| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
The RPM spec files have been modified to pass the full RPM version
number to CMake. The version number contains the product version
number, release number, milestone, and platform. The CMake scritps
will parse and use this version number to generate Java manifest
files. The product version number will be used as the specification
version and full version number will be used as the implementation
version.
Ticket #339
|
|
|
|
|
|
|
| |
The pkispawn has been modified such that it will check whether
the package for the subsystem being created has been installed.
Ticket #332
|
| |
|
|
|
|
| |
recovering, wrapping unwrapping keys should be done in the token
|
|
|
|
|
|
|
| |
The GetStatus servlet has been modified to include the server version
number.
Ticket #339
|
|
|
|
|
|
|
|
|
|
|
| |
The CMake scripts have been modified to store the version number
in /usr/share/pki/VERSION and in JAR manifest files. These files
can be read by PKI applications to obtain the version number
without having to query the RPM database.
Fixed warnings in Java.cmake file.
Ticket #339
|
| |
|
|
|
|
|
|
|
| |
The escapeDN() has been renamed into escapeRDNValue() for better
clarity.
Ticket #193
|
|
|
|
| |
client-side and server-side key generation, and key archival)
|
|
|
|
|
|
|
|
|
|
|
|
| |
* TRAC Ticket #338 - Dogtag 10: pkihelper.py directory.set_mode()
does not resolve symlinks correctly
This patch fixes the problem that although top-level symlinks
are correctly identified as symbolic links, symlinks which
exist under a subdirectory are incorrectly identified as files,
and thus the 'chown' and 'chmod' commands are applied to the
symlink which in turn actually get applied to the target file
instead.
|
|
|
|
|
|
|
| |
The scripts to create and remove PKI instances have been moved from
pki-setup into pki-server package.
Ticket #336
|
|
|
|
| |
Ticket 314
|
|
|
|
|
| |
* TRAC Ticket #333 - Increase audit cert renewal range to 2 years
* Bugzilla Bug #843979 - Increase audit cert renewal range to 2 years
|
|
|
|
|
|
|
| |
This patch removes "fixed" year from time based searches for agent and EE interfaces.
It also unifies time selection between search and revocation templates.
Bug 854420.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We create a user that can be used to connect to the database using the
subsystem cert for client auth. We identified this user, using the seeAlso
attribute and provided certmap rules to this effect.
For this user, we used to reuse the uid = user CA-hostname-port, which is already
created for inter-system communication. But this is problematic if more than one
dbuser exists, as the directory server may bind as the incorrect user. In any
replication topology, there must be only one dbuser using the subsystem cert.
To simplify things, we create a new user specifically for this purpose
(pkidbuser), and we remove the seeAlso attribute from the older dbusers.
A script is needed to convert existing dogtag 9 istances to use the new user,
and set the relevant acls. This will be done in a separate commit.
|
| |
|
|
|
|
|
|
|
| |
The ConfigurationUtils has been modified to escape values used in
DN or filter according to LDAP standard.
Ticket #193
|
|
|
|
|
|
|
|
| |
The duplicate methods to escape DN value have been removed. The
codes that used the duplicate methods have been modified to use
LDAPUtil.escapeDN().
Ticket #193
|
|
|
|
|
|
|
| |
The UGSubsystem has been modified to escape values used in DN or
filter according to LDAP standard.
Ticket #193
|
|
|
|
|
|
|
|
|
| |
The <instance>/lib link has been replaced with a real folder
which contains links to the files in /usr/share/tomcat/lib. This
way the log4j.properties can be placed in this folder without
causing conflicts with other instances.
Ticket: #284
|
|
|
|
| |
TMS ECC infrastructure (enrollment with client-side and server-side key generation, and key archival)
|
|
|
|
| |
TMS ECC infrastructure (enrollment with client-side and server-side key generation, and key archival)
|
|
|
|
|
|
|
|
| |
The deployment and init scripts have been fixed to create and check
the link to symkey.jar if a TKS instance is added, and remove the
link if the instance is removed.
Ticket #331
|
|
|
|
| |
* TRAC Ticket #311 - Unable to deregister subsystem in merged instance
|
| |
|
| |
|
|
|
|
|
|
|
| |
* TRAC Ticket #312 - Dogtag 10: Automatically restart any running instances
upon RPM "update" . . .
* TRAC Ticket #317 - Dogtag 10: Move "pkispawn"/"pkidestroy"
from /usr/bin to /usr/sbin . . .
|
|
|
|
|
|
|
| |
Added logging so that we can see what is passed in to server from pkispawn.
Fixed incorrect dbuser specification.
Added required replication config items to pkispawn.
Initial refactoring of construct_pki_configuration_data in pkijython.py
|
|
|
|
|
|
|
|
|
| |
When removing a subsystem the pkidestroy would also remove the SELinux
contexts for the instance regardless of whether there are still other
subsystems in the instance. The code has been fixed such that it's
removing the SELinux contexts when deleting the last subsystem only.
Ticket #89
|
|
|
|
|
|
|
|
|
|
|
| |
The current ROOT webapp will redirect users coming to the root
URL path to the proper path of the subsystem's webapp.
