Commit message (Author, Date; Files, Lines)
...
* Correctly resolve symlinks in subdirectories (Matthew Harmsen, 2012-09-25; 1 file, -3/+4)
  * TRAC Ticket #338 - Dogtag 10: pkihelper.py directory.set_mode() does not resolve symlinks correctly
  This patch fixes the problem that although top-level symlinks are correctly identified as symbolic links, symlinks which exist under a subdirectory are incorrectly identified as files, and thus the 'chown' and 'chmod' commands are applied to the symlink, which in turn actually get applied to the target file instead.
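The bug class described in this commit message is easy to reproduce. The following is an added example, not the project's pkihelper.py: it walks a constructed instance tree that contains a symlink under a subdirectory pointing at a file outside the tree, and contrasts a naive classifier that uses os.path.isdir()/isfile() (both follow symlinks, so chmod() lands on the target) with one that tests os.path.islink() first at every depth. The function names apply_modes_naive, apply_modes and demo, and the 0640/0750 modes, are assumptions for the example.

```python
# Added example, not Dogtag's own pkihelper.py. Function names and modes are
# hypothetical. Requires a filesystem that supports symlinks (Linux assumed).
import os
import stat
import tempfile


def _walk_entries(root):
    """Yield every path below root; os.walk never descends into directory symlinks here."""
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def apply_modes_naive(root, file_mode=0o640, dir_mode=0o750):
    """Buggy: isdir()/isfile() follow symlinks, so a link under a subdirectory is
    classified as a file and os.chmod() (which also follows) modifies the target."""
    kinds = {}
    for path in _walk_entries(root):
        rel = os.path.relpath(path, root)
        if os.path.isdir(path):
            os.chmod(path, dir_mode)
            kinds[rel] = 'dir'
        else:
            os.chmod(path, file_mode)   # follows the link: changes the target's mode
            kinds[rel] = 'file'
    return kinds


def apply_modes(root, file_mode=0o640, dir_mode=0o750):
    """Fixed: test islink() before isdir()/isfile() at every depth and leave
    symlinks alone (on Linux a symlink's own mode bits are not meaningful)."""
    kinds = {}
    for path in _walk_entries(root):
        rel = os.path.relpath(path, root)
        if os.path.islink(path):
            kinds[rel] = 'symlink'
            continue
        if os.path.isdir(path):
            os.chmod(path, dir_mode)
            kinds[rel] = 'dir'
        else:
            os.chmod(path, file_mode)
            kinds[rel] = 'file'
    return kinds


def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo():
    """Constructed layout: <tmp>/target.txt (mode 0600) outside the tree and
    <tmp>/instance/sub/link -> target.txt inside it. Returns what each walker
    thought the link was and what happened to the target's mode."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, 'target.txt')
        with open(target, 'w') as fh:
            fh.write('constructed sample\n')
        os.chmod(target, 0o600)
        tree = os.path.join(tmp, 'instance')
        os.makedirs(os.path.join(tree, 'sub'))
        os.symlink(target, os.path.join(tree, 'sub', 'link'))

        naive = apply_modes_naive(tree)
        mode_after_naive = _mode(target)   # the target outside the tree was changed

        os.chmod(target, 0o600)            # reset before the second run
        fixed = apply_modes(tree)
        mode_after_fixed = _mode(target)   # untouched

        link_rel = os.path.join('sub', 'link')
        return {
            'naive_kind': naive[link_rel],
            'fixed_kind': fixed[link_rel],
            'mode_after_naive': mode_after_naive,
            'mode_after_fixed': mode_after_fixed,
        }


if __name__ == '__main__':
    print(demo())
```

The same ordering matters for chown: use os.lchown() (or os.chown(..., follow_symlinks=False)) when a symlink should be re-owned, since os.chown() on the link path follows it to the target.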
* Merged pki-setup into pki-server. (Endi Sukma Dewata, 2012-09-25; 5 files, -57/+43)
  The scripts to create and remove PKI instances have been moved from pki-setup into the pki-server package. Ticket #336
* Use getStatus servlet to provide startup status (Ade Lee, 2012-09-21; 2 files, -0/+8)
  Ticket 314
* Audit Cert Renewal (Matthew Harmsen, 2012-09-20; 1 file, -2/+2)
  * TRAC Ticket #333 - Increase audit cert renewal range to 2 years
  * Bugzilla Bug #843979 - Increase audit cert renewal range to 2 years
* time based searches (Andrew Wnuk, 2012-09-20; 7 files, -412/+254)
  This patch removes "fixed" year from time based searches for agent and EE interfaces. It also unifies time selection between search and revocation templates. Bug 854420.
* Changes to use standard dbuser (Ade Lee, 2012-09-19; 7 files, -26/+111)
  We create a user that can be used to connect to the database using the subsystem cert for client auth. We identified this user, using the seeAlso attribute and provided certmap rules to this effect. For this user, we used to reuse the uid = user CA-hostname-port, which is already created for inter-system communication. But this is problematic if more than one dbuser exists, as the directory server may bind as the incorrect user. In any replication topology, there must be only one dbuser using the subsystem cert.
  To simplify things, we create a new user specifically for this purpose (pkidbuser), and we remove the seeAlso attribute from the older dbusers. A script is needed to convert existing dogtag 9 instances to use the new user, and set the relevant acls. This will be done in a separate commit.
* Provide default for operations transition list, related # 858816. (Jack Magne, 2012-09-19; 1 file, -0/+1)
* Added DN and filter escaping in ConfigurationUtils. (Endi Sukma Dewata, 2012-09-19; 1 file, -19/+19)
  The ConfigurationUtils has been modified to escape values used in DN or filter according to LDAP standard. Ticket #193
* Removed duplicate DN escaping methods. (Endi Sukma Dewata, 2012-09-19; 8 files, -130/+14)
  The duplicate methods to escape DN value have been removed. The code that used the duplicate methods has been modified to use LDAPUtil.escapeDN(). Ticket #193
* Added DN and filter escaping in UGSubsystem. (Endi Sukma Dewata, 2012-09-19; 2 files, -26/+34)
  The UGSubsystem has been modified to escape values used in DN or filter according to LDAP standard. Ticket #193
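The three Ticket #193 commits above centralise escaping of values interpolated into DNs and search filters. As an added example (not Dogtag's LDAPUtil.escapeDN(), whose Java source is not on this page), the block below implements the two escaping rules the commits refer to, RFC 4514 for DN attribute values and RFC 4515 for filter assertion values, and shows with constructed inputs what goes wrong without them: an unescaped comma in a uid silently adds an RDN (the entry lands under a different parent), and an unescaped `*)(` in a filter turns a lookup of one user into a filter that matches everything. All function names, the base DN and the sample inputs are assumptions for the example.

```python
# Added example; not the project's own LDAPUtil. Names and sample data are hypothetical.

# RFC 4514 section 2.4: these characters must always be escaped in a DN attribute value.
_DN_ESCAPE_ALWAYS = set('"+,;<>\\')
# RFC 4515 section 3: hex escapes for the characters that are special in filters.
_FILTER_ESCAPES = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in an RFC 4514 string DN.
    Always escapes " + , ; < > \ and NUL; additionally escapes a leading '#',
    a leading space and a trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_ESCAPE_ALWAYS:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use in an RFC 4515 search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def rdn_count(dn: str) -> int:
    """Count RDNs by splitting on unescaped commas (sufficient for this demo;
    a real parser must also handle quoted and hex-pair forms)."""
    count, i = 1, 0
    while i < len(dn):
        if dn[i] == '\\':
            i += 2          # skip the escaped character
            continue
        if dn[i] == ',':
            count += 1
        i += 1
    return count


def user_dn(uid: str, base: str = 'ou=people,dc=example,dc=com') -> str:
    """Build the DN of a user entry with the uid value escaped."""
    return 'uid=%s,%s' % (escape_dn_value(uid), base)


def user_filter(uid: str) -> str:
    """Build an equality filter on uid with the value escaped."""
    return '(uid=%s)' % escape_filter_value(uid)


def demo():
    """Constructed hostile inputs, as a caller might pass them through an
    API without validation, shown unescaped and escaped."""
    dn_input = 'bob,ou=admins'            # would add an RDN if interpolated raw
    filter_input = '*)(objectClass=*'     # would match every entry if interpolated raw
    return {
        'unescaped_dn_rdns': rdn_count('uid=%s,ou=people,dc=example,dc=com' % dn_input),
        'escaped_dn_rdns': rdn_count(user_dn(dn_input)),
        'escaped_dn': user_dn(dn_input),
        'unescaped_filter': '(uid=%s)' % filter_input,
        'escaped_filter': user_filter(filter_input),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print('%-20s %s' % (key, value))
```

Both escapers work on a single value, never on an assembled DN or filter; escaping after assembly would mangle the structural commas and parentheses the caller put there on purpose.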
* Fixed conflicting log4j.properties. (Endi Sukma Dewata, 2012-09-19; 3 files, -21/+22)
  The <instance>/lib link has been replaced with a real folder which contains links to the files in /usr/share/tomcat/lib. This way the log4j.properties can be placed in this folder without causing conflicts with other instances. Ticket: #284
* https://fedorahosted.org/pki/ticket/304 (Christina Fu, 2012-09-18; 3 files, -39/+311)
  TMS ECC infrastructure (enrollment with client-side and server-side key generation, and key archival)
* https://fedorahosted.org/pki/ticket/304 (Christina Fu, 2012-09-18; 11 files, -244/+579)
  TMS ECC infrastructure (enrollment with client-side and server-side key generation, and key archival)
* Fixed problems with optional pki-symkey. (Endi Sukma Dewata, 2012-09-18; 4 files, -8/+18)
  The deployment and init scripts have been fixed to create and check the link to symkey.jar if a TKS instance is added, and remove the link if the instance is removed. Ticket #331
* Deregister subsystem in merged instance (Matthew Harmsen, 2012-09-13; 2 files, -1/+9)
  * TRAC Ticket #311 - Unable to deregister subsystem in merged instance
* Added Conflicts for IPA 2.x and Build Requires for zip for mock problem (Ade Lee, 2012-09-13; 1 file, -1/+7)
* Correct incorrect file paths in default file contexts (Ade Lee, 2012-09-13; 1 file, -3/+3)
* Restart existing instances upon package update (Matthew Harmsen, 2012-09-12; 4 files, -6/+48)
  * TRAC Ticket #312 - Dogtag 10: Automatically restart any running instances upon RPM "update" . . .
  * TRAC Ticket #317 - Dogtag 10: Move "pkispawn"/"pkidestroy" from /usr/bin to /usr/sbin . . .
* Various fixes to installation servlet and pki-deploy (Ade Lee, 2012-09-12; 6 files, -255/+212)
  Added logging so that we can see what is passed in to server from pkispawn. Fixed incorrect dbuser specification. Added required replication config items to pkispawn. Initial refactoring of construct_pki_configuration_data in pkijython.py
* Fixed SELinux error during pkidestroy. (Endi Sukma Dewata, 2012-09-12; 1 file, -28/+68)
  When removing a subsystem, pkidestroy would also remove the SELinux contexts for the instance regardless of whether there are still other subsystems in the instance. The code has been fixed such that it removes the SELinux contexts only when deleting the last subsystem. Ticket #89
* Added common ROOT webapp. (Endi Sukma Dewata, 2012-09-12; 12 files, -39/+294)
  The current ROOT webapp will redirect users coming to the root URL path to the proper path of the subsystem's webapp. Since now a single Tomcat instance may have multiple subsystems, a new ROOT webapp has been added to present the user with a menu of all available webapps from all subsystems in the instance. Ticket #89
* Added common theme webapp. (Endi Sukma Dewata, 2012-09-12; 2 files, -0/+21)
  A new theme webapp has been added to store the theme files for all PKI webapps. In the future the subsystem webapps can be modified to use the theme files provided by this common webapp instead of having to include duplicate files in each webapp. Ticket #89
* Added dependency on redhat-rpm-config. (Endi Sukma Dewata, 2012-09-11; 1 file, -1/+5)
  To avoid multilib conflicts the spec file has been modified to depend on redhat-rpm-config. This way the brp-java-repack-jars will run to repack the JAR files to generate identical files across architectures. Ticket: #296
* Bugzilla Bug# 852855 - rhcs81 - remove unexpected anonymous binds to internal db in cert status thread. (Jack Magne, 2012-09-10; 1 file, -17/+19)
* Verify symbolic links (Matthew Harmsen, 2012-09-07; 1 file, -1/+1)
  * TRAC Ticket #301 - Need to modify init scripts to verify needed symlinks in an instance (support non-default instance names)
* Merged Javadoc packages. (Endi Sukma Dewata, 2012-09-05; 7 files, -164/+78)
  The Javadocs for pki-util, pki-java-tools and pki-common have been merged and packaged into pki-javadoc RPM. Ticket #295
* Added proxy realm. (Endi Sukma Dewata, 2012-09-05; 15 files, -82/+417)
  CMS engine is a singleton and it's used by PKI realm to authenticate users accessing the subsystem. Since a Tomcat instance may contain multiple subsystems, each having a separate realm, the PKI JAR links need to be moved into WEB-INF/lib so that they will run inside separate class loaders.
  Tomcat also requires that the authenticator and realm classes be available in common/lib. To address this a new package pki-tomcat.jar has been added. The package contains the authenticator and a proxy realm. When the subsystems start running, they will register their own realms into the proxy realm such that the authentications will be forwarded to the appropriate subsystems. Ticket #89
* Moved webapp deployment code into pkispawn. (Endi Sukma Dewata, 2012-09-05; 6 files, -53/+64)
  Previously the WAR files were generated at build time, so it would include theme files that were installed on the build machine. The code has been changed such that instead of generating WAR files pkispawn will copy the webapp files from the theme folders and combine them with subsystem webapp files at deployment time. This way it will use the actual theme files installed on the deployment machine. Ticket #89
* Removed duplicate common classes in pki-console.jar. (Endi Sukma Dewata, 2012-09-04; 4 files, -24/+19)
  The pki-console has been modified to depend on pki-base. This way it's no longer necessary to include duplicate common classes in pki-console. Ticket #113
* Fixed conflicting LDIF files. (Endi Sukma Dewata, 2012-09-04; 1 file, -3/+6)
  During subsystem configuration the ConfigurationUtils.importLDIFS() would generate LDIF files in <instance>/conf folder which may conflict with files belonging to other subsystems. The code has been modified to generate the files in <instance>/<subsystem>/conf folder. Ticket #89
* Fixed anon connection factory to make no anonymous binds (Ade Lee, 2012-08-31; 2 files, -14/+24)
  This allows the server to come up with a DS where anon binds are turned off.
* Bug 844800 - TPS should provide the ability to not allow tokens marked as 'Terminated' to be formatted and reused. (Jack Magne, 2012-08-30; 6 files, -16/+148)
* Updated CMake jar() function. (Endi Sukma Dewata, 2012-08-30; 2 files, -34/+65)
  The jar() function has been modified to support multiple input dirs in a single command. This way it's not necessary to define multiple jar targets for the same jar file. The pki-console build script has been updated to utilize this functionality. Ticket #89
* Moved REST CLI into pki-tools. (Endi Sukma Dewata, 2012-08-29; 56 files, -215/+218)
  The pki-client.jar has been split and merged into pki-certsrv.jar and pki-tools.jar. The REST client classes are now packaged in com.netscape.certsrv.<component> packages. The REST CLI classes are now packaged in com.netscape.cmstools.<component> packages. The "pki" script has been moved into pki-tools RPM package. Ticket #215
* Merged pki-native-tools and pki-java-tools. (Endi Sukma Dewata, 2012-08-29; 7 files, -100/+91)
  The pki-native-tools and pki-java-tools have been merged into pki-tools and pki-server will depend on it. Since pki-ra and pki-tps depend on pki-server they automatically depend on pki-tools as well. Ticket #295
* Added pki-base and pki-server RPM packages. (Endi Sukma Dewata, 2012-08-29; 7 files, -182/+156)
  The pki-common package has been split such that the common and client binaries are packaged in pki-base and server binaries are packaged in pki-server. The pki-util has been merged into pki-base and the pki-deploy package has been merged into pki-server. Ticket #295
* Bugzilla Bug #849027 - rhcs81 tks failed start in selftest sharedsessionkey - symkey PK11_Derive. (Jack Magne, 2012-08-29; 1 file, -2/+4)
* Verify symbolic links and update CS.cfg for Dogtag 10 (Matthew Harmsen, 2012-08-29; 3 files, -7/+823)
  * TRAC Ticket #301 - Need to modify init scripts to verify needed symlinks in an instance
  * TRAC Ticket #303 - Dogtag 10: CS.cfg parameters for Dogtag 9 instance running under Dogtag 10 packages . . .
* Fixed exceptions during shutdown. (Endi Sukma Dewata, 2012-08-28; 15 files, -44/+34)
  The shutdown() methods in several classes have been fixed to allow more graceful shutdown and clean restart. There are two types of object attributes that need to be handled differently.
  Attributes that are initialized by the constructor should not be nulled during shutdown because they won't be reinitialized during restart. If they require a cleanup (e.g. emptying collections, closing LDAP connections) it's not necessary to check for null before calling the cleanup method because they're never null.
  For attributes that are initialized during init(), it may not be necessary to do a cleanup or null the attribute since they might still be used by other threads and they will be reinitialized during restart so the old objects will be garbage collected. If they do need a cleanup they should be checked for null because they might still be null due to init() failure or initialization conditionals. If the attributes are initialized conditionally, the logic has been modified to ensure the attributes are either initialized or set to null. Ticket #247
* https://fedorahosted.org/pki/ticket/241 (Christina Fu, 2012-08-23; 1 file, -8/+12)
  TPS ECC: when TPS server acts as an ECC SSL client to CA, TKS, or DRM, it needs to support ECC ciphers
* Bug 820695 - Tracker - TPS (ECC with nethsm) configuration failed at key generation (Christina Fu, 2012-08-23; 1 file, -43/+44)
  This patch calls with the right flags for each supported HSM to the new certutil that addressed the following bug: Bug 820684 - certutil support for EC on HSMs - need to call PK11_GenerateKeyPairWithOpFlags()
* subsequent OCSPs and DRM connector protection (Andrew Wnuk, 2012-08-20; 4 files, -51/+71)
  This patch corrects the process of attaching an OCSP subsystem to a CA. It improves handling of adding subsequent OCSP subsystems to a CA. This patch also prevents the DRM connector from being overwritten by subsequent DRM installations. Bug 804179.
* PKI Deployment Scriptlets (Matthew Harmsen, 2012-08-17; 18 files, -108/+390)
  * TRAC Ticket #266 - for non-master CA subsystems, pkidestroy needs to contact the security domain to update the domain
  * Made Fedora 17 rely upon tomcatjss 7.0.0 or later
  * Changed Dogtag 10 build-time and runtime requirements for 'pki-deploy'
  * Altered PKI Package Dependency Chain (top-to-bottom): pki-ca, pki-kra, pki-ocsp, pki-tks --> pki-deploy --> pki-common
  * Changed TPS to require a build-time dependency of 'httpd-devel >= 2.4.2'
  * Clarified RPM build script's usage message
* Added default for pidDir for dogtag 9 instances (Ade Lee, 2012-08-17; 1 file, -1/+2)
* Ticket 219 - Conversion of integer variable to BigInteger (Abhishek Koneru, 2012-08-17; 2 files, -9/+7)
* Fixed default port number in CLI help message. (Endi Sukma Dewata, 2012-08-17; 1 file, -1/+1)
  The CLI help message has been fixed to show the correct default port number.
* https://fedorahosted.org/pki/ticket/238 (Christina Fu, 2012-08-16; 3 files, -51/+177)
  TPS installation wizard: SizePanel needs to support ECC curve selection
* Merge branch 'master' of git://git.fedorahosted.org/git/pki (Christina Fu, 2012-08-15; 19 files, -80/+254)
* Changes to get TPS and RA running on dogtag 10 (Ade Lee, 2012-08-15; 19 files, -80/+254)
  Added systemd scripts for RA and TPS. Modified init scripts and configuration files to use correct directives for httpd 2.4. TPS and RA subsystems are now installable using pkicreate
* Merge branch 'my_tpsclient' (Ade Lee, 2012-08-15; 8 files, -47/+762)