summaryrefslogtreecommitdiffstats
path: root/base/ca/shared
Commit message (Collapse)AuthorAgeFilesLines
...
* Fixed logic for setting admin cert signing algorithmAde Lee2013-10-312-1/+2
| | | | | Should now be SHA256 by default. Bugzilla BZ 1024445
* Stand-alone DRMMatthew Harmsen2013-10-251-2/+2
| | | | * TRAC Ticket #762 - Stand-alone DRM (cleanup tasks)
* Stand-alone DRMMatthew Harmsen2013-10-154-1/+263
| | | | * TRAC Ticket #667 - provide option for ca-less drm install
* Fix correct ACL for profile REST interfaceAde Lee2013-10-091-1/+3
|
* fix auth and authz for Profiles REST APIAde Lee2013-10-091-0/+4
| | | | Ticket 727
* TRAC Ticket #641 - Incorrect interface labels in pkidaemon outputMatthew Harmsen2013-09-041-6/+6
|
* Pre-registration of CA cross signing profileAndrew Wnuk2013-08-291-1/+3
| | | | | | This patch provides pre-registration of CA cross signing profile. Ticket #681.
* CA cross signing profileAndrew Wnuk2013-08-291-0/+92
| | | | | | This patch provides new profile to support CA cross signing enrollment. Ticket #681
* Pre-registration of UserSubjectNameConstraint plug-inAndrew Wnuk2013-08-291-1/+4
| | | | | | This patch provides pre-registration of UserSubjectNameConstraint plug-in. Ticket #682.
* Initial code to configure a TPS in tomcatAde Lee2013-08-131-1/+1
| | | | | This code allows pkispawn to configure a tps in tomcat. It does not include any config using the web UI panels.
* Fix various issues with Profile InterfaceAde Lee2013-07-311-0/+10
| | | | | 1. Fixed REST API as per review. 2. Add output for profile-show and profile-find
* Storing authentication info in session.Endi S. Dewata2013-07-291-1/+3
| | | | | | | | | The authenticator configuration has been modified to store the authentication info in the session so it can be used by the servlets. An upgrade script has been added to update the configuration in existing instances. The SSLAuthenticatorWithFalback was modified to propagate the configuration to the actual authenticator handling the request.
* directory and pin profileAndrew Wnuk2013-06-132-1/+102
| | | | | | This patch adds new directory and pin profile. Bug: 961522
* exportable keyAndrew Wnuk2013-06-071-0/+2
| | | | | | Allows key to be exported. Bug 961522.
* Fixed hard-coded server certificate nickname.Endi Sukma Dewata2013-06-032-3/+2
| | | | | | | | | | | Previously the server certificate name was partially hard-coded as "Server-Cert cert-[PKI_INSTANCE_NAME]". Now in Tomcat-based subsystems it can be fully configured using pki_ssl_server_nickname parameter. In Apache-based subsystems it's left unchanged. Unused serverCertNick.conf files have been removed. Ticket #631
* Replaced PKI_SUBSYSTEM_DIR with PKI_SUBSYSTEM_TYPE.Endi Sukma Dewata2013-05-302-73/+73
| | | | | The PKI_SUBSYSTEM_DIR variable is redundant and can be replaced with PKI_SUBSYSTEM_TYPE.
* Renamed PKI_INSTANCE_ID into PKI_INSTANCE_NAME.Endi Sukma Dewata2013-05-302-18/+18
| | | | | The PKI_INSTANCE_ID variable has been renamed into PKI_INSTANCE_NAME for consistency.
* Renamed SERVER_NAME and PKI_MACHINE_NAME into PKI_HOSTNAME.Endi Sukma Dewata2013-05-304-24/+24
| | | | | The SERVER_NAME and PKI_MACHINE_NAME variables have been renamed into PKI_HOSTNAME for consistency.
* Randomized validityAndrew Wnuk2013-05-141-1/+4
| | | | | | This patch provides plug-in randomizing validity Ticket #607
* random certificate serial numbersAndrew Wnuk2013-04-191-1/+3
| | | | | | This patch adds support for random certificate serial numbers. Bug 912554.
