# Python

%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from

distutils.sysconfig import get_python_lib; print(get_python_lib())")}

%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from

distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}

# Tomcat

%if 0%{?fedora} >= 23

%define with_tomcat7 0

%define with_tomcat8 1

%else

# 0%{?rhel} || 0%{?fedora} <= 22

%define with_tomcat7 1

%define with_tomcat8 0

%endif

# RESTEasy

%if 0%{?rhel}

%define resteasy_lib /usr/share/java/resteasy-base

%else

# 0%{?fedora}

%define resteasy_lib /usr/share/java/resteasy

%endif

# Dogtag

%bcond_without    server

%bcond_without    javadoc

# ignore unpackaged files from native 'tpsclient'

# REMINDER:  Remove this '%%define' once 'tpsclient' is rewritten as a Java app

%define _unpackaged_files_terminate_build 0

# pkiuser and group. The uid and gid are preallocated

# see /usr/share/doc/setup/uidgid

%define pki_username pkiuser

%define pki_uid 17

%define pki_groupname pkiuser

%define pki_gid 17

%define pki_homedir /usr/share/pki

Name:             pki-core

Version:          10.2.5

Release:          6%{?dist}

Summary:          Certificate System - PKI Core Components

URL:              http://pki.fedoraproject.org/

License:          GPLv2

Group:            System Environment/Daemons

BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

BuildRequires:    cmake >= 2.8.9-1

BuildRequires:    zip

BuildRequires:    java-devel >= 1:1.7.0

BuildRequires:    redhat-rpm-config

BuildRequires:    ldapjdk

BuildRequires:    apache-commons-cli

BuildRequires:    apache-commons-codec

BuildRequires:    apache-commons-io

BuildRequires:    apache-commons-lang

BuildRequires:    jakarta-commons-httpclient

BuildRequires:    nspr-devel

BuildRequires:    nss-devel >= 3.14.3

%if 0%{?rhel}

BuildRequires:    nuxwdog-client-java >= 1.0.1-11

%else

BuildRequires:    nuxwdog-client-java >= 1.0.3

%endif

BuildRequires:    openldap-devel

BuildRequires:    pkgconfig

BuildRequires:    policycoreutils

BuildRequires:    python-lxml

BuildRequires:    python-sphinx

BuildRequires:    velocity

BuildRequires:    xalan-j2

BuildRequires:    xerces-j2

%if 0%{?rhel}

# 'resteasy-base' is a subset of the complete set of

# 'resteasy' packages and consists of what is needed to

# support the PKI Restful interface on RHEL platforms

BuildRequires:    resteasy-base-atom-provider >= 3.0.6-1

BuildRequires:    resteasy-base-client >= 3.0.6-1

BuildRequires:    resteasy-base-jaxb-provider >= 3.0.6-1

BuildRequires:    resteasy-base-jaxrs >= 3.0.6-1

BuildRequires:    resteasy-base-jaxrs-api >= 3.0.6-1

BuildRequires:    resteasy-base-jackson-provider >= 3.0.6-1

%else

%if 0%{?fedora} >= 22

# Starting from Fedora 22, resteasy packages were split into

# subpackages.

BuildRequires:    resteasy-atom-provider >= 3.0.6-7

BuildRequires:    resteasy-client >= 3.0.6-7

BuildRequires:    resteasy-jaxb-provider >= 3.0.6-7

BuildRequires:    resteasy-core >= 3.0.6-7

BuildRequires:    resteasy-jaxrs-api >= 3.0.6-7

BuildRequires:    resteasy-jackson-provider >= 3.0.6-7

%else

BuildRequires:    resteasy >= 3.0.6-2

%endif

%endif

%if ! 0%{?rhel}

BuildRequires:    pylint

%endif

BuildRequires:    python-nss

BuildRequires:    python-requests

BuildRequires:    libselinux-python

BuildRequires:    policycoreutils-python

BuildRequires:    python-ldap

BuildRequires:    junit

BuildRequires:    jpackage-utils >= 0:1.7.5-10

BuildRequires:    jss >= 4.2.6-35

BuildRequires:    systemd-units

%if 0%{?rhel}

BuildRequires:    tomcatjss >= 7.1.0-6

%else

BuildRequires:    tomcatjss >= 7.1.2

%endif

# additional build requirements needed to build native 'tpsclient'

# REMINDER:  Revisit these once 'tpsclient' is rewritten as a Java app

BuildRequires:    apr-devel

BuildRequires:    apr-util-devel

BuildRequires:    cyrus-sasl-devel

BuildRequires:    httpd-devel >= 2.4.2

BuildRequires:    pcre-devel

BuildRequires:    python

BuildRequires:    systemd

BuildRequires:    svrcore-devel

BuildRequires:    zlib

BuildRequires:    zlib-devel

%if 0%{?rhel}

# NOTE:  In the future, as a part of its path, this URL will contain a release

#        directory which consists of the fixed number of the upstream release

#        upon which this tarball was originally based.

Source0:          http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{release}/rhel/%{name}-%{version}%{?prerel}.tar.gz

%else

Source0:          http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{release}/%{name}-%{version}%{?prerel}.tar.gz

%endif

Patch1:           pki-core-rhel-7-2.patch

Patch2:           pki-core-handle-JSON-decode-error.patch

Patch3:           pki-core-fix-exception-when-talking-to-Dogtag-9-systems.patch

Patch4:           pki-core-added-CLI-to-update-cert-data-and-request-in-CS-cfg.patch

Patch5:           pki-core-fixed-pkidbuser-group-memberships.patch

Patch6:           pki-core-added-support-for-secure-database-connection-in-CLI.patch

%global saveFileContext() \

if [ -s /etc/selinux/config ]; then \

     . %{_sysconfdir}/selinux/config; \

     FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \

     if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \

          cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \

     fi \

fi;

%global relabel() \

. %{_sysconfdir}/selinux/config; \

FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \

selinuxenabled; \

if [ $? == 0  -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \

     fixfiles -C ${FILE_CONTEXT}.%{name} restore; \

     rm -f ${FILE_CONTEXT}.%name; \

fi;

