#!/bin/bash
#
# --- BEGIN COPYRIGHT BLOCK ---
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2007 Red Hat, Inc.
# All rights reserved.
# --- END COPYRIGHT BLOCK ---
#
# pki-rad Startup script for the Apache HTTP pki-ra Server
#
# chkconfig: - 86 14
# description: Registration Authority \
# (Apache 2.2)
# processname: pki-rad
# piddir: /var/run/pki/ra
# config: ${PKI_SERVER_ROOT}/conf/httpd.conf
PKI_INIT_SCRIPT=""
PKI_PATH="/usr/share/pki/ra"
PKI_PIDDIR="/var/run/pki/ra"
PKI_PROCESS="pki-rad"
PKI_REGISTRY="/etc/sysconfig/pki/ra"
PKI_SELINUX_TYPE="pki_ra_t"
PKI_TYPE="pki-ra"
# PKI subsystem-level directory and file values for locks
lockfile="/var/lock/subsys/pki-rad"
# Disallow 'others' the ability to 'write' to new files
umask 00002
default_error=0
command="$1"
pki_instance="$2"
case "${command}" in
start|stop|restart|condrestart|force-restart|try-restart)
# * 1 generic or unspecified error (current practice)
default_error=1
;;
reload)
default_error=3
;;
status)
# * 4 program or service status is unknown
default_error=4
;;
*)
# * 2 invalid argument(s)
default_error=2
;;
esac
# Check to insure that this script's original invocation directory
# has not been deleted!
CWD=`/bin/pwd > /dev/null 2>&1`
if [ $? -ne 0 ] ; then
echo "Cannot invoke '$0' from non-existent directory!"
exit ${default_error}
fi
# Check to insure that this script's associated PKI
# subsystem currently resides on this system.
if [ ! -d ${PKI_PATH} ] ; then
echo "This machine is missing the '${PKI_TYPE}' subsystem!"
if [ "${command}" != "status" ]; then
# * 5 program is not installed
exit 5
else
exit ${default_error}
fi
fi
# Check to insure that this script's associated PKI
# subsystem instance registry currently resides on this system.
if [ ! -d ${PKI_REGISTRY} ] ; then
echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!"
if [ "${command}" != "status" ]; then
# * 5 program is not installed
exit 5
else
exit ${default_error}
fi
fi
# Obtain the operating system upon which this script is being executed
# and initialize environment variables
OS=`uname -s`
ARCHITECTURE=""
LD_LIBRARY_PATH=""
# Time to wait in seconds, before killing process
#
# NOTE: Defined in "tomcat5.conf" for PKI Java/Tomcat Subsystems.
#
STARTUP_WAIT=30
SHUTDOWN_WAIT=30
# This script must be run as root!
RV=0
if [ ${OS} = "Linux" ] ; then
PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}"
if [ `id -u` -ne 0 ] ; then
echo "Must be 'root' to execute '$0'!"
if [ "${command}" != "status" ]; then
# * 4 user had insufficient privilege
exit 4
else
# * 4 program or service status is unknown
exit 4
fi
fi
ARCHITECTURE=`uname -i`
if [ ${ARCHITECTURE} = "i386" ] ; then
LD_LIBRARY_PATH="/usr/lib:/lib:${LD_LIBRARY_PATH}"
elif [ ${ARCHITECTURE} = "x86_64" ] ; then
LD_LIBRARY_PATH="/usr/lib64:/lib64:${LD_LIBRARY_PATH}"
else
echo "Unsupported architecture '${ARCHITECTURE}'!"
exit ${default_error}
fi
elif [ ${OS} = "SunOS" ] ; then
PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}"
if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
echo "Must be 'root' to execute '$0'!"
if [ "${command}" != "status" ]; then
# * 4 user had insufficient privilege
exit 4
else
# * 4 program or service status is unknown
exit 4
fi
fi
ARCHITECTURE=`uname -p`
if [ "${ARCHITECTURE}" = "sparc" ] &&
[ -d "/usr/lib/sparcv9/" ] ; then
ARCHITECTURE="sparcv9"
fi
if [ ${ARCHITECTURE} = "sparcv9" ] ; then
LD_LIBRARY_PATH="/usr/lib/sparcv9:/lib/sparcv9:${LD_LIBRARY_PATH}"
LD_LIBRARY_PATH="/usr/lib/sparcv9/dirsec:${LD_LIBRARY_PATH}"
else
echo "Unsupported architecture '${ARCHITECTURE}'!"
