summaryrefslogtreecommitdiffstats
path: root/base/ca/src/com/netscape/ca
Commit message (Collapse)AuthorAgeFilesLines
* Lightweight CAs: indicate when CA does not yet have keysFraser Tweedale2016-04-141-7/+17
| | | | | | | | | | When a lightweight CA is created, clones will initialise a local object when the LDAP replication takes place, however, the signing keys will not yet have been replicated. Therefore, indicate CA readiness in authority data and respond appropriately (HTTP 503) when signing operations are attempted. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: set DN based on data from LDAPFraser Tweedale2016-04-141-2/+9
| | | | | | | | | | | | When initialising a lightweight CA, if we do not have the signing cert and key in the NSSDB yet, we do not initialise the DN. This causes NPE in other code that expects getX500Name() to return a value, e.g. REST API to list or show CA. To work around this, when loading lightweight CAs set the DN based on the 'authorityDN' value stored in its LDAP entry. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: monitor database for changesFraser Tweedale2016-04-141-87/+342
| | | | | | | | | | | Implement a thread that performs an LDAP persistent search to keep a running CA's view of lightweight CAs in sync with the database. Signing key replication is not yet supported; this will be implemented in a later patch and will not use the database to propagate keys. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: extract LDAP commit/delete methodsFraser Tweedale2016-04-141-96/+116
| | | | | | | | | LDAP code to add, modify and delete authority entries exists in multiple places. Extract these methods to remove this duplication and provide a cleaner basis for upcoming implementation of replication handling. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: move host authority creation out of load methodFraser Tweedale2016-04-141-17/+25
| | | | | | | | To reduce the amount of code that would be run in the persistent search thread, extract the host authority entry creation out of the 'loadLightweightCAs' method, into 'CertificateAuthority.init'. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: avoid repeat definition of authorities DNFraser Tweedale2016-04-141-12/+11
| | | | Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: use static db connection factoryFraser Tweedale2016-04-141-15/+10
| | | | | | | Use a static database connection factory that is initialised by the host authority and used by all CertificateAuthority instances. Part of: https://fedorahosted.org/pki/ticket/1625
* Lightweight CAs: add exceptions for missing signing key or certFraser Tweedale2016-04-142-7/+29
| | | | | | | | | | Add the CAMissingCertException and CAMissingKeyException classes and throw when signing unit initialisation fails due to a missing object. In CertificateAuthority, store the exception if it occurs for possible re-throwing later. Also add the private 'hasKeys' field for internal use. Part of: https://fedorahosted.org/pki/ticket/1625
* Fixed exception handling in CertificateAuthority.Endi S. Dewata2016-04-122-44/+48
| | | | | | | | The CertificateAuthority.getCACert() has been modified to re-throw the exception instead of ignoring it. All callers have been modified to bubble up the exception. https://fedorahosted.org/pki/ticket/1654
* Do not leak status of certs issued by other CAsFraser Tweedale2016-03-031-1/+18
| | | | | | If an OCSP request includes CertIDs for certificates issued by multiple CAs, return 'unknown' CertStatus for all certificates not issued by the "signing" CA.
