path: root/base/ca/shared/webapps
Commit message | Author | Age | Files | Lines
* Ticket #2757 CMC enrollment profiles for system certificates | Christina Fu | 2017-07-07 | 1 | -0/+196
  This patch supports CMC-based system certificate requests.
  This patch contains the following:
  * The code in CMCAuth (agent-based) to check ssl client auth cert against the CMC signing cert
  * The cmc-based system enrollment profiles: caCMCauditSigningCert.cfg, caCMCcaCert.cfg, caCMCkraStorageCert.cfg, caCMCkraTransportCert.cfg, caCMCocspCert.cfg, caCMCserverCert.cfg, caCMCsubsystemCert.cfg
  * new URIs in web.xml as new access points
  Usage example can be found here: http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29
* Ticket 2673 - CMC: allow enrollment key signed (self-signed) CMC with identity proof | Christina Fu | 2017-05-17 | 1 | -0/+28
  This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is: caFullCMCSelfSignedCert.cfg. The new option introduced to both CRMFPopClient and PKCS10Client is "-y", which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified; however, the cert subject DN is recorded in the log as soon as it is available for additional information. Auditing is adjusted. More will come in the next couple of CMC patches.
* Ticket #2717 CMC user-signed enrollment request | Christina Fu | 2017-04-28 | 1 | -0/+28
  This patch provides implementation that allows user-signed CMC requests to be processed;
  The resulting certificate will bear the same subjectDN as that of the signing cert;
  The new uri to access is /ca/ee/ca/profileSubmitUserSignedCMCFull
  where the new profile is to be used: caFullCMCUserSignedCert.cfg
  which utilizes the new authentication plugin: CMCUserSignedAuth
  and new profile default plugin: CMCUserSignedSubjectNameDefault
  and new profile constraint plugin: CMCUserSignedSubjectNameConstraint
* Added audit service and CLI to all subsystems. | Endi S. Dewata | 2017-04-04 | 1 | -0/+13
  Previously the audit service and CLI were only available on TPS. Now they have been added to all subsystems.
  Change-Id: I3b472254641eb887289c5122df390c46ccd97d47
* Added access banner for CA UI. | Endi S. Dewata | 2017-02-24 | 162 | -33/+1040
  All pages in CA UI have been modified to retrieve access banner and display it once at the beginning of the SSL connection.
  https://fedorahosted.org/pki/ticket/2582
* Renamed index.html to index.jsp in CA UI. | Endi S. Dewata | 2017-02-20 | 10 | -2/+2
  The index.html files in CA UI have been renamed to index.jsp such that they can be protected by access banner.
  https://fedorahosted.org/pki/ticket/2582
* Removed all references to 'xenroll.dll' | Matthew Harmsen | 2016-12-09 | 23 | -578/+164
  - PKI TRAC Ticket #2524 - Remove xenroll.dll from pki-core
* UdnPwdDirAuth authentication plugin instance is not working. | Jack Magne | 2016-06-17 | 1 | -472/+0
  Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working.
  Since this class no longer works, we felt it best to just remove it from the server. This patch removes the references and files associated with this auth method.
* Detect inability to submit ECC CSR on Chrome | Matthew Harmsen | 2016-05-13 | 1 | -0/+11
  - PKI TRAC Ticket #2306 - Chrome Can Not Submit EC Client Cert Requests
* Added Chrome keygen warning | Matthew Harmsen | 2016-05-12 | 1 | -4/+109
  - PKI TRAC Ticket #2323 - Firefox Warning appears in EE page launched from within Chrome
* Fixed adminEnroll servlet browser import issue | Matthew Harmsen | 2016-05-04 | 1 | -3/+3
  - PKI TRAC Ticket #1669 - adminEnroll servlet EnrollSuccess.template succeeds but fails on import into browser
* Remove vestiges of NISAuth plugin | Fraser Tweedale | 2016-02-16 | 2 | -517/+0
  Fixes: https://fedorahosted.org/pki/ticket/1674
* Use correct textual encoding for PKCS #7 objects | Fraser Tweedale | 2016-02-15 | 5 | -10/+10
  PKCS #7 objects are being output with the "CERTIFICATE CHAIN" label which is invalid (RFC 7468) and unrecognised by many programs (including OpenSSL). Use the correct "PKCS7" label instead.