exit ${default_error}
fi
else
echo "Unsupported OS '${OS}'!"
exit ${default_error}
fi
export LD_LIBRARY_PATH
# Source function library.
if [ -f /etc/init.d/functions ]; then
. /etc/init.d/functions
else
# The checkpid() function is provided for platforms that do not
# contain the "/etc/init.d/functions" file (e. g. - Solaris) . . .
# Check if ${pid} (could be plural) are running (keep count)
checkpid()
{
rv=0
for i in $* ; do
ps -p $i > /dev/null 2>&1 ;
if [ $? -ne 0 ] ; then
rv=`expr $rv + 1`
else
rv=`expr $rv + 0`
fi
done
# echo "rv=$rv"
return $rv
}
# Create the following directories on platforms
# where they do not exist (e. g. - Solaris) . . .
if [ ! -d "/var/lock" ] ; then
mkdir -p /var/lock
chown root:sys /var/lock
chmod 00755 /var/lock
fi
if [ ! -d "/var/lock/subsys" ] ; then
mkdir -p /var/lock/subsys
chown root:root /var/lock/subsys
chmod 00755 /var/lock/subsys
fi
fi
PKI_REGISTRY_ENTRIES=""
TOTAL_PKI_REGISTRY_ENTRIES=0
TOTAL_UNCONFIGURED_PKI_ENTRIES=0
# Gather ALL registered instances of this PKI subsystem type
for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
if [ -f "$FILE" ] ; then
inst=`echo "$FILE"`
PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst"
TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1`
fi
done
if [ -n "${pki_instance}" ]; then
for I in ${PKI_REGISTRY_ENTRIES}; do
if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then
PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}"
TOTAL_PKI_REGISTRY_ENTRIES=1
break
fi
done
fi
usage()
{
echo -n "Usage: ${PKI_INIT_SCRIPT} "
echo -n "{start"
echo -n "|stop"
echo -n "|restart"
echo -n "|condrestart"
echo -n "|force-restart"
echo -n "|try-restart"
echo -n "|reload"
echo -n "|status} "
echo -n "[instance-name]"
echo
echo
}
list_instances()
{
echo
for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
echo " ${FILE}"
done
echo
}
# Check arguments
if [ $# -lt 1 ] ; then
# * 3 unimplemented feature (for example, "reload")
# [insufficient arguments]
echo "$0: Insufficient arguments!"
echo
usage
echo "where valid instance names include:"
list_instances
exit 3
elif [ ${default_error} -eq 2 ] ; then
# * 2 invalid argument
echo "$0: Invalid arguments!"
echo
usage
echo "where valid instance names include:"
list_instances
exit 2
elif [ $# -gt 2 ] ; then
echo "$0: Excess arguments!"
echo
usage
echo "where valid instance names include:"
list_instances
if [ "${command}" != "status" ]; then
# * 2 excess arguments
exit 2
else
# * 4 program or service status is unknown
exit 4
fi
fi
# If an "instance" was supplied, check that it is a "valid" instance
if [ -n "${pki_instance}" ]; then
if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then
echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance"
echo_failure
echo
if [ "${command}" != "status" ]; then
# * 5 program is not installed
exit 5
else
# * 4 program or service status is unknown
exit 4
fi
fi
fi
# On Solaris /var/run is in tmpfs and gets wiped out upon reboot
# we have to recreate the ${PKI_PIDDIR} directory and make sure that
# the directory is writable by the ${PKI_TYPE} server process.
#
# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize
# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the
# "${PKI_PIDDIR}" will end up with the ownership permissions
# of the first instance that executes this function!
#
fix_pid_dir_ownership()
{
if [ ! -d ${PKI_PIDDIR} ] ; then
mkdir -p ${PKI_PIDDIR}
chown root:root /var/run/pki
chmod 00755 /var/run/pki
chown root:root ${PKI_PIDDIR}
chmod 00755 ${PKI_PIDDIR}
fi
}
check_pki_configuration_status()
{
rv=0
rv=`grep -c ^preop ${pki_instance_configuration_file}`
rv=`expr ${rv} + 0`
if [ ${rv} -ne 0 ] ; then
echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)"
if [ "${command}" != "status" ]; then
# * 6 program is not configured
rv=6
else
# * 4 program or service status is unknown
rv=4
fi
TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1`
elif [ -f ${RESTART_SERVER} ] ; then
echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
echo -n "it must still be RESTARTED!"