* Lightweight CAs: lookup correct issuer for OCSP responsesFraser Tweedale2016-03-031-1/+38
|
* Ticket #1963 CRL generation enters loop when CA loses connection to netHSM.Christina Fu2016-03-021-0/+78
| | | | | | | | | | | | | | | | | | | | | | | | | This patch makes a low risk attempt to slow down the loop that could be caused by an unexpected exception caused by the unavailability of a dependant component (e.g. HSM, LDAP) in the middle of CRL generation/update. New configuration parameters are: ca.crl.MasterCRL.unexpectedExceptionWaitTime - the wait time in minutes; default is 30 - normally you want it to be less than ca.crl.MasterCRL.autoUpdateInterval and ca.crl.MasterCRL.cacheUpdateInterval ca.crl.MasterCRL.unexpectedExceptionLoopMax - the max number of tries allowed before the slow down mechanism kicks in; default is 10 When such unexpected failure happens, a loop counter is kept and checked against the unexpectedExceptionLoopMax. If the loop counter exceeds the unexpectedExceptionLoopMax, then the current time is checked against the time of the failure, where the time lapse must exceed the unexpectedExceptionWaitTime to trigger a delay. This delay is the counter measure to mitigate the amount of log messages that could flood the log(s). The delay is calcuated like this: waitTime = mUnexpectedExceptionWaitTime - (now - timeOfUnexpectedFailure);
* Lightweight CAs: enrol cert via profile subsystemFraser Tweedale2016-02-221-10/+56
| | | | | | | | | | | | Enrol new CA certs via the profile subsystem to ensure that the usual audit events are logged and to avoid the nasty ConfigStore hack used to generate the cert via CertUtil. This commit also fixes an issue where the new CA certificate does not have the correct Authority Key Identifier extension. Fixes: https://fedorahosted.org/pki/ticket/1624 Fixes: https://fedorahosted.org/pki/ticket/1632
* Lightweight CAs: ensure disabled CA cannot create sub-CAsFraser Tweedale2016-02-221-0/+3
| | | | Fixes: https://fedorahosted.org/pki/ticket/1628
* CRLIP: omit certs not issued by associated CAFraser Tweedale2015-10-211-4/+14
| | | | | | | | | | | | Lightweight CAs mean that a single database can include certificates from many issuers. Update CRLIssuingPoint to only include certificates issued by its associated CA. For backwards compatibility, if the associated CA is the host CA, certificate records with missing 'issuerName' attribute are also included. Fixes: https://fedorahosted.org/pki/ticket/1626
* Ticket #1648 [RFE] provide separate cipher lists for CS instances acting as ↵Christina Fu2015-10-201-2/+4
| | | | client and server This patch provides subsystem->subsystem cipher configuration when acting as a client
* Lightweight CAs: implement deletion API and CLIFraser Tweedale2015-10-061-0/+75
| | | | | | | Implement lightweight authority deletion including CLI command. To be deleted an authority must be disabled and have no sub-CAs. Fixes: https://fedorahosted.org/pki/ticket/1324
* Fix compilation error in eclipse for caMapAde Lee2015-10-021-23/+23
|
* Ticket #1593 auto-shutdown - for HSM failover supportChristina Fu2015-10-011-0/+13
| | | | | | | | | | | | | | | This is an interim solution for supporting HSM failover by automatically shutting down the server when signing key becomes inaccessible. At auto-shutdown, a crumb fiile will be left in the instance directory for an external daemon to detect and restart, if necessary. Due to limitation of the watch dog (nuxwdog) at present time, the restart option currently only works if started with watch dog (nuxwdog), and it will prompt for passwords on the terminals. The restart counter is to prevent the server from going into an infinite restart loop. Administrator will have to reset autoShutdown.restart.count to 0 when max is reached. (cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
* Lightweight CAs: fix caMap synchronizationFraser Tweedale2015-09-301-8/+9
| | | | | | | | | Some access to caMap was not correctly synchronized, with authorities (of which there could be many) acquiring their own intrinsic lock rather than the shared caMap. Use 'Collections.synchronizedSortedMap' to fix this. As a bonus, locking is now more fine-grained.
* Lightweight CAs: initial supportFraser Tweedale2015-09-263-99/+656
| | | | | | | | | | | | | This commit adds initial support for "lightweight CAs" - CAs that inhabit an existing CA instance and share the request queue and certificate database of the "top-level CA". We initially support only sub-CAs under the top-level CA - either direct sub-CAs or nested. The general design will support hosting unrelated CAs but creation or import of unrelated CAs is not yet implemented. Part of: https://fedorahosted.org/pki/ticket/1213
* remove obsolete code from CertificateAuthority classFraser Tweedale2015-08-251-11/+0
|
* Separate range and cert status threadsAde Lee2015-08-121-0/+5
| | | | | | | | | | | | | | We currently disable the cert status maintenance thread on clone CAs because CRL processing should only be done on the master CA. Currently, the maintenance thread also performs other checks on serial number ranges and settings. By disabling the maintenance thread, we disable these checks too. To fix this, we have separated the serial number checks into a different maintenance thread, so that these tasks will occur even if the cert status thread is disabled. Bugzilla # 1251606
* Fixed fail-over in HttpConnection.Endi S. Dewata2015-07-021-3/+2
| | | | | | | | | | | The HttpConnection class has been modified to support fail-over and timeout more consistently. The targets are parsed into a list during initialization. All direct calls to HttpClient.connect() are replaced with a method that will connect to the first available target. All connections are now created with a timeout (which by default is 0). https://fedorahosted.org/pki/ticket/891
