| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
A new findModules() method has been added to the CLI class to find
the list of modules handling a command. The list will be used by the
pki help CLI to find the proper man page for the specified command.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket #1446:
Without the crypto object, the user is now presented with a very bared bones
keygen tag powered UI. ONe can only select a key strength and only use RSA.
This fix adds simple UI to make better use of the keygen tag:
1. Allows the use of ECC.
2. Gives simple info on how the key strengths map to RSA key size and
ECC curves.
When the user selects High, they get RSA 2043, and ECC nistp384.
When the user selects Medium, they get RSA 1024, and ECC nistp256.
|
|
|
|
|
| |
- PKI TRAC Ticket #1441 - Lack of Interactive Installation Support
(Cloning, Subordinates, Externals, HSMs, ECC)
|
|
|
|
|
|
|
| |
Ticket #1423 Pin reset operation using tpsclient fails.
Recently we had added a new way to resolve the profile. That new method was
not used in the PinReset Processor. This fix addresses that and allows the Pin Reset operation to complete.
|
|
|
|
|
|
|
|
|
| |
Ticket # 793: Add support for Secure Channel Protocol 02
Properly select the coolkey applet in the "getAppletVersion" routine.
For some reason the gp211 applet revealed this issue.
Tested to work with both gp211 scp02 card and gp201 scp01 card.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket #1442.
This fix gives the command line enrollment commands the ability to enroll a cert against a profile
that has been marked as not visible but "enabled".
With the simple fix the following scenarios tested to work:
The "caUserCert" Profile was marked as not visible, but enabled.
1. pki -c Secret123 client-cert-request --profile caUserCert uid=jmagne
This is the simplest form of user cert enrollment.
2. pki ca-cert-request-profile-show caUserCert --output testuser.xml
pki ca-cert-request-submit testuser.xml
The first command gives us the profile's xml file, which after modification is used to enroll.
3. pki -d ~/.dogtag/pki -c "" -n "PKI Administrator for localdomain" ca-profile-show caUserCert
This one shows that we can view the contents of a non visible profile. Listing is not allowed.
We felt this appropiate to allow a command line user to get the details of a non visible profile that
they know aobut and want to use.
|
|
|
|
| |
shared and nonshared tomcat instances
|
|
|
|
|
|
| |
The getCloningData() in SystemConfigService has been renamed to
configureClone(). Redundant try-catch blocks have been removed.
Some exception messages have been modified to include more info.
|
|
|
|
|
|
|
|
|
|
| |
The configure() in SystemConfigService method has been modified to
log only the error message in normal responses but log the full
stack trace when unexpected issues occur.
The validateData() in SystemConfigService has been renamed to
validateRequest() for clarity. The log messages have been modified
to include the invalid values entered in the request.
|
|
|
|
|
|
|
| |
The pki man page has been updated to describe results paging
parameters.
https://fedorahosted.org/pki/ticket/1122
|
|
|
|
|
|
|
| |
The man page for pki-cert has been modified to describe the file
format used to specify the search constraints.
https://fedorahosted.org/pki/ticket/995
|
|
|
|
|
|
|
|
| |
Due to issues with HSM the Modutil.is_security_module_registered()
has been modified to the get the list of all registered modules
and then use it to check if a module is registered.
https://fedorahosted.org/pki/ticket/1444
|
|
|
|
| |
pki ca-user and kra-user tests.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The SelfTestSubsystem has been modified to display a 'successful'
message only if all tests have passed. If a test fails, it will
log a failure, subsequent tests will not be executed, and the
subsystem will shutdown immediately.
The runSelfTest() in various tests have been cleaned up to throw
the original exception to help troubleshooting. The unused
RAPresence test has been removed.
https://fedorahosted.org/pki/ticket/1249
|
| |
|
|
|
|
|
| |
tks-user and tps-user.
