authorEndi Sukma Dewata <edewata@redhat.com>2012-03-24 02:27:47 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2012-03-26 11:43:54 -0500
commit621d9e5c413e561293d7484b93882d985b3fe15f (patch)
tree638f3d75761c121d9a8fb50b52a12a6686c5ac5c /specs/pki-core.spec
parent40d3643b8d91886bf210aa27f711731c81a11e49 (diff)
Removed unnecessary pki folder.
Previously the source code was located inside a pki folder. This folder was created during svn migration and is no longer needed. This folder has now been removed and the contents have been moved up one level. Ticket #131
Diffstat (limited to 'specs/pki-core.spec')
-rw-r--r--specs/pki-core.spec2174
1 files changed, 2174 insertions, 0 deletions
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
new file mode 100644
index 000000000..2c1906fc5
--- /dev/null
+++ b/specs/pki-core.spec
@@ -0,0 +1,2174 @@
+# for a pre-release, define the prerel field e.g. .a1 .rc2 - comment out for official release
+# also remove the space between % and global - this space is needed because
+# fedpkg verrel stupidly ignores comment lines
+%global prerel .a1
+# also need the relprefix field for a pre-release e.g. .0 - also comment out for official release
+%global relprefix 0.
+
+%if ! (0%{?fedora} > 12 || 0%{?rhel} > 5)
+%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from
+distutils.sysconfig import get_python_lib; print(get_python_lib())")}
+%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from
+distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
+%endif
+
+Name: pki-core
+Version: 10.0.0
+Release: %{?relprefix}11%{?prerel}%{?dist}
+Summary: Certificate System - PKI Core Components
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Daemons
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+# specify '_unitdir' macro for platforms that don't use 'systemd'
+%if 0%{?rhel} || 0%{?fedora} < 16
+%define _unitdir /lib/systemd/system
+%endif
+
+# tomcatjss requires versioning since version 2.0.0 requires tomcat6
+BuildRequires: cmake
+BuildRequires: java-devel >= 1:1.6.0
+BuildRequires: ldapjdk
+BuildRequires: apache-commons-codec
+BuildRequires: nspr-devel
+BuildRequires: nss-devel
+BuildRequires: openldap-devel
+BuildRequires: pkgconfig
+BuildRequires: policycoreutils
+BuildRequires: selinux-policy-devel
+BuildRequires: velocity
+BuildRequires: xalan-j2
+BuildRequires: xerces-j2
+BuildRequires: candlepin-deps >= 0.0.21-1
+%if 0%{?fedora} >= 17
+BuildRequires: junit
+%else
+BuildRequires: junit4
+%endif
+%if 0%{?fedora} >= 16
+BuildRequires: jpackage-utils >= 0:1.7.5-10
+BuildRequires: jss >= 4.2.6-19.1
+BuildRequires: systemd-units
+BuildRequires: tomcatjss >= 6.0.2
+%else
+%if 0%{?fedora} >= 15
+BuildRequires: jpackage-utils
+BuildRequires: jss >= 4.2.6-17
+BuildRequires: tomcatjss >= 6.0.0
+%else
+BuildRequires: jpackage-utils
+BuildRequires: jss >= 4.2.6-17
+BuildRequires: tomcatjss >= 2.0.0
+%endif
+%endif
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz
+
+Patch0: %{name}-selinux-f16.patch
+Patch1: %{name}-selinux-f17.patch
+
+%if 0%{?rhel}
+ExcludeArch: ppc ppc64 s390 s390x
+%endif
+
+%global saveFileContext() \
+if [ -s /etc/selinux/config ]; then \
+ . %{_sysconfdir}/selinux/config; \
+ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
+ if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \
+ cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \
+ fi \
+fi;
+
+%global relabel() \
+. %{_sysconfdir}/selinux/config; \
+FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
+selinuxenabled; \
+if [ $? == 0 -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \
+ fixfiles -C ${FILE_CONTEXT}.%{name} restore; \
+ rm -f ${FILE_CONTEXT}.%name; \
+fi;
+
+%global overview \
+================================== \
+|| ABOUT "CERTIFICATE SYSTEM" || \
+================================== \
+ \
+Certificate System (CS) is an enterprise software system designed \
+to manage enterprise Public Key Infrastructure (PKI) deployments. \
+ \
+PKI Core contains ALL top-level java-based Tomcat PKI components: \
+ \
+ * pki-deploy \
+ * pki-setup \
+ * pki-symkey \
+ * pki-native-tools \
+ * pki-util \
+ * pki-util-javadoc \
+ * pki-java-tools \
+ * pki-java-tools-javadoc \
+ * pki-common \
+ * pki-common-javadoc \
+ * pki-selinux \
+ * pki-ca \
+ * pki-kra \
+ * pki-ocsp \
+ * pki-tks \
+ \
+which comprise the following corresponding PKI subsystems: \
+ \
+ * Certificate Authority (CA) \
+ * Data Recovery Manager (DRM) \
+ * Online Certificate Status Protocol (OCSP) Manager \
+ * Token Key Service (TKS) \
+ \
+For deployment purposes, PKI Core contains fundamental packages \
+required by BOTH native-based Apache AND java-based Tomcat \
+Certificate System instances consisting of the following components: \
+ \
+ * pki-native-tools \
+ * pki-selinux \
+ * pki-setup \
+ * pki-silent (required for IPA deployments; optional otherwise) \
+ \
+Additionally, PKI Core contains the following fundamental packages \
+required ONLY by ALL java-based Tomcat Certificate System instances: \
+ \
+ * pki-common \
+ * pki-java-tools \
+ * pki-symkey (ONLY required for TKS subsystems) \
+ * pki-util \
+ \
+PKI Core also includes the following components: \
+ \
+ * pki-common-javadoc \
+ * pki-java-tools-javadoc \
+ * pki-util-javadoc \
+ \
+Finally, for deployment purposes, Certificate System requires ONE AND \
+ONLY ONE of the following "Mutually-Exclusive" PKI Theme packages: \
+ \
+ * dogtag-pki-theme (Dogtag Certificate System deployments) \
+ * ipa-pki-theme (IPA deployments) \
+ * redhat-pki-theme (Red Hat Certificate System deployments) \
+ \
+%{nil}
+
+%description %{overview}
+
+
+%package -n pki-deploy
+Summary: Certificate System - PKI Instance Deployment Scripts
+Group: System Environment/Base
+
+BuildArch: noarch
+
+%description -n pki-deploy
+PKI deployment scripts are used to create and remove instances from PKI deployments.
+
+This package is a part of the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-setup
+Summary: Certificate System - PKI Instance Creation & Removal Scripts
+Group: System Environment/Base
+
+BuildArch: noarch
+
+Requires: perl(File::Slurp)
+Requires: perl(XML::LibXML)
+Requires: perl-Crypt-SSLeay
+Requires: policycoreutils
+Requires: openldap-clients
+
+%description -n pki-setup
+PKI setup scripts are used to create and remove instances from PKI deployments.
+
+This package is a part of the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-symkey
+Summary: Symmetric Key JNI Package
+Group: System Environment/Libraries
+
+Requires: java >= 1:1.6.0
+Requires: nss
+%if 0%{?fedora} >= 16
+Requires: jpackage-utils >= 0:1.7.5-10
+Requires: jss >= 4.2.6-19.1
+%else
+Requires: jpackage-utils
+Requires: jss >= 4.2.6-17
+%endif
+
+Provides: symkey = %{version}-%{release}
+
+Obsoletes: symkey < %{version}-%{release}
+
+%description -n pki-symkey
+The Symmetric Key Java Native Interface (JNI) package supplies various native
+symmetric key operations to Java programs.
+
+This package is a part of the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-native-tools
+Summary: Certificate System - Native Tools
+Group: System Environment/Base
+
+Requires: openldap-clients
+Requires: nss
+Requires: nss-tools
+
+%description -n pki-native-tools
+These platform-dependent PKI executables are used to help make
+Certificate System into a more complete and robust PKI solution.
+
+This package is a part of the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-util
+Summary: Certificate System - PKI Utility Framework
+Group: System Environment/Base
+
+BuildArch: noarch
+
+Requires: java >= 1:1.6.0
+Requires: ldapjdk
+Requires: apache-commons-codec
+%if 0%{?fedora} >= 16
+Requires: jpackage-utils >= 0:1.7.5-10
+Requires: jss >= 4.2.6-19.1
+%else
+%if 0%{?fedora} >= 15
+Requires: jpackage-utils
+Requires: jss >= 4.2.6-17
+%else
+Requires: jpackage-utils
+Requires: jss >= 4.2.6-17
+%endif
+%endif
+
+%description -n pki-util
+The PKI Utility Framework is required by the following four PKI subsystems:
+
+ the Certificate Authority (CA),
+ the Data Recovery Manager (DRM),
+ the Online Certificate Status Protocol (OCSP) Manager, and
+ the Token Key Service (TKS).
+
+This package is a part of the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-util-javadoc
+Summary: Certificate System - PKI Utility Framework Javadocs
+Group: Documentation
+
+BuildArch: noarch
+
+Requires: pki-util = %{version}-%{release}
+
+%description -n pki-util-javadoc
+This documentation pertains exclusively to version %{version} of
+the PKI Utility Framework.
