authorAde Lee <alee@redhat.com>2017-05-23 12:14:06 -0400
committerAde Lee <alee@redhat.com>2017-05-24 11:24:34 -0400
commitde9f890133e3acc660b985e8ef5950507d341a03 (patch)
tree02c83b1ac86f7b43dbfdb00e8530375771961b8b /base/kra/src
parentb9f906eb1f26cf3d82262bc9894785742f451cd9 (diff)
Make sure archivalID is passed through archival
There was some confusion in the previous commit for archival logging. The archivalID is the id provided by the CA for the archival and is the CA's requestID. This allows the cert request operation to be tracked through the archival. We therefore make sure that there are two fields - one for the archivalID and one for the requestId (which is the KRA archival request ID). In addition, some of the archival events occur in the CA component just before the request is sent to the KRA. These events will not be logged unless the audit event is added to the CA's CS.cfg. Change-Id: I3904d42ae677d5916385e0120f0e25311b4d9d08
Diffstat (limited to 'base/kra/src')
-rw-r--r--base/kra/src/com/netscape/kra/EnrollmentService.java53
-rw-r--r--base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java11
-rw-r--r--base/kra/src/com/netscape/kra/NetkeyKeygenService.java5
-rw-r--r--base/kra/src/com/netscape/kra/SecurityDataProcessor.java1
-rw-r--r--base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java1
5 files changed, 54 insertions, 17 deletions
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
index b28fbc6ac..4cf36d1a2 100644
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -56,6 +56,7 @@ import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
import com.netscape.certsrv.profile.IEnrollProfile;
import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IService;
+import com.netscape.certsrv.request.RequestId;
import com.netscape.certsrv.security.IStorageKeyUnit;
import com.netscape.certsrv.security.ITransportKeyUnit;
import com.netscape.certsrv.util.IStatsSubsystem;
@@ -158,6 +159,7 @@ public class EnrollmentService implements IService {
String auditSubjectID = auditSubjectID();
String auditRequesterID = auditRequesterID();
String auditPublicKey = ILogger.UNIDENTIFIED;
+ RequestId requestId = request.getRequestId();
if (CMS.debugOn())
CMS.debug("EnrollmentServlet: KRA services enrollment request");
@@ -198,7 +200,9 @@ public class EnrollmentService implements IService {
audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
throw new EKRAException(
CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
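Review bot: The five-argument failure event written here is repeated verbatim in ten sibling branches of this method, each now carrying the same positional `auditRequesterID, requestId, null` tail, so any later change to the event fields must be applied ten times and a branch that drifts would emit a signed audit record with misordered fields without any compile error, since the identifiers are plain Strings passed positionally. A private helper keeps the argument order in exactly one place: `private void auditArchivalFailure(String subjectID, String requesterID, RequestId requestId) {` / `audit(new SecurityDataArchivalEvent(subjectID, ILogger.FAILURE, requesterID, requestId, null)); }`, after which each branch reduces to `auditArchivalFailure(auditSubjectID, auditRequesterID, requestId);`. The enclosing method starts and ends outside this hunk.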
@@ -243,7 +247,9 @@ public class EnrollmentService implements IService {
audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
throw new EKRAException(
CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
@@ -276,7 +282,9 @@ public class EnrollmentService implements IService {
audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
throw new EKRAException(
CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
@@ -315,7 +323,9 @@ public class EnrollmentService implements IService {
audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"), e);
}
@@ -333,7 +343,9 @@ public class EnrollmentService implements IService {
audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
throw new EKRAException(
CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
@@ -355,7 +367,9 @@ public class EnrollmentService implements IService {
audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
}
@@ -387,7 +401,9 @@ public class EnrollmentService implements IService {
audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
}
@@ -411,7 +427,9 @@ public class EnrollmentService implements IService {
audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
}
@@ -458,7 +476,9 @@ public class EnrollmentService implements IService {
audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
@@ -477,7 +497,9 @@ public class EnrollmentService implements IService {
audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
@@ -492,7 +514,9 @@ public class EnrollmentService implements IService {
audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
@@ -546,14 +570,17 @@ public class EnrollmentService implements IService {
audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.SUCCESS,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
// store a message in the signed audit log file
auditPublicKey = auditPublicKey(rec);
audit(new SecurityDataArchivalProcessedEvent(
auditSubjectID,
ILogger.SUCCESS,
- request.getRequestId(),
+ auditRequesterID,
+ requestId,
null,
new KeyId(rec.getSerialNumber()),
null,
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
index 3c29bbf10..ed20394b3 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
@@ -766,18 +766,21 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
r = queue.newRequest(KRAService.ENROLLMENT);
- // store a message in the signed audit log file
audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.SUCCESS,
- auditRequesterID));
+ auditRequesterID,
+ r.getRequestId(),
+ null));
} catch (EBaseException eAudit1) {
// store a message in the signed audit log file
audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ null /* requestId */,
+ null /*clientKeyId */));
throw eAudit1;
}
@@ -792,6 +795,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
audit(new SecurityDataArchivalProcessedEvent(
auditSubjectID,
ILogger.SUCCESS,
+ auditRequesterID,
r.getRequestId(),
null,
new KeyId(rec.getSerialNumber()),
@@ -801,6 +805,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
audit(new SecurityDataArchivalProcessedEvent(
auditSubjectID,
ILogger.FAILURE,
+ auditRequesterID,
r.getRequestId(),
null,
new KeyId(rec.getSerialNumber()),
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index df42a4f28..947377a25 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -397,7 +397,9 @@ public class NetkeyKeygenService implements IService {
audit( new SecurityDataArchivalEvent(
agentId,
ILogger.SUCCESS,
- auditSubjectID));
+ auditSubjectID,
+ request.getRequestId(),
+ null));
CMS.debug("KRA encrypts private key to put on internal ldap db");
byte privateKeyData[] = null;
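Review bot: This call site passes `agentId` in the SubjectID slot and `auditSubjectID` in the third slot, which every other call site in this commit fills with `auditRequesterID` (the requester/archival ID), and the two new arguments follow positionally; all of these are Strings, so a swapped pair compiles silently and the signed audit record would attribute the archival to the wrong principal. If the mapping is intended (presumably the agent acting as subject and the end-entity as the requester on this path), say so at the call site, e.g. `auditSubjectID, /* end-entity goes in the requester/archivalID slot; agentId is the SubjectID */`; if it is not, the first and third arguments should be swapped to match EnrollmentService. The enclosing method starts and ends outside this hunk.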
@@ -487,6 +489,7 @@ public class NetkeyKeygenService implements IService {
audit(new SecurityDataArchivalProcessedEvent(
agentId,
ILogger.SUCCESS,
+ auditSubjectID,
request.getRequestId(),
null,
new KeyId(serialNo),
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
index a44eb2fc8..326630c69 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
@@ -873,6 +873,7 @@ public class SecurityDataProcessor {
audit(new SecurityDataArchivalProcessedEvent(
subjectID,
status,
+ null,
requestID,
clientKeyID,
keyID,
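Review bot: The new third argument is a bare `null` sitting immediately before `requestID` and `clientKeyID`, so a reader of the signed-audit call cannot tell which field of the event is being left empty, while KeyRecoveryAuthority in this same commit names its empty slots (`null /* requestId */`). Follow that convention here, e.g. `null, /* archivalID: no CA-side request ID on this path */` — assuming the third parameter is the archival ID the commit message describes, which this hunk does not show. The enclosing method starts and ends outside this hunk.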
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
index 12040e0ed..8ec69a7e0 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
@@ -357,6 +357,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
audit(new SecurityDataArchivalEvent(
getRequestor(),
status,
+ null,
requestId,
clientKeyID));
}
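Review bot: The inserted `null` between `status` and `requestId` is unnamed, so the audit call no longer reads as a list of identified fields and a future maintainer cannot see which event attribute this REST path deliberately leaves empty; KeyRecoveryAuthority in this commit annotates the same kind of slot with `null /* requestId */`. Write `null /* archivalID */,` here for the same reason — hedged, since the constructor's parameter names are not visible in this hunk. The enclosing method starts outside this hunk.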