248 lines
15 KiB
XML
248 lines
15 KiB
XML
<!-- BEGIN COPYRIGHT BLOCK
|
|
Copyright (C) 2012 Red Hat, Inc.
|
|
All rights reserved.
|
|
Modifications: configuration parameters
|
|
END COPYRIGHT BLOCK -->
|
|
<!--
|
|
Licensed to the Apache Software Foundation (ASF) under one or more
|
|
contributor license agreements. See the NOTICE file distributed with
|
|
this work for additional information regarding copyright ownership.
|
|
The ASF licenses this file to You under the Apache License, Version 2.0
|
|
(the "License"); you may not use this file except in compliance with
|
|
the License. You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
-->
|
|
<!-- Note: A "Server" is not itself a "Container", so you may not
|
|
define subcomponents such as "Valves" at this level.
|
|
Documentation at /docs/config/server.html
|
|
-->
|
|
<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
|
|
<!-- CA Status Definitions -->
|
|
<?pkidaemon Unsecure URL = http://ipa1.example.com:8080/ca/ee/ca
|
|
Secure Agent URL = https://ipa1.example.com:8443/ca/agent/ca
|
|
Secure EE URL = https://ipa1.example.com:8443/ca/ee/ca
|
|
Secure Admin URL = https://ipa1.example.com:8443/ca/services
|
|
PKI Console Command = pkiconsole https://ipa1.example.com:8443/ca
|
|
Tomcat Port = 8005 (for shutdown)
|
|
?>
|
|
<!-- KRA Status Definitions -->
|
|
<?pkidaemon Secure Agent URL = https://ipa1.example.com:8443/kra/agent/kra
|
|
Secure Admin URL = https://ipa1.example.com:8443/kra/services
|
|
PKI Console Command = pkiconsole https://ipa1.example.com:8443/kra
|
|
Tomcat Port = 8005 (for shutdown)
|
|
?>
|
|
<!-- OCSP Status Definitions -->
|
|
<?pkidaemon Unsecure URL = http://ipa1.example.com:8080/ocsp/ee/ocsp/<ocsp request blob>
|
|
Secure Agent URL = https://ipa1.example.com:8443/ocsp/agent/ocsp
|
|
Secure EE URL = https://ipa1.example.com:8443/ocsp/ee/ocsp/<ocsp request blob>
|
|
Secure Admin URL = https://ipa1.example.com:8443/ocsp/services
|
|
PKI Console Command = pkiconsole https://ipa1.example.com:8443/ocsp
|
|
Tomcat Port = 8005 (for shutdown)
|
|
?>
|
|
<!-- TKS Status Definitions -->
|
|
<?pkidaemon Secure Agent URL = https://ipa1.example.com:8443/tks/agent/tks
|
|
Secure Admin URL = https://ipa1.example.com:8443/tks/services
|
|
PKI Console Command = pkiconsole https://ipa1.example.com:8443/tks
|
|
Tomcat Port = 8005 (for shutdown)
|
|
?>
|
|
<!-- TPS Status Definitions -->
|
|
<?pkidaemon Unsecure URL = http://ipa1.example.com:8080/tps
|
|
Secure URL = https://ipa1.example.com:8443/tps
|
|
Unsecure PHONE HOME = http://ipa1.example.com:8080/tps/phoneHome
|
|
Secure PHONE HOME = https://ipa1.example.com:8443/tps/phoneHome
|
|
Tomcat Port = 8005 (for shutdown)
|
|
?>
|
|
<!-- DO NOT REMOVE - End PKI Status Definitions -->
|
|
<Server port="8005" shutdown="SHUTDOWN">
|
|
<!--APR library loader. Documentation at /docs/apr.html -->
|
|
<!-- The following Listener class has been commented out because this -->
|
|
<!-- implementation depends upon the 'tomcatjss' JSSE module, 'JSS', -->
|
|
<!-- and 'NSS' rather than the 'tomcat-native' module! -->
|
|
<!-- Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" -->
|
|
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
|
|
<Listener className="org.apache.catalina.core.JasperListener"/>
|
|
<!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
|
|
<!-- The following class has been commented out because it -->
|
|
<!-- has been EXCLUDED from the Tomcat 7 'tomcat-lib' RPM! -->
|
|
<!-- Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" -->
|
|
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
|
|
<Listener className="com.netscape.cms.tomcat.PKIListener"/>
|
|
<!-- Global JNDI resources
|
|
Documentation at /docs/jndi-resources-howto.html
|
|
-->
|
|
<GlobalNamingResources>
|
|
<!-- Editable user database that can also be used by
|
|
UserDatabaseRealm to authenticate users
|
|
-->
|
|
<Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml"/>
|
|
</GlobalNamingResources>
|
|
<!-- A "Service" is a collection of one or more "Connectors" that share
|
|
a single "Container" Note: A "Service" is not itself a "Container",
|
|
so you may not define subcomponents such as "Valves" at this level.
