# Python, keep every statement on a single line

%{!?__python2: %global __python2 /usr/bin/python2}

%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}

%if 0%{?fedora} || 0%{?rhel} > 7

%global with_python3 1

%else

%global with_python3 0

%endif

%if 0%{?rhel}

# Package RHEL-specific RPMS Only

%global package_rhel_packages 1

# Package RHCS-specific RPMS Only

%global package_rhcs_packages 0

%define pki_core_rhel_version 10.5.9

%else

# 0%{?fedora}

# Fedora always packages all RPMS

%global package_fedora_packages 1

%endif

# Java

%define java_home /usr/lib/jvm/jre-1.8.0-openjdk

# Tomcat

%if 0%{?fedora} || 0%{?rhel} > 7

%define with_tomcat7 0

%define with_tomcat8 1

%else

%define with_tomcat7 1

%define with_tomcat8 0

%endif

# RESTEasy

%if 0%{?rhel} && 0%{?rhel} <= 7

%define jaxrs_api_jar /usr/share/java/resteasy-base/jaxrs-api.jar

%define resteasy_lib /usr/share/java/resteasy-base

%else

%define jaxrs_api_jar /usr/share/java/jboss-jaxrs-2.0-api.jar

%define resteasy_lib /usr/share/java/resteasy

%endif

# Dogtag

%bcond_without    server

%bcond_without    javadoc

# ignore unpackaged files from native 'tpsclient'

# REMINDER:  Remove this '%%define' once 'tpsclient' is rewritten as a Java app

%define _unpackaged_files_terminate_build 0

# pkiuser and group. The uid and gid are preallocated

# see /usr/share/doc/setup/uidgid

%define pki_username pkiuser

%define pki_uid 17

%define pki_groupname pkiuser

%define pki_gid 17

%define pki_homedir /usr/share/pki

# Optionally fetch the release from the environment variable 'PKI_RELEASE'

%define use_pki_release %{getenv:USE_PKI_RELEASE}

%if 0%{?use_pki_release}

%define pki_release %{getenv:PKI_RELEASE}

%endif

Name:             pki-core

%if 0%{?rhel}

Version:                10.5.9

%define redhat_release  13

%define redhat_stage    0

#%define default_release %{redhat_release}.%{redhat_stage}

%define default_release %{redhat_release}

%else

Version:                10.5.14

%define fedora_release  3

%define fedora_stage    0

#%define default_release %{fedora_release}.%{fedora_stage}

%define default_release %{fedora_release}

%endif

%if 0%{?use_pki_release}

#Release:          %{pki_release}%{?dist}

Release:          %{pki_release}.el7_6

%else

#Release:          %{default_release}%{?dist}

Release:          %{default_release}.el7_6

%endif

Summary:          Certificate System - PKI Core Components

URL:              http://pki.fedoraproject.org/

License:          GPLv2

Group:            System Environment/Daemons

BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

BuildRequires:    cmake >= 2.8.9-1

BuildRequires:    gcc-c++

BuildRequires:    zip

BuildRequires:    java-1.8.0-openjdk-devel

BuildRequires:    redhat-rpm-config

BuildRequires:    ldapjdk >= 4.19-5

BuildRequires:    apache-commons-cli

BuildRequires:    apache-commons-codec

BuildRequires:    apache-commons-io

BuildRequires:    apache-commons-lang

BuildRequires:    jakarta-commons-httpclient

BuildRequires:    slf4j

%if 0%{?fedora} || 0%{?rhel} > 7

BuildRequires:    slf4j-jdk14

%endif

BuildRequires:    nspr-devel

BuildRequires:    nss-devel >= 3.28.3

%if 0%{?rhel} && 0%{?rhel} <= 7

BuildRequires:    nuxwdog-client-java >= 1.0.3-8

%else

BuildRequires:    nuxwdog-client-java >= 1.0.3-14

%endif

BuildRequires:    openldap-devel

BuildRequires:    pkgconfig

BuildRequires:    policycoreutils

BuildRequires:    python-lxml

BuildRequires:    python-sphinx

BuildRequires:    velocity

BuildRequires:    xalan-j2

BuildRequires:    xerces-j2

%if 0%{?rhel} && 0%{?rhel} <= 7

# 'resteasy-base' is a subset of the complete set of

# 'resteasy' packages and consists of what is needed to

# support the PKI Restful interface on certain RHEL platforms

BuildRequires:    resteasy-base-atom-provider >= 3.0.6-1

