<feed xmlns='http://www.w3.org/2005/Atom'>
<title>pki.git/base/ca/src, branch branch-10.2.7-dev1</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/'/>
<entry>
<title>Avoid profile race conditions by tracking entryUSN</title>
<updated>2016-01-21T01:48:56+00:00</updated>
<author>
<name>Fraser Tweedale</name>
<email>ftweedal@redhat.com</email>
</author>
<published>2015-11-30T03:04:08+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=2cb2e9c8df06a7fdb2fed11e2973c03483024bc0'/>
<id>2cb2e9c8df06a7fdb2fed11e2973c03483024bc0</id>
<content type='text'>
Avoid race conditions in the LDAPProfileSubsystem by tracking the
most recently known entryUSN of profiles' LDAP entries.

As part of this change, add the commitProfile method to the
IProfileSubsystem interface, remove commit behaviour from the
enableProfile and disableProfile methods and update ProfileService
and ProfileApproveServlet to commit the profile (using the
commitProfile method) where needed.

Part of: https://fedorahosted.org/pki/ticket/1700
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Avoid race conditions in the LDAPProfileSubsystem by tracking the
most recently known entryUSN of profiles' LDAP entries.

As part of this change, add the commitProfile method to the
IProfileSubsystem interface, remove commit behaviour from the
enableProfile and disableProfile methods and update ProfileService
and ProfileApproveServlet to commit the profile (using the
commitProfile method) where needed.

Part of: https://fedorahosted.org/pki/ticket/1700
</pre>
</div>
</content>
</entry>
<entry>
<title>Ticket #1593 auto-shutdown - for HSM failover support</title>
<updated>2015-10-01T20:22:38+00:00</updated>
<author>
<name>Christina Fu</name>
<email>cfu@redhat.com</email>
</author>
<published>2015-09-30T11:55:05+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=ed98129b58b5b13031331fb88eb14d7c33474a59'/>
<id>ed98129b58b5b13031331fb88eb14d7c33474a59</id>
<content type='text'>
This is an interim solution for supporting HSM failover by automatically
shutting down the server when the signing key becomes inaccessible.
At auto-shutdown, a crumb file will be left in the instance directory
for an external daemon to detect and restart, if necessary.
Due to a limitation of the watchdog (nuxwdog) at the present time,
the restart option currently only works if started with the watchdog (nuxwdog),
and it will prompt for passwords on the terminals.
The restart counter is to prevent the server from going into an infinite restart
loop. The administrator will have to reset autoShutdown.restart.count to 0 when the max
is reached.

(cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is an interim solution for supporting HSM failover by automatically
shutting down the server when the signing key becomes inaccessible.
At auto-shutdown, a crumb file will be left in the instance directory
for an external daemon to detect and restart, if necessary.
Due to a limitation of the watchdog (nuxwdog) at the present time,
the restart option currently only works if started with the watchdog (nuxwdog),
and it will prompt for passwords on the terminals.
The restart counter is to prevent the server from going into an infinite restart
loop. The administrator will have to reset autoShutdown.restart.count to 0 when the max
is reached.

(cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
</pre>
</div>
</content>
</entry>
<entry>
<title>Refactored certificate processors.</title>
<updated>2015-09-30T17:54:04+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-09-28T20:37:02+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=8a7fbb03f8317a881032e098b6360018878ac280'/>
<id>8a7fbb03f8317a881032e098b6360018878ac280</id>
<content type='text'>
The CertProcessor.setCredentialsIntoContext() and
CAProcessor.authenticate() methods have been modified such that they can
accept credentials provided via the AuthCredentials (for REST
services) or via the HttpServletRequest (for legacy servlets).

The CertEnrollmentRequest has been modified to inherit from
ResourceMessage such that REST clients can provide the credentials
via request attributes.

https://fedorahosted.org/pki/ticket/1463
(cherry picked from commit 6c5fc90ffedcd7be17a2d014915f8e908e2488d5)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The CertProcessor.setCredentialsIntoContext() and
CAProcessor.authenticate() methods have been modified such that they can
accept credentials provided via the AuthCredentials (for REST
services) or via the HttpServletRequest (for legacy servlets).

The CertEnrollmentRequest has been modified to inherit from
ResourceMessage such that REST clients can provide the credentials
via request attributes.

https://fedorahosted.org/pki/ticket/1463
(cherry picked from commit 6c5fc90ffedcd7be17a2d014915f8e908e2488d5)
</pre>
</div>
</content>
</entry>
<entry>
<title>Separate range and cert status threads</title>
<updated>2015-08-14T17:57:06+00:00</updated>
<author>
<name>Ade Lee</name>
<email>alee@redhat.com</email>
</author>
<published>2015-08-12T04:57:46+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=29d35d80bb8aba820d4fbfd2738ce6ad4bb54ade'/>
<id>29d35d80bb8aba820d4fbfd2738ce6ad4bb54ade</id>
<content type='text'>
We currently disable the cert status maintenance thread on
clone CAs because CRL processing should only be done on the
master CA.  Currently, the maintenance thread also performs
other checks on serial number ranges and settings.  By disabling
the maintenance thread, we disable these checks too.

To fix this, we have separated the serial number checks into a
different maintenance thread, so that these tasks will occur
even if the cert status thread is disabled.

Bugzilla # 1251606

(cherry picked from commit d3d80046fd6985b809900005a685695d3181d9d3)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We currently disable the cert status maintenance thread on
clone CAs because CRL processing should only be done on the
master CA.  Currently, the maintenance thread also performs
other checks on serial number ranges and settings.  By disabling
the maintenance thread, we disable these checks too.

To fix this, we have separated the serial number checks into a
different maintenance thread, so that these tasks will occur
even if the cert status thread is disabled.