+
+This package is a part of the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-java-tools
+Summary: Certificate System - PKI Java-Based Tools
+Group: System Environment/Base
+
+BuildArch: noarch
+
+Requires: java >= 1:1.6.0
+Requires: pki-native-tools = %{version}-%{release}
+Requires: pki-util = %{version}-%{release}
+%if 0%{?fedora} >= 16
+Requires: jpackage-utils >= 0:1.7.5-10
+%else
+Requires: jpackage-utils
+%endif
+
+%description -n pki-java-tools
+These platform-independent PKI executables are used to help make
+Certificate System into a more complete and robust PKI solution.
+
+This package is a part of the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-java-tools-javadoc
+Summary: Certificate System - PKI Java-Based Tools Javadocs
+Group: Documentation
+
+BuildArch: noarch
+
+Requires: pki-java-tools = %{version}-%{release}
+
+%description -n pki-java-tools-javadoc
+This documentation pertains exclusively to version %{version} of
+the PKI Java-Based Tools.
+
+This package is a part of the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-common
+Summary: Certificate System - PKI Common Framework
+Group: System Environment/Base
+
+BuildArch: noarch
+
+Requires: java >= 1:1.6.0
+Requires: candlepin-deps >= 0.0.21-1
+Requires: javassist
+Requires: jettison
+Requires: pki-common-theme >= 9.0.0
+Requires: pki-java-tools = %{version}-%{release}
+Requires: pki-deploy = %{version}-%{release}
+Requires: pki-setup = %{version}-%{release}
+Requires: %{_javadir}/ldapjdk.jar
+Requires: %{_javadir}/velocity.jar
+Requires: %{_javadir}/xalan-j2.jar
+Requires: %{_javadir}/xalan-j2-serializer.jar
+Requires: %{_javadir}/xerces-j2.jar
+Requires: %{_javadir}/xml-commons-apis.jar
+Requires: %{_javadir}/xml-commons-resolver.jar
+Requires: velocity
+%if 0%{?fedora} >= 16
+Requires: apache-commons-lang
+Requires: apache-commons-logging
+Requires: jss >= 4.2.6-19.1
+Requires: tomcatjss >= 6.0.2
+%else
+%if 0%{?fedora} >= 15
+Requires: apache-commons-lang
+Requires: apache-commons-logging
+Requires: jss >= 4.2.6-17
+Requires: tomcatjss >= 6.0.0
+%else
+%if 0%{?fedora} >= 14
+Requires: apache-commons-lang
+Requires: apache-commons-logging
+Requires: jss >= 4.2.6-17
+Requires: tomcatjss >= 2.0.0
+%else
+Requires: jakarta-commons-lang
+Requires: jakarta-commons-logging
+Requires: jss >= 4.2.6-17
+Requires: tomcatjss >= 2.0.0
+%endif
+%endif
+%endif
+
+%description -n pki-common
+The PKI Common Framework is required by the following four PKI subsystems:
+
+ the Certificate Authority (CA),
+ the Data Recovery Manager (DRM),
+ the Online Certificate Status Protocol (OCSP) Manager, and
+ the Token Key Service (TKS).
+
+This package is a part of the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-common-javadoc
+Summary: Certificate System - PKI Common Framework Javadocs
+Group: Documentation
+
+BuildArch: noarch
+
+Requires: pki-common = %{version}-%{release}
+
+%description -n pki-common-javadoc
+This documentation pertains exclusively to version %{version} of
+the PKI Common Framework.
+
+This package is a part of the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-selinux
+Summary: Certificate System - PKI Selinux Policies
+Group: System Environment/Base
+
+BuildArch: noarch
+
+Requires: policycoreutils
+Requires: selinux-policy-targeted
+
+%description -n pki-selinux
+Selinux policies for the PKI components.
+
+This package is a part of the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-ca
+Summary: Certificate System - Certificate Authority
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+Requires: java >= 1:1.6.0
+Requires: pki-ca-theme >= 9.0.0
+Requires: pki-common = %{version}-%{release}
+Requires: pki-selinux = %{version}-%{release}
+%if 0%{?fedora} >= 16
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+%else
+%if 0%{?fedora} >= 15
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+Requires: initscripts
+%else
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+%endif
+%endif
+
+%description -n pki-ca
+The Certificate Authority (CA) is a required PKI subsystem which issues,
+renews, revokes, and publishes certificates as well as compiling and
+publishing Certificate Revocation Lists (CRLs).
+
+The Certificate Authority can be configured as a self-signing Certificate
+Authority, where it is the root CA, or it can act as a subordinate CA,
+where it obtains its own signing certificate from a public CA.
+
+This package is one of the top-level java-based Tomcat PKI subsystems
+provided by the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-kra
+Summary: Certificate System - Data Recovery Manager
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+Requires: java >= 1:1.6.0
+Requires: pki-kra-theme >= 9.0.0
+Requires: pki-common = %{version}-%{release}
+Requires: pki-selinux = %{version}-%{release}
+%if 0%{?fedora} >= 16
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+%else
+%if 0%{?fedora} >= 15
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+Requires: initscripts
+%else
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+%endif
+%endif
+
+%description -n pki-kra
+The Data Recovery Manager (DRM) is an optional PKI subsystem that can act
+as a Key Recovery Authority (KRA). When configured in conjunction with the
+Certificate Authority (CA), the DRM stores private encryption keys as part of
+the certificate enrollment process. The key archival mechanism is triggered
+when a user enrolls in the PKI and creates the certificate request. Using the
+Certificate Request Message Format (CRMF) request format, a request is
+generated for the user's private encryption key. This key is then stored in
+the DRM which is configured to store keys in an encrypted format that can only
+be decrypted by several agents requesting the key at one time, providing for
+protection of the public encryption keys for the users in the PKI deployment.
+
+Note that the DRM archives encryption keys; it does NOT archive signing keys,
+since such archival would undermine non-repudiation properties of signing keys.
+
+This package is one of the top-level java-based Tomcat PKI subsystems
+provided by the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-ocsp
+Summary: Certificate System - Online Certificate Status Protocol Manager
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+Requires: java >= 1:1.6.0
+Requires: pki-ocsp-theme >= 9.0.0
+Requires: pki-common = %{version}-%{release}
+Requires: pki-selinux = %{version}-%{release}
+%if 0%{?fedora} >= 16
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+%else
+%if 0%{?fedora} >= 15
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+Requires: initscripts
+%else
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+%endif
+%endif
+
+%description -n pki-ocsp
+The Online Certificate Status Protocol (OCSP) Manager is an optional PKI
+subsystem that can act as a stand-alone OCSP service. The OCSP Manager
+performs the task of an online certificate validation authority by enabling
+OCSP-compliant clients to do real-time verification of certificates. Note
+that an online certificate-validation authority is often referred to as an
+OCSP Responder.
+
+Although the Certificate Authority (CA) is already configured with an
+internal OCSP service. An external OCSP Responder is offered as a separate
+subsystem in case the user wants the OCSP service provided outside of a
+firewall while the CA resides inside of a firewall, or to take the load of
+requests off of the CA.
+
+The OCSP Manager can receive Certificate Revocation Lists (CRLs) from
+multiple CA servers, and clients can query the OCSP Manager for the
+revocation status of certificates issued by all of these CA servers.
+
+When an instance of OCSP Manager is set up with an instance of CA, and
+publishing is set up to this OCSP Manager, CRLs are published to it
+whenever they are issued or updated.
+
+This package is one of the top-level java-based Tomcat PKI subsystems
+provided by the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-tks
+Summary: Certificate System - Token Key Service
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+Requires: java >= 1:1.6.0
+Requires: pki-tks-theme >= 9.0.0
+Requires: pki-common = %{version}-%{release}
+Requires: pki-selinux = %{version}-%{release}
+Requires: pki-symkey = %{version}-%{release}
+%if 0%{?fedora} >= 16
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+%else
+%if 0%{?fedora} >= 15
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+Requires: initscripts
+%else
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+%endif
+%endif
+
+%description -n pki-tks
+The Token Key Service (TKS) is an optional PKI subsystem that manages the
+master key(s) and the transport key(s) required to generate and distribute
+keys for hardware tokens. TKS provides the security between tokens and an
+instance of Token Processing System (TPS), where the security relies upon the
+relationship between the master key and the token keys. A TPS communicates
+with a TKS over SSL using client authentication.
+
+TKS helps establish a secure channel (signed and encrypted) between the token
+and the TPS, provides proof of presence of the security token during
+enrollment, and supports key changeover when the master key changes on the
+TKS. Tokens with older keys will get new token keys.
+
+Because of the sensitivity of the data that TKS manages, TKS should be set up
+behind the firewall with restricted access.
+
+This package is one of the top-level java-based Tomcat PKI subsystems
+provided by the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%package -n pki-silent
+Summary: Certificate System - Silent Installer
+Group: System Environment/Base
+
+BuildArch: noarch
+
+Requires: java >= 1:1.6.0
+Requires: pki-common = %{version}-%{release}
+
+%description -n pki-silent
+The PKI Silent Installer may be used to "automatically" configure
+the following PKI subsystems in a non-graphical (batch) fashion
+including:
+
+ the Certificate Authority (CA),
+ the Data Recovery Manager (DRM),
+ the Online Certificate Status Protocol (OCSP) Manager,
+ the Registration Authority (RA),
+ the Token Key Service (TKS), and/or
+ the Token Processing System (TPS).
+
+This package is a part of the PKI Core used by the Certificate System.
+
+%{overview}
+
+
+%prep
+
+
+%setup -q -n %{name}-%{version}%{?prerel}
+
+%if 0%{?fedora} >= 17
+%patch1 -p2 -b .f17
+%else
+%if 0%{?fedora} >= 16
+%patch0 -p2 -b .f16
+%endif
+%endif
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_CORE:BOOL=ON -DJAVA_LIB_INSTALL_DIR=%{_jnidir} -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} ..
