Hi, 

Dogtag 10 is being released on f18, and has a number of changes that
will affect IPA.  In particular, the following changes will affect
current IPA code. 

* The directory layout of the dogtag instance has changed.  Instead of
using separate tomcat instances to host different subsystems, the
standard dogtag installation will allow one to install a CA, KRA, OCSP
and TKS within the same instance.  There have been corresponding changes
in the directory layout, as well as the default instance name
(pki-tomcat instead of pki-ca), and startup daemon (pki-tomcatd, instead
of pki-cad, pki-krad etc.) 

* The default instance will use only four ports (HTTPS, HTTP, AJP and
tomcat shutdown port) rather than the 6 previously used.  The default
ports will be changed to the standard tomcat ports.  As these ports are
local to the ipa server machine, this should not cause too much
disruption. 

* There is a new single-step installer written in python
(pkispawn/destroy) vs. pkicreate/pkisilent/pkiremove.

* Dogtag 10 runs on tomcat7 - with a new corresponding version of
tomcatjss.

The attached patch integrates all the above changes in IPA installation
and maintenance code.  Once the patch is applied, users will be able to:

1. run ipa-server-install to completion on f18 with dogtag 10.
2. install a new replica on f18 on dogtag 10.
3. upgrade an f17 machine with an existing IPA instance to f18/dogtag
10 - and have that old-style dogtag instance continue to run correctly.
This will require the installation of the latest version of tomcatjss as
well as the installation of tomcat6.  The old-style instance will
continue to use tomcat6.
4. in addition, the new cert renewal code has been patched and should
continue to work.

What is not yet completed / supported:

1. Installation with an external CA is not yet completed in the new
installer.  We plan to complete this soon.

2. There is some IPA upgrade code that has not yet been touched
(install/tools/ipa-upgradeconfig).

3. A script needs to be written to allow admins to convert their
old-style dogtag instances to new style instances, as well as code to
periodically prompt admins to do this.

4. Installation of old-style instances using pkicreate/pkisilent on
dogtag 10 will no longer be supported, and will be disabled soon.

5. The pki-selinux policy has been updated to reflect these changes,
but is still in flux.  In fact, it is our intention to place the dogtag
selinux policy in the base selinux policy for f18.  In the meantime, it
may be necessary to run installs in permissive mode.

The dogtag 10 code will be released shortly into f18.  Prior to that
though, we have placed the new dogtag 10 and tomcatjss code in a
developer repo that is located at 
http://nkinder.fedorapeople.org/dogtag-devel/

Testing can be done on both f18 and f17, although the target platform,
and the only platform for which official builds will be created, is f18.

Thanks, 
Ade
From c1677bf96235fb5f71dff899642d459f2fc2e9fc Mon Sep 17 00:00:00 2001
From: Ade Lee <a...@redhat.com>
Date: Sun, 29 Jul 2012 14:07:31 -0400
Subject: [PATCH] Modifications to install scripts for dogtag 10

Dogtag 10 uses a new installer, new directory layout and new default
ports.  This patch changes the ipa install code to integrate these changes.
---
 install/conf/ipa-pki-proxy.conf        |   16 +-
 install/conf/ipa.conf                  |    4 +-
 install/restart_scripts/renew_ca_cert  |   18 +-
 install/restart_scripts/restart_pkicad |   18 +-
 install/tools/ipa-ca-install           |   10 +
 install/tools/ipa-csreplica-manage     |    2 +-
 install/tools/ipa-replica-install      |    1 +
 install/tools/ipa-replica-prepare      |    2 +-
 install/tools/ipa-server-install       |    1 +
 install/ui/test/data/ipa_init.json     |    6 +-
 ipa-client/man/default.conf.5          |    6 +-
 ipalib/constants.py                    |    6 +-
 ipapython/certmonger.py                |    2 +-
 ipapython/platform/base.py             |    5 +-
 ipapython/platform/fedora16.py         |    7 +-
 ipapython/platform/systemd.py          |    4 +-
 ipaserver/install/cainstance.py        |  330 +++++++++++++-------------------
 ipaserver/install/installutils.py      |    2 +-
 ipaserver/install/service.py           |   13 +-
 selinux/ipa_dogtag/ipa_dogtag.fc       |    2 +-
 20 files changed, 219 insertions(+), 236 deletions(-)

diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 91a99aaf9cd9ce3669fbe12450bfae1b220fa67b..7dac76060f3fb7266b99e28cca4070bd1b9d5757 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -6,22 +6,22 @@ ProxyRequests Off
 <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient none
-    ProxyPassMatch ajp://localhost:9447/
-    ProxyPassReverse ajp://localhost:9447/
+    ProxyPassMatch ajp://localhost:8009
+    ProxyPassReverse ajp://localhost:8009
 </LocationMatch>
 
-# matches for admin port
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
+# matches for admin port and installer
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/pki/installer/installToken">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient none
-    ProxyPassMatch ajp://localhost:9447/
-    ProxyPassReverse ajp://localhost:9447/
+    ProxyPassMatch ajp://localhost:8009
+    ProxyPassReverse ajp://localhost:8009
 </LocationMatch>
 
 # matches for agent port and eeca port
 <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient require
-    ProxyPassMatch ajp://localhost:9447/
-    ProxyPassReverse ajp://localhost:9447/
+    ProxyPassMatch ajp://localhost:8009
+    ProxyPassReverse ajp://localhost:8009
 </LocationMatch>
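Review bot: the trailing slash is dropped from every ProxyPassMatch/ProxyPassReverse target in this file (ajp://localhost:9447/ becomes ajp://localhost:8009); please confirm the backend path still comes out as /ca/ee/ca/checkRequest and friends rather than being concatenated differently, and that ProxyPassReverse still rewrites the backend's Location headers, since that directive does a plain prefix match on the target string. Separately, ^/ca/pki/installer/installToken is added to the block that runs with NSSVerifyClient none, so the installer endpoint is now reachable through the public proxy without a client certificate; confirm that Dogtag protects it with the security domain credentials on its own side, and consider whether it needs to remain exposed once installation has completed.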
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 1b31a52ac505cb54ccf8de2171f3fccd201bba88..d428460fee0bdbcdb968c23860d09eb0134cb4e3 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -105,8 +105,8 @@ Alias /ipa/config "/usr/share/ipa/html"
 
 
 # For CRL publishing
-Alias /ipa/crl "/var/lib/pki-ca/publish"
-<Directory "/var/lib/pki-ca/publish">
+Alias /ipa/crl "/var/lib/pki/tomcat-ca/ca/publish"
+<Directory "/var/lib/pki/tomcat-ca/ca/publish">
   SetHandler None
   AllowOverride None
   Options Indexes FollowSymLinks
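Review bot: the new CRL publish path is /var/lib/pki/tomcat-ca/ca/publish, but every other path in this patch uses the instance name pki-tomcat (/var/lib/pki/pki-tomcat/...), so this looks like a typo for /var/lib/pki/pki-tomcat/ca/publish; with the wrong directory the /ipa/crl alias serves nothing and clients fetching the CRL fail silently.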
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index d3b756042685b4e35dab754a0e45ccb37e871d21..053dad291fa6f660184ebe64f5b31e64debe54a1 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -39,8 +39,14 @@ nickname = sys.argv[1]
 api.bootstrap(context='restart')
 api.finalize()
 
+alias_dir = '/etc/pki/pki-tomcat/alias'
+dogtag_instance = 'pki-tomcat'
+if 'dogtag_version' not in api.env:
+    alias_dir = '/var/lib/pki-ca/alias'
+    dogtag_instance = 'pki-ca'
+
 # Fetch the new certificate
-db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+db = certs.CertDB(api.env.realm, nssdir=alias_dir)
 cert = db.get_cert_from_db(nickname, pem=False)
 
 if not cert:
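Review bot: the layout detection tests only whether the dogtag_version key exists in api.env, not what its value is, so any future value (or a stray key in default.conf) selects the pki-tomcat layout; compare the value against 10 instead of testing presence. This four-line block is also duplicated verbatim in restart_pkicad; a shared helper would keep the two scripts from drifting apart.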
@@ -73,7 +79,7 @@ finally:
 
 # Fix permissions on the audit cert if we're updating it
 if nickname == 'auditSigningCert cert-pki-ca':
-    db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+    db = certs.CertDB(api.env.realm, nssdir=alias_dir)
     args = ['-M',
             '-n', nickname,
             '-t', 'u,u,Pu',
@@ -85,9 +91,11 @@ if nickname == 'auditSigningCert cert-pki-ca':
 
 update_cert_config(nickname, cert)
 
-syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca')
+syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted %sd instance %s' %\
+              (dogtag_instance, dogtag_instance))
 
 try:
-    ipaservices.knownservices.pki_cad.restart('pki-ca')
+    ipaservices.knownservices.pki_cad.restart(dogtag_instance)
 except Exception, e:
-    syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
+                  (dogtag_instance, str(e)))
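Review bot: the restart still goes through knownservices.pki_cad even when dogtag_instance is 'pki-tomcat', and on the fedora16 platform that service object maps to the pki-cad@ unit template, so a new-style instance would be restarted as pki-cad@pki-tomcat.service rather than the pki-tomcatd@pki-tomcat.service unit this patch adds in base.py and fedora16.py. Choose the service object in the same place where the instance name is chosen. The syslog text builds the daemon name as '%sd' from the instance name, which happens to work for 'pki-ca' and 'pki-tomcat' but couples the two; logging the service name separately would be clearer.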
diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad
index 070760b16c2aecff07c8cce0b25b5d38d45689fb..c21fb802f0cde44637f0cd31438040a190ff9860 100644
--- a/install/restart_scripts/restart_pkicad
+++ b/install/restart_scripts/restart_pkicad
@@ -30,11 +30,18 @@ nickname = sys.argv[1]
 api.bootstrap(context='restart')
 api.finalize()
 
-syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted pki-cad, nickname '%s'" % nickname)
+alias_dir = '/etc/pki/pki-tomcat/alias'
+dogtag_instance = 'pki-tomcat'
+if 'dogtag_version' not in api.env:
+    alias_dir = '/var/lib/pki-ca/alias'
+    dogtag_instance = 'pki-ca'
+
+syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % \
+              (dogtag_instance, nickname))
 
 # Fix permissions on the audit cert if we're updating it
 if nickname == 'auditSigningCert cert-pki-ca':
-    db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+    db = certs.CertDB(api.env.realm, nssdir = alias_dir )
     args = ['-M',
             '-n', nickname,
             '-t', 'u,u,Pu',
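Review bot: `nssdir = alias_dir )` has spaces around the keyword '=' and before the closing parenthesis; the same call in renew_ca_cert is written `nssdir=alias_dir`, so match that. The instance detection block above is a verbatim copy of the one in renew_ca_cert and shares its limitation of checking for the presence of dogtag_version rather than its value.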
@@ -44,7 +51,8 @@ if nickname == 'auditSigningCert cert-pki-ca':
 try:
     # I've seen times where systemd restart does not actually restart
     # the process. A full stop/start is required. This works around that
-    ipaservices.knownservices.pki_cad.stop('pki-ca')
-    ipaservices.knownservices.pki_cad.start('pki-ca')
+    ipaservices.knownservices.pki_cad.stop(dogtag_instance)
+    ipaservices.knownservices.pki_cad.start(dogtag_instance)
 except Exception, e:
-    syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
+                  (dogtag_instance, str(e)))
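Review bot: same problem as in renew_ca_cert: stop and start go through knownservices.pki_cad with dogtag_instance, so a new-style instance is addressed through the pki-cad@ unit template instead of pki-tomcatd@; select the service object together with the instance name.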
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 4d7be217d2d19cb769990a58d4ff78b6b3dc698e..d52832239c947ddce72078313daeadb3afc7ad5d 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -156,6 +156,16 @@ def main():
     # We need to restart apache as we drop a new config file in there
     ipaservices.knownservices.httpd.restart(capture_output=True)
 
+    #update dogtag version in config file to denote new instance
+    try:
+        fd = open("/etc/ipa/default.conf", "a")
+        fd.write("dogtag_version=10\n")
+        fd.close()
+    except IOError, e:
+        print "Failed to update /etc/ipa/default.conf"
+        root_logger.error(str(e))
+        sys.exit(1)
+
 fail_message = '''
 Your system may be partly configured.
 Run /usr/sbin/ipa-server-install --uninstall to clean up.
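Review bot: appending dogtag_version=10 with open(..., 'a') places the key at the very end of /etc/ipa/default.conf, which is only correct if [global] is the last section and the key is not already there; re-running ipa-ca-install would append a second copy. ipa-server-install and ipa-replica-install write the key inside the [global] block they generate, so do the equivalent here (update the section, or at least check for an existing key before appending). The file handle is also not closed if fd.write raises; a with block fixes that. Nit: `#update` is missing the space after the hash.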
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index 938201fed8efe1b75508bd23930a69855fdf24ac..0a11c3db59901844fd28cdc163d4ae8857382dc5 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -80,7 +80,7 @@ class CSReplicationManager(replication.ReplicationManager):
         """
         dn = None
         cn = None
-        instance_name = 'pki-ca'
+        instance_name = 'pki-tomcat'
 
         # if master is not None we know what dn to return:
         if master is not None:
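Review bot: instance_name is now hard-coded to 'pki-tomcat', but the cover letter says upgraded f17 servers keep running the old-style pki-ca instance, and for those servers this manager would look up the wrong dn. Derive the name from api.env.dogtag_version the way the restart scripts do.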
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c322cb62e99493a5da035db6a7745b6d694fad54..133e79b3f27b75405c042152cefeff487ac695b5 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -369,6 +369,7 @@ def main():
         if ipautil.file_exists(config.dir + "/cacert.p12"):
             fd.write("enable_ra=True\n")
             fd.write("ra_plugin=dogtag\n")
+            fd.write("dogtag_version=10\n")
         fd.write("mode=production\n")
         fd.close()
     finally:
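Review bot: the literal dogtag_version=10 is written here, in ipa-server-install and in ipa-ca-install; a single constant (ipalib/constants.py is already touched by this patch) would keep the three writers and the readers in the restart scripts in step.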
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 19360fdf229738d61fd7d6f36e783374333b63f4..d944d293986efdfff40370fe524e3fddebef8b38 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -293,7 +293,7 @@ def main():
         if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address):
             sys.exit(1)
 
-    if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin:
+    if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki/pki-tomcat/conf/ca/CS.cfg") and not options.dirsrv_pin:
         sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
 
     check_ipa_configuration(api.env.realm)
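Review bot: only the new path /var/lib/pki/pki-tomcat/conf/ca/CS.cfg is checked, so on an upgraded server still running the old pki-ca instance (a case this patch explicitly supports) ipa-replica-prepare would exit with "The replica must be created on the primary IPA server" even on the primary. Check both paths, or choose by api.env.dogtag_version. Also note that certmonger.py in this patch reads conf/password.conf directly under the instance while CS.cfg is looked for under conf/ca/; worth confirming both against the pkispawn layout.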
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index d7de7063111936550ae1f14cf93ebfd46754c829..42382f4fa7fd6e9a0a972ec9e8880ed683d29582 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -849,6 +849,7 @@ def main():
     fd.write("enable_ra=True\n")
     if not options.selfsign:
         fd.write("ra_plugin=dogtag\n")
+        fd.write("dogtag_version=10\n")
     fd.write("mode=production\n")
     fd.close()
 
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 4325a5552e1205a3839e5830c59af73448785789..02ad87d61ae498f96a4458a1cc53b4c882a8375b 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -637,12 +637,12 @@
                 "result": {
                     "basedn": "dc=dev,dc=example,dc=com",
                     "bin": "/var/www",
-                    "ca_agent_install_port": 9443,
+                    "ca_agent_install_port": 8443,
                     "ca_agent_port": 443,
-                    "ca_ee_install_port": 9444,
+                    "ca_ee_install_port": 8443,
                     "ca_ee_port": 443,
                     "ca_host": "dev.example.com",
-                    "ca_install_port": 9180,
+                    "ca_install_port": 8080,
                     "ca_port": 80,
                     "conf": "/etc/ipa/server.conf",
                     "conf_default": "/etc/ipa/default.conf",
diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5
index ba9b1250d9bd36da943a4f0401185840d146bec5..e956751522318c571ef7d279fd217039ad617d23 100644
--- a/ipa-client/man/default.conf.5
+++ b/ipa-client/man/default.conf.5
@@ -66,13 +66,13 @@ The following options are relevant for the server:
 Specifies the base DN to use when performing LDAP operations. The base must be in DN format (dc=example,dc=com).
 .TP
 .B ca_agent_port <port>
-Specifies the secure CA agent port. The default is 9443.
+Specifies the secure CA agent port. The default is 8443.
 .TP
 .B ca_ee_port <port>
-Specifies the secure CA end user port. The default is 9444.
+Specifies the secure CA end user port. The default is 8443.
 .TP
 .B ca_port <port>
-Specifies the insecure CA end user port. The default is 9180.
+Specifies the insecure CA end user port. The default is 8080.
 .TP
 .B ca_host <hostname>
 Specifies the hostname of the dogtag CA server. The default is the hostname of the IPA server.
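Review bot: the man page gets the new 8443/8080 defaults, but the new default.conf key introduced by this patch, dogtag_version (written by ipa-server-install, ipa-replica-install and ipa-ca-install and read by the restart scripts), is not documented; add an entry describing what it means and that an absent key denotes an old-style pki-ca instance. It would also help to say that the changed defaults do not apply to an upgraded old-style instance, which still listens on 9443/9444/9180.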
diff --git a/ipalib/constants.py b/ipalib/constants.py
index f0f89a3b3ff51e06709809d4d606af96d13a7063..c7785e540ff28d4accf6617d9c64db3a27acbf64 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -140,9 +140,9 @@ DEFAULT_CONFIG = (
     ('ca_port', 80),
     ('ca_agent_port', 443),
     ('ca_ee_port', 443),
-    ('ca_install_port', 9180),
-    ('ca_agent_install_port', 9443),
-    ('ca_ee_install_port', 9444),
+    ('ca_install_port', 8080),
+    ('ca_agent_install_port', 8443),
+    ('ca_ee_install_port', 8443),
 
 
     # Special CLI:
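Review bot: changing the built-in install-port defaults while old-style instances remain supported means an upgraded f17 server whose default.conf does not set ca_*_install_port picks up 8443/8080 for a CA that still listens on 9443/9444/9180; since ipa-upgradeconfig is untouched in this patch (as the cover letter notes), either the upgrade code needs to write the old ports explicitly or these defaults need to depend on dogtag_version.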
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index bdc8591e7a1ddd91455b910f0ee125881913e419..7f88a05d0b89983a62c86a5dc39f076814b2aff7 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -337,7 +337,7 @@ def get_pin(token):
 
     The caller is expected to handle any exceptions raised.
     """
-    filename = '/var/lib/pki-ca/conf/password.conf'
+    filename = '/var/lib/pki/pki-tomcat/conf/password.conf'
     with open(filename, 'r') as f:
         for line in f:
             (tok, pin) = line.split('=', 1)
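Review bot: get_pin now reads only /var/lib/pki/pki-tomcat/conf/password.conf, so certmonger renewal on an upgraded server with the old pki-ca instance (/var/lib/pki-ca/conf/password.conf) fails with IOError at the open; the cover letter says renewal on old-style instances should keep working, so this path needs the same dogtag_version switch the restart scripts use.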
diff --git a/ipapython/platform/base.py b/ipapython/platform/base.py
index 8c694ac04c35e3a2f6b0cf9af662712373cec997..4ec21a1a0d879a5584006b6df15c78e8ec37c84d 100644
--- a/ipapython/platform/base.py
+++ b/ipapython/platform/base.py
@@ -25,7 +25,7 @@ from ipalib.plugable import MagicDict
 wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
                      'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
                      'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
-                     'rpcidmapd', 'pki_cad']
+                     'rpcidmapd', 'pki_tomcatd', 'pki-cad']
 
 
 # The common ports for these services. This is used to wait for the
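Review bot: the replacement entry is spelled 'pki-cad' (hyphen) where the removed one was 'pki_cad' (underscore), while the new entry is 'pki_tomcatd' (underscore); the restart scripts in this patch still reference knownservices.pki_cad, so if the knownservices lookup is keyed on wellknownservices the pki_cad attribute disappears. Keep 'pki_cad' here (fedora16.py already maps both spellings to the same unit) or update the callers.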
@@ -34,7 +34,8 @@ wellknownports = {
     'dirsrv@PKI-IPA.service': [7389],
     'PKI-IPA': [7389],
     'dirsrv': [389], # this is only used if the incoming instance name is blank
-    'pki-cad': [9180],
+    'pki-tomcatd': [8080],
+    'pki-cad': [9180]
 }
 
 class AuthConfig(object):
diff --git a/ipapython/platform/fedora16.py b/ipapython/platform/fedora16.py
index 100bbb2abd93f3d07264d53a66bab7e9b2fc01ae..794c39e2091f9402282e18fbe162d40892cb1e0d 100644
--- a/ipapython/platform/fedora16.py
+++ b/ipapython/platform/fedora16.py
@@ -46,7 +46,7 @@ system_units = dict(map(lambda x: (x, "%s.service" % (x)), base.wellknownservice
 system_units['rpcgssd'] = 'nfs-secure.service'
 system_units['rpcidmapd'] = 'nfs-idmap.service'
 
-# Rewrite dirsrv and pki-cad services as they support instances via separate
+# Rewrite dirsrv and pki-tomcatd services as they support instances via separate
 # service generator. To make this working, one needs to have both foo@.servic
 # and foo.target -- the latter is used when request should be coming for
 # all instances (like stop). systemd, unfortunately, does not allow one
@@ -58,9 +58,12 @@ system_units['rpcidmapd'] = 'nfs-idmap.service'
 system_units['dirsrv'] = 'dirsrv@.service'
 # Our directory server instance for PKI is dirsrv@PKI-IPA.service
 system_units['pkids'] = 'dirsrv@PKI-IPA.service'
-# Our PKI instance is pki-cad@pki-ca.service
+# Old style PKI instance
 system_units['pki-cad'] = 'pki-cad@pki-ca.service'
 system_units['pki_cad'] = system_units['pki-cad']
+# Our PKI instance is pki-tomcatd@pki-tomcat.service
+system_units['pki-tomcatd'] = 'pki-tomcatd@pki-tomcat.service'
+system_units['pki_tomcatd'] = system_units['pki-tomcatd']
 
 class Fedora16Service(systemd.SystemdService):
     def __init__(self, service_name):
diff --git a/ipapython/platform/systemd.py b/ipapython/platform/systemd.py
index a233e1045e225718353adbb9bf618a1d0b73c4ac..c174488c08a73ce02b5f568ddd24c98d8dab83d1 100644
--- a/ipapython/platform/systemd.py
+++ b/ipapython/platform/systemd.py
@@ -41,10 +41,10 @@ class SystemdService(base.PlatformService):
         # Short-cut: if there is already exact service name, return it
         if self.lib_path_exists and len(instance_name) == 0:
             if len(elements) == 1:
-                # service name is like pki-cad.target or krb5kdc.service
+                # service name is like pki-tomcatd.target or krb5kdc.service
                 return self.service_name
             if len(elements) > 1 and elements[1][0] != '.':
-                # Service name is like pki-cad@pki-ca.service and that file exists
+                # Service name is like pki-tomcatd@pki-tomcat.service and that file exists
                 return self.service_name
 
         if len(elements) > 1:
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index dc4374ccef4f7bd64edb14d77efe35b46895bfb5..0675418b9ace43f6394b77d86e4ac7ba3c3d662f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -65,15 +65,10 @@ PKI_USER = "pkiuser"
 PKI_DS_USER = "pkisrv"
 
 # These values come from /usr/share/pki/ca/setup/postinstall
-PKI_INSTANCE_NAME="pki-ca"
-AGENT_SECURE_PORT=9443
-EE_SECURE_PORT=9444
-ADMIN_SECURE_PORT=9445
-EE_CLIENT_AUTH_PORT=9446
-UNSECURE_PORT=9180
-TOMCAT_SERVER_PORT=9701
+PKI_INSTANCE_NAME="pki-tomcat"
+AGENT_SECURE_PORT=8443
 
-IPA_SERVICE_PROFILE = '/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME
+IPA_SERVICE_PROFILE = '/var/lib/pki/%s/ca/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME
 
 # We need to reset the template because the CA uses the regular boot
 # information
@@ -97,9 +92,9 @@ def check_inst():
     """
 
     # Check for a couple of binaries we need
-    if not os.path.exists('/usr/bin/pkicreate'):
+    if not os.path.exists('/bin/pkispawn'):
         return False
-    if not os.path.exists('/usr/bin/pkisilent'):
+    if not os.path.exists('/bin/pkidestroy'):
         return False
 
     # This is the template tomcat file for a CA
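Review bot: the new binaries are checked at /bin/pkispawn and /bin/pkidestroy while every other tool in this file is referenced under /usr/bin (pk12util, the removed pkicreate); on f18 /bin is merged into /usr/bin so both work, but using /usr/bin consistently avoids a surprise on any platform without the merge.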
@@ -108,31 +103,6 @@ def check_inst():
 
     return True
 
-def get_preop_pin(instance_root, instance_name):
-    preop_pin = None
-
-    filename = instance_root + "/" + instance_name + "/conf/CS.cfg"
-
-    # read the config file and get the preop pin
-    try:
-        f=open(filename)
-    except IOError, e:
-        root_logger.error("Cannot open configuration file." + str(e))
-        raise e
-    data = f.read()
-    data = data.split('\n')
-    pattern = re.compile("preop.pin=(.*)" )
-    for line in data:
-        match = re.search(pattern, line)
-        if (match):
-            preop_pin=match.group(1)
-            break
-
-    if preop_pin is None:
-        raise RuntimeError("Unable to find preop.pin in %s. Is your CA already configured?" % filename)
-
-    return preop_pin
-
 def import_pkcs12(input_file, input_passwd, cert_database,
                   cert_passwd):
     ipautil.run(["/usr/bin/pk12util", "-d", cert_database,
@@ -413,7 +383,7 @@ class CADSInstance(service.Service):
                          'ocspSigningCert cert-pki-ca',
                          'subsystemCert cert-pki-ca']:
             try:
-                certmonger.stop_tracking('/var/lib/pki-ca/alias', nickname=nickname)
+                certmonger.stop_tracking('/etc/pki/pki-tomcat/alias', nickname=nickname)
             except (ipautil.CalledProcessError, RuntimeError), e:
                 root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
 
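Review bot: stop_tracking is now hard-coded to /etc/pki/pki-tomcat/alias in the CADSInstance uninstall path, so uninstalling an upgraded server that still runs the old pki-ca instance leaves certmonger tracking certificates in /var/lib/pki-ca/alias; select the directory by dogtag_version here as well.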
@@ -442,7 +412,7 @@ class CAInstance(service.Service):
     """
 
     def __init__(self, realm, ra_db):
-        service.Service.__init__(self, "pki-cad")
+        service.Service.__init__(self, "pki-tomcatd")
         self.realm = realm
         self.dm_password = None
         self.admin_password = None
@@ -466,7 +436,7 @@ class CAInstance(service.Service):
         self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
         self.ds_port = DEFAULT_DSPORT
         self.domain_name = "IPA"
-        self.server_root = "/var/lib"
+        self.server_root = "/var/lib/pki"
         self.ra_cert = None
         self.requestId = None
 
@@ -487,8 +457,7 @@ class CAInstance(service.Service):
                            pkcs12_info=None, master_host=None, csr_file=None,
                            cert_file=None, cert_chain_file=None,
                            subject_base=None):
-        """Create a CA instance. This may involve creating the pki-ca instance
-           dogtag instance.
+        """Create a CA instance.
 
            To create a clone, pass in pkcs12_info.
 
@@ -521,15 +490,11 @@ class CAInstance(service.Service):
             self.external=2
 
         self.step("creating certificate server user", self.__create_ca_user)
-        if not ipautil.dir_exists("/var/lib/pki-ca"):
-            self.step("creating pki-ca instance", self.create_instance)
-        self.step("configuring certificate server instance", self.__configure_instance)
+        self.step("configuring certificate server instance", self.__spawn_instance)
         self.step("disabling nonces", self.__disable_nonce)
         # Step 1 of external is getting a CSR so we don't need to do these
         # steps until we get a cert back from the external CA.
         if self.external != 1:
-            if not self.clone:
-                self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
             if self.create_ra_agent_db:
                 self.step("creating RA agent certificate database", self.__create_ra_agent_db)
             self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
@@ -553,26 +518,117 @@ class CAInstance(service.Service):
 
         self.start_creation("Configuring certificate server", 210)
 
-    def create_instance(self):
+    def __spawn_instance(self):
         """
-        If for some reason the instance doesn't exist, create a new one."
+        Create and configure a new instance using pkispawn.
+        pkispawn requires a configuration file with the appropriate
+        values substituted in.
         """
 
-        args = ['/usr/bin/pkicreate',
-                '-pki_instance_root', '/var/lib',
-                '-pki_instance_name', PKI_INSTANCE_NAME,
-                '-subsystem_type', 'ca',
-                '-agent_secure_port', str(AGENT_SECURE_PORT),
-                '-ee_secure_port', str(EE_SECURE_PORT),
-                '-admin_secure_port', str(ADMIN_SECURE_PORT),
-                '-ee_secure_client_auth_port', str(EE_CLIENT_AUTH_PORT),
-                '-unsecure_port', str(UNSECURE_PORT),
-                '-tomcat_server_port', str(TOMCAT_SERVER_PORT),
-                '-redirect', 'conf=/etc/pki-ca',
-                '-redirect', 'logs=/var/log/pki-ca',
-                '-enable_proxy'
-        ]
-        ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
+        # create a new config file for this installation
+        (cfg_fd, cfg_file) = tempfile.mkstemp()
+        os.close(cfg_fd)
+        shutil.copy("/usr/share/pki/deployment/config/pkideployment.cfg",
+                    cfg_file)
+        pent = pwd.getpwnam(PKI_USER)
+        os.chown(cfg_file, pent.pw_uid, pent.pw_gid )
+        replacevars = {
+            "pki_enable_proxy": "True",
+            "pki_restart_configured_instance": "False",
+            "pki_client_database_dir": self.ca_agent_db,
+            "pki_client_database_password": self.admin_password,
+            "pki_client_database_purge": "False",
+            "pki_client_pkcs12_password": self.admin_password,
+            "pki_security_domain_name": self.domain_name,
+            "pki_admin_email":  "root@localhost",
+            "pki_admin_password": self.admin_password,
+            "pki_admin_nickname": "ipa-ca-agent",
+            "pki_admin_subject_dn": "CN=ipa-ca-agent,%s" % self.subject_base,
+            "pki_ds_ldap_port": str(self.ds_port),
+            "pki_ds_password": self.dm_password,
+            "pki_ds_base_dn": self.basedn,
+            "pki_ds_database": "ipaca",
+            "pki_backup_keys": "True",
+            "pki_backup_password": self.admin_password,
+            "pki_subsystem_subject_dn": \
+                "CN=CA Subsystem,%s" % self.subject_base,
+            "pki_ocsp_signing_subject_dn": \
+                "CN=OCSP Subsystem,%s" % self.subject_base,
+            "pki_ssl_server_subject_dn": \
+                "CN=%s,%s" % (self.fqdn, self.subject_base),
+            "pki_audit_signing_subject_dn": \
+                "CN=CA Audit,%s" % self.subject_base,
+            "pki_ca_signing_subject_dn": \
+                 "CN=Certificate Authority,%s" % self.subject_base,
+            "pki_subsystem_nickname": "subsystemCert cert-pki-ca",
+            "pki_ocsp_signing_nickname": "ocspSigningCert cert-pki-ca",
+            "pki_ssl_server_nickname": "Server-Cert cert-pki-ca",
+            "pki_audit_signing_nickname": "auditSigningCert cert-pki-ca",
+            "pki_ca_signing_nickname": "caSigningCert cert-pki-ca"
+        }
+
+        if (self.clone):
+            cafile = self.pkcs12_info[0]
+            shutil.copy(cafile, "/tmp/ca.p12")
+            pent = pwd.getpwnam(PKI_USER)
+            os.chown("/tmp/ca.p12", pent.pw_uid, pent.pw_gid )
+
+            clone_vars = {
+                "pki_clone_pkcs12_password": self.dm_password,
+                "pki_clone": "True",
+                "pki_clone_pkcs12_path": "/tmp/ca.p12",
+                "pki_security_domain_hostname": self.master_host,
+                "pki_security_domain_https_port": "443",
+                "pki_security_domain_password": self.admin_password,
+                "pki_clone_replication_security": "SSL",
+                "pki_clone_uri": \
+                    "https://%s"; % ipautil.format_netloc(self.master_host, 443)
+            }
+            replacevars.update(clone_vars)
+
+        if self.external == 1:
+            external_vars = {
+                "pki_external": "True",
+                "pki_external_csr_path": self.csr_file
+            }
+            replacevars.update(external_vars)
+        elif self.external == 2:
+            external_vars = {
+                "pki_external": "True",
+                "pki_external_ca_cert_path": self.cert_file,
+                "pki_external_ca_cert_chain_path": self.cert_chain_file,
+                "pki_external_step_two": "True"
+            }
+            replacevars.update(external_vars)
+
+        ipautil.config_replace_variables(cfg_file, replacevars=replacevars)
+
+        # Define the things we don't want logged
+        nolog = (self.admin_password, self.dm_password,)
+
+        args = ["/bin/pkispawn", "-s", "CA", "-f", cfg_file ]
+
+        try:
+            ipautil.run(args, nolog=nolog)
+        except ipautil.CalledProcessError, e:
+            root_logger.critical("failed to configure ca instance %s" % e)
+            raise RuntimeError('Configuration of CA failed')
+        finally:
+            os.remove(cfg_file)
+
+        if not self.clone:
+            shutil.move("/var/lib/pki/pki-tomcat/alias/ca_admin_cert.p12", \
+                        "/root/ca-agent.p12")
+        shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \
+                    "/root/cacert.p12")
+
+        if self.external == 1:
+            print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file
+            print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
+            sys.exit(0)
+
+        root_logger.debug("completed creating ca instance")
+
 
     def __enable(self):
         self.backup_state("enabled", self.is_enabled())
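Review bot: the clone path copies the PKCS#12 holding the CA keys to the fixed, predictable name /tmp/ca.p12 in a world-writable directory, chowns it to pkiuser and never deletes it, so the key material outlives the install; create it with tempfile.mkstemp (as cfg_file already is), keep it mode 0600, and remove it in the finally block next to cfg_file. Other points in this hunk: `"https://%s"; % ipautil.format_netloc(...)` has a stray semicolon after the string literal, which is a syntax error in Python as shown (ignore if it is a mail-archive artifact); the pkispawn config file carries the admin and Directory Manager passwords, so the nolog tuple is right, but confirm pkispawn does not copy the file elsewhere; `if (self.clone):` does not need the parentheses; and tempfile, shutil and pwd must be imported in cainstance.py, which this hunk does not show.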
@@ -598,109 +654,6 @@ class CAInstance(service.Service):
             except ipautil.CalledProcessError, e:
                 root_logger.critical("failed to add user %s" % e)
 
-    def __configure_instance(self):
-        preop_pin = get_preop_pin(self.server_root, PKI_INSTANCE_NAME)
-
-        try:
-            args = ["/usr/bin/perl", "/usr/bin/pkisilent",  "ConfigureCA",
-                    "-cs_hostname", self.fqdn,
-                    "-cs_port", str(ADMIN_SECURE_PORT),
-                    "-client_certdb_dir", self.ca_agent_db,
-                    "-client_certdb_pwd", self.admin_password,
-                    "-preop_pin" , preop_pin,
-                    "-domain_name", self.domain_name,
-                    "-admin_user", "admin",
-                    "-admin_email",  "root@localhost",
-                    "-admin_password", self.admin_password,
-                    "-agent_name", "ipa-ca-agent",
-                    "-agent_key_size", "2048",
-                    "-agent_key_type", "rsa",
-                    "-agent_cert_subject", "CN=ipa-ca-agent,%s" % self.subject_base,
-                    "-ldap_host", self.fqdn,
-                    "-ldap_port", str(self.ds_port),
-                    "-bind_dn", "cn=Directory Manager",
-                    "-bind_password", self.dm_password,
-                    "-base_dn", self.basedn,
-                    "-db_name", "ipaca",
-                    "-key_size", "2048",
-                    "-key_type", "rsa",
-                    "-key_algorithm", "SHA256withRSA",
-                    "-save_p12", "true",
-                    "-backup_pwd", self.admin_password,
-                    "-subsystem_name", self.service_name,
-                    "-token_name", "internal",
-                    "-ca_subsystem_cert_subject_name", "CN=CA Subsystem,%s" % self.subject_base,
-                    "-ca_ocsp_cert_subject_name", "CN=OCSP Subsystem,%s" % self.subject_base,
-                    "-ca_server_cert_subject_name", "CN=%s,%s" % (self.fqdn, self.subject_base),
-                    "-ca_audit_signing_cert_subject_name", "CN=CA Audit,%s" % self.subject_base,
-                    "-ca_sign_cert_subject_name", "CN=Certificate Authority,%s" % self.subject_base ]
-            if self.external == 1:
-                args.append("-external")
-                args.append("true")
-                args.append("-ext_csr_file")
-                args.append(self.csr_file)
-            elif self.external == 2:
-                args.append("-external")
-                args.append("true")
-                args.append("-ext_ca_cert_file")
-                args.append(self.cert_file)
-                args.append("-ext_ca_cert_chain_file")
-                args.append(self.cert_chain_file)
-            else:
-                args.append("-external")
-                args.append("false")
-            if (self.clone):
-                """sd = security domain -->  all CS systems get registered to
-                   a security domain. This is set to the hostname and port of
-                   the master CA.
-                """
-                # The install wizard expects the file to be here.
-                cafile = self.pkcs12_info[0]
-                shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12")
-                pent = pwd.getpwnam(PKI_USER)
-                os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid )
-                args.append("-clone")
-                args.append("true")
-                args.append("-clone_p12_file")
-                args.append("ca.p12")
-                args.append("-clone_p12_password")
-                args.append(self.dm_password)
-                args.append("-sd_hostname")
-                args.append(self.master_host)
-                args.append("-sd_admin_port")
-                args.append("443")
-                args.append("-sd_admin_name")
-                args.append("admin")
-                args.append("-sd_admin_password")
-                args.append(self.admin_password)
-                args.append("-clone_start_tls")
-                args.append("true")
-                args.append("-clone_uri")
-                args.append("https://%s"; % ipautil.format_netloc(self.master_host, 443))
-            else:
-                args.append("-clone")
-                args.append("false")
-
-            # Define the things we don't want logged
-            nolog = (self.admin_password, self.dm_password,)
-
-            ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog)
-        except ipautil.CalledProcessError, e:
-            root_logger.critical("failed to configure ca instance %s" % e)
-            raise RuntimeError('Configuration of CA failed')
-
-        if self.external == 1:
-            print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file
-            print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
-            sys.exit(0)
-
-        # pkisilent makes a copy of the CA PKCS#12 file for us but gives
-        # it a lousy name.
-        if ipautil.file_exists("/root/tmp-ca.p12"):
-            shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
-
-        root_logger.debug("completed creating ca instance")
-
     def __restart_instance(self):
         try:
             self.restart(PKI_INSTANCE_NAME)
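Review bot: the removed `__configure_instance` handled `self.external == 2` (the re-run with `--external_cert_file`/`--external_ca_file`) as well as the clone case, while the pkispawn replacement above only prints the `external == 1` next-step message; until external CA support lands, the installer should reject the `external == 2` options explicitly rather than continue into a self-signed install. On the positive side, dropping pkisilent removes `-admin_password`, `-bind_password` and `-clone_p12_password` from the command line, where any local user could read them from the process table; the config-file approach is the better design.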
@@ -710,10 +663,11 @@ class CAInstance(service.Service):
 
     def __disable_nonce(self):
         # Turn off Nonces
-        if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
+        cfg_file = '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
+        if installutils.update_file(cfg_file, 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
             raise RuntimeError("Disabling nonces failed")
         pent = pwd.getpwnam(PKI_USER)
-        os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
+        os.chown(cfg_file, pent.pw_uid, pent.pw_gid )
 
     def __issue_ra_cert(self):
         # The CA certificate is in the agent DB but isn't trusted
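Review bot: `/var/lib/pki/pki-tomcat/conf/ca/CS.cfg` is hard-coded here and again in `__enable_crl_publish`, `is_master` and `update_cert_config`; define one module-level constant for the CS.cfg path (built from `PKI_INSTANCE_NAME`, as `update_cert_config` already does) so a future layout change is a one-line edit.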
@@ -764,7 +718,7 @@ class CAInstance(service.Service):
         ]
         (stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
 
-        data = stdout.split('\r\n')
+        data = stdout.split('\n')
         params = get_defList(data)
         params['requestId'] = find_substring(data, "requestId")
         params['op'] = 'approve'
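Review bot: changing `stdout.split('\r\n')` to `stdout.split('\n')` leaves a trailing `\r` on every element if the server still answers with CRLF, which breaks the `get_defList`/`find_substring` matching; `stdout.splitlines()` handles both line endings and keeps the RA-cert request code working against an old-style pki-cad instance after the f17 to f18 upgrade described in the cover mail. The same applies to the identical change in the next hunk.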
@@ -785,7 +739,7 @@ class CAInstance(service.Service):
         ]
         (stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
 
-        data = stdout.split('\r\n')
+        data = stdout.split('\n')
         outputList = get_outputList(data)
 
         self.ra_cert = outputList['b64_cert']
@@ -899,20 +853,6 @@ class CAInstance(service.Service):
         except Exception, e:
             raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
 
-    def __create_ca_agent_pkcs12(self):
-        (pwd_fd, pwd_name) = tempfile.mkstemp()
-        os.write(pwd_fd, self.admin_password)
-        os.close(pwd_fd)
-        try:
-            ipautil.run(["/usr/bin/pk12util",
-                         "-n", "ipa-ca-agent",
-                         "-o", "/root/ca-agent.p12",
-                         "-d", self.ca_agent_db,
-                         "-k", pwd_name,
-                         "-w", pwd_name])
-        finally:
-            os.remove(pwd_name)
-
     def __import_ca_chain(self):
         chain = self.__get_ca_chain()
 
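Review bot: the removed `__create_ca_agent_pkcs12` exported the agent cert with `-w pwd_name`, i.e. protected by `self.admin_password`; the replacement moves pkispawn's `ca_admin_cert.p12` into `/root/ca-agent.p12` instead, so confirm the pkispawn config sets the client PKCS#12 password to that same `admin_password`, otherwise the later import of the agent cert into the httpd NSS database fails with a password error.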
@@ -976,7 +916,7 @@ class CAInstance(service.Service):
         csr = pkcs10.strip_header(stdout)
 
         # Send the request to the CA
-        conn = httplib.HTTPConnection(self.fqdn, 9180)
+        conn = httplib.HTTPConnection(self.fqdn, 8080)
         params = urllib.urlencode({'profileId': 'caServerCert',
                 'cert_request_type': 'pkcs10',
                 'requestor_name': 'IPA Installer',
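Review bot: the CSR submission now targets the plain-HTTP port as a bare literal `8080`; give it a named constant next to the other port definitions so the HTTP/HTTPS/AJP values are maintained in one place. Because this request travels in the clear, the assumption from the cover mail that these ports are local to the IPA server belongs in a comment here; if `self.fqdn` ever resolves off-box the request would leave the host unencrypted.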
@@ -1014,7 +954,7 @@ class CAInstance(service.Service):
 
     def __setup_sign_profile(self):
         # Tell the profile to automatically issue certs for RAs
-        installutils.set_directive('/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
+        installutils.set_directive('/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
 
     def __enable_crl_publish(self):
         """
@@ -1022,9 +962,9 @@ class CAInstance(service.Service):
 
         http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Setting_up_Publishing.html
         """
-        caconfig = "/var/lib/pki-ca/conf/CS.cfg"
+        caconfig = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
 
-        publishdir='/var/lib/pki-ca/publish'
+        publishdir='/var/lib/pki/pki-tomcat/ca/publish'
         os.mkdir(publishdir)
         os.chmod(publishdir, 0755)
         pent = pwd.getpwnam(PKI_USER)
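Review bot: `os.mkdir(publishdir)` raises `OSError` when the directory already exists, so a re-run of the installer after a partial failure aborts here; guard it with `os.path.isdir()` or catch `EEXIST`. The new path matches the file-context change in `ipa_dogtag.fc`, which is what gives the publish directory its `cert_t` label; make sure the label is applied (restorecon) after creation when the policy module is already loaded.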
@@ -1083,8 +1023,8 @@ class CAInstance(service.Service):
             self.disable()
 
         try:
-            ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib",
-                         "-pki_instance_name=%s" % PKI_INSTANCE_NAME, "--force"])
+            ipautil.run(["/bin/pkidestroy", "-i", "pki-tomcat",
+                         "-s", "CA"])
         except ipautil.CalledProcessError, e:
             root_logger.critical("failed to uninstall CA instance %s" % e)
 
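Review bot: uninstall drops the `pkiremove` path entirely and hard-codes `pkidestroy -i pki-tomcat`, but the cover mail says an f17 instance upgraded to f18 keeps running as an old-style `pki-ca` instance, so `--uninstall` on such a host will no longer remove it. Select the command using the same dogtag version detection added in `service.py`, and use `PKI_INSTANCE_NAME` instead of the literal `pki-tomcat` to stay consistent with the removed lines.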
@@ -1112,7 +1052,7 @@ class CAInstance(service.Service):
             pin = certmonger.get_pin('internal')
         except IOError, e:
             raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
-        certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/var/lib/pki-ca/alias', 'restart_pkicad "Server-Cert cert-pki-ca"')
+        certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "Server-Cert cert-pki-ca"')
 
     def configure_renewal(self):
         cmonger = ipaservices.knownservices.certmonger
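Review bot: the post-renewal command is still `restart_pkicad "Server-Cert cert-pki-ca"` while the service has become `pki-tomcatd` (see the `IPA_MODULES` and `SERVICE_LIST` changes in this patch); verify that the `restart_pkicad` helper now restarts the correct unit on a Dogtag 10 host, since a renewed certificate that is never loaded is an outage waiting for the old one to expire. The same applies to the `restart_pkicad "%s"` tracking for the audit, OCSP and subsystem certs later in this file.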
@@ -1129,7 +1069,7 @@ class CAInstance(service.Service):
         for nickname in ['auditSigningCert cert-pki-ca',
                          'ocspSigningCert cert-pki-ca',
                          'subsystemCert cert-pki-ca']:
-            certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/var/lib/pki-ca/alias', 'renew_ca_cert "%s"' % nickname)
+            certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'renew_ca_cert "%s"' % nickname)
 
         # Set up the agent cert for renewal
         certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', 'renew_ra_cert')
@@ -1173,7 +1113,7 @@ class CAInstance(service.Service):
         for nickname in ['auditSigningCert cert-pki-ca',
                          'ocspSigningCert cert-pki-ca',
                          'subsystemCert cert-pki-ca']:
-            certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/var/lib/pki-ca/alias', 'restart_pkicad "%s"' % nickname)
+            certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "%s"' % nickname)
 
         # The agent renewal is configured in import_ra_cert which is called
         # after the HTTP instance is created.
@@ -1185,7 +1125,7 @@ class CAInstance(service.Service):
         setlist = installutils.get_directive(IPA_SERVICE_PROFILE,
             'policyset.serverCertSet.list', separator='=')
 
-        # this is the default setting from pki-ca. Don't touch it if a user
+        # this is the default setting from pki-tomcat. Don't touch it if a user
         # has manually modified it.
         if setlist == '1,2,3,4,5,6,7,8':
             installutils.set_directive(IPA_SERVICE_PROFILE,
@@ -1228,7 +1168,7 @@ class CAInstance(service.Service):
         responsibility to handle changes on upgrades.
         """
         master = installutils.get_directive(
-            '/var/lib/pki-ca/conf/CS.cfg', 'subsystem.select', '=')
+            '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg', 'subsystem.select', '=')
 
         return master == 'New'
 
@@ -1316,7 +1256,7 @@ def update_cert_config(nickname, cert):
                   'caSigningCert cert-pki-ca': 'ca.signing.cert',
                   'Server-Cert cert-pki-ca': 'ca.sslserver.cert' }
 
-    installutils.set_directive('/var/lib/%s/conf/CS.cfg' % PKI_INSTANCE_NAME,
+    installutils.set_directive('/var/lib/pki/%s/conf/ca/CS.cfg' % PKI_INSTANCE_NAME,
                                 directives[nickname],
                                 base64.b64encode(cert),
                                 quotes=False, separator='=')
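Review bot: `update_cert_config` builds the path from `PKI_INSTANCE_NAME`, but on an upgraded f17 host the renewal helpers run against an old-style instance whose config is `/var/lib/pki-ca/conf/CS.cfg`, so the renewed certificate would never be written into the live CS.cfg; choose the layout from the `dogtag_version` setting that `service.py` now reads, and reuse that choice in `__disable_nonce`, `__enable_crl_publish` and `is_master`.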
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 388a11e26000a045a13c35ec54e02a2b5a2ea41e..7d58eb426b64a7efc521217ac8ee1efb420eb386 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -46,7 +46,7 @@ from ipapython import config
 from ipalib import errors
 
 # Used to determine install status
-IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
+IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
 
 class BadHostError(Exception):
     pass
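Review bot: `IPA_MODULES` is used to determine install status, so replacing `pki-cad` with `pki-tomcatd` means an upgraded f17 host that still runs `pki-cad` is no longer detected as having a CA; keep both names in the list (or derive the entry from the same dogtag version check as `service.py`) until the conversion script mentioned in the cover mail exists.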
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 198cb387011be1239eedbff410863232922a21e1..530348d74687ed6a146cb55c6cf510078aaba2de 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -40,6 +40,17 @@ AUTO = 1
 ENABLED = 2
 DISABLED = 3
 
+# Determine if we have an updated dogtag instance (dogtag 10+) or
+# an older one.
+dogtag_service = 'pki-cad'
+try: 
+    for line in open("/etc/ipa/default.conf", "r"):
+        if "dogtag_version" in line:
+            dogtag_service = 'pki-tomcatd'
+            break
+except IOError, e:
+    pass
+
 # The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple
 # the first value is the *nix service name, the second the start order.
 SERVICE_LIST = {
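Review bot: the version probe does a substring match (`"dogtag_version" in line`) over raw lines of `/etc/ipa/default.conf`, so a commented-out `#dogtag_version=...` or any key that merely contains the text also selects `pki-tomcatd`; parse the file with the config module this file already imports (or at least `line.strip().startswith('dogtag_version')`) and compare the value. The `open()` handle is never closed, `e` in `except IOError, e:` is unused, and `try:` carries trailing whitespace. Deciding this at import time also means a later change to default.conf is not seen until the process restarts; worth a comment.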
@@ -48,7 +59,7 @@ SERVICE_LIST = {
     'DNS':('named', 30),
     'MEMCACHE':('ipa_memcached', 39),
     'HTTP':('httpd', 40),
-    'CA':('pki-cad', 50),
+    'CA':(dogtag_service, 50),
     'ADTRUST':('smb', 60),
     'EXTID':('winbind', 70)
 }
diff --git a/selinux/ipa_dogtag/ipa_dogtag.fc b/selinux/ipa_dogtag/ipa_dogtag.fc
index 58a4b3e829ebc1fcee5f033814c8e21259ff2663..e467972be11605c58f8b743f820c04148f7f04d9 100644
--- a/selinux/ipa_dogtag/ipa_dogtag.fc
+++ b/selinux/ipa_dogtag/ipa_dogtag.fc
@@ -1 +1 @@
-/var/lib/pki-ca/publish(/.*)?	gen_context(system_u:object_r:cert_t,s0)
+/var/lib/pki/pki-tomcat/ca/publish(/.*)?	gen_context(system_u:object_r:cert_t,s0)
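Review bot: removing the `/var/lib/pki-ca/publish(/.*)?` context leaves the publish directory of an old-style instance, which the cover mail says keeps running after an f17 to f18 upgrade, without the `cert_t` label once the policy module is rebuilt and the filesystem relabeled; keep both entries until the old layout is no longer supported.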
-- 
1.7.10.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
