Background#
Dogtag Certificate System comprises six major subsystems as described in PKI Architecture - Certificate System.
For Dogtag Certificate System 9.0 and earlier to be utilized, each PKI subsystem required the installation and configuration of one or more instances of this specific type of PKI subsystem.
Each PKI instance of a CA, DRM, OCSP, or TKS were created as a unique instance of Tomcat, whereas each PKI instance of an RA or TPS were created as a unique instance of Apache, and more than one instance of the same type could reside on the same host machine or VM.
PKI Instance Installation (Legacy)#
Dogtag Certificate System 9.0 and earlier used the following command-line utilities to install PKI instances:
Operation |
Description |
Packages |
|---|---|---|
Installation |
The pkicreate command-line utility which consists of a Perl script with a large number of command-line options used to create the specified type of PKI instance. |
pki-setup
pki-selinux
|
PKI Instance Configuration (Legacy)#
For Dogtag Certificate System 9.0 and earlier, once a PKI instance was created, it needed to be configured before it could be used. To accomplish this, the following two methods of operation were provided:
Operation |
Description |
Packages |
|---|---|---|
Interactive (Manual) Configuration |
Firefox browser-based configuration using dogtag-specific branded panels. |
dogtag-pki-ca-theme** | dogt ag-pki-common-theme | d ogtag-pki-kra-theme | do gtag-pki-ocsp-theme | ** dogtag-pki-ra-theme** | d ogtag-pki-tks-theme | d ogtag-pki-tps-theme |
Batch Configuration |
The pkisilent command-line utility which consists of a Perl script with a large number of command-line options used to call the appropriate Java program to configure the appropriate PKI instance based upon the order of the ‘Manual’ configuration panels for that particular type of PKI instance. |
pki-silent |
PKI Instance Removal (Legacy)#
Dogtag Certificate System 9.0 and earlier used the following command-line utilities to remove PKI instances:
Operation |
Description |
Packages |
|---|---|---|
Removal |
The pkiremove command-line utility which consists of a Perl script with a large number of command-line options used to remove the specified PKI instance. |
pki-setup
pki-selinux
|
Design Goals#
For the embedded version of PKI, the following design goals are desired:
Encapsulate PKI instance installation and configuration within a single Python script which works in conjunction with the new Java PKI installation servlet, and provide the various command-line options via a configuration file.
For Tomcat deployment purposes, integrate the use of a common shared “war” file.
Integrate Python exception handling to elegantly deal with any errors encountered
Collapse installation server code into a single servlet, replacing the pkicreate and pkiremove Perl scripts with alternatives written in Python, removing the need for any template-based substitutions.
Use a configuration file in lieu of command-line parameters, eliminating port and location choices being specified as passed-in parameters.
Use proxy logic by default to drastically reduce the number of ports (e. g. - 8009 AJP, 8080 http, and 8443 https) thus eliminating the pki-proxy tool.
Combine individual CA, DRM, OCSP, and TKS Tomcat-based instances into a single instance of Tomcat accessible via a RESTEasy interface.
Disallow the creation of multiple instances of a CA, DRM, OCSP, or TKS instance on a single host machine or VM, effectively eliminating the need for a PKI instance registry (although this would still be useful for non-default PKI instance installations).
Use the default Tomcat instance thereby eliminating the need for PKI subsystem SYS-V initialization scripts and/or PKI-specific systemd services.
Reuse the default system Tomcat SELinux policy to eliminate the need for PKI-specific SELinux policies.
Seamlessly integrate support for “upgrading” an existing PKI instance via integrating a -u update option from the command-line
Re-write the pki-silent Perl script as a Python script which utilizes the single Java PKI installation servlet identified above to perform PKI configuration making it completely independent of any previous manual browser-based panels.
Eliminate the ability to manually configure a PKI instance via a browser, thus removing the runtime requirement for any theme-based UI components.
Provide PKI instance removal command-line options via a configuration file.
