diff --git a/opensciencegrid/osdf-chtc-issuer/Dockerfile b/opensciencegrid/osdf-chtc-issuer/Dockerfile
new file mode 100644
index 00000000..a4c8c22b
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/Dockerfile
@@ -0,0 +1,104 @@
+FROM hub.opensciencegrid.org/opensciencegrid/software-base:3.6-el8-release
+
+RUN yum install -y curl java-11-openjdk java-11-openjdk-devel
+
+# Download and install tomcat
+RUN useradd -r -s /sbin/nologin tomcat ;\
+mkdir -p /opt/tomcat ;\
+curl -s -L https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69.tar.gz | tar -zxf - -C /opt/tomcat --strip-components=1 ;\
+chgrp -R tomcat /opt/tomcat/conf ;\
+chmod g+rwx /opt/tomcat/conf ;\
+chmod g+r /opt/tomcat/conf/* ;\
+chown -R tomcat /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/webapps/ /opt/tomcat/work/ ;\
+chgrp -R tomcat /opt/tomcat/bin /opt/tomcat/lib ;\
+chmod g+rwx /opt/tomcat/bin ;\
+chmod g+r /opt/tomcat/bin/*
+
+ADD server.xml /opt/tomcat/conf/server.xml
+RUN chgrp -R tomcat /opt/tomcat/conf/server.xml ;\
+chmod go+r /opt/tomcat/conf/server.xml
+
+ARG TOMCAT_ADMIN_USERNAME=admin
+ARG TOMCAT_ADMIN_PASSWORD=password
+ADD tomcat-users.xml.tmpl /opt/tomcat/conf/tomcat-users.xml.tmpl
+RUN sed s+TOMCAT_ADMIN_USERNAME+${TOMCAT_ADMIN_USERNAME}+g /opt/tomcat/conf/tomcat-users.xml.tmpl | sed s+TOMCAT_ADMIN_PASSWORD+${TOMCAT_ADMIN_PASSWORD}+g > /opt/tomcat/conf/tomcat-users.xml ;\
+chgrp tomcat /opt/tomcat/conf/tomcat-users.xml
+
+ARG TOMCAT_ADMIN_IP=127.0.0.1
+ADD manager.xml.tmpl /opt/tomcat/conf/Catalina/localhost/manager.xml.tmpl
+RUN sed s+TOMCAT_ADMIN_IP+${TOMCAT_ADMIN_IP}+g /opt/tomcat/conf/Catalina/localhost/manager.xml.tmpl > /opt/tomcat/conf/Catalina/localhost/manager.xml ;\
+chgrp -R tomcat  /opt/tomcat/conf/Catalina
+
+COPY --chown=tomcat:tomcat scitokens-server /opt
+#COPY target/oauth2.war /opt/tomcat/webapps/scitokens-server.war
+RUN \
+curl -s -L https://github.com/ncsa/OA4MP/releases/download/v5.2.9.0/oauth2.war > /opt/tomcat/webapps/scitokens-server.war ;\
+mkdir -p /opt/tomcat/webapps/scitokens-server ;\
+cd /opt/tomcat/webapps/scitokens-server ;\
+jar -xf ../scitokens-server.war ;\
+chgrp -R tomcat /opt/tomcat/webapps/scitokens-server ;\
+mkdir -p /opt/tomcat/var/storage/scitokens-server ;\
+chown -R tomcat:tomcat /opt/tomcat/var/storage/scitokens-server ;\
+rm -rf /opt/tomcat/webapps/ROOT /opt/tomcat/webapps/docs /opt/tomcat/webapps/examples /opt/tomcat/webapps/host-manager /opt/tomcat/webapps/manager
+COPY --chown=tomcat:tomcat scitokens-server/web.xml /opt/tomcat/webapps/scitokens-server/WEB-INF/web.xml
+RUN chmod 644 /opt/tomcat/webapps/scitokens-server/WEB-INF/web.xml
+
+# need to put the java mail jar into the tomcat lib directory
+RUN curl -s -L https://github.com/javaee/javamail/releases/download/JAVAMAIL-1_6_2/javax.mail.jar > /opt/tomcat/lib/javax.mail.jar
+
+# Make JWK a volume mount
+RUN mkdir -p /opt/scitokens-server/bin && mkdir -p /opt/scitokens-server/etc && mkdir -p /opt/scitokens-server/etc/templates && mkdir -p /opt/scitokens-server/lib && mkdir -p /opt/scitokens-server/log && mkdir -p /opt/scitokens-server/var/qdl/scitokens && mkdir -p /opt/scitokens-server/var/storage/file_store
+
+# Make server configuration a volume mount
+ADD scitokens-server/etc/server-config.xml /opt/scitokens-server/etc/server-config.xml.tmpl
+ADD scitokens-server/etc/proxy-config.xml /opt/scitokens-server/etc/proxy-config.xml.tmpl
+
+ADD scitokens-server/bin/scitokens-cli /opt/scitokens-server/bin/scitokens-cli
+#COPY target/oa2-cli.jar /opt/scitokens-server/lib/scitokens-cli.jar
+RUN \
+curl -L -s https://github.com/ncsa/OA4MP/releases/download/v5.2.9.0/oa2-cli.jar >/opt/scitokens-server/lib/scitokens-cli.jar ;\
+chmod +x /opt/scitokens-server/bin/scitokens-cli
+
+ADD scitokens-server/etc/templates/client-template.xml /opt/scitokens-server/etc/templates/client-template.xml
+ADD scitokens-server/var/qdl/scitokens/ospool.qdl /opt/scitokens-server/var/qdl/scitokens/ospool.qdl
+ADD scitokens-server/var/qdl/scitokens/comanage.qdl.tmpl /opt/scitokens-server/var/qdl/scitokens/comanage.qdl.tmpl
+RUN chgrp tomcat /opt/scitokens-server/var/qdl/scitokens/ospool.qdl /opt/scitokens-server/var/qdl/scitokens/comanage.qdl.tmpl
+RUN ln -s /usr/lib64/libapr-1.so.0 /opt/tomcat/lib/libapr-1.so.0
+
+# QDL support 21-01-2021
+RUN curl -L -s https://github.com/ncsa/OA4MP/releases/download/v5.2.9.0/oa2-qdl-installer.jar >/tmp/oa2-qdl-installer.jar ;\
+java -jar /tmp/oa2-qdl-installer.jar -dir /opt/qdl
+
+RUN  mkdir -p /opt/qdl/var/scripts
+
+ADD qdl/etc/qdl.properties /opt/qdl/etc/qdl.properties
+ADD qdl/etc/qdl-cfg.xml /opt/qdl/etc/qdl-cfg.xml
+
+ADD qdl/var/scripts/boot.qdl /opt/qdl/var/scripts/boot.qdl
+RUN chmod +x /opt/qdl/var/scripts/boot.qdl
+
+ADD qdl/bin/qdl /opt/qdl/bin/qdl
+RUN chmod +x /opt/qdl/bin/qdl
+
+ADD qdl/bin/qdl-run /opt/qdl/bin/qdl-run
+RUN chmod +x /opt/qdl/bin/qdl-run
+# END QDL support
+
+# Add CHTC custom CA to trust store
+COPY tiger-ca.pem /opt/scitokens-server/tiger-ca.pem
+RUN keytool -import -alias tigerca -file /opt/scitokens-server/tiger-ca.pem -cacerts -trustcacerts -noprompt -storepass changeit;\
+rm /opt/scitokens-server/tiger-ca.pem
+
+ENV JAVA_HOME=/usr/lib/jvm/jre
+ENV CATALINA_PID=/opt/tomcat/temp/tomcat.pid
+ENV CATALINA_HOME=/opt/tomcat
+ENV CATALINA_BASE=/opt/tomcat
+ENV CATALINA_OPTS="-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
+ENV JAVA_OPTS="-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Djava.library.path=/opt/tomcat/lib"
+ENV ST_HOME="/opt/scitokens-server"
+ENV QDL_HOME="/opt/qdl"
+ENV PATH="${ST_HOME}/bin:${QDL_HOME}/bin:${PATH}"
+
+#RUN "${QDL_HOME}/var/scripts/boot.qdl"
+ADD start.sh /start.sh
+CMD ["/start.sh"]
diff --git a/opensciencegrid/osdf-chtc-issuer/manager.xml.tmpl b/opensciencegrid/osdf-chtc-issuer/manager.xml.tmpl
new file mode 100644
index 00000000..841abc65
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/manager.xml.tmpl
@@ -0,0 +1,5 @@
+<Context privileged="true" antiResourceLocking="false"
+         docBase="${catalina.home}/webapps/manager">
+    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|TOMCAT_ADMIN_IP" />
+</Context>
+
diff --git a/opensciencegrid/osdf-chtc-issuer/qdl/bin/qdl b/opensciencegrid/osdf-chtc-issuer/qdl/bin/qdl
new file mode 100644
index 00000000..6ffeb98d
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/qdl/bin/qdl
@@ -0,0 +1,9 @@
+# The script to invoke the QDL interpreter.