|
|
Documentation at /docs/config/service.html
|
|
-->
|
|
<Service name="Catalina">
|
|
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
|
|
<!--
|
|
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
|
|
maxThreads="150" minSpareThreads="4"/>
|
|
-->
|
|
<!-- A "Connector" represents an endpoint by which requests are received
|
|
and responses are returned. Documentation at :
|
|
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
|
|
Java AJP Connector: /docs/config/ajp.html
|
|
APR (HTTP/AJP) Connector: /docs/apr.html
|
|
Define a non-SSL HTTP/1.1 Connector on port 8080
|
|
-->
|
|
<!-- Shared Ports: Unsecure Port Connector -->
|
|
<Connector name="Unsecure" port="8080" protocol="HTTP/1.1" redirectPort="8443" maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150" minSpareThreads="25" enableLookups="false" connectionTimeout="80000" disableUploadTimeout="true"/>
|
|
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
|
|
<!-- Shared Ports: Agent, EE, and Admin Secure Port Connector -->
|
|
<!-- DO NOT REMOVE - Begin define PKI secure port
|
|
NOTE: The following 'keys' (and their assigned values) are exclusive to
|
|
the 'tomcatjss' JSSE module:
|
|
|
|
'enableOCSP'
|
|
'ocspResponderURL'
|
|
'ocspResponderCertNickname'
|
|
'ocspCacheSize'
|
|
'ocspMinCacheEntryDuration'
|
|
'ocspMaxCacheEntryDuration'
|
|
'ocspTimeout'
|
|
'strictCiphers'
|
|
'clientauth' (ALL lowercase)
|
|
'sslVersionRangeStream'
|
|
'sslVersionRangeDatagram'
|
|
'sslRangeCiphers'
|
|
'serverCertNickFile'
|
|
'passwordFile'
|
|
'passwordClass'
|
|
'certdbDir'
|
|
|
|
and are referenced via the value of the 'sslImplementationName' key.
|
|
NOTE: The OCSP settings take effect globally, so it should only be set once.
|
|
|
|
In setup where SSL clientauth="true", OCSP can be turned on by
|
|
setting enableOCSP to true like the following:
|
|
enableOCSP="true"
|
|
along with changes to related settings, especially:
|
|
ocspResponderURL=<see example in connector definition below>
|
|
ocspResponderCertNickname=<see example in connector definition below>
|
|
Here are the definition to all the OCSP-related settings:
|
|
enableOCSP - turns on/off the ocsp check
|
|
ocspResponderURL - sets the url where the ocsp requests are sent
|
|
Make sure this URL uses the NON SSL or HTTP port for the OCSP interface.
|
|
Ex: use 8080 instead of say 8443.
|
|
ocspResponderCertNickname - sets the nickname of the cert that is
|
|
either CA's signing certificate or the OCSP server's signing
|
|
certificate.
|
|
The CA's signing certificate should already be in the db, in
|
|
case of the same security domain.
|
|
In case of an ocsp signing certificate, one must import the cert
|
|
into the subsystem's nss db and set trust. e.g.:
|
|
certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
|
|
|
|
If both ocspResponderURL and ocspResponderCertNickname are both unset
|
|
all OCSP checks will be made using the URL encoded within the AIA extension
|
|
of each cert being verified.
|
|
|
|
ocspCacheSize - sets max cache entries
|
|
ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
|
|
ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
|
|
ocspTimeout -sets OCSP timeout in seconds
|
|
|
|
See <instance dir>/conf/ciphers.info
|
|
About the TLS range related parameters
|
|
-->
|
|
<Connector name="Secure" port="8443" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" maxHttpHeaderSize="8192" connectionTimeout="80000" keepAliveTimeout="300000" acceptCount="100" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation" enableOCSP="false" ocspResponderURL="http://ipa1.example.com:8080/ca/ocsp" ocspResponderCertNickname="ocspSigningCert cert-pki-ca" ocspCacheSize="1000" ocspMinCacheEntryDuration="7200" ocspMaxCacheEntryDuration="14400" ocspTimeout="10" strictCiphers="true" clientAuth="want" sslVersionRangeStream="tls1_1:tls1_2" sslVersionRangeDatagram="tls1_1:tls1_2" sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384" serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf" passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" certdbDir="/var/lib/pki/pki-tomcat/alias"/>
|
|
<!-- DO NOT REMOVE - End define PKI secure port -->
|
|
<!-- Define an AJP 1.3 Connector on port 8009 -->
|
|
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost" requiredSecret="testSecret"/>
|
|
<!-- An Engine represents the entry point (within Catalina) that processes
|
|
every request. The Engine implementation for Tomcat stand alone
|
|
analyzes the HTTP headers included with the request, and passes them
|
|
on to the appropriate Host (virtual host).
