Commit message  Author  Age  Files  Lines
...
* Added automatic Tomcat migration.  Matthew Harmsen  2015-11-01  6 files  -29/+56
  The pki-server migrate command has been modified such that if there is no specific Tomcat version specified it will use the current Tomcat version.
  The top attribute in the CLI class was not functioning properly, so it has been replaced with the get_top_module() method.
  The getopt() invocations in pki-server subcommands have been replaced with gnu_getopt() to allow intermixing options and arguments.
  https://fedorahosted.org/pki/ticket/1310
  (based upon Edewata patch c7bc6eb94aa64c89467f9394554f860dc485ad94)
* Replaced legacy HttpClient.  Endi S. Dewata  2015-10-23  5 files  -310/+278
  The ConfigurationUtils and CertUtil have been modified to use PKIConnection which uses Apache HttpClient instead of the legacy custom HttpClient. The POST request content is now created using MultivaluedMap.
  The PKIConnection has been modified to provide a get() method to send an HTTP GET request. The post() method was modified to accept a path parameter.
  https://fedorahosted.org/pki/ticket/342
  (cherry picked from commit aaacd71a2f125501645885d3da1de18459782572)
* Removed unused WizardServlet.  Endi S. Dewata  2015-10-23  30 files  -7472/+67
  The unused configuration wizard servlet has been removed to simplify refactoring other codes. The remaining references in CertUtil and ConfigurationUtils have been removed as well.
  https://fedorahosted.org/pki/ticket/1120
  (cherry picked from commit 60fa66aa04ec61350420d95a554c0cec7834ebbd)
* Checking in under the one line trivial change rule.  Matthew Harmsen  2015-10-22  2 files  -2/+2
* Fixed user search in PasswdUserDBAuthentication.  Endi S. Dewata  2015-10-06  3 files  -73/+50
  The PasswdUserDBAuthentication.authenticate() has been modified such that it uses the UGSubsystem to find the user in the proper LDAP subtree to avoid matching other LDAP entries that contain a uid attribute.
  https://fedorahosted.org/pki/ticket/1580
  (cherry picked from commit 017d582ba50fe4ffc4bedf40a5229fb6aa381b37)
* Added python-nss runtime dependency  Matthew Harmsen  2015-10-02  1 file  -1/+5
  - PKI TRAC Ticket #1623 - Runtime dependency on python-nss is missing
* Ticket #1593 auto-shutdown - for HSM failover support  Christina Fu  2015-10-01  10 files  -20/+220
  This is an interim solution for supporting HSM failover by automatically shutting down the server when the signing key becomes inaccessible.
  At auto-shutdown, a crumb file will be left in the instance directory for an external daemon to detect and restart, if necessary.
  Due to a limitation of the watch dog (nuxwdog) at the present time, the restart option currently only works if started with the watch dog (nuxwdog), and it will prompt for passwords on the terminals.
  The restart counter is to prevent the server from going into an infinite restart loop. The administrator will have to reset autoShutdown.restart.count to 0 when the max is reached.
  (cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
* Added default subject DN for pki client-cert-request.  Endi S. Dewata  2015-10-01  2 files  -12/+29
  The pki client-cert-request CLI has been modified to generate a default subject DN if it's not specified. The man page has been updated accordingly.
  https://fedorahosted.org/pki/ticket/1463
  (cherry picked from commit 3292de07ed01f6230de34120bf9cd1b8d164610a)
* Added support for directory-authenticated profiles in CLI.  Endi S. Dewata  2015-09-30  2 files  -24/+83
  The pki cert-request-submit and client-cert-request CLIs have been modified to provide options to specify the username and password for directory-authenticated certificate enrollments.
  https://fedorahosted.org/pki/ticket/1463
  (cherry picked from commit bb2861b5ee8c82bc5cfffa9a9a6f23bb4b3e4e80)
* Refactored certificate processors.  Endi S. Dewata  2015-09-30  10 files  -53/+115
  The CertProcessor.setCredentialsIntoContext() and CAProcessor.authenticate() methods have been modified such that they can accept credentials provided via the AuthCredentials (for REST services) or via the HttpServletRequest (for legacy servlets).
