Commit message | Author | Age | Files | Lines
...
* bulkissuance: Fixed prototype build warnings. | asn | 2010-12-15 | 1 | -10/+11
  Fixed brc #644056.
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1628 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* symkey: Fixed some build warnings. | asn | 2010-12-15 | 1 | -2/+2
  Fixed brc #644056.
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1627 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* osutil: Fixed a lot of build warnings. | asn | 2010-12-15 | 2 | -2/+2
  Fixed brc #644056.
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1626 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug #623862 - RFE: pki-ra should not require sendmail, but MTA | mharmsen | 2010-12-14 | 1 | -1/+1
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1625 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug #586073 - Add new 'mod_revocator' runtime dependency to RA and TPS | mharmsen | 2010-12-14 | 61 | -2108/+3285
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1624 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fixed bugzilla bug #512496. | awnuk | 2010-12-13 | 1 | -7/+8
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1622 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fixed bugzilla bug #512496. | awnuk | 2010-12-13 | 1 | -14/+5
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1621 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fixed bugzilla bug #512496. | awnuk | 2010-12-11 | 1 | -66/+252
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1618 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fixed bugzilla bug #512496. | awnuk | 2010-12-11 | 1 | -26/+40
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1617 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fix Bugzilla Bug 512248 - Status mismatch for the encryption cert in tps agent and CA when a temporary smart card is issued. | jmagne | 2010-12-10 | 2 | -2/+95
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1616 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug 651001 - TPS does not create a password for entries in ldap. This violates STIG requirements | vakwetu | 2010-12-08 | 2 | -1/+51
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1614 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug #643206 - New CMake based build system for Dogtag | mharmsen | 2010-12-08 | 9 | -67/+163
  (prevent class replication across jars)
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1612 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug 223314 - AOL: Better activities logs | vakwetu | 2010-12-08 | 6 | -86/+178
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1610 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug 661128 - incorrect CA ports used for revoke, unrevoke certs in TPS | vakwetu | 2010-12-08 | 2 | -8/+7
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1608 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug #643206 - New CMake based build system for Dogtag | mharmsen | 2010-12-07 | 52 | -210/+2901
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1607 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 499494 - change CA defaults to SHA2 | cfu | 2010-12-03 | 1 | -1/+1
  - fix for when new CRL Issuing point is added, default CRL signing alg is SHA2 instead of SHA1
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1606 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 499494 - change CA defaults to SHA2 | cfu | 2010-12-03 | 3 | -5/+5
  - fix that makes the default alg not SHA1 when new profiles are created from the Console
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1604 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug #658926 | jdennis | 2010-12-03 | 1 | -10/+11
  jakarta-commons-lang.jar is needed by velocity, add that link in WEB-INF/lib. This dependency first appeared in F13.

  We had been providing a link to jakarta-commons-collections.jar in $pki_instance/common/lib but that link is not necessary since tomcat6 already provides jakarta-commons-collections.jar. So remove the superfluous link creation, it isn't needed.

  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1602 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 499494 - change CA defaults to SHA2 | cfu | 2010-12-03 | 6 | -27/+27
  - changed defaults in CS.cfg's from SHA1 to SHA2
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1601 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 659004 - CC: AuditVerify hardcoded with SHA-1 | cfu | 2010-12-02 | 2 | -4/+4
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1599 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug #643206 - New CMake based build system for Dogtag | mharmsen | 2010-12-02 | 26 | -4830/+74
  (Legacy build system changes for compliance)
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1597 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 642357 - CC Feature- Self-Test plugins only check for validity (missing CS.cfg changes) | cfu | 2010-12-01 | 5 | -7/+49
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1596 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 642357 - CC Feature- Self-Test plugins only check for validity - (TPS part) | cfu | 2010-12-01 | 7 | -7/+293
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1594 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla BZ640042: TPS Installation Wizard: need to move Module Panel up to before Security Domain Panel | vakwetu | 2010-11-30 | 3 | -29/+29
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1590 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* typo in web.xml | vakwetu | 2010-11-30 | 1 | -1/+2
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1589 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 642357 - CC Feature- Self-Test plugins only check for validity | cfu | 2010-11-24 | 4 | -0/+246
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1588 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla BZ 653576 - tomcat5 does not always run filters on servlets as expected | vakwetu | 2010-11-24 | 8 | -180/+37
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1587 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla BZ 653576 - tomcat5 does not always run filters on servlets as expected | vakwetu | 2010-11-24 | 28 | -49/+49
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1586 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 651977 - turn off ssl2 for java servers (server.xml) - patch 2 | cfu | 2010-11-22 | 5 | -7/+30
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1583 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface | mharmsen | 2010-11-20 | 54 | -266/+240
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1581 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla BZ 606946 - Convert Native Tools to use ldapAPI from OpenLDAP instead of the Mozldap | vakwetu | 2010-11-19 | 1 | -2/+1
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1580 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla BZ 606946 - Convert Native Tools to use ldapAPI from OpenLDAP instead of the Mozldap | vakwetu | 2010-11-19 | 1 | -1/+5
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1579 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Rename pkicommon to pkicommon.pm | jdennis | 2010-11-19 | 4 | -31/+9
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1578 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fix issues discovered during testing | jdennis | 2010-11-19 | 13 | -84/+273
  During testing with Ade several issues were discovered which needed fixing, these included:

  Remove connectionTimeout on JSS connectors in the server.xml files due to JSS bug. We will reenable the timeouts when JSS is fixed.

  pki_apache_initscript had chmod & chown wrapped in an echo command which prevented them from executing, an artifact inadvertently left in the file during a debug session.

