path: root/pki/specs/pki-core.spec
author: Jack Magne <jmagne@dhcp-32-224.sjc.redhat.com> 2012-03-09 13:15:02 -0800
committer: Jack Magne <jmagne@dhcp-32-224.sjc.redhat.com> 2012-03-12 17:27:11 -0700
commit: 1f759b5cb7aef73092a473c01cbec1928651c10a
tree: b24a5ab8ce2bf007ee046ed15d58336528095426 /pki/specs/pki-core.spec
parent: 0bc851bff69ef174b11cf147aeb1289c43de0666
Provide Custom PKI JNDI Realm.
Provide a Realm that provides the following:

1. Allows SSL client certificate authentication upon protected URLs. For now we are protecting the new DRM Rest functions.
2. Allows simple PKI ACL checking like we have in the current server. This is accomplished with the help of a simple file that maps URLs to ACL resourceIDs and operations.
3. DRMRestClient now supports SSL Client authentication to test the feature.

How to test this:

Install new KRA server, after installing build pki-core rpm.
Uncomment "PKIJNDIRealm" settings in conf/server.xml
Some customization will be needed for instance specific info. See the sample in server.xml.
Uncomment the "Security Constraint" and "login-config" settings in webapps/kra/WEB-INF/web.xml
In running DRMTest.java in eclipse do the following:
Change the arguments to support SSL Client auth such as:
-h localhost -p 10443 -w secret -d ~/archive-test -s true -c "KRA Administrator of Instance pki-kra's SjcRedhat Domain ID"
where the new flags are -s = true for SSL and -c = <client auth cert name>
Export the KRA's admin/agent client auth cert from Firefox to a pk12 file.
Import this cert into ~/archive-test by using "pk12util" utility.
Run the DRMTest.java program in eclipse and observe the results. There should be a prompt for a client cert.
Diffstat (limited to 'pki/specs/pki-core.spec')
-rw-r--r-- pki/specs/pki-core.spec 21
1 files changed, 19 insertions, 2 deletions
diff --git a/pki/specs/pki-core.spec b/pki/specs/pki-core.spec
index 6e19c008a..94e4a7fb3 100644
--- a/pki/specs/pki-core.spec
+++ b/pki/specs/pki-core.spec
@@ -7,7 +7,7 @@
Name: pki-core
Version: 10.0.0
-Release: %{?relprefix}7%{?prerel}%{?dist}
+Release: %{?relprefix}8%{?prerel}%{?dist}
Summary: Certificate System - PKI Core Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -722,6 +722,9 @@ echo "D /var/run/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfil
%{__rm} %{buildroot}%{_initrddir}/pki-krad
%{__rm} %{buildroot}%{_initrddir}/pki-ocspd
%{__rm} %{buildroot}%{_initrddir}/pki-tksd
+# Create symlink to the pki-jndi-realm jar
+mkdir -p %{buildroot}%{_javadir}/tomcat6
+ln -s -f %{_javadir}/pki/pki-jndi-realm.jar %{buildroot}%{_javadir}/tomcat6/pki-jndi-realm.jar
%else
%{__rm} %{buildroot}%{_bindir}/pkicontrol
%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-cad.target.wants
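Review bot: The comment above the added mkdir/ln lines repeats what the commands do but does not say why the jar has to be linked into %{_javadir}/tomcat6; state the reason there so a later packager does not remove the link as redundant with the copy under %{_javadir}/pki. The link is also created only in this branch of the conditional (the lines before %else), so the matching %files entry must sit under the same condition, otherwise the build ends with an unpackaged file or a listed file that does not exist. Finally, mkdir -p creates %{buildroot}%{_javadir}/tomcat6 but nothing in these lines establishes which package owns that directory; confirm it is owned by a package this one requires.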
@@ -932,7 +935,6 @@ if [ -d /etc/sysconfig/pki/tks ]; then
fi
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-
%preun -n pki-ca
if [ $1 = 0 ] ; then
/bin/systemctl --no-reload disable pki-cad.target > /dev/null 2>&1 || :
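Review bot: The only change in this hunk is dropping the blank line that separated the end of the previous scriptlet from %preun -n pki-ca, which is unrelated to the JNDI realm work. Leave the line in place, since it keeps the scriptlets visually separated, or move the whitespace cleanup to its own commit.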
@@ -1084,6 +1086,15 @@ fi
%{_javadir}/pki/pki-cmsbundle.jar
%{_javadir}/pki/pki-cmscore-%{version}.jar
%{_javadir}/pki/pki-cmscore.jar
+
+%if 0%{?fedora} >= 16
+# Create symlink to the pki-jndi-realm jar
+%{_javadir}/tomcat6/pki-jndi-realm.jar
+%endif
+
+%{_javadir}/pki/pki-jndi-realm-%{version}.jar
+%{_javadir}/pki/pki-jndi-realm.jar
+
%{_datadir}/pki/setup/
%files -n pki-common-javadoc
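Review bot: The comment inside the %if 0%{?fedora} >= 16 block, "# Create symlink to the pki-jndi-realm jar", was copied from %install; in %files nothing is created, the line only packages %{_javadir}/tomcat6/pki-jndi-realm.jar, so reword it to describe the packaged symlink. Also check that this guard is exactly the condition under which %install creates the link; if the two differ, the build fails on either an unpackaged file or a listed file that is missing from the buildroot.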
@@ -1222,6 +1233,12 @@ fi
%changelog
+
+* Fri Mar 09 2018 Jack Magne <jmagne@redhat.com> 10.0.0-5.a1
+- Added support for pki-jndi-realm in tomcat6 in pki-common
+ and pki-kra.
+- Ticket #69.
+
* Fri Mar 2 2012 Matthew Harmsen <mharmsen@redhat.com> 10.0.0-0.7.a1
- For 'mock' purposes, removed platform-specific logic from around
the 'patch' files so that ALL 'patch' files will be included in
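Review bot: The new changelog header is dated "Fri Mar 09 2018", while the commit was authored on 2012-03-09 and the entry directly below it is from Mar 2 2012; this looks like a typo for 2012 and should be corrected. The version-release "10.0.0-5.a1" also does not follow the previous entry's "10.0.0-0.7.a1" or the Release bump from 7 to 8 earlier in this patch, so it should probably read 10.0.0-0.8.a1. The blank line added directly after %changelog is not needed.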