  Also do a drive-by refactor of the normalizeCertAndReq to remove some redundant code.
  Fixes: https://fedorahosted.org/pki/ticket/1699
* Lightweight CAs: initial support | Fraser Tweedale | 2015-09-26 | 1 | -0/+10
  This commit adds initial support for "lightweight CAs" - CAs that inhabit an existing CA instance and share the request queue and certificate database of the "top-level CA". We initially support only sub-CAs under the top-level CA - either direct sub-CAs or nested. The general design will support hosting unrelated CAs but creation or import of unrelated CAs is not yet implemented.
  Part of: https://fedorahosted.org/pki/ticket/1213
* Internet Explorer 11 not working browser warning. | Jack Magne | 2015-08-20 | 1 | -11/+38
  Related to ticket #1575 Internet Explorer 11: caUserCert request submission fails using the EE page.
  This patch will only do the following:
  - Detect IE when IE11 is being used. Before this IE11 was mistaken for Firefox.
  - Detect IE11 specifically and warn the user that there is no support.
  This ticket will live so we can fix this properly by porting the current VBS script to Javascript to support cert enrollment on IE 11.
* Fixed missing query parameters in ListCerts page. | Endi S. Dewata | 2015-08-12 | 2 | -0/+8
  The ListCerts servlet and the templates have been fixed to pass the skipRevoked and skipNonValid parameters to the subsequent page. Some debugging messages have been cleaned up as well.
  https://fedorahosted.org/pki/ticket/1538
* remove extra space from Base 64 encoded cert displays | Matthew Harmsen | 2015-07-31 | 5 | -16/+16
  - PKI TRAC Ticket #1522 - CA UI adds extra space in Base 64 encoded certificate display
* Firefox warning | Jack Magne | 2015-07-31 | 2 | -6/+7
  Ticket #1523
  Move the dire warning about the crypto object to sections where it applies. Also slightly changed the message due to context.
* Unable to select ECC Curves from EE fix. | Jack Magne | 2015-07-02 | 1 | -1/+80
  Ticket #1446:
  Without the crypto object, the user is now presented with a very bare-bones keygen tag powered UI. One can only select a key strength and only use RSA.
  This fix adds simple UI to make better use of the keygen tag:
  1. Allows the use of ECC.
  2. Gives simple info on how the key strengths map to RSA key size and ECC curves.
  When the user selects High, they get RSA 2043, and ECC nistp384.
  When the user selects Medium, they get RSA 1024, and ECC nistp256.
* Fixed typos in Web UI. | Endi S. Dewata | 2015-06-18 | 1 | -1/+1
* Mozilla crypto object warning: | Jack Magne | 2015-06-16 | 1 | -0/+7
  Provide simple textual warning when the user is using a browser that no longer supports the crypto object, which results in reduced CA certificate enrollment functionality. For simplicity provide the warning at the top of the main index page and at the top of the CA's services page. The services page is where the pkispawn of the CA points the users after installation. The ticket originally called for a JS warning but the simple text warning should be less intrusive and repetitive to the user.
  Ticket #1398 Provide UI Javascript warning for missing Mozilla Crypto Object in the CA.
* Cleaned up links in main page. | Endi S. Dewata | 2015-06-11 | 1 | -2/+1
  The ROOT's index.jsp has been modified to show the links to all subsystems installed on the instance. When opened, it will show the services provided by the subsystem.
