From 8cbeb62e6b4f492047719d7c6e0cfa69c15ceaa4 Mon Sep 17 00:00:00 2001 From: Matthew Harmsen Date: Fri, 8 Dec 2017 17:17:34 -0700 Subject: [PATCH 1/6] Fix nuxwdog to work on all platforms - dogtagpki Pagure Issue #2874 - nuxwdog won't start on Fedora Change-Id: I5ff65c75087aeb939cb58ee7cf888bbbacb57ad5 (cherry picked from commit 19f04606cb58f7dc6e2872e39f62d3dad427ae22) --- base/server/sbin/pki-server-nuxwdog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/base/server/sbin/pki-server-nuxwdog b/base/server/sbin/pki-server-nuxwdog index ead925303..cb8993821 100755 --- a/base/server/sbin/pki-server-nuxwdog +++ b/base/server/sbin/pki-server-nuxwdog @@ -41,8 +41,8 @@ nux_fname="${CATALINA_BASE}/conf/nuxwdog.conf" touch ${nux_fname} chown pkiuser: ${nux_fname} -echo "ExeFile ${JAVACMD}" > $nux_fname -echo "ExeArgs ${JAVACMD} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname +echo "ExeFile ${JAVA_HOME}/bin/java" > $nux_fname +echo "ExeArgs ${JAVA_HOME}/bin/java ${JAVACMD_OPTS} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname echo "TmpDir ${CATALINA_BASE}/logs/pids" >> $nux_fname echo "ChildSecurity 1" >> $nux_fname echo "ExeOut ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname -- 2.14.3 From e688a788f6cb9fd6e488ea5475c50c21583b9c87 Mon Sep 17 00:00:00 2001 
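Review bot: The rewritten `ExeFile`/`ExeArgs` lines expand `${JAVA_HOME}/bin/java`, so an unset or empty `JAVA_HOME` silently writes `/bin/java` into nuxwdog.conf instead of failing, whereas the old `${JAVACMD}` value presumably came from `set_javacmd`, which is outside the hunk. A guard before the file is written makes the failure explicit: `: "${JAVA_HOME:?JAVA_HOME must be set before writing ${nux_fname}}"`. The redirect targets also mix `${nux_fname}` and unquoted `$nux_fname`; quoting them consistently as `"$nux_fname"` keeps the script correct if `CATALINA_BASE` ever contains whitespace.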
From: Ade Lee Date: Tue, 2 Jan 2018 13:38:40 -0500 Subject: [PATCH 2/6] Modified systemd invocations in pkispawn to handle nuxwdog The systemd invocations in pkispawn/pkidestroy did not account for nuxwdog enabled instances. This patch allows pkispawn/pkidestroy to use the right service name if the nuxwdog service unit files exist. Also modified instance_layout deployment script to delete the right systemd link. Change-Id: I25eac0555aad022784d7728913ae4a335eab3463 (cherry picked from commit c7c907c07599ef1d9b52638c25153f7bd82de999) --- .../python/pki/server/deployment/pkihelper.py | 55 ++++++++++------------ .../deployment/scriptlets/instance_layout.py | 5 +- 2 files changed, 28 insertions(+), 32 deletions(-) diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index 9bb0dfc0e..2cc36f4a2 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -3495,17 +3495,28 @@ class Systemd(object): Args: deployer (dictionary): PKI Deployment name/value parameters - - Attributes: - - Returns: - - Raises: - - Examples: - """ self.mdict = deployer.mdict + instance_name = deployer.mdict['pki_instance_name'] + + unit_file = 'pki-tomcatd@%s.service' % instance_name + systemd_link = os.path.join( + '/etc/systemd/system/pki-tomcatd.target.wants', + unit_file) + + nuxwdog_unit_file = 'pki-tomcatd-nuxwdog@%s.service' % instance_name + nuxwdog_systemd_link = os.path.join( + '/etc/systemd/system/pki-tomcatd-nuxwdog.target.wants', + nuxwdog_unit_file) + + if os.path.exists(nuxwdog_systemd_link): + self.is_nuxwdog_enabled = True + self.service_name = nuxwdog_unit_file + self.systemd_link = nuxwdog_systemd_link + else: + self.is_nuxwdog_enabled = False + self.service_name = unit_file + self.systemd_link = systemd_link def daemon_reload(self, critical_failure=True): """PKI Deployment execution management lifecycle function. 
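Review bot: `Systemd.__init__` now decides between the plain and nuxwdog unit once, from whether the `pki-tomcatd-nuxwdog.target.wants` symlink exists at construction time, and the new `is_nuxwdog_enabled`, `service_name` and `systemd_link` attributes are not documented anywhere in the hunk. Since the `Systemd` object is built in `deployer.init()` before the scriptlets run, a scriptlet that creates or removes that link afterwards keeps operating on the stale unit name; the `disable`, `enable`, `start`, `stop` and `restart` hunks that follow all read `self.service_name`, so the same caveat applies to them. The link paths are also hard-coded under `/etc/systemd/system`, whereas the mdict-derived paths used elsewhere presumably honour `pki_root_prefix` — worth confirming. I would extend the docstring with an Attributes section stating that `is_nuxwdog_enabled`, `service_name` and `systemd_link` are fixed at construction from the presence of the nuxwdog `.target.wants` symlink and are not refreshed afterwards.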
@@ -3579,7 +3590,7 @@ class Systemd(object): command = ["rm", "/etc/rc3.d/*" + self.mdict['pki_instance_name']] else: - command = ["systemctl", "disable", "pki-tomcatd.target"] + command = ["systemctl", "disable", self.service_name] # Display this "systemd" execution managment command config.pki_log.info( @@ -3629,7 +3640,7 @@ class Systemd(object): command = ["ln", "-s", "/etc/init.d/pki-tomcatd", "/etc/rc3.d/S89" + self.mdict['pki_instance_name']] else: - command = ["systemctl", "enable", "pki-tomcatd.target"] + command = ["systemctl", "enable", self.service_name] # Display this "systemd" execution managment command config.pki_log.info( @@ -3673,20 +3684,15 @@ class Systemd(object): """ try: - service = None # Execute the "systemd daemon-reload" management lifecycle command if reload_daemon: self.daemon_reload(critical_failure) - # Compose this "systemd" execution management command - service = "pki-tomcatd" + "@" +\ - self.mdict['pki_instance_name'] + "." +\ - "service" if pki.system.SYSTEM_TYPE == "debian": command = ["/etc/init.d/pki-tomcatd", "start", self.mdict['pki_instance_name']] else: - command = ["systemctl", "start", service] + command = ["systemctl", "start", self.service_name] # Display this "systemd" execution managment command config.pki_log.info( @@ -3726,17 +3732,11 @@ class Systemd(object): """ try: - service = None - # Compose this "systemd" execution management command - service = "pki-tomcatd" + "@" +\ - self.mdict['pki_instance_name'] + "." +\ - "service" - if pki.system.SYSTEM_TYPE == "debian": command = ["/etc/init.d/pki-tomcatd", "stop", self.mdict['pki_instance_name']] else: - command = ["systemctl", "stop", service] + command = ["systemctl", "stop", self.service_name] # Display this "systemd" execution managment command config.pki_log.info( 
@@ -3777,21 +3777,16 @@ class Systemd(object): """ try: - service = None # Compose this "systemd" execution management command # Execute the "systemd daemon-reload" management lifecycle command if reload_daemon: self.daemon_reload(critical_failure) - service = "pki-tomcatd" + "@" +\ - self.mdict['pki_instance_name'] + "." +\ - "service" - if pki.system.SYSTEM_TYPE == "debian": command = ["/etc/init.d/pki-tomcatd", "restart", self.mdict['pki_instance_name']] else: - command = ["systemctl", "restart", service] + command = ["systemctl", "restart", self.service_name] # Display this "systemd" execution managment command config.pki_log.info( diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py index a9a2840c7..b225d653b 100644 --- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py @@ -58,7 +58,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # Link /etc/pki//logging.properties # to /usr/share/pki/server/conf/logging.properties. deployer.symlink.create( - os.path.join(deployer.mdict['pki_source_server_path'], "logging.properties"), + os.path.join(deployer.mdict['pki_source_server_path'], + "logging.properties"), os.path.join(deployer.mdict['pki_instance_configuration_path'], "logging.properties")) @@ -173,7 +174,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): if len(deployer.instance.tomcat_instance_subsystems()) == 0: # remove Tomcat instance systemd service link - deployer.symlink.delete(deployer.mdict['pki_systemd_service_link']) + deployer.symlink.delete(deployer.systemd.systemd_link) # remove Tomcat instance base deployer.directory.delete(deployer.mdict['pki_instance_path']) -- 2.14.3 From 98851261dd164bc586c78d0b96df712918c336e8 Mon Sep 17 00:00:00 2001 
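Review bot: In the `instance_layout.py` destroy hunk, the service link is now removed via `deployer.systemd.systemd_link`, while the create path (not in this hunk) still builds the link from `deployer.mdict['pki_instance_systemd_link']`; the two values are derived independently, so if they ever diverge (for example under a non-empty `pki_root_prefix`, which the hard-coded paths in `Systemd.__init__` do not apply) the link created at spawn is left behind at destroy. Deriving both from one source, `deployer.symlink.create(deployer.mdict['pki_tomcat_systemd'], deployer.systemd.systemd_link, uid=0, gid=0)` on the create side, keeps them in step. The enclosing method starts and ends outside the hunk.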
From: Ade Lee Date: Tue, 2 Jan 2018 14:52:32 -0500 Subject: [PATCH 3/6] Allow prompting for token passwords if not present Change-Id: Ifa2e60424d713ebe15bf9aa92f1d5b7691b7e0ff (cherry picked from commit 6716b82ecc38b23de81c8f0fe18863e1df4bfddb) --- .../python/pki/server/deployment/__init__.py | 4 +++- .../python/pki/server/deployment/pkihelper.py | 27 ++++++++-------------- base/server/sbin/pkidestroy | 2 +- base/server/sbin/pkispawn | 2 +- 4 files changed, 15 insertions(+), 20 deletions(-) diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py index 709fe7014..f9b05dd42 100644 --- a/base/server/python/pki/server/deployment/__init__.py +++ b/base/server/python/pki/server/deployment/__init__.py @@ -66,6 +66,7 @@ class PKIDeployer: self.systemd = None self.tps_connector = None self.config_client = None + self.parser = None # Set installation time ticks = time.time() @@ -88,7 +89,7 @@ class PKIDeployer: if not len(self.dns_domainname): self.dns_domainname = self.hostname - def init(self): + def init(self, parser): # Utility objects self.identity = util.Identity(self) @@ -111,6 +112,7 @@ class PKIDeployer: self.systemd = util.Systemd(self) self.tps_connector = util.TPSConnector(self) self.config_client = util.ConfigClient(self) + self.parser = parser def flatten_master_dict(self): diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index 2cc36f4a2..8049e61fc 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -2057,6 +2057,7 @@ class Password: def __init__(self, deployer): self.mdict = deployer.mdict + self.deployer = deployer def create_password_conf(self, path, pin, pin_sans_token=False, overwrite_flag=False, critical_failure=True): 
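Review bot: `PKIDeployer.init` gains a required positional `parser` argument, so any caller other than the two updated in `pkispawn` and `pkidestroy` now raises `TypeError`. Giving it a default, `def init(self, parser=None):`, keeps the old call form working, and `self.parser = None` is already the attribute's initial value in the constructor hunk. Note that `self.parser` is assigned after the helper objects are built, so a helper must read `self.deployer.parser` lazily at call time, as the `Password` change in this patch does, rather than capture it in its own `__init__`; a one-line comment at the assignment would make that ordering constraint explicit.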
@@ -2146,7 +2147,7 @@ class Password: raise return - def get_password(self, path, token_name, critical_failure=True): + def get_password(self, path, token_name): token_pwd = None if os.path.exists(path) and os.path.isfile(path) and\ os.access(path, os.R_OK): @@ -2159,16 +2160,11 @@ class Password: token_pwd = tokens[token_name] if token_pwd is None or token_pwd == '': - # TODO prompt for this password - config.pki_log.error(log.PKIHELPER_PASSWORD_NOT_FOUND_1, - token_name, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure: - raise Exception( - log.PKIHELPER_PASSWORD_NOT_FOUND_1 % - token_name) - else: - return + self.deployer.parser.read_password( + 'Password for token {}'.format(token_name), + self.deployer.subsystem_name, + 'token_pwd') + token_pwd = self.mdict['token_pwd'] return token_pwd @@ -2998,8 +2994,7 @@ class KRAConnector: token_pwd = self.password.get_password( self.mdict['pki_shared_password_conf'], - token_name, - critical_failure) + token_name) if token_pwd is None or token_pwd == '': config.pki_log.warning( @@ -3203,8 +3198,7 @@ class TPSConnector: token_pwd = self.password.get_password( self.mdict['pki_shared_password_conf'], - token_name, - critical_failure) + token_name) if token_pwd is None or token_pwd == '': config.pki_log.warning( @@ -3441,8 +3435,7 @@ class SecurityDomain: token_pwd = self.password.get_password( self.mdict['pki_shared_password_conf'], - token_name, - critical_failure) + token_name) if token_pwd is None or token_pwd == '': config.pki_log.warning( diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy index 4a0c6a0b8..58d49698a 100755 --- a/base/server/sbin/pkidestroy +++ b/base/server/sbin/pkidestroy @@ -227,7 +227,7 @@ def main(argv): # Process the various "scriptlets" to remove the specified PKI subsystem. pki_subsystem_scriptlets = parser.mdict['destroy_scriplets'].split() - deployer.init() + deployer.init(parser) try: for scriptlet_name in pki_subsystem_scriptlets: 
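Review bot: The new prompt branch in `get_password` leaves the token password in the deployment dictionary under `self.mdict['token_pwd']` after copying it into the local, so the secret stays in the shared mdict for the rest of the run and would travel with it wherever the mdict is flattened, logged or written out — `flatten_master_dict` in `__init__.py` is one consumer to check. Reading it back with `token_pwd = self.mdict.pop('token_pwd', None)` keeps the secret local to this call. The `critical_failure` parameter is removed from the signature, so callers other than the `KRAConnector`, `TPSConnector` and `SecurityDomain` sites updated here will break, and those callers' `if token_pwd is None or token_pwd == ''` warning branches are now reached only when the prompt itself returns an empty string. `read_password` is also invoked unconditionally, which will block an unattended run that previously failed fast with `PKIHELPER_PASSWORD_NOT_FOUND_1`; a `sys.stdin.isatty()` check before prompting, or at least a comment stating that a missing token password is now interactive, would be worth adding.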
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn index 1aa7079e8..6d387b2d8 100755 --- a/base/server/sbin/pkispawn +++ b/base/server/sbin/pkispawn @@ -519,7 +519,7 @@ def main(argv): # Process the various "scriptlets" to create the specified PKI subsystem. pki_subsystem_scriptlets = parser.mdict['spawn_scriplets'].split() - deployer.init() + deployer.init(parser) try: for scriptlet_name in pki_subsystem_scriptlets: -- 2.14.3 From 25439301773d2bf80a7eb871c8e1161bdbdb0315 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Wed, 17 Jan 2018 18:31:19 -0500 Subject: [PATCH 4/6] Allow instances to be created with custom users Some folks want to run instances under a different user and group (ie. not pkiuser). They may even want a different user for each instance. The way to do this in systemd is to create systemd override files for the specific instance. The deployment scriptlets have been updated to create (and delete) these override files. Change-Id: Icb0b6d15c6c8542dbbd565987d5fb3f1bddf6037 (cherry picked from commit afe0a2525cace41a1bef2ff7fe0f8f53aa5990e5) --- .../python/pki/server/deployment/pkihelper.py | 55 ++++++++++++++++++++++ .../deployment/scriptlets/instance_layout.py | 18 +++++++ 2 files changed, 73 insertions(+) diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index 8049e61fc..2b18f003c 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -21,6 +21,12 @@ # System Imports from __future__ import absolute_import from __future__ import print_function + +try: + import configparser +except ImportError: + import ConfigParser as configparser + import errno import sys import os 
@@ -3490,26 +3496,75 @@ class Systemd(object): deployer (dictionary): PKI Deployment name/value parameters """ self.mdict = deployer.mdict + self.deployer = deployer instance_name = deployer.mdict['pki_instance_name'] unit_file = 'pki-tomcatd@%s.service' % instance_name systemd_link = os.path.join( '/etc/systemd/system/pki-tomcatd.target.wants', unit_file) + override_dir = '/etc/systemd/system/pki-tomcatd@{}.service.d'.format( + instance_name) + self.base_override_dir = override_dir nuxwdog_unit_file = 'pki-tomcatd-nuxwdog@%s.service' % instance_name nuxwdog_systemd_link = os.path.join( '/etc/systemd/system/pki-tomcatd-nuxwdog.target.wants', nuxwdog_unit_file) + nuxwdog_override_dir = ( + '/etc/systemd/system/pki-tomcatd-nuxwdog@{}.service.d'.format( + instance_name)) + self.nuxwdog_override_dir = nuxwdog_override_dir + + # self.overrides will be a hash of ConfigParsers indexed by filename + # once the overrides have been constructed, the caller should call + # write_overrides() + self.overrides = {} if os.path.exists(nuxwdog_systemd_link): self.is_nuxwdog_enabled = True self.service_name = nuxwdog_unit_file self.systemd_link = nuxwdog_systemd_link + self.override_dir = nuxwdog_override_dir else: self.is_nuxwdog_enabled = False self.service_name = unit_file self.systemd_link = systemd_link + self.override_dir = override_dir + + def create_override_directory(self): + self.deployer.directory.create(self.override_dir, uid=0, gid=0) + + def create_override_file(self, fname): + self.create_override_directory() + self.deployer.file.create( + os.path.join(self.override_dir, fname), + uid=0, gid=0 + ) + + def set_override(self, section, param, value, fname='local.conf'): + if fname not in self.overrides: + parser = configparser.ConfigParser() + parser.optionxform = str + override_file = os.path.join(self.override_dir, fname) + if os.path.exists(override_file): + parser.read(override_file) + self.overrides[fname] = parser + else: + parser = self.overrides[fname] + + if not 
parser.has_section(section): + parser.add_section(section) + + parser[section][param] = value + + def write_overrides(self): + for fname, parser in self.overrides.items(): + override_file = os.path.join(self.override_dir, fname) + if not os.path.exists(override_file): + self.create_override_file(override_file) + with open(override_file, 'w') as fp: + parser.write(fp, space_around_delimiters=False) def daemon_reload(self, critical_failure=True): """PKI Deployment execution management lifecycle function. diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py index b225d653b..bb9919f34 100644 --- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py @@ -144,10 +144,21 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.symlink.create( deployer.mdict['pki_tomcat_bin_path'], deployer.mdict['pki_tomcat_bin_link']) + + # create systemd links deployer.symlink.create( deployer.mdict['pki_tomcat_systemd'], deployer.mdict['pki_instance_systemd_link'], uid=0, gid=0) + user = deployer.mdict['pki_user'] + group = deployer.mdict['pki_group'] + if user != 'pkiuser' or group != 'pkiuser': + deployer.systemd.set_override( + 'Service', 'User', user, 'user.conf') + deployer.systemd.set_override( + 'Service', 'Group', group, 'user.conf') + deployer.systemd.write_overrides() + deployer.systemd.daemon_reload() # establish shared NSS security databases for this instance deployer.directory.create(deployer.mdict['pki_database_path']) 
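Review bot: In `write_overrides`, `self.create_override_file(override_file)` passes an absolute path into a method whose body does `os.path.join(self.override_dir, fname)`; it only works because `os.path.join` discards the left part when the right part is absolute, so the intent is clearer with `self.create_override_file(fname)`. `set_override` also reads any pre-existing drop-in into the parser and `write_overrides` rewrites it, which silently drops comments an administrator placed in that file; limiting the deployer to file names it owns and saying so in a comment on `self.overrides` would avoid surprises. The new file is created through `deployer.file.create(..., uid=0, gid=0)` and then truncated by `open(override_file, 'w')`, so the resulting mode is whatever `file.create` applied — worth confirming since this drop-in selects the service `User`/`Group`. `__init__` starts outside the hunk.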
@@ -176,6 +187,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove Tomcat instance systemd service link deployer.symlink.delete(deployer.systemd.systemd_link) + # delete systemd override directories + if deployer.directory.exists(deployer.systemd.base_override_dir): + deployer.directory.delete(deployer.systemd.base_override_dir) + if deployer.directory.exists(deployer.systemd.nuxwdog_override_dir): + deployer.directory.delete(deployer.systemd.nuxwdog_override_dir) + deployer.systemd.daemon_reload() + # remove Tomcat instance base deployer.directory.delete(deployer.mdict['pki_instance_path']) # remove Tomcat instance logs -- 2.14.3 From dc0af568a913d06ced134e6685b5dec1bafb5153 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Tue, 16 Jan 2018 15:10:15 -0500 Subject: [PATCH 5/6] Make sure tomcat is running as pki user with nuxwdog The nuxwdog process needs to run as a privileged user to be able to retrieve the passwords from the systemd tty agent in systemctl. Therefore, the nuxwdog unit file should NOT specify the PKI user there. However, we have added an option to nuxwdog to specify the user in the nuxwdog config file, so that the process that nuxwdog spawns (ie. tomcat) will run as the specified user. The code changes in this patch ensure that when the nuxwdog conf file is created, the user is set correctly as the value of the variable TOMCAT_USER. Change-Id: I0b4f8caedb048aaedf6a8a8f72b24fab39ad7bbf (cherry picked from commit 96e99209b278b5ba380a61486a5b6ce6a87326a0) --- base/server/sbin/pki-server-nuxwdog | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/base/server/sbin/pki-server-nuxwdog b/base/server/sbin/pki-server-nuxwdog index cb8993821..ffdbc3394 100755 --- a/base/server/sbin/pki-server-nuxwdog +++ b/base/server/sbin/pki-server-nuxwdog 
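Review bot: The destroy path deletes `base_override_dir` and `nuxwdog_override_dir` wholesale, but those are the instance's standard systemd drop-in directories, so any administrator-authored drop-in there (for example a locally added `override.conf` with hardening or resource limits) is removed along with the `user.conf` the spawn path wrote. Removing only the deployer-owned file, and the directory only when nothing else is left in it, keeps local configuration intact; `os` is already imported in this scriptlet. The enclosing method starts outside the hunk.
```python
            # delete only the drop-in written at spawn time (user.conf);
            # leave administrator-authored drop-ins, and the directory
            # while it still holds any, in place
            for override_dir in (deployer.systemd.base_override_dir,
                                 deployer.systemd.nuxwdog_override_dir):
                user_conf = os.path.join(override_dir, 'user.conf')
                if os.path.isfile(user_conf):
                    os.remove(user_conf)
                if os.path.isdir(override_dir) and not os.listdir(override_dir):
                    os.rmdir(override_dir)
            deployer.systemd.daemon_reload()
```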
@@ -39,7 +39,7 @@ set_javacmd # create the nuxwdog config file nux_fname="${CATALINA_BASE}/conf/nuxwdog.conf" touch ${nux_fname} -chown pkiuser: ${nux_fname} +chown ${TOMCAT_USER}: ${nux_fname} echo "ExeFile ${JAVA_HOME}/bin/java" > $nux_fname echo "ExeArgs ${JAVA_HOME}/bin/java ${JAVACMD_OPTS} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname @@ -50,4 +50,5 @@ echo "ExeErr ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname echo "ExeBackground 1" >> $nux_fname echo "PidFile $NUXWDOG_PID" >> $nux_fname echo "ChildPidFile $CATALINA_PID" >> $nux_fname +echo "User ${TOMCAT_USER}" >> $nux_fname -- 2.14.3 From 73faa356531a529e13e55800861598bb6cc8ab6a Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Thu, 1 Feb 2018 13:02:03 -0500 Subject: [PATCH 6/6] More fixes for non-standard users Needed to fix some python code that was added that works only on Python 3. The top level directories for the registry should be owned by root and be world readable/executable so that different users can read the registry. Change-Id: Ic0ce188cb678ff66e1a7370451f8df2285fc1282 cherry-pick from 79e8a8e99a3c9c6d16b63bb5d4b2b18a4b828b11 (cherry picked from commit e37ddfbc8b54e17dbe081221f6c849732a30ebe2) --- base/common/CMakeLists.txt | 12 ++++++++++++ base/server/python/pki/server/deployment/pkihelper.py | 8 ++------ .../server/deployment/scriptlets/infrastructure_layout.py | 14 ++++++++++---- .../pki/server/deployment/scriptlets/instance_layout.py | 5 +++-- 4 files changed, 27 insertions(+), 12 deletions(-) diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt index d7856e1aa..3e8659da6 100644 --- a/base/common/CMakeLists.txt +++ b/base/common/CMakeLists.txt @@ -133,6 +133,18 @@ install( ${SYSTEMD_ETC_INSTALL_DIR}/pki-tomcatd-nuxwdog.target.wants ) +install( + DIRECTORY + DESTINATION + /etc/sysconfig/pki +) + +install( + DIRECTORY + DESTINATION + /etc/sysconfig/pki/tomcat +) + install( DIRECTORY man/ 
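Review bot: Both hunks expand `${TOMCAT_USER}` without checking it is set: `chown ${TOMCAT_USER}: ${nux_fname}` and, more importantly, `echo "User ${TOMCAT_USER}"` write an empty `User` entry into nuxwdog.conf when the variable is missing, and since nuxwdog itself runs privileged (per the commit message) the spawned Tomcat may then keep that privilege, depending on how nuxwdog treats an empty value. Failing early with `: "${TOMCAT_USER:?TOMCAT_USER must be set to the user that runs Tomcat}"` before the `touch` keeps the drop to an unprivileged user explicit. Where `TOMCAT_USER` is expected to come from is not visible in the hunk; a comment naming its source would help the next reader.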
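Review bot: The two new `install(DIRECTORY DESTINATION ...)` stanzas create `/etc/sysconfig/pki` and `/etc/sysconfig/pki/tomcat` with CMake's default directory permissions, although the commit message states the requirement that these registry parents be root-owned and world readable/executable so differently-owned instances can traverse them. Stating that explicitly with `DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE` encodes the requirement in the build rather than relying on the default, and a comment such as `# empty, root-owned parents of the per-instance registry; must stay world-traversable` would explain why empty directories are installed at all.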
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index 2b18f003c..2e92b5956 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -1024,8 +1024,6 @@ class Instance: raise def get_instance_status(self, secure_connection=True): - pki_protocol = None - pki_port = None if secure_connection: pki_protocol = "https" pki_port = self.mdict['pki_https_port'] @@ -2931,7 +2929,6 @@ class ServerCertNickConf: try: # overwrite value inside 'serverCertNick.conf' with open(self.servercertnick_conf, "w") as fd: - ssl_server_nickname = None if self.step_two: # use final HSM name ssl_server_nickname = (self.token_name + ":" + @@ -3556,7 +3553,7 @@ class Systemd(object): if not parser.has_section(section): parser.add_section(section) - parser[section][param] = value + parser.set(section, param, value) def write_overrides(self): for fname, parser in self.overrides.items(): @@ -3564,7 +3561,7 @@ class Systemd(object): if not os.path.exists(override_file): self.create_override_file(override_file) with open(override_file, 'w') as fp: - parser.write(fp, space_around_delimiters=False) + parser.write(fp) def daemon_reload(self, critical_failure=True): """PKI Deployment execution management lifecycle function. @@ -4142,7 +4139,6 @@ class ConfigClient: os.path.dirname(self.mdict['pki_external_admin_csr_path'])) with open(self.mdict['pki_external_admin_csr_path'], "w") as f: f.write("-----BEGIN CERTIFICATE REQUEST-----\n") - admin_certreq = None with open(os.path.join( self.mdict['pki_client_database_dir'], "admin_pkcs10.bin.asc"), "r") as f: diff --git a/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py b/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py index b105378f8..7322ac392 100644 --- a/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py 
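Review bot: `parser.write(fp)` replaces the Python 3-only `space_around_delimiters=False` call, so the drop-in is now emitted as `User = pkiuser` rather than `User=pkiuser`; that is accepted by systemd, whose unit syntax ignores whitespace around `=`, but the hunk gives no hint why the form changed and the commit message is the only record. A comment on the call, `# ConfigParser.write() on Python 2 has no space_around_delimiters; systemd ignores whitespace around '='`, keeps the next maintainer from restoring the keyword argument. The same Python 2 motivation applies to `parser.set(section, param, value)` in the hunk just above it and deserves the same one-line note.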
+++ b/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py @@ -53,9 +53,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # registry directories for storage of a copy of the original # deployment configuration file used to spawn this instance, # and save a copy of this file - deployer.directory.create(deployer.mdict['pki_registry_path']) - deployer.directory.create( - deployer.mdict['pki_instance_type_registry_path']) + # + # Unless a prefix is used, the top level directories should exist + # and be owned by the rpm + if deployer.mdict['pki_root_prefix'] != "": + deployer.directory.create(deployer.mdict['pki_registry_path']) + deployer.directory.create( + deployer.mdict['pki_instance_type_registry_path']) + deployer.directory.create(deployer.mdict['pki_instance_registry_path']) deployer.directory.create( deployer.mdict['pki_subsystem_registry_path']) @@ -123,4 +128,5 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.directory.delete( deployer.mdict['pki_configuration_path']) # remove top-level infrastructure registry - deployer.directory.delete(deployer.mdict['pki_registry_path']) + if deployer.mdict['pki_root_prefix'] != "": + deployer.directory.delete(deployer.mdict['pki_registry_path']) diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py index bb9919f34..b24e9b728 100644 --- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py 
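Review bot: With an empty `pki_root_prefix`, the spawn path no longer creates `pki_registry_path` and `pki_instance_type_registry_path` but immediately creates `pki_instance_registry_path` beneath them, so on a host where the package did not install those parents (a non-RPM or source install) the failure surfaces as a low-level error from `directory.create` rather than a message saying the parents are expected from the package. A pre-check such as `if not deployer.directory.exists(deployer.mdict['pki_registry_path']): raise Exception(...)` with a message naming the package-owned directory makes the new assumption explicit; `deployer.directory.exists` is already used by the scriptlets. The same `pki_root_prefix != ""` test is repeated here, in the destroy hunk below it, and in the `instance_layout.py` hunk that follows; a small helper on the deployer would keep the four sites in step.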
@@ -211,8 +211,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.mdict['pki_instance_registry_path']) # remove Tomcat PKI registry (if empty) if deployer.instance.tomcat_instances() == 0: - deployer.directory.delete( - deployer.mdict['pki_instance_type_registry_path']) + if deployer.mdict['pki_root_prefix'] != "": + deployer.directory.delete( + deployer.mdict['pki_instance_type_registry_path']) # Callback only when the /usr/share/pki/server/conf directory -- 2.14.3