echo
if [ "${command}" != "status" ]; then
# * 1 generic or unspecified error (current practice)
rv=1
else
# * 4 program or service status is unknown
rv=4
fi
fi
return ${rv}
}
get_pki_status_definitions()
{
# establish well-known strings
listen_statement="Listen"
total_ports=0
UNSECURE_PORT=""
CLIENTAUTH_PORT=""
NON_CLIENTAUTH_PORT=""
# check to see that an instance-specific "httpd.conf" file exists
if [ ! -f ${PKI_HTTPD_CONF} ] ; then
echo "File '${PKI_HTTPD_CONF}' does not exist!"
exit ${default_error}
fi
# check to see that an instance-specific "nss.conf" file exists
if [ ! -f ${PKI_NSS_CONF} ] ; then
echo "File '${PKI_NSS_CONF}' does not exist!"
exit ${default_error}
fi
# read this instance-specific "httpd.conf" file line-by-line
# to obtain the current value of the PKI unsecure port
exec < ${PKI_HTTPD_CONF}
while read line; do
# look for the listen statement
head=`echo $line | cut -b1-6`
if [ "$head" == "$listen_statement" ] ; then
# once the 'unsecure' listen statement has been found,
# extract the numeric port information
port=`echo $line | cut -b8-`
UNSECURE_PORT=$port
echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}"
total_ports=`expr ${total_ports} + 1`
break;
fi
done
# read this instance-specific "nss.conf" file line-by-line
# to obtain the current value of the "clientauth" PKI secure port
# AND the current value of the "non-clientauth" PKI secure port
exec < ${PKI_NSS_CONF}
while read line; do
# look for the listen statement
head=`echo $line | cut -b1-6`
if [ "$head" == "$listen_statement" ] &&
[ ${total_ports} -eq 2 ] ; then
# once the 'non-clientauth' listen statement has been found,
# extract the numeric port information
non_clientauth_port=`echo $line | cut -b8-`
NON_CLIENTAUTH_PORT=$non_clientauth_port
echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}"
total_ports=`expr ${total_ports} + 1`
break
fi
if [ "$head" == "$listen_statement" ] &&
[ ${total_ports} -eq 1 ] ; then
# once the 'clientauth' listen statement has been found,
# extract the numeric port information
clientauth_port=`echo $line | cut -b8-`
CLIENTAUTH_PORT=$clientauth_port
echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}"
total_ports=`expr ${total_ports} + 1`
fi
done
if [ ${total_ports} -eq 3 ] ; then
return 0
else
return ${default_error}
fi
}
get_pki_configuration_definitions()
{
# Obtain the PKI Subsystem Type
line=`grep ^cs.type= ${pki_instance_configuration_file}`
pki_subsystem=`echo "${line}" | cut -b9-`
if [ "${line}" != "" ] ; then
if [ "${pki_subsystem}" != "CA" ] &&
[ "${pki_subsystem}" != "KRA" ] &&
[ "${pki_subsystem}" != "OCSP" ] &&
[ "${pki_subsystem}" != "TKS" ] &&
[ "${pki_subsystem}" != "RA" ] &&
[ "${pki_subsystem}" != "TPS" ]
then
return ${default_error}
fi
if [ "${pki_subsystem}" == "KRA" ] ; then
# Rename "KRA" to "DRM"
pki_subsystem="DRM"
fi
else
return ${default_error}
fi
# If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
# check to see if "${pki_subsystem}" is a "Clone"
pki_clone=""
if [ "${pki_subsystem}" == "CA" ] ||
[ "${pki_subsystem}" == "DRM" ] ||
[ "${pki_subsystem}" == "OCSP" ] ||
[ "${pki_subsystem}" == "TKS" ]
then
line=`grep ^subsystem.select= ${pki_instance_configuration_file}`
if [ "${line}" != "" ] ; then
pki_clone=`echo "${line}" | cut -b18-`
if [ "${pki_clone}" != "Clone" ] ; then
# Reset "${pki_clone}" to be empty
pki_clone=""
fi
else
return ${default_error}
fi
fi
# If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
# see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
pki_hierarchy=""
if [ "${pki_subsystem}" == "CA" ] &&
[ "${pki_clone}" != "Clone" ]
then