Fixed pki user tests syntax errors.
|
| |
|
|
|
|
|
| |
The Realm interface has changed in recent Tomcat 8 version. The
ProxyRealm class that implements it has been updated accordingly.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Dogtag does not yet have a reliable way to update its schema, but
FreeIPA does need to add the new schema for LDAP-based profiles
during upgrade to 4.2. As a temporary solution until Dogtag can
manage its own schema updates (including when deployed as FreeIPA
CA), FreeIPA will perform the schema upgrade. Provide a schema file
that FreeIPA can use to do this.
|
|
|
|
|
| |
To simplify troubleshooting the pkispawn and pkidestroy have been
modified to show the name of the log file used in each run.
|
|
|
|
|
|
| |
- PKI TRAC Ticket #1426 - pkispawn of KRA on HSM fails (shared instances)
- PKI TRAC Ticket #1427 - pkispawn of OCSP on HSM fails (shared instances)
- PKI TRAC Ticket #1429 - pkispawn of TKS on HSM fails (shared instances)
|
|
|
|
|
|
|
|
| |
Various codes have been modified to properly stop threads during
shutdown. A new ID attribute has been added to the LDAP connection
factory classes to help identify leaking threads.
https://fedorahosted.org/pki/ticket/1327
|
| |
|
|
|
|
|
|
|
| |
The operations script and the server.xml templates have been
modified to display TPS status in pkidaemon.
https://fedorahosted.org/pki/ticket/1278
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
- PKI TRAC Ticket #1415 - nCipher HSM: Add 'pkiuser' to 'nfast' group
|
|
|
|
|
|
|
|
| |
The PKIListener has been modified to verify that all subsystems
are running and to show the command to enable the subsystem if it
was disabled due to errors.
https://fedorahosted.org/pki/ticket/1406
|
|
|
|
|
|
| |
The CRMFPopClient has been modified to use the HttpClient library
to connect to the server, to show the HTTP status code if an error
occurs, and to show the NSS database directory in verbose mode.
|
|
|
|
| |
- PKI TRAC Ticket #1417 - Interactive pkispawn of CA with HSM fails
|
|
|
|
|
|
| |
Provide simple textual warning when the user is using a browser that no longer supports the crypto object, which results in reduced CA certficat enrollment functionality. For simplicity provide the warning at the top of the main index page and at the top of the CA's services page. The services page is where the pkispawn of the CA points the uers after installation. The ticket originally called for a JS warnign but the simple text warning should be less intrusive and repetitive to the user.
Ticket #1398 Provide UI Javascript warning for missing Mozilla Crypto Object in the CA.
|
|
|
|
| |
available for use in the browser.
|
|
|
|
|
|
|
| |
pylint-build-scan.sh doesn't checked the upgrader's Python files yet.
This patch adds the common and server upgrade scripts to
pylint-build-scan.sh. It also fixes a couple of pylint violations,
mostly missing calls to __init__().
|
|
|
|
|
|
|
|
| |
Make the memberID argument of getGroupMember() case insensitive. The
groupID argument is already case insensitive. The groupID string is used
as CN element in an LDAP query, which is case insensitive by definition.
https://fedorahosted.org/pki/ticket/1069
|
|
|
|
|
|
|
| |
The patch implements an updater, that adds the new KRA signed audit
events (#1160) to KRA's CS.cfg.
https://fedorahosted.org/pki/ticket/1382
|
|
|
|
|
|
|
| |
In modifyProfileState check the 'action' query paramter for NULL and
raise a BadRequestException when the paramater is not set.
https://fedorahosted.org/pki/ticket/1361
|
|
|
|
|
| |
The 10.2.3/02-FixBindPWPrompt upgrade scriptlet leaves CS.cfg owned
by root. chown CS.cfg to the instance owner.
|
| |
|
|
|
|
|
|
| |
Dogtag entered a state where an upgrade script failed before it was
trying to chown a file that didn't exist. Add a check that the file
exists.
|
|
|
|
|
|
| |
Some upgrade servlets use attributes loaded when PKIInstance.load()
is invoked, but it may not have been; breakage ensues. Invoke it
before executing upgrade scriptlets.
|
| |
|
|
|
|
| |
- patch ported from https://bugzilla.redhat.com/show_bug.cgi?id=1011984
|
|
|
|
| |
Modified user CA test scripts to check for subsystem installed status.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ROOT's index.jsp has been modified to show the links to all
subsystems installed on the instance. When opened, it will show
the services provided by the subsystem.
The pkispawn output has been modified to show the subsystem URL
more consistently:
https://<hostname>:<port>/<subsystem>
In all subsystems except TPS the page will redirect to:
https://<hostname>:<port>/<subsystem>/services
|
|
|
|
| |
- PKI Trac Ticket #1392 - Remove i686/x86_64 architecture
|
| |
|