<feed xmlns='http://www.w3.org/2005/Atom'>
<title>pki.git/base/ca/shared, branch branch-10.2.7-dev1</title>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/'/>
<entry>
<title>Ticket #1593 auto-shutdown - for HSM failover support</title>
<updated>2015-10-01T20:22:38+00:00</updated>
<author>
<name>Christina Fu</name>
<email>cfu@redhat.com</email>
</author>
<published>2015-09-30T11:55:05+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=ed98129b58b5b13031331fb88eb14d7c33474a59'/>
<id>ed98129b58b5b13031331fb88eb14d7c33474a59</id>
<content type='text'>
This is an interim solution for supporting HSM failover by automatically
shutting down the server when signing key becomes inaccessible.
At auto-shutdown, a crumb file will be left in the instance directory
for an external daemon to detect and restart, if necessary.
Due to limitation of the watch dog (nuxwdog) at present time,
the restart option currently only works if started with watch dog (nuxwdog),
and it will prompt for passwords on the terminals.
The restart counter is to prevent the server from going into an infinite restart
loop. Administrator will have to reset autoShutdown.restart.count to 0 when max
is reached.

(cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is an interim solution for supporting HSM failover by automatically
shutting down the server when signing key becomes inaccessible.
At auto-shutdown, a crumb file will be left in the instance directory
for an external daemon to detect and restart, if necessary.
Due to limitation of the watch dog (nuxwdog) at present time,
the restart option currently only works if started with watch dog (nuxwdog),
and it will prompt for passwords on the terminals.
The restart counter is to prevent the server from going into an infinite restart
loop. Administrator will have to reset autoShutdown.restart.count to 0 when max
is reached.

(cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
</pre>
</div>
</content>
</entry>
<entry>
<title>Internet Explorer 11 not working browser warning.</title>
<updated>2015-08-21T03:17:09+00:00</updated>
<author>
<name>Jack Magne</name>
<email>jmagne@localhost.localdomain</email>
</author>
<published>2015-08-20T19:06:32+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=f44e1a7a987bfe024fbd18cf4ca0e867112edcfd'/>
<id>f44e1a7a987bfe024fbd18cf4ca0e867112edcfd</id>
<content type='text'>
Related to ticket #1575 Internet Explorer 11: caUserCert request submission fails using the EE page.

This patch will only do the following:

Detect IE when IE11 is being used. Before this IE11 was mistaken for Firefox.
Detect IE11 specifically and warn the user that there is no support.

This ticket will live so we can fix this properly by porting the current
VBS script to Javascript to support cert enrollment on IE 11.

(cherry picked from commit 0baf14ad496d18991a83f211b4b60d1811e21fb3)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Related to ticket #1575 Internet Explorer 11: caUserCert request submission fails using the EE page.

This patch will only do the following:

Detect IE when IE11 is being used. Before this IE11 was mistaken for Firefox.
Detect IE11 specifically and warn the user that there is no support.

This ticket will live so we can fix this properly by porting the current
VBS script to Javascript to support cert enrollment on IE 11.

(cherry picked from commit 0baf14ad496d18991a83f211b4b60d1811e21fb3)
</pre>
</div>
</content>
</entry>
<entry>
<title>Ticket 1543 portalEnroll authentication does not load during creation from Console</title>
<updated>2015-08-14T18:00:20+00:00</updated>
<author>
<name>Christina Fu</name>
<email>cfu@redhat.com</email>
</author>
<published>2015-08-12T16:56:49+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=fdd6b6e967febffa9ec7b78f752047d46a4f05d4'/>
<id>fdd6b6e967febffa9ec7b78f752047d46a4f05d4</id>
<content type='text'>
It appears that the PortalEnroll plugin was never converted to work in the
Profile Framework.
This patch takes out the following line from CS.cfg:
auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll

so that it cannot be instantiated from the console, nor manually in CS.cfg,
unless explicitly put back in.
While in CS.cfg.in, I found the NSSAuth auths.impl line having no real
implementation, so I remove that too.

(cherry picked from commit a62ab357eb759ea59ea5204a046d0cab99126000)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
It appears that the PortalEnroll plugin was never converted to work in the
Profile Framework.
This patch takes out the following line from CS.cfg:
auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll

so that it cannot be instantiated from the console, nor manually in CS.cfg,
unless explicitly put back in.
While in CS.cfg.in, I found the NSSAuth auths.impl line having no real
implementation, so I remove that too.

(cherry picked from commit a62ab357eb759ea59ea5204a046d0cab99126000)
</pre>
</div>
</content>
</entry>
<entry>
<title>Fixed missing query parameters in ListCerts page.</title>
<updated>2015-08-14T17:58:59+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-08-12T16:59:57+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=2f4d04be6d6191d57082e3c8a17d73c74c6c427c'/>
<id>2f4d04be6d6191d57082e3c8a17d73c74c6c427c</id>
<content type='text'>
The ListCerts servlet and the templates have been fixed to pass
the skipRevoked and skipNonValid parameters to the subsequent page.

Some debugging messages have been cleaned up as well.

https://fedorahosted.org/pki/ticket/1538
(cherry picked from commit 24d7d88bd0d8b79fe5b8b6dfd84238399bc1433c)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The ListCerts servlet and the templates have been fixed to pass
the skipRevoked and skipNonValid parameters to the subsequent page.

