pki.git/base/server/share, branch branch-10.2.7-dev1 Unnamed repository; edit this file 'description' to name the repository. Ticket 1566 on HSM, non-CA subystem installations failing while trying to join security domain Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that: 1. The tested HSM seems to have issue with them (will still continue to investigate) 2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to estabish. 3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations 2015-08-19T22:57:49+00:00 Christina Fu cfu@redhat.com 2015-08-19T11:52:53+00:00 6b508becda86037e1cba833e5e72f3c87cd19ee0 (cherry picked from commit 89211b9915e9c3e034d311ac0fa7091e9e08bde8) 
(cherry picked from commit 89211b9915e9c3e034d311ac0fa7091e9e08bde8)
Ticket #1556 Weak HTTPS TLS ciphers 2015-08-15T01:26:05+00:00 Christina Fu cfu@redhat.com 2015-08-14T17:57:15+00:00 67c895851781d69343979cbcff138184803880ea This patch fixes the RSA ciphers that were mistakenly turned on under ECC section, and off under RSA section. A few adjustments have also been made based on Bob Relyea's feedback. A new file, <instance>/conf/ciphers.info was also created to 1. provide info on the ciphers 2. provide default rsa and ecc ciphers for admins to incorporate into earlier instances (as migration script might not be ideal due to possible customization) 
This patch fixes the RSA ciphers that were mistakenly turned on under ECC
section, and off under RSA section. A few adjustments have also been made
based on Bob Relyea's feedback. A new file, <instance>/conf/ciphers.info
was also created to
 1. provide info on the ciphers
 2. provide default rsa and ecc ciphers for admins to incorporate into earlier
    instances (as migration script might not be ideal due to possible customization)
Firefox warning 2015-07-31T22:28:47+00:00 Jack Magne jmagne@localhost.localdomain 2015-07-31T20:55:07+00:00 e1eb261b467f6e19c7e6604fc7ecb03e8b1f8166 Ticket #1523 Move the dire warning about the crypto object to sections where it applies. Also slightly changed the message due to context. 
Ticket #1523

Move the dire warning about the crypto object to sections where it applies.

Also slightly changed the message due to context.
Add profiles schema update file 2015-06-19T15:52:45+00:00 Fraser Tweedale ftweedal@redhat.com 2015-06-19T01:28:02+00:00 e3800de31aaa7fec63fea958bc024afeae96bef2 Dogtag does not yet have a reliable way to update its schema, but FreeIPA does need to add the new schema for LDAP-based profiles during upgrade to 4.2. As a temporary solution until Dogtag can manage its own schema updates (including when deployed as FreeIPA CA), FreeIPA will perform the schema upgrade. Provide a schema file that FreeIPA can use to do this. 
Dogtag does not yet have a reliable way to update its schema, but
FreeIPA does need to add the new schema for LDAP-based profiles
during upgrade to 4.2.  As a temporary solution until Dogtag can
manage its own schema updates (including when deployed as FreeIPA
CA), FreeIPA will perform the schema upgrade.  Provide a schema file
that FreeIPA can use to do this.
Fixed typos in Web UI. 2015-06-18T04:58:29+00:00 Endi S. Dewata edewata@redhat.com 2015-06-18T04:58:29+00:00 8cd43950a25b819c07c9d913da794068db58e18a 






Mozilla crypto object warning:
2015-06-16T17:09:01+00:00

Jack Magne
jmagne@localhost.localdomain

2015-06-16T17:09:01+00:00

bd780990a15d10c3df9a8da81486878012e00884

Provide simple textual warning when the user is using a browser that no longer supports the crypto object, which results in reduced CA certficat enrollment functionality. For simplicity provide the warning at the top of the main index page and at the top of the CA's services page. The services page is where the pkispawn of the CA points the uers after installation. The ticket originally called for a JS warnign but the simple text warning should be less intrusive and repetitive to the user.