Associated Bugs#
Detailed Design#
Design Considerations#
Due to aggressive scheduling, this effort will be broken down into the following phases:
Phase I#
Install, configure, and remove a simple CA (no clone/no subordinate CA)
Install, configure, and remove a simple DRM (no clone)
Phase II#
Add support to allow a command-line option of specifying a customized configuration file that will be merged with the existing configuration file
Phase III#
[TBD]
High-Level Design#
PKI Deployment Package (Proposed)#
A new package called pki-deploy will be created which contains the following:
Item |
Location |
Purpose |
|---|---|---|
pkispawn |
/usr/bin |
Python script utilized for installation and configuration of a PKI instance |
pkidestroy |
/usr/bin |
Python script utilized for removal of a PKI instance |
‘’’pkideployment.cfg |
/usr/share/ pki/deployment/config |
Default pre-defined PKI instance configuration file |
“scriptlets” |
/usr/lib/py thon<version>/site-pa ckages/pki/deployment |
General-purpose stand-alone Python scripts which will be invoked in a pre-determined numerical order by pkispawn and pkidestroy to perform all PKI instance installation, configuration, and removal tasks |
Symlinks (Instal lation/Configuration) |
/usr/share/pk
i/deployment/spawn/ca | /usr/share/pki /deployment/spawn/kra | /usr/share/pki/ deployment/spawn/ocsp | /usr/share/pk i/deployment/spawn/ra | /usr/share/pki /deployment/spawn/tks | /usr/share/pki /deployment/spawn/tps |
Enumerated symbolic links to corresponding Python insta llation/configuration “scriptlets” |
Symlinks (Removal) |
/usr/share/pki/
deployment/destroy/ca | /usr/share/pki/d eployment/destroy/kra | /usr/share/pki/de ployment/destroy/ocsp | /usr/share/pki/ deployment/destroy/ra | /usr/share/pki/d eployment/destroy/tks | /usr/share/pki/d eployment/destroy/tps |
Enumerated symbolic links to corresponding Python removal “scriptlets” |
The pkispawn and pkidestroy Python code will only contain basic installation and removal engine frameworks respectively.
The code contained within these two engines will be minimal, primarily relying upon data obtained from a configuration file, and specific invocation execution based upon enumerated symlinks to scriptlets.
Since configuration files will be utilized by the new pkispawn and pkidestroy command-line Python scripts, command-line options will be dramatically reduced.
PKI Deployment Packages (Legacy)#
The pki-setup[STRIKEOUT:, pki-selinux,] and pki-silent packages will be removed and replaced by the new pki-deploy package in the pki-core source package.
[STRIKEOUT:Similarly, the dogtag-pki-ca-theme, dogtag-pki-common-theme, dogtag-pki-kra-theme, dogtag-pki-ocsp-theme, dogtag-pki-ra-theme, dogtag-pki-tks-theme, and dogtag-pki-tps-theme packages will be removed from the dogtag-pki-theme source package during their appropriate phase detailed above, and the various runtime dependency requirements will be deleted from their respective packages (e. g. - the pki-ca-theme runtime requirement will be removed from the pki-ca package).]
The following table summarizes the old and new command-line utilities and their associated packages:
New Command (associated package) |
Old Command (associated packages) |
|---|---|
pkispawn (pki-deploy) |
pkicreate (pki-setup,
pki-selinux)
pkisilent (pki-silent)
[STRIKEOUT:dogtag-pki-ca-theme
(dogtag-pki-theme)
dogtag-pki-common-theme
(dogtag-pki-theme)
dogtag-pki-kra-theme
(dogtag-pki-theme)
dogtag-pki-ocsp-theme
(dogtag-pki-theme)
dogtag-pki-ra-theme
(dogtag-pki-theme)
dogtag-pki-tks-theme
(dogtag-pki-theme)
dogtag-pki-tps-theme
(dogtag-pki-theme)]
|
pkidestroy (pki-deploy) |
pkiremove (pki-setup, pki-selinux) |
Low-Level Design#
The following design was inspired by the Perl installation “scriptlets” used by the 389 Directory Server project, as well as System V init process.
