<feed xmlns='http://www.w3.org/2005/Atom'>
<title>pki.git/base/common/src, branch branch-10.2.7-dev1</title>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/'/>
<entry>
<title>Added mechanism to import system certs via PKCS #12 file.</title>
<updated>2016-04-02T04:22:41+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-02-19T07:42:30+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=58406095925cd3d26ab8eab0c7c7e99cdddf21ea'/>
<id>58406095925cd3d26ab8eab0c7c7e99cdddf21ea</id>
<content type='text'>
The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.

If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.

For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.

The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.

https://fedorahosted.org/pki/ticket/1742
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.

If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.

For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.

The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.

https://fedorahosted.org/pki/ticket/1742
</pre>
</div>
</content>
</entry>
<entry>
<title>Added mechanism to import existing CA certificate.</title>
<updated>2016-02-23T03:19:30+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-11-06T23:09:19+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=bc0de424aa8c56d2278e41b7786ca202b7e64cc3'/>
<id>bc0de424aa8c56d2278e41b7786ca202b7e64cc3</id>
<content type='text'>
The deployment procedure for external CA has been modified
such that it generates the CA CSR before starting the server.
This allows the same procedure to be used to import CA
certificate from an existing server. It also removes the
requirement to keep the server running while waiting to get
the CSR signed by an external CA.

https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 20c985ae773b26f653cac6d22bd9d93923e18c8e)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The deployment procedure for external CA has been modified
such that it generates the CA CSR before starting the server.
This allows the same procedure to be used to import CA
certificate from an existing server. It also removes the
requirement to keep the server running while waiting to get
the CSR signed by an external CA.

https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 20c985ae773b26f653cac6d22bd9d93923e18c8e)
</pre>
</div>
</content>
</entry>
<entry>
<title>Avoid profile race conditions by tracking entryUSN</title>
<updated>2016-01-21T01:48:56+00:00</updated>
<author>
<name>Fraser Tweedale</name>
<email>ftweedal@redhat.com</email>
</author>
<published>2015-11-30T03:04:08+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=2cb2e9c8df06a7fdb2fed11e2973c03483024bc0'/>
<id>2cb2e9c8df06a7fdb2fed11e2973c03483024bc0</id>
<content type='text'>
Avoid race conditions in the LDAPProfileSubsystem by tracking the
most recently known entryUSN of profiles' LDAP entries.

As part of this change, add the commitProfile method to the
IProfileSubsystem interface, remove commit behaviour from the
enableProfile and disableProfile methods and update ProfileService
and ProfileApproveServlet to commit the profile (using the
commitProfile method) where needed.

Part of: https://fedorahosted.org/pki/ticket/1700
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Avoid race conditions in the LDAPProfileSubsystem by tracking the
most recently known entryUSN of profiles' LDAP entries.

As part of this change, add the commitProfile method to the
IProfileSubsystem interface, remove commit behaviour from the
enableProfile and disableProfile methods and update ProfileService
and ProfileApproveServlet to commit the profile (using the
commitProfile method) where needed.

Part of: https://fedorahosted.org/pki/ticket/1700
</pre>
</div>
</content>
</entry>
<entry>
<title>Replaced legacy HttpClient.</title>
<updated>2015-10-23T15:31:49+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-10-20T19:07:33+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=e35499a0d72b47e1418cfb6526c301b442c87155'/>
<id>e35499a0d72b47e1418cfb6526c301b442c87155</id>
<content type='text'>
The ConfigurationUtils and CertUtil have been modified to use
PKIConnection which uses Apache HttpClient instead of the legacy
custom HttpClient. The POST request content is now created using
MultivaluedMap.

The PKIConnection has been modified to provide a get() method to
send an HTTP GET request. The post() method was modified to accept
a path parameter.

https://fedorahosted.org/pki/ticket/342
(cherry picked from commit aaacd71a2f125501645885d3da1de18459782572)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The ConfigurationUtils and CertUtil have been modified to use
PKIConnection which uses Apache HttpClient instead of the legacy
custom HttpClient. The POST request content is now created using
MultivaluedMap.

The PKIConnection has been modified to provide a get() method to
send an HTTP GET request. The post() method was modified to accept
a path parameter.

https://fedorahosted.org/pki/ticket/342
(cherry picked from commit aaacd71a2f125501645885d3da1de18459782572)
</pre>
</div>
</content>
</entry>
<entry>
<title>Removed unused WizardServlet.</title>
<updated>2015-10-23T15:31:07+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-10-20T21:54:22+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=a156c64a8af6e32e6f356b4660769a808a361521'/>
<id>a156c64a8af6e32e6f356b4660769a808a361521</id>
<content type='text'>
The unused configuration wizard servlet has been removed to
simplify refactoring other code.

The remaining references in CertUtil and ConfigurationUtils
have been removed as well.

https://fedorahosted.org/pki/ticket/1120
(cherry picked from commit 60fa66aa04ec61350420d95a554c0cec7834ebbd)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The unused configuration wizard servlet has been removed to
simplify refactoring other code.

