| author | Christina Fu <cfu@redhat.com> | 2015-04-10 11:26:25 -0700 |
|---|---|---|
| committer | Christina Fu <cfu@redhat.com> | 2015-04-14 16:45:17 -0700 |
| commit | 711d3ca66b6702a33839c3a436550464fa49d0d8 (patch) | |
| tree | b9c037d045147eead5077e758608b66b84663fd3 /base/tps/shared/conf | |
| parent | bdd5cc759f5d1642986330a4c29ccfa131ab034f (diff) | |
Ticket#1028 phase2: TPS rewrite: provide externalReg functionality
This patch is the 2nd phase of the externalReg feature, it makes the
following improvements:
* added feature: recovery by keyid (v.s. by cert)
* fixed some auditing message errors
* added some missing ldapStringAttributes needed for delegation to work
properly
* added missing externalReg required config parameters
* made corrections to some externalReg related parameters to allow
delegation to work properly
* added handling of some error cases
* made sure externalReg enrollment does not go half-way (once fails,
bails out)
tested:
* enrollment of the three default TPS profiles (tokenTypes)
* format of the tokens enrolled with the three default tps profiles
* delegation enrollments
* cuid match check
next phase:
* cert/key retention (allow preserving existing certs/keys on the token)
note:
* some of the activity log and cert status related issues that are not
specifically relating to externalReg will be addressed in other more
relevant tickets.
Diffstat (limited to 'base/tps/shared/conf')
| -rw-r--r-- | base/tps/shared/conf/CS.cfg.in | 38 |
1 files changed, 32 insertions, 6 deletions
diff --git a/base/tps/shared/conf/CS.cfg.in b/base/tps/shared/conf/CS.cfg.in
index b899e7d21..e583ac097 100644
--- a/base/tps/shared/conf/CS.cfg.in
+++ b/base/tps/shared/conf/CS.cfg.in
@@ -56,7 +56,7 @@ auths.instance.ldap1.ldapStringAttributes._001=# For isExternalReg
 auths.instance.ldap1.ldapStringAttributes._002=# attributes will be available as
 auths.instance.ldap1.ldapStringAttributes._003=# $<attribute>$
 auths.instance.ldap1.ldapStringAttributes._004=# attributes example:
-auths.instance.ldap1.ldapStringAttributes._005=#mail,cn,uid,exec-edipi,firstname,lastname,exec-pcc,exec-mail,certsToAdd,tokenCUID,tokenType
+auths.instance.ldap1.ldapStringAttributes._005=#mail,cn,uid,edipi,pcc,firstname,lastname,exec-edipi,exec-pcc,exec-mail,certsToAdd,tokenCUID,tokenType
 auths.instance.ldap1.attributes._006=################################# #############
 auths.instance.ldap1.ldapStringAttributes=mail,cn,uid
 auths.instance.ldap1.ldap.basedn=[LDAP_ROOT]
@@ -78,7 +78,7 @@ auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
 auths.revocationChecking.bufferSize=50
 authType=pwd
 authz._000=##
-authz._001=## new authorizatioin
+authz._001=## new authorization
 authz._002=##
 authz.evaluateOrder=deny,allow
 authz.impl._000=##
@@ -273,7 +273,7 @@ op.enroll.delegateIEtoken.keyGen.authentication.ca.profileId=caTokenUserDelegate
 op.enroll.delegateIEtoken.keyGen.authentication.certAttrId=c3
 op.enroll.delegateIEtoken.keyGen.authentication.certId=C3
 op.enroll.delegateIEtoken.keyGen.authentication.cuid_label=$cuid$
-op.enroll.delegateIEtoken.keyGen.authentication.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.exec-edipi$,e=$auth.mail$,o=TMS Org
+op.enroll.delegateIEtoken.keyGen.authentication.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org
 op.enroll.delegateIEtoken.keyGen.authentication.keySize=1024
 op.enroll.delegateIEtoken.keyGen.authentication.keyUsage=0
 op.enroll.delegateIEtoken.keyGen.authentication.keyUser=0
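Review bot: The new `dnpattern` in the hunk at -273 builds the certificate subject from `$auth.firstname$`, `$auth.lastname$`, `$auth.edipi$` and `$auth.mail$`, yet the only active attribute list visible in this diff, `auths.instance.ldap1.ldapStringAttributes=mail,cn,uid`, is unchanged context, and the hunk at -56 only edits the `_005` comment example. The delegate profiles may be bound to a different auth instance (a later hunk sets `op.format.delegateISEtoken.auth.id=ldap3`) whose attribute list is outside this diff, so confirm that the instance used by the delegateIEtoken enrollment actually exports `firstname`, `lastname`, `edipi` and `mail`. How the TPS treats an unresolved `$auth.*$` token is not visible here; a reviewer would want it to fail the enrollment rather than issue a certificate with an empty or literal RDN. The identical pattern change for delegateISEtoken appears in the hunk at -440 on the next line.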
@@ -316,6 +316,7 @@ op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.scheme=Ge
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeCert=false
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeCert.reason=6
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.scheme=GenerateNewKey
+op.enroll.delegateIEtoken.keyGen.encryption.ca.conn=ca1
 op.enroll.delegateIEtoken.keyGen.encryption.private.keyCapabilities.decrypt=true
 op.enroll.delegateIEtoken.keyGen.encryption.private.keyCapabilities.derive=false
 op.enroll.delegateIEtoken.keyGen.encryption.private.keyCapabilities.encrypt=false
@@ -440,7 +441,7 @@ op.enroll.delegateISEtoken.keyGen.authentication.ca.profileId=caTokenUserDelegat
 op.enroll.delegateISEtoken.keyGen.authentication.certAttrId=c3
 op.enroll.delegateISEtoken.keyGen.authentication.certId=C3
 op.enroll.delegateISEtoken.keyGen.authentication.cuid_label=$cuid$
-op.enroll.delegateISEtoken.keyGen.authentication.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.exec-edipi$,e=$auth.mail$,o=TMS Org
+op.enroll.delegateISEtoken.keyGen.authentication.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org
 op.enroll.delegateISEtoken.keyGen.authentication.keySize=1024
 op.enroll.delegateISEtoken.keyGen.authentication.keyUsage=0
 op.enroll.delegateISEtoken.keyGen.authentication.keyUser=0
@@ -654,6 +655,27 @@ op.enroll.delegateISEtoken.update.applet.encryption=true
 op.enroll.delegateISEtoken.update.applet.requiredVersion=1.4.4d40a449
 op.enroll.delegateISEtoken.update.symmetricKeys.enable=false
 op.enroll.delegateISEtoken.update.symmetricKeys.requiredVersion=1
+op.format.delegateISEtoken.auth.enable=true
+op.format.delegateISEtoken.cuidMustMatchKDD=false
+op.format.delegateISEtoken.enableBoundedGPKeyVersion=true
+op.format.delegateISEtoken.minimumGPKeyVersion=01
+op.format.delegateISEtoken.maximumGPKeyVersion=FF
+op.format.delegateISEtoken.rollbackKeyVersionOnPutKeyFailure=false
+op.format.delegateISEtoken.validateCardKeyInfoAgainstTokenDB=true
+op.format.delegateISEtoken.auth.id=ldap3
+op.format.delegateISEtoken.ca.conn=ca1
+op.format.delegateISEtoken.cardmgr_instance=A0000000030000
+op.format.delegateISEtoken.issuerinfo.enable=true
+op.format.delegateISEtoken.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
+op.format.delegateISEtoken.loginRequest.enable=true
+op.format.delegateISEtoken.revokeCert=false
+op.format.delegateISEtoken.tks.conn=tks1
+op.format.delegateISEtoken.update.applet.directory=/usr/share/pki/tps/applets
+op.format.delegateISEtoken.update.applet.emptyToken.enable=true
+op.format.delegateISEtoken.update.applet.encryption=true
+op.format.delegateISEtoken.update.applet.requiredVersion=1.4.4d40a449
+op.format.delegateISEtoken.update.symmetricKeys.enable=false
+op.format.delegateISEtoken.update.symmetricKeys.requiredVersion=1
 op.enroll.externalRegAddToToken._000=#########################################
 op.enroll.externalRegAddToToken._001=# for externalReg recovering certs/keys only
 op.enroll.externalRegAddToToken._002=#########################################
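Review bot: The new `op.format.delegateISEtoken` profile ships with `update.symmetricKeys.enable=false` and `requiredVersion=1`, and the hunk at -724 two lines below flips `op.format.externalRegAddToToken` from `true`/`2` to the same `false`/`1`, neither of which the commit message explains. As far as I can tell from the TPS semantics, a format with key changeover disabled leaves the token on GP key set version 1, which is normally the default developer key set, so a deployment that copies this template unchanged keeps tokens on well-known keys; `cuidMustMatchKDD=false` in the same block likewise relaxes a check that the commit message says was tested. Since this file has no comment for either profile, I would add a `_00N=#` line in the file's own convention, e.g. `op.format.delegateISEtoken._000=# symmetricKeys update is disabled by default; enable it and raise requiredVersion once the TKS master key set is provisioned`, and the same for externalRegAddToToken. The new profile is at least consistent with the unchanged `op.enroll.delegateISEtoken.update.symmetricKeys.*` context lines at the top of this hunk.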
@@ -668,6 +690,7 @@ op.enroll.externalRegAddToToken.auth.id=ldap1
 op.enroll.externalRegAddToToken.cardmgr_instance=A0000000030000
 op.enroll.externalRegAddToToken.issuerinfo.enable=true
 op.enroll.externalRegAddToToken.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
+op.enroll.externalRegAddToToken.keyGen.encryption.ca.conn=ca1
 op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.decrypt=true
 op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.derive=false
 op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.encrypt=false
@@ -698,6 +721,9 @@ op.enroll.externalRegAddToToken.keyGen.encryption.recovery.onHold.revokeCert=fal
 op.enroll.externalRegAddToToken.keyGen.signing.recovery.destroyed.revokeCert=false
 op.enroll.externalRegAddToToken.keyGen.signing.recovery.keyCompromise.revokeCert=false
 op.enroll.externalRegAddToToken.keyGen.signing.recovery.onHold.revokeCert=false
+op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.archive=true
+op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.drm.conn=kra1
+op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.enable=true
 op.enroll.externalRegAddToToken.keyGen.tokenName=$auth.cn$
 op.enroll.externalRegAddToToken.loginRequest.enable=true
 op.enroll.externalRegAddToToken.pkcs11obj.compress.enable=true
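Review bot: The three `keyGen.encryption.serverKeygen.*` lines added in the hunk at -698 sit after the `keyGen.signing.recovery.*` entries instead of with the rest of the `keyGen.encryption.*` keys, whose block ends at the `encryption.recovery.onHold.revokeCert` line named in the hunk header; this breaks the per-key grouping the profile otherwise follows. That matters for review because these keys are what turn on server-side generation of the encryption key with archival to `kra1`, and a reader scanning the encryption section will not see that the private key is generated off-token and escrowed. Moving them up beside `keyGen.encryption.ca.conn=ca1` (added in the hunk at -668) keeps the escrow decision visible where the key is configured. The `kra1` connector is defined outside this diff, so any instance that uses this profile needs it configured before enrollment can succeed.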
@@ -724,8 +750,8 @@ op.format.externalRegAddToToken.update.applet.directory=/usr/share/pki/tps/apple
 op.format.externalRegAddToToken.update.applet.emptyToken.enable=true
 op.format.externalRegAddToToken.update.applet.encryption=true
 op.format.externalRegAddToToken.update.applet.requiredVersion=1.4.4d40a449
-op.format.externalRegAddToToken.update.symmetricKeys.enable=true
-op.format.externalRegAddToToken.update.symmetricKeys.requiredVersion=2
+op.format.externalRegAddToToken.update.symmetricKeys.enable=false
+op.format.externalRegAddToToken.update.symmetricKeys.requiredVersion=1
 op.enroll._000=#########################################
 op.enroll._001=# Default Operations
 op.enroll._002=# |
