pki.git/pki/base/common/src/com, branch ticket-498 Unnamed repository; edit this file 'description' to name the repository. Removed unnecessary pki folder. 2012-03-26T16:43:54+00:00 Endi Sukma Dewata edewata@redhat.com 2012-03-24T07:27:47+00:00 621d9e5c413e561293d7484b93882d985b3fe15f Previously the source code was located inside a pki folder. This folder was created during svn migration and is no longer needed. This folder has now been removed and the contents have been moved up one level. Ticket #131 
Previously the source code was located inside a pki folder.
This folder was created during svn migration and is no longer
needed. This folder has now been removed and the contents have
been moved up one level.

Ticket #131
Added policy deprecations 2012-03-24T00:51:42+00:00 Ade Lee alee@redhat.com 2012-03-23T20:19:59+00:00 40d3643b8d91886bf210aa27f711731c81a11e49 Many of the policy deprecation warnings come from classes that probably ought to be deprecated as part of the deprecated policy framework as well. Making these as deprecated removes the deprecation warnings - and we can really see where we make sure of deprecated policy code elsewhere. Also removed some URLEncoder, Decoder deprecations 
Many of the policy deprecation warnings come from classes that probably ought to
be deprecated as part of the deprecated policy framework as well.  Making these
as deprecated removes the deprecation warnings - and we can really see where
we make sure of deprecated policy code elsewhere.

Also removed some URLEncoder, Decoder deprecations
Removed unused variables (part 2). 2012-03-23T18:49:50+00:00 Endi Sukma Dewata edewata@redhat.com 2012-03-14T19:36:25+00:00 154c2954b7986299840746e98ae7a23199cc35b9 This patch brings down the warnings from 1943 to 1221. Ticket #103 
This patch brings down the warnings from 1943 to 1221.

Ticket #103
Allow clones to specify master and replica ports and security options 2012-03-23T17:32:53+00:00 Ade Lee alee@redhat.com 2012-03-22T03:25:29+00:00 9513af54d56955734a58561a6753b0aafc83c162 Removed -clone_start_tls option and subsumed it into -replicationSecurity. Refactored DatabasePanel parameter verification code to allow it to be used in both update() and validate(). Added new parameters to pkisilent and databasepanel.vm. Also fixed cloning error when master uses localhost. 
Removed -clone_start_tls option and subsumed it into -replicationSecurity.
Refactored DatabasePanel parameter verification code to allow it to be
used in both update() and validate().  Added new parameters to pkisilent
and databasepanel.vm.

Also fixed cloning error when master uses localhost.
Escape parameter values in search filter. 2012-03-14T19:45:02+00:00 Endi Sukma Dewata edewata@redhat.com 2012-03-14T17:51:23+00:00 5c613fcb2323cb477ac6d4518a73fc4a810c2b3f The REST interface was vulnerable to injection attack. This has been fixed by escaping the special characters in parameter values before using them in the search filter. Ticket #96 
The REST interface was vulnerable to injection attack. This has
been fixed by escaping the special characters in parameter values
before using them in the search filter.

Ticket #96
Fixed IAttrSet.getElements() implementations. 2012-03-13T15:53:47+00:00 Endi Sukma Dewata edewata@redhat.com 2012-02-22T07:15:56+00:00 2bd9e3b8555fddcb9f8d762988384fc1c78ef37c This patch fixes incorrect implementation of getElement() in some subclasses of IAttrSet. The method is supposed return the attribute names as an enumeration of strings. Ticket #42 
This patch fixes incorrect implementation of getElement() in
some subclasses of IAttrSet. The method is supposed return the
attribute names as an enumeration of strings.

Ticket #42
Provide Custom PKI JNDI Realm. 2012-03-13T00:27:11+00:00 Jack Magne jmagne@dhcp-32-224.sjc.redhat.com 2012-03-09T21:15:02+00:00 1f759b5cb7aef73092a473c01cbec1928651c10a Provide a Realm that provides the following: 1. Allows SSL client certificate authentation upon protected URLs. For now we are protecting the new DRM Rest functions. 2. Allows simple PKI ACL checking like we have in the current server. This is accomplished with the help of a simple file that maps URLs to ACL resourceIDs and operations. 3. DRMRestClient now support SSL Client authentication to test the feature. How to test this: Install new KRA server, after installing build pki-core rpm. Uncomment "PKIJNDIRealm" settings in conf/server.xml Some customization will be needed for instance specific info. See the sample in server.xml. Uncomment the "Security Constraint" and "login-config" settings webapps/kra/WEB-INF/web.xml In running DRMTest.java in eclipse do the following: Change the arguments to support SSL Client auth such as: -h localhost -p 10443 -w secret -d ~/archive-test -s true -c "KRA Administrator of Instance pki-kra's SjcRedhat Domain ID" where the new flags are -s = true for SSL and -c = <client auth cert name> Export the KRA's admin/agent client auth cert from Firefox to a pk12 file. Import this cert into ~/archive-test by using "pk12util" utility. Run the DRMTest.java program in eclipse and observe the results. There should be a prompt for a client cert. 
Provide a Realm that provides the following:

