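def configure_ajp_connectors_required_secret(self):
    """Rename the AJP connector attribute ``secret`` to ``requiredSecret``.

    Rewrites ``self.server_xml`` in place: every ``AJP/1.3`` Connector that
    still carries the legacy ``secret`` attribute has it moved to
    ``requiredSecret``, and commented-out AJP connector snippets inside
    each Service get the same textual rename.

    Raises:
        Exception: if an ``AJP/1.3`` connector has neither ``secret`` nor
            ``requiredSecret``. The file is left untouched in that case,
            because it is only written back after all connectors passed.
    """
    logger.info('Configuring AJP connectors requiredSecret')

    # NOTE: 'parser' is a module-level name here, unlike the nuxwdog
    # helpers which use self.parser — presumably the shared XML parser
    document = etree.parse(self.server_xml, parser)
    server = document.getroot()

    # replace 'secret' with 'requiredSecret' in commented-out AJP connectors
    for service in server.findall('Service'):
        # iterate over a snapshot; the comment text is edited in place
        for child in list(service):
            if not isinstance(child, etree._Comment):  # pylint: disable=protected-access
                # not a comment -> skip
                continue
            if not child.text or 'protocol="AJP/1.3"' not in child.text:
                # empty comment or not an AJP connector -> skip
                continue
            child.text = re.sub(
                r'secret=', r'requiredSecret=', child.text, flags=re.MULTILINE)

    # replace 'secret' with 'requiredSecret' in live Connectors
    for connector in server.findall('Service/Connector'):
        if connector.get('protocol') != 'AJP/1.3':
            # not an AJP connector -> skip
            continue

        # remove existing 'secret' if any. Its value is the shared AJP
        # secret, so only its presence is logged, never the value itself.
        value = connector.attrib.pop('secret', None)
        logger.debug(
            'AJP connector legacy secret attribute: %s',
            'found' if value else 'not found')

        if connector.get('requiredSecret'):
            # already has a 'requiredSecret' -> keep it; the legacy
            # 'secret' value (if any) has been dropped above
            continue

        if not value:
            raise Exception(
                'Missing AJP connector requiredSecret in %s' % self.server_xml)

        # store 'requiredSecret'
        connector.set('requiredSecret', value)

    with open(self.server_xml, 'wb') as f:
        document.write(f, pretty_print=True, encoding='utf-8')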
def enable_nuxwdog_server_xml(self, filename, instance):
    """Switch ``filename`` (a Tomcat server.xml) to nuxwdog password handling.

    Adds a ``<Listener className=self.nuxwdog_listener_class>`` to the
    ``<Server>`` element unless one is already present, points every
    ``secure="true"`` Connector at the nuxwdog password store
    (``passwordClass`` / ``passwordFile``), then writes the document back
    as UTF-8 and chowns it to the instance's uid/gid.
    """
    if self.verbose:
        print('Enabling nuxwdog in %s' % filename)

    conf_file = self.get_conf_file(instance)

    document = etree.parse(filename, self.parser)
    server = document.getroot()

    # a listener with the nuxwdog class may already be registered
    already_registered = any(
        listener.get('className') == self.nuxwdog_listener_class
        for listener in server.findall('Listener'))

    # when several GlobalNamingResources exist the last one is the anchor
    naming_resources = server.findall('GlobalNamingResources')
    anchor = naming_resources[-1] if naming_resources else None

    if not already_registered:
        if anchor is not None:
            # NOTE(review): this lands one slot *before* the element that
            # precedes GlobalNamingResources (presumably the
            # GlobalResourcesLifecycleListener); when GlobalNamingResources
            # is the first child the position becomes -1 — confirm intended
            position = list(server).index(anchor) - 1
        else:
            position = 0
        listener = etree.Element('Listener')
        listener.set('className', self.nuxwdog_listener_class)
        server.insert(position, listener)

    for connector in server.findall('Service/Connector'):
        if connector.get('secure') != 'true':
            continue
        connector.set('passwordClass', self.nuxwdog_pwstore_class)
        connector.set('passwordFile', conf_file)

    with open(filename, 'wb') as f:
        # xml as UTF-8 encoded bytes
        document.write(f, pretty_print=True, encoding='utf-8')

    os.chown(filename, instance.uid, instance.gid)
def disable_nuxwdog_server_xml(self, filename, instance):
    """Revert ``filename`` (a Tomcat server.xml) from nuxwdog to plain password files.

    Every ``secure="true"`` Connector gets ``passwordClass`` set to
    ``self.plain_pwstore_class`` and ``passwordFile`` pointed at
    ``<instance.conf_dir>/password.conf``. The document is then written
    back as UTF-8 and chowned to the instance's uid/gid. The nuxwdog
    Listener, if present, is not touched here.
    """
    logger.info('Disabling nuxwdog in %s', filename)

    password_conf = os.path.join(instance.conf_dir, 'password.conf')

    document = etree.parse(filename, self.parser)
    root = document.getroot()

    secure_connectors = (
        connector for connector in root.findall('Service/Connector')
        if connector.get('secure') == 'true')
    for connector in secure_connectors:
        connector.set('passwordClass', self.plain_pwstore_class)
        connector.set('passwordFile', password_conf)

    with open(filename, 'wb') as f:
        # xml as UTF-8 encoded bytes
        document.write(f, pretty_print=True, encoding='utf-8')

    os.chown(filename, instance.uid, instance.gid)
def disable_nuxwdog_server_xml(self, filename, instance):
    """Point ``filename`` (a Tomcat server.xml) back at the plain password store.

    For each ``secure="true"`` Connector, ``passwordClass`` becomes
    ``self.plain_pwstore_class`` and ``passwordFile`` becomes
    ``<instance.conf_dir>/password.conf``. The result is written back as
    UTF-8 and chowned to the instance's uid/gid. The nuxwdog Listener,
    if any, is left in place.
    """
    if self.verbose:
        print('Disabling nuxwdog in %s' % filename)

    plain_store_file = os.path.join(instance.conf_dir, 'password.conf')

    document = etree.parse(filename, self.parser)

    def _use_plain_store(connector):
        # rewrite one secure connector to read its password from password.conf
        connector.set('passwordClass', self.plain_pwstore_class)
        connector.set('passwordFile', plain_store_file)

    for connector in document.getroot().findall('Service/Connector'):
        if connector.get('secure') == 'true':
            _use_plain_store(connector)

    with open(filename, 'wb') as f:
        # xml as UTF-8 encoded bytes
        document.write(f, pretty_print=True, encoding='utf-8')

    os.chown(filename, instance.uid, instance.gid)
def migrate_server_xml_to_tomcat8(self, instance, document):
    """Rewrite a parsed server.xml (``document``) for Tomcat 8, in place.

    ``<Server>`` children: the Tomcat 7 JasperListener and
    ServerLifecycleListener, and the comments describing them, are
    removed; VersionLoggerListener, the commented-out SecurityListener,
    JreMemoryLeakPreventionListener and ThreadLocalLeakPreventionListener
    are added unless an equivalent is already present.

    Secure connectors: protocol switched to
    ``org.dogtagpki.tomcat.Http11NioProtocol`` with a pkcs11 /
    Mozilla-JSS keystore, ``keyAlias`` set to the instance's SSL server
    cert nickname and ``PKITrustManager`` as trust manager; the
    file-based keystore attributes (``keystoreFile``,
    ``keystorePassFile``) and ``sslImplementationName`` are dropped.

    AccessLogValve: ``prefix`` reset to ``localhost_access_log``.

    The document is modified in memory only; nothing is written here.
    """
    server = document.getroot()

    # Each element/comment below is created up front and reset to None
    # when the scan finds it already in the file, so nothing is added twice.
    version_logger_listener = etree.Element('Listener')
    version_logger_listener.set(
        'className', 'org.apache.catalina.startup.VersionLoggerListener')

    security_listener_comment = etree.Comment(''' Security listener. Documentation at /docs/config/listeners.html <Listener className="org.apache.catalina.security.SecurityListener" /> ''')

    jre_memory_leak_prevention_listener = etree.Element('Listener')
    jre_memory_leak_prevention_listener.set(
        'className', 'org.apache.catalina.core.JreMemoryLeakPreventionListener')

    # existing element used as an insertion anchor, if found
    global_resources_lifecycle_listener = None

    thread_local_leak_prevention_listener = etree.Element('Listener')
    thread_local_leak_prevention_listener.set(
        'className', 'org.apache.catalina.core.ThreadLocalLeakPreventionListener')

    prevent_comment = etree.Comment(
        ' Prevent memory leaks due to use of particular java/javax APIs')

    # iterate over a snapshot so server.remove() is safe during the scan
    children = list(server)
    for child in children:

        if isinstance(child, etree._Comment):  # pylint: disable=protected-access

            if 'org.apache.catalina.security.SecurityListener' in child.text:
                security_listener_comment = None

            # Tomcat 7 era comments are dropped
            elif 'Initialize Jasper prior to webapps are loaded.' in child.text:
                server.remove(child)

            elif 'JMX Support for the Tomcat server.' in child.text:
                server.remove(child)

            elif 'The following class has been commented out because it' in child.text:
                server.remove(child)

            elif 'has been EXCLUDED from the Tomcat 7 \'tomcat-lib\' RPM!' in child.text:
                server.remove(child)

            elif 'org.apache.catalina.mbeans.ServerLifecycleListener' in child.text:
                server.remove(child)

            elif 'Prevent memory leaks due to use of particular java/javax APIs' in child.text:
                prevent_comment = None

        elif child.tag == 'Listener':

            class_name = child.get('className')

            # listeners that no longer exist in Tomcat 8
            if class_name == 'org.apache.catalina.core.JasperListener'\
                    or class_name == 'org.apache.catalina.mbeans.ServerLifecycleListener':
                if self.debug:
                    print('* removing %s' % class_name)
                server.remove(child)

            elif class_name == 'org.apache.catalina.startup.VersionLoggerListener':
                version_logger_listener = None

            elif class_name == 'org.apache.catalina.core.JreMemoryLeakPreventionListener':
                jre_memory_leak_prevention_listener = None

            elif class_name == 'org.apache.catalina.mbeans.GlobalResourcesLifecycleListener':
                global_resources_lifecycle_listener = child

            elif class_name == 'org.apache.catalina.core.ThreadLocalLeakPreventionListener':
                thread_local_leak_prevention_listener = None

    # 'index' is the insertion cursor; it advances after every insert
    # add at the top
    index = 0

    if version_logger_listener is not None:
        if self.debug:
            print('* adding VersionLoggerListener')
        server.insert(index, version_logger_listener)
        index += 1

    if security_listener_comment is not None:
        server.insert(index, security_listener_comment)
        index += 1

    # add before GlobalResourcesLifecycleListener if exists
    # (re-read the position: the inserts above may have shifted it)
    if global_resources_lifecycle_listener is not None:
        index = list(server).index(global_resources_lifecycle_listener)

    if prevent_comment is not None:
        server.insert(index, prevent_comment)
        index += 1

    if jre_memory_leak_prevention_listener is not None:
        if self.debug:
            print('* adding JreMemoryLeakPreventionListener')
        server.insert(index, jre_memory_leak_prevention_listener)
        index += 1

    # add after GlobalResourcesLifecycleListener if exists
    if global_resources_lifecycle_listener is not None:
        index = list(server).index(global_resources_lifecycle_listener) + 1

    if thread_local_leak_prevention_listener is not None:
        if self.debug:
            print('* adding ThreadLocalLeakPreventionListener')
        server.insert(index, thread_local_leak_prevention_listener)
        index += 1

    if self.debug:
        print('* updating secure Connector')

    full_name = instance.get_sslserver_cert_nickname()

    connectors = server.findall('Service/Connector')
    for connector in connectors:

        if connector.get('secure') != 'true':
            continue

        connector.set(
            'protocol', 'org.dogtagpki.tomcat.Http11NioProtocol')
        connector.attrib.pop('sslImplementationName', None)

        # the pkcs11 (Mozilla-JSS) keystore replaces the file-based
        # keystore, so its path and password-file reference are removed
        connector.set('keystoreType', 'pkcs11')
        connector.set('keystoreProvider', 'Mozilla-JSS')
        connector.attrib.pop('keystoreFile', None)
        connector.attrib.pop('keystorePassFile', None)
        connector.set('keyAlias', full_name)
        connector.set('trustManagerClassName', 'org.dogtagpki.tomcat.PKITrustManager')

    if self.debug:
        print('* updating AccessLogValve')

    valves = server.findall('Service/Engine/Host/Valve')
    for valve in valves:
        if valve.get(
                'className') == 'org.apache.catalina.valves.AccessLogValve':
            valve.set('prefix', 'localhost_access_log')
def migrate_server_xml_to_tomcat7(self, document):
    """Rewrite a parsed server.xml (``document``) for Tomcat 7, in place.

    This is the reverse of the Tomcat 8 migration. ``<Server>`` children:
    the Tomcat 8 listeners (VersionLogger, Security, ServerLifecycle,
    JreMemoryLeakPrevention, ThreadLocalLeakPrevention) and the
    SecurityListener / memory-leak comments are removed; the Tomcat 7
    JasperListener and its accompanying comments are added unless already
    present.

    Secure connectors: protocol reset to ``HTTP/1.1``.
    AccessLogValve: ``prefix`` reset to ``localhost_access_log.``.

    The document is modified in memory only; nothing is written here.
    """
    server = document.getroot()

    # Each comment/element below is created up front and reset to None
    # when the scan finds it already in the file, so nothing is added twice.
    jasper_comment = etree.Comment(
        'Initialize Jasper prior to webapps are loaded. Documentation '
        'at /docs/jasper-howto.html ')

    jasper_listener = etree.Element('Listener')
    jasper_listener.set(
        'className', 'org.apache.catalina.core.JasperListener')

    jmx_support_comment = etree.Comment(
        ' JMX Support for the Tomcat server. Documentation at '
        '/docs/non-existent.html ')

    excluded_comment1 = etree.Comment(
        ' The following class has been commented out because it ')

    excluded_comment2 = etree.Comment(
        ' has been EXCLUDED from the Tomcat 7 \'tomcat-lib\' RPM! ')

    server_lifecycle_comment = etree.Comment(
        ' Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" ')

    # existing element used as the insertion anchor, if found
    global_resources_lifecycle_listener = None

    # iterate over a snapshot so server.remove() is safe during the scan
    children = list(server)
    for child in children:

        if isinstance(child, etree._Comment):  # pylint: disable=protected-access

            if 'org.apache.catalina.security.SecurityListener' in child.text:
                server.remove(child)

            elif 'Initialize Jasper prior to webapps are loaded.' in child.text:
                jasper_comment = None

            elif 'JMX Support for the Tomcat server.' in child.text:
                jmx_support_comment = None

            elif 'The following class has been commented out because it' in child.text:
                excluded_comment1 = None

            elif 'has been EXCLUDED from the Tomcat 7 \'tomcat-lib\' RPM!' in child.text:
                excluded_comment2 = None

            elif 'org.apache.catalina.mbeans.ServerLifecycleListener' in child.text:
                server_lifecycle_comment = None

            # deliberately a separate 'if', not part of the chain above
            if 'Prevent memory leaks due to use of particular java/javax APIs' in child.text:
                server.remove(child)

        elif child.tag == 'Listener':

            class_name = child.get('className')

            # listeners introduced with Tomcat 8
            if class_name in {
                    'org.apache.catalina.startup.VersionLoggerListener',
                    'org.apache.catalina.security.SecurityListener',
                    'org.apache.catalina.mbeans.ServerLifecycleListener',
                    'org.apache.catalina.core.JreMemoryLeakPreventionListener',
                    'org.apache.catalina.core.ThreadLocalLeakPreventionListener'}:
                if self.debug:
                    print('* removing %s' % class_name)
                server.remove(child)

            elif class_name == 'org.apache.catalina.core.JasperListener':
                jasper_listener = None

            elif class_name == 'org.apache.catalina.mbeans.GlobalResourcesLifecycleListener':
                global_resources_lifecycle_listener = child

    # 'index' is the insertion cursor; it advances after every insert
    # add before GlobalResourcesLifecycleListener if exists
    if global_resources_lifecycle_listener is not None:
        index = list(server).index(global_resources_lifecycle_listener)
    else:
        index = 0

    if jasper_comment is not None:
        server.insert(index, jasper_comment)
        index += 1

    if jasper_listener is not None:
        if self.debug:
            print('* adding %s' % jasper_listener.get('className'))
        server.insert(index, jasper_listener)
        index += 1

    if jmx_support_comment is not None:
        server.insert(index, jmx_support_comment)
        index += 1

    if excluded_comment1 is not None:
        server.insert(index, excluded_comment1)
        index += 1

    if excluded_comment2 is not None:
        server.insert(index, excluded_comment2)
        index += 1

    if server_lifecycle_comment is not None:
        server.insert(index, server_lifecycle_comment)
        index += 1

    if self.debug:
        print('* updating secure Connector')

    connectors = server.findall('Service/Connector')
    for connector in connectors:
        if connector.get('secure') == 'true':
            connector.set('protocol', 'HTTP/1.1')

    if self.debug:
        print('* updating AccessLogValve')

    valves = server.findall('Service/Engine/Host/Valve')
    for valve in valves:
        if valve.get('className') == 'org.apache.catalina.valves.AccessLogValve':
            valve.set('prefix', 'localhost_access_log.')
def migrate_server_xml_to_tomcat85(self, instance, document):
    """Rewrite a parsed server.xml (``document``) for Tomcat 8.5, in place.

    Runs the Tomcat 8.0 migration first, then tidies the commented-out
    connector blocks inside each Service and moves the TLS settings of
    every ``secure="true"`` Connector into an ``SSLHostConfig`` /
    ``Certificate`` pair: the JSS implementation is selected on the
    connector, the connector-level keystore and trust-manager attributes
    are dropped, and the certificate is addressed by
    ``instance.get_sslserver_cert_nickname()`` in the pkcs11 /
    Mozilla-JSS keystore. The document is not written back here.
    """
    self.migrate_server_xml_to_tomcat80(instance, document)

    server = document.getroot()

    # comments containing any of these markers are dropped from the Service
    removed_markers = (
        'Shared Ports: Agent, EE, and Admin Secure Port Connector',
        'DO NOT REMOVE - Begin define PKI secure port',
        'DO NOT REMOVE - End define PKI secure port',
    )

    for service in server.findall('Service'):
        # snapshot the children so removal during the scan is safe
        for child in list(service):
            if not isinstance(child, etree._Comment):  # pylint: disable=protected-access
                continue
            text = child.text
            if 'Java HTTP Connector: /docs/config/http.html' in text:
                child.text = text.replace(' (blocking & non-blocking)', '')
            elif any(marker in text for marker in removed_markers):
                service.remove(child)
            elif 'protocol="AJP/1.3"' in text:
                # re-indent the attribute lines of the commented-out AJP connector
                child.text = re.sub(r'^ *([^ ]+)=', r' \g<1>=', text, flags=re.MULTILINE)

    if self.debug:
        print('* adding SSLHostConfig')

    full_name = instance.get_sslserver_cert_nickname()

    # connector-level TLS attributes that now live under SSLHostConfig/Certificate
    legacy_connector_attrs = (
        'sslProtocol', 'clientAuth', 'keystoreType',
        'keystoreProvider', 'keyAlias', 'trustManagerClassName',
    )

    for connector in server.findall('Service/Connector'):
        if connector.get('secure') != 'true':
            continue

        connector.set('sslImplementationName', 'org.dogtagpki.tomcat.JSSImplementation')
        for attr in legacy_connector_attrs:
            connector.attrib.pop(attr, None)

        # reuse the first existing SSLHostConfig, else create one
        ssl_host_config = connector.find('SSLHostConfig')
        if ssl_host_config is None:
            ssl_host_config = etree.SubElement(connector, 'SSLHostConfig')
        ssl_host_config.set('sslProtocol', 'SSL')
        # 'optional': per Tomcat's SSLHostConfig docs a client certificate
        # is requested but the handshake succeeds without one
        ssl_host_config.set('certificateVerification', 'optional')
        ssl_host_config.attrib.pop('trustManagerClassName', None)

        # reuse the first existing Certificate, else create one
        certificate = ssl_host_config.find('Certificate')
        if certificate is None:
            certificate = etree.SubElement(ssl_host_config, 'Certificate')
        certificate.set('certificateKeystoreType', 'pkcs11')
        certificate.set('certificateKeystoreProvider', 'Mozilla-JSS')
        certificate.set('certificateKeyAlias', full_name)
def migrate_server_xml_to_tomcat8(self, document):
    """Rewrite a parsed server.xml (``document``) for Tomcat 8, in place.

    ``<Server>`` children: the Tomcat 7 JasperListener and
    ServerLifecycleListener, and the comments describing them, are
    removed; VersionLoggerListener, the commented-out SecurityListener,
    JreMemoryLeakPreventionListener and ThreadLocalLeakPreventionListener
    are added unless an equivalent is already present.

    Secure connectors: protocol set to
    ``org.apache.coyote.http11.Http11Protocol``; no keystore attributes
    are touched in this variant.
    AccessLogValve: ``prefix`` reset to ``localhost_access_log``.

    The document is modified in memory only; nothing is written here.
    """
    server = document.getroot()

    # Each element/comment below is created up front and reset to None
    # when the scan finds it already in the file, so nothing is added twice.
    version_logger_listener = etree.Element('Listener')
    version_logger_listener.set(
        'className', 'org.apache.catalina.startup.VersionLoggerListener')

    security_listener_comment = etree.Comment(''' Security listener. Documentation at /docs/config/listeners.html <Listener className="org.apache.catalina.security.SecurityListener" /> ''')

    jre_memory_leak_prevention_listener = etree.Element('Listener')
    jre_memory_leak_prevention_listener.set(
        'className', 'org.apache.catalina.core.JreMemoryLeakPreventionListener')

    # existing element used as an insertion anchor, if found
    global_resources_lifecycle_listener = None

    thread_local_leak_prevention_listener = etree.Element('Listener')
    thread_local_leak_prevention_listener.set(
        'className', 'org.apache.catalina.core.ThreadLocalLeakPreventionListener')

    prevent_comment = etree.Comment(
        ' Prevent memory leaks due to use of particular java/javax APIs')

    # iterate over a snapshot so server.remove() is safe during the scan
    children = list(server)
    for child in children:

        if isinstance(child, etree._Comment):  # pylint: disable=protected-access

            if 'org.apache.catalina.security.SecurityListener' in child.text:
                security_listener_comment = None

            # Tomcat 7 era comments are dropped
            elif 'Initialize Jasper prior to webapps are loaded.' in child.text:
                server.remove(child)

            elif 'JMX Support for the Tomcat server.' in child.text:
                server.remove(child)

            elif 'The following class has been commented out because it' in child.text:
                server.remove(child)

            elif 'has been EXCLUDED from the Tomcat 7 \'tomcat-lib\' RPM!' in child.text:
                server.remove(child)

            elif 'org.apache.catalina.mbeans.ServerLifecycleListener' in child.text:
                server.remove(child)

            elif 'Prevent memory leaks due to use of particular java/javax APIs' in child.text:
                prevent_comment = None

        elif child.tag == 'Listener':

            class_name = child.get('className')

            # listeners that no longer exist in Tomcat 8
            if class_name == 'org.apache.catalina.core.JasperListener'\
                    or class_name == 'org.apache.catalina.mbeans.ServerLifecycleListener':
                if self.debug:
                    print('* removing %s' % class_name)
                server.remove(child)

            elif class_name == 'org.apache.catalina.startup.VersionLoggerListener':
                version_logger_listener = None

            elif class_name == 'org.apache.catalina.core.JreMemoryLeakPreventionListener':
                jre_memory_leak_prevention_listener = None

            elif class_name == 'org.apache.catalina.mbeans.GlobalResourcesLifecycleListener':
                global_resources_lifecycle_listener = child

            elif class_name == 'org.apache.catalina.core.ThreadLocalLeakPreventionListener':
                thread_local_leak_prevention_listener = None

    # 'index' is the insertion cursor; it advances after every insert
    # add at the top
    index = 0

    if version_logger_listener is not None:
        if self.debug:
            print('* adding VersionLoggerListener')
        server.insert(index, version_logger_listener)
        index += 1

    if security_listener_comment is not None:
        server.insert(index, security_listener_comment)
        index += 1

    # add before GlobalResourcesLifecycleListener if exists
    # (re-read the position: the inserts above may have shifted it)
    if global_resources_lifecycle_listener is not None:
        index = list(server).index(global_resources_lifecycle_listener)

    if prevent_comment is not None:
        server.insert(index, prevent_comment)
        index += 1

    if jre_memory_leak_prevention_listener is not None:
        if self.debug:
            print('* adding JreMemoryLeakPreventionListener')
        server.insert(index, jre_memory_leak_prevention_listener)
        index += 1

    # add after GlobalResourcesLifecycleListener if exists
    if global_resources_lifecycle_listener is not None:
        index = list(server).index(global_resources_lifecycle_listener) + 1

    if thread_local_leak_prevention_listener is not None:
        if self.debug:
            print('* adding ThreadLocalLeakPreventionListener')
        server.insert(index, thread_local_leak_prevention_listener)
        index += 1

    if self.debug:
        print('* updating secure Connector')

    connectors = server.findall('Service/Connector')
    for connector in connectors:
        if connector.get('secure') == 'true':
            connector.set(
                'protocol', 'org.apache.coyote.http11.Http11Protocol')

    if self.debug:
        print('* updating AccessLogValve')

    valves = server.findall('Service/Engine/Host/Valve')
    for valve in valves:
        if valve.get(
                'className') == 'org.apache.catalina.valves.AccessLogValve':
            valve.set('prefix', 'localhost_access_log')
def migrate_server_xml_to_tomcat85(self, instance, document):
    """Rewrite a parsed server.xml (``document``) for Tomcat 8.5, in place.

    Runs the Tomcat 8.0 migration first, then tidies the commented-out
    connector blocks inside each Service and moves the TLS settings of
    every ``secure="true"`` Connector into an ``SSLHostConfig`` /
    ``Certificate`` pair. The connector-level keystore and trust-manager
    attributes are dropped; ``PKITrustManager`` is set on the
    SSLHostConfig instead, and the certificate is addressed by
    ``instance.get_sslserver_cert_nickname()`` in the pkcs11 /
    Mozilla-JSS keystore. ``sslImplementationName`` is not touched in
    this variant. The document is not written back here.
    """
    self.migrate_server_xml_to_tomcat80(instance, document)

    server = document.getroot()

    def _tidy_connector_comment(service, comment):
        # rewrite or drop one commented-out connector block inside a Service
        body = comment.text
        if 'Java HTTP Connector: /docs/config/http.html' in body:
            comment.text = body.replace(' (blocking & non-blocking)', '')
        elif ('Shared Ports: Agent, EE, and Admin Secure Port Connector' in body
              or 'DO NOT REMOVE - Begin define PKI secure port' in body
              or 'DO NOT REMOVE - End define PKI secure port' in body):
            service.remove(comment)
        elif 'protocol="AJP/1.3"' in body:
            # re-indent the attribute lines of the commented-out AJP connector
            comment.text = re.sub(r'^ *([^ ]+)=', r' \g<1>=', body, flags=re.MULTILINE)

    for service in server.findall('Service'):
        # snapshot the children so removal during the scan is safe
        for child in list(service):
            if isinstance(child, etree._Comment):  # pylint: disable=protected-access
                _tidy_connector_comment(service, child)

    if self.debug:
        print('* adding SSLHostConfig')

    full_name = instance.get_sslserver_cert_nickname()

    for connector in server.findall('Service/Connector'):
        if connector.get('secure') == 'true':

            # connector-level TLS attributes now live under SSLHostConfig/Certificate
            for attr in ('sslProtocol', 'clientAuth', 'keystoreType',
                         'keystoreProvider', 'keyAlias', 'trustManagerClassName'):
                connector.attrib.pop(attr, None)

            # reuse the first existing SSLHostConfig, else create one
            ssl_host_config = next(iter(connector.findall('SSLHostConfig')), None)
            if ssl_host_config is None:
                ssl_host_config = etree.SubElement(connector, 'SSLHostConfig')
            ssl_host_config.set('sslProtocol', 'SSL')
            # 'optional': per Tomcat's SSLHostConfig docs a client certificate
            # is requested but the handshake succeeds without one
            ssl_host_config.set('certificateVerification', 'optional')
            ssl_host_config.set('trustManagerClassName', 'org.dogtagpki.tomcat.PKITrustManager')

            # reuse the first existing Certificate, else create one
            certificate = next(iter(ssl_host_config.findall('Certificate')), None)
            if certificate is None:
                certificate = etree.SubElement(ssl_host_config, 'Certificate')
            certificate.set('certificateKeystoreType', 'pkcs11')
            certificate.set('certificateKeystoreProvider', 'Mozilla-JSS')
            certificate.set('certificateKeyAlias', full_name)