+CFG_FILE="$QDL_HOME/etc/qdl-cfg.xml"
+CFG_NAME="oa2-dev"
+QDL_JAR="$QDL_HOME/lib/qdl.jar"
+
+cfgFile=${1:-$CFG_FILE}
+cfgName=${2:-$CFG_NAME}
+
+java -cp $QDL_JAR edu.uiuc.ncsa.qdl.workspace.QDLWorkspace -cfg  $cfgFile -name $cfgName -home_dir $QDL_HOME
\ No newline at end of file
diff --git a/opensciencegrid/osdf-chtc-issuer/qdl/bin/qdl-run b/opensciencegrid/osdf-chtc-issuer/qdl/bin/qdl-run
new file mode 100644
index 00000000..cfd93f36
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/qdl/bin/qdl-run
@@ -0,0 +1,7 @@
+# The script to invoke the QDL interpreter.
+
+CFG_FILE="$QDL_HOME/etc/qdl-cfg.xml"
+CFG_NAME="run-it"
+QDL_JAR="$QDL_HOME/lib/qdl.jar"
+
+java -cp $QDL_JAR edu.uiuc.ncsa.qdl.workspace.QDLWorkspace -cfg  $CFG_FILE -name $CFG_NAME -home_dir $QDL_HOME -run "$@"
diff --git a/opensciencegrid/osdf-chtc-issuer/qdl/etc/qdl-cfg.xml b/opensciencegrid/osdf-chtc-issuer/qdl/etc/qdl-cfg.xml
new file mode 100644
index 00000000..548d4f7b
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/qdl/etc/qdl-cfg.xml
@@ -0,0 +1,109 @@
+<config>
+    <qdl name="oa2-dev"
+            enabled="true"
+            server_mode="false"
+            numeric_digits="15"
+            compressOn="false"
+            script_path="vfs#/scripts/"
+            module_path="/opt/qdl/var/modules/">
+           <workspace verbose="true"
+                      echoModeOn="true"
+                      autosaveOn="true"
+                      editor_name="line"
+                      use_editor="true"
+                      save_dir="/opt/qdl/var/ws"
+                      showBanner = "false"
+                      autosaveInterval="300000"
+                      prettyPrint="true">
+               <home_dir>/opt/qdl</home_dir>
+               <env>etc/qdl.properties</env>
+           </workspace>
+
+           <editors>
+              <editor
+                 name="nano"
+                 exec="/bin/nano"/>
+               <editor
+                  name="vi"
+                  exec="/bin/vi"/>
+           </editors>
+            <logging
+                   logFileName="/opt/qdl/log/qdl.log"
+                   logName="qdl"
+                   disableLog4j="true"
+                   logSize="100000"
+                   logFileCount="2"
+                   debug="true"/>
+        <virtual_file_systems>
+               <vfs type="pass_through"
+                    access="rw">
+                   <root_dir>/opt/scitokens-server/var/qdl</root_dir>
+                   <scheme><![CDATA[vfs]]></scheme>
+                   <mount_point>/scripts</mount_point>
+               </vfs>
+        </virtual_file_systems>
+        <modules>
+            <module type="java"
+                    import_on_start="true">
+                <class_name>edu.uiuc.ncsa.myproxy.oa4mp.qdl.OA2QDLLoader</class_name>
+            </module>
+            <module type="java"
+                    import_on_start="true">
+                <class_name>edu.uiuc.ncsa.oa2.qdl.QDLToolsLoader</class_name>
+            </module>
+            <module type="java"
+                    import_on_start="false">
+                <class_name>edu.uiuc.ncsa.oa2.qdl.storage.StoreAccessLoader</class_name>
+            </module>
+            <module type="qdl"
+                 import_on_start="true">
+                 <path>/opt/qdl/etc/modules/math-x.mdl</path>
+            </module>
+            <module type="qdl"
+                  import_on_start="true">
+                 <path>/opt/qdl/etc/modules/ext.mdl</path>
+            </module>
+        </modules>
+
+    </qdl>
+    <qdl name="run-it"
+            enabled="true"
+            server_mode="false">
+           <workspace verbose="false"
+                      echoModeOn="false"
+                      prettyPrint="false">
+               <home_dir>/opt/qdl</home_dir>
+               <env>etc/qdl.properties</env>
+           </workspace>
+
+            <logging
+                   logFileName="/opt/qdl/log/qdl.log"
+                   logName="qdl"
+                   disableLog4j="true"
+                   logSize="100000"
+                   logFileCount="2"
+                   debug="false"/>
+           <modules>
+               <module type="java"
+                       import_on_start="true">
+                   <class_name>edu.uiuc.ncsa.myproxy.oa4mp.qdl.OA2QDLLoader</class_name>
+               </module>
+               <module type="java"
+                       import_on_start="true">
+                   <class_name>edu.uiuc.ncsa.oa2.qdl.QDLToolsLoader</class_name>
+               </module>
+               <module type="java"
+                       import_on_start="false">
+                   <class_name>edu.uiuc.ncsa.oa2.qdl.storage.StoreAccessLoader</class_name>
+               </module>
+               <module type="qdl"
+                    import_on_start="true">
+                    <path>/opt/qdl/etc/modules/math-x.mdl</path>
+               </module>
+               <module type="qdl"
+                     import_on_start="true">
+                    <path>/opt/qdl/etc/modules/ext.mdl</path>
+               </module>
+           </modules>
+    </qdl>
+</config>
diff --git a/opensciencegrid/osdf-chtc-issuer/qdl/etc/qdl.properties b/opensciencegrid/osdf-chtc-issuer/qdl/etc/qdl.properties
new file mode 100644
index 00000000..3ed80aa7
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/qdl/etc/qdl.properties
@@ -0,0 +1,2 @@
+#Environment saved to "/opt/qdl/etc/qdl.properties"
+#Basic properties file. This can be empty
diff --git a/opensciencegrid/osdf-chtc-issuer/qdl/nano b/opensciencegrid/osdf-chtc-issuer/qdl/nano
new file mode 100644
index 00000000..faa38886
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/qdl/nano
@@ -0,0 +1 @@
+include /opt/qdl/etc/qdl.nanorc-2.3.1
\ No newline at end of file
diff --git a/opensciencegrid/osdf-chtc-issuer/qdl/var/scripts/boot.qdl b/opensciencegrid/osdf-chtc-issuer/qdl/var/scripts/boot.qdl
new file mode 100644
index 00000000..ffdc4e7e
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/qdl/var/scripts/boot.qdl
@@ -0,0 +1,59 @@
+#! /usr/bin/env qdl-run
+
+/*
+   Boot script in QDL to set up a new OA4MP issuer install. This is run exactly
+   once before the system is started the first time. This will read in all the
+   template files for clients in ${ST_HOME}/etc/templates and ingest them into
+   OA4MP's client store.