+%{__make} VERBOSE=1 %{?_smp_mflags} all
+%{__make} VERBOSE=1 %{?_smp_mflags} test
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot} INSTALL="install -p"
+
+cd %{buildroot}%{_libdir}/symkey
+%{__rm} symkey.jar
+%if 0%{?fedora} >= 16
+%{__rm} %{buildroot}%{_jnidir}/symkey.jar
+%{__mv} symkey-%{version}.jar %{buildroot}%{_jnidir}/symkey.jar
+%else
+%{__ln_s} symkey-%{version}.jar symkey.jar
+%endif
+
+%if 0%{?rhel} || 0%{?fedora} < 16
+cd %{buildroot}%{_jnidir}
+%{__rm} symkey.jar
+%{__ln_s} %{_libdir}/symkey/symkey.jar symkey.jar
+%endif
+
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d
+# generate 'pki-ca.conf' under the 'tmpfiles.d' directory
+echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
+echo "D /var/lock/pki/ca 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
+echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
+echo "D /var/run/pki/ca 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
+# generate 'pki-kra.conf' under the 'tmpfiles.d' directory
+echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
+echo "D /var/lock/pki/kra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
+echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
+echo "D /var/run/pki/kra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
+# generate 'pki-ocsp.conf' under the 'tmpfiles.d' directory
+echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
+echo "D /var/lock/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
+echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
+echo "D /var/run/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
+# generate 'pki-tks.conf' under the 'tmpfiles.d' directory
+echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+echo "D /var/lock/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+echo "D /var/run/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+%endif
+
+%if 0%{?fedora} >= 16
+%{__rm} %{buildroot}%{_initrddir}/pki-cad
+%{__rm} %{buildroot}%{_initrddir}/pki-krad
+%{__rm} %{buildroot}%{_initrddir}/pki-ocspd
+%{__rm} %{buildroot}%{_initrddir}/pki-tksd
+# Create symlink to the pki-jndi-realm jar
+mkdir -p %{buildroot}%{_javadir}/tomcat6
+ln -s -f %{_javadir}/pki/pki-jndi-realm.jar %{buildroot}%{_javadir}/tomcat6/pki-jndi-realm.jar
+%else
+%{__rm} %{buildroot}%{_bindir}/pkicontrol
+%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-cad.target.wants
+%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-krad.target.wants
+%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-ocspd.target.wants
+%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-tksd.target.wants
+%{__rm} -rf %{buildroot}%{_unitdir}
+%endif
+
+# tomcat6 has changed how TOMCAT_LOG is used.
+# Need to adjust accordingly
+# This macro will be executed in the postinstall scripts
+%define fix_tomcat_log() ( \
+if [ -d /etc/sysconfig/pki/%i ]; then \
+ for F in `find /etc/sysconfig/pki/%1 -type f`; do \
+ instance=`basename $F` \
+ if [ -f /etc/sysconfig/$instance ]; then \
+ sed -i -e 's/catalina.out/tomcat-initd.log/' /etc/sysconfig/$instance \
+ fi \
+ done \
+fi \
+)
+
+%pre -n pki-selinux
+%saveFileContext targeted
+
+
+%post -n pki-selinux
+semodule -s targeted -i %{_datadir}/selinux/modules/pki.pp
+%relabel targeted
+
+
+%preun -n pki-selinux
+if [ $1 = 0 ]; then
+ %saveFileContext targeted
+fi
+
+
+%postun -n pki-selinux
+if [ $1 = 0 ]; then
+ semodule -s targeted -r pki
+ %relabel targeted
+fi
+
+%if 0%{?rhel} || 0%{?fedora} < 16
+%post -n pki-ca
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-cad || :
+%fix_tomcat_log ca
+
+%post -n pki-kra
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-krad || :
+%fix_tomcat_log kra
+
+%post -n pki-ocsp
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-ocspd || :
+%fix_tomcat_log ocsp
+
+%post -n pki-tks
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-tksd || :
+%fix_tomcat_log tks
+
+
+%preun -n pki-ca
+if [ $1 = 0 ] ; then
+ /sbin/service pki-cad stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-cad || :
+fi
+
+
+%preun -n pki-kra
+if [ $1 = 0 ] ; then
+ /sbin/service pki-krad stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-krad || :
+fi
+
+
+%preun -n pki-ocsp
+if [ $1 = 0 ] ; then
+ /sbin/service pki-ocspd stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-ocspd || :
+fi
+
+
+%preun -n pki-tks
+if [ $1 = 0 ] ; then
+ /sbin/service pki-tksd stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-tksd || :
+fi
+
+
+%postun -n pki-ca
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-cad condrestart >/dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-kra
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-krad condrestart >/dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-ocsp
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-ocspd condrestart >/dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-tks
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-tksd condrestart >/dev/null 2>&1 || :
+fi
+%else
+%post -n pki-ca
+# Attempt to update ALL old "CA" instances to "systemd"
+if [ -d /etc/sysconfig/pki/ca ]; then
+ for inst in `ls /etc/sysconfig/pki/ca`; do
+ if [ ! -e "/etc/systemd/system/pki-cad.target.wants/pki-cad@${inst}.service" ]; then
+ ln -s "/lib/systemd/system/pki-cad@.service" \
+ "/etc/systemd/system/pki-cad.target.wants/pki-cad@${inst}.service"
+ [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}
+ ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}
+
+ if [ -e /var/run/${inst}.pid ]; then
+ kill -9 `cat /var/run/${inst}.pid` || :
+ rm -f /var/run/${inst}.pid
+ echo "pkicreate.systemd.servicename=pki-cad@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /bin/systemctl restart pki-cad@${inst}.service || :
+ else
+ echo "pkicreate.systemd.servicename=pki-cad@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ fi
+ fi
+ done
+fi
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+%fix_tomcat_log ca
+
+
+%post -n pki-kra
+# Attempt to update ALL old "KRA" instances to "systemd"
+if [ -d /etc/sysconfig/pki/kra ]; then
+ for inst in `ls /etc/sysconfig/pki/kra`; do
+ if [ ! -e "/etc/systemd/system/pki-krad.target.wants/pki-krad@${inst}.service" ]; then
+ ln -s "/lib/systemd/system/pki-krad@.service" \
+ "/etc/systemd/system/pki-krad.target.wants/pki-krad@${inst}.service"
+ [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}
+ ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}
+
+ if [ -e /var/run/${inst}.pid ]; then
+ kill -9 `cat /var/run/${inst}.pid` || :
+ rm -f /var/run/${inst}.pid
+ echo "pkicreate.systemd.servicename=pki-krad@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /bin/systemctl restart pki-krad@${inst}.service || :
+ else
+ echo "pkicreate.systemd.servicename=pki-krad@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ fi
+ fi
+ done
+fi
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+%fix_tomcat_log kra
+
+
+%post -n pki-ocsp
+# Attempt to update ALL old "OCSP" instances to "systemd"
+if [ -d /etc/sysconfig/pki/ocsp ]; then
+ for inst in `ls /etc/sysconfig/pki/ocsp`; do
+ if [ ! -e "/etc/systemd/system/pki-ocspd.target.wants/pki-ocspd@${inst}.service" ]; then
+ ln -s "/lib/systemd/system/pki-ocspd@.service" \
+ "/etc/systemd/system/pki-ocspd.target.wants/pki-ocspd@${inst}.service"
+ [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}
+ ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}
+
+ if [ -e /var/run/${inst}.pid ]; then
+ kill -9 `cat /var/run/${inst}.pid` || :
+ rm -f /var/run/${inst}.pid
+ echo "pkicreate.systemd.servicename=pki-ocspd@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /bin/systemctl restart pki-ocspd@${inst}.service || :
+ else
+ echo "pkicreate.systemd.servicename=pki-ocspd@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ fi
+ fi
+ done
+fi
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+%fix_tomcat_log ocsp
+
+
+%post -n pki-tks
+# Attempt to update ALL old "TKS" instances to "systemd"
+if [ -d /etc/sysconfig/pki/tks ]; then
+ for inst in `ls /etc/sysconfig/pki/tks`; do
+ if [ ! -e "/etc/systemd/system/pki-tksd.target.wants/pki-tksd@${inst}.service" ]; then
+ ln -s "/lib/systemd/system/pki-tksd@.service" \
+ "/etc/systemd/system/pki-tksd.target.wants/pki-tksd@${inst}.service"
+ [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}
+ ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}
+
+ if [ -e /var/run/${inst}.pid ]; then
+ kill -9 `cat /var/run/${inst}.pid` || :
+ rm -f /var/run/${inst}.pid
+ echo "pkicreate.systemd.servicename=pki-tksd@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /bin/systemctl restart pki-tksd@${inst}.service || :
+ else