  The CertEnrollmentRequest has been modified to inherit from ResourceMessage such that REST clients can provide the credentials via request attributes.
  https://fedorahosted.org/pki/ticket/1463
  (cherry picked from commit 6c5fc90ffedcd7be17a2d014915f8e908e2488d5)
* Relocated legacy cert enrollment methods.  Endi S. Dewata  2015-09-30  4 files  -51/+72
  The EnrollmentProcessor.processEnrollment() and RenewalProcessor.processRenewal() methods that take CMSRequest object have been moved into ProfileSubmitServlet because they are only used by the legacy servlet.
  https://fedorahosted.org/pki/ticket/1463
  (cherry picked from commit 0e728a28c1a5515bb7dbf5ee799c093bd6db6813)
* KRA: key archival/recovery via cli - should honor encryption/decryption flags.  Jack Magne  2015-09-25  2 files  -30/+138
  Ticket # 1597
  Currently, KRA allows sites to opt for doing encryption/decryption instead of wrapping/unwrapping for key archival and recovery. The new cli code was later added without such support. We should honor the same flags when cli is called to do key archival and recovery. This feature was due to a specific customer request.
  Here is what is now supported:
  1. When the pki cli tool is used to recover an asymmetric private key, support is there to do so with encrypt / decrypt.
  2. The passphrase and generic data facility already uses encrypt / decrypt so nothing here was needed. Calling it out since this will possibly be a customer issue.
  3. While under the hood, it made sense to add this functionality to the Symmetric key archival and recovery operations.
  4. All tests in DRMTest.java worked successfully when the kra was configured to support this feature and configured to not observe this feature.
  What is missing:
  We have since added a method to do a server side key generation of an asymmetric key pair in the kra and also archive it there at the same time. In order to do encrypt / decrypt in this case we need to extract the key contents out of a key object that is used to generate this key. It proved problematic to extract said key. This should be ok since the customer only needs to recover an asymmetric key in their test cases. We could look into doing this later if a pressing need arises.
  (cherry picked from commit a5a50e95a691587e22335018538b4f578dfee6d1)
* Added support for secure database connection in CLI.  Endi S. Dewata  2015-09-23  4 files  -76/+201
  The pki-server subsystem-cert-update has been modified to support secure database connection with client certificate authentication. The certificate and the private key will be exported temporarily into PEM files so python-ldap can use them.
  The pki client-cert-show has been modified to provide an option to export the client certificate's private key.
  https://fedorahosted.org/pki/ticket/1551
  (cherry picked from commit f153bd8a455953698e8af5085cd3cd7b368b1247)
  Conflicts:
    base/server/upgrade/10.2.0/01-AddTLSRangeSupport
* Fixed pkidbuser group memberships.  Matthew Harmsen  2015-09-23  1 file  -28/+59
  Due to a certificate mapping issue the subsystem certificate can be mapped into either the subsystem user or pkidbuser, which may cause problems since the users don't belong to the same groups. As a temporary solution the pkidbuser is now added into the same groups. This way the client subsystem can always access the services regardless of which user the certificate is actually mapped to.