%global overview                                                       \

==================================                                     \

||  ABOUT "CERTIFICATE SYSTEM"  ||                                     \

==================================                                     \

                                                                       \

Certificate System (CS) is an enterprise software system designed      \

to manage enterprise Public Key Infrastructure (PKI) deployments.      \

                                                                       \

PKI Core contains ALL top-level java-based Tomcat PKI components:      \

                                                                       \

  * pki-symkey                                                         \

  * pki-base                                                           \

  * pki-tools                                                          \

  * pki-server                                                         \

  * pki-ca                                                             \

  * pki-kra                                                            \

  * pki-ocsp                                                           \

  * pki-tks                                                            \

  * pki-tps                                                            \

  * pki-javadoc                                                        \

                                                                       \

which comprise the following corresponding PKI subsystems:             \

                                                                       \

  * Certificate Authority (CA)                                         \

  * Data Recovery Manager (DRM)                                        \

  * Online Certificate Status Protocol (OCSP) Manager                  \

  * Token Key Service (TKS)                                            \

  * Token Processing Service (TPS)                                     \

                                                                       \

For deployment purposes, PKI Core contains fundamental packages        \

required by BOTH native-based Apache AND java-based Tomcat             \

Certificate System instances consisting of the following components:   \

                                                                       \

  * pki-tools                                                          \

                                                                       \

Additionally, PKI Core contains the following fundamental packages     \

required ONLY by ALL java-based Tomcat Certificate System instances:   \

                                                                       \

  * pki-symkey                                                         \

  * pki-base                                                           \

  * pki-tools                                                          \

  * pki-server                                                         \

                                                                       \

PKI Core also includes the following components:                       \

                                                                       \

  * pki-javadoc                                                        \

                                                                       \

Finally, if Certificate System is being deployed as an individual or   \

set of standalone rather than embedded server(s)/service(s), it is     \

strongly recommended (though not explicitly required) to include at    \

least one PKI Theme package:                                           \

                                                                       \

  * dogtag-pki-theme (Dogtag Certificate System deployments)           \

    * dogtag-pki-server-theme                                          \

  * redhat-pki-server-theme (Red Hat Certificate System deployments)   \

    * redhat-pki-server-theme                                          \