The remaining references in CertUtil and ConfigurationUtils
have been removed as well.

https://fedorahosted.org/pki/ticket/1120
(cherry picked from commit 60fa66aa04ec61350420d95a554c0cec7834ebbd)
</pre>
</div>
</content>
</entry>
<entry>
<title>Ticket #1593 auto-shutdown - for HSM failover support</title>
<updated>2015-10-01T20:22:38+00:00</updated>
<author>
<name>Christina Fu</name>
<email>cfu@redhat.com</email>
</author>
<published>2015-09-30T11:55:05+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=ed98129b58b5b13031331fb88eb14d7c33474a59'/>
<id>ed98129b58b5b13031331fb88eb14d7c33474a59</id>
<content type='text'>
This is an interim solution for supporting HSM failover by automatically
shutting down the server when signing key becomes inaccessible.
At auto-shutdown, a crumb file will be left in the instance directory
for an external daemon to detect and restart, if necessary.
Due to limitation of the watch dog (nuxwdog) at present time,
the restart option currently only works if started with watch dog (nuxwdog),
and it will prompt for passwords on the terminals.
The restart counter is to prevent the server from going into an infinite restart
loop. Administrator will have to reset autoShutdown.restart.count to 0 when max
is reached.

(cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is an interim solution for supporting HSM failover by automatically
shutting down the server when signing key becomes inaccessible.
At auto-shutdown, a crumb file will be left in the instance directory
for an external daemon to detect and restart, if necessary.
Due to limitation of the watch dog (nuxwdog) at present time,
the restart option currently only works if started with watch dog (nuxwdog),
and it will prompt for passwords on the terminals.
The restart counter is to prevent the server from going into an infinite restart
loop. Administrator will have to reset autoShutdown.restart.count to 0 when max
is reached.

(cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
</pre>
</div>
</content>
</entry>
<entry>
<title>Refactored certificate processors.</title>
<updated>2015-09-30T17:54:04+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-09-28T20:37:02+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=8a7fbb03f8317a881032e098b6360018878ac280'/>
<id>8a7fbb03f8317a881032e098b6360018878ac280</id>
<content type='text'>
The CertProcessor.setCredentialsIntoContext() and CAProcessor.
authenticate() methods have been modified such that they can
accept credentials provided via the AuthCredentials (for REST
services) or via the HttpServletRequest (for legacy servlets).

The CertEnrollmentRequest has been modified to inherit from
ResourceMessage such that REST clients can provide the credentials
via request attributes.

https://fedorahosted.org/pki/ticket/1463
(cherry picked from commit 6c5fc90ffedcd7be17a2d014915f8e908e2488d5)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The CertProcessor.setCredentialsIntoContext() and CAProcessor.
authenticate() methods have been modified such that they can
accept credentials provided via the AuthCredentials (for REST
services) or via the HttpServletRequest (for legacy servlets).

The CertEnrollmentRequest has been modified to inherit from
ResourceMessage such that REST clients can provide the credentials
via request attributes.

https://fedorahosted.org/pki/ticket/1463
(cherry picked from commit 6c5fc90ffedcd7be17a2d014915f8e908e2488d5)
</pre>
</div>
</content>
</entry>
<entry>
<title>Fixed missing cert request hostname and address.</title>
<updated>2015-08-05T19:14:24+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-08-05T17:10:19+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=fec55e3cfa8c0917ef63f3d6289fe3788f80bf33'/>
<id>fec55e3cfa8c0917ef63f3d6289fe3788f80bf33</id>
<content type='text'>
The CA services have been modified to inject request hostname and
address into the certificate request object such that they will be
stored in the database. This fixes the problem with requests
submitted either via the UI or the CLI.

An unused method in CertRequestResource has been removed. Some
debug messages have been cleaned as well.

https://fedorahosted.org/pki/ticket/1535
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The CA services have been modified to inject request hostname and
address into the certificate request object such that they will be
stored in the database. This fixes the problem with requests
submitted either via the UI or the CLI.

An unused method in CertRequestResource has been removed. Some
debug messages have been cleaned as well.

https://fedorahosted.org/pki/ticket/1535
</pre>
</div>
</content>
</entry>
<entry>
<title>Add code to reindex data during cloning without replication</title>
<updated>2015-07-31T22:35:30+00:00</updated>
<author>
<name>Ade Lee</name>
<email>alee@redhat.com</email>
</author>
<published>2015-07-29T18:23:35+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=7c4bc2480c0cb0b4bb816ec090e9673bdddce047'/>
<id>7c4bc2480c0cb0b4bb816ec090e9673bdddce047</id>
<content type='text'>
When setting up a clone, indexes are added before the
replication agreements are set up and the consumer is initialized.
Thus, as data is replicated and added to the clone db, the
data is indexed.

When cloning is done with the replication agreements already set
up and the data replicated, the existing data is not indexed and
cannot be accessed in searches.  The data needs to be reindexed.

Related to ticket 1414
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When setting up a clone, indexes are added before the
replication agreements are set up and the consumer is initialized.
Thus, as data is replicated and added to the clone db, the
data is indexed.

When cloning is done with the replication agreements already set
up and the data replicated, the existing data is not indexed and
cannot be accessed in searches.  The data needs to be reindexed.

Related to ticket 1414
</pre>
</div>
</content>
</entry>
<entry>
<title>Removed audit CLI from non-TPS subsystems.</title>
<updated>2015-07-18T01:47:28+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-07-17T22:18:28+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=ed5b182d0d409665fc3cab3cac349f54da623181'/>
<id>ed5b182d0d409665fc3cab3cac349f54da623181</id>
<content type='text'>
Due to database upgrade issue the pki &lt;subsystem&gt;-audit CLI has
been removed from all subsystems except TPS.

The AuditModifyCLI has been modified to clarify that the --action
and the --input parameters are mutually exclusive.

https://fedorahosted.org/pki/ticket/1437
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Due to database upgrade issue the pki &lt;subsystem&gt;-audit CLI has
been removed from all subsystems except TPS.

The AuditModifyCLI has been modified to clarify that the --action
and the --input parameters are mutually exclusive.

https://fedorahosted.org/pki/ticket/1437
</pre>
</div>
</content>
</entry>
</feed>
