<feed xmlns='http://www.w3.org/2005/Atom'>
<title>pki.git/base/ca, branch branch-10.2.7-dev1</title>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/'/>
<entry>
<title>Avoid profile race conditions by tracking entryUSN</title>
<updated>2016-01-21T01:48:56+00:00</updated>
<author>
<name>Fraser Tweedale</name>
<email>ftweedal@redhat.com</email>
</author>
<published>2015-11-30T03:04:08+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=2cb2e9c8df06a7fdb2fed11e2973c03483024bc0'/>
<id>2cb2e9c8df06a7fdb2fed11e2973c03483024bc0</id>
<content type='text'>
Avoid race conditions in the LDAPProfileSubsystem by tracking the
most recently known entryUSN of profiles' LDAP entries.

As part of this change, add the commitProfile method to the
IProfileSubsystem interface, remove commit behaviour from the
enableProfile and disableProfile methods and update ProfileService
and ProfileApproveServlet to commit the profile (using the
commitProfile method) where needed.

Part of: https://fedorahosted.org/pki/ticket/1700
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Avoid race conditions in the LDAPProfileSubsystem by tracking the
most recently known entryUSN of profiles' LDAP entries.

As part of this change, add the commitProfile method to the
IProfileSubsystem interface, remove commit behaviour from the
enableProfile and disableProfile methods and update ProfileService
and ProfileApproveServlet to commit the profile (using the
commitProfile method) where needed.

Part of: https://fedorahosted.org/pki/ticket/1700
</pre>
</div>
</content>
</entry>
<entry>
<title>Ticket #1593 auto-shutdown - for HSM failover support</title>
<updated>2015-10-01T20:22:38+00:00</updated>
<author>
<name>Christina Fu</name>
<email>cfu@redhat.com</email>
</author>
<published>2015-09-30T11:55:05+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=ed98129b58b5b13031331fb88eb14d7c33474a59'/>
<id>ed98129b58b5b13031331fb88eb14d7c33474a59</id>
<content type='text'>
This is an interim solution for supporting HSM failover by automatically
shutting down the server when signing key becomes inaccessible.
At auto-shutdown, a crumb file will be left in the instance directory
for an external daemon to detect and restart, if necessary.
Due to limitation of the watch dog (nuxwdog) at present time,
the restart option currently only works if started with watch dog (nuxwdog),
and it will prompt for passwords on the terminals.
The restart counter is to prevent the server from going into an infinite restart
loop. Administrator will have to reset autoShutdown.restart.count to 0 when max
is reached.

(cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is an interim solution for supporting HSM failover by automatically
shutting down the server when signing key becomes inaccessible.
At auto-shutdown, a crumb file will be left in the instance directory
for an external daemon to detect and restart, if necessary.
Due to limitation of the watch dog (nuxwdog) at present time,
the restart option currently only works if started with watch dog (nuxwdog),
and it will prompt for passwords on the terminals.
The restart counter is to prevent the server from going into an infinite restart
loop. Administrator will have to reset autoShutdown.restart.count to 0 when max
is reached.

(cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
</pre>
</div>
</content>
</entry>
<entry>
<title>Refactored certificate processors.</title>
<updated>2015-09-30T17:54:04+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-09-28T20:37:02+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=8a7fbb03f8317a881032e098b6360018878ac280'/>
<id>8a7fbb03f8317a881032e098b6360018878ac280</id>
<content type='text'>
The CertProcessor.setCredentialsIntoContext() and CAProcessor.
authenticate() methods have been modified such that they can
accept credentials provided via the AuthCredentials (for REST
services) or via the HttpServletRequest (for legacy servlets).

The CertEnrollmentRequest has been modified to inherit from
ResourceMessage such that REST clients can provide the credentials
via request attributes.

https://fedorahosted.org/pki/ticket/1463
(cherry picked from commit 6c5fc90ffedcd7be17a2d014915f8e908e2488d5)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The CertProcessor.setCredentialsIntoContext() and CAProcessor.
authenticate() methods have been modified such that they can
accept credentials provided via the AuthCredentials (for REST
services) or via the HttpServletRequest (for legacy servlets).

