| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Specifically changes to CS.cfg, server.xml and tomcat.conf
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the first of several commits. This adds a LifecycleListener
to call init() on the nuxwdog client before any connectors or webapps
start up, and call sendEndInit() once initialization completes.
Code is also added to prompt for and test required passwords on startup.
All that is required to use nuxwdog is to start the server using nuxwdog.
An environment variable will be set that will trigger creation of the
NuxwdogPasswordStore. We expect tags for the required passwords to be in
cms.passwordList
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Usage:
* under /usr/share/pki/ca/conf, you will find a new file called
serverCert.profile.exampleWithSANpattern
* copy existing serverCert.profile away and replace with
serverCert.profile.exampleWithSANpattern
* edit serverCert.profile.exampleWithSANpattern
- follow the instruction right above 8.default.
- save and quit
* cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg
- follow the instruction right above policyset.serverCertSet.9
- save and quit
* save away and edit the ca config file for pkispawn: (note: you can
add multiple SAN's delimited by ',' for pki_san_server_cert
- add the following lines, e.g.
pki_san_inject=True
pki_san_server_cert=host1.Example.com
- do the same pkispawn cfg changes for kra or any other instances
that you plan on creating
* create your instance(s)
check the sl sever cert, it should contain something like the
following:
Identifier: Subject Alternative Name - 2.5.29.17
Critical: no
Value:
DNSName: host1.Example.com
|
|
|
|
|
|
|
|
|
|
|
|
| |
New pki-server CLI commands have been added to migrate the server
configuration from Tomcat 7 to Tomcat 8 and vice versa. These
commands can be used later during system upgrade to migrate
existing instances from Tomcat 7 in F22 to Tomcat 8 in F23.
The Python CLI framework has been refactored to provide a way to
find other CLI modules by the command names.
https://fedorahosted.org/pki/ticket/1264
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Dogtag code has been modified to support both Tomcat 7 and 8.
All files depending on a specific Tomcat version are now stored
in separate folders. The build scripts have been modified to use
the proper folder for the target platform. The tomcatjss
dependency has been updated as well.
The upgrade script will be added in a separate patch.
https://fedorahosted.org/pki/ticket/1264
|
|
|
|
| |
- PKI TRAC Ticket #1200 - make sure pkispawn works with hsm (passwords)
|
|
|
|
|
|
|
|
| |
Due to possible Tomcat 7 and 8 conflicts on F22 the spec file has
been modified to explicitly require the proper Tomcat packages for
the platform.
https://fedorahosted.org/pki/ticket/1332
|
|
|
|
| |
harmful bit of sanity checking, not needed.
|
|
|
|
| |
TPS Leagcy tests, TPS install tests, MS CA external CA test and other changes to install tests
|
| |
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide an interface to edit
raw properties as in the configuration file. This also allows
editing multiple properties at once and also copy & pasting
the properties.
https://fedorahosted.org/pki/ticket/936
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to display the appropriate actions
menu based on the roles of the user. TPS agent can only enable
and disable profiles, and also approve or reject pending requests.
TPS admin can only edit disabled profiles, then submit it for
approval, or cancel the request.
https://fedorahosted.org/pki/ticket/1292
|
|
|
|
|
|
|
|
| |
The REST services have been modified to support submit and cancel
actions. The ACL has been fixed to allow admins and agents to
change the status.
https://fedorahosted.org/pki/ticket/1292
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to customize the navigation menu
based on the roles of the user currently logged in. TPS agents
do not have access to users, groups, config, authenticators,
connectors, profile mappings, audit, and self tests, so the
corresponding menu items will be hidden. TPS admins have
access to all menu items.
https://fedorahosted.org/pki/ticket/1292
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
porting from Bugzilla 1150142
|
|
|
|
| |
- PKI TRAC Ticket #1346 - pkispawn should have an HSM library option
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is the 2nd phase of the externalReg feature, it makes the
following improvements:
* added feature: recovery by keyid (v.s. by cert)
* fixed some auditing message errors
* added some missing ldapStringAttributes needed for delegation to work
properly
* added missing externalReg required config parameters
* made corrections to some externalReg related parameters to allow
delegation to work properly
* added handle of some error cases
* made sure externalReg enrollment does not go half-way (once fails,
bails out)
tested:
* enrollment of the three default TPS profiles (tokenTypes)
* format of the tokens enrolled with the three default tps profiles
* delegation enrollments
* cuid match check
next phase:
* cert/key retention (allow preserving existing certs/keys on the token)
note:
* some of the activity log and cert status related issues that are not
specifically relating to externalReg will be addressed in other more
relevant tickets.