* Tracking upgrade using existing config files.Endi Sukma Dewata2013-04-171-1/+1
| | | | | | | | | | | The upgrade framework has been modified to use pki.conf to track system upgrade, tomcat.conf to track instance upgrade, and CS.cfg to track subsystem upgrade. The preop.product.version in CS.cfg has been renamed into cms.product.version and is now used to track upgrade. Ticket #544
* Added tokenAuthenticate to admin interfaceAde Lee2013-04-161-0/+18
| | | | | | | Modified code to use this interface by default. Added required migration script code. Ticket 546
* Bug 929043 - updated serverCert.profile with SAN results in ↵Christina Fu2013-04-031-0/+50
| | | | | | SubjectAltNameExtDefault gname is empty, not added in cert ext during configuration Bug 927545 - Transport Cert signing Algorithm doesn't show ECC Signing Algorithms during DRM configuration with ECC
* Added securitydomain.checkIP parameterMatthew Harmsen2013-04-031-0/+1
| | | | * Bugzilla Bug #947524 - Clone installation does not work over NAT
* Bug 904289 - Add ECC Support to Certificate ProfilesChristina Fu2013-03-2514-24/+24
|
* Replaced Tomcat's random number generator.Endi Sukma Dewata2013-03-191-1/+5
| | | | | | | | | | By default Tomcat relies on /dev/random as a random number generator to generate the session ID's. Under certain conditions /dev/random may block, which will block Tomcat as well. To solve the problem all webapps in Tomcat have been configured to use the random number generator provided by JSS. Ticket #524
* Added authentication method validation.Endi Sukma Dewata2013-02-191-3/+3
| | | | | | | | | | | | | | | A new mechanism has been added to specify the authentication methods that can be used to invoke the REST methods. The AuthMethodMapping annotation maps each REST method to a list of allowed authentication methods. When a client calls a REST method, the AuthMethodInterceptor will intercept the call and verify that the client uses an allowed authentication method. Most REST methods that require authentication have been configured to require client certificate authentication. Authentication using username and password will only be used to get the installation token from security domain. Ticket #477
* Add updateDomainXML to admin interfaceAde Lee2013-02-112-1/+25
|
* move updateNumberRange to admin interfaceAde Lee2013-02-111-2/+2
|
* remove unneeded getTokenInfo servletAde Lee2013-02-111-18/+0
|
* https://fedorahosted.org/pki/ticket/362 RFE: CMC ECCChristina Fu2013-01-154-4/+4
|
* Resolved Trac Ticket 367 - pkidestroy does not remove connectorAde Lee2013-01-152-1/+2
| | | | | | | | | | | * Added RESTful servlet to add/remove a KRA connector from the CA. * Modified ACL to allow KRA subsystem user to remove connector. * Modified connector code to allow the connector to be replaced without a server restart. * Added functionality to pki CLI to add/remove connector * Added code to pkidestroy to remove the connector (using both pki CLI and sslget) When the issues with pki connection are resolved, we will use that method instead. * Modified sslget to accept HTTP return codes != 200. In this case, we were returning 204 - which is perfectly legitimate.
