| Commit message | Author | Age | Files | Lines |

Previously the config path had to be defined in web.xml, so the web.xml
had to be customized during deployment. The CMSStartServlet code now
has been modified to generate the config path from catalina.base and
webapp's context path by default.
The pkispawn has been modified such that the configuration file
and subsystem type are optional. The pkidestroy has been modified
such that the instance name and subsystem type are optional.
If any of these options are not specified they will enter an
interactive mode.
Ticket #380
The configuration code has been modified to use the REST interface
to get the installation token and ignore CA cert validation errors.
Ticket #476
Previously nonces were stored in a global map which might not scale
well due to some issues:
1. The map uses the nonces as map keys. There were possible nonce
collisions which required special handling.
2. The collision handling code was not thread safe. There were
possible race conditions during concurrent modifications.
3. The map was shared and size limited. If there were a lot of
users using the system, valid nonces could get pruned.
4. The map maps the nonces to client certificates. This limits
the possible authentication methods that can be supported.
Now the code has been modified such that each user has a private map
in the user's session to store the nonces. Additional locking has been
implemented to protect against concurrent modifications. The map now
uses the target of the operation as the map key, eliminating possible
collisions and allowing the use of other authentication methods. Since
this is a private map, it's not affected by the number of users using
the system.
Ticket #474
The cert-request-approve has been merged into cert-request-review
to ensure that these operations are executed in the same session.
Ticket #474
* TRAC Ticket #488 - Dogtag 10: Fix CLI 'cert-find' clientAuth issue
A utility class has been added to convert LDAP exceptions into PKI
exceptions.
Ticket #191, #214
The certificate REST service has been modified to validate
nonce when revoking a certificate.
Ticket #213
* Added RESTful servlet to add/remove a KRA connector from the CA.
* Modified ACL to allow KRA subsystem user to remove connector.
* Modified connector code to allow the connector to be replaced without a server restart.
* Added functionality to pki CLI to add/remove connector
* Added code to pkidestroy to remove the connector (using both pki CLI and sslget)
When the issues with pki connection are resolved, we will use that method instead.
* Modified sslget to accept HTTP return codes != 200. In this case, we were returning
204 - which is perfectly legitimate.
* TRAC Ticket #430 - License for 3rd party code
Trac Ticket #466
* TRAC Ticket #469 - Dogtag 10: Fix tomcatjss issue in pki-core.spec and
dogtag-pki.spec . . .
* TRAC Ticket #468 - pkispawn throws exception
Ticket 437. Also moved a bunch of client path parameters to
default.cfg template file.
Ticket 393
Changes provided by Deon Lackey.
Previously, we archived the default config file when an instance
was created, and used that file in running pkidestroy. We plan
to replace this mechanism in favor of actually reading the instance's
config files. For now, we return to using the standard default config
template, so that we can change it without breaking pkidestroy.
Tomcat in f17 expects the file under /etc/sysconfig/foo to be a
set of environment variables being set, and parses it that way.
We recently added some logic to source the global pki.conf file.
This works in f18, but breaks instance startup in f17.
While this works in f18, it's an indication that we are using the
tomcat config file incorrectly. Reverting to hardcoding resteasy lib.
Ticket 435
Ticket 306
* TRAC Ticket #315 - Man pages for pkispawn/pkidestroy.
* Added place-holders for 'pki.1' and 'pki_default.cfg.5' man pages.
Ticket #418
The paths to RESTEasy jar files have been modified such that they can
be configured globally at build time using the spec file to support
different distributions, and at deployment time using a system-wide
configuration in /etc/pki/pki.conf.
Ticket #422, #423.
This patch improves number verification.
Bug 864397.
* TRAC Ticket #231 - Dogtag 10: Update PKI Deployment to handle external CA
The default deployment configuration has been renamed and moved to
/etc/pki/default.cfg to make it more accessible to users. The pkispawn
has been modified to archive the default deployment configuration
along with the user-provided configuration in the registry. The
pkidestroy will now use both archived configuration files to ensure
proper removal of the subsystem.
Ticket #399
We currently run a restorecon on the instance log directory, but not
on the top level log directory. Restorecon is required for the top
level log directory since pkispawn creates it. Without running a
restorecon, it gets the label of the parent directory (var_log_t)
instead of consulting the fcontext rule in the base policy and using
pki_var_log_t.
Ticket #431
This patch replaces the code in pkiparser with defaults that are
built up using ConfigParser interpolation. The patch gets most
(but not all) default parameters.
The messages in ProfileList.template in CA EE have been extracted
into a properties file which can be translated separately.
The original messages in the template have been marked as follows:
<span class="message" name="...key...">...message...</span>
When the page is loaded into the browser, the original message will
be replaced with the translated messages.
Ticket #406