line=`grep ^hierarchy.select= ${pki_instance_configuration_file}`
if [ "${line}" != "" ] ; then
pki_hierarchy=`echo "${line}" | cut -b18-`
else
return ${default_error}
fi
fi
# If ${pki_subsystem} is a CA, check to
# see if it is also a Security Domain
pki_security_domain=""
if [ "${pki_subsystem}" == "CA" ] ; then
line=`grep ^securitydomain.select= ${pki_instance_configuration_file}`
if [ "${line}" != "" ] ; then
pki_security_domain=`echo "${line}" | cut -b23-`
if [ "${pki_security_domain}" == "new" ] ; then
# Set a fixed value for "${pki_security_domain}"
pki_security_domain="(Security Domain)"
else
# Reset "${pki_security_domain}" to be empty
pki_security_domain=""
fi
else
return ${default_error}
fi
fi
# Always obtain this PKI instance's "registered"
# security domain information
pki_security_domain_name=""
pki_security_domain_hostname=""
pki_security_domain_https_admin_port=""
line=`grep ^securitydomain.name= ${pki_instance_configuration_file}`
if [ "${line}" != "" ] ; then
pki_security_domain_name=`echo "${line}" | cut -b21-`
else
return ${default_error}
fi
line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
if [ "${line}" != "" ] ; then
pki_security_domain_hostname=`echo "${line}" | cut -b21-`
else
return ${default_error}
fi
line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
if [ "${line}" != "" ] ; then
pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
else
return ${default_error}
fi
# Compose the "PKI Instance Name" Status Line
pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}"
# Compose the "PKI Subsystem Type" Status Line
header="PKI Subsystem Type: "
if [ "${pki_clone}" != "" ] ; then
if [ "${pki_security_domain}" != "" ]; then
# Possible Values:
#
# "CA Clone (Security Domain)"
#
data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
else
# Possible Values:
#
# "CA Clone"
# "DRM Clone"
# "OCSP Clone"
# "TKS Clone"
#
data="${pki_subsystem} ${pki_clone}"
fi
elif [ "${pki_hierarchy}" != "" ] ; then
if [ "${pki_security_domain}" != "" ]; then
# Possible Values:
#
# "Root CA (Security Domain)"
# "Subordinate CA (Security Domain)"
#
data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
else
# Possible Values:
#
# "Root CA"
# "Subordinate CA"
#
data="${pki_hierarchy} ${pki_subsystem}"
fi
else
# Possible Values:
#
# "DRM"
# "OCSP"
# "RA"
# "TKS"
# "TPS"
#
data="${pki_subsystem}"
fi
pki_subsystem_type="${header} ${data}"
# Compose the "Registered PKI Security Domain Information" Status Line
header="Name: "
registered_pki_security_domain_name="${header} ${pki_security_domain_name}"
header="URL: "
if [ "${pki_security_domain_hostname}" != "" ] &&
[ "${pki_security_domain_https_admin_port}" != "" ]
then
data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
else
return ${default_error}
fi
registered_pki_security_domain_url="${header} ${data}"
# Print the "PKI Subsystem Type" Status Line
echo
echo " ${pki_instance_name}"
# Print the "PKI Subsystem Type" Status Line
echo
echo " ${pki_subsystem_type}"
# Print the "Registered PKI Security Domain Information" Status Line
echo
echo " Registered PKI Security Domain Information:"
echo " =========================================================================="
echo " ${registered_pki_security_domain_name}"
echo " ${registered_pki_security_domain_url}"
echo " =========================================================================="
return 0
}
get_pki_secure_port()
{
# establish well-known strings
listen_statement="Listen"
# first check to see that an instance-specific "nss.conf" file exists
if [ ! -f ${PKI_NSS_CONF} ] ; then
echo "File '${PKI_NSS_CONF}' does not exist!"