+ echo "pkicreate.systemd.servicename=pki-tksd@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ fi
+ fi
+ done
+fi
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+%fix_tomcat_log tks
+
+%preun -n pki-ca
+if [ $1 = 0 ] ; then
+ /bin/systemctl --no-reload disable pki-cad.target > /dev/null 2>&1 || :
+ /bin/systemctl stop pki-cad.target > /dev/null 2>&1 || :
+fi
+
+
+%preun -n pki-kra
+if [ $1 = 0 ] ; then
+ /bin/systemctl --no-reload disable pki-krad.target > /dev/null 2>&1 || :
+ /bin/systemctl stop pki-krad.target > /dev/null 2>&1 || :
+fi
+
+
+%preun -n pki-ocsp
+if [ $1 = 0 ] ; then
+ /bin/systemctl --no-reload disable pki-ocspd.target > /dev/null 2>&1 || :
+ /bin/systemctl stop pki-ocspd.target > /dev/null 2>&1 || :
+fi
+
+
+%preun -n pki-tks
+if [ $1 = 0 ] ; then
+ /bin/systemctl --no-reload disable pki-tksd.target > /dev/null 2>&1 || :
+ /bin/systemctl stop pki-tksd.target > /dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-ca
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ "$1" -ge "1" ] ; then
+ /bin/systemctl try-restart pki-cad.target >/dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-kra
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ "$1" -ge "1" ] ; then
+ /bin/systemctl try-restart pki-krad.target >/dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-ocsp
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ "$1" -ge "1" ] ; then
+ /bin/systemctl try-restart pki-ocspd.target >/dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-tks
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ "$1" -ge "1" ] ; then
+ /bin/systemctl try-restart pki-tksd.target >/dev/null 2>&1 || :
+fi
+%endif
+
+%files -n pki-deploy
+%defattr(-,root,root,-)
+%doc base/deploy/LICENSE
+%{_bindir}/pkispawn
+%{_bindir}/pkidestroy
+#%{_bindir}/pki-setup-proxy
+%dir %{python_sitelib}/pki
+%{python_sitelib}/pki/_*
+%{python_sitelib}/pki/deployment/
+%dir %{_datadir}/pki
+%dir %{_datadir}/pki/deployment
+%{_datadir}/pki/deployment/config/
+%dir %{_datadir}/pki/deployment/spawn
+%{_datadir}/pki/deployment/spawn/ca/
+%{_datadir}/pki/deployment/spawn/kra/
+%{_datadir}/pki/deployment/spawn/ocsp/
+%{_datadir}/pki/deployment/spawn/ra/
+%{_datadir}/pki/deployment/spawn/tks/
+%{_datadir}/pki/deployment/spawn/tps/
+%dir %{_datadir}/pki/deployment/destroy
+%{_datadir}/pki/deployment/destroy/ca/
+%{_datadir}/pki/deployment/destroy/kra/
+%{_datadir}/pki/deployment/destroy/ocsp/
+%{_datadir}/pki/deployment/destroy/ra/
+%{_datadir}/pki/deployment/destroy/tks/
+%{_datadir}/pki/deployment/destroy/tps/
+#%dir %{_localstatedir}/lock/pki
+#%dir %{_localstatedir}/run/pki
+#%if 0%{?fedora} >= 16
+#%{_bindir}/pkicontrol
+#%endif
+#%{_javadir}/resteasy-jettison-provider-2.3-RC1.jar
+
+
+%files -n pki-setup
+%defattr(-,root,root,-)
+%doc base/setup/LICENSE
+%{_bindir}/pkicreate
+%{_bindir}/pkiremove
+%{_bindir}/pki-setup-proxy
+%dir %{_datadir}/pki
+%dir %{_datadir}/pki/scripts
+%{_datadir}/pki/scripts/pkicommon.pm
+%{_datadir}/pki/scripts/functions
+%{_datadir}/pki/scripts/pki_apache_initscript
+%dir %{_localstatedir}/lock/pki
+%dir %{_localstatedir}/run/pki
+%if 0%{?fedora} >= 16
+%{_bindir}/pkicontrol
+%endif
+%{_javadir}/resteasy-jettison-provider-2.3-RC1.jar
+
+
+%files -n pki-symkey
+%defattr(-,root,root,-)
+%doc base/symkey/LICENSE
+%{_jnidir}/symkey.jar
+%{_libdir}/symkey/
+
+%files -n pki-native-tools
+%defattr(-,root,root,-)
+%doc base/native-tools/LICENSE base/native-tools/doc/README
+%{_bindir}/p7tool
+%{_bindir}/revoker
+%{_bindir}/setpin
+%{_bindir}/sslget
+%{_bindir}/tkstool
+%dir %{_datadir}/pki
+%{_datadir}/pki/native-tools/
+
+
+%files -n pki-util
+%defattr(-,root,root,-)
+%doc base/util/LICENSE
+%dir %{_javadir}/pki
+%{_javadir}/pki/pki-cmsutil-%{version}.jar
+%{_javadir}/pki/pki-cmsutil.jar
+%{_javadir}/pki/pki-nsutil-%{version}.jar
+%{_javadir}/pki/pki-nsutil.jar
+
+%files -n pki-util-javadoc
+%defattr(-,root,root,-)
+%{_javadocdir}/pki-util-%{version}/
+
+
+%files -n pki-java-tools
+%defattr(-,root,root,-)
+%doc base/java-tools/LICENSE
+%{_bindir}/AtoB
+%{_bindir}/AuditVerify
+%{_bindir}/BtoA
+%{_bindir}/CMCEnroll
+%{_bindir}/CMCRequest
+%{_bindir}/CMCResponse
+%{_bindir}/CMCRevoke
+%{_bindir}/CRMFPopClient
+%{_bindir}/DRMTool
+%{_bindir}/ExtJoiner
+%{_bindir}/GenExtKeyUsage
+%{_bindir}/GenIssuerAltNameExt
+%{_bindir}/GenSubjectAltNameExt
+%{_bindir}/HttpClient
+%{_bindir}/OCSPClient
+%{_bindir}/PKCS10Client
+%{_bindir}/PKCS12Export
+%{_bindir}/PrettyPrintCert
+%{_bindir}/PrettyPrintCrl
+%{_bindir}/TokenInfo
+%{_javadir}/pki/pki-tools-%{version}.jar
+%{_javadir}/pki/pki-tools.jar
+%{_datadir}/pki/java-tools/
+
+%files -n pki-java-tools-javadoc
+%defattr(-,root,root,-)
+%{_javadocdir}/pki-java-tools-%{version}/
+
+
+%files -n pki-common
+%defattr(-,root,root,-)
+%doc base/common/LICENSE
+%{_javadir}/pki/pki-certsrv-%{version}.jar
+%{_javadir}/pki/pki-certsrv.jar
+%{_javadir}/pki/pki-cms-%{version}.jar
+%{_javadir}/pki/pki-cms.jar
+%{_javadir}/pki/pki-cmsbundle-%{version}.jar
+%{_javadir}/pki/pki-cmsbundle.jar
+%{_javadir}/pki/pki-cmscore-%{version}.jar
+%{_javadir}/pki/pki-cmscore.jar
+
+%if 0%{?fedora} >= 16
+# Create symlink to the pki-jndi-realm jar
+%{_javadir}/tomcat6/pki-jndi-realm.jar
+%endif
+
+%{_javadir}/pki/pki-jndi-realm-%{version}.jar
+%{_javadir}/pki/pki-jndi-realm.jar
+
+%{_datadir}/pki/setup/
+
+%files -n pki-common-javadoc
+%defattr(-,root,root,-)
+%{_javadocdir}/pki-common-%{version}/
+
+
+%files -n pki-selinux
+%defattr(-,root,root,-)
+%doc base/selinux/LICENSE
+%{_datadir}/selinux/modules/pki.pp
+
+
+%files -n pki-ca
+%defattr(-,root,root,-)
+%doc base/ca/LICENSE
+%if 0%{?fedora} >= 16
+%dir %{_sysconfdir}/systemd/system/pki-cad.target.wants
+%{_unitdir}/pki-cad@.service
+%{_unitdir}/pki-cad.target
+%else
+%{_initrddir}/pki-cad
+%endif
+%{_javadir}/pki/pki-ca-%{version}.jar
+%{_javadir}/pki/pki-ca.jar
+%dir %{_datadir}/pki/ca
+%{_datadir}/pki/ca/conf/
+%{_datadir}/pki/ca/emails/
+%dir %{_datadir}/pki/ca/profiles
+%{_datadir}/pki/ca/profiles/ca/
+%{_datadir}/pki/ca/webapps/
+%{_datadir}/pki/ca/setup/
+%dir %{_localstatedir}/lock/pki/ca
+%dir %{_localstatedir}/run/pki/ca
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-ca.conf
+%endif
+
+
+%files -n pki-kra
+%defattr(-,root,root,-)
+%doc base/kra/LICENSE
+%if 0%{?fedora} >= 16
+%dir %{_sysconfdir}/systemd/system/pki-krad.target.wants
+%{_unitdir}/pki-krad@.service
+%{_unitdir}/pki-krad.target
+%else
+%{_initrddir}/pki-krad
+%endif
+%{_javadir}/pki/pki-kra-%{version}.jar
+%{_javadir}/pki/pki-kra.jar
+%dir %{_datadir}/pki/kra
+%{_datadir}/pki/kra/conf/
+%{_datadir}/pki/kra/setup/
+%{_datadir}/pki/kra/webapps/
+%dir %{_localstatedir}/lock/pki/kra
+%dir %{_localstatedir}/run/pki/kra
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-kra.conf
+%endif
+
+
+%files -n pki-ocsp
+%defattr(-,root,root,-)
+%doc base/ocsp/LICENSE
+%if 0%{?fedora} >= 16
+%dir %{_sysconfdir}/systemd/system/pki-ocspd.target.wants
+%{_unitdir}/pki-ocspd@.service
+%{_unitdir}/pki-ocspd.target
+%else
+%{_initrddir}/pki-ocspd
+%endif
+%{_javadir}/pki/pki-ocsp-%{version}.jar
+%{_javadir}/pki/pki-ocsp.jar
+%dir %{_datadir}/pki/ocsp
+%{_datadir}/pki/ocsp/conf/
+%{_datadir}/pki/ocsp/setup/
+%{_datadir}/pki/ocsp/webapps/
+%dir %{_localstatedir}/lock/pki/ocsp
+%dir %{_localstatedir}/run/pki/ocsp
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
+%endif
+
+
+%files -n pki-tks
+%defattr(-,root,root,-)
+%doc base/tks/LICENSE
+%if 0%{?fedora} >= 16
+%dir %{_sysconfdir}/systemd/system/pki-tksd.target.wants
+%{_unitdir}/pki-tksd@.service
+%{_unitdir}/pki-tksd.target
+%else
+%{_initrddir}/pki-tksd
+%endif
+%{_javadir}/pki/pki-tks-%{version}.jar
+%{_javadir}/pki/pki-tks.jar
+%dir %{_datadir}/pki/tks
+%{_datadir}/pki/tks/conf/
+%{_datadir}/pki/tks/setup/
+%{_datadir}/pki/tks/webapps/
+%dir %{_localstatedir}/lock/pki/tks
+%dir %{_localstatedir}/run/pki/tks
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-tks.conf
+%endif
+
+
+%files -n pki-silent
+%defattr(-,root,root,-)
+%doc base/silent/LICENSE
+%{_bindir}/pkisilent
+%{_javadir}/pki/pki-silent-%{version}.jar
+%{_javadir}/pki/pki-silent.jar
+%{_datadir}/pki/silent/
+
+
+%changelog
+* Fri Mar 16 2012 Ade Lee <alee@redhat.com> 10.0.0-0.11.a1
+- BZ 802396 - Change location of TOMCAT_LOG to match tomcat6 changes
+- Corrected patch selected for selinux f17 rules
+
+* Wed Mar 14 2012 Matthew Harmsen <mharmsen@redhat.com> 10.0.0-0.10.a1
+- Corrected 'junit' dependency check
+
+* Mon Mar 12 2012 Matthew Harmsen <mharmsen@redhat.com> 10.0.0-0.9.a1
+- Initial attempt at PKI deployment framework described in
+ 'http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment'.