BuildRequires:    resteasy-base-client >= 3.0.6-1

BuildRequires:    resteasy-base-jaxb-provider >= 3.0.6-1

BuildRequires:    resteasy-base-jaxrs >= 3.0.6-1

BuildRequires:    resteasy-base-jaxrs-api >= 3.0.6-1

BuildRequires:    resteasy-base-jackson-provider >= 3.0.6-1

%else

BuildRequires:    jboss-annotations-1.2-api

BuildRequires:    jboss-jaxrs-2.0-api

BuildRequires:    jboss-logging

BuildRequires:    resteasy-atom-provider >= 3.0.17-1

BuildRequires:    resteasy-client >= 3.0.17-1

BuildRequires:    resteasy-jaxb-provider >= 3.0.17-1

BuildRequires:    resteasy-core >= 3.0.17-1

BuildRequires:    resteasy-jackson-provider >= 3.0.17-1

%endif

%if 0%{?fedora} || 0%{?rhel} > 7

BuildRequires:    pylint

BuildRequires:    python-flake8 >= 2.5.4

BuildRequires:    python3-flake8 >= 2.5.4

# python-flake8 2.5.4 package should require pyflakes >= 1.2.3

BuildRequires:    pyflakes >= 1.2.3

# python3-flake8 2.5.4 package should require python3-pyflakes >= 1.2.3

BuildRequires:    python3-pyflakes >= 1.2.3

%endif

BuildRequires:    python2-cryptography

BuildRequires:    python-nss

BuildRequires:    python-requests >= 2.6.0

BuildRequires:    python-six

BuildRequires:    libselinux-python

BuildRequires:    policycoreutils-python

%if 0%{?fedora} || 0%{?rhel} > 7

BuildRequires:    policycoreutils-python-utils

%endif

BuildRequires:    python-ldap

BuildRequires:    junit

BuildRequires:    jpackage-utils >= 0:1.7.5-10

BuildRequires:    jss >= 4.4.4-5

%if 0%{?rhel} && 0%{?rhel} <= 7

BuildRequires:    tomcatjss >= 7.2.1-8

%else

BuildRequires:    tomcatjss >= 7.2.4-4

%endif

BuildRequires:    systemd-units

%if 0%{?with_python3}

BuildRequires:  python3-cryptography

BuildRequires:  python3-devel

BuildRequires:  python3-lxml

BuildRequires:  python3-nss

BuildRequires:  python3-pyldap

BuildRequires:  python3-requests >= 2.6.0

BuildRequires:  python3-six

%endif  # with_python3

BuildRequires:  python-devel

# additional build requirements needed to build native 'tpsclient'

# REMINDER:  Revisit these once 'tpsclient' is rewritten as a Java app

BuildRequires:    apr-devel

BuildRequires:    apr-util-devel

BuildRequires:    cyrus-sasl-devel

BuildRequires:    httpd-devel >= 2.4.2

BuildRequires:    pcre-devel

BuildRequires:    python

BuildRequires:    systemd

BuildRequires:    zlib

BuildRequires:    zlib-devel

%if 0%{?rhel}

# NOTE:  In the future, as a part of its path, this URL will contain a release

#        directory which consists of the fixed number of the upstream release

#        upon which this tarball was originally based.

Source0:          http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{release}/rhel/%{name}-%{version}%{?prerel}.tar.gz

%else

Source0:          http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{release}/%{name}-%{version}%{?prerel}.tar.gz

%endif

Patch0:           pki-core-10.5.9-alpha.patch

Patch1:           pki-core-10.5.9-beta.patch

Patch2:           pki-core-nsds5replicaLastInitStatus-format.patch

Patch3:           pki-core-10.5.9-snapshot-1.patch

Patch4:           pki-core-10.5.9-batch-1.0.patch

Patch5:           pki-core-10.5.9-batch-2.0.patch

Patch6:           pki-core-CA-OCSP-SystemCertsVerification.patch

Patch7:           pki-core-Session-Timeout.patch

Patch8:           pki-core-Audit-Event-Names-Upgrade-Scripts.patch

Patch9:           pki-core-Verify-Cert-Before-Import.patch

Patch10:          pki-core-Audit-Event-Names-Upgrade-Scripts-2.patch

Patch11:          pki-core-10.5.9-batch-3.0.patch

# Obtain version phase number (e. g. - used by "alpha", "beta", etc.)

#

#     NOTE:  For "alpha" releases, will be ".a1", ".a2", etc.

#            For "beta" releases, will be ".b1", ".b2", etc.

#

%define version_phase "%(echo `echo %{version} | awk -F. '{ print $4 }'`)"