+*/
+
+assert[is_defined(os_env().'ST_HOME')]['Environment variable ST_HOME is not defined. Exiting...'];
+
+st_home := os_env().'ST_HOME'; // get the scitokens home directory from the environment
+// normalize the path. If it ends in a /, drop it for later use in strings.
+st_home := '.*/' =~ st_home?substring(st_home,0,size(st_home)-1):st_home;
+template_dir := st_home + '/etc/templates';
+/*
+    Set up access to the client store using the current server configuration.
+*/
+module_import('oa2:/qdl/store', 'clients');
+clients#init(st_home+'/etc/server-config.xml', 'scitokens-server', 'client');
+
+
+files. := dir(template_dir);
+if[
+   size(files.) == 0
+ ][
+   say('(no templates.)');
+   return();
+];
+
+files. := ~mask(files.,   '.*xml' =~ files.); // regex match on those that end in .xml
+say('processing ' + size(files.) + ' templates from ' + template_dir);
+
+while[
+   for_next(t, files.)
+ ][
+   template. := clients#from_xml(file_read(template_dir + '/' + t));
+   if[
+      !is_defined(template.'client_id')
+   ][
+      say('warning -- file "' + t + '" is not a client template. skipping');
+   ]else[
+   // At this point we don't want to just overwrite an existing template since
+   // there may be customizations that the admin has added.
+     if[
+          size(clients#read(template.'client_id')) == 0
+        ][
+          clients#save(template.);
+        ]else[
+          say('Warning, but "' + t + '" already exists in the store. Update it manually. Skipping');
+       ];
+   ];
+]; // end while
+
+say('done!');
+
+
+
+
diff --git a/opensciencegrid/osdf-chtc-issuer/scitokens-server/bin/create_keys b/opensciencegrid/osdf-chtc-issuer/scitokens-server/bin/create_keys
new file mode 100644
index 00000000..12083855
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/scitokens-server/bin/create_keys
@@ -0,0 +1 @@
+java -jar /opt/scitokens-server/lib/jwt.jar -batch create_keys -single -o
diff --git a/opensciencegrid/osdf-chtc-issuer/scitokens-server/bin/scitokens-cli b/opensciencegrid/osdf-chtc-issuer/scitokens-server/bin/scitokens-cli
new file mode 100644
index 00000000..bdd89a2b
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/scitokens-server/bin/scitokens-cli
@@ -0,0 +1,37 @@
+# Run the OA4MP command processor. This will allow you to edit, create or remove
+# clients, approvals, users and archived users. You can also reset the counter and do copy
+# operations from one store to another
+#
+# The next 5 entries completely determine how this operates. Change these to whatever you want if
+# different from the standard install.
+
+OA2_ROOT=/opt/scitokens-server
+DEFAULT_CONFIG=$OA2_ROOT/etc/server-config.xml
+DEFAULT_TARGET=scitokens-server
+oa2jar=$OA2_ROOT/lib/scitokens-cli.jar
+logFile=$OA2_ROOT/var/log/scitokens--cli.log
+DEFAULT_ENV=$OA2_ROOT/etc/cli.properties
+
+# End of user serviceable parts.
+
+if [[  "$1" = "--help" || $# -gt 2 ]];then
+  echo "scitokens-server-cli [configName configFile environment"]
+  echo "Start the OA4MP for OAuth2 command line admin tool with the"
+  echo "given configuration name in the given configuration file (full path)."
+  echo "No arguments means to use the config named '$DEFAULT_TARGET' in the file  '$DEFAULT_CONFIG'" 
+  echo "and to try and load the '$DEFAULT_ENV' as the environment."
+  echo "One argument is assumed to be the configuration name in the default config file."
+  exit 1
+fi
+
+target=${1:-$DEFAULT_TARGET}
+adminCfg=${2:-$DEFAULT_CONFIG}
+env=${3:-$DEFAULT_ENV}
+
+java -jar $oa2jar -cfg $adminCfg -name $target -log $logFile  -v -set_env $env
+
+if [ $? != 0 ]; then
+  exit 1
+fi
+
+exit 0
diff --git a/opensciencegrid/osdf-chtc-issuer/scitokens-server/etc/proxy-config.xml b/opensciencegrid/osdf-chtc-issuer/scitokens-server/etc/proxy-config.xml
new file mode 100644
index 00000000..2edc7a62
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/scitokens-server/etc/proxy-config.xml
@@ -0,0 +1,24 @@
+<config>
+    <client name="proxy-client">
+        <logging
+                logFileName="/tmp/oa4mp-oauth2-fs-client.xml"
+                logName="oa4mp"
+                logSize="100000"
+                logFileCount="2"
+                debug="true"/>
+        <id>{CLIENT_ID}</id>
+        <secret>{CLIENT_SECRET}</secret>
+        <callbackUri>https://{HOSTNAME}/scitokens-server/ready</callbackUri>
+        <serviceUri>https://cilogon.org/oauth2</serviceUri>
+        <authorizeUri>https://cilogon.org/authorize</authorizeUri>
+        <wellKnownUri>https://cilogon.org/oauth2/.well-known/openid-configuration</wellKnownUri>
+        <scopes>
+            <scope>email</scope>
+            <scope>openid</scope>
+            <scope>profile</scope>
+            <scope>org.cilogon.userinfo</scope>
+        </scopes>
+        <memoryStore><assetStore/></memoryStore>
+    </client>
+
+</config>
\ No newline at end of file
diff --git a/opensciencegrid/osdf-chtc-issuer/scitokens-server/etc/server-config.xml b/opensciencegrid/osdf-chtc-issuer/scitokens-server/etc/server-config.xml
new file mode 100644
index 00000000..e51f734d
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/scitokens-server/etc/server-config.xml
@@ -0,0 +1,91 @@
+<config>
+    <service name="scitokens-server"
+             disableDefaultStores="true"
+             authorizationGrantLifetime="750 sec"
+             defaultAccessTokenLifetime="1009 sec."