The CertEnrollmentRequest has been modified to inherit from
ResourceMessage such that REST clients can provide the credentials
via request attributes.

https://fedorahosted.org/pki/ticket/1463
(cherry picked from commit 6c5fc90ffedcd7be17a2d014915f8e908e2488d5)
</pre>
</div>
</content>
</entry>
<entry>
<title>Internet Explorer 11 not working browser warning.</title>
<updated>2015-08-21T03:17:09+00:00</updated>
<author>
<name>Jack Magne</name>
<email>jmagne@localhost.localdomain</email>
</author>
<published>2015-08-20T19:06:32+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=f44e1a7a987bfe024fbd18cf4ca0e867112edcfd'/>
<id>f44e1a7a987bfe024fbd18cf4ca0e867112edcfd</id>
<content type='text'>
Related to ticket #1575 Internet Explorer 11: caUserCert request submission fails using the EE page.

This patch will only do the following:

Detect IE when IE11 is being used. Before this IE11 was mistaken for Firefox.
Detect IE11 specifically and warn the user that there is no support.

This ticket will live so we can fix this properly by porting the current
VBS script to Javascript to support cert enrollment on IE 11.

(cherry picked from commit 0baf14ad496d18991a83f211b4b60d1811e21fb3)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Related to ticket #1575 Internet Explorer 11: caUserCert request submission fails using the EE page.

This patch will only do the following:

Detect IE when IE11 is being used. Before this IE11 was mistaken for Firefox.
Detect IE11 specifically and warn the user that there is no support.

This ticket will live so we can fix this properly by porting the current
VBS script to Javascript to support cert enrollment on IE 11.

(cherry picked from commit 0baf14ad496d18991a83f211b4b60d1811e21fb3)
</pre>
</div>
</content>
</entry>
<entry>
<title>Ticket 1543 portalEnroll authentication does not load during creation from Console</title>
<updated>2015-08-14T18:00:20+00:00</updated>
<author>
<name>Christina Fu</name>
<email>cfu@redhat.com</email>
</author>
<published>2015-08-12T16:56:49+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=fdd6b6e967febffa9ec7b78f752047d46a4f05d4'/>
<id>fdd6b6e967febffa9ec7b78f752047d46a4f05d4</id>
<content type='text'>
It appears that the PortalEnroll plugin was never converted to work in the
Profile Framework.
This patch takes out the following line from CS.cfg:
auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll

so that it cannot be instantiated from the console, nor manually in CS.cfg,
unless explicitly put back in.
While in CS.cfg.in, I found the NSSAuth auths.impl line having no real
implementation, so I remove that too.

(cherry picked from commit a62ab357eb759ea59ea5204a046d0cab99126000)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
It appears that the PortalEnroll plugin was never converted to work in the
Profile Framework.
This patch takes out the following line from CS.cfg:
auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll

so that it cannot be instantiated from the console, nor manually in CS.cfg,
unless explicitly put back in.
While in CS.cfg.in, I found the NSSAuth auths.impl line having no real
implementation, so I remove that too.

(cherry picked from commit a62ab357eb759ea59ea5204a046d0cab99126000)
</pre>
</div>
</content>
</entry>
<entry>
<title>Fixed missing query parameters in ListCerts page.</title>
<updated>2015-08-14T17:58:59+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-08-12T16:59:57+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=2f4d04be6d6191d57082e3c8a17d73c74c6c427c'/>
<id>2f4d04be6d6191d57082e3c8a17d73c74c6c427c</id>
<content type='text'>
The ListCerts servlet and the templates have been fixed to pass
the skipRevoked and skipNonValid parameters to the subsequent page.

Some debugging messages have been cleaned up as well.

https://fedorahosted.org/pki/ticket/1538
(cherry picked from commit 24d7d88bd0d8b79fe5b8b6dfd84238399bc1433c)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The ListCerts servlet and the templates have been fixed to pass
the skipRevoked and skipNonValid parameters to the subsequent page.