%global saveFileContext() \

if [ -s /etc/selinux/config ]; then \

     . %{_sysconfdir}/selinux/config; \

     FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \

     if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \

          cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \

     fi \

fi;

%global relabel() \

. %{_sysconfdir}/selinux/config; \

FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \

selinuxenabled; \

if [ $? == 0  -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \

     fixfiles -C ${FILE_CONTEXT}.%{name} restore; \

     rm -f ${FILE_CONTEXT}.%name; \

fi;

%global overview                                                       \

==================================                                     \

||  ABOUT "CERTIFICATE SYSTEM"  ||                                     \

==================================                                     \

                                                                       \

Certificate System (CS) is an enterprise software system designed      \

to manage enterprise Public Key Infrastructure (PKI) deployments.      \

                                                                       \

PKI Core contains ALL top-level java-based Tomcat PKI components:      \

                                                                       \

  * pki-symkey                                                         \

  * pki-base                                                           \

  * pki-base-python2 (alias for pki-base)                              \

  * pki-base-python3                                                   \

  * pki-base-java                                                      \

  * pki-tools                                                          \

  * pki-server                                                         \

  * pki-ca                                                             \

  * pki-kra                                                            \

  * pki-ocsp                                                           \

  * pki-tks                                                            \

  * pki-tps                                                            \

  * pki-javadoc                                                        \

                                                                       \

which comprise the following corresponding PKI subsystems:             \

                                                                       \

  * Certificate Authority (CA)                                         \

  * Key Recovery Authority (KRA)                                        \

  * Online Certificate Status Protocol (OCSP) Manager                  \

  * Token Key Service (TKS)                                            \

  * Token Processing Service (TPS)                                     \

                                                                       \

Python clients need only install the pki-base package.  This           \

package contains the python REST client packages and the client        \

upgrade framework.                                                     \

                                                                       \

Java clients should install the pki-base-java package.  This package   \

contains the legacy and REST Java client packages.  These clients      \

should also consider installing the pki-tools package, which contain   \

native and Java-based PKI tools and utilities.                         \

                                                                       \

Certificate Server instances require the fundamental classes and       \

modules in pki-base and pki-base-java, as well as the utilities in     \

pki-tools.  The main server classes are in pki-server, with subsystem  \

specific Java classes and resources in pki-ca, pki-kra, pki-ocsp etc.  \

                                                                       \

Finally, if Certificate System is being deployed as an individual or   \

set of standalone rather than embedded server(s)/service(s), it is     \

strongly recommended (though not explicitly required) to include at    \

least one PKI Theme package:                                           \

                                                                       \

  * dogtag-pki-theme (Dogtag Certificate System deployments)           \

    * dogtag-pki-server-theme                                          \

  * redhat-pki-server-theme (Red Hat Certificate System deployments)   \

    * redhat-pki-server-theme                                          \

  * customized pki theme (Customized Certificate System deployments)   \

    * <customized>-pki-server-theme                                    \

                                                                       \