+             maxAccessTokenLifetime="1800 sec"
+             maxRefreshTokenLifetime="2592000 sec"
+             maxClientRefreshTokenLifetime="1296000 sec."
+             refreshTokenEnabled="true"
+             enableTokenExchange="true"
+             clientSecretLength="24"
+             scheme="oa4mp"
+             schemeSpecificPart=""
+             debug="trace"
+             OIDCEnabled = "false"
+             serverDN="CN=localhost"
+             issuer="https://{HOSTNAME}/scitokens-server"
+             address="https://{HOSTNAME}/scitokens-server">
+
+        <logging
+                logFileName="/opt/scitokens-server/log/scitokens-server.log"
+                logName="scitokens-server"
+                logSize="100000"
+                logFileCount="2"
+                debug="trace"/>
+        <JSONWebKey>
+            <path><![CDATA[/opt/scitokens-server/etc/keys.jwk]]></path>
+        </JSONWebKey>
+        <!-- Remove the next authorizationServlet if using a proxy -->
+        <!--<authorizationServlet authorizationURI="https://{HOSTNAME}/scitokens-server/authorize"/>-->
+       <authorizationServlet
+                useProxy="true"
+                cfgFile="/opt/scitokens-server/etc/proxy-config.xml"
+                cfgName="proxy-client"
+        />
+        <deviceFlowServlet
+                verificationURI="https://{HOSTNAME}/scitokens-server/device"
+                interval="5"
+                codeChars="0123456789ABCDEFX"
+                codeLength="9"
+                codeSeparator="_"
+                codePeriodLength="3"
+        />
+
+        <clientManagement>
+           <api protocol="rfc7591"
+                enabled="true"
+                endpoint="oidc-cm"
+                anonymousOK="true"
+                autoApprove="true"
+                autoApproverName="anonymous"
+                template="localhost:template"
+           />
+           <api protocol="rfc7592" enabled="true" endpoint="oidc-cm"/>
+           <api protocol="oa4mp" enabled="false" />
+        </clientManagement>
+
+        <fileStore path="/opt/scitokens-server/var/storage/file_store">
+            <clients/>
+            <clientApprovals/>
+            <transactions/>
+            <permissions/>
+            <adminClients/>
+            <txStore/>
+            <voStore/>
+        </fileStore>
+
+        <qdl name="qdl-default"
+             enabled="true"
+             debug="info"
+             strict_acls="false"
+             script_path="vfs#/scripts/">
+            <virtual_file_systems>
+                <vfs type="pass_through"
+                     access="rw">
+                    <root_dir>/opt/scitokens-server/var/qdl</root_dir>
+                    <scheme><![CDATA[vfs]]></scheme>
+                    <mount_point>/scripts</mount_point>
+                </vfs>
+            </virtual_file_systems>
+            <modules>
+                <module type="java"
+                        import_on_start="true">
+                    <class_name>edu.uiuc.ncsa.myproxy.oa4mp.qdl.OA2QDLLoader</class_name>
+                </module>
+            </modules>
+        </qdl>
+
+        <mail enabled="false"/>
+    </service>
+</config>
diff --git a/opensciencegrid/osdf-chtc-issuer/scitokens-server/etc/templates/client-template.xml b/opensciencegrid/osdf-chtc-issuer/scitokens-server/etc/templates/client-template.xml
new file mode 100644
index 00000000..6ea41958
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/scitokens-server/etc/templates/client-template.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
+<!--
+     Template for clients. This should be referenced in the server configuration
+     so that any client created in the client management API is auto approved
+     and starts with the properties here.
+-->
+<properties>
+<comment>OA4MP stream store</comment>
+<entry key="at_lifetime">-1</entry>
+<entry key="public_key">4b289478ab9e80f43a837620fd09e3484b10bb77</entry>
+<entry key="last_modified_ts">2022-01-19T21:39:03.254Z</entry>
+<entry key="rt_lifetime">1209600000</entry>
+<entry key="cfg">{"tokens":{"access":{"audience":"ANY","type":"sci_token","qdl": {"load": "vfs#/scripts/scitokens/ospool.qdl","xmd": {"exec_phase":  ["pre_auth","post_token","post_refresh","post_exchange"]}}}}}</entry>
+<entry key="proxy_limited">false</entry>
+<entry key="home_url">https://localhost:9443/client2</entry>
+<entry key="sign_tokens">true</entry>
+<entry key="debug_on">false</entry>
+<entry key="client_id">localhost:template</entry>
+<entry key="strict_scopes">false</entry>
+<entry key="public_client">true</entry>
+<entry key="callback_uri">["https://localhost:9443/client2/ready"]</entry>
+<entry key="name">SciToken client template</entry>
+<entry key="creation_ts">2022-01-19T19:55:55.172Z</entry>
+<entry key="df_lifetime">-1</entry>
+<entry key="scopes">["openid", "wlcg"]</entry>
+<entry key="email">gaynor@illinois.edu</entry>
+<entry key="df_interval">-1</entry>
+</properties>
diff --git a/opensciencegrid/osdf-chtc-issuer/scitokens-server/etc/templates/readme.txt b/opensciencegrid/osdf-chtc-issuer/scitokens-server/etc/templates/readme.txt
new file mode 100644
index 00000000..c2f99219
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/scitokens-server/etc/templates/readme.txt
@@ -0,0 +1,5 @@
+A directory of templates for clients. Each one is in XML format. This directory will be read
+when the system is created and each file will be imported to the store. Simply put
+whatever templates you want in here.
+
+The only requirement to be read is that it end in .xml
\ No newline at end of file
diff --git a/opensciencegrid/osdf-chtc-issuer/scitokens-server/readme.txt b/opensciencegrid/osdf-chtc-issuer/scitokens-server/readme.txt
new file mode 100644
index 00000000..c29ba529
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/scitokens-server/readme.txt
@@ -0,0 +1,38 @@
+Author: Jeff Gaynor
+Created: 2021-08-20T11:12:15.435Z
+
+Originally part of the scitokens/lightweight-issuer project.
+
+This directory has the installation layout and files for the docker image.
+
+╔══════════════════════════════════════════════════════════════════════════╗
+║ NOTE: The permissions for this directory should be restricted to exactly ║
+║ owner - root                                                             ║
+║ group - tomcat                                                           ║
+╚══════════════════════════════════════════════════════════════════════════╝
+
+If the group is not tomcat, then tomcat cannot access anything in it.
+
+
+Top level for the install is:
+
+/opt/scitokens-server
+
+All files below are relative to that.
+
+web.xml = the web.xml file that should be deployed with this, overwriting the
+          supplied web in the war. This contains the pointer to the configuration
+          and configuring Tomcat as a standalone service.