Since now a single Tomcat instance may have multiple subsystems,
a new ROOT webapp has been added to present the user with a menu
of all available webapps from all subsystems in the instance.
Ticket #89
|
|
|
|
|
|
|
|
|
| |
A new theme webapp has been added to store the theme files for
all PKI webapps. In the future the subsystem webapps can be
modified to use the theme files provided by this common webapp
instead of having to include duplicate files in each webapp.
Ticket #89
|
|
|
|
|
|
|
|
|
| |
To avoid multilib conflicts the spec file has been modified to
depend on redhat-rpm-config. This way the brp-java-repack-jars
will run to repack the JAR files to generate identical files
across architectures.
Ticket: #296
|
|
|
|
| |
internal db in cert status thread.
|
|
|
|
|
| |
* TRAC Ticket #301 - Need to modify init scripts to verify needed
symlinks in an instance (support non-default instance names)
|
|
|
|
|
|
|
| |
The Javadocs for pki-util, pki-java-tools and pki-common have been
merged and packaged into pki-javadoc RPM.
Ticket #295
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CMS engine is a singleton and it's used by PKI realm to authenticate
users accessing the subsystem. Since a Tomcat instance may contain
multiple subsystems, each having separate realm, the PKI JAR links
need to be moved into WEB-INF/lib so that they will run inside
separate class loaders.
Tomcat also requires that the authenticator and realm classes be
available in common/lib. To address this a new package pki-tomcat.jar
has been added. The package contains the authenticator and a proxy
realm. When the subsystems start running, they will register their
own realms into the proxy realms such that the authentications will
be forwarded to the appropriate subsystems.
Ticket #89
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the WAR files were generated at build time, so it would
include theme files that were installed on the build machine.
The code has been changed such that instead of generating WAR files
pkispawn will copy the webapp files from the theme folders and combine
them with subsystem webapp files at deployment time. This way it will
use the actual theme files installed on the deployment machine.
Ticket #89
|
|
|
|
|
|
|
|
| |
The pki-console has been modified to depend on pki-base. This way
it's no longer necessary to include duplicate common classes in
pki-console.
Ticket #113
|
|
|
|
|
|
|
|
|
| |
During subsystem configuration the ConfigurationUtils.importLDIFS()
would generate LDIF files in <instance>/conf folder which may conflict
with files belonging to other subsystems. The code has been modified
to generate the files in <instance>/<subsystem>/conf folder.
Ticket #89
|
|
|
|
| |
This allow server to come up with DS where anon binds are turned off.
|
|
|
|
| |
'Terminated' to be formatted and reused.
|
|
|
|
|
|
|
|
|
| |
The jar() function has been modified to support multiple input dirs
in a single command. This way it's not necessary to define multiple
jar targets for the same jar file. The pki-console build script has
been updated to utilize this functionality.
Ticket #89
|
|
|
|
|
|
|
|
|
|
| |
The pki-client.jar has been split and merged into pki-certsrv.jar
and pki-tools.jar. The REST client classes are now packaged in
com.netscape.certsrv.<component> packages. The REST CLI classes
are now packaged in com.netscape.cmstools.<component> packages.
The "pki" script has been moved into pki-tools RPM package.
Ticket #215
|
|
|
|
|
|
|
|
|
| |
The pki-native-tools and pki-java-tools have been merged into
pki-tools and pki-server will depend on it. Since pki-ra and
pki-tps depends on pki-server they automatically depends on
pki-tools as well.
Ticket #295
|
|
|
|
|
|
|
|
|
| |
The pki-common package has been split such that the common and
client binaries are packaged in pki-base and server binaries are
packaged in pki-server. The pki-util has been merged into pki-base
and the pki-deploy package has been merged into pki-server.
Ticket #295
|
|
|
|
| |
- symkey PK11_Derive.
|
|
|
|
|
|
|
| |
* TRAC Ticket #301 - Need to modify init scripts to verify needed
symlinks in an instance
* TRAC Ticket #303 - Dogtag 10: CS.cfg parameters for Dogtag 9 instance
running under Dogtag 10 packages . . .
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The shutdown() methods in several classes have been fixed to allow
more graceful shutdown and clean restart. There are two types of
object attributes that need to be handled differently.
Attributes that are initialized by the constructor should not be
nulled during shutdown because they won't be reinitialized during
restart. If they require a cleanup (e.g. emptying collections,
closing LDAP connections) it's not necessary to check for null
before calling the cleanup method because they're never null.
For attributes that are initialized during init(), it may not be
necessary to do a cleanup or null the attribute since they might
still be used by other threads and they will be reinitialized
during restart so the old objects will be garbage collected. If
they do need a cleanup they should be checked for null because
they might still be null due to init() failure or initialization
conditionals.
If the attributes are initialized conditionally, the logic has been
modified to ensure the attributes are either initialized or set to
null.
Ticket #247
|
|
|
|
| |
TPS ECC: when TPS server acts as an ECC SSL client to CA, TKS, or DRM, it needs to support ECC ciphers
|
|
|
|
|
|
|
|
| |
generation
This patch calls with the right flags for each supported HSM to the new
certutil that addressed the following bug:
Bug 820684 - certutil support for EC on HSMs - need to call PK11_GenerateKeyPairWithOpFlags()
|