  * customized pki theme (Customized Certificate System deployments)   \

    * <customized>-pki-server-theme                                    \

                                                                       \

  NOTE:  As a convenience for standalone deployments, top-level meta   \

         packages may be provided which bind a particular theme to     \

         these certificate server packages.                            \

                                                                       \

%{nil}

%description %{overview}

%package -n       pki-symkey

Summary:          Symmetric Key JNI Package

Group:            System Environment/Libraries

Requires:         java-headless >= 1:1.7.0

Requires:         nss

Requires:         jpackage-utils >= 0:1.7.5-10

Requires:         jss >= 4.2.6-35

Provides:         symkey = %{version}-%{release}

Obsoletes:        symkey < %{version}-%{release}

%description -n   pki-symkey

The Symmetric Key Java Native Interface (JNI) package supplies various native

symmetric key operations to Java programs.

This package is a part of the PKI Core used by the Certificate System.

%{overview}

%package -n       pki-base

Summary:          Certificate System - PKI Framework

Group:            System Environment/Base

BuildArch:        noarch

Provides:         pki-common = %{version}-%{release}

Provides:         pki-util = %{version}-%{release}

Obsoletes:        pki-common < %{version}-%{release}

Obsoletes:        pki-util < %{version}-%{release}

Conflicts:        freeipa-server < 3.0.0

Requires:         apache-commons-cli

Requires:         apache-commons-codec

Requires:         apache-commons-io

Requires:         apache-commons-lang

Requires:         apache-commons-logging

Requires:         jakarta-commons-httpclient

Requires:         java-headless >= 1:1.7.0

Requires:         javassist

Requires:         jpackage-utils >= 0:1.7.5-10

Requires:         jss >= 4.2.6-35

Requires:         ldapjdk

Requires:         python-ldap

Requires:         python-lxml

Requires:         python-requests >= 1.1.0-3

%if 0%{?rhel}

# 'resteasy-base' is a subset of the complete set of

# 'resteasy' packages and consists of what is needed to

# support the PKI Restful interface on RHEL platforms

Requires:    resteasy-base-atom-provider >= 3.0.6-1

Requires:    resteasy-base-client >= 3.0.6-1

Requires:    resteasy-base-jaxb-provider >= 3.0.6-1

Requires:    resteasy-base-jaxrs >= 3.0.6-1

Requires:    resteasy-base-jaxrs-api >= 3.0.6-1

Requires:    resteasy-base-jackson-provider >= 3.0.6-1

%else

%if 0%{?fedora} >= 22

# Starting from Fedora 22, resteasy packages were split into

# subpackages.

Requires:    resteasy-atom-provider >= 3.0.6-7

Requires:    resteasy-client >= 3.0.6-7

Requires:    resteasy-jaxb-provider >= 3.0.6-7

Requires:    resteasy-core >= 3.0.6-7

Requires:    resteasy-jaxrs-api >= 3.0.6-7

Requires:    resteasy-jackson-provider >= 3.0.6-7

%else

Requires:         resteasy >= 3.0.6-2

%endif

%endif

Requires:         xalan-j2

Requires:         xerces-j2

Requires:         xml-commons-apis

Requires:         xml-commons-resolver

%description -n   pki-base

The PKI Framework contains the common and client libraries and utilities.

This package is a part of the PKI Core used by the Certificate System.

%{overview}

%package -n       pki-tools

Summary:          Certificate System - PKI Tools

Group:            System Environment/Base

Provides:         pki-native-tools = %{version}-%{release}

Provides:         pki-java-tools = %{version}-%{release}

Obsoletes:        pki-native-tools < %{version}-%{release}

Obsoletes:        pki-java-tools < %{version}-%{release}

Requires:         openldap-clients

Requires:         nss

Requires:         nss-tools

Requires:         java-headless >= 1:1.7.0

Requires:         pki-base = %{version}-%{release}

Requires:         jpackage-utils >= 0:1.7.5-10

%description -n   pki-tools

This package contains PKI executables that can be used to help make

Certificate System into a more complete and robust PKI solution.