|
|
Documentation at /docs/config/engine.html -->
|
|
<!-- You should set jvmRoute to support load-balancing via AJP ie :
|
|
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
|
|
-->
|
|
<Engine name="Catalina" defaultHost="localhost">
|
|
<!--For clustering, please take a look at documentation at:
|
|
/docs/cluster-howto.html (simple how to)
|
|
/docs/config/cluster.html (reference documentation) -->
|
|
<!--
|
|
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
|
|
-->
|
|
<!-- The request dumper valve dumps useful debugging information about
|
|
the request and response data received and sent by Tomcat.
|
|
Documentation at: /docs/config/valve.html -->
|
|
<!--
|
|
<Valve className="org.apache.catalina.valves.RequestDumperValve"/>
|
|
-->
|
|
<!-- This Realm uses the UserDatabase configured in the global JNDI
|
|
resources under the key "UserDatabase". Any edits
|
|
that are performed against this UserDatabase are immediately
|
|
available for use by the Realm. -->
|
|
<!--
|
|
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
|
|
resourceName="UserDatabase"/>
|
|
-->
|
|
<!--
|
|
<Realm className="com.netscape.cmscore.realm.PKIRealm" />
|
|
-->
|
|
<!-- Define the default virtual host
|
|
Note: XML Schema validation will not work with Xerces 2.2.
|
|
-->
|
|
<Host name="localhost" appBase="/var/lib/pki/pki-tomcat/webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
|
|
<!--
|
|
<Context path="/ca"
|
|
docBase="ca"
|
|
allowLinking="true">
|
|
<Loader className="org.apache.catalina.loader.VirtualWebappLoader"
|
|
virtualClasspath="/var/lib/pki/pki-tomcat/ca/webapps/ca/WEB-INF/classes;/var/lib/pki/pki-tomcat/ca/webapps/ca/WEB-INF/lib" />" />
|
|
<JarScanner scanAllDirectories="true" />
|
|
</Context>
|
|
|
|
<Context path="/kra"
|
|
docBase="kra"
|
|
allowLinking="true">
|
|
<Loader className="org.apache.catalina.loader.VirtualWebappLoader"
|
|
virtualClasspath="/var/lib/pki/pki-tomcat/kra/webapps/kra/WEB-INF/classes;/var/lib/pki/pki-tomcat/kra/webapps/kra/WEB-INF/lib" />
|
|
<JarScanner scanAllDirectories="true" />
|
|
</Context>
|
|
|
|
<Context path="/ocsp"
|
|
docBase="ocsp"
|
|
allowLinking="true">
|
|
<Loader className="org.apache.catalina.loader.VirtualWebappLoader"
|
|
virtualClasspath="/var/lib/pki/pki-tomcat/ocsp/webapps/ocsp/WEB-INF/classes;/var/lib/pki/pki-tomcat/ocsp/webapps/ocsp/WEB-INF/lib" />
|
|
<JarScanner scanAllDirectories="true" />
|
|
</Context>
|
|
|
|
<Context path="/tks"
|
|
docBase="tks"
|
|
allowLinking="true">
|
|
<Loader className="org.apache.catalina.loader.VirtualWebappLoader"
|
|
virtualClasspath="/var/lib/pki/pki-tomcat/tks/webapps/tks/WEB-INF/classes;/var/lib/pki/pki-tomcat/tks/webapps/tks/WEB-INF/lib" />
|
|
<JarScanner scanAllDirectories="true" />
|
|
</Context>
|
|
-->
|
|
<!-- SingleSignOn valve, share authentication between web applications
|
|
Documentation at: /docs/config/valve.html -->
|
|
<!--
|
|
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
|
|
-->
|
|
<!-- Access log processes all example.
|
|
Documentation at: /docs/config/valve.html -->
|
|
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
|
|
</Host>
|
|
</Engine>
|
|
</Service>
|
|
</Server> |