| Commit message | Author | Age | Files | Lines |

New REST service and clients have been added for managing selftests
in all subsystems.
Ticket #652

Ticket 97

The exception handler in pkiparser.py has been modified to re-raise
the exception such that it will be handled by the caller instead of
exiting to the system immediately.

The deployment config files used by pkispawn support interpolation as
supplied by ConfigParser. Interpolation uses the '%' character, which
means values that need to contain a '%' character need to be properly
escaped.
This patch detects errors with unescaped '%' characters and reports
a useful message back to the user who is running pkispawn. This
patch also adds notes to the pkispawn and pki_default.cfg man pages
to explain that escaping of '%' characters is required.

These files are no longer needed by pki-core as we are using the
tomcat unit files, and no longer need to deliver these. Plus,
they were breaking the TPS build.

Previously the CLI authentication could fail because it's using a
fixed default subsystem which may not match the command it's trying
to execute. The CLI has now been modified to use the appropriate
default subsystem depending on the command to be executed.

A new REST service and clients have been added to manage the profile
mappings in the TPS configuration file.
Ticket #652

The implementation of the TPS connection service has been modified to
use the configuration database to read and write the configuration file.
Ticket #652

The implementation of the TPS authenticator service has been modified to
use the configuration database to read and write the configuration file.
Ticket #652

The REST interface for TPS configuration has been modified to provide access
to TPS general configuration as originally designed. The configuration database
has been modified such that it can be reused by other configuration resources.
Ticket #652

The CLI framework has been modified to remove duplicate code
in various CLI modules.

This patch provides basic support for DRM Transport Key Rotation described
in http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
This patch provides implementation for tickets:
- 729 - CA to include transport certificate when submitting archival request to DRM
- 730 - DRM to detect presence of transport certificate attribute in submitted archival
request and validate transport certificate against DRM's transport key list
- 731 - DRM to provide handling for alternative transport key based on detected
and validated transport certificate arriving as a part of extended archival request

Also changed permissions to allow admin users to delete a connector
and its associated shared secret.

The self tests and TokenServlet are modified to use the new shared secret
names. A parameter has been added to allow legacy systems to continue running
as-is. With a new system, the TKS self test will not fail on startup if
no shared secret keys are configured. It will fail, however, if the keys are
configured, but the ComputeSessionKey operation fails.

A new REST service has been added to the TKS to manage shared secrets.
The shared secret is tied to the TKS-TPS connector, and is created at the
end of the TPS configuration. At this point, the TPS contacts the TKS and
requests that the shared secret be generated. The secret is returned to the
TPS, wrapped using the subsystem certificate of the TPS.
The TPS should then decrypt the shared secret and store it in its certificate
database. This operation requires JSS changes, though, and so will be deferred
to a later patch. For now, though, if the TPS and TKS share the same certdb, then
it is sufficient to generate the shared secret.
Clients and CLI are also provided. The CLI in particular is used to remove the
TPSConnector entries and the shared secret when the TPS is pkidestroyed.

A new REST service and clients have been added to manage the TPS
configuration in CS.cfg. When the configuration is updated, the
previous configuration will be stored as a backup.
Ticket #652

Up to now, only pkispawn with a config file worked for tomcat-tps
installation. This patch adds the functionality for the interactive
installation.

Resteasy 3.0.1 is not populating the @Context parameters if they are
defined in a super class. This is a workaround until that problem is fixed.
See https://issues.jboss.org/browse/RESTEASY-952

Resteasy 3.0.1 uses apache-commons-io. Also fixed PKIErrorInterceptor
with correct method call and reformatted the interceptors.

tomcat now uses systemd unit files. We will reuse and customize those
files accordingly. As a result, startup is simplified considerably -
and pkidaemon has been gutted accordingly.
We'll need to add migration scripts for older instances in a subsequent patch.

RESTEasy 3.0.1 provides JAX-RS 2.0 interceptors. We need to either use these
or the proprietary ones in order to compile. These ones appear to be working just fine.
It does turn out that the change to getStringHeaders() is not yet implemented in 3.0.1
so we'll have to fix that.

The TPSCertDatabase has been reimplemented using LDAPDatabase. The
TPSCertRecord has been modified to specify the object class and
attribute mappings.
Ticket #652

The ActivityDatabase has been reimplemented using LDAPDatabase. The
ActivityRecord has been modified to specify the object class and
attribute mappings.
Ticket #652

The TokenDatabase has been reimplemented using LDAPDatabase. The
TokenRecord has been modified to specify the object class and
attribute mappings.
Ticket #652

A new LDAPDatabase class was added as a base class for LDAP-based
databases. A new DBRecord class was added to provide the default
implementation for record classes. New annotation classes were added
to specify the object class and attribute mappings.

The RenewableCertificateCollection class is in the server package but
it's used by ICertificateRepository in the base package, so the class
has been moved into the base package.

The ProfilePolicy is in the server package but it's used by IProfile
interface in the base package. The interface has been modified to use
IProfilePolicy instead.

Previously there were two TPSSubsystem instances: one created by CMSEngine
and the other created by the static code in TPSSubsystem. The second instance
has been removed since it's a duplicate and not initialized properly.

GUI-based configuration

interface

python-requests now throws a ProxyError if the server is not yet up.
Previously only connect exceptions were seen. To ensure that we are
not broken again when python-requests and the underlying libraries are
changed, we will catch and log all exceptions. If the connection
ultimately fails, we will time out in any case.
Also fixed some new warnings from Pylint 1.0
Ticket 717

Ticket 719

This adds an API call to get a template which can be used to generate an
enrollment request which can be passed into the REST API. The template
is simply a CertRequest with the relevant inputs for that profile added in.
Per code review comments, have added the templates interface to
CertRequestResource instead. This patch now includes /certrequests/profiles
and /certrequests/profiles/{id}. In a subsequent patch, all calls in
ProfileResource will be restricted to admins and agents.

This patch adds initial audit logging to the Profile interface.
A more complete review of audit logging will probably be done for
Common Criteria testing.

Filter was incorrectly setting ldap query to revocationReason*
resulting in a search for revocationReason 1 returning 1 and 10
Ticket 712

Also added SuccessExitStatus directive to unit file to ignore exit value 143.
As a result of this setting, exit status 0 is returned.
Ticket 716

A skeleton for TPS authenticator services and the clients have been added.
The service implementation will be added later.
Ticket #652

A skeleton for TPS connection services and the clients have been added.
The service implementation will be added later.
Ticket #652

The TPS classes have been reorganized as follows:
* common: com.netscape.certsrv.tps
* CLI: com.netscape.cmstools.tps
* server: org.dogtagpki.server.tps
TPSConnection and TPSMessage were moved from server package into
common package. The build script and configuration files have been
modified accordingly.

This patch provides pre-registration of CA cross signing profile.
Ticket #681.

This patch provides new profile to support CA cross signing enrollment.
Ticket #681

This patch provides pre-registration of UserSubjectNameConstraint plug-in.
Ticket #682.