|
| |
|
|
|
|
|
|
| |
Caveat: This changes the order in which profiles are listed, but the
previous order doesn't seem very logical and there doesn't appear to
be any contract for a particular order.
|
|
|
|
|
| |
- PKI TRAC Ticket #1315 - pki-tomcatd fails to start on system boot
- PKI TRAC Ticket #1340 - pkidestroy should not remove /var/lib/pki
|
|
|
|
|
|
|
| |
The formats of XML and JSON responses of the AccountService.login()
have been modified to be more consistent and user-friendly.
https://fedorahosted.org/pki/ticket/1343
|
|
|
|
|
|
| |
Add the `pki_profiles_in_ldap' pkispawn config to control whether
profiles are stored on the filesystem (old behaviour) or LDAP (new
behaviour). The default is file-based profiles.
|
|
|
|
|
|
|
|
| |
Use a persistent query to monitor the database for changes to LDAP
profiles, and update the contents of the ProfileSubsystem according
to the changes (Add/Modify/Delete) that occur.
The monitoring occurs within its own thread.
|
| |
|
|
|
|
|
|
|
|
| |
The <instance>/work/Catalina/localhost/pki folder was owned by
root in Dogtag 10.0.x but now should be owned by pkiuser. An
upgrade script has been added to fix the ownership.
https://fedorahosted.org/pki/ticket/802
|
|
|
|
|
|
|
|
|
| |
All TPS services have been fixed to set the default status of a
new record to Disabled if the client does not provide the initial
status. This will ensure a newly created profile to always have a
status so it can be deleted normally.
https://fedorahosted.org/pki/ticket/1273
|
|
|
|
|
|
|
|
|
|
| |
The base class of ProfileDatabase (i.e. CSCfgDatabase) has been
modified to return the correct default value (i.e. Enabled) if the
status parameter doesn't exist. The TPSProcessor has been modified
to use ProfileDatabase and other TPS codes have also been changed
to use constants instead of string literals to ensure consistency.
https://fedorahosted.org/pki/ticket/1270
|
|
|
|
|
|
|
| |
The "Subsystem Connections" link in the home.html has been fixed
to point to #connectors.
https://fedorahosted.org/pki/ticket/1274
|
|
|
|
|
|
|
| |
The TPS REST service, CLI, and UI have been modified to provide
an interface to search for certificates belonging to a token.
https://fedorahosted.org/pki/ticket/1164
|
|
|
|
|
|
|
|
| |
Update CLI commands for working with the (now LDAP-based)
profiles in the same format as was used by the files, by way of the
--raw option.
Also add the "edit" command to interactively edit a profile.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CA installation process requires starting with the profile
subsystem disabled, then enabling it once profiles have been loaded
into the database. Accordingly, to avoid hacks with hardcoded
offsets, add the "enabled" CS.cfg configuration parameter along with
methods to enable or disable a subsystem based on the subsystem ID.
A disabled subsystem does not have its `init` method called, but it
is still instantiated and added to the registry so that other code
can look up a subsystem by name and find out its class.
Subsystems are enabled by default.
This commit also removes an assumption that the subsystem config
sub-store names are sequential numbers beginning at `0`.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the LDAPProfileSubsystem as another IProfileSubsystem
implementation that can be used instead of ProfileSubsystem (which
stores profiles on the file system) to store files in LDAP so that
changes can be replicated.
Extract common behaviour in to new AbstractProfileSubsystem
superclass.
Also address the minor issue #1220.
|
|
|
|
|
| |
The LDAPConfigStore class is an IConfigStore that reads and writes
its configuration to a given attribute and DN in an LDAP database.
|
| |
|
|
|
|
|
|
|
|
|
| |
The DBSubsystem has been modified to ignore the EPropertyNotDefined
exception in pre-op mode and only display a notification instead of
a stack trace since it's part of a normal operation. The missing
port will be supplied in a later stage of installation.
https://fedorahosted.org/pki/ticket/1293
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Placing 'ldap' on the whitelist was insufficient for the Fedora 22
i686 platform, therefore, ldap was added to 'ignored-modules'.
|
|
|
|
| |
- Reference: http://stackoverflow.com/questions/28437071/pylint-1-4-reports-e1101no-member-on-all-c-extensions
|