  NOTE:  As a convenience for standalone deployments, top-level meta   \

         packages may be provided which bind a particular theme to     \

         these certificate server packages.                            \

                                                                       \

%{nil}

%description %{overview}

%package -n       pki-symkey

Summary:          Symmetric Key JNI Package

Group:            System Environment/Libraries

Requires:         java-1.8.0-openjdk-headless

Requires:         jpackage-utils >= 0:1.7.5-10

Requires:         jss >= 4.4.4-5

Requires:         nss >= 3.28.3

Provides:         symkey = %{version}-%{release}

Obsoletes:        symkey < %{version}-%{release}

%if 0%{?rhel} && 0%{?rhel} <= 7

## Because RHCS 9.0 does not run on RHEL 7.3+, obsolete all

## RHCS 9.0 packages that can be replaced by RHCS 9.1 packages:

# pki-console

Obsoletes:        pki-console < 10.3.0

# pki-core

Obsoletes:        pki-core-debug = 10.2.6

Obsoletes:        pki-ocsp < 10.3.0

Obsoletes:        pki-tks < 10.3.0

Obsoletes:        pki-tps < 10.3.0

# redhat-pki

Obsoletes:        redhat-pki < 10.3.0

# redhat-pki-theme

Obsoletes:        redhat-pki-console-theme < 10.3.0

Obsoletes:        redhat-pki-server-theme < 10.3.0

%endif

%description -n   pki-symkey

The Symmetric Key Java Native Interface (JNI) package supplies various native

symmetric key operations to Java programs.

This package is a part of the PKI Core used by the Certificate System.

%{overview}

%package -n       pki-base

Summary:          Certificate System - PKI Framework

Group:            System Environment/Base

BuildArch:        noarch

Provides:         pki-common = %{version}-%{release}

Provides:         pki-util = %{version}-%{release}

Provides:         pki-base-python2 = %{version}-%{release}

Obsoletes:        pki-common < %{version}-%{release}

Obsoletes:        pki-util < %{version}-%{release}

Conflicts:        freeipa-server < 3.0.0

Requires:         nss >= 3.28.3

Requires:         python2-cryptography

Requires:         python-nss

Requires:         python-requests >= 2.6.0

Requires:         python-six

%description -n   pki-base

The PKI Framework contains the common and client libraries and utilities

written in Python.  This package is a part of the PKI Core used by the

Certificate System.

%{overview}

%package -n       pki-base-java

Summary:          Certificate System - Java Framework

Group:            System Environment/Base

BuildArch:        noarch

Requires:         java-1.8.0-openjdk-headless

Requires:         apache-commons-cli

Requires:         apache-commons-codec

Requires:         apache-commons-io

Requires:         apache-commons-lang

Requires:         apache-commons-logging

Requires:         jakarta-commons-httpclient

Requires:         slf4j

%if 0%{?fedora} || 0%{?rhel} > 7

Requires:         slf4j-jdk14

%endif

Requires:         javassist

Requires:         jpackage-utils >= 0:1.7.5-10

Requires:         jss >= 4.4.4-5

Requires:         ldapjdk >= 4.19-5

Requires:         pki-base = %{version}-%{release}

%if 0%{?rhel} && 0%{?rhel} <= 7

# 'resteasy-base' is a subset of the complete set of

# 'resteasy' packages and consists of what is needed to

# support the PKI Restful interface on certain RHEL platforms

Requires:    resteasy-base-atom-provider >= 3.0.6-1

Requires:    resteasy-base-client >= 3.0.6-1

Requires:    resteasy-base-jaxb-provider >= 3.0.6-1

Requires:    resteasy-base-jaxrs >= 3.0.6-1

Requires:    resteasy-base-jaxrs-api >= 3.0.6-1

Requires:    resteasy-base-jackson-provider >= 3.0.6-1

%else

Requires:    resteasy-atom-provider >= 3.0.17-1

Requires:    resteasy-client >= 3.0.17-1

Requires:    resteasy-jaxb-provider >= 3.0.17-1

Requires:    resteasy-core >= 3.0.17-1

Requires:    resteasy-jackson-provider >= 3.0.17-1

%endif

Requires:         xalan-j2

Requires:         xerces-j2

Requires:         xml-commons-apis

Requires:         xml-commons-resolver

%description -n   pki-base-java

The PKI Framework contains the common and client libraries and utilities

written in Java.  This package is a part of the PKI Core used by the

Certificate System.

This package is a part of the PKI Core used by the Certificate System.

%{overview}

%if 0%{?with_python3}

%package -n       pki-base-python3

Summary:          Certificate System - PKI Framework

Group:            System Environment/Base

BuildArch:        noarch

Requires:         pki-base = %{version}-%{release}

Requires:         python3-cryptography

Requires:         python3-lxml

Requires:         python3-nss

Requires:         python3-requests >= 2.6.0

Requires:         python3-six

%description -n   pki-base-python3

This package contains PKI client library for Python 3.

This package is a part of the PKI Core used by the Certificate System.