exit ${default_error}
fi
# read this instance-specific "nss.conf" file line-by-line
# to obtain the current value of the "clientauth" PKI secure port
exec < ${PKI_NSS_CONF}
while read line; do
# look for the listen statement
head=`echo $line | cut -b1-6`
if [ "$head" == "$listen_statement" ] ; then
# once the 'clientauth' listen statement has been found,
# extract the numeric port information
port=`echo $line | cut -b8-`
SECURE_PORT=$port
return 0
fi
done
return ${default_error}
}
display_instance_status()
{
rv=0
if [ -f ${pidfile} ] ; then
pid=`cat ${pidfile}`
if [ "${pid}" == "" ] ; then
echo "${PKI_INSTANCE_ID} pid file exists but is empty"
if [ "${command}" != "status" ]; then
# * 1 generic or unspecified error (current practice)
rv=1
else
# * 4 program or service status is unknown
rv=4
fi
elif kill -0 ${pid} > /dev/null 2>&1 ; then
echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..."
echo
check_pki_configuration_status
rv=$?
if [ ${rv} -eq 0 ] ; then
get_pki_status_definitions
rv=$?
if [ ${rv} -ne 0 ] ; then
echo
echo "${PKI_INSTANCE_ID} Status Definitions not found"
else
get_pki_configuration_definitions
rv=$?
if [ ${rv} -ne 0 ] ; then
echo
echo "${PKI_INSTANCE_ID} Configuration Definitions not found"
fi
fi
else
# From the PKI point of view for a "non-status" action,
# a returned error code of "6" implies that the program
# is not "configured". Similarly, an error code of "1"
# implies that the program was "configured" but must
# still be restarted.
#
# Similarly, from the PKI point of view for a "status"
# action, a returned error code of "4" implies that either
# the program is not "configured", or that the program
# was "configured" but must still be restarted.
#
# Regardless, it must still be considered that the instance
# is "running" from the viewpoint of other OS programs such
# as 'chkconfig'.
#
# For this reason, when returning from
# 'display_instance_status()', ignore non-zero return codes
# returned from 'check_pki_configuration_status()'.
#
if [ "${command}" != "status" ]; then
# * 0 action was successful
rv=0
else
# * 0 program is running or service is OK
rv=0
fi
fi
echo
else
echo "${PKI_INSTANCE_ID} is dead but pid file exists"
if [ "${command}" != "status" ]; then
# * 1 generic or unspecified error (current practice)
rv=1
else
# * 1 program is dead and /var/run pid file exists
rv=1
fi
fi
else
echo "${PKI_INSTANCE_ID} is stopped"
if [ "${command}" != "status" ]; then
# * 7 program is not running
rv=7
else
# * 3 program is not running
rv=3
fi
fi
return ${rv}
}
start_instance()
{
rv=0
echo -n $"Starting ${prog}: "
if [ -f ${RESTART_SERVER} ] ; then
rm -f ${RESTART_SERVER}
fi
if [ -f ${PKI_LOCKFILE} ] ; then
if [ -f ${pidfile} ]; then
read kpid < ${pidfile}
if checkpid $kpid 2>&1; then
echo
echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..."
echo
check_pki_configuration_status
rv=$?
if [ ${rv} != 0 ]; then
# From the PKI point of view for a "non-status" action,
# a returned error code of "6" implies that the program
# is not "configured". Similarly, an error code of "1"
# implies that the program was "configured" but must
# still be restarted.
#
# Regardless, it must still be considered that the instance
# is "running" from the viewpoint of other OS programs such
# as 'chkconfig'.
#
# For "non-status" actions, ignore return codes of "1"
# from 'check_pki_configuration_status()'.
#
# However, for "non-status" actions that have a return
# code of "6", return this value unchanged to
# the calling routine so that the total number of
# configuration errors may be counted.
#
echo
if [ ${rv} = 1 ] ; then
# * 0 action was successful
return 0
elif [ ${rv} = 6 ] ; then
# * 6 program is not configured
return 6
else
# should never be reached
return ${rv}
fi
else
return 0
fi
else
echo
echo -n "lock file found but no process "
echo -n "running for pid $kpid, continuing"
echo
echo
rm -f ${PKI_LOCKFILE}
fi
fi
fi
fix_pid_dir_ownership
touch ${pidfile}
chown ${PKI_USER}:${PKI_GROUP} ${pidfile}
chmod 00600 ${pidfile}
[ -x /sbin/restorecon ] && /sbin/restorecon ${pidfile}
# restore context for ncipher hsm
[ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
if [ -f /etc/init.d/functions ]; then
/usr/sbin/selinuxenabled
rv=$?