Some debugging messages have been cleaned up as well.

https://fedorahosted.org/pki/ticket/1538
(cherry picked from commit 24d7d88bd0d8b79fe5b8b6dfd84238399bc1433c)
</pre>
</div>
</content>
</entry>
<entry>
<title>Ticket 1539 Unable to create ECC KRA Instance when kra admin key type is ECC</title>
<updated>2015-08-14T17:58:31+00:00</updated>
<author>
<name>Christina Fu</name>
<email>cfu@redhat.com</email>
</author>
<published>2015-08-10T22:38:06+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=799590e6cc15f279a0ae5c700787d9c4d9b8d861'/>
<id>799590e6cc15f279a0ae5c700787d9c4d9b8d861</id>
<content type='text'>
This patch changes the relevant CA enrollment admin profiles so that they accept
requests for EC certs. The issue actually affected not just KRA; it also affected
other non-CA subsystems.

(cherry picked from commit 017f4f9d4b3c6051f082b8c2b49d5143fd8450e9)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch changes the relevant CA enrollment admin profiles so that they accept
requests for EC certs. The issue actually affected not just KRA; it also affected
other non-CA subsystems.

(cherry picked from commit 017f4f9d4b3c6051f082b8c2b49d5143fd8450e9)
</pre>
</div>
</content>
</entry>
<entry>
<title>remove extra space from Base 64 encoded cert displays</title>
<updated>2015-08-01T00:21:55+00:00</updated>
<author>
<name>Matthew Harmsen</name>
<email>mharmsen@redhat.com</email>
</author>
<published>2015-07-31T23:28:57+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=6999197b067af920b53c75e17dc20181ba49e997'/>
<id>6999197b067af920b53c75e17dc20181ba49e997</id>
<content type='text'>
- PKI TRAC Ticket #1522 - CA UI adds extra space in Base 64 encoded
  certificate display
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
- PKI TRAC Ticket #1522 - CA UI adds extra space in Base 64 encoded
  certificate display
</pre>
</div>
</content>
</entry>
<entry>
<title>Add code to reindex data during cloning without replication</title>
<updated>2015-07-31T22:35:30+00:00</updated>
<author>
<name>Ade Lee</name>
<email>alee@redhat.com</email>
</author>
<published>2015-07-29T18:23:35+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=7c4bc2480c0cb0b4bb816ec090e9673bdddce047'/>
<id>7c4bc2480c0cb0b4bb816ec090e9673bdddce047</id>
<content type='text'>
When setting up a clone, indexes are added before the
replication agreements are set up and the consumer is initialized.
Thus, as data is replicated and added to the clone db, the
data is indexed.

When cloning is done with the replication agreements already set
up and the data replicated, the existing data is not indexed and
cannot be accessed in searches.  The data needs to be reindexed.

Related to ticket 1414
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When setting up a clone, indexes are added before the
replication agreements are set up and the consumer is initialized.
Thus, as data is replicated and added to the clone db, the
data is indexed.

When cloning is done with the replication agreements already set
up and the data replicated, the existing data is not indexed and
cannot be accessed in searches.  The data needs to be reindexed.

Related to ticket 1414
</pre>
</div>
</content>
</entry>
<entry>
<title>Firefox warning</title>
<updated>2015-07-31T22:28:47+00:00</updated>
<author>
<name>Jack Magne</name>
<email>jmagne@localhost.localdomain</email>
</author>
<published>2015-07-31T20:55:07+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=e1eb261b467f6e19c7e6604fc7ecb03e8b1f8166'/>
<id>e1eb261b467f6e19c7e6604fc7ecb03e8b1f8166</id>
<content type='text'>
Ticket #1523

Move the dire warning about the crypto object to sections where it applies.

Also slightly changed the message due to context.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Ticket #1523

Move the dire warning about the crypto object to sections where it applies.

Also slightly changed the message due to context.
</pre>
</div>
</content>
</entry>
<entry>
<title>TPS add phone home URLs to pkidaemon status message.</title>
<updated>2015-07-17T02:11:12+00:00</updated>
<author>
<name>Jack Magne</name>
<email>jmagne@localhost.localdomain</email>
</author>
<published>2015-07-14T17:07:10+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=5952c616ad8dd271af7ceaa19f84dd81ca3be34d'/>
<id>5952c616ad8dd271af7ceaa19f84dd81ca3be34d</id>
<content type='text'>
Ticket #1466.

Also remove some needless copies of server.xml from the code.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Ticket #1466.

Also remove some needless copies of server.xml from the code.
</pre>
</div>
</content>
</entry>
<entry>
<title>Unable to select ECC Curves from EE fix.</title>
<updated>2015-07-02T17:53:42+00:00</updated>
<author>
<name>Jack Magne</name>
<email>jmagne@localhost.localdomain</email>
</author>
<published>2015-07-01T00:22:23+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=bbd2feaa1f0ca4c338ca490f191184f2bd5c1a41'/>
<id>bbd2feaa1f0ca4c338ca490f191184f2bd5c1a41</id>
<content type='text'>
Ticket #1446:

Without the crypto object, the user is now presented with a very bare-bones
keygen tag powered UI. One can only select a key strength and only use RSA.

This fix adds simple UI to make better use of the keygen tag:

1. Allows the use of ECC.
2. Gives simple info on how the key strengths map to RSA key size and
ECC curves.

When the user selects High, they get RSA 2043, and ECC nistp384.
When the user selects Medium, they get RSA 1024, and ECC nistp256.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Ticket #1446:

Without the crypto object, the user is now presented with a very bare-bones
keygen tag powered UI. One can only select a key strength and only use RSA.

This fix adds simple UI to make better use of the keygen tag:

1. Allows the use of ECC.
2. Gives simple info on how the key strengths map to RSA key size and
ECC curves.

When the user selects High, they get RSA 2043, and ECC nistp384.
When the user selects Medium, they get RSA 1024, and ECC nistp256.
</pre>
</div>
</content>
</entry>
</feed>