%{overview}

%endif  # with_python3 for python3-pki

%package -n       pki-tools

Summary:          Certificate System - PKI Tools

Group:            System Environment/Base

Provides:         pki-native-tools = %{version}-%{release}

Provides:         pki-java-tools = %{version}-%{release}

Obsoletes:        pki-native-tools < %{version}-%{release}

Obsoletes:        pki-java-tools < %{version}-%{release}

Requires:         openldap-clients

Requires:         nss-tools >= 3.28.3

Requires:         java-1.8.0-openjdk-headless

Requires:         pki-base = %{version}-%{release}

Requires:         pki-base-java = %{version}-%{release}

Requires:         jpackage-utils >= 0:1.7.5-10

%if 0%{?fedora} || 0%{?rhel} > 7

Requires:         tomcat-servlet-3.1-api

%endif

%description -n   pki-tools

This package contains PKI executables that can be used to help make

Certificate System into a more complete and robust PKI solution.

This package is a part of the PKI Core used by the Certificate System.

%{overview}

%if %{with server}

%package -n       pki-server

Summary:          Certificate System - PKI Server Framework

Group:            System Environment/Base

BuildArch:        noarch

Provides:         pki-deploy = %{version}-%{release}

Provides:         pki-setup = %{version}-%{release}

Provides:         pki-silent = %{version}-%{release}

Obsoletes:        pki-deploy < %{version}-%{release}

Obsoletes:        pki-setup < %{version}-%{release}

Obsoletes:        pki-silent < %{version}-%{release}

Requires:         java-1.8.0-openjdk-headless

Requires:         hostname

Requires:         net-tools

%if 0%{?rhel} && 0%{?rhel} <= 7

Requires:    nuxwdog-client-java >= 1.0.3-8

%else

Requires:    nuxwdog-client-java >= 1.0.3-14

%endif

Requires:         policycoreutils

Requires:         procps-ng

Requires:         openldap-clients

%if 0%{?rhel} && 0%{?rhel} <= 7

Requires:         openssl >= 1.0.2k-11

%else

Requires:         openssl

%endif

Requires:         pki-base = %{version}-%{release}

Requires:         pki-base-java = %{version}-%{release}

Requires:         pki-tools = %{version}-%{release}

Requires:         python-ldap

Requires:         python-lxml

Requires:         libselinux-python

Requires:         policycoreutils-python

%if 0%{?fedora} || 0%{?rhel} > 7

Requires:         policycoreutils-python-utils

%endif

Requires:         selinux-policy-targeted >= 3.13.1-159

Obsoletes:        pki-selinux

%if 0%{?rhel} && 0%{?rhel} <= 7

Requires:         tomcat >= 7.0.69

%else

Requires:         tomcat >= 7.0.68

Requires:         tomcat-el-3.0-api

Requires:         tomcat-jsp-2.3-api

Requires:         tomcat-servlet-3.1-api

%endif

Requires:         velocity

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

Requires(pre):    shadow-utils

%if 0%{?rhel} && 0%{?rhel} <= 7

Requires:         tomcatjss >= 7.2.1-8

%else

Requires:         tomcatjss >= 7.2.4-4

%endif

%if 0%{?rhel} && 0%{?rhel} <= 7

## Because RHCS 9.0 does not run on RHEL 7.3+, obsolete all

## RHCS 9.0 packages that can be replaced by RHCS 9.1 packages:

# pki-console

Obsoletes:        pki-console < 10.3.0

# pki-core

Obsoletes:        pki-core-debug = 10.2.6

Obsoletes:        pki-ocsp < 10.3.0

Obsoletes:        pki-tks < 10.3.0

Obsoletes:        pki-tps < 10.3.0

# redhat-pki

Obsoletes:        redhat-pki < 10.3.0

# redhat-pki-theme

Obsoletes:        redhat-pki-console-theme < 10.3.0

Obsoletes:        redhat-pki-server-theme < 10.3.0

%endif

%description -n   pki-server

The PKI Server Framework is required by the following four PKI subsystems:

    the Certificate Authority (CA),

    the Key Recovery Authority (KRA),

    the Online Certificate Status Protocol (OCSP) Manager,

    the Token Key Service (TKS), and

    the Token Processing Service (TPS).

