Diffstat (limited to 'pki/specs')
-rw-r--r-- | pki/specs/dogtag-pki-theme.spec | 457
-rw-r--r-- | pki/specs/ipa-pki-theme.spec | 183
-rw-r--r-- | pki/specs/pki-console.spec | 119
-rw-r--r-- | pki/specs/pki-core.spec | 1130
-rw-r--r-- | pki/specs/pki-kra.spec | 303
-rw-r--r-- | pki/specs/pki-migrate.spec | 137
-rw-r--r-- | pki/specs/pki-ocsp.spec | 304
-rw-r--r-- | pki/specs/pki-ra.spec | 238
-rw-r--r-- | pki/specs/pki-tks.spec | 292
-rw-r--r-- | pki/specs/pki-tps.spec | 389
10 files changed, 3552 insertions, 0 deletions
diff --git a/pki/specs/dogtag-pki-theme.spec b/pki/specs/dogtag-pki-theme.spec new file mode 100644 index 000000000..eb273ed77 --- /dev/null +++ b/pki/specs/dogtag-pki-theme.spec 
@@ -0,0 +1,457 @@ +Name: dogtag-pki-theme +Version: 9.0.1 +Release: 1%{?dist} +Summary: Certificate System - Dogtag PKI Theme Components +URL: http://pki.fedoraproject.org/ +License: GPLv2 +Group: System Environment/Base + +BuildArch: noarch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: cmake +BuildRequires: java-devel >= 1:1.6.0 +BuildRequires: jpackage-utils + +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz + +%if 0%{?rhel} +ExcludeArch: ppc ppc64 s390 s390x +%endif + +%global overview \ +Several PKI packages require a "virtual" theme component. These \ +"virtual" theme components are "Provided" by various theme "flavors" \ +including "dogtag", "redhat", and "ipa". Consequently, \ +all "dogtag", "redhat", and "ipa" theme components MUST be \ +mutually exclusive! \ + \ +On Fedora systems, the "dogtag" theme packages are the ONLY available \ +theme components. \ + \ +Similarly, the "ipa" theme packages are ONLY available on RHEL \ +systems, and represent the default theme components. \ + \ +Alternatively, on RHEL systems, if the "dogtag" theme packages are \ +available as EPEL packages, while they may be used as a transparent \ +replacement for their corresponding "ipa" theme package, they are not \ +intended to be used as a replacement for their corresponding "redhat" \ +theme components. \ + \ +Finally, if available for a RHEL system (e. g. - RHCS subscription), \ +each "redhat" theme package MUST be used as a transparent replacement \ +for its corresponding "ipa" theme package or "dogtag" theme package. 
\ +%{nil} + +%description %{overview} + + +%package -n dogtag-pki-common-theme +Summary: Certificate System - PKI Common Framework User Interface +Group: System Environment/Base + +%if 0%{?rhel} +# EPEL version of Dogtag "theme" conflicts with all versions of Red Hat "theme" +Conflicts: redhat-pki-common-theme +Conflicts: redhat-pki-common-ui + +# EPEL version of Dogtag "theme" ALWAYS replaces ALL versions of IPA "theme" +Obsoletes: ipa-pki-common-theme <= 9999 +Provides: ipa-pki-common-theme = %{version}-%{release} +%endif + +Obsoletes: dogtag-pki-common-ui <= 9 + +Provides: pki-common-theme = %{version}-%{release} +Provides: pki-common-ui = %{version}-%{release} + +%description -n dogtag-pki-common-theme +This PKI Common Framework User Interface contains +the Dogtag textual and graphical user interface for the PKI Common Framework. + +This package is used by the Dogtag Certificate System. + +%{overview} + + +%package -n dogtag-pki-ca-theme +Summary: Certificate System - Certificate Authority User Interface +Group: System Environment/Base + +Requires: dogtag-pki-common-theme = %{version}-%{release} + +%if 0%{?rhel} +# EPEL version of Dogtag "theme" conflicts with all versions of Red Hat "theme" +Conflicts: redhat-pki-ca-theme +Conflicts: redhat-pki-ca-ui + +# EPEL version of Dogtag "theme" ALWAYS replaces ALL versions of IPA "theme" +Obsoletes: ipa-pki-ca-theme <= 9999 +Provides: ipa-pki-ca-theme = %{version}-%{release} +%endif + +Obsoletes: dogtag-pki-ca-ui <= 9 + +Provides: pki-ca-theme = %{version}-%{release} +Provides: pki-ca-ui = %{version}-%{release} + +%description -n dogtag-pki-ca-theme +This Certificate Authority (CA) User Interface contains +the Dogtag textual and graphical user interface for the CA. + +This package is used by the Dogtag Certificate System. 
+ +%{overview} + + +%package -n dogtag-pki-kra-theme +Summary: Certificate System - Data Recovery Manager User Interface +Group: System Environment/Base + +Requires: dogtag-pki-common-theme = %{version}-%{release} + +%if 0%{?rhel} +# EPEL version of Dogtag "theme" conflicts with all versions of Red Hat "theme" +Conflicts: redhat-pki-kra-theme +Conflicts: redhat-pki-kra-ui +%endif + +Obsoletes: dogtag-pki-kra-ui <= 9 + +Provides: pki-kra-theme = %{version}-%{release} +Provides: pki-kra-ui = %{version}-%{release} + +%description -n dogtag-pki-kra-theme +This Data Recovery Manager (DRM) User Interface contains +the Dogtag textual and graphical user interface for the DRM. + +This package is used by the Dogtag Certificate System. + +%{overview} + + +%package -n dogtag-pki-ocsp-theme +Summary: Certificate System - Online Certificate Status Protocol Manager User Interface +Group: System Environment/Base + +Requires: dogtag-pki-common-theme = %{version}-%{release} + +%if 0%{?rhel} +# EPEL version of Dogtag "theme" conflicts with all versions of Red Hat "theme" +Conflicts: redhat-pki-ocsp-theme +Conflicts: redhat-pki-ocsp-ui +%endif + +Obsoletes: dogtag-pki-ocsp-ui <= 9 + +Provides: pki-ocsp-theme = %{version}-%{release} +Provides: pki-ocsp-ui = %{version}-%{release} + +%description -n dogtag-pki-ocsp-theme +This Online Certificate Status Protocol (OCSP) Manager User Interface contains +the Dogtag textual and graphical user interface for the OCSP Manager. + +This package is used by the Dogtag Certificate System. 
+ +%{overview} + + +%package -n dogtag-pki-ra-theme +Summary: Certificate System - Registration Authority User Interface +Group: System Environment/Base + +%if 0%{?rhel} +# EPEL version of Dogtag "theme" conflicts with all versions of Red Hat "theme" +Conflicts: redhat-pki-ra-theme +Conflicts: redhat-pki-ra-ui +%endif + +Obsoletes: dogtag-pki-ra-ui <= 9 + +Provides: pki-ra-theme = %{version}-%{release} +Provides: pki-ra-ui = %{version}-%{release} + +%description -n dogtag-pki-ra-theme +This Registration Authority (RA) User Interface contains +the Dogtag textual and graphical user interface for the RA. + +This package is used by the Dogtag Certificate System. + +%{overview} + + +%package -n dogtag-pki-tks-theme +Summary: Certificate System - Token Key Service User Interface +Group: System Environment/Base + +Requires: dogtag-pki-common-theme = %{version}-%{release} + +%if 0%{?rhel} +# EPEL version of Dogtag "theme" conflicts with all versions of Red Hat "theme" +Conflicts: redhat-pki-tks-theme +Conflicts: redhat-pki-tks-ui +%endif + +Obsoletes: dogtag-pki-tks-ui <= 9 + +Provides: pki-tks-theme = %{version}-%{release} +Provides: pki-tks-ui = %{version}-%{release} + +%description -n dogtag-pki-tks-theme +This Token Key Service (TKS) User Interface contains +the Dogtag textual and graphical user interface for the TKS. + +This package is used by the Dogtag Certificate System. 
+ +%{overview} + + +%package -n dogtag-pki-tps-theme +Summary: Certificate System - Token Processing System User Interface +Group: System Environment/Base + +%if 0%{?rhel} +# EPEL version of Dogtag "theme" conflicts with all versions of Red Hat "theme" +Conflicts: redhat-pki-tps-theme +Conflicts: redhat-pki-tps-ui +%endif + +Obsoletes: dogtag-pki-tps-ui <= 9 + +Provides: pki-tps-theme = %{version}-%{release} +Provides: pki-tps-ui = %{version}-%{release} + +%description -n dogtag-pki-tps-theme +This Token Processing System (TPS) User Interface contains +the Dogtag textual and graphical user interface for the TPS. + +This package is used by the Dogtag Certificate System. + +%{overview} + + +%package -n dogtag-pki-console-theme +Summary: Certificate System - PKI Console User Interface +Group: System Environment/Base + +Requires: java >= 1:1.6.0 + +%if 0%{?rhel} +# EPEL version of Dogtag "theme" conflicts with all versions of Red Hat "theme" +Conflicts: redhat-pki-console-theme +Conflicts: redhat-pki-console-ui +%endif + +Obsoletes: dogtag-pki-console-ui <= 9 + +Provides: pki-console-theme = %{version}-%{release} +Provides: pki-console-ui = %{version}-%{release} + +%description -n dogtag-pki-console-theme +This PKI Console User Interface contains +the Dogtag textual and graphical user interface for the PKI Console. + +This package is used by the Dogtag Certificate System. + +%{overview} + + +%prep + + +%setup -q + + +%clean +%{__rm} -rf %{buildroot} + + +%build +%{__mkdir_p} build +cd build +%cmake -DBUILD_DOGTAG_PKI_THEME:BOOL=ON .. 
+%{__make} VERBOSE=1 %{?_smp_mflags} + + +%install +%{__rm} -rf %{buildroot} +cd build +%{__make} install DESTDIR=%{buildroot} INSTALL="install -p" + +chmod 755 %{buildroot}%{_datadir}/pki/tps-ui/cgi-bin/sow/cfg.pl + + +# NOTE: Several "theme" packages require ownership of the "/usr/share/pki" +# directory because the PKI subsystems (CA, DRM, OCSP, TKS, RA, TPS) +# which require them may be installed either independently or in +# multiple combinations. +# +# Since CA, DRM, OCSP, and TKS subsystems all require the +# "dogtag-pki-common-theme" as well as their individual "themes", +# only "dogtag-pki-common-theme" needs to require this directory. +# +# However, RA and TPS subsystems still require their own individual +# ownership of this directory. + +%files -n dogtag-pki-common-theme +%defattr(-,root,root,-) +%doc dogtag/common-ui/LICENSE +%dir %{_datadir}/pki +%{_datadir}/pki/common-ui/ + + +%files -n dogtag-pki-ca-theme +%defattr(-,root,root,-) +%doc dogtag/ca-ui/LICENSE +%{_datadir}/pki/ca-ui/ + + +%files -n dogtag-pki-kra-theme +%defattr(-,root,root,-) +%doc dogtag/kra-ui/LICENSE +%{_datadir}/pki/kra-ui/ + + +%files -n dogtag-pki-ocsp-theme +%defattr(-,root,root,-) +%doc dogtag/ocsp-ui/LICENSE +%{_datadir}/pki/ocsp-ui/ + + +%files -n dogtag-pki-ra-theme +%defattr(-,root,root,-) +%doc dogtag/ra-ui/LICENSE +%dir %{_datadir}/pki +%{_datadir}/pki/ra-ui/ + + +%files -n dogtag-pki-tks-theme +%defattr(-,root,root,-) +%doc dogtag/tks-ui/LICENSE +%{_datadir}/pki/tks-ui/ + + +%files -n dogtag-pki-tps-theme +%defattr(-,root,root,-) +%doc dogtag/tps-ui/LICENSE +%dir %{_datadir}/pki +%{_datadir}/pki/tps-ui/ + + +%files -n dogtag-pki-console-theme +%defattr(-,root,root,-) +%doc dogtag/console-ui/LICENSE +%{_javadir}/pki/ + + +%changelog +* Fri Feb 4 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.1-1 +- Bugzilla Bug #606944 - Convert TPS to use ldap utilities and API from + OpenLDAP instead of the Mozldap + +* Fri Jan 21 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-3 +- 
Bugzilla Bug #671030 - Review Request: dogtag-pki-theme - Certificate + System, Dogtag PKI Theme Components +- Augmented overview description. +- Isolated and corrected EPEL information +- Added comment regarding '/usr/share/pki' file ownership +- 'dogtag-pki-common-theme' +- Bugzilla Bug #671058 - ipa2 - ipa-server-install fails on pkisilent - + xml parsing string -- ? +- 'dogtag-pki-ca-theme' +- Bugzilla Bug #564207 - Searches for completed requests in the agent + interface returns zero entries + +* Thu Jan 20 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-2 +- Bugzilla Bug #671030 - Review Request: dogtag-pki-theme - Certificate + System, Dogtag PKI Theme Components +- Added 'java-devel' and 'jpackage' build requirements +- Added 'java' runtime requirement to 'dogtag-pki-console-theme' +- Added file mode change to installation section +- Deleted explicit file mode change from files inventory section + +* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1 +- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0 +- 'dogtag-pki-ca-theme' (formerly 'dogtag-pki-ca-ui') +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on + ECC curve names (not on key sizes). 
+- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- 'dogtag-pki-common-theme' (formerly 'dogtag-pki-common-ui') +- Bugzilla Bug #630126 - clone installation wizard basedn for internal + db should not be changeable +- Bugzilla Bug #533529 - rhcs80 web wizard - broken login page when + using valid pin +- Bugzilla Bug #223336 - ECC: unable to clone a ECC CA +- Bugzilla Bug #528249 - rhcs80 - web pages, css -moz-opacity deprecated +- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection + of signature algorithm; and for ECC curves +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- 'dogtag-pki-console-theme' (formerly 'dogtag-pki-console-ui') +- Bugzilla Bug #607380 - CC: Make sure Java Console can configure all + security relevant config items +- Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple + Certificates from the Same Request +- Bugzilla Bug #451874 - RFE - Java console - Certificate Wizard missing + e.c. 
support +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- 'dogtag-pki-kra-theme' (formerly 'dogtag-pki-kra-ui') +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- 'dogtag-pki-ocsp-theme' (formerly 'dogtag-pki-ocsp-ui') +- Bugzilla Bug #630121 - OCSP responder lacking option to delete or + disable a CA that it serves +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- 'dogtag-pki-ra-theme' (formerly 'dogtag-pki-ra-ui') +- Bugzilla Bug #533529 - rhcs80 web wizard - broken login page when + using valid pin +- Bugzilla Bug #528249 - rhcs80 - web pages, css -moz-opacity deprecated +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- 'dogtag-pki-tks-theme' (formerly 'dogtag-pki-tks-ui') +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- 'dogtag-pki-tps-theme' (formerly 'dogtag-pki-tps-ui') +- Bugzilla Bug #607373 - add self test framework to TPS subsytem +- Bugzilla Bug #607374 - add self test to TPS self test framework +- Bugzilla Bug #624847 - Installed TPS cannot be started to be configured. +- Bugzilla Bug #630018 - Delete button missing from Edit Profile page. 
+- Bugzilla Bug #609331 - Should not be able to manually change the status + on a token marked as permanently lost or destroyed - fix confirmation + page +- Bugzilla Bug #533529 - rhcs80 web wizard - broken login page when + using valid pin +- Bugzilla Bug #642692 - TPS UI Admin tab: Remove 'Submit For Approval' + greyed out button from the subsystem connection edit page. +- Bugzilla Bug #646545 - TPS Agent tab: displays approve list parameter + with last character chopped. +- Bugzilla Bug #528249 - rhcs80 - web pages, css -moz-opacity deprecated +- Bugzilla Bug #532724 - Feature: ESC Security officer work station should + display % of operation complete for format SO card +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface + diff --git a/pki/specs/ipa-pki-theme.spec b/pki/specs/ipa-pki-theme.spec new file mode 100644 index 000000000..4a156e499 --- /dev/null +++ b/pki/specs/ipa-pki-theme.spec 
@@ -0,0 +1,183 @@ +Name: ipa-pki-theme +Version: 9.0.3 +Release: 7%{?dist} +Summary: Certificate System - IPA PKI Theme Components +URL: http://pki.fedoraproject.org/ +License: GPLv2 +Group: System Environment/Base + +BuildArch: noarch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: cmake + +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz + +Patch0: %{name}-%{version}-r1886.patch +Patch1: %{name}-%{version}-r2161.patch + +%if 0%{?rhel} +ExcludeArch: ppc ppc64 s390 s390x +%endif + +%global overview \ +Several PKI packages require a "virtual" theme component. These \ +"virtual" theme components are "Provided" by various theme "flavors" \ +including "dogtag", "redhat", and "ipa". Consequently, \ +all "dogtag", "redhat", and "ipa" theme components MUST be \ +mutually exclusive! \ + \ +On Fedora systems, the "dogtag" theme packages are the ONLY available \ +theme components. \ + \ +Similarly, the "ipa" theme packages are ONLY available on RHEL \ +systems, and represent the default theme components. \ + \ +Alternatively, on RHEL systems, if the "dogtag" theme packages are \ +available as EPEL packages, while they may be used as a transparent \ +replacement for their corresponding "ipa" theme package, they are not \ +intended to be used as a replacement for their corresponding "redhat" \ +theme components. \ + \ +Finally, if available for a RHEL system (e. g. - RHCS subscription), \ +each "redhat" theme package MUST be used as a transparent replacement \ +for its corresponding "ipa" theme package or "dogtag" theme package. 
\ +%{nil} + +%description %{overview} + + +%package -n ipa-pki-common-theme +Summary: Certificate System - PKI Common Framework User Interface +Group: System Environment/Base + +Conflicts: dogtag-pki-common-theme +Conflicts: dogtag-pki-common-ui +Conflicts: redhat-pki-common-theme +Conflicts: redhat-pki-common-ui + +Provides: pki-common-theme = %{version}-%{release} +Provides: pki-common-ui = %{version}-%{release} + +%description -n ipa-pki-common-theme +This PKI Common Framework User Interface contains +NO textual or graphical user interface for the PKI Common Framework. + +This package is used by the Certificate System utilized by IPA. + +%{overview} + + +%package -n ipa-pki-ca-theme +Summary: Certificate System - Certificate Authority User Interface +Group: System Environment/Base + +Requires: ipa-pki-common-theme = %{version}-%{release} + +Conflicts: dogtag-pki-ca-theme +Conflicts: dogtag-pki-ca-ui +Conflicts: redhat-pki-ca-theme +Conflicts: redhat-pki-ca-ui + +Provides: pki-ca-theme = %{version}-%{release} +Provides: pki-ca-ui = %{version}-%{release} + +%description -n ipa-pki-ca-theme +This Certificate Authority (CA) User Interface contains +NO textual or graphical user interface for the CA. + +This package is used by the Certificate System utilized by IPA. + +%{overview} + + +%prep + + +%setup -q + + +%patch0 -b .p0 +%patch1 -b .p1 + + +%clean +%{__rm} -rf %{buildroot} + + +%build +%{__mkdir_p} build +cd build +%cmake -DBUILD_IPA_PKI_THEME:BOOL=ON .. 
+%{__make} VERBOSE=1 %{?_smp_mflags} + + +%install +%{__rm} -rf %{buildroot} +cd build +%{__make} install DESTDIR=%{buildroot} INSTALL="install -p" + + +%files -n ipa-pki-common-theme +%defattr(-,root,root,-) +%doc dogtag/common-ui/LICENSE +%dir %{_datadir}/pki +%{_datadir}/pki/common-ui/ + + +%files -n ipa-pki-ca-theme +%defattr(-,root,root,-) +%doc dogtag/ca-ui/LICENSE +%{_datadir}/pki/ca-ui/ + + +%changelog +* Tue Aug 23 2011 Ade Lee <alee@redhat.com> 9.0.3-7 +- Resolves #712931 - CS requires too many ports to be open in the FW, r2161 + +* Wed Mar 9 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-6 +- Resolves: #643543 +- update to the ipa-pki-theme-9.0.3-r1886.patch file + +* Wed Mar 9 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-5 +- Resolves: #643543 + +* Wed Mar 9 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-4 +- Resolves #643543 + +* Wed Mar 9 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-3 +- Resolves 643543 + +* Wed Mar 9 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-2 +- Resolves 643543 +- Resolves #683172 - pkisilent needs to provide option to set + nsDS5ReplicaTransportInfo to TLS in replication agreements + when creating a clone, r1886 + +* Thu Jan 20 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-1 +- Augmented overview description. +- 'ipa-pki-ca-theme' +- Bugzilla Bug #564207 - Searches for completed requests in the agent + interface returns zero entries + +* Thu Jan 20 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.2-1 +- 'ipa-pki-common-theme' +- Bugzilla Bug #671058 - ipa2 - ipa-server-install fails on pkisilent - + xml parsing string -- ? 
+ +* Tue Jan 18 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.1-1 +- Made 'ipa-pki-common-theme' a runtime dependency of 'ipa-pki-ca-theme' +- https://pkgdb.lab.eng.bos.redhat.com/pkg/packages/srpm/5936/ +- Package Wrangler: applied GPLv2 license header to 'xml.vm' + +* Thu Jan 13 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-2 +- Bugzilla Bug #668836 - Review Request: ipa-pki-theme +- Modified overview to pertain more to these packages +- Removed "Obsoletes:" lines (only pertinent to internal deployments) +- Modified installation section to preserve timestamps +- Removed sectional comments + +* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1 +- Initial revision. (kwright@redhat.com & mharmsen@redhat.com) + diff --git a/pki/specs/pki-console.spec b/pki/specs/pki-console.spec new file mode 100644 index 000000000..ef99efc28 --- /dev/null +++ b/pki/specs/pki-console.spec 
@@ -0,0 +1,119 @@ +Name: pki-console +Version: 9.0.0 +Release: 1%{?dist} +Summary: Certificate System - PKI Console +URL: http://pki.fedoraproject.org/ +License: GPLv2 +Group: System Environment/Base + +BuildArch: noarch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: cmake +BuildRequires: idm-console-framework +BuildRequires: java-devel >= 1:1.6.0 +BuildRequires: jpackage-utils +BuildRequires: jss >= 4.2.6-12 +BuildRequires: ldapjdk +BuildRequires: nspr-devel +BuildRequires: nss-devel +BuildRequires: pki-util + +Requires: idm-console-framework +Requires: java >= 1:1.6.0 +Requires: jss >= 4.2.6-12 +Requires: ldapjdk +Requires: pki-console-theme + +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz + +%description +Certificate System (CS) is an enterprise software system designed +to manage enterprise Public Key Infrastructure (PKI) deployments. + +The PKI Console is a java application used to administer CS. + +For deployment purposes, a PKI Console requires ONE AND ONLY ONE of the +following "Mutually-Exclusive" PKI Theme packages: + + * dogtag-pki-theme (Dogtag Certificate System deployments) + * redhat-pki-theme (Red Hat Certificate System deployments) + + +%prep + + +%setup -q + + +%clean +%{__rm} -rf %{buildroot} + + +%build +%{__mkdir_p} build +cd build +%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_CONSOLE:BOOL=ON .. 
+%{__make} VERBOSE=1 %{?_smp_mflags} + + +%install +%{__rm} -rf %{buildroot} +cd build +%{__make} install DESTDIR=%{buildroot} INSTALL="install -p" + + +%files +%defattr(-,root,root,-) +%doc base/console/LICENSE +%{_bindir}/pkiconsole +%{_javadir}/pki/ + + +%changelog +* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1 +- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0 +- Bugzilla Bug #607380 - CC: Make sure Java Console can configure + all security relevant config items +- Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned + by Reason Code - onlySomeReasons ? +- Bugzilla Bug #518241 - pkiconsole does not launch when CA is configured + with ECC +- Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple + Certificates from the Same Request +- Bugzilla Bug #451874 - RFE - Java console - Certificate Wizard missing + e.c. support +- Bugzilla Bug #638377 - Generate PKI UI components which exclude + a GUI interface +- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) +- Bugzilla Bug #512496 - RFE rhcs80 - crl updates and scheduling feature +- Bugzilla Bug #662201 - Console: View button for log messages + is not functional. +- Bugzilla Bug #649343 - Publishing queue should recover from CA crash. 
+- Bugzilla Bug #663546 - Disable the functionalities that are not exposed + in the console +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- Bugzilla Bug #642741 - CS build uses deprecated functions + +* Wed Apr 21 2010 Andrew Wnuk <awnuk@redhat.com> 1.3.2-1 +- Bugzilla Bug #493765 - console renewal fix for ca, ocsp, and ssl certificates + +* Mon Feb 08 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.1-1 +- Bugzilla Bug #562986 - Supply convenience symlink(s) for backwards + compatibility (rename jar files as appropriate) + +* Fri Jan 15 2010 Kevin Wright <kwright@redhat.com> 1.3.0-4 +- removed BuildRequires dogtag-pki-console-ui + +* Wed Jan 06 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-3 +- Bugzilla Bug #553487 - Review Request: pki-console +- The Dogtag PKI Console +- Take ownership of directories + +* Mon Dec 14 2009 Kevin Wright <kwright@redhat.com> 1.3.0-2 +- Removed 'with exceptions' from License + +* Thu Oct 15 2009 Ade Lee <alee@redhat.com> 1.3.0-1 +- Bugzilla Bug #X - Packaging for Fedora Dogtag + diff --git a/pki/specs/pki-core.spec b/pki/specs/pki-core.spec new file mode 100644 index 000000000..8b38a6fd2 --- /dev/null +++ b/pki/specs/pki-core.spec 
@@ -0,0 +1,1130 @@ +Name: pki-core +Version: 9.0.3 +Release: 20%{?dist} +Summary: Certificate System - PKI Core Components +URL: http://pki.fedoraproject.org/ +License: GPLv2 +Group: System Environment/Daemons + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +# jss requires versioning to meet both build and runtime requirements +# tomcatjss requires versioning since version 2.0.0 requires tomcat6 +# pki-common-theme requires versioning to meet runtime requirements +# pki-ca-theme requires versioning to meet runtime requirements +BuildRequires: cmake +BuildRequires: java-devel >= 1:1.6.0 +BuildRequires: jpackage-utils +BuildRequires: jss >= 4.2.6-12 +BuildRequires: ldapjdk +BuildRequires: nspr-devel +BuildRequires: nss-devel +BuildRequires: openldap-devel +BuildRequires: osutil +BuildRequires: pkgconfig +BuildRequires: policycoreutils +BuildRequires: selinux-policy-devel +BuildRequires: tomcatjss >= 2.0.0 +BuildRequires: velocity +BuildRequires: xalan-j2 +BuildRequires: xerces-j2 + +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz + +Patch0: %{name}-%{version}-r1846.patch +Patch1: %{name}-%{version}-r1860.patch +Patch2: %{name}-%{version}-r1862.patch +Patch3: %{name}-%{version}-r1864.patch +Patch4: %{name}-%{version}-r1875.patch +Patch5: %{name}-%{version}-r1879.patch +Patch6: %{name}-%{version}-r1886.patch +Patch7: %{name}-%{version}-r1908.patch +Patch8: %{name}-%{version}-r2074.patch +Patch9: %{name}-%{version}-r2097.patch +Patch10: %{name}-%{version}-r2103.patch +Patch11: %{name}-%{version}-r2104.patch +Patch12: %{name}-%{version}-r2106.patch +Patch13: %{name}-%{version}-r2112.patch +Patch14: %{name}-%{version}-r2118.patch +Patch15: %{name}-%{version}-r2125.patch +Patch16: %{name}-%{version}-r2126.patch +Patch17: %{name}-%{version}-r2128.patch +Patch18: %{name}-%{version}-r2149.patch +Patch19: %{name}-%{version}-r2151.patch +Patch20: %{name}-%{version}-r2153.patch +Patch21: 
%{name}-%{version}-r2161.patch +Patch22: %{name}-%{version}-r2163.patch +Patch23: %{name}-%{version}-r2182.patch +Patch24: %{name}-%{version}-r2249.patch + +%if 0%{?rhel} +ExcludeArch: ppc ppc64 s390 s390x +%endif + +%global saveFileContext() \ +if [ -s /etc/selinux/config ]; then \ + . %{_sysconfdir}/selinux/config; \ + FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ + if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \ + cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \ + fi \ +fi; + +%global relabel() \ +. %{_sysconfdir}/selinux/config; \ +FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ +selinuxenabled; \ +if [ $? == 0 -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \ + fixfiles -C ${FILE_CONTEXT}.%{name} restore; \ + rm -f ${FILE_CONTEXT}.%name; \ +fi; + +%global overview \ +================================== \ +|| ABOUT "CERTIFICATE SYSTEM" || \ +================================== \ + \ +Certificate System (CS) is an enterprise software system designed \ +to manage enterprise Public Key Infrastructure (PKI) deployments. 
\ + \ +PKI Core contains fundamental packages required by Certificate System, \ +and consists of the following components: \ + \ + * pki-setup \ + * pki-symkey \ + * pki-native-tools \ + * pki-util \ + * pki-util-javadoc \ + * pki-java-tools \ + * pki-java-tools-javadoc \ + * pki-common \ + * pki-common-javadoc \ + * pki-selinux \ + * pki-ca \ + * pki-silent \ + \ +which comprise the following PKI subsystems: \ + \ + * Certificate Authority (CA) \ + \ +For deployment purposes, Certificate System requires ONE AND ONLY ONE \ +of the following "Mutually-Exclusive" PKI Theme packages: \ + \ + * ipa-pki-theme (IPA deployments) \ + * dogtag-pki-theme (Dogtag Certificate System deployments) \ + * redhat-pki-theme (Red Hat Certificate System deployments) \ + \ +%{nil} + +%description %{overview} + + +%package -n pki-setup +Summary: Certificate System - PKI Instance Creation & Removal Scripts +Group: System Environment/Base + +BuildArch: noarch + +Requires: perl-Crypt-SSLeay +Requires: policycoreutils +Requires: openldap-clients + +%description -n pki-setup +PKI setup scripts are used to create and remove instances from PKI deployments. + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-symkey +Summary: Symmetric Key JNI Package +Group: System Environment/Libraries + +Requires: java >= 1:1.6.0 +Requires: jpackage-utils +Requires: jss >= 4.2.6-12 +Requires: nss + +Provides: symkey = %{version}-%{release} + +Obsoletes: symkey < %{version}-%{release} + +%description -n pki-symkey +The Symmetric Key Java Native Interface (JNI) package supplies various native +symmetric key operations to Java programs. + +This package is a part of the PKI Core used by the Certificate System. 
+ +%{overview} + + +%package -n pki-native-tools +Summary: Certificate System - Native Tools +Group: System Environment/Base + +Requires: openldap-clients +Requires: nss +Requires: nss-tools + +%description -n pki-native-tools +These platform-dependent PKI executables are used to help make +Certificate System into a more complete and robust PKI solution. + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-util +Summary: Certificate System - PKI Utility Framework +Group: System Environment/Base + +BuildArch: noarch + +Requires: java >= 1:1.6.0 +Requires: jpackage-utils +Requires: jss >= 4.2.6-12 +Requires: ldapjdk + +%description -n pki-util +The PKI Utility Framework is required by the following four PKI subsystems: + + the Certificate Authority (CA), + the Data Recovery Manager (DRM), + the Online Certificate Status Protocol (OCSP) Manager, and + the Token Key Service (TKS). + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-util-javadoc +Summary: Certificate System - PKI Utility Framework Javadocs +Group: Documentation + +BuildArch: noarch + +Requires: pki-util = %{version}-%{release} + +%description -n pki-util-javadoc +This documentation pertains exclusively to version %{version} of +the PKI Utility Framework. + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-java-tools +Summary: Certificate System - PKI Java-Based Tools +Group: System Environment/Base + +BuildArch: noarch + +Requires: java >= 1:1.6.0 +Requires: pki-native-tools = %{version}-%{release} +Requires: pki-util = %{version}-%{release} + +%description -n pki-java-tools +These platform-independent PKI executables are used to help make +Certificate System into a more complete and robust PKI solution. + +This package is a part of the PKI Core used by the Certificate System. 
+ +%{overview} + + +%package -n pki-java-tools-javadoc +Summary: Certificate System - PKI Java-Based Tools Javadocs +Group: Documentation + +BuildArch: noarch + +Requires: pki-java-tools = %{version}-%{release} + +%description -n pki-java-tools-javadoc +This documentation pertains exclusively to version %{version} of +the PKI Java-Based Tools. + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-common +Summary: Certificate System - PKI Common Framework +Group: System Environment/Base + +BuildArch: noarch + +%if 0%{?fedora} >= 14 +Requires: apache-commons-lang +Requires: apache-commons-logging +%endif +%if 0%{?rhel} || 0%{?fedora} < 14 +Requires: jakarta-commons-lang +Requires: jakarta-commons-logging +%endif +Requires: java >= 1:1.6.0 +Requires: jss >= 4.2.6-12 +Requires: osutil +Requires: pki-common-theme >= 9.0.0 +Requires: pki-java-tools = %{version}-%{release} +Requires: pki-setup = %{version}-%{release} +Requires: pki-symkey = %{version}-%{release} +Requires: tomcatjss >= 2.0.0 +Requires: %{_javadir}/ldapjdk.jar +Requires: %{_javadir}/velocity.jar +Requires: %{_javadir}/xalan-j2.jar +Requires: %{_javadir}/xalan-j2-serializer.jar +Requires: %{_javadir}/xerces-j2.jar +Requires: %{_javadir}/xml-commons-apis.jar +Requires: %{_javadir}/xml-commons-resolver.jar +Requires: velocity + +%description -n pki-common +The PKI Common Framework is required by the following four PKI subsystems: + + the Certificate Authority (CA), + the Data Recovery Manager (DRM), + the Online Certificate Status Protocol (OCSP) Manager, and + the Token Key Service (TKS). + +This package is a part of the PKI Core used by the Certificate System. 
+ +%{overview} + + +%package -n pki-common-javadoc +Summary: Certificate System - PKI Common Framework Javadocs +Group: Documentation + +BuildArch: noarch + +Requires: pki-common = %{version}-%{release} + +%description -n pki-common-javadoc +This documentation pertains exclusively to version %{version} of +the PKI Common Framework. + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-selinux +Summary: Certificate System - PKI Selinux Policies +Group: System Environment/Base + +BuildArch: noarch + +Requires: policycoreutils +Requires: selinux-policy-targeted + +%description -n pki-selinux +Selinux policies for the PKI components. + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-ca +Summary: Certificate System - Certificate Authority +Group: System Environment/Daemons + +BuildArch: noarch + +Requires: java >= 1:1.6.0 +Requires: pki-ca-theme >= 9.0.0 +Requires: pki-common = %{version}-%{release} +Requires: pki-selinux = %{version}-%{release} +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +Requires: initscripts +%endif + +%description -n pki-ca +The Certificate Authority (CA) is a required PKI subsystem which issues, +renews, revokes, and publishes certificates as well as compiling and +publishing Certificate Revocation Lists (CRLs). + +The Certificate Authority can be configured as a self-signing Certificate +Authority, where it is the root CA, or it can act as a subordinate CA, +where it obtains its own signing certificate from a public CA. + +This package is a part of the PKI Core used by the Certificate System. 
+ +%{overview} + + +%package -n pki-silent +Summary: Certificate System - Silent Installer +Group: System Environment/Base + +BuildArch: noarch + +Requires: java >= 1:1.6.0 +Requires: pki-common = %{version}-%{release} + +%description -n pki-silent +The PKI Silent Installer may be used to "automatically" configure +the following PKI subsystems in a non-graphical (batch) fashion +including: + + the Certificate Authority (CA), + the Data Recovery Manager (DRM), + the Online Certificate Status Protocol (OCSP) Manager, + the Registration Authority (RA), + the Token Key Service (TKS), and/or + the Token Processing System (TPS). + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%prep + + +%setup -q + + +%patch0 -b .p0 +%patch1 -b .p1 +%patch2 -b .p2 +%patch3 -b .p3 +%patch4 -b .p4 +%patch5 -b .p5 +%patch6 -b .p6 +%patch7 -b .p7 +%patch8 -b .p8 +%patch9 -b .p9 +%patch10 -b .p10 +%patch11 -b .p11 +%patch12 -b .p12 +%patch13 -b .p13 +%patch14 -b .p14 +%patch15 -b .p15 +%patch16 -b .p16 +%patch17 -b .p17 +%patch18 -b .p18 +%patch19 -b .p19 +%patch20 -b .p20 +%patch21 -b .p21 +%patch22 -b .p22 +%patch23 -b .p23 +%patch24 -b .p24 + + +%clean +%{__rm} -rf %{buildroot} + + +%build +%{__mkdir_p} build +cd build +%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_CORE:BOOL=ON .. 
+%{__make} VERBOSE=1 %{?_smp_mflags} + + +%install +%{__rm} -rf %{buildroot} +cd build +%{__make} install DESTDIR=%{buildroot} INSTALL="install -p" + +cd %{buildroot}%{_libdir}/symkey +%{__rm} symkey.jar +%{__ln_s} symkey-%{version}.jar symkey.jar + +cd %{buildroot}%{_jnidir} +%{__rm} symkey.jar +%{__ln_s} %{_libdir}/symkey/symkey.jar symkey.jar + +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d +# generate 'pki-ca.conf' under the 'tmpfiles.d' directory +echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf +echo "D /var/lock/pki/ca 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf +echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf +echo "D /var/run/pki/ca 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf +%endif + + +%pre -n pki-selinux +%saveFileContext targeted + + +%post -n pki-selinux +semodule -s targeted -i %{_datadir}/selinux/modules/pki.pp +%relabel targeted + + +%preun -n pki-selinux +if [ $1 = 0 ]; then + %saveFileContext targeted +fi + + +%postun -n pki-selinux +if [ $1 = 0 ]; then + semodule -s targeted -r pki + %relabel targeted +fi + + +%post -n pki-ca +# This adds the proper /etc/rc*.d links for the script +/sbin/chkconfig --add pki-cad || : + + +%preun -n pki-ca +if [ $1 = 0 ] ; then + /sbin/service pki-cad stop >/dev/null 2>&1 + /sbin/chkconfig --del pki-cad || : +fi + + +%postun -n pki-ca +if [ "$1" -ge "1" ] ; then + /sbin/service pki-cad condrestart >/dev/null 2>&1 || : +fi + + +%files -n pki-setup +%defattr(-,root,root,-) +%doc base/setup/LICENSE +%{_bindir}/pkicreate +%{_bindir}/pkiremove +%{_bindir}/pki-setup-proxy +%dir %{_datadir}/pki +%dir %{_datadir}/pki/scripts +%{_datadir}/pki/scripts/pkicommon.pm +%if 0%{?rhel} || 0%{?fedora} < 15 +%dir 
%{_localstatedir}/lock/pki +%dir %{_localstatedir}/run/pki +%endif + + +%files -n pki-symkey +%defattr(-,root,root,-) +%doc base/symkey/LICENSE +%{_jnidir}/symkey.jar +%{_libdir}/symkey/ + + +%files -n pki-native-tools +%defattr(-,root,root,-) +%doc base/native-tools/LICENSE base/native-tools/doc/README +%{_bindir}/bulkissuance +%{_bindir}/p7tool +%{_bindir}/revoker +%{_bindir}/setpin +%{_bindir}/sslget +%{_bindir}/tkstool +%dir %{_datadir}/pki +%{_datadir}/pki/native-tools/ + + +%files -n pki-util +%defattr(-,root,root,-) +%doc base/util/LICENSE +%dir %{_javadir}/pki +%{_javadir}/pki/pki-cmsutil-%{version}.jar +%{_javadir}/pki/pki-cmsutil.jar +%{_javadir}/pki/pki-nsutil-%{version}.jar +%{_javadir}/pki/pki-nsutil.jar + +%files -n pki-util-javadoc +%defattr(-,root,root,-) +%{_javadocdir}/pki-util-%{version}/ + + +%files -n pki-java-tools +%defattr(-,root,root,-) +%doc base/java-tools/LICENSE +%{_bindir}/AtoB +%{_bindir}/AuditVerify +%{_bindir}/BtoA +%{_bindir}/CMCEnroll +%{_bindir}/CMCRequest +%{_bindir}/CMCResponse +%{_bindir}/CMCRevoke +%{_bindir}/CRMFPopClient +%{_bindir}/ExtJoiner +%{_bindir}/GenExtKeyUsage +%{_bindir}/GenIssuerAltNameExt +%{_bindir}/GenSubjectAltNameExt +%{_bindir}/HttpClient +%{_bindir}/OCSPClient +%{_bindir}/PKCS10Client +%{_bindir}/PKCS12Export +%{_bindir}/PrettyPrintCert +%{_bindir}/PrettyPrintCrl +%{_bindir}/TokenInfo +%{_javadir}/pki/pki-tools-%{version}.jar +%{_javadir}/pki/pki-tools.jar + +%files -n pki-java-tools-javadoc +%defattr(-,root,root,-) +%{_javadocdir}/pki-java-tools-%{version}/ + + +%files -n pki-common +%defattr(-,root,root,-) +%doc base/common/LICENSE +%{_javadir}/pki/pki-certsrv-%{version}.jar +%{_javadir}/pki/pki-certsrv.jar +%{_javadir}/pki/pki-cms-%{version}.jar +%{_javadir}/pki/pki-cms.jar +%{_javadir}/pki/pki-cmsbundle-%{version}.jar +%{_javadir}/pki/pki-cmsbundle.jar +%{_javadir}/pki/pki-cmscore-%{version}.jar +%{_javadir}/pki/pki-cmscore.jar +%{_datadir}/pki/scripts/functions 
+%{_datadir}/pki/scripts/pki_apache_initscript +%{_datadir}/pki/setup/ + +%files -n pki-common-javadoc +%defattr(-,root,root,-) +%{_javadocdir}/pki-common-%{version}/ + + +%files -n pki-selinux +%defattr(-,root,root,-) +%doc base/selinux/LICENSE +%{_datadir}/selinux/modules/pki.pp + + +%files -n pki-ca +%defattr(-,root,root,-) +%doc base/ca/LICENSE +%{_initrddir}/pki-cad +%{_javadir}/pki/pki-ca-%{version}.jar +%{_javadir}/pki/pki-ca.jar +%dir %{_datadir}/pki/ca +%{_datadir}/pki/ca/conf/ +%{_datadir}/pki/ca/emails/ +%dir %{_datadir}/pki/ca/profiles +%{_datadir}/pki/ca/profiles/ca/ +%{_datadir}/pki/ca/webapps/ +%{_datadir}/pki/ca/setup/ +%dir %{_localstatedir}/lock/pki/ca +%dir %{_localstatedir}/run/pki/ca +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-ca.conf +%endif + + +%files -n pki-silent +%defattr(-,root,root,-) +%doc base/silent/LICENSE +%{_bindir}/pkisilent +%{_javadir}/pki/pki-silent-%{version}.jar +%{_javadir}/pki/pki-silent.jar +%{_datadir}/pki/silent/ + + +%changelog +* Fri Aug 26 2011 Andrew Wnuk <awnuk@redhat.com> 9.0.3-20 +- Resolves #737179 - Need script to upgrade proxy configuration, r2249 + +* Fri Aug 26 2011 Andrew Wnuk <awnuk@redhat.com> 9.0.3-19 +- Resolves #730801 - Coverity issues in native-tools area, r2182 + +* Tue Aug 23 2011 Andrew Wnuk <awnuk@redhat.com> 9.0.3-18 +- Resolves #730801 - Coverity issues in native-tools area, r2163 + +* Tue Aug 23 2011 Ade Lee <alee@redhat.com> 9.0.3-17 +- Resolves #712931 - CS requires too many ports to be open in the FW, r2161 + +* Mon Aug 22 2011 Andrew Wnuk <awnuk@redhat.com> 9.0.3-16 +- Resolves #717643 - Fopen without NULL check and other Coverity issues + +* Mon Aug 22 2011 Andrew Wnuk <awnuk@redhat.com> 9.0.3-15 +- Resolves #717643 - Fopen without NULL check and other Coverity issues + +* Mon Aug 15 2011 Ade Lee <alee@redhat.com> 9.0.3-14 
+- Resolves #700522 - pki tomcat6 instances currently running unconfined, + allow server to come up when selinux disabled, r2149 + +* Thu Aug 4 2011 Ade Lee <alee@redhat.com> 9.0.3-13 +- Resolves #698796: Race conditions during IPA installation, r2103 (alee) +- Resolves #708075 - Clone installation does not work over NAT, r2104 (alee) +- Resolves #726785 - If replication fails while setting up a clone it + will wait forever, r2106 (alee) +- Resolves #691076 - pkiremove removes the registry entry for all instances + on a machine, r2112 (mharmsen) +- Resolves #693835 - /var/log/tomcat6/catalina.out owned by pkiuser, r2118 + (mharmsen) +- Resolves #729126 - Increase default validity from 6mo to 2yrs in IPA + profile, r2125 (awnuk) +- Resolves #728651 - CS8 64 bit pkicreate script uses wrong library name + for, r2126 (mharmsen) +- Resolves #700522 - pki tomcat6 instances currently running unconfined, + r2128 (alee) + +* Wed Aug 3 2011 Ade Lee <alee@redhat.com> 9.0.3-12 +- Resolves #689909 - Dogtag installation under IPA takes too much + time - remove the inefficient sleeps, r2097 + +* Fri Jul 22 2011 Andrew Wnuk <awnuk@redhat.com> 9.0.3-11 +- Resolves #722634 - Add client usage flag to caIPAserviceCert, r2074 + +* Tue Mar 22 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-10 +- Resolves #688251 - Dogtag installation under IPA takes too much + time - SELinux policy compilation, r1908 + +* Fri Mar 9 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-9 +- Resolves: bug 645097 +- update to the pki-core-9.0.3-r1886.patch file + +* Wed Mar 9 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-8 +- Resolves 645097 +- Resolves #683172 - pkisilent needs to provide option to set + nsDS5ReplicaTransportInfo to TLS in replication agreements + when creating a clone, r1886 + +* Fri Mar 4 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-7 +- Resolves 645097 + +* Fri Mar 4 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-6 +- Resolves #682021 - pkisilent needs xml-commons-apis.jar in it's 
classpath + +* Wed Mar 2 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-5 +- Resolves 645097 + +* Wed Mar 2 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-4 +- Resolves #681367 - xml-commons-apis.jar dependency, r1875 + +* Mon Feb 21 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-3 +- Resolves #676873 - Rebase pki-core again to pick the latest features and fixes +- Resolves #676048 - Installation within IPA hangs, r1846 +- Resolves #679173 - uninitialized variable warnings from Perl, r1860 +- Resolves #679174 - netstat loop fixes needed, r1862 +- Resolves #679580 - Velocity fails to load all dependent classes, r1864 + +* Wed Feb 9 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-2 +- 'pki-common' +- Bugzilla Bug #676051 - IPA installation failing - Fails to create CA + instance +- Bugzilla Bug #676182 - IPA installation failing - Fails to create CA + instance + +* Fri Feb 4 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-1 +- 'pki-common' +- Bugzilla Bug #674894 - ipactl restart : an annoy output line +- Bugzilla Bug #675179 - ipactl restart : an annoy output line + +* Thu Feb 3 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.2-1 +- Bugzilla Bug #673233 - Rebase pki-core to pick the latest features and fixes +- 'pki-setup' +- Bugzilla Bug #673638 - Installation within IPA hangs +- 'pki-symkey' +- 'pki-native-tools' +- 'pki-util' +- 'pki-java-tools' +- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided + by 'netscape.security.provider' package +- 'pki-common' +- Bugzilla Bug #672291 - CA is not publishing certificates issued using + "Manual User Dual-Use Certificate Enrollment" +- Bugzilla Bug #670337 - CA Clone configuration throws TCP connection + error. +- Bugzilla Bug #504056 - Completed SCEP requests are assigned to the + "begin" state instead of "complete". 
+- Bugzilla Bug #504055 - SCEP requests are not properly populated +- Bugzilla Bug #564207 - Searches for completed requests in the agent + interface returns zero entries +- Bugzilla Bug #672291 - CA is not publishing certificates issued using + "Manual User Dual-Use Certificate Enrollment" - +- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided + by 'netscape.security.provider' package +- Bugzilla Bug #672920 - CA console: adding policy to a profile throws + 'Duplicate policy' error in some cases. +- Bugzilla Bug #673199 - init script returns control before web apps have + started +- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI + subsystem instances +- 'pki-selinux' +- 'pki-ca' +- Bugzilla Bug #504013 - sscep request is rejected due to authentication + error if submitted through one time pin router certificate enrollment. +- Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing + information +- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml + as part of CC interface review +- Bugzilla Bug #672333 - Creation of RA agent fails in IPA installation +- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI + subsystem instances +- 'pki-silent' +- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided + by 'netscape.security.provider' package + +* Wed Feb 2 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.1-3 +- Bugzilla Bug #656661 - Please Update Spec File to use 'ghost' on files + in /var/run and /var/lock + +* Thu Jan 20 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.1-2 +- 'pki-symkey' +- Bugzilla Bug #671265 - pki-symkey jar version incorrect +- 'pki-common' +- Bugzilla Bug #564207 - Searches for completed requests in the agent + interface returns zero entries + +* Tue Jan 18 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.1-1 +- Allow 'pki-native-tools' to be installed independently of 'pki-setup' +- Removed explicit 'pki-setup' requirement from 'pki-ca' + 
(since it already requires 'pki-common') +- 'pki-setup' +- Bugzilla Bug #223343 - pkicreate: should add 'pkiuser' to nfast group +- Bugzilla Bug #629377 - Selinux errors during pkicreate CA, KRA, OCSP + and TKS. +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from + OpenLDAP instead of the Mozldap +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #658926 - org.apache.commons.lang class not found on F13 +- Bugzilla Bug #661514 - CMAKE build system requires rules to make + javadocs +- Bugzilla Bug #665388 - jakarta-* jars have been renamed to apache-*, + pkicreate fails Fedora 14 and above +- Bugzilla Bug #23346 - Two conflicting ACL list definitions in source + repository +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- 'pki-symkey' +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #644056 - CS build contains warnings +- 'pki-native-tools' +- template change +- Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from + OpenLDAP instead of the Mozldap +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #644056 - CS build contains warnings +- 'pki-util' +- Bugzilla Bug #615814 - rhcs80 - profile policyConstraintsCritical + cannot be set to true +- Bugzilla Bug #224945 - javadocs has missing descriptions, contains + empty packages +- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes. +- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte + senderNonce in all signed SCEP responses. 
+- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade + attack in SCEP +- Bugzilla Bug #621334 - Provide an option to set default hash algorithm + for signing SCEP response messages. +- Bugzilla Bug #635033 - At installation wizard selecting key types other + than CA's signing cert will fail +- Bugzilla Bug #645874 - rfe ecc - add ecc curve name support in JSS and + CS interface +- Bugzilla Bug #488253 - com.netscape.cmsutil.ocsp.BasicOCSPResponse + ASN.1 encoding/decoding is broken +- Bugzilla Bug #551410 - com.netscape.cmsutil.ocsp.TBSRequest ASN.1 + encoding/decoding is incomplete +- Bugzilla Bug #550331 - com.netscape.cmsutil.ocsp.ResponseData ASN.1 + encoding/decoding is incomplete +- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit + policy extension to 5 only +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #661514 - CMAKE build system requires rules to make + javadocs +- Bugzilla Bug #658188 - remove remaining references to tomcat5 +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- Bugzilla Bug #223319 - Certificate Status inconsistency between token + db and CA +- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory + During CRL Generation +- 'pki-java-tools' +- Bugzilla Bug #224945 - javadocs has missing descriptions, contains + empty packages +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1 +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #661514 - CMAKE build system requires rules to make + javadocs +- Bugzilla Bug #662156 - HttpClient is hard-coded to handle only up to + 5000 bytes +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- 
'pki-common' +- Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review +- Bugzilla Bug #623745 - SessionTimer with LDAPSecurityDomainSessionTable + started before configuration completed +- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit + logs in the java subsystems +- Bugzilla Bug #615827 - rhcs80 - profile policies need more than 5 + policy mappings (seem hardcoded) +- Bugzilla Bug #224945 - javadocs has missing descriptions, contains + empty packages +- Bugzilla Bug #548699 - subCA's admin certificate should be generated by + itself +- Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA +- Bugzilla Bug #563386 - rhcs80 ca crash on invalid inputs to profile + caAgentServerCert (null cert_request) +- Bugzilla Bug #621339 - SCEP one-time PIN can be used an unlimited + number of times +- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml + as part of CC interface review +- Bugzilla Bug #629677 - TPS: token enrollment fails. +- Bugzilla Bug #621350 - Unauthenticated user can decrypt a one-time PIN + in a SCEP request +- Bugzilla Bug #503838 - rhcs71-80 external publishing ldap connection + pools not reliable - improve connections or discovery +- Bugzilla Bug #629769 - password decryption logs plain text password +- Bugzilla Bug #583823 - CC: Auditing issues found as result of + CC - interface review +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #586700 - OCSP Server throws fatal error while using + OCSP console for renewing SSL Server certificate. +- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes. +- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte + senderNonce in all signed SCEP responses. +- Bugzilla Bug #607380 - CC: Make sure Java Console can configure all + security relevant config items +- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be + generated on TKS instead of TPS. 
+- Bugzilla Bug #489342 - + com.netscape.cms.servlet.common.CMCOutputTemplate.java + doesn't support EC +- Bugzilla Bug #630121 - OCSP responder lacking option to delete or + disable a CA that it serves +- Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1 +- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade + attack in SCEP +- Bugzilla Bug #621334 - Provide an option to set default hash algorithm + for signing SCEP response messages. +- Bugzilla Bug #635033 - At installation wizard selecting key types other + than CA's signing cert will fail +- Bugzilla Bug #621341 - Add CA support for new SCEP key pair dedicated + for SCEP signing and encryption. +- Bugzilla Bug #223336 - ECC: unable to clone a ECC CA +- Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned + by Reason Code - onlySomeReasons ? +- Bugzilla Bug #637330 - CC feature: Key Management - provide signature + verification functions (JAVA subsystems) +- Bugzilla Bug #223313 - should do random generated IV param + for symmetric keys +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #630176 - Improve reliability of the LdapAnonConnFactory +- Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on + ECC curve names (not on key sizes). +- Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple + Certificates from the Same Request +- Bugzilla Bug #648757 - expose and use updated cert verification + function in JSS +- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection + of signature algorithm; and for ECC curves +- Bugzilla Bug #451874 - RFE - Java console - Certificate Wizard missing + e.c. support +- Bugzilla Bug #651040 - cloning shoud not include sslserver +- Bugzilla Bug #542863 - RHCS8: Default cert audit nickname written to + CS.cfg files imcomplete when the cert is stored on a hsm +- Bugzilla Bug #360721 - New Feature: Profile Integrity Check . . . 
+- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports + to talk to CA and complete configuration in DonePanel +- Bugzilla Bug #642359 - CC Feature - need to verify certificate when it + is added +- Bugzilla Bug #653713 - CC: setting trust on a CIMC cert requires + auditing +- Bugzilla Bug #489385 - references to rhpki +- Bugzilla Bug #499494 - change CA defaults to SHA2 +- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit + policy extension to 5 only +- Bugzilla Bug #649910 - Console: an auditor or agent can be added to + an administrator group. +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for + validity +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1 +- Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with + Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA. +- Bugzilla Bug #661889 - The Servlet TPSRevokeCert of the CA returns an + error to TPS even if certificate in question is already revoked. +- Bugzilla Bug #663546 - Disable the functionalities that are not exposed + in the console +- Bugzilla Bug #661514 - CMAKE build system requires rules to make + javadocs +- Bugzilla Bug #658188 - remove remaining references to tomcat5 +- Bugzilla Bug #649343 - Publishing queue should recover from CA crash. 
+- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and + pkiCA, obsolete 2252 and 2256 +- Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- Bugzilla Bug #661142 - Verification should fail when + a revoked certificate is added +- Bugzilla Bug #642741 - CS build uses deprecated functions +- Bugzilla Bug #670337 - CA Clone configuration throws TCP connection error +- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time + interface is no longer available through console +- 'pki-selinux' +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #667153 - store nuxwdog passwords in kernel ring buffer - + selinux changes +- 'pki-ca' +- Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review +- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit + logs in the java subsystems +- Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA +- Bugzilla Bug #583824 - CC: Duplicate servlet mappings found as part of + CC interface doc review +- Bugzilla Bug #621602 - pkiconsole: Click on 'Publishing' option with + admin privilege throws error "You are not authorized to perform this + operation". +- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml + as part of CC interface review +- Bugzilla Bug #583823 - CC: Auditing issues found as result of + CC - interface review +- Bugzilla Bug #519291 - Deleting a CRL Issuing Point after edits throws + 'Internal Server Error'. +- Bugzilla Bug #586700 - OCSP Server throws fatal error while using + OCSP console for renewing SSL Server certificate. +- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes. +- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte + senderNonce in all signed SCEP responses. 
+- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be + generated on TKS instead of TPS. +- Bugzilla Bug #630121 - OCSP responder lacking option to delete or + disable a CA that it serves +- Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1 +- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade + attack in SCEP +- Bugzilla Bug #621334 - Provide an option to set default hash algorithm + for signing SCEP response messages. +- Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned + by Reason Code - onlySomeReasons ? +- Bugzilla Bug #637330 - CC feature: Key Management - provide signature + verification functions (JAVA subsystems) +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on + ECC curve names (not on key sizes). +- Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple + Certificates from the Same Request +- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection + of signature algorithm; and for ECC curves +- Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA + release -- DRM and TKS do not seem to have CRL checking enabled +- Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help + correctly set up CC environment +- Bugzilla Bug #509481 - RFE: support sMIMECapabilities extensions in + certificates (RFC 4262) +- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports + to talk to CA and complete configuration in DonePanel +- Bugzilla Bug #511990 - rhcs 7.3, 8.0 - re-activate missing object + signing support in RHCS +- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) +- Bugzilla Bug #489385 - references to rhpki +- Bugzilla Bug #499494 - change CA defaults to SHA2 +- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit + policy extension to 5 only +- Bugzilla Bug #649910 - Console: an auditor or 
agent can be added to + an administrator group. +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for + validity +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #661128 - incorrect CA ports used for revoke, unrevoke + certs in TPS +- Bugzilla Bug #512496 - RFE rhcs80 - crl updates and scheduling feature +- Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with + Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA. +- Bugzilla Bug #649343 - Publishing queue should recover from CA crash. +- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and + pkiCA, obsolete 2252 and 2256 +- Bugzilla Bug #223346 - Two conflicting ACL list definitions in source + repository +- Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- Bugzilla Bug #661142 - Verification should fail when + a revoked certificate is added +- Bugzilla Bug #668100 - DRM storage cert has OCSP signing extended key + usage +- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time + interface is no longer available through console +- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory + During CRL Generation +- 'pki-silent' +- Bugzilla Bug #627309 - pkisilent subca configuration fails. +- Bugzilla Bug #640091 - pkisilent panels need to match with changed java + subsystems +- Bugzilla Bug #527322 - pkisilent ConfigureDRM should configure DRM + Clone. 
+- Bugzilla Bug #643053 - pkisilent DRM configuration fails +- Bugzilla Bug #583754 - pki-silent needs an option to configure signing + algorithm for CA certificates +- Bugzilla Bug #489385 - references to rhpki +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) +- Bugzilla Bug #640042 - TPS Installlation Wizard: need to move Module + Panel up to before Security Domain Panel +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #588323 - Failed to enable cipher 0xc001 +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- Bugzilla Bug #645895 - pkisilent: add ability to select ECC curves, + signing algorithm +- Bugzilla Bug #658641 - pkisilent doesn't not properly handle passwords + with special characters +- Bugzilla Bug #642741 - CS build uses deprecated functions + +* Thu Jan 13 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-3 +- Bugzilla Bug #668839 - Review Request: pki-core +- Removed empty "pre" from "pki-ca" +- Consolidated directory ownership +- Corrected file ownership within subpackages +- Removed all versioning from NSS and NSPR packages + +* Thu Jan 13 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-2 +- Bugzilla Bug #668839 - Review Request: pki-core +- Added component versioning comments +- Updated JSS from "4.2.6-10" to "4.2.6-12" +- Modified installation section to preserve timestamps +- Removed sectional comments + +* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1 +- Initial revision. (kwright@redhat.com & mharmsen@redhat.com) + diff --git a/pki/specs/pki-kra.spec b/pki/specs/pki-kra.spec new file mode 100644 index 000000000..302da6e6f --- /dev/null +++ b/pki/specs/pki-kra.spec 
@@ -0,0 +1,303 @@ +Name: pki-kra +Version: 9.0.0 +Release: 2%{?dist} +Summary: Certificate System - Data Recovery Manager +URL: http://pki.fedoraproject.org/ +License: GPLv2 +Group: System Environment/Daemons + +BuildArch: noarch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: cmake +BuildRequires: java-devel >= 1:1.6.0 +BuildRequires: jpackage-utils +BuildRequires: jss >= 4.2.6-12 +BuildRequires: nspr-devel +BuildRequires: nss-devel +BuildRequires: pki-common +BuildRequires: pki-util + +Requires: java >= 1:1.6.0 +Requires: pki-common +Requires: pki-kra-theme +Requires: pki-selinux +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +Requires: initscripts +%endif + +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz + +%description +Certificate System (CS) is an enterprise software system designed +to manage enterprise Public Key Infrastructure (PKI) deployments. + +The Data Recovery Manager (DRM) is an optional PKI subsystem that can act +as a Key Recovery Authority (KRA). When configured in conjunction with the +Certificate Authority (CA), the DRM stores private encryption keys as part of +the certificate enrollment process. The key archival mechanism is triggered +when a user enrolls in the PKI and creates the certificate request. Using the +Certificate Request Message Format (CRMF) request format, a request is +generated for the user's private encryption key. This key is then stored in +the DRM which is configured to store keys in an encrypted format that can only +be decrypted by several agents requesting the key at one time, providing for +protection of the public encryption keys for the users in the PKI deployment. 
+ +Note that the DRM archives encryption keys; it does NOT archive signing keys, +since such archival would undermine non-repudiation properties of signing keys. + +For deployment purposes, a DRM requires the following components from the PKI +Core package: + + * pki-setup + * pki-native-tools + * pki-util + * pki-java-tools + * pki-common + * pki-selinux + +and can also make use of the following optional components from the PKI Core +package: + + * pki-util-javadoc + * pki-java-tools-javadoc + * pki-common-javadoc + * pki-silent + +Additionally, Certificate System requires ONE AND ONLY ONE of the following +"Mutually-Exclusive" PKI Theme packages: + + * dogtag-pki-theme (Dogtag Certificate System deployments) + * redhat-pki-theme (Red Hat Certificate System deployments) + + +%prep + + +%setup -q + + +%clean +%{__rm} -rf %{buildroot} + + +%build +%{__mkdir_p} build +cd build +%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_KRA:BOOL=ON .. +%{__make} VERBOSE=1 %{?_smp_mflags} + + +%install +%{__rm} -rf %{buildroot} +cd build +%{__make} install DESTDIR=%{buildroot} INSTALL="install -p" + +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d +# generate 'pki-kra.conf' under the 'tmpfiles.d' directory +echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf +echo "D /var/lock/pki/kra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf +echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf +echo "D /var/run/pki/kra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf +%endif + + +%post +# This adds the proper /etc/rc*.d links for the script +/sbin/chkconfig --add pki-krad || : + + +%preun +if [ $1 = 0 ] ; then + /sbin/service pki-krad stop >/dev/null 2>&1 + /sbin/chkconfig --del pki-krad || : +fi + + 
+%postun +if [ "$1" -ge "1" ] ; then + /sbin/service pki-krad condrestart >/dev/null 2>&1 || : +fi + + +%files +%defattr(-,root,root,-) +%doc base/kra/LICENSE +%{_initrddir}/pki-krad +%{_javadir}/pki/pki-kra-%{version}.jar +%{_javadir}/pki/pki-kra.jar +%dir %{_datadir}/pki/kra +%{_datadir}/pki/kra/conf/ +%{_datadir}/pki/kra/setup/ +%{_datadir}/pki/kra/webapps/ +%dir %{_localstatedir}/lock/pki/kra +%dir %{_localstatedir}/run/pki/kra +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-kra.conf +%endif + + +%changelog +* Fri Aug 5 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-2 +- Bugzilla Bug #693835 - /var/log/tomcat6/catalina.out owned by pkiuser + +* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1 +- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0 +- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs + in the java subsystems +- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml + as part of CC interface review +- Bugzilla Bug #583823 - CC: Auditing issues found as result of + CC - interface review +- Bugzilla Bug #607380 - CC: Make sure Java Console can configure + all security relevant config items +- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be + generated on TKS instead of TPS. 
+- Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable + a CA that it serves +- Bugzilla Bug #504061 - ECC: unable to install subsystems - phase 1 +- Bugzilla Bug #637330 - CC feature: Key Management - provide signature + verification functions (JAVA subsystems) +- Bugzilla Bug #223313 - should do random generated IV param + for symmetric keys +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and + port fowarding for agent services +- Bugzilla Bug #631179 - Administrator is not allowed to remove + ocsp signing certificate using console +- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of + signature algorithm; and for ECC curves +- Bugzilla Bug #451874 - RFE - Java console - Certificate Wizard missing + e.c. support +- Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA release -- + DRM and TKS do not seem to have CRL checking enabled +- Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help + correctly set up CC environment +- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports + to talk to CA and complete configuration in DonePanel +- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) +- Bugzilla Bug #489385 - references to rhpki +- Bugzilla Bug #649910 - Console: an auditor or agent can be added to + an administrator group. +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #638377 - Generate PKI UI components which exclude + a GUI interface +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for + validity +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #499494 - change CA defaults to SHA2 +- Bugzilla Bug #649343 - Publishing queue should recover from CA crash. 
+- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and + pkiCA, obsolete 2252 and 2256 +- Bugzilla Bug #223346 - Two conflicting ACL list definitions in source + repository +- Bugzilla Bug #663546 - Disable the functionalities that are not exposed + in the console +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- Bugzilla Bug #661142 - Verification should fail when + a revoked certificate is added +- Bugzilla Bug #668100 - DRM storage cert has OCSP signing extended key usage +- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time + interface is no longer available through console +- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During + CRL Generation + +* Wed Aug 04 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.4-1 +- Bugzilla Bug #608086 - CC: CA, OCSP, and DRM need to add more audit calls +- Bugzilla Bug #527593 - More robust signature digest alg, + like SHA256 instead of SHA1 for ECC +- Bugzilla Bug #528236 - rhcs80 web conf wizard - cannot specify CA signing + algorithm +- Bugzilla Bug #533510 - tps exception, cannot start when signed audit true +- Bugzilla Bug #529280 - TPS returns HTTP data without ending in 0rn per + RFC 2616 +- Bugzilla Bug #498299 - Should not be able to change the status manually + on a token marked as permanently lost or destroyed +- Bugzilla Bug #554892 - configurable frequency signed audit +- Bugzilla Bug #500700 - tps log rotation +- Bugzilla Bug #562893 - tps shutdown if audit logs full +- Bugzilla Bug #557346 - Name Constraints Extension cant be marked critical +- Bugzilla Bug #556152 - ACL changes to CA and OCSP +- Bugzilla Bug #556167 - ACL changes to CA and OCSP +- Bugzilla Bug #581004 - add more audit logging to the TPS +- Bugzilla Bug #566517 - CC: Add client auth to OCSP publishing, and move + to a client-auth port +- Bugzilla Bug #565842 - Clone config throws errors - fix key_algorithm +- Bugzilla Bug #581017 - enabling log signing from tps ui 
pages causes + tps crash +- Bugzilla Bug #581004 - add more audit logs +- Bugzilla Bug #595871 - CC: TKS needed audit message changes +- Bugzilla Bug #598752 - Common Criteria: TKS ACL analysis result. +- Bugzilla Bug #598666 - Common Criteria: incorrect ACLs for signedAudit +- Bugzilla Bug #504905 - Smart card renewal should load old encryption cert + on the token. +- Bugzilla Bug #499292 - TPS - Enrollments where keys are recovered need + to do both GenerateNewKey and RecoverLast operation for encryption key. +- Bugzilla Bug #498299 - fix case where no transitions available +- Bugzilla Bug #595391 - session domain table to be moved to ldap +- Bugzilla Bug #598643 - Common Criteria: incorrect ACLs (non-existing groups) +- Bugzilla Bug #472597 - Disable policy code,UI +- Bugzilla Bug #504359 - pkiconsole - Administrator Group's Description + References Fedora +- Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing + information +- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml + as part of CC interface review +- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided by + 'netscape.security.provider' package +- Bugzilla Bug #656662 - Please Update Spec File to use 'ghost' on files + in /var/run and /var/lock +- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem + instances + +* Mon Apr 26 2010 Ade Lee <alee@redhat.com> 1.3.3-1 +- Bugzilla Bug 584917- Can not access CA Configuration Web UI after + CA installation + +* Mon Mar 22 2010 Christina Fu <cfu@redhat.com> 1.3.2-1 +- Bugzilla Bug #522343 Add asynchronous key recovery mode + +* Tue Feb 16 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.1-2 +- Bugzilla Bug #566059 - Add 'pki-console' as a runtime dependency + for CA, KRA, OCSP, and TKS . . . 
+ +* Mon Feb 08 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.1-1 +- Bugzilla Bug #562986 - Supply convenience symlink(s) for backwards + compatibility (rename jar files as appropriate) + +* Fri Jan 15 2010 Kevin Wright <kwright@redhat.com> 1.3.0-4 +- Removed BuildRequires: dogtag-pki-kra-ui + +* Fri Jan 08 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-3 +- Corrected "|| :" scriptlet logic (see Bugzilla Bug #475895) +- Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . . +- Bugzilla Bug #553842 - New Package for Dogtag PKI: pki-kra + +* Mon Dec 14 2009 Kevin Wright <kwright@redhat.com> 1.3.0-2 +- Removed 'with exceptions' from License + +* Thu Oct 15 2009 Ade Lee <alee@redhat.com> 1.3.0-1 +- Bugzilla Bug #X - Packaging for Fedora Dogtag + diff --git a/pki/specs/pki-migrate.spec b/pki/specs/pki-migrate.spec new file mode 100644 index 000000000..e61f72b5e --- /dev/null +++ b/pki/specs/pki-migrate.spec 
@@ -0,0 +1,137 @@ +Name: pki-migrate +Version: 9.0.0 +Release: 1%{?dist} +Summary: Red Hat Certificate System - PKI Migration Scripts +URL: http://pki.fedoraproject.org/ +License: GPLv2 +Group: System Environment/Base + +# Suppress automatic 'requires' and 'provisions' of multi-platform 'binaries' +AutoReqProv: no + +BuildArch: noarch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: cmake +BuildRequires: java-devel >= 1:1.6.0 +BuildRequires: jpackage-utils + +Requires: java >= 1:1.6.0 + +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz + +%global _binaries_in_noarch_packages_terminate_build 0 + +%description +Red Hat Certificate System (CS) is an enterprise software system designed +to manage enterprise Public Key Infrastructure (PKI) deployments. + +PKI Migration Scripts are used to export data from previous versions of +Netscape Certificate Management Systems, iPlanet Certificate Management +Systems, and Red Hat Certificate Systems into a flat-file which may then +be imported into this release of Red Hat Certificate System. + +Note that since this utility is platform-independent, it is generally possible +to migrate data from previous PKI deployments originally stored on other +hardware platforms as well as earlier versions of this operating system. + + +%prep + + +%setup -q + + +%clean +%{__rm} -rf %{buildroot} + + +%build +%{__mkdir_p} build +cd build +%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_MIGRATE:BOOL=ON .. 
+%{__make} VERBOSE=1 %{?_smp_mflags} + + +%install +%{__rm} -rf %{buildroot} +cd build +%{__make} install DESTDIR=%{buildroot} INSTALL="install -p" + + +%files +%defattr(-,root,root,-) +%doc base/migrate/LICENSE +%dir %{_datadir}/pki +%{_datadir}/pki/migrate/ + + +%changelog +* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1 +- Updated Dogtag 1.3.x --> Dogtag 2.0.0 (internal) --> Dogtag 9.0.0 + +* Mon Jul 13 2009 Matthew Harmsen <mharmsen@redhat.com> 8.0.0-17 +- Bugzilla Bug #511136 - Integrate EULA file into RHCS +- Release Candidate 4 build + +* Wed Jul 08 2009 Kevin Wright <kwright@redhat.com> 8.0.0-16 +- Bugzilla Bug #510352 - Release Candidate 3 build + +* Thu Jul 02 2009 Kevin Wright <kwright@redhat.com> 8.0.0-15 +- Bugzilla Bug #509447 - Release Candidate 2 build + +* Thu Jun 25 2009 Kevin Wright <kwright@redhat.com> 8.0.0-14 +- Bugzilla Bug #508179 - Remove base_phase ".beta" tag + +* Fri Jun 05 2009 Matthew Harmsen <mharmsen@redhat.com> 8.0.0-13 +- Bugzilla Bug #499496 - pki-migrate package should include only the tools + we support + +* Mon May 18 2009 Ade Lee <alee@redhat.com> 8.0.0-12 +- Bugzilla Bug #493717 - migration scripts required for TPS groups + +* Mon May 04 2009 Kevin Wright <kwright@redhat.com> 8.0.0-11 +- Bugzilla Bug #499030 - Beta 2 Release + +* Fri Mar 27 2009 Matthew Harmsen <mharmsen@redhat.com> 8.0.0-10 +- Bugzilla Bug #492502 - Redefine "base_phase" from ".alpha" to ".beta" + +* Sat Feb 28 2009 Matthew Harmsen <mharmsen@redhat.com> 8.0.0-9 +- Bugzilla Bug #487896 - Introduce optional 'base_phase' release tag to + denote ".alpha", ".beta", etc. 
+ +* Tue Feb 17 2009 Matthew Harmsen <mharmsen@redhat.com> 8.0.0-8 +- Bugzilla Bug #485790 - Need changes made to spec files in various packages + to be able to build in koji/brew + +* Fri Jan 30 2009 Matthew Harmsen <mharmsen@redhat.com> 8.0.0-7 +- Bugzilla Bug #253615 - RFE: migration tool needs to be written for the + serialization changes - Allowed 63ToTxt binaries to be published + +* Sat Nov 29 2008 Matthew Harmsen <mharmsen@redhat.com> 8.0.0-6 +- Aligned RHEL 5, RHEL 4, and Solaris 9 "base_release" numbers +- Bugzilla Bug #445402 - Changed "base_url" from + "http://www.redhat.com/software/rha/certificate" to + "http://www.redhat.com/certificate_system" + +* Sat Nov 22 2008 Matthew Harmsen <mharmsen@redhat.com> 8.0.0-5 +- Bugzilla Bug #472305 - "equality" tests in all spec files need to be fixed +- Bumped "java" and "java-devel" 1.4.2 and 1.5.0 dependencies to 1.6.0 +- Changed "java-sdk" to "java-devel" for consistency + +* Tue Oct 14 2008 Ade Lee <alee@redhat.com> 8.0.0-4 +- bugzilla bug #223361 - added 80 migration scripts + +* Fri Jun 08 2007 Matthew Harmsen <mharmsen@redhat.com> 8.0.0-3 +- bugzilla bug #243480 - added legacy upgrade path + +* Tue Jun 05 2007 Matthew Harmsen <mharmsen@redhat.com> 8.0.0-2 +- bugzilla bug #242575 - Made numerous changes to spec file. + +* Mon May 21 2007 Kevin McCarthy <kmccarth@redhat.com> 8.0.0-1 +- Bump to version 8.0. + +* Thu Apr 05 2007 Thomas Kwan <nkwan@redhat.com> 1.0.0-1 +- Fixed change log to use the correct version + diff --git a/pki/specs/pki-ocsp.spec b/pki/specs/pki-ocsp.spec new file mode 100644 index 000000000..edf57d5c0 --- /dev/null +++ b/pki/specs/pki-ocsp.spec 
@@ -0,0 +1,304 @@ +Name: pki-ocsp +Version: 9.0.0 +Release: 2%{?dist} +Summary: Certificate System - Online Certificate Status Protocol Manager +URL: http://pki.fedoraproject.org/ +License: GPLv2 +Group: System Environment/Daemons + +BuildArch: noarch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: cmake +BuildRequires: java-devel >= 1:1.6.0 +BuildRequires: jpackage-utils +BuildRequires: jss >= 4.2.6-12 +BuildRequires: nspr-devel +BuildRequires: nss-devel +BuildRequires: pki-common +BuildRequires: pki-util + +Requires: java >= 1:1.6.0 +Requires: pki-common +Requires: pki-ocsp-theme +Requires: pki-selinux +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +Requires: initscripts +%endif + +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz + +%description +Certificate System (CS) is an enterprise software system designed +to manage enterprise Public Key Infrastructure (PKI) deployments. + +The Online Certificate Status Protocol (OCSP) Manager is an optional PKI +subsystem that can act as a stand-alone OCSP service. The OCSP Manager +performs the task of an online certificate validation authority by enabling +OCSP-compliant clients to do real-time verification of certificates. Note +that an online certificate-validation authority is often referred to as an +OCSP Responder. + +Although the Certificate Authority (CA) is already configured with an +internal OCSP service. An external OCSP Responder is offered as a separate +subsystem in case the user wants the OCSP service provided outside of a +firewall while the CA resides inside of a firewall, or to take the load of +requests off of the CA. 
+ +The OCSP Manager can receive Certificate Revocation Lists (CRLs) from +multiple CA servers, and clients can query the OCSP Manager for the +revocation status of certificates issued by all of these CA servers. + +When an instance of OCSP Manager is set up with an instance of CA, and +publishing is set up to this OCSP Manager, CRLs are published to it +whenever they are issued or updated. + +For deployment purposes, an OCSP Manager requires the following components +from the PKI Core package: + + * pki-setup + * pki-native-tools + * pki-util + * pki-java-tools + * pki-common + * pki-selinux + +and can also make use of the following optional components from the PKI Core +package: + + * pki-util-javadoc + * pki-java-tools-javadoc + * pki-common-javadoc + * pki-silent + +Additionally, Certificate System requires ONE AND ONLY ONE of the following +"Mutually-Exclusive" PKI Theme packages: + + * dogtag-pki-theme (Dogtag Certificate System deployments) + * redhat-pki-theme (Red Hat Certificate System deployments) + + +%prep + + +%setup -q + + +%clean +%{__rm} -rf %{buildroot} + + +%build +%{__mkdir_p} build +cd build +%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_OCSP:BOOL=ON .. 
+%{__make} VERBOSE=1 %{?_smp_mflags} + + +%install +%{__rm} -rf %{buildroot} +cd build +%{__make} install DESTDIR=%{buildroot} INSTALL="install -p" + +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d +# generate 'pki-ocsp.conf' under the 'tmpfiles.d' directory +echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf +echo "D /var/lock/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf +echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf +echo "D /var/run/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf +%endif + + +%post +# This adds the proper /etc/rc*.d links for the script +/sbin/chkconfig --add pki-ocspd || : + + +%preun +if [ $1 = 0 ] ; then + /sbin/service pki-ocspd stop >/dev/null 2>&1 + /sbin/chkconfig --del pki-ocspd || : +fi + + +%postun +if [ "$1" -ge "1" ] ; then + /sbin/service pki-ocspd condrestart >/dev/null 2>&1 || : +fi + + +%files +%defattr(-,root,root,-) +%doc base/ocsp/LICENSE +%{_initrddir}/pki-ocspd +%{_javadir}/pki/pki-ocsp-%{version}.jar +%{_javadir}/pki/pki-ocsp.jar +%dir %{_datadir}/pki/ocsp +%{_datadir}/pki/ocsp/conf/ +%{_datadir}/pki/ocsp/setup/ +%{_datadir}/pki/ocsp/webapps/ +%dir %{_localstatedir}/lock/pki/ocsp +%dir %{_localstatedir}/run/pki/ocsp +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-ocsp.conf +%endif + + +%changelog +* Fri Aug 5 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-2 +- Bugzilla Bug #693835 - /var/log/tomcat6/catalina.out owned by pkiuser + +* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1 +- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> 
Dogtag 9.0.0 +- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs + in the java subsystems +- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml + as part of CC interface review +- Bugzilla Bug #583823 - CC: Auditing issues found as result of + CC - interface review +- Bugzilla Bug #586700 - OCSP Server throws fatal error while using + OCSP console for renewing SSL Server certificate. +- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be + generated on TKS instead of TPS. +- Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable + a CA that it serves +- Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1 +- Bugzilla Bug #504061 - ECC: unable to install subsystems - phase 1 +- Bugzilla Bug #637330 - CC feature: Key Management - provide signature + verification functions (JAVA subsystems) +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and + port fowarding for agent services +- Bugzilla Bug #631179 - Administrator is not allowed to remove + ocsp signing certificate using console +- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of + signature algorithm; and for ECC curves +- Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA release -- + DRM and TKS do not seem to have CRL checking enabled +- Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help + correctly set up CC environment +- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports + to talk to CA and complete configuration in DonePanel +- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) +- Bugzilla Bug #489385 - references to rhpki +- Bugzilla Bug #649910 - Console: an auditor or agent can be added to + an administrator group. 
+- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #638377 - Generate PKI UI components which exclude + a GUI interface +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for + validity +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #499494 - change CA defaults to SHA2 +- Bugzilla Bug #649343 - Publishing queue should recover from CA crash. +- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and + pkiCA, obsolete 2252 and 2256 +- Bugzilla Bug #223346 - Two conflicting ACL list definitions in source + repository +- Bugzilla Bug #663546 - Disable the functionalities that are not exposed + in the console +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- Bugzilla Bug #661142 - Verification should fail when + a revoked certificate is added +- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time + interface is no longer available through console +- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During + CRL Generation +- Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing + information +- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml + as part of the CC interface review +- Bugzilla Bug #656663 - Please Update Spec File to use 'ghost' on files + in /var/run and /var/lock +- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem + instances + +* Wed Aug 04 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.3-1 +- Bugzilla Bug #608086 - CC: CA, OCSP, and DRM need to add more audit calls +- Bugzilla Bug #527593 - More robust signature digest alg, like SHA256 + instead of SHA1 for ECC +- Bugzilla Bug #528236 - rhcs80 web conf wizard - cannot specify CA signing + algorithm +- Bugzilla Bug #533510 - tps exception, cannot start when signed audit true +- Bugzilla Bug #529280 - TPS returns HTTP data 
without ending in 0rn + per RFC 2616 +- Bugzilla Bug #498299 - Should not be able to change the status manually + on a token marked as permanently lost or destroyed +- Bugzilla Bug #554892 - configurable frequency signed audit +- Bugzilla Bug #500700 - tps log rotation +- Bugzilla Bug #562893 - tps shutdown if audit logs full +- Bugzilla Bug #557346 - Name Constraints Extension cant be marked critical +- Bugzilla Bug #556152 - ACL changes to CA and OCSP +- Bugzilla Bug #556167 - ACL changes to CA and OCSP +- Bugzilla Bug #581004 - add more audit logging to the TPS +- Bugzilla Bug #566517 - CC: Add client auth to OCSP publishing, and move + to a client-auth port +- Bugzilla Bug #565842 - Clone config throws errors - fix key_algorithm +- Bugzilla Bug #581017 - enabling log signing from tps ui pages causes tps + crash +- Bugzilla Bug #581004 - add more audit logs +- Bugzilla Bug #595871 - CC: TKS needed audit message changes +- Bugzilla Bug #598752 - Common Criteria: TKS ACL analysis result. +- Bugzilla Bug #598666 - Common Criteria: incorrect ACLs for signedAudit +- Bugzilla Bug #504905 - Smart card renewal should load old encryption cert + on the token. +- Bugzilla Bug #499292 - TPS - Enrollments where keys are recovered need + to do both GenerateNewKey and RecoverLast operation for encryption key. 
+- Bugzilla Bug #498299 - fix case where no transitions available +- Bugzilla Bug #595391 - session domain table to be moved to ldap +- Bugzilla Bug #598643 - Common Criteria: incorrect ACLs (non-existing groups) +- Bugzilla Bug #504359 - pkiconsole - Administrator Group's Description + References Fedora + +* Mon Apr 26 2010 Ade Lee <alee@redhat.com> 1.3.2-2 +- Bugzilla Bug 584917- Can not access CA Configuration Web UI + after CA installation + +* Wed Apr 21 2010 Andrew Wnuk <awnuk@redhat.com> 1.3.2-1 +- Bugzilla Bug #493765 - console renewal fix for ca, ocsp, and ssl + certificates + +* Tue Feb 16 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.1-2 +- Bugzilla Bug #566059 - Add 'pki-console' as a runtime dependency + for CA, KRA, OCSP, and TKS . . . + +* Mon Feb 08 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.1-1 +- Bugzilla Bug #562986 - Supply convenience symlink(s) for backwards + compatibility (rename jar files as appropriate) + +* Fri Jan 15 2010 Kevin Wright <kwright@redhat.com> 1.3.0-4 +- BuildRequires: dogtag-pki-ocsp-ui + +* Fri Jan 08 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-3 +- Corrected "|| :" scriptlet logic (see Bugzilla Bug #475895) +- Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . . +- Bugzilla Bug #553844 - New Package for Dogtag PKI: pki-ocsp + +* Mon Dec 14 2009 Kevin Wright <kwright@redhat.com> 1.3.0-2 +- Removed 'with exceptions' from License + +* Thu Oct 15 2009 Ade Lee <alee@redhat.com> 1.3.0-1 - Bugzilla Bug #X +- Packaging for Fedora Dogtag + diff --git a/pki/specs/pki-ra.spec b/pki/specs/pki-ra.spec new file mode 100644 index 000000000..5d1a5d88a --- /dev/null +++ b/pki/specs/pki-ra.spec 
@@ -0,0 +1,238 @@ +Name: pki-ra +Version: 9.0.0 +Release: 1%{?dist} +Summary: Certificate System - Registration Authority +URL: http://pki.fedoraproject.org/ +License: GPLv2 +Group: System Environment/Daemons + +BuildArch: noarch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: cmake +BuildRequires: nspr-devel +BuildRequires: nss-devel + +Requires: mod_nss >= 1.0.8 +Requires: mod_perl >= 1.99_16 +Requires: mod_revocator >= 1.0.3 +Requires: pki-native-tools +Requires: pki-ra-theme +Requires: pki-selinux +Requires: pki-setup +Requires: perl-DBD-SQLite +Requires: sqlite +Requires: /usr/sbin/sendmail +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +Requires: initscripts +%endif + +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz + +%description +Certificate System (CS) is an enterprise software system designed +to manage enterprise Public Key Infrastructure (PKI) deployments. + +The Registration Authority (RA) is an optional PKI subsystem that acts as a +front-end for authenticating and processing enrollment requests, PIN reset +requests, and formatting requests. + +An RA communicates over SSL with a Certificate Authority (CA) to fulfill +the user's requests. An RA may often be located outside an organization's +firewall to allow external users the ability to communicate with that +organization's PKI deployment. 
+ +For deployment purposes, an RA requires the following components from the PKI +Core package: + + * pki-setup + * pki-native-tools + * pki-selinux + +and can also make use of the following optional components from the PKI Core +package: + + * pki-silent + +Additionally, Certificate System requires ONE AND ONLY ONE of the following +"Mutually-Exclusive" PKI Theme packages: + + * dogtag-pki-theme (Dogtag Certificate System deployments) + * redhat-pki-theme (Red Hat Certificate System deployments) + + +%prep + + +%setup -q + +cat << \EOF > %{name}-prov +#!/bin/sh +%{__perl_provides} $* |\ +sed -e '/perl(PKI.*)/d' -e '/perl(Template.*)/d' +EOF + +%global __perl_provides %{_builddir}/%{name}-%{version}/%{name}-prov +chmod +x %{__perl_provides} + +cat << \EOF > %{name}-req +#!/bin/sh +%{__perl_requires} $* |\ +sed -e '/perl(PKI.*)/d' -e '/perl(Template.*)/d' +EOF + +%global __perl_requires %{_builddir}/%{name}-%{version}/%{name}-req +chmod +x %{__perl_requires} + + +%clean +%{__rm} -rf %{buildroot} + + +%build +%{__mkdir_p} build +cd build +%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_RA:BOOL=ON .. 
+%{__make} VERBOSE=1 %{?_smp_mflags} + + +%install +%{__rm} -rf %{buildroot} +cd build +%{__make} install DESTDIR=%{buildroot} INSTALL="install -p" + +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/admin/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/admin/group/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/admin/user/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/agent/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/agent/cert/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/agent/request/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/ee/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/ee/agent/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/ee/request/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/ee/scep/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/ee/server/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/ee/user/*.cgi + +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d +# generate 'pki-ra.conf' under the 'tmpfiles.d' directory +echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ra.conf +echo "D /var/lock/pki/ra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ra.conf +echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ra.conf +echo "D /var/run/pki/ra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ra.conf +%endif + + +%post +# This adds the proper /etc/rc*.d links for the script +/sbin/chkconfig --add pki-rad || : + + +%preun +if [ $1 = 0 ] ; then + /sbin/service pki-rad stop >/dev/null 2>&1 + /sbin/chkconfig --del pki-rad || : +fi + + +%postun +if [ "$1" -ge "1" ] ; then + /sbin/service pki-rad condrestart >/dev/null 2>&1 || : +fi + + +%files 
+%defattr(-,root,root,-) +%doc base/ra/LICENSE +%{_initrddir}/pki-rad +%dir %{_datadir}/pki/ra +%{_datadir}/pki/ra/conf/ +%{_datadir}/pki/ra/docroot/ +%{_datadir}/pki/ra/lib/ +%{_datadir}/pki/ra/scripts/ +%{_datadir}/pki/ra/setup/ +%dir %{_localstatedir}/lock/pki/ra +%dir %{_localstatedir}/run/pki/ra +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-ra.conf +%endif + + +%changelog +* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1 +- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0 +- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs + in the java subsystems +- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports + to talk to CA and complete configuration in DonePanel +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #638377 - Generate PKI UI components which exclude + a GUI interface +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #499494 - change CA defaults to SHA2 +- Bugzilla Bug #656664 - Please Update Spec File to use 'ghost' on files + in /var/run and /var/lock +- Bugzilla Bug #606943 - Convert RA to use ldap utilities from + OpenLDAP instead of the Mozldap + +* Thu Apr 08 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.1-1 +- Bugzilla Bug #564131 - Config wizard : all subsystems - done panel text + needs correction + +* Tue Feb 16 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-6 +- Bugzilla Bug #566060 - Add 'pki-native-tools' as a runtime dependency + for RA, and TPS . . . + +* Fri Jan 29 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-5 +- Bugzilla Bug #553076 - Apply "registry" logic to pki-ra . . . 
+- Applied filters for unwanted perl provides and requires +- Restored "perl-DBD-SQLite" runtime dependency + +* Tue Jan 26 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-4 +- Bugzilla Bug #553850 - Review Request: pki-ra - Dogtag Registration Authority +- Per direction from the Fedora community, + removed the following explicit "Requires": + perl-DBI + perl-HTML-Parser + perl-HTML-Tagset + perl-Parse-RecDescent + perl-URI + perl-XML-NamespaceSupport + perl-XML-Parser + perl-XML-Simple + +* Thu Jan 14 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-3 +- Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . . +- Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model +- Bugzilla Bug #553076 - Apply "registry" logic to pki-ra . . . +- Bugzilla Bug #553078 - Apply "registry" logic to pki-tps . . . +- Bugzilla Bug #553850 - Review Request: pki-ra - Dogtag Registration Authority + +* Mon Dec 14 2009 Kevin Wright <kwright@redhat.com> 1.3.0-2 +- Removed 'with exceptions' from License + +* Fri Oct 16 2009 Ade Lee <alee@redhat.com> 1.3.0-1 +- Bugzilla Bug #X - Fedora Packaging Changes + diff --git a/pki/specs/pki-tks.spec b/pki/specs/pki-tks.spec new file mode 100644 index 000000000..3c02c3d7e --- /dev/null +++ b/pki/specs/pki-tks.spec 
@@ -0,0 +1,292 @@ +Name: pki-tks +Version: 9.0.0 +Release: 2%{?dist} +Summary: Certificate System - Token Key Service +URL: http://pki.fedoraproject.org/ +License: GPLv2 +Group: System Environment/Daemons + +BuildArch: noarch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: cmake +BuildRequires: java-devel >= 1:1.6.0 +BuildRequires: jpackage-utils +BuildRequires: jss >= 4.2.6-12 +BuildRequires: nspr-devel +BuildRequires: nss-devel +BuildRequires: pki-common +BuildRequires: pki-util + +Requires: java >= 1:1.6.0 +Requires: pki-common +Requires: pki-selinux +Requires: pki-tks-theme +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +Requires: initscripts +%endif + +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz + +%description +Certificate System (CS) is an enterprise software system designed +to manage enterprise Public Key Infrastructure (PKI) deployments. + +The Token Key Service (TKS) is an optional PKI subsystem that manages the +master key(s) and the transport key(s) required to generate and distribute +keys for hardware tokens. TKS provides the security between tokens and an +instance of Token Processing System (TPS), where the security relies upon the +relationship between the master key and the token keys. A TPS communicates +with a TKS over SSL using client authentication. + +TKS helps establish a secure channel (signed and encrypted) between the token +and the TPS, provides proof of presence of the security token during +enrollment, and supports key changeover when the master key changes on the +TKS. Tokens with older keys will get new token keys. 
+ +Because of the sensitivity of the data that TKS manages, TKS should be set up +behind the firewall with restricted access. + +For deployment purposes, a TKS requires the following components from the PKI +Core package: + + * pki-setup + * pki-native-tools + * pki-util + * pki-java-tools + * pki-common + * pki-selinux + +and can also make use of the following optional components from the PKI Core +package: + + * pki-util-javadoc + * pki-java-tools-javadoc + * pki-common-javadoc + * pki-silent + +Additionally, Certificate System requires ONE AND ONLY ONE of the following +"Mutually-Exclusive" PKI Theme packages: + + * dogtag-pki-theme (Dogtag Certificate System deployments) + * redhat-pki-theme (Red Hat Certificate System deployments) + + +%prep + + +%setup -q + + +%clean +%{__rm} -rf %{buildroot} + + +%build +%{__mkdir_p} build +cd build +%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_TKS:BOOL=ON .. +%{__make} VERBOSE=1 %{?_smp_mflags} + + +%install +%{__rm} -rf %{buildroot} +cd build +%{__make} install DESTDIR=%{buildroot} INSTALL="install -p" + +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d +# generate 'pki-tks.conf' under the 'tmpfiles.d' directory +echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf +echo "D /var/lock/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf +echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf +echo "D /var/run/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf +%endif + + +%post +# This adds the proper /etc/rc*.d links for the script +/sbin/chkconfig --add pki-tksd || : + + +%preun +if [ $1 = 0 ] ; then + /sbin/service pki-tksd stop >/dev/null 2>&1 + /sbin/chkconfig --del pki-tksd || : +fi + + +%postun +if [ "$1" -ge "1" ] ; then 
+ /sbin/service pki-tksd condrestart >/dev/null 2>&1 || : +fi + + +%files +%defattr(-,root,root,-) +%doc base/tks/LICENSE +%{_initrddir}/pki-tksd +%{_javadir}/pki/pki-tks-%{version}.jar +%{_javadir}/pki/pki-tks.jar +%dir %{_datadir}/pki/tks +%{_datadir}/pki/tks/conf/ +%{_datadir}/pki/tks/setup/ +%{_datadir}/pki/tks/webapps/ +%dir %{_localstatedir}/lock/pki/tks +%dir %{_localstatedir}/run/pki/tks +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-tks.conf +%endif + + +%changelog +* Fri Aug 5 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-2 +- Bugzilla Bug #693835 - /var/log/tomcat6/catalina.out owned by pkiuser + +* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1 +- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0 +- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs + in the java subsystems +- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml + as part of CC interface review +- Bugzilla Bug #583823 - CC: Auditing issues found as result of + CC - interface review +- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be + generated on TKS instead of TPS. 
+- Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable + a CA that it serves +- Bugzilla Bug #504061 - ECC: unable to install subsystems - phase 1 +- Bugzilla Bug #637330 - CC feature: Key Management - provide signature + verification functions (JAVA subsystems) +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and + port fowarding for agent services +- Bugzilla Bug #631179 - Administrator is not allowed to remove + ocsp signing certificate using console +- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of + signature algorithm; and for ECC curves +- Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA release -- + DRM and TKS do not seem to have CRL checking enabled +- Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help + correctly set up CC environment +- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports + to talk to CA and complete configuration in DonePanel +- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) +- Bugzilla Bug #489385 - references to rhpki +- Bugzilla Bug #649910 - Console: an auditor or agent can be added to + an administrator group. +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #638377 - Generate PKI UI components which exclude + a GUI interface +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for + validity +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #499494 - change CA defaults to SHA2 +- Bugzilla Bug #649343 - Publishing queue should recover from CA crash. 
+- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and + pkiCA, obsolete 2252 and 2256 +- Bugzilla Bug #223346 - Two conflicting ACL list definitions in source + repository +- Bugzilla Bug #663546 - Disable the functionalities that are not exposed + in the console +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- Bugzilla Bug #661142 - Verification should fail when + a revoked certificate is added +- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time + interface is no longer available through console +- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During + CRL Generation +- Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing + information +- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml + as part of the CC interface review +- Bugzilla Bug #656665 - Please Update Spec File to use 'ghost' on files + in /var/run and /var/lock +- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem + instances + +* Wed Aug 04 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.3-1 +- Bugzilla Bug #606556 - Add known session key test to TKS self test set +- Bugzilla Bug #608086 - CC: CA, OCSP, and DRM need to add more audit calls +- Bugzilla Bug #527593 - More robust signature digest alg, like SHA256 + instead of SHA1 for ECC +- Bugzilla Bug #528236 - rhcs80 web conf wizard - cannot specify CA signing + algorithm +- Bugzilla Bug #533510 - tps exception, cannot start when signed audit true +- Bugzilla Bug #529280 - TPS returns HTTP data without ending in 0rn + per RFC 2616 +- Bugzilla Bug #498299 - Should not be able to change the status manually + on a token marked as permanently lost or destroyed +- Bugzilla Bug #554892 - configurable frequency signed audit +- Bugzilla Bug #500700 - tps log rotation +- Bugzilla Bug #562893 - tps shutdown if audit logs full +- Bugzilla Bug #557346 - Name Constraints Extension cant be marked critical +- 
Bugzilla Bug #556152 - ACL changes to CA and OCSP +- Bugzilla Bug #556167 - ACL changes to CA and OCSP +- Bugzilla Bug #581004 - add more audit logging to the TPS +- Bugzilla Bug #566517 - CC: Add client auth to OCSP publishing, and move + to a client-auth port +- Bugzilla Bug #565842 - Clone config throws errors - fix key_algorithm +- Bugzilla Bug #581017 - enabling log signing from tps ui pages causes tps + crash +- Bugzilla Bug #581004 - add more audit logs +- Bugzilla Bug #595871 - CC: TKS needed audit message changes +- Bugzilla Bug #598752 - Common Criteria: TKS ACL analysis result. +- Bugzilla Bug #598666 - Common Criteria: incorrect ACLs for signedAudit +- Bugzilla Bug #504905 - Smart card renewal should load old encryption cert + on the token. +- Bugzilla Bug #499292 - TPS - Enrollments where keys are recovered need + to do both GenerateNewKey and RecoverLast operation for encryption key. +- Bugzilla Bug #498299 - fix case where no transitions available +- Bugzilla Bug #595391 - session domain table to be moved to ldap +- Bugzilla Bug #598643 - Common Criteria: incorrect ACLs (non-existing groups) +- Bugzilla Bug #504359 - pkiconsole - Administrator Group's Description + References Fedora + +* Mon Apr 26 2010 Ade Lee <alee@redhat.com> 1.3.2-1 +- Bugzilla Bug 584917- Can not access CA Configuration Web UI + after CA installation + +* Tue Feb 16 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.1-2 +- Bugzilla Bug #566059 - Add 'pki-console' as a runtime dependency + for CA, KRA, OCSP, and TKS . . . 
+ +* Mon Feb 08 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.1-1 +- Bugzilla Bug #562986 - Supply convenience symlink(s) for backwards + compatibility (rename jar files as appropriate) + +* Fri Jan 15 2010 Kevin Wright <kwright@redhat.com> 1.3.0-4 +- Removed BuildRequires: dogtag-pki-tks-ui + +* Fri Jan 08 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-3 +- Corrected "|| :" scriptlet logic (see Bugzilla Bug #475895) +- Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . . +- Bugzilla Bug #553847 - New Package for Dogtag PKI: pki-tks + +* Mon Dec 14 2009 Kevin Wright <kwright@redhat.com> 1.3.0-2 +- Removed 'with exceptions' from License + +* Fri Oct 16 2009 Ade Lee <alee@redhat.com> 1.3.0-1 +- Bugzilla Bug #X - Packaging for Fedora Dogtag + diff --git a/pki/specs/pki-tps.spec b/pki/specs/pki-tps.spec new file mode 100644 index 000000000..61cc0e0b5 --- /dev/null +++ b/pki/specs/pki-tps.spec 
@@ -0,0 +1,389 @@ +Name: pki-tps +Version: 9.0.0 +Release: 1%{?dist} +Summary: Certificate System - Token Processing System +URL: http://pki.fedoraproject.org/ +License: LGPLv2 +Group: System Environment/Daemons + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: cmake +BuildRequires: apr-devel +BuildRequires: apr-util-devel +BuildRequires: cyrus-sasl-devel +BuildRequires: httpd-devel +BuildRequires: openldap-devel +BuildRequires: nspr-devel +BuildRequires: nss-devel +BuildRequires: pcre-devel +BuildRequires: svrcore-devel +BuildRequires: zlib +BuildRequires: zlib-devel + +Requires: mod_nss +Requires: mod_perl +Requires: mod_revocator +Requires: openldap-clients +Requires: pki-native-tools +Requires: pki-selinux +Requires: pki-setup +Requires: pki-tps-theme +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +Requires: initscripts +%endif + +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz + +%global overview \ +Certificate System (CS) is an enterprise software system designed \ +to manage enterprise Public Key Infrastructure (PKI) deployments. \ + \ +The Token Processing System (TPS) is an optional PKI subsystem that acts \ +as a Registration Authority (RA) for authenticating and processing \ +enrollment requests, PIN reset requests, and formatting requests from \ +the Enterprise Security Client (ESC). \ + \ +TPS is designed to communicate with tokens that conform to \ +Global Platform's Open Platform Specification. \ + \ +TPS communicates over SSL with various PKI backend subsystems (including \ +the Certificate Authority (CA), the Data Recovery Manager (DRM), and the \ +Token Key Service (TKS)) to fulfill the user's requests. 
\ + \ +TPS also interacts with the token database, an LDAP server that stores \ +information about individual tokens. \ + \ +For deployment purposes, a TPS requires the following components from the \ +PKI Core package: \ + \ + * pki-setup \ + * pki-native-tools \ + * pki-selinux \ + \ +and can also make use of the following optional components from the \ +PKI CORE package: \ + \ + * pki-silent \ + \ +Additionally, Certificate System requires ONE AND ONLY ONE of the \ +following "Mutually-Exclusive" PKI Theme packages: \ + \ + * dogtag-pki-theme (Dogtag Certificate System deployments) \ + * redhat-pki-theme (Red Hat Certificate System deployments) \ + \ +%{nil} + +%description %{overview} + + +================================== +|| ABOUT "CERTIFICATE SYSTEM" || +================================== +${overview} + + +%prep + + +%setup -q -n %{name}-%{version} + +cat << \EOF > %{name}-prov +#!/bin/sh +%{__perl_provides} $* |\ +sed -e '/perl(PKI.*)/d' -e '/perl(Template.*)/d' +EOF + +%global __perl_provides %{_builddir}/%{name}-%{version}/%{name}-prov +chmod +x %{__perl_provides} + +cat << \EOF > %{name}-req +#!/bin/sh +%{__perl_requires} $* |\ +sed -e '/perl(PKI.*)/d' -e '/perl(Template.*)/d' +EOF + +%global __perl_requires %{_builddir}/%{name}-%{version}/%{name}-req +chmod +x %{__perl_requires} + + +%clean +%{__rm} -rf %{buildroot} + + +%build +%{__mkdir_p} build +cd build +%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_TPS:BOOL=ON .. 
+%{__make} VERBOSE=1 %{?_smp_mflags} + + +%install +%{__rm} -rf %{buildroot} +cd build +%{__make} install DESTDIR=%{buildroot} INSTALL="install -p" + +chmod 755 %{buildroot}%{_datadir}/pki/tps/cgi-bin/demo/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/tps/cgi-bin/home/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/tps/cgi-bin/so/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/tps/cgi-bin/sow/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/tps/cgi-bin/sow/cfg.pl + +# This should be done in CMAKE +cd %{buildroot}/%{_datadir}/pki/tps/docroot +%{__ln_s} tokendb tus + +# Internal libraries for 'tps' are present in: +# +# * '/usr/lib/tps' (i386) +# * '/usr/lib64/tps' (x86_64) +# +mkdir %{buildroot}%{_sysconfdir}/ld.so.conf.d +echo %{_libdir}/tps > %{buildroot}%{_sysconfdir}/ld.so.conf.d/tps-%{_arch}.conf + +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d +# generate 'pki-tps.conf' under the 'tmpfiles.d' directory +echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tps.conf +echo "D /var/lock/pki/tps 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tps.conf +echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tps.conf +echo "D /var/run/pki/tps 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tps.conf +%endif + + +%post +/sbin/ldconfig +# This adds the proper /etc/rc*.d links for the script +/sbin/chkconfig --add pki-tpsd || : + + +%preun +if [ $1 = 0 ] ; then + /sbin/service pki-tpsd stop >/dev/null 2>&1 + /sbin/chkconfig --del pki-tpsd || : +fi + + +%postun +if [ "$1" -ge "1" ] ; then + /sbin/service pki-tpsd condrestart >/dev/null 2>&1 || : +fi + + +%files +%defattr(-,root,root,-) +%doc base/tps/LICENSE +%{_initrddir}/pki-tpsd +%config(noreplace) %{_sysconfdir}/ld.so.conf.d/tps-%{_arch}.conf +%{_bindir}/tpsclient 
+%{_libdir}/httpd/modules/* +%{_libdir}/tps/ +%dir %{_datadir}/pki/tps +%{_datadir}/pki/tps/applets/ +%{_datadir}/pki/tps/cgi-bin/ +%{_datadir}/pki/tps/conf/ +%{_datadir}/pki/tps/docroot/ +%{_datadir}/pki/tps/lib/ +%{_datadir}/pki/tps/samples/ +%{_datadir}/pki/tps/scripts/ +%{_datadir}/pki/tps/setup/ +%dir %{_localstatedir}/lock/pki/tps +%dir %{_localstatedir}/run/pki/tps +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-tps.conf +%endif + + +%changelog +* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1 +- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0 +- Bugzilla Bug #620863 - saved CS.cfg files should be moved to a subdirectory + to avoid cluttering +- Bugzilla Bug #607373 - add self test framework to TPS subsytem +- Bugzilla Bug #607374 - add self test to TPS self test framework +- Bugzilla Bug #624847 - Installed TPS cannot be started to be configured. +- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs + in the java subsystems +- Bugzilla Bug #547507 - Token renewal: certs on the token is deleted when + one of the certs on the token is outside renewal grace period. +- Bugzilla Bug #622535 - 64 bit host zlib uncompress operation fails when + reading data from token. +- Bugzilla Bug #497931 - CS 8.0 -- Have to download and stall the trust chain + through ESC even if it was already installed in the browser. 
+- Bugzilla Bug #579790 - errors in ESC communications can leave unusable + tokens and inconsistent data in TPS +- Bugzilla Bug #631474 - Token enrollment with TPS Client fails with error + 'Applet memory exceeded when writing out final token data' +- Bugzilla Bug #488762 - Found HTTP TRACE method enabled on TPS +- Bugzilla Bug #633405 - Tps client unable to perform token enrollment when + tried to load certificates with 2048 bit keys +- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be + generated on TKS instead of TPS. +- Bugzilla Bug #574942 - TPS database has performance problems with a large + number of tokens +- Bugzilla Bug #637982 - some selftest parameters are not properly substituted +- Bugzilla Bug #637824 - TPS UI: Profile state in CS.cfg is Pending Approval + after agent approve and Enable +- Bugzilla Bug #223313 - should do random generated IV param + for symmetric keys +- Bugzilla Bug #628995 - TPS CC requirement: Unused predicates for revocation + controls for TPS enrollment profiles should be removed. +- Bugzilla Bug #642084 - CC feature: Key Management -provide signature + verification functions (TPS subsystem) +- Bugzilla Bug #646545 - TPS Agent tab: displays approve list parameter with + last character chopped. 
+- Bugzilla Bug #532724 - Feature: ESC Security officer work station should + display % of operation complete for format SO card +- Bugzilla Bug #647364 - CC: audit signing certs for JAVA subsystems fail + CIMC cert verification (expose updated cert verification function in JSS) +- Bugzilla Bug #651087 - TPS UI Admin tab display 'null' string in the + General configuration +- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports + to talk to CA and complete configuration in DonePanel +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #638377 - Generate PKI UI components which exclude + a GUI interface +- Bugzilla Bug #640042 - TPS Installlation Wizard: need to move Module Panel + up to before Security Domain Panel +- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for + validity +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #499494 - change CA defaults to SHA2 +- Bugzilla Bug #661128 - incorrect CA ports used for revoke, unrevoke certs + in TPS +- Bugzilla Bug #223314 - AOL: Better activities logs +- Bugzilla Bug #651001 - TPS does not create a password for entries in ldap. + This violates STIG requirements +- Bugzilla Bug #512248 - Status mismatch for the encryption cert in tps agent + and CA when a temporary smart card is issued. +- Bugzilla Bug #666902 - TPS needs to call CERT_VerifyCertificate() correctly +- Bugzilla Bug #223319 - Certificate Status inconsistency between token db + and CA +- Bugzilla Bug #669055 - TPS server does not re-start when signedAudit + logging is turned ON +- Bugzilla Bug #606944 - Convert TPS to use ldap utilities and API from + OpenLDAP instead of the Mozldap +- Bugzilla Bug #606944 - Convert TPS to use ldap utilities and API from + OpenLDAP instead of the Mozldap +- Bugzilla Bug #614639 - 64k gemalto usb token no longer works properly + after a "logout" request is issued +- Bugzilla Bug #671522 - TPS AuditVerify fails. 
+- Bugzilla Bug #669804 - on active token re-enroll, TPS does not revoke and + remove existing certs. +- Bugzilla Bug #656666 - Please Update Spec File to use 'ghost' on files + in /var/run and /var/lock + +* Wed Aug 04 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.2-1 +- Bugzilla Bug #601299 - tps installation does not update security domain +- Bugzilla Bug #527593 - More robust signature digest alg, like SHA256 + instead of SHA1 for ECC +- Bugzilla Bug #528236 - rhcs80 web conf wizard - cannot specify CA signing + algorithm +- Bugzilla Bug #533510 - tps exception, cannot start when signed audit true +- Bugzilla Bug #529280 - TPS returns HTTP data without ending in 0rn + per RFC 2616 +- Bugzilla Bug #498299 - Should not be able to change the status manually + on a token marked as permanently lost or destroyed +- Bugzilla Bug #554892 - configurable frequency signed audit +- Bugzilla Bug #500700 - tps log rotation +- Bugzilla Bug #562893 - tps shutdown if audit logs full +- Bugzilla Bug #557346 - Name Constraints Extension cant be marked critical +- Bugzilla Bug #556152 - ACL changes to CA and OCSP +- Bugzilla Bug #556167 - ACL changes to CA and OCSP +- Bugzilla Bug #581004 - add more audit logging to the TPS +- Bugzilla Bug #566517 - CC: Add client auth to OCSP publishing, + and move to a client-auth port +- Bugzilla Bug #565842 - Clone config throws errors - fix key_algorithm +- Bugzilla Bug #581017 - enabling log signing from tps ui pages causes tps + crash +- Bugzilla Bug #581004 - add more audit logs +- Bugzilla Bug #595871 - CC: TKS needed audit message changes +- Bugzilla Bug #598752 - Common Criteria: TKS ACL analysis result. +- Bugzilla Bug #598666 - Common Criteria: incorrect ACLs for signedAudit +- Bugzilla Bug #504905 - Smart card renewal should load old encryption cert + on the token. +- Bugzilla Bug #499292 - TPS - Enrollments where keys are recovered need + to do both GenerateNewKey and RecoverLast operation for encryption key. 
+- Bugzilla Bug #498299 - fix case where no transitions available +- Bugzilla Bug #604186 - Common Criteria: TPS: Key Recovery needs + to meet CC requirements +- Bugzilla Bug #604178 - Common Criteria: TPS: cert registration needs + to meet CC requirements +- Bugzilla Bug #600968 - Common Criteria: TPS: cert registration needs + to meet CC requirements +- Bugzilla Bug #607381 - Common Criteria: TPS: cert registration needs + to meet CC requirements + +* Thu Apr 08 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.1-1 +- Bugzilla Bug #564131 - Config wizard : all subsystems - done panel text + needs correction + +* Tue Feb 16 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-8 +- Bugzilla Bug #566060 - Add 'pki-native-tools' as a runtime dependency + for RA, and TPS . . . + +* Fri Jan 29 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-7 +- Bugzilla Bug #553852 - Review Request: pki-tps - The Dogtag PKI System + Token Processing System +- Bugzilla Bug #553078 - Apply "registry" logic to pki-tps . . . +- Applied filters for unwanted perl provides and requires +- Applied %{?_smp_mflags} option to 'make' +- Removed manual 'strip' commands + +* Thu Jan 28 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-6 +- Bugzilla Bug #553078 - Apply "registry" logic to pki-tps . . . +- Bugzilla Bug #553852 - Review Request: pki-tps - The Dogtag PKI System + Token Processing System + +* Wed Jan 27 2010 Kevin Wright <kwright@redhat.com> 1.3.0-5 +- Bugzilla Bug #553852 - Review Request: pki-tps - The Dogtag PKI System + Token Processing System +- Per direction from the Fedora community, + removed the following explicit "Requires": + perl-HTML-Parser + perl-HTML-Tagset + perl-Parse-RecDescent + perl-URI + perl-XML-NamespaceSupport + perl-XML-Parser + perl-XML-Simple + +* Thu Jan 14 2010 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-4 +- Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into + pkicreate . . . 
+- Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model +- Bugzilla Bug #553076 - Apply "registry" logic to pki-ra . . . +- Bugzilla Bug #553078 - Apply "registry" logic to pki-tps . . . +- Bugzilla Bug #553852 - Review Request: pki-tps - Dogtag Certificate System + Token Processing System + +* Mon Dec 14 2009 Kevin Wright <kwright@redhat.com> 1.3.0-3 +- Removed BuildRequires bash - Removed 'with exceptions' from License + +* Mon Nov 02 2009 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-2 +- Bugzilla Bug #X - Packaging for Fedora Dogtag PKI +- Prepended directory path in front of setup_package +- Take ownership of pki tps directory. + +* Fri Oct 16 2009 Matthew Harmsen <mharmsen@redhat.com> 1.3.0-1 +- Bugzilla Bug #X - Packaging for Fedora Dogtag PKI + |
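Review bot: in pki/specs/pki-ra.spec, the %files section lists "%dir %{_localstatedir}/lock/pki/ra" and "%dir %{_localstatedir}/run/pki/ra" as ordinary directories, while the 9.0.0-1 changelog entry for Bugzilla Bug #656664 says the spec was updated to use 'ghost' for files in /var/run and /var/lock. On Fedora >= 15 the same spec generates tmpfiles.d/pki-ra.conf because those paths live on tmpfs. After a reboot the packaged directories exist only if tmpfiles recreates them, and package verification will flag them as missing on any system where it does not. Mark both entries %ghost so the package owns the paths without shipping them, or drop the #656664 line from the changelog if that change is not part of this commit.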
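Review bot: in pki/specs/pki-tks.spec, the %install block writes "D /var/lock/pki 0755 root root -" and "D /var/run/pki 0755 root root -" into tmpfiles.d/pki-tks.conf, and the pki-ra and pki-tps specs in this same commit write identical lines for the same two parent directories into their own files. "D" is the tmpfiles type that also empties the directory, so three packages each claim the right to clear a parent that holds the other subsystems' lock and PID subdirectories. Declare the shared parents once, in a package every subsystem already requires, and use "d" for them; keep only the per-subsystem lines (/var/lock/pki/tks, /var/run/pki/tks) here. It is also worth stating in a comment why these directories are root:root 0755, given that the 9.0.0-2 changelog entry refers to files owned by pkiuser.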
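Review bot: in pki/specs/pki-tps.spec, the text under "%description %{overview}" repeats the overview as "${overview}", which is shell syntax, not an RPM macro reference, so it will not be expanded and the literal string will end up in the package description. Use "%{overview}" there as the %description line itself does, or drop the banner and the second reference. Separately, %install creates the linker configuration directory with a bare "mkdir %{buildroot}%{_sysconfdir}/ld.so.conf.d", which fails if "make install" has not already created %{_sysconfdir} in the buildroot; the tmpfiles.d block a few lines later uses "%{__mkdir_p}", and this line should too. The %post scriptlet runs /sbin/ldconfig after adding tps-%{_arch}.conf, but %postun does not, so the linker cache is not refreshed when the package and its ld.so.conf.d entry are removed.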