<feed xmlns='http://www.w3.org/2005/Atom'>
<title>pki.git/base/server/cms, branch branch-10.2.7-dev1</title>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/'/>
<entry>
<title>Added mechanism to import system certs via PKCS #12 file.</title>
<updated>2016-04-02T04:22:41+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-02-19T07:42:30+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=58406095925cd3d26ab8eab0c7c7e99cdddf21ea'/>
<id>58406095925cd3d26ab8eab0c7c7e99cdddf21ea</id>
<content type='text'>
The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing the certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.

If the pki_server_pkcs12_path is specified, the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.

For backward compatibility, if the pki_server_pkcs12_path is not
specified, the installation tool will use the old mechanism to
import the system certificates.

The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.

https://fedorahosted.org/pki/ticket/1742
</content>
</entry>
<entry>
<title>Fixed mismatching certificate validity calculation.</title>
<updated>2016-02-23T03:19:55+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-12-20T20:46:56+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=576c3afbe96aed07d994533767f1b4aec1b88e4c'/>
<id>576c3afbe96aed07d994533767f1b4aec1b88e4c</id>
<content type='text'>
The CAValidityDefault has been modified to use Calendar API to
calculate the certificate validity range to be consistent with
the ValidityConstraint and ValidityDefault.

https://fedorahosted.org/pki/ticket/1682
(cherry picked from commit 9193fe5191d1bd857b7e1f5a398c6a279b42ec84)
</content>
</entry>
<entry>
<title>Added mechanism to import existing CA certificate.</title>
<updated>2016-02-23T03:19:30+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-11-06T23:09:19+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=bc0de424aa8c56d2278e41b7786ca202b7e64cc3'/>
<id>bc0de424aa8c56d2278e41b7786ca202b7e64cc3</id>
<content type='text'>
The deployment procedure for external CA has been modified
such that it generates the CA CSR before starting the server.
This allows the same procedure to be used to import CA
certificate from an existing server. It also removes the
requirement to keep the server running while waiting to get
the CSR signed by an external CA.

https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 20c985ae773b26f653cac6d22bd9d93923e18c8e)
</content>
</entry>
<entry>
<title>Avoid profile race conditions by tracking entryUSN</title>
<updated>2016-01-21T01:48:56+00:00</updated>
<author>
<name>Fraser Tweedale</name>
<email>ftweedal@redhat.com</email>
</author>
<published>2015-11-30T03:04:08+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=2cb2e9c8df06a7fdb2fed11e2973c03483024bc0'/>
<id>2cb2e9c8df06a7fdb2fed11e2973c03483024bc0</id>
<content type='text'>
Avoid race conditions in the LDAPProfileSubsystem by tracking the
most recently known entryUSN of profiles' LDAP entries.

As part of this change, add the commitProfile method to the
IProfileSubsystem interface, remove commit behaviour from the
enableProfile and disableProfile methods and update ProfileService
and ProfileApproveServlet to commit the profile (using the
commitProfile method) where needed.

Part of: https://fedorahosted.org/pki/ticket/1700
</content>
</entry>
<entry>
<title>Replaced legacy HttpClient.</title>
<updated>2015-10-23T15:31:49+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-10-20T19:07:33+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=e35499a0d72b47e1418cfb6526c301b442c87155'/>
<id>e35499a0d72b47e1418cfb6526c301b442c87155</id>
<content type='text'>
The ConfigurationUtils and CertUtil have been modified to use
PKIConnection which uses Apache HttpClient instead of the legacy
custom HttpClient. The POST request content is now created using
MultivaluedMap.

