summaryrefslogtreecommitdiffstats
path: root/base/ca
Commit message (Collapse)AuthorAgeFilesLines
...
* Verify raw profile config before accepting itFraser Tweedale2015-07-061-1/+42
| | | | | | | | | | | | Creating or modifying a profile with bad profile data in the "raw" format succeeds and saves the bad data. After restart, the profile cannot be loaded and attempting to use, modify or delete or recreate the profile will fail. Verify raw profile data by instantiating a temporary profile and attempting to initialise it with the received configuration. Fixes: https://fedorahosted.org/pki/ticket/1462
* Fixed fail-over in HttpConnection.Endi S. Dewata2015-07-021-3/+2
| | | | | | | | | | | The HttpConnection class has been modified to support fail-over and timeout more consistently. The targets are parsed into a list during initialization. All direct calls to HttpClient.connect() are replaced with a method that will connect to the first available target. All connections are now created with a timeout (which by default is 0). https://fedorahosted.org/pki/ticket/891
* Unable to select ECC Curves from EE fix.Jack Magne2015-07-021-1/+80
| | | | | | | | | | | | | | | | Ticket #1446: Without the crypto object, the user is now presented with a very bared bones keygen tag powered UI. ONe can only select a key strength and only use RSA. This fix adds simple UI to make better use of the keygen tag: 1. Allows the use of ECC. 2. Gives simple info on how the key strengths map to RSA key size and ECC curves. When the user selects High, they get RSA 2043, and ECC nistp384. When the user selects Medium, they get RSA 1024, and ECC nistp256.
* Ability to toggle profile usablity in Web vs CLI tools.Jack Magne2015-07-011-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | Ticket #1442. This fix gives the command line enrollment commands the ability to enroll a cert against a profile that has been marked as not visible but "enabled". With the simple fix the following scenarios tested to work: The "caUserCert" Profile was marked as not visible, but enabled. 1. pki -c Secret123 client-cert-request --profile caUserCert uid=jmagne This is the simplest form of user cert enrollment. 2. pki ca-cert-request-profile-show caUserCert --output testuser.xml pki ca-cert-request-submit testuser.xml The first command gives us the profile's xml file, which after modification is used to enroll. 3. pki -d ~/.dogtag/pki -c "" -n "PKI Administrator for localdomain" ca-profile-show caUserCert This one shows that we can view the contents of a non visible profile. Listing is not allowed. We felt this appropiate to allow a command line user to get the details of a non visible profile that they know aobut and want to use.
* Fixed thread leaks during shutdown.Endi S. Dewata2015-06-181-1/+1
| | | | | | | | Various codes have been modified to properly stop threads during shutdown. A new ID attribute has been added to the LDAP connection factory classes to help identify leaking threads. https://fedorahosted.org/pki/ticket/1327
* Fixed typos in Web UI.Endi S. Dewata2015-06-181-1/+1
|
* Mozilla crypto object warning:Jack Magne2015-06-161-0/+7
| | | | | | Provide simple textual warning when the user is using a browser that no longer supports the crypto object, which results in reduced CA certficat enrollment functionality. For simplicity provide the warning at the top of the main index page and at the top of the CA's services page. The services page is where the pkispawn of the CA points the uers after installation. The ticket originally called for a JS warnign but the simple text warning should be less intrusive and repetitive to the user. Ticket #1398 Provide UI Javascript warning for missing Mozilla Crypto Object in the CA.
* NPE when modifying profile without 'action' paramChristian Heimes2015-06-161-0/+5
| | | | | | | In modifyProfileState check the 'action' query paramter for NULL and raise a BadRequestException when the paramater is not set. https://fedorahosted.org/pki/ticket/1361
* Ticket 1412 Should disable the caCrossSignedCACert and caRACert profileChristina Fu2015-06-152-4/+4
|
* Cleaned up links in main page.Endi S. Dewata2015-06-111-2/+1
| | | | | | | | | | | | | The ROOT's index.jsp has been modified to show the links to all subsystems installed on the instance. When opened, it will show the services provided by the subsystem. The pkispawn output has been modified to show the subsystem URL more consistently: https://<hostname>:<port>/<subsystem> In all subsystems except TPS the page will redirect to: https://<hostname>:<port>/<subsystem>/services
* Use SimpleProperties to handle raw profile formatFraser Tweedale2015-05-221-2/+21
| | | | | | | | The store() method of the 'Properties' class escapes '=' and ':' in values, corrupting the profile data. Continue using 'Properties' to read the input (unescaping values) then copy the properties into a 'SimpleProperties' object so that unwanted backslashes do not appear in the output.