+
+    etc = configuration files.
+          server-config.xml = the configuration for the OA4MP server.
+          keys.jwk - generated JSON web keys
+
+    log = log files, if logging is enabled.
+
+    var = directory for things that vary.
+         - storage
+            -file_store = file store for OA4MP
+         - qdl
+            -scripts = mounted scripts directory for QDL (OA4MP's policy language).
+
diff --git a/opensciencegrid/osdf-chtc-issuer/scitokens-server/var/qdl/scitokens/comanage.qdl.tmpl b/opensciencegrid/osdf-chtc-issuer/scitokens-server/var/qdl/scitokens/comanage.qdl.tmpl
new file mode 100644
index 00000000..83bfbae2
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/scitokens-server/var/qdl/scitokens/comanage.qdl.tmpl
@@ -0,0 +1,24 @@
+/*
+ * Query the CHTC LDAP for information
+ */
+
+block [
+  ini. := file_read('/opt/secrets/cilogon_ldap_password.ini', 2).'prod';
+
+  ldap_cfg.                   := new_template('ldap');
+  ldap_cfg.auth_type          := 'simple';
+  ldap_cfg.address            := ini.'server';
+  ldap_cfg.port               := 636;
+  ldap_cfg.claim_name         := 'uid';
+  ldap_cfg.search_base        := ini.'search_base';
+  ldap_cfg.search_scope       := 'subtree';
+  ldap_cfg.fail_on_error      := true;
+  ldap_cfg.type               := 'ldap';
+  ldap_cfg.groups             := ['isMemberOf'];
+  ldap_cfg.ldap_name          := 'gecos';
+  ldap_cfg.search_attributes. := ['isMemberOf', 'uid', 'gecos'];
+  ldap_cfg.password           := @LDAP_PASSWORD@
+  ldap_cfg.username           := ini.'name';
+
+  return(get_claims(create_source(ldap_cfg.), script_args(0)));
+];
diff --git a/opensciencegrid/osdf-chtc-issuer/scitokens-server/var/qdl/scitokens/ospool.qdl b/opensciencegrid/osdf-chtc-issuer/scitokens-server/var/qdl/scitokens/ospool.qdl
new file mode 100644
index 00000000..5cecb22c
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/scitokens-server/var/qdl/scitokens/ospool.qdl
@@ -0,0 +1,89 @@
+/*
+ * This script changes the provided scopes based on request.
+ *
+ * TODO:
+ * - prefix matching, allowing more refined scopes.
+ * - have token prefix path specified by an INI file instead of hardcode.
+ */
+
+if [0 == size(proxy_claims.)] then
+[
+     return();
+];
+
+say(proxy_claims.);
+
+if [!is_defined(proxy_claims.'idp_name')] then
+[
+     sys_err.ok := false;
+     sys_err.message := 'Authentication is missing IDP name.';
+     return();
+];
+
+if [!is_defined(proxy_claims.'eppn')] then
+[
+     sys_err.ok := false;
+     sys_err.message := 'Authentication is missing ePPN.';
+     return();
+];
+
+if [proxy_claims.'idp_name'  != 'University of Wisconsin-Madison'] then
+[
+     sys_err.ok := false;
+     sys_err.message := 'Identity provider must be "University of Wisconsin-Madison" for CHTC authentication';
+     return();
+];
+
+eppn_tokens. := tokenize(proxy_claims.'eppn', '@');
+netid := eppn_tokens.0;
+
+record. := script_load('scitokens/comanage.qdl', netid);
+
+if [0 == size(record.)] then
+[
+     sys_err.ok := false;
+     sys_err.message := 'Failed to locate the user record.';
+     return();
+];
+
+group_scopes_read.  := [];
+group_scopes_write. := [];
+if [is_defined(record.'isMemberOf'.)] then
+[
+/*
+    if [!reduce(@&&, in_group2('cn=htc_execute_node,ou=user_tags,dc=chtc,dc=wisc,dc=edu', record.'isMemberOf'.))] then
+    [
+        sys_err.ok := false;
+        sys_err.message := 'User must be in the htc_execute_node group';
+        return();
+    ];
+*/
+
+    group_scopes_read.  := 'storage.read:/PROTECTED/projects/' + ~values(record.'isMemberOf'.);
+    group_scopes_read.  :=  ~mask(group_scopes_read.,  -1 >= starts_with(group_scopes_read., 'storage.read:/PROTECTED/projects/cn='));
+    group_scopes_write. := 'storage.write:/PROTECTED/projects/' + ~values(record.'isMemberOf'.);
+    group_scopes_write. :=  ~mask(group_scopes_write., -1 >= starts_with(group_scopes_write., 'storage.write:/PROTECTED/projects/cn='));
+] else [
+    sys_err.ok := false;
+    sys_err.message := 'User must be in CHTC groups';
+    return();
+];
+
+// group_scopes_read.  := ~mask(scopes., -1 < list_starts_with(scopes., group_scopes_read.));
+// group_scopes_write. := ~mask(scopes., -1 < list_starts_with(scopes., group_scopes_write.));
+
+user_scopes. := [];
+if [0 < size(record.uid.)] then
+[
+     //user_scopes. := ~mask(scopes., -1 < list_starts_with(scopes., ['storage.read:/PROTECTED/' + record.uid, 'storage.write:/PROTECTED/' + record.uid]));
+     user_scopes. := ['storage.read:/PROTECTED/' + record.uid, 'storage.write:/PROTECTED/' + record.uid];
+];
+
+remove(access_token.ver.);
+access_token.'wlcg.ver'. := '1.0';
+access_token.'aud'       := 'https://wlcg.cern.ch/jwt/v1/any';
+access_token.sub         := record.uid;
+access_token.iss         := 'https://chtc.cs.wisc.edu';
+
+all_scopes. := unique(group_scopes_read. ~ group_scopes_write. ~ user_scopes.);
+access_token.scope := detokenize(all_scopes., ' ', 2);
diff --git a/opensciencegrid/osdf-chtc-issuer/scitokens-server/var/qdl/scitokens/st.qdl b/opensciencegrid/osdf-chtc-issuer/scitokens-server/var/qdl/scitokens/st.qdl
new file mode 100644
index 00000000..a42871f1
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/scitokens-server/var/qdl/scitokens/st.qdl
@@ -0,0 +1,38 @@
+/*
+   Basic script to fetch the capabilities for a user (by eppn here) and
+   put it in the scopes for the access token.
+*/
+define[
+   stAud(x.)
+ ][
+   aud_caput := 'aud:';
+   xi. := mask(x., starts_with(x., aud_caput) == 0); // only those that start with the caput
+   return(substring(xi., size(aud_caput)));
+ ];
+
+               EPE := 'eduPersonEntitlement';
+
+              cfg. := new_template('file');
+   cfg.'file_path' := 'vfs#/scripts/user-config.txt';
+   /* Uncomment next two lines if you want to enable default user support */
+   cfg.use_default := true;
+ cfg.default_claim := 'default_claim';
+
+   // Snarf up the exactly the EPE from the claims using the subject.