+
+* Fri Mar 09 2012 Jack Magne <jmagne@redhat.com> 10.0.0-0.8.a1
+- Added support for pki-jndi-realm in tomcat6 in pki-common
+ and pki-kra.
+- Ticket #69.
+
+* Fri Mar 2 2012 Matthew Harmsen <mharmsen@redhat.com> 10.0.0-0.7.a1
+- For 'mock' purposes, removed platform-specific logic from around
+ the 'patch' files so that ALL 'patch' files will be included in
+ the SRPM.
+
+* Wed Feb 29 2012 Endi S. Dewata <edewata@redhat.com> 10.0.0-0.6.a1
+- Removed dependency on OSUtil.
+
+* Tue Feb 28 2012 Ade Lee <alee@redhat.com> 10.0.0-0.5.a1
+- 'pki-selinux'
+- Added platform-dependent patches for SELinux component
+- Bugzilla Bug #739708 - Selinux fix for ephemeral ports (F16)
+- Bugzilla Bug #795966 - pki-selinux policy is kind of a mess (F17)
+
+* Wed Feb 23 2012 Endi S. Dewata <edewata@redhat.com> 10.0.0-0.4.a1
+- Added dependency on Apache Commons Codec.
+
+* Wed Feb 22 2012 Matthew Harmsen <mharmsen@redhat.com> 10.0.0-0.3.a1
+- Add '-DSYSTEMD_LIB_INSTALL_DIR' override flag to 'cmake' to address changes
+ in fundamental path structure in Fedora 17
+- 'pki-setup'
+- Hard-code Perl dependencies to protect against bugs such as
+ Bugzilla Bug #772699 - Adapt perl and python fileattrs to
+ changed file 5.10 magics
+- 'pki-selinux'
+- Bugzilla Bug #795966 - pki-selinux policy is kind of a mess
+
+* Mon Feb 20 2012 Matthew Harmsen <mharmsen@redhat.com> 10.0.0-0.2.a1
+- Integrated 'pki-kra' into 'pki-core'
+- Integrated 'pki-ocsp' into 'pki-core'
+- Integrated 'pki-tks' into 'pki-core'
+- Bugzilla Bug #788787 - added 'junit'/'junit4' build-time requirements
+
+* Wed Feb 1 2012 Nathan Kinder <nkinder@redhat.com> 10.0.0-0.1.a1
+- Updated package version number
+
+* Mon Jan 16 2012 Ade Lee <alee@redhat.com> 9.0.16-3
+- Added resteasy-jettison-provider-2.3-RC1.jar to pki-setup
+
+* Mon Nov 28 2011 Endi S. Dewata <edewata@redhat.com> 9.0.16-2
+- Added JUnit tests
+
+* Fri Oct 28 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.16-1
+- 'pki-setup'
+- 'pki-symkey'
+- 'pki-native-tools'
+- 'pki-util'
+- Bugzilla Bug #737122 - DRM: during archiving and recovering,
+ wrapping unwrapping keys should be done in the token (cfu)
+- 'pki-java-tools'
+- 'pki-common'
+- Bugzilla Bug #744797 - KRA key recovery (retrieve pkcs#12) fails after
+ the in-place upgrade( CS 8.0->8.1) (cfu)
+- 'pki-selinux'
+- 'pki-ca'
+- Bugzilla Bug #746367 - Typo in the profile name. (jmagne)
+- Bugzilla Bug #737122 - DRM: during archiving and recovering,
+ wrapping unwrapping keys should be done in the token (cfu)
+- Bugzilla Bug #749927 - Java class conflicts using Java 7 in Fedora 17
+ (rawhide) . . . (mharmsen)
+- Bugzilla Bug #749945 - Installation error reported during CA, DRM,
+ OCSP, and TKS package installation . . . (mharmsen)
+- 'pki-silent'
+
+* Thu Sep 22 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.15-1
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen)
+- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
+- 'pki-setup'
+- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS
+ mode (cfu)
+- Bugzilla Bug #737192 - Need script to upgrade proxy configuration (alee)
+- 'pki-symkey'
+- Bugzilla Bug #730162 - TPS/TKS token enrollment failure in FIPS mode
+ (hsm+NSS). (jmagne)
+- 'pki-native-tools'
+- Bugzilla Bug #730801 - Coverity issues in native-tools area (awnuk)
+- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS
+ mode (cfu)
+- 'pki-util'
+- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS
+ mode (cfu)
+- 'pki-java-tools'
+- 'pki-common'
+- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS
+ mode (cfu)
+- Bugzilla Bug #737218 - Incorrect request attribute name matching
+ ignores request attributes during request parsing. (awnuk)
+- Bugzilla Bug #730162 - TPS/TKS token enrollment failure in FIPS mode
+ (hsm+NSS). (jmagne)
+- 'pki-selinux'
+- Bugzilla Bug #739708 - pki-selinux lacks rules in F16 (alee)
+- 'pki-ca'
+- Bugzilla Bug #712931 - CS requires too many ports
+ to be open in the FW (alee)
+- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS
+ mode (cfu)
+- 'pki-silent'
+- Bugzilla Bug #739201 - pkisilent does not take arch into account
+ as Java packages migrated to arch-dependent directories (mharmsen)
+
+* Fri Sep 9 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.14-1
+- 'pki-setup'
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
+- 'pki-symkey'
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
+- 'pki-native-tools'
+- 'pki-util'
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
+- 'pki-java-tools'
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
+- 'pki-common'
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
+- 'pki-selinux'
+- 'pki-ca'
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
+- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
+- 'pki-silent'
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
+
+* Tue Sep 6 2011 Ade Lee <alee@redhat.com> 9.0.13-1
+- 'pki-setup'
+- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
+- 'pki-ca'
+- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
+- 'pki-common'
+- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
+
+* Tue Aug 23 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.12-1
+- 'pki-setup'
+- Bugzilla Bug #712931 - CS requires too many ports
+ to be open in the FW (alee)
+- 'pki-symkey'
+- 'pki-native-tools'
+- Bugzilla Bug #717643 - Fopen without NULL check and other Coverity
+ issues (awnuk)
+- Bugzilla Bug #730801 - Coverity issues in native-tools area (awnuk)
+- 'pki-util'
+- 'pki-java-tools'
+- 'pki-common'
+- Bugzilla Bug #700522 - pki tomcat6 instances currently running
+ unconfined, allow server to come up when selinux disabled (alee)
+- Bugzilla Bug #731741 - some CS.cfg nickname parameters not updated
+ correctly when subsystem cloned (using hsm) (alee)
+- Bugzilla Bug #712931 - CS requires too many ports
+ to be open in the FW (alee)
+- 'pki-selinux'
+- Bugzilla Bug #712931 - CS requires too many ports
+ to be open in the FW (alee)
+- 'pki-ca'
+- Bugzilla Bug #712931 - CS requires too many ports
+ to be open in the FW (alee)
+- 'pki-silent'
+
+* Wed Aug 10 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.11-1
+- 'pki-setup'
+- Bugzilla Bug #689909 - Dogtag installation under IPA takes too much
+ time - remove the inefficient sleeps (alee)
+- 'pki-symkey'
+- 'pki-native-tools'
+- 'pki-util'
+- 'pki-java-tools'
+- Bugzilla Bug #724861 - DRMTool: fix duplicate "dn:" records by
+ renumbering "cn=<value>" (mharmsen)
+- 'pki-common'
+- Bugzilla Bug #717041 - Improve escaping of some enrollment inputs like
+ (jmagne, awnuk)
+- Bugzilla Bug #689909 - Dogtag installation under IPA takes too much
+ time - remove the inefficient sleeps (alee)
+- Bugzilla Bug #708075 - Clone installation does not work over NAT
+ (alee)
+- Bugzilla Bug #726785 - If replication fails while setting up a clone
+ it will wait forever (alee)
+- Bugzilla Bug #728332 - xml output has changed on cert requests (awnuk)
+- Bugzilla Bug #700505 - pki tomcat6 instances currently running
+ unconfined (alee)
+- 'pki-selinux'
+- Bugzilla Bug #700505 - pki tomcat6 instances currently running
+ unconfined (alee)
+- 'pki-ca'
+- Bugzilla Bug #728605 - RFE: increase default validity from 6mo to 2yrs
+ in IPA profile (awnuk)
+- 'pki-silent'
+- Bugzilla Bug #689909 - Dogtag installation under IPA takes too much
+ time - remove the inefficient sleeps (alee)
+
+* Fri Jul 22 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.10-1
+- 'pki-setup'
+- 'pki-symkey'
+- 'pki-native-tools'
+- 'pki-util'
+- Bugzilla Bug #719007 - Key Constraint keyParameter being ignored