This package is a part of the PKI Core used by the Certificate System.

The package contains scripts to create and remove PKI subsystems.

%{overview}

%package -n       pki-ca

Summary:          Certificate System - Certificate Authority

Group:            System Environment/Daemons

BuildArch:        noarch

Requires:         java-1.8.0-openjdk-headless

Requires:         pki-server = %{version}-%{release}

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

%description -n   pki-ca

The Certificate Authority (CA) is a required PKI subsystem which issues,

renews, revokes, and publishes certificates as well as compiling and

publishing Certificate Revocation Lists (CRLs).

The Certificate Authority can be configured as a self-signing Certificate

Authority, where it is the root CA, or it can act as a subordinate CA,

where it obtains its own signing certificate from a public CA.

This package is one of the top-level java-based Tomcat PKI subsystems

provided by the PKI Core used by the Certificate System.

%{overview}

%package -n       pki-kra

Summary:          Certificate System - Key Recovery Authority

Group:            System Environment/Daemons

BuildArch:        noarch

Requires:         java-1.8.0-openjdk-headless

Requires:         pki-server = %{version}-%{release}

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

%description -n   pki-kra

The Key Recovery Authority (KRA) is an optional PKI subsystem that can act

as a key archival facility.  When configured in conjunction with the

Certificate Authority (CA), the KRA stores private encryption keys as part of

the certificate enrollment process.  The key archival mechanism is triggered

when a user enrolls in the PKI and creates the certificate request.  Using the

Certificate Request Message Format (CRMF) request format, a request is

generated for the user's private encryption key.  This key is then stored in

the KRA which is configured to store keys in an encrypted format that can only

be decrypted by several agents requesting the key at one time, providing for

protection of the public encryption keys for the users in the PKI deployment.

Note that the KRA archives encryption keys; it does NOT archive signing keys,

since such archival would undermine non-repudiation properties of signing keys.

This package is one of the top-level java-based Tomcat PKI subsystems

provided by the PKI Core used by the Certificate System.

%{overview}

%package -n       pki-ocsp

Summary:          Certificate System - Online Certificate Status Protocol Manager

Group:            System Environment/Daemons

BuildArch:        noarch

Requires:         java-1.8.0-openjdk-headless

%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}

Requires:         pki-server = %{version}-%{release}

%else

Requires:         pki-server >= %{pki_core_rhel_version}

%endif

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

%description -n   pki-ocsp

The Online Certificate Status Protocol (OCSP) Manager is an optional PKI

subsystem that can act as a stand-alone OCSP service.  The OCSP Manager

performs the task of an online certificate validation authority by enabling

OCSP-compliant clients to do real-time verification of certificates.  Note

that an online certificate-validation authority is often referred to as an

OCSP Responder.

Although the Certificate Authority (CA) is already configured with an

internal OCSP service.  An external OCSP Responder is offered as a separate

subsystem in case the user wants the OCSP service provided outside of a

firewall while the CA resides inside of a firewall, or to take the load of

requests off of the CA.

The OCSP Manager can receive Certificate Revocation Lists (CRLs) from

multiple CA servers, and clients can query the OCSP Manager for the

revocation status of certificates issued by all of these CA servers.

When an instance of OCSP Manager is set up with an instance of CA, and

publishing is set up to this OCSP Manager, CRLs are published to it

whenever they are issued or updated.

This package is one of the top-level java-based Tomcat PKI subsystems

provided by the PKI Core used by the Certificate System.

%{overview}

%package -n       pki-tks

Summary:          Certificate System - Token Key Service

Group:            System Environment/Daemons

BuildArch:        noarch

Requires:         java-1.8.0-openjdk-headless

%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}

Requires:         pki-server = %{version}-%{release}

Requires:         pki-symkey = %{version}-%{release}

%else

Requires:         pki-server >= %{pki_core_rhel_version}

Requires:         pki-symkey >= %{pki_core_rhel_version}

%endif

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

%description -n   pki-tks

The Token Key Service (TKS) is an optional PKI subsystem that manages the

master key(s) and the transport key(s) required to generate and distribute

keys for hardware tokens.  TKS provides the security between tokens and an

instance of Token Processing System (TPS), where the security relies upon the

relationship between the master key and the token keys.  A TPS communicates

with a TKS over SSL using client authentication.