  The pkispawn output has been modified to show the subsystem URL more consistently:
    https://<hostname>:<port>/<subsystem>
  In all subsystems except TPS the page will redirect to:
    https://<hostname>:<port>/<subsystem>/services
* Ticket #1295 CA: OCSP via GET does not work | Christina Fu | 2015-04-28 | 1 | -0/+5
* Parameterized CA templates. | Endi S. Dewata | 2015-04-22 | 6 | -31/+157
  https://fedorahosted.org/pki/ticket/1296
* Moved color settings to CSS. | Endi S. Dewata | 2015-04-22 | 10 | -11/+16
  The templates have been modified to remove hard-coded background color settings and use the styles defined in a new CSS file.
  https://fedorahosted.org/pki/ticket/1296
* Added direct deployment for all subsystems. | Endi S. Dewata | 2015-04-22 | 2 | -2/+2
  The deployment tool has been modified to deploy all subsystems directly from the /usr/share/pki. This will simplify updating the templates in the web applications.
  https://fedorahosted.org/pki/ticket/499
* Parameterized /ca/agent/header. | Endi S. Dewata | 2015-04-22 | 1 | -2/+23
  https://fedorahosted.org/pki/ticket/1296
* Parameterized /ca/ee/ca/index.html. | Endi S. Dewata | 2015-04-22 | 1 | -6/+24
  https://fedorahosted.org/pki/ticket/1296
* Parameterized CA's services.template. | Endi S. Dewata | 2015-04-22 | 1 | -2/+28
  https://fedorahosted.org/pki/ticket/1296
* Ticket 1180 RFE: show link to request record from cert display | Christina Fu | 2014-12-16 | 1 | -0/+13
* Disable PKI GUI Configuration | Matthew Harmsen | 2014-08-28 | 1 | -36/+0
  - PKI TRAC Ticket #1120 - Remove Firefox PKI GUI Configuration Panel Interface
* UI scrub | Matthew Harmsen | 2014-08-22 | 3 | -1/+2
  * PKI TRAC Ticket #567 - ui needs to be scrubbed for missing images
* Removed requestID parameter usage in [un]revoke request. | Abhishek Koneru | 2014-05-16 | 1 | -4/+0
  There seems to be no use of the requestID parameter in both revoke and unrevoke request. Removed requestID attribute in CertRevokeRequest remove the class CertUnrevokeRequest. Also made changes in RevocationProcesor to use the requestID of the request created in it. The setRequestID() is being called in the DoRevoke and DoUnRevoke servlets. Removed the call and a function auditRequesterId in both the classes. The auditRequestorId method tries to get a "requestID" stored as a INPUT field in the reasonToRequest page. The ReasonToRevoke class which generates this page does not set the value.
* Removed config path from web.xml. | Endi S. Dewata | 2014-03-17 | 1 | -2/+0
  Previously the CMSStartServlet always requires a cfgPath parameter pointing to the CS.cfg location. By default the parameter points to <instance>/conf/<subsystem>/CS.cfg unless it's manually changed by the admin after installation. Recently the servlet has been modified such that if the parameter is not specified it will generate the default path automatically. So it is no longer necessary to keep the cfgPath parameter in the web.xml templates because it will point to the same location. This patch removes the cfgPath parameters from all web.xml templates. This way newly created subsystems will not have this parameter, which will help direct deployment in the future. An upgrade script has been added to remove the parameter from existing instances if it points to the default location. If the parameter points to a different location that means the subsystem has been customized so it will not be changed.
  Ticket #748, #499
* Reorganized REST service classes. | Endi S. Dewata | 2014-02-28 | 1 | -1/+1
  The REST service classes have been moved into org.dogtagpki.server namespace. A new upgrade script has been added to update existing instances.
  Ticket #114
* Moved web application context file. | Endi S. Dewata | 2013-12-16 | 1 | -37/+0
  The location of web application context file has been changed from <instance>/webapps/<name>/META-INF/context.xml into <instance>/conf/Catalina/localhost/<name>.xml. This will eventually allow deploying the web application directly from the shared folder. A new upgrade script has been added to move the context files in the existing instances.