if [ ${rv} = 0 ] ; then
if [ ${ARCHITECTURE} = "i386" ] ; then
LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
# overwrite output from "daemon"
echo -n $"Starting ${prog}: "
elif [ ${ARCHITECTURE} = "x86_64" ] ; then
# NOTE: "daemon" is incompatible with "httpd"
# on 64-bit architectures
LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
fi
else
LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS}
# overwrite output from "daemon"
echo -n $"Starting ${prog}: "
fi
else
LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -k start
fi
rv=$?
if [ ${rv} = 0 ] ; then
touch ${PKI_LOCKFILE}
chown ${PKI_USER}:${PKI_GROUP} ${PKI_LOCKFILE}
chmod 00600 ${PKI_LOCKFILE}
fi
if [ ${rv} = 0 ] ; then
count=0;
let swait=$STARTUP_WAIT
until [ -s ${pidfile} ] ||
[ $count -gt $swait ]
do
echo -n "."
sleep 1
let count=$count+1;
done
if [ -f /etc/init.d/functions ]; then
if [ "$CONSOLETYPE" = "serial" ]; then
echo -n " "
fi
echo_success
echo
else
echo " [ OK ]"
fi
get_pki_secure_port
if [ $? -ne 0 ] ; then
SECURE_PORT="<Port Undefined>"
fi
# Set permissions of log files
for file in ${pki_logs_directory}/*; do
chown ${PKI_USER}:${PKI_GROUP} ${file}
chmod 00660 ${file}
done
# ignore "status" return codes
echo
display_instance_status
else
if [ -f /etc/init.d/functions ]; then
if [ "$CONSOLETYPE" = "serial" ]; then
$0 echo -n " "
fi
echo_failure
echo
else
echo " [ FAILED ]"
fi
fi
if [ ${OS} = "Linux" ] ; then
sleep 10
elif [ ${OS} = "SunOS" ] ; then
sleep 20
fi
return ${rv}
}
stop_instance()
{
rv=0
echo -n "Stopping ${prog}: "
if [ -f ${PKI_LOCKFILE} ] ; then
${httpd} ${PKI_OPTIONS} -k stop
rv=$?
if [ ${rv} = 0 ]; then
count=0;
if [ -f ${pidfile} ]; then
read kpid < ${pidfile}
let kwait=$SHUTDOWN_WAIT
until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
[ $count -gt $kwait ]
do
echo -n "."
sleep 1
let count=$count+1;
done
if [ $count -gt $kwait ]; then
kill -9 $kpid
fi
fi
rm -f ${PKI_LOCKFILE}
rm -f ${pidfile}
if [ -f /etc/init.d/functions ]; then
if [ "$CONSOLETYPE" = "serial" ]; then
echo -n " "
fi
echo_success
echo
else
echo " [ OK ]"
fi
else
if [ -f /etc/init.d/functions ]; then
if [ "$CONSOLETYPE" = "serial" ]; then
echo -n " "
fi
echo_failure
echo
else
echo " [ FAILED ]"
fi
rv=${default_error}
fi
else
echo
echo "process already stopped"
rv=0
fi
return ${rv}
}
reload_instance()
{
rv=0
echo -n $"Reloading ${prog}: "
if ! LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -t >&/dev/null; then
rv=$?
echo $"not reloading due to configuration syntax error"
if [ -f /etc/init.d/functions ]; then
failure $"not reloading ${httpd} due to configuration syntax error"
else
echo $"not reloading ${httpd} due to configuration syntax error"
fi
else
if [ -f /etc/init.d/functions ]; then
killproc -p ${pidfile} ${httpd} -HUP
rv=$?
else
if [ -f ${PKI_LOCKFILE} ] ; then
if [ -f ${pidfile} ]; then
read kpid < ${pidfile}
if checkpid $kpid 2>&1; then
kill -HUP $kpid
rv=$?