* Ticket #572 - CRL scheduler adds extra CRL generation at midnight for daily ↵Jack Magne2015-05-061-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | schedules. Addresses the complaint of this ticket. Tested to work in a few basic cases. The minor code change was designed to only affect the specific scenario when we have a daily scedule that spans only one day. More Info: How to duplicate and test: Perform a manual crl generate from the agent interface because the code to be tested relies heavily upon the "lastUpdate" which will appear in the logs. Do this to have a nice launching off point. Go to the ca's pkiconsole and select : Certificate Manager -> CRL Issuing Points -> MasterCRL. Check "updateCRL at: " and give a schedule such as : 15:03, 15:10 .. This gives us a chance to watch the two regularly scheduled updates happen. When the first event triggers, have a look at the CA's "debug" log and note the following or similar entry: [CRLIssuingPoint-MasterCRL]: findNextUpdate: Wed May 06 15:10:00 PDT 2015 delay: 86301873 Wait for the 15:00 even to happen. When that triggers at the end of that cycle, we should see one more similar entry. [CRLIssuingPoint-MasterCRL]: findNextUpdate: Wed May 06 15:03 PDT 2015 delay: 86301873 That is the correct behavior after the fix. We want the next update to be at the first entry of the daily schedule , but tomorrow. The current bug would print out this value as something like: Wed May 06 00:00:00 or similar to indicate midnight. This is not what we want.
* Bug1151147 issuerDN encoding correctionChristina Fu2014-10-232-3/+49
|
* Reorganized REST service classes.Endi S. Dewata2014-02-281-107/+0
| | | | | | | | The REST service classes have been moved into org.dogtagpki.server namespace. A new upgrade script has been added to update existing instances. Ticket #114
* Added ACL for TPS authenticators.Endi S. Dewata2013-11-141-3/+4
| | | | | | | | | | New ACL has been added to allow only the administrators to access TPS authenticators. The set of interceptors in each application has been modified to preserve the order. Ticket #652
* Fixed problems finding user and group sub-resources.Endi S. Dewata2013-10-251-6/+0
| | | | | | | Due to a regression RESTEasy is unable to find some sub-resources properly. As a workaround some resources need to be merged into the parent resource. The UserCertResource and UserMembershipResource have been merged into UserResource. The GroupMemberResource has been merged into GroupResource.
* Added audit resource.Endi S. Dewata2013-10-081-0/+4
| | | | | | | A new REST service and clients have been added to manage the audit configuration in all subsystems. Ticket #652
* Added selftest resource.Endi S. Dewata2013-10-081-0/+4
| | | | | | | New REST service and clients have been added for managing selftests in all subsystems. Ticket #652
* Reorganized interceptors.Endi S. Dewata2013-08-201-2/+2
| | | | | | The ACLInterceptor and AuthMethodInterceptor interceptors only run on the server, so they have been moved from the base package into the server package.
* Option to include nextUpdate as an offset to thisUpdateAndrew Wnuk2013-05-141-0/+27
| | | | | | This patch provides an option to generate CRLs with nextUpdate calculated as sum of thisUpdate and an offset. Ticket #571
* Plug resource leaksAde Lee2013-03-081-6/+3
|
* Added authentication method validation.Endi Sukma Dewata2013-02-191-1/+3
| | | | | | | | | | | | | | | A new mechanism has been added to specify the authentication methods that can be used to invoke the REST methods. The AuthMethodMapping annotation maps each REST method to a list of allowed authentication methods. When a client calls a REST method, the AuthMethodInterceptor will intercept the call and verify that the client uses an allowed authentication method. Most REST methods that require authentication have been configured to require client certificate authentication. Authentication using username and password will only be used to get the installation token from security domain. Ticket #477
* Added CLI to manage user membership.Endi Sukma Dewata2013-02-181-0/+2
| | | | | | | | New CLI's have been added to search, add, and remove user membership. The group member management code has been refactored into a processor to allow reuse. Ticket #190
* Session-based nonces.Endi Sukma Dewata2013-02-041-7/+34
| | | | | | | | | | | | | | | | | | | | | | | Previously nonces were stored in a global map which might not scale well due to some issues: 1. The map uses the nonces as map keys. There were possible nonce collisions which required special handling. 2. The collision handling code was not thread safe. There were possible race conditions during concurrent modifications. 3. The map was shared and size limited. If there were a lot of users using the system, valid nonces could get pruned. 4. The map maps the nonces to client certificates. This limits the possible authentication methods that can be supported. Now the code has been modified such that each user has a private map in the user's session to store the nonces. Additional locking has been implemented to protect against concurrent modifications. The map now uses the target of the operation as the map key, eliminating possible collisions and allowing the use of other authentication methods. Since this is a private map, it's not affected by the number of users using the system. Ticket #474
* Resolved Trac Ticket 367 - pkidestroy does not remove connectorAde Lee2013-01-151-0/+4
| | | | | | | | | | | * Added RESTful servlet to add/remove a KRA connector from the CA. * Modified ACL to allow KRA subsystem user to remove connector. * Modified connector code to allow the connector to be replaced without a server restart. * Added functionality to pki CLI to add/remove connector * Added code to pkidestroy to remove the connector (using both pki CLI and sslget) When the issues with pki connection are resolved, we will use that method instead. * Modified sslget to accept HTTP return codes != 200. In this case, we were returning 204 - which is perfectly legitimate.
