
[Pki-devel] [pki-devel][PATCH] 0042-TPS-add-phone-home-URLs-to-pkidaemon-status-message.patch



 TPS add phone home URLs to pkidaemon status message.

Ticket # 1466 .

Also removed some needless copies of server.xml from the code.

Related to ticket #773 - Remove legacy configuration files . . .

Code verified in pycharm free of warnings.

Tested an upgrade, which works fine.
Also tested a fresh install to make sure the proper entries show up in server.xml.
Also tested the upgrade with a server.xml that already has the proper entries; the upgrade handles this case properly as well.
From 539e845ec75e08722bd78df7fb26bce5eafa8e36 Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne localhost localdomain>
Date: Tue, 14 Jul 2015 10:07:10 -0700
Subject: [PATCH] TPS add phone home URLs to pkidaemon status message.

Ticket # 1466 .

Also remove some needless copies of server.xml from the code.
---
 base/ca/shared/conf/server.xml                     | 277 ---------------------
 base/kra/shared/conf/server.xml                    | 265 --------------------
 base/ocsp/shared/conf/server.xml                   | 258 -------------------
 base/server/scripts/operations                     |   4 +
 base/server/tomcat7/conf/server.xml                |   2 +
 base/server/tomcat8/conf/server.xml                |   2 +
 .../10.2.6/02-AddPhoneHomeURLsToTPSsServerXML      | 112 +++++++++
 base/tks/shared/conf/server.xml                    | 258 -------------------
 base/tps/shared/conf/server.xml                    | 258 -------------------
 9 files changed, 120 insertions(+), 1316 deletions(-)
 delete mode 100644 base/ca/shared/conf/server.xml
 delete mode 100644 base/kra/shared/conf/server.xml
 delete mode 100644 base/ocsp/shared/conf/server.xml
 create mode 100755 base/server/upgrade/10.2.6/02-AddPhoneHomeURLsToTPSsServerXML
 delete mode 100644 base/tks/shared/conf/server.xml
 delete mode 100644 base/tps/shared/conf/server.xml

diff --git a/base/ca/shared/conf/server.xml b/base/ca/shared/conf/server.xml
deleted file mode 100644
index 92f8426..0000000
--- a/base/ca/shared/conf/server.xml
+++ /dev/null
@@ -1,277 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!-- BEGIN COPYRIGHT BLOCK
-     Copyright (C) 2006-2010 Red Hat, Inc.
-     All rights reserved.
-     Modifications: configuration parameters
-     END COPYRIGHT BLOCK -->
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<!-- Note:  A "Server" is not itself a "Container", so you may not
-     define subcomponents such as "Valves" at this level.
-     Documentation at /docs/config/server.html
- -->
-
-<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
-<!--
-Unsecure URL        = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Agent URL    = https://[PKI_HOSTNAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]
-Secure EE URL       = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Admin URL    = https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services
-EE Client Auth URL  = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_CLIENT_AUTH_PORT]/[PKI_SUBSYSTEM_TYPE]/eeca/[PKI_SUBSYSTEM_TYPE]
-PKI Console Command = pkiconsole https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]
-Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
--->
-<!-- DO NOT REMOVE - End PKI Status Definitions -->
-
-<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
-
-  <!--APR library loader. Documentation at /docs/apr.html -->
-  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
-  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
-  <Listener className="org.apache.catalina.core.JasperListener" />
-  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
-  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
-  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
-
-  <!-- Global JNDI resources
-       Documentation at /docs/jndi-resources-howto.html
-  -->
-  <GlobalNamingResources>
-    <!-- Editable user database that can also be used by
-         UserDatabaseRealm to authenticate users
-    -->
-    <Resource name="UserDatabase" auth="Container"
-              type="org.apache.catalina.UserDatabase"
-              description="User database that can be updated and saved"
-              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
-              pathname="conf/tomcat-users.xml" />
-  </GlobalNamingResources>
-
-  <!-- A "Service" is a collection of one or more "Connectors" that share
-       a single "Container" Note:  A "Service" is not itself a "Container", 
-       so you may not define subcomponents such as "Valves" at this level.
-       Documentation at /docs/config/service.html
-   -->
-  <Service name="Catalina">
-  
-    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
-    <!--
-    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" 
-        maxThreads="150" minSpareThreads="4"/>
-    -->
-    
-    
-    <!-- A "Connector" represents an endpoint by which requests are received
-         and responses are returned. Documentation at :
-         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
-         Java AJP  Connector: /docs/config/ajp.html
-         APR (HTTP/AJP) Connector: /docs/apr.html
-         Define a non-SSL HTTP/1.1 Connector on port 8080
-    -->
-
-    [PKI_UNSECURE_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="[PKI_SECURE_PORT]"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
-	       />
-
-    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
-    [PKI_SECURE_PORT_SERVER_COMMENT]
-    <!-- DO NOT REMOVE - Begin define PKI secure port
-	NOTE: The OCSP settings take effect globally, so it should only be set once.
-
-	  In setup where SSL clientAuth="true", OCSP can be turned on by
-	  setting enableOCSP to true like the following:
-	    enableOCSP="true"
-	  along with changes to related settings, especially:
-	    ocspResponderURL=<see example in connector definition below>
-	    ocspResponderCertNickname=<see example in connector definition below>
-	  Here are the definition to all the OCSP-related settings:
-	    enableOCSP - turns on/off the ocsp check
-	    ocspResponderURL - sets the url where the ocsp requests are sent
-	    ocspResponderCertNickname - sets the nickname of the cert that is
-		either CA's signing certificate or the OCSP server's signing
-		certificate.
-		The CA's signing certificate should already be in the db, in
-		case of the same security domain.
-		In case of an ocsp signing certificate, one must import the cert
-		into the subsystem's nss db and set trust. e.g.:
-		  certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
-	    ocspCacheSize - sets max cache entries
-	    ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
-	    ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
-	    ocspTimeout -sets OCSP timeout in seconds
-    -->
-    <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" disableUploadTimeout="true"
-	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
-	       enableOCSP="false"
-	       ocspResponderURL="http://[PKI_HOSTNAME]:9080/ca/ocsp";
-	       ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
-	       ocspCacheSize="1000"
-	       ocspMinCacheEntryDuration="60"
-	       ocspMaxCacheEntryDuration="120"
-	       ocspTimeout="10"
-	       strictCiphers="false"
-	       clientAuth="[PKI_AGENT_CLIENTAUTH]"
-	       sslOptions="[TOMCAT_SSL_OPTIONS]"
-	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
-	       ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
-	       tlsCiphers="[TOMCAT_TLS_CIPHERS]"
-	       serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
-	       passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
-	       passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
-	       certdbDir="[PKI_INSTANCE_PATH]/alias"
-	       />
-    <!-- DO NOT REMOVE - End define PKI secure port -->
-
-    [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" disableUploadTimeout="true"
-	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
-	       strictCiphers="false"
-	       clientAuth="false"
-	       sslOptions="[TOMCAT_SSL_OPTIONS]"
-	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
-	       ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
-	       tlsCiphers="[TOMCAT_TLS_CIPHERS]"
-	       serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
-	       passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
-	       passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
-	       certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-    [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
-    [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" disableUploadTimeout="true"
-	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
-	       strictCiphers="false"
-	       clientAuth="false"
-	       sslOptions="[TOMCAT_SSL_OPTIONS]"
-	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
-	       ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
-	       tlsCiphers="[TOMCAT_TLS_CIPHERS]"
-	       serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
-	       passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
-	       passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
-	       certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-    [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
-    [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_CLIENT_AUTH_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" disableUploadTimeout="true"
-	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
-	       strictCiphers="false"
-	       clientAuth="true"
-	       sslOptions="[TOMCAT_SSL_OPTIONS]"
-	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
-	       ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
-	       tlsCiphers="[TOMCAT_TLS_CIPHERS]"
-	       serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
-	       passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
-	       passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
-	       certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-    [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
-    <!-- A "Connector" using the shared thread pool-->
-    <!--
-    <Connector executor="tomcatThreadPool"
-               port="8080" protocol="HTTP/1.1" 
-               connectionTimeout="20000" 
-               redirectPort="8443" />
-    -->           
-    <!-- Define a SSL HTTP/1.1 Connector on port 8443
-         This connector uses the JSSE configuration, when using APR, the 
-         connector should be using the OpenSSL style configuration
-         described in the APR documentation -->
-    <!--
-    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
-               maxThreads="150" scheme="https" secure="true"
-               clientAuth="false" sslProtocol="TLS" />
-    -->
-
-    <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
-[PKI_OPEN_AJP_PORT_COMMENT]
-    <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" address="127.0.0.1" />
-[PKI_CLOSE_AJP_PORT_COMMENT]
-
-
-    <!-- An Engine represents the entry point (within Catalina) that processes
-         every request.  The Engine implementation for Tomcat stand alone
-         analyzes the HTTP headers included with the request, and passes them
-         on to the appropriate Host (virtual host).
-         Documentation at /docs/config/engine.html -->
-
-    <!-- You should set jvmRoute to support load-balancing via AJP ie :
-    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">         
-    --> 
-    <Engine name="Catalina" defaultHost="localhost">
-
-      <!--For clustering, please take a look at documentation at:
-          /docs/cluster-howto.html  (simple how to)
-          /docs/config/cluster.html (reference documentation) -->
-      <!--
-      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-      -->        
-
-      <!-- The request dumper valve dumps useful debugging information about
-           the request and response data received and sent by Tomcat.
-           Documentation at: /docs/config/valve.html -->
-      <!--
-      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-      -->
-
-      <!-- This Realm uses the UserDatabase configured in the global JNDI
-           resources under the key "UserDatabase".  Any edits
-           that are performed against this UserDatabase are immediately
-           available for use by the Realm.  -->
-      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-             resourceName="UserDatabase"/>
-
-      <!-- Define the default virtual host
-           Note: XML Schema validation will not work with Xerces 2.2.
-       -->
-      <Host name="localhost"  appBase="webapps"
-            unpackWARs="true" autoDeploy="false"
-            xmlValidation="false" xmlNamespaceAware="false">
-
-        <!-- SingleSignOn valve, share authentication between web applications
-             Documentation at: /docs/config/valve.html -->
-        <!--
-        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-        -->
-
-        <!-- Access log processes all example.
-             Documentation at: /docs/config/valve.html -->
-        [PKI_OPEN_TOMCAT_ACCESS_LOG_COMMENT]
-        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"  
-               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
-        [PKI_CLOSE_TOMCAT_ACCESS_LOG_COMMENT]
-
-      </Host>
-    </Engine>
-  </Service>
-</Server>
diff --git a/base/kra/shared/conf/server.xml b/base/kra/shared/conf/server.xml
deleted file mode 100644
index 0075249..0000000
--- a/base/kra/shared/conf/server.xml
+++ /dev/null
@@ -1,265 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!-- BEGIN COPYRIGHT BLOCK
-     Copyright (C) 2006-2010 Red Hat, Inc.
-     All rights reserved.
-     Modifications: configuration parameters
-     END COPYRIGHT BLOCK -->
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<!-- Note:  A "Server" is not itself a "Container", so you may not
-     define subcomponents such as "Valves" at this level.
-     Documentation at /docs/config/server.html
- -->
-
-<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
-<!--
-Unsecure URL        = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Agent URL    = https://[PKI_HOSTNAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]
-Secure EE URL       = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Admin URL    = https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services
-PKI Console Command = pkiconsole https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]
-Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
--->
-<!-- DO NOT REMOVE - End PKI Status Definitions -->
-
-<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
-
-  <!--APR library loader. Documentation at /docs/apr.html -->
-  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
-  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
-  <Listener className="org.apache.catalina.core.JasperListener" />
-  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
-  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
-  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
-
-  <!-- Global JNDI resources
-       Documentation at /docs/jndi-resources-howto.html
-  -->
-  <GlobalNamingResources>
-    <!-- Editable user database that can also be used by
-         UserDatabaseRealm to authenticate users
-    -->
-    <Resource name="UserDatabase" auth="Container"
-              type="org.apache.catalina.UserDatabase"
-              description="User database that can be updated and saved"
-              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
-              pathname="conf/tomcat-users.xml" />
-  </GlobalNamingResources>
-
-  <!-- A "Service" is a collection of one or more "Connectors" that share
-       a single "Container" Note:  A "Service" is not itself a "Container", 
-       so you may not define subcomponents such as "Valves" at this level.
-       Documentation at /docs/config/service.html
-   -->
-  <Service name="Catalina">
-  
-    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
-    <!--
-    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" 
-        maxThreads="150" minSpareThreads="4"/>
-    -->
-    
-    
-    <!-- A "Connector" represents an endpoint by which requests are received
-         and responses are returned. Documentation at :
-         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
-         Java AJP  Connector: /docs/config/ajp.html
-         APR (HTTP/AJP) Connector: /docs/apr.html
-         Define a non-SSL HTTP/1.1 Connector on port 8080
-    -->
-
-    [PKI_UNSECURE_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443" 
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
-	       />
-
-    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
-    [PKI_SECURE_PORT_SERVER_COMMENT]
-    <!-- DO NOT REMOVE - Begin define PKI secure port
-	NOTE: The OCSP settings take effect globally, so it should only be set once.
-
-	  In setup where SSL clientAuth="true", OCSP can be turned on by
-	  setting enableOCSP to true like the following:
-	    enableOCSP="true"
-	  along with changes to related settings, especially:
-	    ocspResponderURL=<see example in connector definition below>
-	    ocspResponderCertNickname=<see example in connector definition below>
-	  Here are the definition to all the OCSP-related settings:
-	    enableOCSP - turns on/off the ocsp check
-	    ocspResponderURL - sets the url where the ocsp requests are sent
-	    ocspResponderCertNickname - sets the nickname of the cert that is
-		either CA's signing certificate or the OCSP server's signing
-		certificate.
-		The CA's signing certificate should already be in the db, in
-		case of the same security domain.
-		In case of an ocsp signing certificate, one must import the cert
-		into the subsystem's nss db and set trust. e.g.:
-		  certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
-	    ocspCacheSize - sets max cache entries
-	    ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
-	    ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
-	    ocspTimeout -sets OCSP timeout in seconds
-    -->
-    <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" disableUploadTimeout="true"
-	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
-	       enableOCSP="false"
-	       ocspResponderURL="http://[PKI_HOSTNAME]:9080/ca/ocsp";
-	       ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
-	       ocspCacheSize="1000"
-	       ocspMinCacheEntryDuration="60"
-	       ocspMaxCacheEntryDuration="120"
-	       ocspTimeout="10"
-           strictCiphers="false"
-	       clientAuth="[PKI_AGENT_CLIENTAUTH]"
-	       sslOptions="[TOMCAT_SSL_OPTIONS]"
-	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
-	       ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
-	       tlsCiphers="[TOMCAT_TLS_CIPHERS]"
-	       serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
-	       passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
-	       passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
-	       certdbDir="[PKI_INSTANCE_PATH]/alias"
-	       />
-    <!-- DO NOT REMOVE - End define PKI secure port -->
-
-    [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" disableUploadTimeout="true"
-	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
-           strictCiphers="false"
-	       clientAuth="false"
-	       sslOptions="[TOMCAT_SSL_OPTIONS]"
-	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
-	       ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
-	       tlsCiphers="[TOMCAT_TLS_CIPHERS]"
-	       serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
-	       passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
-	       passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
-	       certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-    [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
-    [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" disableUploadTimeout="true"
-	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
-           strictCiphers="false"
-	       clientAuth="false"
-	       sslOptions="[TOMCAT_SSL_OPTIONS]"
-	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
-	       ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
-	       tlsCiphers="[TOMCAT_TLS_CIPHERS]"
-	       serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
-	       passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
-	       passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
-	       certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-    [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
-    <!-- A "Connector" using the shared thread pool-->
-    <!--
-    <Connector executor="tomcatThreadPool"
-               port="8080" protocol="HTTP/1.1" 
-               connectionTimeout="20000" 
-               redirectPort="8443" />
-    -->           
-    <!-- Define a SSL HTTP/1.1 Connector on port 8443
-         This connector uses the JSSE configuration, when using APR, the 
-         connector should be using the OpenSSL style configuration
-         described in the APR documentation -->
-    <!--
-    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
-               maxThreads="150" scheme="https" secure="true"
-               clientAuth="false" sslProtocol="TLS" />
-    -->
-
-    <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
-[PKI_OPEN_AJP_PORT_COMMENT]
-    <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" address="127.0.0.1" />
-[PKI_CLOSE_AJP_PORT_COMMENT]
-
-
-    <!-- An Engine represents the entry point (within Catalina) that processes
-         every request.  The Engine implementation for Tomcat stand alone
-         analyzes the HTTP headers included with the request, and passes them
-         on to the appropriate Host (virtual host).
-         Documentation at /docs/config/engine.html -->
-
-    <!-- You should set jvmRoute to support load-balancing via AJP ie :
-    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">         
-    --> 
-    <Engine name="Catalina" defaultHost="localhost">
-
-      <!--For clustering, please take a look at documentation at:
-          /docs/cluster-howto.html  (simple how to)
-          /docs/config/cluster.html (reference documentation) -->
-      <!--
-      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-      -->        
-
-      <!-- The request dumper valve dumps useful debugging information about
-           the request and response data received and sent by Tomcat.
-           Documentation at: /docs/config/valve.html -->
-      <!--
-      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-      -->
-
-      <!-- This Realm uses the UserDatabase configured in the global JNDI
-           resources under the key "UserDatabase".  Any edits
-           that are performed against this UserDatabase are immediately
-           available for use by the Realm.  -->
-
-      <!--
-      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-             resourceName="UserDatabase"/>
-      -->
-
-      <!-- 
-      <Realm className="com.netscape.cmscore.realm.PKIRealm" />
-       -->
-
-      <!-- Define the default virtual host
-           Note: XML Schema validation will not work with Xerces 2.2.
-       -->
-      <Host name="localhost"  appBase="webapps"
-            unpackWARs="true" autoDeploy="false"
-            xmlValidation="false" xmlNamespaceAware="false">
-
-        <!-- SingleSignOn valve, share authentication between web applications
-             Documentation at: /docs/config/valve.html -->
-        <!--
-        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-        -->
-
-        <!-- Access log processes all example.
-             Documentation at: /docs/config/valve.html -->
-        [PKI_OPEN_TOMCAT_ACCESS_LOG_COMMENT]
-        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"  
-               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
-        [PKI_CLOSE_TOMCAT_ACCESS_LOG_COMMENT]
-
-      </Host>
-    </Engine>
-  </Service>
-</Server>
diff --git a/base/ocsp/shared/conf/server.xml b/base/ocsp/shared/conf/server.xml
deleted file mode 100644
index 744b57d..0000000
--- a/base/ocsp/shared/conf/server.xml
+++ /dev/null
@@ -1,258 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!-- BEGIN COPYRIGHT BLOCK
-     Copyright (C) 2006-2010 Red Hat, Inc.
-     All rights reserved.
-     Modifications: configuration parameters
-     END COPYRIGHT BLOCK -->
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<!-- Note:  A "Server" is not itself a "Container", so you may not
-     define subcomponents such as "Valves" at this level.
-     Documentation at /docs/config/server.html
- -->
-
-<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
-<!--
-Unsecure URL        = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Agent URL    = https://[PKI_HOSTNAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]
-Secure EE URL       = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Admin URL    = https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services
-PKI Console Command = pkiconsole https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]
-Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
--->
-<!-- DO NOT REMOVE - End PKI Status Definitions -->
-
-<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
-
-  <!--APR library loader. Documentation at /docs/apr.html -->
-  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
-  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
-  <Listener className="org.apache.catalina.core.JasperListener" />
-  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
-  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
-  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
-
-  <!-- Global JNDI resources
-       Documentation at /docs/jndi-resources-howto.html
-  -->
-  <GlobalNamingResources>
-    <!-- Editable user database that can also be used by
-         UserDatabaseRealm to authenticate users
-    -->
-    <Resource name="UserDatabase" auth="Container"
-              type="org.apache.catalina.UserDatabase"
-              description="User database that can be updated and saved"
-              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
-              pathname="conf/tomcat-users.xml" />
-  </GlobalNamingResources>
-
-  <!-- A "Service" is a collection of one or more "Connectors" that share
-       a single "Container" Note:  A "Service" is not itself a "Container", 
-       so you may not define subcomponents such as "Valves" at this level.
-       Documentation at /docs/config/service.html
-   -->
-  <Service name="Catalina">
-  
-    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
-    <!--
-    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" 
-        maxThreads="150" minSpareThreads="4"/>
-    -->
-    
-    
-    <!-- A "Connector" represents an endpoint by which requests are received
-         and responses are returned. Documentation at :
-         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
-         Java AJP  Connector: /docs/config/ajp.html
-         APR (HTTP/AJP) Connector: /docs/apr.html
-         Define a non-SSL HTTP/1.1 Connector on port 8080
-    -->
-
-    [PKI_UNSECURE_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443" 
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
-	       />
-
-    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
-    [PKI_SECURE_PORT_SERVER_COMMENT]
-    <!-- DO NOT REMOVE - Begin define PKI secure port
-	NOTE: The OCSP settings take effect globally, so it should only be set once.
-
-	  In setup where SSL clientAuth="true", OCSP can be turned on by
-	  setting enableOCSP to true like the following:
-	    enableOCSP="true"
-	  along with changes to related settings, especially:
-	    ocspResponderURL=<see example in connector definition below>
-	    ocspResponderCertNickname=<see example in connector definition below>
-	  Here are the definition to all the OCSP-related settings:
-	    enableOCSP - turns on/off the ocsp check
-	    ocspResponderURL - sets the url where the ocsp requests are sent
-	    ocspResponderCertNickname - sets the nickname of the cert that is
-		either CA's signing certificate or the OCSP server's signing
-		certificate.
-		The CA's signing certificate should already be in the db, in
-		case of the same security domain.
-		In case of an ocsp signing certificate, one must import the cert
-		into the subsystem's nss db and set trust. e.g.:
-		  certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
-	    ocspCacheSize - sets max cache entries
-	    ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
-	    ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
-	    ocspTimeout -sets OCSP timeout in seconds
-    -->
-    <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" disableUploadTimeout="true"
-	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
-	       enableOCSP="false"
-	       ocspResponderURL="http://[PKI_HOSTNAME]:9080/ca/ocsp";
-	       ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
-	       ocspCacheSize="1000"
-	       ocspMinCacheEntryDuration="60"
-	       ocspMaxCacheEntryDuration="120"
-	       ocspTimeout="10"
-           strictCiphers="false"
-	       clientAuth="[PKI_AGENT_CLIENTAUTH]"
-	       sslOptions="[TOMCAT_SSL_OPTIONS]"
-	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
-	       ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
-	       tlsCiphers="[TOMCAT_TLS_CIPHERS]"
-	       serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
-	       passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
-	       passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
-	       certdbDir="[PKI_INSTANCE_PATH]/alias"
-	       />
-    <!-- DO NOT REMOVE - End define PKI secure port -->
-
-    [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" disableUploadTimeout="true"
-	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
-           strictCiphers="false"
-	       clientAuth="false"
-	       sslOptions="[TOMCAT_SSL_OPTIONS]"
-	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
-	       ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
-	       tlsCiphers="[TOMCAT_TLS_CIPHERS]"
-	       serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
-	       passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
-	       passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
-	       certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-    [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
-    [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" disableUploadTimeout="true"
-	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
-           strictCiphers="false"
-	       clientAuth="false"
-	       sslOptions="[TOMCAT_SSL_OPTIONS]"
-	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
-	       ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
-	       tlsCiphers="[TOMCAT_TLS_CIPHERS]"
-	       serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
-	       passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
-	       passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
-	       certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-    [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
-    <!-- A "Connector" using the shared thread pool-->
-    <!--
-    <Connector executor="tomcatThreadPool"
-               port="8080" protocol="HTTP/1.1" 
-               connectionTimeout="20000" 
-               redirectPort="8443" />
-    -->           
-    <!-- Define a SSL HTTP/1.1 Connector on port 8443
-         This connector uses the JSSE configuration, when using APR, the 
-         connector should be using the OpenSSL style configuration
-         described in the APR documentation -->
-    <!--
-    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
-               maxThreads="150" scheme="https" secure="true"
-               clientAuth="false" sslProtocol="TLS" />
-    -->
-
-    <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
-[PKI_OPEN_AJP_PORT_COMMENT]
-    <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" address="127.0.0.1" />
-[PKI_CLOSE_AJP_PORT_COMMENT]
-
-
-    <!-- An Engine represents the entry point (within Catalina) that processes
-         every request.  The Engine implementation for Tomcat stand alone
-         analyzes the HTTP headers included with the request, and passes them
-         on to the appropriate Host (virtual host).
-         Documentation at /docs/config/engine.html -->
-
-    <!-- You should set jvmRoute to support load-balancing via AJP ie :
-    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">         
-    --> 
-    <Engine name="Catalina" defaultHost="localhost">
-
-      <!--For clustering, please take a look at documentation at:
-          /docs/cluster-howto.html  (simple how to)
-          /docs/config/cluster.html (reference documentation) -->
-      <!--
-      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-      -->        
-
-      <!-- The request dumper valve dumps useful debugging information about
-           the request and response data received and sent by Tomcat.
-           Documentation at: /docs/config/valve.html -->
-      <!--
-      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-      -->
-
-      <!-- This Realm uses the UserDatabase configured in the global JNDI
-           resources under the key "UserDatabase".  Any edits
-           that are performed against this UserDatabase are immediately
-           available for use by the Realm.  -->
-      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-             resourceName="UserDatabase"/>
-
-      <!-- Define the default virtual host
-           Note: XML Schema validation will not work with Xerces 2.2.
-       -->
-      <Host name="localhost"  appBase="webapps"
-            unpackWARs="true" autoDeploy="false"
-            xmlValidation="false" xmlNamespaceAware="false">
-
-        <!-- SingleSignOn valve, share authentication between web applications
-             Documentation at: /docs/config/valve.html -->
-        <!--
-        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-        -->
-
-        <!-- Access log processes all example.
-             Documentation at: /docs/config/valve.html -->
-        [PKI_OPEN_TOMCAT_ACCESS_LOG_COMMENT]
-        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"  
-               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
-        [PKI_CLOSE_TOMCAT_ACCESS_LOG_COMMENT]
-
-      </Host>
-    </Engine>
-  </Service>
-</Server>
diff --git a/base/server/scripts/operations b/base/server/scripts/operations
index 8fa58e1..ede5f82 100644
--- a/base/server/scripts/operations
+++ b/base/server/scripts/operations
@@ -488,6 +488,8 @@ get_pki_status_definitions_tomcat()
     secure_admin_url_statement="Secure Admin URL"
     pki_console_command_statement="PKI Console Command"
     tomcat_port_statement="Tomcat Port"
+    unsecure_phone_home_statement="Unsecure PHONE HOME"
+    secure_phone_home_statement="Secure PHONE HOME"
 
     # initialize looping variables
     pki_status_comment_found=0
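Review bot: The new labels `Unsecure PHONE HOME` and `Secure PHONE HOME` are compared by exact string match in the second hunk (`[ "$head" == "$unsecure_phone_home_statement" ]`), and the same literals are repeated in the tomcat7 and tomcat8 `conf/server.xml` status blocks and in the 10.2.6 upgrade scriptlet, but nothing here records that they must stay identical. A one-line comment above the two assignments would document the coupling: `# Labels must match the TPS status block in conf/server.xml exactly (also written by upgrade/10.2.6/02-AddPhoneHomeURLsToTPSsServerXML)`. Each matched line also runs `total_ports=`expr ${total_ports} + 1``, so the two phone-home entries are counted even though they reuse the ports of the existing URLs; how that counter is used is not visible in these hunks. `get_pki_status_definitions_tomcat` starts and ends outside both hunks.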
@@ -615,6 +617,8 @@ get_pki_status_definitions_tomcat()
                     [ "$head" == "$secure_admin_url_statement"  ]          ||
                     [ "$head" == "$secure_ee_client_auth_url_statement" ]  ||
                     [ "$head" == "$pki_console_command_statement"  ]       ||
+                    [ "$head" == "$unsecure_phone_home_statement"  ]       ||
+                    [ "$head" == "$secure_phone_home_statement"    ]       ||
                     [ "$head" == "$tomcat_port_statement"       ] ; then
                      echo "    $line"
                      total_ports=`expr ${total_ports} + 1`
diff --git a/base/server/tomcat7/conf/server.xml b/base/server/tomcat7/conf/server.xml
index c52bd5b..81a8016 100644
--- a/base/server/tomcat7/conf/server.xml
+++ b/base/server/tomcat7/conf/server.xml
@@ -64,6 +64,8 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
 <!--
 Unsecure URL        = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps
 Secure URL          = https://[PKI_HOSTNAME]:[PKI_SECURE_PORT]/tps
+Unsecure PHONE HOME = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
+Secure PHONE HOME   = https://[PKI_HOSTNAME]:[PKI_SECURE_PORT]/tps/phoneHome
 Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
 -->
 <!-- DO NOT REMOVE - End PKI Status Definitions -->
diff --git a/base/server/tomcat8/conf/server.xml b/base/server/tomcat8/conf/server.xml
index a794760..c482fc1 100644
--- a/base/server/tomcat8/conf/server.xml
+++ b/base/server/tomcat8/conf/server.xml
@@ -64,6 +64,8 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
 <!--
 Unsecure URL        = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps
 Secure URL          = https://[PKI_HOSTNAME]:[PKI_SECURE_PORT]/tps
+Unsecure PHONE HOME = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
+Secure PHONE HOME   = https://[PKI_HOSTNAME]:[PKI_SECURE_PORT]/tps/phoneHome
 Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
 -->
 <!-- DO NOT REMOVE - End PKI Status Definitions -->
diff --git a/base/server/upgrade/10.2.6/02-AddPhoneHomeURLsToTPSsServerXML b/base/server/upgrade/10.2.6/02-AddPhoneHomeURLsToTPSsServerXML
new file mode 100755
index 0000000..1cf7413
--- /dev/null
+++ b/base/server/upgrade/10.2.6/02-AddPhoneHomeURLsToTPSsServerXML
@@ -0,0 +1,112 @@
+#!/usr/bin/python
+# Authors:
+# Jack Magne <jmagne redhat com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2015 Red Hat, Inc.
+# All rights reserved.
+#
+
+import os
+
+import pki.server.upgrade
+
+
+class AddPhoneHomeURLsToTPSsServerXML(
+    pki.server.upgrade.PKIServerUpgradeScriptlet):
+    def __init__(self):
+        super(AddPhoneHomeURLsToTPSsServerXML, self).__init__()
+        self.message = 'Add Phone Home URLs to TPS section of server.xml.'
+
+    def upgrade_instance(self, instance):
+        server_xml = os.path.join(instance.conf_dir, 'server.xml')
+        # Backup
+        self.backup(server_xml)
+
+        # Simply read in the document by lines
+
+        with open(server_xml) as f:
+            content = f.readlines()
+            f.close()
+
+        tps_statuses_pattern = "<!-- TPS Status Definitions -->"
+        tps_end_statuses_pattern = "-->"
+        tps_unsecure_phone_home_pattern = "Unsecure PHONE HOME"
+        tps_secure_phone_home_pattern = "Secure PHONE HOME"
+        tps_secure_url_pattern = "Secure URL"
+        tps_unsecure_url_pattern = "Unsecure URL"
+        tps_phone_home_path = "phoneHome"
+
+        tps_secure_url = None
+        tps_unsecure_url = None
+
+        found_tps_statuses = -1
+        # loop through file, looking for TPS settings
+
+        rewrite_server_xml = False
+        final_content = []
+        for index, line in enumerate(content):
+
+            if found_tps_statuses == -1:
+                found_tps_statuses = line.find(tps_statuses_pattern)
+            else:
+                if line.find(tps_unsecure_phone_home_pattern) != -1:
+                    # already upgraded, abort
+                    break
+                if line.find(tps_secure_phone_home_pattern) != -1:
+                    # already upgraded, abort
+                    break
+
+                if line.find(tps_unsecure_url_pattern) != -1:
+                    splits = line.split("=")
+                    if len(splits) == 2:
+                        tps_unsecure_url = splits[1].strip()
+
+                if line.find(tps_secure_url_pattern) != -1:
+                    splits = line.split("=")
+                    if len(splits) == 2:
+                        tps_secure_url = splits[1].strip()
+
+                if line.find(tps_end_statuses_pattern) != -1:
+                    if tps_unsecure_url and tps_secure_url:
+                        # Create the added lines we need
+                        # Phone home url is simply a super set of the base url
+                        unsec_phone_home_url = tps_unsecure_phone_home_pattern + \
+                            ' = ' + tps_unsecure_url + \
+                            '/' + tps_phone_home_path + '\n'
+                        sec_phone_home_url = tps_secure_phone_home_pattern + \
+                            '   = ' + tps_secure_url + \
+                            '/' + tps_phone_home_path + '\n'
+                        # Spot to add the URLs
+                        final_content.append(unsec_phone_home_url)
+                        final_content.append(sec_phone_home_url)
+                        # Just write the rest of the original to the copy
+                        final_content.extend(content[index:])
+                        # Indicate that we want to update the server.xml
+                        rewrite_server_xml = True
+                        # Done
+                        break
+                    else:
+                        # Just give up
+                        break
+
+            final_content.append(line)
+
+        # Rewrite the file if needed
+        if rewrite_server_xml:
+            with open(server_xml, 'w') as fout:
+                for line_out in final_content:
+                    fout.write(line_out)
+            fout.close()
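Review bot: The `if tps_unsecure_url and tps_secure_url` test at the closing `-->` abandons the upgrade unless both base URLs were parsed, so a TPS status block that lists only one of them (or whose URL line contains a second `=` and fails `len(splits) == 2`) gets no phone-home line, and the scriptlet exits without reporting why. Handling each URL on its own, as sketched below, keeps the existing "already upgraded" check valid and still rewrites the file only when something was added. `self.backup(server_xml)` also runs before it is known whether a rewrite is needed, so every instance gets a backup of an unchanged file; moving it next to the `open(server_xml, 'w')` would avoid that, assuming the upgrade framework does not rely on the earlier call. The `f.close()` and `fout.close()` calls are redundant because the `with` blocks already close both files, and the class and `upgrade_instance` would benefit from a short docstring naming the marker line the parser expects.

```python
# … unchanged: marker search, "already upgraded" checks and URL parsing …
                if line.find(tps_end_statuses_pattern) != -1:
                    # Add a phone home line for each base URL that was parsed
                    added = []
                    if tps_unsecure_url:
                        added.append(
                            tps_unsecure_phone_home_pattern + ' = ' +
                            tps_unsecure_url + '/' + tps_phone_home_path + '\n')
                    if tps_secure_url:
                        added.append(
                            tps_secure_phone_home_pattern + '   = ' +
                            tps_secure_url + '/' + tps_phone_home_path + '\n')
                    if added:
                        final_content.extend(added)
                        # Copy the closing line and the rest of the file unchanged
                        final_content.extend(content[index:])
                        rewrite_server_xml = True
                    break
# … unchanged: final_content.append(line) and the conditional rewrite …
```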
diff --git a/base/tks/shared/conf/server.xml b/base/tks/shared/conf/server.xml
deleted file mode 100644
index 744b57d..0000000
--- a/base/tks/shared/conf/server.xml
+++ /dev/null
@@ -1,258 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!-- BEGIN COPYRIGHT BLOCK
-     Copyright (C) 2006-2010 Red Hat, Inc.
-     All rights reserved.
-     Modifications: configuration parameters
-     END COPYRIGHT BLOCK -->
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<!-- Note:  A "Server" is not itself a "Container", so you may not
-     define subcomponents such as "Valves" at this level.
-     Documentation at /docs/config/server.html
- -->
-
-<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
-<!--
-Unsecure URL        = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Agent URL    = https://[PKI_HOSTNAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]
-Secure EE URL       = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Admin URL    = https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services
-PKI Console Command = pkiconsole https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]
-Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
--->
-<!-- DO NOT REMOVE - End PKI Status Definitions -->
-
-<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
-
-  <!--APR library loader. Documentation at /docs/apr.html -->
-  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
-  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
-  <Listener className="org.apache.catalina.core.JasperListener" />
-  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
-  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
-  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
-
-  <!-- Global JNDI resources
-       Documentation at /docs/jndi-resources-howto.html
-  -->
-  <GlobalNamingResources>
-    <!-- Editable user database that can also be used by
-         UserDatabaseRealm to authenticate users
-    -->
-    <Resource name="UserDatabase" auth="Container"
-              type="org.apache.catalina.UserDatabase"
-              description="User database that can be updated and saved"
-              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
-              pathname="conf/tomcat-users.xml" />
-  </GlobalNamingResources>
-
-  <!-- A "Service" is a collection of one or more "Connectors" that share
-       a single "Container" Note:  A "Service" is not itself a "Container", 
-       so you may not define subcomponents such as "Valves" at this level.
-       Documentation at /docs/config/service.html
-   -->
-  <Service name="Catalina">
-  
-    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
-    <!--
-    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" 
-        maxThreads="150" minSpareThreads="4"/>
-    -->
-    
-    
-    <!-- A "Connector" represents an endpoint by which requests are received
-         and responses are returned. Documentation at :
-         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
-         Java AJP  Connector: /docs/config/ajp.html
-         APR (HTTP/AJP) Connector: /docs/apr.html
-         Define a non-SSL HTTP/1.1 Connector on port 8080
-    -->
-
-    [PKI_UNSECURE_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443" 
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
-	       />
-
-    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
-    [PKI_SECURE_PORT_SERVER_COMMENT]
-    <!-- DO NOT REMOVE - Begin define PKI secure port
-	NOTE: The OCSP settings take effect globally, so it should only be set once.
-
-	  In setup where SSL clientAuth="true", OCSP can be turned on by
-	  setting enableOCSP to true like the following:
-	    enableOCSP="true"
-	  along with changes to related settings, especially:
-	    ocspResponderURL=<see example in connector definition below>
-	    ocspResponderCertNickname=<see example in connector definition below>
-	  Here are the definition to all the OCSP-related settings:
-	    enableOCSP - turns on/off the ocsp check
-	    ocspResponderURL - sets the url where the ocsp requests are sent
-	    ocspResponderCertNickname - sets the nickname of the cert that is
-		either CA's signing certificate or the OCSP server's signing
-		certificate.
-		The CA's signing certificate should already be in the db, in
-		case of the same security domain.
-		In case of an ocsp signing certificate, one must import the cert
-		into the subsystem's nss db and set trust. e.g.:
-		  certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
-	    ocspCacheSize - sets max cache entries
-	    ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
-	    ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
-	    ocspTimeout -sets OCSP timeout in seconds
-    -->
-    <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" disableUploadTimeout="true"
-	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
-	       enableOCSP="false"
-	       ocspResponderURL="http://[PKI_HOSTNAME]:9080/ca/ocsp";
-	       ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
-	       ocspCacheSize="1000"
-	       ocspMinCacheEntryDuration="60"
-	       ocspMaxCacheEntryDuration="120"
-	       ocspTimeout="10"
-           strictCiphers="false"
-	       clientAuth="[PKI_AGENT_CLIENTAUTH]"
-	       sslOptions="[TOMCAT_SSL_OPTIONS]"
-	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
-	       ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
-	       tlsCiphers="[TOMCAT_TLS_CIPHERS]"
-	       serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
-	       passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
-	       passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
-	       certdbDir="[PKI_INSTANCE_PATH]/alias"
-	       />
-    <!-- DO NOT REMOVE - End define PKI secure port -->
-
-    [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" disableUploadTimeout="true"
-	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
-           strictCiphers="false"
-	       clientAuth="false"
-	       sslOptions="[TOMCAT_SSL_OPTIONS]"
-	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
-	       ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
-	       tlsCiphers="[TOMCAT_TLS_CIPHERS]"
-	       serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
-	       passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
-	       passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
-	       certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-    [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
-    [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" disableUploadTimeout="true"
-	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
-           strictCiphers="false"
-	       clientAuth="false"
-	       sslOptions="[TOMCAT_SSL_OPTIONS]"
-	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
-	       ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
-	       tlsCiphers="[TOMCAT_TLS_CIPHERS]"
-	       serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
-	       passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
-	       passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
-	       certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-    [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
-    <!-- A "Connector" using the shared thread pool-->
-    <!--
-    <Connector executor="tomcatThreadPool"
-               port="8080" protocol="HTTP/1.1" 
-               connectionTimeout="20000" 
-               redirectPort="8443" />
-    -->           
-    <!-- Define a SSL HTTP/1.1 Connector on port 8443
-         This connector uses the JSSE configuration, when using APR, the 
-         connector should be using the OpenSSL style configuration
-         described in the APR documentation -->
-    <!--
-    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
-               maxThreads="150" scheme="https" secure="true"
-               clientAuth="false" sslProtocol="TLS" />
-    -->
-
-    <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
-[PKI_OPEN_AJP_PORT_COMMENT]
-    <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" address="127.0.0.1" />
-[PKI_CLOSE_AJP_PORT_COMMENT]
-
-
-    <!-- An Engine represents the entry point (within Catalina) that processes
-         every request.  The Engine implementation for Tomcat stand alone
-         analyzes the HTTP headers included with the request, and passes them
-         on to the appropriate Host (virtual host).
-         Documentation at /docs/config/engine.html -->
-
-    <!-- You should set jvmRoute to support load-balancing via AJP ie :
-    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">         
-    --> 
-    <Engine name="Catalina" defaultHost="localhost">
-
-      <!--For clustering, please take a look at documentation at:
-          /docs/cluster-howto.html  (simple how to)
-          /docs/config/cluster.html (reference documentation) -->
-      <!--
-      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-      -->        
-
-      <!-- The request dumper valve dumps useful debugging information about
-           the request and response data received and sent by Tomcat.
-           Documentation at: /docs/config/valve.html -->
-      <!--
-      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-      -->
-
-      <!-- This Realm uses the UserDatabase configured in the global JNDI
-           resources under the key "UserDatabase".  Any edits
-           that are performed against this UserDatabase are immediately
-           available for use by the Realm.  -->
-      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-             resourceName="UserDatabase"/>
-
-      <!-- Define the default virtual host
-           Note: XML Schema validation will not work with Xerces 2.2.
-       -->
-      <Host name="localhost"  appBase="webapps"
-            unpackWARs="true" autoDeploy="false"
-            xmlValidation="false" xmlNamespaceAware="false">
-
-        <!-- SingleSignOn valve, share authentication between web applications
-             Documentation at: /docs/config/valve.html -->
-        <!--
-        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-        -->
-
-        <!-- Access log processes all example.
-             Documentation at: /docs/config/valve.html -->
-        [PKI_OPEN_TOMCAT_ACCESS_LOG_COMMENT]
-        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"  
-               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
-        [PKI_CLOSE_TOMCAT_ACCESS_LOG_COMMENT]
-
-      </Host>
-    </Engine>
-  </Service>
-</Server>
diff --git a/base/tps/shared/conf/server.xml b/base/tps/shared/conf/server.xml
deleted file mode 100644
index 23e4f5f..0000000
--- a/base/tps/shared/conf/server.xml
+++ /dev/null
@@ -1,258 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!-- BEGIN COPYRIGHT BLOCK
-     Copyright (C) 2006-2010 Red Hat, Inc.
-     All rights reserved.
-     Modifications: configuration parameters
-     END COPYRIGHT BLOCK -->
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<!-- Note:  A "Server" is not itself a "Container", so you may not
-     define subcomponents such as "Valves" at this level.
-     Documentation at /docs/config/server.html
- -->
-
-<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
-<!--
-Unsecure URL        = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Agent URL    = https://[PKI_HOSTNAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]
-Secure EE URL       = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Admin URL    = https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services
-PKI Console Command = pkiconsole https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]
-Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
--->
-<!-- DO NOT REMOVE - End PKI Status Definitions -->
-
-<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
-
-  <!--APR library loader. Documentation at /docs/apr.html -->
-  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
-  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
-  <Listener className="org.apache.catalina.core.JasperListener" />
-  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
-  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
-  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
-
-  <!-- Global JNDI resources
-       Documentation at /docs/jndi-resources-howto.html
-  -->
-  <GlobalNamingResources>
-    <!-- Editable user database that can also be used by
-         UserDatabaseRealm to authenticate users
-    -->
-    <Resource name="UserDatabase" auth="Container"
-              type="org.apache.catalina.UserDatabase"
-              description="User database that can be updated and saved"
-              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
-              pathname="conf/tomcat-users.xml" />
-  </GlobalNamingResources>
-
-  <!-- A "Service" is a collection of one or more "Connectors" that share
-       a single "Container" Note:  A "Service" is not itself a "Container",
-       so you may not define subcomponents such as "Valves" at this level.
-       Documentation at /docs/config/service.html
-   -->
-  <Service name="Catalina">
-
-    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
-    <!--
-    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
-        maxThreads="150" minSpareThreads="4"/>
-    -->
-
-
-    <!-- A "Connector" represents an endpoint by which requests are received
-         and responses are returned. Documentation at :
-         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
-         Java AJP  Connector: /docs/config/ajp.html
-         APR (HTTP/AJP) Connector: /docs/apr.html
-         Define a non-SSL HTTP/1.1 Connector on port 8080
-    -->
-
-    [PKI_UNSECURE_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
-	       />
-
-    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
-    [PKI_SECURE_PORT_SERVER_COMMENT]
-    <!-- DO NOT REMOVE - Begin define PKI secure port
-	NOTE: The OCSP settings take effect globally, so it should only be set once.
-
-	  In setup where SSL clientAuth="true", OCSP can be turned on by
-	  setting enableOCSP to true like the following:
-	    enableOCSP="true"
-	  along with changes to related settings, especially:
-	    ocspResponderURL=<see example in connector definition below>
-	    ocspResponderCertNickname=<see example in connector definition below>
-	  Here are the definition to all the OCSP-related settings:
-	    enableOCSP - turns on/off the ocsp check
-	    ocspResponderURL - sets the url where the ocsp requests are sent
-	    ocspResponderCertNickname - sets the nickname of the cert that is
-		either CA's signing certificate or the OCSP server's signing
-		certificate.
-		The CA's signing certificate should already be in the db, in
-		case of the same security domain.
-		In case of an ocsp signing certificate, one must import the cert
-		into the subsystem's nss db and set trust. e.g.:
-		  certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
-	    ocspCacheSize - sets max cache entries
-	    ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
-	    ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
-	    ocspTimeout -sets OCSP timeout in seconds
-    -->
-    <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" disableUploadTimeout="true"
-	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
-	       enableOCSP="false"
-	       ocspResponderURL="http://[PKI_HOSTNAME]:9080/ca/ocsp";
-	       ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
-	       ocspCacheSize="1000"
-	       ocspMinCacheEntryDuration="60"
-	       ocspMaxCacheEntryDuration="120"
-	       ocspTimeout="10"
-           strictCiphers="false"
-	       clientAuth="[PKI_AGENT_CLIENTAUTH]"
-	       sslOptions="[TOMCAT_SSL_OPTIONS]"
-	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
-	       ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
-	       tlsCiphers="[TOMCAT_TLS_CIPHERS]"
-	       serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
-	       passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
-	       passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
-	       certdbDir="[PKI_INSTANCE_PATH]/alias"
-	       />
-    <!-- DO NOT REMOVE - End define PKI secure port -->
-
-    [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" disableUploadTimeout="true"
-	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
-           strictCiphers="false"
-	       clientAuth="false"
-	       sslOptions="[TOMCAT_SSL_OPTIONS]"
-	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
-	       ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
-	       tlsCiphers="[TOMCAT_TLS_CIPHERS]"
-	       serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
-	       passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
-	       passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
-	       certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-    [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
-    [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
-	       maxHttpHeaderSize="8192"
-	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
-	       enableLookups="false" disableUploadTimeout="true"
-	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
-           strictCiphers="false"
-	       clientAuth="false"
-	       sslOptions="[TOMCAT_SSL_OPTIONS]"
-	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
-	       ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
-	       tlsCiphers="[TOMCAT_TLS_CIPHERS]"
-	       serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
-	       passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
-	       passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
-	       certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-    [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
-    <!-- A "Connector" using the shared thread pool-->
-    <!--
-    <Connector executor="tomcatThreadPool"
-               port="8080" protocol="HTTP/1.1"
-               connectionTimeout="20000"
-               redirectPort="8443" />
-    -->
-    <!-- Define a SSL HTTP/1.1 Connector on port 8443
-         This connector uses the JSSE configuration, when using APR, the
-         connector should be using the OpenSSL style configuration
-         described in the APR documentation -->
-    <!--
-    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
-               maxThreads="150" scheme="https" secure="true"
-               clientAuth="false" sslProtocol="TLS" />
-    -->
-
-    <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
-[PKI_OPEN_AJP_PORT_COMMENT]
-    <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" address="127.0.0.1" />
-[PKI_CLOSE_AJP_PORT_COMMENT]
-
-
-    <!-- An Engine represents the entry point (within Catalina) that processes
-         every request.  The Engine implementation for Tomcat stand alone
-         analyzes the HTTP headers included with the request, and passes them
-         on to the appropriate Host (virtual host).
-         Documentation at /docs/config/engine.html -->
-
-    <!-- You should set jvmRoute to support load-balancing via AJP ie :
-    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-    -->
-    <Engine name="Catalina" defaultHost="localhost">
-
-      <!--For clustering, please take a look at documentation at:
-          /docs/cluster-howto.html  (simple how to)
-          /docs/config/cluster.html (reference documentation) -->
-      <!--
-      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-      -->
-
-      <!-- The request dumper valve dumps useful debugging information about
-           the request and response data received and sent by Tomcat.
-           Documentation at: /docs/config/valve.html -->
-      <!--
-      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-      -->
-
-      <!-- This Realm uses the UserDatabase configured in the global JNDI
-           resources under the key "UserDatabase".  Any edits
-           that are performed against this UserDatabase are immediately
-           available for use by the Realm.  -->
-      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-             resourceName="UserDatabase"/>
-
-      <!-- Define the default virtual host
-           Note: XML Schema validation will not work with Xerces 2.2.
-       -->
-      <Host name="localhost"  appBase="webapps"
-            unpackWARs="true" autoDeploy="false"
-            xmlValidation="false" xmlNamespaceAware="false">
-
-        <!-- SingleSignOn valve, share authentication between web applications
-             Documentation at: /docs/config/valve.html -->
-        <!--
-        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-        -->
-
-        <!-- Access log processes all example.
-             Documentation at: /docs/config/valve.html -->
-        [PKI_OPEN_TOMCAT_ACCESS_LOG_COMMENT]
-        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
-               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
-        [PKI_CLOSE_TOMCAT_ACCESS_LOG_COMMENT]
-
-      </Host>
-    </Engine>
-  </Service>
-</Server>
-- 
2.1.0