if [ ${rv} != 0 ]; then
rv=${default_error}
fi
fi
else
# * 7 program is not running
rv=7
echo
echo -n "lock file found but no process "
echo -n "running for pid $kpid, continuing"
echo
echo
rm -f ${PKI_LOCKFILE}
fi
fi
fi
fi
echo
return ${rv}
}
# The semantics of the 'start()' function differs from the way 'apachectl'
# does things -- attempting to start while running is a failure.
# So we just do it the way init scripts are expected to behave here.
start()
{
# From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
#
# * 0 action was successful
# * 1 generic or unspecified error (current practice)
# * 2 invalid or excess argument(s)
# * 3 unimplemented feature (for example, "reload")
# * 4 user had insufficient privilege
# * 5 program is not installed
# * 6 program is not configured
# * 7 program is not running
# * 8-99 reserved for future LSB use
# * 100-149 reserved for distribution use
# * 150-199 reserved for application use
# * 200-254 reserved
#
error_rv=0
rv=0
if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
config_errors=0
errors=0
if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):"
fi
# Start every PKI instance of this type that isn't already running
for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
# Source values associated with this particular PKI instance
[ -f ${PKI_REGISTRY_ENTRY} ] &&
. ${PKI_REGISTRY_ENTRY}
pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
[ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
start_instance
rv=$?
if [ ${rv} = 6 ] ; then
# Since at least ONE configuration error exists, then there
# is at least ONE unconfigured instance from the PKI point
# of view.
#
# However, it must still be considered that the
# instance is "running" from the point of view of other
# OS programs such as 'chkconfig'.
#
# Therefore, ignore non-zero return codes resulting
# from configuration errors.
#
config_errors=`expr $config_errors + 1`
rv=0
elif [ ${rv} != 0 ] ; then
errors=`expr $errors + 1`
error_rv=${rv}
fi
done
if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
touch ${lockfile}
chmod 00600 ${lockfile}
fi
# ONLY print a "WARNING" message if multiple
# instances are being examined
if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
# NOTE: "bad" return code(s) OVERRIDE configuration errors!
if [ ${errors} -eq 1 ]; then
# Since only ONE error exists, return that "bad" error code.
rv=${error_rv}
elif [ ${errors} -gt 1 ]; then
# Since MORE than ONE error exists, return an OVERALL status
# of "1 generic or unspecified error (current practice)"
rv=1
fi
if [ ${errors} -ge 1 ]; then
echo
echo -n "WARNING: "
echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
echo -n "'${PKI_TYPE}' instances failed to start!"
echo
fi
if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
echo
echo -n "WARNING: "
echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
echo -n "'${PKI_TYPE}' instances MUST be configured!"
echo
fi
echo
echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
fi
else
echo
echo "ERROR: No '${PKI_TYPE}' instances installed!"
rv=5
fi
return ${rv}
}
# The semantics of the 'stop()' function differs from the way 'apachectl'
# does things -- attempting to shutdown when not running is a failure.
# So we just do it the way init scripts are expected to behave here.
stop()
{
# From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
#
# * 0 action was successful
# * 1 generic or unspecified error (current practice)
# * 2 invalid or excess argument(s)
# * 3 unimplemented feature (for example, "reload")
# * 4 user had insufficient privilege
# * 5 program is not installed
# * 6 program is not configured
# * 7 program is not running
# * 8-99 reserved for future LSB use
# * 100-149 reserved for distribution use
# * 150-199 reserved for application use
# * 200-254 reserved
#
error_rv=0
rv=0
if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
errors=0
if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
fi
# Shutdown every PKI instance of this type that is running
for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
# Source values associated with this particular PKI instance
[ -f ${PKI_REGISTRY_ENTRY} ] &&
. ${PKI_REGISTRY_ENTRY}
pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
[ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
stop_instance
rv=$?
if [ ${rv} != 0 ] ; then
errors=`expr $errors + 1`
error_rv=${rv}
fi
done
if [ ${errors} -eq 0 ] ; then
rm -f ${lockfile}
fi
# ONLY print a "WARNING" message if multiple
# instances are being examined
if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
if [ ${errors} -eq 1 ]; then
# Since only ONE error exists, return that "bad" error code.
rv=${error_rv}
elif [ ${errors} -gt 1 ]; then
# Since MORE than ONE error exists, return an OVERALL status
# of "1 generic or unspecified error (current practice)"
rv=1
fi
if [ ${errors} -ge 1 ]; then
echo
echo -n "WARNING: "
echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
echo -n "'${PKI_TYPE}' instances were "
echo -n "unsuccessfully stopped!"
echo
fi
echo
echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
fi
else
echo
echo "ERROR: No '${PKI_TYPE}' instances installed!"
rv=5
fi
return ${rv}
}
restart()
{
# From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
#
# * 0 action was successful
# * 1 generic or unspecified error (current practice)
# * 2 invalid or excess argument(s)
# * 3 unimplemented feature (for example, "reload")
# * 4 user had insufficient privilege
# * 5 program is not installed
# * 6 program is not configured
# * 7 program is not running
# * 8-99 reserved for future LSB use
# * 100-149 reserved for distribution use
# * 150-199 reserved for application use
# * 200-254 reserved
#
stop
sleep 2
echo
echo "============================================================"
echo
start
return $?
