| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
- patch ported from https://bugzilla.redhat.com/show_bug.cgi?id=1011984
|
|
|
|
| |
Modified user CA test scripts to check for subsystem installed status.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ROOT's index.jsp has been modified to show the links to all
subsystems installed on the instance. When opened, it will show
the services provided by the subsystem.
The pkispawn output has been modified to show the subsystem URL
more consistently:
https://<hostname>:<port>/<subsystem>
In all subsystems except TPS the page will redirect to:
https://<hostname>:<port>/<subsystem>/services
|
|
|
|
| |
- PKI Trac Ticket #1392 - Remove i686/x86_64 architecture
|
| |
|
|\ |
|
| | |
|
|/ |
|
|
|
|
|
|
|
| |
The ROOT's index.jsp has been modified to check each subsystem's
servlet context for null before accessing the value.
https://fedorahosted.org/pki/ticket/1407
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1064
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/849
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/835
|
|
|
|
|
| |
This patch addressed the issue that TPS on independent Tomcat is missing
symlink to symkey.jar and causes all symkey method reference to fail
|
|
|
|
| |
op.format.soCleanSOToken.validateCardKeyInfoAgainstTokenDB=true
|
|
|
|
|
|
|
| |
The pki_pin has been removed from the default.cfg to avoid
overwriting the randomly generated default value.
https://fedorahosted.org/pki/ticket/1393
|
| |
|
|
|
|
| |
Fixed startup script to account for nuxwdog
|
|
|
|
|
|
|
| |
The script to generate Python docs has been cleaned up and
simplified. The python-sphinx configuration files have been
moved into base/common/python. The build artifacts are now
created in the build/base/common/python.
|
|
|
|
|
|
| |
builds to fail
(cherry picked from commit d2c24aff4e9dc6aa27b337479cfee1fac4940994)
|
| |
|
| |
|
|
|
|
| |
the token db cert entry
|
|
|
|
|
| |
- PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an
HSM (and provide recommendation); allow clones to share keys
|
|
|
|
|
|
|
|
| |
New parameters have been added into the default.cfg to specify the
master hostname and port for pki_clone_uri. By default they point
to the security domain. The man page has been updated as well.
https://fedorahosted.org/pki/ticket/1385
|
|
|
|
|
|
|
|
|
|
| |
The CLI has been modified such that when enrolling a certificate
with key archival it will obtain the transport certificate from
the CA instead of KRA because the KRA may not reside on the same
instance. The CA REST service has been modified such that it will
obtain the transport certificate from the KRA connector.
https://fedorahosted.org/pki/ticket/1384
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1372
|
|
|
|
|
|
|
|
| |
The store() method of the 'Properties' class escapes '=' and ':' in
values, corrupting the profile data. Continue using 'Properties' to
read the input (unescaping values) then copy the properties into a
'SimpleProperties' object so that unwanted backslashes do not appear
in the output.
|
|
|
|
| |
different cards for ExternalReg This patch adds support to keyset mapping
|
|
|
|
| |
cards for ExternalReg This patch is mainly refactoring the names of the Mapping Resolver framework in preparation for ticket 1307 to support keySet mapping in addition to the original purpose of resolving tokenType mapping. The reason to separate out refactoring from the real code is for ease of reviewing. TPS is currently a Tech Preview feature, so upgrade is not of consideration at the moment.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Porting this set of fixes over from last downstream release upstream.
Upon further review, decided to fix a few missing things pointed out by the code review and a few other things:
1. Too many copies of escapeJavaScriptString all over the place. Consolidated the two related functions "escapeJavaScriptString" and "escapeJavaScriptStringHTML" methods in the CMSTemplate class to be called everywhere. Removed the duplicated methods in other classes.
2. There were some places where "escapeJavaScriptString" was called, when we really wanted "escapeJavaScriptStringHTML". Fixed that everywhere. One reason for this is a copied version of "escapeJavaScriptString" actually was identical to CMSTemplate.escapeJavaScriptString, which has been removed.