This package is a part of the PKI Core used by the Certificate System.

%{overview}

%if %{with server}

%package -n       pki-server

Summary:          Certificate System - PKI Server Framework

Group:            System Environment/Base

BuildArch:        noarch

Provides:         pki-deploy = %{version}-%{release}

Provides:         pki-setup = %{version}-%{release}

Provides:         pki-silent = %{version}-%{release}

Obsoletes:        pki-deploy < %{version}-%{release}

Obsoletes:        pki-setup < %{version}-%{release}

Obsoletes:        pki-silent < %{version}-%{release}

Requires:         java-headless >= 1:1.7.0

Requires:         net-tools

%if 0%{?rhel}

Requires:    nuxwdog-client-java >= 1.0.1-11

%else

Requires:    nuxwdog-client-java >= 1.0.3

%endif

Requires:         perl(File::Slurp)

Requires:         policycoreutils

Requires:         openldap-clients

Requires:         pki-base = %{version}-%{release}

Requires:         pki-tools = %{version}-%{release}

Requires:         policycoreutils-python

%if 0%{?fedora} >= 21

Requires:         selinux-policy-targeted >= 3.13.1-9

%else

# 0%{?rhel} || 0%{?fedora} < 21

Requires:         selinux-policy-targeted >= 3.12.1-153

%endif

Obsoletes:        pki-selinux

%if 0%{?rhel}

Requires:         tomcat >= 7.0.54

%else

Requires:         tomcat >= 7.0.47

%if 0%{?fedora} >= 23

Requires:         tomcat-el-3.0-api

Requires:         tomcat-jsp-2.3-api

Requires:         tomcat-servlet-3.1-api

%else

Requires:         tomcat-el-2.2-api

Requires:         tomcat-jsp-2.2-api

Requires:         tomcat-servlet-3.0-api

%endif

%endif

Requires:         velocity

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

Requires(pre):    shadow-utils

%if 0%{?rhel}

Requires:    tomcatjss >= 7.1.0-6

%else

Requires:    tomcatjss >= 7.1.2

%endif

%description -n   pki-server

The PKI Server Framework is required by the following four PKI subsystems:

    the Certificate Authority (CA),

    the Data Recovery Manager (DRM),

    the Online Certificate Status Protocol (OCSP) Manager,

    the Token Key Service (TKS), and

    the Token Processing Service (TPS).

This package is a part of the PKI Core used by the Certificate System.

The package contains scripts to create and remove PKI subsystems.

%{overview}

%package -n       pki-ca

Summary:          Certificate System - Certificate Authority

Group:            System Environment/Daemons

BuildArch:        noarch

Requires:         java-headless >= 1:1.7.0

Requires:         pki-server = %{version}-%{release}

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

%description -n   pki-ca

The Certificate Authority (CA) is a required PKI subsystem which issues,

renews, revokes, and publishes certificates as well as compiling and

publishing Certificate Revocation Lists (CRLs).

The Certificate Authority can be configured as a self-signing Certificate

Authority, where it is the root CA, or it can act as a subordinate CA,

where it obtains its own signing certificate from a public CA.

This package is one of the top-level java-based Tomcat PKI subsystems

provided by the PKI Core used by the Certificate System.

%{overview}

%package -n       pki-kra

Summary:          Certificate System - Data Recovery Manager

Group:            System Environment/Daemons

BuildArch:        noarch

Requires:         java-headless >= 1:1.7.0

Requires:         pki-server = %{version}-%{release}

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

%description -n   pki-kra

The Data Recovery Manager (DRM) is an optional PKI subsystem that can act

as a Key Recovery Authority (KRA).  When configured in conjunction with the

Certificate Authority (CA), the DRM stores private encryption keys as part of

the certificate enrollment process.  The key archival mechanism is triggered

when a user enrolls in the PKI and creates the certificate request.  Using the

Certificate Request Message Format (CRMF) request format, a request is

generated for the user's private encryption key.  This key is then stored in

the DRM which is configured to store keys in an encrypted format that can only

be decrypted by several agents requesting the key at one time, providing for

protection of the public encryption keys for the users in the PKI deployment.