+              eta. := get_claims(create_source(cfg.), claims.'sub');
+
+access_token.scope := detokenize(unique(eta.EPE), ' ', 2); // turn in to string, omit duplications, trailing space
+if[is_defined(eta.'audience')][access_token.'aud' := eta.'audience';];
+xi. := stAud(scopes.);
+if[0<size(xi.)][access_token.'aud' := xi.;];
+if[
+   is_defined(claims.'eppn')
+][
+   access_token.'sub' := claims.'eppn';
+]else[
+  if[
+     is_defined(claims.'email')
+  ][
+   access_token.'sub' := claims.'email';
+  ];
+];
diff --git a/opensciencegrid/osdf-chtc-issuer/scitokens-server/var/qdl/user-config.json b/opensciencegrid/osdf-chtc-issuer/scitokens-server/var/qdl/user-config.json
new file mode 100644
index 00000000..f2380456
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/scitokens-server/var/qdl/user-config.json
@@ -0,0 +1,28 @@
+{
+  "comment": [
+    "This JSON file contains claims (i.e. assertions about each user) which are used in issuing access tokens.",
+    "The key is the eppn of each user and the eduPersonEntitlement (a JSON array) containing the permissions",
+    "explicitly granted. These will simply be returned as the scope in the access token.",
+    "https://wiki.refeds.org/display/STAN/eduPerson+2020-01#eduPerson202001-eduPersonEntitlement"
+  ],
+  "dweitzel2@unl.edu": {
+    "eduPersonEntitlement": [
+      "storage.read:/home/some_group/dweitzel",
+      "storage.write:/home/some_group/dweitzel"
+    ]
+  },
+  "http://cilogon.org/serverA/users/6849": {
+    "eduPersonEntitlement": [
+      "storage.read:/home/some_group/jgaynor",
+      "storage.write:/home/some_group/jgaynor"
+    ],
+    "audience": "ANY"
+  },
+  "default_claim": {
+    "comment": [
+      "This is the default claim returned by the handler **if** you specify use_default",
+      "as part of the st.qdl script"
+    ],
+    "eduPersonEntitlement": ["storage.read:/public/guest"]
+  }
+}
diff --git a/opensciencegrid/osdf-chtc-issuer/scitokens-server/web.xml b/opensciencegrid/osdf-chtc-issuer/scitokens-server/web.xml
new file mode 100644
index 00000000..563694ef
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/scitokens-server/web.xml
@@ -0,0 +1,226 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+                  http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+         version="2.5">
+
+    <display-name>The OA4MP Service</display-name>
+    <!--
+         Updated to use OA4MP 5.2.0 or above.
+    -->
+    <servlet>
+        <servlet-name>discovery</servlet-name>
+        <servlet-class>edu.uiuc.ncsa.myproxy.oa4mp.oauth2.servlet.OA2DiscoveryServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>discovery</servlet-name>
+        <url-pattern>/.well-known/*</url-pattern>
+    </servlet-mapping>
+    <servlet-mapping>
+        <servlet-name>discovery</servlet-name>
+        <url-pattern>/certs/*</url-pattern>
+    </servlet-mapping>
+
+    <servlet>
+        <servlet-name>callback</servlet-name>
+        <servlet-class>edu.uiuc.ncsa.oa2.servlet.ProxyCallbackServlet</servlet-class>
+        <load-on-startup>0</load-on-startup>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>callback</servlet-name>
+        <url-pattern>/ready</url-pattern>
+    </servlet-mapping>
+
+
+    <servlet>
+        <servlet-name>accessToken</servlet-name>
+        <servlet-class>edu.uiuc.ncsa.oa2.servlet.OA2ATServlet</servlet-class>
+        <load-on-startup>0</load-on-startup>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>accessToken</servlet-name>
+        <url-pattern>/token</url-pattern>
+    </servlet-mapping>
+
+
+    <servlet>
+        <servlet-name>oidc-cm</servlet-name>
+        <servlet-class>edu.uiuc.ncsa.myproxy.oa4mp.oauth2.cm.oidc_cm.OIDCCMServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>oidc-cm</servlet-name>
+        <url-pattern>/oidc-cm</url-pattern>
+    </servlet-mapping>
+
+
+    <servlet>
+        <servlet-name>getCert</servlet-name>
+        <servlet-class>edu.uiuc.ncsa.myproxy.oa4mp.oauth2.servlet.OA2CertServlet</servlet-class>
+
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>getCert</servlet-name>
+        <url-pattern>/getcert</url-pattern>
+    </servlet-mapping>
+
+    <servlet>
+        <servlet-name>error</servlet-name>
+        <servlet-class>edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.ErrorServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>error</servlet-name>
+        <url-pattern>/error</url-pattern>
+    </servlet-mapping>
+
+    <servlet>
+        <servlet-name>authorize</servlet-name>
+        <servlet-class>edu.uiuc.ncsa.oa2.servlet.OA2AuthorizationServer</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>authorize</servlet-name>
+        <url-pattern>/authorize</url-pattern>
+    </servlet-mapping>
+
+    <servlet>
+        <servlet-name>device_authorization</servlet-name>
+        <servlet-class>edu.uiuc.ncsa.oa2.servlet.RFC8628Servlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>device_authorization</servlet-name>
+        <url-pattern>/device_authorization</url-pattern>
+    </servlet-mapping>
+
+    <servlet>
+        <servlet-name>device</servlet-name>
+        <servlet-class>edu.uiuc.ncsa.oa2.servlet.RFC8628AuthorizationServer</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>device</servlet-name>
+        <url-pattern>/device</url-pattern>
+    </servlet-mapping>
+
+    <servlet>
+        <servlet-name>admin-register</servlet-name>
+        <servlet-class>edu.uiuc.ncsa.myproxy.oa4mp.oauth2.servlet.OA2AdminRegistrationServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>admin-register</servlet-name>
+        <url-pattern>/admin-register</url-pattern>
+    </servlet-mapping>
+
+
+    <servlet>
+        <servlet-name>clientVetting</servlet-name>
+        <servlet-class>edu.uiuc.ncsa.myproxy.oa4mp.oauth2.servlet.OA2AutoRegistrationServlet</servlet-class>
+        <load-on-startup>1</load-on-startup>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>clientVetting</servlet-name>
+        <url-pattern>/register</url-pattern>
+    </servlet-mapping>
+
+    <servlet>
+        <servlet-name>client</servlet-name>
+        <servlet-class>edu.uiuc.ncsa.myproxy.oa4mp.oauth2.servlet.ClientServlet</servlet-class>
+        <load-on-startup>1</load-on-startup>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>client</servlet-name>
+        <url-pattern>/clients</url-pattern>
+    </servlet-mapping>
+
+    <servlet>
+        <servlet-name>userInfo</servlet-name>
+        <servlet-class>edu.uiuc.ncsa.myproxy.oa4mp.oauth2.servlet.UserInfoServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>userInfo</servlet-name>
+        <url-pattern>/userinfo</url-pattern>
+    </servlet-mapping>
+
+    <servlet>
+         <servlet-name>revoke</servlet-name>
+         <servlet-class>edu.uiuc.ncsa.myproxy.oa4mp.oauth2.servlet.RFC7009</servlet-class>
+         <load-on-startup>0</load-on-startup>
+     </servlet>
+     <servlet-mapping>
+         <servlet-name>revoke</servlet-name>
+         <url-pattern>/revoke</url-pattern>
+     </servlet-mapping>
+
+    <servlet>
+         <servlet-name>introspect</servlet-name>
+         <servlet-class>edu.uiuc.ncsa.myproxy.oa4mp.oauth2.servlet.RFC7662</servlet-class>
+         <load-on-startup>0</load-on-startup>
+     </servlet>
+     <servlet-mapping>
+         <servlet-name>introspect</servlet-name>
+         <url-pattern>/introspect</url-pattern>
+     </servlet-mapping>
+
+    <!--
+      The next section should be uncommented if you are running this as a standalone service under Tomcat.