+ using an ECC CA to generate ECC certs from CRMF. (jmagne)
+- Bugzilla Bug #716307 - rhcs80 - DER shall not include an encoding
+ for any component value which is equal to its default value (alee)
+- 'pki-java-tools'
+- 'pki-common'
+- Bugzilla Bug #720510 - Console: Adding a certificate into nethsm
+ throws Token not found error. (jmagne)
+- Bugzilla Bug #719007 - Key Constraint keyParameter being ignored
+ using an ECC CA to generate ECC certs from CRMF. (jmagne)
+- Bugzilla Bug #716307 - rhcs80 - DER shall not include an encoding
+ for any component value which is equal to its default value (alee)
+- Bugzilla Bug #722989 - Registering an agent when a subsystem is
+ created - does not log AUTHZ_SUCCESS event. (alee)
+- 'pki-selinux'
+- 'pki-ca'
+- Bugzilla Bug #719113 - Add client usage flag to caIPAserviceCert
+ (awnuk)
+- 'pki-silent'
+
+* Thu Jul 14 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.9-1
+- Updated release of 'jss'
+- Updated release of 'tomcatjss' for Fedora 15
+- 'pki-setup'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser
+ (jdennis)
+- Bugzilla Bug #694569 - parameter used by pkiremove not updated (alee)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- 'pki-symkey'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- 'pki-native-tools'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #717765 - TPS configuration: logging into security domain
+ from tps does not work with clientauth=want. (alee)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- 'pki-util'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- 'pki-java-tools'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #532548 - Tool to do DRM re-key (mharmsen)
+- Bugzilla Bug #532548 - Tool to do DRM re-key (config file and record
+ processing) (mharmsen)
+- Bugzilla Bug #532548 - Tool to do DRM re-key (tweaks) (mharmsen)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- 'pki-common'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #695403 - Editing signedaudit or transaction, system
+ logs throws 'Invalid protocol' for OCSP subsystems (alee)
+- Bugzilla Bug #694569 - parameter used by pkiremove not updated (alee)
+- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not
+ populated in the CA signedAudit messages (alee)
+- Bugzilla Bug #694143 - CA Agent not returning specified request (awnuk)
+- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not
+ populated in the CA signedAudit messages (jmagne)
+- Bugzilla Bug #698885 - Race conditions during IPA installation (alee)
+- Bugzilla Bug #704792 - CC_LAB_EVAL: CA agent interface:
+ SubjectID=$Unidentified$ fails audit evaluation (jmagne)
+- Bugzilla Bug #705914 - SCEP mishandles nicknames when processing
+ subsequent SCEP requests. (awnuk)
+- Bugzilla Bug #661142 - Verification should fail when a revoked
+ certificate is added. (jmagne)
+- Bugzilla Bug #707416 - CC_LAB_EVAL: Security Domain: missing audit msgs
+ for modify/add (alee)
+- Bugzilla Bug #707416 - additional audit messages for GetCookie (alee)
+- Bugzilla Bug #707607 - Published certificate summary has list of
+ non-published certificates with succeeded status (jmagne)
+- Bugzilla Bug #717813 - EV_AUDIT_LOG_SHUTDOWN audit log not generated
+ for tps and ca on server shutdown (jmagne)
+- Bugzilla Bug #697939 - DRM signed audit log message - operation should
+ be read instead of modify (jmagne)
+- Bugzilla Bug #718427 - When audit log is full, server continue to
+ function. (alee)
+- Bugzilla Bug #718607 - CC_LAB_EVAL: No AUTH message is generated in
+ CA's signedaudit log when a directory based user enrollment is
+ performed (jmagne)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- 'pki-selinux'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #720503 - RA and TPS require additional SELinux
+ permissions to run in "Enforcing" mode (alee)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- 'pki-ca'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser
+ (jdennis)
+- Bugzilla Bug #699837 - service command is not fully backwards
+ compatible with Dogtag pki subsystems (mharmsen)
+- Bugzilla Bug #649910 - Console: an auditor or agent can be added to an
+ administrator group. (jmagne)
+- Bugzilla Bug #707416 - CC_LAB_EVAL: Security Domain: missing audit msgs
+ for modify/add (alee)
+- Bugzilla Bug #716269 - make ra authenticated profiles non-visible on ee
+ pages (alee)
+- Bugzilla Bug #718621 - CC_LAB_EVAL: PRIVATE_KEY_ARCHIVE_REQUEST occurs
+ for a revocation invoked by EE user (awnuk)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- 'pki-silent'
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+ (mharmsen)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+
+* Wed May 25 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.8-2
+- 'pki-setup'
+- 'pki-symkey'
+- 'pki-native-tools'
+- 'pki-util'
+- 'pki-java-tools'
+- Added 'DRMTool.cfg' configuration file to inventory
+- 'pki-common'
+- 'pki-selinux'
+- 'pki-ca'
+- 'pki-silent'
+
+* Wed May 25 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.8-1
+- 'pki-setup'
+- 'pki-symkey'
+- 'pki-native-tools'
+- 'pki-util'
+- 'pki-java-tools'
+- Bugzilla Bug #532548 - Tool to do DRM re-key
+- 'pki-common'
+- 'pki-selinux'
+- 'pki-ca'
+- 'pki-silent'
+
+* Tue Apr 26 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.7-1
+- 'pki-setup'
+- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser
+- Bugzilla Bug #694569 - parameter used by pkiremove not updated
+- 'pki-symkey'
+- 'pki-native-tools'
+- 'pki-util'
+- 'pki-java-tools'
+- 'pki-common'
+- Bugzilla Bug #695403 - Editing signedaudit or transaction, system logs
+ throws 'Invalid protocol' for OCSP subsystems
+- Bugzilla Bug #694569 - parameter used by pkiremove not updated
+- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not
+ populated in the CA signedAudit messages
+- Bugzilla Bug #694143 - CA Agent not returning specified request
+- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not
+ populated in the CA signedAudit messages
+- Bugzilla Bug #698885 - Race conditions during IPA installation
+- 'pki-selinux'
+- 'pki-ca'
+- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser
+- Bugzilla Bug #699837 - service command is not fully backwards compatible
+ with Dogtag pki subsystems
+- 'pki-silent'
+
+* Mon Apr 11 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.6-2
+- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
+
+* Tue Apr 5 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.6-1
+- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta)
+- Bugzilla Bug #693327 - Missing requires: tomcatjss
+- 'pki-setup'
+- Bugzilla Bug #690626 - pkiremove removes the registry entry for
+ all instances on a machine
+- 'pki-symkey'
+- 'pki-native-tools'
+- 'pki-util'
+- 'pki-java-tools'
+- Bugzilla Bug #689453 - CRMFPopClient request to CA's unsecure port
+ throws file not found exception.
+- 'pki-common'
+- Bugzilla Bug #692990 - Audit log messages needed to match CC doc:
+ DRM Recovery audit log messages
+- 'pki-selinux'
+- 'pki-ca'
+- 'pki-silent'
+
+* Tue Apr 5 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.5-2
+- Bugzilla Bug #693327 - Missing requires: tomcatjss
+
+* Fri Mar 25 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.5-1
+- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta)
+- Require "jss >= 4.2.6-15" as a build and runtime requirement
+- Require "tomcatjss >= 2.1.1" as a build and runtime requirement
+ for Fedora 15 and later platforms
+- 'pki-setup'
+- Bugzilla Bug #688287 - Add "deprecation" notice regarding using
+ "shared ports" in pkicreate -help . . .
