Remove redundant default values in CS.cfg

Some default values in CS.cfg have been removed since they will be overwritten by pkispawn.
dogtagpki · Jun 11, 2024 · 1dde79c · 1dde79c
1 parent a5e513a
commit 1dde79c
Show file tree

Hide file tree

Showing 6 changed files with 81 additions and 46 deletions.
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
@@ -551,7 +551,7 @@ ca.notification.requestInQ.emailTemplate=[pki_instance_path]/ca/emails/reqInQueu
 ca.notification.requestInQ.enabled=false
 ca.notification.requestInQ.recipientEmail=
 ca.notification.requestInQ.senderEmail=
-ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[pki_instance_name]
+ca.ocsp_signing.cacertnickname=
 ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
 ca.ocsp_signing.tokenname=internal
 ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
@@ -634,14 +634,14 @@ cmsgateway._002=## for a given instance, perform the following steps to
 cmsgateway._003=## re-enroll for a new Admin Certificate:
 cmsgateway._004=##
 cmsgateway._005=##   (1) Become 'root'
-cmsgateway._006=##   (2) Type:  'systemctl stop pki-tomcatd@[pki_instance_name].service'
+cmsgateway._006=##   (2) Type:  'systemctl stop pki-tomcatd@<instance>.service'
 cmsgateway._007=##   (3) Edit this file
 cmsgateway._008=##       and set the following name-value pairs (if necessary):
 cmsgateway._009=##
 cmsgateway._010=##           ca.Policy.enable=true
 cmsgateway._011=##           cmsgateway.enableAdminEnroll=true
 cmsgateway._012=##
-cmsgateway._013=##   (4) Type:  'systemctl start pki-tomcatd@[pki_instance_name].service'
+cmsgateway._013=##   (4) Type:  'systemctl start pki-tomcatd@<instance>.service'
 cmsgateway._014=##   (5) Launch a browser and re-enroll for
 cmsgateway._015=##       a new Admin Certificate by typing:
 cmsgateway._016=##
@@ -791,7 +791,7 @@ log.instance.SignedAudit.rolloverInterval=2592000
 log.instance.SignedAudit.signedAudit._000=##
 log.instance.SignedAudit.signedAudit._001=## Fill in the nickname of a trusted signing certificate to allow CA audit logs to be signed
 log.instance.SignedAudit.signedAudit._002=##
-log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[pki_instance_name]
+log.instance.SignedAudit.signedAuditCertNickname=
 log.instance.SignedAudit.type=signedAudit
 oidmap.auth_info_access.class=org.mozilla.jss.netscape.security.extensions.AuthInfoAccessExtension
 oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1

diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
@@ -153,8 +153,8 @@ kra.storageUnit.wrapping.1.payloadEncryptionIVLen=16
 kra.storageUnit.wrapping.1.payloadWrapAlgorithm=AES KeyWrap/Padding
 kra.storageUnit.wrapping.1.sessionKeyType=AES
 kra.storageUnit.wrapping.choice=1
-kra.storageUnit.nickName=storageCert cert-[pki_instance_name]
-kra.transportUnit.nickName=transportCert cert-[pki_instance_name]
+kra.storageUnit.nickName=
+kra.transportUnit.nickName=
 log._000=##
 log._001=## Logging
 log._002=##
@@ -196,7 +196,7 @@ log.instance.SignedAudit.rolloverInterval=2592000
 log.instance.SignedAudit.signedAudit._000=##
 log.instance.SignedAudit.signedAudit._001=## Fill in the nickname of a trusted signing certificate to allow KRA audit logs to be signed
 log.instance.SignedAudit.signedAudit._002=##
-log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[pki_instance_name]
+log.instance.SignedAudit.signedAuditCertNickname=
 log.instance.SignedAudit.type=signedAudit
 oidmap.auth_info_access.class=org.mozilla.jss.netscape.security.extensions.AuthInfoAccessExtension
 oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1

diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg
@@ -123,7 +123,7 @@ log.instance.SignedAudit.rolloverInterval=2592000
 log.instance.SignedAudit.signedAudit._000=##
 log.instance.SignedAudit.signedAudit._001=## Fill in the nickname of a trusted signing certificate to allow OCSP audit logs to be signed
 log.instance.SignedAudit.signedAudit._002=##
-log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[pki_instance_name]
+log.instance.SignedAudit.signedAuditCertNickname=
 log.instance.SignedAudit.type=signedAudit
 ocsp.certNickname=
 ocsp.storeId=defStore

diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
@@ -1128,6 +1128,9 @@ def init_subsystem(self, subsystem):
             subsystem.set_config(
                 'auths.instance.ldap1.ldap.ldapconn.secureConn',
                 self.mdict['pki_authdb_secure_conn'])
+            subsystem.set_config(
+                'auths.instance.ldap1.ldap.ldapauth.clientCertNickname',
+                self.mdict['pki_subsystem_nickname'])
 
     def configure_ca(self, subsystem):
 