  Ticket #499
* Updated jQuery library. | Endi S. Dewata | 2013-12-05 | 1 | -2/+2
  The jQuery library and its internationalization plugin have been replaced with the development version.
  Ticket #654
* Added ACL for selftests. | Endi S. Dewata | 2013-12-05 | 1 | -0/+13
  New ACL has been added to allow only the administrators in each subsystem to access the selftests.
  Ticket #652
* Replaced auth.properties with acl.properties. | Endi S. Dewata | 2013-11-20 | 1 | -20/+0
  The ACL mapping files have been renamed from auth.properties to acl.properties to match the actual content and moved into the subsystem conf folder. The authentication method mapping files have been extracted from the interceptor into actual files. The ACLInterceptor and AuthMethodInterceptors have been modified to read the default mapping first, then overwrite it with custom mapping if it exists in the subsystem folder. The UpdateAuthzProperties upgrade script has been replaced with RemoveAuthProperties that will remove the old auth.properties.
* Updated ACL and auth method mapping names. | Endi S. Dewata | 2013-11-15 | 1 | -11/+11
  The ACL and auth method mapping names in some resources have been modified to be more consistent with those in other resources.
* Fix correct ACL for profile REST interface | Ade Lee | 2013-10-09 | 1 | -1/+3
* fix auth and authz for Profiles REST API | Ade Lee | 2013-10-09 | 1 | -0/+4
  Ticket 727
* Fix various issues with Profile Interface | Ade Lee | 2013-07-31 | 1 | -0/+10
  1. Fixed REST API as per review.
  2. Add output for profile-show and profile-find
* Storing authentication info in session. | Endi S. Dewata | 2013-07-29 | 1 | -1/+3
  The authenticator configuration has been modified to store the authentication info in the session so it can be used by the servlets. An upgrade script has been added to update the configuration in existing instances. The SSLAuthenticatorWithFalback was modified to propagate the configuration to the actual authenticator handling the request.
* exportable key | Andrew Wnuk | 2013-06-07 | 1 | -0/+2
  Allows key to be exported.
  Bug 961522.
* Replaced PKI_SUBSYSTEM_DIR with PKI_SUBSYSTEM_TYPE. | Endi Sukma Dewata | 2013-05-30 | 1 | -1/+1
  The PKI_SUBSYSTEM_DIR variable is redundant and can be replaced with PKI_SUBSYSTEM_TYPE.
* Renamed SERVER_NAME and PKI_MACHINE_NAME into PKI_HOSTNAME. | Endi Sukma Dewata | 2013-05-30 | 1 | -1/+1
  The SERVER_NAME and PKI_MACHINE_NAME variables have been renamed into PKI_HOSTNAME for consistency.
* Added tokenAuthenticate to admin interface | Ade Lee | 2013-04-16 | 1 | -0/+18
  Modified code to use this interface by default. Added required migration script code.
  Ticket 546
* Replaced Tomcat's random number generator. | Endi Sukma Dewata | 2013-03-19 | 1 | -1/+5
  By default Tomcat relies on /dev/random as a random number generator to generate the session ID's. Under certain conditions /dev/random may block, which will block Tomcat as well. To solve the problem all webapps in Tomcat have been configured to use the random number generator provided by JSS.
  Ticket #524
* Added authentication method validation. | Endi Sukma Dewata | 2013-02-19 | 1 | -3/+3
  A new mechanism has been added to specify the authentication methods that can be used to invoke the REST methods. The AuthMethodMapping annotation maps each REST method to a list of allowed authentication methods. When a client calls a REST method, the AuthMethodInterceptor will intercept the call and verify that the client uses an allowed authentication method. Most REST methods that require authentication have been configured to require client certificate authentication. Authentication using username and password will only be used to get the installation token from security domain.
  Ticket #477