Ticket #1398 Provide UI Javascript warning for missing Mozilla Crypto Object in the CA.





Provide simple textual warning when the user is using a browser that no longer supports the crypto object, which results in reduced CA certficat enrollment functionality. For simplicity provide the warning at the top of the main index page and at the top of the CA's services page. The services page is where the pkispawn of the CA points the uers after installation. The ticket originally called for a JS warnign but the simple text warning should be less intrusive and repetitive to the user.

Ticket #1398 Provide UI Javascript warning for missing Mozilla Crypto Object in the CA.







Warning for the main index to tell the user that the crypto object is not available for use in the browser.
2015-06-16T16:47:30+00:00

Jack Magne
jmagne@localhost.localdomain

2015-06-11T22:25:36+00:00

791764dd01ab2e3c3c82547598d3dc8588919895












Cleaned up links in main page.
2015-06-12T01:15:56+00:00

Endi S. Dewata
edewata@redhat.com

2015-06-11T21:48:05+00:00

3b54cb0a675bbdf345e3fd5c914886483d98a821

The ROOT's index.jsp has been modified to show the links to all
subsystems installed on the instance. When opened, it will show
the services provided by the subsystem.

The pkispawn output has been modified to show the subsystem URL
more consistently:
   https://<hostname>:<port>/<subsystem>

In all subsystems except TPS the page will redirect to:
   https://<hostname>:<port>/<subsystem>/services





The ROOT's index.jsp has been modified to show the links to all
subsystems installed on the instance. When opened, it will show
the services provided by the subsystem.

The pkispawn output has been modified to show the subsystem URL
more consistently:
   https://<hostname>:<port>/<subsystem>

In all subsystems except TPS the page will redirect to:
   https://<hostname>:<port>/<subsystem>/services







Fixed NPE in ROOT's index.jsp.
2015-06-08T13:53:05+00:00

Endi S. Dewata
edewata@redhat.com

2015-06-04T23:58:52+00:00

d7c80ae21a141438d38bfb0da9afbccfd453aa80

The ROOT's index.jsp has been modified to check each subsystem's
servlet context for null before accessing the value.

https://fedorahosted.org/pki/ticket/1407





The ROOT's index.jsp has been modified to check each subsystem's
servlet context for null before accessing the value.

https://fedorahosted.org/pki/ticket/1407







Patches to get nuxwdog working with systemd
2015-05-10T20:09:24+00:00

Ade Lee
alee@redhat.com

2015-05-06T20:06:34+00:00

7dca020819b7573cd05bd54482fb5d1afe9bb658

This patch adds some new unit files and targets for starting instances
with nuxwdog, as well as logic within the pki-server nuxwdog module to
switch to/from the old and new systemd unit files.

It also corrects some issues found in additional testing of the nuxwdog
change scripts.

To use nuxwdog to start the instance, a user needs to do the following:

1. Create an instance normally.
2. Run: pki-server instance-nuxwdog-enable <instance_name>
3. Start the instance using:
   systemctl start pki-tomcatd-nuxwdog@<instance_name>.service

To revert the instance, simply do the following:

1. Run: pki-server instance-nuxwdog-disable <instance_name>
2. Start the instance using:
   systemctl start pki-tomcatd@<instance_name>.service





This patch adds some new unit files and targets for starting instances
with nuxwdog, as well as logic within the pki-server nuxwdog module to
switch to/from the old and new systemd unit files.

It also corrects some issues found in additional testing of the nuxwdog
change scripts.

To use nuxwdog to start the instance, a user needs to do the following:

1. Create an instance normally.
2. Run: pki-server instance-nuxwdog-enable <instance_name>
3. Start the instance using:
   systemctl start pki-tomcatd-nuxwdog@<instance_name>.service

To revert the instance, simply do the following:

1. Run: pki-server instance-nuxwdog-disable <instance_name>
2. Start the instance using:
   systemctl start pki-tomcatd@<instance_name>.service