+- Bugzilla Bug #688251 - Dogtag installation under IPA takes
+ too much time - SELinux policy compilation
+- 'pki-symkey'
+- 'pki-native-tools'
+- 'pki-util'
+- 'pki-java-tools'
+- Bugzilla Bug #689501 - ExtJoiner tool fails to join the multiple
+ extensions
+- 'pki-common'
+- Bugzilla Bug #683581 - CA configuration with ECC(Default
+ EC curve-nistp521) CA fails with 'signing operation failed'
+- Bugzilla Bug #689662 - ocsp publishing needs to be re-enabled
+ on the EE port
+- 'pki-selinux'
+- Bugzilla Bug #684871 - ldaps selinux link change
+- 'pki-ca'
+- Bugzilla Bug #683581 - CA configuration with ECC(Default
+ EC curve-nistp521) CA fails with 'signing operation failed'
+- Bugzilla Bug #684381 - CS.cfg specifies incorrect type of comments
+- Bugzilla Bug #689453 - CRMFPopClient request to CA's unsecure port
+ throws file not found exception.(profile and CS.cfg only)
+- 'pki-silent'
+
+* Thu Mar 17 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.4-1
+- Bugzilla Bug #688763 - Rebase updated Dogtag Packages for Fedora 15 (alpha)
+- Bugzilla Bug #676182 - IPA installation failing - Fails to create CA
+ instance
+- Bugzilla Bug #675742 - Profile caIPAserviceCert Not Found
+- 'pki-setup'
+- Bugzilla Bug #678157 - uninitialized variable warnings from Perl
+- Bugzilla Bug #679574 - Velocity fails to load all dependent classes
+- Bugzilla Bug #680420 - xml-commons-apis.jar dependency
+- Bugzilla Bug #682013 - pkisilent needs xml-commons-apis.jar in it's
+ classpath
+- Bugzilla Bug #673508 - CS8 64 bit pkicreate script uses wrong library
+ name for SafeNet LunaSA
+- 'pki-common'
+- Bugzilla Bug #673638 - Installation within IPA hangs
+- Bugzilla Bug #678715 - netstat loop fixes needed
+- Bugzilla Bug #673609 - CC: authorize() call needs to be added to
+ getStats servlet
+- 'pki-selinux'
+- Bugzilla Bug #674195: SELinux error message thrown during token
+ enrollment
+- 'pki-ca'
+- Bugzilla Bug #673638 - Installation within IPA hangs
+- Bugzilla Bug #673609 - CC: authorize() call needs to be added to
+ getStats servlet
+- Bugzilla Bug #676330 - init script cannot start service
+- 'pki-silent'
+- Bugzilla Bug #682013 - pkisilent needs xml-commons-apis.jar in it's
+ classpath
+
+* Wed Feb 9 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-2
+- 'pki-common'
+- Bugzilla Bug #676051 - IPA installation failing - Fails to create CA
+ instance
+- Bugzilla Bug #676182 - IPA installation failing - Fails to create CA
+ instance
+
+* Fri Feb 4 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-1
+- 'pki-common'
+- Bugzilla Bug #674894 - ipactl restart : an annoy output line
+- Bugzilla Bug #675179 - ipactl restart : an annoy output line
+
+* Thu Feb 3 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.2-1
+- Bugzilla Bug #673233 - Rebase pki-core to pick the latest features and fixes
+- 'pki-setup'
+- Bugzilla Bug #673638 - Installation within IPA hangs
+- 'pki-symkey'
+- 'pki-native-tools'
+- 'pki-util'
+- 'pki-java-tools'
+- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided
+ by 'netscape.security.provider' package
+- 'pki-common'
+- Bugzilla Bug #672291 - CA is not publishing certificates issued using
+ "Manual User Dual-Use Certificate Enrollment"
+- Bugzilla Bug #670337 - CA Clone configuration throws TCP connection
+ error.
+- Bugzilla Bug #504056 - Completed SCEP requests are assigned to the
+ "begin" state instead of "complete".
+- Bugzilla Bug #504055 - SCEP requests are not properly populated
+- Bugzilla Bug #564207 - Searches for completed requests in the agent
+ interface returns zero entries
+- Bugzilla Bug #672291 - CA is not publishing certificates issued using
+ "Manual User Dual-Use Certificate Enrollment" -
+- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided
+ by 'netscape.security.provider' package
+- Bugzilla Bug #672920 - CA console: adding policy to a profile throws
+ 'Duplicate policy' error in some cases.
+- Bugzilla Bug #673199 - init script returns control before web apps have
+ started
+- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI
+ subsystem instances
+- 'pki-selinux'
+- 'pki-ca'
+- Bugzilla Bug #504013 - sscep request is rejected due to authentication
+ error if submitted through one time pin router certificate enrollment.
+- Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing
+ information
+- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml
+ as part of CC interface review
+- Bugzilla Bug #672333 - Creation of RA agent fails in IPA installation
+- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI
+ subsystem instances
+- 'pki-silent'
+- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided
+ by 'netscape.security.provider' package
+
+* Wed Feb 2 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.1-3
+- Bugzilla Bug #656661 - Please Update Spec File to use 'ghost' on files
+ in /var/run and /var/lock
+
+* Thu Jan 20 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.1-2
+- 'pki-symkey'
+- Bugzilla Bug #671265 - pki-symkey jar version incorrect
+- 'pki-common'
+- Bugzilla Bug #564207 - Searches for completed requests in the agent
+ interface returns zero entries
+
+* Tue Jan 18 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.1-1
+- Allow 'pki-native-tools' to be installed independently of 'pki-setup'
+- Removed explicit 'pki-setup' requirement from 'pki-ca'
+ (since it already requires 'pki-common')
+- 'pki-setup'
+- Bugzilla Bug #223343 - pkicreate: should add 'pkiuser' to nfast group
+- Bugzilla Bug #629377 - Selinux errors during pkicreate CA, KRA, OCSP
+ and TKS.
+- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port
+ fowarding for agent services
+- Bugzilla Bug #632425 - Port to tomcat6
+- Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from
+ OpenLDAP instead of the Mozldap
+- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
+ interface
+- Bugzilla Bug #643206 - New CMake based build system for Dogtag
+- Bugzilla Bug #658926 - org.apache.commons.lang class not found on F13
+- Bugzilla Bug #661514 - CMAKE build system requires rules to make
+ javadocs
+- Bugzilla Bug #665388 - jakarta-* jars have been renamed to apache-*,
+ pkicreate fails Fedora 14 and above
+- Bugzilla Bug #23346 - Two conflicting ACL list definitions in source
+ repository
+- Bugzilla Bug #656733 - Standardize jar install location and jar names
+- 'pki-symkey'
+- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
+ interface
+- Bugzilla Bug #643206 - New CMake based build system for Dogtag
+- Bugzilla Bug #644056 - CS build contains warnings
+- 'pki-native-tools'
+- template change
+- Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from
+ OpenLDAP instead of the Mozldap
+- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
+ interface
+- Bugzilla Bug #643206 - New CMake based build system for Dogtag
+- Bugzilla Bug #644056 - CS build contains warnings
+- 'pki-util'
+- Bugzilla Bug #615814 - rhcs80 - profile policyConstraintsCritical
+ cannot be set to true
+- Bugzilla Bug #224945 - javadocs has missing descriptions, contains
+ empty packages
+- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes.
+- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte
+ senderNonce in all signed SCEP responses.
+- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade
+ attack in SCEP
+- Bugzilla Bug #621334 - Provide an option to set default hash algorithm
+ for signing SCEP response messages.
+- Bugzilla Bug #635033 - At installation wizard selecting key types other
+ than CA's signing cert will fail
+- Bugzilla Bug #645874 - rfe ecc - add ecc curve name support in JSS and
+ CS interface
+- Bugzilla Bug #488253 - com.netscape.cmsutil.ocsp.BasicOCSPResponse
+ ASN.1 encoding/decoding is broken
+- Bugzilla Bug #551410 - com.netscape.cmsutil.ocsp.TBSRequest ASN.1
+ encoding/decoding is incomplete
+- Bugzilla Bug #550331 - com.netscape.cmsutil.ocsp.ResponseData ASN.1
+ encoding/decoding is incomplete
+- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit
+ policy extension to 5 only
+- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
+ interface
+- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
+- Bugzilla Bug #643206 - New CMake based build system for Dogtag
+- Bugzilla Bug #661514 - CMAKE build system requires rules to make
+ javadocs
+- Bugzilla Bug #658188 - remove remaining references to tomcat5
+- Bugzilla Bug #656733 - Standardize jar install location and jar names
+- Bugzilla Bug #223319 - Certificate Status inconsistency between token
+ db and CA
+- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory
+ During CRL Generation
+- 'pki-java-tools'
+- Bugzilla Bug #224945 - javadocs has missing descriptions, contains
+ empty packages
+- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
+ interface
+- Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1
+- Bugzilla Bug #643206 - New CMake based build system for Dogtag
+- Bugzilla Bug #661514 - CMAKE build system requires rules to make
+ javadocs
+- Bugzilla Bug #662156 - HttpClient is hard-coded to handle only up to
+ 5000 bytes
+- Bugzilla Bug #656733 - Standardize jar install location and jar names
+- 'pki-common'
+- Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review
+- Bugzilla Bug #623745 - SessionTimer with LDAPSecurityDomainSessionTable
+ started before configuration completed
+- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit
+ logs in the java subsystems
+- Bugzilla Bug #615827 - rhcs80 - profile policies need more than 5
+ policy mappings (seem hardcoded)
+- Bugzilla Bug #224945 - javadocs has missing descriptions, contains
+ empty packages
+- Bugzilla Bug #548699 - subCA's admin certificate should be generated by
+ itself
+- Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA
+- Bugzilla Bug #563386 - rhcs80 ca crash on invalid inputs to profile
+ caAgentServerCert (null cert_request)
+- Bugzilla Bug #621339 - SCEP one-time PIN can be used an unlimited
+ number of times
+- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml
+ as part of CC interface review
+- Bugzilla Bug #629677 - TPS: token enrollment fails.
