diff options
| author | Ade Lee <alee@redhat.com> | 2012-12-20 17:38:13 -0500 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2013-01-15 09:28:38 -0500 |
| commit | 1cceecafb8050ec362a9c9568d36d52d3fe4117e (patch) | |
| tree | cc4019509f5befe6159b00e95a2fbbb9415df921 /base/ca | |
| parent | d93a522df48a294018468c1db60f651e501ec458 (diff) | |
| download | pki-1cceecafb8050ec362a9c9568d36d52d3fe4117e.tar.gz pki-1cceecafb8050ec362a9c9568d36d52d3fe4117e.tar.xz pki-1cceecafb8050ec362a9c9568d36d52d3fe4117e.zip | |
Resolved Trac Ticket 367 - pkidestroy does not remove connector
* Added RESTful servlet to add/remove a KRA connector from the CA.
* Modified ACL to allow KRA subsystem user to remove connector.
* Modified connector code to allow the connector to be replaced without a server restart.
* Added functionality to pki CLI to add/remove connector
* Added code to pkidestroy to remove the connector (using both pki CLI and sslget)
When the issues with pki connection are resolved, we will use that method instead.
* Modified sslget to accept HTTP return codes != 200. In this case, we were returning
204 - which is perfectly legitimate.
Diffstat (limited to 'base/ca')
| -rw-r--r-- | base/ca/shared/conf/acl.ldif | 2 | ||||
| -rw-r--r-- | base/ca/shared/webapps/ca/WEB-INF/auth.properties | 1 | ||||
| -rw-r--r-- | base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java | 4 |
3 files changed, 6 insertions, 1 deletions
diff --git a/base/ca/shared/conf/acl.ldif b/base/ca/shared/conf/acl.ldif index c7d71f9e6..732179216 100644 --- a/base/ca/shared/conf/acl.ldif +++ b/base/ca/shared/conf/acl.ldif @@ -47,7 +47,7 @@ resourceACLS: certServer.ca.connector:submit:allow (submit) group="Trusted Manag resourceACLS: certServer.ca.clone:submit:allow (submit) group="Certificate Manager Agents":Certificate Manager Agents are allowed to submit request to the master CA resourceACLS: certServer.ca.systemstatus:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may view statistics resourceACLS: certServer.ca.group:read,modify:allow (modify,read) group="Administrators":Only administrators are allowed to read and modify users and groups -resourceACLS: certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information +resourceACLS: certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information resourceACLS: certServer.ca.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration. resourceACLS: certServer.admin.ocsp:read,modify:allow (modify,read) group="Enterprise OCSP Administrators":Only Enterprise Administrators are allowed to read or update the OCSP configuration. diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/auth.properties index 08f5bea50..b73b9ac10 100644 --- a/base/ca/shared/webapps/ca/WEB-INF/auth.properties +++ b/base/ca/shared/webapps/ca/WEB-INF/auth.properties @@ -8,6 +8,7 @@ account.login = certServer.ca.account,login account.logout = certServer.ca.account,logout admin.users = certServer.ca.users,execute admin.groups = certServer.ca.groups,execute +admin.kraconnector = certServer.ca.connectorInfo,modify agent.certrequests = certServer.ca.certrequests,execute agent.certs = certServer.ca.certs,execute securityDomain.installToken = certServer.securitydomain.domainxml,read diff --git a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java index bc6dd71a6..14b44e5d7 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java @@ -13,6 +13,7 @@ import com.netscape.certsrv.base.PKIException; import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupMemberService; import com.netscape.cms.servlet.admin.GroupService; +import com.netscape.cms.servlet.admin.KRAConnectorService; import com.netscape.cms.servlet.admin.SystemCertService; import com.netscape.cms.servlet.admin.UserCertService; import com.netscape.cms.servlet.admin.UserService; @@ -50,6 +51,9 @@ public class CertificateAuthorityApplication extends Application { // system certs classes.add(SystemCertService.class); + // kra connector + classes.add(KRAConnectorService.class); + // security domain IConfigStore cs = CMS.getConfigStore(); |