[Pki-devel] [PATCH] PKI Deployment Framework (20120716) ERRATA

Ade Lee alee at redhat.com
Thu Jul 19 16:14:07 UTC 2012


ACK on all patches except the tomcatjss patch.  Please ask cfu to review
that patch.

Also, the following proviso.  At some point in the installation, you
make a call to get the domain name.  This is used, for example, in the
default security domain name for certs.  There was a thought that if
this were not set, then the installation would fail in any case.

This is not true.  I am on a system that has a fully qualified hostname,
but for which the command "domainname" returns "(none)".  Note that in
this case, the command to get the domain name did not fail --> you
actually get "(none)" and use that string in your subject names etc.
And I have a working server notwithstanding.

So, you should be extracting the domain data from the fully qualified
hostname and not the output of domainname.

You can check in first and fix this issue in a separate patch.

Ade
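
The point above, as an added example that is not part of the original message or of the pki-deploy code: derive the DNS domain from the fully qualified hostname and reject anything that is not a valid name, rather than trusting `domainname` output. The function names and the "<domain> Security Domain" naming scheme are assumptions made for illustration.

```python
import re
import socket

# One DNS label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


class DomainError(ValueError):
    """Raised when no usable DNS domain can be derived."""


def domain_from_domainname_output(output):
    """The approach objected to above: use `domainname` output verbatim.

    The command succeeds even when nothing is configured, so the literal
    string "(none)" comes back and nothing fails.
    """
    return output.strip()


def domain_from_fqdn(fqdn):
    """Return the DNS domain of a fully qualified hostname.

    Everything after the first label is the domain. A bare hostname or a
    name containing a non-DNS label raises DomainError instead of leaking
    a placeholder into certificate subject names.
    """
    name = fqdn.strip().rstrip(".").lower()
    host, dot, domain = name.partition(".")
    if not dot or not domain:
        raise DomainError("hostname %r is not fully qualified" % fqdn)
    for label in [host] + domain.split("."):
        if not _LABEL.fullmatch(label):
            raise DomainError("invalid DNS label %r in %r" % (label, fqdn))
    return domain


def default_security_domain_name(fqdn):
    """Hypothetical default name: '<dns domain> Security Domain'."""
    return "%s Security Domain" % domain_from_fqdn(fqdn)


def local_dns_domain():
    """Domain of the local host, taken from its FQDN."""
    return domain_from_fqdn(socket.getfqdn())


if __name__ == "__main__":
    # Constructed inputs: a host with an FQDN whose `domainname` prints "(none)".
    print(domain_from_domainname_output("(none)\n"))         # placeholder leaks through
    print(default_security_domain_name("pki1.example.com"))  # derived from the FQDN
```
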

On Thu, 2012-07-19 at 01:57 -0700, Matthew Harmsen wrote:
> NOTE:  Due to the complexity of these patches, and as they are in the
> midst of the review process, I would greatly appreciate it if no more
> patches are applied to the 'master' until such time as all of these
> patches may be checked in (to avoid any additional merge conflicts).
> 
> This patch documents continued implementation of the PKI Deployment
> Framework based upon the revised filesystem layout documented here:
>       * http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_OCSP_.2F_RA_.2F_TKS_.2F_TPS
> This patch must be applied AFTER the following three patches (for
> convenience, all four patches have been attached to this email):
>       * [Patch] Port 'tomcatjss' from Tomcat 6 to Tomcat 7 . . .
>       * [PATCH] PKI Deployment Framework (20120716)
>       * [PATCH] PKI Deployment Framework Admin Certificate PKCS12
>         File
> The following patch adds/corrects functionality of the existing PKI
> Deployment Framework including (but not limited to):
>       * In 'catalina.properties', removed commented out jars for each
>         of the subsystems in the 'common.loader'
>       * In 'server.xml', removed the line containing a '1'
>       * Moved all parameters from the [Mandatory] and [Optional]
>         sections of the 'pkideployment.cfg' file to other more
>         appropriate sections (e.g. - [Common], [CA], [KRA], etc.),
>         and removed these sections and all of their associated logic
>         from the 'pki-deploy' package
>       * Resolved Dogtag TRAC Ticket #225
>         Dogtag 10: Move "pkispawn"/"pkidestroy" logs
>       * Removed all security domain references from external CA logic
>       * Added new 'pki_subsystem_name' parameter to
>         'pkideployment.cfg' file, and applied logic throughout
>         'pki-deploy'
>       * Added new error message in the case of an unset DNS domain
>         name, and replaced the log message with a simple print in the
>         case of a 'domainname' exception
> To test this patch, follow the procedure documented in "[PATCH] PKI
> Deployment Framework Admin Certificate PKCS12 File".
> 
> NOTE:  All patches listed above have been successfully tested on a
> 64-bit Fedora 17 host - there is one minor correction that will need to
> be made to 'pkidestroy', as it failed to remove the instance directory
> under '/var/log/pki'.
> 
> plain text document attachment (tomcatjss.diffs)
> Index: src/org/apache/tomcat/util/net/jss/IJSSFactory.java
> ===================================================================
> --- src/org/apache/tomcat/util/net/jss/IJSSFactory.java	(revision 229)
> +++ src/org/apache/tomcat/util/net/jss/IJSSFactory.java	(working copy)
> @@ -24,6 +24,6 @@
>  import java.net.*;
>  
>  interface IJSSFactory {
> -    public ServerSocketFactory getSocketFactory();
> +    public ServerSocketFactory getSocketFactory(AbstractEndpoint endpoint);
>      public SSLSupport getSSLSupport(Socket socket);
>  }
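
Review bot: the new `AbstractEndpoint` parameter type on `getSocketFactory` has no matching import in this file's only hunk; the visible import context is `import java.net.*;`. Please confirm an existing import already covers org.apache.tomcat.util.net.AbstractEndpoint, or add it explicitly here and in JSSFactory.java, which takes the same type.
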
> Index: src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
> ===================================================================
> --- src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java	(revision 229)
> +++ src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java	(working copy)
> @@ -31,8 +31,15 @@
>  import java.net.*;
>  import java.io.*;
>  
> +// Imports required to "implement" Tomcat 7 Interface
> +import org.apache.tomcat.util.net.AbstractEndpoint;
> +import javax.net.ssl.KeyManager;
> +import javax.net.ssl.SSLContext;
> +import javax.net.ssl.TrustManager;
> +
>  public class JSSSocketFactory
> -  extends org.apache.tomcat.util.net.ServerSocketFactory {
> +  implements org.apache.tomcat.util.net.ServerSocketFactory,
> +             org.apache.tomcat.util.net.SSLUtil {
>  
>      private static HashMap cipherMap = new HashMap();
>      static {
> @@ -157,6 +164,8 @@
>          eccCipherMap.put(SSLSocket.TLS_ECDH_ECDSA_WITH_NULL_SHA,          "TLS_ECDH_ECDSA_WITH_NULL_SHA");
>      }
>  
> +    private AbstractEndpoint endpoint;
> +
>      static org.apache.commons.logging.Log log = 
>        org.apache.commons.logging.LogFactory.getLog(JSSSocketFactory.class);
>  
> @@ -176,8 +185,8 @@
>      private IPasswordStore mPasswordStore = null;
>      private boolean mStrictCiphers = false;
>  
> -    public JSSSocketFactory() {
> -        super();
> +    public JSSSocketFactory (AbstractEndpoint endpoint) {
> +        this.endpoint = endpoint;
>      }
>  
>      private void debugWrite(String m) throws IOException {
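
Review bot: the constructor `JSSSocketFactory (AbstractEndpoint endpoint)` stores its argument unchecked, and the rest of this patch dereferences `endpoint` for every attribute lookup. Reject a null endpoint here with a clear exception and declare the field `final`, so a wiring mistake fails at construction rather than as a NullPointerException during init(). The space before the parameter list is also inconsistent with the other method declarations.
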
> @@ -190,7 +199,7 @@
>  
>      public void setSSLCiphers(String attr) throws SocketException
>      {
> -      String ciphers = (String)attributes.get(attr);
> +      String ciphers = (String)endpoint.getAttribute(attr);
>        StringTokenizer st = new StringTokenizer(ciphers, ",");
>        while (st.hasMoreTokens()) {
>          String cipherstr = st.nextToken();
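
Review bot: in setSSLCiphers, `endpoint.getAttribute(attr)` can return null when the connector does not define that attribute, and the next line passes the result straight to `new StringTokenizer(ciphers, ",")`, which throws on null. With `tlsCiphers` newly documented in the README, existing server.xml files may not have it. Return early (and log) when the value is null; the same pattern applies to `sslOptions` in setSSLOptions.
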
> @@ -250,7 +259,7 @@
>  
>      public void setSSLOptions() throws SocketException
>      {
> -      String options = (String)attributes.get("sslOptions");
> +      String options = (String)endpoint.getAttribute("sslOptions");
>        StringTokenizer st = new StringTokenizer(options, ",");
>        while (st.hasMoreTokens()) {
>          String option = st.nextToken();
> @@ -301,7 +310,7 @@
>  
>      void init() throws IOException {
>          try {
> -            String deb = (String)attributes.get("debug");
> +            String deb = (String)endpoint.getAttribute("debug");
>              if (deb.equals("true")) {
>              debug = true;
>              debugFile =  new FileWriter("/tmp/tomcatjss.log", true);
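
Review bot: `deb.equals("true")` throws when the connector has no `debug` attribute, because the lookup result is dereferenced directly; `"true".equals(deb)` avoids that. While this block is being touched, the fixed path `/tmp/tomcatjss.log` opened in append mode deserves a second look: a predictable file name in a world-writable directory can be pre-created or symlinked by another local user, so a path under the instance's log directory would be safer.
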
> @@ -313,8 +322,8 @@
>  
>          try {
>              try {
> -                mPwdPath = (String)attributes.get("passwordFile");
> -		mPwdClass = (String)attributes.get("passwordClass");
> +                mPwdPath = (String)endpoint.getAttribute("passwordFile");
> +		mPwdClass = (String)endpoint.getAttribute("passwordClass");
>  		if (mPwdClass != null) {
>  		    mPasswordStore = (IPasswordStore)Class.forName(mPwdClass).newInstance();
>                      mPasswordStore.init(mPwdPath);
> @@ -328,7 +337,7 @@
>                  throw new IOException("JSSSocketFactory: no passwordFilePath defined");
>              }
>  
> -            String certDir = (String)attributes.get("certdbDir");
> +            String certDir = (String)endpoint.getAttribute("certdbDir");
>     
>              CryptoManager.InitializationValues vals = 
>                new CryptoManager.InitializationValues(certDir,
> @@ -355,7 +364,7 @@
>                      String st = (String) en.nextElement();
>                      debugWrite("JSSSocketFactory init - tag name="+st+"\n");
>                      pwd = mPasswordStore.getPassword(st);
> -                
> +
>                      if (pwd != null) {
>                          debugWrite("JSSSocketFactory init - got password\n");
>                          pw = new Password(pwd.toCharArray()); 
> @@ -393,10 +402,12 @@
>                  debugWrite("JSSSocketFactory init - no login done\n");
>              } //mPasswordStore not null
>  
> -            String clientAuthStr = (String)attributes.get("clientauth");
> +            // MUST look for "clientauth" (ALL lowercase) since "clientAuth"
> +            // (camel case) has already been processed by Tomcat 7
> +            String clientAuthStr = (String)endpoint.getAttribute("clientauth");
>              File file = null;
>              try {
> -                mServerCertNickPath = (String)attributes.get("serverCertNickFile");
> +                mServerCertNickPath = (String)endpoint.getAttribute("serverCertNickFile");
>                  debugWrite("JSSSocketFactory init - got serverCertNickFile"+
>                              mServerCertNickPath+"\n");
>                  file = new File(mServerCertNickPath);
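
Review bot: reading only the all-lowercase `clientauth` means a connector that sets just the standard `clientAuth` leaves clientAuthStr null, and the later `clientAuthStr.equalsIgnoreCase("true")` check will then throw rather than apply a client-authentication policy. Since this value decides whether client certificates are required, treat a missing `clientauth` as an explicit configuration error with a message that names the attribute.
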
> @@ -430,7 +441,7 @@
>                  throw new IOException("JSSSocketFactory: no serverCertNickFile defined");
>              }
>  
> -            //serverCertNick = (String)attributes.get("serverCert");
> +            //serverCertNick = (String)endpoint.getAttribute("serverCert");
>              if (clientAuthStr.equalsIgnoreCase("true") ||
>                clientAuthStr.equalsIgnoreCase("yes")) {
>                  requireClientAuth = true;
> @@ -444,7 +455,7 @@
>                     && ocspConfigured == false ) {
>                  debugWrite("JSSSocketFactory init - checking for OCSP settings. \n" ); 
>                  boolean enableOCSP = false; 
> -                String doOCSP = (String) attributes.get("enableOCSP");
> +                String doOCSP = (String) endpoint.getAttribute("enableOCSP");
>  
>                  debugWrite("JSSSocketFactory init - doOCSP flag:"+
>                            doOCSP+ " \n");
> @@ -457,10 +468,10 @@
>                               enableOCSP+ "\n"); 
>                  
>                  if( enableOCSP == true ) {
> -                    String ocspResponderURL = (String) attributes.get("ocspResponderURL");
> +                    String ocspResponderURL = (String) endpoint.getAttribute("ocspResponderURL");
>                      debugWrite("JSSSocketFactory init - ocspResponderURL "+
>                               ocspResponderURL+ "\n");
> -                    String ocspResponderCertNickname = (String) attributes.get("ocspResponderCertNickname");
> +                    String ocspResponderCertNickname = (String) endpoint.getAttribute("ocspResponderCertNickname");
>  		    debugWrite("JSSSocketFactory init - ocspResponderCertNickname" + ocspResponderCertNickname + "\n");
>                      if( (ocspResponderURL != null && ocspResponderURL.length() > 0) && 
>                          (ocspResponderCertNickname != null && 
> @@ -473,9 +484,9 @@
>                             int ocspMinCacheEntryDuration_i = 3600;
>                             int ocspMaxCacheEntryDuration_i = 86400;
>  
> -                           String ocspCacheSize = (String) attributes.get("ocspCacheSize");
> -                           String ocspMinCacheEntryDuration = (String) attributes.get("ocspMinCacheEntryDuration");
> -                           String ocspMaxCacheEntryDuration = (String) attributes.get("ocspMaxCacheEntryDuration");
> +                           String ocspCacheSize = (String) endpoint.getAttribute("ocspCacheSize");
> +                           String ocspMinCacheEntryDuration = (String) endpoint.getAttribute("ocspMinCacheEntryDuration");
> +                           String ocspMaxCacheEntryDuration = (String) endpoint.getAttribute("ocspMaxCacheEntryDuration");
>  
>                             if (ocspCacheSize != null ||
>                               ocspMinCacheEntryDuration != null ||
> @@ -498,7 +509,7 @@
>                             }
>  
>                             // defualt to 60 seconds;
> -                           String ocspTimeout = (String) attributes.get("ocspTimeout");
> +                           String ocspTimeout = (String) endpoint.getAttribute("ocspTimeout");
>                             if (ocspTimeout != null) {
>  		    debugWrite("JSSSocketFactory init - ocspTimeout= \n" + ocspTimeout);
>                                 int ocspTimeout_i = Integer.parseInt(ocspTimeout);
> @@ -525,7 +536,7 @@
>              // 12 hours = 43200 seconds
>              SSLServerSocket.configServerSessionIDCache(0, 43200, 43200, null);
>  
> -            String strictCiphersStr = (String)attributes.get("strictCiphers");
> +            String strictCiphersStr = (String)endpoint.getAttribute("strictCiphers");
>              if (strictCiphersStr.equalsIgnoreCase("true") ||
>                strictCiphersStr.equalsIgnoreCase("yes")) {
>                  mStrictCiphers = true;
> @@ -539,7 +550,6 @@
>              }
>  
>              setSSLOptions();
> -            setSSLOptions();
>              debugWrite("SSSocketFactory init - after setSSLOptions\n");
>          } catch (Exception ex) {
>              debugWrite("JSSSocketFactory init - exception thrown:"+
> @@ -627,4 +637,21 @@
>          } catch (Exception e) {
>          }
>      }
> +
> +    // Methods required to "implement" Tomcat 7 Interface
> +    public SSLContext createSSLContext() throws Exception {
> +        return null;
> +    }
> +
> +    public KeyManager[] getKeyManagers() throws Exception {
> +        return null;
> +    }
> +
> +    public TrustManager[] getTrustManagers() throws Exception {
> +        return null;
> +    }
> +
> +    public void configureSessionContext(javax.net.ssl.SSLSessionContext sslSessionContext) {
> +        return;
> +    }
>  }
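
Review bot: the four SSLUtil stubs return null (or do nothing) with only the comment `Methods required to "implement" Tomcat 7 Interface` to explain them. If Tomcat ever calls createSSLContext(), getKeyManagers() or getTrustManagers() on this factory, the null will surface as a NullPointerException far from here. Throw UnsupportedOperationException with a message saying JSS handles TLS itself, or document which Tomcat code paths make these methods unreachable.
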
> Index: src/org/apache/tomcat/util/net/jss/JSSImplementation.java
> ===================================================================
> --- src/org/apache/tomcat/util/net/jss/JSSImplementation.java	(revision 229)
> +++ src/org/apache/tomcat/util/net/jss/JSSImplementation.java	(working copy)
> @@ -12,7 +12,7 @@
>   * You should have received a copy of the GNU Lesser General Public
>   * License along with this library; if not, write to the Free Software
>   * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
> - * 
> + *
>   * Copyright (C) 2007 Red Hat, Inc.
>   * All rights reserved.
>   * END COPYRIGHT BLOCK */
> @@ -21,8 +21,10 @@
>  
>  import java.net.Socket;
>  import java.io.*;
> +import org.apache.tomcat.util.net.AbstractEndpoint;
>  import org.apache.tomcat.util.net.SSLImplementation;
>  import org.apache.tomcat.util.net.SSLSupport;
> +import org.apache.tomcat.util.net.SSLUtil;
>  import org.apache.tomcat.util.net.ServerSocketFactory;
>  
>  public class JSSImplementation extends SSLImplementation
> @@ -38,7 +40,7 @@
>  
>      public JSSImplementation() throws ClassNotFoundException {
>          Class.forName(SSLSocketClass);
> -  
> +
>          try {
>              Class factcl = Class.forName(JSSFactory);
>              factory = (JSSFactory)factcl.newInstance();
> @@ -52,8 +54,9 @@
>          return "JSS";
>      }
>  
> -    public ServerSocketFactory getServerSocketFactory() {
> -        ServerSocketFactory ssf = factory.getSocketFactory();
> +    public ServerSocketFactory getServerSocketFactory(AbstractEndpoint endpoint)
> +    {
> +        ServerSocketFactory ssf = factory.getSocketFactory(endpoint);
>          return ssf;
>      }
>  
> @@ -85,7 +88,13 @@
>           *
>           * Once this abstract method is removed from SSLImplementation in a
>           * future release we can remove this stub.
> +         *
> +         * NOTE:  This method has NOT yet been deprecated in Tomcat 7!
>           */
>          return null;
>      }
> +
> +    public SSLUtil getSSLUtil(AbstractEndpoint endpoint) {
> +        return null;
> +    }
>  }
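
Review bot: `getSSLUtil(AbstractEndpoint endpoint)` returns null even though this patch makes JSSSocketFactory implement SSLUtil. Either return the factory instance built for this endpoint or add a comment explaining why callers never use the result; as written the two changes contradict each other.
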
> Index: src/org/apache/tomcat/util/net/jss/JSSFactory.java
> ===================================================================
> --- src/org/apache/tomcat/util/net/jss/JSSFactory.java	(revision 229)
> +++ src/org/apache/tomcat/util/net/jss/JSSFactory.java	(working copy)
> @@ -27,8 +27,8 @@
>      JSSFactory() {
>      }
>  
> -    public ServerSocketFactory getSocketFactory() {
> -        return new JSSSocketFactory();
> +    public ServerSocketFactory getSocketFactory(AbstractEndpoint endpoint) {
> +        return new JSSSocketFactory(endpoint);
>      }
>  
>      public SSLSupport getSSLSupport(Socket socket) {
> Index: README
> ===================================================================
> --- README	(revision 229)
> +++ README	(working copy)
> @@ -3,7 +3,7 @@
>  
>  tomcatjss defines a number of attributes for a Connector including:
>  
> -clientAuth: specify if client authentication is required in the connector (or
> +clientauth: specify if client authentication is required in the connector (or
>  port), it can be true or false. If true then client authentication is required.
>  
>  sslOptions: specify a comma-delimited list of ssl options to pass into the ssl
> @@ -16,6 +16,9 @@
>  ssl3Ciphers: specifies a list of SSL3 ciphers that tomcatjss should accept
>  or reject from the client. You can use + to denote "accept", - means "reject".
>  
> +tlsCiphers: specifies a list of TLS ciphers that tomcatjss should accept
> +or reject from the client. You can use + to denote "accept", - means "reject".
> +
>  serverCertNickFile: a file in which specify the nickname of the
>  server certificate. The file should contain a single line that contains
>  the nickname.
> @@ -30,29 +33,41 @@
>  
>  sslProtocol: needs to be SSL
>  
> -SSLImplementation: Needs to be org.apache.tomcat.util.net.jss.JSSImplementation
> +sslImplementationName: MUST be org.apache.tomcat.util.net.jss.JSSImplementation
>  in order to use the plugin
>  
>  Here is an example of a secure connector:
>  
> -<Connector port="9443"
> +<Connector port="8443"
> +           protocol="HTTP/1.1"
> +           SSLEnabled="true"
> +           sslProtocol="SSL"
> +           scheme="https"
> +           secure="true"
> +           keyStoreType="PKCS11"
>             maxHttpHeaderSize="8192"
> +           acceptCount="100"
>             maxThreads="150"
>             minSpareThreads="25"
> -           maxSpareThreads="75"
>             enableLookups="false"
>             disableUploadTimeout="true"
> -           acceptCount="100"
> -           scheme="https"
> -           secure="true"
> -           clientAuth="false"
> -           sslProtocol="SSL"
> +           sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
> +           enableOCSP="false"
> +           ocspResponderURL="http://pkilinux.sjc.redhat.com:9080/ca/ocsp"
> +           ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
> +           ocspCacheSize="1000"
> +           ocspMinCacheEntryDuration="60"
> +           ocspMaxCacheEntryDuration="120"
> +           ocspTimeout="10"
> +           strictCiphers="false"
> +           clientAuth="agent"
> +           clientauth="agent"
>             sslOptions="ssl2=true,ssl3=true,tls=true"
>             ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
> -           ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
> -           SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
> -           serverCertNickFile="/var/lib/rhpki-ca/conf/serverCertNick.conf"
> -           passwordFile="/var/lib/rhpki-ca/conf/password.conf"
> +           ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
> +           tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
> +           serverCertNickFile="/var/lib/pki/redhat.com-foobar/conf/serverCertNick.conf"
> +           passwordFile="/var/lib/pki/redhat.com-foobar/conf/password.conf"
>             passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
> -           certdbDir="/var/lib/rhpki-ca/alias"
> +           certdbDir="/var/lib/pki/redhat.com-foobar/alias"
>  />
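
Review bot: the example connector sets `clientAuth="agent"` and `clientauth="agent"`, but the attribute description earlier in this README says the value can be true or false, so "agent" is undocumented. Please document the accepted values and why both spellings are needed. The example also carries a site-specific `ocspResponderURL` host and keeps `ssl2=true` plus `+SSL3_RSA_WITH_DES_CBC_SHA` enabled; a README sample tends to be copied verbatim, so a neutral host name and a stricter cipher selection would be a better default.
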
> Index: build.xml
> ===================================================================
> --- build.xml	(revision 229)
> +++ build.xml	(working copy)
> @@ -37,8 +37,8 @@
>  
>    <property name="Name" value="Tomcat JSS"/>
>    <property name="name" value="tomcatjss"/>
> -  <property name="version" value="6.0.2"/>
> -  <property name="manifest-version" value="6.0.2"/>
> +  <property name="version" value="7.0.0"/>
> +  <property name="manifest-version" value="7.0.0"/>
>  
>    <!--
>      Set the properties that control various build options
> @@ -98,7 +98,7 @@
>    -->
>    <property name="jar.home" value="/usr/share/java" />
>    <property name="commons-logging.jar" value="${jar.home}/commons-logging-api.jar" />
> -  <property name="tomcat.lib" value="${jar.home}/tomcat6" />
> +  <property name="tomcat.lib" value="${jar.home}/tomcat" />
>    <property name="tomcat-coyote.jar" value="${tomcat.lib}/tomcat-coyote.jar" />
>    <property name="jss.home" value="${jnidir}" />
>    <!-- This property is set to '/dirsec' when built on rhel4 -->
> Index: tomcatjss.spec
> ===================================================================
> --- tomcatjss.spec	(revision 229)
> +++ tomcatjss.spec	(working copy)
> @@ -1,5 +1,5 @@
>  Name:     tomcatjss
> -Version:  6.0.2
> +Version:  7.0.0
>  Release:  1%{?dist}
>  Summary:  JSSE implementation using JSS for Tomcat
>  URL:      http://pki.fedoraproject.org/
> @@ -13,41 +13,17 @@
>  
>  # jpackage-utils requires versioning to meet both build and runtime requirements
>  # jss requires versioning to meet both build and runtime requirements
> -# tomcat6 requires versioning to meet both build and runtime requirements
> +# tomcat requires versioning to meet both build and runtime requirements
>  BuildRequires:    ant
> -BuildRequires:    java-devel >= 1:1.6.0
> -%if 0%{?fedora} >= 16
> -BuildRequires:    jpackage-utils >= 0:1.7.5-10
> -BuildRequires:    jss >= 4.2.6-19.1
> -BuildRequires:    tomcat6 >= 6.0.32-16
> -%else
> -%if 0%{?fedora} >= 15
> -BuildRequires:    jpackage-utils
> -BuildRequires:    jss >= 4.2.6-17
> -BuildRequires:    tomcat6 >= 6.0.30-6
> -%else
> -BuildRequires:    jpackage-utils
> -BuildRequires:    jss >= 4.2.6-17
> -BuildRequires:    tomcat6
> -%endif
> -%endif
> +BuildRequires:    java-devel
> +BuildRequires:    jpackage-utils >= 0:1.7.5-15
> +BuildRequires:    jss >= 4.2.6-24
> +BuildRequires:    tomcat >= 7.0.27
>  
> -Requires:         java >= 1:1.6.0
> -%if 0%{?fedora} >= 16
> -Requires:         jpackage-utils >= 0:1.7.5-10
> -Requires:         jss >= 4.2.6-19.1
> -Requires:         tomcat6 >= 6.0.32-16
> -%else
> -%if 0%{?fedora} >= 15
> -Requires:         jpackage-utils
> -Requires:         jss >= 4.2.6-17
> -Requires:         tomcat6 >= 6.0.30-6
> -%else
> -Requires:         jpackage-utils
> -Requires:         jss >= 4.2.6-17
> -Requires:         tomcat6
> -%endif
> -%endif
> +Requires:         java
> +BuildRequires:    jpackage-utils >= 0:1.7.5-15
> +BuildRequires:    jss >= 4.2.6-24
> +BuildRequires:    tomcat >= 7.0.27
>  
>  # The 'tomcatjss' package conflicts with the 'tomcat-native' package
>  # because it uses an underlying NSS security model rather than the
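
Review bot: in the runtime dependency block after `Requires:         java`, the three added lines are tagged `BuildRequires:` rather than `Requires:`. That duplicates the build dependencies and leaves the installed package with no runtime requirement on jpackage-utils, jss >= 4.2.6-24 or tomcat >= 7.0.27. These look like a copy-and-paste slip and should read `Requires:`.
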
> @@ -100,6 +76,9 @@
>  %{_javadir}/*
>  
>  %changelog
> +* Wed Jun 06 2012 Matthew Harmsen <mharmsen at redhat.com> 7.0.0-1
> +- Bugzilla Bug #819554 - tomcatjss: Please migrate from tomcat6 to tomcat7
> +
>  * Thu Sep 22 2011 Matthew Harmsen <mharmsen at redhat.com> 6.0.2-1
>  - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen)
>  - Bugzilla Bug #699809 - Convert CS to use systemd (alee)
> differences between files attachment
> (0009-PKI-Deployment-Scriptlets.patch)
> From 6f7a9aa5c19fcadca0dd630234d49236af803006 Mon Sep 17 00:00:00 2001
> From: Matthew Harmsen <mharmsen at redhat.com>
> Date: Tue, 3 Jul 2012 17:52:33 -0700
> Subject: [PATCH] PKI Deployment Scriptlets
> 
> * Integration of Tomcat 7
> * Introduction of dependency upon tomcatjss 7.0
> * Removal of http filtering configuration mechanisms
> * Introduction of additional slot substitution to
>   support revised filesystem layout
> * Addition of 'pkiuser' uid:gid creation methods
> * Inclusion of per instance '*.profile' files
> * Introduction of configurable 'configurationRoot'
>   parameter
> * Introduction of default configuration of 'log4j'
>   mechanism (alee)
> * Modify web.xml to use new Application classes to
>   bootstrap servers (alee)
> * Introduction of "Wrapper" logic to support
>   Tomcat 6 --> Tomcat 7 API change (jmagne)
> * Added jython helper function to allow attaching
>   a remote java debugger (e. g. - eclipse)
> ---
>  .classpath                                         |    3 +-
>  base/ca/shared/conf/CS.cfg.in                      |  145 +-
>  base/ca/shared/webapps/ca/WEB-INF/web.xml          |  139 +-
>  base/common/shared/conf/catalina.properties        |    4 +
>  base/common/shared/conf/log4j.properties           |   27 +-
>  base/common/shared/conf/server.xml                 |   95 +-
>  base/common/shared/conf/serverCertNick.conf        |    6 +
>  base/common/shared/conf/tomcat.conf                |    7 +-
>  base/common/shared/conf/web.xml                    | 4283 ++++++++++++++++++++
>  base/common/src/CMakeLists.txt                     |   11 +-
>  .../com/netscape/cms/servlet/csadmin/CertUtil.java |    4 +-
>  .../com/netscape/cmscore/realm/PKIJNDIRealm.java   |   21 +-
>  base/deploy/config/pkideployment.cfg               |  201 +-
>  base/deploy/config/pkislots.cfg                    |    2 +
>  base/deploy/scripts/pkidaemon                      |    2 +
>  base/deploy/src/pkidestroy                         |   34 +-
>  base/deploy/src/pkispawn                           |   34 +-
>  base/deploy/src/scriptlets/configuration.jy        |  116 +-
>  base/deploy/src/scriptlets/configuration.py        |   69 +-
>  base/deploy/src/scriptlets/finalization.py         |   16 +
>  base/deploy/src/scriptlets/initialization.py       |    7 +
>  base/deploy/src/scriptlets/instance_layout.py      |  119 +-
>  base/deploy/src/scriptlets/pkiconfig.py            |   58 +
>  base/deploy/src/scriptlets/pkihelper.py            |  382 +-
>  base/deploy/src/scriptlets/pkijython.py            |  429 +-
>  base/deploy/src/scriptlets/pkimessages.py          |   65 +
>  base/deploy/src/scriptlets/pkiparser.py            | 1251 +++++-
>  base/deploy/src/scriptlets/security_databases.py   |   33 +-
>  base/deploy/src/scriptlets/slot_substitution.py    |   26 +-
>  base/deploy/src/scriptlets/subsystem_layout.py     |   68 +
>  base/deploy/src/scriptlets/war_explosion.py        |   32 +-
>  base/kra/shared/conf/CS.cfg.in                     |   15 +-
>  base/kra/shared/webapps/kra/WEB-INF/web.xml        |  101 +-
>  base/ocsp/shared/conf/CS.cfg.in                    |   15 +-
>  base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml      |  101 +-
>  base/setup/pkicreate                               |    2 +
>  base/tks/shared/conf/CS.cfg.in                     |   15 +-
>  base/tks/shared/webapps/tks/WEB-INF/web.xml        |  100 +-
>  specs/dogtag-pki.spec                              |   19 +-
>  specs/pki-core.spec                                |   32 +-
>  40 files changed, 7401 insertions(+), 688 deletions(-)
>  create mode 100644 base/common/shared/conf/serverCertNick.conf
>  create mode 100644 base/common/shared/conf/web.xml
> 
> diff --git a/.classpath b/.classpath
> index f588393..28dddff 100644
> --- a/.classpath
> +++ b/.classpath
> @@ -39,10 +39,11 @@
>  	<classpathentry kind="lib" path="/usr/share/java/velocity.jar"/>
>  	<classpathentry kind="lib" path="/usr/share/java/xerces-j2.jar"/>
>  	<classpathentry kind="lib" path="/usr/share/java/xml-commons-apis.jar"/>
> -	<classpathentry kind="lib" path="/usr/share/tomcat6/lib/catalina.jar"/>
>  	<classpathentry kind="lib" path="/usr/share/java/istack-commons-runtime.jar"/>
>  	<classpathentry kind="lib" path="/usr/share/java/jss/jss4.jar"/>
>  	<classpathentry kind="lib" path="/usr/share/java/apache-commons-lang.jar"/>
>  	<classpathentry kind="lib" path="/usr/share/java/resteasy/resteasy-atom-provider.jar"/>
> +	<classpathentry kind="lib" path="/usr/share/java/tomcat/catalina.jar"/>
> +	<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-util.jar"/>
>  	<classpathentry kind="output" path="build/classes"/>
>  </classpath>
> diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
> index 78c2843..ca90d52 100644
> --- a/base/ca/shared/conf/CS.cfg.in
> +++ b/base/ca/shared/conf/CS.cfg.in
> @@ -38,6 +38,7 @@ securitydomain.flushinterval=86400000
>  securitydomain.source=ldap
>  securitydomain.checkinterval=300000
>  instanceRoot=[PKI_INSTANCE_PATH]
> +configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/
>  machineName=[PKI_MACHINE_NAME]
>  instanceId=[PKI_INSTANCE_ID]
>  pidDir=[PKI_PIDDIR]
> @@ -180,7 +181,7 @@ auths.instance.AgentCertAuth.pluginName=AgentCertAuth
>  auths.instance.raCertAuth.agentGroup=Registration Manager Agents
>  auths.instance.raCertAuth.pluginName=AgentCertAuth
>  auths.instance.flatFileAuth.pluginName=FlatFileAuth
> -auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/flatfile.txt
> +auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]flatfile.txt
>  auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
>  auths.revocationChecking.bufferSize=50
>  auths.revocationChecking.ca=ca
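
Review bot: the flatfile path places the slot after `conf/` (`[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]flatfile.txt`), while the new `configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/` in the previous hunk places it before `conf`. One of the two orders is probably unintended; please check both against the revised filesystem layout.
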
> @@ -643,15 +644,15 @@ ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointName=
>  ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointType=
>  ca.crl.MasterCRL.extension.IssuingDistributionPoint.type=CRLExtension
>  ca.notification.certIssued.emailSubject=Your Certificate Request
> -ca.notification.certIssued.emailTemplate=[PKI_INSTANCE_PATH]/emails/certIssued_CA.html
> +ca.notification.certIssued.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/certIssued_CA.html
>  ca.notification.certIssued.enabled=false
>  ca.notification.certIssued.senderEmail=
>  ca.notification.certRevoked.emailSubject=Your Certificate Revoked
> -ca.notification.certRevoked.emailTemplate=[PKI_INSTANCE_PATH]/emails/certRevoked_CA.html
> +ca.notification.certRevoked.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/certRevoked_CA.html
>  ca.notification.certRevoked.enabled=false
>  ca.notification.certRevoked.senderEmail=
>  ca.notification.requestInQ.emailSubject=Certificate Request in Queue
> -ca.notification.requestInQ.emailTemplate=[PKI_INSTANCE_PATH]/emails/reqInQueue_CA.html
> +ca.notification.requestInQ.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/reqInQueue_CA.html
>  ca.notification.requestInQ.enabled=false
>  ca.notification.requestInQ.recipientEmail=
>  ca.notification.requestInQ.senderEmail=
> @@ -793,7 +794,7 @@ dbs.ldap=internaldb
>  dbs.newSchemaEntryAdded=true
>  debug.append=true
>  debug.enabled=true
> -debug.filename=[PKI_INSTANCE_PATH]/logs/debug
> +debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug
>  debug.hashkeytypes=
>  debug.level=0
>  debug.showcaller=false
> @@ -815,8 +816,8 @@ internaldb.ldapconn.host=
>  internaldb.ldapconn.port=
>  internaldb.ldapconn.secureConn=false
>  preop.internaldb.schema.ldif=/usr/share/pki/ca/conf/schema.ldif
> -preop.internaldb.ldif=/usr/share/pki/ca/conf/database.ldif
> -preop.internaldb.data_ldif=/usr/share/pki/ca/conf/db.ldif,/usr/share/pki/ca/conf/acl.ldif
> +preop.internaldb.ldif=/usr/share/pki/[PKI_SUBSYSTEM_DIR]conf/database.ldif
> +preop.internaldb.data_ldif=/usr/share/pki/[PKI_SUBSYSTEM_DIR]conf/db.ldif,/usr/share/pki/ca/conf/acl.ldif
>  preop.internaldb.index_ldif=
>  preop.internaldb.manager_ldif=/usr/share/pki/ca/conf/manager.ldif
>  preop.internaldb.post_ldif=/usr/share/pki/ca/conf/index.ldif,/usr/share/pki/ca/conf/vlv.ldif,/usr/share/pki/ca/conf/vlvtasks.ldif
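
Review bot: only database.ldif and db.ldif were switched to [PKI_SUBSYSTEM_DIR]; acl.ldif in the same data_ldif value, plus schema.ldif, manager.ldif and the post_ldif entries, still hard-code /usr/share/pki/ca/conf/. These files live under /usr/share/pki rather than under the instance, so if the placeholder can ever be empty the two changed lines resolve to /usr/share/pki/conf/ and the import will not find them. Either convert all of the ldif paths or leave all of them hard-coded to ca.
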
> @@ -833,25 +834,25 @@ jobsScheduler.impl.RequestInQueueJob.class=com.netscape.cms.jobs.RequestInQueueJ
>  jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.cms.jobs.UnpublishExpiredJob
>  jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5
>  jobsScheduler.job.certRenewalNotifier.emailSubject=Certificate Renewal Notification
> -jobsScheduler.job.certRenewalNotifier.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1.txt
> +jobsScheduler.job.certRenewalNotifier.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/rnJob1.txt
>  jobsScheduler.job.certRenewalNotifier.enabled=false
>  jobsScheduler.job.certRenewalNotifier.notifyEndOffset=30
>  jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=30
>  jobsScheduler.job.certRenewalNotifier.pluginName=RenewalNotificationJob
>  jobsScheduler.job.certRenewalNotifier.senderEmail=
>  jobsScheduler.job.certRenewalNotifier.summary.emailSubject=Certificate Renewal Notification Summary
> -jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Summary.txt
> +jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/rnJob1Summary.txt
>  jobsScheduler.job.certRenewalNotifier.summary.enabled=true
> -jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Item.txt
> +jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/rnJob1Item.txt
>  jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=
>  jobsScheduler.job.certRenewalNotifier.summary.senderEmail=
>  jobsScheduler.job.publishCerts.cron=0 0 * * 2 
>  jobsScheduler.job.publishCerts.enabled=false
>  jobsScheduler.job.publishCerts.pluginName=PublishCertsJob
>  jobsScheduler.job.publishCerts.summary.emailSubject=Certs Publishing Summary
> -jobsScheduler.job.publishCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/publishCerts.html
> +jobsScheduler.job.publishCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/publishCerts.html
>  jobsScheduler.job.publishCerts.summary.enabled=true
> -jobsScheduler.job.publishCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/publishCertsItem.html
> +jobsScheduler.job.publishCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/publishCertsItem.html
>  jobsScheduler.job.publishCerts.summary.recipientEmail=
>  jobsScheduler.job.publishCerts.summary.senderEmail=
>  jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0
> @@ -859,7 +860,7 @@ jobsScheduler.job.requestInQueueNotifier.enabled=false
>  jobsScheduler.job.requestInQueueNotifier.pluginName=RequestInQueueJob
>  jobsScheduler.job.requestInQueueNotifier.subsystemId=ca
>  jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report
> -jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/riq1Summary.html
> +jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/riq1Summary.html
>  jobsScheduler.job.requestInQueueNotifier.summary.enabled=true
>  jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=
>  jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=
> @@ -867,9 +868,9 @@ jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
>  jobsScheduler.job.unpublishExpiredCerts.enabled=false
>  jobsScheduler.job.unpublishExpiredCerts.pluginName=UnpublishExpiredJob
>  jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=Expired Certs Unpublished Summary
> -jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/euJob1.html
> +jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/euJob1.html
>  jobsScheduler.job.unpublishExpiredCerts.summary.enabled=true
> -jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/euJob1Item.html
> +jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/euJob1Item.html
>  jobsScheduler.job.unpublishExpiredCerts.summary.recipientEmail=
>  jobsScheduler.job.unpublishExpiredCerts.summary.senderEmail=
>  jss._000=##
> @@ -897,7 +898,7 @@ log.instance.SignedAudit.bufferSize=512
>  log.instance.SignedAudit.enable=true
>  log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER
>  log.instance.SignedAudit.expirationTime=0
> -log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ca_audit
> +log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/ca_audit
>  log.instance.SignedAudit.flushInterval=5
>  log.instance.SignedAudit.level=1
>  log.instance.SignedAudit.logSigning=false
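
Review bot: SignedAudit.fileName now points one directory deeper (logs/[PKI_SUBSYSTEM_DIR]signedAudit/) and nothing in this file creates that directory. Please confirm the deployment code creates it, with the same ownership and mode the old logs/signedAudit had, before the server first starts, and mention the path change in the commit message since anything that reads ca_audit will need the new location.
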
> @@ -913,7 +914,7 @@ log.instance.System._002=##
>  log.instance.System.bufferSize=512
>  log.instance.System.enable=true
>  log.instance.System.expirationTime=0
> -log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
> +log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
>  log.instance.System.flushInterval=5
>  log.instance.System.level=3
>  log.instance.System.maxFileSize=2000
> @@ -926,15 +927,15 @@ log.instance.Transactions._002=##
>  log.instance.Transactions.bufferSize=512
>  log.instance.Transactions.enable=true
>  log.instance.Transactions.expirationTime=0
> -log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
> +log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
>  log.instance.Transactions.flushInterval=5
>  log.instance.Transactions.level=1
>  log.instance.Transactions.maxFileSize=2000
>  log.instance.Transactions.pluginName=file
>  log.instance.Transactions.rolloverInterval=2592000
>  log.instance.Transactions.type=transaction
> -logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
> -logError.fileName=[PKI_INSTANCE_PATH]/logs/error
> +logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
> +logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
>  oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
>  oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
>  oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
> @@ -956,106 +957,106 @@ oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
>  os.userid=nobody
>  profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert
>  profile.caUUIDdeviceCert.class_id=caEnrollImpl
> -profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUUIDdeviceCert.cfg
> +profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caUUIDdeviceCert.cfg
>  profile.caManualRenewal.class_id=caEnrollImpl
> -profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caManualRenewal.cfg
> +profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caManualRenewal.cfg
>  profile.caDirUserRenewal.class_id=caEnrollImpl
> -profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserRenewal.cfg
> +profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDirUserRenewal.cfg
>  profile.caSSLClientSelfRenewal.class_id=caEnrollImpl
> -profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caSSLClientSelfRenewal.cfg
> +profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caSSLClientSelfRenewal.cfg
>  profile.DomainController.class_id=caEnrollImpl
> -profile.DomainController.config=[PKI_INSTANCE_PATH]/profiles/ca/DomainController.cfg
> +profile.DomainController.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/DomainController.cfg
>  profile.caAgentFileSigning.class_id=caEnrollImpl
> -profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentFileSigning.cfg
> +profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caAgentFileSigning.cfg
>  profile.caAgentServerCert.class_id=caEnrollImpl
> -profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentServerCert.cfg
> +profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caAgentServerCert.cfg
>  profile.caRAserverCert.class_id=caEnrollImpl
> -profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAserverCert.cfg
> +profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRAserverCert.cfg
>  profile.caCACert.class_id=caEnrollImpl
> -profile.caCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCACert.cfg
> +profile.caCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caCACert.cfg
>  profile.caInstallCACert.class_id=caEnrollImpl
> -profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInstallCACert.cfg
> +profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInstallCACert.cfg
>  profile.caCMCUserCert.class_id=caEnrollImpl
> -profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCMCUserCert.cfg
> +profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caCMCUserCert.cfg
>  profile.caDirUserCert.class_id=caEnrollImpl
> -profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserCert.cfg
> +profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDirUserCert.cfg
>  profile.caDualCert.class_id=caEnrollImpl
> -profile.caDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualCert.cfg
> +profile.caDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDualCert.cfg
>  profile.caECDualCert.class_id=caEnrollImpl
> -profile.caECDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caECDualCert.cfg
> +profile.caECDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caECDualCert.cfg
>  profile.caDualRAuserCert.class_id=caEnrollImpl
> -profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualRAuserCert.cfg
> +profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDualRAuserCert.cfg
>  profile.caRAagentCert.class_id=caEnrollImpl
> -profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAagentCert.cfg
> +profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRAagentCert.cfg
>  profile.caFullCMCUserCert.class_id=caEnrollImpl
> -profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caFullCMCUserCert.cfg
> +profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caFullCMCUserCert.cfg
>  profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
> -profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthOCSPCert.cfg
> +profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthOCSPCert.cfg
>  profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
> -profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthAuditSigningCert.cfg
> +profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthAuditSigningCert.cfg
>  profile.caInternalAuthServerCert.class_id=caEnrollImpl
> -profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthServerCert.cfg
> +profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthServerCert.cfg
>  profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl
> -profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthSubsystemCert.cfg
> +profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthSubsystemCert.cfg
>  profile.caInternalAuthDRMstorageCert.class_id=caEnrollImpl
> -profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthDRMstorageCert.cfg
> +profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthDRMstorageCert.cfg
>  profile.caInternalAuthTransportCert.class_id=caEnrollImpl
> -profile.caInternalAuthTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthTransportCert.cfg 
> +profile.caInternalAuthTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthTransportCert.cfg
>  profile.caOCSPCert.class_id=caEnrollImpl
> -profile.caOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOCSPCert.cfg
> +profile.caOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caOCSPCert.cfg
>  profile.caOtherCert.class_id=caEnrollImpl
> -profile.caOtherCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOtherCert.cfg
> +profile.caOtherCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caOtherCert.cfg
>  profile.caRACert.class_id=caEnrollImpl
> -profile.caRACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRACert.cfg
> +profile.caRACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRACert.cfg
>  profile.caRARouterCert.class_id=caEnrollImpl
> -profile.caRARouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRARouterCert.cfg
> +profile.caRARouterCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRARouterCert.cfg
>  profile.caRouterCert.class_id=caEnrollImpl
> -profile.caRouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRouterCert.cfg
> +profile.caRouterCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRouterCert.cfg
>  profile.caServerCert.class_id=caEnrollImpl
> -profile.caServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caServerCert.cfg
> +profile.caServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caServerCert.cfg
>  profile.caSignedLogCert.class_id=caEnrollImpl
> -profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSignedLogCert.cfg
> +profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caSignedLogCert.cfg
>  profile.caSimpleCMCUserCert.class_id=caEnrollImpl
> -profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSimpleCMCUserCert.cfg
> +profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caSimpleCMCUserCert.cfg
>  profile.caTPSCert.class_id=caEnrollImpl
> -profile.caTPSCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTPSCert.cfg
> +profile.caTPSCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTPSCert.cfg
>  profile.caAdminCert.class_id=caEnrollImpl
> -profile.caAdminCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAdminCert.cfg
> +profile.caAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caAdminCert.cfg
>  profile.caTempTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
> -profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
> +profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
>  profile.caTempTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
> -profile.caTempTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
> +profile.caTempTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
>  profile.caTokenUserEncryptionKeyRenewal.class_id=caUserCertEnrollImpl
> -profile.caTokenUserEncryptionKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
> +profile.caTokenUserEncryptionKeyRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
>  profile.caTempTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
> -profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
> +profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
>  profile.caTokenUserSigningKeyRenewal.class_id=caUserCertEnrollImpl
> -profile.caTokenUserSigningKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyRenewal.cfg
> +profile.caTokenUserSigningKeyRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserSigningKeyRenewal.cfg
>  profile.caTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
> -profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenDeviceKeyEnrollment.cfg
> +profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenDeviceKeyEnrollment.cfg
>  profile.caTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
> -profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
> +profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
>  profile.caTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
> -profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
> +profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserSigningKeyEnrollment.cfg
>  profile.caTokenMSLoginEnrollment.class_id=caUserCertEnrollImpl
> -profile.caTokenMSLoginEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenMSLoginEnrollment.cfg
> +profile.caTokenMSLoginEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenMSLoginEnrollment.cfg
>  profile.caTransportCert.class_id=caEnrollImpl
> -profile.caTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTransportCert.cfg
> +profile.caTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTransportCert.cfg
>  profile.caUserCert.class_id=caEnrollImpl
> -profile.caUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserCert.cfg
> +profile.caUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caUserCert.cfg
>  profile.caECUserCert.class_id=caEnrollImpl
> -profile.caECUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caECUserCert.cfg
> +profile.caECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caECUserCert.cfg
>  profile.caUserSMIMEcapCert.class_id=caEnrollImpl
> -profile.caUserSMIMEcapCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserSMIMEcapCert.cfg
> +profile.caUserSMIMEcapCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caUserSMIMEcapCert.cfg
>  profile.caJarSigningCert.class_id=caEnrollImpl
> -profile.caJarSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caJarSigningCert.cfg
> +profile.caJarSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caJarSigningCert.cfg
>  profile.caIPAserviceCert.class_id=caEnrollImpl
> -profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caIPAserviceCert.cfg
> +profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caIPAserviceCert.cfg
>  profile.caEncUserCert.class_id=caEnrollImpl
> -profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caEncUserCert.cfg
> +profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caEncUserCert.cfg
>  profile.caEncECUserCert.class_id=caEnrollImpl
> -profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caEncECUserCert.cfg
> -registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg
> +profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caEncECUserCert.cfg
> +registry.file=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]registry.cfg
>  processor.caProfileProcess.getClientCert=true
>  processor.caProfileProcess.authzMgr=BasicAclAuthz
>  processor.caProfileProcess.authorityId=ca
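
Review bot: the profile paths keep the literal profiles/ca/ after the new placeholder, so assuming [PKI_SUBSYSTEM_DIR] expands to ca/ every entry becomes [PKI_INSTANCE_PATH]/ca/profiles/ca/<name>.cfg. If the doubled subsystem name is the intended layout, a one-line comment above profile.list would help; if not, drop one of the two. Note also that registry.file at the end of the hunk uses the conf/[PKI_SUBSYSTEM_DIR] ordering instead, which is easy to miss in a block this size.
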
> @@ -1096,7 +1097,7 @@ selftests.container.logger.bufferSize=512
>  selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
>  selftests.container.logger.enable=true
>  selftests.container.logger.expirationTime=0
> -selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
> +selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
>  selftests.container.logger.flushInterval=5
>  selftests.container.logger.level=1
>  selftests.container.logger.maxFileSize=2000
> diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
> index 692cb48..8471d6c 100644
> --- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
> +++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
> @@ -3,90 +3,6 @@
>     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/pki/setup/web-app_2_3.dtd">
>  <web-app>
>  
> -    <filter>
> -        <filter-name>AgentRequestFilter</filter-name>
> -        <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
> -        <init-param>
> -            <param-name>https_port</param-name>
> -            <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_OPEN_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>proxy_port</param-name>
> -            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_CLOSE_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>active</param-name>
> -            <param-value>true</param-value>
> -        </init-param>
> -    </filter>
> -
> -    <filter>
> -        <filter-name>AdminRequestFilter</filter-name>
> -        <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class>
> -        <init-param>
> -            <param-name>https_port</param-name>
> -            <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_OPEN_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>proxy_port</param-name>
> -            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_CLOSE_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>active</param-name>
> -            <param-value>true</param-value>
> -        </init-param>
> -    </filter>
> -
> -    <filter>
> -        <filter-name>EERequestFilter</filter-name>
> -        <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class>
> -        <init-param>
> -            <param-name>http_port</param-name>
> -            <param-value>[PKI_UNSECURE_PORT]</param-value>
> -        </init-param>
> -        <init-param>
> -            <param-name>https_port</param-name>
> -            <param-value>[PKI_EE_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_OPEN_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>proxy_port</param-name>
> -            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
> -        </init-param>
> -        <init-param>
> -            <param-name>proxy_http_port</param-name>
> -            <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_CLOSE_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>active</param-name>
> -            <param-value>true</param-value>
> -        </init-param>
> -    </filter>
> -
> -    <filter>
> -        <filter-name>EEClientAuthRequestFilter</filter-name>
> -        <filter-class>com.netscape.cms.servlet.filter.EEClientAuthRequestFilter</filter-class>
> -        <init-param>
> -            <param-name>https_port</param-name>
> -            <param-value>[PKI_EE_SECURE_CLIENT_AUTH_PORT]</param-value>
> -        </init-param>
> -[PKI_OPEN_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>proxy_port</param-name>
> -            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_CLOSE_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>active</param-name>
> -            <param-value>true</param-value>
> -        </init-param>
> -    </filter>
> -
>      <servlet>
>          <servlet-name>csadmin-wizard</servlet-name>
>          <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class>
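
Review bot: the four filters removed here (AgentRequestFilter, AdminRequestFilter, EERequestFilter, EEClientAuthRequestFilter) carried the per-interface https_port and proxy_port settings, and no replacement appears in this file. Please state in the commit message whether separate agent/admin/EE ports are being dropped for the new layout or are enforced somewhere else, and whether the [PKI_AGENT_SECURE_PORT], [PKI_ADMIN_SECURE_PORT], [PKI_EE_SECURE_PORT] and [PKI_EE_SECURE_CLIENT_AUTH_PORT] placeholders are still needed by the deployment code.
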
> @@ -415,7 +331,7 @@
>               <init-param><param-name>  AuthzMgr    </param-name>
>                           <param-value> BasicAclAuthz </param-value> </init-param>
>               <init-param><param-name>  cfgPath     </param-name>
> -                         <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg </param-value> </init-param>
> +                         <param-value> [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg </param-value> </init-param>
>               <init-param><param-name>  ID          </param-name>
>                           <param-value> castart     </param-value> </init-param>
>        <load-on-startup>  1  </load-on-startup>
> @@ -1900,10 +1816,9 @@
>                           <param-value> /agent/ca/doRevoke       </param-value> </init-param>
>     </servlet>
>  
> -   <context-param>
> -      <param-name>resteasy.scan</param-name>
> -      <param-value>true</param-value>
> -   </context-param>
> +   <listener>
> +      <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
> +   </listener>
>  
>     <context-param>
>        <param-name>resteasy.servlet.mapping.prefix</param-name>
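
Review bot: the <listener-class> value is padded with a space on each side of org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap, so loading the listener depends on the container trimming the element text. Please write the class name with no surrounding whitespace, as the Resteasy <servlet-class> a few lines below already does.
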
> @@ -1920,50 +1835,12 @@
>     <servlet>
>        <servlet-name>Resteasy</servlet-name>
>        <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
> +      <init-param>
> +         <param-name>javax.ws.rs.Application</param-name>
> +         <param-value>com.netscape.ca.CertificateAuthorityApplication</param-value>
> +      </init-param>
>     </servlet>
>     
> -[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
> -   <filter-mapping>
> -      <filter-name>   AgentRequestFilter          </filter-name>
> -      <url-pattern>   /agent/*                    </url-pattern>
> -      <url-pattern>   /ca/getCertFromRequest      </url-pattern>
> -      <url-pattern>   /ca/getBySerial             </url-pattern>
> -      <url-pattern>   /ca/connector               </url-pattern>
> -      <url-pattern>   /ca/displayCertFromRequest  </url-pattern>
> -      <url-pattern>   /doRevoke                   </url-pattern>
> -   </filter-mapping>
> -
> -   <filter-mapping>
> -      <filter-name>   AdminRequestFilter          </filter-name>
> -      <url-pattern>   /admin/*                    </url-pattern>
> -      <url-pattern>   /auths                      </url-pattern>
> -      <url-pattern>   /acl                        </url-pattern>
> -      <url-pattern>   /server                     </url-pattern>
> -      <url-pattern>   /caadmin                    </url-pattern>
> -      <url-pattern>   /caprofile                  </url-pattern>
> -      <url-pattern>   /jobsScheduler              </url-pattern>
> -      <url-pattern>   /capublisher                </url-pattern>
> -      <url-pattern>   /log                        </url-pattern>
> -      <url-pattern>   /ug                         </url-pattern>
> -   </filter-mapping>
> -
> -   <filter-mapping> 
> -      <filter-name>  EEClientAuthRequestFilter    </filter-name>
> -      <url-pattern>  /eeca/*                        </url-pattern>
> -   </filter-mapping>
> -
> -   <filter-mapping>
> -      <filter-name>  EERequestFilter              </filter-name>
> -      <url-pattern>  /ee/*                        </url-pattern>
> -      <url-pattern>  /renewal                     </url-pattern>
> -      <url-pattern>  /certbasedenrollment         </url-pattern>
> -      <url-pattern>  /ocsp                        </url-pattern>
> -      <url-pattern>  /enrollment                  </url-pattern>
> -      <url-pattern>  /profileSubmit               </url-pattern>
> -      <url-pattern>  /cgi-bin/pkiclient.exe       </url-pattern>
> -   </filter-mapping>
> -[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
> -
>     <servlet-mapping>
>        <servlet-name>Resteasy</servlet-name>
>        <url-pattern>/pki/*</url-pattern>
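
Review bot: with resteasy.scan removed in the previous hunk, the Resteasy servlet serves only what com.netscape.ca.CertificateAuthorityApplication registers, so a resource class left out of it will not be reachable under /pki/*. Please list in the commit message which resources the Application class is expected to expose. This hunk also deletes the filter-mapping block between the [PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] and [PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] markers; if the deployment code still defines those placeholders they are now unused here and can be cleaned up in a follow-up.
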
> diff --git a/base/common/shared/conf/catalina.properties b/base/common/shared/conf/catalina.properties
> index 003089a..c447586 100644
> --- a/base/common/shared/conf/catalina.properties
> +++ b/base/common/shared/conf/catalina.properties
> @@ -51,6 +51,10 @@ package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache
>  #                  repositories
>  #     "foo/bar.jar": Add bar.jar as a class repository
>  common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
> +#,[PKI_INSTANCE_PATH]/webapps/ca/WEB-INF/lib/pki-ca.jar
> +#,[PKI_INSTANCE_PATH]/webapps/kra/WEB-INF/lib/pki-kra.jar
> +#,[PKI_INSTANCE_PATH]/webapps/ocsp/WEB-INF/lib/pki-ocsp.jar
> +#,[PKI_INSTANCE_PATH]/webapps/tks/WEB-INF/lib/pki-tks.jar
>  
>  #
>  # List of comma-separated paths defining the contents of the "server"
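
Review bot: The four added lines beginning with "#," after common.loader are comments, not continuations of the property, so they have no effect and read like a half-finished edit. Either remove them or add a sentence saying when they are meant to be appended. Note also that putting pki-ca.jar, pki-kra.jar, pki-ocsp.jar and pki-tks.jar on the common loader would make each subsystem's classes visible to every webapp in the instance, which deserves a justification if it is ever enabled.
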
> diff --git a/base/common/shared/conf/log4j.properties b/base/common/shared/conf/log4j.properties
> index 5861ec7..dd4bd93 100644
> --- a/base/common/shared/conf/log4j.properties
> +++ b/base/common/shared/conf/log4j.properties
> @@ -4,14 +4,27 @@
>  # Modifications: configuration parameters
>  # --- END COPYRIGHT BLOCK ---
>  
> -log4j.rootLogger=debug, R 
> -log4j.appender.R=org.apache.log4j.RollingFileAppender 
> -log4j.appender.R.File=${catalina.home}/logs/tomcat.log 
> -log4j.appender.R.MaxFileSize=10MB 
> -log4j.appender.R.MaxBackupIndex=10 
> -log4j.appender.R.layout=org.apache.log4j.PatternLayout 
> -log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n 
> +log4j.rootLogger=debug, R
> +log4j.appender.R=org.apache.log4j.RollingFileAppender
> +log4j.appender.R.File=${catalina.base}/logs/catalina.out
> +log4j.appender.R.MaxFileSize=10MB
> +log4j.appender.R.MaxBackupIndex=10
> +log4j.appender.R.layout=org.apache.log4j.PatternLayout
> +log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n
>  log4j.logger.org.apache.catalina=DEBUG, R
>  log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=DEBUG, R
>  log4j.logger.org.apache.catalina.core=DEBUG, R
>  log4j.logger.org.apache.catalina.session=DEBUG, R
> +
> +#resteasy
> +log4j.appender.stdout=org.apache.log4j.ConsoleAppender
> +log4j.appender.stdout.Target=System.out
> +log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
> +log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p (%c:%L) - %m%n
> +log4j.rootLogger=warn, stdout
> +log4j.rootCategory=debug, stdout
> +log4j.category.org.jboss.resteasy.core=debug
> +log4j.category.org.jboss.resteasy.plugins.providers=debug
> +log4j.category.org.jboss.resteasy.specimpl=debug
> +log4j.category.org.jboss.resteasy.plugins.server=debug
> +log4j.logger.org.jboss.resteasy.mock=debug
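
Review bot: log4j.rootLogger is now assigned twice in this file, "debug, R" at the top and "warn, stdout" in the new resteasy block, followed by a conflicting log4j.rootCategory=debug, stdout. A properties file keeps only one value per key, so the first assignment is dead and the rolling file appender R is no longer attached to the root logger. Please keep a single root definition (for example "warn, R, stdout" if both appenders are wanted), drop the rootCategory line, and say whether debug-level logging of the resteasy packages is intended for production instances.
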
> diff --git a/base/common/shared/conf/server.xml b/base/common/shared/conf/server.xml
> index d578855..46ee15b 100644
> --- a/base/common/shared/conf/server.xml
> +++ b/base/common/shared/conf/server.xml
> @@ -68,7 +68,10 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
>  <Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
>  
>    <!--APR library loader. Documentation at /docs/apr.html -->
> -  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
> +  <!-- The following Listener class has been commented out because this -->
> +  <!-- implementation depends upon the 'tomcatjss' JSSE module, 'JSS',  -->
> +  <!-- and 'NSS' rather than the 'tomcat-native' module! -->
> +  <!-- Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" -->
>    <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
>    <Listener className="org.apache.catalina.core.JasperListener" />
>    <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
> @@ -116,7 +119,7 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
>      [PKI_UNSECURE_PORT_SERVER_COMMENT]
>      <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
>             maxHttpHeaderSize="8192"
> -           acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> +           acceptCount="100" maxThreads="150" minSpareThreads="25"
>             enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
>             />
>  
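
Review bot: The unsecure Connector touched here still carries a hard-coded redirectPort="8443" while the secure connector's port is the [PKI_SECURE_PORT] template slot. Since this line is being edited anyway, redirectPort should use the same slot so that a redirect from the unsecure port lands on the instance's actual secure port.
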
> @@ -124,9 +127,31 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
>      [PKI_SECURE_PORT_SERVER_COMMENT]
>      <!-- DO NOT REMOVE - Begin define PKI secure port
>      1
> +    NOTE: The following 'keys' (and their assigned values) are exclusive to
> +          the 'tomcatjss' JSSE module:
> +
> +              'enableOCSP'
> +              'ocspResponderURL'
> +              'ocspResponderCertNickname'
> +              'ocspCacheSize'
> +              'ocspMinCacheEntryDuration'
> +              'ocspMaxCacheEntryDuration'
> +              'ocspTimeout'
> +              'strictCiphers'
> +              'clientauth' (ALL lowercase)
> +              'sslOptions'
> +              'ssl2Ciphers'
> +              'ssl3Ciphers'
> +              'tlsCiphers'
> +              'serverCertNickFile'
> +              'passwordFile'
> +              'passwordClass'
> +              'certdbDir'
> +
> +          and are referenced via the value of the 'sslImplementationName' key.
>      NOTE: The OCSP settings take effect globally, so it should only be set once.
>  
> -      In setup where SSL clientAuth="true", OCSP can be turned on by
> +      In setup where SSL clientauth="true", OCSP can be turned on by
>        setting enableOCSP to true like the following:
>          enableOCSP="true"
>        along with changes to related settings, especially:
> @@ -150,9 +175,9 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
>      -->
>      <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
>             maxHttpHeaderSize="8192"
> -           acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> +           acceptCount="100" maxThreads="150" minSpareThreads="25"
>             enableLookups="false" disableUploadTimeout="true"
> -           SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
> +           sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
>             enableOCSP="false"
>             ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp"
>             ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
> @@ -162,6 +187,7 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
>             ocspTimeout="10"
>             strictCiphers="false"
>             clientAuth="[PKI_AGENT_CLIENTAUTH]"
> +           clientauth="[PKI_AGENT_CLIENTAUTH]"
>             sslOptions="[TOMCAT_SSL_OPTIONS]"
>             ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
>             ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
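
Review bot: The secure Connector now sets both clientAuth="[PKI_AGENT_CLIENTAUTH]" and the added clientauth="[PKI_AGENT_CLIENTAUTH]", with no comment next to them saying which spelling each layer reads. The NOTE added earlier in this file lists only the lowercase key as a tomcatjss key; please either remove the mixed-case attribute or add a one-line comment explaining why both must be kept, so that a later edit does not change one and leave the other behind.
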
> @@ -173,23 +199,6 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
>             />
>      <!-- DO NOT REMOVE - End define PKI secure port -->
>  
> -    <!-- A "Connector" using the shared thread pool-->
> -    <!--
> -    <Connector executor="tomcatThreadPool"
> -               port="8080" protocol="HTTP/1.1"
> -               connectionTimeout="20000"
> -               redirectPort="8443" />
> -    -->
> -    <!-- Define a SSL HTTP/1.1 Connector on port 8443
> -         This connector uses the JSSE configuration, when using APR, the
> -         connector should be using the OpenSSL style configuration
> -         described in the APR documentation -->
> -    <!--
> -    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> -               maxThreads="150" scheme="https" secure="true"
> -               clientAuth="false" sslProtocol="TLS" />
> -    -->
> -
>      <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
>  [PKI_OPEN_AJP_PORT_COMMENT]
>      <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
> @@ -281,10 +290,45 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
>        <!-- Define the default virtual host
>             Note: XML Schema validation will not work with Xerces 2.2.
>        -->
> -      <Host name="localhost"  appBase="webapps"
> +      <Host name="localhost"
> +            appBase="[PKI_INSTANCE_PATH]/webapps"
>              unpackWARs="true" autoDeploy="false"
>              xmlValidation="false" xmlNamespaceAware="false">
>  
> +        <!--
> +        <Context path="/ca"
> +                 docBase="ca"
> +                 allowLinking="true">
> +          <Loader className="org.apache.catalina.loader.VirtualWebappLoader"
> +                  virtualClasspath="[PKI_INSTANCE_PATH]/ca/webapps/ca/WEB-INF/classes;[PKI_INSTANCE_PATH]/ca/webapps/ca/WEB-INF/lib" />" />
> +          <JarScanner scanAllDirectories="true" />
> +        </Context>
> +
> +        <Context path="/kra"
> +                 docBase="kra"
> +                 allowLinking="true">
> +          <Loader className="org.apache.catalina.loader.VirtualWebappLoader"
> +                  virtualClasspath="[PKI_INSTANCE_PATH]/kra/webapps/kra/WEB-INF/classes;[PKI_INSTANCE_PATH]/kra/webapps/kra/WEB-INF/lib" />
> +          <JarScanner scanAllDirectories="true" />
> +        </Context>
> +
> +        <Context path="/ocsp"
> +                 docBase="ocsp"
> +                 allowLinking="true">
> +          <Loader className="org.apache.catalina.loader.VirtualWebappLoader"
> +                  virtualClasspath="[PKI_INSTANCE_PATH]/ocsp/webapps/ocsp/WEB-INF/classes;[PKI_INSTANCE_PATH]/ocsp/webapps/ocsp/WEB-INF/lib" />
> +          <JarScanner scanAllDirectories="true" />
> +        </Context>
> +
> +        <Context path="/tks"
> +                 docBase="tks"
> +                 allowLinking="true">
> +          <Loader className="org.apache.catalina.loader.VirtualWebappLoader"
> +                  virtualClasspath="[PKI_INSTANCE_PATH]/tks/webapps/tks/WEB-INF/classes;[PKI_INSTANCE_PATH]/tks/webapps/tks/WEB-INF/lib" />
> +          <JarScanner scanAllDirectories="true" />
> +        </Context>
> +        -->
> +
>          <!-- SingleSignOn valve, share authentication between web applications
>               Documentation at: /docs/config/valve.html -->
>          <!--
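
Review bot: In the commented-out Context for /ca, the Loader line ends with a stray second terminator (lib" />" />), so uncommenting the block as written would make server.xml malformed; the /kra, /ocsp and /tks blocks do not have it. Please fix the typo or drop the dead blocks. If they are kept, allowLinking="true" should be justified in a comment, because it lets the webapp follow symbolic links that point outside its docBase.
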
> @@ -294,8 +338,9 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
>          <!-- Access log processes all example.
>               Documentation at: /docs/config/valve.html -->
>          <!--
> -        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
> -               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
> +        <Valve className="org.apache.catalina.valves.AccessLogValve"
> +               directory="logs" prefix="localhost_access_log." suffix=".txt"
> +               pattern="common" resolveHosts="false"/>
>          -->
>  
>        </Host>
> diff --git a/base/common/shared/conf/serverCertNick.conf b/base/common/shared/conf/serverCertNick.conf
> new file mode 100644
> index 0000000..25bafd6
> --- /dev/null
> +++ b/base/common/shared/conf/serverCertNick.conf
> @@ -0,0 +1,6 @@
> +# --- BEGIN COPYRIGHT BLOCK ---
> +# Copyright (C) 2012 Red Hat, Inc.
> +# All rights reserved.
> +# --- END COPYRIGHT BLOCK ---
> +#
> +Server-Cert cert-[PKI_INSTANCE_ID]
> diff --git a/base/common/shared/conf/tomcat.conf b/base/common/shared/conf/tomcat.conf
> index aa7fefd..9c1a81b 100644
> --- a/base/common/shared/conf/tomcat.conf
> +++ b/base/common/shared/conf/tomcat.conf
> @@ -21,7 +21,7 @@
>  CATALINA_BASE="[PKI_INSTANCE_PATH]"
>  #CATALINA_HOME="/usr/share/tomcat"
>  #JASPER_HOME="/usr/share/tomcat"
> -#CATALINA_TMPDIR="/var/cache/tomcat/temp"
> +CATALINA_TMPDIR=[PKI_TMPDIR]
>  
>  # You can pass some parameters to java here if you wish to
>  #JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
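
Review bot: CATALINA_TMPDIR=[PKI_TMPDIR] is unquoted while CATALINA_BASE and TOMCAT_USER in the same file quote their template slots. This file is sourced by a shell, so a substituted path containing whitespace would break the assignment; please write CATALINA_TMPDIR="[PKI_TMPDIR]" for consistency.
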
> @@ -29,6 +29,9 @@ CATALINA_BASE="[PKI_INSTANCE_PATH]"
>  # Use JAVA_OPTS to set java.library.path for libtcnative.so
>  #JAVA_OPTS="-Djava.library.path=/usr/lib"
>  
> +# Enable the following JAVA_OPTS to run a java debugger (e. g. - 'eclipse')
> +#JAVA_OPTS="-Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n -Djava.awt.headless=true -Xmx128M"
> +
>  # What user should run tomcat
>  TOMCAT_USER="[PKI_USER]"
>  
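
Review bot: The added debugger example uses address=8000 with no host part, and JDWP has no authentication, so anyone who uncomments the line as given exposes a debug port on the CA instance. Please change the example to address=localhost:8000 and extend the comment to say it is for development systems only. The -Xmx128M in the same line is unrelated to debugging and would silently cap the heap, so it is better left out of the example.
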
> @@ -36,7 +39,7 @@ TOMCAT_USER="[PKI_USER]"
>  #LANG="en_US"
>  
>  # Run tomcat under the Java Security Manager
> -SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
> +#SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
>  
>  # Time to wait in seconds, before killing process
>  #SHUTDOWN_WAIT="30"
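
Review bot: Commenting out SECURITY_MANAGER="[PKI_SECURITY_MANAGER]" means the instance no longer passes the deployer's Security Manager choice to Tomcat, and the hunk gives no reason. If this is a temporary workaround while the Tomcat 7 port settles, please add a comment saying so and reference the tracking ticket; otherwise keep the line so the [PKI_SECURITY_MANAGER] setting continues to take effect.
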
> diff --git a/base/common/shared/conf/web.xml b/base/common/shared/conf/web.xml
> new file mode 100644
> index 0000000..cc8383c
> --- /dev/null
> +++ b/base/common/shared/conf/web.xml
> @@ -0,0 +1,4283 @@
> +<?xml version="1.0" encoding="ISO-8859-1"?>
> +<!--
> +  Licensed to the Apache Software Foundation (ASF) under one or more
> +  contributor license agreements.  See the NOTICE file distributed with
> +  this work for additional information regarding copyright ownership.
> +  The ASF licenses this file to You under the Apache License, Version 2.0
> +  (the "License"); you may not use this file except in compliance with
> +  the License.  You may obtain a copy of the License at
> +
> +      http://www.apache.org/licenses/LICENSE-2.0
> +
> +  Unless required by applicable law or agreed to in writing, software
> +  distributed under the License is distributed on an "AS IS" BASIS,
> +  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> +  See the License for the specific language governing permissions and
> +  limitations under the License.
> +-->
> +<web-app xmlns="http://java.sun.com/xml/ns/javaee"
> +  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> +  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> +                      http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
> +  version="3.0">
> +
> +  <!-- ======================== Introduction ============================== -->
> +  <!-- This document defines default values for *all* web applications      -->
> +  <!-- loaded into this instance of Tomcat.  As each application is         -->
> +  <!-- deployed, this file is processed, followed by the                    -->
> +  <!-- "/WEB-INF/web.xml" deployment descriptor from your own               -->
> +  <!-- applications.                                                        -->
> +  <!--                                                                      -->
> +  <!-- WARNING:  Do not configure application-specific resources here!      -->
> +  <!-- They should go in the "/WEB-INF/web.xml" file in your application.   -->
> +
> +
> +  <!-- ================== Built In Servlet Definitions ==================== -->
> +
> +
> +  <!-- The default servlet for all web applications, that serves static     -->
> +  <!-- resources.  It processes all requests that are not mapped to other   -->
> +  <!-- servlets with servlet mappings (defined either here or in your own   -->
> +  <!-- web.xml file).  This servlet supports the following initialization   -->
> +  <!-- parameters (default values are in square brackets):                  -->
> +  <!--                                                                      -->
> +  <!--   debug               Debugging detail level for messages logged     -->
> +  <!--                       by this servlet.  [0]                          -->
> +  <!--                                                                      -->
> +  <!--   fileEncoding        Encoding to be used to read static resources   -->
> +  <!--                       [platform default]                             -->
> +  <!--                                                                      -->
> +  <!--   input               Input buffer size (in bytes) when reading      -->
> +  <!--                       resources to be served.  [2048]                -->
> +  <!--                                                                      -->
> +  <!--   listings            Should directory listings be produced if there -->
> +  <!--                       is no welcome file in this directory?  [false] -->
> +  <!--                       WARNING: Listings for directories with many    -->
> +  <!--                       entries can be slow and may consume            -->
> +  <!--                       significant proportions of server resources.   -->
> +  <!--                                                                      -->
> +  <!--   output              Output buffer size (in bytes) when writing     -->
> +  <!--                       resources to be served.  [2048]                -->
> +  <!--                                                                      -->
> +  <!--   readonly            Is this context "read only", so HTTP           -->
> +  <!--                       commands like PUT and DELETE are               -->
> +  <!--                       rejected?  [true]                              -->
> +  <!--                                                                      -->
> +  <!--   readmeFile          File to display together with the directory    -->
> +  <!--                       contents. [null]                               -->
> +  <!--                                                                      -->
> +  <!--   sendfileSize        If the connector used supports sendfile, this  -->
> +  <!--                       represents the minimal file size in KB for     -->
> +  <!--                       which sendfile will be used. Use a negative    -->
> +  <!--                       value to always disable sendfile.  [48]        -->
> +  <!--                                                                      -->
> +  <!--   useAcceptRanges     Should the Accept-Ranges header be included    -->
> +  <!--                       in responses where appropriate? [true]         -->
> +  <!--                                                                      -->
> +  <!--  For directory listing customization. Checks localXsltFile, then     -->
> +  <!--  globalXsltFile, then defaults to original behavior.                 -->
> +  <!--                                                                      -->
> +  <!--   localXsltFile       Make directory listings an XML doc and         -->
> +  <!--                       pass the result to this style sheet residing   -->
> +  <!--                       in that directory. This overrides              -->
> +  <!--                       contextXsltFile and globalXsltFile[null]       -->
> +  <!--                                                                      -->
> +  <!--   contextXsltFile     Make directory listings an XML doc and         -->
> +  <!--                       pass the result to this style sheet which is   -->
> +  <!--                       relative to the context root. This overrides   -->
> +  <!--                       globalXsltFile[null]                           -->
> +  <!--                                                                      -->
> +  <!--   globalXsltFile      Site wide configuration version of             -->
> +  <!--                       localXsltFile This argument is expected        -->
> +  <!--                       to be a physical file. [null]                  -->
> +  <!--                                                                      -->
> +  <!--                                                                      -->
> +
> +    <servlet>
> +        <servlet-name>default</servlet-name>
> +        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
> +        <init-param>
> +            <param-name>debug</param-name>
> +            <param-value>0</param-value>
> +        </init-param>
> +        <init-param>
> +            <param-name>listings</param-name>
> +            <param-value>false</param-value>
> +        </init-param>
> +        <load-on-startup>1</load-on-startup>
> +    </servlet>
> +
> +
> +  <!-- The JSP page compiler and execution servlet, which is the mechanism  -->
> +  <!-- used by Tomcat to support JSP pages.  Traditionally, this servlet    -->
> +  <!-- is mapped to the URL pattern "*.jsp".  This servlet supports the     -->
> +  <!-- following initialization parameters (default values are in square    -->
> +  <!-- brackets):                                                           -->
> +  <!--                                                                      -->
> +  <!--   checkInterval       If development is false and checkInterval is   -->
> +  <!--                       greater than zero, background compilations are -->
> +  <!--                       enabled. checkInterval is the time in seconds  -->
> +  <!--                       between checks to see if a JSP page (and its   -->
> +  <!--                       dependent files) needs to  be recompiled. [0]  -->
> +  <!--                                                                      -->
> +  <!--   classdebuginfo      Should the class file be compiled with         -->
> +  <!--                       debugging information?  [true]                 -->
> +  <!--                                                                      -->
> +  <!--   classpath           What class path should I use while compiling   -->
> +  <!--                       generated servlets?  [Created dynamically      -->
> +  <!--                       based on the current web application]          -->
> +  <!--                                                                      -->
> +  <!--   compiler            Which compiler Ant should use to compile JSP   -->
> +  <!--                       pages.  See the jasper documentation for more  -->
> +  <!--                       information.                                   -->
> +  <!--                                                                      -->
> +  <!--   compilerSourceVM    Compiler source VM. [1.6]                      -->
> +  <!--                                                                      -->
> +  <!--   compilerTargetVM    Compiler target VM. [1.6]                      -->
> +  <!--                                                                      -->
> +  <!--   development         Is Jasper used in development mode? If true,   -->
> +  <!--                       the frequency at which JSPs are checked for    -->
> +  <!--                       modification may be specified via the          -->
> +  <!--                       modificationTestInterval parameter. [true]     -->
> +  <!--                                                                      -->
> +  <!--   displaySourceFragment                                              -->
> +  <!--                       Should a source fragment be included in        -->
> +  <!--                       exception messages? [true]                     -->
> +  <!--                                                                      -->
> +  <!--   dumpSmap            Should the SMAP info for JSR45 debugging be    -->
> +  <!--                       dumped to a file? [false]                      -->
> +  <!--                       False if suppressSmap is true                  -->
> +  <!--                                                                      -->
> +  <!--   enablePooling       Determines whether tag handler pooling is      -->
> +  <!--                       enabled. This is a compilation option. It will -->
> +  <!--                       not alter the behaviour of JSPs that have      -->
> +  <!--                       already been compiled. [true]                  -->
> +  <!--                                                                      -->
> +  <!--   engineOptionsClass  Allows specifying the Options class used to    -->
> +  <!--                       configure Jasper. If not present, the default  -->
> +  <!--                       EmbeddedServletOptions will be used.           -->
> +  <!--                                                                      -->
> +  <!--   errorOnUseBeanInvalidClassAttribute                                -->
> +  <!--                       Should Jasper issue an error when the value of -->
> +  <!--                       the class attribute in an useBean action is    -->
> +  <!--                       not a valid bean class?  [true]                -->
> +  <!--                                                                      -->
> +  <!--   fork                Tell Ant to fork compiles of JSP pages so that -->
> +  <!--                       a separate JVM is used for JSP page compiles   -->
> +  <!--                       from the one Tomcat is running in. [true]      -->
> +  <!--                                                                      -->
> +  <!--   genStringAsCharArray                                               -->
> +  <!--                       Should text strings be generated as char       -->
> +  <!--                       arrays, to improve performance in some cases?  -->
> +  <!--                       [false]                                        -->
> +  <!--                                                                      -->
> +  <!--   ieClassId           The class-id value to be sent to Internet      -->
> +  <!--                       Explorer when using <jsp:plugin> tags.         -->
> +  <!--                       [clsid:8AD9C840-044E-11D1-B3E9-00805F499D93]   -->
> +  <!--                                                                      -->
> +  <!--   javaEncoding        Java file encoding to use for generating java  -->
> +  <!--                       source files. [UTF8]                           -->
> +  <!--                                                                      -->
> +  <!--   keepgenerated       Should we keep the generated Java source code  -->
> +  <!--                       for each page instead of deleting it? [true]   -->
> +  <!--                                                                      -->
> +  <!--   mappedfile          Should we generate static content with one     -->
> +  <!--                       print statement per input line, to ease        -->
> +  <!--                       debugging?  [true]                             -->
> +  <!--                                                                      -->
> +  <!--   maxLoadedJsps       The maximum number of JSPs that will be loaded -->
> +  <!--                       for a web application. If more than this       -->
> +  <!--                       number of JSPs are loaded, the least recently  -->
> +  <!--                       used JSPs will be unloaded so that the number  -->
> +  <!--                       of JSPs loaded at any one time does not exceed -->
> +  <!--                       this limit. A value of zero or less indicates  -->
> +  <!--                       no limit. [-1]                                 -->
> +  <!--                                                                      -->
> +  <!--   jspIdleTimeout      The amount of time in seconds a JSP can be     -->
> +  <!--                       idle before it is unloaded. A value of zero    -->
> +  <!--                       or less indicates never unload. [-1]           -->
> +  <!--                                                                      -->
> +  <!--   modificationTestInterval                                           -->
> +  <!--                       Causes a JSP (and its dependent files) to not  -->
> +  <!--                       be checked for modification during the         -->
> +  <!--                       specified time interval (in seconds) from the  -->
> +  <!--                       last time the JSP was checked for              -->
> +  <!--                       modification. A value of 0 will cause the JSP  -->
> +  <!--                       to be checked on every access.                 -->
> +  <!--                       Used in development mode only. [4]             -->
> +  <!--                                                                      -->
> +  <!--   recompileOnFail     If a JSP compilation fails should the          -->
> +  <!--                       modificationTestInterval be ignored and the    -->
> +  <!--                       next access trigger a re-compilation attempt?  -->
> +  <!--                       Used in development mode only and is disabled  -->
> +  <!--                       by default as compilation may be expensive and -->
> +  <!--                       could lead to excessive resource usage.        -->
> +  <!--                       [false]                                        -->
> +  <!--                                                                      -->
> +  <!--   scratchdir          What scratch directory should we use when      -->
> +  <!--                       compiling JSP pages?  [default work directory  -->
> +  <!--                       for the current web application]               -->
> +  <!--                                                                      -->
> +  <!--   suppressSmap        Should the generation of SMAP info for JSR45   -->
> +  <!--                       debugging be suppressed?  [false]              -->
> +  <!--                                                                      -->
> +  <!--   trimSpaces          Should white spaces in template text between   -->
> +  <!--                       actions or directives be trimmed?  [false]     -->
> +  <!--                                                                      -->
> +  <!--   xpoweredBy          Determines whether X-Powered-By response       -->
> +  <!--                       header is added by generated servlet.  [false] -->
> +
> +    <servlet>
> +        <servlet-name>jsp</servlet-name>
> +        <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
> +        <init-param>
> +            <param-name>fork</param-name>
> +            <param-value>false</param-value>
> +        </init-param>
> +        <init-param>
> +            <param-name>xpoweredBy</param-name>
> +            <param-value>false</param-value>
> +        </init-param>
> +        <load-on-startup>3</load-on-startup>
> +    </servlet>
> +
> +
> +  <!-- NOTE: An SSI Filter is also available as an alternative SSI          -->
> +  <!-- implementation. Use either the Servlet or the Filter but NOT both.   -->
> +  <!--                                                                      -->
> +  <!-- Server Side Includes processing servlet, which processes SSI         -->
> +  <!-- directives in HTML pages consistent with similar support in web      -->
> +  <!-- servers like Apache.  Traditionally, this servlet is mapped to the   -->
> +  <!-- URL pattern "*.shtml".  This servlet supports the following          -->
> +  <!-- initialization parameters (default values are in square brackets):   -->
> +  <!--                                                                      -->
> +  <!--   buffered            Should output from this servlet be buffered?   -->
> +  <!--                       (0=false, 1=true)  [0]                         -->
> +  <!--                                                                      -->
> +  <!--   debug               Debugging detail level for messages logged     -->
> +  <!--                       by this servlet.  [0]                          -->
> +  <!--                                                                      -->
> +  <!--   expires             The number of seconds before a page with SSI   -->
> +  <!--                       directives will expire.  [No default]          -->
> +  <!--                                                                      -->
> +  <!--   isVirtualWebappRelative                                            -->
> +  <!--                       Should "virtual" paths be interpreted as       -->
> +  <!--                       relative to the context root, instead of       -->
> +  <!--                       the server root?  (0=false, 1=true) [0]        -->
> +  <!--                                                                      -->
> +  <!--   inputEncoding       The encoding to assume for SSI resources if    -->
> +  <!--                       one is not available from the resource.        -->
> +  <!--                       [Platform default]                             -->
> +  <!--                                                                      -->
> +  <!--   outputEncoding      The encoding to use for the page that results  -->
> +  <!--                       from the SSI processing. [UTF-8]               -->
> +  <!--                                                                      -->
> +  <!--   allowExec           Is use of the exec command enabled? [false]    -->
> +
> +<!--
> +    <servlet>
> +        <servlet-name>ssi</servlet-name>
> +        <servlet-class>
> +          org.apache.catalina.ssi.SSIServlet
> +        </servlet-class>
> +        <init-param>
> +          <param-name>buffered</param-name>
> +          <param-value>1</param-value>
> +        </init-param>
> +        <init-param>
> +          <param-name>debug</param-name>
> +          <param-value>0</param-value>
> +        </init-param>
> +        <init-param>
> +          <param-name>expires</param-name>
> +          <param-value>666</param-value>
> +        </init-param>
> +        <init-param>
> +          <param-name>isVirtualWebappRelative</param-name>
> +          <param-value>0</param-value>
> +        </init-param>
> +        <load-on-startup>4</load-on-startup>
> +    </servlet>
> +-->
> +
> +
> +  <!-- Common Gateway Includes (CGI) processing servlet, which supports     -->
> +  <!-- execution of external applications that conform to the CGI spec      -->
> +  <!-- requirements.  Typically, this servlet is mapped to the URL pattern  -->
> +  <!-- "/cgi-bin/*", which means that any CGI applications that are         -->
> +  <!-- executed must be present within the web application.  This servlet   -->
> +  <!-- supports the following initialization parameters (default values     -->
> +  <!-- are in square brackets):                                             -->
> +  <!--                                                                      -->
> +  <!--   cgiPathPrefix        The CGI search path will start at             -->
> +  <!--                        webAppRootDir + File.separator + this prefix. -->
> +  <!--                        [WEB-INF/cgi]                                 -->
> +  <!--                                                                      -->
> +  <!--   debug                Debugging detail level for messages logged    -->
> +  <!--                        by this servlet.  [0]                         -->
> +  <!--                                                                      -->
> +  <!--   executable           Name of the executable used to run the        -->
> +  <!--                        script. [perl]                                -->
> +  <!--                                                                      -->
> +  <!--   parameterEncoding    Name of parameter encoding to be used with    -->
> +  <!--                        CGI servlet.                                  -->
> +  <!--                        [System.getProperty("file.encoding","UTF-8")] -->
> +  <!--                                                                      -->
> +  <!--   passShellEnvironment Should the shell environment variables (if    -->
> +  <!--                        any) be passed to the CGI script? [false]     -->
> +  <!--                                                                      -->
> +  <!--   stderrTimeout        The time (in milliseconds) to wait for the    -->
> +  <!--                        reading of stderr to complete before          -->
> +  <!--                        terminating the CGI process. [2000]           -->
> +
> +<!--
> +    <servlet>
> +        <servlet-name>cgi</servlet-name>
> +        <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
> +        <init-param>
> +          <param-name>debug</param-name>
> +          <param-value>0</param-value>
> +        </init-param>
> +        <init-param>
> +          <param-name>cgiPathPrefix</param-name>
> +          <param-value>WEB-INF/cgi</param-value>
> +        </init-param>
> +         <load-on-startup>5</load-on-startup>
> +    </servlet>
> +-->
> +
> +
> +  <!-- ================ Built In Servlet Mappings ========================= -->
> +
> +
> +  <!-- The servlet mappings for the built in servlets defined above.  Note  -->
> +  <!-- that, by default, the CGI and SSI servlets are *not* mapped.  You    -->
> +  <!-- must uncomment these mappings (or add them to your application's own -->
> +  <!-- web.xml deployment descriptor) to enable these services              -->
> +
> +    <!-- The mapping for the default servlet -->
> +    <servlet-mapping>
> +        <servlet-name>default</servlet-name>
> +        <url-pattern>/</url-pattern>
> +    </servlet-mapping>
> +
> +    <!-- The mappings for the JSP servlet -->
> +    <servlet-mapping>
> +        <servlet-name>jsp</servlet-name>
> +        <url-pattern>*.jsp</url-pattern>
> +        <url-pattern>*.jspx</url-pattern>
> +    </servlet-mapping>
> +
> +    <!-- The mapping for the SSI servlet -->
> +<!--
> +    <servlet-mapping>
> +        <servlet-name>ssi</servlet-name>
> +        <url-pattern>*.shtml</url-pattern>
> +    </servlet-mapping>
> +-->
> +
> +    <!-- The mapping for the CGI Gateway servlet -->
> +
> +<!--
> +    <servlet-mapping>
> +        <servlet-name>cgi</servlet-name>
> +        <url-pattern>/cgi-bin/*</url-pattern>
> +    </servlet-mapping>
> +-->
> +
> +
> +  <!-- ================== Built In Filter Definitions ===================== -->
> +
> +  <!-- A filter that sets character encoding that is used to decode -->
> +  <!-- parameters in a POST request -->
> +<!--
> +    <filter>
> +        <filter-name>setCharacterEncodingFilter</filter-name>
> +        <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
> +        <init-param>
> +            <param-name>encoding</param-name>
> +            <param-value>UTF-8</param-value>
> +        </init-param>
> +        <async-supported>true</async-supported>
> +    </filter>
> +-->
> +
> +  <!-- A filter that triggers request parameters parsing and rejects the    -->
> +  <!-- request if some parameters were skipped because of parsing errors or -->
> +  <!-- request size limitations.                                            -->
> +<!--
> +    <filter>
> +        <filter-name>failedRequestFilter</filter-name>
> +        <filter-class>
> +          org.apache.catalina.filters.FailedRequestFilter
> +        </filter-class>
> +        <async-supported>true</async-supported>
> +    </filter>
> +-->
> +
> +
> +  <!-- NOTE: An SSI Servlet is also available as an alternative SSI         -->
> +  <!-- implementation. Use either the Servlet or the Filter but NOT both.   -->
> +  <!--                                                                      -->
> +  <!-- Server Side Includes processing filter, which processes SSI          -->
> +  <!-- directives in HTML pages consistent with similar support in web      -->
> +  <!-- servers like Apache.  Traditionally, this filter is mapped to the    -->
> +  <!-- URL pattern "*.shtml", though it can be mapped to "*" as it will     -->
> +  <!-- selectively enable/disable SSI processing based on mime types. For   -->
> +  <!-- this to work you will need to uncomment the .shtml mime type         -->
> +  <!-- definition towards the bottom of this file.                          -->
> +  <!-- The contentType init param allows you to apply SSI processing to JSP -->
> +  <!-- pages, javascript, or any other content you wish.  This filter       -->
> +  <!-- supports the following initialization parameters (default values are -->
> +  <!-- in square brackets):                                                 -->
> +  <!--                                                                      -->
> +  <!--   contentType         A regex pattern that must be matched before    -->
> +  <!--                       SSI processing is applied.                     -->
> +  <!--                       [text/x-server-parsed-html(;.*)?]              -->
> +  <!--                                                                      -->
> +  <!--   debug               Debugging detail level for messages logged     -->
> +  <!--                       by this servlet.  [0]                          -->
> +  <!--                                                                      -->
> +  <!--   expires             The number of seconds before a page with SSI   -->
> +  <!--                       directives will expire.  [No default]          -->
> +  <!--                                                                      -->
> +  <!--   isVirtualWebappRelative                                            -->
> +  <!--                       Should "virtual" paths be interpreted as       -->
> +  <!--                       relative to the context root, instead of       -->
> +  <!--                       the server root?  (0=false, 1=true) [0]        -->
> +  <!--                                                                      -->
> +  <!--   allowExec           Is use of the exec command enabled? [false]    -->
> +
> +<!--
> +    <filter>
> +        <filter-name>ssi</filter-name>
> +        <filter-class>
> +          org.apache.catalina.ssi.SSIFilter
> +        </filter-class>
> +        <init-param>
> +          <param-name>contentType</param-name>
> +          <param-value>text/x-server-parsed-html(;.*)?</param-value>
> +        </init-param>
> +        <init-param>
> +          <param-name>debug</param-name>
> +          <param-value>0</param-value>
> +        </init-param>
> +        <init-param>
> +          <param-name>expires</param-name>
> +          <param-value>666</param-value>
> +        </init-param>
> +        <init-param>
> +          <param-name>isVirtualWebappRelative</param-name>
> +          <param-value>0</param-value>
> +        </init-param>
> +    </filter>
> +-->
> +
> +
> +  <!-- ==================== Built In Filter Mappings ====================== -->
> +
> +  <!-- The mapping for the Set Character Encoding Filter -->
> +<!--
> +    <filter-mapping>
> +        <filter-name>setCharacterEncodingFilter</filter-name>
> +        <url-pattern>/*</url-pattern>
> +    </filter-mapping>
> +-->
> +
> +  <!-- The mapping for the Failed Request Filter -->
> +<!--
> +    <filter-mapping>
> +        <filter-name>failedRequestFilter</filter-name>
> +        <url-pattern>/*</url-pattern>
> +    </filter-mapping>
> +-->
> +
> +  <!-- The mapping for the SSI Filter -->
> +<!--
> +    <filter-mapping>
> +        <filter-name>ssi</filter-name>
> +        <url-pattern>*.shtml</url-pattern>
> +    </filter-mapping>
> +-->
> +
> +
> +  <!-- ==================== Default Session Configuration ================= -->
> +  <!-- You can set the default session timeout (in minutes) for all newly   -->
> +  <!-- created sessions by modifying the value below.                       -->
> +
> +    <session-config>
> +        <session-timeout>30</session-timeout>
> +    </session-config>
> +
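
Review bot: the `<session-config>` block just above sets only `<session-timeout>30</session-timeout>`, so session cookie attributes and session tracking modes are left at container defaults for every web application that inherits this file. The descriptor already uses Servlet 3.0 elements such as `<async-supported>`, so consider adding a `<cookie-config>` with `<http-only>true</http-only>` and `<secure>true</secure>`, plus `<tracking-mode>COOKIE</tracking-mode>`, so that session IDs are never written into URLs or sent over a non-SSL connector. A short comment stating whether 30 minutes is a deliberate choice for the PKI subsystems, or just the stock Tomcat value carried over, would also help later reviewers.
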
> +
> +  <!-- ===================== Default MIME Type Mappings =================== -->
> +  <!-- When serving static resources, Tomcat will automatically generate    -->
> +  <!-- a "Content-Type" header based on the resource's filename extension,  -->
> +  <!-- based on these mappings.  Additional mappings can be added here (to  -->
> +  <!-- apply to all web applications), or in your own application's web.xml -->
> +  <!-- deployment descriptor.                                               -->
> +
> +    <mime-mapping>
> +        <extension>123</extension>
> +        <mime-type>application/vnd.lotus-1-2-3</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>3dml</extension>
> +        <mime-type>text/vnd.in3d.3dml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>3g2</extension>
> +        <mime-type>video/3gpp2</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>3gp</extension>
> +        <mime-type>video/3gpp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>7z</extension>
> +        <mime-type>application/x-7z-compressed</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>aab</extension>
> +        <mime-type>application/x-authorware-bin</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>aac</extension>
> +        <mime-type>audio/x-aac</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>aam</extension>
> +        <mime-type>application/x-authorware-map</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>aas</extension>
> +        <mime-type>application/x-authorware-seg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>abs</extension>
> +        <mime-type>audio/x-mpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>abw</extension>
> +        <mime-type>application/x-abiword</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ac</extension>
> +        <mime-type>application/pkix-attr-cert</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>acc</extension>
> +        <mime-type>application/vnd.americandynamics.acc</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ace</extension>
> +        <mime-type>application/x-ace-compressed</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>acu</extension>
> +        <mime-type>application/vnd.acucobol</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>acutc</extension>
> +        <mime-type>application/vnd.acucorp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>adp</extension>
> +        <mime-type>audio/adpcm</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>aep</extension>
> +        <mime-type>application/vnd.audiograph</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>afm</extension>
> +        <mime-type>application/x-font-type1</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>afp</extension>
> +        <mime-type>application/vnd.ibm.modcap</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ahead</extension>
> +        <mime-type>application/vnd.ahead.space</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ai</extension>
> +        <mime-type>application/postscript</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>aif</extension>
> +        <mime-type>audio/x-aiff</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>aifc</extension>
> +        <mime-type>audio/x-aiff</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>aiff</extension>
> +        <mime-type>audio/x-aiff</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>aim</extension>
> +        <mime-type>application/x-aim</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>air</extension>
> +        <mime-type>application/vnd.adobe.air-application-installer-package+zip</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ait</extension>
> +        <mime-type>application/vnd.dvb.ait</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ami</extension>
> +        <mime-type>application/vnd.amiga.ami</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>anx</extension>
> +        <mime-type>application/annodex</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>apk</extension>
> +        <mime-type>application/vnd.android.package-archive</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>application</extension>
> +        <mime-type>application/x-ms-application</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>apr</extension>
> +        <mime-type>application/vnd.lotus-approach</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>art</extension>
> +        <mime-type>image/x-jg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>asc</extension>
> +        <mime-type>application/pgp-signature</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>asf</extension>
> +        <mime-type>video/x-ms-asf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>asm</extension>
> +        <mime-type>text/x-asm</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>aso</extension>
> +        <mime-type>application/vnd.accpac.simply.aso</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>asx</extension>
> +        <mime-type>video/x-ms-asf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>atc</extension>
> +        <mime-type>application/vnd.acucorp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>atom</extension>
> +        <mime-type>application/atom+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>atomcat</extension>
> +        <mime-type>application/atomcat+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>atomsvc</extension>
> +        <mime-type>application/atomsvc+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>atx</extension>
> +        <mime-type>application/vnd.antix.game-component</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>au</extension>
> +        <mime-type>audio/basic</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>avi</extension>
> +        <mime-type>video/x-msvideo</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>avx</extension>
> +        <mime-type>video/x-rad-screenplay</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>aw</extension>
> +        <mime-type>application/applixware</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>axa</extension>
> +        <mime-type>audio/annodex</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>axv</extension>
> +        <mime-type>video/annodex</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>azf</extension>
> +        <mime-type>application/vnd.airzip.filesecure.azf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>azs</extension>
> +        <mime-type>application/vnd.airzip.filesecure.azs</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>azw</extension>
> +        <mime-type>application/vnd.amazon.ebook</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>bat</extension>
> +        <mime-type>application/x-msdownload</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>bcpio</extension>
> +        <mime-type>application/x-bcpio</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>bdf</extension>
> +        <mime-type>application/x-font-bdf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>bdm</extension>
> +        <mime-type>application/vnd.syncml.dm+wbxml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>bed</extension>
> +        <mime-type>application/vnd.realvnc.bed</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>bh2</extension>
> +        <mime-type>application/vnd.fujitsu.oasysprs</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>bin</extension>
> +        <mime-type>application/octet-stream</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>bmi</extension>
> +        <mime-type>application/vnd.bmi</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>bmp</extension>
> +        <mime-type>image/bmp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>body</extension>
> +        <mime-type>text/html</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>book</extension>
> +        <mime-type>application/vnd.framemaker</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>box</extension>
> +        <mime-type>application/vnd.previewsystems.box</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>boz</extension>
> +        <mime-type>application/x-bzip2</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>bpk</extension>
> +        <mime-type>application/octet-stream</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>btif</extension>
> +        <mime-type>image/prs.btif</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>bz</extension>
> +        <mime-type>application/x-bzip</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>bz2</extension>
> +        <mime-type>application/x-bzip2</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>c</extension>
> +        <mime-type>text/x-c</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>c11amc</extension>
> +        <mime-type>application/vnd.cluetrust.cartomobile-config</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>c11amz</extension>
> +        <mime-type>application/vnd.cluetrust.cartomobile-config-pkg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>c4d</extension>
> +        <mime-type>application/vnd.clonk.c4group</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>c4f</extension>
> +        <mime-type>application/vnd.clonk.c4group</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>c4g</extension>
> +        <mime-type>application/vnd.clonk.c4group</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>c4p</extension>
> +        <mime-type>application/vnd.clonk.c4group</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>c4u</extension>
> +        <mime-type>application/vnd.clonk.c4group</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cab</extension>
> +        <mime-type>application/vnd.ms-cab-compressed</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cap</extension>
> +        <mime-type>application/vnd.tcpdump.pcap</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>car</extension>
> +        <mime-type>application/vnd.curl.car</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cat</extension>
> +        <mime-type>application/vnd.ms-pki.seccat</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cc</extension>
> +        <mime-type>text/x-c</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cct</extension>
> +        <mime-type>application/x-director</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ccxml</extension>
> +        <mime-type>application/ccxml+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cdbcmsg</extension>
> +        <mime-type>application/vnd.contact.cmsg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cdf</extension>
> +        <mime-type>application/x-cdf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cdkey</extension>
> +        <mime-type>application/vnd.mediastation.cdkey</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cdmia</extension>
> +        <mime-type>application/cdmi-capability</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cdmic</extension>
> +        <mime-type>application/cdmi-container</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cdmid</extension>
> +        <mime-type>application/cdmi-domain</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cdmio</extension>
> +        <mime-type>application/cdmi-object</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cdmiq</extension>
> +        <mime-type>application/cdmi-queue</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cdx</extension>
> +        <mime-type>chemical/x-cdx</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cdxml</extension>
> +        <mime-type>application/vnd.chemdraw+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cdy</extension>
> +        <mime-type>application/vnd.cinderella</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cer</extension>
> +        <mime-type>application/pkix-cert</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cgm</extension>
> +        <mime-type>image/cgm</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>chat</extension>
> +        <mime-type>application/x-chat</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>chm</extension>
> +        <mime-type>application/vnd.ms-htmlhelp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>chrt</extension>
> +        <mime-type>application/vnd.kde.kchart</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cif</extension>
> +        <mime-type>chemical/x-cif</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cii</extension>
> +        <mime-type>application/vnd.anser-web-certificate-issue-initiation</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cil</extension>
> +        <mime-type>application/vnd.ms-artgalry</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cla</extension>
> +        <mime-type>application/vnd.claymore</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>class</extension>
> +        <mime-type>application/java</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>clkk</extension>
> +        <mime-type>application/vnd.crick.clicker.keyboard</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>clkp</extension>
> +        <mime-type>application/vnd.crick.clicker.palette</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>clkt</extension>
> +        <mime-type>application/vnd.crick.clicker.template</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>clkw</extension>
> +        <mime-type>application/vnd.crick.clicker.wordbank</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>clkx</extension>
> +        <mime-type>application/vnd.crick.clicker</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>clp</extension>
> +        <mime-type>application/x-msclip</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cmc</extension>
> +        <mime-type>application/vnd.cosmocaller</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cmdf</extension>
> +        <mime-type>chemical/x-cmdf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cml</extension>
> +        <mime-type>chemical/x-cml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cmp</extension>
> +        <mime-type>application/vnd.yellowriver-custom-menu</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cmx</extension>
> +        <mime-type>image/x-cmx</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cod</extension>
> +        <mime-type>application/vnd.rim.cod</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>com</extension>
> +        <mime-type>application/x-msdownload</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>conf</extension>
> +        <mime-type>text/plain</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cpio</extension>
> +        <mime-type>application/x-cpio</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cpp</extension>
> +        <mime-type>text/x-c</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cpt</extension>
> +        <mime-type>application/mac-compactpro</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>crd</extension>
> +        <mime-type>application/x-mscardfile</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>crl</extension>
> +        <mime-type>application/pkix-crl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>crt</extension>
> +        <mime-type>application/x-x509-ca-cert</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cryptonote</extension>
> +        <mime-type>application/vnd.rig.cryptonote</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>csh</extension>
> +        <mime-type>application/x-csh</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>csml</extension>
> +        <mime-type>chemical/x-csml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>csp</extension>
> +        <mime-type>application/vnd.commonspace</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>css</extension>
> +        <mime-type>text/css</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cst</extension>
> +        <mime-type>application/x-director</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>csv</extension>
> +        <mime-type>text/csv</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cu</extension>
> +        <mime-type>application/cu-seeme</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>curl</extension>
> +        <mime-type>text/vnd.curl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cww</extension>
> +        <mime-type>application/prs.cww</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cxt</extension>
> +        <mime-type>application/x-director</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>cxx</extension>
> +        <mime-type>text/x-c</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dae</extension>
> +        <mime-type>model/vnd.collada+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>daf</extension>
> +        <mime-type>application/vnd.mobius.daf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dataless</extension>
> +        <mime-type>application/vnd.fdsn.seed</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>davmount</extension>
> +        <mime-type>application/davmount+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dcr</extension>
> +        <mime-type>application/x-director</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dcurl</extension>
> +        <mime-type>text/vnd.curl.dcurl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dd2</extension>
> +        <mime-type>application/vnd.oma.dd2+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ddd</extension>
> +        <mime-type>application/vnd.fujixerox.ddd</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>deb</extension>
> +        <mime-type>application/x-debian-package</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>def</extension>
> +        <mime-type>text/plain</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>deploy</extension>
> +        <mime-type>application/octet-stream</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>der</extension>
> +        <mime-type>application/x-x509-ca-cert</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dfac</extension>
> +        <mime-type>application/vnd.dreamfactory</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dib</extension>
> +        <mime-type>image/bmp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dic</extension>
> +        <mime-type>text/x-c</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dir</extension>
> +        <mime-type>application/x-director</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dis</extension>
> +        <mime-type>application/vnd.mobius.dis</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dist</extension>
> +        <mime-type>application/octet-stream</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>distz</extension>
> +        <mime-type>application/octet-stream</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>djv</extension>
> +        <mime-type>image/vnd.djvu</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>djvu</extension>
> +        <mime-type>image/vnd.djvu</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dll</extension>
> +        <mime-type>application/x-msdownload</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dmg</extension>
> +        <mime-type>application/octet-stream</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dmp</extension>
> +        <mime-type>application/vnd.tcpdump.pcap</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dms</extension>
> +        <mime-type>application/octet-stream</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dna</extension>
> +        <mime-type>application/vnd.dna</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>doc</extension>
> +        <mime-type>application/msword</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>docm</extension>
> +        <mime-type>application/vnd.ms-word.document.macroenabled.12</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>docx</extension>
> +        <mime-type>application/vnd.openxmlformats-officedocument.wordprocessingml.document</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dot</extension>
> +        <mime-type>application/msword</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dotm</extension>
> +        <mime-type>application/vnd.ms-word.template.macroenabled.12</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dotx</extension>
> +        <mime-type>application/vnd.openxmlformats-officedocument.wordprocessingml.template</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dp</extension>
> +        <mime-type>application/vnd.osgi.dp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dpg</extension>
> +        <mime-type>application/vnd.dpgraph</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dra</extension>
> +        <mime-type>audio/vnd.dra</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dsc</extension>
> +        <mime-type>text/prs.lines.tag</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dssc</extension>
> +        <mime-type>application/dssc+der</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dtb</extension>
> +        <mime-type>application/x-dtbook+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dtd</extension>
> +        <mime-type>application/xml-dtd</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dts</extension>
> +        <mime-type>audio/vnd.dts</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dtshd</extension>
> +        <mime-type>audio/vnd.dts.hd</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dump</extension>
> +        <mime-type>application/octet-stream</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dv</extension>
> +        <mime-type>video/x-dv</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dvb</extension>
> +        <mime-type>video/vnd.dvb.file</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dvi</extension>
> +        <mime-type>application/x-dvi</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dwf</extension>
> +        <mime-type>model/vnd.dwf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dwg</extension>
> +        <mime-type>image/vnd.dwg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dxf</extension>
> +        <mime-type>image/vnd.dxf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dxp</extension>
> +        <mime-type>application/vnd.spotfire.dxp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>dxr</extension>
> +        <mime-type>application/x-director</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ecelp4800</extension>
> +        <mime-type>audio/vnd.nuera.ecelp4800</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ecelp7470</extension>
> +        <mime-type>audio/vnd.nuera.ecelp7470</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ecelp9600</extension>
> +        <mime-type>audio/vnd.nuera.ecelp9600</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ecma</extension>
> +        <mime-type>application/ecmascript</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>edm</extension>
> +        <mime-type>application/vnd.novadigm.edm</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>edx</extension>
> +        <mime-type>application/vnd.novadigm.edx</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>efif</extension>
> +        <mime-type>application/vnd.picsel</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ei6</extension>
> +        <mime-type>application/vnd.pg.osasli</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>elc</extension>
> +        <mime-type>application/octet-stream</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>eml</extension>
> +        <mime-type>message/rfc822</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>emma</extension>
> +        <mime-type>application/emma+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>eol</extension>
> +        <mime-type>audio/vnd.digital-winds</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>eot</extension>
> +        <mime-type>application/vnd.ms-fontobject</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>eps</extension>
> +        <mime-type>application/postscript</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>epub</extension>
> +        <mime-type>application/epub+zip</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>es3</extension>
> +        <mime-type>application/vnd.eszigno3+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>esf</extension>
> +        <mime-type>application/vnd.epson.esf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>et3</extension>
> +        <mime-type>application/vnd.eszigno3+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>etx</extension>
> +        <mime-type>text/x-setext</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>exe</extension>
> +        <mime-type>application/octet-stream</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>exi</extension>
> +        <mime-type>application/exi</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ext</extension>
> +        <mime-type>application/vnd.novadigm.ext</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ez</extension>
> +        <mime-type>application/andrew-inset</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ez2</extension>
> +        <mime-type>application/vnd.ezpix-album</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ez3</extension>
> +        <mime-type>application/vnd.ezpix-package</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>f</extension>
> +        <mime-type>text/x-fortran</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>f4v</extension>
> +        <mime-type>video/x-f4v</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>f77</extension>
> +        <mime-type>text/x-fortran</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>f90</extension>
> +        <mime-type>text/x-fortran</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fbs</extension>
> +        <mime-type>image/vnd.fastbidsheet</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fcs</extension>
> +        <mime-type>application/vnd.isac.fcs</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fdf</extension>
> +        <mime-type>application/vnd.fdf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fe_launch</extension>
> +        <mime-type>application/vnd.denovo.fcselayout-link</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fg5</extension>
> +        <mime-type>application/vnd.fujitsu.oasysgp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fgd</extension>
> +        <mime-type>application/x-director</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fh</extension>
> +        <mime-type>image/x-freehand</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fh4</extension>
> +        <mime-type>image/x-freehand</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fh5</extension>
> +        <mime-type>image/x-freehand</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fh7</extension>
> +        <mime-type>image/x-freehand</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fhc</extension>
> +        <mime-type>image/x-freehand</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fig</extension>
> +        <mime-type>application/x-xfig</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>flac</extension>
> +        <mime-type>audio/flac</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fli</extension>
> +        <mime-type>video/x-fli</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>flo</extension>
> +        <mime-type>application/vnd.micrografx.flo</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>flv</extension>
> +        <mime-type>video/x-flv</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>flw</extension>
> +        <mime-type>application/vnd.kde.kivio</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>flx</extension>
> +        <mime-type>text/vnd.fmi.flexstor</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fly</extension>
> +        <mime-type>text/vnd.fly</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fm</extension>
> +        <mime-type>application/vnd.framemaker</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fnc</extension>
> +        <mime-type>application/vnd.frogans.fnc</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>for</extension>
> +        <mime-type>text/x-fortran</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fpx</extension>
> +        <mime-type>image/vnd.fpx</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>frame</extension>
> +        <mime-type>application/vnd.framemaker</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fsc</extension>
> +        <mime-type>application/vnd.fsc.weblaunch</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fst</extension>
> +        <mime-type>image/vnd.fst</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ftc</extension>
> +        <mime-type>application/vnd.fluxtime.clip</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fti</extension>
> +        <mime-type>application/vnd.anser-web-funds-transfer-initiation</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fvt</extension>
> +        <mime-type>video/vnd.fvt</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fxp</extension>
> +        <mime-type>application/vnd.adobe.fxp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fxpl</extension>
> +        <mime-type>application/vnd.adobe.fxp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>fzs</extension>
> +        <mime-type>application/vnd.fuzzysheet</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>g2w</extension>
> +        <mime-type>application/vnd.geoplan</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>g3</extension>
> +        <mime-type>image/g3fax</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>g3w</extension>
> +        <mime-type>application/vnd.geospace</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gac</extension>
> +        <mime-type>application/vnd.groove-account</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gbr</extension>
> +        <mime-type>application/rpki-ghostbusters</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gdl</extension>
> +        <mime-type>model/vnd.gdl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>geo</extension>
> +        <mime-type>application/vnd.dynageo</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gex</extension>
> +        <mime-type>application/vnd.geometry-explorer</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ggb</extension>
> +        <mime-type>application/vnd.geogebra.file</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ggt</extension>
> +        <mime-type>application/vnd.geogebra.tool</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ghf</extension>
> +        <mime-type>application/vnd.groove-help</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gif</extension>
> +        <mime-type>image/gif</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gim</extension>
> +        <mime-type>application/vnd.groove-identity-message</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gmx</extension>
> +        <mime-type>application/vnd.gmx</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gnumeric</extension>
> +        <mime-type>application/x-gnumeric</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gph</extension>
> +        <mime-type>application/vnd.flographit</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gqf</extension>
> +        <mime-type>application/vnd.grafeq</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gqs</extension>
> +        <mime-type>application/vnd.grafeq</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gram</extension>
> +        <mime-type>application/srgs</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gre</extension>
> +        <mime-type>application/vnd.geometry-explorer</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>grv</extension>
> +        <mime-type>application/vnd.groove-injector</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>grxml</extension>
> +        <mime-type>application/srgs+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gsf</extension>
> +        <mime-type>application/x-font-ghostscript</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gtar</extension>
> +        <mime-type>application/x-gtar</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gtm</extension>
> +        <mime-type>application/vnd.groove-tool-message</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gtw</extension>
> +        <mime-type>model/vnd.gtw</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gv</extension>
> +        <mime-type>text/vnd.graphviz</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gxt</extension>
> +        <mime-type>application/vnd.geonext</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>gz</extension>
> +        <mime-type>application/x-gzip</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>h</extension>
> +        <mime-type>text/x-c</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>h261</extension>
> +        <mime-type>video/h261</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>h263</extension>
> +        <mime-type>video/h263</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>h264</extension>
> +        <mime-type>video/h264</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>hal</extension>
> +        <mime-type>application/vnd.hal+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>hbci</extension>
> +        <mime-type>application/vnd.hbci</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>hdf</extension>
> +        <mime-type>application/x-hdf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>hh</extension>
> +        <mime-type>text/x-c</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>hlp</extension>
> +        <mime-type>application/winhlp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>hpgl</extension>
> +        <mime-type>application/vnd.hp-hpgl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>hpid</extension>
> +        <mime-type>application/vnd.hp-hpid</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>hps</extension>
> +        <mime-type>application/vnd.hp-hps</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>hqx</extension>
> +        <mime-type>application/mac-binhex40</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>htc</extension>
> +        <mime-type>text/x-component</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>htke</extension>
> +        <mime-type>application/vnd.kenameaapp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>htm</extension>
> +        <mime-type>text/html</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>html</extension>
> +        <mime-type>text/html</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>hvd</extension>
> +        <mime-type>application/vnd.yamaha.hv-dic</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>hvp</extension>
> +        <mime-type>application/vnd.yamaha.hv-voice</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>hvs</extension>
> +        <mime-type>application/vnd.yamaha.hv-script</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>i2g</extension>
> +        <mime-type>application/vnd.intergeo</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>icc</extension>
> +        <mime-type>application/vnd.iccprofile</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ice</extension>
> +        <mime-type>x-conference/x-cooltalk</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>icm</extension>
> +        <mime-type>application/vnd.iccprofile</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ico</extension>
> +        <mime-type>image/x-icon</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ics</extension>
> +        <mime-type>text/calendar</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ief</extension>
> +        <mime-type>image/ief</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ifb</extension>
> +        <mime-type>text/calendar</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ifm</extension>
> +        <mime-type>application/vnd.shana.informed.formdata</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>iges</extension>
> +        <mime-type>model/iges</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>igl</extension>
> +        <mime-type>application/vnd.igloader</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>igm</extension>
> +        <mime-type>application/vnd.insors.igm</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>igs</extension>
> +        <mime-type>model/iges</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>igx</extension>
> +        <mime-type>application/vnd.micrografx.igx</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>iif</extension>
> +        <mime-type>application/vnd.shana.informed.interchange</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>imp</extension>
> +        <mime-type>application/vnd.accpac.simply.imp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ims</extension>
> +        <mime-type>application/vnd.ms-ims</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>in</extension>
> +        <mime-type>text/plain</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ink</extension>
> +        <mime-type>application/inkml+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>inkml</extension>
> +        <mime-type>application/inkml+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>iota</extension>
> +        <mime-type>application/vnd.astraea-software.iota</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ipfix</extension>
> +        <mime-type>application/ipfix</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ipk</extension>
> +        <mime-type>application/vnd.shana.informed.package</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>irm</extension>
> +        <mime-type>application/vnd.ibm.rights-management</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>irp</extension>
> +        <mime-type>application/vnd.irepository.package+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>iso</extension>
> +        <mime-type>application/octet-stream</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>itp</extension>
> +        <mime-type>application/vnd.shana.informed.formtemplate</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ivp</extension>
> +        <mime-type>application/vnd.immervision-ivp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ivu</extension>
> +        <mime-type>application/vnd.immervision-ivu</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>jad</extension>
> +        <mime-type>text/vnd.sun.j2me.app-descriptor</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>jam</extension>
> +        <mime-type>application/vnd.jam</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>jar</extension>
> +        <mime-type>application/java-archive</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>java</extension>
> +        <mime-type>text/x-java-source</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>jisp</extension>
> +        <mime-type>application/vnd.jisp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>jlt</extension>
> +        <mime-type>application/vnd.hp-jlyt</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>jnlp</extension>
> +        <mime-type>application/x-java-jnlp-file</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>joda</extension>
> +        <mime-type>application/vnd.joost.joda-archive</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>jpe</extension>
> +        <mime-type>image/jpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>jpeg</extension>
> +        <mime-type>image/jpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>jpg</extension>
> +        <mime-type>image/jpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>jpgm</extension>
> +        <mime-type>video/jpm</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>jpgv</extension>
> +        <mime-type>video/jpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>jpm</extension>
> +        <mime-type>video/jpm</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>js</extension>
> +        <mime-type>application/javascript</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>jsf</extension>
> +        <mime-type>text/plain</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>json</extension>
> +        <mime-type>application/json</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>jspf</extension>
> +        <mime-type>text/plain</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>kar</extension>
> +        <mime-type>audio/midi</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>karbon</extension>
> +        <mime-type>application/vnd.kde.karbon</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>kfo</extension>
> +        <mime-type>application/vnd.kde.kformula</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>kia</extension>
> +        <mime-type>application/vnd.kidspiration</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>kml</extension>
> +        <mime-type>application/vnd.google-earth.kml+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>kmz</extension>
> +        <mime-type>application/vnd.google-earth.kmz</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>kne</extension>
> +        <mime-type>application/vnd.kinar</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>knp</extension>
> +        <mime-type>application/vnd.kinar</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>kon</extension>
> +        <mime-type>application/vnd.kde.kontour</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>kpr</extension>
> +        <mime-type>application/vnd.kde.kpresenter</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>kpt</extension>
> +        <mime-type>application/vnd.kde.kpresenter</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ksp</extension>
> +        <mime-type>application/vnd.kde.kspread</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ktr</extension>
> +        <mime-type>application/vnd.kahootz</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ktx</extension>
> +        <mime-type>image/ktx</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ktz</extension>
> +        <mime-type>application/vnd.kahootz</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>kwd</extension>
> +        <mime-type>application/vnd.kde.kword</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>kwt</extension>
> +        <mime-type>application/vnd.kde.kword</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>lasxml</extension>
> +        <mime-type>application/vnd.las.las+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>latex</extension>
> +        <mime-type>application/x-latex</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>lbd</extension>
> +        <mime-type>application/vnd.llamagraphics.life-balance.desktop</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>lbe</extension>
> +        <mime-type>application/vnd.llamagraphics.life-balance.exchange+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>les</extension>
> +        <mime-type>application/vnd.hhe.lesson-player</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>lha</extension>
> +        <mime-type>application/octet-stream</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>link66</extension>
> +        <mime-type>application/vnd.route66.link66+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>list</extension>
> +        <mime-type>text/plain</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>list3820</extension>
> +        <mime-type>application/vnd.ibm.modcap</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>listafp</extension>
> +        <mime-type>application/vnd.ibm.modcap</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>log</extension>
> +        <mime-type>text/plain</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>lostxml</extension>
> +        <mime-type>application/lost+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>lrf</extension>
> +        <mime-type>application/octet-stream</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>lrm</extension>
> +        <mime-type>application/vnd.ms-lrm</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ltf</extension>
> +        <mime-type>application/vnd.frogans.ltf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>lvp</extension>
> +        <mime-type>audio/vnd.lucent.voice</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>lwp</extension>
> +        <mime-type>application/vnd.lotus-wordpro</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>lzh</extension>
> +        <mime-type>application/octet-stream</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>m13</extension>
> +        <mime-type>application/x-msmediaview</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>m14</extension>
> +        <mime-type>application/x-msmediaview</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>m1v</extension>
> +        <mime-type>video/mpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>m21</extension>
> +        <mime-type>application/mp21</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>m2a</extension>
> +        <mime-type>audio/mpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>m2v</extension>
> +        <mime-type>video/mpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>m3a</extension>
> +        <mime-type>audio/mpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>m3u</extension>
> +        <mime-type>audio/x-mpegurl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>m3u8</extension>
> +        <mime-type>application/vnd.apple.mpegurl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>m4a</extension>
> +        <mime-type>audio/mp4</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>m4b</extension>
> +        <mime-type>audio/mp4</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>m4r</extension>
> +        <mime-type>audio/mp4</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>m4u</extension>
> +        <mime-type>video/vnd.mpegurl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>m4v</extension>
> +        <mime-type>video/mp4</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ma</extension>
> +        <mime-type>application/mathematica</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mac</extension>
> +        <mime-type>image/x-macpaint</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mads</extension>
> +        <mime-type>application/mads+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mag</extension>
> +        <mime-type>application/vnd.ecowin.chart</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>maker</extension>
> +        <mime-type>application/vnd.framemaker</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>man</extension>
> +        <mime-type>text/troff</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mathml</extension>
> +        <mime-type>application/mathml+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mb</extension>
> +        <mime-type>application/mathematica</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mbk</extension>
> +        <mime-type>application/vnd.mobius.mbk</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mbox</extension>
> +        <mime-type>application/mbox</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mc1</extension>
> +        <mime-type>application/vnd.medcalcdata</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mcd</extension>
> +        <mime-type>application/vnd.mcd</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mcurl</extension>
> +        <mime-type>text/vnd.curl.mcurl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mdb</extension>
> +        <mime-type>application/x-msaccess</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mdi</extension>
> +        <mime-type>image/vnd.ms-modi</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>me</extension>
> +        <mime-type>text/troff</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mesh</extension>
> +        <mime-type>model/mesh</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>meta4</extension>
> +        <mime-type>application/metalink4+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mets</extension>
> +        <mime-type>application/mets+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mfm</extension>
> +        <mime-type>application/vnd.mfmp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mft</extension>
> +        <mime-type>application/rpki-manifest</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mgp</extension>
> +        <mime-type>application/vnd.osgeo.mapguide.package</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mgz</extension>
> +        <mime-type>application/vnd.proteus.magazine</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mid</extension>
> +        <mime-type>audio/midi</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>midi</extension>
> +        <mime-type>audio/midi</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mif</extension>
> +        <mime-type>application/x-mif</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mime</extension>
> +        <mime-type>message/rfc822</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mj2</extension>
> +        <mime-type>video/mj2</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mjp2</extension>
> +        <mime-type>video/mj2</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mlp</extension>
> +        <mime-type>application/vnd.dolby.mlp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mmd</extension>
> +        <mime-type>application/vnd.chipnuts.karaoke-mmd</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mmf</extension>
> +        <mime-type>application/vnd.smaf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mmr</extension>
> +        <mime-type>image/vnd.fujixerox.edmics-mmr</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mny</extension>
> +        <mime-type>application/x-msmoney</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mobi</extension>
> +        <mime-type>application/x-mobipocket-ebook</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mods</extension>
> +        <mime-type>application/mods+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mov</extension>
> +        <mime-type>video/quicktime</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>movie</extension>
> +        <mime-type>video/x-sgi-movie</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mp1</extension>
> +        <mime-type>audio/mpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mp2</extension>
> +        <mime-type>audio/mpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mp21</extension>
> +        <mime-type>application/mp21</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mp2a</extension>
> +        <mime-type>audio/mpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mp3</extension>
> +        <mime-type>audio/mpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mp4</extension>
> +        <mime-type>video/mp4</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mp4a</extension>
> +        <mime-type>audio/mp4</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mp4s</extension>
> +        <mime-type>application/mp4</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mp4v</extension>
> +        <mime-type>video/mp4</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mpa</extension>
> +        <mime-type>audio/mpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mpc</extension>
> +        <mime-type>application/vnd.mophun.certificate</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mpe</extension>
> +        <mime-type>video/mpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mpeg</extension>
> +        <mime-type>video/mpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mpega</extension>
> +        <mime-type>audio/x-mpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mpg</extension>
> +        <mime-type>video/mpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mpg4</extension>
> +        <mime-type>video/mp4</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mpga</extension>
> +        <mime-type>audio/mpeg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mpkg</extension>
> +        <mime-type>application/vnd.apple.installer+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mpm</extension>
> +        <mime-type>application/vnd.blueice.multipass</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mpn</extension>
> +        <mime-type>application/vnd.mophun.application</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mpp</extension>
> +        <mime-type>application/vnd.ms-project</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mpt</extension>
> +        <mime-type>application/vnd.ms-project</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mpv2</extension>
> +        <mime-type>video/mpeg2</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mpy</extension>
> +        <mime-type>application/vnd.ibm.minipay</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mqy</extension>
> +        <mime-type>application/vnd.mobius.mqy</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mrc</extension>
> +        <mime-type>application/marc</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mrcx</extension>
> +        <mime-type>application/marcxml+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ms</extension>
> +        <mime-type>text/troff</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mscml</extension>
> +        <mime-type>application/mediaservercontrol+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mseed</extension>
> +        <mime-type>application/vnd.fdsn.mseed</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mseq</extension>
> +        <mime-type>application/vnd.mseq</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>msf</extension>
> +        <mime-type>application/vnd.epson.msf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>msh</extension>
> +        <mime-type>model/mesh</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>msi</extension>
> +        <mime-type>application/x-msdownload</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>msl</extension>
> +        <mime-type>application/vnd.mobius.msl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>msty</extension>
> +        <mime-type>application/vnd.muvee.style</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mts</extension>
> +        <mime-type>model/vnd.mts</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mus</extension>
> +        <mime-type>application/vnd.musician</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>musicxml</extension>
> +        <mime-type>application/vnd.recordare.musicxml+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mvb</extension>
> +        <mime-type>application/x-msmediaview</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mwf</extension>
> +        <mime-type>application/vnd.mfer</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mxf</extension>
> +        <mime-type>application/mxf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mxl</extension>
> +        <mime-type>application/vnd.recordare.musicxml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mxml</extension>
> +        <mime-type>application/xv+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mxs</extension>
> +        <mime-type>application/vnd.triscape.mxs</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>mxu</extension>
> +        <mime-type>video/vnd.mpegurl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>n-gage</extension>
> +        <mime-type>application/vnd.nokia.n-gage.symbian.install</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>n3</extension>
> +        <mime-type>text/n3</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>nb</extension>
> +        <mime-type>application/mathematica</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>nbp</extension>
> +        <mime-type>application/vnd.wolfram.player</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>nc</extension>
> +        <mime-type>application/x-netcdf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ncx</extension>
> +        <mime-type>application/x-dtbncx+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ngdat</extension>
> +        <mime-type>application/vnd.nokia.n-gage.data</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>nlu</extension>
> +        <mime-type>application/vnd.neurolanguage.nlu</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>nml</extension>
> +        <mime-type>application/vnd.enliven</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>nnd</extension>
> +        <mime-type>application/vnd.noblenet-directory</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>nns</extension>
> +        <mime-type>application/vnd.noblenet-sealer</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>nnw</extension>
> +        <mime-type>application/vnd.noblenet-web</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>npx</extension>
> +        <mime-type>image/vnd.net-fpx</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>nsf</extension>
> +        <mime-type>application/vnd.lotus-notes</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>oa2</extension>
> +        <mime-type>application/vnd.fujitsu.oasys2</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>oa3</extension>
> +        <mime-type>application/vnd.fujitsu.oasys3</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>oas</extension>
> +        <mime-type>application/vnd.fujitsu.oasys</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>obd</extension>
> +        <mime-type>application/x-msbinder</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>oda</extension>
> +        <mime-type>application/oda</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- OpenDocument Database -->
> +        <extension>odb</extension>
> +        <mime-type>application/vnd.oasis.opendocument.database</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- OpenDocument Chart -->
> +        <extension>odc</extension>
> +        <mime-type>application/vnd.oasis.opendocument.chart</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- OpenDocument Formula -->
> +        <extension>odf</extension>
> +        <mime-type>application/vnd.oasis.opendocument.formula</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>odft</extension>
> +        <mime-type>application/vnd.oasis.opendocument.formula-template</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- OpenDocument Drawing -->
> +        <extension>odg</extension>
> +        <mime-type>application/vnd.oasis.opendocument.graphics</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- OpenDocument Image -->
> +        <extension>odi</extension>
> +        <mime-type>application/vnd.oasis.opendocument.image</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- OpenDocument Master Document -->
> +        <extension>odm</extension>
> +        <mime-type>application/vnd.oasis.opendocument.text-master</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- OpenDocument Presentation -->
> +        <extension>odp</extension>
> +        <mime-type>application/vnd.oasis.opendocument.presentation</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- OpenDocument Spreadsheet -->
> +        <extension>ods</extension>
> +        <mime-type>application/vnd.oasis.opendocument.spreadsheet</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- OpenDocument Text -->
> +        <extension>odt</extension>
> +        <mime-type>application/vnd.oasis.opendocument.text</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>oga</extension>
> +        <mime-type>audio/ogg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ogg</extension>
> +        <mime-type>audio/ogg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ogv</extension>
> +        <mime-type>video/ogg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- xiph mime types -->
> +        <extension>ogx</extension>
> +        <mime-type>application/ogg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>onepkg</extension>
> +        <mime-type>application/onenote</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>onetmp</extension>
> +        <mime-type>application/onenote</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>onetoc</extension>
> +        <mime-type>application/onenote</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>onetoc2</extension>
> +        <mime-type>application/onenote</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>opf</extension>
> +        <mime-type>application/oebps-package+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>oprc</extension>
> +        <mime-type>application/vnd.palm</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>org</extension>
> +        <mime-type>application/vnd.lotus-organizer</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>osf</extension>
> +        <mime-type>application/vnd.yamaha.openscoreformat</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>osfpvg</extension>
> +        <mime-type>application/vnd.yamaha.openscoreformat.osfpvg+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>otc</extension>
> +        <mime-type>application/vnd.oasis.opendocument.chart-template</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>otf</extension>
> +        <mime-type>application/x-font-otf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- OpenDocument Drawing Template -->
> +        <extension>otg</extension>
> +        <mime-type>application/vnd.oasis.opendocument.graphics-template</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- HTML Document Template -->
> +        <extension>oth</extension>
> +        <mime-type>application/vnd.oasis.opendocument.text-web</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>oti</extension>
> +        <mime-type>application/vnd.oasis.opendocument.image-template</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- OpenDocument Presentation Template -->
> +        <extension>otp</extension>
> +        <mime-type>application/vnd.oasis.opendocument.presentation-template</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- OpenDocument Spreadsheet Template -->
> +        <extension>ots</extension>
> +        <mime-type>application/vnd.oasis.opendocument.spreadsheet-template</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- OpenDocument Text Template -->
> +        <extension>ott</extension>
> +        <mime-type>application/vnd.oasis.opendocument.text-template</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>oxps</extension>
> +        <mime-type>application/oxps</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>oxt</extension>
> +        <mime-type>application/vnd.openofficeorg.extension</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>p</extension>
> +        <mime-type>text/x-pascal</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>p10</extension>
> +        <mime-type>application/pkcs10</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>p12</extension>
> +        <mime-type>application/x-pkcs12</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>p7b</extension>
> +        <mime-type>application/x-pkcs7-certificates</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>p7c</extension>
> +        <mime-type>application/pkcs7-mime</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>p7m</extension>
> +        <mime-type>application/pkcs7-mime</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>p7r</extension>
> +        <mime-type>application/x-pkcs7-certreqresp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>p7s</extension>
> +        <mime-type>application/pkcs7-signature</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>p8</extension>
> +        <mime-type>application/pkcs8</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pas</extension>
> +        <mime-type>text/x-pascal</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>paw</extension>
> +        <mime-type>application/vnd.pawaafile</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pbd</extension>
> +        <mime-type>application/vnd.powerbuilder6</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pbm</extension>
> +        <mime-type>image/x-portable-bitmap</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pcap</extension>
> +        <mime-type>application/vnd.tcpdump.pcap</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pcf</extension>
> +        <mime-type>application/x-font-pcf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pcl</extension>
> +        <mime-type>application/vnd.hp-pcl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pclxl</extension>
> +        <mime-type>application/vnd.hp-pclxl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pct</extension>
> +        <mime-type>image/pict</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pcurl</extension>
> +        <mime-type>application/vnd.curl.pcurl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pcx</extension>
> +        <mime-type>image/x-pcx</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pdb</extension>
> +        <mime-type>application/vnd.palm</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pdf</extension>
> +        <mime-type>application/pdf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pfa</extension>
> +        <mime-type>application/x-font-type1</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pfb</extension>
> +        <mime-type>application/x-font-type1</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pfm</extension>
> +        <mime-type>application/x-font-type1</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pfr</extension>
> +        <mime-type>application/font-tdpfr</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pfx</extension>
> +        <mime-type>application/x-pkcs12</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pgm</extension>
> +        <mime-type>image/x-portable-graymap</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pgn</extension>
> +        <mime-type>application/x-chess-pgn</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pgp</extension>
> +        <mime-type>application/pgp-encrypted</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pic</extension>
> +        <mime-type>image/pict</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pict</extension>
> +        <mime-type>image/pict</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pkg</extension>
> +        <mime-type>application/octet-stream</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pki</extension>
> +        <mime-type>application/pkixcmp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pkipath</extension>
> +        <mime-type>application/pkix-pkipath</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>plb</extension>
> +        <mime-type>application/vnd.3gpp.pic-bw-large</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>plc</extension>
> +        <mime-type>application/vnd.mobius.plc</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>plf</extension>
> +        <mime-type>application/vnd.pocketlearn</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pls</extension>
> +        <mime-type>audio/x-scpls</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pml</extension>
> +        <mime-type>application/vnd.ctc-posml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>png</extension>
> +        <mime-type>image/png</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pnm</extension>
> +        <mime-type>image/x-portable-anymap</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pnt</extension>
> +        <mime-type>image/x-macpaint</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>portpkg</extension>
> +        <mime-type>application/vnd.macports.portpkg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pot</extension>
> +        <mime-type>application/vnd.ms-powerpoint</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>potm</extension>
> +        <mime-type>application/vnd.ms-powerpoint.template.macroenabled.12</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>potx</extension>
> +        <mime-type>application/vnd.openxmlformats-officedocument.presentationml.template</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ppam</extension>
> +        <mime-type>application/vnd.ms-powerpoint.addin.macroenabled.12</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ppd</extension>
> +        <mime-type>application/vnd.cups-ppd</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ppm</extension>
> +        <mime-type>image/x-portable-pixmap</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pps</extension>
> +        <mime-type>application/vnd.ms-powerpoint</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ppsm</extension>
> +        <mime-type>application/vnd.ms-powerpoint.slideshow.macroenabled.12</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ppsx</extension>
> +        <mime-type>application/vnd.openxmlformats-officedocument.presentationml.slideshow</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ppt</extension>
> +        <mime-type>application/vnd.ms-powerpoint</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pptm</extension>
> +        <mime-type>application/vnd.ms-powerpoint.presentation.macroenabled.12</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pptx</extension>
> +        <mime-type>application/vnd.openxmlformats-officedocument.presentationml.presentation</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pqa</extension>
> +        <mime-type>application/vnd.palm</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>prc</extension>
> +        <mime-type>application/x-mobipocket-ebook</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pre</extension>
> +        <mime-type>application/vnd.lotus-freelance</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>prf</extension>
> +        <mime-type>application/pics-rules</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ps</extension>
> +        <mime-type>application/postscript</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>psb</extension>
> +        <mime-type>application/vnd.3gpp.pic-bw-small</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>psd</extension>
> +        <mime-type>image/vnd.adobe.photoshop</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>psf</extension>
> +        <mime-type>application/x-font-linux-psf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pskcxml</extension>
> +        <mime-type>application/pskc+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ptid</extension>
> +        <mime-type>application/vnd.pvi.ptid1</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pub</extension>
> +        <mime-type>application/x-mspublisher</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pvb</extension>
> +        <mime-type>application/vnd.3gpp.pic-bw-var</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pwn</extension>
> +        <mime-type>application/vnd.3m.post-it-notes</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pya</extension>
> +        <mime-type>audio/vnd.ms-playready.media.pya</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>pyv</extension>
> +        <mime-type>video/vnd.ms-playready.media.pyv</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>qam</extension>
> +        <mime-type>application/vnd.epson.quickanime</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>qbo</extension>
> +        <mime-type>application/vnd.intu.qbo</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>qfx</extension>
> +        <mime-type>application/vnd.intu.qfx</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>qps</extension>
> +        <mime-type>application/vnd.publishare-delta-tree</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>qt</extension>
> +        <mime-type>video/quicktime</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>qti</extension>
> +        <mime-type>image/x-quicktime</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>qtif</extension>
> +        <mime-type>image/x-quicktime</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>qwd</extension>
> +        <mime-type>application/vnd.quark.quarkxpress</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>qwt</extension>
> +        <mime-type>application/vnd.quark.quarkxpress</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>qxb</extension>
> +        <mime-type>application/vnd.quark.quarkxpress</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>qxd</extension>
> +        <mime-type>application/vnd.quark.quarkxpress</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>qxl</extension>
> +        <mime-type>application/vnd.quark.quarkxpress</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>qxt</extension>
> +        <mime-type>application/vnd.quark.quarkxpress</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ra</extension>
> +        <mime-type>audio/x-pn-realaudio</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ram</extension>
> +        <mime-type>audio/x-pn-realaudio</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rar</extension>
> +        <mime-type>application/x-rar-compressed</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ras</extension>
> +        <mime-type>image/x-cmu-raster</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rcprofile</extension>
> +        <mime-type>application/vnd.ipunplugged.rcprofile</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rdf</extension>
> +        <mime-type>application/rdf+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rdz</extension>
> +        <mime-type>application/vnd.data-vision.rdz</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rep</extension>
> +        <mime-type>application/vnd.businessobjects</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>res</extension>
> +        <mime-type>application/x-dtbresource+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rgb</extension>
> +        <mime-type>image/x-rgb</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rif</extension>
> +        <mime-type>application/reginfo+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rip</extension>
> +        <mime-type>audio/vnd.rip</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rl</extension>
> +        <mime-type>application/resource-lists+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rlc</extension>
> +        <mime-type>image/vnd.fujixerox.edmics-rlc</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rld</extension>
> +        <mime-type>application/resource-lists-diff+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rm</extension>
> +        <mime-type>application/vnd.rn-realmedia</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rmi</extension>
> +        <mime-type>audio/midi</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rmp</extension>
> +        <mime-type>audio/x-pn-realaudio-plugin</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rms</extension>
> +        <mime-type>application/vnd.jcp.javame.midlet-rms</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rnc</extension>
> +        <mime-type>application/relax-ng-compact-syntax</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>roa</extension>
> +        <mime-type>application/rpki-roa</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>roff</extension>
> +        <mime-type>text/troff</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rp9</extension>
> +        <mime-type>application/vnd.cloanto.rp9</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rpss</extension>
> +        <mime-type>application/vnd.nokia.radio-presets</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rpst</extension>
> +        <mime-type>application/vnd.nokia.radio-preset</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rq</extension>
> +        <mime-type>application/sparql-query</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rs</extension>
> +        <mime-type>application/rls-services+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rsd</extension>
> +        <mime-type>application/rsd+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rss</extension>
> +        <mime-type>application/rss+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rtf</extension>
> +        <mime-type>application/rtf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>rtx</extension>
> +        <mime-type>text/richtext</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>s</extension>
> +        <mime-type>text/x-asm</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>saf</extension>
> +        <mime-type>application/vnd.yamaha.smaf-audio</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sbml</extension>
> +        <mime-type>application/sbml+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sc</extension>
> +        <mime-type>application/vnd.ibm.secure-container</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>scd</extension>
> +        <mime-type>application/x-msschedule</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>scm</extension>
> +        <mime-type>application/vnd.lotus-screencam</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>scq</extension>
> +        <mime-type>application/scvp-cv-request</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>scs</extension>
> +        <mime-type>application/scvp-cv-response</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>scurl</extension>
> +        <mime-type>text/vnd.curl.scurl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sda</extension>
> +        <mime-type>application/vnd.stardivision.draw</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sdc</extension>
> +        <mime-type>application/vnd.stardivision.calc</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sdd</extension>
> +        <mime-type>application/vnd.stardivision.impress</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sdkd</extension>
> +        <mime-type>application/vnd.solent.sdkm+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sdkm</extension>
> +        <mime-type>application/vnd.solent.sdkm+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sdp</extension>
> +        <mime-type>application/sdp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sdw</extension>
> +        <mime-type>application/vnd.stardivision.writer</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>see</extension>
> +        <mime-type>application/vnd.seemail</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>seed</extension>
> +        <mime-type>application/vnd.fdsn.seed</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sema</extension>
> +        <mime-type>application/vnd.sema</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>semd</extension>
> +        <mime-type>application/vnd.semd</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>semf</extension>
> +        <mime-type>application/vnd.semf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ser</extension>
> +        <mime-type>application/java-serialized-object</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>setpay</extension>
> +        <mime-type>application/set-payment-initiation</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>setreg</extension>
> +        <mime-type>application/set-registration-initiation</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sfd-hdstx</extension>
> +        <mime-type>application/vnd.hydrostatix.sof-data</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sfs</extension>
> +        <mime-type>application/vnd.spotfire.sfs</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sgl</extension>
> +        <mime-type>application/vnd.stardivision.writer-global</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sgm</extension>
> +        <mime-type>text/sgml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sgml</extension>
> +        <mime-type>text/sgml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sh</extension>
> +        <mime-type>application/x-sh</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>shar</extension>
> +        <mime-type>application/x-shar</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>shf</extension>
> +        <mime-type>application/shf+xml</mime-type>
> +    </mime-mapping>
> +    <!--
> +    <mime-mapping>
> +        <extension>shtml</extension>
> +        <mime-type>text/x-server-parsed-html</mime-type>
> +    </mime-mapping>
> +    -->
> +    <mime-mapping>
> +        <extension>sig</extension>
> +        <mime-type>application/pgp-signature</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>silo</extension>
> +        <mime-type>model/mesh</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sis</extension>
> +        <mime-type>application/vnd.symbian.install</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sisx</extension>
> +        <mime-type>application/vnd.symbian.install</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sit</extension>
> +        <mime-type>application/x-stuffit</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sitx</extension>
> +        <mime-type>application/x-stuffitx</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>skd</extension>
> +        <mime-type>application/vnd.koan</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>skm</extension>
> +        <mime-type>application/vnd.koan</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>skp</extension>
> +        <mime-type>application/vnd.koan</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>skt</extension>
> +        <mime-type>application/vnd.koan</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sldm</extension>
> +        <mime-type>application/vnd.ms-powerpoint.slide.macroenabled.12</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sldx</extension>
> +        <mime-type>application/vnd.openxmlformats-officedocument.presentationml.slide</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>slt</extension>
> +        <mime-type>application/vnd.epson.salt</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sm</extension>
> +        <mime-type>application/vnd.stepmania.stepchart</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>smf</extension>
> +        <mime-type>application/vnd.stardivision.math</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>smi</extension>
> +        <mime-type>application/smil+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>smil</extension>
> +        <mime-type>application/smil+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>smzip</extension>
> +        <mime-type>application/vnd.stepmania.package</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>snd</extension>
> +        <mime-type>audio/basic</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>snf</extension>
> +        <mime-type>application/x-font-snf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>so</extension>
> +        <mime-type>application/octet-stream</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>spc</extension>
> +        <mime-type>application/x-pkcs7-certificates</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>spf</extension>
> +        <mime-type>application/vnd.yamaha.smaf-phrase</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>spl</extension>
> +        <mime-type>application/x-futuresplash</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>spot</extension>
> +        <mime-type>text/vnd.in3d.spot</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>spp</extension>
> +        <mime-type>application/scvp-vp-response</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>spq</extension>
> +        <mime-type>application/scvp-vp-request</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>spx</extension>
> +        <mime-type>audio/ogg</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>src</extension>
> +        <mime-type>application/x-wais-source</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sru</extension>
> +        <mime-type>application/sru+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>srx</extension>
> +        <mime-type>application/sparql-results+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sse</extension>
> +        <mime-type>application/vnd.kodak-descriptor</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ssf</extension>
> +        <mime-type>application/vnd.epson.ssf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ssml</extension>
> +        <mime-type>application/ssml+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>st</extension>
> +        <mime-type>application/vnd.sailingtracker.track</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>stc</extension>
> +        <mime-type>application/vnd.sun.xml.calc.template</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>std</extension>
> +        <mime-type>application/vnd.sun.xml.draw.template</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>stf</extension>
> +        <mime-type>application/vnd.wt.stf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sti</extension>
> +        <mime-type>application/vnd.sun.xml.impress.template</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>stk</extension>
> +        <mime-type>application/hyperstudio</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>stl</extension>
> +        <mime-type>application/vnd.ms-pki.stl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>str</extension>
> +        <mime-type>application/vnd.pg.format</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>stw</extension>
> +        <mime-type>application/vnd.sun.xml.writer.template</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sub</extension>
> +        <mime-type>text/vnd.dvb.subtitle</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sus</extension>
> +        <mime-type>application/vnd.sus-calendar</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>susp</extension>
> +        <mime-type>application/vnd.sus-calendar</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sv4cpio</extension>
> +        <mime-type>application/x-sv4cpio</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sv4crc</extension>
> +        <mime-type>application/x-sv4crc</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>svc</extension>
> +        <mime-type>application/vnd.dvb.service</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>svd</extension>
> +        <mime-type>application/vnd.svd</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>svg</extension>
> +        <mime-type>image/svg+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>svgz</extension>
> +        <mime-type>image/svg+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>swa</extension>
> +        <mime-type>application/x-director</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>swf</extension>
> +        <mime-type>application/x-shockwave-flash</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>swi</extension>
> +        <mime-type>application/vnd.aristanetworks.swi</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sxc</extension>
> +        <mime-type>application/vnd.sun.xml.calc</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sxd</extension>
> +        <mime-type>application/vnd.sun.xml.draw</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sxg</extension>
> +        <mime-type>application/vnd.sun.xml.writer.global</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sxi</extension>
> +        <mime-type>application/vnd.sun.xml.impress</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sxm</extension>
> +        <mime-type>application/vnd.sun.xml.math</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>sxw</extension>
> +        <mime-type>application/vnd.sun.xml.writer</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>t</extension>
> +        <mime-type>text/troff</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>taglet</extension>
> +        <mime-type>application/vnd.mynfc</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tao</extension>
> +        <mime-type>application/vnd.tao.intent-module-archive</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tar</extension>
> +        <mime-type>application/x-tar</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tcap</extension>
> +        <mime-type>application/vnd.3gpp2.tcap</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tcl</extension>
> +        <mime-type>application/x-tcl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>teacher</extension>
> +        <mime-type>application/vnd.smart.teacher</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tei</extension>
> +        <mime-type>application/tei+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>teicorpus</extension>
> +        <mime-type>application/tei+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tex</extension>
> +        <mime-type>application/x-tex</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>texi</extension>
> +        <mime-type>application/x-texinfo</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>texinfo</extension>
> +        <mime-type>application/x-texinfo</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>text</extension>
> +        <mime-type>text/plain</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tfi</extension>
> +        <mime-type>application/thraud+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tfm</extension>
> +        <mime-type>application/x-tex-tfm</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>thmx</extension>
> +        <mime-type>application/vnd.ms-officetheme</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tif</extension>
> +        <mime-type>image/tiff</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tiff</extension>
> +        <mime-type>image/tiff</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tmo</extension>
> +        <mime-type>application/vnd.tmobile-livetv</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>torrent</extension>
> +        <mime-type>application/x-bittorrent</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tpl</extension>
> +        <mime-type>application/vnd.groove-tool-template</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tpt</extension>
> +        <mime-type>application/vnd.trid.tpt</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tr</extension>
> +        <mime-type>text/troff</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tra</extension>
> +        <mime-type>application/vnd.trueapp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>trm</extension>
> +        <mime-type>application/x-msterminal</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tsd</extension>
> +        <mime-type>application/timestamped-data</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>tsv</extension>
> +        <mime-type>text/tab-separated-values</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ttc</extension>
> +        <mime-type>application/x-font-ttf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ttf</extension>
> +        <mime-type>application/x-font-ttf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ttl</extension>
> +        <mime-type>text/turtle</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>twd</extension>
> +        <mime-type>application/vnd.simtech-mindmapper</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>twds</extension>
> +        <mime-type>application/vnd.simtech-mindmapper</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>txd</extension>
> +        <mime-type>application/vnd.genomatix.tuxedo</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>txf</extension>
> +        <mime-type>application/vnd.mobius.txf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>txt</extension>
> +        <mime-type>text/plain</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>u32</extension>
> +        <mime-type>application/x-authorware-bin</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>udeb</extension>
> +        <mime-type>application/x-debian-package</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ufd</extension>
> +        <mime-type>application/vnd.ufdl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ufdl</extension>
> +        <mime-type>application/vnd.ufdl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ulw</extension>
> +        <mime-type>audio/basic</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>umj</extension>
> +        <mime-type>application/vnd.umajin</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>unityweb</extension>
> +        <mime-type>application/vnd.unity</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uoml</extension>
> +        <mime-type>application/vnd.uoml+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uri</extension>
> +        <mime-type>text/uri-list</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uris</extension>
> +        <mime-type>text/uri-list</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>urls</extension>
> +        <mime-type>text/uri-list</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>ustar</extension>
> +        <mime-type>application/x-ustar</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>utz</extension>
> +        <mime-type>application/vnd.uiq.theme</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uu</extension>
> +        <mime-type>text/x-uuencode</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uva</extension>
> +        <mime-type>audio/vnd.dece.audio</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvd</extension>
> +        <mime-type>application/vnd.dece.data</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvf</extension>
> +        <mime-type>application/vnd.dece.data</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvg</extension>
> +        <mime-type>image/vnd.dece.graphic</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvh</extension>
> +        <mime-type>video/vnd.dece.hd</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvi</extension>
> +        <mime-type>image/vnd.dece.graphic</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvm</extension>
> +        <mime-type>video/vnd.dece.mobile</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvp</extension>
> +        <mime-type>video/vnd.dece.pd</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvs</extension>
> +        <mime-type>video/vnd.dece.sd</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvt</extension>
> +        <mime-type>application/vnd.dece.ttml+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvu</extension>
> +        <mime-type>video/vnd.uvvu.mp4</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvv</extension>
> +        <mime-type>video/vnd.dece.video</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvva</extension>
> +        <mime-type>audio/vnd.dece.audio</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvvd</extension>
> +        <mime-type>application/vnd.dece.data</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvvf</extension>
> +        <mime-type>application/vnd.dece.data</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvvg</extension>
> +        <mime-type>image/vnd.dece.graphic</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvvh</extension>
> +        <mime-type>video/vnd.dece.hd</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvvi</extension>
> +        <mime-type>image/vnd.dece.graphic</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvvm</extension>
> +        <mime-type>video/vnd.dece.mobile</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvvp</extension>
> +        <mime-type>video/vnd.dece.pd</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvvs</extension>
> +        <mime-type>video/vnd.dece.sd</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvvt</extension>
> +        <mime-type>application/vnd.dece.ttml+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvvu</extension>
> +        <mime-type>video/vnd.uvvu.mp4</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvvv</extension>
> +        <mime-type>video/vnd.dece.video</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvvx</extension>
> +        <mime-type>application/vnd.dece.unspecified</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvvz</extension>
> +        <mime-type>application/vnd.dece.zip</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvx</extension>
> +        <mime-type>application/vnd.dece.unspecified</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>uvz</extension>
> +        <mime-type>application/vnd.dece.zip</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vcard</extension>
> +        <mime-type>text/vcard</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vcd</extension>
> +        <mime-type>application/x-cdlink</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vcf</extension>
> +        <mime-type>text/x-vcard</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vcg</extension>
> +        <mime-type>application/vnd.groove-vcard</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vcs</extension>
> +        <mime-type>text/x-vcalendar</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vcx</extension>
> +        <mime-type>application/vnd.vcx</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vis</extension>
> +        <mime-type>application/vnd.visionary</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>viv</extension>
> +        <mime-type>video/vnd.vivo</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vor</extension>
> +        <mime-type>application/vnd.stardivision.writer</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vox</extension>
> +        <mime-type>application/x-authorware-bin</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vrml</extension>
> +        <mime-type>model/vrml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vsd</extension>
> +        <mime-type>application/vnd.visio</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vsf</extension>
> +        <mime-type>application/vnd.vsf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vss</extension>
> +        <mime-type>application/vnd.visio</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vst</extension>
> +        <mime-type>application/vnd.visio</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vsw</extension>
> +        <mime-type>application/vnd.visio</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vtu</extension>
> +        <mime-type>model/vnd.vtu</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>vxml</extension>
> +        <mime-type>application/voicexml+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>w3d</extension>
> +        <mime-type>application/x-director</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wad</extension>
> +        <mime-type>application/x-doom</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wav</extension>
> +        <mime-type>audio/x-wav</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wax</extension>
> +        <mime-type>audio/x-ms-wax</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- Wireless Bitmap -->
> +        <extension>wbmp</extension>
> +        <mime-type>image/vnd.wap.wbmp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wbs</extension>
> +        <mime-type>application/vnd.criticaltools.wbs+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wbxml</extension>
> +        <mime-type>application/vnd.wap.wbxml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wcm</extension>
> +        <mime-type>application/vnd.ms-works</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wdb</extension>
> +        <mime-type>application/vnd.ms-works</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>weba</extension>
> +        <mime-type>audio/webm</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>webm</extension>
> +        <mime-type>video/webm</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>webp</extension>
> +        <mime-type>image/webp</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wg</extension>
> +        <mime-type>application/vnd.pmi.widget</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wgt</extension>
> +        <mime-type>application/widget</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wks</extension>
> +        <mime-type>application/vnd.ms-works</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wm</extension>
> +        <mime-type>video/x-ms-wm</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wma</extension>
> +        <mime-type>audio/x-ms-wma</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wmd</extension>
> +        <mime-type>application/x-ms-wmd</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wmf</extension>
> +        <mime-type>application/x-msmetafile</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- WML Source -->
> +        <extension>wml</extension>
> +        <mime-type>text/vnd.wap.wml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- Compiled WML -->
> +        <extension>wmlc</extension>
> +        <mime-type>application/vnd.wap.wmlc</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- WML Script Source -->
> +        <extension>wmls</extension>
> +        <mime-type>text/vnd.wap.wmlscript</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <!-- Compiled WML Script -->
> +        <extension>wmlsc</extension>
> +        <mime-type>application/vnd.wap.wmlscriptc</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wmv</extension>
> +        <mime-type>video/x-ms-wmv</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wmx</extension>
> +        <mime-type>video/x-ms-wmx</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wmz</extension>
> +        <mime-type>application/x-ms-wmz</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>woff</extension>
> +        <mime-type>application/x-font-woff</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wpd</extension>
> +        <mime-type>application/vnd.wordperfect</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wpl</extension>
> +        <mime-type>application/vnd.ms-wpl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wps</extension>
> +        <mime-type>application/vnd.ms-works</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wqd</extension>
> +        <mime-type>application/vnd.wqd</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wri</extension>
> +        <mime-type>application/x-mswrite</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wrl</extension>
> +        <mime-type>model/vrml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wsdl</extension>
> +        <mime-type>application/wsdl+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wspolicy</extension>
> +        <mime-type>application/wspolicy+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wtb</extension>
> +        <mime-type>application/vnd.webturbo</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>wvx</extension>
> +        <mime-type>video/x-ms-wvx</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>x32</extension>
> +        <mime-type>application/x-authorware-bin</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>x3d</extension>
> +        <mime-type>application/vnd.hzn-3d-crossword</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xap</extension>
> +        <mime-type>application/x-silverlight-app</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xar</extension>
> +        <mime-type>application/vnd.xara</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xbap</extension>
> +        <mime-type>application/x-ms-xbap</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xbd</extension>
> +        <mime-type>application/vnd.fujixerox.docuworks.binder</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xbm</extension>
> +        <mime-type>image/x-xbitmap</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xdf</extension>
> +        <mime-type>application/xcap-diff+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xdm</extension>
> +        <mime-type>application/vnd.syncml.dm+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xdp</extension>
> +        <mime-type>application/vnd.adobe.xdp+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xdssc</extension>
> +        <mime-type>application/dssc+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xdw</extension>
> +        <mime-type>application/vnd.fujixerox.docuworks</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xenc</extension>
> +        <mime-type>application/xenc+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xer</extension>
> +        <mime-type>application/patch-ops-error+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xfdf</extension>
> +        <mime-type>application/vnd.adobe.xfdf</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xfdl</extension>
> +        <mime-type>application/vnd.xfdl</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xht</extension>
> +        <mime-type>application/xhtml+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xhtml</extension>
> +        <mime-type>application/xhtml+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xhvml</extension>
> +        <mime-type>application/xv+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xif</extension>
> +        <mime-type>image/vnd.xiff</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xla</extension>
> +        <mime-type>application/vnd.ms-excel</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xlam</extension>
> +        <mime-type>application/vnd.ms-excel.addin.macroenabled.12</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xlc</extension>
> +        <mime-type>application/vnd.ms-excel</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xlm</extension>
> +        <mime-type>application/vnd.ms-excel</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xls</extension>
> +        <mime-type>application/vnd.ms-excel</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xlsb</extension>
> +        <mime-type>application/vnd.ms-excel.sheet.binary.macroenabled.12</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xlsm</extension>
> +        <mime-type>application/vnd.ms-excel.sheet.macroenabled.12</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xlsx</extension>
> +        <mime-type>application/vnd.openxmlformats-officedocument.spreadsheetml.sheet</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xlt</extension>
> +        <mime-type>application/vnd.ms-excel</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xltm</extension>
> +        <mime-type>application/vnd.ms-excel.template.macroenabled.12</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xltx</extension>
> +        <mime-type>application/vnd.openxmlformats-officedocument.spreadsheetml.template</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xlw</extension>
> +        <mime-type>application/vnd.ms-excel</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xml</extension>
> +        <mime-type>application/xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xo</extension>
> +        <mime-type>application/vnd.olpc-sugar</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xop</extension>
> +        <mime-type>application/xop+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xpi</extension>
> +        <mime-type>application/x-xpinstall</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xpm</extension>
> +        <mime-type>image/x-xpixmap</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xpr</extension>
> +        <mime-type>application/vnd.is-xpr</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xps</extension>
> +        <mime-type>application/vnd.ms-xpsdocument</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xpw</extension>
> +        <mime-type>application/vnd.intercon.formnet</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xpx</extension>
> +        <mime-type>application/vnd.intercon.formnet</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xsl</extension>
> +        <mime-type>application/xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xslt</extension>
> +        <mime-type>application/xslt+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xsm</extension>
> +        <mime-type>application/vnd.syncml+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xspf</extension>
> +        <mime-type>application/xspf+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xul</extension>
> +        <mime-type>application/vnd.mozilla.xul+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xvm</extension>
> +        <mime-type>application/xv+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xvml</extension>
> +        <mime-type>application/xv+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xwd</extension>
> +        <mime-type>image/x-xwindowdump</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>xyz</extension>
> +        <mime-type>chemical/x-xyz</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>yang</extension>
> +        <mime-type>application/yang</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>yin</extension>
> +        <mime-type>application/yin+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>z</extension>
> +        <mime-type>application/x-compress</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>Z</extension>
> +        <mime-type>application/x-compress</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>zaz</extension>
> +        <mime-type>application/vnd.zzazz.deck+xml</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>zip</extension>
> +        <mime-type>application/zip</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>zir</extension>
> +        <mime-type>application/vnd.zul</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>zirz</extension>
> +        <mime-type>application/vnd.zul</mime-type>
> +    </mime-mapping>
> +    <mime-mapping>
> +        <extension>zmm</extension>
> +        <mime-type>application/vnd.handheld-entertainment+xml</mime-type>
> +    </mime-mapping>
> +
> +  <!-- ==================== Default Welcome File List ===================== -->
> +  <!-- When a request URI refers to a directory, the default servlet looks  -->
> +  <!-- for a "welcome file" within that directory and, if present, to the   -->
> +  <!-- corresponding resource URI for display.                              -->
> +  <!-- If no welcome files are present, the default servlet either serves a -->
> +  <!-- directory listing (see default servlet configuration on how to       -->
> +  <!-- customize) or returns a 404 status, depending on the value of the    -->
> +  <!-- listings setting.                                                    -->
> +  <!--                                                                      -->
> +  <!-- If you define welcome files in your own application's web.xml        -->
> +  <!-- deployment descriptor, that list *replaces* the list configured      -->
> +  <!-- here, so be sure to include any of the default values that you wish  -->
> +  <!-- to use within your application.                                       -->
> +
> +    <welcome-file-list>
> +        <welcome-file>index.html</welcome-file>
> +        <welcome-file>index.htm</welcome-file>
> +        <welcome-file>index.jsp</welcome-file>
> +    </welcome-file-list>
> +
> +</web-app>
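
Review bot: The welcome-file comment at the end of this file states that, when no welcome file is present, the default servlet serves either a directory listing or a 404 depending on the listings setting. For a PKI instance, please confirm that the default servlet configuration earlier in this web.xml leaves listings disabled, so a directory without index.html, index.htm or index.jsp returns 404 rather than exposing its contents. Because this file adds several hundred mime-mapping entries in one block, it would also help to record in the commit message where the file was copied from, so it can be diffed against its origin later.
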
> diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
> index eab5db2..0505c7e 100644
> --- a/base/common/src/CMakeLists.txt
> +++ b/base/common/src/CMakeLists.txt
> @@ -48,7 +48,14 @@ find_file(TOMCAT_CATALINA_JAR
>      NAMES
>          catalina.jar
>      PATHS
> -        /usr/share/java/tomcat6
> +        /usr/share/java/tomcat
> +)
> +
> +find_file(TOMCAT_UTIL_JAR
> +    NAMES
> +        tomcat-util.jar
> +    PATHS
> +        /usr/share/java/tomcat
>  )
>  
>  find_file(SERVLET_JAR
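
Review bot: Replacing /usr/share/java/tomcat6 with /usr/share/java/tomcat as the only PATHS entry for TOMCAT_CATALINA_JAR, and using the same single path for the new TOMCAT_UTIL_JAR, ties the build to one directory layout. If building against a host that still ships only the tomcat6 directory is meant to be unsupported from here on, say so in the commit message; otherwise list both directories under PATHS.
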
> @@ -1193,7 +1200,7 @@ set(CMAKE_JAVA_INCLUDE_PATH
>      ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR}
>      ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR}
>      ${APACHE_COMMONS_CLI_JAR} ${APACHE_COMMONS_LANG_JAR}
> -    ${TOMCAT_CATALINA_JAR} ${SYMKEY_JAR}
> +    ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_JAR} ${SYMKEY_JAR}
>      ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR}
>      ${HTTPCLIENT_JAR} ${HTTPCORE_JAR})
>  
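
Review bot: ${TOMCAT_UTIL_JAR} is added to CMAKE_JAVA_INCLUDE_PATH with no check that find_file located tomcat-util.jar. When it did not, the variable holds TOMCAT_UTIL_JAR-NOTFOUND and the problem only surfaces later as a compile error about missing classes. A check right after the find_file call that stops configuration with a clear message would make this easier to diagnose.
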
> diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
> index 35ec7c5..6ad9e76 100644
> --- a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
> +++ b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
> @@ -371,8 +371,10 @@ public class CertUtil {
>  
>              String instanceRoot = config.getString("instanceRoot");
>  
> +            String configurationRoot = config.getString("configurationRoot");
> +
>              CertInfoProfile processor = new CertInfoProfile(
> -                    instanceRoot + "/conf/" + profile);
> +                    instanceRoot + configurationRoot + profile);
>  
>              // cfu - create request to enable renewal
>              try {
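
Review bot: The new CertInfoProfile argument, instanceRoot + configurationRoot + profile, supplies no path separators of its own, where the old code had the literal "/conf/". The path is only correct when configurationRoot carries both a leading and a trailing slash; please document that requirement where configurationRoot is written, or join the parts with explicit separators. config.getString("configurationRoot") is also called without a default, so check what happens on an instance whose configuration does not yet contain this key.
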
> diff --git a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
> index 86debf3..bd551ba 100644
> --- a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
> +++ b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
> @@ -28,6 +28,7 @@ import org.apache.catalina.connector.Request;
>  import org.apache.catalina.connector.Response;
>  import org.apache.catalina.deploy.SecurityConstraint;
>  import org.apache.catalina.realm.JNDIRealm;
> +import org.apache.catalina.Wrapper;
>  
>  /*
>   *  Self contained PKI JNDI Real that overrides the standard JNDI Realm
> @@ -206,6 +207,8 @@ public class PKIJNDIRealm extends JNDIRealm {
>  
>          boolean allowed = super.hasResourcePermission(request, response, constraints, context);
>  
> +        Wrapper wrapper = request.getWrapper();
> +
>          if (allowed == true && hasResourceACLS()) {
>  
>              loadAuthzProperties(context);
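
Review bot: request.getWrapper() is called before the "allowed == true && hasResourceACLS()" test, so it runs for every request, including ones already denied by super.hasResourcePermission(). Move the call inside the if block, and add a comment saying whether a null Wrapper is an expected value for the hasRole(wrapper, principal, right) call it is eventually passed to.
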
> @@ -238,7 +241,7 @@ public class PKIJNDIRealm extends JNDIRealm {
>                          }
>                      }
>  
> -                    allowed = checkACLPermission(principal, resourceID, operation);
> +                    allowed = checkACLPermission(principal, resourceID, operation, wrapper);
>                      logDebug("resourceID: " + resourceID + " operation: " + operation + " allowed: " + allowed);
>                  }
>              }
> @@ -351,7 +354,7 @@ public class PKIJNDIRealm extends JNDIRealm {
>  
>      // Check a PKI  ACL resourceID and operation for permissions
>      // If the check fails the user (principal) is not authorized to access the resource
> -    private boolean checkACLPermission(Principal principal, String resourceId, String operation) {
> +    private boolean checkACLPermission(Principal principal, String resourceId, String operation, Wrapper wrapper) {
>  
>          boolean allowed = true;
>  
> @@ -378,7 +381,7 @@ public class PKIJNDIRealm extends JNDIRealm {
>  
>              String expressions = entry.getAttributeExpressions();
>  
> -            allowed = evaluateExpressions(principal, expressions);
> +            allowed = evaluateExpressions(principal, expressions, wrapper);
>  
>              if (isEntryNegative) {
>                  allowed = !allowed;
> @@ -400,7 +403,7 @@ public class PKIJNDIRealm extends JNDIRealm {
>  
>      // Evaluate an expression as part of a PKI ACL
>      // Ex: user=anybody , group=Data Recovery Manager Agents
> -    private boolean evaluateExpression(Principal principal, String expression) {
> +    private boolean evaluateExpression(Principal principal, String expression, Wrapper wrapper) {
>  
>          boolean allowed = true;
>          if (principal == null || expression == null) {
> @@ -445,7 +448,7 @@ public class PKIJNDIRealm extends JNDIRealm {
>          allowed = false;
>          if (left.equals(PROP_GROUP)) {
>              // Check JNDI to see if the user has this role/group
> -            if (hasRole(principal, right)) {
> +            if (hasRole(wrapper, principal, right)) {
>                  allowed = true;
>              }
>          } else if (left.equals(PROP_USER)) {
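
Review bot: Switching to hasRole(wrapper, principal, right) changes how the group name taken from the ACL expression is resolved. In Tomcat 7's RealmBase this overload first looks up a security-role-ref alias for the role on the servlet behind the wrapper, so the same "group=..." expression can resolve to a different role depending on which servlet the request maps to. Please confirm that no PKI servlet declares a security-role-ref whose role-name collides with an ACL group name, and note that assumption in the comment above evaluateExpression.
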
> @@ -482,7 +485,7 @@ public class PKIJNDIRealm extends JNDIRealm {
>      }
>  
>      // Take a set of expressions in an ACL and evaluate it
> -    private boolean evaluateExpressions(Principal principal, String s) {
> +    private boolean evaluateExpressions(Principal principal, String s, Wrapper wrapper) {
>  
>          Vector<Object> v = new Vector<Object>();
>  
> @@ -492,7 +495,7 @@ public class PKIJNDIRealm extends JNDIRealm {
>  
>              // this is the last expression
>              if (orIndex == -1 && andIndex == -1) {
> -                boolean passed = evaluateExpression(principal, s.trim());
> +                boolean passed = evaluateExpression(principal, s.trim(), wrapper);
>  
>                  v.addElement(Boolean.valueOf(passed));
>                  break;
> @@ -500,7 +503,7 @@ public class PKIJNDIRealm extends JNDIRealm {
>                  // || first
>              } else if (andIndex == -1 || (orIndex != -1 && orIndex < andIndex)) {
>                  String s1 = s.substring(0, orIndex);
> -                boolean passed = evaluateExpression(principal, s1.trim());
> +                boolean passed = evaluateExpression(principal, s1.trim(), wrapper);
>  
>                  v.addElement(Boolean.valueOf(passed));
>                  v.addElement("||");
> @@ -508,7 +511,7 @@ public class PKIJNDIRealm extends JNDIRealm {
>                  // && first
>              } else {
>                  String s1 = s.substring(0, andIndex);
> -                boolean passed = evaluateExpression(principal, s1.trim());
> +                boolean passed = evaluateExpression(principal, s1.trim(), wrapper);
>  
>                  v.addElement(Boolean.valueOf(passed));
>                  v.addElement("&&");
> diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
> index dd688ed..542fc5b 100644
> --- a/base/deploy/config/pkideployment.cfg
> +++ b/base/deploy/config/pkideployment.cfg
> @@ -1,34 +1,219 @@
> -[Common]
> +###############################################################################
> +##  'Sensitive' Data:                                                        ##
> +##                                                                           ##
> +##  Values in this section pertain to various PKI subsystems, and contain    ##
> +##  required 'sensitive' information which MUST ALWAYS be provided by users. ##
> +##                                                                           ##
> +##  IMPORTANT:  Sensitive data values must NEVER be displayed to the         ##
> +##              console NOR stored in log files!!!                           ##
> +###############################################################################
> +[Sensitive]
> +pki_admin_password=
> +pki_backup_password=
> +pki_ds_password=
> +pki_pkcs12_password=
> +pki_security_domain_password=
> +###############################################################################
> +##  'Mandatory' Data:                                                        ##
> +##                                                                           ##
> +##  Values in this section pertain to various PKI subsystems, and contain    ##
> +##  required information which MUST ALWAYS be provided by users.             ##
> +###############################################################################
> +[Mandatory]
> +###############################################################################
> +##  'Optional' Data:                                                         ##
> +##                                                                           ##
> +##  Values in this section pertain to various PKI subsystems, and contain    ##
> +##  required information which MAY OPTIONALLY be provided by users.          ##
> +##                                                                           ##
> +##  NOTE:  Default values will be generated for any and all required         ##
> +##         'optional' data values which are left undefined.                  ##
> +###############################################################################
> +[Optional]
>  pki_admin_domain_name=
> -pki_user=pkiuser
> -pki_group=pkiuser
> +pki_admin_email=
> +pki_admin_subject_dn=
> +pki_audit_signing_nickname=
> +pki_audit_signing_subject_dn=
> +pki_audit_signing_token=
> +pki_backup_file=
> +pki_ca_signing_nickname=
> +pki_ca_signing_subject_dn=
> +pki_ca_signing_token=
> +pki_ds_base_dn=
> +pki_ds_database=
> +pki_ds_hostname=
> +pki_ocsp_signing_nickname=
> +pki_ocsp_signing_subject_dn=
> +pki_ocsp_signing_token=
> +pki_security_domain_hostname=
> +pki_security_domain_name=
> +pki_ssl_server_nickname=
> +pki_ssl_server_subject_dn=
> +pki_ssl_server_token=
> +pki_storage_nickname=
> +pki_storage_subject_dn=
> +pki_storage_token=
> +pki_subsystem_nickname=
> +pki_subsystem_subject_dn=
> +pki_subsystem_token=
> +pki_transport_nickname=
> +pki_transport_subject_dn=
> +pki_transport_token=
> +###############################################################################
> +##  'Common' Data:                                                           ##
> +##                                                                           ##
> +##  Values in this section are common to ALL PKI subsystems, and contain     ##
> +##  required information which MAY be overridden by users as necessary.      ##
> +###############################################################################
> +[Common]
> +pki_admin_cert_request_type=crmf
> +pki_admin_dualkey=False
> +pki_admin_keysize=2048
> +pki_admin_name=admin
> +pki_admin_uid=admin
>  pki_audit_group=pkiaudit
> +pki_audit_signing_key_algorithm=SHA256withRSA
> +pki_audit_signing_key_size=2048
> +pki_audit_signing_key_type=rsa
> +pki_audit_signing_signing_algorithm=SHA256withRSA
> +pki_backup_keys=False
> +pki_ds_bind_dn=cn=Directory Manager
> +pki_ds_http_port=389
> +pki_ds_https_port=636
> +pki_ds_remove_data=True
> +pki_ds_secure_connection=False
> +pki_group=pkiuser
> +pki_security_domain_https_port=8443
> +pki_security_domain_user=admin
> +pki_ssl_server_key_algorithm=SHA256withRSA
> +pki_ssl_server_key_size=2048
> +pki_ssl_server_key_type=rsa
> +pki_subsystem_key_algorithm=SHA256withRSA
> +pki_subsystem_key_size=2048
> +pki_subsystem_key_type=rsa
> +pki_user=pkiuser
> +###############################################################################
> +##  'Apache' Data:                                                           ##
> +##                                                                           ##
> +##  Values in this section are common to PKI subsystems that run             ##
> +##  as an instance of 'Apache' (RA and TPS subsystems), and contain          ##
> +##  required information which MAY be overridden by users as necessary.      ##
> +###############################################################################
>  [Apache]
>  pki_instance_name=apache
>  pki_http_port=80
>  pki_https_port=443
> +###############################################################################
> +##  'Tomcat' Data:                                                           ##
> +##                                                                           ##
> +##  Values in this section are common to PKI subsystems that run             ##
> +##  as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems            ##
> +##  including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain  ##
> +##  required information which MAY be overridden by users as necessary.      ##
> +##                                                                           ##
> +##  PKI CLONES:  To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone',    ##
> +##               or a 'TKS Clone', change the value of 'pki_clone'           ##
> +##               from 'False' to 'True'.                                     ##
> +##                                                                           ##
> +##    REMINDER:  PKI CA Clones, Subordinate CAs, and External CAs            ##
> +##               are MUTUALLY EXCLUSIVE entities!!!                          ##
> +###############################################################################
>  [Tomcat]
> -pki_instance_name=tomcat
> +pki_ajp_port=8009
> +pki_clone=False
> +pki_enable_java_debugger=False
>  pki_http_port=8080
>  pki_https_port=8443
> -pki_ajp_port=8009
> -pki_proxy_http_port=80
> -pki_proxy_https_port=443
> -pki_security_manager=true
> +pki_instance_name=tomcat
> +pki_proxy_http_port=
> +pki_proxy_https_port=
> +pki_security_manager=false
>  pki_tomcat_server_port=8005
> +###############################################################################
> +##  'CA' Data:                                                               ##
> +##                                                                           ##
> +##  Values in this section are common to CA subsystems including 'PKI CAs',  ##
> +##  'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain         ##
> +##  required information which MAY be overridden by users as necessary.      ##
> +##                                                                           ##
> +##     EXTERNAL CAs:  To specify an 'External CA', change the value          ##
> +##                    of 'pki_external' from 'False' to 'True'.              ##
> +##                                                                           ##
> +##  SUBORDINATE CAs:  To specify a 'Subordinate CA', change the value        ##
> +##                    of 'pki_subordinate' from 'False' to 'True'.           ##
> +##                                                                           ##
> +##         REMINDER:  PKI CA Clones, Subordinate CAs, and External CAs       ##
> +##                    are MUTUALLY EXCLUSIVE entities!!!                     ##
> +###############################################################################
>  [CA]
> +pki_ca_signing_key_algorithm=SHA256withRSA
> +pki_ca_signing_key_size=2048
> +pki_ca_signing_key_type=rsa
> +pki_ca_signing_signing_algorithm=SHA256withRSA
> +pki_external=False
> +pki_ocsp_signing_key_algorithm=SHA256withRSA
> +pki_ocsp_signing_key_size=2048
> +pki_ocsp_signing_key_type=rsa
> +pki_ocsp_signing_signing_algorithm=SHA256withRSA
> +pki_subordinate=False
>  pki_subsystem=CA
>  pki_war_name=ca.war
> +###############################################################################
> +##  'KRA' Data:                                                              ##
> +##                                                                           ##
> +##  Values in this section are common to KRA subsystems                      ##
> +##  including 'PKI KRAs' and 'Cloned KRAs', and contain                      ##
> +##  required information which MAY be overridden by users as necessary.      ##
> +###############################################################################
>  [KRA]
> +pki_storage_key_algorithm=SHA256withRSA
> +pki_storage_key_size=2048
> +pki_storage_key_type=rsa
> +pki_storage_signing_algorithm=SHA256withRSA
>  pki_subsystem=KRA
> +pki_transport_key_algorithm=SHA256withRSA
> +pki_transport_key_size=2048
> +pki_transport_key_type=rsa
> +pki_transport_signing_algorithm=SHA256withRSA
>  pki_war_name=kra.war
> +###############################################################################
> +##  'OCSP' Data:                                                             ##
> +##                                                                           ##
> +##  Values in this section are common to OCSP subsystems                     ##
> +##  including 'PKI OCSPs' and 'Cloned OCSPs', and contain                    ##
> +##  required information which MAY be overridden by users as necessary.      ##
> +###############################################################################
>  [OCSP]
> +pki_ocsp_signing_key_algorithm=SHA256withRSA
> +pki_ocsp_signing_key_size=2048
> +pki_ocsp_signing_key_type=rsa
> +pki_ocsp_signing_signing_algorithm=SHA256withRSA
>  pki_subsystem=OCSP
>  pki_war_name=ocsp.war
> +###############################################################################
> +##  'RA' Data:                                                               ##
> +##                                                                           ##
> +##  Values in this section are common to PKI RA subsystems, and contain      ##
> +##  required information which MAY be overridden by users as necessary.      ##
> +###############################################################################
>  [RA]
>  pki_subsystem=RA
> +###############################################################################
> +##  'TKS' Data:                                                              ##
> +##                                                                           ##
> +##  Values in this section are common to TKS subsystems                      ##
> +##  including 'PKI TKSs' and 'Cloned TKSs', and contain                      ##
> +##  required information which MAY be overridden by users as necessary.      ##
> +###############################################################################
>  [TKS]
>  pki_subsystem=TKS
>  pki_war_name=tks.war
> +###############################################################################
> +##  'TPS' Data:                                                              ##
> +##                                                                           ##
> +##  Values in this section are common to PKI TPS subsystems, and contain     ##
> +##  required information which MAY be overridden by users as necessary.      ##
> +###############################################################################
>  [TPS]
>  pki_subsystem=TPS
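
Review bot: In [Tomcat], `pki_security_manager` changes from `true` to `false`, so new Tomcat instances run without the Java security manager by default, and neither the section banner nor a comment says why. If this is a temporary workaround for the Tomcat 7 port, say so next to the setting and keep `true` as the shipped default once it works again. Separately, `pki_ca_signing_key_algorithm`, `pki_ocsp_signing_key_algorithm`, `pki_storage_key_algorithm` and `pki_transport_key_algorithm` are set to `SHA256withRSA`, which is a signature algorithm name sitting beside a `*_key_type=rsa` entry and a `*_signing_algorithm` entry with the same value; a one-line comment on what each of the three keys controls would help anyone overriding them.
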
> diff --git a/base/deploy/config/pkislots.cfg b/base/deploy/config/pkislots.cfg
> index b6c40eb..ee75154 100644
> --- a/base/deploy/config/pkislots.cfg
> +++ b/base/deploy/config/pkislots.cfg
> @@ -70,8 +70,10 @@ PKI_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_SECURE_PORT_CONNECTOR_NAME]
>  PKI_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_SECURE_PORT_SERVER_COMMENT]
>  PKI_SECURITY_MANAGER_SLOT=[PKI_SECURITY_MANAGER]
>  PKI_SERVER_XML_CONF_SLOT=[PKI_SERVER_XML_CONF]
> +PKI_SUBSYSTEM_DIR_SLOT=[PKI_SUBSYSTEM_DIR]
>  PKI_SUBSYSTEM_TYPE_SLOT=[PKI_SUBSYSTEM_TYPE]
>  PKI_SYSTEMD_SERVICENAME_SLOT=[PKI_SYSTEMD_SERVICENAME]
> +PKI_TMPDIR_SLOT=[PKI_TMPDIR]
>  PKI_UNSECURE_PORT_SLOT=[PKI_UNSECURE_PORT]
>  PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_UNSECURE_PORT_CONNECTOR_NAME]
>  PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT]
> diff --git a/base/deploy/scripts/pkidaemon b/base/deploy/scripts/pkidaemon
> index 7be30c9..02b0237 100755
> --- a/base/deploy/scripts/pkidaemon
> +++ b/base/deploy/scripts/pkidaemon
> @@ -51,6 +51,8 @@ case $command in
>          exit $?
>          ;;
>      stop)
> +        echo "An exit status of '143' refers to the 'systemd' method of using"\
> +             "'SIGTERM' to shutdown a Java process and can safely be ignored."
>          stop
>          exit $?
>          ;;
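
Review bot: The new `echo` under `stop)` runs before `stop` is called and prints on every stop, whatever the exit status turns out to be. Consider capturing the status after `stop` and printing the explanation only when it is 143, so that the message does not train operators to ignore a stop that failed for some other reason.
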
> diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
> index 6a2db56..5faa97c 100755
> --- a/base/deploy/src/pkidestroy
> +++ b/base/deploy/src/pkidestroy
> @@ -34,6 +34,7 @@ try:
>      import socket
>      import string
>      import struct
> +    import subprocess
>      import time
>      from time import strftime as date
>      from pki.deployment import pkiconfig as config
> @@ -74,7 +75,18 @@ def main(argv):
>      config.pki_architecture = struct.calcsize("P") * 8
>  
>      # Retrieve hostname
> -    config.pki_hostname = socket.gethostname()
> +    config.pki_hostname = socket.getfqdn()
> +
> +    # Retrieve DNS domainname
> +    config.pki_dns_domainname = None
> +    try:
> +        config.pki_dns_domainname = subprocess.check_output("domainname",
> +                                                            shell=True)
> +        config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n')
> +    except subprocess.CalledProcessError as exc:
> +        config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
> +                             extra=config.PKI_INDENTATION_LEVEL_0)
> +        sys.exit(1)
>  
>      # Initialize 'pretty print' for objects
>      pp = pprint.PrettyPrinter(indent=4)
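
Review bot: The `except subprocess.CalledProcessError` branch does not cover the case Ade describes above: `domainname` exits 0 and prints "(none)", so `config.pki_dns_domainname` ends up holding that literal string and the installer carries on. Since `config.pki_hostname` is now taken from `socket.getfqdn()`, derive the domain from it (everything after the first dot) and fail if it has no domain part. If the subprocess call stays, pass the command as a list and drop `shell=True`, which is not needed for a fixed command with no arguments.
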
> @@ -111,6 +123,15 @@ def main(argv):
>                               extra=config.PKI_INDENTATION_LEVEL_0)
>          sys.exit(1)
>      else:
> +        # NEVER print out 'sensitive' name/value pairs!!!
> +        config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
> +                             extra=config.PKI_INDENTATION_LEVEL_0)
> +        config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
> +                             extra=config.PKI_INDENTATION_LEVEL_0)
> +        config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
> +                             extra=config.PKI_INDENTATION_LEVEL_0)
> +        config.pki_log.debug(pp.pformat(config.pki_optional_dict),
> +                             extra=config.PKI_INDENTATION_LEVEL_0)
>          config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
>                               extra=config.PKI_INDENTATION_LEVEL_0)
>          config.pki_log.debug(pp.pformat(config.pki_common_dict),
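
Review bot: The comment "NEVER print out 'sensitive' name/value pairs!!!" sits directly above code that writes the whole of `config.pki_mandatory_dict` and `config.pki_optional_dict` to the debug log, and nothing in the hunk filters or masks values. Please state in the comment which dictionary holds the sensitive entries and that it is deliberately left out here, or run the dictionaries through a masking step before `pp.pformat`, so that a password key added to either one later is not logged by accident.
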
> @@ -126,7 +147,7 @@ def main(argv):
>  
>      # Override PKI configuration file values with 'custom' command-line values.
>      if not config.custom_pki_admin_domain_name is None:
> -        config.pki_common_dict['pki_admin_domain_name'] =\
> +        config.pki_optional_dict['pki_admin_domain_name'] =\
>              config.custom_pki_admin_domain_name
>      if not config.custom_pki_instance_name is None:
>          config.pki_web_server_dict['pki_instance_name'] =\
> @@ -140,6 +161,15 @@ def main(argv):
>      if not config.custom_pki_ajp_port is None:
>          config.pki_web_server_dict['pki_ajp_port'] =\
>              config.custom_pki_ajp_port
> +    # NEVER print out 'sensitive' name/value pairs!!!
> +    config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
> +                         extra=config.PKI_INDENTATION_LEVEL_0)
> +    config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
> +                         extra=config.PKI_INDENTATION_LEVEL_0)
> +    config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
> +                         extra=config.PKI_INDENTATION_LEVEL_0)
> +    config.pki_log.debug(pp.pformat(config.pki_optional_dict),
> +                         extra=config.PKI_INDENTATION_LEVEL_0)
>      config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
>                           extra=config.PKI_INDENTATION_LEVEL_0)
>      config.pki_log.debug(pp.pformat(config.pki_common_dict),
> diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
> index 66152a3..931b9ba 100755
> --- a/base/deploy/src/pkispawn
> +++ b/base/deploy/src/pkispawn
> @@ -34,6 +34,7 @@ try:
>      import socket
>      import string
>      import struct
> +    import subprocess
>      import time
>      from time import strftime as date
>      from pki.deployment import pkiconfig as config
> @@ -74,7 +75,18 @@ def main(argv):
>      config.pki_architecture = struct.calcsize("P") * 8
>  
>      # Retrieve hostname
> -    config.pki_hostname = socket.gethostname()
> +    config.pki_hostname = socket.getfqdn()
> +
> +    # Retrieve DNS domainname
> +    config.pki_dns_domainname = None
> +    try:
> +        config.pki_dns_domainname = subprocess.check_output("domainname",
> +                                                            shell=True)
> +        config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n')
> +    except subprocess.CalledProcessError as exc:
> +        config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
> +                             extra=config.PKI_INDENTATION_LEVEL_0)
> +        sys.exit(1)
>  
>      # Generate random 'pin's for use as security database passwords
>      pin_low  = 100000000000
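
Review bot: This hostname and `domainname` block is a line-for-line copy of the one added to pkidestroy in the same patch. Move it into a single helper (for example in `pkiconfig`, which both scripts already import as `config`) so that the follow-up fix to take the domain from the FQDN is made in one place.
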
> @@ -140,6 +152,15 @@ def main(argv):
>                               extra=config.PKI_INDENTATION_LEVEL_0)
>          sys.exit(1)
>      else:
> +        # NEVER print out 'sensitive' name/value pairs!!!
> +        config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
> +                             extra=config.PKI_INDENTATION_LEVEL_0)
> +        config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
> +                             extra=config.PKI_INDENTATION_LEVEL_0)
> +        config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
> +                             extra=config.PKI_INDENTATION_LEVEL_0)
> +        config.pki_log.debug(pp.pformat(config.pki_optional_dict),
> +                             extra=config.PKI_INDENTATION_LEVEL_0)
>          config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
>                               extra=config.PKI_INDENTATION_LEVEL_0)
>          config.pki_log.debug(pp.pformat(config.pki_common_dict),
> @@ -155,7 +176,7 @@ def main(argv):
>  
>      # Override PKI configuration file values with 'custom' command-line values.
>      if not config.custom_pki_admin_domain_name is None:
> -        config.pki_common_dict['pki_admin_domain_name'] =\
> +        config.pki_optional_dict['pki_admin_domain_name'] =\
>              config.custom_pki_admin_domain_name
>      if not config.custom_pki_instance_name is None:
>          config.pki_web_server_dict['pki_instance_name'] =\
> @@ -169,6 +190,15 @@ def main(argv):
>      if not config.custom_pki_ajp_port is None:
>          config.pki_web_server_dict['pki_ajp_port'] =\
>              config.custom_pki_ajp_port
> +    # NEVER print out 'sensitive' name/value pairs!!!
> +    config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
> +                         extra=config.PKI_INDENTATION_LEVEL_0)
> +    config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
> +                         extra=config.PKI_INDENTATION_LEVEL_0)
> +    config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
> +                         extra=config.PKI_INDENTATION_LEVEL_0)
> +    config.pki_log.debug(pp.pformat(config.pki_optional_dict),
> +                         extra=config.PKI_INDENTATION_LEVEL_0)
>      config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
>                           extra=config.PKI_INDENTATION_LEVEL_0)
>      config.pki_log.debug(pp.pformat(config.pki_common_dict),
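
Review bot: The eight-line mandatory/optional dump added here is the fourth copy in this patch (twice in pkidestroy, twice in pkispawn), each with its own "NEVER print" comment. A small helper that takes the label and the dictionary and logs them would remove the repetition and give one place to enforce whatever rule keeps sensitive values out of the log.
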
> diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy
> index f7366c7..a40e7c6 100644
> --- a/base/deploy/src/scriptlets/configuration.jy
> +++ b/base/deploy/src/scriptlets/configuration.jy
> @@ -9,7 +9,6 @@ import sys
>  # PKI Python Imports
>  import pkijython as jyutil
>  import pkiconfig as config
> -from pkiconfig import pki_master_jython_dict as master
>  import pkimessages as log
>  
> 
> @@ -18,12 +17,19 @@ from java.lang import System as javasystem
>  
> 
>  def main(argv):
> +    rv = 0
> +
>      # Establish 'master' as the PKI jython dictionary
>      master = dict()
>  
> -    # import the master dictionary from 'pkispawn'
> +    # Import the master dictionary from 'pkispawn'
>      master = pickle.loads(argv[1])
>  
> +    # Optionally enable a java debugger (e. g. - 'eclipse'):
> +    if config.str2bool(master['pki_enable_java_debugger']):
> +        config.wait_to_attach_an_external_java_debugger()
> +
> +
>      # IMPORTANT:  Unfortunately, 'jython 2.2' does NOT support logging!
>      #
>      #             Until, and unless, 'jython 2.5' or later is used,
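
Review bot: The context line `master = pickle.loads(argv[1])` means this scriptlet unpickles whatever arrives as its first command-line argument, and the hunk now branches on `master['pki_enable_java_debugger']` taken from that data. Unpickling can instantiate arbitrary objects, so either document that `argv[1]` is only ever produced by pkispawn in the same process tree, or pass the dictionary in a data-only format. Minor: `master = dict()` is overwritten on the next statement, and the hunk leaves two blank lines inside the function body after the debugger check.
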
> @@ -59,11 +65,107 @@ def main(argv):
>          master['pki_jython_log_level'])
>  
>      # Log into token
> -    jyutil.security_databases.log_into_token(
> -        master['pki_client_database_path'],
> -        master['pki_client_password_conf'],
> -        master['pki_dry_run_flag'],
> -        master['pki_jython_log_level'])
> +    token = jyutil.security_databases.log_into_token(
> +                master['pki_client_database_path'],
> +                master['pki_client_password_conf'],
> +                master['pki_dry_run_flag'],
> +                master['pki_jython_log_level'])
> +
> +    # Establish REST Client
> +    client = jyutil.rest_client.initialize(
> +                 master['pki_jython_base_uri'],
> +                 master['pki_dry_run_flag'],
> +                 master['pki_jython_log_level'])
> +
> +    # Construct PKI Subsystem Configuration Data
> +    data = None
> +    if master['pki_instance_type'] == "Apache":
> +        if master['pki_subsystem'] == "RA":
> +            print "%s '%s' %s" %\
> +                  (log.PKI_JYTHON_INDENTATION_2,
> +                   master['pki_subsystem'],
> +                   log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
> +            return self.rv
> +        elif master['pki_subsystem'] == "TPS":
> +            print "%s '%s' %s" %\
> +                  (log.PKI_JYTHON_INDENTATION_2,
> +                   master['pki_subsystem'],
> +                   log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
> +            return self.rv
> +    elif master['pki_instance_type'] == "Tomcat":
> +        if master['pki_subsystem'] == "CA":
> +            if config.str2bool(master['pki_clone']):
> +                print "%s '%s %s' %s" %\
> +                      (log.PKI_JYTHON_INDENTATION_2,
> +                       log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM,
> +                       master['pki_subsystem'],
> +                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
> +                return self.rv
> +            elif config.str2bool(master['pki_external']):
> +                print "%s '%s %s' %s" %\
> +                      (log.PKI_JYTHON_INDENTATION_2,
> +                       log.PKI_JYTHON_EXTERNAL_CA,
> +                       master['pki_subsystem'],
> +                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
> +                return self.rv
> +            elif config.str2bool(master['pki_subordinate']):
> +                print "%s '%s %s' %s" %\
> +                      (log.PKI_JYTHON_INDENTATION_2,
> +                       log.PKI_JYTHON_SUBORDINATE_CA,
> +                       master['pki_subsystem'],
> +                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
> +                return self.rv
> +            else:
> +                data = jyutil.rest_client.construct_pki_configuration_data(
> +                           master, token)
> +        elif master['pki_subsystem'] == "KRA":
> +            if config.str2bool(master['pki_clone']):
> +                print "%s '%s %s' %s" %\
> +                      (log.PKI_JYTHON_INDENTATION_2,
> +                       log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM,
> +                       master['pki_subsystem'],
> +                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
> +                return self.rv
> +            else:
> +                print "%s '%s' %s" %\
> +                      (log.PKI_JYTHON_INDENTATION_2,
> +                       master['pki_subsystem'],
> +                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
> +                return self.rv
> +        elif master['pki_subsystem'] == "OCSP":
> +            if config.str2bool(master['pki_clone']):
> +                print "%s '%s %s' %s" %\
> +                      (log.PKI_JYTHON_INDENTATION_2,
> +                       log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM,
> +                       master['pki_subsystem'],
> +                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
> +                return self.rv
> +            else:
> +                print "%s '%s' %s" %\
> +                      (log.PKI_JYTHON_INDENTATION_2,
> +                       master['pki_subsystem'],
> +                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
> +                return self.rv
> +        elif master['pki_subsystem'] == "TKS":
> +            if config.str2bool(master['pki_clone']):
> +                print "%s '%s %s' %s" %\
> +                      (log.PKI_JYTHON_INDENTATION_2,
> +                       log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM,
> +                       master['pki_subsystem'],
> +                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
> +                return self.rv
> +            else:
> +                print "%s '%s' %s" %\
> +                      (log.PKI_JYTHON_INDENTATION_2,
> +                       master['pki_subsystem'],
> +                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
> +                return self.rv
> +
> +    # Formulate PKI Subsystem Configuration Data Response
> +    jyutil.rest_client.configure_pki_data(data,
> +                                          master['pki_subsystem'],
> +                                          master['pki_dry_run_flag'],
> +                                          master['pki_jython_log_level'])
>  
> 
>  if __name__ == "__main__":
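
Review bot: Every early exit added in this hunk is `return self.rv`, but `main(argv)` is a module-level function with no `self`, so the first "not yet implemented" branch will raise NameError rather than return; use the local `rv` that the previous hunk initialises to 0. Also, `data` remains `None` when `pki_instance_type` is neither "Apache" nor "Tomcat", or when the subsystem matches none of the `elif` arms, and is then passed straight to `jyutil.rest_client.configure_pki_data`; add a final `else` that reports the unsupported combination and returns.
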
> diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py
> index f405739..421e08d 100644
> --- a/base/deploy/src/scriptlets/configuration.py
> +++ b/base/deploy/src/scriptlets/configuration.py
> @@ -36,9 +36,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                              extra=config.PKI_INDENTATION_LEVEL_1)
>          if not config.pki_dry_run_flag:
>              util.directory.create(master['pki_client_path'], uid=0, gid=0)
> +            # Since 'certutil' does NOT strip the 'token=' portion of
> +            # the 'token=password' entries, create a client password file
> +            # which ONLY contains the 'password' for the purposes of
> +            # allowing 'certutil' to generate the security databases
>              util.password.create_password_conf(
>                  master['pki_client_password_conf'],
> -                master['pki_client_pin'])
> +                master['pki_client_pin'], pin_sans_token=True)
>              util.directory.create(master['pki_client_database_path'],
>                                    uid=0, gid=0)
>              util.certutil.create_security_databases(
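
Review bot: With `pin_sans_token=True` the file at `master['pki_client_password_conf']` now holds the bare client pin, and the hunk does not show the mode or ownership that `create_password_conf` applies to it. Please confirm it is created owner-read-only (the surrounding directories are created with `uid=0, gid=0`), and consider removing the file once `certutil` has built the databases. The four-line comment is also repeated verbatim in the `else` branch of the next hunk; a single comment above the `if` would do.
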
> @@ -47,19 +51,60 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                  master['pki_client_key_database'],
>                  master['pki_client_secmod_database'],
>                  password_file=master['pki_client_password_conf'])
> -            util.symlink.create(
> -                config.pki_master_dict['pki_systemd_service'],
> -                config.pki_master_dict['pki_systemd_service_link'])
> +            util.symlink.create(master['pki_systemd_service'],
> +                                master['pki_systemd_service_link'])
>          else:
> +            # Since 'certutil' does NOT strip the 'token=' portion of
> +            # the 'token=password' entries, create a client password file
> +            # which ONLY contains the 'password' for the purposes of
> +            # allowing 'certutil' to generate the security databases
>              util.password.create_password_conf(
>                  master['pki_client_password_conf'],
> -                master['pki_client_pin'])
> +                master['pki_client_pin'], pin_sans_token=True)
>              util.certutil.create_security_databases(
>                  master['pki_client_database_path'],
>                  master['pki_client_cert_database'],
>                  master['pki_client_key_database'],
>                  master['pki_client_secmod_database'],
>                  password_file=master['pki_client_password_conf'])
> +        # Start/Restart this Apache/Tomcat PKI Process
> +        if not config.pki_dry_run_flag:
> +            if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
> +                apache_instances = util.instance.apache_instances()
> +                if apache_instances == 1:
> +                    util.systemd.start()
> +                elif apache_instances > 1:
> +                    util.systemd.restart()
> +            elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
> +                # Optionally prepare to enable a java debugger
> +                # (e. g. - 'eclipse'):
> +                if config.str2bool(master['pki_enable_java_debugger']):
> +                    config.prepare_for_an_external_java_debugger(
> +                        master['pki_target_tomcat_conf_instance_id'])
> +                tomcat_instances = util.instance.tomcat_instances()
> +                if tomcat_instances == 1:
> +                    util.systemd.start()
> +                elif tomcat_instances > 1:
> +                    util.systemd.restart()
> +        else:
> +            # ALWAYS display correct information (even during dry_run)
> +            if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
> +                apache_instances = util.instance.apache_instances()
> +                if apache_instances == 0:
> +                    util.systemd.start()
> +                elif apache_instances > 0:
> +                    util.systemd.restart()
> +            elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
> +                # Optionally prepare to enable a java debugger
> +                # (e. g. - 'eclipse'):
> +                if config.str2bool(master['pki_enable_java_debugger']):
> +                    config.prepare_for_an_external_java_debugger(
> +                        master['pki_target_tomcat_conf_instance_id'])
> +                tomcat_instances = util.instance.tomcat_instances()
> +                if tomcat_instances == 0:
> +                    util.systemd.start()
> +                elif tomcat_instances > 0:
> +                    util.systemd.restart()
>          # Pass control to the Java servlet via Jython 2.2 'configuration.jy'
>          util.jython.invoke(master['pki_jython_configuration_scriptlet'])
>          return self.rv
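
Review bot: In the dry-run `else` branch, `config.prepare_for_an_external_java_debugger(...)` and `util.systemd.start()`/`restart()` are still called. The `util.*` helpers may check the dry-run flag internally, but `prepare_for_an_external_java_debugger` lives in `config` and is given only the instance id, so nothing visible here stops it from changing the Tomcat configuration during a dry run. Please pass the flag through or guard the call. The two branches differ only in the instance-count threshold (`== 1`/`> 1` against `== 0`/`> 0`); computing the threshold once and sharing the body would halve this hunk.
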
> @@ -67,6 +112,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>      def respawn(self):
>          config.pki_log.info(log.CONFIGURATION_RESPAWN_1, __name__,
>                              extra=config.PKI_INDENTATION_LEVEL_1)
> +        # ALWAYS Restart this Apache/Tomcat PKI Process
> +        util.systemd.restart()
>          return self.rv
>  
>      def destroy(self):
> @@ -76,23 +123,19 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>              if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
>                 util.instance.apache_instances() == 1:
>                  util.directory.delete(master['pki_client_path'])
> -                util.symlink.delete(
> -                    config.pki_master_dict['pki_systemd_service_link'])
> +                util.symlink.delete(master['pki_systemd_service_link'])
>              elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
>                   util.instance.tomcat_instances() == 1:
>                  util.directory.delete(master['pki_client_path'])
> -                util.symlink.delete(
> -                    config.pki_master_dict['pki_systemd_service_link'])
> +                util.symlink.delete(master['pki_systemd_service_link'])
>          else:
>              # ALWAYS display correct information (even during dry_run)
>              if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
>                 util.instance.apache_instances() == 0:
>                  util.directory.delete(master['pki_client_path'])
> -                util.symlink.delete(
> -                    config.pki_master_dict['pki_systemd_service_link'])
> +                util.symlink.delete(master['pki_systemd_service_link'])
>              elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
>                   util.instance.tomcat_instances() == 0:
>                  util.directory.delete(master['pki_client_path'])
> -                util.symlink.delete(
> -                    config.pki_master_dict['pki_systemd_service_link'])
> +                util.symlink.delete(master['pki_systemd_service_link'])
>          return self.rv
> diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py
> index 02c5065..bceec67 100644
> --- a/base/deploy/src/scriptlets/finalization.py
> +++ b/base/deploy/src/scriptlets/finalization.py
> @@ -100,4 +100,20 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                              extra=config.PKI_INDENTATION_LEVEL_0)
>          if not config.pki_dry_run_flag:
>              util.file.modify(master['pki_destroy_log'], silent=True)
> +        # Start this Apache/Tomcat PKI Process
> +        if not config.pki_dry_run_flag:
> +            if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
> +               util.instance.apache_instances() >= 1:
> +                util.systemd.start()
> +            elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
> +                 util.instance.tomcat_instances() >= 1:
> +                util.systemd.start()
> +        else:
> +            # ALWAYS display correct information (even during dry_run)
> +            if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
> +               util.instance.apache_instances() >= 0:
> +                util.systemd.start()
> +            elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
> +                 util.instance.tomcat_instances() >= 0:
> +                util.systemd.start()
>          return self.rv
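
Review bot: In the dry-run branch the tests `util.instance.apache_instances() >= 0` and `util.instance.tomcat_instances() >= 0` are always true for an instance count, so they add nothing to the subsystem check; drop them or state the intended condition. It would also help to say in the comment why the process is started again here when the configuration scriptlet in this same patch already starts or restarts it.
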
> diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py
> index 3077737..1ff8522 100644
> --- a/base/deploy/src/scriptlets/initialization.py
> +++ b/base/deploy/src/scriptlets/initialization.py
> @@ -41,9 +41,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>          # verify that this type of "subsystem" does NOT yet
>          # exist for this "instance"
>          util.instance.verify_subsystem_does_not_exist()
> +        # initialize 'uid' and 'gid'
> +        util.identity.add_uid_and_gid(master['pki_user'], master['pki_group'])
>          # establish 'uid' and 'gid'
>          util.identity.set_uid(master['pki_user'])
>          util.identity.set_gid(master['pki_group'])
> +        # verify existence of MANDATORY configuration file data
> +        util.configuration_file.verify_sensitive_data()
> +        util.configuration_file.verify_mutually_exclusive_data()
>          return self.rv
>  
>      def respawn(self):
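
Review bot: `util.configuration_file.verify_sensitive_data()` and `verify_mutually_exclusive_data()` run after `util.identity.add_uid_and_gid(...)`, so a configuration that is missing mandatory data or sets more than one of clone/external/subordinate still gets the user and group created before the install is rejected. Move the two verify calls ahead of `add_uid_and_gid` so that validation happens before any change to the system.
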
> @@ -74,4 +79,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>          # establish 'uid' and 'gid'
>          util.identity.set_uid(master['pki_user'])
>          util.identity.set_gid(master['pki_group'])
> +        # ALWAYS Stop this Apache/Tomcat PKI Process
> +        util.systemd.stop()
>          return self.rv
> diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py
> index 8a645f0..2fd7165 100644
> --- a/base/deploy/src/scriptlets/instance_layout.py
> +++ b/base/deploy/src/scriptlets/instance_layout.py
> @@ -48,30 +48,90 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>              # establish Tomcat instance base
>              util.directory.create(master['pki_tomcat_common_path'])
>              util.directory.create(master['pki_tomcat_common_lib_path'])
> +            util.directory.create(master['pki_tomcat_tmpdir_path'])
>              util.directory.create(master['pki_tomcat_webapps_path'])
>              util.directory.create(master['pki_tomcat_webapps_root_path'])
>              util.directory.create(master['pki_tomcat_webapps_root_webinf_path'])
>              util.file.copy(master['pki_source_webapps_root_web_xml'],
>                             master['pki_tomcat_webapps_root_webinf_web_xml'],
>                             overwrite_flag=True)
> -            util.directory.create(master['pki_tomcat_webapps_webinf_path'])
> +            util.directory.create(master['pki_tomcat_work_path'])
> +            util.directory.create(master['pki_tomcat_work_catalina_path'])
> +            util.directory.create(master['pki_tomcat_work_catalina_host_path'])
>              util.directory.create(
> -                master['pki_tomcat_webapps_webinf_classes_path'])
> -            util.directory.create(master['pki_tomcat_webapps_webinf_lib_path'])
> +                master['pki_tomcat_work_catalina_host_run_path'])
> +            util.directory.create(
> +                master['pki_tomcat_work_catalina_host_subsystem_path'])
>              # establish Tomcat instance logs
>              # establish Tomcat instance configuration
>              util.directory.copy(master['pki_source_shared_path'],
>                                  master['pki_instance_configuration_path'],
>                                  overwrite_flag=True)
>              # establish Tomcat instance registry
> -            # establish Tomcat instance convenience
> -            # symbolic links
> +            # establish Tomcat instance convenience symbolic links
>              util.symlink.create(master['pki_tomcat_bin_path'],
>                                  master['pki_tomcat_bin_link'])
>              util.symlink.create(master['pki_tomcat_lib_path'],
>                                  master['pki_tomcat_lib_link'])
> +            util.symlink.create(master['pki_instance_log4j_properties'],
> +                                master['pki_tomcat_lib_log4j_properties_link'],
> +                                uid=0, gid=0)
>              util.symlink.create(master['pki_tomcat_systemd'],
> -                                master['pki_instance_systemd_link'])
> +                                master['pki_instance_systemd_link'],
> +                                uid=0, gid=0)
> +            # establish Tomcat instance common lib jar symbolic links
> +            util.symlink.create(master['pki_apache_commons_collections_jar'],
> +                master['pki_apache_commons_collections_jar_link'])
> +            util.symlink.create(master['pki_apache_commons_lang_jar'],
> +                master['pki_apache_commons_lang_jar_link'])
> +            util.symlink.create(master['pki_apache_commons_logging_jar'],
> +                master['pki_apache_commons_logging_jar_link'])
> +            util.symlink.create(master['pki_commons_codec_jar'],
> +                master['pki_commons_codec_jar_link'])
> +            util.symlink.create(master['pki_httpclient_jar'],
> +                master['pki_httpclient_jar_link'])
> +            util.symlink.create(master['pki_javassist_jar'],
> +                master['pki_javassist_jar_link'])
> +            util.symlink.create(master['pki_resteasy_jaxrs_api_jar'],
> +                master['pki_resteasy_jaxrs_api_jar_link'])
> +            util.symlink.create(master['pki_jettison_jar'],
> +                master['pki_jettison_jar_link'])
> +            util.symlink.create(master['pki_jss_jar'],
> +                master['pki_jss_jar_link'])
> +            util.symlink.create(master['pki_ldapjdk_jar'],
> +                master['pki_ldapjdk_jar_link'])
> +            util.symlink.create(master['pki_certsrv_jar'],
> +                master['pki_certsrv_jar_link'])
> +            util.symlink.create(master['pki_cmsbundle'],
> +                master['pki_cmsbundle_jar_link'])
> +            util.symlink.create(master['pki_cmscore'],
> +                master['pki_cmscore_jar_link'])
> +            util.symlink.create(master['pki_cms'],
> +                master['pki_cms_jar_link'])
> +            util.symlink.create(master['pki_cmsutil'],
> +                master['pki_cmsutil_jar_link'])
> +            util.symlink.create(master['pki_nsutil'],
> +                master['pki_nsutil_jar_link'])
> +            util.symlink.create(master['pki_resteasy_jaxb_provider_jar'],
> +                master['pki_resteasy_jaxb_provider_jar_link'])
> +            util.symlink.create(master['pki_resteasy_jaxrs_jar'],
> +                master['pki_resteasy_jaxrs_jar_link'])
> +            util.symlink.create(master['pki_resteasy_jettison_provider_jar'],
> +                master['pki_resteasy_jettison_provider_jar_link'])
> +            util.symlink.create(master['pki_scannotation_jar'],
> +                master['pki_scannotation_jar_link'])
> +            util.symlink.create(master['pki_symkey_jar'],
> +                master['pki_symkey_jar_link'])
> +            util.symlink.create(master['pki_tomcatjss_jar'],
> +                master['pki_tomcatjss_jar_link'])
> +            util.symlink.create(master['pki_velocity_jar'],
> +                master['pki_velocity_jar_link'])
> +            util.symlink.create(master['pki_xerces_j2_jar'],
> +                master['pki_xerces_j2_jar_link'])
> +            util.symlink.create(master['pki_xml_commons_apis_jar'],
> +                master['pki_xml_commons_apis_jar_link'])
> +            util.symlink.create(master['pki_xml_commons_resolver_jar'],
> +                master['pki_xml_commons_resolver_jar_link'])
>          # establish shared NSS security databases for this instance
>          util.directory.create(master['pki_database_path'])
>          # establish instance convenience symbolic links
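
Review bot: The 26 added util.symlink.create(master['pki_..._jar'], master['pki_..._jar_link']) calls under "# establish Tomcat instance common lib jar symbolic links" are one statement repeated per jar, and the modify path repeats the same list by hand, so a jar added to one list and forgotten in the other will go unnoticed. Consider a single list of key names in pkiconfig.py and a loop over it in both places. A table would also expose that the source keys are not uniform: pki_cmsbundle, pki_cmscore, pki_cms, pki_cmsutil and pki_nsutil lack the _jar suffix the others carry. Separately, the log4j and systemd links now pass uid=0, gid=0 while the jar links take the defaults; a one-line comment on why those two are root-owned would help.
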
> @@ -106,16 +166,53 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>              util.file.copy(master['pki_source_webapps_root_web_xml'],
>                             master['pki_tomcat_webapps_root_webinf_web_xml'],
>                             overwrite_flag=True)
> -            util.directory.modify(master['pki_tomcat_webapps_webinf_path'])
> +            util.directory.modify(master['pki_tomcat_work_path'])
> +            util.directory.modify(master['pki_tomcat_work_catalina_path'])
> +            util.directory.modify(master['pki_tomcat_work_catalina_host_path'])
> +            util.directory.modify(
> +                master['pki_tomcat_work_catalina_host_run_path'])
>              util.directory.modify(
> -                master['pki_tomcat_webapps_webinf_classes_path'])
> -            util.directory.modify(master['pki_tomcat_webapps_webinf_lib_path'])
> +                master['pki_tomcat_work_catalina_host_subsystem_path'])
>              # update Tomcat instance logs
>              # update Tomcat instance configuration
>              # update Tomcat instance registry
>              # update Tomcat instance convenience symbolic links
>              util.symlink.modify(master['pki_tomcat_bin_link'])
>              util.symlink.modify(master['pki_tomcat_lib_link'])
> +            util.symlink.modify(master['pki_tomcat_lib_log4j_properties_link'],
> +                                uid=0, gid=0)
> +            util.symlink.modify(master['pki_instance_systemd_link'],
> +                                uid=0, gid=0)
> +            # update Tomcat instance common lib jar symbolic links
> +
> +            util.symlink.modify(
> +                master['pki_apache_commons_collections_jar_link'])
> +            util.symlink.modify(master['pki_apache_commons_lang_jar_link'])
> +            util.symlink.modify(master['pki_apache_commons_logging_jar_link'])
> +            util.symlink.modify(master['pki_commons_codec_jar_link'])
> +            util.symlink.modify(master['pki_httpclient_jar_link'])
> +            util.symlink.modify(master['pki_javassist_jar_link'])
> +            util.symlink.modify(master['pki_resteasy_jaxrs_api_jar_link'])
> +            util.symlink.modify(master['pki_jettison_jar_link'])
> +            util.symlink.modify(master['pki_jss_jar_link'])
> +            util.symlink.modify(master['pki_ldapjdk_jar_link'])
> +            util.symlink.modify(master['pki_certsrv_jar_link'])
> +            util.symlink.modify(master['pki_cmsbundle_jar_link'])
> +            util.symlink.modify(master['pki_cmscore_jar_link'])
> +            util.symlink.modify(master['pki_cms_jar_link'])
> +            util.symlink.modify(master['pki_cmsutil_jar_link'])
> +            util.symlink.modify(master['pki_nsutil_jar_link'])
> +            util.symlink.modify(master['pki_resteasy_jaxb_provider_jar_link'])
> +            util.symlink.modify(master['pki_resteasy_jaxrs_jar_link'])
> +            util.symlink.modify(
> +                master['pki_resteasy_jettison_provider_jar_link'])
> +            util.symlink.modify(master['pki_scannotation_jar_link'])
> +            util.symlink.modify(master['pki_symkey_jar_link'])
> +            util.symlink.modify(master['pki_tomcatjss_jar_link'])
> +            util.symlink.modify(master['pki_velocity_jar_link'])
> +            util.symlink.modify(master['pki_xerces_j2_jar_link'])
> +            util.symlink.modify(master['pki_xml_commons_apis_jar_link'])
> +            util.symlink.modify(master['pki_xml_commons_resolver_jar_link'])
>          # update shared NSS security databases for this instance
>          util.directory.modify(master['pki_database_path'])
>          # update instance convenience symbolic links
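
Review bot: The empty added line directly after "# update Tomcat instance common lib jar symbolic links" separates the comment from the calls it describes; drop it so the block reads the same as the one in the create path.
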
> @@ -150,6 +247,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                  # remove shared NSS security database path for this instance
>                  util.directory.delete(master['pki_database_path'])
>                  # remove Tomcat instance configuration
> +                util.symlink.delete(
> +                    master['pki_tomcat_lib_log4j_properties_link'])
>                  util.directory.delete(master['pki_instance_configuration_path'])
>                  # remove Tomcat instance registry
>                  util.directory.delete(master['pki_instance_type_registry_path'])
> @@ -174,6 +273,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                  # remove shared NSS security database path for this instance
>                  util.directory.delete(master['pki_database_path'])
>                  # remove Tomcat instance configuration
> +                util.symlink.delete(
> +                    master['pki_tomcat_lib_log4j_properties_link'])
>                  util.directory.delete(master['pki_instance_configuration_path'])
>                  # remove Tomcat instance registry
>                  util.directory.delete(master['pki_instance_type_registry_path'])
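
Review bot: In both removal hunks the new util.symlink.delete(master['pki_tomcat_lib_log4j_properties_link']) sits under the comment "# remove Tomcat instance configuration" although it removes a lib link, and it is the only link added in the create path that gets an explicit delete. If the common lib jar links are removed together with a parent directory, say so in a comment; if not, they are left behind on destroy and need matching deletes.
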
> diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
> index 2acd37d..07537d7 100644
> --- a/base/deploy/src/scriptlets/pkiconfig.py
> +++ b/base/deploy/src/scriptlets/pkiconfig.py
> @@ -28,6 +28,13 @@ PKI_DEPLOYMENT_DEFAULT_SGID_DIR_PERMISSIONS = 02770
>  PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS = 00777
>  PKI_DEPLOYMENT_DEFAULT_UMASK = 00002
>  
> +PKI_DEPLOYMENT_DEFAULT_COMMENT = "'Certificate System'"
> +PKI_DEPLOYMENT_DEFAULT_GID = 17
> +PKI_DEPLOYMENT_DEFAULT_GROUP = "pkiuser"
> +PKI_DEPLOYMENT_DEFAULT_SHELL = "/sbin/nologin"
> +PKI_DEPLOYMENT_DEFAULT_UID = 17
> +PKI_DEPLOYMENT_DEFAULT_USER = "pkiuser"
> +
>  PKI_SUBSYSTEMS = ["CA","KRA","OCSP","RA","TKS","TPS"]
>  PKI_SIGNED_AUDIT_SUBSYSTEMS = ["CA","KRA","OCSP","TKS","TPS"]
>  PKI_APACHE_SUBSYSTEMS = ["RA","TPS"]
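
Review bot: PKI_DEPLOYMENT_DEFAULT_COMMENT = "'Certificate System'" carries shell quoting inside the constant, which only works because the value is later pasted into a shell=True command string in pkihelper.py. Store the plain text here and let the caller pass it as one element of an argument list. The fixed PKI_DEPLOYMENT_DEFAULT_UID = 17 and PKI_DEPLOYMENT_DEFAULT_GID = 17 also deserve a comment saying where that number is reserved.
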
> @@ -39,6 +46,12 @@ PKI_INDENTATION_LEVEL_2 = {'indent' : '....... '}
>  PKI_INDENTATION_LEVEL_3 = {'indent' : '........... '}
>  PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '}
>  
> +PKI_DEPLOYMENT_INTERRUPT_BANNER = "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"\
> +                                  "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-"
> +PKI_DEPLOYMENT_JAR_SOURCE_ROOT = "/usr/share/java"
> +PKI_DEPLOYMENT_HTTPCOMPONENTS_JAR_SOURCE_ROOT = "/usr/share/java/httpcomponents"
> +PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT = "/usr/share/java/pki"
> +PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT = "/usr/share/java/resteasy"
>  PKI_DEPLOYMENT_SOURCE_ROOT = "/usr/share/pki"
>  PKI_DEPLOYMENT_SYSTEMD_ROOT = "/lib/systemd/system"
>  PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT = "/etc/systemd/system"
> @@ -101,6 +114,48 @@ custom_pki_https_port = None
>  custom_pki_ajp_port = None
>  
> 
> +# PKI Deployment Helper Functions
> +def str2bool(string):
> +    return string.lower() in ("yes", "true", "t", "1")
> +
> +# NOTE:  To utilize the 'preparations_for_an_external_java_debugger(master)'
> +#        and 'wait_to_attach_an_external_java_debugger(master)' functions,
> +#        change 'pki_enable_java_debugger=False' to
> +#        'pki_enable_java_debugger=True' in the appropriate
> +#        'pkideployment.cfg' configuration file.
> +def prepare_for_an_external_java_debugger(instance):
> +    print
> +    print PKI_DEPLOYMENT_INTERRUPT_BANNER
> +    print
> +    print "The following 'JAVA_OPTS' MUST be enabled (uncommented) in"
> +    print "'%s':" % instance
> +    print
> +    print "    JAVA_OPTS=\"-Xdebug -Xrunjdwp:transport=dt_socket,\""
> +    print "              \"address=8000,server=y,suspend\""
> +    print
> +    raw_input("Enable external java debugger 'JAVA_OPTS' "\
> +              "and press return to continue  . . . ")
> +    print
> +    print PKI_DEPLOYMENT_INTERRUPT_BANNER
> +    print
> +    return
> +
> +def wait_to_attach_an_external_java_debugger():
> +    print
> +    print PKI_DEPLOYMENT_INTERRUPT_BANNER
> +    print
> +    print "Attach the java debugger to this process on the port specified by"
> +    print "the 'address' selected by 'JAVA_OPTS' (e. g. - port 8000) and"
> +    print "set any desired breakpoints"
> +    print
> +    raw_input("Please attach an external java debugger "\
> +              "and press return to continue  . . . ")
> +    print
> +    print PKI_DEPLOYMENT_INTERRUPT_BANNER
> +    print
> +    return
> +
> +
>  # PKI Deployment Logger Variables
>  pki_jython_log_level = None
>  pki_log = None
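
Review bot: str2bool returns False for every string it does not recognise, so a typo such as "Ture", or a value such as "on" or "y", in pkideployment.cfg silently becomes False; since this helper gates pki_clone, pki_external, pki_subordinate and pki_backup_keys in pkihelper.py, that changes which passwords are required. Accept an explicit false set ("no", "false", "f", "0") and raise on anything else. The NOTE above the debugger helpers names preparations_for_an_external_java_debugger(master) and wait_to_attach_an_external_java_debugger(master), which match neither the defined names nor their signatures. The printed -Xrunjdwp hint ends in a bare "suspend" and gives address=8000 with no host; JDWP has no authentication, so the hint should show a complete option string and bind to localhost.
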
> @@ -111,6 +166,9 @@ pki_console_log_level = None
>  
> 
>  # PKI Deployment Global Dictionaries
> +pki_sensitive_dict = None
> +pki_mandatory_dict = None
> +pki_optional_dict = None
>  pki_common_dict = None
>  pki_web_server_dict = None
>  pki_subsystem_dict = None
> diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
> index b88eafe..7b77bce 100644
> --- a/base/deploy/src/scriptlets/pkihelper.py
> +++ b/base/deploy/src/scriptlets/pkihelper.py
> @@ -30,14 +30,17 @@ import random
>  import shutil
>  import string
>  import subprocess
> +from grp import getgrgid
>  from grp import getgrnam
>  from pwd import getpwnam
> +from pwd import getpwuid
>  import zipfile
>  
> 
>  # PKI Deployment Imports
>  import pkiconfig as config
>  from pkiconfig import pki_master_dict as master
> +from pkiconfig import pki_sensitive_dict as sensitive
>  from pkiconfig import pki_slots_dict as slots
>  import pkimanifest as manifest
>  import pkimessages as log
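
Review bot: from pkiconfig import pki_sensitive_dict as sensitive copies the value the name has at import time, and this patch initialises pki_sensitive_dict = None in pkiconfig.py; unless the dictionary is assigned before pkihelper is first imported, sensitive stays None and the sensitive.has_key(...) calls added further down fail with AttributeError. The existing master import has the same shape, so the ordering may already be arranged, but reading config.pki_sensitive_dict at call time would remove the dependency.
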
> @@ -117,6 +120,136 @@ def pki_copytree(src, dst, symlinks=False, ignore=None):
>  
>  # PKI Deployment Identity Class
>  class identity:
> +    def __add_gid(self, pki_group):
> +        pki_gid = None
> +        try:
> +            # Does the specified 'pki_group' exist?
> +            pki_gid = getgrnam(pki_group)[2]
> +            # Yes, group 'pki_group' exists!
> +            config.pki_log.info(log.PKIHELPER_GROUP_ADD_2, pki_group, pki_gid,
> +                                extra=config.PKI_INDENTATION_LEVEL_2)
> +        except KeyError as exc:
> +            # No, group 'pki_group' does not exist!
> +            config.pki_log.debug(log.PKIHELPER_GROUP_ADD_KEYERROR_1, exc,
> +                                 extra=config.PKI_INDENTATION_LEVEL_2)
> +            try:
> +                # Is the default well-known GID already defined?
> +                group = getgrgid(config.PKI_DEPLOYMENT_DEFAULT_GID)[0]
> +                # Yes, the default well-known GID exists!
> +                config.pki_log.info(log.PKIHELPER_GROUP_ADD_DEFAULT_2,
> +                                    group, config.PKI_DEPLOYMENT_DEFAULT_GID,
> +                                    extra=config.PKI_INDENTATION_LEVEL_2)
> +                # Attempt to create 'pki_group' using a random GID.
> +                command = "/usr/sbin/groupadd" + " " +\
> +                          pki_group + " " +\
> +                          "> /dev/null 2>&1"
> +            except KeyError as exc:
> +                # No, the default well-known GID does not exist!
> +                config.pki_log.debug(log.PKIHELPER_GROUP_ADD_GID_KEYERROR_1,
> +                                     exc, extra=config.PKI_INDENTATION_LEVEL_2)
> +                # Is the specified 'pki_group' the default well-known group?
> +                if pki_group == config.PKI_DEPLOYMENT_DEFAULT_GROUP:
> +                    # Yes, attempt to create the default well-known group
> +                    # using the default well-known GID.
> +                    command = "/usr/sbin/groupadd" + " " +\
> +                              "-g" + " " +\
> +                              str(config.PKI_DEPLOYMENT_DEFAULT_GID) + " " +\
> +                              "-r" + " " +\
> +                              pki_group + " " +\
> +                              "> /dev/null 2>&1"
> +                else:
> +                    # No, attempt to create 'pki_group' using a random GID.
> +                    command = "/usr/sbin/groupadd" + " " +\
> +                              pki_group + " " +\
> +                              "> /dev/null 2>&1"
> +            # Execute this "groupadd" command.
> +            subprocess.call(command, shell=True)
> +        except subprocess.CalledProcessError as exc:
> +            config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
> +                                 extra=config.PKI_INDENTATION_LEVEL_2)
> +            sys.exit(1)
> +        return
> +
> +    def __add_uid(self, pki_user, pki_group):
> +        pki_uid = None
> +        try:
> +            # Does the specified 'pki_user' exist?
> +            pki_uid = getpwnam(pki_user)[2]
> +            # Yes, user 'pki_user' exists!
> +            config.pki_log.info(log.PKIHELPER_USER_ADD_2, pki_user, pki_uid,
> +                                extra=config.PKI_INDENTATION_LEVEL_2)
> +            # NOTE:  For now, never check validity of specified 'pki_group'!
> +        except KeyError as exc:
> +            # No, user 'pki_user' does not exist!
> +            config.pki_log.debug(log.PKIHELPER_USER_ADD_KEYERROR_1, exc,
> +                                 extra=config.PKI_INDENTATION_LEVEL_2)
> +            try:
> +                # Is the default well-known UID already defined?
> +                user = getpwuid(config.PKI_DEPLOYMENT_DEFAULT_UID)[0]
> +                # Yes, the default well-known UID exists!
> +                config.pki_log.info(log.PKIHELPER_USER_ADD_DEFAULT_2,
> +                                    user, config.PKI_DEPLOYMENT_DEFAULT_UID,
> +                                    extra=config.PKI_INDENTATION_LEVEL_2)
> +                # Attempt to create 'pki_user' using a random UID.
> +                command = "/usr/sbin/useradd" + " " +\
> +                          "-g" + " " +\
> +                          pki_group + " " +\
> +                          "-d" + " " +\
> +                          config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\
> +                          "-s" + " " +\
> +                          config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\
> +                          "-c" + " " +\
> +                          config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\
> +                          pki_user + " " +\
> +                          "> /dev/null 2>&1"
> +            except KeyError as exc:
> +                # No, the default well-known UID does not exist!
> +                config.pki_log.debug(log.PKIHELPER_USER_ADD_UID_KEYERROR_1,
> +                                     exc, extra=config.PKI_INDENTATION_LEVEL_2)
> +                # Is the specified 'pki_user' the default well-known user?
> +                if pki_user == config.PKI_DEPLOYMENT_DEFAULT_USER:
> +                    # Yes, attempt to create the default well-known user
> +                    # using the default well-known UID.
> +                    command = "/usr/sbin/useradd" + " " +\
> +                              "-g" + " " +\
> +                              pki_group + " " +\
> +                              "-d" + " " +\
> +                              config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\
> +                              "-s" + " " +\
> +                              config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\
> +                              "-c" + " " +\
> +                              config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\
> +                              "-u" + " " +\
> +                              str(config.PKI_DEPLOYMENT_DEFAULT_UID) + " " +\
> +                              "-r" + " " +\
> +                              pki_user + " " +\
> +                              "> /dev/null 2>&1"
> +                else:
> +                    # No, attempt to create 'pki_user' using a random UID.
> +                    command = "/usr/sbin/useradd" + " " +\
> +                              "-g" + " " +\
> +                              pki_group + " " +\
> +                              "-d" + " " +\
> +                              config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\
> +                              "-s" + " " +\
> +                              config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\
> +                              "-c" + " " +\
> +                              config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\
> +                              pki_user + " " +\
> +                              "> /dev/null 2>&1"
> +            # Execute this "useradd" command.
> +            subprocess.call(command, shell=True)
> +        except subprocess.CalledProcessError as exc:
> +            config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
> +                                 extra=config.PKI_INDENTATION_LEVEL_2)
> +            sys.exit(1)
> +        return
> +
> +    def add_uid_and_gid(self, pki_user, pki_group):
> +        self.__add_gid(pki_group)
> +        self.__add_uid(pki_user, pki_group)
> +        return
> +
>      def get_uid(self, critical_failure=True):
>          try:
>              pki_uid = master['pki_uid']
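
Review bot: In __add_gid and __add_uid the except subprocess.CalledProcessError clause can never run: subprocess.call returns the exit status instead of raising, and the call sits inside the except KeyError handler, whose exceptions are not caught by sibling clauses of the same try. With output redirected to /dev/null, a failed groupadd or useradd is therefore silent and the installation carries on. Use subprocess.check_call with an argument list and no shell=True (so pki_user and pki_group are never parsed by a shell), wrapped in its own try block. The "never check validity of specified 'pki_group'" note also means an existing user is accepted whatever its group; that deserves a ticket reference in the comment.
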
> @@ -170,18 +303,140 @@ class identity:
>          return pki_gid
>  
> 
> +# PKI Deployment Configuration File Class
> +class configuration_file:
> +    def verify_sensitive_data(self):
> +        # Silently verify the existence of 'sensitive' data
> +        if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
> +            # Verify existence of Directory Server Password (ALWAYS)
> +            if not sensitive.has_key('pki_ds_password') or\
> +               not len(sensitive['pki_ds_password']):
> +                config.pki_log.error(
> +                    log.PKIHELPER_UNDEFINED_DS_PASSWORD_1,
> +                    config.pkideployment_cfg,
> +                    extra=config.PKI_INDENTATION_LEVEL_2)
> +                sys.exit(1)
> +            # Verify existence of Admin Password (except for Clones)
> +            if not config.str2bool(master['pki_clone']):
> +                if not sensitive.has_key('pki_admin_password') or\
> +                   not len(sensitive['pki_admin_password']):
> +                    config.pki_log.error(
> +                        log.PKIHELPER_UNDEFINED_ADMIN_PASSWORD_1,
> +                        config.pkideployment_cfg,
> +                        extra=config.PKI_INDENTATION_LEVEL_2)
> +                    sys.exit(1)
> +            # If required, verify existence of Backup Password
> +            # (except for Clones)
> +            if config.str2bool(master['pki_backup_keys']):
> +                if not config.str2bool(master['pki_clone']):
> +                    if not sensitive.has_key('pki_backup_password') or\
> +                       not len(sensitive['pki_backup_password']):
> +                        config.pki_log.error(
> +                            log.PKIHELPER_UNDEFINED_BACKUP_PASSWORD_1,
> +                            config.pkideployment_cfg,
> +                            extra=config.PKI_INDENTATION_LEVEL_2)
> +                        sys.exit(1)
> +            # Verify existence of PKCS #12 Password (ONLY for Clones)
> +            if config.str2bool(master['pki_clone']):
> +                if not sensitive.has_key('pki_pkcs12_password') or\
> +                   not len(sensitive['pki_pkcs12_password']):
> +                    config.pki_log.error(
> +                        log.PKIHELPER_UNDEFINED_PKCS12_PASSWORD_1,
> +                        config.pkideployment_cfg,
> +                        extra=config.PKI_INDENTATION_LEVEL_2)
> +                    sys.exit(1)
> +            # Verify existence of Security Domain Password File
> +            # (ONLY for Clones, Subordinate CA, KRA, OCSP, RA, TKS, or TPS)
> +            if config.str2bool(master['pki_clone']) or\
> +               config.str2bool(master['pki_subordinate']) or\
> +               master['pki_subsystem'] == "KRA" or\
> +               master['pki_subsystem'] == "OCSP" or\
> +               master['pki_subsystem'] == "RA" or\
> +               master['pki_subsystem'] == "TKS" or\
> +               master['pki_subsystem'] == "TPS":
> +                if not sensitive.has_key('pki_security_domain_password') or\
> +                   not len(sensitive['pki_security_domain_password']):
> +                    config.pki_log.error(
> +                        log.PKIHELPER_UNDEFINED_SECURITY_DOMAIN_PASSWORD_1,
> +                        config.pkideployment_cfg,
> +                        extra=config.PKI_INDENTATION_LEVEL_2)
> +                    sys.exit(1)
> +        return
> +
> +    def verify_mutually_exclusive_data(self):
> +        # Silently verify the existence of 'mutually exclusive' data
> +        if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
> +            if master['pki_subsystem'] == "CA":
> +                if config.str2bool(master['pki_clone']) and\
> +                   config.str2bool(master['pki_external']) and\
> +                   config.str2bool(master['pki_subordinate']):
> +                    config.pki_log.error(
> +                        log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA,
> +                        config.pkideployment_cfg,
> +                        extra=config.PKI_INDENTATION_LEVEL_2)
> +                    sys.exit(1)
> +                elif config.str2bool(master['pki_clone']) and\
> +                     config.str2bool(master['pki_external']):
> +                    config.pki_log.error(
> +                        log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA,
> +                        config.pkideployment_cfg,
> +                        extra=config.PKI_INDENTATION_LEVEL_2)
> +                    sys.exit(1)
> +                elif config.str2bool(master['pki_clone']) and\
> +                     config.str2bool(master['pki_subordinate']):
> +                    config.pki_log.error(
> +                        log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA,
> +                        config.pkideployment_cfg,
> +                        extra=config.PKI_INDENTATION_LEVEL_2)
> +                    sys.exit(1)
> +                elif config.str2bool(master['pki_external']) and\
> +                     config.str2bool(master['pki_subordinate']):
> +                    config.pki_log.error(
> +                        log.PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA,
> +                        config.pkideployment_cfg,
> +                        extra=config.PKI_INDENTATION_LEVEL_2)
> +                    sys.exit(1)
> +
> +
> +# PKI Deployment XML File Class
> +#class xml_file:
> +#    def remove_filter_section_from_web_xml(self,
> +#                                           web_xml_source,
> +#                                           web_xml_target):
> +#        config.pki_log.info(log.PKIHELPER_REMOVE_FILTER_SECTION_1,
> +#            master['pki_target_subsystem_web_xml'],
> +#            extra=config.PKI_INDENTATION_LEVEL_2)
> +#        if not config.pki_dry_run_flag:
> +#            begin_filters_section = False
> +#            begin_servlet_section = False
> +#            FILE = open(web_xml_target, "w")
> +#            for line in fileinput.FileInput(web_xml_source):
> +#                if not begin_filters_section:
> +#                    # Read and write lines until first "<filter>" tag
> +#                    if line.count("<filter>") >= 1:
> +#                        # Mark filters section
> +#                        begin_filters_section = True
> +#                    else:
> +#                        FILE.write(line)
> +#                elif not begin_servlet_section:
> +#                    # Skip lines until first "<servlet>" tag
> +#                    if line.count("<servlet>") >= 1:
> +#                        # Mark servlets section and write out the opening tag
> +#                        begin_servlet_section = True
> +#                        FILE.write(line)
> +#                    else:
> +#                        continue
> +#                else:
> +#                    # Read and write lines all lines after "<servlet>" tag
> +#                    FILE.write(line)
> +#            FILE.close()
> +
> +
>  # PKI Deployment Instance Class
>  class instance:
>      def apache_instances(self):
>          rv = 0
>          try:
> -            if not os.path.exists(master['pki_instance_path']) or\
> -               not os.path.isdir(master['pki_instance_path']):
> -                config.pki_log.error(
> -                    log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
> -                    master['pki_instance_path'],
> -                    extra=config.PKI_INDENTATION_LEVEL_2)
> -                sys.exit(1)
>              # count number of PKI subsystems present
>              # within the specified Apache instance
>              for subsystem in config.PKI_APACHE_SUBSYSTEMS:
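
Review bot: verify_sensitive_data is guarded by master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS, yet the security domain check inside it tests for "RA" and "TPS", which pkiconfig.py lists as PKI_APACHE_SUBSYSTEMS. If the Tomcat list does not contain them, those two comparisons are dead and Apache subsystems get no password verification at all; either move that check outside the Tomcat guard or drop the two names. The commented-out xml_file class is roughly 30 lines of dead code and is better left out of the commit.
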
> @@ -206,13 +461,6 @@ class instance:
>      def pki_subsystem_instances(self):
>          rv = 0
>          try:
> -            if not os.path.exists(master['pki_path']) or\
> -               not os.path.isdir(master['pki_path']):
> -                config.pki_log.error(
> -                    log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
> -                    master['pki_path'],
> -                    extra=config.PKI_INDENTATION_LEVEL_2)
> -                sys.exit(1)
>              # Since ALL directories within the top-level PKI infrastructure
>              # SHOULD represent PKI instances, look for all possible
>              # PKI instances within the top-level PKI infrastructure
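
Review bot: The removed os.path.exists / os.path.isdir guard on master['pki_path'], like the identical guards on master['pki_instance_path'] removed from apache_instances and tomcat_instances, logged the specific PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1 error and exited. The hunks do not show what the rest of the try body does with a missing path, so please confirm that case is still handled and state the reason for the removal in the commit message.
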
> @@ -247,13 +495,6 @@ class instance:
>      def tomcat_instances(self):
>          rv = 0
>          try:
> -            if not os.path.exists(master['pki_instance_path']) or\
> -               not os.path.isdir(master['pki_instance_path']):
> -                config.pki_log.error(
> -                    log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
> -                    master['pki_instance_path'],
> -                    extra=config.PKI_INDENTATION_LEVEL_2)
> -                sys.exit(1)
>              # count number of PKI subsystems present
>              # within the specified Tomcat instance
>              for subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
> @@ -1295,8 +1536,8 @@ class war:
>  
>  # PKI Deployment Password Class
>  class password:
> -    def create_password_conf(self, path, pin, overwrite_flag=False,
> -                             critical_failure=True):
> +    def create_password_conf(self, path, pin, pin_sans_token=False,
> +                             overwrite_flag=False, critical_failure=True):
>          try:
>              if not config.pki_dry_run_flag:
>                  if os.path.exists(path):
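
Review bot: pin_sans_token is inserted ahead of overwrite_flag in the create_password_conf signature, so any existing caller that passes overwrite_flag positionally as the third argument now sets pin_sans_token instead and writes a bare PIN without the token prefix. Append the new parameter after critical_failure, or confirm that every call site uses keywords.
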
> @@ -1306,7 +1547,9 @@ class password:
>                              extra=config.PKI_INDENTATION_LEVEL_2)
>                          # overwrite the existing 'password.conf' file
>                          with open(path, "wt") as fd:
> -                            if master['pki_subsystem'] in\
> +                            if pin_sans_token == True:
> +                                fd.write(str(pin))
> +                            elif master['pki_subsystem'] in\
>                                 config.PKI_APACHE_SUBSYSTEMS:
>                                  fd.write(master['pki_self_signed_token'] +\
>                                           ":" + str(pin))
> @@ -1319,7 +1562,9 @@ class password:
>                                          extra=config.PKI_INDENTATION_LEVEL_2)
>                      # create a new 'password.conf' file
>                      with open(path, "wt") as fd:
> -                        if master['pki_subsystem'] in\
> +                        if pin_sans_token == True:
> +                            fd.write(str(pin))
> +                        elif master['pki_subsystem'] in\
>                             config.PKI_APACHE_SUBSYSTEMS:
>                              fd.write(master['pki_self_signed_token'] +\
>                                       ":" + str(pin))
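Review bot: The three-way branch added in the "create a new 'password.conf' file" path is a copy of the one added in the overwrite path above it. Move the choice of file content (bare PIN, self-signed token prefix, or the remaining case) into one helper so the two paths cannot drift apart the next time a format is added.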
> @@ -1642,6 +1887,90 @@ class certutil:
>          return
>  
> 
> +# PKI Deployment 'systemd' Execution Management Class
> +class systemd:
> +    def start(self, critical_failure=True):
> +        try:
> +            # Compose this "systemd" execution management command
> +            if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
> +                command = "systemctl" + " " +\
> +                          "start" + " " +\
> +                          "pki-apached" + "@" +\
> +                          master['pki_instance_id'] + "." + "service"
> +            elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
> +                command = "systemctl" + " " +\
> +                          "start" + " " +\
> +                          "pki-tomcatd" + "@" +\
> +                          master['pki_instance_id'] + "." + "service"
> +            # Display this "systemd" execution managment command
> +            config.pki_log.info(
> +                log.PKIHELPER_SYSTEMD_COMMAND_1, command,
> +                extra=config.PKI_INDENTATION_LEVEL_2)
> +            if not config.pki_dry_run_flag:
> +                # Execute this "systemd" execution management command
> +                subprocess.call(command, shell=True)
> +        except subprocess.CalledProcessError as exc:
> +            config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
> +                                 extra=config.PKI_INDENTATION_LEVEL_2)
> +            if critical_failure == True:
> +                sys.exit(1)
> +        return
> +
> +    def stop(self, critical_failure=True):
> +        try:
> +            # Compose this "systemd" execution management command
> +            if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
> +                command = "systemctl" + " " +\
> +                          "stop" + " " +\
> +                          "pki-apached" + "@" +\
> +                          master['pki_instance_id'] + "." + "service"
> +            elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
> +                command = "systemctl" + " " +\
> +                          "stop" + " " +\
> +                          "pki-tomcatd" + "@" +\
> +                          master['pki_instance_id'] + "." + "service"
> +            # Display this "systemd" execution managment command
> +            config.pki_log.info(
> +                log.PKIHELPER_SYSTEMD_COMMAND_1, command,
> +                extra=config.PKI_INDENTATION_LEVEL_2)
> +            if not config.pki_dry_run_flag:
> +                # Execute this "systemd" execution management command
> +                subprocess.call(command, shell=True)
> +        except subprocess.CalledProcessError as exc:
> +            config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
> +                                 extra=config.PKI_INDENTATION_LEVEL_2)
> +            if critical_failure == True:
> +                sys.exit(1)
> +        return
> +
> +    def restart(self, critical_failure=True):
> +        try:
> +            # Compose this "systemd" execution management command
> +            if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
> +                command = "systemctl" + " " +\
> +                          "restart" + " " +\
> +                          "pki-apached" + "@" +\
> +                          master['pki_instance_id'] + "." + "service"
> +            elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
> +                command = "systemctl" + " " +\
> +                          "restart" + " " +\
> +                          "pki-tomcatd" + "@" +\
> +                          master['pki_instance_id'] + "." + "service"
> +            # Display this "systemd" execution managment command
> +            config.pki_log.info(
> +                log.PKIHELPER_SYSTEMD_COMMAND_1, command,
> +                extra=config.PKI_INDENTATION_LEVEL_2)
> +            if not config.pki_dry_run_flag:
> +                # Execute this "systemd" execution management command
> +                subprocess.call(command, shell=True)
> +        except subprocess.CalledProcessError as exc:
> +            config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
> +                                 extra=config.PKI_INDENTATION_LEVEL_2)
> +            if critical_failure == True:
> +                sys.exit(1)
> +        return
> +
> +
>  # PKI Deployment 'jython' Class
>  class jython:
>      def invoke(self, scriptlet, critical_failure=True):
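Review bot: In start(), stop() and restart(), subprocess.call() never raises CalledProcessError; it returns the exit status, which is discarded here, so the except clause is dead code and a failed systemctl goes unnoticed even with critical_failure=True. Use subprocess.check_call(), and pass an argument list such as ["systemctl", "start", unit] instead of a concatenated string with shell=True, since master['pki_instance_id'] is interpolated straight into the shell command line. Also, `command` is never assigned when pki_subsystem is in neither subsystem list, which raises an uncaught UnboundLocalError at the logging call. The three methods differ only in the verb, so one private helper taking the verb would remove the triplication.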
> @@ -1681,6 +2010,8 @@ class jython:
>  
>  # PKI Deployment Helper Class Instances
>  identity = identity()
> +configuration_file = configuration_file()
> +#xml_file = xml_file()
>  instance = instance()
>  directory = directory()
>  file = file()
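Review bot: `#xml_file = xml_file()` adds commented-out code to the helper instance list. Either leave it out until it is needed or add a short comment saying why it is disabled.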
> @@ -1688,4 +2019,5 @@ symlink = symlink()
>  war = war()
>  password = password()
>  certutil = certutil()
> +systemd = systemd()
>  jython = jython()
> diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
> index 9c8765a..8008266 100644
> --- a/base/deploy/src/scriptlets/pkijython.py
> +++ b/base/deploy/src/scriptlets/pkijython.py
> @@ -5,6 +5,7 @@ from java.io import BufferedReader
>  from java.io import ByteArrayInputStream
>  from java.io import FileReader
>  from java.io import IOException
> +from java.lang import Integer
>  from java.lang import String as javastring
>  from java.lang import System as javasystem
>  from java.net import URISyntaxException
> @@ -18,6 +19,7 @@ import jarray
>  
> 
>  # System Python Imports
> +import ConfigParser
>  import os
>  import sys
>  pki_python_module_path = os.path.join(sys.prefix,
> @@ -79,10 +81,15 @@ class classPathHacker:
>  jarLoad = classPathHacker()
>  #     Webserver Jars
>  jarLoad.addFile("/usr/share/java/httpcomponents/httpclient.jar")
> +jarLoad.addFile("/usr/share/java/httpcomponents/httpcore.jar")
>  jarLoad.addFile("/usr/share/java/apache-commons-cli.jar")
> +jarLoad.addFile("/usr/share/java/apache-commons-codec.jar")
> +jarLoad.addFile("/usr/share/java/apache-commons-logging.jar")
> +jarLoad.addFile("/usr/share/java/istack-commons-runtime.jar")
>  #     Resteasy Jars
>  jarLoad.addFile("/usr/share/java/glassfish-jaxb/jaxb-impl.jar")
>  jarLoad.addFile("/usr/share/java/resteasy/jaxrs-api.jar")
> +jarLoad.addFile("/usr/share/java/resteasy/resteasy-atom-provider.jar")
>  jarLoad.addFile("/usr/share/java/resteasy/resteasy-jaxb-provider.jar")
>  jarLoad.addFile("/usr/share/java/resteasy/resteasy-jaxrs.jar")
>  jarLoad.addFile("/usr/share/java/resteasy/resteasy-jettison-provider.jar")
> @@ -145,6 +152,63 @@ import pkiconfig as config
>  import pkimessages as log
>  
> 
> +# PKI Deployment Jython Helper Functions
> +def extract_sensitive_data(configuration_file):
> +    "Read 'sensitive' configuration file section into a dictionary"
> +    try:
> +        parser = ConfigParser.ConfigParser()
> +        # Make keys case-sensitive!
> +        parser.optionxform = str
> +        parser.read(configuration_file)
> +        # return dict(parser._sections['Sensitive'])
> +        dictionary = {}
> +        for option in parser.options('Sensitive'):
> +            dictionary[option] = parser.get('Sensitive', option)
> +        return dictionary
> +    except ConfigParser.ParsingError, err:
> +        javasystem.out.println(log.PKI_JYTHON_EXCEPTION_PARSER + " '" +\
> +                               configuration_file + "':  " + str(err))
> +        javasystem.exit(1)
> +
> +def generateCRMFRequest(token, keysize, subjectdn, dualkey):
> +        kg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA)
> +        x = Integer(keysize)
> +        key_len = x.intValue()
> +        kg.initialize(key_len)
> +        # 1st key pair
> +        pair = kg.genKeyPair()
> +        # create CRMF
> +        certTemplate = CertTemplate()
> +        certTemplate.setVersion(INTEGER(2))
> +        if not subjectdn is None:
> +            name = X500Name(subjectdn)
> +            cs = ByteArrayInputStream(name.getEncoded())
> +            n = Name.getTemplate().decode(cs)
> +            certTemplate.setSubject(n)
> +        certTemplate.setPublicKey(SubjectPublicKeyInfo(pair.getPublic()))
> +        seq = SEQUENCE()
> +        certReq = CertRequest(INTEGER(1), certTemplate, seq)
> +        popdata = jarray.array([0x0,0x3,0x0], 'b')
> +        pop = ProofOfPossession.createKeyEncipherment(
> +                  POPOPrivKey.createThisMessage(BIT_STRING(popdata, 3)))
> +        crmfMsg = CertReqMsg(certReq, pop, None)
> +        s1 = SEQUENCE()
> +        # 1st : Encryption key
> +        s1.addElement(crmfMsg)
> +        # 2nd : Signing Key
> +        if dualkey:
> +            javasystem.out.println(log.PKI_JYTHON_IS_DUALKEY)
> +            seq1 = SEQUENCE()
> +            certReqSigning = CertRequest(INTEGER(1), certTemplate, seq1)
> +            signingMsg = CertReqMsg(certReqSigning, pop, None)
> +            s1.addElement(signingMsg)
> +        encoded = jarray.array(ASN1Util.encode(s1), 'b')
> +        # encoder = BASE64Encoder()
> +        # Req1 = encoder.encodeBuffer(encoded)
> +        Req1 = Utils.base64encode(encoded)
> +        return Req1
> +
> +
>  # PKI Deployment 'security databases' Class
>  class security_databases:
>      def initialize_token(self, pki_database_path, pki_dry_run_flag, log_level):
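Review bot: In generateCRMFRequest, `if dualkey:` tests truthiness, so the parameter has to be a real boolean; any non-empty string, including "false", takes the dual-key path. Inside that path the second CertReqMsg reuses the same certTemplate and pop, so the signing request carries the same public key as the encryption request even though the comment says "1st key pair"; generate a second pair if two keys are intended. Separately, extract_sensitive_data only catches ParsingError: ConfigParser's read() silently skips a file it cannot open, and parser.options('Sensitive') then raises NoSectionError, which is not handled. The body of generateCRMFRequest is also indented eight spaces where the rest of the file uses four.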
> @@ -160,11 +224,13 @@ class security_databases:
>              # it is ok if it is already initialized
>              pass
>          except Exception, e:
> -            javasystem.out.println("INITIALIZATION ERROR: " + str(e))
> +            javasystem.out.println(log.PKI_JYTHON_INITIALIZATION_ERROR +\
> +                                   " " + str(e))
>              javasystem.exit(1)
>  
>      def log_into_token(self, pki_database_path, password_conf,
>                         pki_dry_run_flag, log_level):
> +        token = None
>          try:
>              if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
>                  print "%s %s '%s'" %\
> @@ -174,10 +240,10 @@ class security_databases:
>              if not pki_dry_run_flag:
>                  manager = CryptoManager.getInstance()
>                  token = manager.getInternalKeyStorageToken()
> -                # Retrieve 'token_pwd' from 'password_conf'
> +                # Retrieve 'password' from client-side 'password_conf'
>                  #
>                  #     NOTE:  For now, ONLY read the first line
> -                #            (which contains the password)
> +                #            (which contains "password")
>                  #
>                  fd = open(password_conf, "r")
>                  token_pwd = fd.readline()
> @@ -188,13 +254,364 @@ class security_databases:
>                  try:
>                      token.login(password)
>                  except Exception, e:
> -                    javasystem.out.println("login Exception: " + str(e))
> +                    javasystem.out.println(log.PKI_JYTHON_LOGIN_EXCEPTION +\
> +                                           " " + str(e))
>                      if not token.isLoggedIn():
>                          token.initPassword(password, password)
> +                    javasystem.exit(1)
>          except Exception, e:
> -            javasystem.out.println("Exception in logging into token: " +\
> -                                   str(e))
> +            javasystem.out.println(log.PKI_JYTHON_TOKEN_LOGIN_EXCEPTION +\
> +                                   " " + str(e))
>              javasystem.exit(1)
> +        return token
> +
> +
> +# PKI Deployment 'REST Client' Class
> +class rest_client:
> +    client = None
> +
> +    def initialize(self, base_uri, pki_dry_run_flag, log_level):
> +        try:
> +            if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
> +                print "%s %s '%s'" %\
> +                      (log.PKI_JYTHON_INDENTATION_2,
> +                       log.PKI_JYTHON_INITIALIZING_REST_CLIENT,
> +                       base_uri)
> +            if not pki_dry_run_flag:
> +                self.client = ConfigurationRESTClient(base_uri, None)
> +            return self.client
> +        except URISyntaxException, e:
> +            e.printStackTrace()
> +            javasystem.exit(1)
> +
> +    def construct_pki_configuration_data(self, master, token):
> +        data = None
> +        if master['pki_jython_log_level'] >= config.PKI_JYTHON_INFO_LOG_LEVEL:
> +            print "%s %s '%s'" %\
> +                  (log.PKI_JYTHON_INDENTATION_2,
> +                   log.PKI_JYTHON_CONSTRUCTING_PKI_DATA,
> +                   master['pki_subsystem'])
> +        if not master['pki_dry_run_flag']:
> +            sensitive = extract_sensitive_data(master['pki_deployment_cfg'])
> +            data = ConfigurationData()
> +            # Miscellaneous Configuration Information
> +            data.setPin(master['pki_one_time_pin'])
> +            data.setToken(ConfigurationData.TOKEN_DEFAULT)
> +            if master['pki_instance_type'] == "Tomcat":
> +                if master['pki_subsystem'] == "CA":
> +                    if config.str2bool(master['pki_clone']):
> +                        # Cloned CA
> +                        data.setHierarchy("root")
> +                        data.setIsClone("true")
> +                        data.setSubsystemName("Cloned CA Subsystem")
> +                    elif config.str2bool(master['pki_external']):
> +                        # External CA
> +                        data.setHierarchy("join")
> +                        data.setIsClone("false")
> +                        data.setSubsystemName("External CA Subsystem")
> +                    elif config.str2bool(master['pki_subordinate']):
> +                        # Subordinate CA
> +                        data.setHierarchy("join")
> +                        data.setIsClone("false")
> +                        data.setSubsystemName("Subordinate CA Subsystem")
> +                    else:
> +                        # PKI CA
> +                        data.setHierarchy("root")
> +                        data.setIsClone("false")
> +                        data.setSubsystemName("PKI CA Subsystem")
> +                elif master['pki_subsystem'] == "KRA":
> +                    if config.str2bool(master['pki_clone']):
> +                        # Cloned KRA
> +                        data.setIsClone("true")
> +                        data.setSubsystemName("Cloned KRA Subsystem")
> +                    else:
> +                        # PKI KRA
> +                        data.setIsClone("false")
> +                        data.setSubsystemName("PKI KRA Subsystem")
> +                elif master['pki_subsystem'] == "OCSP":
> +                    if config.str2bool(master['pki_clone']):
> +                        # Cloned OCSP
> +                        data.setIsClone("true")
> +                        data.setSubsystemName("Cloned OCSP Subsystem")
> +                    else:
> +                        # PKI OCSP
> +                        data.setIsClone("false")
> +                        data.setSubsystemName("PKI OCSP Subsystem")
> +                elif master['pki_subsystem'] == "TKS":
> +                    if config.str2bool(master['pki_clone']):
> +                        # Cloned TKS
> +                        data.setIsClone("true")
> +                        data.setSubsystemName("Cloned TKS Subsystem")
> +                    else:
> +                        # PKI TKS
> +                        data.setIsClone("false")
> +                        data.setSubsystemName("PKI TKS Subsystem")
> +            # Security Domain Information
> +            if master['pki_instance_type'] == "Tomcat":
> +                if master['pki_subsystem'] == "CA":
> +                    if config.str2bool(master['pki_external']):
> +                        # External CA
> +                        data.setSecurityDomainType(
> +                            ConfigurationData.NEW_DOMAIN)
> +                        data.setSecurityDomainName(
> +                            master['pki_security_domain_name'])
> +                    elif not config.str2bool(master['pki_clone']) and\
> +                         not config.str2bool(master['pki_subordinate']):
> +                        # PKI CA
> +                        data.setSecurityDomainType(
> +                            ConfigurationData.NEW_DOMAIN)
> +                        data.setSecurityDomainName(
> +                            master['pki_security_domain_name'])
> +                    else:
> +                        # PKI Cloned or Subordinate CA
> +                        data.setSecurityDomainType(
> +                            ConfigurationData.EXISTING_DOMAIN)
> +                        data.setSecurityDomainUri(
> +                            master['pki_security_domain_uri'])
> +                        data.setSecurityDomainUser(
> +                            master['pki_security_domain_user'])
> +                        data.setSecurityDomainPassword(
> +                            sensitive['pki_security_domain_password'])
> +                else:
> +                    # PKI KRA, OCSP, or TKS
> +                    data.setSecurityDomainType(
> +                        ConfigurationData.EXISTING_DOMAIN)
> +                    data.setSecurityDomainUri(
> +                        master['pki_security_domain_uri'])
> +                    data.setSecurityDomainUser(
> +                        master['pki_security_domain_user'])
> +                    data.setSecurityDomainPassword(
> +                        sensitive['pki_security_domain_password'])
> +            # Directory Server Information
> +            if master['pki_subsystem'] != "RA":
> +                data.setDsHost(master['pki_ds_hostname'])
> +                data.setDsPort(master['pki_ds_http_port'])
> +                data.setBaseDN(master['pki_ds_base_dn'])
> +                data.setBindDN(master['pki_ds_bind_dn'])
> +                data.setDatabase(master['pki_ds_database'])
> +                data.setBindpwd(sensitive['pki_ds_password'])
> +                if config.str2bool(master['pki_ds_remove_data']):
> +                    data.setRemoveData("true")
> +                else:
> +                    data.setRemoveData("false")
> +                if config.str2bool(master['pki_ds_secure_connection']):
> +                    data.setSecureConn("true")
> +                else:
> +                    data.setSecureConn("false")
> +            # Backup Information
> +            if master['pki_instance_type'] == "Tomcat":
> +                if config.str2bool(master['pki_backup_keys']):
> +                    data.setBackupKeys("true")
> +                    data.setBackupFile(master['pki_backup_file'])
> +                    data.setBackupPassword(
> +                        sensitive['pki_backup_password'])
> +                else:
> +                    data.setBackupKeys("false")
> +            # Admin Information
> +            if master['pki_instance_type'] == "Tomcat":
> +                if not config.str2bool(master['pki_clone']):
> +                    data.setAdminEmail(master['pki_admin_email'])
> +                    data.setAdminName(master['pki_admin_name'])
> +                    data.setAdminPassword(sensitive['pki_admin_password'])
> +                    data.setAdminProfileID(master['pki_admin_profile_id'])
> +                    data.setAdminUID(master['pki_admin_uid'])
> +                    data.setAdminSubjectDN(master['pki_admin_subject_dn'])
> +                    if master['pki_admin_cert_request_type'] == "crmf":
> +                        data.setAdminCertRequestType("crmf")
> +                        if config.str2bool(master['pki_admin_dualkey']):
> +                            crmf_request = generateCRMFRequest(
> +                                               token,
> +                                               master['pki_admin_keysize'],
> +                                               master['pki_admin_subject_dn'],
> +                                               "true")
> +                        else:
> +                            crmf_request = generateCRMFRequest(
> +                                               token,
> +                                               master['pki_admin_keysize'],
> +                                               master['pki_admin_subject_dn'],
> +                                               "false")
> +                        data.setAdminCertRequest(crmf_request)
> +                    else:
> +                        javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
> +                        javasystem.exit(1)
> +            # Create system certs
> +            systemCerts = ArrayList()
> +            # Create 'CA Signing Certificate'
> +            if master['pki_instance_type'] == "Tomcat":
> +                if not config.str2bool(master['pki_clone']):
> +                    if master['pki_subsystem'] == "CA":
> +                        # External CA, Subordinate CA, or PKI CA
> +                        cert1 = CertData()
> +                        cert1.setTag(master['pki_ca_signing_tag'])
> +                        cert1.setKeyAlgorithm(
> +                            master['pki_ca_signing_key_algorithm'])
> +                        cert1.setKeySize(master['pki_ca_signing_key_size'])
> +                        cert1.setKeyType(master['pki_ca_signing_key_type'])
> +                        cert1.setNickname(master['pki_ca_signing_nickname'])
> +                        cert1.setSigningAlgorithm(
> +                            master['pki_ca_signing_signing_algorithm'])
> +                        cert1.setSubjectDN(master['pki_ca_signing_subject_dn'])
> +                        cert1.setToken(master['pki_ca_signing_token'])
> +                        systemCerts.add(cert1)
> +            # Create 'OCSP Signing Certificate'
> +            if master['pki_instance_type'] == "Tomcat":
> +                if not config.str2bool(master['pki_clone']):
> +                    if master['pki_subsystem'] == "CA" or\
> +                       master['pki_subsystem'] == "OCSP":
> +                        # External CA, Subordinate CA, PKI CA, or PKI OCSP
> +                        cert2 = CertData()
> +                        cert2.setTag(master['pki_ocsp_signing_tag'])
> +                        cert2.setKeyAlgorithm(
> +                            master['pki_ocsp_signing_key_algorithm'])
> +                        cert2.setKeySize(master['pki_ocsp_signing_key_size'])
> +                        cert2.setKeyType(master['pki_ocsp_signing_key_type'])
> +                        cert2.setNickname(master['pki_ocsp_signing_nickname'])
> +                        cert2.setSigningAlgorithm(
> +                            master['pki_ocsp_signing_signing_algorithm'])
> +                        cert2.setSubjectDN(
> +                            master['pki_ocsp_signing_subject_dn'])
> +                        cert2.setToken(master['pki_ocsp_signing_token'])
> +                        systemCerts.add(cert2)
> +            # Create 'SSL Server Certificate'
> +            #     PKI RA, PKI TPS,
> +            #     PKI CA, PKI KRA, PKI OCSP, PKI TKS,
> +            #     PKI CA CLONE, PKI KRA CLONE, PKI OCSP CLONE, PKI TKS CLONE,
> +            #     External CA, or Subordinate CA
> +            cert3 = CertData()
> +            cert3.setTag(master['pki_ssl_server_tag'])
> +            cert3.setKeyAlgorithm(master['pki_ssl_server_key_algorithm'])
> +            cert3.setKeySize(master['pki_ssl_server_key_size'])
> +            cert3.setKeyType(master['pki_ssl_server_key_type'])
> +            cert3.setNickname(master['pki_ssl_server_nickname'])
> +            cert3.setSubjectDN(master['pki_ssl_server_subject_dn'])
> +            cert3.setToken(master['pki_ssl_server_token'])
> +            systemCerts.add(cert3)
> +            # Create 'Subsystem Certificate'
> +            if master['pki_instance_type'] == "Apache":
> +                # PKI RA or PKI TPS
> +                cert4 = CertData()
> +                cert4.setTag(master['pki_subsystem_tag'])
> +                cert4.setKeyAlgorithm(master['pki_subsystem_key_algorithm'])
> +                cert4.setKeySize(master['pki_subsystem_key_size'])
> +                cert4.setKeyType(master['pki_subsystem_key_type'])
> +                cert4.setNickname(master['pki_subsystem_nickname'])
> +                cert4.setSubjectDN(master['pki_subsystem_subject_dn'])
> +                cert4.setToken(master['pki_subsystem_token'])
> +                systemCerts.add(cert4)
> +            elif master['pki_instance_type'] == "Tomcat":
> +                if not config.str2bool(master['pki_clone']):
> +                    # PKI CA, PKI KRA, PKI OCSP, PKI TKS,
> +                    # External CA, or Subordinate CA
> +                    cert4 = CertData()
> +                    cert4.setTag(master['pki_subsystem_tag'])
> +                    cert4.setKeyAlgorithm(master['pki_subsystem_key_algorithm'])
> +                    cert4.setKeySize(master['pki_subsystem_key_size'])
> +                    cert4.setKeyType(master['pki_subsystem_key_type'])
> +                    cert4.setNickname(master['pki_subsystem_nickname'])
> +                    cert4.setSubjectDN(master['pki_subsystem_subject_dn'])
> +                    cert4.setToken(master['pki_subsystem_token'])
> +                    systemCerts.add(cert4)
> +            # Create 'Audit Signing Certificate'
> +            if master['pki_instance_type'] == "Apache":
> +                if master['pki_subsystem'] != "RA":
> +                    # PKI TPS
> +                    cert5 = CertData()
> +                    cert5.setTag(master['pki_audit_signing_tag'])
> +                    cert5.setKeyAlgorithm(
> +                        master['pki_audit_signing_key_algorithm'])
> +                    cert5.setKeySize(master['pki_audit_signing_key_size'])
> +                    cert5.setKeyType(master['pki_audit_signing_key_type'])
> +                    cert5.setNickname(master['pki_audit_signing_nickname'])
> +                    cert5.setKeyAlgorithm(
> +                        master['pki_audit_signing_signing_algorithm'])
> +                    cert5.setSubjectDN(master['pki_audit_signing_subject_dn'])
> +                    cert5.setToken(master['pki_audit_signing_token'])
> +                    systemCerts.add(cert5)
> +            elif master['pki_instance_type'] == "Tomcat":
> +                if not config.str2bool(master['pki_clone']):
> +                    # PKI CA, PKI KRA, PKI OCSP, PKI TKS,
> +                    # External CA, or Subordinate CA
> +                    cert5 = CertData()
> +                    cert5.setTag(master['pki_audit_signing_tag'])
> +                    cert5.setKeyAlgorithm(
> +                        master['pki_audit_signing_key_algorithm'])
> +                    cert5.setKeySize(master['pki_audit_signing_key_size'])
> +                    cert5.setKeyType(master['pki_audit_signing_key_type'])
> +                    cert5.setNickname(master['pki_audit_signing_nickname'])
> +                    cert5.setKeyAlgorithm(
> +                        master['pki_audit_signing_signing_algorithm'])
> +                    cert5.setSubjectDN(master['pki_audit_signing_subject_dn'])
> +                    cert5.setToken(master['pki_audit_signing_token'])
> +                    systemCerts.add(cert5)
> +            # Create 'DRM Transport Certificate'
> +            if master['pki_instance_type'] == "Tomcat":
> +                if not config.str2bool(master['pki_clone']):
> +                    if master['pki_subsystem'] == "KRA":
> +                        # PKI KRA
> +                        cert6 = CertData()
> +                        cert6.setTag(master['pki_transport_tag'])
> +                        cert6.setKeyAlgorithm(
> +                            master['pki_transport_key_algorithm'])
> +                        cert6.setKeySize(master['pki_transport_key_size'])
> +                        cert6.setKeyType(master['pki_transport_key_type'])
> +                        cert6.setNickname(master['pki_transport_nickname'])
> +                        cert6.setKeyAlgorithm(
> +                            master['pki_transport_signing_algorithm'])
> +                        cert6.setSubjectDN(master['pki_transport_subject_dn'])
> +                        cert6.setToken(master['pki_transport_token'])
> +                        systemCerts.add(cert6)
> +            # Create 'DRM Storage Certificate'
> +            if master['pki_instance_type'] == "Tomcat":
> +                if not config.str2bool(master['pki_clone']):
> +                    if master['pki_subsystem'] == "KRA":
> +                        # PKI KRA
> +                        cert7 = CertData()
> +                        cert7.setTag(master['pki_storage_tag'])
> +                        cert7.setKeyAlgorithm(
> +                            master['pki_storage_key_algorithm'])
> +                        cert7.setKeySize(master['pki_storage_key_size'])
> +                        cert7.setKeyType(master['pki_storage_key_type'])
> +                        cert7.setNickname(master['pki_storage_nickname'])
> +                        cert7.setKeyAlgorithm(
> +                            master['pki_storage_signing_algorithm'])
> +                        cert7.setSubjectDN(master['pki_storage_subject_dn'])
> +                        cert7.setToken(master['pki_storage_token'])
> +                        systemCerts.add(cert7)
> +            # Create system certs
> +            data.setSystemCerts(systemCerts)
> +        return data
> +
> +    def configure_pki_data(self, data, pki_subsystem, pki_dry_run_flag,
> +                           log_level):
> +        if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
> +            print "%s %s '%s'" %\
> +                  (log.PKI_JYTHON_INDENTATION_2,
> +                   log.PKI_JYTHON_CONFIGURING_PKI_DATA,
> +                   pki_subsystem)
> +        if not pki_dry_run_flag:
> +            try:
> +                response = self.client.configure(data)
> +                javasystem.out.println(log.PKI_JYTHON_RESPONSE_STATUS +\
> +                                       " " + response.getStatus())
> +                javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\
> +                                       " " + response.getAdminCert().getCert())
> +                certs = response.getSystemCerts()
> +                iterator = certs.iterator()
> +                while iterator.hasNext():
> +                    cdata = iterator.next()
> +                    javasystem.out.println(log.PKI_JYTHON_CDATA_TAG + " " +\
> +                                           cdata.getTag())
> +                    javasystem.out.println(log.PKI_JYTHON_CDATA_CERT + " " +\
> +                                           cdata.getCert())
> +                    javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\
> +                                           cdata.getRequest())
> +            except Exception, e:
> +                javasystem.out.println(
> +                    log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e))
> +                javasystem.exit(1)
> +        return
> +
>  
>  # PKI Deployment Jython Class Instances
>  security_databases = security_databases()
> +rest_client = rest_client()
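Review bot: In the cert5 blocks (audit signing, both the Apache and Tomcat branches) and in cert6 and cert7, setKeyAlgorithm() is called a second time with the *_signing_algorithm value, which overwrites the key algorithm and leaves the signing algorithm unset; cert1 and cert2 use setSigningAlgorithm() for that field. Both generateCRMFRequest calls pass dualkey as the strings "true" and "false", which are both truthy in Python, so pass True/False. In log_into_token, the added javasystem.exit(1) runs after every login exception, including when initPassword() has just succeeded; if that is intended, a comment saying so would help.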
> diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
> index 806a64e..d7d50a6 100644
> --- a/base/deploy/src/scriptlets/pkimessages.py
> +++ b/base/deploy/src/scriptlets/pkimessages.py
> @@ -20,6 +20,14 @@
>  #
>  
>  # PKI Deployment Engine Messages
> +PKI_DICTIONARY_MANDATORY ="\n"\
> +"=====================================================\n"\
> +"    DISPLAY CONTENTS OF PKI MANDATORY DICTIONARY\n"\
> +"====================================================="
> +PKI_DICTIONARY_OPTIONAL ="\n"\
> +"=====================================================\n"\
> +"    DISPLAY CONTENTS OF PKI OPTIONAL DICTIONARY\n"\
> +"====================================================="
>  PKI_DICTIONARY_COMMON ="\n"\
>  "=====================================================\n"\
>  "    DISPLAY CONTENTS OF PKI COMMON DICTIONARY\n"\
> @@ -40,6 +48,7 @@ PKI_DICTIONARY_WEB_SERVER="\n"\
>  "=====================================================\n"\
>  "    DISPLAY CONTENTS OF PKI WEB SERVER DICTIONARY\n"\
>  "====================================================="
> +# NEVER print out 'sensitive' data dictionary!!!
>  
> 
>  # PKI Deployment Log Messages
> @@ -150,10 +159,16 @@ PKIHELPER_CP_P_2 = "cp -p %s %s"
>  PKIHELPER_CP_RP_2 = "cp -rp %s %s"
>  PKIHELPER_CREATE_SECURITY_DATABASES_1 = "executing '%s'"
>  PKIHELPER_DANGLING_SYMLINK_2 = "Dangling symlink '%s'-->'%s'"
> +PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1 = "KeyError:  Master dictionary "\
> +                                            "is missing the key called '%s'!"
>  PKIHELPER_DIRECTORY_IS_EMPTY_1 = "directory '%s' is empty"
>  PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1 = "directory '%s' is NOT empty"
>  PKIHELPER_GID_2 = "GID of '%s' is %s"
>  PKIHELPER_GROUP_1 = "retrieving GID for '%s' . . ."
> +PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ."
> +PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ."
> +PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError:  pki_gid %s"
> +PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError:  pki_group %s"
>  PKIHELPER_INVOKE_JYTHON_3 = "executing 'export %s;"\
>                              "jython %s %s <master_dictionary>'"
>  PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory"
> @@ -165,32 +180,82 @@ PKIHELPER_MKDIR_1 = "mkdir -p %s"
>  PKIHELPER_MODIFY_DIR_1 = "modifying '%s'"
>  PKIHELPER_MODIFY_FILE_1 = "modifying '%s'"
>  PKIHELPER_MODIFY_SYMLINK_1 = "modifying '%s'"
> +PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA = "cloned CAs and external "\
> +                                                 "CAs MUST be MUTUALLY "\
> +                                                 "EXCLUSIVE in '%s'"
> +PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA = "cloned CAs, external "\
> +                                                     "CAs, and subordinate CAs"\
> +                                                     "MUST ALL be MUTUALLY "\
> +                                                     "EXCLUSIVE in '%s'"
> +PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA = "cloned CAs and subordinate "\
> +                                            "CAs MUST be MUTUALLY "\
> +                                            "EXCLUSIVE in '%s'"
> +PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA = "external CAs and subordinate "\
> +                                               "CAs MUST be MUTUALLY "\
> +                                               "EXCLUSIVE in '%s'"
>  PKIHELPER_NOISE_FILE_2 = "generating noise file called '%s' and "\
>                           "filling it with '%d' random bytes"
>  PKIHELPER_PASSWORD_CONF_1 = "generating '%s'"
>  PKIHELPER_PKI_SUBSYSTEM_INSTANCES_2 = "instance '%s' contains '%d' "\
>                                        "PKI subsystems"
> +PKIHELPER_REMOVE_FILTER_SECTION_1 = "removing filter section from '%s'"
>  PKIHELPER_RM_F_1 = "rm -f %s"
>  PKIHELPER_RM_RF_1 = "rm -rf %s"
>  PKIHELPER_RMDIR_1 = "rmdir %s"
>  PKIHELPER_SET_MODE_1 = "setting ownerships, permissions, and acls on '%s'"
>  PKIHELPER_SLOT_SUBSTITUTION_2 = "slot substitution: '%s' ==> '%s'"
> +PKIHELPER_SYSTEMD_COMMAND_1 = "executing '%s'"
>  PKIHELPER_TOMCAT_INSTANCES_2 = "instance '%s' contains '%d' "\
>                                 "Tomcat PKI subsystems"
>  PKIHELPER_TOUCH_1 = "touch %s"
>  PKIHELPER_UID_2 = "UID of '%s' is %s"
> +PKIHELPER_UNDEFINED_ADMIN_PASSWORD_1 =\
> +    "A value for 'pki_admin_password' MUST be defined in '%s'"
> +PKIHELPER_UNDEFINED_BACKUP_PASSWORD_1 =\
> +    "A value for 'pki_backup_password' MUST be defined in '%s'"
> +PKIHELPER_UNDEFINED_DS_PASSWORD_1 =\
> +    "A value for 'pki_ds_password' MUST be defined in '%s'"
> +PKIHELPER_UNDEFINED_PKCS12_PASSWORD_1 =\
> +    "A value for 'pki_pkcs12_password' MUST be defined in '%s'"
> +PKIHELPER_UNDEFINED_SECURITY_DOMAIN_PASSWORD_1 =\
> +    "A value for 'pki_security_domain_password' MUST be defined in '%s'"
>  PKIHELPER_USER_1 = "retrieving UID for '%s' . . ."
> +PKIHELPER_USER_ADD_2 = "adding UID '%s' for user '%s' . . ."
> +PKIHELPER_USER_ADD_DEFAULT_2 = "adding default UID '%s' for user '%s' . . ."
> +PKIHELPER_USER_ADD_KEYERROR_1 = "KeyError:  pki_user %s"
> +PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError:  pki_uid %s"
>  
> 
>  # PKI Deployment Jython "Scriptlet" Messages
>  # (MUST contain NO embedded formats since Jython 2.2 does not support logging!)
> +PKI_JYTHON_CDATA_TAG = "tag:"
> +PKI_JYTHON_CDATA_CERT = "cert:"
> +PKI_JYTHON_CDATA_REQUEST = "request:"
> +PKI_JYTHON_CLONED_PKI_SUBSYSTEM = "Cloned"
> +PKI_JYTHON_CONFIGURING_PKI_DATA = "configuring PKI configuration data for"
> +PKI_JYTHON_CONSTRUCTING_PKI_DATA = "constructing PKI configuration data for"
> +PKI_JYTHON_CRMF_SUPPORT_ONLY = "only the 'crmf' certificate request type "\
> +                               "is currently supported"
> +PKI_JYTHON_IS_DUALKEY = "dualkey = true"
> +PKI_JYTHON_EXCEPTION_PARSER = "Problem parsing"
> +PKI_JYTHON_EXTERNAL_CA = "External"
>  PKI_JYTHON_INDENTATION_0 = "pkispawn    : JYTHON  "
>  PKI_JYTHON_INDENTATION_1 = "pkispawn    : JYTHON   ..."
>  PKI_JYTHON_INDENTATION_2 = "pkispawn    : JYTHON   ......."
>  PKI_JYTHON_INDENTATION_3 = "pkispawn    : JYTHON   ..........."
>  PKI_JYTHON_INDENTATION_4 = "pkispawn    : JYTHON   ..............."
> +PKI_JYTHON_INITIALIZATION_ERROR = "INITIALIZATION ERROR:"
> +PKI_JYTHON_INITIALIZING_REST_CLIENT = "initializing REST client via"
>  PKI_JYTHON_INITIALIZING_TOKEN = "initializing token located in"
> +PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION =\
> +    "Exception from Java Configuration Servlet:"
>  PKI_JYTHON_LOG_INTO_TOKEN = "logging into token located in"
> +PKI_JYTHON_LOGIN_EXCEPTION = "login Exception:"
> +PKI_JYTHON_RESPONSE_ADMIN_CERT = "adminCert:"
> +PKI_JYTHON_RESPONSE_STATUS = "status:"
> +PKI_JYTHON_TOKEN_LOGIN_EXCEPTION = "Exception in logging into token:"
> +PKI_JYTHON_NOT_YET_IMPLEMENTED = "NOT YET IMPLEMENTED"
> +PKI_JYTHON_SUBORDINATE_CA = "Subordinate"
>  
> 
>  # PKI Deployment "Scriptlet" Messages
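
Review bot: PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA is missing a space between its second and third string fragments (`"CAs, and subordinate CAs"` followed by `"MUST ALL be MUTUALLY "`), so the message renders as "subordinate CAsMUST ALL be". Add a trailing space to the second fragment. The four MUTUALLY_EXCLUSIVE constants each take one `%s` but lack the `_1` suffix that the neighbouring names (for example PKIHELPER_REMOVE_FILTER_SECTION_1) use to record the argument count, and PKI_JYTHON_IS_DUALKEY and PKI_JYTHON_NOT_YET_IMPLEMENTED are out of the alphabetical order the rest of the block keeps.
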
> diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
> index 0add192..5abfdc0 100644
> --- a/base/deploy/src/scriptlets/pkiparser.py
> +++ b/base/deploy/src/scriptlets/pkiparser.py
> @@ -53,22 +53,18 @@ def process_command_line_arguments(argv):
>                             required=True, metavar='<subsystem>',
>                             help='where <subsystem> is '
>                                  'CA, KRA, OCSP, RA, TKS, or TPS')
> +    if os.path.basename(argv[0]) == 'pkispawn':
> +        mandatory.add_argument('-f',
> +                               dest='pkideployment_cfg', action='store',
> +                               nargs=1, required=True, metavar='<file>',
> +                               help='specifies configuration filename')
>      optional = parser.add_argument_group('optional arguments')
>      optional.add_argument('--dry_run',
>                            dest='pki_dry_run_flag', action='store_true',
>                            help='do not actually perform any actions')
> -    optional.add_argument('-f',
> -                          dest='pkideployment_cfg', action='store',
> -                          nargs=1, metavar='<file>',
> -                          help='overrides default configuration filename')
>      optional.add_argument('-h', '--help',
>                            dest='help', action='help',
>                            help='show this help message and exit')
> -    optional.add_argument('-p',
> -                          dest='pki_root_prefix', action='store',
> -                          nargs=1, metavar='<prefix>',
> -                          help='directory prefix to specify local directory '
> -                               '[TEST ONLY]')
>      if os.path.basename(argv[0]) == 'pkispawn':
>          optional.add_argument('-u',
>                                dest='pki_update_flag', action='store_true',
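
Review bot: the `os.path.basename(argv[0]) == 'pkispawn'` test that now decides whether `-f` is registered at all is repeated a few lines further down for `-u`; compute it once into a local boolean so the two branches cannot drift apart. Since `-f` changes here from an optional override of a default file to `required=True`, the help text and any man page should also state that pkispawn no longer falls back to a default configuration file.
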
> @@ -98,6 +94,12 @@ def process_command_line_arguments(argv):
>                          dest='custom_pki_ajp_port', action='store',
>                          nargs=1, metavar='<port>',
>                          help='AJP port (CA, KRA, OCSP, TKS)')
> +    test = parser.add_argument_group('test arguments')
> +    test.add_argument('-p',
> +                      dest='pki_root_prefix', action='store',
> +                      nargs=1, metavar='<prefix>',
> +                      help='directory prefix to specify local directory '
> +                           '[TEST ONLY]')
>      args = parser.parse_args()
>  
>      config.pki_subsystem = str(args.pki_subsystem).strip('[\']')
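
Review bot: `-p` is still registered unconditionally, so moving it into a 'test arguments' group only changes how the help output is laid out; the `[TEST ONLY]` prefix option remains available on every installed pkispawn and pkidestroy. If it is not meant for production use, gate its registration (or reject it after parsing) behind an explicit test switch rather than relying on the help label.
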
> @@ -187,7 +189,7 @@ def process_command_line_arguments(argv):
>                  print
>                  parser.print_help()
>                  parser.exit(-1);
> -    if not args.pkideployment_cfg is None:
> +    if os.path.basename(argv[0]) == 'pkispawn':
>          config.pkideployment_cfg = str(args.pkideployment_cfg).strip('[\']')
>      elif os.path.basename(argv[0]) == 'pkidestroy':
>          # NOTE:  When performing 'pkidestroy', a configuration file must be
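
Review bot: `str(args.pkideployment_cfg).strip('[\']')` stringifies the one-element list that `nargs=1` produces and then strips bracket and quote characters, which also removes those characters from a filename that legitimately begins or ends with them. `args.pkideployment_cfg[0]` gives the value directly. The new condition also drops the `is None` guard and relies entirely on `required=True` in the earlier hunk; a short comment saying so would help the next reader.
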
> @@ -258,6 +260,9 @@ def read_pki_configuration_file():
>          # Make keys case-sensitive!
>          parser.optionxform = str
>          parser.read(config.pkideployment_cfg)
> +        config.pki_sensitive_dict = dict(parser._sections['Sensitive'])
> +        config.pki_mandatory_dict = dict(parser._sections['Mandatory'])
> +        config.pki_optional_dict = dict(parser._sections['Optional'])
>          config.pki_common_dict = dict(parser._sections['Common'])
>          if config.pki_subsystem == "CA":
>              config.pki_web_server_dict = dict(parser._sections['Tomcat'])
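
Review bot: the three new lookups index `parser._sections` directly, so a deployment file written for the previous layout, without `[Sensitive]`, `[Mandatory]` or `[Optional]`, fails here with a bare KeyError. A `parser.has_section()` check that names the missing section and the file would give the administrator something actionable. `_sections` is also a private attribute of the parser; the existing `Common` line already depends on it, but each added use makes a later move to the public API harder.
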
> @@ -278,6 +283,9 @@ def read_pki_configuration_file():
>              config.pki_web_server_dict = dict(parser._sections['Apache'])
>              config.pki_subsystem_dict = dict(parser._sections['TPS'])
>          # Insert empty record into dictionaries for "pretty print" statements
> +        #     NEVER print "sensitive" key value pairs!!!
> +        config.pki_mandatory_dict[0] = None
> +        config.pki_optional_dict[0] = None
>          config.pki_common_dict[0] = None
>          config.pki_web_server_dict[0] = None
>          config.pki_subsystem_dict[0] = None
> @@ -297,13 +305,19 @@ def compose_pki_master_dictionary():
>              config.pki_certificate_timestamp
>          config.pki_master_dict['pki_architecture'] = config.pki_architecture
>          config.pki_master_dict['pki_hostname'] = config.pki_hostname
> +        config.pki_master_dict['pki_dns_domainname'] =\
> +            config.pki_dns_domainname
>          config.pki_master_dict['pki_pin'] = config.pki_pin
>          config.pki_master_dict['pki_client_pin'] = config.pki_client_pin
>          config.pki_master_dict['pki_one_time_pin'] = config.pki_one_time_pin
>          config.pki_master_dict['pki_dry_run_flag'] = config.pki_dry_run_flag
>          config.pki_master_dict['pki_jython_log_level'] =\
>              config.pki_jython_log_level
> +        config.pki_master_dict['pki_deployment_cfg'] = config.pkideployment_cfg
>          # Configuration file name/value pairs
> +        #     NEVER add "sensitive" key value pairs to the master dictionary!!!
> +        config.pki_master_dict.update(config.pki_mandatory_dict)
> +        config.pki_master_dict.update(config.pki_optional_dict)
>          config.pki_master_dict.update(config.pki_common_dict)
>          config.pki_master_dict.update(config.pki_web_server_dict)
>          config.pki_master_dict.update(config.pki_subsystem_dict)
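
Review bot: the new comment says sensitive key/value pairs must never be added to the master dictionary, yet `pki_pin`, `pki_client_pin` and `pki_one_time_pin` are assigned into it a few lines above. Either move the pins out with the other sensitive values or extend the comment to say why they are exempt. Separately, the two new `update()` calls run after the computed keys are set, so a `[Mandatory]` or `[Optional]` entry named, say, `pki_hostname` silently overwrites the computed value; and the new key is spelled `pki_deployment_cfg` while the attribute it copies is `pkideployment_cfg`.
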
> @@ -357,8 +371,7 @@ def compose_pki_master_dictionary():
>          #           (e. g. Tomcat:  "tomcat", "example.com-tomcat")
>          #           (e. g. Apache:  "apache", "example.com-apache")
>          #
> -        if not config.pki_master_dict['pki_admin_domain_name'] is None and\
> -           not config.pki_master_dict['pki_admin_domain_name'] is '':
> +        if len(config.pki_master_dict['pki_admin_domain_name']):
>              config.pki_master_dict['pki_instance_id'] =\
>                  config.pki_master_dict['pki_admin_domain_name'] +\
>                  "-" + config.pki_master_dict['pki_instance_name']
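
Review bot: `len(config.pki_master_dict['pki_admin_domain_name'])` raises TypeError when the value is None, a case the removed condition explicitly allowed for, and KeyError when the key is absent. `if config.pki_master_dict.get('pki_admin_domain_name'):` keeps the simplification and treats None, missing and empty alike.
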
> @@ -458,6 +471,9 @@ def compose_pki_master_dictionary():
>                      os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
>                                   "ca",
>                                   "emails")
> +                config.pki_master_dict['pki_source_flatfile_txt'] =\
> +                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
> +                                 "flatfile.txt")
>                  config.pki_master_dict['pki_source_profiles'] =\
>                      os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
>                                   "ca",
> @@ -465,6 +481,43 @@ def compose_pki_master_dictionary():
>                  config.pki_master_dict['pki_source_proxy_conf'] =\
>                      os.path.join(config.pki_master_dict['pki_source_conf_path'],
>                                   "proxy.conf")
> +                config.pki_master_dict['pki_source_registry_cfg'] =\
> +                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
> +                                 "registry.cfg")
> +                # '*.profile'
> +                config.pki_master_dict['pki_source_admincert_profile'] =\
> +                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
> +                                 "adminCert.profile")
> +                config.pki_master_dict['pki_source_caauditsigningcert_profile']\
> +                    = os.path.join(
> +                          config.pki_master_dict['pki_source_conf_path'],
> +                          "caAuditSigningCert.profile")
> +                config.pki_master_dict['pki_source_cacert_profile'] =\
> +                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
> +                                 "caCert.profile")
> +                config.pki_master_dict['pki_source_caocspcert_profile'] =\
> +                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
> +                                 "caOCSPCert.profile")
> +                config.pki_master_dict['pki_source_servercert_profile'] =\
> +                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
> +                                 "serverCert.profile")
> +                config.pki_master_dict['pki_source_subsystemcert_profile'] =\
> +                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
> +                                 "subsystemCert.profile")
> +            elif config.pki_master_dict['pki_subsystem'] == "KRA":
> +                # '*.profile'
> +                config.pki_master_dict['pki_source_servercert_profile'] =\
> +                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
> +                                 "serverCert.profile")
> +                config.pki_master_dict['pki_source_storagecert_profile'] =\
> +                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
> +                                 "storageCert.profile")
> +                config.pki_master_dict['pki_source_subsystemcert_profile'] =\
> +                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
> +                                 "subsystemCert.profile")
> +                config.pki_master_dict['pki_source_transportcert_profile'] =\
> +                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
> +                                 "transportCert.profile")
>          # PKI top-level file system layout name/value pairs
>          # NOTE:  Never use 'os.path.join()' whenever 'pki_root_prefix'
>          #        is being prepended!!!
> @@ -498,12 +551,14 @@ def compose_pki_master_dictionary():
>          if config.pki_master_dict['pki_subsystem'] in\
>             config.PKI_APACHE_SUBSYSTEMS:
>              # Apache instance base name/value pairs
> +            config.pki_master_dict['pki_instance_type'] = "Apache"
>              # Apache instance log name/value pairs
>              # Apache instance configuration name/value pairs
>              # Apache instance registry name/value pairs
>              config.pki_master_dict['pki_instance_type_registry_path'] =\
> -                os.path.join(config.pki_master_dict['pki_registry_path'],
> -                             "apache")
> +                os.path.join(
> +                    config.pki_master_dict['pki_registry_path'],
> +                    config.pki_master_dict['pki_instance_type'].lower())
>              config.pki_master_dict['pki_instance_registry_path'] =\
>                  os.path.join(
>                      config.pki_master_dict['pki_instance_type_registry_path'],
> @@ -513,12 +568,16 @@ def compose_pki_master_dictionary():
>          elif config.pki_master_dict['pki_subsystem'] in\
>               config.PKI_TOMCAT_SUBSYSTEMS:
>              # Tomcat instance base name/value pairs
> +            config.pki_master_dict['pki_instance_type'] = "Tomcat"
>              config.pki_master_dict['pki_tomcat_common_path'] =\
>                  os.path.join(config.pki_master_dict['pki_instance_path'],
>                               "common")
>              config.pki_master_dict['pki_tomcat_common_lib_path'] =\
>                  os.path.join(config.pki_master_dict['pki_tomcat_common_path'],
>                               "lib")
> +            config.pki_master_dict['pki_tomcat_tmpdir_path'] =\
> +                os.path.join(config.pki_master_dict['pki_instance_path'],
> +                             "temp")
>              config.pki_master_dict['pki_tomcat_webapps_path'] =\
>                  os.path.join(config.pki_master_dict['pki_instance_path'],
>                               "webapps")
> @@ -529,28 +588,43 @@ def compose_pki_master_dictionary():
>                  os.path.join(
>                      config.pki_master_dict['pki_tomcat_webapps_root_path'],
>                      "WEB-INF")
> -            config.pki_master_dict['pki_tomcat_webapps_webinf_path'] =\
> -                os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'],
> -                             "WEB-INF")
> -            config.pki_master_dict['pki_tomcat_webapps_webinf_classes_path'] =\
> -                os.path.join(
> -                    config.pki_master_dict['pki_tomcat_webapps_webinf_path'],
> -                    "classes")
> -            config.pki_master_dict['pki_tomcat_webapps_webinf_lib_path'] =\
> -                os.path.join(
> -                    config.pki_master_dict['pki_tomcat_webapps_webinf_path'],
> -                    "lib")
>              config.pki_master_dict['pki_tomcat_webapps_root_webinf_web_xml'] =\
>                  os.path.join(
>                      config.pki_master_dict\
>                      ['pki_tomcat_webapps_root_webinf_path'],
>                      "web.xml")
> +            config.pki_master_dict['pki_tomcat_work_path'] =\
> +                os.path.join(config.pki_master_dict['pki_instance_path'],
> +                             "work")
> +            config.pki_master_dict['pki_tomcat_work_catalina_path'] =\
> +                os.path.join(config.pki_master_dict['pki_tomcat_work_path'],
> +                             "Catalina")
> +            config.pki_master_dict['pki_tomcat_work_catalina_host_path'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_work_catalina_path'],
> +                    "localhost")
> +            config.pki_master_dict['pki_tomcat_work_catalina_host_run_path'] =\
> +                os.path.join(
> +                    config.pki_master_dict\
> +                    ['pki_tomcat_work_catalina_host_path'],
> +                    "_")
> +            config.pki_master_dict\
> +            ['pki_tomcat_work_catalina_host_subsystem_path'] =\
> +                os.path.join(
> +                    config.pki_master_dict\
> +                    ['pki_tomcat_work_catalina_host_path'],
> +                    config.pki_master_dict['pki_subsystem'].lower())
>              # Tomcat instance log name/value pairs
>              # Tomcat instance configuration name/value pairs
> +            config.pki_master_dict['pki_instance_log4j_properties'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_instance_configuration_path'],
> +                    "log4j.properties")
>              # Tomcat instance registry name/value pairs
>              config.pki_master_dict['pki_instance_type_registry_path'] =\
> -                os.path.join(config.pki_master_dict['pki_registry_path'],
> -                             "tomcat")
> +                os.path.join(
> +                    config.pki_master_dict['pki_registry_path'],
> +                    config.pki_master_dict['pki_instance_type'].lower())
>              config.pki_master_dict['pki_instance_registry_path'] =\
>                  os.path.join(
>                      config.pki_master_dict['pki_instance_type_registry_path'],
> @@ -562,9 +636,205 @@ def compose_pki_master_dictionary():
>              config.pki_master_dict['pki_tomcat_lib_link'] =\
>                  os.path.join(config.pki_master_dict['pki_instance_path'],
>                               "lib")
> +            config.pki_master_dict['pki_tomcat_lib_log4j_properties_link'] =\
> +                os.path.join(config.pki_master_dict['pki_tomcat_lib_path'],
> +                             "log4j.properties")
>              config.pki_master_dict['pki_instance_systemd_link'] =\
>                  os.path.join(config.pki_master_dict['pki_instance_path'],
>                               config.pki_master_dict['pki_instance_id'])
> +            # Tomcat instance common lib jars
> +            if config.pki_master_dict['pki_architecture'] == 64:
> +                config.pki_master_dict['pki_jss_jar'] =\
> +                    os.path.join("/usr/lib64/java",
> +                                 "jss4.jar")
> +                config.pki_master_dict['pki_symkey_jar'] =\
> +                    os.path.join("/usr/lib64/java",
> +                                 "symkey.jar")
> +            else:
> +                config.pki_master_dict['pki_jss_jar'] =\
> +                    os.path.join("/usr/lib/java",
> +                                 "jss4.jar")
> +                config.pki_master_dict['pki_symkey_jar'] =\
> +                    os.path.join("/usr/lib/java",
> +                                 "symkey.jar")
> +            config.pki_master_dict['pki_apache_commons_collections_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
> +                             "apache-commons-collections.jar")
> +            config.pki_master_dict['pki_apache_commons_lang_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
> +                             "apache-commons-lang.jar")
> +            config.pki_master_dict['pki_apache_commons_logging_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
> +                             "apache-commons-logging.jar")
> +            config.pki_master_dict['pki_commons_codec_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
> +                             "commons-codec.jar")
> +            config.pki_master_dict['pki_httpclient_jar'] =\
> +                os.path.join(
> +                    config.PKI_DEPLOYMENT_HTTPCOMPONENTS_JAR_SOURCE_ROOT,
> +                    "httpclient.jar")
> +            config.pki_master_dict['pki_javassist_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
> +                             "javassist.jar")
> +            config.pki_master_dict['pki_resteasy_jaxrs_api_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT,
> +                             "jaxrs-api.jar")
> +            config.pki_master_dict['pki_jettison_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
> +                             "jettison.jar")
> +            config.pki_master_dict['pki_ldapjdk_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
> +                             "ldapjdk.jar")
> +            config.pki_master_dict['pki_certsrv_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
> +                             "pki-certsrv.jar")
> +            config.pki_master_dict['pki_cmsbundle'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
> +                             "pki-cmsbundle.jar")
> +            config.pki_master_dict['pki_cmscore'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
> +                             "pki-cmscore.jar")
> +            config.pki_master_dict['pki_cms'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
> +                             "pki-cms.jar")
> +            config.pki_master_dict['pki_cmsutil'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
> +                             "pki-cmsutil.jar")
> +            config.pki_master_dict['pki_nsutil'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
> +                             "pki-nsutil.jar")
> +            config.pki_master_dict['pki_resteasy_jaxb_provider_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT,
> +                             "resteasy-jaxb-provider.jar")
> +            config.pki_master_dict['pki_resteasy_jaxrs_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT,
> +                             "resteasy-jaxrs.jar")
> +            config.pki_master_dict['pki_resteasy_jettison_provider_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT,
> +                             "resteasy-jettison-provider.jar")
> +            config.pki_master_dict['pki_scannotation_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
> +                             "scannotation.jar")
> +            config.pki_master_dict['pki_tomcatjss_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
> +                             "tomcatjss.jar")
> +            config.pki_master_dict['pki_velocity_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
> +                             "velocity.jar")
> +            config.pki_master_dict['pki_xerces_j2_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
> +                             "xerces-j2.jar")
> +            config.pki_master_dict['pki_xml_commons_apis_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
> +                             "xml-commons-apis.jar")
> +            config.pki_master_dict['pki_xml_commons_resolver_jar'] =\
> +                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
> +                             "xml-commons-resolver.jar")
> +            # Tomcat instance common lib jar symbolic links
> +            config.pki_master_dict['pki_jss_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "jss4.jar")
> +            config.pki_master_dict['pki_symkey_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "symkey.jar")
> +            config.pki_master_dict['pki_apache_commons_collections_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "apache-commons-collections.jar")
> +            config.pki_master_dict['pki_apache_commons_lang_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "apache-commons-lang.jar")
> +            config.pki_master_dict['pki_apache_commons_logging_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "apache-commons-logging.jar")
> +            config.pki_master_dict['pki_commons_codec_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "apache-commons-codec.jar")
> +            config.pki_master_dict['pki_httpclient_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "httpclient.jar")
> +            config.pki_master_dict['pki_javassist_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "javassist.jar")
> +            config.pki_master_dict['pki_resteasy_jaxrs_api_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "jaxrs-api.jar")
> +            config.pki_master_dict['pki_jettison_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "jettison.jar")
> +            config.pki_master_dict['pki_ldapjdk_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "ldapjdk.jar")
> +            config.pki_master_dict['pki_certsrv_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "pki-certsrv.jar")
> +            config.pki_master_dict['pki_cmsbundle_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "pki-cmsbundle.jar")
> +            config.pki_master_dict['pki_cmscore_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "pki-cmscore.jar")
> +            config.pki_master_dict['pki_cms_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "pki-cms.jar")
> +            config.pki_master_dict['pki_cmsutil_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "pki-cmsutil.jar")
> +            config.pki_master_dict['pki_nsutil_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "pki-nsutil.jar")
> +            config.pki_master_dict['pki_resteasy_jaxb_provider_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "resteasy-jaxb-provider.jar")
> +            config.pki_master_dict['pki_resteasy_jaxrs_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "resteasy-jaxrs.jar")
> +            config.pki_master_dict['pki_resteasy_jettison_provider_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "resteasy-jettison-provider.jar")
> +            config.pki_master_dict['pki_scannotation_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "scannotation.jar")
> +            config.pki_master_dict['pki_tomcatjss_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "tomcatjss.jar")
> +            config.pki_master_dict['pki_velocity_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "velocity.jar")
> +            config.pki_master_dict['pki_xerces_j2_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "xerces-j2.jar")
> +            config.pki_master_dict['pki_xml_commons_apis_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "xml-commons-apis.jar")
> +            config.pki_master_dict['pki_xml_commons_resolver_jar_link'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                    "xml-commons-resolver.jar")
>          # Instance layout NSS security database name/value pairs
>          config.pki_master_dict['pki_database_path'] =\
>              os.path.join(
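
Review bot: The '*_jar_link' assignments added in this hunk (jettison.jar through xml-commons-resolver.jar) are one three-line os.path.join() on 'pki_tomcat_common_lib_path' repeated with only the key and the file name changed, so a key paired with the wrong jar name would be easy to miss in review. Consider building them in a loop over a list of (key, jar name) pairs so each pairing is stated once.
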
> @@ -612,9 +882,6 @@ def compose_pki_master_dictionary():
>          elif config.pki_master_dict['pki_subsystem'] in\
>               config.PKI_TOMCAT_SUBSYSTEMS:
>              # Instance-based Tomcat PKI subsystem base name/value pairs
> -            config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\
> -                os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'],
> -                             config.pki_master_dict['pki_subsystem'].lower())
>              if config.pki_master_dict['pki_subsystem'] == "CA":
>                  config.pki_master_dict['pki_subsystem_emails_path'] =\
>                  os.path.join(config.pki_master_dict['pki_subsystem_path'],
> @@ -632,18 +899,6 @@ def compose_pki_master_dictionary():
>              config.pki_master_dict['pki_subsystem_tomcat_webapps_link'] =\
>                  os.path.join(config.pki_master_dict['pki_subsystem_path'],
>                               "webapps")
> -            config.pki_master_dict\
> -            ['pki_tomcat_webapps_subsystem_webinf_classes_link'] =\
> -                os.path.join(
> -                    config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
> -                    "WEB-INF",
> -                    "classes")
> -            config.pki_master_dict\
> -            ['pki_tomcat_webapps_subsystem_webinf_lib_link'] =\
> -                os.path.join(
> -                    config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
> -                    "WEB-INF",
> -                    "lib")
>          # Instance-based Apache/Tomcat PKI subsystem convenience symbolic links
>          config.pki_master_dict['pki_subsystem_database_link'] =\
>              os.path.join(config.pki_master_dict['pki_subsystem_path'],
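
Review bot: The two keys removed here, 'pki_tomcat_webapps_subsystem_webinf_classes_link' and 'pki_tomcat_webapps_subsystem_webinf_lib_link', reappear in the next hunk under names ending in '_path', so any scriptlet that still indexes pki_master_dict with the old '_link' names will raise KeyError at deployment time. Please confirm that every reader of these keys is renamed in the same patch.
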
> @@ -654,6 +909,78 @@ def compose_pki_master_dictionary():
>          config.pki_master_dict['pki_subsystem_logs_link'] =\
>              os.path.join(config.pki_master_dict['pki_subsystem_path'],
>                           "logs")
> +        # PKI Target (war file) name/value pairs
> +        if config.pki_master_dict['pki_subsystem'] in\
> +           config.PKI_TOMCAT_SUBSYSTEMS:
> +            # Tomcat PKI subsystem war file base name/value pairs
> +            config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\
> +                os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'],
> +                             config.pki_master_dict['pki_subsystem'].lower())
> +            config.pki_master_dict\
> +            ['pki_tomcat_webapps_subsystem_webinf_classes_path'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
> +                    "WEB-INF",
> +                    "classes")
> +            config.pki_master_dict\
> +            ['pki_tomcat_webapps_subsystem_webinf_lib_path'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
> +                    "WEB-INF",
> +                    "lib")
> +            # Tomcat PKI subsystem war file convenience symbolic links
> +            if config.pki_master_dict['pki_subsystem'] == "CA":
> +                config.pki_master_dict['pki_ca_jar'] =\
> +                    os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
> +                                 "pki-ca.jar")
> +                # config.pki_master_dict['pki_ca_jar_link'] =\
> +                #     os.path.join(
> +                #         config.pki_master_dict\
> +                #         ['pki_tomcat_webapps_subsystem_webinf_lib_path'],
> +                #         "pki-ca.jar")
> +                config.pki_master_dict['pki_ca_jar_link'] =\
> +                    os.path.join(
> +                        config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                        "pki-ca.jar")
> +            elif config.pki_master_dict['pki_subsystem'] == "KRA":
> +                config.pki_master_dict['pki_kra_jar'] =\
> +                    os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
> +                                 "pki-kra.jar")
> +                # config.pki_master_dict['pki_kra_jar_link'] =\
> +                #     os.path.join(
> +                #         config.pki_master_dict\
> +                #         ['pki_tomcat_webapps_subsystem_webinf_lib_path'],
> +                #         "pki-kra.jar")
> +                config.pki_master_dict['pki_kra_jar_link'] =\
> +                    os.path.join(
> +                        config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                        "pki-kra.jar")
> +            elif config.pki_master_dict['pki_subsystem'] == "OCSP":
> +                config.pki_master_dict['pki_ocsp_jar'] =\
> +                    os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
> +                                 "pki-ocsp.jar")
> +                # config.pki_master_dict['pki_ocsp_jar_link'] =\
> +                #     os.path.join(
> +                #         config.pki_master_dict\
> +                #         ['pki_tomcat_webapps_subsystem_webinf_lib_path'],
> +                #         "pki-ocsp.jar")
> +                config.pki_master_dict['pki_ocsp_jar_link'] =\
> +                    os.path.join(
> +                        config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                        "pki-ocsp.jar")
> +            elif config.pki_master_dict['pki_subsystem'] == "TKS":
> +                config.pki_master_dict['pki_tks_jar'] =\
> +                    os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
> +                                 "pki-tks.jar")
> +                # config.pki_master_dict['pki_tks_jar_link'] =\
> +                #     os.path.join(
> +                #         config.pki_master_dict\
> +                #         ['pki_tomcat_webapps_subsystem_webinf_lib_path'],
> +                #         "pki-tks.jar")
> +                config.pki_master_dict['pki_tks_jar_link'] =\
> +                    os.path.join(
> +                        config.pki_master_dict['pki_tomcat_common_lib_path'],
> +                        "pki-tks.jar")
>          # PKI Target (slot substitution) name/value pairs
>          config.pki_master_dict['pki_target_cs_cfg'] =\
>              os.path.join(
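
Review bot: Each of the CA, KRA, OCSP and TKS branches keeps a commented-out 'pki_<subsystem>_jar_link' assignment targeting 'pki_tomcat_webapps_subsystem_webinf_lib_path' directly above the live one targeting 'pki_tomcat_common_lib_path', with nothing saying why the subsystem jar is linked into the common lib directory rather than WEB-INF/lib. Either delete the dead assignments or replace them with a one-line comment giving the reason. The four branches also differ only in the subsystem name, so the key and jar name could be derived from config.pki_master_dict['pki_subsystem'].lower() once.
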
> @@ -699,12 +1026,50 @@ def compose_pki_master_dictionary():
>                      config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
>                      "WEB-INF",
>                      "web.xml")
> +            config.pki_master_dict['pki_target_subsystem_web_xml_orig'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
> +                    "WEB-INF",
> +                    "web.xml.orig")
>              # subystem-specific slot substitution name/value pairs
>              if config.pki_master_dict['pki_subsystem'] == "CA":
> +                config.pki_master_dict['pki_target_flatfile_txt'] =\
> +                    os.path.join(config.pki_master_dict\
> +                                 ['pki_subsystem_configuration_path'],
> +                                 "flatfile.txt")
>                  config.pki_master_dict['pki_target_proxy_conf'] =\
>                      os.path.join(config.pki_master_dict\
>                                   ['pki_subsystem_configuration_path'],
>                                   "proxy.conf")
> +                config.pki_master_dict['pki_target_registry_cfg'] =\
> +                    os.path.join(config.pki_master_dict\
> +                                 ['pki_subsystem_configuration_path'],
> +                                 "registry.cfg")
> +                # '*.profile'
> +                config.pki_master_dict['pki_target_admincert_profile'] =\
> +                    os.path.join(config.pki_master_dict\
> +                                 ['pki_subsystem_configuration_path'],
> +                                 "adminCert.profile")
> +                config.pki_master_dict['pki_target_caauditsigningcert_profile']\
> +                    = os.path.join(config.pki_master_dict\
> +                                   ['pki_subsystem_configuration_path'],
> +                                   "caAuditSigningCert.profile")
> +                config.pki_master_dict['pki_target_cacert_profile'] =\
> +                    os.path.join(config.pki_master_dict\
> +                                 ['pki_subsystem_configuration_path'],
> +                                 "caCert.profile")
> +                config.pki_master_dict['pki_target_caocspcert_profile'] =\
> +                    os.path.join(config.pki_master_dict\
> +                                 ['pki_subsystem_configuration_path'],
> +                                 "caOCSPCert.profile")
> +                config.pki_master_dict['pki_target_servercert_profile'] =\
> +                    os.path.join(config.pki_master_dict\
> +                                 ['pki_subsystem_configuration_path'],
> +                                 "serverCert.profile")
> +                config.pki_master_dict['pki_target_subsystemcert_profile'] =\
> +                    os.path.join(config.pki_master_dict\
> +                                 ['pki_subsystem_configuration_path'],
> +                                 "subsystemCert.profile")
>                  # in-place slot substitution name/value pairs
>                  config.pki_master_dict['pki_target_profileselect_template'] =\
>                      os.path.join(
> @@ -713,6 +1078,24 @@ def compose_pki_master_dictionary():
>                          "ee",
>                          config.pki_master_dict['pki_subsystem'].lower(),
>                          "ProfileSelect.template")
> +            elif config.pki_master_dict['pki_subsystem'] == "KRA":
> +                # '*.profile'
> +                config.pki_master_dict['pki_target_servercert_profile'] =\
> +                    os.path.join(config.pki_master_dict\
> +                                 ['pki_subsystem_configuration_path'],
> +                                 "serverCert.profile")
> +                config.pki_master_dict['pki_target_storagecert_profile'] =\
> +                    os.path.join(config.pki_master_dict\
> +                                 ['pki_subsystem_configuration_path'],
> +                                 "storageCert.profile")
> +                config.pki_master_dict['pki_target_subsystemcert_profile'] =\
> +                    os.path.join(config.pki_master_dict\
> +                                 ['pki_subsystem_configuration_path'],
> +                                 "subsystemCert.profile")
> +                config.pki_master_dict['pki_target_transportcert_profile'] =\
> +                    os.path.join(config.pki_master_dict\
> +                                 ['pki_subsystem_configuration_path'],
> +                                 "transportCert.profile")
>          # Slot assignment name/value pairs
>          #     NOTE:  Master key == Slots key; Master value ==> Slots value
>          config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\
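
Review bot: The 'pki_target_servercert_profile' and 'pki_target_subsystemcert_profile' assignments in this new KRA branch are identical to the ones the previous hunk adds to the CA branch (same key, same join on 'pki_subsystem_configuration_path', same file name). Hoist the shared pair above the if/elif so it is defined once, and add a comment if OCSP and TKS are intentionally left without '*.profile' targets, since the chain stops at KRA.
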
> @@ -830,6 +1213,8 @@ def compose_pki_master_dictionary():
>                               "tomcat")
>              config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] =\
>                  config.pki_master_dict['pki_proxy_https_port']
> +            config.pki_master_dict['PKI_TMPDIR_SLOT'] =\
> +                config.pki_master_dict['pki_tomcat_tmpdir_path']
>              config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] =\
>                  config.pki_master_dict['pki_proxy_http_port']
>              config.pki_master_dict['PKI_RANDOM_NUMBER_SLOT'] =\
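
Review bot: 'PKI_TMPDIR_SLOT' is inserted between 'PKI_PROXY_SECURE_PORT_SLOT' and 'PKI_PROXY_UNSECURE_PORT_SLOT', which splits the proxy port pair and breaks the alphabetical order the neighbouring slot assignments follow (PKI_PROXY_..., PKI_RANDOM_NUMBER_SLOT). Move it to its sorted position so the slot list stays easy to scan for duplicates and omissions.
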
> @@ -846,6 +1231,8 @@ def compose_pki_master_dictionary():
>                  config.pki_master_dict['pki_security_manager']
>              config.pki_master_dict['PKI_SERVER_XML_CONF_SLOT'] =\
>                  config.pki_master_dict['pki_target_server_xml']
> +            config.pki_master_dict['PKI_SUBSYSTEM_DIR_SLOT'] =\
> +                config.pki_master_dict['pki_subsystem'].lower() + "/"
>              config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\
>                  config.pki_master_dict['pki_subsystem'].lower()
>              config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\
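
Review bot: 'PKI_SUBSYSTEM_DIR_SLOT' bakes a trailing "/" into its value, while 'PKI_SUBSYSTEM_TYPE_SLOT' on the following lines is the same lowercased subsystem name without it, and nothing here documents the difference. Add a comment stating that templates must append to this slot without their own separator, or drop the "/" and let the templates supply it, so that a substitution cannot yield a doubled or missing slash in a path.
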
> @@ -924,6 +1311,10 @@ def compose_pki_master_dictionary():
>                  "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," +\
>                  "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
>          # Shared Apache/Tomcat NSS security database name/value pairs
> +        config.pki_master_dict['pki_shared_pfile'] =\
> +            os.path.join(
> +                config.pki_master_dict['pki_instance_configuration_path'],
> +                "pfile")
>          config.pki_master_dict['pki_shared_password_conf'] =\
>              os.path.join(
>                  config.pki_master_dict['pki_instance_configuration_path'],
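
Review bot: The new 'pki_shared_pfile' key carries no comment saying what "pfile" contains, although it is added under the shared NSS security database heading directly above 'pki_shared_password_conf'. Please document its purpose here and, if it holds a password or PIN, state the ownership and mode the scriptlet that creates it is expected to apply.
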
> @@ -941,13 +1332,13 @@ def compose_pki_master_dictionary():
>          config.pki_master_dict['pki_self_signed_nickname'] =\
>              "Server-Cert cert-" + config.pki_master_dict['pki_instance_id']
>          config.pki_master_dict['pki_self_signed_subject'] =\
> -            "CN=" + config.pki_master_dict['pki_hostname'] + "," +\
> -            "O=" + config.pki_master_dict['pki_certificate_timestamp']
> +            "cn=" + config.pki_master_dict['pki_hostname'] + "," +\
> +            "o=" + config.pki_master_dict['pki_certificate_timestamp']
>          config.pki_master_dict['pki_self_signed_serial_number'] = 0
>          config.pki_master_dict['pki_self_signed_validity_period'] = 12
>          config.pki_master_dict['pki_self_signed_issuer_name'] =\
> -            "CN=" + config.pki_master_dict['pki_hostname'] + "," +\
> -            "O=" + config.pki_master_dict['pki_certificate_timestamp']
> +            "cn=" + config.pki_master_dict['pki_hostname'] + "," +\
> +            "o=" + config.pki_master_dict['pki_certificate_timestamp']
>          config.pki_master_dict['pki_self_signed_trustargs'] = "CTu,CTu,CTu"
>          config.pki_master_dict['pki_self_signed_noise_file'] =\
>              os.path.join(
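
Review bot: The switch from "CN="/"O=" to "cn="/"o=" in 'pki_self_signed_subject' and 'pki_self_signed_issuer_name' is not explained, and attribute type names in a DN are case-insensitive, so if the lower case is there to satisfy a string comparison elsewhere a comment should say so. The two values are also built by the same expression twice; compute the string once and assign it to both keys so the subject and issuer of the self-signed certificate cannot drift apart. Note that 'pki_hostname' is concatenated into the DN unescaped.
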
> @@ -992,10 +1383,778 @@ def compose_pki_master_dictionary():
>                           "pki",
>                           "deployment",
>                           "configuration.jy")
> +        config.pki_master_dict['pki_jython_base_uri'] =\
> +            "https" + "://" + config.pki_master_dict['pki_hostname'] + ":" +\
> +            config.pki_master_dict['pki_https_port'] + "/" +\
> +            config.pki_master_dict['pki_subsystem'].lower() + "/" + "pki"
> +        # Jython scriptlet
> +        # 'Security Domain' Configuration name/value pairs
> +        #
> +        #     Apache - [RA], [TPS]
> +        #     Tomcat - [CA], [KRA], [OCSP], [TKS]
> +        #            - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
> +        #            - [External CA]
> +        #            - [Subordinate CA]
> +        #
> +        #     The following variables are defined below:
> +        #
> +        #         config.pki_master_dict['pki_security_domain_type']
> +        #         config.pki_master_dict['pki_security_domain_uri']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and are NOT redefined below:
> +        #
> +        #         config.pki_master_dict['pki_security_domain_https_port']
> +        #         config.pki_master_dict['pki_security_domain_password']
> +        #         config.pki_master_dict['pki_security_domain_user']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and potentially overridden below:
> +        #
> +        #         config.pki_master_dict['pki_security_domain_hostname']
> +        #         config.pki_master_dict['pki_security_domain_name']
> +        #
> +        if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
> +            if config.pki_subsystem == "CA":
> +                if config.str2bool(config.pki_master_dict['pki_external']):
> +                    # External CA
> +                    config.pki_master_dict['pki_security_domain_type'] = "new"
> +                    if not len(config.pki_master_dict\
> +                               ['pki_security_domain_name']):
> +                        config.pki_master_dict['pki_security_domain_name'] =\
> +                            "External CA Security Domain"
> +                elif not config.str2bool(config.pki_master_dict['pki_clone'])\
> +                     and not\
> +                     config.str2bool(config.pki_master_dict['pki_subordinate']):
> +                    # PKI CA
> +                    config.pki_master_dict['pki_security_domain_type'] = "new"
> +                    if not len(config.pki_master_dict\
> +                               ['pki_security_domain_name']):
> +                        config.pki_master_dict['pki_security_domain_name'] =\
> +                            config.pki_master_dict['pki_dns_domainname'] +\
> +                            " " + "Security Domain"
> +                else:
> +                    # PKI Cloned or Subordinate CA
> +                    config.pki_master_dict['pki_security_domain_type'] =\
> +                        "existing"
> +                    if not len(config.pki_master_dict\
> +                               ['pki_security_domain_hostname']):
> +                        # Guess that it is the local host
> +                        config.pki_master_dict['pki_security_domain_hostname']\
> +                            = config.pki_master_dict['pki_hostname']
> +                    config.pki_master_dict['pki_security_domain_uri'] =\
> +                        "https" + "://" +\
> +                        config.pki_master_dict['pki_security_domain_hostname']\
> +                        + ":" + config.pki_security_domain_https_port
> +            else:
> +                # PKI KRA, OCSP, or TKS
> +                config.pki_master_dict['pki_security_domain_type'] = "existing"
> +                if not len(config.pki_master_dict\
> +                           ['pki_security_domain_hostname']):
> +                    # Guess that it is the local host
> +                    config.pki_master_dict['pki_security_domain_hostname'] =\
> +                        config.pki_master_dict['pki_hostname']
> +                config.pki_master_dict['pki_security_domain_uri'] =\
> +                    "https" + "://" +\
> +                    config.pki_master_dict['pki_security_domain_hostname'] +\
> +                    ":" +\
> +                    config.pki_master_dict['pki_security_domain_https_port']
> +        # Jython scriptlet
> +        # 'Directory Server' Configuration name/value pairs
> +        #
> +        #     Apache - [TPS]
> +        #     Tomcat - [CA], [KRA], [OCSP], [TKS]
> +        #            - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
> +        #            - [External CA]
> +        #            - [Subordinate CA]
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and are NOT redefined below:
> +        #
> +        #         config.pki_master_dict['pki_ds_bind_dn']
> +        #         config.pki_master_dict['pki_ds_http_port']
> +        #         config.pki_master_dict['pki_ds_https_port']
> +        #         config.pki_master_dict['pki_ds_password']
> +        #         config.pki_master_dict['pki_ds_remove_data']
> +        #         config.pki_master_dict['pki_ds_secure_connection']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and potentially overridden below:
> +        #
> +        #         config.pki_master_dict['pki_ds_base_dn']
> +        #         config.pki_master_dict['pki_ds_database']
> +        #         config.pki_master_dict['pki_ds_hostname']
> +        #
> +        if not len(config.pki_master_dict['pki_ds_base_dn']):
> +            config.pki_master_dict['pki_ds_base_dn'] =\
> +                "o=" + config.pki_master_dict['pki_instance_id']
> +        if not len(config.pki_master_dict['pki_ds_database']):
> +            config.pki_master_dict['pki_ds_database'] =\
> +                "o=" + config.pki_master_dict['pki_instance_id']
> +        if not len(config.pki_master_dict['pki_ds_hostname']):
> +            # Guess that the Directory Server resides on the local host
> +            config.pki_master_dict['pki_ds_hostname'] =\
> +                config.pki_master_dict['pki_hostname']
> +        # Jython scriptlet
> +        # 'Backup' Configuration name/value pairs
> +        #
> +        #     Apache - [RA], [TPS]
> +        #     Tomcat - [CA], [KRA], [OCSP], [TKS]
> +        #            - [External CA]
> +        #            - [Subordinate CA]
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and are NOT redefined below:
> +        #
> +        #        config.pki_master_dict['pki_backup_keys']
> +        #        config.pki_master_dict['pki_backup_password']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and potentially overridden below:
> +        #
> +        #        config.pki_master_dict['pki_backup_file']
> +        #
> +        if config.str2bool(config.pki_master_dict['pki_backup_keys']):
> +            if not len(config.pki_master_dict['pki_backup_file']):
> +                if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
> +                    if not config.str2bool(config.pki_master_dict['pki_clone']):
> +                        if config.pki_master_dict['pki_subsystem'] == "CA":
> +                            if config.str2bool(
> +                                   config.pki_master_dict['pki_external']):
> +                                # External CA
> +                                config.pki_master_dict['pki_backup_file'] =\
> +                                    "/tmp" + "/" + "externalca.p12" + "." +\
> +                                    config.pki_master_dict['pki_timestamp']
> +                            elif config.str2bool(
> +                                     config.pki_master_dict['pki_subordinate']):
> +                                # Subordinate CA
> +                                config.pki_master_dict['pki_backup_file'] =\
> +                                    "/tmp" + "/" + "subca.p12" + "." +\
> +                                    config.pki_master_dict['pki_timestamp']
> +                            else:
> +                                # PKI CA
> +                                config.pki_master_dict['pki_backup_file'] =\
> +                                    "/tmp" + "/" + "ca.p12" + "." +\
> +                                    config.pki_master_dict['pki_timestamp']
> +                        elif config.pki_master_dict['pki_subsystem'] == "KRA":
> +                            # PKI KRA
> +                            config.pki_master_dict['pki_backup_file'] =\
> +                                "/tmp" + "/" + "kra.p12" + "." +\
> +                                config.pki_master_dict['pki_timestamp']
> +                        elif config.pki_master_dict['pki_subsystem'] == "OCSP":
> +                            # PKI OCSP
> +                            config.pki_master_dict['pki_backup_file'] =\
> +                                "/tmp" + "/" + "ocsp.p12" + "." +\
> +                                config.pki_master_dict['pki_timestamp']
> +                        elif config.pki_master_dict['pki_subsystem'] == "TKS":
> +                            # PKI TKS
> +                            config.pki_master_dict['pki_backup_file'] =\
> +                                "/tmp" + "/" + "tks.p12" + "." +\
> +                                config.pki_master_dict['pki_timestamp']
> +        # Jython scriptlet
> +        # 'Admin Certificate' Configuration name/value pairs
> +        #
> +        #     Apache - [RA], [TPS]
> +        #     Tomcat - [CA], [KRA], [OCSP], [TKS]
> +        #            - [External CA]
> +        #            - [Subordinate CA]
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and are NOT redefined below:
> +        #
> +        #         config.pki_master_dict['pki_admin_cert_request_type']
> +        #         config.pki_master_dict['pki_admin_dualkey']
> +        #         config.pki_master_dict['pki_admin_keysize']
> +        #         config.pki_master_dict['pki_admin_name']
> +        #         config.pki_master_dict['pki_admin_password']
> +        #         config.pki_master_dict['pki_admin_uid']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and potentially overridden below:
> +        #
> +        #         config.pki_master_dict['pki_admin_email']
> +        #         config.pki_master_dict['pki_admin_subject_dn']
> +        #
> +        config.pki_master_dict['pki_admin_profile_id'] = "caAdminCert"
> +        if not len(config.pki_master_dict['pki_admin_email']):
> +            config.pki_master_dict['pki_admin_email'] =\
> +                config.pki_master_dict['pki_admin_name'] + "@" +\
> +                config.pki_master_dict['pki_dns_domainname']
> +        if not len(config.pki_master_dict['pki_admin_subject_dn']):
> +            if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
> +                if config.pki_master_dict['pki_subsystem'] == "RA":
> +                    # PKI RA
> +                    config.pki_master_dict['pki_admin_subject_dn'] =\
> +                        "cn=" + "RA Administrator" + "," +\
> +                        "uid=" + config.pki_master_dict['pki_admin_uid'] +\
> +                        "," + "e=" +\
> +                        config.pki_master_dict['pki_admin_email'] +\
> +                        "," + "o=" +\
> +                        config.pki_master_dict['pki_security_domain_name']
> +                elif config.pki_master_dict['pki_subsystem'] == "TPS":
> +                    # PKI TPS
> +                    config.pki_master_dict['pki_admin_subject_dn'] =\
> +                        "cn=" + "TPS Administrator" + "," +\
> +                        "uid=" + config.pki_master_dict['pki_admin_uid'] +\
> +                        "," + "e=" +\
> +                        config.pki_master_dict['pki_admin_email'] +\
> +                        "," + "o=" +\
> +                        config.pki_master_dict['pki_security_domain_name']
> +            elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
> +                if not config.str2bool(config.pki_master_dict['pki_clone']):
> +                    if config.pki_master_dict['pki_subsystem'] == "CA":
> +                        # PKI CA, Subordinate CA, or External CA
> +                        config.pki_master_dict['pki_admin_subject_dn'] =\
> +                            "cn=" + "CA Administrator of Instance" + " " +\
> +                            config.pki_master_dict['pki_instance_id'] + "," +\
> +                            "uid=" + config.pki_master_dict['pki_admin_uid'] +\
> +                            "," + "e=" +\
> +                            config.pki_master_dict['pki_admin_email'] +\
> +                            "," + "o=" +\
> +                            config.pki_master_dict['pki_security_domain_name']
> +                    elif config.pki_master_dict['pki_subsystem'] == "KRA":
> +                        # PKI KRA
> +                        config.pki_master_dict['pki_admin_subject_dn'] =\
> +                            "cn=" + "KRA Administrator of Instance" + " " +\
> +                            config.pki_master_dict['pki_instance_id'] + "," +\
> +                            "uid=" + config.pki_master_dict['pki_admin_uid'] +\
> +                            "," + "e=" +\
> +                            config.pki_master_dict['pki_admin_email'] +\
> +                            "," + "o=" +\
> +                            config.pki_master_dict['pki_security_domain_name']
> +                    elif config.pki_master_dict['pki_subsystem'] == "OCSP":
> +                        # PKI OCSP
> +                        config.pki_master_dict['pki_admin_subject_dn'] =\
> +                            "cn=" + "OCSP Administrator of Instance" + " " +\
> +                            config.pki_master_dict['pki_instance_id'] + "," +\
> +                            "uid=" + config.pki_master_dict['pki_admin_uid'] +\
> +                            "," + "e=" +\
> +                            config.pki_master_dict['pki_admin_email'] +\
> +                            "," + "o=" +\
> +                            config.pki_master_dict['pki_security_domain_name']
> +                    elif config.pki_master_dict['pki_subsystem'] == "TKS":
> +                        # PKI TKS
> +                        config.pki_master_dict['pki_admin_subject_dn'] =\
> +                            "cn=" + "TKS Administrator of Instance" + " " +\
> +                            config.pki_master_dict['pki_instance_id'] + "," +\
> +                            "uid=" + config.pki_master_dict['pki_admin_uid'] +\
> +                            "," + "e=" +\
> +                            config.pki_master_dict['pki_admin_email'] +\
> +                            "," + "o=" +\
> +                            config.pki_master_dict['pki_security_domain_name']
> +        # Jython scriptlet
> +        # 'CA Signing Certificate' Configuration name/value pairs
> +        #
> +        #     Tomcat - [CA]
> +        #            - [External CA]
> +        #            - [Subordinate CA]
> +        #
> +        #     The following variables are defined below:
> +        #
> +        #         config.pki_master_dict['pki_ca_signing_tag']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and are NOT redefined below:
> +        #
> +        #         config.pki_master_dict['pki_ca_signing_key_algorithm']
> +        #         config.pki_master_dict['pki_ca_signing_key_size']
> +        #         config.pki_master_dict['pki_ca_signing_key_type']
> +        #         config.pki_master_dict['pki_ca_signing_signing_algorithm']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and potentially overridden below:
> +        #
> +        #         config.pki_master_dict['pki_ca_signing_nickname']
> +        #         config.pki_master_dict['pki_ca_signing_subject_dn']
> +        #         config.pki_master_dict['pki_ca_signing_token']
> +        #
> +        if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
> +            if not config.str2bool(config.pki_master_dict['pki_clone']):
> +                if config.pki_master_dict['pki_subsystem'] == "CA":
> +                    # config.pki_master_dict['pki_ca_signing_nickname']
> +                    if not len(config.pki_master_dict\
> +                               ['pki_ca_signing_nickname']):
> +                        config.pki_master_dict['pki_ca_signing_nickname'] =\
> +                            "caSigningCert" + " " + "cert-" +\
> +                            config.pki_master_dict['pki_instance_id']
> +                    # config.pki_master_dict['pki_ca_signing_subject_dn']
> +                    if config.str2bool(config.pki_master_dict['pki_external']):
> +                        # External CA
> +                        if not len(config.pki_master_dict\
> +                                   ['pki_ca_signing_subject_dn']):
> +                            config.pki_master_dict['pki_ca_signing_subject_dn']\
> +                                =  "cn=" + "External CA Signing Certificate" +\
> +                                   "," + "o=" +\
> +                                   config.pki_master_dict\
> +                                   ['pki_security_domain_name']
> +                    elif config.str2bool(
> +                             config.pki_master_dict['pki_subordinate']):
> +                        # Subordinate CA
> +                        if not len(config.pki_master_dict\
> +                                   ['pki_ca_signing_subject_dn']):
> +                            config.pki_master_dict['pki_ca_signing_subject_dn']\
> +                                =  "cn=" + "SubCA Signing Certificate" +\
> +                                   "," + "o=" +\
> +                                   config.pki_master_dict\
> +                                   ['pki_security_domain_name']
> +                    else:
> +                        # PKI CA
> +                        if not len(config.pki_master_dict\
> +                                   ['pki_ca_signing_subject_dn']):
> +                            config.pki_master_dict['pki_ca_signing_subject_dn']\
> +                                =  "cn=" + "CA Signing Certificate" +\
> +                                   "," + "o=" +\
> +                                   config.pki_master_dict\
> +                                   ['pki_security_domain_name']
> +                    # config.pki_master_dict['pki_ca_signing_tag']
> +                    config.pki_master_dict['pki_ca_signing_tag'] =\
> +                        "signing"
> +                    # config.pki_master_dict['pki_ca_signing_token']
> +                    if not len(config.pki_master_dict['pki_ca_signing_token']):
> +                        config.pki_master_dict['pki_ca_signing_token'] =\
> +                            "Internal Key Storage Token"
> +        # Jython scriptlet
> +        # 'OCSP Signing Certificate' Configuration name/value pairs
> +        #
> +        #     Tomcat - [CA], [OCSP]
> +        #            - [External CA]
> +        #            - [Subordinate CA]
> +        #
> +        #     The following variables are defined below:
> +        #
> +        #         config.pki_master_dict['pki_ocsp_signing_tag']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and are NOT redefined below:
> +        #
> +        #         config.pki_master_dict['pki_ocsp_signing_key_algorithm']
> +        #         config.pki_master_dict['pki_ocsp_signing_key_size']
> +        #         config.pki_master_dict['pki_ocsp_signing_key_type']
> +        #         config.pki_master_dict['pki_ocsp_signing_signing_algorithm']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and potentially overridden below:
> +        #
> +        #         config.pki_master_dict['pki_ocsp_signing_nickname']
> +        #         config.pki_master_dict['pki_ocsp_signing_subject_dn']
> +        #         config.pki_master_dict['pki_ocsp_signing_token']
> +        #
> +        if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
> +            if not config.str2bool(config.pki_master_dict['pki_clone']):
> +                if config.pki_master_dict['pki_subsystem'] == "CA":
> +                    if not len(config.pki_master_dict\
> +                               ['pki_ocsp_signing_nickname']):
> +                        config.pki_master_dict['pki_ocsp_signing_nickname'] =\
> +                            "ocspSigningCert" + " " + "cert-" +\
> +                            config.pki_master_dict['pki_instance_id']
> +                    if config.str2bool(config.pki_master_dict['pki_external']):
> +                        # External CA
> +                        if not len(config.pki_master_dict\
> +                                   ['pki_ocsp_signing_subject_dn']):
> +                            config.pki_master_dict\
> +                            ['pki_ocsp_signing_subject_dn'] =\
> +                                "cn=" + "External CA OCSP Signing Certificate"\
> +                                + "," + "o=" +\
> +                                config.pki_master_dict\
> +                                ['pki_security_domain_name']
> +                    elif config.str2bool(
> +                             config.pki_master_dict['pki_subordinate']):
> +                        # Subordinate CA
> +                        if not len(config.pki_master_dict\
> +                                   ['pki_ocsp_signing_subject_dn']):
> +                            config.pki_master_dict\
> +                            ['pki_ocsp_signing_subject_dn'] =\
> +                                "cn=" + "SubCA OCSP Signing Certificate"\
> +                                + "," + "o=" +\
> +                                config.pki_master_dict\
> +                                ['pki_security_domain_name']
> +                    else:
> +                        # PKI CA
> +                        if not len(config.pki_master_dict\
> +                                   ['pki_ocsp_signing_subject_dn']):
> +                            config.pki_master_dict\
> +                            ['pki_ocsp_signing_subject_dn'] =\
> +                                "cn=" + "CA OCSP Signing Certificate"\
> +                                + "," + "o=" +\
> +                                config.pki_master_dict\
> +                                ['pki_security_domain_name']
> +                    config.pki_master_dict['pki_ocsp_signing_tag'] =\
> +                        "ocsp_signing"
> +                    if not len(config.pki_master_dict\
> +                               ['pki_ocsp_signing_token']):
> +                        config.pki_master_dict['pki_ocsp_signing_token'] =\
> +                            "Internal Key Storage Token"
> +                elif config.pki_master_dict['pki_subsystem'] == "OCSP":
> +                    # PKI OCSP
> +                    if not len(config.pki_master_dict\
> +                               ['pki_ocsp_signing_nickname']):
> +                        config.pki_master_dict['pki_ocsp_signing_nickname'] =\
> +                            "ocspSigningCert" + " " + "cert-" +\
> +                            config.pki_master_dict['pki_instance_id']
> +                    if not len(config.pki_master_dict\
> +                               ['pki_ocsp_signing_subject_dn']):
> +                        config.pki_master_dict['pki_ocsp_signing_subject_dn'] =\
> +                            "cn=" + "OCSP Signing Certificate" + "," + "o=" +\
> +                            config.pki_master_dict['pki_security_domain_name']
> +                    config.pki_master_dict['pki_ocsp_signing_tag'] =\
> +                        "signing"
> +                    if not len(config.pki_master_dict\
> +                               ['pki_ocsp_signing_token']):
> +                        config.pki_master_dict['pki_ocsp_signing_token'] =\
> +                            "Internal Key Storage Token"
> +        # Jython scriptlet
> +        # 'SSL Server Certificate' Configuration name/value pairs
> +        #
> +        #     Apache - [RA], [TPS]
> +        #     Tomcat - [CA], [KRA], [OCSP], [TKS]
> +        #            - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
> +        #            - [External CA]
> +        #            - [Subordinate CA]
> +        #
> +        #     The following variables are defined below:
> +        #
> +        #         config.pki_master_dict['pki_ssl_server_tag']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and are NOT redefined below:
> +        #
> +        #         config.pki_master_dict['pki_ssl_server_key_algorithm']
> +        #         config.pki_master_dict['pki_ssl_server_key_size']
> +        #         config.pki_master_dict['pki_ssl_server_key_type']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and potentially overridden below:
> +        #
> +        #         config.pki_master_dict['pki_ssl_server_nickname']
> +        #         config.pki_master_dict['pki_ssl_server_subject_dn']
> +        #         config.pki_master_dict['pki_ssl_server_token']
> +        #
> +        if not len(config.pki_master_dict['pki_ssl_server_nickname']):
> +            config.pki_master_dict['pki_ssl_server_nickname'] =\
> +                "Server-Cert" + " " + "cert-" +\
> +                config.pki_master_dict['pki_instance_id']
> +        if not len(config.pki_master_dict['pki_ssl_server_subject_dn']):
> +            if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
> +                config.pki_master_dict['pki_ssl_server_subject_dn'] =\
> +                    "cn=" + config.pki_master_dict['pki_hostname'] +\
> +                    "," + "ou=" + config.pki_master_dict['pki_instance_id'] +\
> +                    "," + "o=" +\
> +                    config.pki_master_dict['pki_security_domain_name']
> +            elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
> +                config.pki_master_dict['pki_ssl_server_subject_dn'] =\
> +                    "cn=" + config.pki_master_dict['pki_hostname'] +\
> +                    "," + "o=" +\
> +                    config.pki_master_dict['pki_security_domain_name']
> +        config.pki_master_dict['pki_ssl_server_tag'] = "sslserver"
> +        if not len(config.pki_master_dict['pki_ssl_server_token']):
> +            config.pki_master_dict['pki_ssl_server_token'] =\
> +                "Internal Key Storage Token"
> +        # Jython scriptlet
> +        # 'Subsystem Certificate' Configuration name/value pairs
> +        #
> +        #     Apache - [RA], [TPS]
> +        #     Tomcat - [CA], [KRA], [OCSP], [TKS]
> +        #            - [External CA]
> +        #            - [Subordinate CA]
> +        #
> +        #     The following variables are defined below:
> +        #
> +        #         config.pki_master_dict['pki_subsystem_tag']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and are NOT redefined below:
> +        #
> +        #         config.pki_master_dict['pki_subsystem_key_algorithm']
> +        #         config.pki_master_dict['pki_subsystem_key_size']
> +        #         config.pki_master_dict['pki_subsystem_key_type']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and potentially overridden below:
> +        #
> +        #         config.pki_master_dict['pki_subsystem_nickname']
> +        #         config.pki_master_dict['pki_subsystem_subject_dn']
> +        #         config.pki_master_dict['pki_subsystem_token']
> +        #
> +        if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
> +            if not len(config.pki_master_dict['pki_subsystem_nickname']):
> +                config.pki_master_dict['pki_subsystem_nickname'] =\
> +                    "subsystemCert" + " " + "cert-" +\
> +                    config.pki_master_dict['pki_instance_id']
> +            if not len(config.pki_master_dict['pki_subsystem_subject_dn']):
> +                if config.pki_master_dict['pki_subsystem'] == "RA":
> +                    # PKI RA
> +                    config.pki_master_dict['pki_subsystem_subject_dn'] =\
> +                        "cn=" + "RA Subsystem Certificate" +\
> +                        "," + "ou=" + config.pki_master_dict['pki_instance_id']\
> +                        + "," + "o=" +\
> +                        config.pki_master_dict['pki_security_domain_name']
> +                elif config.pki_master_dict['pki_subsystem'] == "TPS":
> +                    # PKI TPS
> +                    config.pki_master_dict['pki_subsystem_subject_dn'] =\
> +                        "cn=" + "TPS Subsystem Certificate" +\
> +                        "," + "ou=" + config.pki_master_dict['pki_instance_id']\
> +                        + "," + "o=" +\
> +                        config.pki_master_dict['pki_security_domain_name']
> +            config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
> +            if not len(config.pki_master_dict['pki_subsystem_token']):
> +                config.pki_master_dict['pki_subsystem_token'] =\
> +                    "Internal Key Storage Token"
> +        elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
> +            if not config.str2bool(config.pki_master_dict['pki_clone']):
> +                if not len(config.pki_master_dict['pki_subsystem_nickname']):
> +                    config.pki_master_dict['pki_subsystem_nickname'] =\
> +                        "subsystemCert" + " " + "cert-" +\
> +                        config.pki_master_dict['pki_instance_id']
> +                if not len(config.pki_master_dict['pki_subsystem_subject_dn']):
> +                    if config.pki_master_dict['pki_subsystem'] == "CA":
> +                        if config.str2bool(
> +                               config.pki_master_dict['pki_external']):
> +                            # External CA
> +                            config.pki_master_dict['pki_subsystem_subject_dn']\
> +                                = "cn=" + "External CA Subsystem Certificate" +\
> +                                  "," + "o=" +\
> +                                  config.pki_master_dict\
> +                                  ['pki_security_domain_name']
> +                        elif config.str2bool(
> +                                 config.pki_master_dict['pki_subordinate']):
> +                            # Subordinate CA
> +                            config.pki_master_dict['pki_subsystem_subject_dn']\
> +                                = "cn=" + "SubCA Subsystem Certificate" +\
> +                                  "," + "o=" +\
> +                                  config.pki_master_dict\
> +                                  ['pki_security_domain_name']
> +                        else:
> +                            # PKI CA
> +                            config.pki_master_dict['pki_subsystem_subject_dn']\
> +                                = "cn=" + "CA Subsystem Certificate" +\
> +                                  "," + "o=" +\
> +                                  config.pki_master_dict\
> +                                  ['pki_security_domain_name']
> +                    elif config.pki_master_dict['pki_subsystem'] == "KRA":
> +                        # PKI KRA
> +                        config.pki_master_dict['pki_subsystem_subject_dn'] =\
> +                            "cn=" + "DRM Subsystem Certificate" +\
> +                            "," + "o=" +\
> +                            config.pki_master_dict\
> +                            ['pki_security_domain_name']
> +                    elif config.pki_master_dict['pki_subsystem'] == "OCSP":
> +                        # PKI OCSP
> +                        config.pki_master_dict['pki_subsystem_subject_dn'] =\
> +                            "cn=" + "OCSP Subsystem Certificate" +\
> +                            "," + "o=" +\
> +                            config.pki_master_dict\
> +                            ['pki_security_domain_name']
> +                    elif config.pki_master_dict['pki_subsystem'] == "TKS":
> +                        # PKI TKS
> +                        config.pki_master_dict['pki_subsystem_subject_dn'] =\
> +                            "cn=" + "TKS Subsystem Certificate" +\
> +                            "," + "o=" +\
> +                            config.pki_master_dict\
> +                            ['pki_security_domain_name']
> +                config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
> +                if not len(config.pki_master_dict['pki_subsystem_token']):
> +                    config.pki_master_dict['pki_subsystem_token'] =\
> +                        "Internal Key Storage Token"
> +        # Jython scriptlet
> +        # 'Audit Signing Certificate' Configuration name/value pairs
> +        #
> +        #     Apache - [TPS]
> +        #     Tomcat - [CA], [KRA], [OCSP], [TKS]
> +        #            - [External CA]
> +        #            - [Subordinate CA]
> +        #
> +        #     The following variables are defined below:
> +        #
> +        #         config.pki_master_dict['pki_audit_signing_tag']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and are NOT redefined below:
> +        #
> +        #         config.pki_master_dict['pki_audit_signing_key_algorithm']
> +        #         config.pki_master_dict['pki_audit_signing_key_size']
> +        #         config.pki_master_dict['pki_audit_signing_key_type']
> +        #         config.pki_master_dict['pki_audit_signing_signing_algorithm']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and potentially overridden below:
> +        #
> +        #         config.pki_master_dict['pki_audit_signing_nickname']
> +        #         config.pki_master_dict['pki_audit_signing_subject_dn']
> +        #         config.pki_master_dict['pki_audit_signing_token']
> +        #
> +        if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
> +            if config.pki_master_dict['pki_subsystem'] != "RA":
> +                if not len(config.pki_master_dict\
> +                           ['pki_audit_signing_nickname']):
> +                    config.pki_master_dict['pki_audit_signing_nickname'] =\
> +                        "auditSigningCert" + " " + "cert-" +\
> +                        config.pki_master_dict['pki_instance_id']
> +                if not len(config.pki_master_dict\
> +                           ['pki_audit_signing_subject_dn']):
> +                    config.pki_master_dict['pki_audit_signing_subject_dn'] =\
> +                        "cn=" + "TPS Audit Signing Certificate" +\
> +                        "," + "ou=" + config.pki_master_dict['pki_instance_id']\
> +                        + "," + "o=" +\
> +                        config.pki_master_dict['pki_security_domain_name']
> +                config.pki_master_dict['pki_audit_signing_tag'] =\
> +                    "audit_signing"
> +                if not len(config.pki_master_dict['pki_audit_signing_token']):
> +                    config.pki_master_dict['pki_audit_signing_token'] =\
> +                        "Internal Key Storage Token"
> +        elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
> +            if not config.str2bool(config.pki_master_dict['pki_clone']):
> +                if not len(config.pki_master_dict\
> +                           ['pki_audit_signing_nickname']):
> +                    config.pki_master_dict['pki_audit_signing_nickname'] =\
> +                        "auditSigningCert" + " " + "cert-" +\
> +                        config.pki_master_dict['pki_instance_id']
> +                if not len(config.pki_master_dict\
> +                           ['pki_audit_signing_subject_dn']):
> +                    if config.pki_master_dict['pki_subsystem'] == "CA":
> +                        if config.str2bool(
> +                               config.pki_master_dict['pki_external']):
> +                            # External CA
> +                            config.pki_master_dict\
> +                            ['pki_audit_signing_subject_dn'] =\
> +                                "cn=" + "External CA Audit Signing Certificate"\
> +                                + "," + "o=" +\
> +                                config.pki_master_dict\
> +                                ['pki_security_domain_name']
> +                        elif config.str2bool(
> +                                 config.pki_master_dict['pki_subordinate']):
> +                            # Subordinate CA
> +                            config.pki_master_dict\
> +                            ['pki_audit_signing_subject_dn'] =\
> +                                "cn=" + "SubCA Audit Signing Certificate" +\
> +                                "," + "o=" +\
> +                                config.pki_master_dict\
> +                                ['pki_security_domain_name']
> +                        else:
> +                            # PKI CA
> +                            config.pki_master_dict\
> +                            ['pki_audit_signing_subject_dn'] =\
> +                                "cn=" + "CA Audit Signing Certificate" +\
> +                                "," + "o=" +\
> +                                config.pki_master_dict\
> +                                ['pki_security_domain_name']
> +                    elif config.pki_master_dict['pki_subsystem'] == "KRA":
> +                        # PKI KRA
> +                        config.pki_master_dict['pki_audit_signing_subject_dn']\
> +                            = "cn=" + "DRM Audit Signing Certificate" +\
> +                              "," + "o=" +\
> +                              config.pki_master_dict['pki_security_domain_name']
> +                    elif config.pki_master_dict['pki_subsystem'] == "OCSP":
> +                        # PKI OCSP
> +                        config.pki_master_dict['pki_audit_signing_subject_dn']\
> +                            = "cn=" + "OCSP Audit Signing Certificate" +\
> +                              "," + "o=" +\
> +                              config.pki_master_dict['pki_security_domain_name']
> +                    elif config.pki_master_dict['pki_subsystem'] == "TKS":
> +                        # PKI TKS
> +                        config.pki_master_dict['pki_audit_signing_subject_dn']\
> +                            = "cn=" + "TKS Audit Signing Certificate" +\
> +                              "," + "o=" +\
> +                              config.pki_master_dict['pki_security_domain_name']
> +                config.pki_master_dict['pki_audit_signing_tag'] =\
> +                    "audit_signing"
> +                if not len(config.pki_master_dict['pki_audit_signing_token']):
> +                    config.pki_master_dict['pki_audit_signing_token'] =\
> +                        "Internal Key Storage Token"
> +        # Jython scriptlet
> +        # 'DRM Transport Certificate' Configuration name/value pairs
> +        #
> +        #     Tomcat - [KRA]
> +        #
> +        #     The following variables are defined below:
> +        #
> +        #         config.pki_master_dict['pki_transport_tag']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and are NOT redefined below:
> +        #
> +        #         config.pki_master_dict['pki_transport_key_algorithm']
> +        #         config.pki_master_dict['pki_transport_key_size']
> +        #         config.pki_master_dict['pki_transport_key_type']
> +        #         config.pki_master_dict['pki_transport_signing_algorithm']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and potentially overridden below:
> +        #
> +        #         config.pki_master_dict['pki_transport_nickname']
> +        #         config.pki_master_dict['pki_transport_subject_dn']
> +        #         config.pki_master_dict['pki_transport_token']
> +        #
> +        if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
> +            if not config.str2bool(config.pki_master_dict['pki_clone']):
> +                if config.pki_master_dict['pki_subsystem'] == "KRA":
> +                    # PKI KRA
> +                    if not len(config.pki_master_dict\
> +                               ['pki_transport_nickname']):
> +                        config.pki_master_dict['pki_transport_nickname'] =\
> +                            "transportCert" + " " + "cert-" +\
> +                            config.pki_master_dict['pki_instance_id']
> +                    if not len(config.pki_master_dict\
> +                               ['pki_transport_subject_dn']):
> +                        config.pki_master_dict['pki_transport_subject_dn']\
> +                            = "cn=" + "DRM Transport Certificate" +\
> +                              "," + "o=" +\
> +                              config.pki_master_dict['pki_security_domain_name']
> +                    config.pki_master_dict['pki_transport_tag'] =\
> +                        "transport"
> +                    if not len(config.pki_master_dict['pki_transport_token']):
> +                        config.pki_master_dict['pki_transport_token'] =\
> +                            "Internal Key Storage Token"
> +        # Jython scriptlet
> +        # 'DRM Storage Certificate' Configuration name/value pairs
> +        #
> +        #     Tomcat - [KRA]
> +        #
> +        #     The following variables are defined below:
> +        #
> +        #         config.pki_master_dict['pki_storage_tag']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and are NOT redefined below:
> +        #
> +        #         config.pki_master_dict['pki_storage_key_algorithm']
> +        #         config.pki_master_dict['pki_storage_key_size']
> +        #         config.pki_master_dict['pki_storage_key_type']
> +        #         config.pki_master_dict['pki_storage_signing_algorithm']
> +        #
> +        #     The following variables are established via the specified PKI
> +        #     deployment configuration file and potentially overridden below:
> +        #
> +        #         config.pki_master_dict['pki_storage_nickname']
> +        #         config.pki_master_dict['pki_storage_subject_dn']
> +        #         config.pki_master_dict['pki_storage_token']
> +        #
> +        if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
> +            if not config.str2bool(config.pki_master_dict['pki_clone']):
> +                if config.pki_master_dict['pki_subsystem'] == "KRA":
> +                    # PKI KRA
> +                    if not len(config.pki_master_dict['pki_storage_nickname']):
> +                        config.pki_master_dict['pki_storage_nickname'] =\
> +                            "storageCert" + " " + "cert-" +\
> +                            config.pki_master_dict['pki_instance_id']
> +                    if not len(config.pki_master_dict\
> +                               ['pki_storage_subject_dn']):
> +                        config.pki_master_dict['pki_storage_subject_dn']\
> +                            = "cn=" + "DRM Storage Certificate" +\
> +                              "," + "o=" +\
> +                              config.pki_master_dict['pki_security_domain_name']
> +                    config.pki_master_dict['pki_storage_tag'] =\
> +                        "storage"
> +                    if not len(config.pki_master_dict['pki_storage_token']):
> +                        config.pki_master_dict['pki_storage_token'] =\
> +                            "Internal Key Storage Token"
>      except OSError as exc:
>          config.pki_log.error(log.PKI_OSERROR_1, exc,
>                               extra=config.PKI_INDENTATION_LEVEL_2)
>          sys.exit(1)
> +    except KeyError as err:
> +        config.pki_log.error(log.PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1,
> +                             err, extra=config.PKI_INDENTATION_LEVEL_2)
> +        sys.exit(1)
>      return
>  
> 
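Review bot: Every default subject DN in this hunk is built by plain string concatenation of configuration values (pki_security_domain_name, pki_hostname, pki_instance_id, pki_admin_uid, pki_admin_email) with no escaping or validation. A value containing ',', '+' or '=' changes the structure of the resulting DN, and an empty pki_security_domain_name yields a bare "o=" in certificate subjects. Consider a single helper that takes the cn text and an optional ou, escapes DN special characters, and refuses an empty 'o=' value; it would also replace the many near-identical blocks here. Separately, pki_ocsp_signing_tag is set to "ocsp_signing" in the CA branch but to "signing" in the OCSP branch; if that is intentional, a one-line comment saying so would keep it from being "corrected" later.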
> diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py
> index 1a08fdc..8364d95 100644
> --- a/base/deploy/src/scriptlets/security_databases.py
> +++ b/base/deploy/src/scriptlets/security_databases.py
> @@ -38,13 +38,20 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>              util.password.create_password_conf(
>                  master['pki_shared_password_conf'],
>                  master['pki_pin'])
> +            # Since 'certutil' does NOT strip the 'token=' portion of
> +            # the 'token=password' entries, create a temporary server 'pfile'
> +            # which ONLY contains the 'password' for the purposes of
> +            # allowing 'certutil' to generate the security databases
> +            util.password.create_password_conf(
> +                master['pki_shared_pfile'],
> +                master['pki_pin'], pin_sans_token=True)
>              util.file.modify(master['pki_shared_password_conf'])
>              util.certutil.create_security_databases(
>                  master['pki_database_path'],
>                  master['pki_cert_database'],
>                  master['pki_key_database'],
>                  master['pki_secmod_database'],
> -                password_file=master['pki_shared_password_conf'])
> +                password_file=master['pki_shared_pfile'])
>              util.file.modify(master['pki_cert_database'], perms=\
>                  config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
>              util.file.modify(master['pki_key_database'], perms=\
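Review bot: The new pki_shared_pfile holds the bare PIN, but unlike pki_shared_password_conf, which gets util.file.modify(...) right after it is written, nothing in this hunk sets ownership or permissions on the pfile before certutil reads it. Either apply the same util.file.modify() to master['pki_shared_pfile'] immediately after create_password_conf(), or note in the comment that create_password_conf() already creates the file with owner-only permissions. The comment could also say where the file is deleted, since that is what makes it "temporary".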
> @@ -58,7 +65,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                       master['pki_secmod_database'],
>                       master['pki_self_signed_token'],
>                       master['pki_self_signed_nickname'],
> -                     password_file=master['pki_shared_password_conf'])
> +                     password_file=master['pki_shared_pfile'])
>              if not rv:
>                  util.file.generate_noise_file(
>                      master['pki_self_signed_noise_file'],
> @@ -76,18 +83,28 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                      master['pki_self_signed_issuer_name'],
>                      master['pki_self_signed_trustargs'],
>                      master['pki_self_signed_noise_file'],
> -                    password_file=master['pki_shared_password_conf'])
> +                    password_file=master['pki_shared_pfile'])
> +                # Delete the temporary 'noise' file
>                  util.file.delete(master['pki_self_signed_noise_file'])
> +            # Delete the temporary 'pfile'
> +            util.file.delete(master['pki_shared_pfile'])
>          else:
>              util.password.create_password_conf(
>                  master['pki_shared_password_conf'],
>                  master['pki_pin'])
> +            # Since 'certutil' does NOT strip the 'token=' portion of
> +            # the 'token=password' entries, create a temporary server 'pfile'
> +            # which ONLY contains the 'password' for the purposes of
> +            # allowing 'certutil' to generate the security databases
> +            util.password.create_password_conf(
> +                master['pki_shared_pfile'],
> +                master['pki_pin'], pin_sans_token=True)
>              util.certutil.create_security_databases(
>                  master['pki_database_path'],
>                  master['pki_cert_database'],
>                  master['pki_key_database'],
>                  master['pki_secmod_database'],
> -                password_file=master['pki_shared_password_conf'])
> +                password_file=master['pki_shared_pfile'])
>              rv = util.certutil.verify_certificate_exists(
>                       master['pki_database_path'],
>                       master['pki_cert_database'],
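Review bot: util.file.delete(master['pki_shared_pfile']) is reached only when every certutil step before it returns normally; an exception from create_security_databases, verify_certificate_exists or the self-signed certificate generation leaves the cleartext PIN file, and possibly the noise file, on disk. Wrap everything between creating and deleting the pfile in try/finally so both temporary files are removed on every exit path.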
> @@ -95,7 +112,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                       master['pki_secmod_database'],
>                       master['pki_self_signed_token'],
>                       master['pki_self_signed_nickname'],
> -                     password_file=master['pki_shared_password_conf'])
> +                     password_file=master['pki_shared_pfile'])
>              if not rv:
>                  util.file.generate_noise_file(
>                      master['pki_self_signed_noise_file'],
> @@ -113,7 +130,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                      master['pki_self_signed_issuer_name'],
>                      master['pki_self_signed_trustargs'],
>                      master['pki_self_signed_noise_file'],
> -                    password_file=master['pki_shared_password_conf'])
> +                    password_file=master['pki_shared_pfile'])
> +                # Delete the temporary 'noise' file
> +                util.file.delete(master['pki_self_signed_noise_file'])
> +            # Delete the temporary 'pfile'
> +            util.file.delete(master['pki_shared_pfile'])
>          return self.rv
>  
>      def respawn(self):
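Review bot: the noise-file delete added in this hunk shows the two branches had already drifted (the first branch deleted the noise file, this one did not), and the patch now repeats the pfile create/use/delete sequence in both. Move that sequence into one helper called from both branches so cleanup of the secret files cannot diverge again.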
> diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py
> index 93b0ae7..3467596 100644
> --- a/base/deploy/src/scriptlets/slot_substitution.py
> +++ b/base/deploy/src/scriptlets/slot_substitution.py
> @@ -39,7 +39,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                                                master['pki_target_cs_cfg'])
>          util.file.copy_with_slot_substitution(master['pki_source_registry'],
>                                                master['pki_target_registry'],
> -                                              overwrite_flag=True)
> +                                              uid=0, gid=0, overwrite_flag=True)
>          if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
>              util.file.copy_with_slot_substitution(
>                  master['pki_source_catalina_properties'],
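Review bot: uid=0, gid=0 on the pki_target_registry copy is a bare literal with no comment saying why this file must be root-owned while the neighbouring copy_with_slot_substitution calls take the default. Add a one-line comment with the reason and consider a named constant in config rather than repeating 0 at each of the four call sites this patch touches in the file.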
> @@ -56,7 +56,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>              util.file.copy_with_slot_substitution(
>                  master['pki_source_tomcat_conf'],
>                  master['pki_target_tomcat_conf_instance_id'],
> -                overwrite_flag=True)
> +                uid=0, gid=0, overwrite_flag=True)
>              util.file.copy_with_slot_substitution(
>                  master['pki_source_tomcat_conf'],
>                  master['pki_target_tomcat_conf'],
> @@ -69,6 +69,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                  master['pki_target_velocity_properties'])
>              util.file.apply_slot_substitution(
>                  master['pki_target_subsystem_web_xml'])
> +            # Strip "<filter>" section from subsystem "web.xml"
> +            # This is ONLY necessary because XML comments cannot be "nested"!
> +            #util.file.copy(master['pki_target_subsystem_web_xml'],
> +            #               master['pki_target_subsystem_web_xml_orig'])
> +            #util.file.delete(master['pki_target_subsystem_web_xml'])
> +            #util.xml_file.remove_filter_section_from_web_xml(
> +            #    master['pki_target_subsystem_web_xml_orig'],
> +            #    master['pki_target_subsystem_web_xml'])
> +            #util.file.delete(master['pki_target_subsystem_web_xml_orig'])
>              if master['pki_subsystem'] == "CA":
>                  util.file.copy_with_slot_substitution(
>                      master['pki_source_proxy_conf'],
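Review bot: the added block is entirely commented-out code under a comment that says the filter stripping is "ONLY necessary" for a reason, which leaves it unclear whether web.xml still needs the step. Either enable the calls or drop the dead lines (here and in the identical block in the update branch) and keep the rationale in the commit message; as it stands pki_target_subsystem_web_xml_orig and util.xml_file.remove_filter_section_from_web_xml are referenced only from comments.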
> @@ -85,7 +94,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                                                overwrite_flag=True)
>          util.file.copy_with_slot_substitution(master['pki_source_registry'],
>                                                master['pki_target_registry'],
> -                                              overwrite_flag=True)
> +                                              uid=0, gid=0, overwrite_flag=True)
>          if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
>              util.file.copy_with_slot_substitution(
>                  master['pki_source_catalina_properties'],
> @@ -102,7 +111,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>              util.file.copy_with_slot_substitution(
>                  master['pki_source_tomcat_conf'],
>                  master['pki_target_tomcat_conf_instance_id'],
> -                overwrite_flag=True)
> +                uid=0, gid=0, overwrite_flag=True)
>              util.file.copy_with_slot_substitution(
>                  master['pki_source_tomcat_conf'],
>                  master['pki_target_tomcat_conf'],
> @@ -115,6 +124,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                  master['pki_target_velocity_properties'])
>              util.file.apply_slot_substitution(
>                  master['pki_target_subsystem_web_xml'])
> +            # Strip "<filter>" section from subsystem "web.xml"
> +            # This is ONLY necessary because XML comments cannot be "nested"!
> +            #util.file.copy(master['pki_target_subsystem_web_xml'],
> +            #               master['pki_target_subsystem_web_xml_orig'])
> +            #util.file.delete(master['pki_target_subsystem_web_xml'])
> +            #util.xml_file.remove_filter_section_from_web_xml(
> +            #    master['pki_target_subsystem_web_xml_orig'],
> +            #    master['pki_target_subsystem_web_xml'])
> +            #util.file.delete(master['pki_target_subsystem_web_xml_orig'])
>              if master['pki_subsystem'] == "CA":
>                  util.file.copy_with_slot_substitution(
>                      master['pki_source_proxy_conf'],
> diff --git a/base/deploy/src/scriptlets/subsystem_layout.py b/base/deploy/src/scriptlets/subsystem_layout.py
> index 4ea5e6f..d9c597d 100644
> --- a/base/deploy/src/scriptlets/subsystem_layout.py
> +++ b/base/deploy/src/scriptlets/subsystem_layout.py
> @@ -56,6 +56,34 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                                      master['pki_subsystem_profiles_path'])
>              # establish instance-based Tomcat PKI subsystem logs
>              # establish instance-based Tomcat PKI subsystem configuration
> +            if master['pki_subsystem'] == "CA":
> +                util.file.copy(master['pki_source_flatfile_txt'],
> +                               master['pki_target_flatfile_txt'])
> +                util.file.copy(master['pki_source_registry_cfg'],
> +                               master['pki_target_registry_cfg'])
> +                # '*.profile'
> +                util.file.copy(master['pki_source_admincert_profile'],
> +                               master['pki_target_admincert_profile'])
> +                util.file.copy(master['pki_source_caauditsigningcert_profile'],
> +                               master['pki_target_caauditsigningcert_profile'])
> +                util.file.copy(master['pki_source_cacert_profile'],
> +                               master['pki_target_cacert_profile'])
> +                util.file.copy(master['pki_source_caocspcert_profile'],
> +                               master['pki_target_caocspcert_profile'])
> +                util.file.copy(master['pki_source_servercert_profile'],
> +                               master['pki_target_servercert_profile'])
> +                util.file.copy(master['pki_source_subsystemcert_profile'],
> +                               master['pki_target_subsystemcert_profile'])
> +            elif master['pki_subsystem'] == "KRA":
> +                # '*.profile'
> +                util.file.copy(master['pki_source_servercert_profile'],
> +                               master['pki_target_servercert_profile'])
> +                util.file.copy(master['pki_source_storagecert_profile'],
> +                               master['pki_target_storagecert_profile'])
> +                util.file.copy(master['pki_source_subsystemcert_profile'],
> +                               master['pki_target_subsystemcert_profile'])
> +                util.file.copy(master['pki_source_transportcert_profile'],
> +                               master['pki_target_transportcert_profile'])
>              # establish instance-based Tomcat PKI subsystem registry
>              # establish instance-based Tomcat PKI subsystem convenience
>              # symbolic links
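Review bot: the CA and KRA branches are runs of util.file.copy(master['pki_source_X'], master['pki_target_X']) calls that differ only in X, and the same lists are repeated with overwrite_flag=True in the update branch, so adding a profile means editing several places. Drive the copies from a per-subsystem list of names in a loop, and say in a comment whether OCSP and TKS intentionally have nothing to copy here.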
> @@ -98,6 +126,46 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                                      overwrite_flag=True)
>              # update instance-based Tomcat PKI subsystem logs
>              # update instance-based Tomcat PKI subsystem configuration
> +            if master['pki_subsystem'] == "CA":
> +                # util.file.copy(master['pki_source_flatfile_txt'],
> +                #                master['pki_target_flatfile_txt'],
> +                #                overwrite_flag=True)
> +                util.file.copy(master['pki_source_registry_cfg'],
> +                               master['pki_target_registry_cfg'],
> +                               overwrite_flag=True)
> +                # '*.profile'
> +                util.file.copy(master['pki_source_admincert_profile'],
> +                               master['pki_target_admincert_profile'],
> +                               overwrite_flag=True)
> +                util.file.copy(master['pki_source_caauditsigningcert_profile'],
> +                               master['pki_target_caauditsigningcert_profile'],
> +                               overwrite_flag=True)
> +                util.file.copy(master['pki_source_cacert_profile'],
> +                               master['pki_target_cacert_profile'],
> +                               overwrite_flag=True)
> +                util.file.copy(master['pki_source_caocspcert_profile'],
> +                               master['pki_target_caocspcert_profile'],
> +                               overwrite_flag=True)
> +                util.file.copy(master['pki_source_servercert_profile'],
> +                               master['pki_target_servercert_profile'],
> +                               overwrite_flag=True)
> +                util.file.copy(master['pki_source_subsystemcert_profile'],
> +                               master['pki_target_subsystemcert_profile'],
> +                               overwrite_flag=True)
> +            elif master['pki_subsystem'] == "KRA":
> +                # '*.profile'
> +                util.file.copy(master['pki_source_servercert_profile'],
> +                               master['pki_target_servercert_profile'],
> +                               overwrite_flag=True)
> +                util.file.copy(master['pki_source_storagecert_profile'],
> +                               master['pki_target_storagecert_profile'],
> +                               overwrite_flag=True)
> +                util.file.copy(master['pki_source_subsystemcert_profile'],
> +                               master['pki_target_subsystemcert_profile'],
> +                               overwrite_flag=True)
> +                util.file.copy(master['pki_source_transportcert_profile'],
> +                               master['pki_target_transportcert_profile'],
> +                               overwrite_flag=True)
>              # update instance-based Tomcat PKI subsystem registry
>              # update instance-based Tomcat PKI subsystem convenience
>              # symbolic links
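Review bot: in the CA update branch the pki_source_flatfile_txt copy is commented out while every other file is copied with overwrite_flag=True, and nothing explains the difference. If flatfile.txt is skipped on purpose to preserve local edits, replace the commented-out call with a comment that says so; otherwise restore the copy.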
> diff --git a/base/deploy/src/scriptlets/war_explosion.py b/base/deploy/src/scriptlets/war_explosion.py
> index ca2ea60..16113ba 100644
> --- a/base/deploy/src/scriptlets/war_explosion.py
> +++ b/base/deploy/src/scriptlets/war_explosion.py
> @@ -39,11 +39,23 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>              util.directory.create(master['pki_tomcat_webapps_subsystem_path'])
>              util.war.explode(master['pki_war'],
>                               master['pki_tomcat_webapps_subsystem_path'])
> -            # establish convenience symbolic links
> -            util.symlink.create(master['pki_tomcat_webapps_webinf_classes_path'],
> -                master['pki_tomcat_webapps_subsystem_webinf_classes_link'])
> -            util.symlink.create(master['pki_tomcat_webapps_webinf_lib_path'],
> -                master['pki_tomcat_webapps_subsystem_webinf_lib_link'])
> +            util.directory.create(
> +                master['pki_tomcat_webapps_subsystem_webinf_classes_path'])
> +            util.directory.create(
> +                master['pki_tomcat_webapps_subsystem_webinf_lib_path'])
> +            # establish Tomcat webapps subsystem WEB-INF lib symbolic links
> +            if master['pki_subsystem'] == "CA":
> +                util.symlink.create(master['pki_ca_jar'],
> +                                    master['pki_ca_jar_link'])
> +            elif master['pki_subsystem'] == "KRA":
> +                util.symlink.create(master['pki_kra_jar'],
> +                                    master['pki_kra_jar_link'])
> +            elif master['pki_subsystem'] == "OCSP":
> +                util.symlink.create(master['pki_ocsp_jar'],
> +                                    master['pki_ocsp_jar_link'])
> +            elif master['pki_subsystem'] == "TKS":
> +                util.symlink.create(master['pki_tks_jar'],
> +                                    master['pki_tks_jar_link'])
>              # set ownerships, permissions, and acls
>              util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path'])
>          return self.rv
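Review bot: the if/elif chain on master['pki_subsystem'] has no else, so any subsystem other than CA, KRA, OCSP or TKS ends up with no jar link under WEB-INF/lib and no error or log message. Add an else that logs or raises, or derive the 'pki_<name>_jar' and 'pki_<name>_jar_link' keys from the subsystem name so the four branches collapse into one util.symlink.create call.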
> @@ -56,8 +68,16 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>              util.directory.modify(master['pki_tomcat_webapps_subsystem_path'])
>              util.war.explode(master['pki_war'],
>                               master['pki_tomcat_webapps_subsystem_path'])
> +            # update Tomcat webapps subsystem WEB-INF lib symbolic links
> +            if master['pki_subsystem'] == "CA":
> +                util.symlink.modify(master['pki_ca_jar_link'])
> +            elif master['pki_subsystem'] == "KRA":
> +                util.symlink.modify(master['pki_kra_jar_link'])
> +            elif master['pki_subsystem'] == "OCSP":
> +                util.symlink.modify(master['pki_ocsp_jar_link'])
> +            elif master['pki_subsystem'] == "TKS":
> +                util.symlink.modify(master['pki_tks_jar_link'])
>              # update ownerships, permissions, and acls
> -            # NOTE:  This includes existing convenience symbolic links
>              util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path'])
>          return self.rv
>  
> diff --git a/base/kra/shared/conf/CS.cfg.in b/base/kra/shared/conf/CS.cfg.in
> index 5135e13..c2655fc 100644
> --- a/base/kra/shared/conf/CS.cfg.in
> +++ b/base/kra/shared/conf/CS.cfg.in
> @@ -29,6 +29,7 @@ agent.interface.uri=kra/agent/kra
>  authType=pwd
>  preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445
>  instanceRoot=[PKI_INSTANCE_PATH]
> +configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/
>  machineName=[PKI_MACHINE_NAME]
>  instanceId=[PKI_INSTANCE_ID]
>  pidDir=[PKI_PIDDIR]
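Review bot: configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/ joins the slot directly to the next path component, as do the log paths changed later in this file, so the result is only a valid path when [PKI_SUBSYSTEM_DIR] expands to an empty string or to a value ending in '/'. Document that contract where the slot is defined or validate it in the deployment code; a value such as 'kra' without the trailing slash would silently yield '/kraconf/'.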
> @@ -201,7 +202,7 @@ dbs.ldap=internaldb
>  dbs.newSchemaEntryAdded=true
>  debug.append=true
>  debug.enabled=true
> -debug.filename=[PKI_INSTANCE_PATH]/logs/debug
> +debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug
>  debug.hashkeytypes=
>  debug.level=0
>  debug.showcaller=false
> @@ -277,7 +278,7 @@ log.instance.SignedAudit.bufferSize=512
>  log.instance.SignedAudit.enable=true
>  log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER
>  log.instance.SignedAudit.expirationTime=0
> -log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/kra_cert-kra_audit
> +log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/kra_cert-kra_audit
>  log.instance.SignedAudit.flushInterval=5
>  log.instance.SignedAudit.level=1
>  log.instance.SignedAudit.logSigning=false
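Review bot: log.instance.SignedAudit.fileName now points below logs/[PKI_SUBSYSTEM_DIR]signedAudit/, a directory this change assumes is present. Confirm that the deployment scriptlets create the per-subsystem signedAudit directory with the intended ownership and mode before the first start, and mention it in the commit message, since none of the scriptlet hunks shown for this file set it up.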
> @@ -295,7 +296,7 @@ log.instance.System._002=##
>  log.instance.System.bufferSize=512
>  log.instance.System.enable=true
>  log.instance.System.expirationTime=0
> -log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
> +log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
>  log.instance.System.flushInterval=5
>  log.instance.System.level=3
>  log.instance.System.maxFileSize=2000
> @@ -308,15 +309,15 @@ log.instance.Transactions._002=##
>  log.instance.Transactions.bufferSize=512
>  log.instance.Transactions.enable=true
>  log.instance.Transactions.expirationTime=0
> -log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
> +log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
>  log.instance.Transactions.flushInterval=5
>  log.instance.Transactions.level=1
>  log.instance.Transactions.maxFileSize=2000
>  log.instance.Transactions.pluginName=file
>  log.instance.Transactions.rolloverInterval=2592000
>  log.instance.Transactions.type=transaction
> -logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
> -logError.fileName=[PKI_INSTANCE_PATH]/logs/error
> +logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
> +logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
>  oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
>  oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
>  oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
> @@ -353,7 +354,7 @@ selftests.container.logger.bufferSize=512
>  selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
>  selftests.container.logger.enable=true
>  selftests.container.logger.expirationTime=0
> -selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
> +selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
>  selftests.container.logger.flushInterval=5
>  selftests.container.logger.level=1
>  selftests.container.logger.maxFileSize=2000
> diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml
> index c6e9934..273ca1f 100644
> --- a/base/kra/shared/webapps/kra/WEB-INF/web.xml
> +++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml
> @@ -3,71 +3,6 @@
>     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/pki/setup/web-app_2_3.dtd">
>  <web-app>
>  
> -    <filter>
> -        <filter-name>AgentRequestFilter</filter-name>
> -        <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
> -        <init-param>
> -            <param-name>https_port</param-name>
> -            <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_OPEN_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>proxy_port</param-name>
> -            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
> -         </init-param>
> -[PKI_CLOSE_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>active</param-name>
> -            <param-value>true</param-value>
> -        </init-param>
> -    </filter>
> -
> -    <filter>
> -        <filter-name>AdminRequestFilter</filter-name>
> -        <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class>
> -        <init-param>
> -            <param-name>https_port</param-name>
> -            <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_OPEN_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>proxy_port</param-name>
> -            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
> -         </init-param>
> -[PKI_CLOSE_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>active</param-name>
> -            <param-value>true</param-value>
> -        </init-param>
> -    </filter>
> -
> -    <filter>
> -        <filter-name>EERequestFilter</filter-name>
> -        <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class>
> -        <init-param>
> -            <param-name>http_port</param-name>
> -            <param-value>[PKI_UNSECURE_PORT]</param-value>
> -        </init-param>
> -        <init-param>
> -            <param-name>https_port</param-name>
> -            <param-value>[PKI_EE_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_OPEN_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>proxy_port</param-name>
> -            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
> -         </init-param>
> -        <init-param>
> -            <param-name>proxy_http_port</param-name>
> -            <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
> -         </init-param>
> -[PKI_CLOSE_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>active</param-name>
> -            <param-value>true</param-value>
> -        </init-param>
> -    </filter>
> -
>      <servlet>
>          <servlet-name>csadmin-wizard</servlet-name>
>          <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class>
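Review bot: this hunk removes the AgentRequestFilter, AdminRequestFilter and EERequestFilter definitions, and a later hunk in the same file removes their filter-mapping entries for /agent/*, /admin/* and /ee/*, so nothing in this web.xml ties those URL spaces to their configured ports any more. State in the commit message what enforces that separation in the new layout, or that it is dropped intentionally, because the matching step in slot_substitution.py is only present as commented-out code.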
> @@ -640,7 +575,7 @@
>               <init-param><param-name>  AuthzMgr    </param-name>
>                           <param-value> BasicAclAuthz </param-value> </init-param>
>               <init-param><param-name>  cfgPath     </param-name>
> -                         <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg  </param-value> </init-param>
> +                         <param-value> [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg  </param-value> </init-param>
>               <init-param><param-name>  ID          </param-name>
>                           <param-value> krastart    </param-value> </init-param>
>        <load-on-startup>  1  </load-on-startup>
> @@ -756,10 +691,9 @@
>                           <param-value> ee          </param-value> </init-param>
>     </servlet>
>  
> -   <context-param>
> -      <param-name>resteasy.scan</param-name>
> -      <param-value>true</param-value>
> -   </context-param>
> +   <listener>
> +      <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
> +   </listener>
>  
>     <context-param>
>        <param-name>resteasy.servlet.mapping.prefix</param-name>
> @@ -776,31 +710,12 @@
>     <servlet>
>        <servlet-name>Resteasy</servlet-name>
>        <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
> +      <init-param>
> +         <param-name>javax.ws.rs.Application</param-name>
> +         <param-value>com.netscape.kra.KeyRecoveryAuthorityApplication</param-value>
> +      </init-param>
>     </servlet>
>  
> -[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
> -   <filter-mapping>
> -      <filter-name>  AgentRequestFilter  </filter-name>
> -      <url-pattern>  /agent/*            </url-pattern>
> -   </filter-mapping>
> -
> -   <filter-mapping>
> -      <filter-name>  AdminRequestFilter  </filter-name>
> -      <url-pattern>  /admin/*            </url-pattern>
> -      <url-pattern>  /auths              </url-pattern>
> -      <url-pattern>  /server             </url-pattern>
> -      <url-pattern>  /log                </url-pattern>
> -      <url-pattern>  /ug                 </url-pattern>
> -      <url-pattern>  /acl                </url-pattern>
> -      <url-pattern>  /kra                </url-pattern>
> -   </filter-mapping>
> -
> -   <filter-mapping>
> -      <filter-name>  EERequestFilter  </filter-name>
> -      <url-pattern>  /ee/*            </url-pattern>
> -   </filter-mapping>
> -[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
> -
>     <servlet-mapping>
>        <servlet-name>Resteasy</servlet-name>
>        <url-pattern>/pki/*</url-pattern>
> diff --git a/base/ocsp/shared/conf/CS.cfg.in b/base/ocsp/shared/conf/CS.cfg.in
> index 658a1b6..0910d66 100644
> --- a/base/ocsp/shared/conf/CS.cfg.in
> +++ b/base/ocsp/shared/conf/CS.cfg.in
> @@ -99,6 +99,7 @@ preop.cert.subsystem.cncomponent.override=true
>  cs.state=0
>  authType=pwd
>  instanceRoot=[PKI_INSTANCE_PATH]
> +configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/
>  machineName=[PKI_MACHINE_NAME]
>  instanceId=[PKI_INSTANCE_ID]
>  service.machineName=[PKI_MACHINE_NAME]
> @@ -163,7 +164,7 @@ dbs.ldap=internaldb
>  dbs.newSchemaEntryAdded=true
>  debug.append=true
>  debug.enabled=true
> -debug.filename=[PKI_INSTANCE_PATH]/logs/debug
> +debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug
>  debug.hashkeytypes=
>  debug.level=0
>  debug.showcaller=false
> @@ -216,7 +217,7 @@ log.instance.SignedAudit.bufferSize=512
>  log.instance.SignedAudit.enable=true
>  log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
>  log.instance.SignedAudit.expirationTime=0
> -log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ocsp_cert-ocsp_audit
> +log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/ocsp_cert-ocsp_audit
>  log.instance.SignedAudit.flushInterval=5
>  log.instance.SignedAudit.level=1
>  log.instance.SignedAudit.logSigning=false
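Review bot: the log.instance.SignedAudit.events context line in this hunk contains an empty entry, 'SERVER_SIDE_KEYGEN_REQUEST,,COMPUTE_SESSION_KEY_REQUEST', which the corresponding line in the KRA template does not have. Since the neighbouring fileName line is being edited anyway, remove the doubled comma in this change or a follow-up.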
> @@ -234,7 +235,7 @@ log.instance.System._002=##
>  log.instance.System.bufferSize=512
>  log.instance.System.enable=true
>  log.instance.System.expirationTime=0
> -log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
> +log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
>  log.instance.System.flushInterval=5
>  log.instance.System.level=3
>  log.instance.System.maxFileSize=2000
> @@ -247,15 +248,15 @@ log.instance.Transactions._002=##
>  log.instance.Transactions.bufferSize=512
>  log.instance.Transactions.enable=true
>  log.instance.Transactions.expirationTime=0
> -log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
> +log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
>  log.instance.Transactions.flushInterval=5
>  log.instance.Transactions.level=1
>  log.instance.Transactions.maxFileSize=2000
>  log.instance.Transactions.pluginName=file
>  log.instance.Transactions.rolloverInterval=2592000
>  log.instance.Transactions.type=transaction
> -logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
> -logError.fileName=[PKI_INSTANCE_PATH]/logs/error
> +logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
> +logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
>  ocsp.certNickname=
>  ocsp.storeId=defStore
>  ocsp.signing.certnickname=
> @@ -302,7 +303,7 @@ selftests.container.logger.bufferSize=512
>  selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
>  selftests.container.logger.enable=true
>  selftests.container.logger.expirationTime=0
> -selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
> +selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
>  selftests.container.logger.flushInterval=5
>  selftests.container.logger.level=1
>  selftests.container.logger.maxFileSize=2000
> diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
> index e4ea799..cb18574 100644
> --- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
> +++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
> @@ -7,71 +7,6 @@
>     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/pki/setup/web-app_2_3.dtd">
>  <web-app>
>  
> -    <filter>
> -        <filter-name>AgentRequestFilter</filter-name>
> -        <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
> -        <init-param>
> -            <param-name>https_port</param-name>
> -            <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_OPEN_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>proxy_port</param-name>
> -            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_CLOSE_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>active</param-name>
> -            <param-value>true</param-value>
> -        </init-param>
> -    </filter>
> -
> -    <filter>
> -        <filter-name>AdminRequestFilter</filter-name>
> -        <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class>
> -        <init-param>
> -            <param-name>https_port</param-name>
> -            <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_OPEN_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>proxy_port</param-name>
> -            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_CLOSE_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>active</param-name>
> -            <param-value>true</param-value>
> -        </init-param>
> -    </filter>
> -
> -    <filter>
> -        <filter-name>EERequestFilter</filter-name>
> -        <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class>
> -        <init-param>
> -            <param-name>http_port</param-name>
> -            <param-value>[PKI_UNSECURE_PORT]</param-value>
> -        </init-param>
> -        <init-param>
> -            <param-name>https_port</param-name>
> -            <param-value>[PKI_EE_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_OPEN_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>proxy_port</param-name>
> -            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
> -        </init-param>
> -        <init-param>
> -            <param-name>proxy_http_port</param-name>
> -            <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_CLOSE_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>active</param-name>
> -            <param-value>true</param-value>
> -        </init-param>
> -    </filter>
> -
>      <servlet>
>          <servlet-name>csadmin-wizard</servlet-name>
>          <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class>
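Review bot: Removing the AgentRequestFilter, AdminRequestFilter and EERequestFilter definitions drops the per-interface port checks (the 'https_port', 'http_port' and 'proxy_port' init-params) from the OCSP web.xml, and nothing in the visible hunks of this file puts an equivalent restriction back. Please state in the commit message why the port separation is no longer needed under the new layout, or point to where it is enforced instead, so that agent and admin URLs are not silently reachable on the end-entity port.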
> @@ -160,7 +95,7 @@
>               <init-param><param-name>  AuthzMgr    </param-name>
>                           <param-value> BasicAclAuthz </param-value> </init-param>
>               <init-param><param-name>  cfgPath     </param-name>
> -                         <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg </param-value> </init-param>
> +                         <param-value> [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg </param-value> </init-param>
>               <init-param><param-name>  ID          </param-name>
>                           <param-value> ocspstart   </param-value> </init-param>
>        <load-on-startup>  1  </load-on-startup>
> @@ -469,10 +404,9 @@
>                           <param-value> ee          </param-value> </init-param>
>     </servlet>
>  
> -   <context-param>
> -      <param-name>resteasy.scan</param-name>
> -      <param-value>true</param-value>
> -   </context-param>
> +   <listener>
> +      <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
> +   </listener>
>  
>     <context-param>
>        <param-name>resteasy.servlet.mapping.prefix</param-name>
> @@ -489,31 +423,12 @@
>     <servlet>
>        <servlet-name>Resteasy</servlet-name>
>        <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
> +      <init-param>
> +         <param-name>javax.ws.rs.Application</param-name>
> +         <param-value>com.netscape.ocsp.OCSPApplication</param-value>
> +      </init-param>
>     </servlet>
>  
> -[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
> -   <filter-mapping>
> -      <filter-name>  AgentRequestFilter  </filter-name>
> -      <url-pattern>  /agent/*            </url-pattern>
> -   </filter-mapping>
> -
> -   <filter-mapping>
> -      <filter-name>  AdminRequestFilter  </filter-name>
> -      <url-pattern>  /admin/*            </url-pattern>
> -      <url-pattern>  /auths              </url-pattern>
> -      <url-pattern>  /ug                 </url-pattern>
> -      <url-pattern>  /log                </url-pattern>
> -      <url-pattern>  /acl                </url-pattern>
> -      <url-pattern>  /server             </url-pattern>
> -      <url-pattern>  /ocsp               </url-pattern>
> -   </filter-mapping>
> -
> -   <filter-mapping>
> -      <filter-name>  EERequestFilter  </filter-name>
> -      <url-pattern>  /ee/*            </url-pattern>
> -   </filter-mapping>
> -[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
> -
>     <servlet-mapping>
>        <servlet-name>Resteasy</servlet-name>
>        <url-pattern>/pki/*</url-pattern>
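Review bot: The new 'javax.ws.rs.Application' init-param names com.netscape.ocsp.OCSPApplication, and the previous hunk turns off 'resteasy.scan', so from here on only what that class registers is served under /pki/*. The class is not part of the hunks shown for this file; please confirm it is added in this series and that it lists every resource that scanning used to pick up. The filter-mapping block removed below it (including '/ocsp' under AdminRequestFilter) should be covered by the same explanation as the filter definitions removed at the top of the file.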
> diff --git a/base/setup/pkicreate b/base/setup/pkicreate
> index bd07eb0..6abb737 100755
> --- a/base/setup/pkicreate
> +++ b/base/setup/pkicreate
> @@ -307,6 +307,7 @@ my $PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT = "PKI_EE_SECURE_CLIENT_AUTH_PORT_UI"
>  my $PKI_AGENT_SECURE_PORT_SLOT          = "PKI_AGENT_SECURE_PORT";
>  my $PKI_ADMIN_SECURE_PORT_SLOT          = "PKI_ADMIN_SECURE_PORT";
>  my $PKI_SERVER_XML_CONF                 = "PKI_SERVER_XML_CONF";
> +my $PKI_SUBSYSTEM_DIR_SLOT              = "PKI_SUBSYSTEM_DIR";
>  my $PKI_SUBSYSTEM_TYPE_SLOT             = "PKI_SUBSYSTEM_TYPE";
>  my $PKI_UNSECURE_PORT_SLOT              = "PKI_UNSECURE_PORT";
>  my $PKI_USER_SLOT                       = "PKI_USER";
> @@ -2417,6 +2418,7 @@ sub process_pki_templates
>  
>      emit("Processing PKI templates for '$pki_instance_path' ...\n");
>  
> +    $slot_hash{$PKI_SUBSYSTEM_DIR_SLOT}    = "";
>      $slot_hash{$PKI_SUBSYSTEM_TYPE_SLOT}   = $subsystem_type;
>      $slot_hash{$PKI_INSTANCE_ID_SLOT}      = $pki_instance_name;
>      $slot_hash{$PKI_INSTANCE_ROOT_SLOT}    = $pki_instance_root;
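Review bot: The new assignment '$slot_hash{$PKI_SUBSYSTEM_DIR_SLOT} = "";' needs a comment. The templates butt the slot directly against the following name ('[PKI_SUBSYSTEM_DIR]system', '[PKI_SUBSYSTEM_DIR]CS.cfg'), so the only valid values are the empty string or a directory name that ends in '/'. Please document that contract next to the slot definition, and say that pkicreate deliberately leaves it empty, so a later caller does not set it to a bare name such as 'tks' and end up with paths like 'logs/tkssystem'.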
> diff --git a/base/tks/shared/conf/CS.cfg.in b/base/tks/shared/conf/CS.cfg.in
> index 740baf6..f641e02 100644
> --- a/base/tks/shared/conf/CS.cfg.in
> +++ b/base/tks/shared/conf/CS.cfg.in
> @@ -91,6 +91,7 @@ preop.module.token=Internal Key Storage Token
>  cs.state=0
>  authType=pwd
>  instanceRoot=[PKI_INSTANCE_PATH]
> +configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/
>  machineName=[PKI_MACHINE_NAME]
>  instanceId=[PKI_INSTANCE_ID]
>  preop.pin=[PKI_RANDOM_NUMBER]
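Review bot: 'configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/' puts the subsystem directory in front of 'conf', while the web.xml hunks in this patch use '[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg', which puts it after 'conf'. With a non-empty slot the two expand to different directories. Please make the ordering consistent or explain why they differ. The leading '/' also makes the value read as an absolute path; if it is meant to be appended to instanceRoot, a comment saying so would help, since with the empty slot set by pkicreate it expands to '/conf/'.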
> @@ -156,7 +157,7 @@ dbs.ldap=internaldb
>  dbs.newSchemaEntryAdded=true
>  debug.append=true
>  debug.enabled=true
> -debug.filename=[PKI_INSTANCE_PATH]/logs/debug
> +debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug
>  debug.hashkeytypes=
>  debug.level=0
>  debug.showcaller=false
> @@ -209,7 +210,7 @@ log.instance.SignedAudit.bufferSize=512
>  log.instance.SignedAudit.enable=true
>  log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
>  log.instance.SignedAudit.expirationTime=0
> -log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/tks_cert-tks_audit
> +log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/tks_cert-tks_audit
>  log.instance.SignedAudit.flushInterval=5
>  log.instance.SignedAudit.level=1
>  log.instance.SignedAudit.logSigning=false
> @@ -227,7 +228,7 @@ log.instance.System._002=##
>  log.instance.System.bufferSize=512
>  log.instance.System.enable=true
>  log.instance.System.expirationTime=0
> -log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
> +log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
>  log.instance.System.flushInterval=5
>  log.instance.System.level=3
>  log.instance.System.maxFileSize=2000
> @@ -240,15 +241,15 @@ log.instance.Transactions._002=##
>  log.instance.Transactions.bufferSize=512
>  log.instance.Transactions.enable=true
>  log.instance.Transactions.expirationTime=0
> -log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
> +log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
>  log.instance.Transactions.flushInterval=5
>  log.instance.Transactions.level=1
>  log.instance.Transactions.maxFileSize=2000
>  log.instance.Transactions.pluginName=file
>  log.instance.Transactions.rolloverInterval=2592000
>  log.instance.Transactions.type=transaction
> -logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
> -logError.fileName=[PKI_INSTANCE_PATH]/logs/error
> +logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
> +logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
>  oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
>  oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
>  oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
> @@ -285,7 +286,7 @@ selftests.container.logger.bufferSize=512
>  selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
>  selftests.container.logger.enable=true
>  selftests.container.logger.expirationTime=0
> -selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
> +selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
>  selftests.container.logger.flushInterval=5
>  selftests.container.logger.level=1
>  selftests.container.logger.maxFileSize=2000
> diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml
> index c3f7593..20874de 100644
> --- a/base/tks/shared/webapps/tks/WEB-INF/web.xml
> +++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml
> @@ -7,71 +7,6 @@
>     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/pki/setup/web-app_2_3.dtd">
>  <web-app>
>  
> -    <filter>
> -        <filter-name>AgentRequestFilter</filter-name>
> -        <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
> -        <init-param>
> -            <param-name>https_port</param-name>
> -            <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_OPEN_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>proxy_port</param-name>
> -            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_CLOSE_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>active</param-name>
> -            <param-value>true</param-value>
> -        </init-param>
> -    </filter>
> -
> -    <filter>
> -        <filter-name>AdminRequestFilter</filter-name>
> -        <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class>
> -        <init-param>
> -            <param-name>https_port</param-name>
> -            <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_OPEN_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>proxy_port</param-name>
> -            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_CLOSE_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>active</param-name>
> -            <param-value>true</param-value>
> -        </init-param>
> -    </filter>
> -
> -    <filter>
> -        <filter-name>EERequestFilter</filter-name>
> -        <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class>
> -        <init-param>
> -            <param-name>http_port</param-name>
> -            <param-value>[PKI_UNSECURE_PORT]</param-value>
> -        </init-param>
> -        <init-param>
> -            <param-name>https_port</param-name>
> -            <param-value>[PKI_EE_SECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_OPEN_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>proxy_port</param-name>
> -            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
> -        </init-param>
> -        <init-param>
> -            <param-name>proxy_http_port</param-name>
> -            <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
> -        </init-param>
> -[PKI_CLOSE_ENABLE_PROXY_COMMENT]
> -        <init-param>
> -            <param-name>active</param-name>
> -            <param-value>true</param-value>
> -        </init-param>
> -    </filter>
> -
>      <servlet>
>          <servlet-name>csadmin-wizard</servlet-name>
>          <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class>
> @@ -104,7 +39,7 @@
>               <init-param><param-name>  AuthzMgr    </param-name>
>                           <param-value> BasicAclAuthz </param-value> </init-param>
>               <init-param><param-name>  cfgPath     </param-name>
> -                         <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg </param-value> </init-param>
> +                         <param-value> [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg </param-value> </init-param>
>               <init-param><param-name>  ID          </param-name>
>                           <param-value> tksstart    </param-value> </init-param>
>        <load-on-startup>  1  </load-on-startup>
> @@ -338,10 +273,9 @@
>                           <param-value> ee          </param-value> </init-param>
>     </servlet>
>  
> -   <context-param>
> -      <param-name>resteasy.scan</param-name>
> -      <param-value>true</param-value>
> -   </context-param>
> +   <listener>
> +      <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
> +   </listener>
>  
>     <context-param>
>        <param-name>resteasy.servlet.mapping.prefix</param-name>
> @@ -358,30 +292,12 @@
>     <servlet>
>        <servlet-name>Resteasy</servlet-name>
>        <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
> +      <init-param>
> +         <param-name>javax.ws.rs.Application</param-name>
> +         <param-value>com.netscape.tks.TKSApplication</param-value>
> +      </init-param>
>     </servlet>
>  
> -[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
> -   <filter-mapping>
> -      <filter-name>  AgentRequestFilter  </filter-name>
> -      <url-pattern>  /agent/*            </url-pattern>
> -   </filter-mapping>
> -
> -   <filter-mapping>
> -      <filter-name>  AdminRequestFilter  </filter-name>
> -      <url-pattern>  /admin/*            </url-pattern>
> -      <url-pattern>  /auths              </url-pattern>
> -      <url-pattern>  /ug                 </url-pattern>
> -      <url-pattern>  /log                </url-pattern>
> -      <url-pattern>  /acl                </url-pattern>
> -      <url-pattern>  /server             </url-pattern>
> -   </filter-mapping>
> -
> -   <filter-mapping>
> -      <filter-name>  EERequestFilter  </filter-name>
> -      <url-pattern>  /ee/*            </url-pattern>
> -   </filter-mapping>
> -[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
> -
>     <servlet-mapping>
>        <servlet-name>Resteasy</servlet-name>
>        <url-pattern>/pki/*</url-pattern>
> diff --git a/specs/dogtag-pki.spec b/specs/dogtag-pki.spec
> index 20b0c7b..4b07975 100644
> --- a/specs/dogtag-pki.spec
> +++ b/specs/dogtag-pki.spec
> @@ -8,7 +8,7 @@
>  Summary:          Dogtag Public Key Infrastructure (PKI) Suite
>  Name:             dogtag-pki
>  Version:          10.0.0
> -Release:          %{?relprefix}4%{?prerel}%{?dist}
> +Release:          %{?relprefix}5%{?prerel}%{?dist}
>  # The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2
>  License:          GPLv2 and LGPLv2
>  URL:              http://pki.fedoraproject.org/
> @@ -17,6 +17,19 @@ BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
>  BuildArch:        noarch
>  
>  # Establish MINIMUM package versions based upon platform
> +%if 0%{?fedora} >= 18
> +%define dogtag_pki_theme_version   10.0.0
> +%define esc_version                1.1.0
> +%define jss_version                4.2.6-24
> +%define pki_core_version           10.0.0
> +%define pki_kra_version            10.0.0
> +%define pki_ocsp_version           10.0.0
> +%define pki_ra_version             10.0.0
> +%define pki_tks_version            10.0.0
> +%define pki_tps_version            10.0.0
> +%define pki_console_version        10.0.0
> +%define tomcatjss_version          7.0.0
> +%else
>  %if 0%{?fedora} >= 17
>  %define dogtag_pki_theme_version   10.0.0
>  %define esc_version                1.1.0
> @@ -56,6 +69,7 @@ BuildArch:        noarch
>  %define tomcatjss_version          2.0.0
>  %endif
>  %endif
> +%endif
>  
>  Requires:         apache-commons-codec
>  
> @@ -184,6 +198,9 @@ rm -rf %{buildroot}
>  %doc README
>  
>  %changelog
> +* Thu Jun 14 2012 Matthew Harmsen <mharmsen at redhat.com> 10.0.0-0.5.a1
> +- Updated release of 'tomcatjss' to rely on Tomcat 7 for Fedora 18
> +
>  * Thu Apr  5 2012 Christina Fu <cfu at redhat.com> 10.0.0-0.4.a1
>  - Bug 745278 - [RFE] ECC encryption keys cannot be archived
>  
> diff --git a/specs/pki-core.spec b/specs/pki-core.spec
> index b742e52..2af4311 100644
> --- a/specs/pki-core.spec
> +++ b/specs/pki-core.spec
> @@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
>  
>  Name:             pki-core
>  Version:          10.0.0
> -Release:          %{?relprefix}17%{?prerel}%{?dist}
> +Release:          %{?relprefix}19%{?prerel}%{?dist}
>  Summary:          Certificate System - PKI Core Components
>  URL:              http://pki.fedoraproject.org/
>  License:          GPLv2
> @@ -47,6 +47,12 @@ BuildRequires:    junit
>  %else
>  BuildRequires:    junit4
>  %endif
> +%if 0%{?fedora} >= 18
> +BuildRequires:    jpackage-utils >= 0:1.7.5-10
> +BuildRequires:    jss >= 4.2.6-24
> +BuildRequires:    systemd-units
> +BuildRequires:    tomcatjss >= 7.0.0
> +%else
>  %if 0%{?fedora} >= 16
>  BuildRequires:    jpackage-utils >= 0:1.7.5-10
>  BuildRequires:    jss >= 4.2.6-24
> @@ -63,6 +69,7 @@ BuildRequires:    jss >= 4.2.6-17
>  BuildRequires:    tomcatjss >= 2.0.0
>  %endif
>  %endif
> +%endif
>  # Add the following build-time requirements to support the "pki-deploy" package
>  BuildRequires:    pki-common-theme
>  BuildRequires:    pki-ca-theme
> @@ -345,6 +352,7 @@ BuildArch:        noarch
>  Requires:         java >= 1:1.6.0
>  Requires:         javassist
>  Requires:         jettison
> +Requires:         jython >= 2.2.1
>  Requires:         pki-common-theme >= 9.0.0
>  Requires:         pki-java-tools = %{version}-%{release}
>  Requires:         pki-deploy = %{version}-%{release}
> @@ -360,6 +368,15 @@ Requires:         velocity
>  %if 0%{?fedora} >= 17
>  Requires:         resteasy >= 2.3.2-1
>  %endif
> +%if 0%{?fedora} >= 18
> +Requires:         apache-commons-lang
> +Requires:         apache-commons-logging
> +Requires:         jss >= 4.2.6-24
> +Requires(post):   systemd-units
> +Requires(preun):  systemd-units
> +Requires(postun): systemd-units
> +Requires:         tomcatjss >= 7.0.0
> +%else
>  %if 0%{?fedora} >= 16
>  Requires:         apache-commons-lang
>  Requires:         apache-commons-logging
> @@ -398,6 +415,7 @@ Requires:         tomcatjss >= 2.0.0
>  %endif
>  %endif
>  %endif
> +%endif
>  
>  %description -n   pki-common
>  The PKI Common Framework is required by the following four PKI subsystems:
> @@ -785,8 +803,8 @@ echo "D /var/run/pki/tks 0755 root root -"  >> %{buildroot}%{_sysconfdir}/tmpfil
>  %{__rm} %{buildroot}%{_initrddir}/pki-ocspd
>  %{__rm} %{buildroot}%{_initrddir}/pki-tksd
>  # Create symlink to the pki-jndi-realm jar
> -%{__mkdir_p} %{buildroot}%{_javadir}/tomcat6
> -%{__ln_s} -f %{_javadir}/pki/pki-jndi-realm.jar %{buildroot}%{_javadir}/tomcat6/pki-jndi-realm.jar
> +%{__mkdir_p} %{buildroot}%{_javadir}/tomcat
> +%{__ln_s} -f %{_javadir}/pki/pki-jndi-realm.jar %{buildroot}%{_javadir}/tomcat/pki-jndi-realm.jar
>  %else
>  %{__rm} %{buildroot}%{_bindir}/pkicontrol
>  %{__rm} %{buildroot}%{_bindir}/pkidaemon
> @@ -1253,7 +1271,7 @@ fi
>  
>  %if 0%{?fedora} >= 16
>  # Create symlink to the pki-jndi-realm jar
> -%{_javadir}/tomcat6/pki-jndi-realm.jar
> +%{_javadir}/tomcat/pki-jndi-realm.jar
>  %endif
>  %if 0%{?fedora} >= 15
>  # Details:
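Review bot: The link path changes from 'tomcat6' to 'tomcat' inside the existing '%if 0%{?fedora} >= 16' block, but the 'tomcatjss >= 7.0.0' requirement is added only under '%if 0%{?fedora} >= 18'. On Fedora 16 and 17 the package would now ship %{_javadir}/tomcat/pki-jndi-realm.jar and no longer the 'tomcat6' link. If those releases stay on Tomcat 6, please guard the new path with the same '>= 18' condition here and in the %install section where the link is created, and keep the 'tomcat6' path in the other branch.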
> @@ -1413,6 +1431,12 @@ fi
>  
> 
>  %changelog
> +* Wed Jul 11 2012 Matthew Harmsen <mharmsen at redhat.com> 10.0.0-0.19.a1
> +- Moved 'pki-jndi-real.jar' link from 'tomcat6' to 'tomcat' (Tomcat 7)
> +
> +* Thu Jun 14 2012 Matthew Harmsen <mharmsen at redhat.com> 10.0.0-0.18.a1
> +- Updated release of 'tomcatjss' to rely on Tomcat 7 for Fedora 18
> +
>  * Mon May 29 2012 Endi S. Dewata <edewata at redhat.com> 10.0.0-0.17.a1
>  - Added CLI for REST services
>  
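Review bot: Typo in the new changelog entry: 'pki-jndi-real.jar' should be 'pki-jndi-realm.jar', matching the file name used in the %install and %files sections of this spec.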
> differences between files attachment
> (0010-PKI-Deployment-Scriptlets-Admin-Certificate-PKCS12-File.patch)
> >From 3dc8b16a5a777d3c8f463b43f2917c7c9fe88830 Mon Sep 17 00:00:00 2001
> From: Matthew Harmsen <mharmsen at redhat.com>
> Date: Wed, 18 Jul 2012 17:48:11 -0700
> Subject: [PATCH] PKI Deployment Scriptlets
> 
> Saved Admin Certificate, imported it into NSS client security databases, and
> exported it to a PKCS #12 file such that it may be imported into a browser.
> 
> TRAC Ticket #221
> Dogtag 10: Create a PKCS #12 file containing the Admin Certificate
> (https://fedorahosted.org/pki/ticket/221)
> ---
>  base/deploy/config/pkideployment.cfg        |    2 +
>  base/deploy/src/scriptlets/configuration.jy |    4 +-
>  base/deploy/src/scriptlets/configuration.py |   24 ++++++-
>  base/deploy/src/scriptlets/pkiconfig.py     |    1 +
>  base/deploy/src/scriptlets/pkihelper.py     |   55 +++++++++++---
>  base/deploy/src/scriptlets/pkijython.py     |   86 ++++++++++++++++++++--
>  base/deploy/src/scriptlets/pkimessages.py   |    8 +++
>  base/deploy/src/scriptlets/pkiparser.py     |  103 +++++++++++++++++++++++++--
>  8 files changed, 260 insertions(+), 23 deletions(-)
> 
> diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
> index 542fc5b..a4513d7 100644
> --- a/base/deploy/config/pkideployment.cfg
> +++ b/base/deploy/config/pkideployment.cfg
> @@ -10,6 +10,7 @@
>  [Sensitive]
>  pki_admin_password=
>  pki_backup_password=
> +pki_client_pkcs12_password=
>  pki_ds_password=
>  pki_pkcs12_password=
>  pki_security_domain_password=
> @@ -32,6 +33,7 @@ pki_security_domain_password=
>  [Optional]
>  pki_admin_domain_name=
>  pki_admin_email=
> +pki_admin_nickname=
>  pki_admin_subject_dn=
>  pki_audit_signing_nickname=
>  pki_audit_signing_subject_dn=
> diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy
> index a40e7c6..2e72f40 100644
> --- a/base/deploy/src/scriptlets/configuration.jy
> +++ b/base/deploy/src/scriptlets/configuration.jy
> @@ -163,9 +163,7 @@ def main(argv):
>  
>      # Formulate PKI Subsystem Configuration Data Response
>      jyutil.rest_client.configure_pki_data(data,
> -                                          master['pki_subsystem'],
> -                                          master['pki_dry_run_flag'],
> -                                          master['pki_jython_log_level'])
> +                                          master)
>  
> 
>  if __name__ == "__main__":
> diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py
> index 421e08d..742a4ec 100644
> --- a/base/deploy/src/scriptlets/configuration.py
> +++ b/base/deploy/src/scriptlets/configuration.py
> @@ -35,7 +35,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>          config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__,
>                              extra=config.PKI_INDENTATION_LEVEL_1)
>          if not config.pki_dry_run_flag:
> -            util.directory.create(master['pki_client_path'], uid=0, gid=0)
> +            # Place "slightly" less restrictive permissions on
> +            # the top-level client directory ONLY
> +            util.directory.create(master['pki_client_path'],
> +                uid=0, gid=0,
> +                perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS)
>              # Since 'certutil' does NOT strip the 'token=' portion of
>              # the 'token=password' entries, create a client password file
>              # which ONLY contains the 'password' for the purposes of
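Review bot: The top-level client directory is now created with PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS (00755 in pkiconfig.py), so any local user can list and traverse it. The comment says "slightly" less restrictive but not why it is needed. Please give the reason in the comment (for example, which account has to reach the exported PKCS #12 file), and make sure every file and subdirectory created beneath it is given restrictive permissions explicitly, since the parent no longer protects them.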
> @@ -43,6 +47,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>              util.password.create_password_conf(
>                  master['pki_client_password_conf'],
>                  master['pki_client_pin'], pin_sans_token=True)
> +            util.file.modify(master['pki_client_password_conf'],
> +                             uid=0, gid=0)
> +            # Similarly, create a simple password file containing the
> +            # PKCS #12 password used when exporting the "Admin Certificate"
> +            # into a PKCS #12 file
> +            util.password.create_client_pkcs12_password_conf(
> +                master['pki_client_pkcs12_password_conf'])
> +            util.file.modify(master['pki_client_pkcs12_password_conf'],
> +                             uid=0, gid=0)
>              util.directory.create(master['pki_client_database_path'],
>                                    uid=0, gid=0)
>              util.certutil.create_security_databases(
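Review bot: Both password files are written first and only then passed to util.file.modify(..., uid=0, gid=0), with no 'perms' argument. That leaves a window in which the file exists with whatever mode the process umask produced, inside a directory that this patch makes world-traversable. Please pass the intended mode explicitly in the modify calls, and preferably create the file with that mode in the first place (for example os.open with an explicit mode, then os.fdopen) so the password is never on disk with looser permissions.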
> @@ -61,6 +74,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>              util.password.create_password_conf(
>                  master['pki_client_password_conf'],
>                  master['pki_client_pin'], pin_sans_token=True)
> +            # Similarly, create a simple password file containing the
> +            # PKCS #12 password used when exporting the "Admin Certificate"
> +            # into a PKCS #12 file
> +            util.password.create_client_pkcs12_password_conf(
> +                master['pki_client_pkcs12_password_conf'])
>              util.certutil.create_security_databases(
>                  master['pki_client_database_path'],
>                  master['pki_client_cert_database'],
> @@ -112,6 +130,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>      def respawn(self):
>          config.pki_log.info(log.CONFIGURATION_RESPAWN_1, __name__,
>                              extra=config.PKI_INDENTATION_LEVEL_1)
> +        util.file.modify(master['pki_client_password_conf'],
> +                         uid=0, gid=0)
> +        util.file.modify(master['pki_client_pkcs12_password_conf'],
> +                         uid=0, gid=0)
>          # ALWAYS Restart this Apache/Tomcat PKI Process
>          util.systemd.restart()
>          return self.rv
> diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
> index 07537d7..59526e6 100644
> --- a/base/deploy/src/scriptlets/pkiconfig.py
> +++ b/base/deploy/src/scriptlets/pkiconfig.py
> @@ -20,6 +20,7 @@
>  #
>  
>  # PKI Deployment Constants
> +PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS = 00755
>  PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS = 00770
>  PKI_DEPLOYMENT_DEFAULT_EXE_PERMISSIONS = 00770
>  PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS = 00660
> diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
> index 7b77bce..7de6502 100644
> --- a/base/deploy/src/scriptlets/pkihelper.py
> +++ b/base/deploy/src/scriptlets/pkihelper.py
> @@ -326,16 +326,22 @@ class configuration_file:
>                          extra=config.PKI_INDENTATION_LEVEL_2)
>                      sys.exit(1)
>              # If required, verify existence of Backup Password
> -            # (except for Clones)
>              if config.str2bool(master['pki_backup_keys']):
> -                if not config.str2bool(master['pki_clone']):
> -                    if not sensitive.has_key('pki_backup_password') or\
> -                       not len(sensitive['pki_backup_password']):
> -                        config.pki_log.error(
> -                            log.PKIHELPER_UNDEFINED_BACKUP_PASSWORD_1,
> -                            config.pkideployment_cfg,
> -                            extra=config.PKI_INDENTATION_LEVEL_2)
> -                        sys.exit(1)
> +                if not sensitive.has_key('pki_backup_password') or\
> +                   not len(sensitive['pki_backup_password']):
> +                    config.pki_log.error(
> +                        log.PKIHELPER_UNDEFINED_BACKUP_PASSWORD_1,
> +                        config.pkideployment_cfg,
> +                        extra=config.PKI_INDENTATION_LEVEL_2)
> +                    sys.exit(1)
> +            # Verify existence of Client PKCS #12 Password for Admin Cert
> +            if not sensitive.has_key('pki_client_pkcs12_password') or\
> +               not len(sensitive['pki_client_pkcs12_password']):
> +                config.pki_log.error(
> +                    log.PKIHELPER_UNDEFINED_CLIENT_PKCS12_PASSWORD_1,
> +                    config.pkideployment_cfg,
> +                    extra=config.PKI_INDENTATION_LEVEL_2)
> +                sys.exit(1)
>              # Verify existence of PKCS #12 Password (ONLY for Clones)
>              if config.str2bool(master['pki_clone']):
>                  if not sensitive.has_key('pki_pkcs12_password') or\
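Review bot: The new 'pki_client_pkcs12_password' check is unconditional, while the template pkideployment.cfg ships the key empty, so every deployment now exits with PKIHELPER_UNDEFINED_CLIENT_PKCS12_PASSWORD_1 until the administrator fills it in, including cases where no Admin Certificate is exported. If that is intended, please document it in pkideployment.cfg; otherwise guard the check the way the clone-only 'pki_pkcs12_password' check below it is guarded. Dropping the 'except for Clones' exemption for 'pki_backup_password' is a behaviour change as well and is not mentioned in the commit message.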
> @@ -1583,6 +1589,37 @@ class password:
>                  sys.exit(1)
>          return
>  
> +    def create_client_pkcs12_password_conf(self, path, overwrite_flag=False,
> +                                           critical_failure=True):
> +        try:
> +            if not config.pki_dry_run_flag:
> +                if os.path.exists(path):
> +                    if overwrite_flag:
> +                        config.pki_log.info(
> +                            log.PKIHELPER_PASSWORD_CONF_1, path,
> +                            extra=config.PKI_INDENTATION_LEVEL_2)
> +                        # overwrite the existing 'pkcs12_password.conf' file
> +                        with open(path, "wt") as fd:
> +                            fd.write(sensitive['pki_client_pkcs12_password'])
> +                        fd.closed
> +                else:
> +                    config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path,
> +                                        extra=config.PKI_INDENTATION_LEVEL_2)
> +                    # create a new 'pkcs12_password.conf' file
> +                    with open(path, "wt") as fd:
> +                        fd.write(sensitive['pki_client_pkcs12_password'])
> +                    fd.closed
> +            else:
> +                if not os.path.exists(path) or overwrite_flag:
> +                    config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path,
> +                                        extra=config.PKI_INDENTATION_LEVEL_2)
> +        except OSError as exc:
> +            config.pki_log.error(log.PKI_OSERROR_1, exc,
> +                                 extra=config.PKI_INDENTATION_LEVEL_2)
> +            if critical_failure == True:
> +                sys.exit(1)
> +        return
> +
>  
>  # PKI Deployment NSS 'certutil' Class
>  class certutil:
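Review bot: create_client_pkcs12_password_conf writes the PKCS #12 password with a plain open(path, "wt"), so the file gets whatever mode the current umask allows and nothing in the method restricts it; create it owner-only from the start (os.open with O_CREAT | O_EXCL and mode 0600, then os.fdopen) rather than relying on a later chmod. Two smaller points: in Python 2 a failed open() raises IOError, which the "except OSError" handler does not catch, so critical_failure is not honoured for the most likely failure; and the bare "fd.closed" expressions after the with blocks do nothing and can be dropped.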
> diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
> index 8008266..7856ba8c 100644
> --- a/base/deploy/src/scriptlets/pkijython.py
> +++ b/base/deploy/src/scriptlets/pkijython.py
> @@ -21,6 +21,7 @@ import jarray
>  # System Python Imports
>  import ConfigParser
>  import os
> +import re
>  import sys
>  pki_python_module_path = os.path.join(sys.prefix,
>                                        "lib",
> @@ -581,20 +582,21 @@ class rest_client:
>              data.setSystemCerts(systemCerts)
>          return data
>  
> -    def configure_pki_data(self, data, pki_subsystem, pki_dry_run_flag,
> -                           log_level):
> -        if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
> +    def configure_pki_data(self, data, master):
> +        if master['pki_jython_log_level'] >= config.PKI_JYTHON_INFO_LOG_LEVEL:
>              print "%s %s '%s'" %\
>                    (log.PKI_JYTHON_INDENTATION_2,
>                     log.PKI_JYTHON_CONFIGURING_PKI_DATA,
> -                   pki_subsystem)
> -        if not pki_dry_run_flag:
> +                   master['pki_subsystem'])
> +        if not master['pki_dry_run_flag']:
>              try:
> +                sensitive = extract_sensitive_data(master['pki_deployment_cfg'])
>                  response = self.client.configure(data)
>                  javasystem.out.println(log.PKI_JYTHON_RESPONSE_STATUS +\
>                                         " " + response.getStatus())
> +                admin_cert = response.getAdminCert().getCert()
>                  javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\
> -                                       " " + response.getAdminCert().getCert())
> +                                       " " + admin_cert)
>                  certs = response.getSystemCerts()
>                  iterator = certs.iterator()
>                  while iterator.hasNext():
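Review bot: In configure_pki_data, "sensitive = extract_sensitive_data(master['pki_deployment_cfg'])" is assigned inside the try block but is not referenced in any of the lines this patch adds to the method; if nothing uses it, drop the call so the passwords are not parsed into memory without need. Folding the arguments into master also means master['pki_dry_run_flag'] and master['pki_jython_log_level'] must already be a bool and an int by the time they get here; if either is still a string, "not master['pki_dry_run_flag']" is false for the string 'False' and configuration is skipped silently, so please note where the conversion happens.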
> @@ -605,6 +607,78 @@ class rest_client:
>                                             cdata.getCert())
>                      javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\
>                                             cdata.getRequest())
> +                # Store the Administration Certificate in a file
> +                admin_cert_file = os.path.join(master['pki_client_path'],
> +                                               master['pki_client_admin_cert'])
> +                javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_SAVE +\
> +                                       " " + "'" + admin_cert_file + "'")
> +                FILE = open(admin_cert_file, "w")
> +                FILE.write(admin_cert)
> +                FILE.close()
> +                # Since Jython runs under Java, it does NOT support the
> +                # following operating system specific command:
> +                #
> +                #     os.chmod(admin_cert_file,
> +                #              config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS)
> +                #
> +                # Emulate it with a system call.
> +                command = "chmod" + " " + "660" + " " + admin_cert_file
> +                javasystem.out.println(
> +                    log.PKI_JYTHON_CHMOD +\
> +                    " " + "'" + command + "'")
> +                os.system(command)
> +                # Import the Administration Certificate
> +                # into the client NSS security database
> +                command = "certutil" + " " +\
> +                          "-A" + " " +\
> +                          "-n" + " " + "\"" +\
> +                          re.sub("'", "'", master['pki_admin_nickname']) +\
> +                          "\"" + " " +\
> +                          "-t" + " " +\
> +                          "\"" + "u,u,u" + "\"" + " " +\
> +                          "-f" + " " +\
> +                          master['pki_client_password_conf'] + " " +\
> +                          "-d" + " " +\
> +                          master['pki_client_database_path'] + " " +\
> +                          "-a" + " " +\
> +                          "-i" + " " +\
> +                          admin_cert_file
> +                javasystem.out.println(
> +                    log.PKI_JYTHON_ADMIN_CERT_IMPORT +\
> +                    " " + "'" + command + "'")
> +                os.system(command)
> +                # Export the Administration Certificate from the
> +                # client NSS security database into a PKCS #12 file
> +                command = "pk12util" + " " +\
> +                          "-o" + " " +\
> +                          master['pki_client_admin_cert_p12'] + " " +\
> +                          "-n" + " " + "\"" +\
> +                          re.sub("'", "'", master['pki_admin_nickname']) +\
> +                          "\"" + " " +\
> +                          "-d" + " " +\
> +                          master['pki_client_database_path'] + " " +\
> +                          "-k" + " " +\
> +                          master['pki_client_password_conf'] + " " +\
> +                          "-w" + " " +\
> +                          master['pki_client_pkcs12_password_conf']
> +                javasystem.out.println(
> +                    log.PKI_JYTHON_ADMIN_CERT_EXPORT +\
> +                    " " + "'" + command + "'")
> +                os.system(command)
> +                # Since Jython runs under Java, it does NOT support the
> +                # following operating system specific command:
> +                #
> +                #     os.chmod(master['pki_client_admin_cert_p12'],
> +                #         config.\
> +                #         PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
> +                #
> +                # Emulate it with a system call.
> +                command = "chmod" + " " + "664" + " " +\
> +                          master['pki_client_admin_cert_p12']
> +                javasystem.out.println(
> +                    log.PKI_JYTHON_CHMOD +\
> +                    " " + "'" + command + "'")
> +                os.system(command)
>              except Exception, e:
>                  javasystem.out.println(
>                      log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e))
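Review bot: The chmod, certutil and pk12util commands are built by string concatenation and run through os.system() with the return value discarded, so a nickname or path that contains a double quote, a dollar sign or a backquote changes the shell command, and a failed import or export goes unnoticed because only a raised exception reaches the except clause. Quote every argument for the shell and check each return value, stopping on non-zero. The call re.sub("'", "'", master['pki_admin_nickname']) replaces an apostrophe with itself, so as written it escapes nothing. Finally, "chmod 664" leaves the PKCS #12 file, which carries the admin private key, readable by every local user; 600 would match its contents.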
> diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
> index d7d50a6..58b09dc 100644
> --- a/base/deploy/src/scriptlets/pkimessages.py
> +++ b/base/deploy/src/scriptlets/pkimessages.py
> @@ -213,6 +213,8 @@ PKIHELPER_UNDEFINED_ADMIN_PASSWORD_1 =\
>      "A value for 'pki_admin_password' MUST be defined in '%s'"
>  PKIHELPER_UNDEFINED_BACKUP_PASSWORD_1 =\
>      "A value for 'pki_backup_password' MUST be defined in '%s'"
> +PKIHELPER_UNDEFINED_CLIENT_PKCS12_PASSWORD_1 =\
> +    "A value for 'pki_client_pkcs12_password' MUST be defined in '%s'"
>  PKIHELPER_UNDEFINED_DS_PASSWORD_1 =\
>      "A value for 'pki_ds_password' MUST be defined in '%s'"
>  PKIHELPER_UNDEFINED_PKCS12_PASSWORD_1 =\
> @@ -228,9 +230,15 @@ PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError:  pki_uid %s"
>  
>  # PKI Deployment Jython "Scriptlet" Messages
>  # (MUST contain NO embedded formats since Jython 2.2 does not support logging!)
> +PKI_JYTHON_ADMIN_CERT_EXPORT = "exporting Admin Certificate from "\
> +                               "NSS client security database:"
> +PKI_JYTHON_ADMIN_CERT_IMPORT = "importing Admin Certificate into "\
> +                               "NSS client security database:"
> +PKI_JYTHON_ADMIN_CERT_SAVE = "saving Admin Certificate to file:"
>  PKI_JYTHON_CDATA_TAG = "tag:"
>  PKI_JYTHON_CDATA_CERT = "cert:"
>  PKI_JYTHON_CDATA_REQUEST = "request:"
> +PKI_JYTHON_CHMOD = "performing chmod:"
>  PKI_JYTHON_CLONED_PKI_SUBSYSTEM = "Cloned"
>  PKI_JYTHON_CONFIGURING_PKI_DATA = "configuring PKI configuration data for"
>  PKI_JYTHON_CONSTRUCTING_PKI_DATA = "constructing PKI configuration data for"
> diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
> index 5abfdc0..6c4574a 100644
> --- a/base/deploy/src/scriptlets/pkiparser.py
> +++ b/base/deploy/src/scriptlets/pkiparser.py
> @@ -1352,6 +1352,12 @@ def compose_pki_master_dictionary():
>                  config.pki_master_dict['pki_subsystem_configuration_path'],
>                  "password.conf")
>          # Client NSS security database name/value pairs
> +        #
> +        #     The following variable is established via the specified PKI
> +        #     deployment configuration file and is NOT redefined below:
> +        #
> +        #         config.pki_sensitive_dict['pki_client_pkcs12_password']
> +        #
>          config.pki_master_dict['pki_client_path'] =\
>              os.path.join(
>                  "/tmp",
> @@ -1360,6 +1366,10 @@ def compose_pki_master_dictionary():
>              os.path.join(
>                  config.pki_master_dict['pki_client_path'],
>                  "password.conf")
> +        config.pki_master_dict['pki_client_pkcs12_password_conf'] =\
> +            os.path.join(
> +                config.pki_master_dict['pki_client_path'],
> +                "pkcs12_password.conf")
>          config.pki_master_dict['pki_client_database_path'] =\
>              os.path.join(
>                  config.pki_master_dict['pki_client_path'],
> @@ -1373,6 +1383,42 @@ def compose_pki_master_dictionary():
>          config.pki_master_dict['pki_client_secmod_database'] =\
>              os.path.join(config.pki_master_dict['pki_client_database_path'],
>                           "secmod.db")
> +        if config.pki_master_dict['pki_subsystem'] == "CA":
> +            config.pki_master_dict['pki_client_admin_cert'] = "ca_admin.cert"
> +            config.pki_master_dict['pki_client_admin_cert_p12'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_client_path'],
> +                    "ca_admin_cert.p12")
> +        elif config.pki_master_dict['pki_subsystem'] == "KRA":
> +            config.pki_master_dict['pki_client_admin_cert'] = "kra_admin.cert"
> +            config.pki_master_dict['pki_client_admin_cert_p12'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_client_path'],
> +                    "kra_admin_cert.p12")
> +        elif config.pki_master_dict['pki_subsystem'] == "OCSP":
> +            config.pki_master_dict['pki_client_admin_cert'] = "ocsp_admin.cert"
> +            config.pki_master_dict['pki_client_admin_cert_p12'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_client_path'],
> +                    "ocsp_admin_cert.p12")
> +        elif config.pki_master_dict['pki_subsystem'] == "RA":
> +            config.pki_master_dict['pki_client_admin_cert'] = "ra_admin.cert"
> +            config.pki_master_dict['pki_client_admin_cert_p12'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_client_path'],
> +                    "ra_admin_cert.p12")
> +        elif config.pki_master_dict['pki_subsystem'] == "TKS":
> +            config.pki_master_dict['pki_client_admin_cert'] = "tks_admin.cert"
> +            config.pki_master_dict['pki_client_admin_cert_p12'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_client_path'],
> +                    "tks_admin_cert.p12")
> +        elif config.pki_master_dict['pki_subsystem'] == "TPS":
> +            config.pki_master_dict['pki_client_admin_cert'] = "tps_admin.cert"
> +            config.pki_master_dict['pki_client_admin_cert_p12'] =\
> +                os.path.join(
> +                    config.pki_master_dict['pki_client_path'],
> +                    "tps_admin_cert.p12")
>          # Jython scriptlet name/value pairs
>          config.pki_master_dict['pki_jython_configuration_scriptlet'] =\
>              os.path.join(sys.prefix,
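Review bot: The six-way if/elif on 'pki_subsystem' has no else branch, so any other value leaves 'pki_client_admin_cert' and 'pki_client_admin_cert_p12' undefined and the problem only shows up later as a KeyError in configure_pki_data; build both names from config.pki_master_dict['pki_subsystem'].lower() and reject an unknown subsystem here. Note also that 'pki_client_admin_cert' is a bare file name while 'pki_client_admin_cert_p12' is a full path under 'pki_client_path'; making the two consistent would remove the os.path.join that pkijython.py needs for one but not the other.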
> @@ -1405,7 +1451,7 @@ def compose_pki_master_dictionary():
>          #     deployment configuration file and are NOT redefined below:
>          #
>          #         config.pki_master_dict['pki_security_domain_https_port']
> -        #         config.pki_master_dict['pki_security_domain_password']
> +        #         config.pki_sensitive_dict['pki_security_domain_password']
>          #         config.pki_master_dict['pki_security_domain_user']
>          #
>          #     The following variables are established via the specified PKI
> @@ -1474,7 +1520,7 @@ def compose_pki_master_dictionary():
>          #         config.pki_master_dict['pki_ds_bind_dn']
>          #         config.pki_master_dict['pki_ds_http_port']
>          #         config.pki_master_dict['pki_ds_https_port']
> -        #         config.pki_master_dict['pki_ds_password']
> +        #         config.pki_sensitive_dict['pki_ds_password']
>          #         config.pki_master_dict['pki_ds_remove_data']
>          #         config.pki_master_dict['pki_ds_secure_connection']
>          #
> @@ -1507,7 +1553,7 @@ def compose_pki_master_dictionary():
>          #     deployment configuration file and are NOT redefined below:
>          #
>          #        config.pki_master_dict['pki_backup_keys']
> -        #        config.pki_master_dict['pki_backup_password']
> +        #        config.pki_sensitive_dict['pki_backup_password']
>          #
>          #     The following variables are established via the specified PKI
>          #     deployment configuration file and potentially overridden below:
> @@ -1566,13 +1612,14 @@ def compose_pki_master_dictionary():
>          #         config.pki_master_dict['pki_admin_dualkey']
>          #         config.pki_master_dict['pki_admin_keysize']
>          #         config.pki_master_dict['pki_admin_name']
> -        #         config.pki_master_dict['pki_admin_password']
> +        #         config.pki_sensitive_dict['pki_admin_password']
>          #         config.pki_master_dict['pki_admin_uid']
>          #
>          #     The following variables are established via the specified PKI
>          #     deployment configuration file and potentially overridden below:
>          #
>          #         config.pki_master_dict['pki_admin_email']
> +        #         config.pki_master_dict['pki_admin_nickname']
>          #         config.pki_master_dict['pki_admin_subject_dn']
>          #
>          config.pki_master_dict['pki_admin_profile_id'] = "caAdminCert"
> @@ -1580,6 +1627,54 @@ def compose_pki_master_dictionary():
>              config.pki_master_dict['pki_admin_email'] =\
>                  config.pki_master_dict['pki_admin_name'] + "@" +\
>                  config.pki_master_dict['pki_dns_domainname']
> +        if not len(config.pki_master_dict['pki_admin_nickname']):
> +            if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
> +                if config.pki_master_dict['pki_subsystem'] == "RA":
> +                    # PKI RA
> +                    config.pki_master_dict['pki_admin_nickname'] =\
> +                        "RA Administrator's" + " " +\
> +                        config.pki_master_dict['pki_security_domain_name'] +\
> +                        " " + "ID"
> +                elif config.pki_master_dict['pki_subsystem'] == "TPS":
> +                    # PKI TPS
> +                    config.pki_master_dict['pki_admin_nickname'] =\
> +                        "TPS Administrator's" + " " +\
> +                        config.pki_master_dict['pki_security_domain_name'] +\
> +                        " " + "ID"
> +            elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
> +                if not config.str2bool(config.pki_master_dict['pki_clone']):
> +                    if config.pki_master_dict['pki_subsystem'] == "CA":
> +                        # PKI CA, Subordinate CA, or External CA
> +                        config.pki_master_dict['pki_admin_nickname'] =\
> +                            "CA Administrator of Instance" + " " +\
> +                            config.pki_master_dict['pki_instance_id'] +\
> +                            "'s" + " " +\
> +                            config.pki_master_dict['pki_security_domain_name']\
> +                            + " " + "ID"
> +                    elif config.pki_master_dict['pki_subsystem'] == "KRA":
> +                        # PKI KRA
> +                        config.pki_master_dict['pki_admin_nickname'] =\
> +                            "KRA Administrator of Instance" + " " +\
> +                            config.pki_master_dict['pki_instance_id'] +\
> +                            "'s" + " " +\
> +                            config.pki_master_dict['pki_security_domain_name']\
> +                            + " " + "ID"
> +                    elif config.pki_master_dict['pki_subsystem'] == "OCSP":
> +                        # PKI OCSP
> +                        config.pki_master_dict['pki_admin_nickname'] =\
> +                            "OCSP Administrator of Instance" + " " +\
> +                            config.pki_master_dict['pki_instance_id'] +\
> +                            "'s" + " " +\
> +                            config.pki_master_dict['pki_security_domain_name']\
> +                            + " " + "ID"
> +                    elif config.pki_master_dict['pki_subsystem'] == "TKS":
> +                        # PKI TKS
> +                        config.pki_master_dict['pki_admin_nickname'] =\
> +                            "TKS Administrator of Instance" + " " +\
> +                            config.pki_master_dict['pki_instance_id'] +\
> +                            "'s" + " " +\
> +                            config.pki_master_dict['pki_security_domain_name']\
> +                            + " " + "ID"
>          if not len(config.pki_master_dict['pki_admin_subject_dn']):
>              if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
>                  if config.pki_master_dict['pki_subsystem'] == "RA":
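Review bot: A default for 'pki_admin_nickname' is set only for RA/TPS and for non-clone Tomcat subsystems, so a cloned CA, KRA, OCSP or TKS with the value left blank keeps an empty nickname, which the "certutil -n" and "pk12util -n" calls added in pkijython.py would then receive; either give clones a default or add a comment saying why they need none. The four Tomcat branches differ only in the subsystem name, so one expression built from config.pki_master_dict['pki_subsystem'] would replace them. Because 'pki_security_domain_name' is embedded in the nickname and the nickname ends up on a shell command line, its allowed characters should be checked at this point.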
> differences between files attachment
> (0011-PKI-Deployment-Scriptlets-20120716-Errata.patch)
> >From 4170b93f15ee8a19f6cb1e054220a6448d6bccec Mon Sep 17 00:00:00 2001
> From: Matthew Harmsen <mharmsen at redhat.com>
> Date: Thu, 19 Jul 2012 01:04:54 -0700
> Subject: [PATCH] PKI Deployment Scriptlets
> 
> * In 'catalina.properties', removed commented out jars
>   for each of the subsystems in the 'common.loader'
> * In 'server.xml', removed the line containing a '1'
> * Moved all parameters from the [Mandatory] and [Optional]
>   sections of the 'pkideployment.cfg' file to other more
>   appropriate sections (e.g. - [Common], [CA], [KRA], etc.),
>   and removed these sections and all of their associated
>   logic from the 'pki-deploy' package
> * Resolved Dogtag TRAC Ticket #225
>   Dogtag 10: Move "pkispawn"/"pkidestroy" logs
> * Removed all security domain references from
>   external CA logic
> * Added new 'pki_subsystem_name' parameter to
>   'pkideployment.cfg' file, and applied logic
>   throughout 'pki-deploy'
> * Added new error message in the case of an
>   unset DNS domain name, and replaced the
>   log message with a simple print in the
>   case of a 'domainname' exception
> ---
>  base/common/shared/conf/catalina.properties        |    4 -
>  base/common/shared/conf/server.xml                 |    1 -
>  base/deploy/config/pkideployment.cfg               |   95 ++++++++++----------
>  base/deploy/src/pkidestroy                         |   26 ++----
>  base/deploy/src/pkispawn                           |   28 ++----
>  .../deploy/src/scriptlets/infrastructure_layout.py |   16 ++--
>  base/deploy/src/scriptlets/initialization.py       |    3 +-
>  base/deploy/src/scriptlets/pkiconfig.py            |    4 +-
>  base/deploy/src/scriptlets/pkijython.py            |   23 ++---
>  base/deploy/src/scriptlets/pkimessages.py          |   10 +--
>  base/deploy/src/scriptlets/pkiparser.py            |   94 ++++++++++++++++---
>  11 files changed, 161 insertions(+), 143 deletions(-)
> 
> diff --git a/base/common/shared/conf/catalina.properties b/base/common/shared/conf/catalina.properties
> index c447586..003089a 100644
> --- a/base/common/shared/conf/catalina.properties
> +++ b/base/common/shared/conf/catalina.properties
> @@ -51,10 +51,6 @@ package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache
>  #                  repositories
>  #     "foo/bar.jar": Add bar.jar as a class repository
>  common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
> -#,[PKI_INSTANCE_PATH]/webapps/ca/WEB-INF/lib/pki-ca.jar
> -#,[PKI_INSTANCE_PATH]/webapps/kra/WEB-INF/lib/pki-kra.jar
> -#,[PKI_INSTANCE_PATH]/webapps/ocsp/WEB-INF/lib/pki-ocsp.jar
> -#,[PKI_INSTANCE_PATH]/webapps/tks/WEB-INF/lib/pki-tks.jar
>  
>  #
>  # List of comma-separated paths defining the contents of the "server"
> diff --git a/base/common/shared/conf/server.xml b/base/common/shared/conf/server.xml
> index 46ee15b..3757642 100644
> --- a/base/common/shared/conf/server.xml
> +++ b/base/common/shared/conf/server.xml
> @@ -126,7 +126,6 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
>      <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
>      [PKI_SECURE_PORT_SERVER_COMMENT]
>      <!-- DO NOT REMOVE - Begin define PKI secure port
> -    1
>      NOTE: The following 'keys' (and their assigned values) are exclusive to
>            the 'tomcatjss' JSSE module:
>  
> diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
> index a4513d7..fb04c85 100644
> --- a/base/deploy/config/pkideployment.cfg
> +++ b/base/deploy/config/pkideployment.cfg
> @@ -15,85 +15,60 @@ pki_ds_password=
>  pki_pkcs12_password=
>  pki_security_domain_password=
>  ###############################################################################
> -##  'Mandatory' Data:                                                        ##
> -##                                                                           ##
> -##  Values in this section pertain to various PKI subsystems, and contain    ##
> -##  required information which MUST ALWAYS be provided by users.             ##
> -###############################################################################
> -[Mandatory]
> -###############################################################################
> -##  'Optional' Data:                                                         ##
> +##  'Common' Data:                                                           ##
>  ##                                                                           ##
> -##  Values in this section pertain to various PKI subsystems, and contain    ##
> -##  required information which MAY OPTIONALLY be provided by users.          ##
> +##  Values in this section are common to more than one PKI subsystem, and    ##
> +##  contain required information which MAY be overridden by users as         ##
> +##  necessary.                                                               ##
>  ##                                                                           ##
>  ##  NOTE:  Default values will be generated for any and all required         ##
> -##         'optional' data values which are left undefined.                  ##
> -###############################################################################
> -[Optional]
> -pki_admin_domain_name=
> -pki_admin_email=
> -pki_admin_nickname=
> -pki_admin_subject_dn=
> -pki_audit_signing_nickname=
> -pki_audit_signing_subject_dn=
> -pki_audit_signing_token=
> -pki_backup_file=
> -pki_ca_signing_nickname=
> -pki_ca_signing_subject_dn=
> -pki_ca_signing_token=
> -pki_ds_base_dn=
> -pki_ds_database=
> -pki_ds_hostname=
> -pki_ocsp_signing_nickname=
> -pki_ocsp_signing_subject_dn=
> -pki_ocsp_signing_token=
> -pki_security_domain_hostname=
> -pki_security_domain_name=
> -pki_ssl_server_nickname=
> -pki_ssl_server_subject_dn=
> -pki_ssl_server_token=
> -pki_storage_nickname=
> -pki_storage_subject_dn=
> -pki_storage_token=
> -pki_subsystem_nickname=
> -pki_subsystem_subject_dn=
> -pki_subsystem_token=
> -pki_transport_nickname=
> -pki_transport_subject_dn=
> -pki_transport_token=
> -###############################################################################
> -##  'Common' Data:                                                           ##
> -##                                                                           ##
> -##  Values in this section are common to ALL PKI subsystems, and contain     ##
> -##  required information which MAY be overridden by users as necessary.      ##
> +##         'common' data values which are left undefined.                    ##
>  ###############################################################################
>  [Common]
>  pki_admin_cert_request_type=crmf
> +pki_admin_domain_name=
>  pki_admin_dualkey=False
> +pki_admin_email=
>  pki_admin_keysize=2048
>  pki_admin_name=admin
> +pki_admin_nickname=
> +pki_admin_subject_dn=
>  pki_admin_uid=admin
>  pki_audit_group=pkiaudit
>  pki_audit_signing_key_algorithm=SHA256withRSA
>  pki_audit_signing_key_size=2048
>  pki_audit_signing_key_type=rsa
> +pki_audit_signing_nickname=
>  pki_audit_signing_signing_algorithm=SHA256withRSA
> +pki_audit_signing_subject_dn=
> +pki_audit_signing_token=
> +pki_backup_file=
>  pki_backup_keys=False
> +pki_ds_base_dn=
>  pki_ds_bind_dn=cn=Directory Manager
> +pki_ds_database=
> +pki_ds_hostname=
>  pki_ds_http_port=389
>  pki_ds_https_port=636
>  pki_ds_remove_data=True
>  pki_ds_secure_connection=False
>  pki_group=pkiuser
> +pki_security_domain_hostname=
>  pki_security_domain_https_port=8443
> +pki_security_domain_name=
>  pki_security_domain_user=admin
>  pki_ssl_server_key_algorithm=SHA256withRSA
>  pki_ssl_server_key_size=2048
>  pki_ssl_server_key_type=rsa
> +pki_ssl_server_nickname=
> +pki_ssl_server_subject_dn=
> +pki_ssl_server_token=
>  pki_subsystem_key_algorithm=SHA256withRSA
>  pki_subsystem_key_size=2048
>  pki_subsystem_key_type=rsa
> +pki_subsystem_nickname=
> +pki_subsystem_subject_dn=
> +pki_subsystem_token=
>  pki_user=pkiuser
>  ###############################################################################
>  ##  'Apache' Data:                                                           ##
> @@ -152,14 +127,21 @@ pki_tomcat_server_port=8005
>  pki_ca_signing_key_algorithm=SHA256withRSA
>  pki_ca_signing_key_size=2048
>  pki_ca_signing_key_type=rsa
> +pki_ca_signing_nickname=
>  pki_ca_signing_signing_algorithm=SHA256withRSA
> +pki_ca_signing_subject_dn=
> +pki_ca_signing_token=
>  pki_external=False
>  pki_ocsp_signing_key_algorithm=SHA256withRSA
>  pki_ocsp_signing_key_size=2048
>  pki_ocsp_signing_key_type=rsa
> +pki_ocsp_signing_nickname=
>  pki_ocsp_signing_signing_algorithm=SHA256withRSA
> +pki_ocsp_signing_subject_dn=
> +pki_ocsp_signing_token=
>  pki_subordinate=False
>  pki_subsystem=CA
> +pki_subsystem_name=
>  pki_war_name=ca.war
>  ###############################################################################
>  ##  'KRA' Data:                                                              ##
> @@ -172,12 +154,19 @@ pki_war_name=ca.war
>  pki_storage_key_algorithm=SHA256withRSA
>  pki_storage_key_size=2048
>  pki_storage_key_type=rsa
> +pki_storage_nickname=
>  pki_storage_signing_algorithm=SHA256withRSA
> +pki_storage_subject_dn=
> +pki_storage_token=
>  pki_subsystem=KRA
> +pki_subsystem_name=
>  pki_transport_key_algorithm=SHA256withRSA
>  pki_transport_key_size=2048
>  pki_transport_key_type=rsa
> +pki_transport_nickname=
>  pki_transport_signing_algorithm=SHA256withRSA
> +pki_transport_subject_dn=
> +pki_transport_token=
>  pki_war_name=kra.war
>  ###############################################################################
>  ##  'OCSP' Data:                                                             ##
> @@ -190,8 +179,13 @@ pki_war_name=kra.war
>  pki_ocsp_signing_key_algorithm=SHA256withRSA
>  pki_ocsp_signing_key_size=2048
>  pki_ocsp_signing_key_type=rsa
> +pki_ocsp_signing_nickname=
>  pki_ocsp_signing_signing_algorithm=SHA256withRSA
> +pki_ocsp_signing_subject_dn=
> +pki_ocsp_signing_token=
> +pki_subordinate=False
>  pki_subsystem=OCSP
> +pki_subsystem_name=
>  pki_war_name=ocsp.war
>  ###############################################################################
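Review bot: 'pki_subordinate=False' is added to the [OCSP] section in this hunk, but the commit message only describes moving the [Mandatory] and [Optional] parameters and adding 'pki_subsystem_name'; if the OCSP subsystem really reads this key, say so in the message, otherwise drop the line.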
>  ##  'RA' Data:                                                               ##
> @@ -201,6 +195,7 @@ pki_war_name=ocsp.war
>  ###############################################################################
>  [RA]
>  pki_subsystem=RA
> +pki_subsystem_name=
>  ###############################################################################
>  ##  'TKS' Data:                                                              ##
>  ##                                                                           ##
> @@ -210,6 +205,7 @@ pki_subsystem=RA
>  ###############################################################################
>  [TKS]
>  pki_subsystem=TKS
> +pki_subsystem_name=
>  pki_war_name=tks.war
>  ###############################################################################
>  ##  'TPS' Data:                                                              ##
> @@ -219,3 +215,4 @@ pki_war_name=tks.war
>  ###############################################################################
>  [TPS]
>  pki_subsystem=TPS
> +pki_subsystem_name=
> diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
> index 5faa97c..304b0bd 100755
> --- a/base/deploy/src/pkidestroy
> +++ b/base/deploy/src/pkidestroy
> @@ -83,9 +83,11 @@ def main(argv):
>          config.pki_dns_domainname = subprocess.check_output("domainname",
>                                                              shell=True)
>          config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n')
> +        if not len(config.pki_dns_domainname):
> +            print log.PKI_DNS_DOMAIN_NOT_SET
> +            sys.exit(1)
>      except subprocess.CalledProcessError as exc:
> -        config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
> -                             extra=config.PKI_INDENTATION_LEVEL_0)
> +        print log.PKI_SUBPROCESS_ERROR_1 % exc
>          sys.exit(1)
>  
>      # Initialize 'pretty print' for objects
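Review bot: The new "if not len(config.pki_dns_domainname)" test only rejects an empty string; on a host where no NIS domain is set, 'domainname' exits successfully and prints "(none)", which passes this check and is then used as the DNS domain name. Derive the domain from the fully qualified host name instead, or at least reject "(none)" explicitly. Both error paths now use a bare print, which goes to stdout; writing to sys.stderr keeps the message visible when output is redirected.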
> @@ -97,7 +99,7 @@ def main(argv):
>      # Enable 'pkidestroy' logging.
>      if not config.pki_dry_run_flag:
>          config.pki_log_dir = config.pki_root_prefix +\
> -                             "/var/log"
> +                             config.PKI_DEPLOYMENT_LOG_ROOT
>          config.pki_log_name = "pki" + "-" +\
>                                config.pki_subsystem.lower() +\
>                                "-" + "destroy" + "." +\
> @@ -124,14 +126,6 @@ def main(argv):
>          sys.exit(1)
>      else:
>          # NEVER print out 'sensitive' name/value pairs!!!
> -        config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
> -                             extra=config.PKI_INDENTATION_LEVEL_0)
> -        config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
> -                             extra=config.PKI_INDENTATION_LEVEL_0)
> -        config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
> -                             extra=config.PKI_INDENTATION_LEVEL_0)
> -        config.pki_log.debug(pp.pformat(config.pki_optional_dict),
> -                             extra=config.PKI_INDENTATION_LEVEL_0)
>          config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
>                               extra=config.PKI_INDENTATION_LEVEL_0)
>          config.pki_log.debug(pp.pformat(config.pki_common_dict),
> @@ -147,7 +141,7 @@ def main(argv):
>  
>      # Override PKI configuration file values with 'custom' command-line values.
>      if not config.custom_pki_admin_domain_name is None:
> -        config.pki_optional_dict['pki_admin_domain_name'] =\
> +        config.pki_common_dict['pki_admin_domain_name'] =\
>              config.custom_pki_admin_domain_name
>      if not config.custom_pki_instance_name is None:
>          config.pki_web_server_dict['pki_instance_name'] =\
> @@ -162,14 +156,6 @@ def main(argv):
>          config.pki_web_server_dict['pki_ajp_port'] =\
>              config.custom_pki_ajp_port
>      # NEVER print out 'sensitive' name/value pairs!!!
> -    config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
> -                         extra=config.PKI_INDENTATION_LEVEL_0)
> -    config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
> -                         extra=config.PKI_INDENTATION_LEVEL_0)
> -    config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
> -                         extra=config.PKI_INDENTATION_LEVEL_0)
> -    config.pki_log.debug(pp.pformat(config.pki_optional_dict),
> -                         extra=config.PKI_INDENTATION_LEVEL_0)
>      config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
>                           extra=config.PKI_INDENTATION_LEVEL_0)
>      config.pki_log.debug(pp.pformat(config.pki_common_dict),
> diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
> index 931b9ba..6f32d08 100755
> --- a/base/deploy/src/pkispawn
> +++ b/base/deploy/src/pkispawn
> @@ -83,9 +83,11 @@ def main(argv):
>          config.pki_dns_domainname = subprocess.check_output("domainname",
>                                                              shell=True)
>          config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n')
> +        if not len(config.pki_dns_domainname):
> +            print log.PKI_DNS_DOMAIN_NOT_SET
> +            sys.exit(1)
>      except subprocess.CalledProcessError as exc:
> -        config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
> -                             extra=config.PKI_INDENTATION_LEVEL_0)
> +        print log.PKI_SUBPROCESS_ERROR_1 % exc
>          sys.exit(1)
>  
>      # Generate random 'pin's for use as security database passwords
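Review bot: this domainname block, including the added empty-string check and the `print ... % exc` handler, is now duplicated line for line between pkidestroy and pkispawn. Move it into one helper under base/deploy/src/scriptlets so the follow-up fix to the domain lookup lands in a single place and the two tools cannot drift apart.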
> @@ -110,7 +112,7 @@ def main(argv):
>      if not config.pki_update_flag:
>          if not config.pki_dry_run_flag:
>              config.pki_log_dir = config.pki_root_prefix +\
> -                                 "/var/log"
> +                                 config.PKI_DEPLOYMENT_LOG_ROOT
>              config.pki_log_name = "pki" + "-" +\
>                                    config.pki_subsystem.lower() +\
>                                    "-" + "spawn" + "." +\
> @@ -126,7 +128,7 @@ def main(argv):
>      else:
>          if not config.pki_dry_run_flag:
>              config.pki_log_dir = config.pki_root_prefix +\
> -                                 "/var/log"
> +                                 config.PKI_DEPLOYMENT_LOG_ROOT
>              config.pki_log_name = "pki" + "-" +\
>                                    config.pki_subsystem.lower() +\
>                                    "-" + "respawn" + "." +\
> @@ -153,14 +155,6 @@ def main(argv):
>          sys.exit(1)
>      else:
>          # NEVER print out 'sensitive' name/value pairs!!!
> -        config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
> -                             extra=config.PKI_INDENTATION_LEVEL_0)
> -        config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
> -                             extra=config.PKI_INDENTATION_LEVEL_0)
> -        config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
> -                             extra=config.PKI_INDENTATION_LEVEL_0)
> -        config.pki_log.debug(pp.pformat(config.pki_optional_dict),
> -                             extra=config.PKI_INDENTATION_LEVEL_0)
>          config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
>                               extra=config.PKI_INDENTATION_LEVEL_0)
>          config.pki_log.debug(pp.pformat(config.pki_common_dict),
> @@ -176,7 +170,7 @@ def main(argv):
>  
>      # Override PKI configuration file values with 'custom' command-line values.
>      if not config.custom_pki_admin_domain_name is None:
> -        config.pki_optional_dict['pki_admin_domain_name'] =\
> +        config.pki_common_dict['pki_admin_domain_name'] =\
>              config.custom_pki_admin_domain_name
>      if not config.custom_pki_instance_name is None:
>          config.pki_web_server_dict['pki_instance_name'] =\
> @@ -191,14 +185,6 @@ def main(argv):
>          config.pki_web_server_dict['pki_ajp_port'] =\
>              config.custom_pki_ajp_port
>      # NEVER print out 'sensitive' name/value pairs!!!
> -    config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
> -                         extra=config.PKI_INDENTATION_LEVEL_0)
> -    config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
> -                         extra=config.PKI_INDENTATION_LEVEL_0)
> -    config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
> -                         extra=config.PKI_INDENTATION_LEVEL_0)
> -    config.pki_log.debug(pp.pformat(config.pki_optional_dict),
> -                         extra=config.PKI_INDENTATION_LEVEL_0)
>      config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
>                           extra=config.PKI_INDENTATION_LEVEL_0)
>      config.pki_log.debug(pp.pformat(config.pki_common_dict),
> diff --git a/base/deploy/src/scriptlets/infrastructure_layout.py b/base/deploy/src/scriptlets/infrastructure_layout.py
> index 4717397..d5ce233 100644
> --- a/base/deploy/src/scriptlets/infrastructure_layout.py
> +++ b/base/deploy/src/scriptlets/infrastructure_layout.py
> @@ -36,8 +36,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                              extra=config.PKI_INDENTATION_LEVEL_1)
>          # establish top-level infrastructure base
>          util.directory.create(master['pki_path'])
> -        # establish top-level infrastructure logs
> -        util.directory.create(master['pki_log_path'])
> +        # no need to establish top-level infrastructure logs
> +        # since it now stores 'pkispawn'/'pkidestroy' logs
> +        # and will already exist
> +        # util.directory.create(master['pki_log_path'])
>          # establish top-level infrastructure configuration
>          if master['pki_configuration_path'] !=\
>             config.PKI_DEPLOYMENT_CONFIGURATION_ROOT:
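Review bot: the commented-out `util.directory.create(master['pki_log_path'])` leaves dead code in place and replaces the call with an unchecked assumption that the directory "will already exist". pkispawn only assigns config.pki_log_dir when pki_dry_run_flag is false, and nothing in this patch shows that master['pki_log_path'] is that same path. Delete the line outright and either verify the directory at this point or name in the comment the step that creates it.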
> @@ -70,8 +72,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                 util.instance.pki_subsystem_instances() == 0:
>                  # remove top-level infrastructure base
>                  util.directory.delete(master['pki_path'])
> -                # remove top-level infrastructure logs
> -                util.directory.delete(master['pki_log_path'])
> +                # do NOT remove top-level infrastructure logs
> +                # since it now stores 'pkispawn'/'pkidestroy' logs
> +                # util.directory.delete(master['pki_log_path'])
>                  # remove top-level infrastructure configuration
>                  if util.directory.is_empty(master['pki_configuration_path'])\
>                     and master['pki_configuration_path'] !=\
> @@ -89,8 +92,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>                 util.instance.pki_subsystem_instances() == 1:
>                  # remove top-level infrastructure base
>                  util.directory.delete(master['pki_path'])
> -                # remove top-level infrastructure logs
> -                util.directory.delete(master['pki_log_path'])
> +                # do NOT remove top-level infrastructure logs
> +                # since it now stores 'pkispawn'/'pkidestroy' logs
> +                # util.directory.delete(master['pki_log_path'])
>                  # remove top-level infrastructure configuration
>                  if util.directory.is_empty(master['pki_configuration_path'])\
>                     and master['pki_configuration_path'] !=\
> diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py
> index 1ff8522..cc51653 100644
> --- a/base/deploy/src/scriptlets/initialization.py
> +++ b/base/deploy/src/scriptlets/initialization.py
> @@ -46,8 +46,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
>          # establish 'uid' and 'gid'
>          util.identity.set_uid(master['pki_user'])
>          util.identity.set_gid(master['pki_group'])
> -        # verify existence of MANDATORY configuration file data
> +        # verify existence of SENSITIVE configuration file data
>          util.configuration_file.verify_sensitive_data()
> +        # verify existence of MUTUALLY EXCLUSIVE configuration file data
>          util.configuration_file.verify_mutually_exclusive_data()
>          return self.rv
>  
> diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
> index 59526e6..fc8ddac 100644
> --- a/base/deploy/src/scriptlets/pkiconfig.py
> +++ b/base/deploy/src/scriptlets/pkiconfig.py
> @@ -100,9 +100,9 @@ pki_one_time_pin = None
>  
>  # PKI Deployment "Mandatory" Command-Line Variables
>  pki_subsystem = None
> +pkideployment_cfg = "/usr/share/pki/deployment/config/pkideployment.cfg"
>  
>  # PKI Deployment "Optional" Command-Line Variables
> -pkideployment_cfg = "/usr/share/pki/deployment/config/pkideployment.cfg"
>  pki_dry_run_flag = False
>  pki_root_prefix = None
>  pki_update_flag = False
> @@ -168,8 +168,6 @@ pki_console_log_level = None
>  
>  # PKI Deployment Global Dictionaries
>  pki_sensitive_dict = None
> -pki_mandatory_dict = None
> -pki_optional_dict = None
>  pki_common_dict = None
>  pki_web_server_dict = None
>  pki_subsystem_dict = None
> diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
> index 7856ba8c..b55c9ec 100644
> --- a/base/deploy/src/scriptlets/pkijython.py
> +++ b/base/deploy/src/scriptlets/pkijython.py
> @@ -299,65 +299,52 @@ class rest_client:
>              data.setPin(master['pki_one_time_pin'])
>              data.setToken(ConfigurationData.TOKEN_DEFAULT)
>              if master['pki_instance_type'] == "Tomcat":
> +                data.setSubsystemName(master['pki_subsystem_name'])
>                  if master['pki_subsystem'] == "CA":
>                      if config.str2bool(master['pki_clone']):
>                          # Cloned CA
>                          data.setHierarchy("root")
>                          data.setIsClone("true")
> -                        data.setSubsystemName("Cloned CA Subsystem")
>                      elif config.str2bool(master['pki_external']):
>                          # External CA
>                          data.setHierarchy("join")
>                          data.setIsClone("false")
> -                        data.setSubsystemName("External CA Subsystem")
>                      elif config.str2bool(master['pki_subordinate']):
>                          # Subordinate CA
>                          data.setHierarchy("join")
>                          data.setIsClone("false")
> -                        data.setSubsystemName("Subordinate CA Subsystem")
>                      else:
>                          # PKI CA
>                          data.setHierarchy("root")
>                          data.setIsClone("false")
> -                        data.setSubsystemName("PKI CA Subsystem")
>                  elif master['pki_subsystem'] == "KRA":
>                      if config.str2bool(master['pki_clone']):
>                          # Cloned KRA
>                          data.setIsClone("true")
> -                        data.setSubsystemName("Cloned KRA Subsystem")
>                      else:
>                          # PKI KRA
>                          data.setIsClone("false")
> -                        data.setSubsystemName("PKI KRA Subsystem")
>                  elif master['pki_subsystem'] == "OCSP":
>                      if config.str2bool(master['pki_clone']):
>                          # Cloned OCSP
>                          data.setIsClone("true")
> -                        data.setSubsystemName("Cloned OCSP Subsystem")
>                      else:
>                          # PKI OCSP
>                          data.setIsClone("false")
> -                        data.setSubsystemName("PKI OCSP Subsystem")
>                  elif master['pki_subsystem'] == "TKS":
>                      if config.str2bool(master['pki_clone']):
>                          # Cloned TKS
>                          data.setIsClone("true")
> -                        data.setSubsystemName("Cloned TKS Subsystem")
>                      else:
>                          # PKI TKS
>                          data.setIsClone("false")
> -                        data.setSubsystemName("PKI TKS Subsystem")
>              # Security Domain Information
> +            #
> +            # NOTE:  External CA's DO NOT require a security domain
>              if master['pki_instance_type'] == "Tomcat":
>                  if master['pki_subsystem'] == "CA":
> -                    if config.str2bool(master['pki_external']):
> -                        # External CA
> -                        data.setSecurityDomainType(
> -                            ConfigurationData.NEW_DOMAIN)
> -                        data.setSecurityDomainName(
> -                            master['pki_security_domain_name'])
> -                    elif not config.str2bool(master['pki_clone']) and\
> -                         not config.str2bool(master['pki_subordinate']):
> +                    if not config.str2bool(master['pki_clone']) and\
> +                       not config.str2bool(master['pki_subordinate']):
>                          # PKI CA
>                          data.setSecurityDomainType(
>                              ConfigurationData.NEW_DOMAIN)
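Review bot: in the Security Domain block, removing the `pki_external` test means an external CA (pki_external true, pki_clone and pki_subordinate false) now satisfies `not pki_clone and not pki_subordinate` and takes the "# PKI CA" branch, so it still gets `ConfigurationData.NEW_DOMAIN`. That contradicts the added NOTE that external CAs do not require a security domain. If no security domain is intended, add an explicit `pki_external` guard ahead of this test so the external case is skipped rather than falling through.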
> diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
> index 58b09dc..d1326ed 100644
> --- a/base/deploy/src/scriptlets/pkimessages.py
> +++ b/base/deploy/src/scriptlets/pkimessages.py
> @@ -20,14 +20,6 @@
>  #
>  
>  # PKI Deployment Engine Messages
> -PKI_DICTIONARY_MANDATORY ="\n"\
> -"=====================================================\n"\
> -"    DISPLAY CONTENTS OF PKI MANDATORY DICTIONARY\n"\
> -"====================================================="
> -PKI_DICTIONARY_OPTIONAL ="\n"\
> -"=====================================================\n"\
> -"    DISPLAY CONTENTS OF PKI OPTIONAL DICTIONARY\n"\
> -"====================================================="
>  PKI_DICTIONARY_COMMON ="\n"\
>  "=====================================================\n"\
>  "    DISPLAY CONTENTS OF PKI COMMON DICTIONARY\n"\
> @@ -80,6 +72,8 @@ PKI_DIRECTORY_ALREADY_EXISTS_NOT_A_DIRECTORY_1 = "Directory '%s' already "\
>                                                   "directory!"
>  PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1 = "Directory '%s' is either "\
>                                               "missing or is NOT a directory!"
> +PKI_DNS_DOMAIN_NOT_SET = "A valid DNS domain name MUST be established "\
> +                         "to use PKI services!"
>  PKI_FILE_ALREADY_EXISTS_1 = "File '%s' already exists!"
>  PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1 = "File '%s' already "\
>                                         "exists BUT it is NOT a "\
> diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
> index 6c4574a..e824c8a 100644
> --- a/base/deploy/src/scriptlets/pkiparser.py
> +++ b/base/deploy/src/scriptlets/pkiparser.py
> @@ -261,8 +261,6 @@ def read_pki_configuration_file():
>          parser.optionxform = str
>          parser.read(config.pkideployment_cfg)
>          config.pki_sensitive_dict = dict(parser._sections['Sensitive'])
> -        config.pki_mandatory_dict = dict(parser._sections['Mandatory'])
> -        config.pki_optional_dict = dict(parser._sections['Optional'])
>          config.pki_common_dict = dict(parser._sections['Common'])
>          if config.pki_subsystem == "CA":
>              config.pki_web_server_dict = dict(parser._sections['Tomcat'])
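Review bot: after dropping the 'Mandatory' and 'Optional' lookups, a pkideployment.cfg that still carries those sections is read without complaint and their values are silently ignored, because only the named sections are copied out of `parser._sections`. Log a warning, or fail, when either obsolete section is present so that a stale site configuration is noticed at parse time.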
> @@ -284,8 +282,6 @@ def read_pki_configuration_file():
>              config.pki_subsystem_dict = dict(parser._sections['TPS'])
>          # Insert empty record into dictionaries for "pretty print" statements
>          #     NEVER print "sensitive" key value pairs!!!
> -        config.pki_mandatory_dict[0] = None
> -        config.pki_optional_dict[0] = None
>          config.pki_common_dict[0] = None
>          config.pki_web_server_dict[0] = None
>          config.pki_subsystem_dict[0] = None
> @@ -316,8 +312,6 @@ def compose_pki_master_dictionary():
>          config.pki_master_dict['pki_deployment_cfg'] = config.pkideployment_cfg
>          # Configuration file name/value pairs
>          #     NEVER add "sensitive" key value pairs to the master dictionary!!!
> -        config.pki_master_dict.update(config.pki_mandatory_dict)
> -        config.pki_master_dict.update(config.pki_optional_dict)
>          config.pki_master_dict.update(config.pki_common_dict)
>          config.pki_master_dict.update(config.pki_web_server_dict)
>          config.pki_master_dict.update(config.pki_subsystem_dict)
> @@ -1435,6 +1429,7 @@ def compose_pki_master_dictionary():
>              config.pki_master_dict['pki_subsystem'].lower() + "/" + "pki"
>          # Jython scriptlet
>          # 'Security Domain' Configuration name/value pairs
> +        # 'Subsystem Name'  Configuration name/value pairs
>          #
>          #     Apache - [RA], [TPS]
>          #     Tomcat - [CA], [KRA], [OCSP], [TKS]
> @@ -1459,16 +1454,19 @@ def compose_pki_master_dictionary():
>          #
>          #         config.pki_master_dict['pki_security_domain_hostname']
>          #         config.pki_master_dict['pki_security_domain_name']
> +        #         config.pki_master_dict['pki_subsystem_name']
>          #
>          if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
>              if config.pki_subsystem == "CA":
>                  if config.str2bool(config.pki_master_dict['pki_external']):
>                      # External CA
> -                    config.pki_master_dict['pki_security_domain_type'] = "new"
> -                    if not len(config.pki_master_dict\
> -                               ['pki_security_domain_name']):
> -                        config.pki_master_dict['pki_security_domain_name'] =\
> -                            "External CA Security Domain"
> +                    #
> +                    # NOTE:  External CA's DO NOT require a security domain
> +                    if not len(config.pki_master_dict['pki_subsystem_name']):
> +                        config.pki_master_dict['pki_subsystem_name'] =\
> +                            "External CA" + " " +\
> +                            config.pki_master_dict['pki_hostname'] + " " +\
> +                            config.pki_master_dict['pki_https_port']
>                  elif not config.str2bool(config.pki_master_dict['pki_clone'])\
>                       and not\
>                       config.str2bool(config.pki_master_dict['pki_subordinate']):
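Review bot: in the External CA branch, 'pki_security_domain_type' is no longer assigned at all, while the other branches of this function still set it, so later readers of master['pki_security_domain_type'] must cope with the key being absent for an external CA. The new `config.pki_master_dict['pki_subsystem_name']` lookup is also indexed directly; a site cfg written before `pki_subsystem_name=` existed will raise KeyError here. Use `.get('pki_subsystem_name', '')` or validate the key up front.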
> @@ -1479,6 +1477,11 @@ def compose_pki_master_dictionary():
>                          config.pki_master_dict['pki_security_domain_name'] =\
>                              config.pki_master_dict['pki_dns_domainname'] +\
>                              " " + "Security Domain"
> +                    if not len(config.pki_master_dict['pki_subsystem_name']):
> +                        config.pki_master_dict['pki_subsystem_name'] =\
> +                            "PKI CA" + " " +\
> +                            config.pki_master_dict['pki_hostname'] + " " +\
> +                            config.pki_master_dict['pki_https_port']
>                  else:
>                      # PKI Cloned or Subordinate CA
>                      config.pki_master_dict['pki_security_domain_type'] =\
> @@ -1492,8 +1495,24 @@ def compose_pki_master_dictionary():
>                          "https" + "://" +\
>                          config.pki_master_dict['pki_security_domain_hostname']\
>                          + ":" + config.pki_security_domain_https_port
> +                    if config.str2bool(config.pki_master_dict['pki_clone']):
> +                        # Cloned CA
> +                        if not\
> +                            len(config.pki_master_dict['pki_subsystem_name']):
> +                            config.pki_master_dict['pki_subsystem_name'] =\
> +                                "Cloned CA" + " " +\
> +                                config.pki_master_dict['pki_hostname'] + " " +\
> +                                config.pki_master_dict['pki_https_port']
> +                    else:
> +                        # Subordinate CA
> +                        if not\
> +                           len(config.pki_master_dict['pki_subsystem_name']):
> +                            config.pki_master_dict['pki_subsystem_name'] =\
> +                                "Subordinate CA" + " " +\
> +                                config.pki_master_dict['pki_hostname'] + " " +\
> +                                config.pki_master_dict['pki_https_port']
>              else:
> -                # PKI KRA, OCSP, or TKS
> +                # PKI or Cloned KRA, OCSP, or TKS
>                  config.pki_master_dict['pki_security_domain_type'] = "existing"
>                  if not len(config.pki_master_dict\
>                             ['pki_security_domain_hostname']):
> @@ -1505,6 +1524,57 @@ def compose_pki_master_dictionary():
>                      config.pki_master_dict['pki_security_domain_hostname'] +\
>                      ":" +\
>                      config.pki_master_dict['pki_security_domain_https_port']
> +                if config.pki_subsystem == "KRA":
> +                    if config.str2bool(config.pki_master_dict['pki_clone']):
> +                        # Cloned KRA
> +                        if not\
> +                            len(config.pki_master_dict['pki_subsystem_name']):
> +                            config.pki_master_dict['pki_subsystem_name'] =\
> +                                "Cloned KRA" + " " +\
> +                                config.pki_master_dict['pki_hostname'] + " " +\
> +                                config.pki_master_dict['pki_https_port']
> +                    else:
> +                        # PKI KRA
> +                        if not\
> +                            len(config.pki_master_dict['pki_subsystem_name']):
> +                            config.pki_master_dict['pki_subsystem_name'] =\
> +                                "PKI KRA" + " " +\
> +                                config.pki_master_dict['pki_hostname'] + " " +\
> +                                config.pki_master_dict['pki_https_port']
> +                elif config.pki_subsystem == "OCSP":
> +                    if config.str2bool(config.pki_master_dict['pki_clone']):
> +                        # Cloned OCSP
> +                        if not\
> +                            len(config.pki_master_dict['pki_subsystem_name']):
> +                            config.pki_master_dict['pki_subsystem_name'] =\
> +                                "Cloned OCSP" + " " +\
> +                                config.pki_master_dict['pki_hostname'] + " " +\
> +                                config.pki_master_dict['pki_https_port']
> +                    else:
> +                        # PKI OCSP
> +                        if not\
> +                            len(config.pki_master_dict['pki_subsystem_name']):
> +                            config.pki_master_dict['pki_subsystem_name'] =\
> +                                "PKI OCSP" + " " +\
> +                                config.pki_master_dict['pki_hostname'] + " " +\
> +                                config.pki_master_dict['pki_https_port']
> +                elif config.pki_subsystem == "TKS":
> +                    if config.str2bool(config.pki_master_dict['pki_clone']):
> +                        # Cloned TKS
> +                        if not\
> +                            len(config.pki_master_dict['pki_subsystem_name']):
> +                            config.pki_master_dict['pki_subsystem_name'] =\
> +                                "Cloned TKS" + " " +\
> +                                config.pki_master_dict['pki_hostname'] + " " +\
> +                                config.pki_master_dict['pki_https_port']
> +                    else:
> +                        # PKI TKS
> +                        if not\
> +                            len(config.pki_master_dict['pki_subsystem_name']):
> +                            config.pki_master_dict['pki_subsystem_name'] =\
> +                                "PKI TKS" + " " +\
> +                                config.pki_master_dict['pki_hostname'] + " " +\
> +                                config.pki_master_dict['pki_https_port']
>          # Jython scriptlet
>          # 'Directory Server' Configuration name/value pairs
>          #
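Review bot: the same five-line default for 'pki_subsystem_name' now appears ten times in compose_pki_master_dictionary(), six of them in this hunk, differing only in the prefix string and with inconsistent continuation indentation after `if not\`. Replace them with one helper that takes the prefix, or a lookup keyed on subsystem and pki_clone. These defaults are also computed only inside `if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS`, yet the cfg hunks add `pki_subsystem_name=` to [RA] and [TPS] too, and nothing shown here fills those in.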