+- Bugzilla Bug #621350 - Unauthenticated user can decrypt a one-time PIN
+ in a SCEP request
+- Bugzilla Bug #503838 - rhcs71-80 external publishing ldap connection
+ pools not reliable - improve connections or discovery
+- Bugzilla Bug #629769 - password decryption logs plain text password
+- Bugzilla Bug #583823 - CC: Auditing issues found as result of
+ CC - interface review
+- Bugzilla Bug #632425 - Port to tomcat6
+- Bugzilla Bug #586700 - OCSP Server throws fatal error while using
+ OCSP console for renewing SSL Server certificate.
+- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes.
+- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte
+ senderNonce in all signed SCEP responses.
+- Bugzilla Bug #607380 - CC: Make sure Java Console can configure all
+ security relevant config items
+- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be
+ generated on TKS instead of TPS.
+- Bugzilla Bug #489342 -
+ com.netscape.cms.servlet.common.CMCOutputTemplate.java
+ doesn't support EC
+- Bugzilla Bug #630121 - OCSP responder lacking option to delete or
+ disable a CA that it serves
+- Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1
+- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade
+ attack in SCEP
+- Bugzilla Bug #621334 - Provide an option to set default hash algorithm
+ for signing SCEP response messages.
+- Bugzilla Bug #635033 - At installation wizard selecting key types other
+ than CA's signing cert will fail
+- Bugzilla Bug #621341 - Add CA support for new SCEP key pair dedicated
+ for SCEP signing and encryption.
+- Bugzilla Bug #223336 - ECC: unable to clone a ECC CA
+- Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned
+ by Reason Code - onlySomeReasons ?
+- Bugzilla Bug #637330 - CC feature: Key Management - provide signature
+ verification functions (JAVA subsystems)
+- Bugzilla Bug #223313 - should do random generated IV param
+ for symmetric keys
+- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port
+ fowarding for agent services
+- Bugzilla Bug #630176 - Improve reliability of the LdapAnonConnFactory
+- Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on
+ ECC curve names (not on key sizes).
+- Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple
+ Certificates from the Same Request
+- Bugzilla Bug #648757 - expose and use updated cert verification
+ function in JSS
+- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection
+ of signature algorithm; and for ECC curves
+- Bugzilla Bug #451874 - RFE - Java console - Certificate Wizard missing
+ e.c. support
+- Bugzilla Bug #651040 - cloning shoud not include sslserver
+- Bugzilla Bug #542863 - RHCS8: Default cert audit nickname written to
+ CS.cfg files imcomplete when the cert is stored on a hsm
+- Bugzilla Bug #360721 - New Feature: Profile Integrity Check . . .
+- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports
+ to talk to CA and complete configuration in DonePanel
+- Bugzilla Bug #642359 - CC Feature - need to verify certificate when it
+ is added
+- Bugzilla Bug #653713 - CC: setting trust on a CIMC cert requires
+ auditing
+- Bugzilla Bug #489385 - references to rhpki
+- Bugzilla Bug #499494 - change CA defaults to SHA2
+- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit
+ policy extension to 5 only
+- Bugzilla Bug #649910 - Console: an auditor or agent can be added to
+ an administrator group.
+- Bugzilla Bug #632425 - Port to tomcat6
+- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
+ interface
+- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
+- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets
+ as expected
+- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for
+ validity
+- Bugzilla Bug #643206 - New CMake based build system for Dogtag
+- Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1
+- Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with
+ Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA.
+- Bugzilla Bug #661889 - The Servlet TPSRevokeCert of the CA returns an
+ error to TPS even if certificate in question is already revoked.
+- Bugzilla Bug #663546 - Disable the functionalities that are not exposed
+ in the console
+- Bugzilla Bug #661514 - CMAKE build system requires rules to make
+ javadocs
+- Bugzilla Bug #658188 - remove remaining references to tomcat5
+- Bugzilla Bug #649343 - Publishing queue should recover from CA crash.
+- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and
+ pkiCA, obsolete 2252 and 2256
+- Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs
+- Bugzilla Bug #656733 - Standardize jar install location and jar names
+- Bugzilla Bug #661142 - Verification should fail when
+ a revoked certificate is added
+- Bugzilla Bug #642741 - CS build uses deprecated functions
+- Bugzilla Bug #670337 - CA Clone configuration throws TCP connection error
+- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time
+ interface is no longer available through console
+- 'pki-selinux'
+- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
+ interface
+- Bugzilla Bug #643206 - New CMake based build system for Dogtag
+- Bugzilla Bug #667153 - store nuxwdog passwords in kernel ring buffer -
+ selinux changes
+- 'pki-ca'
+- Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review
+- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit
+ logs in the java subsystems
+- Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA
+- Bugzilla Bug #583824 - CC: Duplicate servlet mappings found as part of
+ CC interface doc review
+- Bugzilla Bug #621602 - pkiconsole: Click on 'Publishing' option with
+ admin privilege throws error "You are not authorized to perform this
+ operation".
+- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml
+ as part of CC interface review
+- Bugzilla Bug #583823 - CC: Auditing issues found as result of
+ CC - interface review
+- Bugzilla Bug #519291 - Deleting a CRL Issuing Point after edits throws
+ 'Internal Server Error'.
+- Bugzilla Bug #586700 - OCSP Server throws fatal error while using
+ OCSP console for renewing SSL Server certificate.
+- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes.
+- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte
+ senderNonce in all signed SCEP responses.
+- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be
+ generated on TKS instead of TPS.
+- Bugzilla Bug #630121 - OCSP responder lacking option to delete or
+ disable a CA that it serves
+- Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1
+- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade
+ attack in SCEP
+- Bugzilla Bug #621334 - Provide an option to set default hash algorithm
+ for signing SCEP response messages.
+- Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned
+ by Reason Code - onlySomeReasons ?
+- Bugzilla Bug #637330 - CC feature: Key Management - provide signature
+ verification functions (JAVA subsystems)
+- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port
+ fowarding for agent services
+- Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on
+ ECC curve names (not on key sizes).
+- Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple
+ Certificates from the Same Request
+- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection
+ of signature algorithm; and for ECC curves
+- Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA
+ release -- DRM and TKS do not seem to have CRL checking enabled
+- Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help
+ correctly set up CC environment
+- Bugzilla Bug #509481 - RFE: support sMIMECapabilities extensions in
+ certificates (RFC 4262)
+- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports
+ to talk to CA and complete configuration in DonePanel
+- Bugzilla Bug #511990 - rhcs 7.3, 8.0 - re-activate missing object
+ signing support in RHCS
+- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
+- Bugzilla Bug #489385 - references to rhpki
+- Bugzilla Bug #499494 - change CA defaults to SHA2
+- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit
+ policy extension to 5 only
+- Bugzilla Bug #649910 - Console: an auditor or agent can be added to
+ an administrator group.
+- Bugzilla Bug #632425 - Port to tomcat6
+- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
+ interface
+- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets
+ as expected
+- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for
+ validity
+- Bugzilla Bug #643206 - New CMake based build system for Dogtag
+- Bugzilla Bug #661128 - incorrect CA ports used for revoke, unrevoke
+ certs in TPS
+- Bugzilla Bug #512496 - RFE rhcs80 - crl updates and scheduling feature
+- Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with
+ Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA.
+- Bugzilla Bug #649343 - Publishing queue should recover from CA crash.
+- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and
+ pkiCA, obsolete 2252 and 2256
+- Bugzilla Bug #223346 - Two conflicting ACL list definitions in source
+ repository
+- Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs
+- Bugzilla Bug #656733 - Standardize jar install location and jar names
+- Bugzilla Bug #661142 - Verification should fail when
+ a revoked certificate is added
+- Bugzilla Bug #668100 - DRM storage cert has OCSP signing extended key
+ usage
+- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time
+ interface is no longer available through console
+- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory
+ During CRL Generation
+- 'pki-silent'
+- Bugzilla Bug #627309 - pkisilent subca configuration fails.
+- Bugzilla Bug #640091 - pkisilent panels need to match with changed java
+ subsystems
+- Bugzilla Bug #527322 - pkisilent ConfigureDRM should configure DRM
+ Clone.
+- Bugzilla Bug #643053 - pkisilent DRM configuration fails
+- Bugzilla Bug #583754 - pki-silent needs an option to configure signing
+ algorithm for CA certificates
+- Bugzilla Bug #489385 - references to rhpki
+- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
+ interface
+- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
+- Bugzilla Bug #640042 - TPS Installlation Wizard: need to move Module
+ Panel up to before Security Domain Panel
+- Bugzilla Bug #643206 - New CMake based build system for Dogtag
+- Bugzilla Bug #588323 - Failed to enable cipher 0xc001
+- Bugzilla Bug #656733 - Standardize jar install location and jar names
+- Bugzilla Bug #645895 - pkisilent: add ability to select ECC curves,
+ signing algorithm
+- Bugzilla Bug #658641 - pkisilent doesn't not properly handle passwords
+ with special characters
+- Bugzilla Bug #642741 - CS build uses deprecated functions
+
+* Thu Jan 13 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-3
+- Bugzilla Bug #668839 - Review Request: pki-core
+- Removed empty "pre" from "pki-ca"
+- Consolidated directory ownership
+- Corrected file ownership within subpackages
+- Removed all versioning from NSS and NSPR packages
+
+* Thu Jan 13 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-2
+- Bugzilla Bug #668839 - Review Request: pki-core
+- Added component versioning comments
+- Updated JSS from "4.2.6-10" to "4.2.6-12"
+- Modified installation section to preserve timestamps
+- Removed sectional comments
+
+* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1
+- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)
+