  Bugzilla Bug #1258634 - CA fails to authenticate to KRA for archival
  https://fedorahosted.org/pki/ticket/1595
  (cherry picked from commit e6f8b52e97926e7b6c30a6ce958a7e590c2e6b76)
  Conflicts:
    base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
* Added CLI to update cert data and request in CS.cfg.  Endi S. Dewata  2015-09-23  6 files  -81/+720
  A set of new pki-server commands have been added to simplify updating the cert data and cert request stored in the CS.cfg with the cert data and cert request stored in the NSS and LDAP database, respectively.
  https://fedorahosted.org/pki/ticket/1551
  (cherry picked from commit 7ed1e32c574a2ee93a62297d16e07a7071e696d7)
* Ticket 1307 minor fix for - [RFE] Support multiple keySets for different cards for ExternalReg - make default keySetMappingResolver work for smart cards out of box  Christina Fu  2015-08-24  1 file  -8/+15
  The earlier patch works fine for the feature requested. However, the default keySetMappingResolver filter contains keySet extension which would fail smart cards. Although this could be easily worked around, this patch provides the default that would make it easier to play with.
  (cherry picked from commit ee93ca05ec3a52fcf6239c48c167d8d5566b81cd)
* SC650 format/enroll fails  Jack Magne  2015-08-24  1 file  -1/+11
  Simple fix to correctly identify scp01/gp201 sc650 card.
  (cherry picked from commit 3158e1279b210d9f409918b24180bf20b0774614)
* Added pki-user-membership man page.  Endi S. Dewata  2015-08-24  4 files  -4/+95
  A new man page has been added for pki <subsystem>-user-membership commands. The pki-user-cert man page has been modified to fix some errors.
  https://fedorahosted.org/pki/ticket/1584
  (cherry picked from commit 997c8ec32ed483f3af47d692039720e62fa65c94)
* Internet Explorer 11 not working browser warning.  Jack Magne  2015-08-20  1 file  -11/+38
  Related to ticket #1575 Internet Explorer 11: caUserCert request submission fails using the EE page.
  This patch will only do the following:
  Detect IE when IE11 is being used. Before this IE11 was mistaken for Firefox.
  Detect IE11 specifically and warn the user that there is no support.
  This ticket will live so we can fix this properly by porting the current VBS script to Javascript to support cert enrollment on IE 11.
  (cherry picked from commit 0baf14ad496d18991a83f211b4b60d1811e21fb3)
* Ticket 1566 on HSM, non-CA subsystem installations failing while trying to join security domain  Christina Fu  2015-08-19  2 files  -18/+26
  Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on.
  We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that:
  1. The tested HSM seems to have issue with them (will still continue to investigate)
  2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to establish.
  3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations
  (cherry picked from commit 89211b9915e9c3e034d311ac0fa7091e9e08bde8)
* Minor fix to "setpin" fix.  Jack Magne  2015-08-19  1 file  -1/+1
  The routine that sets the password of the "pinmanager" user was not working. A very simple one character fix takes care of it.
  Ticket # 1546 - Setpin utility doesn't set the pin for users.
  Checking in under the one line trivial change rule.
  (cherry picked from commit 6260a6d20c113343dd04cdbed999865ebc1650c9)
* Ticket #1556 Weak HTTPS TLS ciphers  Christina Fu  2015-08-14  4 files  -34/+110
  This patch fixes the RSA ciphers that were mistakenly turned on under ECC section, and off under RSA section. A few adjustments have also been made based on Bob Relyea's feedback.
  A new file, <instance>/conf/ciphers.info was also created to
  1. provide info on the ciphers
  2. provide default rsa and ecc ciphers for admins to incorporate into earlier instances (as migration script might not be ideal due to possible customization)
* setpin utility doesn't set the pin for users.  Jack Magne  2015-08-14  3 files  -34/+35
  There were some things wrong with the setpin utility.
  1. There were some syntax violations that had to be dealt with or a DS with syntax checking would not be pleased.
  2. The back end is expecting a byte of hash data at the beginning of the pin. In our case we are sending NO hash so we want this code at the beginning '-'
  3. We also need to prepend the dn in front of the pin so the back end can verify the set pin. Tested to work during both steps of the setpin process: 1) Creating the schema, 2) creating the pin. Tested to work with actual PinBased Enrollment.
  4. Fix also now supports the SHA256 hashing method only, with the sha256 being the default hash. The no hash option is supported but puts the pin in the clear.
