-rw-r--r-- | pki/CMakeLists.txt | 17 | ||||
-rw-r--r-- | pki/base/CMakeLists.txt | 12 | ||||
-rwxr-xr-x | pki/scripts/build_dogtag_pki | 40 | ||||
-rwxr-xr-x | pki/scripts/compose_pki_core_packages | 2 | ||||
-rwxr-xr-x | pki/scripts/compose_pki_kra_packages | 180 | ||||
-rwxr-xr-x | pki/scripts/compose_pki_ocsp_packages | 180 | ||||
-rwxr-xr-x | pki/scripts/compose_pki_tks_packages | 180 | ||||
-rw-r--r-- | pki/specs/pki-core.spec | 526 | ||||
-rw-r--r-- | pki/specs/pki-kra.spec | 442 | ||||
-rw-r--r-- | pki/specs/pki-ocsp.spec | 435 | ||||
-rw-r--r-- | pki/specs/pki-tks.spec | 421 |
11 files changed, 513 insertions, 1922 deletions
diff --git a/pki/CMakeLists.txt b/pki/CMakeLists.txt
index d707abdba..86b914ab9 100644
--- a/pki/CMakeLists.txt
+++ b/pki/CMakeLists.txt
@@ -24,18 +24,9 @@ elseif (BUILD_PKI_CORE)
 set(APPLICATION_FLAVOR_PKI_CORE TRUE)
 # override APPLICATION VERSION
 set(APPLICATION_VERSION_PATCH "0")
-elseif (BUILD_PKI_KRA)
- set(APPLICATION_FLAVOR_PKI_KRA TRUE)
- # override APPLICATION VERSION
- set(APPLICATION_VERSION_PATCH "0")
-elseif (BUILD_PKI_OCSP)
- set(APPLICATION_FLAVOR_PKI_OCSP TRUE)
- set(APPLICATION_VERSION_PATCH "0")
 elseif (BUILD_PKI_RA)
 set(APPLICATION_FLAVOR_PKI_RA TRUE)
- set(APPLICATION_VERSION_PATCH "0")
-elseif (BUILD_PKI_TKS)
- set(APPLICATION_FLAVOR_PKI_TKS TRUE)
+ # override APPLICATION VERSION
 set(APPLICATION_VERSION_PATCH "0")
 elseif (BUILD_PKI_TPS)
 set(APPLICATION_FLAVOR_PKI_TPS TRUE)
@@ -89,9 +80,6 @@ endif ()
 # ONLY required for Java-based PKI components
 if (APPLICATION_FLAVOR_PKI_CORE OR
- APPLICATION_FLAVOR_PKI_KRA OR
- APPLICATION_FLAVOR_PKI_OCSP OR
- APPLICATION_FLAVOR_PKI_TKS OR
 APPLICATION_FLAVOR_PKI_CONSOLE OR
 APPLICATION_FLAVOR_PKI_MIGRATE)
 find_package(Java REQUIRED)
@@ -132,10 +120,7 @@ add_custom_target(uninstall
 # check subdirectories
 if (APPLICATION_FLAVOR_PKI_CORE OR
- APPLICATION_FLAVOR_PKI_KRA OR
- APPLICATION_FLAVOR_PKI_OCSP OR
 APPLICATION_FLAVOR_PKI_RA OR
- APPLICATION_FLAVOR_PKI_TKS OR
 APPLICATION_FLAVOR_PKI_TPS OR
 APPLICATION_FLAVOR_PKI_CONSOLE OR
 APPLICATION_FLAVOR_PKI_MIGRATE)
diff --git a/pki/base/CMakeLists.txt b/pki/base/CMakeLists.txt
index 6230f5688..cd58e3037 100644
--- a/pki/base/CMakeLists.txt
+++ b/pki/base/CMakeLists.txt
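Review bot: Removing the `elseif (BUILD_PKI_KRA)`, `elseif (BUILD_PKI_OCSP)` and `elseif (BUILD_PKI_TKS)` branches leaves a configure run that still passes one of those cache variables with nothing to match; it falls through to whatever the remaining branches and the end of the chain do, and the chain both starts and ends outside this hunk. Nothing tells the caller that the flag has become a no-op and that the three subsystems now come with `BUILD_PKI_CORE`. A guard ahead of the chain makes that explicit: `if (BUILD_PKI_KRA OR BUILD_PKI_OCSP OR BUILD_PKI_TKS)` / `message(FATAL_ERROR "KRA, OCSP and TKS are built by BUILD_PKI_CORE")` / `endif ()`. The second and third hunks drop the matching `APPLICATION_FLAVOR_PKI_*` tests consistently, so only the entry flags need this.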
@@ -12,20 +12,14 @@ if (APPLICATION_FLAVOR_PKI_CORE)
 add_subdirectory(common)
 add_subdirectory(selinux)
 add_subdirectory(ca)
- add_subdirectory(silent)
-endif (APPLICATION_FLAVOR_PKI_CORE)
-if (APPLICATION_FLAVOR_PKI_KRA)
 add_subdirectory(kra)
-endif (APPLICATION_FLAVOR_PKI_KRA)
-if (APPLICATION_FLAVOR_PKI_OCSP)
 add_subdirectory(ocsp)
-endif (APPLICATION_FLAVOR_PKI_OCSP)
+ add_subdirectory(tks)
+ add_subdirectory(silent)
+endif (APPLICATION_FLAVOR_PKI_CORE)
 if (APPLICATION_FLAVOR_PKI_RA)
 add_subdirectory(ra)
 endif (APPLICATION_FLAVOR_PKI_RA)
-if (APPLICATION_FLAVOR_PKI_TKS)
- add_subdirectory(tks)
-endif (APPLICATION_FLAVOR_PKI_TKS)
 if (APPLICATION_FLAVOR_PKI_TPS)
 add_subdirectory(tps)
 endif (APPLICATION_FLAVOR_PKI_TPS)
diff --git a/pki/scripts/build_dogtag_pki b/pki/scripts/build_dogtag_pki
index c79eeb714..7e0de05fc 100755
--- a/pki/scripts/build_dogtag_pki
+++ b/pki/scripts/build_dogtag_pki
@@ -104,10 +104,7 @@ fi
 PKI_COMPOSE_SCRIPTS_DIR="${PKI_PWD}/${PKI_DIR}/${PKI_SCRIPTS_DIR}"
 COMPOSE_DOGTAG_PKI_THEME_PACKAGES="compose_dogtag_pki_theme_packages"
 COMPOSE_PKI_CORE_PACKAGES="compose_pki_core_packages"
-COMPOSE_PKI_KRA_PACKAGES="compose_pki_kra_packages"
-COMPOSE_PKI_OCSP_PACKAGES="compose_pki_ocsp_packages"
 COMPOSE_PKI_RA_PACKAGES="compose_pki_ra_packages"
-COMPOSE_PKI_TKS_PACKAGES="compose_pki_tks_packages"
 COMPOSE_PKI_TPS_PACKAGES="compose_pki_tps_packages"
 COMPOSE_PKI_CONSOLE_PACKAGES="compose_pki_console_packages"
@@ -115,10 +112,7 @@ COMPOSE_PKI_CONSOLE_PACKAGES="compose_pki_console_packages"
 PKI_PACKAGES_DIR="${PKI_PWD}/packages"
 PKI_DOGTAG_THEME_PACKAGES_DIR="${PKI_PWD}/packages.dogtag_theme"
 PKI_CORE_PACKAGES_DIR="${PKI_PWD}/packages.core"
-PKI_KRA_PACKAGES_DIR="${PKI_PWD}/packages.kra"
-PKI_OCSP_PACKAGES_DIR="${PKI_PWD}/packages.ocsp"
 PKI_RA_PACKAGES_DIR="${PKI_PWD}/packages.ra"
-PKI_TKS_PACKAGES_DIR="${PKI_PWD}/packages.tks"
 PKI_TPS_PACKAGES_DIR="${PKI_PWD}/packages.tps"
 PKI_CONSOLE_PACKAGES_DIR="${PKI_PWD}/packages.console"
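Review bot: The new `+endif (APPLICATION_FLAVOR_PKI_CORE)` keeps the legacy form that repeats the condition; a bare `endif ()` is the current CMake idiom and cannot drift from its `if` as this block keeps growing (the `endif (APPLICATION_FLAVOR_PKI_RA)` and `endif (APPLICATION_FLAVOR_PKI_TPS)` context lines have the same shape but are not touched by this change). With `kra`, `ocsp` and `tks` now added unconditionally under `APPLICATION_FLAVOR_PKI_CORE`, a core build can no longer leave one of them out; if a per-subsystem opt-out is wanted later, a project-prefixed `option()` per subdirectory is the place for it rather than reviving the removed flavor variables.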
@@ -144,20 +138,14 @@ PKI_COMMON=pki-common${RPM_EXT}
 PKI_COMMON_JAVADOC=pki-common-javadoc${RPM_EXT}
 PKI_SELINUX=pki-selinux${RPM_EXT}
 PKI_CA=pki-ca${RPM_EXT}
-PKI_SILENT=pki-silent${RPM_EXT}
-
-# Establish PKI kra package names
 PKI_KRA=pki-kra${RPM_EXT}
-
-# Establish PKI ocsp package names
 PKI_OCSP=pki-ocsp${RPM_EXT}
+PKI_TKS=pki-tks${RPM_EXT}
+PKI_SILENT=pki-silent${RPM_EXT}
 # Establish PKI ra package names
 PKI_RA=pki-ra${RPM_EXT}
-# Establish PKI tks package names
-PKI_TKS=pki-tks${RPM_EXT}
-
 # Establish PKI tps package names
 PKI_TPS=pki-tps${RPM_EXT}
@@ -168,10 +156,7 @@ PKI_CONSOLE=pki-console${RPM_EXT}
 rm -rf ${PKI_PACKAGES_DIR}
 rm -rf ${PKI_DOGTAG_THEME_PACKAGES_DIR}
 rm -rf ${PKI_CORE_PACKAGES_DIR}
-rm -rf ${PKI_KRA_PACKAGES_DIR}
-rm -rf ${PKI_OCSP_PACKAGES_DIR}
 rm -rf ${PKI_RA_PACKAGES_DIR}
-rm -rf ${PKI_TKS_PACKAGES_DIR}
 rm -rf ${PKI_TPS_PACKAGES_DIR}
 rm -rf ${PKI_CONSOLE_PACKAGES_DIR}
@@ -192,20 +177,6 @@ cp -p ${NOARCH}/*.rpm ${PKI_ARCH}/*.rpm ${PKI_CORE_PACKAGES_DIR}/${RPM_DIR}/${CO
 cd ${PKI_CORE_PACKAGES_DIR}/${RPM_DIR}/${COMBINED}
 ${PKI_SUDO} ${YUM_EXE} ${YUM_EXE_OPTIONS} ${PKI_SETUP} ${PKI_SYMKEY} ${PKI_NATIVE_TOOLS} ${PKI_UTIL} ${PKI_UTIL_JAVADOC} ${PKI_JAVA_TOOLS} ${PKI_JAVA_TOOLS_JAVADOC} ${PKI_COMMON} ${PKI_COMMON_JAVADOC} ${PKI_SELINUX} ${PKI_CA} ${PKI_SILENT}
-# Compose and install 'pki-kra' packages
-cd ${PKI_PWD}
-${PKI_COMPOSE_SCRIPTS_DIR}/${COMPOSE_PKI_KRA_PACKAGES} rpms
-mv ${PKI_PACKAGES_DIR} ${PKI_KRA_PACKAGES_DIR}
-cd ${PKI_KRA_PACKAGES_DIR}/${RPM_DIR}/${NOARCH}
-${PKI_SUDO} ${YUM_EXE} ${YUM_EXE_OPTIONS} ${PKI_KRA}
-
-# Compose and install 'pki-ocsp' packages
-cd ${PKI_PWD}
-${PKI_COMPOSE_SCRIPTS_DIR}/${COMPOSE_PKI_OCSP_PACKAGES} rpms
-mv ${PKI_PACKAGES_DIR} ${PKI_OCSP_PACKAGES_DIR}
-cd ${PKI_OCSP_PACKAGES_DIR}/${RPM_DIR}/${NOARCH}
-${PKI_SUDO} ${YUM_EXE} ${YUM_EXE_OPTIONS} ${PKI_OCSP}
-
 # Compose and install 'pki-ra' packages
 cd ${PKI_PWD}
 ${PKI_COMPOSE_SCRIPTS_DIR}/${COMPOSE_PKI_RA_PACKAGES} rpms
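Review bot: The core install line kept as context in the `@@ -192,20 +177,6 @@` hunk still ends with `${PKI_CA} ${PKI_SILENT}`, while the blocks that used to install `${PKI_KRA}` and `${PKI_OCSP}` are removed here and the `${PKI_TKS}` block goes in the next hunk; `PKI_KRA`, `PKI_OCSP` and the new `PKI_TKS` are now set in the `@@ -144,20 +138,14 @@` hunk, but nothing visible installs them. Unless the yum line is extended outside this view, the script composes pki-kra, pki-ocsp and pki-tks through `compose_pki_core_packages` and then never installs them, which the later pki-tps step (starting outside this hunk) presumably relies on for tks. Appending them in the order the package-name block now uses, `... ${PKI_SELINUX} ${PKI_CA} ${PKI_KRA} ${PKI_OCSP} ${PKI_TKS} ${PKI_SILENT}`, closes the gap.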
@@ -213,13 +184,6 @@ mv ${PKI_PACKAGES_DIR} ${PKI_RA_PACKAGES_DIR}
 cd ${PKI_RA_PACKAGES_DIR}/${RPM_DIR}/${NOARCH}
 ${PKI_SUDO} ${YUM_EXE} ${YUM_EXE_OPTIONS} ${PKI_RA}
-# Compose and install 'pki-tks' packages
-cd ${PKI_PWD}
-${PKI_COMPOSE_SCRIPTS_DIR}/${COMPOSE_PKI_TKS_PACKAGES} rpms
-mv ${PKI_PACKAGES_DIR} ${PKI_TKS_PACKAGES_DIR}
-cd ${PKI_TKS_PACKAGES_DIR}/${RPM_DIR}/${NOARCH}
-${PKI_SUDO} ${YUM_EXE} ${YUM_EXE_OPTIONS} ${PKI_TKS}
-
 # Compose and install 'pki-tps' packages
 cd ${PKI_PWD}
 ${PKI_COMPOSE_SCRIPTS_DIR}/${COMPOSE_PKI_TPS_PACKAGES} rpms
diff --git a/pki/scripts/compose_pki_core_packages b/pki/scripts/compose_pki_core_packages
index d84d41da7..2af796054 100755
--- a/pki/scripts/compose_pki_core_packages
+++ b/pki/scripts/compose_pki_core_packages
@@ -39,7 +39,7 @@ PKI_CORE_VERSION="10.0.0.a1"
 ##
 PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_CORE}.spec"
-PKI_COMPONENT_LIST="test setup symkey native-tools util java-tools common selinux ca silent"
+PKI_COMPONENT_LIST="test setup symkey native-tools util java-tools common selinux ca kra ocsp tks silent"
 ##
diff --git a/pki/scripts/compose_pki_kra_packages b/pki/scripts/compose_pki_kra_packages
deleted file mode 100755
index dc4ad1919..000000000
--- a/pki/scripts/compose_pki_kra_packages
+++ /dev/null
@@ -1,180 +0,0 @@ -#!/bin/bash -# BEGIN COPYRIGHT BLOCK -# (C) 2010 Red Hat, Inc. -# All rights reserved. -# END COPYRIGHT BLOCK - -## -## Include common 'compose' functions -## - -COMPOSE_PWD=`dirname $0` -source ${COMPOSE_PWD}/compose_functions - - -## Always switch into the base directory three levels -## above this shell script prior to executing it so -## that all of its output is written to this directory - -cd `dirname $0`/../.. - - -## -## Retrieve the name of this base directory -## - -PKI_PWD=`pwd` - - -## -## Establish the 'pki-kra' name and version information -## - -PKI_KRA="pki-kra" -PKI_KRA_VERSION="10.0.0.a1" - - -## -## Establish the SOURCE files/directories of the 'pki-kra' source directory -## - -PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_KRA}.spec" -PKI_COMPONENT_LIST="test kra" - - -## -## Establish the TARGET files/directories of the 'pki-kra' source/spec files -## - -PKI_PACKAGES="${PKI_PWD}/packages" -PKI_KRA_BUILD_DIR="${PKI_PACKAGES}/BUILD" -PKI_KRA_RPMS_DIR="${PKI_PACKAGES}/RPMS" -PKI_KRA_SOURCES_DIR="${PKI_PACKAGES}/SOURCES" -PKI_KRA_SPECS_DIR="${PKI_PACKAGES}/SPECS" -PKI_KRA_SRPMS_DIR="${PKI_PACKAGES}/SRPMS" - -PKI_KRA_TARBALL="${PKI_KRA}-${PKI_KRA_VERSION}.tar.gz" -PKI_KRA_SPEC_FILE="${PKI_KRA_SPECS_DIR}/${PKI_KRA}.spec" -PKI_KRA_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_KRA}" -PKI_KRA_PACKAGE_COMMAND="${RPMBUILD_CMD} SPECS/${PKI_KRA}.spec" - -PKI_KRA_STAGING_DIR="${PKI_PACKAGES}/staging" -PKI_KRA_DIR="${PKI_KRA_STAGING_DIR}/${PKI_KRA}-${PKI_KRA_VERSION}" -PKI_KRA_BASE_DIR="${PKI_KRA_DIR}/base" - - -## -## Always create a top-level 'packages' directory -## - -mkdir -p ${PKI_PACKAGES} - - -## -## Always create 'pki-kra' package directories -## - -mkdir -p ${PKI_KRA_BUILD_DIR} -mkdir -p ${PKI_KRA_RPMS_DIR} -mkdir -p ${PKI_KRA_SOURCES_DIR} -mkdir -p ${PKI_KRA_SPECS_DIR} -mkdir -p ${PKI_KRA_SRPMS_DIR} - - -## -## Always start with new 'pki-kra' package files -## - -rm -rf ${PKI_KRA_BUILD_DIR}/${PKI_KRA}-${PKI_KRA_VERSION} -rm -f 
${PKI_KRA_RPMS_DIR}/${PKI_KRA}-${PKI_KRA_VERSION}*.rpm -rm -f ${PKI_KRA_SOURCES_DIR}/${PKI_KRA_TARBALL} -rm -f ${PKI_KRA_SPEC_FILE} -rm -f ${PKI_KRA_SRPMS_DIR}/${PKI_KRA}-${PKI_KRA_VERSION}*.rpm - - -## -## Copy a new 'pki-kra' spec file from the -## current contents of the PKI working repository -## - -cp -p ${PKI_SPECS_FILE} ${PKI_KRA_SPECS_DIR} - - -if [ ${USE_PATCH_FILES} -eq 1 ] ; then - Retrieve_Source_Tarball_and_Patches ${PKI_SPECS_FILE} ${PKI_PATCHES_DIR} ${PKI_KRA_SOURCES_DIR} -else - ## - ## Always start with a new 'pki-kra' staging directory - ## - - rm -rf ${PKI_KRA_STAGING_DIR} - - - ## - ## To generate the 'pki-kra' tarball, construct a staging area - ## consisting of the 'pki-kra' source components from the - ## current contents of the PKI working repository - ## - - mkdir -p ${PKI_KRA_DIR} - cd ${PKI_DIR} - for file in "${PKI_FILE_LIST}" ; - do - cp -p ${file} ${PKI_KRA_DIR} - done - find ${PKI_CMAKE_DIR} \ - -name .svn -prune -o \ - -name *.swp -prune -o \ - -print | cpio -pdum ${PKI_KRA_DIR} > /dev/null 2>&1 - cd - > /dev/null 2>&1 - - mkdir -p ${PKI_KRA_BASE_DIR} - cd ${PKI_BASE_DIR} - cp -p ${PKI_BASE_MANIFEST} ${PKI_KRA_BASE_DIR} - for component in "${PKI_COMPONENT_LIST}" ; - do - find ${component} \ - -name .svn -prune -o \ - -name *.swp -prune -o \ - -print | cpio -pdum ${PKI_KRA_BASE_DIR} > /dev/null 2>&1 - done - cd - > /dev/null 2>&1 - - - ## - ## Create the 'pki-kra' tarball - ## - - mkdir -p ${PKI_KRA_SOURCES_DIR} - cd ${PKI_KRA_STAGING_DIR} - gtar -zcvf ${PKI_KRA_TARBALL} \ - "${PKI_KRA}-${PKI_KRA_VERSION}" > /dev/null 2>&1 - mv ${PKI_KRA_TARBALL} ${PKI_KRA_SOURCES_DIR} - cd - > /dev/null 2>&1 - - - ## - ## Always remove the PKI staging area - ## - - rm -rf ${PKI_KRA_STAGING_DIR} -fi - - -## -## Always generate a fresh 'pki-kra' package script -## - -rm -rf ${PKI_KRA_PACKAGE_SCRIPT} -printf "#!/bin/bash\n\n" > ${PKI_KRA_PACKAGE_SCRIPT} -printf "${PKI_KRA_PACKAGE_COMMAND}\n\n" >> ${PKI_KRA_PACKAGE_SCRIPT} -chmod 775 
${PKI_KRA_PACKAGE_SCRIPT} - - -## -## Automatically invoke RPM/SRPM creation -## - -cd ${PKI_PACKAGES} ; -bash ./package_${PKI_KRA} | tee package_${PKI_KRA}.log 2>&1 - diff --git a/pki/scripts/compose_pki_ocsp_packages b/pki/scripts/compose_pki_ocsp_packages deleted file mode 100755 index 257578f9f..000000000 --- a/pki/scripts/compose_pki_ocsp_packages +++ /dev/null 
@@ -1,180 +0,0 @@ -#!/bin/bash -# BEGIN COPYRIGHT BLOCK -# (C) 2010 Red Hat, Inc. -# All rights reserved. -# END COPYRIGHT BLOCK - -## -## Include common 'compose' functions -## - -COMPOSE_PWD=`dirname $0` -source ${COMPOSE_PWD}/compose_functions - - -## Always switch into the base directory three levels -## above this shell script prior to executing it so -## that all of its output is written to this directory - -cd `dirname $0`/../.. - - -## -## Retrieve the name of this base directory -## - -PKI_PWD=`pwd` - - -## -## Establish the 'pki-ocsp' name and version information -## - -PKI_OCSP="pki-ocsp" -PKI_OCSP_VERSION="10.0.0.a1" - - -## -## Establish the SOURCE files/directories of the 'pki-ocsp' source directory -## - -PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_OCSP}.spec" -PKI_COMPONENT_LIST="test ocsp" - - -## -## Establish the TARGET files/directories of the 'pki-ocsp' source/spec files -## - -PKI_PACKAGES="${PKI_PWD}/packages" -PKI_OCSP_BUILD_DIR="${PKI_PACKAGES}/BUILD" -PKI_OCSP_RPMS_DIR="${PKI_PACKAGES}/RPMS" -PKI_OCSP_SOURCES_DIR="${PKI_PACKAGES}/SOURCES" -PKI_OCSP_SPECS_DIR="${PKI_PACKAGES}/SPECS" -PKI_OCSP_SRPMS_DIR="${PKI_PACKAGES}/SRPMS" - -PKI_OCSP_TARBALL="${PKI_OCSP}-${PKI_OCSP_VERSION}.tar.gz" -PKI_OCSP_SPEC_FILE="${PKI_OCSP_SPECS_DIR}/${PKI_OCSP}.spec" -PKI_OCSP_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_OCSP}" -PKI_OCSP_PACKAGE_COMMAND="${RPMBUILD_CMD} SPECS/${PKI_OCSP}.spec" - -PKI_OCSP_STAGING_DIR="${PKI_PACKAGES}/staging" -PKI_OCSP_DIR="${PKI_OCSP_STAGING_DIR}/${PKI_OCSP}-${PKI_OCSP_VERSION}" -PKI_OCSP_BASE_DIR="${PKI_OCSP_DIR}/base" - - -## -## Always create a top-level 'packages' directory -## - -mkdir -p ${PKI_PACKAGES} - - -## -## Always create 'pki-ocsp' package directories -## - -mkdir -p ${PKI_OCSP_BUILD_DIR} -mkdir -p ${PKI_OCSP_RPMS_DIR} -mkdir -p ${PKI_OCSP_SOURCES_DIR} -mkdir -p ${PKI_OCSP_SPECS_DIR} -mkdir -p ${PKI_OCSP_SRPMS_DIR} - - -## -## Always start with new 'pki-ocsp' package files -## - -rm -rf 
${PKI_OCSP_BUILD_DIR}/${PKI_OCSP}-${PKI_OCSP_VERSION} -rm -f ${PKI_OCSP_RPMS_DIR}/${PKI_OCSP}-${PKI_OCSP_VERSION}*.rpm -rm -f ${PKI_OCSP_SOURCES_DIR}/${PKI_OCSP_TARBALL} -rm -f ${PKI_OCSP_SPEC_FILE} -rm -f ${PKI_OCSP_SRPMS_DIR}/${PKI_OCSP}-${PKI_OCSP_VERSION}*.rpm - - -## -## Copy a new 'pki-ocsp' spec file from the -## current contents of the PKI working repository -## - -cp -p ${PKI_SPECS_FILE} ${PKI_OCSP_SPECS_DIR} - - -if [ ${USE_PATCH_FILES} -eq 1 ] ; then - Retrieve_Source_Tarball_and_Patches ${PKI_SPECS_FILE} ${PKI_PATCHES_DIR} ${PKI_OCSP_SOURCES_DIR} -else - ## - ## Always start with a new 'pki-ocsp' staging directory - ## - - rm -rf ${PKI_OCSP_STAGING_DIR} - - - ## - ## To generate the 'pki-ocsp' tarball, construct a staging area - ## consisting of the 'pki-ocsp' source components from the - ## current contents of the PKI working repository - ## - - mkdir -p ${PKI_OCSP_DIR} - cd ${PKI_DIR} - for file in "${PKI_FILE_LIST}" ; - do - cp -p ${file} ${PKI_OCSP_DIR} - done - find ${PKI_CMAKE_DIR} \ - -name .svn -prune -o \ - -name *.swp -prune -o \ - -print | cpio -pdum ${PKI_OCSP_DIR} > /dev/null 2>&1 - cd - > /dev/null 2>&1 - - mkdir -p ${PKI_OCSP_BASE_DIR} - cd ${PKI_BASE_DIR} - cp -p ${PKI_BASE_MANIFEST} ${PKI_OCSP_BASE_DIR} - for component in "${PKI_COMPONENT_LIST}" ; - do - find ${component} \ - -name .svn -prune -o \ - -name *.swp -prune -o \ - -print | cpio -pdum ${PKI_OCSP_BASE_DIR} > /dev/null 2>&1 - done - cd - > /dev/null 2>&1 - - - ## - ## Create the 'pki-ocsp' tarball - ## - - mkdir -p ${PKI_OCSP_SOURCES_DIR} - cd ${PKI_OCSP_STAGING_DIR} - gtar -zcvf ${PKI_OCSP_TARBALL} \ - "${PKI_OCSP}-${PKI_OCSP_VERSION}" > /dev/null 2>&1 - mv ${PKI_OCSP_TARBALL} ${PKI_OCSP_SOURCES_DIR} - cd - > /dev/null 2>&1 - - - ## - ## Always remove the PKI staging area - ## - - rm -rf ${PKI_OCSP_STAGING_DIR} -fi - - -## -## Always generate a fresh 'pki-ocsp' package script -## - -rm -rf ${PKI_OCSP_PACKAGE_SCRIPT} -printf "#!/bin/bash\n\n" > ${PKI_OCSP_PACKAGE_SCRIPT} 
-printf "${PKI_OCSP_PACKAGE_COMMAND}\n\n" >> ${PKI_OCSP_PACKAGE_SCRIPT} -chmod 775 ${PKI_OCSP_PACKAGE_SCRIPT} - - -## -## Automatically invoke RPM/SRPM creation -## - -cd ${PKI_PACKAGES} ; -bash ./package_${PKI_OCSP} | tee package_${PKI_OCSP}.log 2>&1 - diff --git a/pki/scripts/compose_pki_tks_packages b/pki/scripts/compose_pki_tks_packages deleted file mode 100755 index 001774e94..000000000 --- a/pki/scripts/compose_pki_tks_packages +++ /dev/null 
@@ -1,180 +0,0 @@ -#!/bin/bash -# BEGIN COPYRIGHT BLOCK -# (C) 2010 Red Hat, Inc. -# All rights reserved. -# END COPYRIGHT BLOCK - -## -## Include common 'compose' functions -## - -COMPOSE_PWD=`dirname $0` -source ${COMPOSE_PWD}/compose_functions - - -## Always switch into the base directory three levels -## above this shell script prior to executing it so -## that all of its output is written to this directory - -cd `dirname $0`/../.. - - -## -## Retrieve the name of this base directory -## - -PKI_PWD=`pwd` - - -## -## Establish the 'pki-tks' name and version information -## - -PKI_TKS="pki-tks" -PKI_TKS_VERSION="10.0.0.a1" - - -## -## Establish the SOURCE files/directories of the 'pki-tks' source directory -## - -PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_TKS}.spec" -PKI_COMPONENT_LIST="test tks" - - -## -## Establish the TARGET files/directories of the 'pki-tks' source/spec files -## - -PKI_PACKAGES="${PKI_PWD}/packages" -PKI_TKS_BUILD_DIR="${PKI_PACKAGES}/BUILD" -PKI_TKS_RPMS_DIR="${PKI_PACKAGES}/RPMS" -PKI_TKS_SOURCES_DIR="${PKI_PACKAGES}/SOURCES" -PKI_TKS_SPECS_DIR="${PKI_PACKAGES}/SPECS" -PKI_TKS_SRPMS_DIR="${PKI_PACKAGES}/SRPMS" - -PKI_TKS_TARBALL="${PKI_TKS}-${PKI_TKS_VERSION}.tar.gz" -PKI_TKS_SPEC_FILE="${PKI_TKS_SPECS_DIR}/${PKI_TKS}.spec" -PKI_TKS_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_TKS}" -PKI_TKS_PACKAGE_COMMAND="${RPMBUILD_CMD} SPECS/${PKI_TKS}.spec" - -PKI_TKS_STAGING_DIR="${PKI_PACKAGES}/staging" -PKI_TKS_DIR="${PKI_TKS_STAGING_DIR}/${PKI_TKS}-${PKI_TKS_VERSION}" -PKI_TKS_BASE_DIR="${PKI_TKS_DIR}/base" - - -## -## Always create a top-level 'packages' directory -## - -mkdir -p ${PKI_PACKAGES} - - -## -## Always create 'pki-tks' package directories -## - -mkdir -p ${PKI_TKS_BUILD_DIR} -mkdir -p ${PKI_TKS_RPMS_DIR} -mkdir -p ${PKI_TKS_SOURCES_DIR} -mkdir -p ${PKI_TKS_SPECS_DIR} -mkdir -p ${PKI_TKS_SRPMS_DIR} - - -## -## Always start with new 'pki-tks' package files -## - -rm -rf ${PKI_TKS_BUILD_DIR}/${PKI_TKS}-${PKI_TKS_VERSION} -rm -f 
${PKI_TKS_RPMS_DIR}/${PKI_TKS}-${PKI_TKS_VERSION}*.rpm -rm -f ${PKI_TKS_SOURCES_DIR}/${PKI_TKS_TARBALL} -rm -f ${PKI_TKS_SPEC_FILE} -rm -f ${PKI_TKS_SRPMS_DIR}/${PKI_TKS}-${PKI_TKS_VERSION}*.rpm - - -## -## Copy a new 'pki-tks' spec file from the -## current contents of the PKI working repository -## - -cp -p ${PKI_SPECS_FILE} ${PKI_TKS_SPECS_DIR} - - -if [ ${USE_PATCH_FILES} -eq 1 ] ; then - Retrieve_Source_Tarball_and_Patches ${PKI_SPECS_FILE} ${PKI_PATCHES_DIR} ${PKI_TKS_SOURCES_DIR} -else - ## - ## Always start with a new 'pki-tks' staging directory - ## - - rm -rf ${PKI_TKS_STAGING_DIR} - - - ## - ## To generate the 'pki-tks' tarball, construct a staging area - ## consisting of the 'pki-tks' source components from the - ## current contents of the PKI working repository - ## - - mkdir -p ${PKI_TKS_DIR} - cd ${PKI_DIR} - for file in "${PKI_FILE_LIST}" ; - do - cp -p ${file} ${PKI_TKS_DIR} - done - find ${PKI_CMAKE_DIR} \ - -name .svn -prune -o \ - -name *.swp -prune -o \ - -print | cpio -pdum ${PKI_TKS_DIR} > /dev/null 2>&1 - cd - > /dev/null 2>&1 - - mkdir -p ${PKI_TKS_BASE_DIR} - cd ${PKI_BASE_DIR} - cp -p ${PKI_BASE_MANIFEST} ${PKI_TKS_BASE_DIR} - for component in "${PKI_COMPONENT_LIST}" ; - do - find ${component} \ - -name .svn -prune -o \ - -name *.swp -prune -o \ - -print | cpio -pdum ${PKI_TKS_BASE_DIR} > /dev/null 2>&1 - done - cd - > /dev/null 2>&1 - - - ## - ## Create the 'pki-tks' tarball - ## - - mkdir -p ${PKI_TKS_SOURCES_DIR} - cd ${PKI_TKS_STAGING_DIR} - gtar -zcvf ${PKI_TKS_TARBALL} \ - "${PKI_TKS}-${PKI_TKS_VERSION}" > /dev/null 2>&1 - mv ${PKI_TKS_TARBALL} ${PKI_TKS_SOURCES_DIR} - cd - > /dev/null 2>&1 - - - ## - ## Always remove the PKI staging area - ## - - rm -rf ${PKI_TKS_STAGING_DIR} -fi - - -## -## Always generate a fresh 'pki-tks' package script -## - -rm -rf ${PKI_TKS_PACKAGE_SCRIPT} -printf "#!/bin/bash\n\n" > ${PKI_TKS_PACKAGE_SCRIPT} -printf "${PKI_TKS_PACKAGE_COMMAND}\n\n" >> ${PKI_TKS_PACKAGE_SCRIPT} -chmod 775 
${PKI_TKS_PACKAGE_SCRIPT} - - -## -## Automatically invoke RPM/SRPM creation -## - -cd ${PKI_PACKAGES} ; -bash ./package_${PKI_TKS} | tee package_${PKI_TKS}.log 2>&1 - diff --git a/pki/specs/pki-core.spec b/pki/specs/pki-core.spec index 48ef1f3e3..01409c22a 100644 --- a/pki/specs/pki-core.spec +++ b/pki/specs/pki-core.spec @@ -7,7 +7,7 @@ Name: pki-core Version: 10.0.0 -Release: %{?relprefix}1%{?prerel}%{?dist} +Release: %{?relprefix}2%{?prerel}%{?dist} Summary: Certificate System - PKI Core Components URL: http://pki.fedoraproject.org/ License: GPLv2 @@ -34,9 +34,13 @@ BuildRequires: velocity BuildRequires: xalan-j2 BuildRequires: xerces-j2 BuildRequires: candlepin-deps >= 0.0.21-1 +%if 0%{?fedora} >= 17 +BuildRequires: junit +%else %if 0%{?fedora} >= 16 BuildRequires: jpackage-utils >= 0:1.7.5-10 BuildRequires: jss >= 4.2.6-19.1 +BuildRequires: junit4 BuildRequires: osutil >= 2.0.2 BuildRequires: systemd-units BuildRequires: tomcatjss >= 6.0.2 @@ -44,15 +48,18 @@ BuildRequires: tomcatjss >= 6.0.2 %if 0%{?fedora} >= 15 BuildRequires: jpackage-utils BuildRequires: jss >= 4.2.6-17 +BuildRequires: junit4 BuildRequires: osutil >= 2.0.1 BuildRequires: tomcatjss >= 6.0.0 %else BuildRequires: jpackage-utils BuildRequires: jss >= 4.2.6-17 +BuildRequires: junit4 BuildRequires: osutil BuildRequires: tomcatjss >= 2.0.0 %endif %endif +%endif Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz 
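Review bot: The `+%if 0%{?fedora} >= 17` / `+%else` added in the `@@ -34,9 +34,13 @@` hunk wraps the whole existing `%if 0%{?fedora} >= 16` block, so on Fedora 17 and later the only conditional BuildRequires left is `junit`; jpackage-utils, jss, osutil, systemd-units and tomcatjss are no longer required for that build, and the `+%endif` in the following hunk closes this outer block. This looks like it was meant to pick `junit` over `junit4`, not to drop the dependency list. Nesting the junit choice inside the `>= 16` branch and removing the extra trailing `%endif` keeps the rest of the block applying to every release it did before.
```rpmspec
%if 0%{?fedora} >= 16
BuildRequires: jpackage-utils >= 0:1.7.5-10
BuildRequires: jss >= 4.2.6-19.1
%if 0%{?fedora} >= 17
BuildRequires: junit
%else
BuildRequires: junit4
%endif
BuildRequires: osutil >= 2.0.2
# … unchanged: systemd-units, tomcatjss and the >= 15 / older branches; the extra trailing %endif added at the end of the block is dropped …
```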
@@ -86,31 +93,48 @@ fi; Certificate System (CS) is an enterprise software system designed \ to manage enterprise Public Key Infrastructure (PKI) deployments. \ \ -PKI Core contains fundamental packages required by Certificate System, \ -and consists of the following components: \ +PKI Core contains ALL top-level java-based Tomcat PKI components: \ \ - * pki-setup \ - * pki-symkey \ - * pki-native-tools \ - * pki-util \ - * pki-util-javadoc \ - * pki-java-tools \ - * pki-java-tools-javadoc \ - * pki-common \ - * pki-common-javadoc \ - * pki-selinux \ * pki-ca \ - * pki-silent \ + * pki-kra \ + * pki-ocsp \ + * pki-tks \ \ -which comprise the following PKI subsystems: \ +which comprise the following corresponding PKI subsystems: \ \ * Certificate Authority (CA) \ + * Data Recovery Manager (DRM) \ + * Online Certificate Status Protocol (OCSP) Manager \ + * Token Key Service (TKS) \ \ -For deployment purposes, Certificate System requires ONE AND ONLY ONE \ -of the following "Mutually-Exclusive" PKI Theme packages: \ +For deployment purposes, PKI Core contains fundamental packages \ +required by BOTH native-based Apache AND java-based Tomcat \ +Certificate System instances consisting of the following components: \ + \ + * pki-native-tools \ + * pki-selinux \ + * pki-setup \ + * pki-silent (required for IPA deployments; optional otherwise) \ + \ +Additionally, PKI Core contains the following fundamental packages \ +required ONLY by ALL java-based Tomcat Certificate System instances: \ + \ + * pki-common \ + * pki-java-tools \ + * pki-symkey (ONLY required for TKS subsystems) \ + * pki-util \ + \ +PKI Core also includes the following components: \ + \ + * pki-common-javadoc \ + * pki-java-tools-javadoc \ + * pki-util-javadoc \ + \ +Finally, for deployment purposes, Certificate System requires ONE AND \ +ONLY ONE of the following "Mutually-Exclusive" PKI Theme packages: \ \ - * ipa-pki-theme (IPA deployments) \ * dogtag-pki-theme (Dogtag Certificate System deployments) \ + 
* ipa-pki-theme (IPA deployments) \ * redhat-pki-theme (Red Hat Certificate System deployments) \ \ %{nil} @@ -288,7 +312,6 @@ Requires: jettison Requires: pki-common-theme >= 9.0.0 Requires: pki-java-tools = %{version}-%{release} Requires: pki-setup = %{version}-%{release} -Requires: pki-symkey = %{version}-%{release} Requires: %{_javadir}/ldapjdk.jar Requires: %{_javadir}/velocity.jar Requires: %{_javadir}/xalan-j2.jar 
@@ -413,7 +436,182 @@ The Certificate Authority can be configured as a self-signing Certificate Authority, where it is the root CA, or it can act as a subordinate CA, where it obtains its own signing certificate from a public CA. -This package is a part of the PKI Core used by the Certificate System. +This package is one of the top-level java-based Tomcat PKI subsystems +provided by the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-kra +Summary: Certificate System - Data Recovery Manager +Group: System Environment/Daemons + +BuildArch: noarch + +Requires: java >= 1:1.6.0 +Requires: pki-kra-theme >= 9.0.0 +Requires: pki-common = %{version}-%{release} +Requires: pki-selinux = %{version}-%{release} +%if 0%{?fedora} >= 16 +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units +%else +%if 0%{?fedora} >= 15 +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +Requires: initscripts +%else +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +%endif +%endif + +%description -n pki-kra +The Data Recovery Manager (DRM) is an optional PKI subsystem that can act +as a Key Recovery Authority (KRA). When configured in conjunction with the +Certificate Authority (CA), the DRM stores private encryption keys as part of +the certificate enrollment process. The key archival mechanism is triggered +when a user enrolls in the PKI and creates the certificate request. Using the +Certificate Request Message Format (CRMF) request format, a request is +generated for the user's private encryption key. 
This key is then stored in +the DRM which is configured to store keys in an encrypted format that can only +be decrypted by several agents requesting the key at one time, providing for +protection of the public encryption keys for the users in the PKI deployment. + +Note that the DRM archives encryption keys; it does NOT archive signing keys, +since such archival would undermine non-repudiation properties of signing keys. + +This package is one of the top-level java-based Tomcat PKI subsystems +provided by the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-ocsp +Summary: Certificate System - Online Certificate Status Protocol Manager +Group: System Environment/Daemons + +BuildArch: noarch + +Requires: java >= 1:1.6.0 +Requires: pki-ocsp-theme >= 9.0.0 +Requires: pki-common = %{version}-%{release} +Requires: pki-selinux = %{version}-%{release} +%if 0%{?fedora} >= 16 +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units +%else +%if 0%{?fedora} >= 15 +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +Requires: initscripts +%else +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +%endif +%endif + +%description -n pki-ocsp +The Online Certificate Status Protocol (OCSP) Manager is an optional PKI +subsystem that can act as a stand-alone OCSP service. The OCSP Manager +performs the task of an online certificate validation authority by enabling +OCSP-compliant clients to do real-time verification of certificates. Note +that an online certificate-validation authority is often referred to as an +OCSP Responder. + +Although the Certificate Authority (CA) is already configured with an +internal OCSP service. 
An external OCSP Responder is offered as a separate +subsystem in case the user wants the OCSP service provided outside of a +firewall while the CA resides inside of a firewall, or to take the load of +requests off of the CA. + +The OCSP Manager can receive Certificate Revocation Lists (CRLs) from +multiple CA servers, and clients can query the OCSP Manager for the +revocation status of certificates issued by all of these CA servers. + +When an instance of OCSP Manager is set up with an instance of CA, and +publishing is set up to this OCSP Manager, CRLs are published to it +whenever they are issued or updated. + +This package is one of the top-level java-based Tomcat PKI subsystems +provided by the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-tks +Summary: Certificate System - Token Key Service +Group: System Environment/Daemons + +BuildArch: noarch + +Requires: java >= 1:1.6.0 +Requires: pki-tks-theme >= 9.0.0 +Requires: pki-common = %{version}-%{release} +Requires: pki-selinux = %{version}-%{release} +Requires: pki-symkey = %{version}-%{release} +%if 0%{?fedora} >= 16 +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units +%else +%if 0%{?fedora} >= 15 +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +Requires: initscripts +%else +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +%endif +%endif + +%description -n pki-tks +The Token Key Service (TKS) is an optional PKI subsystem that manages the +master key(s) and the transport key(s) required to generate and distribute +keys for hardware tokens. 
TKS provides the security between tokens and an +instance of Token Processing System (TPS), where the security relies upon the +relationship between the master key and the token keys. A TPS communicates +with a TKS over SSL using client authentication. + +TKS helps establish a secure channel (signed and encrypted) between the token +and the TPS, provides proof of presence of the security token during +enrollment, and supports key changeover when the master key changes on the +TKS. Tokens with older keys will get new token keys. + +Because of the sensitivity of the data that TKS manages, TKS should be set up +behind the firewall with restricted access. + +This package is one of the top-level java-based Tomcat PKI subsystems +provided by the PKI Core used by the Certificate System. %{overview} 
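Review bot: The `%description -n pki-kra` text closes with `providing for protection of the public encryption keys for the users`, but the keys the DRM archives and that the multi-agent decryption guards are the users' private encryption keys, as the sentences before it say; `providing for protection of the private encryption keys for the users in the PKI deployment.` states the actual guarantee. In `%description -n pki-ocsp`, `Although the Certificate Authority (CA) is already configured with an internal OCSP service.` is a sentence fragment; ending it with a comma and continuing `an external OCSP Responder is offered as a separate subsystem ...` reads as intended. The pki-ca description this hunk opens in starts outside the hunk.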
@@ -494,13 +692,34 @@ echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfile
 echo "D /var/lock/pki/ca 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
 echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
 echo "D /var/run/pki/ca 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
+# generate 'pki-kra.conf' under the 'tmpfiles.d' directory
+echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
+echo "D /var/lock/pki/kra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
+echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
+echo "D /var/run/pki/kra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
+# generate 'pki-ocsp.conf' under the 'tmpfiles.d' directory
+echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
+echo "D /var/lock/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
+echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
+echo "D /var/run/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
+# generate 'pki-tks.conf' under the 'tmpfiles.d' directory
+echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+echo "D /var/lock/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+echo "D /var/run/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
 %endif
 %if 0%{?fedora} >= 16
 %{__rm} %{buildroot}%{_initrddir}/pki-cad
+%{__rm} %{buildroot}%{_initrddir}/pki-krad
+%{__rm} %{buildroot}%{_initrddir}/pki-ocspd
+%{__rm} %{buildroot}%{_initrddir}/pki-tksd
 %else
 %{__rm} %{buildroot}%{_bindir}/pkicontrol
 %{__rm} -rf
%{buildroot}%{_sysconfdir}/systemd/system/pki-cad.target.wants
+%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-krad.target.wants
+%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-ocspd.target.wants
+%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-tksd.target.wants
 %{__rm} -rf %{buildroot}%{_unitdir}
 %endif
@@ -532,6 +751,21 @@ fi
 /sbin/chkconfig --add pki-cad || :
+%post -n pki-kra
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-krad || :
+
+
+%post -n pki-ocsp
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-ocspd || :
+
+
+%post -n pki-tks
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-tksd || :
+
+
 %preun -n pki-ca
 if [ $1 = 0 ] ; then
 /sbin/service pki-cad stop >/dev/null 2>&1
@@ -539,11 +773,49 @@ if [ $1 = 0 ] ; then
 fi
+%preun -n pki-kra
+if [ $1 = 0 ] ; then
+ /sbin/service pki-krad stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-krad || :
+fi
+
+
+%preun -n pki-ocsp
+if [ $1 = 0 ] ; then
+ /sbin/service pki-ocspd stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-ocspd || :
+fi
+
+
+%preun -n pki-tks
+if [ $1 = 0 ] ; then
+ /sbin/service pki-tksd stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-tksd || :
+fi
+
+
 %postun -n pki-ca
 if [ "$1" -ge "1" ] ; then
 /sbin/service pki-cad condrestart >/dev/null 2>&1 || :
 fi
+
+%postun -n pki-kra
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-krad condrestart >/dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-ocsp
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-ocspd condrestart >/dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-tks
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-tksd condrestart >/dev/null 2>&1 || :
+fi
 %else
 %post -n pki-ca
 # Attempt to update ALL old "CA" instances to "systemd"
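Review bot: The three new `echo` blocks in the `%install` tmpfiles.d section are the `pki-ca` block at the top of the hunk repeated verbatim with only the subsystem name changed, so a later change to the mode, owner or the `D` entry type has to be made in four places and the copies can drift apart. A single `for` loop over the subsystem names keeps one template, and the `pki-ca` lines (which start above the hunk) fold into the same loop; the four `%{__rm} %{buildroot}%{_initrddir}/pki-*d` lines further down could use the same name list. This is a style point only; the generated files are identical.
```spec
# … unchanged: %if 0%{?fedora} >= 15 guard and tmpfiles.d mkdir …
for subsystem in ca kra ocsp tks; do
    conf=%{buildroot}%{_sysconfdir}/tmpfiles.d/pki-${subsystem}.conf
    # generate 'pki-<subsystem>.conf' under the 'tmpfiles.d' directory
    echo "D /var/lock/pki 0755 root root -" > ${conf}
    echo "D /var/lock/pki/${subsystem} 0755 root root -" >> ${conf}
    echo "D /var/run/pki 0755 root root -" >> ${conf}
    echo "D /var/run/pki/${subsystem} 0755 root root -" >> ${conf}
done
# … unchanged: %endif and the init-script / unit cleanup …
```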
@@ -571,6 +843,88 @@ if [ -d /etc/sysconfig/pki/ca ]; then
 fi
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+
+%post -n pki-kra
+# Attempt to update ALL old "KRA" instances to "systemd"
+if [ -d /etc/sysconfig/pki/kra ]; then
+ for inst in `ls /etc/sysconfig/pki/kra`; do
+ if [ ! -e "/etc/systemd/system/pki-krad.target.wants/pki-krad@${inst}.service" ]; then
+ ln -s "/lib/systemd/system/pki-krad@.service" \
+ "/etc/systemd/system/pki-krad.target.wants/pki-krad@${inst}.service"
+ [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}
+ ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}
+
+ if [ -e /var/run/${inst}.pid ]; then
+ kill -9 `cat /var/run/${inst}.pid` || :
+ rm -f /var/run/${inst}.pid
+ echo "pkicreate.systemd.servicename=pki-krad@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /bin/systemctl restart pki-krad@${inst}.service || :
+ else
+ echo "pkicreate.systemd.servicename=pki-krad@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ fi
+ fi
+ done
+fi
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+
+
+%post -n pki-ocsp
+# Attempt to update ALL old "OCSP" instances to "systemd"
+if [ -d /etc/sysconfig/pki/ocsp ]; then
+ for inst in `ls /etc/sysconfig/pki/ocsp`; do
+ if [ !
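Review bot: The new `%preun -n pki-kra`, `%preun -n pki-ocsp` and `%preun -n pki-tks` scriptlets in the `@@ -539,11 +773,49 @@` hunk test `if [ $1 = 0 ] ; then` with `$1` unquoted, while the `%postun` blocks added in the same hunk quote it (`"$1" -ge "1"`). rpm always supplies the argument, so this is a consistency point rather than a bug, but `if [ "$1" = 0 ] ; then` would read like its neighbours and survive being pasted into a context where the argument is absent. The three systemd `%preun` blocks in the `@@ -578,11 +932,53 @@` hunk have the same form; all of them copy the existing `pki-ca` block, which could be aligned at the same time.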
-e "/etc/systemd/system/pki-ocspd.target.wants/pki-ocspd@${inst}.service" ]; then
+ ln -s "/lib/systemd/system/pki-ocspd@.service" \
+ "/etc/systemd/system/pki-ocspd.target.wants/pki-ocspd@${inst}.service"
+ [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}
+ ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}
+
+ if [ -e /var/run/${inst}.pid ]; then
+ kill -9 `cat /var/run/${inst}.pid` || :
+ rm -f /var/run/${inst}.pid
+ echo "pkicreate.systemd.servicename=pki-ocspd@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /bin/systemctl restart pki-ocspd@${inst}.service || :
+ else
+ echo "pkicreate.systemd.servicename=pki-ocspd@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ fi
+ fi
+ done
+fi
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+
+
+%post -n pki-tks
+# Attempt to update ALL old "TKS" instances to "systemd"
+if [ -d /etc/sysconfig/pki/tks ]; then
+ for inst in `ls /etc/sysconfig/pki/tks`; do
+ if [ ! -e "/etc/systemd/system/pki-tksd.target.wants/pki-tksd@${inst}.service" ]; then
+ ln -s "/lib/systemd/system/pki-tksd@.service" \
+ "/etc/systemd/system/pki-tksd.target.wants/pki-tksd@${inst}.service"
+ [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}
+ ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}
+
+ if [ -e /var/run/${inst}.pid ]; then
+ kill -9 `cat /var/run/${inst}.pid` || :
+ rm -f /var/run/${inst}.pid
+ echo "pkicreate.systemd.servicename=pki-tksd@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /bin/systemctl restart pki-tksd@${inst}.service || :
+ else
+ echo "pkicreate.systemd.servicename=pki-tksd@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ fi
+ fi
+ done
+fi
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+
+
 %preun -n pki-ca
 if [ $1 = 0 ] ; then
 /bin/systemctl --no-reload disable pki-cad.target > /dev/null 2>&1 || :
@@ -578,11 +932,53 @@ if [ $1 = 0 ] ; then
 fi
+%preun -n pki-kra
+if [ $1 = 0 ] ; then
+ /bin/systemctl --no-reload disable pki-krad.target > /dev/null 2>&1 || :
+ /bin/systemctl stop pki-krad.target > /dev/null 2>&1 || :
+fi
+
+
+%preun -n pki-ocsp
+if [ $1 = 0 ] ; then
+ /bin/systemctl --no-reload disable pki-ocspd.target > /dev/null 2>&1 || :
+ /bin/systemctl stop pki-ocspd.target > /dev/null 2>&1 || :
+fi
+
+
+%preun -n pki-tks
+if [ $1 = 0 ] ; then
+ /bin/systemctl --no-reload disable pki-tksd.target > /dev/null 2>&1 || :
+ /bin/systemctl stop pki-tksd.target > /dev/null 2>&1 || :
+fi
+
+
 %postun -n pki-ca
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 if [ "$1" -ge "1" ] ; then
 /bin/systemctl try-restart pki-cad.target >/dev/null 2>&1 || :
 fi
+
+
+%postun -n pki-kra
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ "$1" -ge "1" ] ; then
+ /bin/systemctl try-restart pki-krad.target >/dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-ocsp
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ "$1" -ge "1" ] ; then
+ /bin/systemctl try-restart pki-ocspd.target >/dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-tks
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ "$1" -ge "1" ] ; then
+ /bin/systemctl try-restart pki-tksd.target >/dev/null 2>&1 || :
+fi
 %endif
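Review bot: In each of the new systemd migration scriptlets in the `@@ -571,6 +843,88 @@` hunk (`%post -n pki-kra`, `%post -n pki-ocsp`, `%post -n pki-tks`) the root-run scriptlet sends `kill -9` to whatever pid is stored in `/var/run/${inst}.pid`, with no check that the pid still refers to that instance. The pid file's ownership is not visible here; if it is writable by the instance's service user, a stale or altered value would have the scriptlet kill an unrelated process as root, and a pid left over from before a reboot can do the same by accident. Reading the pid into a variable and checking it first limits this, e.g. `pid=$(cat /var/run/${inst}.pid)` followed by `[ -n "$pid" ] && grep -qs "${inst}" /proc/$pid/cmdline && kill -9 "$pid" || :` (assuming the instance path appears on its command line); sending TERM before falling back to KILL would also let tomcat shut down cleanly. The three blocks are complete within the hunk; the `pki-ca` block they copy starts above it and presumably has the same shape.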
@@ -724,6 +1120,90 @@ fi
 %endif
+%files -n pki-kra
+%defattr(-,root,root,-)
+%doc base/kra/LICENSE
+%if 0%{?fedora} >= 16
+%dir %{_sysconfdir}/systemd/system/pki-krad.target.wants
+%{_unitdir}/pki-krad@.service
+%{_unitdir}/pki-krad.target
+%else
+%{_initrddir}/pki-krad
+%endif
+%{_javadir}/pki/pki-kra-%{version}.jar
+%{_javadir}/pki/pki-kra.jar
+%dir %{_datadir}/pki/kra
+%{_datadir}/pki/kra/conf/
+%{_datadir}/pki/kra/setup/
+%{_datadir}/pki/kra/webapps/
+%dir %{_localstatedir}/lock/pki/kra
+%dir %{_localstatedir}/run/pki/kra
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-kra.conf
+%endif
+
+
+%files -n pki-ocsp
+%defattr(-,root,root,-)
+%doc base/ocsp/LICENSE
+%if 0%{?fedora} >= 16
+%dir %{_sysconfdir}/systemd/system/pki-ocspd.target.wants
+%{_unitdir}/pki-ocspd@.service
+%{_unitdir}/pki-ocspd.target
+%else
+%{_initrddir}/pki-ocspd
+%endif
+%{_javadir}/pki/pki-ocsp-%{version}.jar
+%{_javadir}/pki/pki-ocsp.jar
+%dir %{_datadir}/pki/ocsp
+%{_datadir}/pki/ocsp/conf/
+%{_datadir}/pki/ocsp/setup/
+%{_datadir}/pki/ocsp/webapps/
+%dir %{_localstatedir}/lock/pki/ocsp
+%dir %{_localstatedir}/run/pki/ocsp
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
+%endif
+
+
+%files -n pki-tks
+%defattr(-,root,root,-)
+%doc base/tks/LICENSE
+%if 0%{?fedora} >= 16
+%dir %{_sysconfdir}/systemd/system/pki-tksd.target.wants
+%{_unitdir}/pki-tksd@.service
+%{_unitdir}/pki-tksd.target
+%else
+%{_initrddir}/pki-tksd
+%endif
+%{_javadir}/pki/pki-tks-%{version}.jar
+%{_javadir}/pki/pki-tks.jar
+%dir %{_datadir}/pki/tks
+%{_datadir}/pki/tks/conf/
+%{_datadir}/pki/tks/setup/
+%{_datadir}/pki/tks/webapps/
+%dir %{_localstatedir}/lock/pki/tks
+%dir
%{_localstatedir}/run/pki/tks
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-tks.conf
+%endif
+
+
 %files -n pki-silent
 %defattr(-,root,root,-)
 %doc base/silent/LICENSE
@@ -734,6 +1214,12 @@ fi
 %changelog
+* Mon Feb 20 2012 Matthew Harmsen <mharmsen@redhat.com> 10.0.0-0.2.a1
+- Integrated 'pki-kra' into 'pki-core'
+- Integrated 'pki-ocsp' into 'pki-core'
+- Integrated 'pki-tks' into 'pki-core'
+- Bugzilla Bug #788787 - added 'junit'/'junit4' build-time requirements
+
 * Wed Feb 1 2012 Nathan Kinder <nkinder@redhat.com> 10.0.0-0.1.a1
 - Updated package version number
diff --git a/pki/specs/pki-kra.spec b/pki/specs/pki-kra.spec
deleted file mode 100644
index 6e6f3572b..000000000
--- a/pki/specs/pki-kra.spec
+++ /dev/null
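Review bot: The new `%files -n pki-kra`, `%files -n pki-ocsp` and `%files -n pki-tks` sections in the `@@ -724,6 +1120,90 @@` hunk list `%dir %{_localstatedir}/lock/pki/<subsystem>` and `%dir %{_localstatedir}/run/pki/<subsystem>` as ordinary packaged directories, while the `%if 0%{?fedora} >= 15` branch immediately below relies on the tmpfiles.d `D` entries to recreate them at boot because `/var/run` and `/var/lock` are tmpfs on those releases (the linked var-run-tmpfs feature page). On such a system `rpm -V` will report the directories as missing after the first reboot; marking them `%ghost %dir` on that branch keeps them owned by the package without requiring them to exist on disk, which is what the removed pki-kra.spec changelog entry for Bugzilla Bug #656662 ("use 'ghost' on files in /var/run and /var/lock") asked for. The `pki-ca` section these copy is outside the hunk and likely shares the issue.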
@@ -1,442 +0,0 @@
-# for a pre-release, define the prerel field e.g. .a1 .rc2 - comment out for official release
-# also remove the space between % and global - this space is needed because
-# fedpkg verrel stupidly ignores comment lines
-%global prerel .a1
-# also need the relprefix field for a pre-release e.g. .0 - also comment out for official release
-%global relprefix 0.
-
-Name: pki-kra
-Version: 10.0.0
-Release: %{?relprefix}1%{?prerel}%{?dist}
-Summary: Certificate System - Data Recovery Manager
-URL: http://pki.fedoraproject.org/
-License: GPLv2
-Group: System Environment/Daemons
-
-BuildArch: noarch
-
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-
-# specify '_unitdir' macro for platforms that don't use 'systemd'
-%if 0%{?rhel} || 0%{?fedora} < 16
-%define _unitdir /lib/systemd/system
-%endif
-
-BuildRequires: cmake
-BuildRequires: java-devel >= 1:1.6.0
-BuildRequires: nspr-devel
-BuildRequires: nss-devel
-%if 0%{?fedora} >= 16
-BuildRequires: jpackage-utils >= 0:1.7.5-10
-BuildRequires: jss >= 4.2.6-19.1
-BuildRequires: pki-common >= 9.0.15
-BuildRequires: pki-util >= 9.0.15
-BuildRequires: systemd-units
-%else
-BuildRequires: jpackage-utils
-BuildRequires: jss >= 4.2.6-17
-BuildRequires: pki-common
-BuildRequires: pki-util
-%endif
-
-Requires: java >= 1:1.6.0
-Requires: pki-kra-theme >= 9.0.0
-%if 0%{?fedora} >= 16
-Requires: pki-common >= 9.0.15
-Requires: pki-selinux >= 9.0.15
-Requires(post): systemd-units
-Requires(preun): systemd-units
-Requires(postun): systemd-units
-%else
-%if 0%{?fedora} >= 15
-Requires: pki-common
-Requires: pki-selinux
-Requires(post): chkconfig
-Requires(preun): chkconfig
-Requires(preun): initscripts
-Requires(postun): initscripts
-# Details:
-#
-# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
-# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
-#
-Requires: initscripts
-%else
-Requires: pki-common
-Requires: pki-selinux
-Requires(post): chkconfig
-Requires(preun):
chkconfig
-Requires(preun): initscripts
-Requires(postun): initscripts
-%endif
-%endif
-
-Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz
-
-%description
-Certificate System (CS) is an enterprise software system designed
-to manage enterprise Public Key Infrastructure (PKI) deployments.
-
-The Data Recovery Manager (DRM) is an optional PKI subsystem that can act
-as a Key Recovery Authority (KRA). When configured in conjunction with the
-Certificate Authority (CA), the DRM stores private encryption keys as part of
-the certificate enrollment process. The key archival mechanism is triggered
-when a user enrolls in the PKI and creates the certificate request. Using the
-Certificate Request Message Format (CRMF) request format, a request is
-generated for the user's private encryption key. This key is then stored in
-the DRM which is configured to store keys in an encrypted format that can only
-be decrypted by several agents requesting the key at one time, providing for
-protection of the public encryption keys for the users in the PKI deployment.
-
-Note that the DRM archives encryption keys; it does NOT archive signing keys,
-since such archival would undermine non-repudiation properties of signing keys.
-
-For deployment purposes, a DRM requires the following components from the PKI
-Core package:
-
- * pki-setup
- * pki-native-tools
- * pki-util
- * pki-java-tools
- * pki-common
- * pki-selinux
-
-and can also make use of the following optional components from the PKI Core
-package:
-
- * pki-util-javadoc
- * pki-java-tools-javadoc
- * pki-common-javadoc
- * pki-silent
-
-Additionally, Certificate System requires ONE AND ONLY ONE of the following
-"Mutually-Exclusive" PKI Theme packages:
-
- * dogtag-pki-theme (Dogtag Certificate System deployments)
- * redhat-pki-theme (Red Hat Certificate System deployments)
-
-
-%prep
-
-
-%setup -q -n %{name}-%{version}%{?prerel}
-
-
-%clean
-%{__rm} -rf %{buildroot}
-
-
-%build
-%{__mkdir_p} build
-cd build
-%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_KRA:BOOL=ON -DJAVA_LIB_INSTALL_DIR=%{_jnidir} ..
-%{__make} VERBOSE=1 %{?_smp_mflags}
-
-
-%install
-%{__rm} -rf %{buildroot}
-cd build
-%{__make} install DESTDIR=%{buildroot} INSTALL="install -p"
-
-%if 0%{?fedora} >= 15
-# Details:
-#
-# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
-# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
-#
-%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d
-# generate 'pki-kra.conf' under the 'tmpfiles.d' directory
-echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
-echo "D /var/lock/pki/kra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
-echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
-echo "D /var/run/pki/kra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
-%endif
-
-%if 0%{?fedora} >= 16
-%{__rm} %{buildroot}%{_initrddir}/pki-krad
-%else
-%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-krad.target.wants
-%{__rm} -rf %{buildroot}%{_unitdir}
-%endif
-
-%if 0%{?rhel} || 0%{?fedora} < 16
-%post
-# This adds the proper /etc/rc*.d links for the script
-/sbin/chkconfig --add
pki-krad || :
-
-
-%preun
-if [ $1 = 0 ] ; then
- /sbin/service pki-krad stop >/dev/null 2>&1
- /sbin/chkconfig --del pki-krad || :
-fi
-
-
-%postun
-if [ "$1" -ge "1" ] ; then
- /sbin/service pki-krad condrestart >/dev/null 2>&1 || :
-fi
-%else
-%post
-# Attempt to update ALL old "KRA" instances to "systemd"
-if [ -d /etc/sysconfig/pki/kra ]; then
- for inst in `ls /etc/sysconfig/pki/kra`; do
- if [ ! -e "/etc/systemd/system/pki-krad.target.wants/pki-krad@${inst}.service" ]; then
- ln -s "/lib/systemd/system/pki-krad@.service" \
- "/etc/systemd/system/pki-krad.target.wants/pki-krad@${inst}.service"
- [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}
- ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}
-
- if [ -e /var/run/${inst}.pid ]; then
- kill -9 `cat /var/run/${inst}.pid` || :
- rm -f /var/run/${inst}.pid
- echo "pkicreate.systemd.servicename=pki-krad@${inst}.service" >> \
- /var/lib/${inst}/conf/CS.cfg || :
- /bin/systemctl daemon-reload >/dev/null 2>&1 || :
- /bin/systemctl restart pki-krad@${inst}.service || :
- else
- echo "pkicreate.systemd.servicename=pki-krad@${inst}.service" >> \
- /var/lib/${inst}/conf/CS.cfg || :
- fi
- fi
- done
-fi
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-
-%preun
-if [ $1 = 0 ] ; then
- /bin/systemctl --no-reload disable pki-krad.target > /dev/null 2>&1 || :
- /bin/systemctl stop pki-krad.target > /dev/null 2>&1 || :
-fi
-
-%postun
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-if [ "$1" -ge "1" ] ; then
- /bin/systemctl try-restart pki-krad.target >/dev/null 2>&1 || :
-fi
-%endif
-
-%files
-%defattr(-,root,root,-)
-%doc base/kra/LICENSE
-%if 0%{?fedora} >= 16
-%dir %{_sysconfdir}/systemd/system/pki-krad.target.wants
-%{_unitdir}/pki-krad@.service
-%{_unitdir}/pki-krad.target
-%else
-%{_initrddir}/pki-krad
-%endif
-%{_javadir}/pki/pki-kra-%{version}.jar
-%{_javadir}/pki/pki-kra.jar
-%dir %{_datadir}/pki/kra
-%{_datadir}/pki/kra/conf/
-%{_datadir}/pki/kra/setup/
-%{_datadir}/pki/kra/webapps/
-%dir %{_localstatedir}/lock/pki/kra -%dir %{_localstatedir}/run/pki/kra -%if 0%{?fedora} >= 15 -# Details: -# -# * https://fedoraproject.org/wiki/Features/var-run-tmpfs -# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft -# -%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-kra.conf -%endif - - -%changelog -* Wed Feb 1 2012 Nathan Kinder <nkinder@redhat.com> 10.0.0-0.1.a1 -- Updated package version number - -* Fri Oct 28 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.9-1 -- Bugzilla Bug #737122 - DRM: during archiving and recovering, - wrapping unwrapping keys should be done in the token (cfu) -- Bugzilla Bug #744797 - KRA key recovery (retrieve pkcs#12) fails after - the in-place upgrade( CS 8.0->8.1) (cfu) -- Bugzilla Bug #749945 - Installation error reported during CA, DRM, - OCSP, and TKS package installation . . . (mharmsen) - -* Thu Sep 22 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.8-1 -- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen) -- Bugzilla Bug #699809 - Convert CS to use systemd (alee) -- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu) - -* Mon Sep 12 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.7-1 -- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . -- Bugzilla Bug #699809 - Convert CS to use systemd (alee) - -* Tue Sep 6 2011 Ade Lee <alee@redhat.com> 9.0.6-1 -- Bugzilla Bug #699809 - Convert CS to use systemd (alee) - -* Tue Aug 23 2011 Ade Lee <alee@redhat.com> 9.0.5-1 -- Bugzilla Bug #712931 - CS requires too many ports - to be open in the FW - -* Thu Jul 14 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.4-1 -- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser - (jdennis) -- Bugzilla Bug #699837 - service command is not fully backwards - compatible with Dogtag pki subsystems (mharmsen) -- Bugzilla Bug #649910 - Console: an auditor or agent can be added to an - administrator group. 
(jmagne) -- Bugzilla Bug #707416 - CC_LAB_EVAL: Security Domain: missing audit msgs - for modify/add (alee) -- Bugzilla Bug #714068 - KRA: remove monitor servlet from kra (alee) -- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) -- Updated release of 'jss' - -* Tue Apr 26 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-1 -- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser -- Bugzilla Bug #699837 - service command is not fully backwards compatible - with Dogtag pki subsystems - -* Fri Mar 25 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.2-1 -- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) -- Bugzilla Bug #683581 - CA configuration with ECC(Default - EC curve-nistp521) CA fails with 'signing operation failed' -- Bugzilla Bug #684381 - CS.cfg specifies incorrect type of comments -- Require "jss >= 4.2.6-15" as a build and runtime requirement - -* Thu Mar 17 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.1-1 -- Bugzilla Bug #688763 - Rebase updated Dogtag Packages for Fedora 15 (alpha) -- Bugzilla Bug #673638 - Installation within IPA hangs - -* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1 -- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0 -- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs - in the java subsystems -- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml - as part of CC interface review -- Bugzilla Bug #583823 - CC: Auditing issues found as result of - CC - interface review -- Bugzilla Bug #607380 - CC: Make sure Java Console can configure - all security relevant config items -- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be - generated on TKS instead of TPS. 
-- Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable - a CA that it serves -- Bugzilla Bug #504061 - ECC: unable to install subsystems - phase 1 -- Bugzilla Bug #637330 - CC feature: Key Management - provide signature - verification functions (JAVA subsystems) -- Bugzilla Bug #223313 - should do random generated IV param - for symmetric keys -- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and - port fowarding for agent services -- Bugzilla Bug #631179 - Administrator is not allowed to remove - ocsp signing certificate using console -- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of - signature algorithm; and for ECC curves -- Bugzilla Bug #451874 - RFE - Java console - Certificate Wizard missing - e.c. support -- Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA release -- - DRM and TKS do not seem to have CRL checking enabled -- Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help - correctly set up CC environment -- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports - to talk to CA and complete configuration in DonePanel -- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) -- Bugzilla Bug #489385 - references to rhpki -- Bugzilla Bug #649910 - Console: an auditor or agent can be added to - an administrator group. -- Bugzilla Bug #632425 - Port to tomcat6 -- Bugzilla Bug #638377 - Generate PKI UI components which exclude - a GUI interface -- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets - as expected -- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for - validity -- Bugzilla Bug #643206 - New CMake based build system for Dogtag -- Bugzilla Bug #499494 - change CA defaults to SHA2 -- Bugzilla Bug #649343 - Publishing queue should recover from CA crash. 
-- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and - pkiCA, obsolete 2252 and 2256 -- Bugzilla Bug #223346 - Two conflicting ACL list definitions in source - repository -- Bugzilla Bug #663546 - Disable the functionalities that are not exposed - in the console -- Bugzilla Bug #656733 - Standardize jar install location and jar names -- Bugzilla Bug #661142 - Verification should fail when - a revoked certificate is added -- Bugzilla Bug #668100 - DRM storage cert has OCSP signing extended key usage -- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time - interface is no longer available through console -- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During - CRL Generation - -* Wed Aug 04 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.4-1 -- Bugzilla Bug #608086 - CC: CA, OCSP, and DRM need to add more audit calls -- Bugzilla Bug #527593 - More robust signature digest alg, - like SHA256 instead of SHA1 for ECC -- Bugzilla Bug #528236 - rhcs80 web conf wizard - cannot specify CA signing - algorithm -- Bugzilla Bug #533510 - tps exception, cannot start when signed audit true -- Bugzilla Bug #529280 - TPS returns HTTP data without ending in 0rn per - RFC 2616 -- Bugzilla Bug #498299 - Should not be able to change the status manually - on a token marked as permanently lost or destroyed -- Bugzilla Bug #554892 - configurable frequency signed audit -- Bugzilla Bug #500700 - tps log rotation -- Bugzilla Bug #562893 - tps shutdown if audit logs full -- Bugzilla Bug #557346 - Name Constraints Extension cant be marked critical -- Bugzilla Bug #556152 - ACL changes to CA and OCSP -- Bugzilla Bug #556167 - ACL changes to CA and OCSP -- Bugzilla Bug #581004 - add more audit logging to the TPS -- Bugzilla Bug #566517 - CC: Add client auth to OCSP publishing, and move - to a client-auth port -- Bugzilla Bug #565842 - Clone config throws errors - fix key_algorithm -- Bugzilla Bug #581017 - enabling log signing from tps ui 
pages causes - tps crash -- Bugzilla Bug #581004 - add more audit logs -- Bugzilla Bug #595871 - CC: TKS needed audit message changes -- Bugzilla Bug #598752 - Common Criteria: TKS ACL analysis result. -- Bugzilla Bug #598666 - Common Criteria: incorrect ACLs for signedAudit -- Bugzilla Bug #504905 - Smart card renewal should load old encryption cert - on the token. -- Bugzilla Bug #499292 - TPS - Enrollments where keys are recovered need - to do both GenerateNewKey and RecoverLast operation for encryption key. -- Bugzilla Bug #498299 - fix case where no transitions available -- Bugzilla Bug #595391 - session domain table to be moved to ldap -- Bugzilla Bug #598643 - Common Criteria: incorrect ACLs (non-existing groups) -- Bugzilla Bug #472597 - Disable policy code,UI -- Bugzilla Bug #504359 - pkiconsole - Administrator Group's Description - References Fedora -- Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing - information -- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml - as part of CC interface review -- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided by - 'netscape.security.provider' package -- Bugzilla Bug #656662 - Please Update Spec File to use 'ghost' on files - in /var/run and /var/lock -- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem - instances - -* Mon Apr 26 2010 Ade Lee <alee@redhat.com> 1.3.3-1 -- Bugzilla Bug 584917- Can not access CA Configuration Web UI after - CA installation - -* Mon Mar 22 2010 Christina Fu <cfu@redhat.com> 1.3.2-1 -- Bugzilla Bug #522343 Add asynchronous key recovery mode - -* Tue Feb 16 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.1-2 -- Bugzilla Bug #566059 - Add 'pki-console' as a runtime dependency - for CA, KRA, OCSP, and TKS . . . 
- -* Mon Feb 08 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.1-1 -- Bugzilla Bug #562986 - Supply convenience symlink(s) for backwards - compatibility (rename jar files as appropriate) - -* Fri Jan 15 2010 Kevin Wright <kwright@redhat.com> 1.3.0-4 -- Removed BuildRequires: dogtag-pki-kra-ui - -* Fri Jan 08 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-3 -- Corrected "|| :" scriptlet logic (see Bugzilla Bug #475895) -- Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . . -- Bugzilla Bug #553842 - New Package for Dogtag PKI: pki-kra - -* Mon Dec 14 2009 Kevin Wright <kwright@redhat.com> 1.3.0-2 -- Removed 'with exceptions' from License - -* Thu Oct 15 2009 Ade Lee <alee@redhat.com> 1.3.0-1 -- Bugzilla Bug #X - Packaging for Fedora Dogtag - diff --git a/pki/specs/pki-ocsp.spec b/pki/specs/pki-ocsp.spec deleted file mode 100644 index 813ddc37e..000000000 --- a/pki/specs/pki-ocsp.spec +++ /dev/null 
@@ -1,435 +0,0 @@ -# for a pre-release, define the prerel field e.g. .a1 .rc2 - comment out for official release -# also remove the space between % and global - this space is needed because -# fedpkg verrel stupidly ignores comment lines -%global prerel .a1 -# also need the relprefix field for a pre-release e.g. .0 - also comment out for official release -%global relprefix 0. - -Name: pki-ocsp -Version: 10.0.0 -Release: %{?relprefix}1%{?prerel}%{?dist} -Summary: Certificate System - Online Certificate Status Protocol Manager -URL: http://pki.fedoraproject.org/ -License: GPLv2 -Group: System Environment/Daemons - -BuildArch: noarch - -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) - -# specify '_unitdir' macro for platforms that don't use 'systemd' -%if 0%{?rhel} || 0%{?fedora} < 16 -%define _unitdir /lib/systemd/system -%endif - -BuildRequires: cmake -BuildRequires: java-devel >= 1:1.6.0 -BuildRequires: nspr-devel -BuildRequires: nss-devel -%if 0%{?fedora} >= 16 -BuildRequires: jpackage-utils >= 0:1.7.5-10 -BuildRequires: jss >= 4.2.6-19.1 -BuildRequires: pki-common >= 9.0.15 -BuildRequires: pki-util >= 9.0.15 -BuildRequires: systemd-units -%else -BuildRequires: jpackage-utils -BuildRequires: jss >= 4.2.6-17 -BuildRequires: pki-common -BuildRequires: pki-util -%endif - -Requires: java >= 1:1.6.0 -Requires: pki-ocsp-theme >= 9.0.0 -%if 0%{?fedora} >= 16 -Requires: pki-common >= 9.0.15 -Requires: pki-selinux >= 9.0.15 -Requires(post): systemd-units -Requires(preun): systemd-units -Requires(postun): systemd-units -%else -%if 0%{?fedora} >= 15 -Requires: pki-common -Requires: pki-selinux -Requires(post): chkconfig -Requires(preun): chkconfig -Requires(preun): initscripts -Requires(postun): initscripts -# Details: -# -# * https://fedoraproject.org/wiki/Features/var-run-tmpfs -# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft -# -Requires: initscripts -%else -Requires: pki-common -Requires: pki-selinux -Requires(post): chkconfig 
-Requires(preun): chkconfig -Requires(preun): initscripts -Requires(postun): initscripts -%endif -%endif - -Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz - -%description -Certificate System (CS) is an enterprise software system designed -to manage enterprise Public Key Infrastructure (PKI) deployments. - -The Online Certificate Status Protocol (OCSP) Manager is an optional PKI -subsystem that can act as a stand-alone OCSP service. The OCSP Manager -performs the task of an online certificate validation authority by enabling -OCSP-compliant clients to do real-time verification of certificates. Note -that an online certificate-validation authority is often referred to as an -OCSP Responder. - -Although the Certificate Authority (CA) is already configured with an -internal OCSP service. An external OCSP Responder is offered as a separate -subsystem in case the user wants the OCSP service provided outside of a -firewall while the CA resides inside of a firewall, or to take the load of -requests off of the CA. - -The OCSP Manager can receive Certificate Revocation Lists (CRLs) from -multiple CA servers, and clients can query the OCSP Manager for the -revocation status of certificates issued by all of these CA servers. - -When an instance of OCSP Manager is set up with an instance of CA, and -publishing is set up to this OCSP Manager, CRLs are published to it -whenever they are issued or updated. 
- -For deployment purposes, an OCSP Manager requires the following components -from the PKI Core package: - - * pki-setup - * pki-native-tools - * pki-util - * pki-java-tools - * pki-common - * pki-selinux - -and can also make use of the following optional components from the PKI Core -package: - - * pki-util-javadoc - * pki-java-tools-javadoc - * pki-common-javadoc - * pki-silent - -Additionally, Certificate System requires ONE AND ONLY ONE of the following -"Mutually-Exclusive" PKI Theme packages: - - * dogtag-pki-theme (Dogtag Certificate System deployments) - * redhat-pki-theme (Red Hat Certificate System deployments) - - -%prep - - -%setup -q -n %{name}-%{version}%{?prerel} - - -%clean -%{__rm} -rf %{buildroot} - - -%build -%{__mkdir_p} build -cd build -%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_OCSP:BOOL=ON -DJAVA_LIB_INSTALL_DIR=%{_jnidir} .. -%{__make} VERBOSE=1 %{?_smp_mflags} - - -%install -%{__rm} -rf %{buildroot} -cd build -%{__make} install DESTDIR=%{buildroot} INSTALL="install -p" - -%if 0%{?fedora} >= 15 -# Details: -# -# * https://fedoraproject.org/wiki/Features/var-run-tmpfs -# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft -# -%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d -# generate 'pki-ocsp.conf' under the 'tmpfiles.d' directory -echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf -echo "D /var/lock/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf -echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf -echo "D /var/run/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf -%endif - -%if 0%{?fedora} >= 16 -%{__rm} %{buildroot}%{_initrddir}/pki-ocspd -%else -%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-ocspd.target.wants -%{__rm} -rf %{buildroot}%{_unitdir} -%endif - -%if 0%{?rhel} || 0%{?fedora} < 16 -%post -# This adds the proper /etc/rc*.d links for the script 
-/sbin/chkconfig --add pki-ocspd || : - - -%preun -if [ $1 = 0 ] ; then - /sbin/service pki-ocspd stop >/dev/null 2>&1 - /sbin/chkconfig --del pki-ocspd || : -fi - - -%postun -if [ "$1" -ge "1" ] ; then - /sbin/service pki-ocspd condrestart >/dev/null 2>&1 || : -fi - -%else -%post -# Attempt to update ALL old "OCSP" instances to "systemd" -if [ -d /etc/sysconfig/pki/ocsp ]; then - for inst in `ls /etc/sysconfig/pki/ocsp`; do - if [ ! -e "/etc/systemd/system/pki-ocspd.target.wants/pki-ocspd@${inst}.service" ]; then - ln -s "/lib/systemd/system/pki-ocspd@.service" \ - "/etc/systemd/system/pki-ocspd.target.wants/pki-ocspd@${inst}.service" - [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst} - ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst} - - if [ -e /var/run/${inst}.pid ]; then - kill -9 `cat /var/run/${inst}.pid` || : - rm -f /var/run/${inst}.pid - echo "pkicreate.systemd.servicename=pki-ocspd@${inst}.service" >> \ - /var/lib/${inst}/conf/CS.cfg || : - /bin/systemctl daemon-reload >/dev/null 2>&1 || : - /bin/systemctl restart pki-ocspd@${inst}.service || : - else - echo "pkicreate.systemd.servicename=pki-ocspd@${inst}.service" >> \ - /var/lib/${inst}/conf/CS.cfg || : - fi - fi - done -fi -/bin/systemctl daemon-reload >/dev/null 2>&1 || : - -%preun -if [ $1 = 0 ] ; then - /bin/systemctl --no-reload disable pki-ocspd.target > /dev/null 2>&1 || : - /bin/systemctl stop pki-ocspd.target > /dev/null 2>&1 || : -fi - - -%postun -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -if [ "$1" -ge "1" ] ; then - /bin/systemctl try-restart pki-ocspd.target >/dev/null 2>&1 || : -fi -%endif - - -%files -%defattr(-,root,root,-) -%doc base/ocsp/LICENSE -%if 0%{?fedora} >= 16 -%dir %{_sysconfdir}/systemd/system/pki-ocspd.target.wants -%{_unitdir}/pki-ocspd@.service -%{_unitdir}/pki-ocspd.target -%else -%{_initrddir}/pki-ocspd -%endif -%{_javadir}/pki/pki-ocsp-%{version}.jar -%{_javadir}/pki/pki-ocsp.jar -%dir %{_datadir}/pki/ocsp -%{_datadir}/pki/ocsp/conf/ 
-%{_datadir}/pki/ocsp/setup/ -%{_datadir}/pki/ocsp/webapps/ -%dir %{_localstatedir}/lock/pki/ocsp -%dir %{_localstatedir}/run/pki/ocsp -%if 0%{?fedora} >= 15 -# Details: -# -# * https://fedoraproject.org/wiki/Features/var-run-tmpfs -# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft -# -%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-ocsp.conf -%endif - - -%changelog -* Wed Feb 1 2012 Nathan Kinder <nkinder@redhat.com> 10.0.0-0.1.a1 -- Updated package version number - -* Fri Oct 28 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.8-1 -- Bugzilla Bug #749945 - Installation error reported during CA, DRM, - OCSP, and TKS package installation . . . - -* Thu Sep 22 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.7-1 -- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen) -- Bugzilla Bug #699809 - Convert CS to use systemd (alee) -- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu) - -* Mon Sep 12 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.6-1 -- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . -- Bugzilla Bug #699809 - Convert CS to use systemd (alee) - -* Tue Sep 6 2011 Ade Lee <alee@redhat.com> 9.0.5-1 -- Bugzilla Bug #699809 - Convert CS to use systemd (alee) - -* Tue Aug 23 2011 Ade Lee <alee@redhat.com> 9.0.4-1 -- Bugzilla Bug #712931 - CS requires too many ports - to be open in the FW - -* Thu Jul 14 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-1 -- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser - (jdennis) -- Bugzilla Bug #699837 - service command is not fully backwards - compatible with Dogtag pki subsystems (mharmsen) -- Bugzilla Bug #649910 - Console: an auditor or agent can be added to an - administrator group. 
(jmagne) -- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) -- Updated release of 'jss' - -* Tue Apr 26 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.2-1 -- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser -- Bugzilla Bug #699837 - service command is not fully backwards compatible - with Dogtag pki subsystems - -* Fri Mar 25 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.1-1 -- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) -- Bugzilla Bug #683581 - CA configuration with ECC(Default - EC curve-nistp521) CA fails with 'signing operation failed' -- Bugzilla Bug #684381 - CS.cfg specifies incorrect type of comments -- Require "jss >= 4.2.6-15" as a build and runtime requirement - -* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1 -- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0 -- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs - in the java subsystems -- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml - as part of CC interface review -- Bugzilla Bug #583823 - CC: Auditing issues found as result of - CC - interface review -- Bugzilla Bug #586700 - OCSP Server throws fatal error while using - OCSP console for renewing SSL Server certificate. -- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be - generated on TKS instead of TPS. 
-- Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable - a CA that it serves -- Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1 -- Bugzilla Bug #504061 - ECC: unable to install subsystems - phase 1 -- Bugzilla Bug #637330 - CC feature: Key Management - provide signature - verification functions (JAVA subsystems) -- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and - port fowarding for agent services -- Bugzilla Bug #631179 - Administrator is not allowed to remove - ocsp signing certificate using console -- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of - signature algorithm; and for ECC curves -- Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA release -- - DRM and TKS do not seem to have CRL checking enabled -- Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help - correctly set up CC environment -- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports - to talk to CA and complete configuration in DonePanel -- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) -- Bugzilla Bug #489385 - references to rhpki -- Bugzilla Bug #649910 - Console: an auditor or agent can be added to - an administrator group. -- Bugzilla Bug #632425 - Port to tomcat6 -- Bugzilla Bug #638377 - Generate PKI UI components which exclude - a GUI interface -- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets - as expected -- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for - validity -- Bugzilla Bug #643206 - New CMake based build system for Dogtag -- Bugzilla Bug #499494 - change CA defaults to SHA2 -- Bugzilla Bug #649343 - Publishing queue should recover from CA crash. 
-- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and - pkiCA, obsolete 2252 and 2256 -- Bugzilla Bug #223346 - Two conflicting ACL list definitions in source - repository -- Bugzilla Bug #663546 - Disable the functionalities that are not exposed - in the console -- Bugzilla Bug #656733 - Standardize jar install location and jar names -- Bugzilla Bug #661142 - Verification should fail when - a revoked certificate is added -- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time - interface is no longer available through console -- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During - CRL Generation -- Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing - information -- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml - as part of the CC interface review -- Bugzilla Bug #656663 - Please Update Spec File to use 'ghost' on files - in /var/run and /var/lock -- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem - instances - -* Wed Aug 04 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.3-1 -- Bugzilla Bug #608086 - CC: CA, OCSP, and DRM need to add more audit calls -- Bugzilla Bug #527593 - More robust signature digest alg, like SHA256 - instead of SHA1 for ECC -- Bugzilla Bug #528236 - rhcs80 web conf wizard - cannot specify CA signing - algorithm -- Bugzilla Bug #533510 - tps exception, cannot start when signed audit true -- Bugzilla Bug #529280 - TPS returns HTTP data without ending in 0rn - per RFC 2616 -- Bugzilla Bug #498299 - Should not be able to change the status manually - on a token marked as permanently lost or destroyed -- Bugzilla Bug #554892 - configurable frequency signed audit -- Bugzilla Bug #500700 - tps log rotation -- Bugzilla Bug #562893 - tps shutdown if audit logs full -- Bugzilla Bug #557346 - Name Constraints Extension cant be marked critical -- Bugzilla Bug #556152 - ACL changes to CA and OCSP -- Bugzilla Bug #556167 - ACL 
changes to CA and OCSP -- Bugzilla Bug #581004 - add more audit logging to the TPS -- Bugzilla Bug #566517 - CC: Add client auth to OCSP publishing, and move - to a client-auth port -- Bugzilla Bug #565842 - Clone config throws errors - fix key_algorithm -- Bugzilla Bug #581017 - enabling log signing from tps ui pages causes tps - crash -- Bugzilla Bug #581004 - add more audit logs -- Bugzilla Bug #595871 - CC: TKS needed audit message changes -- Bugzilla Bug #598752 - Common Criteria: TKS ACL analysis result. -- Bugzilla Bug #598666 - Common Criteria: incorrect ACLs for signedAudit -- Bugzilla Bug #504905 - Smart card renewal should load old encryption cert - on the token. -- Bugzilla Bug #499292 - TPS - Enrollments where keys are recovered need - to do both GenerateNewKey and RecoverLast operation for encryption key. -- Bugzilla Bug #498299 - fix case where no transitions available -- Bugzilla Bug #595391 - session domain table to be moved to ldap -- Bugzilla Bug #598643 - Common Criteria: incorrect ACLs (non-existing groups) -- Bugzilla Bug #504359 - pkiconsole - Administrator Group's Description - References Fedora - -* Mon Apr 26 2010 Ade Lee <alee@redhat.com> 1.3.2-2 -- Bugzilla Bug 584917- Can not access CA Configuration Web UI - after CA installation - -* Wed Apr 21 2010 Andrew Wnuk <awnuk@redhat.com> 1.3.2-1 -- Bugzilla Bug #493765 - console renewal fix for ca, ocsp, and ssl - certificates - -* Tue Feb 16 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.1-2 -- Bugzilla Bug #566059 - Add 'pki-console' as a runtime dependency - for CA, KRA, OCSP, and TKS . . . 
-
-* Mon Feb 08 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.1-1
-- Bugzilla Bug #562986 - Supply convenience symlink(s) for backwards - compatibility (rename jar files as appropriate)
-
-* Fri Jan 15 2010 Kevin Wright <kwright@redhat.com> 1.3.0-4
-- BuildRequires: dogtag-pki-ocsp-ui
-
-* Fri Jan 08 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-3
-- Corrected "|| :" scriptlet logic (see Bugzilla Bug #475895)
-- Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . .
-- Bugzilla Bug #553844 - New Package for Dogtag PKI: pki-ocsp
-
-* Mon Dec 14 2009 Kevin Wright <kwright@redhat.com> 1.3.0-2
-- Removed 'with exceptions' from License
-
-* Thu Oct 15 2009 Ade Lee <alee@redhat.com> 1.3.0-1
- Bugzilla Bug #X -- Packaging for Fedora Dogtag
-
diff --git a/pki/specs/pki-tks.spec b/pki/specs/pki-tks.spec
deleted file mode 100644
index 43956de7f..000000000
--- a/pki/specs/pki-tks.spec
+++ /dev/null
@@ -1,421 +0,0 @@ -# for a pre-release, define the prerel field e.g. .a1 .rc2 - comment out for official release -# also remove the space between % and global - this space is needed because -# fedpkg verrel stupidly ignores comment lines -%global prerel .a1 -# also need the relprefix field for a pre-release e.g. .0 - also comment out for official release -%global relprefix 0. - -Name: pki-tks -Version: 10.0.0 -Release: %{?relprefix}1%{?prerel}%{?dist} -Summary: Certificate System - Token Key Service -URL: http://pki.fedoraproject.org/ -License: GPLv2 -Group: System Environment/Daemons - -BuildArch: noarch - -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) - -# specify '_unitdir' macro for platforms that don't use 'systemd' -%if 0%{?rhel} || 0%{?fedora} < 16 -%define _unitdir /lib/systemd/system -%endif - -BuildRequires: cmake -BuildRequires: java-devel >= 1:1.6.0 -BuildRequires: nspr-devel -BuildRequires: nss-devel -%if 0%{?fedora} >= 16 -BuildRequires: jpackage-utils >= 0:1.7.5-10 -BuildRequires: jss >= 4.2.6-19.1 -BuildRequires: pki-common >= 9.0.15 -BuildRequires: pki-util >= 9.0.15 -BuildRequires: systemd-units -%else -BuildRequires: jpackage-utils -BuildRequires: jss >= 4.2.6-17 -BuildRequires: pki-common -BuildRequires: pki-util -%endif - -Requires: java >= 1:1.6.0 -Requires: pki-tks-theme >= 9.0.0 -%if 0%{?fedora} >= 16 -Requires: pki-common >= 9.0.15 -Requires: pki-selinux >= 9.0.15 -Requires(post): systemd-units -Requires(preun): systemd-units -Requires(postun): systemd-units -%else -%if 0%{?fedora} >= 15 -Requires: pki-common -Requires: pki-selinux -Requires(post): chkconfig -Requires(preun): chkconfig -Requires(preun): initscripts -Requires(postun): initscripts -# Details: -# -# * https://fedoraproject.org/wiki/Features/var-run-tmpfs -# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft -# -Requires: initscripts -%else -Requires: pki-common -Requires: pki-selinux -Requires(post): chkconfig -Requires(preun): chkconfig 
-Requires(preun): initscripts -Requires(postun): initscripts -%endif -%endif - -Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz - -%description -Certificate System (CS) is an enterprise software system designed -to manage enterprise Public Key Infrastructure (PKI) deployments. - -The Token Key Service (TKS) is an optional PKI subsystem that manages the -master key(s) and the transport key(s) required to generate and distribute -keys for hardware tokens. TKS provides the security between tokens and an -instance of Token Processing System (TPS), where the security relies upon the -relationship between the master key and the token keys. A TPS communicates -with a TKS over SSL using client authentication. - -TKS helps establish a secure channel (signed and encrypted) between the token -and the TPS, provides proof of presence of the security token during -enrollment, and supports key changeover when the master key changes on the -TKS. Tokens with older keys will get new token keys. - -Because of the sensitivity of the data that TKS manages, TKS should be set up -behind the firewall with restricted access. 
- -For deployment purposes, a TKS requires the following components from the PKI -Core package: - - * pki-setup - * pki-native-tools - * pki-util - * pki-java-tools - * pki-common - * pki-selinux - -and can also make use of the following optional components from the PKI Core -package: - - * pki-util-javadoc - * pki-java-tools-javadoc - * pki-common-javadoc - * pki-silent - -Additionally, Certificate System requires ONE AND ONLY ONE of the following -"Mutually-Exclusive" PKI Theme packages: - - * dogtag-pki-theme (Dogtag Certificate System deployments) - * redhat-pki-theme (Red Hat Certificate System deployments) - - -%prep - - -%setup -q -n %{name}-%{version}%{?prerel} - - -%clean -%{__rm} -rf %{buildroot} - - -%build -%{__mkdir_p} build -cd build -%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_TKS:BOOL=ON -DJAVA_LIB_INSTALL_DIR=%{_jnidir} .. -%{__make} VERBOSE=1 %{?_smp_mflags} - - -%install -%{__rm} -rf %{buildroot} -cd build -%{__make} install DESTDIR=%{buildroot} INSTALL="install -p" - -%if 0%{?fedora} >= 15 -# Details: -# -# * https://fedoraproject.org/wiki/Features/var-run-tmpfs -# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft -# -%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d -# generate 'pki-tks.conf' under the 'tmpfiles.d' directory -echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf -echo "D /var/lock/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf -echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf -echo "D /var/run/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf -%endif - -%if 0%{?fedora} >= 16 -%{__rm} %{buildroot}%{_initrddir}/pki-tksd -%else -%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-tksd.target.wants -%{__rm} -rf %{buildroot}%{_unitdir} -%endif - -%if 0%{?rhel} || 0%{?fedora} < 16 -%post -# This adds the proper /etc/rc*.d links for the script -/sbin/chkconfig --add 
pki-tksd || : - -%preun -if [ $1 = 0 ] ; then - /sbin/service pki-tksd stop >/dev/null 2>&1 - /sbin/chkconfig --del pki-tksd || : -fi - -%postun -if [ "$1" -ge "1" ] ; then - /sbin/service pki-tksd condrestart >/dev/null 2>&1 || : -fi -%else -%post -# Attempt to update ALL old "TKS" instances to "systemd" -if [ -d /etc/sysconfig/pki/tks ]; then - for inst in `ls /etc/sysconfig/pki/tks`; do - if [ ! -e "/etc/systemd/system/pki-tksd.target.wants/pki-tksd@${inst}.service" ]; then - ln -s "/lib/systemd/system/pki-tksd@.service" \ - "/etc/systemd/system/pki-tksd.target.wants/pki-tksd@${inst}.service" - [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst} - ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst} - - if [ -e /var/run/${inst}.pid ]; then - kill -9 `cat /var/run/${inst}.pid` || : - rm -f /var/run/${inst}.pid - echo "pkicreate.systemd.servicename=pki-tksd@${inst}.service" >> \ - /var/lib/${inst}/conf/CS.cfg || : - /bin/systemctl daemon-reload >/dev/null 2>&1 || : - /bin/systemctl restart pki-tksd@${inst}.service || : - else - echo "pkicreate.systemd.servicename=pki-tksd@${inst}.service" >> \ - /var/lib/${inst}/conf/CS.cfg || : - fi - fi - done -fi -/bin/systemctl daemon-reload >/dev/null 2>&1 || : - -%preun -if [ $1 = 0 ] ; then - /bin/systemctl --no-reload disable pki-tksd.target > /dev/null 2>&1 || : - /bin/systemctl stop pki-tksd.target > /dev/null 2>&1 || : -fi - -%postun -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -if [ "$1" -ge "1" ] ; then - /bin/systemctl try-restart pki-tksd.target >/dev/null 2>&1 || : -fi -%endif - - -%files -%defattr(-,root,root,-) -%doc base/tks/LICENSE -%if 0%{?fedora} >= 16 -%dir %{_sysconfdir}/systemd/system/pki-tksd.target.wants -%{_unitdir}/pki-tksd@.service -%{_unitdir}/pki-tksd.target -%else -%{_initrddir}/pki-tksd -%endif -%{_javadir}/pki/pki-tks-%{version}.jar -%{_javadir}/pki/pki-tks.jar -%dir %{_datadir}/pki/tks -%{_datadir}/pki/tks/conf/ -%{_datadir}/pki/tks/setup/ -%{_datadir}/pki/tks/webapps/ 
-%dir %{_localstatedir}/lock/pki/tks -%dir %{_localstatedir}/run/pki/tks -%if 0%{?fedora} >= 15 -# Details: -# -# * https://fedoraproject.org/wiki/Features/var-run-tmpfs -# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft -# -%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-tks.conf -%endif - - -%changelog -* Wed Feb 1 2012 Nathan Kinder <nkinder@redhat.com> 10.0.0-0.1.a1 -- Updated package version number - -* Fri Oct 28 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.8-1 -- Bugzilla Bug #749945 - Installation error reported during CA, DRM, - OCSP, and TKS package installation . . . - -* Thu Sep 22 2011 Jack Magne <jmagne@redhat.com> 9.0.7-1 -- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu) -- Bugzilla Bug #730162 - TPS/TKS token enrollment failure in FIPS mode - (hsm+NSS). (jmagne) -- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen) -- Bugzilla Bug #699809 - Convert CS to use systemd (alee) - -* Mon Sep 12 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.6-1 -- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . -- Bugzilla Bug #699809 - Convert CS to use systemd (alee) - -* Tue Sep 6 2011 Ade Lee <alee@redhat.com> 9.0.5-1 -- Bugzilla Bug #699809 - Convert CS to use systemd - -* Tue Aug 23 2011 Ade Lee <alee@redhat.com> 9.0.4-1 -- Bugzilla Bug #712931 - CS requires too many ports - to be open in the FW - -* Thu Jul 14 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-1 -- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser - (jdennis) -- Bugzilla Bug #699837 - service command is not fully backwards - compatible with Dogtag pki subsystems (mharmsen) -- Bugzilla Bug #649910 - Console: an auditor or agent can be added to an - administrator group. 
(jmagne) -- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) -- Updated release of 'jss' - -* Tue Apr 26 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.2-1 -- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser -- Bugzilla Bug #699837 - service command is not fully backwards compatible - with Dogtag pki subsystems - -* Fri Mar 25 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.1-1 -- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) -- Bugzilla Bug #683581 - CA configuration with ECC(Default - EC curve-nistp521) CA fails with 'signing operation failed' -- Bugzilla Bug #684381 - CS.cfg specifies incorrect type of comments -- Require "jss >= 4.2.6-15" as a build and runtime requirement - -* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1 -- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0 -- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs - in the java subsystems -- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml - as part of CC interface review -- Bugzilla Bug #583823 - CC: Auditing issues found as result of - CC - interface review -- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be - generated on TKS instead of TPS. 
-- Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable - a CA that it serves -- Bugzilla Bug #504061 - ECC: unable to install subsystems - phase 1 -- Bugzilla Bug #637330 - CC feature: Key Management - provide signature - verification functions (JAVA subsystems) -- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and - port fowarding for agent services -- Bugzilla Bug #631179 - Administrator is not allowed to remove - ocsp signing certificate using console -- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of - signature algorithm; and for ECC curves -- Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA release -- - DRM and TKS do not seem to have CRL checking enabled -- Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help - correctly set up CC environment -- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports - to talk to CA and complete configuration in DonePanel -- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) -- Bugzilla Bug #489385 - references to rhpki -- Bugzilla Bug #649910 - Console: an auditor or agent can be added to - an administrator group. -- Bugzilla Bug #632425 - Port to tomcat6 -- Bugzilla Bug #638377 - Generate PKI UI components which exclude - a GUI interface -- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets - as expected -- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for - validity -- Bugzilla Bug #643206 - New CMake based build system for Dogtag -- Bugzilla Bug #499494 - change CA defaults to SHA2 -- Bugzilla Bug #649343 - Publishing queue should recover from CA crash. 
-- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and - pkiCA, obsolete 2252 and 2256 -- Bugzilla Bug #223346 - Two conflicting ACL list definitions in source - repository -- Bugzilla Bug #663546 - Disable the functionalities that are not exposed - in the console -- Bugzilla Bug #656733 - Standardize jar install location and jar names -- Bugzilla Bug #661142 - Verification should fail when - a revoked certificate is added -- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time - interface is no longer available through console -- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During - CRL Generation -- Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing - information -- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml - as part of the CC interface review -- Bugzilla Bug #656665 - Please Update Spec File to use 'ghost' on files - in /var/run and /var/lock -- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem - instances - -* Wed Aug 04 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.3-1 -- Bugzilla Bug #606556 - Add known session key test to TKS self test set -- Bugzilla Bug #608086 - CC: CA, OCSP, and DRM need to add more audit calls -- Bugzilla Bug #527593 - More robust signature digest alg, like SHA256 - instead of SHA1 for ECC -- Bugzilla Bug #528236 - rhcs80 web conf wizard - cannot specify CA signing - algorithm -- Bugzilla Bug #533510 - tps exception, cannot start when signed audit true -- Bugzilla Bug #529280 - TPS returns HTTP data without ending in 0rn - per RFC 2616 -- Bugzilla Bug #498299 - Should not be able to change the status manually - on a token marked as permanently lost or destroyed -- Bugzilla Bug #554892 - configurable frequency signed audit -- Bugzilla Bug #500700 - tps log rotation -- Bugzilla Bug #562893 - tps shutdown if audit logs full -- Bugzilla Bug #557346 - Name Constraints Extension cant be marked critical -- 
Bugzilla Bug #556152 - ACL changes to CA and OCSP -- Bugzilla Bug #556167 - ACL changes to CA and OCSP -- Bugzilla Bug #581004 - add more audit logging to the TPS -- Bugzilla Bug #566517 - CC: Add client auth to OCSP publishing, and move - to a client-auth port -- Bugzilla Bug #565842 - Clone config throws errors - fix key_algorithm -- Bugzilla Bug #581017 - enabling log signing from tps ui pages causes tps - crash -- Bugzilla Bug #581004 - add more audit logs -- Bugzilla Bug #595871 - CC: TKS needed audit message changes -- Bugzilla Bug #598752 - Common Criteria: TKS ACL analysis result. -- Bugzilla Bug #598666 - Common Criteria: incorrect ACLs for signedAudit -- Bugzilla Bug #504905 - Smart card renewal should load old encryption cert - on the token. -- Bugzilla Bug #499292 - TPS - Enrollments where keys are recovered need - to do both GenerateNewKey and RecoverLast operation for encryption key. -- Bugzilla Bug #498299 - fix case where no transitions available -- Bugzilla Bug #595391 - session domain table to be moved to ldap -- Bugzilla Bug #598643 - Common Criteria: incorrect ACLs (non-existing groups) -- Bugzilla Bug #504359 - pkiconsole - Administrator Group's Description - References Fedora - -* Mon Apr 26 2010 Ade Lee <alee@redhat.com> 1.3.2-1 -- Bugzilla Bug 584917- Can not access CA Configuration Web UI - after CA installation - -* Tue Feb 16 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.1-2 -- Bugzilla Bug #566059 - Add 'pki-console' as a runtime dependency - for CA, KRA, OCSP, and TKS . . . 
- -* Mon Feb 08 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.1-1 -- Bugzilla Bug #562986 - Supply convenience symlink(s) for backwards - compatibility (rename jar files as appropriate) - -* Fri Jan 15 2010 Kevin Wright <kwright@redhat.com> 1.3.0-4 -- Removed BuildRequires: dogtag-pki-tks-ui - -* Fri Jan 08 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-3 -- Corrected "|| :" scriptlet logic (see Bugzilla Bug #475895) -- Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . . -- Bugzilla Bug #553847 - New Package for Dogtag PKI: pki-tks - -* Mon Dec 14 2009 Kevin Wright <kwright@redhat.com> 1.3.0-2 -- Removed 'with exceptions' from License - -* Fri Oct 16 2009 Ade Lee <alee@redhat.com> 1.3.0-1 -- Bugzilla Bug #X - Packaging for Fedora Dogtag - |