NOTE: Due to the complexity of these patches, and as they are in the
midst of the review process, I would greatly appreciate it if no more
patches are applied to 'master' until all of these patches have been
checked in (to avoid any additional merge conflicts).
This patch documents continued implementation of the PKI Deployment
Framework based upon the revised filesystem layout documented here:
http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_...
This patch must be applied *AFTER* the following three patches (for
convenience, all four patches have been attached to this email):
* [Patch] Port 'tomcatjss' from Tomcat 6 to Tomcat 7 . . .
* [PATCH] PKI Deployment Framework (20120716)
* [PATCH] PKI Deployment Framework Admin Certificate PKCS12 File
The following patch adds/corrects functionality of the existing PKI
Deployment Framework including (but not limited to):
* In 'catalina.properties', removed commented out jars for each of
the subsystems in the 'common.loader'
* In 'server.xml', removed the line containing a '1'
* Moved all parameters from the [Mandatory] and [Optional] sections
of the 'pkideployment.cfg' file to other more appropriate sections
(e.g. - [Common], [CA], [KRA], etc.), and removed these sections
and all of their associated logic from the 'pki-deploy' package
* Resolved Dogtag TRAC Ticket #225
Dogtag 10: Move "pkispawn"/"pkidestroy" logs
* Removed all security domain references from external CA logic
* Added new 'pki_subsystem_name' parameter to 'pkideployment.cfg'
file, and applied logic throughout 'pki-deploy'
* Added new error message in the case of an unset DNS domain name,
and replaced the log message with a simple print in the case of a
'domainname' exception
To test this patch, follow the procedure documented in "[PATCH] PKI
Deployment Framework Admin Certificate PKCS12 File".
NOTE: All patches listed above have been successfully tested on a
64-bit Fedora 17 host; there is one minor correction that will need to be
made to 'pkidestroy', as it failed to remove the instance directory
under '/var/log/pki'.
Index: src/org/apache/tomcat/util/net/jss/IJSSFactory.java
===================================================================
--- src/org/apache/tomcat/util/net/jss/IJSSFactory.java (revision 229)
+++ src/org/apache/tomcat/util/net/jss/IJSSFactory.java (working copy)
@@ -24,6 +24,6 @@
import java.net.*;
interface IJSSFactory {
- public ServerSocketFactory getSocketFactory();
+ public ServerSocketFactory getSocketFactory(AbstractEndpoint endpoint);
public SSLSupport getSSLSupport(Socket socket);
}
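Review bot: The new parameter type `AbstractEndpoint` is not imported on any line visible in this hunk; the only import shown is `import java.net.*;`, and the patch adds `import org.apache.tomcat.util.net.AbstractEndpoint;` to JSSSocketFactory.java and JSSImplementation.java but, as far as this diff shows, not to this file nor to JSSFactory.java, whose hunk also uses the type. If the import is not already present above either hunk, the build fails; add `import org.apache.tomcat.util.net.AbstractEndpoint;` in both files. A short Javadoc on `getSocketFactory` stating that the endpoint is the source of the connector attributes the returned factory reads would also record the new contract.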
Index: src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
===================================================================
--- src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java (revision 229)
+++ src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java (working copy)
@@ -31,8 +31,15 @@
import java.net.*;
import java.io.*;
+// Imports required to "implement" Tomcat 7 Interface
+import org.apache.tomcat.util.net.AbstractEndpoint;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+
public class JSSSocketFactory
- extends org.apache.tomcat.util.net.ServerSocketFactory {
+ implements org.apache.tomcat.util.net.ServerSocketFactory,
+ org.apache.tomcat.util.net.SSLUtil {
private static HashMap cipherMap = new HashMap();
static {
@@ -157,6 +164,8 @@
eccCipherMap.put(SSLSocket.TLS_ECDH_ECDSA_WITH_NULL_SHA,
"TLS_ECDH_ECDSA_WITH_NULL_SHA");
}
+ private AbstractEndpoint endpoint;
+
static org.apache.commons.logging.Log log =
org.apache.commons.logging.LogFactory.getLog(JSSSocketFactory.class);
@@ -176,8 +185,8 @@
private IPasswordStore mPasswordStore = null;
private boolean mStrictCiphers = false;
- public JSSSocketFactory() {
- super();
+ public JSSSocketFactory (AbstractEndpoint endpoint) {
+ this.endpoint = endpoint;
}
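Review bot: The constructor stores `endpoint` without checking it, yet every attribute read in the hunks below dereferences it, so a null endpoint surfaces later as a NullPointerException inside init() rather than at construction; `if (endpoint == null) throw new IllegalArgumentException("endpoint must not be null");` at the top of the constructor localises the failure. Stylistically, `public JSSSocketFactory (AbstractEndpoint endpoint)` has a space before the parameter list unlike the other declarations in this file, and the `endpoint` field introduced in the previous hunk is never reassigned so it could be declared `private final AbstractEndpoint endpoint;`.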
private void debugWrite(String m) throws IOException {
@@ -190,7 +199,7 @@
public void setSSLCiphers(String attr) throws SocketException
{
- String ciphers = (String)attributes.get(attr);
+ String ciphers = (String)endpoint.getAttribute(attr);
StringTokenizer st = new StringTokenizer(ciphers, ",");
while (st.hasMoreTokens()) {
String cipherstr = st.nextToken();
@@ -250,7 +259,7 @@
public void setSSLOptions() throws SocketException
{
- String options = (String)attributes.get("sslOptions");
+ String options = (String)endpoint.getAttribute("sslOptions");
StringTokenizer st = new StringTokenizer(options, ",");
while (st.hasMoreTokens()) {
String option = st.nextToken();
@@ -301,7 +310,7 @@
void init() throws IOException {
try {
- String deb = (String)attributes.get("debug");
+ String deb = (String)endpoint.getAttribute("debug");
if (deb.equals("true")) {
debug = true;
debugFile = new FileWriter("/tmp/tomcatjss.log", true);
@@ -313,8 +322,8 @@
try {
try {
- mPwdPath = (String)attributes.get("passwordFile");
- mPwdClass = (String)attributes.get("passwordClass");
+ mPwdPath = (String)endpoint.getAttribute("passwordFile");
+ mPwdClass = (String)endpoint.getAttribute("passwordClass");
if (mPwdClass != null) {
mPasswordStore = (IPasswordStore)Class.forName(mPwdClass).newInstance();
mPasswordStore.init(mPwdPath);
@@ -328,7 +337,7 @@
throw new IOException("JSSSocketFactory: no passwordFilePath
defined");
}
- String certDir = (String)attributes.get("certdbDir");
+ String certDir = (String)endpoint.getAttribute("certdbDir");
CryptoManager.InitializationValues vals =
new CryptoManager.InitializationValues(certDir,
@@ -355,7 +364,7 @@
String st = (String) en.nextElement();
debugWrite("JSSSocketFactory init - tag
name="+st+"\n");
pwd = mPasswordStore.getPassword(st);
-
+
if (pwd != null) {
debugWrite("JSSSocketFactory init - got password\n");
pw = new Password(pwd.toCharArray());
@@ -393,10 +402,12 @@
debugWrite("JSSSocketFactory init - no login done\n");
} //mPasswordStore not null
- String clientAuthStr = (String)attributes.get("clientauth");
+ // MUST look for "clientauth" (ALL lowercase) since
"clientAuth"
+ // (camel case) has already been processed by Tomcat 7
+ String clientAuthStr =
(String)endpoint.getAttribute("clientauth");
File file = null;
try {
- mServerCertNickPath =
(String)attributes.get("serverCertNickFile");
+ mServerCertNickPath =
(String)endpoint.getAttribute("serverCertNickFile");
debugWrite("JSSSocketFactory init - got serverCertNickFile"+
mServerCertNickPath+"\n");
file = new File(mServerCertNickPath);
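Review bot: The value read by the new `String clientAuthStr = (String)endpoint.getAttribute("clientauth");` is dereferenced a few lines later (next hunk) by `clientAuthStr.equalsIgnoreCase("true")` with no null check, so a connector that sets only the standard camel-case `clientAuth` attribute, which the added comment says Tomcat 7 has already consumed, fails with a NullPointerException instead of a message naming the missing attribute; the README hunk now lists both `clientAuth="agent"` and `clientauth="agent"`, which suggests deployers are expected to set both spellings. Since this value decides whether client certificates are required, a guard such as `if (clientAuthStr == null) throw new IOException("JSSSocketFactory: no clientauth attribute defined");` right after the assignment makes the misconfiguration explicit rather than leaving it to the generic catch at the end of init(), whose handling is cut off at a hunk edge. The same unchecked pattern applies to the rewritten reads in setSSLCiphers (`ciphers`), setSSLOptions (`options`), the `debug` attribute and `strictCiphers`. init() starts and ends outside this hunk.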
@@ -430,7 +441,7 @@
throw new IOException("JSSSocketFactory: no serverCertNickFile
defined");
}
- //serverCertNick = (String)attributes.get("serverCert");
+ //serverCertNick = (String)endpoint.getAttribute("serverCert");
if (clientAuthStr.equalsIgnoreCase("true") ||
clientAuthStr.equalsIgnoreCase("yes")) {
requireClientAuth = true;
@@ -444,7 +455,7 @@
&& ocspConfigured == false ) {
debugWrite("JSSSocketFactory init - checking for OCSP settings.
\n" );
boolean enableOCSP = false;
- String doOCSP = (String) attributes.get("enableOCSP");
+ String doOCSP = (String) endpoint.getAttribute("enableOCSP");
debugWrite("JSSSocketFactory init - doOCSP flag:"+
doOCSP+ " \n");
@@ -457,10 +468,10 @@
enableOCSP+ "\n");
if( enableOCSP == true ) {
- String ocspResponderURL = (String)
attributes.get("ocspResponderURL");
+ String ocspResponderURL = (String)
endpoint.getAttribute("ocspResponderURL");
debugWrite("JSSSocketFactory init - ocspResponderURL "+
ocspResponderURL+ "\n");
- String ocspResponderCertNickname = (String)
attributes.get("ocspResponderCertNickname");
+ String ocspResponderCertNickname = (String)
endpoint.getAttribute("ocspResponderCertNickname");
debugWrite("JSSSocketFactory init - ocspResponderCertNickname" +
ocspResponderCertNickname + "\n");
if( (ocspResponderURL != null && ocspResponderURL.length()
> 0) &&
(ocspResponderCertNickname != null &&
@@ -473,9 +484,9 @@
int ocspMinCacheEntryDuration_i = 3600;
int ocspMaxCacheEntryDuration_i = 86400;
- String ocspCacheSize = (String)
attributes.get("ocspCacheSize");
- String ocspMinCacheEntryDuration = (String)
attributes.get("ocspMinCacheEntryDuration");
- String ocspMaxCacheEntryDuration = (String)
attributes.get("ocspMaxCacheEntryDuration");
+ String ocspCacheSize = (String)
endpoint.getAttribute("ocspCacheSize");
+ String ocspMinCacheEntryDuration = (String)
endpoint.getAttribute("ocspMinCacheEntryDuration");
+ String ocspMaxCacheEntryDuration = (String)
endpoint.getAttribute("ocspMaxCacheEntryDuration");
if (ocspCacheSize != null ||
ocspMinCacheEntryDuration != null ||
@@ -498,7 +509,7 @@
}
// defualt to 60 seconds;
- String ocspTimeout = (String)
attributes.get("ocspTimeout");
+ String ocspTimeout = (String)
endpoint.getAttribute("ocspTimeout");
if (ocspTimeout != null) {
debugWrite("JSSSocketFactory init - ocspTimeout= \n" + ocspTimeout);
int ocspTimeout_i = Integer.parseInt(ocspTimeout);
@@ -525,7 +536,7 @@
// 12 hours = 43200 seconds
SSLServerSocket.configServerSessionIDCache(0, 43200, 43200, null);
- String strictCiphersStr = (String)attributes.get("strictCiphers");
+ String strictCiphersStr =
(String)endpoint.getAttribute("strictCiphers");
if (strictCiphersStr.equalsIgnoreCase("true") ||
strictCiphersStr.equalsIgnoreCase("yes")) {
mStrictCiphers = true;
@@ -539,7 +550,6 @@
}
setSSLOptions();
- setSSLOptions();
debugWrite("SSSocketFactory init - after setSSLOptions\n");
} catch (Exception ex) {
debugWrite("JSSSocketFactory init - exception thrown:"+
@@ -627,4 +637,21 @@
} catch (Exception e) {
}
}
+
+ // Methods required to "implement" Tomcat 7 Interface
+ public SSLContext createSSLContext() throws Exception {
+ return null;
+ }
+
+ public KeyManager[] getKeyManagers() throws Exception {
+ return null;
+ }
+
+ public TrustManager[] getTrustManagers() throws Exception {
+ return null;
+ }
+
+ public void configureSessionContext(javax.net.ssl.SSLSessionContext
sslSessionContext) {
+ return;
+ }
}
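Review bot: The four new SSLUtil methods return null or do nothing, and `JSSImplementation.getSSLUtil` in this patch also returns null, so any Tomcat 7 path that obtains an SSLUtil and calls `createSSLContext()`, `getKeyManagers()` or `getTrustManagers()` fails with a NullPointerException far from the cause. Throwing `throw new UnsupportedOperationException("JSSSocketFactory: JSS does not expose a JSSE SSLContext");` from the three value-returning stubs fails at the call site with an actionable message; alternatively, since nothing in this patch hands this class out as an SSLUtil, the `implements org.apache.tomcat.util.net.SSLUtil` added in the class-declaration hunk could be dropped along with these stubs. Each stub that stays deserves a one-line Javadoc, e.g. `/** Not supported: exists only to satisfy org.apache.tomcat.util.net.SSLUtil. */`, and the bare `return;` in `configureSessionContext` can be removed.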
Index: src/org/apache/tomcat/util/net/jss/JSSImplementation.java
===================================================================
--- src/org/apache/tomcat/util/net/jss/JSSImplementation.java (revision 229)
+++ src/org/apache/tomcat/util/net/jss/JSSImplementation.java (working copy)
@@ -12,7 +12,7 @@
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
+ *
* Copyright (C) 2007 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK */
@@ -21,8 +21,10 @@
import java.net.Socket;
import java.io.*;
+import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.SSLImplementation;
import org.apache.tomcat.util.net.SSLSupport;
+import org.apache.tomcat.util.net.SSLUtil;
import org.apache.tomcat.util.net.ServerSocketFactory;
public class JSSImplementation extends SSLImplementation
@@ -38,7 +40,7 @@
public JSSImplementation() throws ClassNotFoundException {
Class.forName(SSLSocketClass);
-
+
try {
Class factcl = Class.forName(JSSFactory);
factory = (JSSFactory)factcl.newInstance();
@@ -52,8 +54,9 @@
return "JSS";
}
- public ServerSocketFactory getServerSocketFactory() {
- ServerSocketFactory ssf = factory.getSocketFactory();
+ public ServerSocketFactory getServerSocketFactory(AbstractEndpoint endpoint)
+ {
+ ServerSocketFactory ssf = factory.getSocketFactory(endpoint);
return ssf;
}
@@ -85,7 +88,13 @@
*
* Once this abstract method is removed from SSLImplementation in a
* future release we can remove this stub.
+ *
+ * NOTE: This method has NOT yet been deprecated in Tomcat 7!
*/
return null;
}
+
+ public SSLUtil getSSLUtil(AbstractEndpoint endpoint) {
+ return null;
+ }
}
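Review bot: `getSSLUtil` returning null gives a Tomcat 7 endpoint that relies on SSLUtil rather than `getServerSocketFactory` a NullPointerException with no hint that the JSS implementation does not support that connector type; presumably only the blocking socket-factory path is intended to work here — confirm. Replacing the body with `throw new UnsupportedOperationException("JSSImplementation provides a ServerSocketFactory only; SSLUtil is not supported");` makes an unsupported connector configuration fail at startup with a clear message, and a Javadoc line on the method stating that limitation would help the next maintainer. The method whose comment and `return null;` open this hunk starts outside it.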
Index: src/org/apache/tomcat/util/net/jss/JSSFactory.java
===================================================================
--- src/org/apache/tomcat/util/net/jss/JSSFactory.java (revision 229)
+++ src/org/apache/tomcat/util/net/jss/JSSFactory.java (working copy)
@@ -27,8 +27,8 @@
JSSFactory() {
}
- public ServerSocketFactory getSocketFactory() {
- return new JSSSocketFactory();
+ public ServerSocketFactory getSocketFactory(AbstractEndpoint endpoint) {
+ return new JSSSocketFactory(endpoint);
}
public SSLSupport getSSLSupport(Socket socket) {
Index: README
===================================================================
--- README (revision 229)
+++ README (working copy)
@@ -3,7 +3,7 @@
tomcatjss defines a number of attributes for a Connector including:
-clientAuth: specify if client authentication is required in the connector (or
+clientauth: specify if client authentication is required in the connector (or
port), it can be true or false. If true then client authentication is required.
sslOptions: specify a comma-delimited list of ssl options to pass into the ssl
@@ -16,6 +16,9 @@
ssl3Ciphers: specifies a list of SSL3 ciphers that tomcatjss should accept
or reject from the client. You can use + to denote "accept", - means
"reject".
+tlsCiphers: specifies a list of TLS ciphers that tomcatjss should accept
+or reject from the client. You can use + to denote "accept", - means
"reject".
+
serverCertNickFile: a file in which specify the nickname of the
server certificate. The file should contain a single line that contains
the nickname.
@@ -30,29 +33,41 @@
sslProtocol: needs to be SSL
-SSLImplementation: Needs to be org.apache.tomcat.util.net.jss.JSSImplementation
+sslImplementationName: MUST be org.apache.tomcat.util.net.jss.JSSImplementation
in order to use the plugin
Here is an example of a secure connector:
-<Connector port="9443"
+<Connector port="8443"
+ protocol="HTTP/1.1"
+ SSLEnabled="true"
+ sslProtocol="SSL"
+ scheme="https"
+ secure="true"
+ keyStoreType="PKCS11"
maxHttpHeaderSize="8192"
+ acceptCount="100"
maxThreads="150"
minSpareThreads="25"
- maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
- acceptCount="100"
- scheme="https"
- secure="true"
- clientAuth="false"
- sslProtocol="SSL"
+
sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
+ enableOCSP="false"
+ ocspResponderURL="http://pkilinux.sjc.redhat.com:9080/ca/ocsp"
+ ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
+ ocspCacheSize="1000"
+ ocspMinCacheEntryDuration="60"
+ ocspMaxCacheEntryDuration="120"
+ ocspTimeout="10"
+ strictCiphers="false"
+ clientAuth="agent"
+ clientauth="agent"
sslOptions="ssl2=true,ssl3=true,tls=true"
ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
-
ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
-
SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- serverCertNickFile="/var/lib/rhpki-ca/conf/serverCertNick.conf"
- passwordFile="/var/lib/rhpki-ca/conf/password.conf"
+
ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
+
tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
+
serverCertNickFile="/var/lib/pki/redhat.com-foobar/conf/serverCertNick.conf"
+ passwordFile="/var/lib/pki/redhat.com-foobar/conf/password.conf"
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="/var/lib/rhpki-ca/alias"
+ certdbDir="/var/lib/pki/redhat.com-foobar/alias"
/>
Index: build.xml
===================================================================
--- build.xml (revision 229)
+++ build.xml (working copy)
@@ -37,8 +37,8 @@
<property name="Name" value="Tomcat JSS"/>
<property name="name" value="tomcatjss"/>
- <property name="version" value="6.0.2"/>
- <property name="manifest-version" value="6.0.2"/>
+ <property name="version" value="7.0.0"/>
+ <property name="manifest-version" value="7.0.0"/>
<!--
Set the properties that control various build options
@@ -98,7 +98,7 @@
-->
<property name="jar.home" value="/usr/share/java" />
<property name="commons-logging.jar"
value="${jar.home}/commons-logging-api.jar" />
- <property name="tomcat.lib" value="${jar.home}/tomcat6" />
+ <property name="tomcat.lib" value="${jar.home}/tomcat" />
<property name="tomcat-coyote.jar"
value="${tomcat.lib}/tomcat-coyote.jar" />
<property name="jss.home" value="${jnidir}" />
<!-- This property is set to '/dirsec' when built on rhel4 -->
Index: tomcatjss.spec
===================================================================
--- tomcatjss.spec (revision 229)
+++ tomcatjss.spec (working copy)
@@ -1,5 +1,5 @@
Name: tomcatjss
-Version: 6.0.2
+Version: 7.0.0
Release: 1%{?dist}
Summary: JSSE implementation using JSS for Tomcat
URL:
http://pki.fedoraproject.org/
@@ -13,41 +13,17 @@
# jpackage-utils requires versioning to meet both build and runtime requirements
# jss requires versioning to meet both build and runtime requirements
-# tomcat6 requires versioning to meet both build and runtime requirements
+# tomcat requires versioning to meet both build and runtime requirements
BuildRequires: ant
-BuildRequires: java-devel >= 1:1.6.0
-%if 0%{?fedora} >= 16
-BuildRequires: jpackage-utils >= 0:1.7.5-10
-BuildRequires: jss >= 4.2.6-19.1
-BuildRequires: tomcat6 >= 6.0.32-16
-%else
-%if 0%{?fedora} >= 15
-BuildRequires: jpackage-utils
-BuildRequires: jss >= 4.2.6-17
-BuildRequires: tomcat6 >= 6.0.30-6
-%else
-BuildRequires: jpackage-utils
-BuildRequires: jss >= 4.2.6-17
-BuildRequires: tomcat6
-%endif
-%endif
+BuildRequires: java-devel
+BuildRequires: jpackage-utils >= 0:1.7.5-15
+BuildRequires: jss >= 4.2.6-24
+BuildRequires: tomcat >= 7.0.27
-Requires: java >= 1:1.6.0
-%if 0%{?fedora} >= 16
-Requires: jpackage-utils >= 0:1.7.5-10
-Requires: jss >= 4.2.6-19.1
-Requires: tomcat6 >= 6.0.32-16
-%else
-%if 0%{?fedora} >= 15
-Requires: jpackage-utils
-Requires: jss >= 4.2.6-17
-Requires: tomcat6 >= 6.0.30-6
-%else
-Requires: jpackage-utils
-Requires: jss >= 4.2.6-17
-Requires: tomcat6
-%endif
-%endif
+Requires: java
+BuildRequires: jpackage-utils >= 0:1.7.5-15
+BuildRequires: jss >= 4.2.6-24
+BuildRequires: tomcat >= 7.0.27
# The 'tomcatjss' package conflicts with the 'tomcat-native' package
# because it uses an underlying NSS security model rather than the
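Review bot: The three lines following the new `Requires: java` are tagged `BuildRequires:` instead of `Requires:`, so the runtime dependencies on jpackage-utils, jss and tomcat that the removed conditional block carried are lost and the build dependencies are listed twice; the package would install without the Tomcat 7 and JSS runtime it needs. They should read `Requires: jpackage-utils >= 0:1.7.5-15`, `Requires: jss >= 4.2.6-24` and `Requires: tomcat >= 7.0.27`. Separately, `Requires: java` drops the version floor the removed `Requires: java >= 1:1.6.0` line had; presumably intentional with the move to Tomcat 7 — confirm.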
@@ -100,6 +76,9 @@
%{_javadir}/*
%changelog
+* Wed Jun 06 2012 Matthew Harmsen <mharmsen(a)redhat.com> 7.0.0-1
+- Bugzilla Bug #819554 - tomcatjss: Please migrate from tomcat6 to tomcat7
+
* Thu Sep 22 2011 Matthew Harmsen <mharmsen(a)redhat.com> 6.0.2-1
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen)
- Bugzilla Bug #699809 - Convert CS to use systemd (alee)