Some debugging messages have been cleaned up as well.

https://fedorahosted.org/pki/ticket/1538
(cherry picked from commit 24d7d88bd0d8b79fe5b8b6dfd84238399bc1433c)
</pre>
</div>
</content>
</entry>
<entry>
<title>Ticket 1539 Unable to create ECC KRA Instance when kra admin key type is ECC</title>
<updated>2015-08-14T17:58:31+00:00</updated>
<author>
<name>Christina Fu</name>
<email>cfu@redhat.com</email>
</author>
<published>2015-08-10T22:38:06+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=799590e6cc15f279a0ae5c700787d9c4d9b8d861'/>
<id>799590e6cc15f279a0ae5c700787d9c4d9b8d861</id>
<content type='text'>
This patch changes the relevant CA enrollment admin profiles so that they accept
requests for EC certs. The issue actually not just affected KRA, it also affected
other non-CA subsystems.

(cherry picked from commit 017f4f9d4b3c6051f082b8c2b49d5143fd8450e9)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch changes the relevant CA enrollment admin profiles so that they accept
requests for EC certs. The issue actually not just affected KRA, it also affected
other non-CA subsystems.

(cherry picked from commit 017f4f9d4b3c6051f082b8c2b49d5143fd8450e9)
</pre>
</div>
</content>
</entry>
<entry>
<title>Separate range and cert status threads</title>
<updated>2015-08-14T17:57:06+00:00</updated>
<author>
<name>Ade Lee</name>
<email>alee@redhat.com</email>
</author>
<published>2015-08-12T04:57:46+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=29d35d80bb8aba820d4fbfd2738ce6ad4bb54ade'/>
<id>29d35d80bb8aba820d4fbfd2738ce6ad4bb54ade</id>
<content type='text'>
We currently disable the cert status maintenance thread on
clone CAs because CRL processing should only be done on the
master CA.  Currently, the maintenance thread also performs
other checks on serial number ranges and settings.  By disabling
the maintenance thread, we disable these checks too.

To fix this, we have separated the serial number checks into a
different maintenance thread, so that these tasks will occur
even if the cert status thread is disabled.

Bugzilla # 1251606

(cherry picked from commit d3d80046fd6985b809900005a685695d3181d9d3)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We currently disable the cert status maintenance thread on
clone CAs because CRL processing should only be done on the
master CA.  Currently, the maintenance thread also performs
other checks on serial number ranges and settings.  By disabling
the maintenance thread, we disable these checks too.

To fix this, we have separated the serial number checks into a
different maintenance thread, so that these tasks will occur
even if the cert status thread is disabled.

Bugzilla # 1251606

(cherry picked from commit d3d80046fd6985b809900005a685695d3181d9d3)
</pre>
</div>
</content>
</entry>
<entry>
<title>Fixed missing cert request hostname and address.</title>
<updated>2015-08-05T19:14:24+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-08-05T17:10:19+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=fec55e3cfa8c0917ef63f3d6289fe3788f80bf33'/>
<id>fec55e3cfa8c0917ef63f3d6289fe3788f80bf33</id>
<content type='text'>
The CA services have been modified to inject request hostname and
address into the certificate request object such that they will be
stored in the database. This fixes the problem with requests
submitted either via the UI or the CLI.

An unused method in CertRequestResource has been removed. Some
debug messages have been cleaned as well.

https://fedorahosted.org/pki/ticket/1535
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The CA services have been modified to inject request hostname and
address into the certificate request object such that they will be
stored in the database. This fixes the problem with requests
submitted either via the UI or the CLI.

An unused method in CertRequestResource has been removed. Some
debug messages have been cleaned as well.

https://fedorahosted.org/pki/ticket/1535
</pre>
</div>
</content>
</entry>
<entry>
<title>remove extra space from Base 64 encoded cert displays</title>
<updated>2015-08-01T00:21:55+00:00</updated>
<author>
<name>Matthew Harmsen</name>
<email>mharmsen@redhat.com</email>
</author>
<published>2015-07-31T23:28:57+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=6999197b067af920b53c75e17dc20181ba49e997'/>
<id>6999197b067af920b53c75e17dc20181ba49e997</id>
<content type='text'>
- PKI TRAC Ticket #1522 - CA UI adds extra space in Base 64 encoded
  certificate display
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
- PKI TRAC Ticket #1522 - CA UI adds extra space in Base 64 encoded
  certificate display
</pre>
</div>
</content>
</entry>
</feed>