* Increase root CA validity to 20 yearsAde Lee2013-01-072-3/+3
| | | | Trac Ticket #466
* I18n for ProfileList.template.Endi Sukma Dewata2012-12-031-16/+43
| | | | | | | | | | | | | The messages in ProfileList.template in CA EE has been extracted into a properties file which can be translated separately. The original messages in the template have been marked as follows: <span class="message" name="...key...">...message...</span> When the page is loaded into the browser, the original message will be replaced with the translated messages. Ticket #406
* Reorganized CA, KRA, OCSP, TKS templates.Endi Sukma Dewata2012-11-12174-0/+40286
| | | | | | | | | | | All remaining theme files for Tomcat subsystems which include the templates and JS files have been moved from the theme folder at <subsystem>-ui/shared/webapps/<subsystem> into the subsystem webapp folder at base/<subsystem>/shared/webapps/<subsystem>. The deployment tools have been updated to use the new location. Ticket #407
* Added ACLInterceptor.Endi Sukma Dewata2012-11-081-9/+9
| | | | | | | | | Previously ACL checking was done in PKIRealm by matching the URL. This code has been replaced by ACLInterceptor which will intercept RESTEasy method invocations. This allows more precise mapping of REST methods to ACL entries in acl.ldif. Ticket #287
* Updated clearpixel.gif paths.Endi Sukma Dewata2012-11-061-3/+3
|
* Restrict AJP to localhost only by defaultAde Lee2012-10-251-1/+1
| | | | Ticket 369
* Enabled realm authentication for certificate requests.Endi Sukma Dewata2012-10-223-1/+3
| | | | | | | | | The realm authentication on certificate request REST services has been enabled. Since now in the CLI the authentication is done using a separate login operation, it is now possible to POST the approval data without the problem related to chunked message. Ticket #300
* Added REST account service.Endi Sukma Dewata2012-10-223-0/+16
| | | | | | | | | A REST account service has been added to allow client to login to establish a session and to logout to destroy the session. This way multiple operations can be executed using the same session without having to re-authenticate. Ticket #357
* Provide option to install, rather than replicate schema in a cloneAde Lee2012-10-221-1/+1
|
* Reorder VLV indexing for clones to avoid errorsAde Lee2012-10-221-2/+2
|
* Enabled authentication for security domain REST interface.Endi Sukma Dewata2012-10-182-0/+14
| | | | | | | | The REST interface for security domain has been refactored and configured such that it requires authentication. A CLI has been added to get an installation token. Ticket #309
* Using RPM version number in CMake.Endi Sukma Dewata2012-10-012-6/+2
| | | | | | | | | | | | The RPM spec files have been modified to pass the full RPM version number to CMake. The version number contains the product version number, release number, milestone, and platform. The CMake scritps will parse and use this version number to generate Java manifest files. The product version number will be used as the specification version and full version number will be used as the implementation version. Ticket #339
* Audit Cert RenewalMatthew Harmsen2012-09-201-2/+2
| | | | | * TRAC Ticket #333 - Increase audit cert renewal range to 2 years * Bugzilla Bug #843979 - Increase audit cert renewal range to 2 years
* Added common ROOT webapp.Endi Sukma Dewata2012-09-121-0/+2
| | | | | | | | | | | The current ROOT webapp will redirect users coming to the root URL path to the proper path of the subsystem's webapp. Since now a single Tomcat instance may have multiple subsystems, a new ROOT webapp has been added to present the user with a menu of all available webapps from all subsystems in the instance. Ticket #89
* Added proxy realm.Endi Sukma Dewata2012-09-051-0/+31
| | | | | | | | | | | | | | | | | CMS engine is a singleton and it's used by PKI realm to authenticate users accessing the subsystem. Since a Tomcat instance may contain multiple subsystems, each having separate realm, the PKI JAR links need to be moved into WEB-INF/lib so that they will run inside separate class loaders. Tomcat also requires that the authenticator and realm classes be available in common/lib. To address this a new package pki-tomcat.jar has been added. The package contains the authenticator and a proxy realm. When the subsystems start running, they will register their own realms into the proxy realms such that the authentications will be forwarded to the appropriate subsystems. Ticket #89
* Enabled SSL authenticator and PKI realm.Endi Sukma Dewata2012-08-034-1/+48
| | | | | | | | | | | The SSL connection has been configured with clientAuth="want" so users can choose whether to provide a client certificate or username and password. The authentication and authorization will be handled by the SSL authenticator with fallback and PKI realm. New access control rules have been added for users, groups, and certs REST services. Ticket #107
* Moved REST services into separate URLs.Endi Sukma Dewata2012-08-031-3/+5
| | | | | | | | | | | To support different access control configurations the REST services have been separated by roles. Services that don't need authentication will be available under /rest. Services that require agent rights will be available under /rest/agent. Services that require admin rights will be available under /rest/admin. Ticket #107
* ECC directory enrollment profileAndrew Wnuk2012-08-022-1/+102
| | | | | | This patch adds ECC directory enrollment profile. Bug: 748514.
generated by cgit (git 2.34.1) at 2025-09-27 00:48:31 +0000