#!/bin/bash
#
# --- BEGIN COPYRIGHT BLOCK ---
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2007 Red Hat, Inc.
# All rights reserved.
# --- END COPYRIGHT BLOCK ### ---
#
# pki-ocspd  Startup script for Tomcat 5.0 pki-ocsp, the Apache Servlet Engine
#
# chkconfig:    - 83 17
# description:  Online Certificate Status Protocol Manager \
#               (Tomcat 5.0)
# processname:  pki-ocspd
# piddir:       /var/run/pki/ocsp
# config:       ${PKI_INSTANCE_PATH}/conf/tomcat5.conf
#
# Gomez Henri <hgomez@users.sourceforge.net>
# Keith Irwin <keith_irwin@non.hp.com>
# Nicolas Mailhot <nicolas.mailhot@one2team.com>
#
# version 1.02 - Removed initlog support
# version 1.03 - Removed config:
# version 1.04 - tomcat will start before httpd and stop after httpd
# version 1.05 - jdk hardcoded to link /usr/java/jdk and tomcat runs
#                as "nobody"
# version 1.06 - split up into script and config file
# version 1.07 - Rework from Nicolas ideas
# version 1.08 - Fix work dir permission at start time, switch to use tomcat4
# version 1.09 - Fix pidfile and config tags
# version 1.10 - Fallback to su direct use on systems without
#                Redhat/Mandrake init.d functions
# version 1.11 - Fix webapps dir permissions
# version 1.12 - remove initial start/stop level for chkconfig (- 80 20)
# version 1.13 - remove chown of logs/work/temp/webapps dir,
#                owned by tomcat4 at install time
# version 1.14 - correct the start/stop ugly hack by waiting
#                all the threads stops
# version 1.15 - ensure we're looking for TOMCAT_USER running catalina
# version 1.16 - Add support for CATALINA_PID env var
# version 1.17 - Remove run files only if tomcat started correctly
#                in start area, check that tomcat is not already running
# version 1.18 - Fix kill typo (thanks Kaj J. Niemi)
# version 1.19 - Add jar relinking
# version 1.20 - Check there is no stalling tomcat4.pid
# version 1.20tc5 - Changed all instances of tomcat4 to
#                   tomcat5 except TOMCAT_USER
# version 1.20tc5rh - Changed TOMCAT_USER from tomcat4 to tomcat
#

# Identity of this PKI subsystem type and of its service process.
PKI_TYPE='pki-ocsp'
PKI_PROCESS='pki-ocspd'

# Fixed filesystem locations used by this subsystem type: the installed
# subsystem, the registry of its instances, and the pid directory.
PKI_PATH='/usr/share/pki/ocsp'
PKI_REGISTRY='/etc/sysconfig/pki/ocsp'
PKI_PIDDIR='/var/run/pki/ocsp'

# Starts out empty; the OS-specific section of this script fills it in.
PKI_INIT_SCRIPT=''

# PKI subsystem-level directory and file values for locks
lockfile='/var/lock/subsys/pki-ocspd'

# Strip only the other-write bit from newly created files.
# NOTE(review): group write is still granted by this mask; confirm that is
# intended for the files this script creates.
umask 0002

# Positional arguments: the requested action and an optional instance name.
command=$1
pki_instance=$2

# Pick the fallback exit code for the requested action.  Anything that is
# not a recognised action keeps the initial value:
#     * 2 invalid argument(s)
default_error=2
case "${command}" in
	status)
		# * 4 program or service status is unknown
		default_error=4
		;;
	reload)
		default_error=3
		;;
	start|stop|restart|condrestart|force-restart|try-restart)
		# * 1 generic or unspecified error (current practice)
		default_error=1
		;;
esac

# Refuse to run when the directory this script was invoked from has been
# deleted: /bin/pwd fails in that situation.  Its output is discarded, so
# ${CWD} is always left empty; only the exit status is of interest.
CWD=""
if ! /bin/pwd > /dev/null 2>&1 ; then
	echo "Cannot invoke '$0' from non-existent directory!"
	exit ${default_error}
fi

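# Check to ensure that this script's associated PKI
# subsystem currently resides on this system.
#
# The path is quoted so that an empty or unset ${PKI_PATH} is reported as
# missing; unquoted, "[ ! -d ]" evaluates to false and the guard would be
# skipped silently.
if [ ! -d "${PKI_PATH}" ] ; then
	echo "This machine is missing the '${PKI_TYPE}' subsystem!"
	if [ "${command}" != "status" ]; then
		# * 5 program is not installed
		exit 5
	else
		exit ${default_error}
	fi
fi

# Check to ensure that this script's associated PKI
# subsystem instance registry currently resides on this system.
# (Quoted for the same reason as the check above.)
if [ ! -d "${PKI_REGISTRY}" ] ; then
	echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!"
	if [ "${command}" != "status" ]; then
		# * 5 program is not installed
		exit 5
	else
		exit ${default_error}
	fi
fi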

# Obtain the operating system upon which this script is being executed
OS=$(uname -s)
ARCHITECTURE=""

# This script must be run as root!
#
# Each supported OS selects its init command, verifies that the caller is
# root with its own "id" program, and then records the architecture.
RV=0
case "${OS}" in
	Linux)
		PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}"
		if [ "$(id -u)" -ne 0 ] ; then
			echo "Must be 'root' to execute '$0'!"
			# Both cases use the same code:
			#     * 4 user had insufficient privilege   (non-"status")
			#     * 4 program or service status is unknown ("status")
			exit 4
		fi
		ARCHITECTURE=$(uname -i)
		;;
	SunOS)
		PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}"
		if [ "$(/usr/xpg4/bin/id -u)" -ne 0 ] ; then
			echo "Must be 'root' to execute '$0'!"
			# Both cases use the same code:
			#     * 4 user had insufficient privilege   (non-"status")
			#     * 4 program or service status is unknown ("status")
			exit 4
		fi
		ARCHITECTURE=$(uname -p)
		# Report "sparcv9" when the sparcv9 library directory is present.
		if [ "${ARCHITECTURE}" = "sparc" ] && [ -d "/usr/lib/sparcv9/" ] ; then
			ARCHITECTURE="sparcv9"
		fi
		;;
	*)
		echo "Unsupported OS '${OS}'!"
		exit ${default_error}
		;;
esac

# Source function library.
if [ -f /etc/init.d/functions ]; then
	. /etc/init.d/functions
else
	# This platform has no "/etc/init.d/functions" file (e. g. - Solaris),
	# so the pieces this script needs are provided here instead.

	# checkpid PID...
	#
	# Probes every pid passed in with "ps -p" and returns the number of
	# pids that are NOT running (0 means all of them are alive).  The
	# count is kept in the global ${rv}.
	checkpid()
	{
		rv=0
		# $* is deliberately left unquoted so that one argument may
		# carry several whitespace-separated pids.
		for i in $* ; do
			if ! ps -p $i > /dev/null 2>&1 ; then
				rv=$((rv + 1))
			fi
		done
		return ${rv}
	}

	# Create the following directories on platforms
	# where they do not exist (e. g. - Solaris) . . .
	[ -d "/var/lock" ] || {
		mkdir -p /var/lock
		chown root:sys /var/lock
		chmod 00755 /var/lock
	}
	[ -d "/var/lock/subsys" ] || {
		mkdir -p /var/lock/subsys
		chown root:root /var/lock/subsys
		chmod 00755 /var/lock/subsys
	}

	#######################################################################
	## NOTE:  The following code needs to eventually be moved into the   ##
	##        template used to create the                                ##
	##        "${PKI_INSTANCE_PATH}/conf/tomcat5.conf" file!             ##
	#######################################################################

	if [ "${OS}" = "SunOS" ] ; then
		DEFAULT_SOLARIS_JAVA_HOME="/usr/jdk/instances/jdk1.5.0/jre"
		DEFAULT_LINUX_JAVA_HOME="/usr/lib/jvm/jre"
		DEFAULT_LINUX_JAVA_HOME_PATH=$(dirname ${DEFAULT_LINUX_JAVA_HOME})

		# The Sun JRE 1.5.0 has to exist at the default location;
		# for now, simply exit with an appropriate error message.
		if [ ! -d "${DEFAULT_SOLARIS_JAVA_HOME}" ] ; then
			printf '%s%s\n\n' \
				"The Solaris 1.5.0 JRE must be installed " \
				"at \"${DEFAULT_SOLARIS_JAVA_HOME}\"!"
			exit ${default_error}
		fi

		# create the directory in which the symlink resides (if necessary)
		[ -d "${DEFAULT_LINUX_JAVA_HOME_PATH}" ] ||
			mkdir -p "${DEFAULT_LINUX_JAVA_HOME_PATH}"

		# create the actual symlink (if necessary)
		[ -h "${DEFAULT_LINUX_JAVA_HOME}" ] ||
			ln -s "${DEFAULT_SOLARIS_JAVA_HOME}" "${DEFAULT_LINUX_JAVA_HOME}"
	fi
fi

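PKI_REGISTRY_ENTRIES=""
TOTAL_PKI_REGISTRY_ENTRIES=0
TOTAL_UNCONFIGURED_PKI_ENTRIES=0

# Gather ALL registered instances of this PKI subsystem type.
#
# The registry is walked with a shell glob instead of parsing "ls" output.
# With "ls", a sub-directory of the registry was expanded into the bare
# names of its contents, and those names were then tested with "-f"
# relative to the current directory, so a file that merely happened to
# exist in the invocation directory could be counted as an instance.
# An unmatched glob stays literal and is rejected by the "-f" test.
#
# NOTE: the entries are still kept as one space-separated string, so a
# registry file whose name contains whitespace is not supported.
for FILE in "${PKI_REGISTRY}"/* ; do
	if [ -f "$FILE" ] ; then
		inst=$FILE
		PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst"
		TOTAL_PKI_REGISTRY_ENTRIES=$((TOTAL_PKI_REGISTRY_ENTRIES + 1))
	fi
done

# When an instance name was given on the command line and it matches a
# registered entry, narrow the list down to exactly that entry.  If it
# does not match, the list is left untouched.
if [ -n "${pki_instance}" ]; then
	# Word splitting is intentional: the list is space-separated.
	for I in ${PKI_REGISTRY_ENTRIES}; do
		if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then
			PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}"
			TOTAL_PKI_REGISTRY_ENTRIES=1
			break
		fi
	done
fi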

# Print the command-line synopsis, followed by one blank line.
# Globals:  PKI_INIT_SCRIPT (read) - the command shown to the user
# Outputs:  the usage text on stdout
usage()
{
	printf 'Usage: %s {%s} [instance-name]\n\n' \
		"${PKI_INIT_SCRIPT}" \
		"start|stop|restart|condrestart|force-restart|try-restart|reload|status"
}

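# Print the registered instances of this PKI subsystem type, one path per
# line and indented by four spaces, framed by a blank line on each side.
#
# Globals:  PKI_REGISTRY (read) - directory holding one file per instance
#           FILE (written)      - loop variable, left global as before
# Outputs:  the list on stdout
#
# The registry is walked with a glob rather than by parsing "ls" output,
# so names containing whitespace are printed intact and a sub-directory is
# no longer expanded into a "dir:" heading plus its contents.  Only regular
# files are listed, which matches the "-f" test this script applies when it
# gathers the registered instances.
list_instances()
{
	echo
	for FILE in "${PKI_REGISTRY}"/* ; do
		# Skips sub-directories and the literal pattern of an empty registry.
		[ -f "${FILE}" ] || continue
		echo "    ${FILE}"
	done
	echo
}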

# Check arguments
#
# The first problem found decides the message and the exit code; every
# problem is reported the same way (message, usage, instance list).
arg_problem=""
arg_exit=0
if [ $# -lt 1 ] ; then
	# * 3 unimplemented feature (for example, "reload")
	#     [insufficient arguments]
	arg_problem="Insufficient arguments!"
	arg_exit=3
elif [ "${default_error}" -eq 2 ] ; then
	# * 2 invalid argument
	arg_problem="Invalid arguments!"
	arg_exit=2
elif [ $# -gt 2 ] ; then
	arg_problem="Excess arguments!"
	if [ "${command}" != "status" ]; then
		# * 2 excess arguments
		arg_exit=2
	else
		# * 4 program or service status is unknown
		arg_exit=4
	fi
fi

if [ -n "${arg_problem}" ] ; then
	echo "$0:  ${arg_problem}"
	echo
	usage
	echo "where valid instance names include:"
	list_instances
	exit ${arg_exit}
fi
unset arg_problem arg_exit

# If an "instance" was supplied, check that it is a "valid" instance.
#
# The name is accepted only when "${PKI_REGISTRY}/<name>" is exactly the
# value of ${PKI_REGISTRY_ENTRIES}.  This comparison is the only check of
# the caller-supplied instance name visible in this part of the script.
if [ -n "${pki_instance}" ] &&
	[ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ] ; then
	echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance"
	echo_failure
	echo
	case "${command}" in
		status)
			# * 4 program or service status is unknown
			exit 4
			;;
		*)
			# * 5 program is not installed
			exit 5
			;;
	esac
fi

# Recreate the ${PKI_PIDDIR} directory when it is missing.
#
# On Solaris /var/run is in tmpfs and gets wiped out upon reboot, so the
# directory has to be created again before an instance is started.
#
# Globals:  PKI_PIDDIR (read)
# Returns:  0 when the directory already exists, otherwise the status of
#           the last chmod
#
# NOTE(review): the earlier header of this function said the directory must
# be writable by the ${PKI_TYPE} server process and tied its ownership to
# ${PKI_GROUP} and ${PKI_USER}.  The code does neither: both "/var/run/pki"
# and ${PKI_PIDDIR} are set to root:root with mode 00755.  Confirm which of
# the two is intended.
fix_pid_dir_ownership()
{
	local pid_dir

	# Nothing to do when the directory is already there.
	[ -d "${PKI_PIDDIR}" ] && return 0

	mkdir -p "${PKI_PIDDIR}"

	# Parent first, then the pid directory itself.
	for pid_dir in /var/run/pki "${PKI_PIDDIR}" ; do
		chown root:root "${pid_dir}"
		chmod 00755 "${pid_dir}"
	done
}

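# Report whether the current instance still has to be configured or
# restarted.
#
# Globals:  pki_instance_configuration_file (read) - file searched for
#               lines starting with "preop"
#           RESTART_SERVER (read) - marker file; its presence means the
#               instance must still be restarted
#           PKI_INSTANCE_ID, command, default_error (read)
#           TOTAL_UNCONFIGURED_PKI_ENTRIES (incremented when unconfigured)
#           rv (written)
# Outputs:  an indented notice on stdout for every non-zero result
# Returns:  0 - configured and no restart pending
#           6 (or 4 for "status") - "preop" lines are still present
#           1 (or 4 for "status") - configured, but a restart is pending
#           ${default_error} - the configuration file could not be read
check_pki_configuration_status()
{
	rv=0

	# grep exits with 0 or 1 when it could search the file and with a
	# larger value when it could not.  Previously an unreadable file left
	# ${rv} empty, the numeric test below failed, and the instance was
	# treated as fully configured.
	rv=$(grep -c '^preop' "${pki_instance_configuration_file}")
	if [ $? -gt 1 ] || [ -z "${rv}" ] ; then
		echo "    '${PKI_INSTANCE_ID}' configuration file cannot be read!"
		rv=${default_error}
		return ${rv}
	fi

	if [ "${rv}" -ne 0 ] ; then
		echo "    '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
		echo "    (see /var/log/${PKI_INSTANCE_ID}-install.log)"
		if [ "${command}" != "status" ]; then
			# * 6 program is not configured
			rv=6
		else
			# * 4 program or service status is unknown
			rv=4
		fi
		TOTAL_UNCONFIGURED_PKI_ENTRIES=$((TOTAL_UNCONFIGURED_PKI_ENTRIES + 1))
	# Quoted: an empty ${RESTART_SERVER} must not satisfy "-f".
	elif [ -f "${RESTART_SERVER}" ] ; then
		echo -n "    Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
		echo -n "it must still be RESTARTED!"
		echo
		if [ "${command}" != "status" ]; then
			# * 1 generic or unspecified error (current practice)
			rv=1
		else
			# * 4 program or service status is unknown
			rv=4
		fi
	fi

	return ${rv}
}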

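# Print the PKI Status Definitions found in the instance's "server.xml".
#
# The lines between the well-known begin and end comments are scanned, and
# every line that starts with one of the six port statements is printed,
# indented by four spaces.
#
# Globals:  PKI_SERVER_XML_CONF (read) - instance-specific "server.xml"
#           default_error (read)
#           line, head, total_ports, pki_status_comment_found and the
#           *_statement / *_comment strings (written; left global as before)
# Outputs:  the matching lines on stdout
# Returns:  0 when exactly six definitions were printed,
#           ${default_error} otherwise
# Exits:    with ${default_error} when the file does not exist
get_pki_status_definitions()
{
	# establish well-known strings
	begin_pki_status_comment="<!-- DO NOT REMOVE - Begin PKI Status Definitions -->"
	end_pki_status_comment="<!-- DO NOT REMOVE - End PKI Status Definitions -->"
	total_ports=0
	unsecure_port_statement="Unsecure Port     = "
	secure_agent_port_statement="Secure Agent Port = "
	secure_ee_port_statement="Secure EE Port    = "
	secure_admin_port_statement="Secure Admin Port = "
	pki_console_port_statement="PKI Console Port  = "
	tomcat_port_statement="Tomcat Port       = "

	# initialize looping variables
	pki_status_comment_found=0

	# first check to see that an instance-specific "server.xml" file exists
	if [ ! -f "${PKI_SERVER_XML_CONF}" ] ; then
		echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
		exit ${default_error}
	fi

	# read this instance-specific "server.xml" file line-by-line
	# to obtain the current PKI Status Definitions
	#
	# The file is attached to the loop only.  The former "exec < file"
	# replaced the standard input of the whole script for good.
	# IFS is left at its default so that "read" strips the indentation
	# before the comparisons below.
	while read -r line || [ -n "${line}" ] ; do
		# first look for the well-known end PKI Status comment
		# (to turn off processing)
		if [ "$line" == "$end_pki_status_comment" ] ; then
			pki_status_comment_found=0
			break
		fi

		# then look for the well-known begin PKI Status comment
		# (to turn on processing)
		if [ "$line" == "$begin_pki_status_comment" ] ; then
			pki_status_comment_found=1
		fi

		# once the well-known begin PKI Status comment has been found,
		# begin processing to obtain all of the PKI Status Definitions
		if [ $pki_status_comment_found -eq 1 ] ; then
			# look for a PKI Status Definition and print it
			# (every statement above is exactly 20 characters long)
			head=${line:0:20}
			if	[ "$head" == "$unsecure_port_statement"     ] ||
				[ "$head" == "$secure_agent_port_statement" ] ||
				[ "$head" == "$secure_ee_port_statement"    ] ||
				[ "$head" == "$secure_admin_port_statement" ] ||
				[ "$head" == "$pki_console_port_statement"  ] ||
				[ "$head" == "$tomcat_port_statement"       ] ; then
				echo "    $line"
				total_ports=$((total_ports + 1))
			fi
		fi
	done < "${PKI_SERVER_XML_CONF}"

	if [ ${total_ports} -eq 6 ] ; then
		return 0
	else
		return ${default_error}
	fi
}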

# Read the identifying settings of the current instance from its
# configuration file and print them as status lines.
#
# Keys read from ${pki_instance_configuration_file}:
#     cs.type, subsystem.select, hierarchy.select, securitydomain.select,
#     securitydomain.name, securitydomain.host, securitydomain.httpsadminport
#
# Globals:  pki_instance_configuration_file, PKI_INSTANCE_ID,
#           default_error (read)
#           line, header, data and every pki_* / registered_* variable
#           assigned below (written; none of them is local)
# Outputs:  the instance name, the subsystem type and the registered
#           security domain information on stdout
# Returns:  0 on success, ${default_error} as soon as a required key is
#           missing or the subsystem type is not recognised (nothing is
#           printed in that case)
#
# NOTE(review): the grep patterns are unquoted and their "." matches any
# character; each "cut -b" offset is the length of its key plus one.
# NOTE(review): the values are printed exactly as they appear in the
# configuration file.
get_pki_configuration_definitions()
{
	# Obtain the PKI Subsystem Type
	line=`grep ^cs.type= ${pki_instance_configuration_file}`
	pki_subsystem=`echo "${line}" | cut -b9-`
	if [ "${line}" != "" ] ; then
		if	[ "${pki_subsystem}" != "CA"   ]  &&
			[ "${pki_subsystem}" != "KRA"  ]  &&
			[ "${pki_subsystem}" != "OCSP" ]  &&
			[ "${pki_subsystem}" != "TKS"  ]  &&
			[ "${pki_subsystem}" != "RA"   ]  &&
			[ "${pki_subsystem}" != "TPS"  ]
		then
			return ${default_error}
		fi
		if	[ "${pki_subsystem}" == "KRA"   ] ; then
			# Rename "KRA" to "DRM"
			pki_subsystem="DRM"
		fi
	else
		return ${default_error}
	fi

	# If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
	# check to see if "${pki_subsystem}" is a "Clone"
	pki_clone=""
	if	[ "${pki_subsystem}" == "CA"   ]  ||
		[ "${pki_subsystem}" == "DRM"  ]  ||
		[ "${pki_subsystem}" == "OCSP" ]  ||
		[ "${pki_subsystem}" == "TKS"  ]
	then
		line=`grep ^subsystem.select= ${pki_instance_configuration_file}`
		if [ "${line}" != "" ] ; then
			pki_clone=`echo "${line}" | cut -b18-`
			if [ "${pki_clone}" != "Clone" ] ; then
				# Reset "${pki_clone}" to be empty
				pki_clone=""
			fi
		else
			return ${default_error}
		fi
	fi

	# If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
	# see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
	pki_hierarchy=""
	if	[ "${pki_subsystem}" == "CA" ]  &&
		[ "${pki_clone}" != "Clone"  ]
	then
		line=`grep ^hierarchy.select= ${pki_instance_configuration_file}`
		if [ "${line}" != "" ] ; then
			pki_hierarchy=`echo "${line}" | cut -b18-`
		else
			return ${default_error}
		fi
	fi

	# If ${pki_subsystem} is a CA, check to
	# see if it is also a Security Domain
	pki_security_domain=""
	if	[ "${pki_subsystem}" == "CA" ] ; then
		line=`grep ^securitydomain.select= ${pki_instance_configuration_file}`
		if [ "${line}" != "" ] ; then
			pki_security_domain=`echo "${line}" | cut -b23-`
			if [ "${pki_security_domain}" == "new" ] ; then
				# Set a fixed value for "${pki_security_domain}"
				pki_security_domain="(Security Domain)"
			else
				# Reset "${pki_security_domain}" to be empty
				pki_security_domain=""
			fi
		else
			return ${default_error}
		fi
	fi

	# Always obtain this PKI instance's "registered"
	# security domain information
	pki_security_domain_name=""
	pki_security_domain_hostname=""
	pki_security_domain_https_admin_port=""

	line=`grep ^securitydomain.name= ${pki_instance_configuration_file}`
	if [ "${line}" != "" ] ; then
		pki_security_domain_name=`echo "${line}" | cut -b21-`
	else
		return ${default_error}
	fi

	line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
	if [ "${line}" != "" ] ; then
		pki_security_domain_hostname=`echo "${line}" | cut -b21-`
	else
		return ${default_error}
	fi

	line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
	if [ "${line}" != "" ] ; then
		pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
	else
		return ${default_error}
	fi

	# Compose the "PKI Instance Name" Status Line
	pki_instance_name="PKI Instance Name:   ${PKI_INSTANCE_ID}"

	# Compose the "PKI Subsystem Type" Status Line
	header="PKI Subsystem Type: "
	if   [ "${pki_clone}" != "" ] ; then
		if [ "${pki_security_domain}" != "" ]; then
			# Possible Values:
			#
			#     "CA Clone (Security Domain)"
			#
			data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
		else
			# Possible Values:
			#
			#     "CA Clone"
			#     "DRM Clone"
			#     "OCSP Clone"
			#     "TKS Clone"
			#
			data="${pki_subsystem} ${pki_clone}"
		fi
	elif [ "${pki_hierarchy}" != "" ] ; then
		if [ "${pki_security_domain}" != "" ]; then
			# Possible Values:
			#
			#     "Root CA (Security Domain)"
			#     "Subordinate CA (Security Domain)"
			#
			data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
		else
			# Possible Values:
			#
			#     "Root CA"
			#     "Subordinate CA"
			#
			data="${pki_hierarchy} ${pki_subsystem}"
		fi
	else
		# Possible Values:
		#
		#     "DRM"
		#     "OCSP"
		#     "RA"
		#     "TKS"
		#     "TPS"
		#
		data="${pki_subsystem}"
	fi
	pki_subsystem_type="${header} ${data}"

	# Compose the "Registered PKI Security Domain Information" Status Line
	header="Name: "
	registered_pki_security_domain_name="${header} ${pki_security_domain_name}"

	header="URL:  "
	if	[ "${pki_security_domain_hostname}" != ""         ] &&
		[ "${pki_security_domain_https_admin_port}" != "" ]
	then
		data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
	else
		return ${default_error}
	fi
	registered_pki_security_domain_url="${header} ${data}"

	# Print the "PKI Instance Name" Status Line
	echo
	echo "    ${pki_instance_name}"

	# Print the "PKI Subsystem Type" Status Line
	echo
	echo "    ${pki_subsystem_type}"

	# Print the "Registered PKI Security Domain Information" Status Line
	echo
	echo "    Registered PKI Security Domain Information:"
	echo "    =========================================================================="
	echo "    ${registered_pki_security_domain_name}"
	echo "    ${registered_pki_security_domain_url}"
	echo "    =========================================================================="

	return 0
}

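# Look up the secure port of the instance in its "server.xml".
#
# Between the well-known begin and end SSL comments, the first
# '<Connector name="..."' line whose name is "Agent" or "Secure" supplies
# the port: the text between the third and fourth double quote of the line.
#
# Globals:  PKI_SERVER_XML_CONF (read) - instance-specific "server.xml"
#           default_error (read)
#           PKI_SECURE_PORT (written on success)
#           line, head, tail, name, port, ssl_comment_found and the
#           *_comment / connector_statement strings (written; left global)
# Returns:  0 when a port was found, ${default_error} otherwise
# Exits:    with ${default_error} when the file does not exist
get_pki_secure_port()
{
	local words squeezed

	# establish well-known strings
	begin_ssl_comment="<!-- DO NOT REMOVE - Begin define PKI secure port -->"
	end_ssl_comment="<!-- DO NOT REMOVE - End define PKI secure port -->"
	connector_statement="<Connector name=\""

	# initialize looping variables
	ssl_comment_found=0

	# first check to see that an instance-specific "server.xml" file exists
	if [ ! -f "${PKI_SERVER_XML_CONF}" ] ; then
		echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
		exit ${default_error}
	fi

	# read this instance-specific "server.xml" file line-by-line
	# to obtain the current value of the PKI secure port
	#
	# The file is attached to the loop only.  The former "exec < file"
	# replaced the standard input of the whole script for good.
	while read -r line || [ -n "${line}" ] ; do
		# first look for the well-known end SSL comment
		# (to turn off processing)
		if [ "$line" == "$end_ssl_comment" ] ; then
			ssl_comment_found=0
		fi

		# then look for the well-known begin SSL comment
		# (to turn on processing)
		if [ "$line" == "$begin_ssl_comment" ] ; then
			ssl_comment_found=1
		fi

		# once the well-known begin SSL comment has been found,
		# begin processing to obtain the numeric port information
		if [ $ssl_comment_found -eq 1 ] ; then
			# Collapse runs of whitespace into single spaces, as the
			# former unquoted "echo $line" did, but without letting
			# the shell expand wildcard characters found in the file.
			read -r -a words <<< "${line}"
			squeezed="${words[*]}"

			# look for the next Connector statement
			# (the statement is exactly 17 characters long)
			head=${squeezed:0:17}
			if [ "$head" == "$connector_statement" ] ; then
				# once the Connector statement has been found,
				tail=${squeezed:17}
				# extract the name of the connector
				name=${tail%%\"*}
				if	[ "$name" == "Agent"  ] ||
					[ "$name" == "Secure" ] ; then
					# extract the numeric port information
					port=$(printf '%s\n' "${tail}" | cut -d\" -f3)
					PKI_SECURE_PORT=$port
					return 0
				fi
			fi
		fi
	done < "${PKI_SERVER_XML_CONF}"

	return ${default_error}
}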

# Print the state of the current instance and return the matching code.
#
# Globals:  pidfile, PKI_INSTANCE_ID, command (read)
#           pid, rv (written)
# Outputs:  a human-readable status report on stdout
# Returns:  pid file absent        - 3 for "status", 7 otherwise
#           pid file empty         - 4 for "status", 1 otherwise
#           process not signalable - 1
#           process running        - 0, unless the status or configuration
#                                    definitions could not be obtained
#
# NOTE(review): the pid is taken from ${pidfile} as-is and handed to
# "kill -0" unquoted and without a numeric check.  Confirm who is able to
# write that file before its content is trusted any further.
display_instance_status()
{
	rv=0

	# No pid file at all: the instance is stopped.
	if [ ! -f ${pidfile} ] ; then
		echo "${PKI_INSTANCE_ID} is stopped"
		case "${command}" in
			status)
				# * 3 program is not running
				rv=3
				;;
			*)
				# * 7 program is not running
				rv=7
				;;
		esac
		return ${rv}
	fi

	pid=$(cat ${pidfile})

	if [ "${pid}" == "" ] ; then
		echo "${PKI_INSTANCE_ID} pid file exists but is empty"
		case "${command}" in
			status)
				# * 4 program or service status is unknown
				rv=4
				;;
			*)
				# * 1 generic or unspecified error (current practice)
				rv=1
				;;
		esac
		return ${rv}
	fi

	if ! kill -0 ${pid} > /dev/null 2>&1 ; then
		echo "${PKI_INSTANCE_ID} is dead but pid file exists"
		# The code is 1 for every action:
		#     * 1 generic or unspecified error (non-"status")
		#     * 1 program is dead and /var/run pid file exists ("status")
		rv=1
		return ${rv}
	fi

	echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..."
	echo
	check_pki_configuration_status
	rv=$?
	if [ ${rv} -ne 0 ] ; then
		# From the PKI point of view for a "non-status" action,
		# a returned error code of "6" implies that the program
		# is not "configured".  Similarly, an error code of "1"
		# implies that the program was "configured" but must
		# still be restarted.
		#
		# Similarly, from the PKI point of view for a "status"
		# action, a returned error code of "4" implies that either
		# the program is not "configured", or that the program
		# was "configured" but must still be restarted.
		#
		# Regardless, it must still be considered that the instance
		# is "running" from the viewpoint of other OS programs such
		# as 'chkconfig'.
		#
		# For this reason, ignore non-zero return codes returned from
		# 'check_pki_configuration_status()':
		#     * 0 action was successful              (non-"status")
		#     * 0 program is running or service is OK ("status")
		rv=0
	else
		get_pki_status_definitions
		rv=$?
		if [ ${rv} -ne 0 ] ; then
			echo
			echo "${PKI_INSTANCE_ID} Status Definitions not found"
		else
			get_pki_configuration_definitions
			rv=$?
			if [ ${rv} -ne 0 ] ; then
				echo
				echo "${PKI_INSTANCE_ID} Configuration Definitions not found"
			fi
		fi
	fi
	echo

	return ${rv}
}

start_instance()
{
	rv=0

	echo -n "Starting $TOMCAT_PROG: "

	if [ -f ${RESTART_SERVER} ] ; then
		rm -f ${RESTART_SERVER}
	fi

	if [ -f ${PKI_LOCKFILE} ] ; then
		if [ -f ${pidfile} ]; then
			read kpid < ${pidfile}
			if checkpid $kpid 2>&1; then
				echo
				echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..."
				echo
				check_pki_configuration_status
				rv=$?
				if [ ${rv} != 0 ]; then
					# From the PKI point of view for a "non-status" action,
					# a returned error code of "6" implies that the program
					# is not "configured".  Similarly, an error code of "1"
					# implies that the program was "configured" but must
					# still be restarted.
					#
					# Regardless, it must still be considered that the instance
					# is "running" from the viewpoint of other OS programs such
					# as 'chkconfig'.
					#
					# For "non-status" actions, ignore return codes of "1"
					# from 'check_pki_configuration_status()'.
					#
					# However, for "non-status" actions that have a return
					# code of "6", return this value unchanged to
					# the calling routine so that the total number of
					# configuration errors may be counted.
					#

					echo
					if [ ${rv} = 1 ] ; then
						# * 0 action was successful
						return 0
					elif [ ${rv} = 6 ] ; then
						# * 6 program is not configured
						return 6
					else
						# should never be reached
						return ${rv}
					fi
				else
					return 0
				fi
			else
				echo
				echo -n "lock file found but no process "
				echo -n "running for pid $kpid, continuing"
				echo
				echo
				rm -f ${PKI_LOCKFILE}
			fi
		fi
	fi

	fix_pid_dir_ownership

	CATALINA_PID=${pidfile}
	export CATALINA_PID
	touch $CATALINA_PID
	chown $TOMCAT_USER:$TOMCAT_GROUP $CATALINA_PID
	chmod 00600 $CATALINA_PID
	[ -x /sbin/restorecon ] && /sbin/restorecon  $CATALINA_PID

	# restore context for ncipher hsm
	[ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast

	# Always initialize CLASSPATH to start looking
	# in the local PKI classes directory . . .
	CLASSPATH=/usr/share/pki/classes

	if [ ${OS} = "Linux" ] ; then
		$TOMCAT_RELINK_SCRIPT
	elif [ ${OS} = "SunOS" ] ; then
		# The following definitions are provided for Solaris
		# platforms since they are unable to execute the
		# "/usr/share/tomcat5/bin/relink",
		# "/usr/bin/rebuild-jar-repository", and
		# "/usr/share/java-utils/java-functions" files . . .

		#######################################
		##    /var/lib/tomcat5/common/lib:
		#######################################

		# Build the tomcat jar classpath . . .
		CLASSPATH="$CLASSPATH":/usr/share/java/ant.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/commons-collections.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/commons-dbcp.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/commons-el.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging-api.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/commons-pool.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-ejb-2.1.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-1.4.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-connector-1.5.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-deployment-1.1.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-jacc-1.0.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-management-1.0.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2eeschema-1.0.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jms-1.1.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jsp-2.0.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jta-1.0.1B.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-servlet-2.4.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/jaf.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/jakarta-commons-collections.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/jakarta-commons-modeler.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/jasper5-compiler.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/jasper5-runtime.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/javamail/imap.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/javamail/mailapi.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/javamail/nntp.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/javamail/pop3.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/javamail/providers.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/javamail/smtp.jar

		# BEGIN LINUX-SPECIFIC FILE
		# CLASSPATH="$CLASSPATH":/usr/share/java/jdtCompilerAdapter.jar
		# CLASSPATH="$CLASSPATH":/usr/share/java/jdtcore.jar
		# CLASSPATH="$CLASSPATH":/usr/share/java/jsp.jar
		# END LINUX-SPECIFIC FILE

		CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-remote.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rimpl.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rjmx.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-tools.jar

		# BEGIN LINUX-SPECIFIC FILE
		# CLASSPATH="$CLASSPATH":/usr/share/java/servlet.jar
		# END LINUX-SPECIFIC FILE

		CLASSPATH="$CLASSPATH":/usr/share/java/avalon-logkit.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/cmsutil.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar
		if [ "$ARCHITECTURE" = "sparc" ] ; then
			CLASSPATH="$CLASSPATH":/usr/lib/java/dirsec/jss4.jar
		elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
			CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/dirsec/jss4.jar
		fi
		CLASSPATH="$CLASSPATH":/usr/share/java/ldapjdk.jar
		CLASSPATH="$CLASSPATH":/var/lib/tomcat5/common/lib/naming-factory.jar
		CLASSPATH="$CLASSPATH":/var/lib/tomcat5/common/lib/naming-resources.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/pki/nsutil.jar
		if [ "$ARCHITECTURE" = "sparc" ] ; then
			CLASSPATH="$CLASSPATH":/usr/lib/java/osutil.jar
		elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
			CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/osutil.jar
		fi
		CLASSPATH="$CLASSPATH":/usr/share/java/rhino.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/servletapi5.jar
		if [ "$ARCHITECTURE" = "sparc" ] ; then
			CLASSPATH="$CLASSPATH":/usr/lib/java/symkey.jar
		elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
			CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/symkey.jar
		fi
		CLASSPATH="$CLASSPATH":/usr/share/java/velocity.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/xalan-j2.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/xerces-j2.jar

		# Relink tomcat jar repositories . . .
		cd /var/lib/tomcat5/common/lib

		if [ ! -e /var/lib/tomcat5/common/lib/\[ant\].jar ]; then
			ln -s /usr/share/java/ant.jar [ant].jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-collections\].jar ]; then
			ln -s /usr/share/java/commons-collections.jar [commons-collections].jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-dbcp\].jar ]; then
			ln -s /usr/share/java/commons-dbcp.jar [commons-dbcp].jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-el\].jar ]; then
			ln -s /usr/share/java/commons-el.jar [commons-el].jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-logging-api\].jar ]; then
			ln -s /usr/share/java/commons-logging-api.jar [commons-logging-api].jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-pool\].jar ]; then
			ln -s /usr/share/java/commons-pool.jar [commons-pool].jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-ejb\-2.1\-rc2.jar ]; then
			ln -s /usr/share/java/geronimo/spec-ejb-2.1-rc2.jar [geronimo]spec-ejb-2.1-rc2.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-ejb\-2.1.jar ]; then
			ln -s /usr/share/java/geronimo/spec-ejb-2.1.jar [geronimo]spec-ejb-2.1.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-1.4\-rc2.jar ]; then
			ln -s /usr/share/java/geronimo/spec-j2ee-1.4-rc2.jar [geronimo]spec-j2ee-1.4-rc2.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-1.4.jar ]; then
			ln -s /usr/share/java/geronimo/spec-j2ee-1.4.jar [geronimo]spec-j2ee-1.4.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-connector\-1.5\-rc2.jar ]; then
			ln -s /usr/share/java/geronimo/spec-j2ee-connector-1.5-rc2.jar [geronimo]spec-j2ee-connector-1.5-rc2.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-connector\-1.5.jar ]; then
			ln -s /usr/share/java/geronimo/spec-j2ee-connector-1.5.jar [geronimo]spec-j2ee-connector-1.5.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-deployment\-1.1\-rc2.jar ]; then
			ln -s /usr/share/java/geronimo/spec-j2ee-deployment-1.1-rc2.jar [geronimo]spec-j2ee-deployment-1.1-rc2.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-deployment\-1.1.jar ]; then
			ln -s /usr/share/java/geronimo/spec-j2ee-deployment-1.1.jar [geronimo]spec-j2ee-deployment-1.1.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-jacc\-1.0\-rc2.jar ]; then
			ln -s /usr/share/java/geronimo/spec-j2ee-jacc-1.0-rc2.jar [geronimo]spec-j2ee-jacc-1.0-rc2.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-jacc\-1.0.jar ]; then
			ln -s  /usr/share/java/geronimo/spec-j2ee-jacc-1.0.jar [geronimo]spec-j2ee-jacc-1.0.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-management\-1.0\-rc2.jar ]; then
			ln -s /usr/share/java/geronimo/spec-j2ee-management-1.0-rc2.jar [geronimo]spec-j2ee-management-1.0-rc2.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-management\-1.0.jar ]; then
			ln -s /usr/share/java/geronimo/spec-j2ee-management-1.0.jar [geronimo]spec-j2ee-management-1.0.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2eeschema\-1.0\-M2.jar ]; then
			ln -s /usr/share/java/geronimo/spec-j2eeschema-1.0-M2.jar [geronimo]spec-j2eeschema-1.0-M2.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2eeschema\-1.0.jar ]; then
			ln -s /usr/share/java/geronimo/spec-j2eeschema-1.0.jar [geronimo]spec-j2eeschema-1.0.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jms\-1.1\-rc2.jar ]; then
			ln -s /usr/share/java/geronimo/spec-jms-1.1-rc2.jar [geronimo]spec-jms-1.1-rc2.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jms\-1.1.jar ]; then
			ln -s /usr/share/java/geronimo/spec-jms-1.1.jar [geronimo]spec-jms-1.1.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jsp\-2.0\-rc2.jar ]; then
			ln -s /usr/share/java/geronimo/spec-jsp-2.0-rc2.jar [geronimo]spec-jsp-2.0-rc2.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jsp\-2.0.jar ]; then
			ln -s /usr/share/java/geronimo/spec-jsp-2.0.jar [geronimo]spec-jsp-2.0.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec-jta-1.0.1B-rc2.jar ]; then
			ln -s /usr/share/java/geronimo/spec-jta-1.0.1B-rc2.jar [geronimo]spec-jta-1.0.1B-rc2.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jta\-1.0.1B.jar ]; then
			ln -s /usr/share/java/geronimo/spec-jta-1.0.1B.jar [geronimo]spec-jta-1.0.1B.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-servlet\-2.4\-rc2.jar ]; then
			ln -s /usr/share/java/geronimo/spec-servlet-2.4-rc2.jar [geronimo]spec-servlet-2.4-rc2.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-servlet\-2.4.jar ]; then
			ln -s  /usr/share/java/geronimo/spec-servlet-2.4.jar [geronimo]spec-servlet-2.4.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[jaf\].jar ]; then
			ln -s /usr/share/java/jaf.jar [jaf].jar
		fi

		### BEGIN SOLARIS-SPECIFIC LINKS
		### if [ ! -e /var/lib/tomcat5/common/lib/\[jakarta\-commons\-collections.jar\] ]; then
		###     ln -s /usr/share/java/jakarta-commons-collections.jar [jakarta-commons-collections.jar]
		### fi
		### if [ ! -e /var/lib/tomcat5/common/lib/\[jakarta\-commons\-modeler.jar\] ]; then
		###     ln -s /usr/share/java/jakarta-commons-modeler.jar [jakarta-commons-modeler.jar]
		### fi
		### END SOLARIS-SPECIFIC LINKS

		### if [ ! -e /var/lib/tomcat5/common/lib/\[jasper5\-compiler\].jar ]; then
		###     ln -s /usr/share/java/jasper5-compiler.jar [jasper5-compiler].jar
		### fi
		### if [ ! -e /var/lib/tomcat5/common/lib/\[jasper5\-runtime\].jar ]; then
		###     ln -s /usr/share/java/jasper5-runtime.jar [jasper5-runtime].jar
		### fi

		if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]imap\-1.3.1.jar ]; then
			ln -s /usr/share/java/javamail/imap-1.3.1.jar [javamail]imap-1.3.1.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]imap.jar ]; then
			ln -s /usr/share/java/javamail/imap.jar [javamail]imap.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]mailapi\-1.3.1.jar ]; then
			ln -s /usr/share/java/javamail/mailapi-1.3.1.jar [javamail]mailapi-1.3.1.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]mailapi.jar ]; then
			ln -s /usr/share/java/javamail/mailapi.jar [javamail]mailapi.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]nntp\-1.3.1.jar ]; then
			ln -s /usr/share/java/javamail/nntp-1.3.1.jar [javamail]nntp-1.3.1.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]nntp.jar ]; then
			ln -s /usr/share/java/javamail/nntp.jar [javamail]nntp.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3\-1.3.1.jar ]; then
			ln -s /usr/share/java/javamail/pop3-1.3.1.jar [javamail]pop3-1.3.1.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3.jar ]; then
			ln -s /usr/share/java/javamail/pop3.jar [javamail]pop3.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]providers\-1.3.1.jar ]; then
			ln -s /usr/share/java/javamail/providers-1.3.1.jar [javamail]providers-1.3.1.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]providers.jar ]; then
			ln -s /usr/share/java/javamail/providers.jar [javamail]providers.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]smtp\-1.3.1.jar ]; then
			ln -s /usr/share/java/javamail/smtp-1.3.1.jar [javamail]smtp-1.3.1.jar
		fi
		if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]smtp.jar ]; then
			ln -s /usr/share/java/javamail/smtp.jar [javamail]smtp.jar
		fi

		### BEGIN LINUX-SPECIFIC LINKS
		### if [ ! -e /var/lib/tomcat5/common/lib/\[jdtCompilerAdapter\].jar ]; then
		###     ln -s /usr/share/java/jdtCompilerAdapter.jar [jdtCompilerAdapter].jar
		### fi
		### if [ ! -e /var/lib/tomcat5/common/lib/\[jdtcore\].jar ]; then
		###     ln -s /usr/share/java/jdtcore.jar [jdtcore].jar
		### fi
		### if [ ! -e /var/lib/tomcat5/common/lib/\[jsp\].jar ]; then
		###     ln -s /usr/share/java/jsp.jar [jsp].jar
		### fi
		### END LINUX-SPECIFIC LINKS

		if [ ! -e /var/lib/tomcat5/common/lib/\[mx4j\]\[mx4j\].jar ]; then
			ln -s /usr/share/java/mx4j/mx4j.jar [mx4j][mx4j].jar
		fi

		### BEGIN LINUX-SPECIFIC LINKS
		### if [ ! -e /var/lib/tomcat5/common/lib/\[servlet\].jar ]; then
		###     ln -s /usr/share/java/servlet.jar [servlet].jar
		### fi
		### END LINUX-SPECIFIC LINKS

		### BEGIN LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
		if [ ! -e /var/lib/tomcat5/common/lib/avalon\-logkit.jar ]; then
			ln -s /usr/share/java/avalon-logkit.jar avalon-logkit.jar
		fi
		### END LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK

		### if [ ! -e /var/lib/tomcat5/common/lib/cmsutil.jar ]; then
		###     ln -s /usr/share/java/rphki/cmsutil.jar cmsutil.jar
		### fi

		### BEGIN LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
		if [ ! -e /var/lib/tomcat5/common/lib/commons\-logging.jar ]; then
			ln -s /usr/share/java/commons-logging.jar commons-logging.jar
		fi
		### END LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK

		### if [ ! -e /var/lib/tomcat5/common/lib/jss4.jar ]; then
		###     if [ "$ARCHITECTURE" = "sparc" ] ; then
		###         ln -s /usr/lib/java/dirsec/jss4.jar jss4.jar
		###     elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
		###         ln -s /usr/lib/sparcv9/java/dirsec/jss4.jar jss4.jar
		###     fi
		### fi
		### if [ ! -e /var/lib/tomcat5/common/lib/ldapjdk.jar ]; then
		###     ln -s /usr/share/java/ldapjdk.jar ldapjdk.jar
		### fi

		### naming-factory.jar
		### naming-resources.jar

		### if [ ! -e /var/lib/tomcat5/common/lib/nsutil.jar ]; then
		###     ln -s /usr/share/java/pki/nsutil.jar nsutil.jar
		### fi
		### if [ ! -e /var/lib/tomcat5/common/lib/osutil.jar ]; then
		###     if [ "$ARCHITECTURE" = "sparc" ] ; then
		###         ln -s /usr/lib/java/osutil.jar osutil.jar
		###     elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
		###         ln -s /usr/lib/sparcv9/java/osutil.jar osutil.jar
		###     fi
		### fi
		### if [ ! -e /var/lib/tomcat5/common/lib/rhino.jar ]; then
		###     ln -s /usr/share/java/rhino.jar rhino.jar
		### fi

		### BEGIN SOLARIS-SPECIFIC LINKS
		### if [ ! -e /var/lib/tomcat5/common/lib/\[servletapi5.jar\] ]; then
		###     ln -s /usr/share/java/servletapi5.jar [servletapi5.jar]
		### fi
		### END SOLARIS-SPECIFIC LINKS

		### if [ ! -e /var/lib/tomcat5/common/lib/symkey.jar ]; then
		###     if [ "$ARCHITECTURE" = "sparc" ] ; then
		###         ln -s /usr/lib/java/symkey.jar symkey.jar
		###     elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
		###         ln -s /usr/lib/sparcv9/java/symkey.jar symkey.jar
		###     fi
		### fi
		### if [ ! -e /var/lib/tomcat5/common/lib/velocity.jar ]; then
		###     ln -s /usr/share/java/velocity.jar velocity.jar
		### fi
		### if [ ! -e /var/lib/tomcat5/common/lib/xalan\-j2.jar ]; then
		###     ln -s /usr/share/java/xalan-j2.jar xalan-j2.jar
		### fi

		if [ ! -e /var/lib/tomcat5/common/lib/xerces\-j2\-2.6.2.jar ]; then
			ln -s /usr/share/java/xerces-j2-2.6.2.jar xerces-j2-2.6.2.jar
		fi

		### if [ ! -e /var/lib/tomcat5/common/lib/xerces\-j2.jar ]; then
		###     ln -s /usr/share/java/xerces-j2.jar xerces-j2.jar
		### fi


		#######################################
		##    /var/lib/tomcat5/common/endorsed:
		#######################################

		# Build the tomcat jar classpath . . .
		CLASSPATH="$CLASSPATH":/usr/share/java/xml-commons-apis.jar

		# BEGIN LINUX-SPECIFIC FILE
		# CLASSPATH="$CLASSPATH":/usr/share/java/jaxp_parser_impl.jar
		# END LINUX-SPECIFIC FILE


		# Relink tomcat jar repositories . . .
		cd /var/lib/tomcat5/common/endorsed

		### BEGIN LINUX-SPECIFIC LINKS
		### if [ ! -e /var/lib/tomcat5/common/endorsed/\[jaxp_parser_impl\].jar ]; then
		###     ln -s /usr/share/java/jaxp_parser_impl.jar [jaxp_parser_impl].jar
		### fi
		### END LINUX-SPECIFIC LINKS

		if [ ! -e /var/lib/tomcat5/common/endorsed/\[xml\-commons\-apis\].jar ]; then
			ln -s /usr/share/java/xml-commons-apis.jar [xml-commons-apis].jar
		fi


		#######################################
		##    /var/lib/tomcat5/server/lib:
		#######################################

		# Build the tomcat jar classpath . . .
		CLASSPATH="$CLASSPATH":/usr/share/java/catalina-ant5.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/commons-beanutils.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/commons-digester.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/commons-el.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/commons-fileupload.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/commons-modeler.jar

		# BEGIN LINUX-SPECIFIC FILE
		# CLASSPATH="$CLASSPATH":/usr/share/java/jdtCompilerAdapter.jar
		# CLASSPATH="$CLASSPATH":/usr/share/java/jdtcore.jar
		# END LINUX-SPECIFIC FILE

		CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-remote.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rimpl.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rjmx.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-tools.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/regexp.jar
		CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-cluster.jar
		CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-optional.jar
		CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-storeconfig.jar
		CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina.jar
		if [ "$ARCHITECTURE" = "sparc" ] ; then
			CLASSPATH="$CLASSPATH":/usr/lib/java/dirsec/jss4.jar
		elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
			CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/dirsec/jss4.jar
		fi
		CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-cgi.renametojar
		CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-default.jar
		CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-invoker.jar
		CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-ssi.renametojar
		CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-webdav.jar
		CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-ajp.jar
		CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-coyote.jar
		CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-http.jar
		CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-util.jar
		CLASSPATH="$CLASSPATH":/usr/share/java/tomcatjss.jar


		# Relink tomcat jar repositories . . .
		cd /var/lib/tomcat5/server/lib

		if [ ! -e /var/lib/tomcat5/server/lib/\[catalina\-ant5\].jar ]; then
			ln -s /usr/share/java/catalina-ant5.jar [catalina-ant5].jar
		fi
		if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-beanutils\].jar ]; then
			ln -s /usr/share/java/commons-beanutils.jar [commons-beanutils].jar
		fi
		if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-digester\].jar ]; then
			ln -s /usr/share/java/commons-digester.jar [commons-digester].jar
		fi
		if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-el\].jar ]; then
			ln -s /usr/share/java/commons-el.jar [commons-el].jar
		fi
		if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-fileupload\].jar ]; then
			ln -s /usr/share/java/commons-fileupload.jar [commons-fileupload].jar
		fi
		if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-logging\].jar ]; then
			ln -s /usr/share/java/commons-logging.jar [commons-logging].jar
		fi
		if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-modeler\].jar ]; then
			ln -s /usr/share/java/commons-modeler.jar [commons-modeler].jar
		fi

		### BEGIN LINUX-SPECIFIC LINKS
		### if [ ! -e /var/lib/tomcat5/server/lib/\[jdtCompilerAdapter\].jar ]; then
		###     ln -s /usr/share/java/jdtCompilerAdapter.jar [jdtCompilerAdapter].jar
		### fi
		### if [ ! -e /var/lib/tomcat5/server/lib/\[jdtcore\].jar ]; then
		###     ln -s /usr/share/java/jdtcore.jar [jdtcore].jar
		### fi
		### END LINUX-SPECIFIC LINKS

		if [ ! -e /var/lib/tomcat5/server/lib/\[mx4j\]\[mx4j\].jar ]; then
			ln -s /usr/share/java/mx4j/mx4j.jar [mx4j][mx4j].jar
		fi
		if [ ! -e /var/lib/tomcat5/server/lib/\[regexp\].jar ]; then
			ln -s /usr/share/java/regexp.jar [regexp].jar
		fi

		### catalina-cluster.jar
		### catalina-optional.jar
		### catalina-storeconfig.jar
		### catalina.jar
		### if [ ! -e /var/lib/tomcat5/server/lib/jss4.jar ]; then
		###     if [ "$ARCHITECTURE" = "sparc" ] ; then
		###         ln -s /usr/lib/java/dirsec/jss4.jar jss4.jar
		###     elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
		###         ln -s /usr/lib/sparcv9/java/dirsec/jss4.jar jss4.jar
		###     fi
		### fi
		### servlets-cgi.renametojar
		### servlets-default.jar
		### servlets-invoker.jar
		### servlets-ssi.renametojar
		### servlets-webdav.jar
		### tomcat-ajp.jar
		### tomcat-coyote.jar
		### tomcat-http.jar
		### tomcat-util.jar
		### if [ ! -e /var/lib/tomcat5/server/lib/tomcatjss.jar ]; then
		###     ln -s /usr/share/java/tomcatjss.jar tomcatjss.jar
		### fi


		#######################################
		##    /var/lib/tomcat5/shared/lib:
		#######################################

		# Build the tomcat jar classpath . . .

		export CLASSPATH


		# Relink tomcat jar repositories . . .
		cd /var/lib/tomcat5/shared/lib
	fi

	# daemon --user $TOMCAT_USER $TOMCAT_SCRIPT start
	if [ ${OS} = "SunOS" ] ; then
		su  $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
	else
		runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
	fi

	rv=$?
	if [ ${rv} = 0 ] ; then
		touch ${PKI_LOCKFILE}
		chown $TOMCAT_USER:$TOMCAT_GROUP $PKI_LOCKFILE
		chmod 00600 $PKI_LOCKFILE
	fi

	if [ ${rv} = 0 ] ; then
		count=0;

		let swait=$STARTUP_WAIT
		while	[ ! -s ${pidfile} ] &&
				[ $count -lt $swait ]
		do
			echo -n "."
			sleep 1
			let count=$count+1;
		done

		if [ -f /etc/init.d/functions ]; then
			if [ "$CONSOLETYPE" = "serial" ]; then
				echo -n "         "
			fi
			echo_success
			echo
		else
			echo "         [  OK  ]"
		fi

		get_pki_secure_port
		if [ $? -ne 0 ] ; then
			PKI_SECURE_PORT="<Port Undefined>"
		fi

		# ignore "status" return codes
		echo
		display_instance_status
	else
		if [ -f /etc/init.d/functions ]; then
			if [ "$CONSOLETYPE" = "serial" ]; then
				$0	echo -n "         "
			fi
			echo_failure
			echo
		else
			echo "         [  FAILED  ]"
		fi
	fi

	sleep 5
	return ${rv}
}

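# Stop the Tomcat instance described by the registry values currently loaded
# into the shell.
#
# Globals read:
#   TOMCAT_PROG, PKI_LOCKFILE, pidfile, OS, TOMCAT_USER, TOMCAT_SCRIPT,
#   SHUTDOWN_WAIT, CONSOLETYPE, default_error
# Globals written:
#   rv, count, kpid, kwait, CATALINA_PID (exported)
#   (left global, as in the original, so the rest of the script sees the
#   same variables as before)
# Outputs:
#   progress dots and an OK/FAILED marker on stdout; a warning on stderr when
#   the pidfile does not contain a usable PID
# Returns:
#   0 when the stop script succeeded or the instance lock file is absent,
#   ${default_error} when the stop script reported a failure
#
# Security notes:
#   * The PID comes from ${pidfile}, which is handed to the Tomcat script via
#     CATALINA_PID and is therefore presumably written by the TOMCAT_USER
#     account, while "kill -9" below runs with the privileges of whoever
#     invoked this script.  The value is accepted only if it is a plain
#     decimal PID greater than 1, so an empty, negative, zero or otherwise
#     malformed value can never reach "kill".
#   * TOMCAT_USER is quoted so that an empty value makes su/runuser fail
#     instead of silently falling back to their default target account.
#   NOTE(review): a well-formed PID can still belong to an unrelated process;
#   consider also checking that the process is owned by TOMCAT_USER before
#   sending SIGKILL.
stop_instance()
{
	rv=0

	echo -n "Stopping $TOMCAT_PROG: "

	if [ -f "${PKI_LOCKFILE}" ] ; then
		CATALINA_PID=${pidfile}
		export CATALINA_PID

		# daemon --user $TOMCAT_USER $TOMCAT_SCRIPT stop
		if [ "${OS}" = "SunOS" ] ; then
			su  "$TOMCAT_USER" -c "$TOMCAT_SCRIPT stop" > /dev/null
		else
			runuser -s /bin/bash "$TOMCAT_USER" -c "$TOMCAT_SCRIPT stop" > /dev/null
		fi

		rv=$?

		if [ "${rv}" = 0 ]; then
			count=0

			if [ -f "${pidfile}" ]; then
				# Reset first: a failed read must not leave a stale PID behind.
				kpid=
				read -r kpid < "${pidfile}"
				kwait=$(( SHUTDOWN_WAIT ))

				case "${kpid}" in
					'' | 0* | 1 | *[!0-9]*)
						# Empty, zero/zero-padded, init, or not purely numeric:
						# never wait on or signal such a value.
						echo "WARNING:  ignoring unusable PID in ${pidfile}" >&2
						;;
					*)
						# Give the process up to SHUTDOWN_WAIT seconds to exit.
						until	! ps -p "${kpid}" > /dev/null 2>&1 ||
								[ "${count}" -gt "${kwait}" ]
						do
							echo -n "."
							sleep 1
							count=$(( count + 1 ))
						done

						# Force-kill only a process that is still present after
						# the wait, to avoid signalling a PID that already exited.
						if ps -p "${kpid}" > /dev/null 2>&1; then
							kill -9 "${kpid}"
						fi
						;;
				esac
			fi

			rm -f "${PKI_LOCKFILE}"
			rm -f "${pidfile}"

			# echo_success is presumably provided by /etc/init.d/functions.
			if [ -f /etc/init.d/functions ]; then
				if [ "$CONSOLETYPE" = "serial" ]; then
					echo -n "         "
				fi
				echo_success
				echo
			else
				echo "         [  OK  ]"
			fi
		else
			# echo_failure is presumably provided by /etc/init.d/functions.
			if [ -f /etc/init.d/functions ]; then
				if [ "$CONSOLETYPE" = "serial" ]; then
					echo -n "         "
				fi
				echo_failure
				echo
			else
				echo "         [  FAILED  ]"
			fi
			rv=${default_error}
		fi
	else
		echo
		echo "process already stopped"
		rv=0
	fi

	return ${rv}
}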

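# Start every registered PKI instance of this type.
#
# Globals read:
#   PKI_REGISTRY_ENTRIES (whitespace-separated list of registry files),
#   TOTAL_PKI_REGISTRY_ENTRIES, TOTAL_UNCONFIGURED_PKI_ENTRIES, PKI_TYPE,
#   lockfile, plus PKI_PIDDIR / PKI_PIDFILE as set by each registry entry
# Globals written:
#   rv, error_rv, errors, config_errors, PKI_REGISTRY_ENTRY, pidfile
#   (left global: start_instance is called without arguments, so it can only
#   see per-instance values through shell variables)
# Returns:
#   5 when no instances are registered; otherwise, for a single instance, the
#   status of start_instance with 6 mapped to 0; for several instances, the
#   one failing status if exactly one failed, 1 if more than one failed,
#   else the (mapped) status of the last instance.
#
# Security note: every registry entry is sourced, so its contents run inside
# this script with the privileges of whoever invoked it.  Those files, and the
# directory holding them, should be writable by the administrator only.  "."
# also searches PATH for names without a slash, so entries are expected to be
# absolute paths.
start()
{
	# From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
	#
	#     * 0 action was successful
	#     * 1 generic or unspecified error (current practice)
	#     * 2 invalid or excess argument(s)
	#     * 3 unimplemented feature (for example, "reload")
	#     * 4 user had insufficient privilege
	#     * 5 program is not installed
	#     * 6 program is not configured
	#     * 7 program is not running
	#     * 8-99 reserved for future LSB use
	#     * 100-149 reserved for distribution use
	#     * 150-199 reserved for application use
	#     * 200-254 reserved
	#

	error_rv=0
	rv=0

	if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
		config_errors=0
		errors=0

		if [ "${TOTAL_PKI_REGISTRY_ENTRIES}" -gt 1 ] ; then
			echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):"
		fi

		# Start every PKI instance of this type that isn't already running.
		# The list is expanded unquoted on purpose: it is split on whitespace.
		for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
			# Source values associated with this particular PKI instance.
			# NOTE(review): if the file is missing, the loop carries on with
			# whatever values the previous entry left behind.
			[ -f "${PKI_REGISTRY_ENTRY}" ] &&
			. "${PKI_REGISTRY_ENTRY}"

			pidfile="${PKI_PIDDIR}/${PKI_PIDFILE}"

			[ "${TOTAL_PKI_REGISTRY_ENTRIES}" -gt 1 ] && echo

			start_instance

			rv=$?
			if [ "${rv}" = 6 ] ; then
				# Since at least ONE configuration error exists, then there
				# is at least ONE unconfigured instance from the PKI point
				# of view.
				#
				# However, it must still be considered that the
				# instance is "running" from the point of view of other
				# OS programs such as 'chkconfig'.
				#
				# Therefore, ignore non-zero return codes resulting
				# from configuration errors.
				#

				config_errors=$(( config_errors + 1 ))
				rv=0
			elif [ "${rv}" != 0 ] ; then
				errors=$(( errors + 1 ))
				error_rv=${rv}
			fi
		done

		# Mark the service as started when at least one instance did not fail.
		if [ "${TOTAL_PKI_REGISTRY_ENTRIES}" -gt "${errors}" ] ; then
			touch "${lockfile}"
			chmod 00600 "${lockfile}"
		fi

		# ONLY print a "WARNING" message if multiple
		# instances are being examined
		if [ "${TOTAL_PKI_REGISTRY_ENTRIES}" -gt 1 ] ; then
			# NOTE:  "bad" return code(s) OVERRIDE configuration errors!
			if [ "${errors}" -eq 1 ]; then
				# Since only ONE error exists, return that "bad" error code.
				rv=${error_rv}
			elif [ "${errors}" -gt 1 ]; then
				# Since MORE than ONE error exists, return an OVERALL status
				# of "1 generic or unspecified error (current practice)"
				rv=1
			fi

			if [ "${errors}" -ge 1 ]; then
				echo
				echo -n "WARNING:  "
				echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
				echo -n "'${PKI_TYPE}' instances failed to start!"
				echo
			fi

			if [ "${TOTAL_UNCONFIGURED_PKI_ENTRIES}" -ge 1 ]; then
				echo
				echo -n "WARNING:  "
				echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
				echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
				echo -n "'${PKI_TYPE}' instances MUST be configured!"
				echo
			fi

			echo
			echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
		fi
	else
		echo
		echo "ERROR:  No '${PKI_TYPE}' instances installed!"
		rv=5
	fi

	return ${rv}
}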

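# Stop every registered PKI instance of this type.
#
# Globals read:
#   PKI_REGISTRY_ENTRIES (whitespace-separated list of registry files),
#   TOTAL_PKI_REGISTRY_ENTRIES, PKI_TYPE, lockfile, plus PKI_PIDDIR /
#   PKI_PIDFILE as set by each registry entry
# Globals written:
#   rv, error_rv, errors, PKI_REGISTRY_ENTRY, pidfile
#   (left global: stop_instance is called without arguments and reads
#   ${pidfile} from the shell)
# Returns:
#   5 when no instances are registered; otherwise, for a single instance, the
#   status of stop_instance; for several instances, the one failing status if
#   exactly one failed, 1 if more than one failed, else the status of the
#   last instance.
#
# Security note: every registry entry is sourced, so its contents run inside
# this script with the privileges of whoever invoked it.  Those files, and the
# directory holding them, should be writable by the administrator only.
stop()
{
	# From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
	#
	#     * 0 action was successful
	#     * 1 generic or unspecified error (current practice)
	#     * 2 invalid or excess argument(s)
	#     * 3 unimplemented feature (for example, "reload")
	#     * 4 user had insufficient privilege
	#     * 5 program is not installed
	#     * 6 program is not configured
	#     * 7 program is not running
	#     * 8-99 reserved for future LSB use
	#     * 100-149 reserved for distribution use
	#     * 150-199 reserved for application use
	#     * 200-254 reserved
	#

	error_rv=0
	rv=0

	if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
		errors=0

		if [ "${TOTAL_PKI_REGISTRY_ENTRIES}" -gt 1 ] ; then
			echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
		fi

		# Shutdown every PKI instance of this type that is running.
		# The list is expanded unquoted on purpose: it is split on whitespace.
		for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
			# Source values associated with this particular PKI instance.
			# NOTE(review): if the file is missing, the loop carries on with
			# whatever values the previous entry left behind.
			[ -f "${PKI_REGISTRY_ENTRY}" ] &&
			. "${PKI_REGISTRY_ENTRY}"

			pidfile="${PKI_PIDDIR}/${PKI_PIDFILE}"

			[ "${TOTAL_PKI_REGISTRY_ENTRIES}" -gt 1 ] && echo

			stop_instance

			rv=$?
			if [ "${rv}" != 0 ] ; then
				errors=$(( errors + 1 ))
				error_rv=${rv}
			fi
		done

		# Drop the service-wide lock only when every instance stopped cleanly.
		if [ "${errors}" -eq 0 ] ; then
			rm -f "${lockfile}"
		fi

		# ONLY print a "WARNING" message if multiple
		# instances are being examined
		if [ "${TOTAL_PKI_REGISTRY_ENTRIES}" -gt 1 ] ; then
			if [ "${errors}" -eq 1 ]; then
				# Since only ONE error exists, return that "bad" error code.
				rv=${error_rv}
			elif [ "${errors}" -gt 1 ]; then
				# Since MORE than ONE error exists, return an OVERALL status
				# of "1 generic or unspecified error (current practice)"
				rv=1
			fi

			if [ "${errors}" -ge 1 ]; then
				echo
				echo -n "WARNING:  "
				echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
				echo -n "'${PKI_TYPE}' instances were "
				echo -n "unsuccessfully stopped!"
				echo
			fi

			echo
			echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
		fi
	else
		echo
		echo "ERROR:  No '${PKI_TYPE}' instances installed!"
		rv=5
	fi

	return ${rv}
}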

# Stop all instances, pause briefly, print a separator, then start them again.
#
# Outputs: whatever stop and start print, with a blank line, a ruler of "="
#          characters and another blank line in between.
# Returns: the status of start; the status of stop is not propagated.
restart()
{
	# Exit codes follow "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
	#
	#     * 0 action was successful
	#     * 1 generic or unspecified error (current practice)
	#     * 2 invalid or excess argument(s)
	#     * 3 unimplemented feature (for example, "reload")
	#     * 4 user had insufficient privilege
	#     * 5 program is not installed
	#     * 6 program is not configured
	#     * 7 program is not running
	#     * 8-99 reserved for future LSB use
	#     * 100-149 reserved for distribution use
	#     * 150-199 reserved for application use
	#     * 200-254 reserved
	#

	stop
	sleep 2

	# Blank line, ruler, blank line.
	printf '\n%s\n\n' "============================================================"

	# Being the last command, start supplies the function's return status.
	start
}

# Report the status of every registered PKI instance of this type.
#
# Globals read:
#   PKI_REGISTRY_ENTRIES (whitespace-separated list of registry files),
#   TOTAL_PKI_REGISTRY_ENTRIES, TOTAL_UNCONFIGURED_PKI_ENTRIES, PKI_TYPE,
#   plus PKI_PIDDIR / PKI_PIDFILE as set by each registry entry
# Globals written:
#   rv, error_rv, errors, PKI_REGISTRY_ENTRY, pidfile
# Returns:
#   4 when no instances are registered; otherwise, for a single instance, the
#   status of display_instance_status; for several instances, the one failing
#   status if exactly one failed, 4 if more than one failed, else the status
#   of the last instance.
#
# Note: each registry entry is sourced, i.e. executed inside this script with
# the privileges of whoever invoked it, even for a plain status query.
status()
{
	# Exit codes for "status", from
	# "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
	#
	#     * 0 program is running or service is OK
	#     * 1 program is dead and /var/run pid file exists
	#     * 2 program is dead and /var/lock lock file exists
	#     * 3 program is not running
	#     * 4 program or service status is unknown
	#     * 5-99 reserved for future LSB use
	#     * 100-149 reserved for distribution use
	#     * 150-199 reserved for application use
	#     * 200-254 reserved
	#

	rv=0
	error_rv=0

	# Nothing registered: say so and report "status unknown".
	if [ -z "${PKI_REGISTRY_ENTRIES}" ]; then
		echo
		echo "ERROR:  No '${PKI_TYPE}' instances installed!"
		rv=4
		return ${rv}
	fi

	errors=0

	if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
		echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
	fi

	# Query each instance in turn, counting the ones that report a failure.
	for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
		# Load the values that belong to this particular instance.
		if [ -f ${PKI_REGISTRY_ENTRY} ]; then
			. ${PKI_REGISTRY_ENTRY}
		fi

		pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}

		if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ]; then
			echo
		fi

		display_instance_status
		rv=$?

		if [ ${rv} -ne 0 ] ; then
			errors=$(( errors + 1 ))
			error_rv=${rv}
		fi
	done

	# The summary is printed only when several instances were examined.
	if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
		if [ ${errors} -ge 1 ]; then
			if [ ${errors} -eq 1 ]; then
				# A single failure: hand back that instance's own code.
				rv=${error_rv}
			else
				# Several failures: overall status is
				# "4 - program or service status is unknown".
				rv=4
			fi

			echo
			echo "WARNING:  ${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} '${PKI_TYPE}' instances reported status failures!"
		fi

		if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
			echo
			echo "WARNING:  ${TOTAL_UNCONFIGURED_PKI_ENTRIES} of ${TOTAL_PKI_REGISTRY_ENTRIES} '${PKI_TYPE}' instances MUST be configured!"
		fi

		echo
		echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
	fi

	return ${rv}
}

# Dispatch on the requested action; every branch ends the script with the
# exit status of that action.
case "${command}" in
	start | stop | restart | status)
		# The action name is also the name of the function implementing it.
		${command}
		exit $?
		;;

	condrestart | force-restart | try-restart)
		# Conditional restart: do nothing (and succeed) unless the
		# service-wide lock file is present.
		[ ! -f ${lockfile} ] && exit 0
		restart
		exit $?
		;;

	reload)
		# Not supported; default_error is defined earlier in the script.
		echo "The 'reload' action is an unimplemented feature."
		exit ${default_error}
		;;

	*)
		# Anything else is reported as
		#   * 3 unimplemented feature (for example, "reload")
		# [invalid command - should never be reached]
		echo
		usage
		echo "where valid instance names include:"
		list_instances
		exit 3
		;;
esac