The PKIConnection has been modified to provide a get() method to
send an HTTP GET request. The post() method was modified to accept
a path parameter.

https://fedorahosted.org/pki/ticket/342
(cherry picked from commit aaacd71a2f125501645885d3da1de18459782572)
</content>
</entry>
<entry>
<title>Removed unused WizardServlet.</title>
<updated>2015-10-23T15:31:07+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-10-20T21:54:22+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=a156c64a8af6e32e6f356b4660769a808a361521'/>
<id>a156c64a8af6e32e6f356b4660769a808a361521</id>
<content type='text'>
The unused configuration wizard servlet has been removed to
simplify refactoring other code.

The remaining references in CertUtil and ConfigurationUtils
have been removed as well.

https://fedorahosted.org/pki/ticket/1120
(cherry picked from commit 60fa66aa04ec61350420d95a554c0cec7834ebbd)
</content>
</entry>
<entry>
<title>Fixed user search in PasswdUserDBAuthentication.</title>
<updated>2015-10-06T17:15:02+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-10-01T22:09:36+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=e7716ffa375b849337075f30f879d2d5b71625e3'/>
<id>e7716ffa375b849337075f30f879d2d5b71625e3</id>
<content type='text'>
The PasswdUserDBAuthentication.authenticate() has been modified
such that it uses the UGSubsystem to find the user in the proper
LDAP subtree to avoid matching other LDAP entries that contain
a uid attribute.

https://fedorahosted.org/pki/ticket/1580
(cherry picked from commit 017d582ba50fe4ffc4bedf40a5229fb6aa381b37)
</content>
</entry>
<entry>
<title>Refactored certificate processors.</title>
<updated>2015-09-30T17:54:04+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-09-28T20:37:02+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=8a7fbb03f8317a881032e098b6360018878ac280'/>
<id>8a7fbb03f8317a881032e098b6360018878ac280</id>
<content type='text'>
The CertProcessor.setCredentialsIntoContext() and CAProcessor.
authenticate() methods have been modified such that they can
accept credentials provided via the AuthCredentials (for REST
services) or via the HttpServletRequest (for legacy servlets).

The CertEnrollmentRequest has been modified to inherit from
ResourceMessage such that REST clients can provide the credentials
via request attributes.

https://fedorahosted.org/pki/ticket/1463
(cherry picked from commit 6c5fc90ffedcd7be17a2d014915f8e908e2488d5)
</content>
</entry>
<entry>
<title>Relocated legacy cert enrollment methods.</title>
<updated>2015-09-30T17:53:54+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2015-09-28T08:40:32+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=fe956dab8709e7c2bf892b7a87f5c170baedd679'/>
<id>fe956dab8709e7c2bf892b7a87f5c170baedd679</id>
<content type='text'>
The EnrollmentProcessor.processEnrollment() and RenewalProcessor.
processRenewal() methods that take CMSRequest object have been
moved into ProfileSubmitServlet because they are only used by
the legacy servlet.

https://fedorahosted.org/pki/ticket/1463
(cherry picked from commit 0e728a28c1a5515bb7dbf5ee799c093bd6db6813)
</content>
</entry>
<entry>
<title>Fixed pkidbuser group memberships.</title>
<updated>2015-09-23T21:07:45+00:00</updated>
<author>
<name>Matthew Harmsen</name>
<email>mharmsen@redhat.com</email>
</author>
<published>2015-09-15T18:29:08+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=5a8996b20d297ed29a142f5d70f03b5af4e37484'/>
<id>5a8996b20d297ed29a142f5d70f03b5af4e37484</id>
<content type='text'>
Due to a certificate mapping issue the subsystem certificate can
be mapped into either the subsystem user or pkidbuser, which may
cause problems since the users don't belong to the same groups.
As a temporary solution the pkidbuser is now added into the same
groups. This way the client subsystem can always access the
services regardless of which user the certificate is actually
mapped to.

Bugzilla Bug #1258634 - CA fails to authenticate to KRA for archival

https://fedorahosted.org/pki/ticket/1595
(cherry picked from commit e6f8b52e97926e7b6c30a6ce958a7e590c2e6b76)

Conflicts:
	base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
</content>
</entry>
</feed>