PKI Deployment Engines#
PKI Installation Engine#
The pkispawn Python code will be invoked from /usr/bin as follows (per PKI TRAC Ticket #261 - Dogtag 10: Revisit command-line options of ‘pkispawn’ and ‘pkidestroy’ . . .):
\ `` -f ``\ `` [--dry_run] [-h] [-u] [-v]\ ``]\ `` where ``\ `` is CA, KRA, OCSP, RA, TKS, or TPS\ `` specifies configuration filename\ `` directory prefix to specify local directory [TEST ONLY]PKI Removal Engine#
Similarly, the pkidestroy Python code will be invoked from /usr/bin as follows (per PKI TRAC Ticket #261 - Dogtag 10: Revisit command-line options of ‘pkispawn’ and ‘pkidestroy’ . . .):
\ `` -i ``\ `` [-d ``\ ``]\ ``]\ `` where ``\ `` is CA, KRA, OCSP, RA, TKS, or TPS\ `` PKI instance name\ `` PKI admin domain name (instance name suffix)\ `` directory prefix to specify local directory [TEST ONLY]PKI Configuration Files#
PKI Installation Configuration Files#
The pkispawn executable will obtain its default command-line options from a single configuration file stored at /usr/share/pki/config/pkideployment.cfg (which will have been copied and the required [Sensitive] parameters will have at least been filled out). The entire path to this copied ‘pkideployment.cfg’ file will be specified by the mandatory -f command-line option); a copy of each instance-specific configuration file will be saved within the instance itself, as this will be used for instance removal.
The default installation configuration file will contain general sections for Sensitive, Common, Apache, and Tomcat specific name-value pairs. Additionally, each PKI subsystem will have its own section which contains simple default name-value pairs:
PKI Removal Configuration Files#
For pkidestroy, the aforementioned instance-specific configuration file will be used to remove the specified instance.
PKI Python Dictionaries#
Having obtained their default command-line options by reading the appropriate configuration file, the pkispawn and the pkidestroy executables will utilize Python’s ConfigParser library to parse this information into four distinct Python dictionaries:
Sensitive
Common
Web
Subsystem
Three of these Python dictionaries (Common, Web, and Subsystem) will be used to encapsulate all data relevant to the pkispawn and the pkidestroy executables and their associated stand-alone Python “scriptlets” and will be combined in a single “Master” Python dictionary.
Command-line Processing of PKI Scriptlets#
Command-line Processing of PKI Installation Scriptlets#
Command-line processing of pkispawn will primarily be accomplished via individual enumerated symlinks to scriptlets stored under /usr/share/pki/deployment/spawn/<subsystem>/ which will be invoked in ascending order; these pkispawn symlinks will be located under the following directories:
CA (/usr/share/pki/deployment/spawn/ca/) KRA (/usr/share/pki/deployment/spawn/kra/) OCSP (/usr/share/pki/deployment/spawn/ocsp/) TKS (/usr/share/pki/deployment/spawn/tks/)
Execution Order |
Python Scriptlet |
Purpose |
Installation |
Upgrade |
|---|---|---|---|---|
000 |
initi alization.py |
First ‘scriptlet’ executed |
√ |
√ |
010 |
infrastructu re_layout.py |
Populate /Re-populate top-level PKI in frastructure directories, files, and symlinks |
√ |
√ |
020 |
instan ce_layout.py |
Populate /Re-populate PKI instance directories, files, and symlinks |
√ |
√ |
030 |
subsyst em_layout.py |
Populate /Re-populate PKI subsystem directories, files, and symlinks |
√ |
√ |
040 |
war_ explosion.py |
Explode the subsystem “war” file |
√ |
√ |
050 |
slot_sub stitution.py |
Substitute variables in various files |
√ |
√ |
060 |
security_ databases.py |
Create (if necessary) and initialize the shared PKI-specific A pache/Tomcat security databases |
√ |
√ |
070 |
conf iguration.py |
Invoke Java client to configure PKI subsystem |
√ |
√ |
999 |
fin alization.py |
