdmin.template -tokendb.doTokenTemplate=doToken.template -tokendb.doTokenConfirmTemplate=doTokenConfirm.template -tokendb.revokeTemplate=revoke.template -tokendb.searchAdminTemplate=searchAdmin.template -tokendb.searchAdminResultTemplate=searchAdminResults.template -tokendb.defaultPolicy=RE_ENROLL=YES -tokendb.newUserTemplate=newUser.template -tokendb.userDeleteTemplate=userDelete.template -tokendb.searchUserResultTemplate=searchUserResults.template -tokendb.searchUserTemplate=searchUser.template -tokendb.editUserTemplate=editUser.template -tokendb.indexOperatorTemplate=indexOperator.template -tokendb.selfTestTemplate=selfTest.template -tokendb.selfTestResultsTemplate=selfTestResults.template -tokendb.auditAdminTemplate=auditAdmin.template -tokendb.selectConfigTemplate=selectConfig.template -tokendb.agentSelectConfigTemplate=agentSelectConfig.template -tokendb.editConfigTemplate=editConfig.template -tokendb.agentViewConfigTemplate=agentViewConfig.template -tokendb.addConfigTemplate=addConfig.template -tokendb.confirmConfigChangesTemplate=confirmConfigChanges.template 
-tokendb.confirmDeleteConfigTemplate=confirmDeleteConfig.template -log.instance.SignedAudit.selected.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL -log.instance.SignedAudit.selectable.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE,PRIVATE_KEY_ARCHIVE_PROCESSED,KEY_RECOVERY_REQUEST,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_PROCESSED,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL -log.instance.SignedAudit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST -tokendb.allowedTransitions=0:1,0:2,0:3,0:4,0:5,0:6,3:4,3:5,3:6,4:1,4:2,4:3,4:6 -target._000=######################################### -target._001=# entries to enable configuration of parameter sets through the TPS UI agent and admin tabs -target._002=# -target._003=# target.configure.list = comma separated lists of all parameter sets that can be configured by the admin. -target._004=# Each entry will show up (with underscore replaced by space) under Advanced Configuration on the admin tab. 
-target._005=# -target._006=# target.agent_approve.list = comma separated subset of above list. Parameter sets in this list -target._007=# will show up in the agent tab (under advanced configuration) and will require agent involvement -target._008=# (enable/ disable) to be edited. -target._009=# -target._010=# For the wording to display correctly, the values in the above list should be plurals. -target._011=# -target._012=# Each parameter set in the lists above requires three parameters: -target._013=# target..list : list of choices of this parameter set type (will display in the drop down box) -target._014=# target..pattern : the regular expression to select parameters in CS.cfg for this parameter set. -target._015=# target..displayname: used in the UI display text. This should be the singular form of . -target._016=# -target._017=# The exception is the parameter set Generals, which has only a pattern and displayname defined. -target._018=# -target._019=######################################## -target.configure.list=Profiles,Subsystem_Connections,Profile_Mappings,Authentication_Sources -target.agent_approve.list=Profiles -target.Profiles.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSoToken,tokenKey -target.Profiles.pattern=op\..*\.$name\..* -target.Profiles.displayname=Profile -target.Subsystem_Connections.list=ca1,drm1,tks1 -target.Subsystem_Connections.pattern=conn\.$name\..* -target.Subsystem_Connections.displayname=Subsystem Connection -target.Profile_Mappings.list=enroll,format,pinReset -target.Profile_Mappings.pattern=op\.$name\.mapping\..* -target.Profile_Mappings.displayname=Profile Mapping -target.Authentication_Sources.list=0,1 -target.Authentication_Sources.pattern=auth\.instance\.$name\..* -target.Authentication_Sources.displayname=Authentication Source -target.Generals.displayname=General -target.Generals.pattern=^applet\..*\|^general\..*\|^failover.pod.enable\|^channel\..* -config.Generals.General.state=Enabled 
-config.Generals.General.timestamp=1280283607424406
-tps._000=########################################
-tps._001=# For verifying system certificates
-tps._002=# tps.cert.list=sslserver,subsystem,audit_signing
-tps._003=# tps.cert.sslserver.nickname=xxx
-tps._005=# tps.cert.subsystem.nickname=xxx
-tps._007=# tps.cert.audit_signing.nickname=xxx
-tps._009=########################################
-tps.cert.list=sslserver,subsystem,audit_signing
-tps.cert.sslserver.nickname=[HSM_LABEL][NICKNAME]
-tps.cert.subsystem.nickname=[HSM_LABEL][NICKNAME]
-tps.cert.audit_signing.nickname=[HSM_LABEL][NICKNAME]
diff --git a/pki/base/tps/doc/CS.cfg.in b/pki/base/tps/doc/CS.cfg.in
index 896bcbc1..2c7ec602 100644
--- a/pki/base/tps/doc/CS.cfg.in
+++ b/pki/base/tps/doc/CS.cfg.in
@@ -18,19 +18,25 @@
 # All rights reserved.
 # --- END COPYRIGHT BLOCK ---
 #
-pkicreate.pki_instance_root=[INSTANCE_ROOT]
-pkicreate.pki_instance_name=[INSTANCE_ID]
-pkicreate.subsystem_type=[SUBSYSTEM_TYPE]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
 pkicreate.secure_port=[SECURE_PORT]
 pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
 pkicreate.unsecure_port=[PORT]
-pkicreate.user=[USERID]
-pkicreate.group=[GROUPID]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 cs.type=TPS
 selftests._000=##
 selftests._001=## Self Tests
 selftests._002=##
+selftests._003=## The Self-Test plugin TPSSystemCertsVerification uses the
+selftests._004=## following parameters (where certusage is optional):
+selftests._005=## tps.cert.list =
+selftests._006=## tps.cert..nickname
+selftests._007=## tps.cert..certusage
+selftests._008=##
 selftests.container.logger.enable=true
 selftests.container.logger.expirationTime=0
 selftests.container.logger.file.type=RollingLogFile
@@ -38,8 +44,8 @@ selftests.container.logger.fileName=[SERVER_ROOT]/logs/selftests.log
 selftests.container.logger.level=10
 selftests.container.logger.maxFileSize=2000
 selftests.container.logger.rolloverInterval=2592000
-selftests.container.order.startup=TPSPresence:critical, TPSValidity:critical
-selftests.container.order.onDemand=TPSPresence:critical, TPSValidity:critical
+selftests.container.order.startup=TPSPresence:critical, TPSSystemCertsVerification:critical
+selftests.container.order.onDemand=TPSPresence:critical, TPSValidity:critical, TPSSystemCertsVerification:critical
 selftests.plugin.TPSPresence.nickname=[HSM_LABEL][NICKNAME]
 selftests.plugin.TPSValidity.nickname=[HSM_LABEL][NICKNAME]
 service.machineName=[SERVER_NAME]
@@ -47,7 +53,7 @@ service.instanceDir=[SERVER_ROOT]
 service.securePort=[SECURE_PORT]
 service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
 service.unsecurePort=[PORT]
-service.instanceID=[INSTANCE_ID]
+service.instanceID=[PKI_INSTANCE_ID]
 logging._000=#########################################
 logging._001=# RA configuration File
 logging._002=#
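Review bot: The new startup order drops `TPSValidity:critical` while the onDemand order keeps it, so after this change the instance's own certificate validity is checked at boot only if `TPSSystemCertsVerification` performs that check itself, and the asymmetry between the two lists reads like an accident rather than a decision. If the new plugin does subsume `TPSValidity`, a line such as `selftests._009=## TPSValidity is intentionally omitted from startup: TPSSystemCertsVerification covers validity of every cert in tps.cert.list` would stop someone re-adding it; otherwise the startup line should read `selftests.container.order.startup=TPSPresence:critical, TPSValidity:critical, TPSSystemCertsVerification:critical`. Also worth confirming: if `tps.cert.list` still names `audit_signing` as the deleted CS.cfg did, the critical startup check will presumably fail on an instance where `preop.cert.audit_signing.enable=false` (a later hunk) left that certificate unprovisioned.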
@@ -111,9 +117,9 @@ logging.audit.filename=[SERVER_ROOT]/logs/tps-audit.log
 logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit
 logging.audit.level=10
 logging.audit.logSigning=false
-logging.audit.signedAuditCertNickname=auditSigningCert cert-[INSTANCE_ID]
-logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
-logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
+logging.audit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
+logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
 logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
 logging.audit.buffer.size=512
 logging.audit.flush.interval=5
@@ -156,8 +162,8 @@ conn.ca1.hostport=[CA_HOST]:[CA_PORT]
 conn.ca1.clientNickname=[HSM_LABEL][NICKNAME]
 conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient
 conn.ca1.servlet.renewal=/ca/ee/ca/profileSubmitSSLClient
-conn.ca1.servlet.revoke=/ca/subsystem/ca/doRevoke
-conn.ca1.servlet.unrevoke=/ca/subsystem/ca/doUnrevoke
+conn.ca1.servlet.revoke=/ca/ee/subsystem/ca/doRevoke
+conn.ca1.servlet.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
 conn.ca1.retryConnect=3
 conn.ca1.timeout=100
 conn.ca1.SSLOn=true
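Review bot: The revoke/unrevoke URIs move from `/ca/subsystem/ca/...` to `/ca/ee/subsystem/ca/...`, i.e. under the CA's end-entity tree next to `profileSubmitSSLClient`, and nothing in this file records what authorizes them. Revocation driven by the TPS is a privileged operation, so it is protected only by the CA-side ACL that restricts those URIs to the TPS subsystem certificate presented via `conn.ca1.clientNickname` over the `conn.ca1.SSLOn=true` client-auth connection; whether such an ACL exists for the `ee`-prefixed paths is not visible here and should be checked against the CA's servlet/ACL mapping before this ships. I would record the dependency next to the URIs with `conn.ca1._0NN=# revoke/unrevoke are served from the CA ee tree but must still be authorized to the TPS subsystem cert (client auth), not to arbitrary end entities`.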
@@ -343,6 +349,7 @@ general.search.sizelimit.max=2000
 general.search.sizelimit.default=100
 general.search.timelimit.max=10
 general.search.timelimit.default=10
+general.pwlength.min=16
 channel._000=#########################################
 channel._001=# channel.encryption:
 channel._002=#
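Review bot: `general.pwlength.min=16` is introduced with none of the `_NNN=#` description lines this file attaches to every other parameter group, so a reader cannot tell which secret this minimum governs or what the TPS does when it is not met. Since the token PIN profiles cap PINs well below 16 (`pinReset.pin.maxLen=10` in the deleted CS.cfg), this presumably applies to something other than token PINs, likely passwords the TPS generates or accepts, and that should be stated rather than guessed. Suggest adding above it `general._0NN=# general.pwlength.min: minimum length in characters enforced for <which password>; shorter values are rejected`, filling in the placeholder from the code that reads the key.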
@@ -370,34 +377,34 @@ preop.cert.list=sslserver,subsystem,audit_signing
 preop.cert.sslserver.enable=true
 preop.cert.subsystem.enable=true
 preop.cert.audit_signing.enable=false
-preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[INSTANCE_ID]
+preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
 preop.cert.sslserver.keysize.customsize=2048
 preop.cert.sslserver.keysize.size=2048
 preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[INSTANCE_ID]
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
 preop.cert.sslserver.profile=caInternalAuthServerCert
 preop.cert.sslserver.subsystem=tps
 preop.cert._003=#preop.cert.sslserver.type=local
 preop.cert.sslserver.userfriendlyname=SSL Server Certificate
 preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
-preop.cert.subsystem.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[INSTANCE_ID]
+preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[PKI_INSTANCE_ID]
 preop.cert.subsystem.keysize.customsize=2048
 preop.cert.subsystem.keysize.size=2048
 preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 preop.cert.subsystem.profile=caInternalAuthSubsystemCert
 preop.cert.subsystem.subsystem=tps
 preop.cert._005=#preop.cert.subsystem.type=local
 preop.cert.subsystem.userfriendlyname=Subsystem Certificate
 preop.cert._006=#preop.cert.subsystem.cncomponent.override=true
-preop.cert.audit_signing.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[INSTANCE_ID]
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[PKI_INSTANCE_ID]
 preop.cert.audit_signing.keysize.customsize=2048
 preop.cert.audit_signing.keysize.size=2048
 preop.cert.audit_signing.keysize.select=custom
-preop.cert.audit_signing.nickname=auditSigningCert cert-[INSTANCE_ID]
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
 preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
 preop.cert.audit_signing.subsystem=tps
 preop.cert._005=#preop.cert.audit_signing.type=local
@@ -715,7 +722,6 @@ op.enroll.userKey.keyGen.signing.privateKeyNumber=2
 op.enroll.userKey.keyGen.signing.publicKeyNumber=3
 op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
 op.enroll.userKey.keyGen.signing.ca.conn=ca1
-op.enroll.userKey.keyGen.signing.revokeCert=true
 op.enroll.userKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
 op.enroll.userKey.keyGen.encryption.keySize=1024
 op.enroll.userKey.keyGen.encryption.public.keyCapabilities.encrypt=true
@@ -755,7 +761,6 @@ op.enroll.userKey.keyGen.encryption.privateKeyNumber=4
 op.enroll.userKey.keyGen.encryption.publicKeyNumber=5
 op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
 op.enroll.userKey.keyGen.encryption.ca.conn=ca1
-op.enroll.userKey.keyGen.encryption.revokeCert=true
 op.enroll.userKey.pkcs11obj.enable=true
 op.enroll.userKey.pkcs11obj.compress.enable=true
 op.enroll.userKey.update.applet.emptyToken.enable=true
@@ -834,7 +839,6 @@ op.enroll.userKeyTemporary.keyGen.auth.privateKeyNumber=0
 op.enroll.userKeyTemporary.keyGen.auth.publicKeyNumber=1
 op.enroll.userKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
 op.enroll.userKeyTemporary.keyGen.auth.ca.conn=ca1
-op.enroll.userKeyTemporary.keyGen.auth.revokeCert=true
 op.enroll.userKeyTemporary.keyGen.signing.keySize=1024
 op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
 op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
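Review bot: The three `preop.cert.*.defaultSigningAlgorithm` lines now say `SHA256withRSA`, but they only express what the TPS requests for its own system certificates through the `caInternalAuthServerCert`/`caInternalAuthSubsystemCert`/`caInternalAuthAuditSigningCert` profiles; the signature algorithm on the issued certificate is presumably decided by those CA profiles, so SHA-1 only disappears if the CA side is updated too, which this diff does not show. The hunk also leaves `preop.cert.audit_signing.enable=false` in place while upgrading that certificate's default, so for the audit signing cert the new value may have no effect at configuration time. A comment such as `preop.cert._0NN=#defaultSigningAlgorithm is a request-side preference; the issuing CA profile makes the final choice` beside these lines would make that limit explicit. Note that the key `preop.cert._005` is used twice on the new side (for the subsystem and the audit_signing `type` comments); harmless for comment-only keys, but the loader will presumably keep only one, so renumbering the second to `_007` keeps the comments intact.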
@@ -873,7 +877,6 @@ op.enroll.userKeyTemporary.keyGen.signing.privateKeyNumber=2
 op.enroll.userKeyTemporary.keyGen.signing.publicKeyNumber=3
 op.enroll.userKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
 op.enroll.userKeyTemporary.keyGen.signing.ca.conn=ca1
-op.enroll.userKeyTemporary.keyGen.signing.revokeCert=true
 op.enroll.userKey._080=#op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
 op.enroll.userKeyTemporary.keyGen.encryption.keySize=1024
 op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
@@ -913,7 +916,6 @@ op.enroll.userKeyTemporary.keyGen.encryption.privateKeyNumber=4
 op.enroll.userKeyTemporary.keyGen.encryption.publicKeyNumber=5
 op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
 op.enroll.userKeyTemporary.keyGen.encryption.ca.conn=ca1
-op.enroll.userKeyTemporary.keyGen.encryption.revokeCert=true
 op.enroll.userKeyTemporary.pkcs11obj.enable=true
 op.enroll.userKeyTemporary.pkcs11obj.compress.enable=true
 op.enroll.userKeyTemporary.update.applet.emptyToken.enable=true
@@ -1031,7 +1033,6 @@ op.enroll.soKey.keyGen.signing.privateKeyNumber=2
 op.enroll.soKey.keyGen.signing.publicKeyNumber=3
 op.enroll.soKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
 op.enroll.soKey.keyGen.signing.ca.conn=ca1
-op.enroll.soKey.keyGen.signing.revokeCert=true
 op.enroll.soKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
 op.enroll.soKey.keyGen.encryption.keySize=1024
 op.enroll.soKey.keyGen.encryption.public.keyCapabilities.encrypt=true
@@ -1071,7 +1072,6 @@ op.enroll.soKey.keyGen.encryption.privateKeyNumber=4
 op.enroll.soKey.keyGen.encryption.publicKeyNumber=5
 op.enroll.soKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
 op.enroll.soKey.keyGen.encryption.ca.conn=ca1
-op.enroll.soKey.keyGen.encryption.revokeCert=true
 op.enroll.soKey.pkcs11obj.enable=true
 op.enroll.soKey.pkcs11obj.compress.enable=true
 op.enroll.soKey.update.applet.emptyToken.enable=true
@@ -1150,7 +1150,6 @@ op.enroll.soKeyTemporary.keyGen.auth.privateKeyNumber=0
 op.enroll.soKeyTemporary.keyGen.auth.publicKeyNumber=1
 op.enroll.soKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
 op.enroll.soKeyTemporary.keyGen.auth.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.auth.revokeCert=true
 op.enroll.soKeyTemporary.keyGen.signing.keySize=1024
 op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
 op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
@@ -1189,7 +1188,6 @@ op.enroll.soKeyTemporary.keyGen.signing.privateKeyNumber=2
 op.enroll.soKeyTemporary.keyGen.signing.publicKeyNumber=3
 op.enroll.soKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
 op.enroll.soKeyTemporary.keyGen.signing.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.signing.revokeCert=true
 op.enroll.soKeyTemporary.keyGen.encryption.keySize=1024
 op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
 op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false
@@ -1228,7 +1226,6 @@ op.enroll.soKeyTemporary.keyGen.encryption.privateKeyNumber=4
 op.enroll.soKeyTemporary.keyGen.encryption.publicKeyNumber=5
 op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
 op.enroll.soKeyTemporary.keyGen.encryption.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.encryption.revokeCert=true
 op.enroll.soKeyTemporary.pkcs11obj.enable=true
 op.enroll.soKeyTemporary.pkcs11obj.compress.enable=true
 op.enroll.soKeyTemporary.update.applet.emptyToken.enable=true
@@ -1539,23 +1536,42 @@ target._006=# target.agent_approve.list = comma separated subset of above list.
 target._007=# will show up in the agent tab (under advanced configuration) and will require agent involvement
 target._008=# (enable/ disable) to be edited.
 target._009=#
-target._010=# Each parameter set in the lists above requires two parameters:
-target._011=# target..list : list of choices of this parameter set type (will display in the drop down box)
-target._012=# target..pattern : the regular expression to select parameters in CS.cfg for this parameter set.
-target._013=#
-target._014=# The exception is the parameter set Generals, which only has a pattern defined. ie. target.Generals.pattern
+target._010=# For the wording to display correctly, the values in the above list should be plurals.
+target._011=#
+target._012=# Each parameter set in the lists above requires three parameters:
+target._013=# target..list : list of choices of this parameter set type (will display in the drop down box)
+target._014=# target..pattern : the regular expression to select parameters in CS.cfg for this parameter set.
+target._015=# target..displayname: used in the UI display text. This should be the singular form of .
 target._016=#
-target._017=########################################
+target._017=# The exception is the parameter set Generals, which has only a pattern and displayname defined.
+target._018=#
+target._019=########################################
 target.configure.list=Profiles,Subsystem_Connections,Profile_Mappings,Authentication_Sources
 target.agent_approve.list=Profiles
 target.Profiles.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSoToken,tokenKey
 target.Profiles.pattern=op\..*\.$name\..*
+target.Profiles.displayname=Profile
 target.Subsystem_Connections.list=ca1,drm1,tks1
 target.Subsystem_Connections.pattern=conn\.$name\..*
+target.Subsystem_Connections.displayname=Subsystem Connection
 target.Profile_Mappings.list=enroll,format,pinReset
 target.Profile_Mappings.pattern=op\.$name\.mapping\..*
+target.Profile_Mappings.displayname=Profile Mapping
 target.Authentication_Sources.list=0,1
 target.Authentication_Sources.pattern=auth\.instance\.$name\..*
+target.Authentication_Sources.displayname=Authentication Source
+target.Generals.displayname=General
 target.Generals.pattern=^applet\..*\|^general\..*\|^failover.pod.enable\|^channel\..*
 config.Generals.General.state=Enabled
 config.Generals.General.timestamp=1280283607424406
+tps._000=########################################
+tps._001=# For verifying system certificates
+tps._002=# tps.cert.list=sslserver,subsystem,audit_signing
+tps._003=# tps.cert.sslserver.nickname=xxx
+tps._005=# tps.cert.subsystem.nickname=xxx
+tps._007=# tps.cert.audit_signing.nickname=xxx
+tps._009=########################################
+tps.cert.list=sslserver,subsystem,audit_signing
+tps.cert.sslserver.nickname=[HSM_LABEL][NICKNAME]
+tps.cert.subsystem.nickname=[HSM_LABEL][NICKNAME]
+tps.cert.audit_signing.nickname=[HSM_LABEL][NICKNAME]
diff --git a/pki/base/tps/src/CMakeLists.txt b/pki/base/tps/src/CMakeLists.txt
index fe27b3e6..7f7859ba 100644
--- a/pki/base/tps/src/CMakeLists.txt
+++ b/pki/base/tps/src/CMakeLists.txt
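Review bot: The new `tps.cert.list=sslserver,subsystem,audit_signing` turns on verification of the audit signing certificate, but the same file still ships `preop.cert.audit_signing.enable=false` in the preop section (the -370 hunk above); if that flag means the certificate is not issued during configuration, the new system-cert check would look for a nickname that is never populated. The consumer of `tps.cert.*` is not in this diff, so either confirm it tolerates a missing entry or align the two defaults. The placeholder `[HSM_LABEL][NICKNAME]` is also identical for all three nicknames, so the substitution step has to run per certificate; a line in the `tps._00x` header naming which tool fills these in would help the next reader. Unrelated but adjacent: `^failover.pod.enable` in `target.Generals.pattern` leaves its dots unescaped unlike the neighbouring alternatives, so `^failover\.pod\.enable` is probably what was meant.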
@@ -1,10 +1,11 @@
 project(tps_library CXX)
+set(TPS_LIBRARY_VERSION ${APPLICATION_VERSION})
+set(TPS_LIBRARY_SOVERSION 9)
+
 set(TPS_INCLUDE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/include)
-add_subdirectory(authentication)
 add_subdirectory(tus)
-add_subdirectory(modules)
 set(TPS_PUBLIC_INCLUDE_DIRS
 ${CMAKE_CURRENT_BINARY_DIR}
@@ -19,6 +20,7 @@ set(TPS_PRIVATE_INCLUDE_DIRS
 ${NSS_INCLUDE_DIRS}
 ${NSPR_INCLUDE_DIRS}
 ${APR_INCLUDE_DIRS}
+ ${SVRCORE_INCLUDE_DIRS}
 ${MOZLDAP_INCLUDE_DIRS}
 )
@@ -31,6 +33,7 @@ set(TPS_LINK_LIBRARIES
 ${NSPR_LIBRARIES}
 ${NSS_LIBRARIES}
 ${APR_LIBRARIES}
+ ${SVRCORE_LIBRARIES}
 ${MOZLDAP_LIBRARIES}
 ${TOKENDB_SHARED_LIBRARY}
 )
@@ -121,6 +124,7 @@ set(tps_library_SRCS
 processor/RA_Format_Processor.cpp
 selftests/SelfTest.cpp
 selftests/TPSPresence.cpp
+ selftests/TPSSystemCertsVerification.cpp
 selftests/TPSValidity.cpp
 )
@@ -144,3 +148,7 @@ install(
 ${TPS_SHARED_LIBRARY}
 LIBRARY DESTINATION ${LIB_INSTALL_DIR}
 )
+
+add_subdirectory(authentication)
+add_subdirectory(modules)
+
diff --git a/pki/base/tps/src/authentication/CMakeLists.txt b/pki/base/tps/src/authentication/CMakeLists.txt
index 5dec1b5c..25cb4720 100644
--- a/pki/base/tps/src/authentication/CMakeLists.txt
+++ b/pki/base/tps/src/authentication/CMakeLists.txt
@@ -1,7 +1,7 @@
 project(ldapauth_library CXX)
 set(LDAPAUTH_LIBRARY_VERSION ${APPLICATION_VERSION})
-set(LDAPAUTH_LIBRARY_SOVERSION 1)
+set(LDAPAUTH_LIBRARY_SOVERSION 9)
 set(LDAPAUTH_PUBLIC_INCLUDE_DIRS
 ${CMAKE_CURRENT_BINARY_DIR}
@@ -15,6 +15,7 @@ set(LDAPAUTH_PRIVATE_INCLUDE_DIRS
 ${CMAKE_BINARY_DIR}
 ${NSPR_INCLUDE_DIRS}
 ${NSS_INCLUDE_DIRS}
+ ${SVRCORE_INCLUDE_DIRS}
 ${MOZLDAP_INCLUDE_DIRS}
 )
@@ -26,7 +27,10 @@ set(LDAPAUTH_SHARED_LIBRARY
 set(LDAPAUTH_LINK_LIBRARIES
 ${NSPR_LIBRARIES}
 ${NSS_LIBRARIES}
+ ${SVRCORE_LIBRARIES}
 ${MOZLDAP_LIBRARIES}
+ ${TOKENDB_SHARED_LIBRARY}
+ ${TPS_SHARED_LIBRARY}
 )
 set(ldapauth_library_SRCS
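Review bot: Moving `add_subdirectory(authentication)` and `add_subdirectory(modules)` below the `install()` call encodes an ordering requirement that nothing in the file states: those subdirectories now link `${TPS_SHARED_LIBRARY}` (see the authentication hunk in this same patch), so they must be processed after that target has been created. Without a comment the next cleanup is likely to move them back up next to `add_subdirectory(tus)` and break the link. I would add `# authentication/ and modules/ link ${TPS_SHARED_LIBRARY}; keep them after the library target is defined` above the two calls. `TPS_LIBRARY_VERSION` and `TPS_LIBRARY_SOVERSION` are set at the top, but the `set_target_properties` that would consume them is outside this hunk, so I cannot confirm they are actually applied to the target.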
diff --git a/pki/base/tps/src/modules/tokendb/CMakeLists.txt b/pki/base/tps/src/modules/tokendb/CMakeLists.txt
index 927d2ff7..c152d80e 100644
--- a/pki/base/tps/src/modules/tokendb/CMakeLists.txt
+++ b/pki/base/tps/src/modules/tokendb/CMakeLists.txt
@@ -6,6 +6,7 @@ set(TOKENDB_PRIVATE_INCLUDE_DIRS
 ${NSPR_INCLUDE_DIRS}
 ${NSS_INCLUDE_DIRS}
 ${APR_INCLUDE_DIRS}
+ ${SVRCORE_INCLUDE_DIRS}
 ${MOZLDAP_INCLUDE_DIRS}
 )
@@ -19,6 +20,7 @@ set(TOKENDB_LINK_LIBRARIES
 ${NSPR_LIBRARIES}
 ${NSS_LIBRARIES}
 ${APR_LIBRARIES}
+ ${SVRCORE_LIBRARIES}
 ${MOZLDAP_LIBRARIES}
 )
@@ -33,7 +35,6 @@ target_link_libraries(${TOKENDB_MODULE} ${TOKENDB_LINK_LIBRARIES})
 set_target_properties(${TOKENDB_MODULE}
 PROPERTIES
- ${TOKENDB_LIBRARY_SOVERSION}
 OUTPUT_NAME mod_tokendb
 PREFIX ""
@@ -43,5 +44,5 @@ install(
 TARGETS ${TOKENDB_MODULE}
 DESTINATION
- ${SYSCONF_INSTALL_DIR}/httpd/modules
+ ${LIB_INSTALL_DIR}/httpd/modules
 )
diff --git a/pki/base/tps/src/modules/tps/CMakeLists.txt b/pki/base/tps/src/modules/tps/CMakeLists.txt
index ecc99ff0..069c87f8 100644
--- a/pki/base/tps/src/modules/tps/CMakeLists.txt
+++ b/pki/base/tps/src/modules/tps/CMakeLists.txt
@@ -6,6 +6,7 @@ set(TPS_PRIVATE_INCLUDE_DIRS
 ${NSPR_INCLUDE_DIRS}
 ${NSS_INCLUDE_DIRS}
 ${APR_INCLUDE_DIRS}
+ ${SVRCORE_INCLUDE_DIRS}
 ${MOZLDAP_INCLUDE_DIRS}
 )
@@ -19,7 +20,10 @@ set(TPS_LINK_LIBRARIES
 ${NSPR_LIBRARIES}
 ${NSS_LIBRARIES}
 ${APR_LIBRARIES}
+ ${SVRCORE_LIBRARIES}
 ${MOZLDAP_LIBRARIES}
+ ${TOKENDB_SHARED_LIBRARY}
+ ${TPS_SHARED_LIBRARY}
 )
 set(tps_module_SRCS
@@ -35,7 +39,6 @@ target_link_libraries(${TPS_MODULE} ${TPS_LINK_LIBRARIES})
 set_target_properties(${TPS_MODULE}
 PROPERTIES
- ${TPS_LIBRARY_SOVERSION}
 OUTPUT_NAME mod_tps
 PREFIX ""
@@ -45,5 +48,5 @@ install(
 TARGETS ${TPS_MODULE}
 DESTINATION
- ${SYSCONF_INSTALL_DIR}/httpd/modules
+ ${LIB_INSTALL_DIR}/httpd/modules
 )
diff --git a/pki/base/tps/src/tus/CMakeLists.txt b/pki/base/tps/src/tus/CMakeLists.txt
index 6785ed62..7cff9d73 100644
--- a/pki/base/tps/src/tus/CMakeLists.txt
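Review bot: `${SVRCORE_LIBRARIES}` is appended to the mod_tokendb link list here (and `${SVRCORE_INCLUDE_DIRS}` in the hunk above), but where those variables are populated is not in this diff; if that lookup is not `REQUIRED`, an unset variable expands to nothing, the link succeeds, and the missing dependency surfaces only as unresolved symbols when httpd dlopens the module. A configure-time failure where the variable is set, e.g. `if(NOT SVRCORE_LIBRARIES) message(FATAL_ERROR "svrcore not found") endif()`, would make the new dependency fail early and loudly. The stray `${TOKENDB_LIBRARY_SOVERSION}` token removed from `set_target_properties` below was never a valid property/value pair, so that removal needs no further comment.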
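Review bot: The new install destination `${LIB_INSTALL_DIR}/httpd/modules` for mod_tps hard-codes the httpd module directory, which varies between distributions (packagers normally take it from `apxs -q LIBEXECDIR`), and the identical literal is repeated in the mod_tokendb install hunk above. Putting it in one cache variable, `set(HTTPD_MODULES_DIR "${LIB_INSTALL_DIR}/httpd/modules" CACHE PATH "Directory httpd loads modules from")`, and using `DESTINATION ${HTTPD_MODULES_DIR}` in both places lets packagers override it without patching the build. The move out of `${SYSCONF_INSTALL_DIR}` itself is correct; shared objects do not belong under the configuration prefix.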
+++ b/pki/base/tps/src/tus/CMakeLists.txt
@@ -1,7 +1,7 @@
 project(tokendb_library C)
 set(TOKENDB_LIBRARY_VERSION ${APPLICATION_VERSION})
-set(TOKENDB_LIBRARY_SOVERSION 1)
+set(TOKENDB_LIBRARY_SOVERSION 9)
 set(TOKENDB_PUBLIC_INCLUDE_DIRS
 ${CMAKE_CURRENT_BINARY_DIR}
@@ -15,6 +15,7 @@ set(TOKENDB_PRIVATE_INCLUDE_DIRS
 ${CMAKE_BINARY_DIR}
 ${NSPR_INCLUDE_DIRS}
 ${NSS_INCLUDE_DIRS}
+ ${SVRCORE_INCLUDE_DIRS}
 ${MOZLDAP_INCLUDE_DIRS}
 )
@@ -26,6 +27,7 @@ set(TOKENDB_SHARED_LIBRARY
 set(TOKENDB_LINK_LIBRARIES
 ${NSPR_LIBRARIES}
 ${NSS_LIBRARIES}
+ ${SVRCORE_LIBRARIES}
 ${MOZLDAP_LIBRARIES}
 )
diff --git a/pki/base/tps/tools/raclient/CMakeLists.txt b/pki/base/tps/tools/raclient/CMakeLists.txt
index e28a40d5..9f4020b3 100644
--- a/pki/base/tps/tools/raclient/CMakeLists.txt
+++ b/pki/base/tps/tools/raclient/CMakeLists.txt
@@ -43,5 +43,5 @@ install(
 format.tps
 reset_pin.tps
 DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/samples
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/tps/samples
 )
-- cgit
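Review bot: The literal `tps` replaces `${PROJECT_NAME}` in the samples install path with no explanation; the `project()` calls visible elsewhere in this patch are named `tps_library`, `ldapauth_library` and `tokendb_library`, so presumably `PROJECT_NAME` resolved to a sibling project name rather than `tps` and the samples landed in the wrong directory. A one-line comment such as `# PROJECT_NAME is the tools project here, not the tps subsystem directory` above the `install()` call, or a shared variable for the `${APPLICATION_NAME}/tps` prefix, would keep this from being "fixed" back to the variable later. The `install()` block starts outside this hunk.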