| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new mechanism has been added to specify the authentication methods that
can be used to invoke the REST methods. The AuthMethodMapping annotation
maps each REST method to a list of allowed authentication methods. When a
client calls a REST method, the AuthMethodInterceptor will intercept the
call and verify that the client uses an allowed authentication method.
Most REST methods that require authentication have been configured to
require client certificate authentication. Authentication using username
and password will only be used to get the installation token from security
domain.
Ticket #477
|
| |
|
|
|
|
|
|
| |
New CLI's have been added to search, add, and remove user membership.
The group member management code has been refactored into a processor
to allow reuse.
Ticket #190
|
| |
|
|
|
|
|
| |
The cert-find command has been modified to provide an option to
search by certificate status.
Ticket #501
|
| |
|
|
| |
security domain.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
The cert-find command has been modified to include some additional
attributes including certificate type and version, key algorithm
name and length, validity dates, creation time and issuer.
Ticket #498
|
| |
|
|
|
|
|
|
|
| |
The cert-find command has been fixed to show better error messages
on missing validity duration options. The validity duration unit
has been changed to take "day", "week", "month", or "year" and
convert it into milliseconds.
Ticket #291, #500
|
| |
|
|
|
|
|
|
| |
The SecurityDomainProcessor has been modified to generate the host
ID from the subsystem type, hostname, and secure port instead of
relying on the user-configurable SubsystemName attribute.
Ticket #503
|
| |
|
|
|
|
|
|
| |
All date parameters for cert-find have been modified to use the
YYYY-MM-DD date format. Date parsing code in FilterBuilder has
been modified not to ignore parsing errors.
Ticket #497
|
| |
|
|
|
|
|
|
|
|
| |
The pkispawn has been modified such that the configuration file
and subsystem type are optional. The pkidestroy has been modified
such that the instance name and subsystem type are optional.
If any of these options are not specified they will enter an
interactive mode.
Ticket #380
|
| |
|
|
|
|
|
| |
The configuration code has been modified to use the REST interface
to get the installation token and ignore CA cert validation errors.
Ticket #476
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously nonces were stored in a global map which might not scale
well due to some issues:
1. The map uses the nonces as map keys. There were possible nonce
collisions which required special handling.
2. The collision handling code was not thread safe. There were
possible race conditions during concurrent modifications.
3. The map was shared and size limited. If there were a lot of
users using the system, valid nonces could get pruned.
4. The map maps the nonces to client certificates. This limits
the possible authentication methods that can be supported.
Now the code has been modified such that each user has a private map
in the user's session to store the nonces. Additional locking has been
implemented to protect against concurrent modifications. The map now
uses the target of the operation as the map key, eliminating possible
collisions and allowing the use of other authentication methods. Since
this is a private map, it's not affected by the number of users using
the system.
Ticket #474
|
| |
|
|
|
|
|
| |
The cert-request-approve has been merged into cert-request-review
to ensure that these operations are executed in the same session.
Ticket #474
|
| | |
|
| |
|
|
| |
* TRAC Ticket #488 - Dogtag 10: Fix CLI 'cert-find' clientAuth issue
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
A utility class has been added to convert LDAP exceptions into PKI
exceptions.
Ticket #191, #214
|
| |
|
|
|
|
|
| |
The certificate REST service has been modified to validate
nonce when revoking a certificate.
Ticket #213
|
| |
|
|
|
|
|
|
|
|
|
| |
* Added RESTful servlet to add/remove a KRA connector from the CA.
* Modified ACL to allow KRA subsystem user to remove connector.
* Modified connector code to allow the connector to be replaced without a server restart.
* Added functionality to pki CLI to add/remove connector
* Added code to pkidestroy to remove the connector (using both pki CLI and sslget)
When the issues with pki connection are resolved, we will use that method instead.
* Modified sslget to accept HTTP return codes != 200. In this case, we were returning
204 - which is perfectly legitimate.
|
| |
|
|
| |
* TRAC Ticket #430 - License for 3rd party code
|
| | |
|
| | |
|
| |
|
|
| |
Trac Ticket #466
|
| |
|
|
|
|
| |
* TRAC Ticket #469 - Dogtag 10: Fix tomcatjss issue in pki-core.spec and
dogtag-pki.spec . . .
* TRAC Ticket #468 - pkispawn throws exception
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Ticket 437. Also moved a bunch of client path parameters to
default.cfg template file.
|
| |
|
|
| |
Ticket 393
|
| |
|
|
| |
Changes provided by Deon Lackey.
|
| |
|
|
|
|
|
|
| |
Previously, we archived the default config file when an instance
was created, and used that file in running pkidestroy. We plan
to replace this mechanism in favor of actually reading the instance's
config files. For now, we return to using the standard default config
template, so that we can change it without breaking pkidestroy.
|
| |
|
|
|
|
|
|
|
|
| |
Tomcat in f17 expects the file under /etc/sysconfig/foo to be a
set of environment variables being set, and parses it that way.
We recently added some logic to source the global pki.conf file.
This works in f18, but breaks instance startup in f17.
While this works in f18, its an indication that we are using the
tomcat config file incorrectly. Reverting to hardcoding resteasy lib.
|
| | |
|
| | |
|
| | |
|