XSS fixes.
|
|
|
|
| |
REST. This patch addresses: (2) audit needed for getKeyInfo, the 2nd part of this ticket where the key services are missing some auditing.
|
| |
|
|
|
|
|
|
|
|
| |
The pki-server subsystem-enable CLI has been modified to deploy
the subsystem from a custom location if available, or from the
default location otherwise.
https://fedorahosted.org/pki/ticket/1381
|
|
|
|
|
| |
The key-show CLI has been modified to provide an option to find
the active key info using the client key ID.
|
|
|
|
|
| |
- PKI TRAC Ticket #1370 - pkispawn: installation with HSM from external CA
should hold off prepending token name in serverCertNick.conf till phase 2
|
|
|
|
|
|
| |
- (1) REST API auth/authz - this patch addresses the first part of this
ticket where auditing is completely missing for authentication and
authorization at the REST interface.
|
| |
|
|
|
|
|
|
|
| |
The upgrade scripts have been modified to use the uid and gid
provided by PKIInstance object.
https://fedorahosted.org/pki/ticket/1341
|
|
|
|
|
|
|
|
| |
The installation code has been modified such that the admin can
optionally specify passwords for internal token and replication.
Otherwise the code will generate random passwords like before.
https://fedorahosted.org/pki/ticket/1354
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds some new unit files and targets for starting instances
with nuxwdog, as well as logic within the pki-server nuxwdog module to
switch to/from the old and new systemd unit files.
It also corrects some issues found in additional testing of the nuxwdog
change scripts.
To use nuxwdog to start the instance, a user needs to do the following:
1. Create an instance normally.
2. Run: pki-server instance-nuxwdog-enable <instance_name>
3. Start the instance using:
systemctl start pki-tomcatd-nuxwdog@<instance_name>.service
To revert the instance, simply do the following:
1. Run: pki-server instance-nuxwdog-disable <instance_name>
2. Start the instance using:
systemctl start pki-tomcatd@<instance_name>.service
|
|
|
|
|
|
|
|
|
| |
To help troubleshooting installation failures the pkihelper.py has
been modified to display the error code returned by the server before
parsing the error message. If there is a parsing error, the unparsed
message will now be displayed.
The redundant 'raise' and 'return' statements have been removed.
|
| |
|
|
|
|
|
|
| |
set when performing a clone operation.
Tested with a cloned CA and a couple of other subysstems, such as OCSP.
|
|
|
|
|
|
|
|
|
|
| |
The short term solution to this problem was to remove the man page information and all references to the command line module reponsible for this issue.
The installer already has an alternative method to remove a subsystem from the security domain list. We now assume the alternate method and don't even try to find the token at this point.
A user at the command line of the pki command will no longer be able to attempt this as well.
Tested this to verify that the man page for the "securtydomain" command no longer mentions or documents the "get-install-token" variant. Tested to verify that this command can't be manually called from the command line using "pki". This attempt results in an "unknown module". Tested by installing and uninstalling a subsytem. The security domain was kept up to date as expected for each install over remove attempted.
|
|
|
|
|
|
|
| |
The pki.server Python module has been fixed to remove pylint
warnings generated by recent changes.
https://fedorahosted.org/pki/ticket/1353
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
schedules.
Addresses the complaint of this ticket. Tested to work in a few basic cases. The minor code change
was designed to only affect the specific scenario when we have a daily scedule that spans only one day.
More Info:
How to duplicate and test:
Perform a manual crl generate from the agent interface because the code to be tested relies heavily upon the "lastUpdate" which will appear in the logs. Do this to have a nice launching off point.
Go to the ca's pkiconsole and select : Certificate Manager -> CRL Issuing Points -> MasterCRL.
Check "updateCRL at: " and give a schedule such as : 15:03, 15:10 .. This gives us a chance to watch the two regularly scheduled updates happen.
When the first event triggers, have a look at the CA's "debug" log and note the following or similar entry:
[CRLIssuingPoint-MasterCRL]: findNextUpdate: Wed May 06 15:10:00 PDT 2015 delay: 86301873
Wait for the 15:00 even to happen. When that triggers at the end of that cycle, we should see one more similar entry.
[CRLIssuingPoint-MasterCRL]: findNextUpdate: Wed May 06 15:03 PDT 2015 delay: 86301873
That is the correct behavior after the fix. We want the next update to be at the first entry of the daily schedule , but tomorrow. The current bug would print out this value as something like:
Wed May 06 00:00:00 or similar to indicate midnight. This is not what we want.
|
|
|
|
|
|
|
|
| |
The migration tool has been fixed to update the links to Tomcat
libraries in the instance folder to match the current Tomcat
version installed on the system.
https://fedorahosted.org/pki/ticket/1353
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The REST methods may be executed by different threads even though
they are invoked in the same session. A new interceptor has been
added to all subsystems to make sure the SessionContext is created
properly for each thread. This will fix the authentication data in
the audit log. The SessionContext has also been improved to use
ThreadLocal instead of a global Hashtable.
https://fedorahosted.org/pki/ticket/1054
|