1. Allows SSL client certificate authentation upon protected URLs.
For now we are protecting the new DRM Rest functions.

2. Allows simple PKI ACL checking like we have in the current server.
  This is accomplished with the help of a simple file that maps URLs
  to ACL resourceIDs and operations.

3. DRMRestClient now support SSL Client authentication to test the feature.

How to test this:

Install new KRA server, after installing build pki-core rpm.
Uncomment "PKIJNDIRealm" settings in conf/server.xml
Some customization will be needed for instance specific info. See
the sample in server.xml.
Uncomment the "Security Constraint" and "login-config" settings webapps/kra/WEB-INF/web.xml

In running DRMTest.java in eclipse do the following:
   Change the arguments to support SSL Client auth such as:
      -h localhost -p 10443 -w secret -d ~/archive-test -s true -c "KRA Administrator of Instance pki-kra's SjcRedhat Domain ID"
       where the new flags are -s = true for SSL and -c = <client auth cert name>

   Export the KRA's admin/agent client auth cert from Firefox to a pk12 file.
   Import this cert into ~/archive-test by using "pk12util" utility.

Run the DRMTest.java program in eclipse and observe the results. There should be a prompt
for a client cert.
Refactored NameValuePairs. 2012-03-12T17:45:05+00:00 Endi Sukma Dewata edewata@redhat.com 2012-02-27T15:36:14+00:00 0bc851bff69ef174b11cf147aeb1289c43de0666 The NameValuePairs class has been modified to extend the Linked- HashMap which preserves the order of elements as in the original code. Some methods are renamed to match Java Map interface. The NameValuePair class is no longer needed and has been removed. Ticket #78 
The NameValuePairs class has been modified to extend the Linked-
HashMap which preserves the order of elements as in the original
code. Some methods are renamed to match Java Map interface. The
NameValuePair class is no longer needed and has been removed.

Ticket #78
Replaced daemon threads with executor service. 2012-03-12T14:39:35+00:00 Endi Sukma Dewata edewata@redhat.com 2012-03-07T02:06:44+00:00 c0b210a15ef43873b52c1c9fbec73eba48155b4b The certificate status update and retrieving modifications tasks have been modified to use the executor service. Unlike daemon threads, the service will allow existing task to exit gracefully before shutting down. An abandon operation is used terminate the persistent search used for retrieving modifications. Some methods have been moved to CertificateRepository class to simplify synchronizations. Ticket #73 
The certificate status update and retrieving modifications tasks
have been modified to use the executor service. Unlike daemon
threads, the service will allow existing task to exit gracefully
before shutting down. An abandon operation is used terminate the
persistent search used for retrieving modifications. Some methods
have been moved to CertificateRepository class to simplify
synchronizations.

Ticket #73
Refactored JobsScheduler. 2012-03-12T14:39:31+00:00 Endi Sukma Dewata edewata@redhat.com 2012-02-27T20:58:24+00:00 34f141c1144dac37248cf404835248413218627e The JobsScheduler has been modified to stop all jobs on shutdown. This is done by setting a flag in each job instead of stopping the job thread abruptly. Long running jobs should check this flag periodically and then exit gracefully. None of the existing jobs need to do this since they do not run very long. Other threads that run background services have been converted into daemons such that they will terminate automatically when the JVM exits. Ticket #73 
The JobsScheduler has been modified to stop all jobs on shutdown.
This is done by setting a flag in each job instead of stopping the
job thread abruptly. Long running jobs should check this flag
periodically and then exit gracefully. None of the existing jobs
need to do this since they do not run very long.

Other threads that run background services have been converted into
daemons such that they will terminate automatically when the JVM
exits.

Ticket #73