
[Pki-devel] [PATCH] Back port proxy port logic to 8.1



We need to back port the proxy port configuration to RHCS 8.1.
This addresses https://bugzilla.redhat.com/show_bug.cgi?id=988189

This is different from the original fix in that we allow the
specification of different ports for each interface.

Please review. 
Ade

Index: base/ca/shared/webapps/ca/WEB-INF/web.xml
===================================================================
--- base/ca/shared/webapps/ca/WEB-INF/web.xml	(revision 2621)
+++ base/ca/shared/webapps/ca/WEB-INF/web.xml	(working copy)
@@ -10,7 +10,13 @@
             <param-name>https_port</param-name>
             <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
         </init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
         <init-param>
+            <param-name>proxy_port</param-name>
+            <param-value>[PKI_PROXY_AGENT_SECURE_PORT]</param-value>
+        </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
+        <init-param>
             <param-name>active</param-name>
             <param-value>true</param-value>
         </init-param>
@@ -23,7 +29,13 @@
             <param-name>https_port</param-name>
             <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
         </init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
         <init-param>
+            <param-name>proxy_port</param-name>
+            <param-value>[PKI_PROXY_ADMIN_SECURE_PORT]</param-value>
+        </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
+        <init-param>
             <param-name>active</param-name>
             <param-value>true</param-value>
         </init-param>
@@ -40,7 +52,17 @@
             <param-name>https_port</param-name>
             <param-value>[PKI_EE_SECURE_PORT]</param-value>
         </init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
         <init-param>
+            <param-name>proxy_port</param-name>
+            <param-value>[PKI_PROXY_EE_SECURE_PORT]</param-value>
+        </init-param>
+        <init-param>
+            <param-name>proxy_http_port</param-name>
+            <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
+        </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
+        <init-param>
             <param-name>active</param-name>
             <param-value>true</param-value>
         </init-param>
@@ -53,7 +75,13 @@
             <param-name>https_port</param-name>
             <param-value>[PKI_EE_SECURE_CLIENT_AUTH_PORT]</param-value>
         </init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
         <init-param>
+            <param-name>proxy_port</param-name>
+            <param-value>[PKI_PROXY_EECA_SECURE_PORT]</param-value>
+        </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
+        <init-param>
             <param-name>active</param-name>
             <param-value>true</param-value>
         </init-param>
Index: base/ca/shared/conf/CS.cfg
===================================================================
--- base/ca/shared/conf/CS.cfg	(revision 2621)
+++ base/ca/shared/conf/CS.cfg	(working copy)
@@ -11,6 +11,12 @@
 pkicreate.secure_port=[PKI_SECURE_PORT]
 pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
 pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT]
+proxy.adminSecurePort=[PKI_PROXY_ADMIN_SECURE_PORT]
+proxy.agentSecurePort=[PKI_PROXY_AGENT_SECURE_PORT]
+proxy.eeSecurePort=[PKI_PROXY_EE_SECURE_PORT]
+proxy.eecaSecurePort=[PKI_PROXY_EECA_SECURE_PORT]
+proxy.unsecurePort=[PKI_PROXY_UNSECURE_PORT]
+proxy.enableAJP=false
 pkicreate.user=[PKI_USER]
 pkicreate.arg11.group=[PKI_GROUP]
 pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
Index: base/ca/shared/conf/server.xml
===================================================================
--- base/ca/shared/conf/server.xml	(revision 2621)
+++ base/ca/shared/conf/server.xml	(working copy)
@@ -227,12 +227,12 @@
 	-->
 
 
-    <!-- Define an AJP 1.3 Connector on port 8009 -->
-<!--
-    <Connector port="8009" 
-               enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
--->
+    <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+    <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
 
+
     <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
     <!-- See proxy documentation for more information about using this. -->
     <!--
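Review bot: The new AJP `<Connector>` has no `address` attribute, so once the `[PKI_OPEN_AJP_PORT_COMMENT]` / `[PKI_CLOSE_AJP_PORT_COMMENT]` slots are emptied it will presumably listen on every interface of the host. The request filters changed later in this patch accept the proxy port as valid, and over AJP the server port is a value reported by the front end, so the filters' interface check is only as strong as the restriction on who can reach this port. Consider binding the listener to the interface httpd uses, e.g. `address="[PKI_AJP_ADDRESS]"` (placeholder slot name, not defined in this patch), or requiring a firewall rule, and state the expectation in the comment above the connector. The replacement also drops `enableLookups="false"` from the old sample; if that is intentional it deserves a word in the commit message.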
Index: base/ca/shared/conf/proxy.conf
===================================================================
--- base/ca/shared/conf/proxy.conf	(revision 0)
+++ base/ca/shared/conf/proxy.conf	(revision 0)
@@ -0,0 +1,33 @@
+ProxyRequests Off
+
+# matches for ee port
+<LocationMatch "^/ca/ee/*|^/ca/renewal|^/ca/certbasedenrollment|^/ca/ocsp|^/ca/enrollment|^/ca/profileSubmit|^/ca/cgi-bin/pkiclient.exe">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient none
+    ProxyPassMatch ajp://[PKI_EE_MACHINE_NAME]:[PKI_AJP_PORT]/
+    ProxyPassReverse ajp://[PKI_EE_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
+# matches for admin port 
+<LocationMatch "^/ca/admin/*|^/ca/auths|^/ca/acl|^/ca/server|^/ca/caadmin|^/ca/caprofile|^/ca/jobsScheduler|^/ca/capublisher|^/ca/log|^/ca/ug">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient none
+    ProxyPassMatch ajp://[PKI_ADMIN_MACHINE_NAME]:[PKI_AJP_PORT]/
+    ProxyPassReverse ajp://[PKI_ADMIN_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
+# matches for agent port and eeca port
+<LocationMatch "^/ca/agent/*|^/ca/ca/getCertFromRequest|^/ca/ca/GetBySerial|^/ca/ca/connector|/ca/ca/displayCertFromRequest|^/ca/doRevoke|^/ca/
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient require
+    ProxyPassMatch ajp://[PKI_AGENT_MACHINE_NAME]:[PKI_AJP_PORT]/
+    ProxyPassReverse ajp://[PKI_AGENT_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
+# static content
+<LocationMatch "^/graphics/*">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient none
+    ProxyPassMatch ajp://[PKI_EE_MACHINE_NAME]:[PKI_AJP_PORT]/
+    ProxyPassReverse ajp://[PKI_EE_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
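Review bot: The `LocationMatch` patterns decide which paths get `NSSVerifyClient require`, but they are written like globs rather than regular expressions: `/*` means "zero or more slashes", so `^/ca/ee/*` matches every path that begins with `/ca/ee`, and short alternatives such as `^/ca/log` or `^/ca/ug` match any longer name sharing that prefix. In the agent block the `/ca/ca/displayCertFromRequest` alternative also lacks the leading `^` that the others carry. Anchoring each alternative on a path boundary, e.g. `^/ca/ee(/|$)` and `^/ca/ca/displayCertFromRequest`, would make the mapping from URL to client-authentication policy exact. The agent pattern line is truncated on this page, so the rest of it could not be checked.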
Index: base/selinux/src/pki.if
===================================================================
--- base/selinux/src/pki.if	(revision 2621)
+++ base/selinux/src/pki.if	(working copy)
@@ -39,6 +39,7 @@
 		type $1_port_t;
                 type rpm_var_lib_t;
                 type rpm_exec_t;
+                type httpd_t;
 	')
 	########################################
 	#
@@ -200,8 +201,6 @@
         
        # allow writing to the kernel keyring
        allow $1_t self:key { write read };
-
-
 ')
 
 ########################################
Index: base/selinux/src/pki.te
===================================================================
--- base/selinux/src/pki.te	(revision 2621)
+++ base/selinux/src/pki.te	(working copy)
@@ -1,4 +1,4 @@
-policy_module(pki,8.1.1)
+policy_module(pki,8.1.2)
 
 attribute pki_ca_config;
 attribute pki_ca_executable;
@@ -22,6 +22,12 @@
 corenet_tcp_connect_pki_kra_port(pki_ca_t)
 corenet_tcp_connect_pki_ocsp_port(pki_ca_t)
 
+# forward proxy
+corenet_tcp_connect_pki_ca_port(httpd_t)
+
+#reverse proxy
+corenet_tcp_connect_pki_ca_port(pki_ca_t)
+
 # for crl publishing
 allow pki_ca_t pki_ca_var_lib_t:lnk_file { rename create unlink };
 
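Review bot: `corenet_tcp_connect_pki_ca_port(httpd_t)` is granted unconditionally, so every process in the `httpd_t` domain may connect to the CA port type whether or not the instance was created with `-enable_proxy`. The kra, ocsp and tks hunks below add the same pair of rules, although the part of the patch visible here only ships a `proxy.conf` for the CA. Consider guarding these rules with a policy boolean through `tunable_policy` so the access exists only on hosts that run the proxy. The comments are also hard to follow: httpd connecting to the subsystem is the reverse-proxy path, while `corenet_tcp_connect_pki_ca_port(pki_ca_t)` lets the subsystem connect to its own port type, so a comment such as `# let the httpd front end reach the CA's AJP port` would say what each rule is for.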
@@ -43,6 +49,12 @@
 pki_ca_template(pki_kra)
 corenet_tcp_connect_pki_ca_port(pki_kra_t)
 
+# forward proxy
+corenet_tcp_connect_pki_kra_port(httpd_t)
+
+#reverse proxy
+corenet_tcp_connect_pki_kra_port(pki_kra_t)
+
 attribute pki_ocsp_config;
 attribute pki_ocsp_executable;
 attribute pki_ocsp_var_lib;
@@ -58,6 +70,12 @@
 pki_ca_template(pki_ocsp)
 corenet_tcp_connect_pki_ca_port(pki_ocsp_t)
 
+# forward proxy
+corenet_tcp_connect_pki_ocsp_port(httpd_t)
+
+#reverse proxy
+corenet_tcp_connect_pki_ocsp_port(pki_ocsp_t)
+
 attribute pki_ra_config;
 attribute pki_ra_executable;
 attribute pki_ra_var_lib;
@@ -87,6 +105,12 @@
 pki_ca_template(pki_tks)
 corenet_tcp_connect_pki_ca_port(pki_tks_t)
 
+# forward proxy
+corenet_tcp_connect_pki_tks_port(httpd_t)
+
+#reverse proxy
+corenet_tcp_connect_pki_tks_port(pki_tks_t)
+
 # needed for token enrollment, list /var/cache/tomcat5/temp
 files_list_var(pki_tks_t)
 
Index: base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
===================================================================
--- base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java	(revision 2621)
+++ base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java	(working copy)
@@ -28,6 +28,8 @@
     private static final String HTTP_ROLE = "EE";
     private static final String HTTPS_SCHEME = "https";
     private static final String HTTPS_PORT = "https_port";
+    private static final String PROXY_PORT = "proxy_port";
+    private static final String PROXY_HTTP_PORT = "proxy_http_port";
     private static final String HTTPS_ROLE = "EE";
 
     private FilterConfig config;
@@ -55,6 +57,8 @@
         String request_port = null;
         String param_http_port = null;
         String param_https_port = null;
+        String param_proxy_port = null;
+        String param_proxy_http_port = null;
         String msg = null;
         String param_active = null;
 
@@ -100,6 +104,10 @@
                 return; 
             }
 
+            param_proxy_http_port = config.getInitParameter(PROXY_HTTP_PORT);
+            param_proxy_port = config.getInitParameter(PROXY_PORT);
+            boolean bad_port = false;
+
             // If the scheme is "http", compare
             // the request and param "http" ports;
             // otherwise, if the scheme is "https", compare
@@ -107,30 +115,58 @@
             if( scheme.equals( HTTP_SCHEME ) ) {
                 if( ! param_http_port.equals( request_port ) ) {
                     String uri = ((HttpServletRequest) request).getRequestURI();
-                    msg = "Use HTTP port '" + param_http_port
-                        + "' instead of '" + request_port
-                        + "' when performing " + HTTP_ROLE + " tasks!";
-                    CMS.debug( filterName + ":  " + msg );
-                    CMS.debug( filterName + ": uri is " + uri);
-                    if ((param_active != null) &&(param_active.equals("false"))) {
-                        CMS.debug("Filter is disabled .. continuing");
+                    if (param_proxy_http_port != null) {  
+                        if (!param_proxy_http_port.equals(request_port)) {
+                            msg = "Use HTTP port '" + param_http_port
+                                + "' or proxy port '" + param_proxy_http_port
+                                + "' instead of '" + request_port
+                                + "' when performing " + HTTP_ROLE + " tasks!";
+                            bad_port = true;
+                        }
                     } else {
-                        resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
-                        return;
+                        msg = "Use HTTP port '" + param_http_port
+                            + "' instead of '" + request_port
+                            + "' when performing " + HTTP_ROLE + " tasks!";
+                        bad_port = true;
                     }
+                    if (bad_port) {
+                        CMS.debug( filterName + ":  " + msg );
+                        CMS.debug( filterName + ": uri is " + uri);
+                        if ((param_active != null) &&(param_active.equals("false"))) {
+                            CMS.debug("Filter is disabled .. continuing");
+                        } else {
+                            resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+                            return;
+                        }
+                    }
                 }
             } else if( scheme.equals( HTTPS_SCHEME ) ) {
                 if( ! param_https_port.equals( request_port ) ) {
-                    msg = "Use HTTPS port '" + param_https_port
-                        + "' instead of '" + request_port
-                        + "' when performing " + HTTPS_ROLE + " tasks!";
-                    CMS.debug( filterName + ":  " + msg );
-                    if ((param_active != null) &&(param_active.equals("false"))) {
-                        CMS.debug("Filter is disabled .. continuing");
+                    String uri = ((HttpServletRequest) request).getRequestURI();
+                    if (param_proxy_port != null) {  
+                        if (!param_proxy_port.equals(request_port)) {
+                            msg = "Use HTTPS port '" + param_https_port
+                                + "' or proxy port '" + param_proxy_port
+                                + "' instead of '" + request_port
+                                + "' when performing " + HTTPS_ROLE + " tasks!";
+                            bad_port = true;
+                        }
                     } else {
-                        resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
-                        return;
+                        msg = "Use HTTPS port '" + param_https_port
+                            + "' instead of '" + request_port
+                            + "' when performing " + HTTPS_ROLE + " tasks!";
+                        bad_port = true;
                     }
+                    if (bad_port) {
+                        CMS.debug( filterName + ":  " + msg );
+                        CMS.debug( filterName + ": uri is " + uri);
+                        if ((param_active != null) &&(param_active.equals("false"))) {
+                            CMS.debug("Filter is disabled .. continuing");
+                        } else {
+                            resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+                            return;
+                        }
+                    }
                 }
             }
         }
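Review bot: The text passed to `resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg )` now names both the native port and the proxy port, so a client that reaches the wrong interface through the proxy is told the back-end port numbers. The detail is already written with `CMS.debug`, so the response could omit it: `resp.sendError( HttpServletResponse.SC_NOT_FOUND );`. The same branch is repeated for HTTPS in this hunk and again in EEClientAuthRequestFilter and AgentRequestFilter; a shared helper taking the native port, the proxy port and the role name would keep the four copies from drifting apart. The enclosing method starts above this hunk, so how `request_port` is obtained could not be checked here.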
Index: base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
===================================================================
--- base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java	(revision 2621)
+++ base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java	(working copy)
@@ -26,6 +26,7 @@
     private static final String HTTPS_SCHEME = "https";
     private static final String HTTPS_PORT = "https_port";
     private static final String HTTPS_ROLE = "EE Client Auth";
+    private static final String PROXY_PORT = "proxy_port";
 
     private FilterConfig config;
     
@@ -51,6 +52,7 @@
 
         String request_port = null;
         String param_https_port = null;
+        String param_proxy_port = null;
         String msg = null;
         String param_active = null;
 
@@ -84,20 +86,36 @@
                 return;
             }
 
+            param_proxy_port = config.getInitParameter(PROXY_PORT);
+            boolean bad_port = false;
+
             // Compare the request and param "https" ports
             if( ! param_https_port.equals( request_port ) ) {
                 String uri = ((HttpServletRequest) request).getRequestURI();
-                msg = "Use HTTPS port '" + param_https_port
-                    + "' instead of '" + request_port
-                    + "' when performing " + HTTPS_ROLE + " tasks!";
-                CMS.debug( filterName + ":  " + msg );
-                CMS.debug( filterName + ": uri is " + msg);
-                if ((param_active != null) &&(param_active.equals("false"))) {
-                    CMS.debug("Filter is disabled .. continuing");
+                if (param_proxy_port != null) {
+                    if (!param_proxy_port.equals(request_port)) {
+                        msg = "Use HTTPS port '" + param_https_port
+                            + "' or proxy port '" + param_proxy_port
+                            + "' instead of '" + request_port
+                            + "' when performing " + HTTPS_ROLE + " tasks!";
+                        bad_port = true;
+                    }
                 } else {
-                    resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
-                    return;
+                    msg = "Use HTTPS port '" + param_https_port
+                        + "' instead of '" + request_port
+                        + "' when performing " + HTTPS_ROLE + " tasks!";
+                    bad_port = true;
                 }
+                if (bad_port) {
+                    CMS.debug( filterName + ":  " + msg );
+                    CMS.debug( filterName + ": uri is " + uri);
+                    if ((param_active != null) &&(param_active.equals("false"))) {
+                        CMS.debug("Filter is disabled .. continuing");
+                    } else {
+                        resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+                        return;
+                    }
+                }
             }
         }
        // CMS.debug("exiting the EECA filter");
Index: base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
===================================================================
--- base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java	(revision 2621)
+++ base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java	(working copy)
@@ -26,6 +26,7 @@
     private static final String HTTPS_SCHEME = "https";
     private static final String HTTPS_PORT = "https_port";
     private static final String HTTPS_ROLE = "Agent";
+    private static final String PROXY_PORT = "proxy_port";
 
     private FilterConfig config;
     
@@ -51,6 +52,7 @@
 
         String request_port = null;
         String param_https_port = null;
+        String param_proxy_port = null;
         String msg = null;
 
         String param_active = null;
@@ -85,20 +87,36 @@
                 return;
             }
 
+            param_proxy_port = config.getInitParameter(PROXY_PORT);
+            boolean bad_port = false;
+
             // Compare the request and param "https" ports
             if( ! param_https_port.equals( request_port ) ) {
                 String uri = ((HttpServletRequest) request).getRequestURI();
-                msg = "Use HTTPS port '" + param_https_port
-                    + "' instead of '" + request_port
-                    + "' when performing " + HTTPS_ROLE + " tasks!";
-                CMS.debug( filterName + ":  " + msg );
-                CMS.debug( filterName + ": uri is " + uri);
-                if ((param_active != null) &&(param_active.equals("false"))) {
-                    CMS.debug("Filter is disabled .. continuing");
+                if (param_proxy_port != null) {
+                    if (!param_proxy_port.equals(request_port)) {
+                        msg = "Use HTTPS port '" + param_https_port
+                            + "' or proxy port '" + param_proxy_port 
+                            + "' instead of '" + request_port
+                            + "' when performing " + HTTPS_ROLE + " tasks!";
+                        bad_port = true;
+                    }
                 } else {
-                    resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
-                    return;
+                    msg = "Use HTTPS port '" + param_https_port
+                        + "' instead of '" + request_port
+                        + "' when performing " + HTTPS_ROLE + " tasks!";
+                    bad_port = true;
                 }
+                if (bad_port) {
+                    CMS.debug( filterName + ":  " + msg );
+                    CMS.debug( filterName + ": uri is " + uri);
+                    if ((param_active != null) &&(param_active.equals("false"))) {
+                        CMS.debug("Filter is disabled .. continuing");
+                    } else {
+                        resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+                        return;
+                    }
+                }
             }
         }
         // CMS.debug("Exiting the Agent filter");
Index: base/common/src/com/netscape/cmscore/apps/CMSEngine.java
===================================================================
--- base/common/src/com/netscape/cmscore/apps/CMSEngine.java	(revision 2621)
+++ base/common/src/com/netscape/cmscore/apps/CMSEngine.java	(working copy)
@@ -430,6 +430,7 @@
             }
         }
         parseServerXML();
+        fixProxyPorts();
 
         String sd = mConfig.getString("securitydomain.select", "");
         if ((state == 1) && (!sd.equals("existing"))) {
@@ -457,6 +458,38 @@
         }
     }
 
+    private void fixProxyPorts() throws EBaseException {
+        try {
+            String port = mConfig.getString("proxy.eeSecurePort", "");
+            if (!port.isEmpty()) {
+                info[EE_SSL][PORT] = port;
+            }
+
+            port = mConfig.getString("proxy.adminSecurePort", "");
+            if (!port.isEmpty()) {
+                info[ADMIN][PORT] = port;
+            }
+
+            port = mConfig.getString("proxy.agentSecurePort", "");
+            if (!port.isEmpty()) {
+                info[AGENT][PORT] = port;
+            }
+
+            port = mConfig.getString("proxy.eecaSecurePort", "");
+            if (!port.isEmpty()) {
+                info[EE_CLIENT_AUTH_SSL][PORT] = port;
+            }
+
+            port = mConfig.getString("proxy.unsecurePort", "");
+            if (!port.equals("")) {
+                info[EE_NON_SSL][PORT] = port;
+            }
+        } catch (EBaseException e) {
+            CMS.debug("CMSEngine: fixProxyPorts exception: " + e.toString());
+            throw e;
+        }   
+    }
+
     public int testLDAPConnection(String name, String host, String port, String pwd, String binddn, String secure, String authType, String clientNick) {
         int p = -1;
         int ret = PW_OK;
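Review bot: `fixProxyPorts()` copies any non-empty `proxy.*` value into `info[...][PORT]` without checking that it is a port number. The CS.cfg template fills these keys from `[PKI_PROXY_*]` slots; if pkicreate writes a sentinel such as `-1`, or leaves the slot text in place, when the proxy is disabled (that code is not visible in this part of the patch), whatever reads `info` would receive that value. Parsing the string and accepting only 1 to 65535 would make the override safe. The last test uses `!port.equals("")` where the other four use `!port.isEmpty()`; pick one form, and add a comment such as `// replace the ports read from server.xml with the proxy's when proxy.* is set` to explain why this runs right after `parseServerXML()`.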
Index: base/setup/pkicreate
===================================================================
--- base/setup/pkicreate	(revision 2621)
+++ base/setup/pkicreate	(working copy)
@@ -271,6 +271,7 @@
 my $web_xml_base_name            = "web.xml";              # CA, KRA, OCSP, TKS
 my $web_xml_runtime_base_name    = "web.xml.runtime";      # CA, KRA, OCSP, TKS
 my $profile_select_base_name     = "ProfileSelect.template"; #CA
+my $proxy_conf_base_name          = "proxy.conf";            # CA
 
 # Subdirectory names
 my $initd_base_subsystem_dir        = "init.d";      # CA, KRA, OCSP, TKS, RA, TPS
@@ -357,6 +358,7 @@
 my $PKI_SECURE_PORT_SLOT      = "PKI_SECURE_PORT";
 my $PKI_EE_SECURE_PORT_SLOT   = "PKI_EE_SECURE_PORT";
 my $PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT   = "PKI_EE_SECURE_CLIENT_AUTH_PORT";
+my $PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT = "PKI_EE_SECURE_CLIENT_AUTH_PORT_UI";
 my $PKI_AGENT_SECURE_PORT_SLOT = "PKI_AGENT_SECURE_PORT";
 my $PKI_ADMIN_SECURE_PORT_SLOT = "PKI_ADMIN_SECURE_PORT";
 my $PKI_SERVER_XML_CONF       = "PKI_SERVER_XML_CONF";
@@ -380,6 +382,17 @@
 my $PKI_CLOSE_SEPARATE_PORTS_COMMENT_SERVER_SLOT = "PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT";
 my $PKI_OPEN_SEPARATE_PORTS_COMMENT_WEB_SLOT  = "PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT";
 my $PKI_CLOSE_SEPARATE_PORTS_COMMENT_WEB_SLOT = "PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT";
+my $PKI_OPEN_AJP_PORT_COMMENT_SLOT                     = "PKI_OPEN_AJP_PORT_COMMENT";
+my $PKI_CLOSE_AJP_PORT_COMMENT_SLOT                    = "PKI_CLOSE_AJP_PORT_COMMENT";
+my $PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT                 = "PKI_OPEN_ENABLE_PROXY_COMMENT";
+my $PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT                = "PKI_CLOSE_ENABLE_PROXY_COMMENT";
+my $PKI_AJP_REDIRECT_PORT_SLOT                         = "PKI_AJP_REDIRECT_PORT";
+my $PKI_AJP_PORT_SLOT                                  = "PKI_AJP_PORT";
+my $PROXY_ADMIN_SECURE_PORT_SLOT                       = "PKI_PROXY_ADMIN_SECURE_PORT";
+my $PROXY_AGENT_SECURE_PORT_SLOT                       = "PKI_PROXY_AGENT_SECURE_PORT";
+my $PROXY_EE_SECURE_PORT_SLOT                          = "PKI_PROXY_EE_SECURE_PORT";
+my $PROXY_EECA_SECURE_PORT_SLOT                        = "PKI_PROXY_EECA_SECURE_PORT";
+my $PROXY_UNSECURE_PORT_SLOT                           = "PKI_PROXY_UNSECURE_PORT";
 my $PKI_UNSECURE_PORT_NAME      = "Unsecure";
 my $PKI_AGENT_SECURE_PORT_NAME  = "Agent";
 my $PKI_ADMIN_SECURE_PORT_NAME  = "Admin";
@@ -414,6 +427,11 @@
 my $SELINUX_MODE_ENFORCING = "Enforcing";
 my $SELINUX_MODE_PERMISSIVE = "Permissive";
 
+#proxy defaults
+my $PROXY_SECURE_PORT_DEFAULT   = "443";
+my $PROXY_UNSECURE_PORT_DEFAULT = "80";
+my $AJP_PORT_DEFAULT            = "9447";
+
 # PKI banners
 $marked_header = "    <!-- ================= PKI Installation Wizard Header ================= -->";
 $marked_footer = "    <!-- ================= PKI Installation Wizard Footer ================= -->";
@@ -451,6 +469,14 @@
 my $ee_secure_port       = -1;
 my $ee_secure_client_auth_port = -1;
 my $admin_secure_port    = -1;
+my $proxy_admin_secure_port = -1;
+my $proxy_agent_secure_port = -1;
+my $proxy_ee_secure_port    = -1;
+my $proxy_eeca_secure_port  = -1;
+my $proxy_unsecure_port     = -1;
+my $ajp_port             = -1;
+my $enable_proxy         = undef;
+my $enable_ajp           = undef;
 my $agent_ip_addr        = "";
 my $ee_ip_addr           = "";
 my $ee_client_auth_ip_addr = "";
@@ -613,7 +639,9 @@
 my $webinf_lib_instance_path                  = "";  # CA, KRA, OCSP, TKS
 my $webinf_subsystem_path                     = "";  # CA, KRA, OCSP, TKS
 my $profile_select_template_subsystem_file_path = ""; #CA
-my $profile_select_template_instance_file_path = "";  #CA
+my $profile_select_template_instance_file_path  = "";  #CA
+my $proxy_conf_subsystem_file_path            = undef;  #CA
+my $proxy_conf_instance_file_path             = undef;  #CA
 
 # PKI creation variables
 my $host = "";
@@ -884,6 +912,29 @@
          . "# Unique port for each\n"
          . "                                                   "
          . "# Tomcat instance\n\n"
+         . "          #####################################################################\n"
+         . "          ###  proxy configuration                                          ###\n"
+         . "          ###  if -enable_proxy is set, ajp_port, proxy_secure_port, and    ###\n"
+         . "          ###  proxy_unsecure_port are also set.                            ###\n"
+         . "          ###                                                               ###\n"
+         . "          ###  -enable_ajp must be set to enable the AJP port               ###\n"
+         . "          #####################################################################\n\n"
+         . "          [-enable_proxy]                           #enable proxy configuration\n"
+         . "          [-enable_ajp]                             #enable AJP configuration\n"
+         . "          [-ajp_port=<ajp_port>]                    #AJP port, default 9447\n\n"
+         . "          [-proxy_admin_secure_port=<proxy_secure_port>]   # Proxy secure port,\n" 
+         . "                                                           # default 443\n\n"
+         . "          [-proxy_agent_secure_port=<proxy_secure_port>]   # Proxy secure port,\n" 
+         . "                                                           # default 443\n\n"
+         . "          [-proxy_ee_secure_port=<proxy_secure_port>]      # Proxy secure port,\n" 
+         . "                                                           # default 443\n\n"
+         . "          [-proxy_eeca_secure_port=<proxy_secure_port>]    # Proxy secure port,\n" 
+         . "                                                           # default 443\n\n"
+         . "          [-proxy_unsecure_port=<unsecure_port>]           # Proxy unsecure port,\n"
+         . "                                                           # default 80\n\n"
+         . "          #####################################################################\n"
+         . "          ###   END proxy configuration                                     ###\n"
+         . "          #####################################################################\n\n"
          . "          [-user=<username>]                       "
          . "# User ownership\n"
          . "                                                   "
@@ -1156,6 +1207,12 @@
     my $l_ee_secure_port     = -1;
     my $l_ee_secure_client_auth_port     = -1;
     my $l_admin_secure_port  = -1;
+    my $l_proxy_admin_secure_port  = -1;
+    my $l_proxy_agent_secure_port  = -1;
+    my $l_proxy_ee_secure_port  = -1;
+    my $l_proxy_eeca_secure_port  = -1;
+    my $l_proxy_unsecure_port  = -1;
+    my $l_ajp_port  = -1;
     my $l_agent_hostname     = "";
     my $l_ee_hostname        = "";
     my $l_ee_client_auth_hostname = "";
@@ -1179,6 +1236,14 @@
                           "admin_hostname=s" => \$l_admin_hostname,
                           "admin_secure_port:i" => \$l_admin_secure_port, 
                           "tomcat_server_port:i" => \$l_tomcat_server_port,
+                          "proxy_admin_secure_port:i"    => \$l_proxy_admin_secure_port,
+                          "proxy_agent_secure_port:i"    => \$l_proxy_agent_secure_port,
+                          "proxy_ee_secure_port:i"       => \$l_proxy_ee_secure_port,
+                          "proxy_eeca_secure_port:i"     => \$l_proxy_eeca_secure_port,
+                          "proxy_unsecure_port:i"  => \$l_proxy_unsecure_port,
+                          "ajp_port:i"             => \$l_ajp_port,
+                          "enable_proxy"           => \$enable_proxy,
+                          "enable_ajp"           => \$enable_ajp,
                           "user=s" => \$username,
                           "group=s" => \$groupname,
                           "audit_group=s" => \$audit_groupname,
@@ -1515,6 +1580,31 @@
         }
     }
 
+    if ($enable_proxy) {
+        $proxy_admin_secure_port = ($l_proxy_admin_secure_port >= 0) ? $l_proxy_admin_secure_port : 
+            $PROXY_SECURE_PORT_DEFAULT;
+        emit("    proxy_admin_secure_port   $proxy_admin_secure_port\n");
+
+        $proxy_agent_secure_port = ($l_proxy_agent_secure_port >= 0) ? $l_proxy_agent_secure_port : 
+            $PROXY_SECURE_PORT_DEFAULT;
+        emit("    proxy_agent_secure_port   $proxy_agent_secure_port\n");
+
+        $proxy_ee_secure_port = ($l_proxy_ee_secure_port >= 0) ? $l_proxy_ee_secure_port : 
+            $PROXY_SECURE_PORT_DEFAULT;
+        emit("    proxy_ee_secure_port   $proxy_ee_secure_port\n");
+
+        $proxy_eeca_secure_port = ($l_proxy_eeca_secure_port >= 0) ? $l_proxy_eeca_secure_port : 
+            $PROXY_SECURE_PORT_DEFAULT;
+        emit("    proxy_eeca_secure_port   $proxy_eeca_secure_port\n");
+
+        $proxy_unsecure_port = ($l_proxy_unsecure_port >= 0) ? $l_proxy_unsecure_port : 
+            $PROXY_UNSECURE_PORT_DEFAULT;
+        emit("    proxy_unsecure_port   $proxy_unsecure_port\n");
+
+        $ajp_port = ($l_ajp_port >= 0) ? $l_ajp_port : $AJP_PORT_DEFAULT;  
+        emit("    ajp_port   $ajp_port\n");
+    }
+
     if( $port_configuration_mode_errors > 0 ) {
         usage();
         emit( "Correct $port_configuration_mode_errors port configuration mode error(s)!\n", "error");
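Review bot: With `-enable_proxy` and no explicit ports, all four secure proxy ports fall back to `$PROXY_SECURE_PORT_DEFAULT` (443), so the Agent, Admin, EE and EE client-auth filters will all accept the same port and the separation between interfaces then rests on the `LocationMatch` rules in proxy.conf alone; the usage text should say so. The checks accept any value `>= 0`, including 0 and numbers above 65535; a bound such as `($l_ajp_port > 0 && $l_ajp_port <= 65535)` on each option would reject them. `$ajp_port` is assigned only inside `if ($enable_proxy)`, so `-enable_ajp` on its own appears to leave it at -1 unless code outside this hunk handles that case.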
@@ -2067,9 +2157,11 @@
         $profile_select_template_instance_file_path = $webapps_subsystem_instance_path
                                                      . "/ee/". $subsystem_type 
                                                      . "/" . $profile_select_base_name;
+    
+        $proxy_conf_subsystem_file_path = $conf_subsystem_path 
+                                          . "/" . $proxy_conf_base_name;
     }
 
-
     ## Initialize subdirectory paths (RA, TPS subsystems)
     if( $subsystem_type eq $RA  || $subsystem_type eq $TPS ) {
 
@@ -2294,6 +2386,9 @@
         $pki_cfg_instance_file_path       = $conf_instance_path
                                           . "/" . $pki_cfg_base_name;
 
+        $proxy_conf_instance_file_path    = $conf_instance_path
+                                          . "/" . $proxy_conf_base_name;
+
         if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) {
             $httpd_conf_instance_file_path = "$conf_instance_path"
                                            . "/" . $httpd_conf_base_name;
@@ -2361,7 +2456,10 @@
                                           . "/" . $pfile_base_name;
         $pki_cfg_instance_file_path       = $redirected_conf_path
                                           . "/" . $pki_cfg_base_name;
+        $proxy_conf_instance_file_path    = $redirected_conf_path
+                                          . "/" . $proxy_conf_base_name;
 
+
         # Populate optionally redirected instance directory path
         # and setup a symlink in the standard area
         if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) {
@@ -2907,7 +3005,8 @@
             $slot_hash{$PKI_SECURE_PORT_SLOT}       = $agent_secure_port;
             $slot_hash{$PKI_AGENT_SECURE_PORT_SLOT} = $agent_secure_port;
             $slot_hash{$PKI_EE_SECURE_PORT_SLOT}    = $ee_secure_port; 
-            $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT}    = $ee_secure_client_auth_port; 
+            $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT}    = $ee_secure_client_auth_port;
+            $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT}    = $secure_port;
             $slot_hash{$PKI_ADMIN_SECURE_PORT_SLOT} = $admin_secure_port;
 
             # Comment "Port Separation" appropriately
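Review bot: The added `$PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT` line takes `$secure_port`, while every neighbouring assignment uses the separated ports (`$agent_secure_port`, `$ee_secure_port`, `$ee_secure_client_auth_port`). That suggests this is the port-separation branch, where `$secure_port` may not hold a usable value. If so, the UI slot should probably be `$slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT} = $ee_secure_client_auth_port;` here, with `$secure_port` used only in the shared-port branch. The enclosing conditional starts outside the hunk, so this needs confirming against the full function.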
@@ -2960,8 +3059,43 @@
             # Comment out the "Admin/Agent/EE" Filters
             $slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_WEB_SLOT}  = $PKI_OPEN_COMMENT;
             $slot_hash{$PKI_CLOSE_SEPARATE_PORTS_COMMENT_WEB_SLOT} = $PKI_CLOSE_COMMENT;
-        } 
+        }
 
+        if ($enable_proxy) {
+            if ($use_port_separation) {
+                $slot_hash{$PKI_AJP_REDIRECT_PORT_SLOT}  = $ee_secure_port;
+            } else {
+                $slot_hash{$PKI_AJP_REDIRECT_PORT_SLOT}  = $secure_port;
+            }
+            $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT} = $proxy_eeca_secure_port;
+            $slot_hash{$PKI_AJP_PORT_SLOT}                      = $ajp_port;
+            $slot_hash{$PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT}     = "";
+            $slot_hash{$PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT}    = "";
+        } else {
+            $slot_hash{$PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT}  = $PKI_OPEN_COMMENT;
+            $slot_hash{$PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT} = $PKI_CLOSE_COMMENT;
+        }
+
+        if ($enable_ajp) {
+            $slot_hash{$PKI_OPEN_AJP_PORT_COMMENT_SLOT}         = "";
+            $slot_hash{$PKI_CLOSE_AJP_PORT_COMMENT_SLOT}        = "";
+        } else {
+            $slot_hash{$PKI_OPEN_AJP_PORT_COMMENT_SLOT}      = $PKI_OPEN_COMMENT;
+            $slot_hash{$PKI_CLOSE_AJP_PORT_COMMENT_SLOT}     = $PKI_CLOSE_COMMENT;
+        }
+
+
+        $slot_hash{$PROXY_ADMIN_SECURE_PORT_SLOT}   = ($proxy_admin_secure_port >=0) ?
+            $proxy_admin_secure_port : "";
+        $slot_hash{$PROXY_AGENT_SECURE_PORT_SLOT}   = ($proxy_agent_secure_port >=0) ?
+            $proxy_agent_secure_port : "";
+        $slot_hash{$PROXY_EE_SECURE_PORT_SLOT}   = ($proxy_ee_secure_port >=0) ?
+            $proxy_ee_secure_port : "";
+        $slot_hash{$PROXY_EECA_SECURE_PORT_SLOT}   = ($proxy_eeca_secure_port >=0) ?
+            $proxy_eeca_secure_port : "";
+        $slot_hash{$PROXY_UNSECURE_PORT_SLOT} = ($proxy_unsecure_port>=0) ?
+            $proxy_unsecure_port : "";
+
         $slot_hash{$PKI_WEBAPPS_NAME}          = $webapps_base_subsystem_dir; 
         $slot_hash{$PKI_USER_SLOT}             = $pki_user;
         $slot_hash{$TOMCAT_SERVER_PORT_SLOT}   = $tomcat_server_port;
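Review bot: `$PKI_AJP_PORT_SLOT` and `$PKI_AJP_REDIRECT_PORT_SLOT` are filled only inside `if ($enable_proxy)`, but the AJP comment slots are opened by the separate `$enable_ajp` test. With AJP enabled and the proxy disabled, the connector would be uncommented with its port placeholders unassigned. Either move the two AJP slot assignments into the `if ($enable_ajp)` branch or make that test `if ($enable_proxy && $enable_ajp)`. The later hunk that calls `add_selinux_port($setype_p, $ajp_port)` has the mirror problem: it keys on `$ajp_port != -1`, which appears to hold whenever the proxy is enabled, even if the connector stays commented out. How `$enable_ajp` is derived is not visible here, so the two flags may already be tied together.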
@@ -3041,7 +3175,11 @@
         if( ! $result ) {
             return 0;
         }
- 
+
+        # process proxy.conf file
+        return 0 if !process_file_template($proxy_conf_subsystem_file_path,
+                                           $proxy_conf_instance_file_path,
+                                           \%slot_hash);
      }
 
 
@@ -4157,6 +4295,11 @@
             }
         }
     }
+
+    if ($ajp_port != -1) {
+        &add_selinux_port($setype_p, $ajp_port);
+    }
+
 }
 
 # no args
Index: base/tks/shared/webapps/tks/WEB-INF/web.xml
===================================================================
--- base/tks/shared/webapps/tks/WEB-INF/web.xml	(revision 2621)
+++ base/tks/shared/webapps/tks/WEB-INF/web.xml	(working copy)
@@ -13,7 +13,13 @@
             <param-name>https_port</param-name>
             <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
         </init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
         <init-param>
+            <param-name>proxy_port</param-name>
+            <param-value>[PKI_PROXY_AGENT_SECURE_PORT]</param-value>
+        </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
+        <init-param>
             <param-name>active</param-name>
             <param-value>true</param-value>
         </init-param>
@@ -26,7 +32,13 @@
             <param-name>https_port</param-name>
             <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
         </init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
         <init-param>
+            <param-name>proxy_port</param-name>
+            <param-value>[PKI_PROXY_ADMIN_SECURE_PORT]</param-value>
+        </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
+        <init-param>
             <param-name>active</param-name>
             <param-value>true</param-value>
         </init-param>
@@ -43,7 +55,17 @@
             <param-name>https_port</param-name>
             <param-value>[PKI_EE_SECURE_PORT]</param-value>
         </init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
         <init-param>
+            <param-name>proxy_port</param-name>
+            <param-value>[PKI_PROXY_EE_SECURE_PORT]</param-value>
+        </init-param>
+        <init-param>
+            <param-name>proxy_http_port</param-name>
+            <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
+        </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
+        <init-param>
             <param-name>active</param-name>
             <param-value>true</param-value>
         </init-param>
Index: base/tks/shared/conf/CS.cfg
===================================================================
--- base/tks/shared/conf/CS.cfg	(revision 2621)
+++ base/tks/shared/conf/CS.cfg	(working copy)
@@ -10,6 +10,11 @@
 pkicreate.secure_port=[PKI_SECURE_PORT]
 pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
 pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT]
+proxy.adminSecurePort=[PKI_PROXY_ADMIN_SECURE_PORT]
+proxy.agentSecurePort=[PKI_PROXY_AGENT_SECURE_PORT]
+proxy.eeSecurePort=[PKI_PROXY_EE_SECURE_PORT]
+proxy.unsecurePort=[PKI_PROXY_UNSECURE_PORT]
+proxy.enableAJP=false
 pkicreate.user=[PKI_USER]
 pkicreate.group=[PKI_GROUP]
 pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
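Review bot: `proxy.enableAJP=false` is a literal, while the other four added keys are template slots, so an instance created with AJP enabled would still record `false` here. If anything reads this key to decide how requests arrive, it will disagree with the connector that pkicreate uncomments in server.xml; a slot filled from `$enable_ajp` would keep the two in step. The same literal is added in the ocsp and kra CS.cfg hunks. Also, the pkicreate hunk substitutes `""` for unset proxy ports, so with the proxy disabled these keys are written with empty values, which consumers need to tolerate.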
Index: base/tks/shared/conf/server.xml
===================================================================
--- base/tks/shared/conf/server.xml	(revision 2621)
+++ base/tks/shared/conf/server.xml	(working copy)
@@ -204,11 +204,10 @@
 	-->
 
 
-    <!-- Define an AJP 1.3 Connector on port 8009 -->
-<!--
-    <Connector port="8009" 
-               enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
--->
+    <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+    <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
 
     <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
     <!-- See proxy documentation for more information about using this. -->
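Review bot: The new AJP `<Connector>` has no `address` attribute, so once the comment slots are emptied it listens on every interface. AJP carries request attributes that Tomcat trusts as coming from the front-end web server, so for a PKI subsystem it should be reachable only from the proxy host: add `address="127.0.0.1"` (or a slot for the proxy-facing address) and restrict the port at the firewall. The rewrite also drops `enableLookups="false"` from the old commented-out connector. On Tomcat versions where lookups default to on, that reintroduces a reverse-DNS query per request, so keep the attribute unless it was removed on purpose. The ocsp and kra server.xml hunks add the identical connector.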
Index: base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
===================================================================
--- base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml	(revision 2621)
+++ base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml	(working copy)
@@ -13,7 +13,13 @@
             <param-name>https_port</param-name>
             <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
         </init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
         <init-param>
+            <param-name>proxy_port</param-name>
+            <param-value>[PKI_PROXY_AGENT_SECURE_PORT]</param-value>
+        </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
+        <init-param>
             <param-name>active</param-name>
             <param-value>true</param-value>
         </init-param>
@@ -26,7 +32,13 @@
             <param-name>https_port</param-name>
             <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
         </init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
         <init-param>
+            <param-name>proxy_port</param-name>
+            <param-value>[PKI_PROXY_ADMIN_SECURE_PORT]</param-value>
+        </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
+        <init-param>
             <param-name>active</param-name>
             <param-value>true</param-value>
         </init-param>
@@ -43,7 +55,17 @@
             <param-name>https_port</param-name>
             <param-value>[PKI_EE_SECURE_PORT]</param-value>
         </init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
         <init-param>
+            <param-name>proxy_port</param-name>
+            <param-value>[PKI_PROXY_EE_SECURE_PORT]</param-value>
+        </init-param>
+        <init-param>
+            <param-name>proxy_http_port</param-name>
+            <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
+        </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
+        <init-param>
             <param-name>active</param-name>
             <param-value>true</param-value>
         </init-param>
Index: base/ocsp/shared/conf/CS.cfg
===================================================================
--- base/ocsp/shared/conf/CS.cfg	(revision 2621)
+++ base/ocsp/shared/conf/CS.cfg	(working copy)
@@ -10,6 +10,11 @@
 pkicreate.secure_port=[PKI_SECURE_PORT]
 pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
 pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT]
+proxy.adminSecurePort=[PKI_PROXY_ADMIN_SECURE_PORT]
+proxy.agentSecurePort=[PKI_PROXY_AGENT_SECURE_PORT]
+proxy.eeSecurePort=[PKI_PROXY_EE_SECURE_PORT]
+proxy.unsecurePort=[PKI_PROXY_UNSECURE_PORT]
+proxy.enableAJP=false
 pkicreate.user=[PKI_USER]
 pkicreate.group=[PKI_GROUP]
 pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
Index: base/ocsp/shared/conf/server.xml
===================================================================
--- base/ocsp/shared/conf/server.xml	(revision 2621)
+++ base/ocsp/shared/conf/server.xml	(working copy)
@@ -204,12 +204,12 @@
 	-->
 
 
-    <!-- Define an AJP 1.3 Connector on port 8009 -->
-<!--
-    <Connector port="8009" 
-               enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
--->
+    <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+    <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
 
+
     <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
     <!-- See proxy documentation for more information about using this. -->
     <!--
Index: base/kra/shared/webapps/kra/WEB-INF/web.xml
===================================================================
--- base/kra/shared/webapps/kra/WEB-INF/web.xml	(revision 2621)
+++ base/kra/shared/webapps/kra/WEB-INF/web.xml	(working copy)
@@ -9,7 +9,13 @@
             <param-name>https_port</param-name>
             <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
         </init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
         <init-param>
+            <param-name>proxy_port</param-name>
+            <param-value>[PKI_PROXY_AGENT_SECURE_PORT]</param-value>
+        </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
+        <init-param>
             <param-name>active</param-name>
             <param-value>true</param-value>
         </init-param>
@@ -22,7 +28,13 @@
             <param-name>https_port</param-name>
             <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
         </init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
         <init-param>
+            <param-name>proxy_port</param-name>
+            <param-value>[PKI_PROXY_ADMIN_SECURE_PORT]</param-value>
+        </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
+        <init-param>
             <param-name>active</param-name>
             <param-value>true</param-value>
         </init-param>
@@ -39,7 +51,17 @@
             <param-name>https_port</param-name>
             <param-value>[PKI_EE_SECURE_PORT]</param-value>
         </init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
         <init-param>
+            <param-name>proxy_port</param-name>
+            <param-value>[PKI_PROXY_EE_SECURE_PORT]</param-value>
+        </init-param>
+        <init-param>
+            <param-name>proxy_http_port</param-name>
+            <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
+        </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
+        <init-param>
             <param-name>active</param-name>
             <param-value>true</param-value>
         </init-param>
Index: base/kra/shared/conf/CS.cfg
===================================================================
--- base/kra/shared/conf/CS.cfg	(revision 2621)
+++ base/kra/shared/conf/CS.cfg	(working copy)
@@ -10,6 +10,11 @@
 pkicreate.secure_port=[PKI_SECURE_PORT]
 pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
 pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT]
+proxy.adminSecurePort=[PKI_PROXY_ADMIN_SECURE_PORT]
+proxy.agentSecurePort=[PKI_PROXY_AGENT_SECURE_PORT]
+proxy.eeSecurePort=[PKI_PROXY_EE_SECURE_PORT]
+proxy.unsecurePort=[PKI_PROXY_UNSECURE_PORT]
+proxy.enableAJP=false
 pkicreate.user=[PKI_USER]
 pkicreate.arg11.group=[PKI_GROUP]
 pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
Index: base/kra/shared/conf/server.xml
===================================================================
--- base/kra/shared/conf/server.xml	(revision 2621)
+++ base/kra/shared/conf/server.xml	(working copy)
@@ -204,12 +204,12 @@
 	-->
 
 
-    <!-- Define an AJP 1.3 Connector on port 8009 -->
-<!--
-    <Connector port="8009" 
-               enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
--->
+    <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+    <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
 
+
     <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
     <!-- See proxy documentation for more information about using this. -->
     <!--