  The role parameter to runcon which had been added to facilitate test/debug was removed.

  The logfile variables shared between pkicommon, pkicreate and pkiremove were awkward and resulted in warnings about the use of uninitialized variables in some circumstances. Some functions were tweaked and some variables removed to enforce better data hiding and eliminate the warnings with respect to the logfile.

  If the pkicreate script aborted before it completed it would fail to write the installation manifest which made it impossible to remove the partial installation via pkiremove. A handler was added so it would run if Perl executed a "die" (e.g. aborted). The handler writes the manifest before final exit. The subroutine used to write the manifest was bullet proofed to avoid referencing uninitialized variables in the case of non-normal exit.

  The copy_directory() subroutine failed to preserve symbolic links in the source, instead it traversed the source link and copied the target of the link. copy_directory() and its support routines were enhanced to preserve symbolic links. A new subroutine copy_symlink() was added.

  pkicreate failed to create a symbolic link to the symkey.jar file, it now creates the link to symkey.jar.

  The passwords written into the two password files were not terminated with a newline character, now they are.

  pkiremove would enter an infinite loop if the -force option was specified, this is now fixed.

  The tomcat6.conf file had been inadvertently omitted from the tks subsystem.

  References to the deprecated apachectl file were expunged.

  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1577 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Undo the pre_merge_adjustment | jdennis | 2010-11-19 | 6 | -17/+141
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1576 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Merge CA changes into KRA,OCSP & TKS | jdennis | 2010-11-19 | 66 | -11817/+2500
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1575 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fix RPM's incorrect "requires perl(pkicommon)" | jdennis | 2010-11-19 | 1 | -0/+7
  The pki-setup package provides and uses a PRIVATE Perl module (pkicommon.pm). RPM erroneously believes there should be a requires perl(pkicommon) from the public perl library path. Use the documented macros to correct RPM's incorrect automatic dependency generation.

  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1574 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Correct merge mistake in context.xml. | jdennis | 2010-11-19 | 1 | -1/+1
  Restore crossContext attribute which had been erroneously removed during merging.

  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1573 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Make the instance initscript local to the instance | jdennis | 2010-11-19 | 5 | -99/+58
  Earlier in the patch series a change was introduced with respect to the initscripts. A per instance initscript was created in /etc/init.d for each instance. This was simply a symlink to the tomcat6 initscript (using the instance name). The uber initscript, pki-cad, would iterate over the installed instances and invoke the per instance initscript.

  However during the review process it was pointed out that when removing (erasing) an rpm the per instance initscripts would not be removed because they are not in the rpm file manifest. This would leave dangling initscripts. Also it was felt the per instance initscript in /etc/init.d was confusing when combined with the uber initscript.

  This patch moves the per instance initscript from /etc/init.d to the instance directory. It retains the same name (i.e. the instance name). Now instead of the uber initscript invoking the per instance initscript in /etc/init.d via the service command it instead directly invokes initscript in the instance directory.

  This patch also fixes a bug discovered from reading the shell code invoked by the uber initscript (in the pki "functions" library). The test to determine if a supplied instance name was valid was incorrect. The code did this:

    if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]

  however $PKI_REGISTRY_ENTRIES is a space separated list of all registry instance files, thus the test only succeeds if there is a single instance. The test was modified to iterate over all the entries in $PKI_REGISTRY_ENTRIES.

  This patch also fixed the list_intances() function to list only the instance name, not the full path to the instance configuration file. We also replaced the use of /bin/ls with a shell glob.

  This patch also moves some variables which had been identically defined in both pkicreate and pkiremove into the pkicommon library for consistency and maintenance sake.

  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1572 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Use strict language rules | jdennis | 2010-11-19 | 3 | -513/+528
  Add the strict and warning pragmas informing the Python interpreter we want to obey the language rules and catch as many errors for us as it can.

  Clean up all the errors that strict reported. Properly define the scope of all identifiers and use correct import semantics.

  Initialize most global variables to undef so that we can catch the use of those variables prior to their initialization with defined values. Previously most had been initialized to the empty string, which is a perfectly valid value, thus no warnings will be emitted if they are used before being assigned a value of our choosing.

  At this point all variables and functions will have been declared and assigned reasonable values. We're now protected against things like misspelled identifier names, silently using undefined values, referencing things which don't exist, etc.