Bugzilla # 1251606

(cherry picked from commit d3d80046fd6985b809900005a685695d3181d9d3)
</pre>
</div>
</content>
</entry>
<entry>
<title>Fixed missing cert request hostname and address.</title>
<updated>2015-08-05T19:14:24+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-08-05T17:10:19+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=fec55e3cfa8c0917ef63f3d6289fe3788f80bf33'/>
<id>fec55e3cfa8c0917ef63f3d6289fe3788f80bf33</id>
<content type='text'>
The CA services have been modified to inject request hostname and
address into the certificate request object such that they will be
stored in the database. This fixes the problem with requests
submitted either via the UI or the CLI.

An unused method in CertRequestResource has been removed. Some
debug messages have been cleaned as well.

https://fedorahosted.org/pki/ticket/1535
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The CA services have been modified to inject request hostname and
address into the certificate request object such that they will be
stored in the database. This fixes the problem with requests
submitted either via the UI or the CLI.

An unused method in CertRequestResource has been removed. Some
debug messages have been cleaned as well.

https://fedorahosted.org/pki/ticket/1535
</pre>
</div>
</content>
</entry>
<entry>
<title>Removed audit CLI from non-TPS subsystems.</title>
<updated>2015-07-18T01:47:28+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-07-17T22:18:28+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=ed5b182d0d409665fc3cab3cac349f54da623181'/>
<id>ed5b182d0d409665fc3cab3cac349f54da623181</id>
<content type='text'>
Due to a database upgrade issue, the pki &lt;subsystem&gt;-audit CLI has
been removed from all subsystems except TPS.

The AuditModifyCLI has been modified to clarify that the --action
and the --input parameters are mutually exclusive.

https://fedorahosted.org/pki/ticket/1437
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Due to a database upgrade issue, the pki &lt;subsystem&gt;-audit CLI has
been removed from all subsystems except TPS.

The AuditModifyCLI has been modified to clarify that the --action
and the --input parameters are mutually exclusive.

https://fedorahosted.org/pki/ticket/1437
</pre>
</div>
</content>
</entry>
<entry>
<title>Fixed cert-find performance.</title>
<updated>2015-07-15T14:17:13+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-07-14T23:47:15+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=fca8dcbaa6a779a7685b935d1e216dbc775093f2'/>
<id>fca8dcbaa6a779a7685b935d1e216dbc775093f2</id>
<content type='text'>
The CertService.searchCerts() has been modified to use the VLV
properly to retrieve just the entries in the requested page, thus
reducing the response time and memory requirement.

Some classes have been modified to clean up the debugging logs.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The CertService.searchCerts() has been modified to use the VLV
properly to retrieve just the entries in the requested page, thus
reducing the response time and memory requirement.

Some classes have been modified to clean up the debugging logs.
</pre>
</div>
</content>
</entry>
<entry>
<title>Fixed default cert-find filter.</title>
<updated>2015-07-06T23:42:11+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-07-06T17:31:22+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=ac5447a8e0bac5112882be700a17a9274e322adc'/>
<id>ac5447a8e0bac5112882be700a17a9274e322adc</id>
<content type='text'>
To improve performance, the default LDAP filter generated by
cert-find has been changed to (certStatus=*) to match an existing
VLV index.

https://fedorahosted.org/pki/ticket/1449
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
To improve performance, the default LDAP filter generated by
cert-find has been changed to (certStatus=*) to match an existing
VLV index.

https://fedorahosted.org/pki/ticket/1449
</pre>
</div>
</content>
</entry>
<entry>
<title>Verify raw profile config before accepting it</title>
<updated>2015-07-06T22:46:38+00:00</updated>
<author>
<name>Fraser Tweedale</name>
<email>ftweedal@redhat.com</email>
</author>
<published>2015-07-04T15:00:29+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=c48c52703c374c8e7e65c11fdeee9eeda464290f'/>
<id>c48c52703c374c8e7e65c11fdeee9eeda464290f</id>
<content type='text'>
Creating or modifying a profile with bad profile data in the "raw"
format succeeds and saves the bad data.  After restart, the profile
cannot be loaded, and attempting to use, modify, delete or recreate
the profile will fail.

Verify raw profile data by instantiating a temporary profile and
attempting to initialise it with the received configuration.

Fixes: https://fedorahosted.org/pki/ticket/1462
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Creating or modifying a profile with bad profile data in the "raw"
format succeeds and saves the bad data.  After restart, the profile
cannot be loaded, and attempting to use, modify, delete or recreate
the profile will fail.

Verify raw profile data by instantiating a temporary profile and
attempting to initialise it with the received configuration.

Fixes: https://fedorahosted.org/pki/ticket/1462
</pre>
</div>
</content>
</entry>
<entry>
<title>Fixed fail-over in HttpConnection.</title>
<updated>2015-07-02T23:21:12+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-07-01T18:41:51+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=cc8f6468bb9f509d16ed526e42d546aaa2ae9ed3'/>
<id>cc8f6468bb9f509d16ed526e42d546aaa2ae9ed3</id>
<content type='text'>
The HttpConnection class has been modified to support fail-over
and timeout more consistently. The targets are parsed into a list
during initialization. All direct calls to HttpClient.connect()
are replaced with a method that will connect to the first available
target. All connections are now created with a timeout (which by
default is 0).

https://fedorahosted.org/pki/ticket/891
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The HttpConnection class has been modified to support fail-over
and timeout more consistently. The targets are parsed into a list
during initialization. All direct calls to HttpClient.connect()
are replaced with a method that will connect to the first available
target. All connections are now created with a timeout (which by
default is 0).

https://fedorahosted.org/pki/ticket/891
</pre>
</div>
</content>
</entry>
</feed>