  (cherry picked from commit f60846e025ff5492e8c05ccf525fe8df1b59bba6)
* Ticket 1543 portalEnroll authentication does not load during creation from Console  Christina Fu  2015-08-14  1 file  -2/+0
  It appears that the PortalEnroll plugin was never converted to work in the Profile Framework. This patch takes out the following line from CS.cfg:
    auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
  so that it cannot be instantiated from the console, nor manually in CS.cfg, unless explicitly put back in.
  While in CS.cfg.in, I found the NSSAuth auths.impl line having no real implementation, so I removed that too.
  (cherry picked from commit a62ab357eb759ea59ea5204a046d0cab99126000)
* One-liner fix to conditional for new SerialNumberUpdateTask  Ade Lee  2015-08-14  1 file  -2/+2
  (cherry picked from commit de2c76f989adcf79b083c7f324c1b9b68571f83a)
* Fixed missing query parameters in ListCerts page.  Endi S. Dewata  2015-08-14  3 files  -31/+37
  The ListCerts servlet and the templates have been fixed to pass the skipRevoked and skipNonValid parameters to the subsequent page. Some debugging messages have been cleaned up as well.
  https://fedorahosted.org/pki/ticket/1538
  (cherry picked from commit 24d7d88bd0d8b79fe5b8b6dfd84238399bc1433c)
* Ticket 1539 Unable to create ECC KRA Instance when kra admin key type is ECC  Christina Fu  2015-08-14  2 files  -4/+4
  This patch changes the relevant CA enrollment admin profiles so that they accept requests for EC certs. The issue actually affected not just the KRA; it also affected other non-CA subsystems.
  (cherry picked from commit 017f4f9d4b3c6051f082b8c2b49d5143fd8450e9)
* Separate range and cert status threads  Ade Lee  2015-08-14  2 files  -4/+81
  We currently disable the cert status maintenance thread on clone CAs because CRL processing should only be done on the master CA. Currently, the maintenance thread also performs other checks on serial number ranges and settings. By disabling the maintenance thread, we disable these checks too.
  To fix this, we have separated the serial number checks into a different maintenance thread, so that these tasks will occur even if the cert status thread is disabled.
  Bugzilla # 1251606
  (cherry picked from commit d3d80046fd6985b809900005a685695d3181d9d3)
* updated dependencies  Matthew Harmsen  2015-08-08  1 file  -3/+23
  - PKI TRAC Ticket #1530 - Client pki-tools missing tomcat-servlet dependency
  - PKI TRAC Ticket #1542 - Update tomcatjss dependency on Fedora 23 and later
* Temporarily silence InsecureRequestWarning  Christian Heimes  2015-08-08  1 file  -0/+24
  https://fedorahosted.org/pki/ticket/1253
* remove more inaccessible URLs from server.xml  Matthew Harmsen  2015-08-07  4 files  -16/+12
  - PKI TRAC Ticket #1443 - pkidaemon status tomcat list URLs under PKI subsystems which are not accessible
  - PKI TRAC Ticket #1518 - OCSP ee url returned by pkidaemon status tomcat shows an error page
* Ticket 1531 Directory auth plugin requires LDAP anonymous binds  Christina Fu  2015-08-07  6 files  -12/+131
  - This patch adds a feature to allow a directory based authentication plugin to use a bound ldap connection instead of anonymous.
  Two files need to be edited
  1. <instance>/conf/password.conf
     add a "tag" and the password of the binding user dn to the file
     e.g. externalLDAP=password123
  2. <instance>/ca/CS.cfg
     add the tag to cms.passwordlist:
     e.g. cms.passwordlist=internaldb,replicationdb,externalLDAP
     add the authPrefix of the auths entry for the authentication instance
     e.g. externalLDAP.authPrefix=auths.instance.UserDirEnrollment
     add relevant entries to the authentication instance
     e.g. auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
          auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
          auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com
          auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
* Added in commented out 'javac' command-line options such as "-g" debugging  Matthew Harmsen  2015-08-05  1 file  -0/+3
* Fixed missing cert request hostname and address.  Endi S. Dewata  2015-08-05  7 files  -47/+46
  The CA services have been modified to inject request hostname and address into the certificate request object such that they will be stored in the database. This fixes the problem with requests submitted either via the UI or the CLI.