  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1571 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Set the owner and group on the instance's NSS database | jdennis | 2010-11-19 | 1 | -0/+3
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1570 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Allow tomcat to traverse symbolic links | jdennis | 2010-11-19 | 1 | -1/+1
  Tomcat by default will not read symbolic links under the WEB-INF directory. This can be overridden by setting the context parameter allowLinking to True.

  We want to symlink to the jars and not copy them because otherwise when rpms containing the jars are updated with bug fixes or security fixes we won't benefit from them if we've made private copies of the jars in the instance.

  The reason why allowLinking defaults to False is motivated by security concerns on untrusted web applications. Also you'll often see in tomcat documentation the recommendation that all necessary jars are copied into the WAR, this recommendation derives from deploying a web app on a random server where the presence or absence of jar or a specific version of a jar can't be guaranteed.

  However, that is not our situation, we're not deploying a WAR on random servers, our tomcat instance is quite controlled and we'll never deploy unknown/untrusted web applications from it. The use of symbolic links in this context should be safe and the value in picking up rpm updates is so important that it justifies the use of symbolic links in our controlled deployment.

  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1569 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* fix use of default instance names | jdennis | 2010-11-19 | 2 | -9/+9
  It wasn't initialized in some places. Use the same naming convention in all places.

  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1568 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fix the initialization of the pid file | jdennis | 2010-11-19 | 1 | -1/+2
  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1567 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fix initialization of $uninstall_action | jdennis | 2010-11-19 | 1 | -5/+10
  In some places $uninstall_action was being referenced before it was initialized and thus generated warnings.

  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1566 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fix use of dry_run | jdennis | 2010-11-19 | 2 | -25/+27
  Fix return value when dry_run is enabled. Also simplify dry run conditional syntax by removing unnecessary list parenthesis.

  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1565 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Unify the message stream | jdennis | 2010-11-19 | 3 | -150/+62
  Some messages were being directly written to stdout or stderr bypassing the message mechanism, the emit() function. That meant those messages were not recorded in the log and hence were lost. This patch uses the emit() function for more messages. The patch also adds a "warning" level to the message category.

  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1564 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fix ampersand function calls | jdennis | 2010-11-19 | 3 | -64/+61
  Some functions were being called with the deprecated ampersand syntax. In Perl the & prefix operator indicates the expression is to be interpreted as a function, e.g. &foo means foo is a function and if foo was followed by a list then it means call the function foo. The list can be parenthesized or not, it could just be comma separated expressions. Calling functions with this syntax is a hold over from earlier versions of Perl, but modern Perl has much cleaner syntax where function calls look like they do in other languages, an identifier followed by parenthesis. This is the calling style used in most of the rest of the code. This patch just unifies the calling syntax so it's consistent and more readable.

  Also the patch cleans up the function definition, some of the functions had been defined with an empty formal parameter list, but that conflicts with function prototyping introduced in modern Perl, an empty formal parameter list states the function takes no arguments. It only worked previously because when the (deprecated) ampersand operator was applied to the identifier it defeated prototype checking.

  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1563 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fix set/get library path | jdennis | 2010-11-19 | 1 | -51/+56
  set_library_path() and get_library_path() were both producing warnings from Perl about the use of uninitialized variables. This occurred because get_library_path() returned the value of the LD_LIBRARY_PATH environment variable, which if it is not set in the environment is the undef value. Then the caller of get_library_path() would use the result to build a new string to use as a new library path. But the use of undef in the string concatenation was producing warnings. Finally the caller would reset the library path to what had been originally returned by get_library_path(), which set LD_LIBRARY_PATH in %ENV to the undef value, which is probably not the best idea, although legal.

  To fix this every routine which called get_library_path() would need to check for undef value as it builds a new replacement path, that's a lot of code to add in a lot of places. Instead set_library_path() was modified, instead of accepting a string containing a new path, it now accepts an array of path values. It iterates over the array discarding any undef values in the array and builds a path string from the defined values. This simplified the callers of get_library_path() and set_library_path(). It also had the nice property that if get_library_path() initially returned undef then subsequently calling set_library_path() with that value produces an empty string for storing into %ENV which is preferable to storing undef.

  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1562 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Update server.xml config file | jdennis | 2010-11-19 | 1 | -384/+165
  This is mostly a merge of the tomcat 6 server.xml file with our existing server.xml file from tomcat 5.

  Merge in new comments.

  remove org.apache.catalina.storeconfig.StoreConfigLifecycleListener because it's not part of tomcat6

  Parameterize the following based on our template engine:

    sslOptions="[TOMCAT_SSL_OPTIONS]"
    ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
    ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
    tls3Ciphers="[TOMCAT_TLS3_CIPHERS]"

  Note: After the cipher parameterization was done it was discovered that the other subsystems do not utilize ECC ciphers, it's not clear if they should or not. We may need to parameterize the cipher list in pkicreate or go back to hardcoding the cipher list in the xml file.

  git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1561 c9f7a03b-bd48-0410-a16d-cbbf54688b0b