Note that the DRM archives encryption keys; it does NOT archive signing keys,

since such archival would undermine non-repudiation properties of signing keys.

This package is one of the top-level java-based Tomcat PKI subsystems

provided by the PKI Core used by the Certificate System.

%{overview}

%package -n       pki-ocsp

Summary:          Certificate System - Online Certificate Status Protocol Manager

Group:            System Environment/Daemons

BuildArch:        noarch

Requires:         java-headless >= 1:1.7.0

Requires:         pki-server = %{version}-%{release}

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

%description -n   pki-ocsp

The Online Certificate Status Protocol (OCSP) Manager is an optional PKI

subsystem that can act as a stand-alone OCSP service.  The OCSP Manager

performs the task of an online certificate validation authority by enabling

OCSP-compliant clients to do real-time verification of certificates.  Note

that an online certificate-validation authority is often referred to as an

OCSP Responder.

Although the Certificate Authority (CA) is already configured with an

internal OCSP service.  An external OCSP Responder is offered as a separate

subsystem in case the user wants the OCSP service provided outside of a

firewall while the CA resides inside of a firewall, or to take the load of

requests off of the CA.

The OCSP Manager can receive Certificate Revocation Lists (CRLs) from

multiple CA servers, and clients can query the OCSP Manager for the

revocation status of certificates issued by all of these CA servers.

When an instance of OCSP Manager is set up with an instance of CA, and

publishing is set up to this OCSP Manager, CRLs are published to it

whenever they are issued or updated.

This package is one of the top-level java-based Tomcat PKI subsystems

provided by the PKI Core used by the Certificate System.

%{overview}

%package -n       pki-tks

Summary:          Certificate System - Token Key Service

Group:            System Environment/Daemons

BuildArch:        noarch

Requires:         java-headless >= 1:1.7.0

Requires:         pki-server = %{version}-%{release}

Requires:         pki-symkey = %{version}-%{release}

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

%description -n   pki-tks

The Token Key Service (TKS) is an optional PKI subsystem that manages the

master key(s) and the transport key(s) required to generate and distribute

keys for hardware tokens.  TKS provides the security between tokens and an

instance of Token Processing System (TPS), where the security relies upon the

relationship between the master key and the token keys.  A TPS communicates

with a TKS over SSL using client authentication.

TKS helps establish a secure channel (signed and encrypted) between the token

and the TPS, provides proof of presence of the security token during

enrollment, and supports key changeover when the master key changes on the

TKS.  Tokens with older keys will get new token keys.

Because of the sensitivity of the data that TKS manages, TKS should be set up

behind the firewall with restricted access.

This package is one of the top-level java-based Tomcat PKI subsystems

provided by the PKI Core used by the Certificate System.

%{overview}

%package -n       pki-tps

Summary:          Certificate System - Token Processing Service

Group:            System Environment/Daemons

Provides:         pki-tps-tomcat

Provides:         pki-tps-client

Obsoletes:        pki-tps-tomcat

Obsoletes:        pki-tps-client

Requires:         java-headless >= 1:1.7.0

Requires:         pki-server = %{version}-%{release}

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

# additional runtime requirements needed to run native 'tpsclient'

# REMINDER:  Revisit these once 'tpsclient' is rewritten as a Java app

Requires:         mod_nss

Requires:         mod_revocator

Requires:         nss >= 3.14.3

Requires:         nss-tools >= 3.14.3

Requires:         openldap-clients

Requires:         pki-symkey = %{version}-%{release}

%description -n   pki-tps

The Token Processing System (TPS) is an optional PKI subsystem that acts

as a Registration Authority (RA) for authenticating and processing

enrollment requests, PIN reset requests, and formatting requests from

the Enterprise Security Client (ESC).