* Added ACLInterceptor.Endi Sukma Dewata2012-11-081-0/+4
| | | | | | | | | Previously ACL checking was done in PKIRealm by matching the URL. This code has been replaced by ACLInterceptor which will intercept RESTEasy method invocations. This allows more precise mapping of REST methods to ACL entries in acl.ldif. Ticket #287
* Fixed synchronization problem in CertificateRepository.Endi Sukma Dewata2012-10-291-1/+25
| | | | | | | | Some synchronized methods in CertificateRepository may block modifyCeritifcateRecord() too long, so they have been moved into CRLIssuingPoint and CertStatusUpdateThread. Ticket #313
* Added conditions for security domain REST service.Endi Sukma Dewata2012-10-231-4/+21
| | | | | | | | The CertificateAuthorityApplication has been modified to deploy the REST service for security domain only if the server has been configured with a new security domain. Ticket #309
* Added REST account service.Endi Sukma Dewata2012-10-221-0/+5
| | | | | | | | | A REST account service has been added to allow client to login to establish a session and to logout to destroy the session. This way multiple operations can be executed using the same session without having to re-authenticate. Ticket #357
* Enabled authentication for security domain REST interface.Endi Sukma Dewata2012-10-181-0/+15
| | | | | | | | The REST interface for security domain has been refactored and configured such that it requires authentication. A CLI has been added to get an installation token. Ticket #309
* Fixed exceptions during shutdown.Endi Sukma Dewata2012-08-281-10/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | The shutdown() methods in several classes have been fixed to allow more graceful shutdown and clean restart. There are two types of object attributes that need to be handled differently. Attributes that are initialized by the constructor should not be nulled during shutdown because they won't be reinitialized during restart. If they require a cleanup (e.g. emptying collections, closing LDAP connections) it's not necessary to check for null before calling the cleanup method because they're never null. For attributes that are initialized during init(), it may not be necessary to do a cleanup or null the attribute since they might still be used by other threads and they will be reinitialized during restart so the old objects will be garbage collected. If they do need a cleanup they should be checked for null because they might still be null due to init() failure or initialization conditionals. If the attributes are initialized conditionally, the logic has been modified to ensure the attributes are either initialized or set to null. Ticket #247
* Reorganized REST common classes.Endi Sukma Dewata2012-08-151-1/+1
| | | | | | | The common classes used by REST client and services have been moved into the com.netscape.certsrv.<component> packages. Ticket #215
* Cleaned up REST common class names.Endi Sukma Dewata2012-08-151-2/+2
| | | | | | | The REST common classes have been renamed for better clarity and consistency. Ticket #259
* Cleaned up REST server class names.Endi Sukma Dewata2012-08-151-18/+18
| | | | | | | The REST server classes have been renamed for better clarity and consistency. Ticket #259
* Use only pluralized REST interface URLsAde Lee2012-07-241-6/+0
|
* Added CMSExceptionMapper class to the Application classesAde Lee2012-07-101-0/+4
|
* Add Application files to list REST resourcesAde Lee2012-07-101-0/+57
|
generated by cgit (git 2.34.1) at 2024-06-10 19:36:03 +0000