+      This forces all network traffic to run over SSL.  If you are running this under Apache, then you should
+      comment out it.
+      -->
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>portalSecurity</web-resource-name>
+            <url-pattern>/*</url-pattern>
+            <http-method>GET</http-method>
+            <http-method>POST</http-method>
+        </web-resource-collection>
+        <user-data-constraint>
+            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
+    <!--
+       <resource-ref>
+           <description>
+               Resource reference to a factory for javax.mail.Session
+               instances that may be used for sending electronic mail
+               messages, preconfigured to connect to the appropriate
+               SMTP server.
+           </description>
+           <res-ref-name>java:comp/env/mail/Session</res-ref-name>
+           <res-type>javax.mail.Session</res-type>
+           <res-auth>Container</res-auth>
+       </resource-ref>
+       -->
+    <resource-ref>
+        <description>
+            Resource reference to a factory for javax.mail.Session
+            instances that may be used for sending electronic mail
+            messages, preconfigured to connect to the appropriate
+            SMTP server.
+        </description>
+        <res-ref-name>mail/Session</res-ref-name>
+        <res-type>javax.mail.Session</res-type>
+        <res-auth>Container</res-auth>
+    </resource-ref>
+
+    <listener>
+        <listener-class>edu.uiuc.ncsa.myproxy.oa4mp.oauth2.loader.OA2Bootstrapper</listener-class>
+
+    </listener>
+
+    <error-page>
+        <exception-type>edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.TooManyRequestsException</exception-type>
+        <location>/tooManyClientRequests.jsp</location>
+    </error-page>
+
+    <context-param>
+        <param-name>oa4mp:oauth2.server.config.file</param-name>
+        <param-value>/opt/scitokens-server/etc/server-config.xml</param-value>
+    </context-param>
+
+
+    <context-param>
+        <param-name>oa4mp:oauth2.server.config.name</param-name>
+        <param-value>scitokens-server</param-value>
+    </context-param>
+
+</web-app>
diff --git a/opensciencegrid/osdf-chtc-issuer/server.xml b/opensciencegrid/osdf-chtc-issuer/server.xml
new file mode 100644
index 00000000..538d5502
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/server.xml
@@ -0,0 +1,175 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<!-- Note:  A "Server" is not itself a "Container", so you may not
+     define subcomponents such as "Valves" at this level.
+     Documentation at /docs/config/server.html
+ -->
+<Server port="8005" shutdown="SHUTDOWN">
+  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
+  <!-- Security listener. Documentation at /docs/config/listeners.html
+  <Listener className="org.apache.catalina.security.SecurityListener" />
+  -->
+  <!--APR library loader. Documentation at /docs/apr.html -->
+  <!--
+     Jeff: 2021-08-26 comment out APR stuff so it doesn't look for it
+     and give us an error
+  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+  -->
+  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
+
+  <!-- Global JNDI resources
+       Documentation at /docs/jndi-resources-howto.html
+  -->
+  <GlobalNamingResources>
+    <!-- Editable user database that can also be used by
+         UserDatabaseRealm to authenticate users
+    -->
+    <Resource name="UserDatabase" auth="Container"
+              type="org.apache.catalina.UserDatabase"
+              description="User database that can be updated and saved"
+              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+              pathname="conf/tomcat-users.xml" />
+  </GlobalNamingResources>
+
+  <!-- A "Service" is a collection of one or more "Connectors" that share
+       a single "Container" Note:  A "Service" is not itself a "Container",
+       so you may not define subcomponents such as "Valves" at this level.
+       Documentation at /docs/config/service.html
+   -->
+  <Service name="Catalina">
+
+    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+    <!--
+    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+        maxThreads="150" minSpareThreads="4"/>
+    -->
+
+
+    <!-- A "Connector" represents an endpoint by which requests are received
+         and responses are returned. Documentation at :
+         Java HTTP Connector: /docs/config/http.html
+         Java AJP  Connector: /docs/config/ajp.html
+         APR (HTTP/AJP) Connector: /docs/apr.html
+         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
+    -->
+    
+    <Connector port="8080" protocol="HTTP/1.1"
+               connectionTimeout="20000" />
+               <!--
+               redirectPort="8443" />
+               -->
+   
+    <!-- A "Connector" using the shared thread pool-->
+    <!--
+    <Connector executor="tomcatThreadPool"
+               port="8080" protocol="HTTP/1.1"
+               connectionTimeout="20000"
+               redirectPort="8443" />
+    -->
+    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
+         This connector uses the NIO implementation. The default
+         SSLImplementation will depend on the presence of the APR/native
+         library and the useOpenSSL attribute of the
+         AprLifecycleListener.
+         Either JSSE or OpenSSL style configuration may be used regardless of
+         the SSLImplementation selected. JSSE style configuration is used below.
+    -->
+    <!--
+    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+               maxThreads="150" SSLEnabled="true">
+        <SSLHostConfig>
+            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
+                         type="RSA" />
+        </SSLHostConfig>
+    </Connector>
+    -->
+    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
+         This connector uses the APR/native implementation which always uses
+         OpenSSL for TLS.
+         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
+         configuration is used below.
+    -->
+    <Connector port="8443" protocol="HTTP/1.1"
+	    maxThreads="150" SSLEnabled="true"
+	    scheme="https" secure="true" URIEncoding="UTF-8">
+        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
+        <SSLHostConfig>
+            <Certificate certificateKeyFile="conf/hostkey.pem"
+                         certificateFile="conf/hostcert.pem"
+                         type="RSA" />
+        </SSLHostConfig>
+    </Connector>
+
+    <!-- Define an AJP 1.3 Connector on port 8009 -->
+    <!--
+    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
+    -->
+
+
+    <!-- An Engine represents the entry point (within Catalina) that processes
+         every request.  The Engine implementation for Tomcat stand alone
+         analyzes the HTTP headers included with the request, and passes them
+         on to the appropriate Host (virtual host).
