summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Added configuration file for authentication method validation.ticket-477-6Endi Sukma Dewata2013-02-189-8/+47
| | | | | | | | | | The auth.properties have been converted into a configuration file to store the list of allowed authentication methods for each REST method. The old auth.properties have been renamed to acl.properties since it's used to store ACL mappings. Ticket #510
* Added authentication method validation.ticket-477-7Endi Sukma Dewata2013-02-1825-44/+284
| | | | | | | | | | | | | | | A new mechanism has been added to specify the authentication methods that can be used to invoke the REST methods. The AuthMethodMapping annotation maps each REST method to a list of allowed authentication methods. When a client calls a REST method, the AuthMethodInterceptor will intercept the call and verify that the client uses an allowed authentication method. Most REST methods that require authentication have been configured to require client certificate authentication. Authentication using username and password will only be used to get the installation token from security domain. Ticket #477
* Added CLI to manage user membership.Endi Sukma Dewata2013-02-1821-311/+1158
| | | | | | | | New CLI's have been added to search, add, and remove user membership. The group member management code has been refactored into a processor to allow reuse. Ticket #190
* Added certificate status option for cert-find.Endi Sukma Dewata2013-02-123-0/+33
| | | | | | | The cert-find command has been modified to provide an option to search by certificate status. Ticket #501
* Change pkidestroy to get an install token and use admin interface to updateAde Lee2013-02-115-144/+257
| | | | security domain.
* Add updateDomainXML to admin interfaceAde Lee2013-02-113-23/+102
|
* move updateNumberRange to admin interfaceAde Lee2013-02-113-51/+61
|
* remove unneeded getTokenInfo servletAde Lee2013-02-114-71/+0
|
* Fix get cert chain to use admin port onlyAde Lee2013-02-112-3/+11
|
* Additional output attributes for cert-find.Endi Sukma Dewata2013-02-074-17/+213
| | | | | | | | The cert-find command has been modified to include some additional attributes including certificate type and version, key algorithm name and length, validity dates, creation time and issuer. Ticket #498
* Fixed validity duration options for cert-find.Endi Sukma Dewata2013-02-073-33/+66
| | | | | | | | | The cert-find command has been fixed to show better error messages on missing validity duration options. The validity duration unit has been changed to take "day", "week", "month", or "year" and convert it into milliseconds. Ticket #291, #500
* Fixed conflicting security domain hosts.Endi Sukma Dewata2013-02-074-45/+69
| | | | | | | | The SecurityDomainProcessor has been modified to generate the host ID from the subsystem type, hostname, and secure port instead of relying on the user-configurable SubsystemName attribute. Ticket #503
* Fixed date format for cert-find parameters.Endi Sukma Dewata2013-02-072-18/+19
| | | | | | | | All date parameters for cert-find have been modified to use the YYYY-MM-DD date format. Date parsing code in FilterBuilder has been modified not to ignore parsing errors. Ticket #497
* Added interactive subsystem installation.Endi Sukma Dewata2013-02-049-145/+355
| | | | | | | | | | The pkispawn has been modified such that the configuration file and subsystem type are optional. The pkidestroy has been modified such that the instance name and subsystem type are optional. If any of these options are not specified they will enter an interactive mode. Ticket #380
* Fixed getInstallToken() invocation.Endi Sukma Dewata2013-02-043-6/+8
| | | | | | | The configuration code has been modified to use the REST interface to get the installation token and ignore CA cert validation errors. Ticket #476
* Session-based nonces.Endi Sukma Dewata2013-02-0416-238/+258
| | | | | | | | | | | | | | | | | | | | | | | Previously nonces were stored in a global map which might not scale well due to some issues: 1. The map uses the nonces as map keys. There were possible nonce collisions which required special handling. 2. The collision handling code was not thread safe. There were possible race conditions during concurrent modifications. 3. The map was shared and size limited. If there were a lot of users using the system, valid nonces could get pruned. 4. The map maps the nonces to client certificates. This limits the possible authentication methods that can be supported. Now the code has been modified such that each user has a private map in the user's session to store the nonces. Additional locking has been implemented to protect against concurrent modifications. The map now uses the target of the operation as the map key, eliminating possible collisions and allowing the use of other authentication methods. Since this is a private map, it's not affected by the number of users using the system. Ticket #474
* Merged cert-request-review/approve commands.Endi Sukma Dewata2013-02-045-99/+142
| | | | | | | The cert-request-approve has been merged into cert-request-review to ensure that these operations are executed in the same session. Ticket #474
* Bug 903401 - TMS: RSA token enrollment failed : public key decode errorChristina Fu2013-01-262-12/+22
|
* Fixed CLI 'cert-find' clientAuth FQDN hostname issueMatthew Harmsen2013-01-253-10/+92
| | | | * TRAC Ticket #488 - Dogtag 10: Fix CLI 'cert-find' clientAuth issue
* Ticket 419 - REST interface for cert requestsAde Lee2013-01-223-0/+151
|
* https://fedorahosted.org/pki/ticket/362 RFE: CMC ECCChristina Fu2013-01-1514-390/+871
|
* Trac Ticket 481 - Build pki-core 10.0.1Ade Lee2013-01-154-12/+37
|
* Added LDAP exception converter.Endi Sukma Dewata2013-01-152-3/+50
| | | | | | | A utility class has been added to convert LDAP exceptions into PKI exceptions. Ticket #191, #214
* Added nonce validation for certificate revocation.Endi Sukma Dewata2013-01-1510-66/+166
| | | | | | | The certificate REST service has been modified to validate nonce when revoking a certificate. Ticket #213
* Resolved Trac Ticket 367 - pkidestroy does not remove connectorAde Lee2013-01-1522-111/+1064
| | | | | | | | | | | * Added RESTful servlet to add/remove a KRA connector from the CA. * Modified ACL to allow KRA subsystem user to remove connector. * Modified connector code to allow the connector to be replaced without a server restart. * Added functionality to pki CLI to add/remove connector * Added code to pkidestroy to remove the connector (using both pki CLI and sslget) When the issues with pki connection are resolved, we will use that method instead. * Modified sslget to accept HTTP return codes != 200. In this case, we were returning 204 - which is perfectly legitimate.
