Open Source PKI

Background

Dogtag Certificate System comprises six major subsystems as described in PKI Architecture - Certificate System.

To use Dogtag Certificate System 9.0 and earlier, one or more instances of each required PKI subsystem had to be installed and configured separately, each as its own instance of that specific subsystem type.

Each PKI instance of a CA, DRM (Data Recovery Manager; referred to as the KRA in the new deployment design below), OCSP, or TKS was created as its own instance of Tomcat, whereas each PKI instance of an RA or TPS was created as its own instance of Apache; more than one instance of the same type could reside on the same host machine or VM.

PKI Instance Installation (Legacy)

Dogtag Certificate System 9.0 and earlier used the following command-line utilities to install PKI instances:

    Operation:    Installation
    Description:  The pkicreate command-line utility, a Perl script with a large number of command-line options, used to create the specified type of PKI instance.
    Packages:     pki-setup, pki-selinux

PKI Instance Configuration (Legacy)

For Dogtag Certificate System 9.0 and earlier, once a PKI instance was created, it needed to be configured before it could be used. To accomplish this, the following two methods of operation were provided:

    Operation:    Interactive (Manual) Configuration
    Description:  Firefox browser-based configuration using Dogtag-specific branded panels.
    Packages:     dogtag-pki-ca-theme, dogtag-pki-common-theme, dogtag-pki-kra-theme, dogtag-pki-ocsp-theme, dogtag-pki-ra-theme, dogtag-pki-tks-theme, dogtag-pki-tps-theme

    Operation:    Batch Configuration
    Description:  The pkisilent command-line utility, a Perl script with a large number of command-line options, used to call the appropriate Java program to configure the given PKI instance, following the order of the 'Manual' configuration panels for that particular type of PKI instance.
    Packages:     pki-silent

PKI Instance Removal (Legacy)

Dogtag Certificate System 9.0 and earlier used the following command-line utilities to remove PKI instances:

    Operation:    Removal
    Description:  The pkiremove command-line utility, a Perl script with a large number of command-line options, used to remove the specified PKI instance.
    Packages:     pki-setup, pki-selinux

Design Goals

For the embedded version of PKI, the following design goals are desired:

PKI Instance Deployment (Proposed)

  • Encapsulate PKI instance installation and configuration within a single Python script which works in conjunction with the new Java PKI installation servlet, and provide the various command-line options via a configuration file.
  • For Tomcat deployment purposes, integrate the use of a common shared "war" file.
  • Integrate Python exception handling so that any error encountered is reported cleanly and the deployment stops at the failing step.

PKI Instance Installation (Proposed)

  • Collapse installation server code into a single servlet, replacing the pkicreate and pkiremove Perl scripts with alternatives written in Python, removing the need for any template-based substitutions.
  • Use a configuration file in lieu of command-line parameters, eliminating port and location choices being specified as passed-in parameters.
  • Use proxy logic by default to drastically reduce the number of ports (e. g. - 8009 AJP, 8080 http, and 8443 https) thus eliminating the pki-proxy tool.
  • Combine individual CA, DRM, OCSP, and TKS Tomcat-based instances into a single instance of Tomcat accessible via a RESTEasy interface.
  • Disallow the creation of multiple instances of a CA, DRM, OCSP, or TKS on a single host machine or VM, effectively eliminating the need for a PKI instance registry (although this would still be useful for non-default PKI instance installations).
  • Use the default Tomcat instance thereby eliminating the need for PKI subsystem SYS-V initialization scripts and/or PKI-specific systemd services.
  • Reuse the default system Tomcat SELinux policy to eliminate the need for PKI-specific SELinux policies.
  • Seamlessly integrate support for "upgrading" an existing PKI instance via a -u update option on the command line.

PKI Instance Configuration (Proposed)

  • Re-write the pki-silent Perl script as a Python script which utilizes the single Java PKI installation servlet identified above to perform PKI configuration making it completely independent of any previous manual browser-based panels.
  • Eliminate the ability to manually configure a PKI instance via a browser, thus removing the runtime requirement for any theme-based UI components.

PKI Instance Removal (Proposed)

  • Provide PKI instance removal command-line options via a configuration file.

Associated Bugs

Detailed Design

Design Considerations

Due to aggressive scheduling, this effort will be broken down into the following phases:

Phase I

  • Install, configure, and remove a simple CA (no clone/no subordinate CA)
  • Install, configure, and remove a simple DRM (no clone)

Phase II

  • Add support to allow a command-line option of specifying a customized configuration file that will be merged with the existing configuration file

Phase III

  • [TBD]

High-Level Design

PKI Deployment Package (Proposed)

A new package called pki-deploy will be created which contains the following:

    Item:      pkispawn
    Location:  /usr/bin
    Purpose:   Python script utilized for installation and configuration of a PKI instance

    Item:      pkidestroy
    Location:  /usr/bin
    Purpose:   Python script utilized for removal of a PKI instance

    Item:      pkideployment.cfg
    Location:  /usr/share/pki/deployment/config
    Purpose:   Default pre-defined PKI instance configuration file

    Item:      "scriptlets"
    Location:  /usr/lib/python<version>/site-packages/pki/deployment
    Purpose:   General-purpose stand-alone Python scripts which will be invoked in a pre-determined numerical order by pkispawn and pkidestroy to perform all PKI instance installation, configuration, and removal tasks

    Item:      Symlinks (Installation/Configuration)
    Location:  /usr/share/pki/deployment/spawn/ca
               /usr/share/pki/deployment/spawn/kra
               /usr/share/pki/deployment/spawn/ocsp
               /usr/share/pki/deployment/spawn/ra
               /usr/share/pki/deployment/spawn/tks
               /usr/share/pki/deployment/spawn/tps
    Purpose:   Enumerated symbolic links to corresponding Python installation/configuration "scriptlets"

    Item:      Symlinks (Removal)
    Location:  /usr/share/pki/deployment/destroy/ca
               /usr/share/pki/deployment/destroy/kra
               /usr/share/pki/deployment/destroy/ocsp
               /usr/share/pki/deployment/destroy/ra
               /usr/share/pki/deployment/destroy/tks
               /usr/share/pki/deployment/destroy/tps
    Purpose:   Enumerated symbolic links to corresponding Python removal "scriptlets"

The pkispawn and pkidestroy Python code will only contain basic installation and removal engine frameworks respectively.

The code contained within these two engines will be minimal, primarily relying upon data obtained from a configuration file, and specific invocation execution based upon enumerated symlinks to scriptlets.

Since configuration files will be utilized by the new pkispawn and pkidestroy command-line Python scripts, command-line options will be dramatically reduced.

PKI Deployment Packages (Legacy)

The pki-setup, pki-selinux, and pki-silent packages will be removed and replaced by the new pki-deploy package in the pki-core source package.

Similarly, the dogtag-pki-ca-theme, dogtag-pki-common-theme, dogtag-pki-kra-theme, dogtag-pki-ocsp-theme, dogtag-pki-ra-theme, dogtag-pki-tks-theme, and dogtag-pki-tps-theme packages will be removed from the dogtag-pki-theme source package during their appropriate phase detailed above, and the various runtime dependency requirements will be deleted from their respective packages (e. g. - the pki-ca-theme runtime requirement will be removed from the pki-ca package).

The following table summarizes the old and new command-line utilities and their associated packages:

    New Command (associated package)    Old Command (associated packages)
    ----------------------------------  ----------------------------------------
    pkispawn (pki-deploy)               pkicreate (pki-setup, pki-selinux)
                                        pkisilent (pki-silent)
                                        dogtag-pki-ca-theme (dogtag-pki-theme)
                                        dogtag-pki-common-theme (dogtag-pki-theme)
                                        dogtag-pki-kra-theme (dogtag-pki-theme)
                                        dogtag-pki-ocsp-theme (dogtag-pki-theme)
                                        dogtag-pki-ra-theme (dogtag-pki-theme)
                                        dogtag-pki-tks-theme (dogtag-pki-theme)
                                        dogtag-pki-tps-theme (dogtag-pki-theme)
    pkidestroy (pki-deploy)             pkiremove (pki-setup, pki-selinux)

Low-Level Design

The following design was inspired by the Perl installation "scriptlets" used by the 389 Directory Server project, as well as by the numbered run-level symlinks of the System V init process.

PKI Deployment Engines

PKI Installation Engine

The pkispawn Python code will be invoked from /usr/bin as follows (per PKI TRAC Ticket #261 - Dogtag 10: Revisit command-line options of 'pkispawn' and 'pkidestroy' . . .):

   # pkispawn -h
   usage: pkispawn -s <subsystem> -f <file> [--dry_run] [-h] [-u] [-v]
                   [-p <prefix>]
   
   PKI Instance Installation and Configuration
   
   mandatory arguments:
     -s <subsystem>       where <subsystem> is CA, KRA, OCSP, RA, TKS, or TPS
     -f <file>            specifies configuration filename
   
   optional arguments:
     --dry_run            do not actually perform any actions
     -h, --help           show this help message and exit
     -u                   update instance of specified subsystem
     -v                   display verbose information (details below)
   
   test arguments:
     -p <prefix>          directory prefix to specify local directory [TEST ONLY]
   
   {POSSIBLY ADDITIONAL HELP TEXT REGARDING INSTANCE, DOMAIN, PORT INTERACTIONS}
   
   VERBOSITY FLAGS    CONSOLE MESSAGE LEVEL       LOG MESSAGE LEVEL
   =======================================================================
     NONE             error|warning               error|warning|info
     -v               error|warning|info          error|warning|info
     -vv              error|warning|info          error|warning|info|debug
     -vvv             error|warning|info|debug    error|warning|info|debug

PKI Removal Engine

Similarly, the pkidestroy Python code will be invoked from /usr/bin as follows (per PKI TRAC Ticket #261 - Dogtag 10: Revisit command-line options of 'pkispawn' and 'pkidestroy' . . .):

   # pkidestroy -h
   usage: pkidestroy -s <subsystem> -i <instance> [-d <admin_domain>]
                     [--dry_run] [-h] [-v] [-p <prefix>]
   
   PKI Instance Removal
   
   mandatory arguments:
     -s <subsystem>     where <subsystem> is CA, KRA, OCSP, RA, TKS, or TPS
     -i <instance>      PKI instance name
   
   optional arguments:
     -d <admin_domain>  PKI admin domain name (instance name suffix)
     --dry_run          do not actually perform any actions
     -h, --help         show this help message and exit
     -v                 display verbose information (details below)
   
   test arguments:
     -p <prefix>        directory prefix to specify local directory [TEST ONLY]
   
   {POSSIBLE ADDITIONAL HELP TEXT EXPLAINING WHEN DOMAIN MUST BE SPECIFIED}
   
   VERBOSITY FLAGS    CONSOLE MESSAGE LEVEL       LOG MESSAGE LEVEL
   =======================================================================
     NONE             error|warning               error|warning|info
     -v               error|warning|info          error|warning|info
     -vv              error|warning|info          error|warning|info|debug
     -vvv             error|warning|info|debug    error|warning|info|debug

PKI Configuration Files

PKI Installation Configuration Files

The pkispawn executable will obtain its default command-line options from a single configuration file shipped at /usr/share/pki/deployment/config/pkideployment.cfg. This shipped file is not edited in place: it is copied, at least the required [Sensitive] parameters are filled in, and the full path to the copy is passed via the mandatory -f <file> command-line option. A copy of each instance-specific configuration file will also be saved within the instance itself, since it is needed for instance removal. Because both copies hold the [Sensitive] passwords, they should be readable only by root (mode 0600), and their [Sensitive] values must never be echoed to the console or written to a log file.

The default installation configuration file will contain general sections for Sensitive, Common, Apache, and Tomcat specific name-value pairs. Additionally, each PKI subsystem will have its own section which contains simple default name-value pairs:

   ###############################################################################
   ##  'Sensitive' Data:                                                        ##
   ##                                                                           ##
   ##  Values in this section pertain to various PKI subsystems, and contain    ##
   ##  required 'sensitive' information which MUST ALWAYS be provided by users. ##
   ##                                                                           ##
   ##  IMPORTANT:  Sensitive data values must NEVER be displayed to the         ##
   ##              console NOR stored in log files!!!                           ##
   ###############################################################################
   [Sensitive]
   pki_admin_password=
   pki_backup_password=
   pki_client_pkcs12_password=
   pki_clone_pkcs12_password=
   pki_ds_password=
   pki_security_domain_password=
   ###############################################################################
   ##  'Common' Data:                                                           ##
   ##                                                                           ##
   ##  Values in this section are common to more than one PKI subsystem, and    ##
   ##  contain required information which MAY be overridden by users as         ##
   ##  necessary.                                                               ##
   ##                                                                           ##
   ##  NOTE:  Default values will be generated for any and all required         ##
   ##         'common' data values which are left undefined.                    ##
   ###############################################################################
   [Common]
   pki_admin_cert_request_type=crmf
   pki_admin_domain_name=
   pki_admin_dualkey=False
   pki_admin_email=
   pki_admin_keysize=2048
   pki_admin_name=admin
   pki_admin_nickname=
   pki_admin_subject_dn=
   pki_admin_uid=admin
   pki_audit_group=pkiaudit
   pki_audit_signing_key_algorithm=SHA256withRSA
   pki_audit_signing_key_size=2048
   pki_audit_signing_key_type=rsa
   pki_audit_signing_nickname=
   pki_audit_signing_signing_algorithm=SHA256withRSA
   pki_audit_signing_subject_dn=
   pki_audit_signing_token=
   pki_backup_file=
   pki_backup_keys=False
   pki_ds_base_dn=
   pki_ds_bind_dn=cn=Directory Manager
   pki_ds_database=
   pki_ds_hostname=
   pki_ds_ldap_port=389
   pki_ds_ldaps_port=636
   pki_ds_remove_data=True
   pki_ds_secure_connection=False
   pki_group=pkiuser
   pki_security_domain_hostname=
   pki_security_domain_https_port=8443
   pki_security_domain_name=
   pki_security_domain_user=admin
   pki_ssl_server_key_algorithm=SHA256withRSA
   pki_ssl_server_key_size=2048
   pki_ssl_server_key_type=rsa
   pki_ssl_server_nickname=
   pki_ssl_server_subject_dn=
   pki_ssl_server_token=
   pki_subsystem_key_algorithm=SHA256withRSA
   pki_subsystem_key_size=2048
   pki_subsystem_key_type=rsa
   pki_subsystem_nickname=
   pki_subsystem_subject_dn=
   pki_subsystem_token=
   pki_user=pkiuser
   ###############################################################################
   ##  'Apache' Data:                                                           ##
   ##                                                                           ##
   ##  Values in this section are common to PKI subsystems that run             ##
   ##  as an instance of 'Apache' (RA and TPS subsystems), and contain          ##
   ##  required information which MAY be overridden by users as necessary.      ##
   ###############################################################################
   [Apache]
   pki_instance_name=pki-apache
   pki_http_port=80
   pki_https_port=443
   ###############################################################################
   ##  'Tomcat' Data:                                                           ##
   ##                                                                           ##
   ##  Values in this section are common to PKI subsystems that run             ##
   ##  as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems            ##
   ##  including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain  ##
   ##  required information which MAY be overridden by users as necessary.      ##
   ##                                                                           ##
   ##  PKI CLONES:  To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone',    ##
   ##               or a 'TKS Clone', change the value of 'pki_clone'           ##
   ##               from 'False' to 'True'.                                     ##
   ##                                                                           ##
   ##    REMINDER:  PKI CA Clones, Subordinate CAs, and External CAs            ##
   ##               are MUTUALLY EXCLUSIVE entities!!!                          ##
   ###############################################################################
   [Tomcat]
   pki_ajp_port=8009
   pki_clone=False
   pki_enable_java_debugger=False
   pki_http_port=8080
   pki_https_port=8443
   pki_instance_name=pki-tomcat
   pki_proxy_http_port=
   pki_proxy_https_port=
   pki_security_manager=false
   pki_tomcat_server_port=8005
   ###############################################################################
   ##  'CA' Data:                                                               ##
   ##                                                                           ##
   ##  Values in this section are common to CA subsystems including 'PKI CAs',  ##
   ##  'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain         ##
   ##  required information which MAY be overridden by users as necessary.      ##
   ##                                                                           ##
   ##     EXTERNAL CAs:  To specify an 'External CA', change the value          ##
   ##                    of 'pki_external' from 'False' to 'True'.              ##
   ##                                                                           ##
   ##  SUBORDINATE CAs:  To specify a 'Subordinate CA', change the value        ##
   ##                    of 'pki_subordinate' from 'False' to 'True'.           ##
   ##                                                                           ##
   ##         REMINDER:  PKI CA Clones, Subordinate CAs, and External CAs       ##
   ##                    are MUTUALLY EXCLUSIVE entities!!!                     ##
   ###############################################################################
   [CA]
   pki_ca_signing_key_algorithm=SHA256withRSA
   pki_ca_signing_key_size=2048
   pki_ca_signing_key_type=rsa
   pki_ca_signing_nickname=
   pki_ca_signing_signing_algorithm=SHA256withRSA
   pki_ca_signing_subject_dn=
   pki_ca_signing_token=
   pki_external=False
   pki_ocsp_signing_key_algorithm=SHA256withRSA
   pki_ocsp_signing_key_size=2048
   pki_ocsp_signing_key_type=rsa
   pki_ocsp_signing_nickname=
   pki_ocsp_signing_signing_algorithm=SHA256withRSA
   pki_ocsp_signing_subject_dn=
   pki_ocsp_signing_token=
   pki_subordinate=False
   pki_subsystem=CA
   pki_subsystem_name=
   pki_war_name=ca.war
   ###############################################################################
   ##  'KRA' Data:                                                              ##
   ##                                                                           ##
   ##  Values in this section are common to KRA subsystems                      ##
   ##  including 'PKI KRAs' and 'Cloned KRAs', and contain                      ##
   ##  required information which MAY be overridden by users as necessary.      ##
   ###############################################################################
   [KRA]
   pki_storage_key_algorithm=SHA256withRSA
   pki_storage_key_size=2048
   pki_storage_key_type=rsa
   pki_storage_nickname=
   pki_storage_signing_algorithm=SHA256withRSA
   pki_storage_subject_dn=
   pki_storage_token=
   pki_subsystem=KRA
   pki_subsystem_name=
   pki_transport_key_algorithm=SHA256withRSA
   pki_transport_key_size=2048
   pki_transport_key_type=rsa
   pki_transport_nickname=
   pki_transport_signing_algorithm=SHA256withRSA
   pki_transport_subject_dn=
   pki_transport_token=
   pki_war_name=kra.war
   ###############################################################################
   ##  'OCSP' Data:                                                             ##
   ##                                                                           ##
   ##  Values in this section are common to OCSP subsystems                     ##
   ##  including 'PKI OCSPs' and 'Cloned OCSPs', and contain                    ##
   ##  required information which MAY be overridden by users as necessary.      ##
   ###############################################################################
   [OCSP]
   pki_ocsp_signing_key_algorithm=SHA256withRSA
   pki_ocsp_signing_key_size=2048
   pki_ocsp_signing_key_type=rsa
   pki_ocsp_signing_nickname=
   pki_ocsp_signing_signing_algorithm=SHA256withRSA
   pki_ocsp_signing_subject_dn=
   pki_ocsp_signing_token=
   pki_subsystem=OCSP
   pki_subsystem_name=
   pki_war_name=ocsp.war
   ###############################################################################
   ##  'RA' Data:                                                               ##
   ##                                                                           ##
   ##  Values in this section are common to PKI RA subsystems, and contain      ##
   ##  required information which MAY be overridden by users as necessary.      ##
   ###############################################################################
   [RA]
   pki_subsystem=RA
   pki_subsystem_name=
   ###############################################################################
   ##  'TKS' Data:                                                              ##
   ##                                                                           ##
   ##  Values in this section are common to TKS subsystems                      ##
   ##  including 'PKI TKSs' and 'Cloned TKSs', and contain                      ##
   ##  required information which MAY be overridden by users as necessary.      ##
   ###############################################################################
   [TKS]
   pki_subsystem=TKS
   pki_subsystem_name=
   pki_war_name=tks.war
   ###############################################################################
   ##  'TPS' Data:                                                              ##
   ##                                                                           ##
   ##  Values in this section are common to PKI TPS subsystems, and contain     ##
   ##  required information which MAY be overridden by users as necessary.      ##
   ###############################################################################
   [TPS]
   pki_subsystem=TPS
   pki_subsystem_name=

PKI Removal Configuration Files

For pkidestroy, the aforementioned instance-specific configuration file will be used to remove the specified instance.

PKI Python Dictionaries

Having obtained their default command-line options by reading the appropriate configuration file, the pkispawn and the pkidestroy executables will utilize Python's ConfigParser library to parse this information into four distinct Python dictionaries (the Web dictionary holding either the [Apache] or the [Tomcat] section, whichever applies to the subsystem being deployed):

    • Sensitive
    • Common
    • Web
    • Subsystem

Three of these Python dictionaries (Common, Web, and Subsystem) will be used to encapsulate all data relevant to the pkispawn and the pkidestroy executables and their associated stand-alone Python "scriptlets" and will be combined in a single "Master" Python dictionary.
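As an added example (not pki-deploy code), the following Python 3 script parses a constructed, abbreviated pkideployment.cfg-style file into these dictionaries with ConfigParser, merges a user-supplied override file on top of it in the way Phase II describes, builds the master dictionary from Common, Web and Subsystem, and treats the [Sensitive] section the way the configuration file's own header demands: empty required values are detected, the section is never merged into the master dictionary, and it is only ever exposed in redacted form. The INI text in DEFAULT_CFG and USER_CFG, and the names load_deployment_config, missing_sensitive and redacted, are assumptions of the example.

```python
"""Parse a pkideployment.cfg-style file into the Sensitive, Common, Web and
Subsystem dictionaries, merge the non-sensitive ones into a master
dictionary, and keep Sensitive values out of anything that gets logged.

Added example for this page; not pki-deploy code.  DEFAULT_CFG is a
constructed, abbreviated stand-in for the shipped default file and
USER_CFG models the Phase II customized file merged on top of it.
"""
import configparser

DEFAULT_CFG = """\
[Sensitive]
pki_admin_password=
pki_ds_password=
[Common]
pki_admin_uid=admin
pki_ds_ldap_port=389
pki_ds_secure_connection=False
[Apache]
pki_instance_name=pki-apache
pki_http_port=80
pki_https_port=443
[Tomcat]
pki_instance_name=pki-tomcat
pki_http_port=8080
pki_https_port=8443
[CA]
pki_subsystem=CA
pki_war_name=ca.war
[KRA]
pki_subsystem=KRA
pki_war_name=kra.war
[RA]
pki_subsystem=RA
"""

USER_CFG = """\
[Sensitive]
pki_admin_password=Secret.123
pki_ds_password=Secret.456
[Common]
pki_ds_secure_connection=True
"""

APACHE_SUBSYSTEMS = {"RA", "TPS"}
TOMCAT_SUBSYSTEMS = {"CA", "KRA", "OCSP", "TKS"}


def load_deployment_config(subsystem, default_text, override_text=None):
    """Return (sensitive, master) for one subsystem.

    master = Common + Web + Subsystem, later sections overriding earlier
    ones.  Sensitive is returned separately and never merged into master,
    so a dump of master is safe to log.
    """
    subsystem = subsystem.upper()
    if subsystem in APACHE_SUBSYSTEMS:
        web_section = "Apache"
    elif subsystem in TOMCAT_SUBSYSTEMS:
        web_section = "Tomcat"
    else:
        raise ValueError("unknown subsystem %r" % subsystem)

    # interpolation=None: a password containing '%' must not be expanded.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep pki_* key names exactly as written
    parser.read_string(default_text)
    if override_text is not None:
        parser.read_string(override_text)  # later values win (Phase II merge)

    sensitive = dict(parser.items("Sensitive"))
    master = {}
    for section in ("Common", web_section, subsystem):
        master.update(parser.items(section))
    return sensitive, master


def missing_sensitive(sensitive):
    """Sensitive values the user left empty; the design says these MUST
    always be supplied, so the engine should refuse to continue."""
    return sorted(k for k, v in sensitive.items() if not v.strip())


def redacted(sensitive):
    """Loggable view of the Sensitive dictionary: keys only, values masked."""
    return {k: "********" for k in sensitive}


if __name__ == "__main__":
    sens, master = load_deployment_config("KRA", DEFAULT_CFG, USER_CFG)
    print("missing:", missing_sensitive(sens))
    print("master:", master)
    print("sensitive:", redacted(sens))
```

Two details matter in practice. ConfigParser's default interpolation treats '%' specially, so a password containing that character would either be mangled or raise an error; passing interpolation=None keeps [Sensitive] values byte-for-byte. And because master never receives the [Sensitive] keys, the engine can log the whole master dictionary at debug level (the -vv and -vvv levels above) without violating the "never displayed nor logged" rule. The Python 2 module used on the page's target platform is spelled ConfigParser and offers the same read and items behaviour.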

Command-line Processing of PKI Scriptlets

Command-line Processing of PKI Installation Scriptlets

Command-line processing of pkispawn will primarily be accomplished via individual enumerated symlinks to scriptlets stored under /usr/share/pki/deployment/spawn/<subsystem>/ which will be invoked in ascending order; these pkispawn symlinks will be located under the following directories:

  • CA   (/usr/share/pki/deployment/spawn/ca/)
    KRA  (/usr/share/pki/deployment/spawn/kra/)
    OCSP (/usr/share/pki/deployment/spawn/ocsp/)
    TKS  (/usr/share/pki/deployment/spawn/tks/)

    Execution Order  Python Scriptlet          Purpose (installation and upgrade)
    000              initialization.py         First 'scriptlet' executed
    010              infrastructure_layout.py  Populate/Re-populate top-level PKI infrastructure directories, files, and symlinks
    020              instance_layout.py        Populate/Re-populate PKI instance directories, files, and symlinks
    030              subsystem_layout.py       Populate/Re-populate PKI subsystem directories, files, and symlinks
    040              war_explosion.py          Explode the subsystem "war" file
    050              slot_substitution.py      Substitute variables in various files
    060              security_databases.py     Create (if necessary) and initialize the shared PKI-specific Apache/Tomcat security databases
    070              configuration.py          Invoke Java client to configure PKI subsystem
    999              finalization.py           Last 'scriptlet' executed

  • RA   (/usr/share/pki/deployment/spawn/ra/)
    TPS  (/usr/share/pki/deployment/spawn/tps/)

    [TBD]

Command-line Processing of PKI Removal Scriptlets

Likewise, command-line processing of pkidestroy will primarily be accomplished via individual enumerated symlinks to scriptlets stored under /usr/share/pki/deployment/destroy/<subsystem>/. These are also invoked in ascending numerical order; the removal numbers (930 through 990) are chosen so that this ascending run reverses the installation sequence, with 000 (initialization) still first and 999 (finalization) still last. These pkidestroy symlinks will be located under the following directories:

  • CA   (/usr/share/pki/deployment/destroy/ca/)
    KRA  (/usr/share/pki/deployment/destroy/kra/)
    OCSP (/usr/share/pki/deployment/destroy/ocsp/)
    TKS  (/usr/share/pki/deployment/destroy/tks/)

    Execution Order  Python Scriptlet          Purpose (removal)
    000              initialization.py         First 'scriptlet' executed
    930              configuration.py          Invoke Java client to configure PKI subsystem
    940              security_databases.py     Remove (if necessary) the shared PKI-specific Apache/Tomcat security databases
    960              war_explosion.py          Remove previously exploded subsystem "war" directories, files, and symlinks
    970              subsystem_layout.py       Remove PKI subsystem directories, files, and symlinks
    980              instance_layout.py        Remove PKI instance directories, files, and symlinks
    990              infrastructure_layout.py  Remove top-level PKI infrastructure directories, files, and symlinks
    999              finalization.py           Last 'scriptlet' executed

  • RA   (/usr/share/pki/deployment/destroy/ra/)
    TPS  (/usr/share/pki/deployment/destroy/tps/)

    [TBD]

PKI Scriptlets

Anatomy of a PKI Scriptlet

All PKI "scriptlets" are defined to be implementations of the following abstract base class:

   #!/usr/bin/python -t
   # Authors:
   #     Matthew Harmsen <mharmsen@redhat.com>
   #
   # This program is free software; you can redistribute it and/or modify
   # it under the terms of the GNU General Public License as published by
   # the Free Software Foundation; version 2 of the License.
   #
   # This program is distributed in the hope that it will be useful,
   # but WITHOUT ANY WARRANTY; without even the implied warranty of
   # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   # GNU General Public License for more details.
   #
   # You should have received a copy of the GNU General Public License along
   # with this program; if not, write to the Free Software Foundation, Inc.,
   # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
   #
   # Copyright (C) 2011 Red Hat, Inc.
   # All rights reserved.
   #
   
   # System Imports
   import abc
   
   
   # PKI Deployment Classes
   class AbstractBasePkiScriptlet(object):
       __metaclass__ = abc.ABCMeta
   
       @abc.abstractmethod
       def spawn(self):
           """Retrieve data from the specified dictionaries and
              use it to install a new PKI instance."""
           return
   
       @abc.abstractmethod
       def respawn(self):
           """Retrieve data from the specified dictionaries and
              use it to update an existing PKI instance."""
           return
   
       @abc.abstractmethod
       def destroy(self):
           """Retrieve data from the specified dictionaries and
              use it to destroy an existing PKI instance."""
           return

List of PKI Scriptlets

All Python-based installation/removal scriptlets will be located under /usr/lib/python<version>/site-packages/pki/deployment/:

    Python Scriptlet Explanation
    initialization.py First 'scriptlet' executed
    infrastructure_layout.py Create top-level PKI infrastructure directories, files, and symlinks
    instance_layout.py Create top-level PKI instance directories, files, and symlinks
    subsystem_layout.py Create top-level PKI subsystem directories, files, and symlinks
    war_explosion.py Explode specified "war" file
    slot_substitution.py Make variable substitutions in various files
    security_databases.py Create/modify shared NSS security databases for this instance
    configuration.py FUTURE: Invoke the Java-based client to configure this instance
    finalization.py Last 'scriptlet' executed
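As an added example, not the pki-deploy engine itself, the following Python 3 script shows how the enumerated-symlink scheme from the spawn and destroy tables above and the abstract base class fit together: scriptlets implementing spawn/respawn/destroy are invoked in ascending numerical order, the removal numbering reverses the installation sequence on its own, --dry_run lists the steps without running them, and a failing scriptlet is reported by its numbered step so nothing after it runs. The base class is written with Python 3's abc.ABC rather than the page's Python 2 __metaclass__ form. The symlink directories are modelled as in-memory dictionaries, and RecordingScriptlet, FailingScriptlet, build_directories and run_scriptlets are names made up for this example.

```python
"""Minimal pkispawn/pkidestroy-style engine: invokes enumerated scriptlets
in ascending order, dispatches to spawn(), respawn() (-u) or destroy(),
honours --dry_run, and reports which numbered step failed.

Added example for this page, not the pki-deploy engine.  The enumerated
symlink directories under /usr/share/pki/deployment/{spawn,destroy}/<subsystem>/
are modelled as dictionaries {"NNN": scriptlet} filled from the design's
CA/KRA/OCSP/TKS tables, so the block runs stand-alone.
"""
import abc

ACTIONS = ("spawn", "respawn", "destroy")


class AbstractBasePkiScriptlet(abc.ABC):
    """Python 3 form of the page's abstract base class."""
    name = "unnamed"

    @abc.abstractmethod
    def spawn(self, master):
        """Install a new PKI instance from the master dictionary."""

    @abc.abstractmethod
    def respawn(self, master):
        """Update an existing PKI instance."""

    @abc.abstractmethod
    def destroy(self, master):
        """Remove an existing PKI instance."""


class RecordingScriptlet(AbstractBasePkiScriptlet):
    """Constructed scriptlet: records (action, name) in a shared trace."""

    def __init__(self, name, trace):
        self.name = name
        self.trace = trace

    def spawn(self, master):
        self.trace.append(("spawn", self.name))

    def respawn(self, master):
        self.trace.append(("respawn", self.name))

    def destroy(self, master):
        self.trace.append(("destroy", self.name))


class FailingScriptlet(RecordingScriptlet):
    """Constructed scriptlet whose spawn() fails, to exercise error handling."""

    def spawn(self, master):
        raise OSError("cannot write to %s" % master.get("pki_instance_name"))


def build_directories(trace):
    """Spawn and destroy 'directories' with the numbering from the design."""
    def s(name):
        return RecordingScriptlet(name, trace)
    spawn_dir = {
        "000": s("initialization"), "010": s("infrastructure_layout"),
        "020": s("instance_layout"), "030": s("subsystem_layout"),
        "040": s("war_explosion"), "050": s("slot_substitution"),
        "060": s("security_databases"), "070": s("configuration"),
        "999": s("finalization"),
    }
    destroy_dir = {
        "000": s("initialization"), "930": s("configuration"),
        "940": s("security_databases"), "960": s("war_explosion"),
        "970": s("subsystem_layout"), "980": s("instance_layout"),
        "990": s("infrastructure_layout"), "999": s("finalization"),
    }
    return spawn_dir, destroy_dir


def run_scriptlets(action, enumerated, master, dry_run=False):
    """Invoke enumerated scriptlets in ascending order for one action.

    Returns the ordered list of (number, name) pairs that ran, or with
    dry_run the list that would have run.  A scriptlet exception is wrapped
    so the operator sees which numbered step failed; nothing after it runs.
    """
    if action not in ACTIONS:
        raise ValueError("action must be one of %s" % (ACTIONS,))
    executed = []
    # Zero-padded three-digit prefixes sort identically as strings and numbers.
    for number in sorted(enumerated):
        scriptlet = enumerated[number]
        executed.append((number, scriptlet.name))
        if dry_run:
            continue
        try:
            getattr(scriptlet, action)(master)
        except Exception as exc:
            raise RuntimeError("%s failed at step %s_%s: %s"
                               % (action, number, scriptlet.name, exc)) from exc
    return executed


if __name__ == "__main__":
    trace = []
    spawn_dir, destroy_dir = build_directories(trace)
    print(run_scriptlets("spawn", spawn_dir, {"pki_instance_name": "pki-tomcat"}))
    print(run_scriptlets("destroy", destroy_dir, {}, dry_run=True))
```

Note that the engine never sorts in reverse: the destroy directory's own numbering (930 through 990) yields the reverse of the installation order, and slot_substitution.py, which has no removal counterpart, simply has no destroy symlink. With a real symlink directory the dictionary would be built by listing the directory and splitting each name on its numeric prefix, but the ordering, dry-run and failure logic are unchanged.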

PKI (CA, KRA, OCSP, TKS) Instance Tomcat Class Loader Order

For Tomcat 7, this is described in detail at the following link:

In summary, from the perspective of a web application, class or resource loading looks in the following repositories, in this order:

  • Bootstrap classes of your JVM
  • System class loader classes (described above)
  • /WEB-INF/classes of your web application
  • /WEB-INF/lib/*.jar of your web application
  • Common class loader classes (described above)

PKI Instance File System Directory Layout

File System Directory Layout (Proposed)

CA / KRA / OCSP / RA / TKS / TPS
+    /etc/sysconfig/pki                                                                                                 (PKI-specific registry)
+    /etc/sysconfig/pki/apache                                                                                          (PKI-specific Apache registry)
+    /etc/sysconfig/pki/apache/<apache_instance[.admin_domain]>                                                         (PKI-specific <apache_instance[.admin_domain]> registry)
     /etc/sysconfig/pki/apache/<apache_instance[.admin_domain]>/ra                                                      (PKI-specific <apache_instance[.admin_domain]> RA-specific registry - contains installation manifest file)
     /etc/sysconfig/pki/apache/<apache_instance[.admin_domain]>/tps                                                     (PKI-specific <apache_instance[.admin_domain]> TPS-specific registry - contains installation manifest file)
+    /etc/sysconfig/pki/tomcat                                                                                          (PKI-specific Tomcat registry)
+    /etc/sysconfig/pki/tomcat/<tomcat_instance[.admin_domain]>                                                         (PKI-specific <tomcat_instance[.admin_domain]> registry)
+/-  /etc/sysconfig/pki/tomcat/<tomcat_instance[.admin_domain]>/ca                                                      (PKI-specific <tomcat_instance[.admin_domain]> CA-specific registry - contains installation manifest file)
+/=  /etc/sysconfig/pki/tomcat/<tomcat_instance[.admin_domain]>/kra                                                     (PKI-specific <tomcat_instance[.admin_domain]> KRA-specific registry - contains installation manifest file)
     /etc/sysconfig/pki/tomcat/<tomcat_instance[.admin_domain]>/ocsp                                                    (PKI-specific <tomcat_instance[.admin_domain]> OCSP-specific registry - contains installation manifest file)
     /etc/sysconfig/pki/tomcat/<tomcat_instance[.admin_domain]>/tks                                                     (PKI-specific <tomcat_instance[.admin_domain]> TKS-specific registry - contains installation manifest file)
+    /etc/pki                                                                                                           (PKI-specific configuration files)
+    /etc/pki/<apache_instance[.admin_domain]>                                                                          (PKI-specific <apache_instance[.admin_domain]> shared configuration files - e. g. - password.conf)
+    /etc/pki/<apache_instance[.admin_domain]>/alias                                                                    (PKI-specific <apache_instance[.admin_domain]> shared NSS security databases)
     /etc/pki/<apache_instance[.admin_domain]>/ra                                                                       (PKI-specific <apache_instance[.admin_domain]> RA-specific configuration files)
     /etc/pki/<apache_instance[.admin_domain]>/tps                                                                      (PKI-specific <apache_instance[.admin_domain]> TPS-specific configuration files)
+    /etc/pki/<tomcat_instance[.admin_domain]>                                                                          (PKI-specific <tomcat_instance[.admin_domain]> shared configuration files - e. g. - password.conf)
+    /etc/pki/<tomcat_instance[.admin_domain]>/alias                                                                    (PKI-specific <tomcat_instance[.admin_domain]> shared NSS security databases)
+/-  /etc/pki/<tomcat_instance[.admin_domain]>/ca                                                                       (PKI-specific <tomcat_instance[.admin_domain]> CA-specific configuration files)
+/=  /etc/pki/<tomcat_instance[.admin_domain]>/kra                                                                      (PKI-specific <tomcat_instance[.admin_domain]> KRA-specific configuration files)
     /etc/pki/<tomcat_instance[.admin_domain]>/ocsp                                                                     (PKI-specific <tomcat_instance[.admin_domain]> OCSP-specific configuration files)
     /etc/pki/<tomcat_instance[.admin_domain]>/tks                                                                      (PKI-specific <tomcat_instance[.admin_domain]> TKS-specific configuration files)
+    /var/lib/pki                                                                                                       (PKI-specific base files)
+    /var/lib/pki/<apache_instance[.admin_domain]>                                                                      (PKI-specific <apache_instance[.admin_domain]> - RA / TPS shared base files)
#    /var/lib/pki/<apache_instance[.admin_domain]>/alias -> /etc/pki/[admin_domain]/[apache_instance]/alias             (link to PKI-specific <apache_instance[.admin_domain]> shared NSS security databases)
#    /var/lib/pki/<apache_instance[.admin_domain]>/conf -> /etc/pki/[admin_domain]/[apache_instance]                    (link to PKI-specific <apache_instance[.admin_domain]> shared configuration files)
#    /var/lib/pki/<apache_instance[.admin_domain]>/logs -> /var/log/pki/[admin_domain]/[apache_instance]                (link to PKI-specific <apache_instance[.admin_domain]> log files)
     /var/lib/pki/<apache_instance[.admin_domain]>/ra                                                                   (PKI-specific <apache_instance[.admin_domain]> RA-specific base files)
#    /var/lib/pki/<apache_instance[.admin_domain]>/ra/alias -> /var/lib/pki/[admin_domain]/[apache_instance]/alias      (link to PKI-specific <apache_instance[.admin_domain]> shared NSS security databases)
     /var/lib/pki/<apache_instance[.admin_domain]>/tps                                                                  (PKI-specific <apache_instance[.admin_domain]> TPS-specific base files)
#    /var/lib/pki/<apache_instance[.admin_domain]>/tps/alias -> /var/lib/pki/[admin_domain]/[apache_instance]/alias     (link to PKI-specific <apache_instance[.admin_domain]> shared NSS security databases)
+    /var/lib/pki/<tomcat_instance[.admin_domain]>                                                                      (PKI-specific <tomcat_instance[.admin_domain]> - CA / KRA / OCSP / TKS shared base files)
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/alias -> /etc/pki/[admin_domain]/[tomcat_instance]/alias             (link to PKI-specific <tomcat_instance[.admin_domain]> shared NSS security databases)
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/bin -> /usr/share/[tomcat_instance]/bin                              (link to <tomcat_instance[.admin_domain]> binaries for use by Eclipse)
+/-  /var/lib/pki/<tomcat_instance[.admin_domain]>/ca                                                                   (PKI-specific <tomcat_instance[.admin_domain]> CA-specific base files)
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/ca/alias -> /var/lib/pki/[admin_domain]/[tomcat_instance]/alias      (link to PKI-specific <tomcat_instance[.admin_domain]> shared NSS security databases)
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/ca/conf -> /etc/pki/[admin_domain]/[tomcat_instance]/ca              (link to PKI-specific <tomcat_instance[.admin_domain]> CA-specific configuration files)
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/ca/emails                                                            (PKI-specific <tomcat_instance[.admin_domain]> CA-specific email files)
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/ca/logs -> /var/log/pki/[admin_domain]/[tomcat_instance]/ca          (link to PKI-specific <tomcat_instance[.admin_domain]> CA-specific log files)
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/ca/profiles                                                          (PKI-specific <tomcat_instance[.admin_domain]> CA-specific profiles)
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/ca/webapps -> /var/lib/pki/[admin_domain]/[tomcat_instance]/webapps  (link to PKI-specific <tomcat_instance[.admin_domain]> CA-specific webapps files)
+    /var/lib/pki/<tomcat_instance[.admin_domain]>/common                                                               (PKI-specific <tomcat_instance[.admin_domain]> common files)
+    /var/lib/pki/<tomcat_instance[.admin_domain]>/common/lib                                                           (PKI-specific <tomcat_instance[.admin_domain]> common libraries)
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/conf -> /etc/pki/[admin_domain]/[tomcat_instance]                    (link to PKI-specific <tomcat_instance[.admin_domain]> shared configuration files)
=    /var/lib/pki/<tomcat_instance[.admin_domain]>/kra                                                                  (PKI-specific <tomcat_instance[.admin_domain]> KRA-specific base files)
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/kra/alias -> /var/lib/pki/[admin_domain]/[tomcat_instance]/alias     (link to PKI-specific <tomcat_instance[.admin_domain]> shared NSS security databases)
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/kra/conf -> /etc/pki/[admin_domain]/[tomcat_instance]/kra            (link to PKI-specific <tomcat_instance[.admin_domain]> KRA-specific configuration files)
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/kra/logs -> /var/log/pki/[admin_domain]/[tomcat_instance]/kra        (link to PKI-specific <tomcat_instance[.admin_domain]> KRA-specific log files)
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/kra/webapps -> /var/lib/pki/[admin_domain]/[tomcat_instance]/webapps (link to PKI-specific <tomcat_instance[.admin_domain]> KRA-specific webapps files)
     /var/lib/pki/<tomcat_instance[.admin_domain]>/ocsp                                                                 (PKI-specific <tomcat_instance[.admin_domain]> OCSP-specific base files)
     /var/lib/pki/<tomcat_instance[.admin_domain]>/tks                                                                  (PKI-specific <tomcat_instance[.admin_domain]> TKS-specific base files)
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/lib -> /usr/share/[tomcat_instance]/lib                              (link to <tomcat_instance[.admin_domain]> libraries for use by Eclipse)
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/logs -> /var/log/pki/[admin_domain]/[tomcat_instance]                (link to PKI-specific <tomcat_instance[.admin_domain]> log files)
+    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps
+    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ROOT
+    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ROOT/WEB-INF
+    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/WEB-INF
+    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/WEB-INF/classes
+    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/WEB-INF/lib
+/-  /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/WEB-INF
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/WEB-INF/classes -> /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/WEB-INF/classes
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/WEB-INF/lib -> /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/WEB-INF/lib
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/admin
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/admin/ca
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/admin/console
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/admin/console/config
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/admin/console/img
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/admin/console/js
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/admin/graphics
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/agent
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/agent/ca
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/agent/graphics
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/css
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/ee
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/ee/ca
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/ee/ca/policyEnrollment
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/ee/ca/profileEnrollment
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/ee/graphics
-    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/img
+/=  /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/kra
=    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/kra/WEB-INF
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/kra/WEB-INF/classes -> /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/WEB-INF/classes
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/kra/WEB-INF/lib -> /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/WEB-INF/lib
=    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/kra/admin
=    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/kra/admin/console
=    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/kra/admin/console/config
=    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/kra/admin/console/img
=    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/kra/admin/console/js
=    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/kra/agent
=    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/kra/agent/graphics
=    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/kra/agent/kra
=    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/kra/css
=    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/kra/img
     /var/lock/pki                                                                                                      (PKI-specific locks)
     /var/lock/pki/apache                                                                                               (PKI-specific Apache locks)
     /var/lock/pki/ca                                                                                                   (CA-specific locks)
     /var/lock/pki/kra                                                                                                  (KRA-specific locks)
     /var/lock/pki/ocsp                                                                                                 (OCSP-specific locks)
     /var/lock/pki/ra                                                                                                   (RA-specific locks)
     /var/lock/pki/tks                                                                                                  (TKS-specific locks)
     /var/lock/pki/tomcat                                                                                               (PKI-specific Tomcat locks)
     /var/lock/pki/tps                                                                                                  (TPS-specific locks)
+    /var/log/pki                                                                                                       (PKI-specific log files)
+    /var/log/pki/<apache_instance[.admin_domain]>                                                                      (PKI-specific <apache_instance[.admin_domain]> log files)
     /var/log/pki/<apache_instance[.admin_domain]>/ra                                                                   (PKI-specific <apache_instance[.admin_domain]> RA-specific log files)
     /var/log/pki/<apache_instance[.admin_domain]>/tps                                                                  (PKI-specific <apache_instance[.admin_domain]> TPS-specific log files)
     /var/log/pki/<apache_instance[.admin_domain]>/tps/signedAudit                                                      (PKI-specific <apache_instance[.admin_domain]> TPS-specific signed audit log files)
+    /var/log/pki/<tomcat_instance[.admin_domain]>                                                                      (PKI-specific <tomcat_instance[.admin_domain]> log files)
+    /var/log/pki/<tomcat_instance[.admin_domain]>/ca                                                                   (PKI-specific <tomcat_instance[.admin_domain]> CA-specific log files)
+    /var/log/pki/<tomcat_instance[.admin_domain]>/ca/signedAudit                                                       (PKI-specific <tomcat_instance[.admin_domain]> CA-specific signed audit log files)
+    /var/log/pki/<tomcat_instance[.admin_domain]>/kra                                                                  (PKI-specific <tomcat_instance[.admin_domain]> KRA-specific log files)
+    /var/log/pki/<tomcat_instance[.admin_domain]>/kra/signedAudit                                                      (PKI-specific <tomcat_instance[.admin_domain]> KRA-specific signed audit log files)
     /var/log/pki/<tomcat_instance[.admin_domain]>/ocsp                                                                 (PKI-specific <tomcat_instance[.admin_domain]> OCSP-specific log files)
     /var/log/pki/<tomcat_instance[.admin_domain]>/ocsp/signedAudit                                                     (PKI-specific <tomcat_instance[.admin_domain]> OCSP-specific signed audit log files)
     /var/log/pki/<tomcat_instance[.admin_domain]>/tks                                                                  (PKI-specific <tomcat_instance[.admin_domain]> TKS-specific log files)
     /var/log/pki/<tomcat_instance[.admin_domain]>/tks/signedAudit                                                      (PKI-specific <tomcat_instance[.admin_domain]> TKS-specific signed audit log files)
     /var/run/pki                                                                                                       (PKI-specific pids)
     /var/run/pki/apache                                                                                                (PKI-specific Apache pids)
     /var/run/pki/ca                                                                                                    (CA-specific pids)
     /var/run/pki/kra                                                                                                   (KRA-specific pids)
     /var/run/pki/ocsp                                                                                                  (OCSP-specific pids)
     /var/run/pki/ra                                                                                                    (RA-specific pids)
     /var/run/pki/tks                                                                                                   (TKS-specific pids)
     /var/run/pki/tomcat                                                                                                (PKI-specific Tomcat pids)
     /var/run/pki/tps                                                                                                   (TPS-specific pids)
    NOTE:   All references in bold are considered "fixed" directories which are not data-specific, and will be owned by the pki-deploy RPM rather than created by the pkispawn process.
    All references in bold-italics are considered "fixed" directories which are not data-specific, and will be owned by the appropriate pki-ca or pki-kra RPM rather than created by the pkispawn process.
    All references preceded by a "+" (plus) are directories which will be generated via the initial pkispawn process (regardless of subsystem type). As these are the top-level data directories, they cannot be "owned" by any RPM.
    All references preceded by a "-" (dash) are candidates for an exploded ca.war file (not all contents would be included as some would be populated via the pkispawn process).
    All references preceded by an "=" (equal sign) are candidates for an exploded kra.war file (not all contents would be included as some would be populated via the pkispawn process).
    All references preceded by a "#" (hash mark) are symlinks which will be created via a pkispawn scriptlet which will be generated AFTER an exploded war file.
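As an added example (not from the Dogtag page or the pkispawn code), the following Python parses lines written in the legend's notation above, fills in a constructed instance name and admin domain, and checks every "#" symlink against the directories the layout lists, since a link whose target is not in the tree would dangle once the scriptlet creates it. The SAMPLE subset, the instance name and the admin domain are constructed values; the two substitution rules cover the two placeholder spellings used in the listing.

```python
"""Parse layout lines in the notation used above and check their symlinks."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Marker meanings, taken from the legend. An unmarked line is a "fixed" RPM-owned
# directory; which RPM owns it was carried by formatting not preserved in plain text.
LEGEND = {
    "": "fixed directory owned by an RPM",
    "+": "data directory created by pkispawn",
    "-": "candidate for exploded ca.war",
    "=": "candidate for exploded kra.war",
    "+/-": "created by pkispawn, also a ca.war candidate",
    "+/=": "created by pkispawn, also a kra.war candidate",
    "#": "symlink created by a pkispawn scriptlet after the war is exploded",
}

# marker, path, optional "-> target", optional "(description)"
LINE_RE = re.compile(
    r"^\s*(?P<mark>\+/-|\+/=|[-+=#])?\s*(?P<path>/\S+)"
    r"(?:\s+->\s+(?P<target>/\S+))?(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)

@dataclass
class Entry:
    mark: str
    path: str
    target: Optional[str]
    desc: str

def parse_layout(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m or (m["mark"] or "") not in LEGEND:
            raise ValueError(f"unrecognised layout line: {raw!r}")
        entries.append(Entry(m["mark"] or "", m["path"], m["target"], m["desc"] or ""))
    return entries

def substitute(path: str, instance: str, domain: str) -> str:
    """Fill both placeholder spellings: '<x_instance[.admin_domain]>' is one
    path component (instance.domain), '[admin_domain]/[x_instance]' is two."""
    path = re.sub(r"<(?:tomcat|apache)_instance\[\.admin_domain\]>",
                  f"{instance}.{domain}", path)
    path = path.replace("[admin_domain]", domain)
    return re.sub(r"\[(?:tomcat|apache)_instance\]", instance, path)

def check_links(entries: List[Entry], instance: str, domain: str) -> Dict[str, Tuple[str, bool]]:
    """Map each '#' link to (target, resolves); resolves is False when the
    target is not a path the layout lists, i.e. the link would dangle."""
    listed = {substitute(e.path, instance, domain) for e in entries}
    report = {}
    for e in entries:
        if e.mark == "#":
            link = substitute(e.path, instance, domain)
            target = substitute(e.target, instance, domain)
            report[link] = (target, target in listed)
    return report

# Constructed sample: a subset of the tomcat instance lines, in the page's notation.
SAMPLE = """\
+    /etc/pki/<tomcat_instance[.admin_domain]>/alias       (shared NSS security databases)
+    /var/lib/pki/<tomcat_instance[.admin_domain]>         (CA / KRA / OCSP / TKS shared base files)
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/alias -> /etc/pki/[admin_domain]/[tomcat_instance]/alias (link to shared NSS security databases)
+    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/WEB-INF/classes
+/-  /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca
#    /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/ca/WEB-INF/classes -> /var/lib/pki/<tomcat_instance[.admin_domain]>/webapps/WEB-INF/classes
"""
```

Run on the constructed sample, the webapps/ca/WEB-INF/classes link resolves, while the alias link does not, because its target is spelled with the `[admin_domain]/[tomcat_instance]` notation and the listed alias directory with `<tomcat_instance[.admin_domain]>`.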

File System Directory Layout (Legacy)

CA
   # find /var/lib/pki-ca -type d -print | sort
   /var/lib/pki-ca
   /var/lib/pki-ca/alias
   /var/lib/pki-ca/common
   /var/lib/pki-ca/common/lib
   /var/lib/pki-ca/emails
   /var/lib/pki-ca/profiles
   /var/lib/pki-ca/profiles/ca
   /var/lib/pki-ca/shared
   /var/lib/pki-ca/shared/classes
   /var/lib/pki-ca/shared/lib
   /var/lib/pki-ca/temp
   /var/lib/pki-ca/webapps
   /var/lib/pki-ca/webapps/ROOT
   /var/lib/pki-ca/webapps/ROOT/WEB-INF
   /var/lib/pki-ca/webapps/ca
   /var/lib/pki-ca/webapps/ca/WEB-INF
   /var/lib/pki-ca/webapps/ca/WEB-INF/classes
   /var/lib/pki-ca/webapps/ca/WEB-INF/lib
   /var/lib/pki-ca/webapps/ca/admin
   /var/lib/pki-ca/webapps/ca/admin/ca
   /var/lib/pki-ca/webapps/ca/admin/console
   /var/lib/pki-ca/webapps/ca/admin/console/config
   /var/lib/pki-ca/webapps/ca/admin/console/img
   /var/lib/pki-ca/webapps/ca/admin/console/js
   /var/lib/pki-ca/webapps/ca/admin/graphics
   /var/lib/pki-ca/webapps/ca/agent
   /var/lib/pki-ca/webapps/ca/agent/ca
   /var/lib/pki-ca/webapps/ca/agent/graphics
   /var/lib/pki-ca/webapps/ca/css
   /var/lib/pki-ca/webapps/ca/ee
   /var/lib/pki-ca/webapps/ca/ee/ca
   /var/lib/pki-ca/webapps/ca/ee/ca/policyEnrollment
   /var/lib/pki-ca/webapps/ca/ee/ca/profileEnrollment
   /var/lib/pki-ca/webapps/ca/ee/graphics
   /var/lib/pki-ca/webapps/ca/img
   /var/lib/pki-ca/work
   /var/lib/pki-ca/work/Catalina
   /var/lib/pki-ca/work/Catalina/localhost
   /var/lib/pki-ca/work/Catalina/localhost/_
   /var/lib/pki-ca/work/Catalina/localhost/ca
   # find /var/lib/pki-ca -type l -print | sort (manually excluded symlinks to files)
   /var/lib/pki-ca/conf -> /etc/pki-ca
   /var/lib/pki-ca/logs -> /var/log/pki-ca
                           /var/log/pki-ca/signedAudit
   # Named CA registries
   /etc/sysconfig/pki/ca
   # CA locks
   /var/lock/pki
   /var/lock/pki/ca
   # CA pids
   /var/run/pki
   /var/run/pki/ca
KRA
   # find /var/lib/pki-kra -type d -print | sort
   /var/lib/pki-kra
   /var/lib/pki-kra/alias
   /var/lib/pki-kra/common
   /var/lib/pki-kra/common/lib
   /var/lib/pki-kra/shared
   /var/lib/pki-kra/shared/classes
   /var/lib/pki-kra/shared/lib
   /var/lib/pki-kra/temp
   /var/lib/pki-kra/webapps
   /var/lib/pki-kra/webapps/ROOT
   /var/lib/pki-kra/webapps/ROOT/WEB-INF
   /var/lib/pki-kra/webapps/kra
   /var/lib/pki-kra/webapps/kra/WEB-INF
   /var/lib/pki-kra/webapps/kra/WEB-INF/classes
   /var/lib/pki-kra/webapps/kra/WEB-INF/lib
   /var/lib/pki-kra/webapps/kra/admin
   /var/lib/pki-kra/webapps/kra/admin/console
   /var/lib/pki-kra/webapps/kra/admin/console/config
   /var/lib/pki-kra/webapps/kra/admin/console/img
   /var/lib/pki-kra/webapps/kra/admin/console/js
   /var/lib/pki-kra/webapps/kra/agent
   /var/lib/pki-kra/webapps/kra/agent/graphics
   /var/lib/pki-kra/webapps/kra/agent/kra
   /var/lib/pki-kra/webapps/kra/css
   /var/lib/pki-kra/webapps/kra/img
   /var/lib/pki-kra/work
   /var/lib/pki-kra/work/Catalina
   /var/lib/pki-kra/work/Catalina/localhost
   /var/lib/pki-kra/work/Catalina/localhost/_
   /var/lib/pki-kra/work/Catalina/localhost/kra
   # find /var/lib/pki-kra -type l -print | sort (manually excluded symlinks to files)
   /var/lib/pki-kra/conf -> /etc/pki-kra
   /var/lib/pki-kra/logs -> /var/log/pki-kra
                            /var/log/pki-kra/signedAudit
   # Named KRA registries
   /etc/sysconfig/pki/kra
   # KRA locks
   /var/lock/pki
   /var/lock/pki/kra
   # KRA pids
   /var/run/pki
   /var/run/pki/kra
OCSP
RA
TKS
TPS