}
reload()
{
# From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
#
# * 0 action was successful
# * 1 generic or unspecified error (current practice)
# * 2 invalid or excess argument(s)
# * 3 unimplemented feature (for example, "reload")
# * 4 user had insufficient privilege
# * 5 program is not installed
# * 6 program is not configured
# * 7 program is not running
# * 8-99 reserved for future LSB use
# * 100-149 reserved for distribution use
# * 150-199 reserved for application use
# * 200-254 reserved
#
error_rv=0
rv=0
if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
errors=0
if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
echo "BEGIN RELOADING '${PKI_TYPE}' INSTANCE(S):"
fi
# Reload every PKI instance of this type that is running
for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
# Source values associated with this particular PKI instance
[ -f ${PKI_REGISTRY_ENTRY} ] &&
. ${PKI_REGISTRY_ENTRY}
pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
[ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
reload_instance
rv=$?
if [ ${rv} != 0 ] ; then
errors=`expr $errors + 1`
error_rv=${rv}
fi
done
# ONLY print a "WARNING" message if multiple
# instances are being examined
if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
if [ ${errors} -eq 1 ]; then
# Since only ONE error exists, return that "bad" error code.
rv=${error_rv}
elif [ ${errors} -gt 1 ]; then
# Since MORE than ONE error exists, return an OVERALL status
# of "1 generic or unspecified error (current practice)"
rv=1
fi
if [ ${errors} -ge 1 ]; then
echo
echo -n "WARNING: "
echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
echo -n "'${PKI_TYPE}' instances were "
echo -n "unsuccessfully reloaded!"
echo
fi
echo
echo "FINISHED RELOADING '${PKI_TYPE}' INSTANCE(S)."
fi
else
echo
echo "ERROR: No '${PKI_TYPE}' instances reloaded!"
rv=5
fi
return ${rv}
}
status()
{
# From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
#
# * 0 program is running or service is OK
# * 1 program is dead and /var/run pid file exists
# * 2 program is dead and /var/lock lock file exists
# * 3 program is not running
# * 4 program or service status is unknown
# * 5-99 reserved for future LSB use
# * 100-149 reserved for distribution use
# * 150-199 reserved for application use
# * 200-254 reserved
#
error_rv=0
rv=0
if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
errors=0
if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
fi
# Obtain status of every PKI instance of this type
for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
# Source values associated with this particular PKI instance
[ -f ${PKI_REGISTRY_ENTRY} ] &&
. ${PKI_REGISTRY_ENTRY}
pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
[ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
display_instance_status
rv=$?
if [ ${rv} -ne 0 ] ; then
errors=`expr $errors + 1`
error_rv=${rv}
fi
done
# ONLY print a "WARNING" message if multiple
# instances are being examined
if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
if [ ${errors} -eq 1 ]; then
# Since only ONE error exists, return that "bad" error code.
rv=${error_rv}
elif [ ${errors} -gt 1 ]; then
# Since MORE than ONE error exists, return an OVERALL status
# of "4 - program or service status is unknown"
rv=4
fi
if [ ${errors} -ge 1 ]; then
echo
echo -n "WARNING: "
echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
echo -n "'${PKI_TYPE}' instances reported status failures!"
echo
fi
if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
echo
echo -n "WARNING: "
echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
echo -n "'${PKI_TYPE}' instances MUST be configured!"
echo
fi
echo
echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
fi
else
echo
echo "ERROR: No '${PKI_TYPE}' instances installed!"
rv=4
fi
return ${rv}
}
# See how we were called.
case "${command}" in
start|stop|restart|reload|status)
${command}
exit $?
;;
condrestart|force-restart|try-restart)
[ ! -f ${lockfile} ] || restart
exit $?
;;
*)
# * 3 unimplemented feature (for example, "reload")
# [invalid command - should never be reached]
echo
usage
echo "where valid instance names include:"
list_instances
exit 3
;;
esac