  An unused method in CertRequestResource has been removed. Some debug messages have been cleaned as well.
  https://fedorahosted.org/pki/ticket/1535
* remove extra space from Base 64 encoded cert displays  Matthew Harmsen  2015-07-31  6 files  -18/+18
  - PKI TRAC Ticket #1522 - CA UI adds extra space in Base 64 encoded certificate display
* Add code to reindex data during cloning without replication  Ade Lee  2015-07-31  16 files  -32/+243
  When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed.
  When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed.
  Related to ticket 1414
* Firefox warning  Jack Magne  2015-07-31  3 files  -15/+7
  Ticket #1523
  Move the dire warning about the crypto object to sections where it applies. Also slightly changed the message due to context.
* Add certutil options for ECC  Matthew Harmsen  2015-07-28  5 files  -5/+38
  - PKI TRAC Ticket #1524 - pkispawn: certutil options incorrect for creating ecc admin certificate
* op.format.externalRegAddToToken.revokeCert parameter missing in TPS CS.cfg.  Jack Magne  2015-07-28  1 file  -0/+1
  It is true that this setting is not present. The generic code that revokes certs for a format checks this value. No harm in putting this value in the CS.cfg and setting it to false by default for the externalRegAddToToken profile. No harm in giving the user the way to use this feature, even if we decide it is not a good idea to revoke certs associated with the external reg feature.
* Ticket 1307 issue: FilterMappingResolver always returns target  Christina Fu  2015-07-28  2 files  -7/+12
* TPS UI: After successful key upgrade during pin reset operation the token db still shows old key  Jack Magne  2015-07-28  1 file  -0/+15
  Simple matter of not updating the token record at the end of the pin reset operation. Also, make sure the activity log is correct.
* Remove noise file generation code  Ade Lee  2015-07-28  2 files  -64/+19
  Noise file does not actually need to have random data because NSS does not actually use this data. Certutil still needs the file though, so we will put dummy data in there.
  This solves potential problems with the random() method used and also issues like BZ 1244382
* Fixed previous patch by ALWAYS including 'policycoreutils-python' regardless of platform.  Matthew Harmsen  2015-07-24  1 file  -4/+2
* Fix code to add replicationdb password unless already present  Ade Lee  2015-07-24  1 file  -1/+1
  The replicationdb password is an instance parameter and should be created by the first subsystem in the instance. This should happen independently of whether replication is being set up in case it is needed to set up replication (as a master) later.
  Related to Ticket 1414
* Please depend on policycoreutils-python-utils  Matthew Harmsen  2015-07-24  1 file  -1/+12
  - Bugzilla Bug #1246620 - [PATCH] Please depend on policycoreutils-python-utils [Fedora 23 and later - tradej]
* Fixed ObjectNotFoundException in PKCS12Export.  Endi S. Dewata  2015-07-20  1 file  -6/+6
  The PKCS12Export has been fixed to handle ObjectNotFoundException when exporting certificates without private keys.
  https://fedorahosted.org/pki/ticket/1506
* Updated version number to 10.2.7-0.1  Matthew Harmsen  2015-07-18  7 files  -11/+23
* Merge branch 'master' of ssh://git.fedorahosted.org/git/pki  Matthew Harmsen  2015-07-18  0 files  -0/+0
|\
| * Update release number for release build (10.2.5-1)  Matthew Harmsen  2015-07-18  4 files  -4/+16
* | Update release number for release build (10.2.6-1)  Matthew Harmsen  2015-07-18  4 files  -4/+16
|/