Last ‘scriptlet’ executed |
√ |
√ |
RA (/usr/share/pki/deployment/spawn/ra/) TPS (/usr/share/pki/deployment/spawn/tps/)
`` [TBD]``
Command-line Processing of PKI Removal Scriptlets#
Likewise, command-line processing of pkidestroy will primarily be accomplished via individual enumerated symlinks to scriptlets stored under /usr/share/pki/deployment/destroy/<subsystem>/ which will be invoked in descending order; these pkidestroy symlinks will be located under the following directories:
CA (/usr/share/pki/deployment/destroy/ca/) KRA (/usr/share/pki/deployment/destroy/kra/) OCSP (/usr/share/pki/deployment/destroy/ocsp/) TKS (/usr/share/pki/deployment/destroy/tks/)
Execution Order |
Python Scriptlet |
Purpose |
Removal |
|---|---|---|---|
000 |
i nitialization.py |
First ‘scriptlet’ executed |
√ |
930 |
configuration.py |
Invoke Java client to configure PKI subsystem |
√ |
940 |
secur ity_databases.py |
Remove (if necessary) the shared PKI-specific Apache/Tomcat security databases |
√ |
960 |
war_explosion.py |
Remove previously exploded subsystem “war” directories, files, and symlinks |
√ |
970 |
sub system_layout.py |
Remove PKI subsystem directories, files, and symlinks |
√ |
980 |
in stance_layout.py |
Remove PKI instance directories, files, and symlinks |
√ |
990 |
infrastr ucture_layout.py |
Remove top-level PKI infrastructure directories, files, and symlinks |
√ |
999 |
finalization.py |
Last ‘scriptlet’ executed |
√ |
RA (/usr/share/pki/deployment/destroy/ra/) TPS (/usr/share/pki/deployment/destroy/tps/)
`` [TBD]``
PKI Scriptlets#
Anatomy of a PKI Scriptlet#
All PKI “scriptlets” are defined to be implementations of the following abstract base class:
List of PKI Scriptlets#
All Python-based installation/removal scriptlets will be located under /usr/lib/python<version>/site-packages/pki/deployment/:
Python Scriptlet |
Explanation |
|---|---|
initialization.py |
First ‘scriptlet’ executed |
infrastructure_layout.py |
Create top-level PKI infrastructure directories, files, and symlinks |
instance_layout.py |
Create top-level PKI instance directories, files, and symlinks |
subsystem_layout.py |
Create top-level PKI subsystem directories, files, and symlinks |
war_explosion.py |
Explode specified “war” file |
slot_substitution.py |
Make variable substitutions in various files |
security_databases.py |
Create/modify shared NSS security databases for this instance |
configuration.py |
FUTURE: Invoke the Java-based client to configure this instance |
finalization.py |
Last ‘scriptlet’ executed |
PKI (CA, KRA, OCSP, TKS) Instance Tomcat Class Loader Order#
For Tomcat 7, this is described in detail at the following link:
In summary, from the perspective of a web application, class or resource loading looks in the following repositories, in this order:
Bootstrap classes of your JVM
System class loader classes (described above)
/WEB-INF/classes of your web application
/WEB-INF/lib/*.jar of your web application
Common class loader classes (described above)
PKI Instance File System Directory Layout#
File System Directory Layout (Proposed)#
CA / KRA / OCSP / RA / TKS / TPS#
+ ``\ **/etc/sysconfig/pki``**`` (PKI-specific registry)``+ ``\ **/etc/sysconfig/pki/apache``**`` (PKI-specific Apache registry)``+ ``\ **/etc/sysconfig/pki/apache``**/<apache_instance[.admin_domain]> (PKI-specific <apache_instance[.admin_domain]> registry)\ **/etc/sysconfig/pki/apache``**/``<apache_instance[.admin_domain]>/ra````````(PKI-specific````````<apache_instance[.admin_domain]>````````RA-specific````````registry````````-````````contains````````installation````````manifest````````file)``\ **/etc/sysconfig/pki/apache``**/``<apache_instance[.admin_domain]>/tps````````(PKI-specific````````<apache_instance[.admin_domain]>````````TPS-specific````````registry````````-````````contains````````installation````````manifest````````file)``+ ``\ **/etc/sysconfig/pki/tomcat``**`` (PKI-specific Tomcat registry)``+ ``\ **/etc/sysconfig/pki/tomcat``**/<tomcat_instance[.admin_domain]> (PKI-specific <tomcat_instance[.admin_domain]> registry)+/- ``\ **/etc/sysconfig/pki/tomcat``**/<tomcat_instance[.admin_domain]>/ca (PKI-specific <tomcat_instance[.admin_domain]> CA-specific registry - contains installation manifest file)+/= ``\ **/etc/sysconfig/pki/tomcat``**/<tomcat_instance[.admin_domain]>/kra (PKI-specific <tomcat_instance[.admin_domain]> KRA-specific registry - contains installation manifest file)\ **/etc/sysconfig/pki/tomcat``**/``<tomcat_instance[.admin_domain]>/ocsp````````(PKI-specific````````<tomcat_instance[.admin_domain]>````````OCSP-specific````````registry````````-````````contains````````installation````````manifest````````file)``\ **/etc/sysconfig/pki/tomcat``**/``<tomcat_instance[.admin_domain]>/tks````````(PKI-specific````````<tomcat_instance[.admin_domain]>````````TKS-specific````````registry````````-````````contains````````installation````````manifest````````file)``+ ``\ **/etc/pki``**`` (PKI-specific configuration files)``+ ``\ **/etc/pki``**/<apache_instance[.admin_domain]> (PKI-specific <apache_instance[.admin_domain]> shared configuration files - e. g. - password.conf)+ ``\ **/etc/pki``**/<apache_instance[.admin_domain]>/alias (PKI-specific <apache_instance[.admin_domain]> shared NSS security databases)\ **/etc/pki``**/``<apache_instance[.admin_domain]>/ra````````(PKI-specific````````<apache_instance[.admin_domain]>````````RA-specific````````configuration````````files)``\ **/etc/pki``**/``<apache_instance[.admin_domain]>/tps````````(PKI-specific````````<apache_instance[.admin_domain]>````````TPS-specific````````configuration````````files)``+ ``\ **/etc/pki``**/<tomcat_instance[.admin_domain]> (PKI-specific <tomcat_instance[.admin_domain]> shared configuration files - e. g. - password.conf)+ ``\ **/etc/pki``**/<tomcat_instance[.admin_domain]>/alias (PKI-specific <tomcat_instance[.admin_domain]> shared NSS security databases)+/- ``\ **/etc/pki``**/<tomcat_instance[.admin_domain]>/ca (PKI-specific <tomcat_instance[.admin_domain]> CA-specific configuration files)+/= ``\ **/etc/pki``**/<tomcat_instance[.admin_domain]>/kra (PKI-specific <tomcat_instance[.admin_domain]> KRA-specific configuration files)\ **/etc/pki``**/``<tomcat_instance[.admin_domain]>/ocsp````````(PKI-specific````````<tomcat_instance[.admin_domain]>````````OCSP-specific````````configuration````````files)``\ **/etc/pki``**/``<tomcat_instance[.admin_domain]>/tks````````(PKI-specific````````<tomcat_instance[.admin_domain]>````````TKS-specific````````configuration````````files)``+ ``\ **/var/lib/pki``**`` (PKI-specific base files)``+ ``\ **/var/lib/pki``**/<apache_instance[.admin_domain]> (PKI-specific <apache_instance[.admin_domain]> - RA / TPS shared base files)# ``\ **/var/lib/pki``**/<apache_instance[.admin_domain]>/alias -> /etc/pki/[admin_domain]/[apache_instance]/alias (link to PKI-specific <apache_instance[.admin_domain]> shared NSS security databases)# ``\ **/var/lib/pki``**/<apache_instance[.admin_domain]>/conf -> /etc/pki/[admin_domain]/[apache_instance] (link to PKI-specific <apache_instance[.admin_domain]> shared configuration files)# ``\ **/var/lib/pki``**``/<apache_instance[.admin_domain]>/logs -> /var/log/pki/[admin_domain]/[apache_instance] (link to PKI-specific <apache_instance[.admin_domain]> log files) ``\ **/var/lib/pki``**/``<apache_instance[.admin_domain]>/ra````````(PKI-specific````````<tomcat_instance[.admin_domain]>````````RA-specific````````base````````files)``# ``\ **/var/lib/pki``**/``<apache_instance[.admin_domain]>/ra/alias````````->````````/var/lib/pki/[admin_domain]/[apache_instance]/alias````````(link````````to````````PKI-specific````````<apache_instance[.admin_domain]>````````NSS````````security````````databases)``\ **/var/lib/pki``**/``<apache_instance[.admin_domain]>/tps````````(PKI-specific````````<tomcat_instance[.admin_domain]>````````TPS-specific````````base````````files)``# ``\ **/var/lib/pki``**/``<apache_instance[.admin_domain]>/tps/alias````````->````````/var/lib/pki/[admin_domain]/[apache_instance]/alias````````(link````````to````````PKI-specific````````<apache_instance[.admin_domain]>````````shared````````NSS````````security````````databases)``+ ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]> (PKI-specific <tomcat_instance[.admin_domain]> - CA / KRA / OCSP / TKS shared base files)# ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/alias -> /etc/pki/[admin_domain]/[tomcat_instance]/alias (link to PKI-specific <tomcat_instance[.admin_domain]> shared NSS security databases)# ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/bin -> /usr/share/[tomcat_instance]/bin (link to <tomcat_instance[.admin_domain]> binaries for use by Eclipse)+/- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/ca (PKI-specific <tomcat_instance[.admin_domain]> CA-specific base files)# ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/ca/alias -> /var/lib/pki/[admin_domain]/[tomcat_instance]/alias (link to PKI-specific <apache_instance[.admin_domain]> shared NSS security databases)# ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/ca/conf -> /etc/pki/[admin_domain]/[tomcat_instance]/ca (link to PKI-specific <tomcat_instance[.admin_domain]> CA-specific configuration files)- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/ca/emails (PKI-specific <tomcat_instance[.admin_domain]> CA-specific email files)# ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/ca/logs -> /var/log/pki/[admin_domain]/[tomcat_instance]/ca (link to PKI-specific <tomcat_instance[.admin_domain]> CA-specific log files)- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/ca/profiles (PKI-specific <tomcat_instance[.admin_domain]> CA-specific profiles)# ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/ca/webapps -> /var/lib/pki/[admin_domain]/[tomcat_instance]/webapps (link to PKI-specific <tomcat_instance[.admin_domain]> CA-specific webapps files)+ ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/common (PKI-specific <tomcat_instance[.admin_domain]> common files)+ ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/common/lib (PKI-specific <tomcat_instance[.admin_domain]> common libraries)# ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/conf -> /etc/pki/[admin_domain]/[tomcat_instance] (link to PKI-specific <tomcat_instance[.admin_domain]> shared configuration files)= ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/kra (PKI-specific <tomcat_instance[.admin_domain]> KRA-specific base files)# ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/kra/alias -> /var/lib/pki/[admin_domain]/[tomcat_instance]/alias (link to PKI-specific <apache_instance[.admin_domain]> shared NSS security databases)# ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/kra/conf -> /etc/pki/[admin_domain]/[tomcat_instance]/kra (link to PKI-specific <tomcat_instance[.admin_domain]> KRA-specific configuration files)# ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/kra/logs -> /var/log/pki/[admin_domain]/[tomcat_instance]/kra (link to PKI-specific <tomcat_instance[.admin_domain]> KRA-specific log files)# ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/kra/webapps -> /var/lib/pki/[admin_domain]/[tomcat_instance]/webapps (link to PKI-specific <tomcat_instance[.admin_domain]> KRA-specific webapps files)\ **/var/lib/pki``**/``<tomcat_instance[.admin_domain]>/ocsp````````(PKI-specific````````<tomcat_instance[.admin_domain]>````````OCSP-specific````````base````````files)``\ **/var/lib/pki``**/``<tomcat_instance[.admin_domain]>/tks````````(PKI-specific````````<tomcat_instance[.admin_domain]>````````TKS-specific````````base````````files)``# ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/lib -> /usr/share/[tomcat_instance]/lib (link to <tomcat_instance[.admin_domain]> libraries for use by Eclipse)# ``\ **/var/lib/pki``**``/<tomcat_instance[.admin_domain]>/logs -> /var/log/pki/[admin_domain]/[tomcat_instance] (link to PKI-specific <tomcat_instance[.admin_domain]> log files) ``+ ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps+ ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ROOT+ ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ROOT/WEB-INF+ ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/WEB-INF+ ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/WEB-INF/classes+ ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/WEB-INF/lib+/- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/WEB-INF# ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/WEB-INF/classes -> /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/WEB-INF/classes# ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/WEB-INF/lib -> /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/WEB-INF/lib- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/admin- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/admin/ca- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/admin/console- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/admin/console/config- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/admin/console/img- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/admin/console/js- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/admin/graphics- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/agent- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/agent/ca- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/agent/graphics- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/css- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/ee- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/ee/ca- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/ee/ca/policyEnrollment- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/ee/ca/profileEnrollment- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/ee/graphics- ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/ca/img+/= ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/kra= ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/kra/WEB-INF# ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/kra/WEB-INF/classes -> /var/lib/pki/<tomcat_instance[.admin_domain]]>/webapps/WEB-INF/classes# ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/kra/WEB-INF/lib -> /var/lib/pki/<tomcat_instance[.admin_domain]]>/webapps/WEB-INF/lib= ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/kra/admin= ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/kra/admin/console= ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/kra/admin/console/config= ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/kra/admin/console/img= ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/kra/admin/console/js= ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/kra/agent= ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/kra/agent/graphics= ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/kra/agent/kra= ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/kra/css= ``\ **/var/lib/pki``**/<tomcat_instance[.admin_domain]>/webapps/kra/img\ **/var/lock/pki``**`` (PKI-specific locks)``\ **/var/lock/pki/apache``**`` (PKI-specific Apache locks)``\ **/var/lock/pki/ca``**`` (CA-specific locks)``\ **/var/lock/pki/kra``**`` (KRA-specific locks)``\ **/var/lock/pki/ocsp``**``````(OCSP-specific````````locks)``\ **/var/lock/pki/ra``**``````(RA-specific````````locks)``\ **/var/lock/pki/tks``**``````(TKS-specific````````locks)``\ **/var/lock/pki/tomcat``**`` (PKI-specific