* Added third-party license fileMatthew Harmsen2013-01-102-1/+66
| | | | * TRAC Ticket #430 - License for 3rd party code
* Bug 839426 - [RFE] ECC CRL support for OCSPChristina Fu2013-01-091-1/+23
|
* Fix spec file to allow f17 to work with latest tomcatjssAde Lee2013-01-081-2/+2
|
* Increase root CA validity to 20 yearsAde Lee2013-01-074-5/+5
| | | | Trac Ticket #466
* Use tomcatjss 7.1.0 and fix weird errno=0 exceptionMatthew Harmsen2013-01-076-10/+71
| | | | | | * TRAC Ticket #469 - Dogtag 10: Fix tomcatjss issue in pki-core.spec and dogtag-pki.spec . . . * TRAC Ticket #468 - pkispawn throws exception
* Ticket 191 - Mapping HTTP Exception to their proper HTTP error codesAbhishek Koneru2013-01-0420-162/+333
|
* TRAC Ticket #271 - Dogtag 10: Fix 'status' command in 'pkidaemon' . . .Matthew Harmsen2012-12-192-31/+183
|
* fix typo in default.cfgAde Lee2012-12-191-1/+1
|
* Man page addition for parameter pki_client_admin_cert_p12Ade Lee2012-12-191-0/+4
|
* Make admin cert p12 file location configurableAde Lee2012-12-193-61/+18
| | | | | Ticket 437. Also moved a bunch of client path parameters to default.cfg template file.
* pkispawn modified to not relabel when selinux is disabledAde Lee2012-12-193-2/+25
| | | | Ticket 393
* Punctuation and formatting changes in man pagesAde Lee2012-12-184-78/+93
| | | | Changes provided by Deon Lackey.
* Revert to using default config file for pkidestroyAde Lee2012-12-183-12/+2
| | | | | | | | Previously, we archived the default config file when an instance was created, and used that file in running pkidestroy. We plan to replace this mechanism in favor of actually reading the instance's config files. For now, we return to using the standard default config template, so that we can change it without breaking pkidestroy.
* Hardcode setting of resteasy-lib for instanceAde Lee2012-12-183-5/+4
| | | | | | | | | | Tomcat in f17 expects the file under /etc/sysconfig/foo to be a set of environment variables being set, and parses it that way. We recently added some logic to source the global pki.conf file. This works in f18, but breaks instance startup in f17. While this works in f18, its an indication that we are using the tomcat config file incorrectly. Reverting to hardcoding resteasy lib.
* interpolate more pathsAde Lee2012-12-184-250/+63
|
* interpolated jarsAde Lee2012-12-182-300/+94
|
* interpolation for paths part 1Ade Lee2012-12-182-139/+73
|
* Removed duplicate pki_instance_id parameter.Ade Lee2012-12-186-76/+71
| | | | Ticket 435
* Replace file dependencies with package dependenciesAde Lee2012-12-181-6/+8
| | | | Ticket 306
* Updated pki-core spec file to 10.0.0-2Ade Lee2012-12-101-1/+4
|
* More edits to man pages including spell checking provided via 'aspell'.Matthew Harmsen2012-12-104-128/+163
|
* fix typo in spec fileAde Lee2012-12-071-1/+1
|
* Update to rc1 buildAde Lee2012-12-0715-73/+39
|
* Revised 'pki_default.cfg5' man page.Matthew Harmsen2012-12-071-18/+179
|
* Added more detail to man page for pki(1)Ade Lee2012-12-071-27/+171
|