@@ -1338,37 +1341,69 @@ def configure_tps(self, subsystem):
             subsystem.set_config('tps.connector.tks1.serverKeygen', 'true')
 
             # TODO: see if there are other profiles need to be configured
-            subsystem.config[
-                'op.enroll.userKey.keyGen.encryption.serverKeygen.enable'] = 'true'
-            subsystem.config[
-                'op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable'] = 'true'
-            subsystem.config[
-                'op.enroll.soKey.keyGen.encryption.serverKeygen.enable'] = 'true'
-            subsystem.config[
-                'op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable'] = 'true'
+            subsystem.set_config(
+                'op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.enable',
+                'true')
+            subsystem.set_config(
+                'op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.enable',
+                'true')
+            subsystem.set_config(
+                'op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.enable',
+                'true')
+            subsystem.set_config(
+                'op.enroll.soKey.keyGen.encryption.serverKeygen.enable',
+                'true')
+            subsystem.set_config(
+                'op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable',
+                'true')
+            subsystem.set_config(
+                'op.enroll.userKey.keyGen.encryption.serverKeygen.enable',
+                'true')
+            subsystem.set_config(
+                'op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable',
+                'true')
 
         else:
             # TODO: see if there are other profiles need to be configured
-            subsystem.config[
-                'op.enroll.userKey.keyGen.encryption.serverKeygen.enable'] = 'false'
-            subsystem.config[
-                'op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable'] = 'false'
-            subsystem.config[
-                'op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme'
-            ] = 'GenerateNewKey'
-            subsystem.config[
-                'op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme'
-            ] = 'GenerateNewKey'
-            subsystem.config[
-                'op.enroll.soKey.keyGen.encryption.serverKeygen.enable'] = 'false'
-            subsystem.config[
-                'op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable'] = 'false'
-            subsystem.config[
-                'op.enroll.soKey.keyGen.encryption.recovery.destroyed.scheme'
-            ] = 'GenerateNewKey'
-            subsystem.config[
-                'op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.scheme'
-            ] = 'GenerateNewKey'
+            subsystem.set_config(
+                'op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.enable',
+                'false')
+
+            subsystem.set_config(
+                'op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.enable',
+                'false')
+
+            subsystem.set_config(
+                'op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.enable',
+                'false')
+
+            subsystem.set_config(
+                'op.enroll.soKey.keyGen.encryption.serverKeygen.enable',
+                'false')
+            subsystem.set_config(
+                'op.enroll.soKey.keyGen.encryption.recovery.destroyed.scheme',
+                'GenerateNewKey')
+
+            subsystem.set_config(
+                'op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable',
+                'false')
+            subsystem.set_config(
+                'op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.scheme',
+                'GenerateNewKey')
+
+            subsystem.set_config(
+                'op.enroll.userKey.keyGen.encryption.serverKeygen.enable',
+                'false')
+            subsystem.set_config(
+                'op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme',
+                'GenerateNewKey')
+
+            subsystem.set_config(
+                'op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable',
+                'false')
+            subsystem.set_config(
+                'op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme',
+                'GenerateNewKey')
 
     def configure_subsystem(self, subsystem):
 

diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg
@@ -122,7 +122,7 @@ log.instance.SignedAudit.rolloverInterval=2592000
 log.instance.SignedAudit.signedAudit._000=##
 log.instance.SignedAudit.signedAudit._001=## Fill in the nickname of a trusted signing certificate to allow TKS audit logs to be signed
 log.instance.SignedAudit.signedAudit._002=##
-log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[pki_instance_name]
+log.instance.SignedAudit.signedAuditCertNickname=
 log.instance.SignedAudit.type=signedAudit
 oidmap.auth_info_access.class=org.mozilla.jss.netscape.security.extensions.AuthInfoAccessExtension
 oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1

diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
@@ -73,7 +73,7 @@ auths.instance.ldap1.ldap.minConns=3
 auths.instance.ldap1.ldap.ldapauth.authtype=BasicAuth
 auths.instance.ldap1.ldap.ldapauth.bindDN=
 auths.instance.ldap1.ldap.ldapauth.bindPWPrompt=ldap1
-auths.instance.ldap1.ldap.ldapauth.clientCertNickname=subsystemCert cert-[pki_instance_name]
+auths.instance.ldap1.ldap.ldapauth.clientCertNickname=
 auths.instance.ldap1.ldap.ldapconn.host=localhost
 auths.instance.ldap1.ldap.ldapconn.port=389
 auths.instance.ldap1.ldap.ldapconn.secureConn=false
@@ -238,7 +238,7 @@ log.instance.SignedAudit.rolloverInterval=2592000
 log.instance.SignedAudit.signedAudit._000=##
 log.instance.SignedAudit.signedAudit._001=## Fill in the nickname of a trusted signing certificate to allow TPS audit logs to be signed
 log.instance.SignedAudit.signedAudit._002=##
-log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[pki_instance_name]
+log.instance.SignedAudit.signedAuditCertNickname=
 log.instance.SignedAudit.type=signedAudit
 machineName=[pki_hostname]
 multiroles._000=##
@@ -373,7 +373,7 @@ op.enroll.delegateIEtoken.keyGen.encryption.public.keyCapabilities.verifyRecover
 op.enroll.delegateIEtoken.keyGen.encryption.public.keyCapabilities.wrap=true
 op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.archive=true
 op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.enable=[pki_enable_server_side_keygen]
+op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.enable=false
 op.enroll.delegateIEtoken.keyGen.keyType.num=1
 op.enroll.delegateIEtoken.keyGen.keyType.value.0=authentication
 op.enroll.delegateIEtoken.keyGen.recovery.destroyed.keyType.num=1
@@ -595,7 +595,7 @@ op.enroll.delegateISEtoken.keyGen.encryption.recovery.onHold.holdRevocationUntil
 op.enroll.delegateISEtoken.keyGen.encryption.recovery.onHold.revokeExpiredCerts=false
 op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.archive=true
 op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.enable=[pki_enable_server_side_keygen]
+op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.enable=false
 op.enroll.delegateISEtoken.keyGen.keyType.num=2
 op.enroll.delegateISEtoken.keyGen.keyType.value.0=signing
 op.enroll.delegateISEtoken.keyGen.keyType.value.1=authentication
@@ -808,7 +808,7 @@ op.enroll.externalRegAddToToken.keyGen.encryption.recovery.onHold.holdRevocation
 op.enroll.externalRegAddToToken.keyGen.encryption.recovery.onHold.revokeExpiredCerts=false
 op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.archive=true
 op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.enable=[pki_enable_server_side_keygen]
+op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.enable=false
 op.enroll.externalRegAddToToken.keyGen.tokenName=$auth.cn$
 op.enroll.externalRegAddToToken.loginRequest.enable=true
 op.enroll.externalRegAddToToken.pkcs11obj.compress.enable=true
@@ -1217,7 +1217,7 @@ op.enroll.soKey.keyGen.encryption.recovery.onHold.holdRevocationUntilLastCredent
 op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeExpiredCerts=false
 op.enroll.soKey.keyGen.encryption.serverKeygen.archive=true
 op.enroll.soKey.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.soKey.keyGen.encryption.serverKeygen.enable=[pki_enable_server_side_keygen]
+op.enroll.soKey.keyGen.encryption.serverKeygen.enable=false
 op.enroll.soKey.keyGen.keyType.num=2
 op.enroll.soKey.keyGen.keyType.value.0=signing
 op.enroll.soKey.keyGen.keyType.value.1=encryption
@@ -1392,7 +1392,7 @@ op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
 op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
 op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.archive=true
 op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable=[pki_enable_server_side_keygen]
+op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable=false
 op.enroll.soKeyTemporary.keyGen.keyType.num=3
 op.enroll.soKeyTemporary.keyGen.keyType.value.0=auth
 op.enroll.soKeyTemporary.keyGen.keyType.value.1=signing
@@ -1541,7 +1541,7 @@ op.enroll.userKey.keyGen.encryption.recovery.onHold.holdRevocationUntilLastCrede
 op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeExpiredCerts=false
 op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
 op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.userKey.keyGen.encryption.serverKeygen.enable=[pki_enable_server_side_keygen]
+op.enroll.userKey.keyGen.encryption.serverKeygen.enable=false
 op.enroll.userKey.keyGen.keyType.num=2
 op.enroll.userKey.keyGen.keyType.value.0=signing
 op.enroll.userKey.keyGen.keyType.value.1=encryption
@@ -1729,7 +1729,7 @@ op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
 op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
 op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.archive=true
 op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=kra1
-op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable=[pki_enable_server_side_keygen]
+op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable=false
 op.enroll.userKeyTemporary.keyGen.keyType.num=3
 op.enroll.userKeyTemporary.keyGen.keyType.value.0=auth
 op.enroll.userKeyTemporary.keyGen.keyType.value.1=signing