TPS is designed to communicate with tokens that conform to

Global Platform's Open Platform Specification.

TPS communicates over SSL with various PKI backend subsystems (including

the Certificate Authority (CA), the Data Recovery Manager (DRM), and the

Token Key Service (TKS)) to fulfill the user's requests.

TPS also interacts with the token database, an LDAP server that stores

information about individual tokens.

The utility "tpsclient" is a test tool that interacts with TPS.  This

tool is useful to test TPS server configs without risking an actual

smart card.

%{overview}

%package -n       pki-javadoc

Summary:          Certificate System - PKI Framework Javadocs

Group:            Documentation

BuildArch:        noarch

Provides:         pki-util-javadoc = %{version}-%{release}

Provides:         pki-java-tools-javadoc = %{version}-%{release}

Provides:         pki-common-javadoc = %{version}-%{release}

Obsoletes:        pki-util-javadoc < %{version}-%{release}

Obsoletes:        pki-java-tools-javadoc < %{version}-%{release}

Obsoletes:        pki-common-javadoc < %{version}-%{release}

%description -n   pki-javadoc

This documentation pertains exclusively to version %{version} of

the PKI Framework and Tools.

This package is a part of the PKI Core used by the Certificate System.

%{overview}

%endif # %{with server}

%prep

%setup -q -n %{name}-%{version}%{?prerel}

%patch1 -p1

%patch2 -p1

%patch3 -p1

%patch4 -p1

%patch5 -p1

%patch6 -p1

%clean

%{__rm} -rf %{buildroot}

%build

%{__mkdir_p} build

cd build

%cmake -DVERSION=%{version}-%{release} \

	-DVAR_INSTALL_DIR:PATH=/var \

	-DBUILD_PKI_CORE:BOOL=ON \

	-DJAVA_LIB_INSTALL_DIR=%{_jnidir} \

	-DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \

%if ! %{with_tomcat7}

	-DWITH_TOMCAT7:BOOL=OFF \

%endif

%if ! %{with_tomcat8}

	-DWITH_TOMCAT8:BOOL=OFF \

%endif

	-DRESTEASY_LIB=%{resteasy_lib} \

%if ! %{with server}

	-DWITH_SERVER:BOOL=OFF \

%endif

%if ! %{with server}

	-DWITH_SERVER:BOOL=OFF \

%endif

%if ! %{with javadoc}

	-DWITH_JAVADOC:BOOL=OFF \

%endif

	..

%{__make} VERBOSE=1 %{?_smp_mflags} all

# %{__make} VERBOSE=1 %{?_smp_mflags} unit-test

%install

%{__rm} -rf %{buildroot}

cd build

%{__make} install DESTDIR=%{buildroot} INSTALL="install -p"

# Create symlinks for admin console (TPS does not use admin console)

for subsystem in ca kra ocsp tks; do

    %{__mkdir_p} %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/admin

    ln -s %{_datadir}/pki/server/webapps/pki/admin/console %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/admin

done

# Create symlinks for subsystem libraries

for subsystem in ca kra ocsp tks tps; do

    %{__mkdir_p} %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib

    ln -s %{_javadir}/pki/pki-nsutil.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib

    ln -s %{_javadir}/pki/pki-cmsutil.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib

    ln -s %{_javadir}/pki/pki-certsrv.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib

    ln -s %{_javadir}/pki/pki-cms.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib

    ln -s %{_javadir}/pki/pki-cmscore.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib

    ln -s %{_javadir}/pki/pki-cmsbundle.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib

    ln -s %{_javadir}/pki/pki-$subsystem.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib

done

%if %{with server}

%if ! 0%{?rhel}

# Scanning the python code with pylint.

sh ../pylint-build-scan.sh %{buildroot} `pwd`

if [ $? -ne 0 ]; then

    echo "pylint failed. RC: $?"

    exit 1

fi

%endif

%{__rm} -rf %{buildroot}%{_datadir}/pki/server/lib

%endif # %{with server}