Tomcat locks)``\ **/var/lock/pki/tps``**``````(TPS-specific````````locks)``+ ``\ **/var/log/pki``**`` (PKI-specific log files)``+ ``\ **/var/log/pki``**/<apache_instance[.admin_domain]> (PKI-specific <apache_instance[.admin_domain]< log files)\ **/var/log/pki``**/``<apache_instance[.admin_domain]>/ra````````(PKI-specific````````<apache_instance[.admin_domain]<````````RA-specific````````log````````files)``\ **/var/log/pki``**/``<apache_instance[.admin_domain]>/tps````````(PKI-specific````````<apache_instance[.admin_domain]<````````TPS-specific````````log````````files)``\ **/var/log/pki``**/``<apache_instance[.admin_domain]>/tps/signedAudit````````(PKI-specific````````<apache_instance[.admin_domain]<````````TPS-specific````````signed````````audit````````log````````files)``+ ``\ **/var/log/pki``**/<tomcat_instance[.admin_domain]> (PKI-specific <tomcat_instance[.admin_domain]< log files)+ ``\ **/var/log/pki``**/<tomcat_instance[.admin_domain]>/ca (PKI-specific <tomcat_instance[.admin_domain]< CA-specific log files)+ ``\ **/var/log/pki``**/<tomcat_instance[.admin_domain]>/ca/signedAudit (PKI-specific <tomcat_instance[.admin_domain]< CA-specific signed audit log files)+ ``\ **/var/log/pki``**/<tomcat_instance[.admin_domain]>/kra (PKI-specific <tomcat_instance[.admin_domain]< KRA-specific log files)+ ``\ **/var/log/pki``**/<tomcat_instance[.admin_domain]>/kra/signedAudit (PKI-specific <tomcat_instance[.admin_domain]< KRA-specific signed audit log files)\ **/var/log/pki``**/``<tomcat_instance[.admin_domain]>/ocsp````````(PKI-specific````````<tomcat_instance[.admin_domain]<````````OCSP-specific````````log````````files)``\ **/var/log/pki``**/``<tomcat_instance[.admin_domain]>/ocsp/signedAudit````````(PKI-specific````````<tomcat_instance[.admin_domain]<````````OCSP-specific````````signed````````audit````````log````````files)``\ **/var/log/pki``**/``<tomcat_instance[.admin_domain]>/tks````````(PKI-specific````````<tomcat_instance[.admin_domain]<````````TKS-specific````````log````````files)``\ **/var/log/pki``**/``<tomcat_instance[.admin_domain]>/tks/signedAudit````````(PKI-specific````````<tomcat_instance[.admin_domain]<````````TKS-specific````````signed````````audit````````log````````files)``\ **/var/run/pki``**`` (PKI-specific pids)``\ **/var/run/pki/apache``**`` (PKI-specific Apache pids)``\ **/var/run/pki/ca``**`` (CA-specific pids)``\ **/var/run/pki/kra``**`` (KRA-specific pids)``\ **/var/run/pki/ocsp``**``````(OCSP-specific````````pids)``\ **/var/run/pki/ra``**``````(RA-specific````````pids)``\ **/var/run/pki/tks``**``````(TKS-specific````````pids)``\ **/var/run/pki/tomcat``**`` (PKI-specific Tomcat pids)``\ **/var/run/pki/tps``**``````(TPS-specific````````pids)``**NOTE: **
All references in bold are considered “fixed” directories which are not data-specific, and will be owned by the pki-deploy RPM rather than created by the pkispawn process.
All references in bold-italics are considered “fixed” directories which are not data-specific, and will be owned by the appropriate pki-ca or pki-kra RPM rather than created by the pkispawn process.
All references preceded by a “+” (plus) are directories which will be generated via the initial pkispawn process (regardless of subsystem type). As these are the top-level data directories, they cannot be “owned” by any RPM.
All references preceded by a “-” (dash) are candidates for an exploded ca.war file (not all contents would be included as some would be populated via the pkispawn process).
All references preceded by an “=” (equal sign) are candidates for an exploded kra.war file (not all contents would be included as some would be populated via the pkispawn process).
All references preceded by a “#” (hash mark) are symlinks which will be created via a pkispawn scriptlet which will be generated AFTER an exploded war file.