+         Documentation at /docs/config/engine.html -->
+
+    <!-- You should set jvmRoute to support load-balancing via AJP ie :
+    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+    -->
+    <Engine name="Catalina" defaultHost="localhost">
+
+      <!--For clustering, please take a look at documentation at:
+          /docs/cluster-howto.html  (simple how to)
+          /docs/config/cluster.html (reference documentation) -->
+      <!--
+      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+      -->
+
+      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
+           via a brute-force attack -->
+      <Realm className="org.apache.catalina.realm.LockOutRealm">
+        <!-- This Realm uses the UserDatabase configured in the global JNDI
+             resources under the key "UserDatabase".  Any edits
+             that are performed against this UserDatabase are immediately
+             available for use by the Realm.  -->
+        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+               resourceName="UserDatabase"/>
+      </Realm>
+
+      <Host name="localhost"  appBase="webapps"
+            unpackWARs="true" autoDeploy="true">
+
+        <!-- SingleSignOn valve, share authentication between web applications
+             Documentation at: /docs/config/valve.html -->
+        <!--
+        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+        -->
+
+        <!-- Access log processes all example.
+             Documentation at: /docs/config/valve.html
+             Note: The pattern used is equivalent to using pattern="common" -->
+        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+               prefix="localhost_access_log" suffix=".txt"
+               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
+
+      </Host>
+    </Engine>
+  </Service>
+</Server>
diff --git a/opensciencegrid/osdf-chtc-issuer/start.sh b/opensciencegrid/osdf-chtc-issuer/start.sh
new file mode 100755
index 00000000..7a95a5d8
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/start.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Set the hostname
+sed s+\{HOSTNAME\}+$HOSTNAME+g /opt/scitokens-server/etc/server-config.xml.tmpl > /opt/scitokens-server/etc/server-config.xml
+sed s+\{HOSTNAME\}+$HOSTNAME+g /opt/scitokens-server/etc/proxy-config.xml.tmpl | \
+sed s+\{CLIENT_ID\}+$CLIENT_ID+g | \
+sed s+\{CLIENT_SECRET\}+$CLIENT_SECRET+g > /opt/scitokens-server/etc/proxy-config.xml
+chgrp tomcat /opt/scitokens-server/etc/server-config.xml
+chgrp tomcat /opt/scitokens-server/etc/proxy-config.xml
+
+# As of OA4MP 5.2.9.0, QDL cannot process an ini file with a '\' -- but it can do so for QDL files.
+export LDAP_PASSWORD=$(cat /opt/secrets/cilogon_ldap_password.ini | grep password | awk '{print $NF}')
+sed s+@LDAP_PASSWORD@+"$(echo "$LDAP_PASSWORD" | sed 's|\\|\\\\\\|')"+ /opt/scitokens-server/var/qdl/scitokens/comanage.qdl.tmpl > /opt/scitokens-server/var/qdl/scitokens/comanage.qdl
+chgrp tomcat /opt/scitokens-server/var/qdl/scitokens/comanage.qdl
+
+# Run the boot to inject the template
+${QDL_HOME}/var/scripts/boot.qdl
+
+# Start tomcat
+exec /opt/tomcat/bin/catalina.sh run
+
diff --git a/opensciencegrid/osdf-chtc-issuer/tiger-ca.pem b/opensciencegrid/osdf-chtc-issuer/tiger-ca.pem
new file mode 100644
index 00000000..ad54f0f0
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/tiger-ca.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDIjCCAgqgAwIBAgIQA/0dKICdYCUtKfaEdwep1DANBgkqhkiG9w0BAQsFADAr
+MQ0wCwYDVQQKEwRjaHRjMRowGAYDVQQDExFUaWdlciBJbnRlcm5hbCBDQTAeFw0y
+MjEyMzEwMDQ5MzZaFw0zMjEyMjgwMDQ5MzZaMCsxDTALBgNVBAoTBGNodGMxGjAY
+BgNVBAMTEVRpZ2VyIEludGVybmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAp89PG8qlaxUosqo77D27SqSofop8nHb3ed1/Vrvuwqgw4b3k2jON
+tCWcWrgixDdx8IJVSnbFkCRMgfuTecLiZ0iePQngXrFpwyKhIkgFfs3/YlVRUpbL
+UUjeiXJRuoBAJpLh2eo5RLHvDe8qNclwQ4JDSxFmljcBKaIZHOerbpvWUin2x1bu
+YX41mNnJ8tWchabOm6L5BcD0d//zW+bQx+s/PK/ohq7GNsmsNgMFWzr6ipD4Osjl
+1uIi62QjdnX0NyplYpFs+2rvXBQcvAwvYb+Wm39yq15rzYi9rN/8+Bbv4DtnF+is
+YZDgsX4dvnoUDJ9/yBTJaorvqUAbED29VwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMC
+AqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU5reL6iLsrH/cL54j+QlFRbM0
+FA0wDQYJKoZIhvcNAQELBQADggEBAIKEbJYmjU9FuWTvqX73Sb2K4Axpl/11s4vY
+bnRAj+zmGZavYkYbB/xKPb42BqCjrUCTGVwsn71cUtKzbrFtqnz1lo3WDFkF9gbL
+V+9WebikYlhITrRaEl7sONk7sBe0EG6eOS6dggPzWldzBZ8/z2QwxfKaRwTOdgAK
+9mSJEGJi/VlbExpGn9UyYfD4bMYtpEG+nu4CbnA5dfIjuFjjqCA7HkPd8pxmk/Ir
+IZET7BBwdrOkl+77FiLBBuh7q+UOU1YVZKIvgTE3N4HInFMz4TbIgBLgGsnjg0F8
+Pq52rqAf/WqYAsoaUl5NmNTL2hED4oTkj5STSF8miwvCPcWj/FY=
+-----END CERTIFICATE-----
diff --git a/opensciencegrid/osdf-chtc-issuer/tomcat-users.xml.tmpl b/opensciencegrid/osdf-chtc-issuer/tomcat-users.xml.tmpl
new file mode 100644
index 00000000..aff130f8
--- /dev/null
+++ b/opensciencegrid/osdf-chtc-issuer/tomcat-users.xml.tmpl
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<tomcat-users xmlns="http://tomcat.apache.org/xml"
+              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
+              version="1.0">
+<!--
+  NOTE:  By default, no user is included in the "manager-gui" role required
+  to operate the "/manager/html" web application.  If you wish to use this app,
+  you must define such a user - the username and password are arbitrary. It is
+  strongly recommended that you do NOT use one of the users in the commented out
+  section below since they are intended for use with the examples web
+  application.
+-->
+<!--
+  NOTE:  The sample user and role entries below are intended for use with the
+  examples web application. They are wrapped in a comment and thus are ignored
+  when reading this file. If you wish to configure these users for use with the
+  examples web application, do not forget to remove the <!.. ..> that surrounds
+  them. You will also need to set the passwords to something appropriate.
+-->
+<!--
+  <role rolename="tomcat"/>
+  <role rolename="role1"/>
+  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
+  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
+  <user username="role1" password="<must-be-changed>" roles="role1"/>
+-->
+  <role rolename="manager-script"/>
+  <role rolename="manager-gui"/>
+  <role rolename="manager-jmx"/>
+  <role rolename="manager-status"/>
+  <role rolename="oa4mp-user"/>
+  <user username="TOMCAT_ADMIN_USERNAME" password="TOMCAT_ADMIN_PASSWORD" roles="manager-script,manager-gui,manager-jmx,manager-status,oa4mp-user"/>
+</tomcat-users>