* Ticket #572 - CRL scheduler adds extra CRL generation at midnight for daily ↵Jack Magne2015-05-061-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | schedules. Addresses the complaint of this ticket. Tested to work in a few basic cases. The minor code change was designed to only affect the specific scenario when we have a daily scedule that spans only one day. More Info: How to duplicate and test: Perform a manual crl generate from the agent interface because the code to be tested relies heavily upon the "lastUpdate" which will appear in the logs. Do this to have a nice launching off point. Go to the ca's pkiconsole and select : Certificate Manager -> CRL Issuing Points -> MasterCRL. Check "updateCRL at: " and give a schedule such as : 15:03, 15:10 .. This gives us a chance to watch the two regularly scheduled updates happen. When the first event triggers, have a look at the CA's "debug" log and note the following or similar entry: [CRLIssuingPoint-MasterCRL]: findNextUpdate: Wed May 06 15:10:00 PDT 2015 delay: 86301873 Wait for the 15:00 even to happen. When that triggers at the end of that cycle, we should see one more similar entry. [CRLIssuingPoint-MasterCRL]: findNextUpdate: Wed May 06 15:03 PDT 2015 delay: 86301873 That is the correct behavior after the fix. We want the next update to be at the first entry of the daily schedule , but tomorrow. The current bug would print out this value as something like: Wed May 06 00:00:00 or similar to indicate midnight. This is not what we want.
* Fixed authentication data in audit log.Endi S. Dewata2015-05-051-1/+3
| | | | | | | | | | | The REST methods may be executed by different threads even though they are invoked in the same session. A new interceptor has been added to all subsystems to make sure the SessionContext is created properly for each thread. This will fix the authentication data in the audit log. The SessionContext has also been improved to use ThreadLocal instead of a global Hashtable. https://fedorahosted.org/pki/ticket/1054
* OCSP and CA minor cloning fixesJack Magne2015-05-011-18/+53
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Tickets #1294, #1058 The patch does the following: 1. Allows an OCSP clone to actually install and operate. It also sets a param appropriate for an OCSP clone. Ticket #1058 The controversial part of this one is the fact that I have disabled having OCSP clones register themselves to the CA as publishing target. The master is already getting the updates and we rely upon replication to keep the clones updated. The current downside is the master is on an island with respect to updates and could be considered a single point of failure. Thus my proposal for this simple patch is to get the OCSP clone working as in existing functionality. Then we come back and propose a ticket to allow the installer OCSP clones to set up the publishers in such a way that all clones and master are registered, but when it is actually time to publish, the CRL publisher has the smarts to know that members of a clone cluster are in a group and the first successfull publish should end the processing of that group. 2. Allows the CA clone to set some params to disable certain things that a clone should not do. This was listed as a set of misc post install tasks that we are trying to automate. Code tested to work. 1. OCSP clones can be installed and the CRL were checked to be in sync when an update occured to the master. 2. The CA clone has been seen to have the required params and it looks to come up just fine. Final review minor changes to tickets, 1294, and 1058.
* Ticket #1295 CA: OCSP via GET does not workChristina Fu2015-04-281-0/+5
|
* Remove duplicate prompt on nuxwdog startupAde Lee2015-04-231-1/+1
|
* Parameterized CA templates.Endi S. Dewata2015-04-226-31/+157
| | | | https://fedorahosted.org/pki/ticket/1296
* Moved color settings to CSS.Endi S. Dewata2015-04-2210-11/+16
| | | | | | | The templates have been modified to remove hard-coded background color settings and use the styles defined in a new CSS file. https://fedorahosted.org/pki/ticket/1296
* Added direct deployment for all subsystems.Endi S. Dewata2015-04-224-4/+4
| | | | | | | | The deployment tool has been modified to deploy all subsystems directly from the /usr/share/pki. This will simplify updating the templates in the web applications. https://fedorahosted.org/pki/ticket/499
* Parameterized /ca/agent/header.Endi S. Dewata2015-04-221-2/+23
| | | | https://fedorahosted.org/pki/ticket/1296
* Parameterized /ca/ee/ca/index.html.Endi S. Dewata2015-04-221-6/+24
| | | | https://fedorahosted.org/pki/ticket/1296
* Parameterized CA's services.template.Endi S. Dewata2015-04-221-2/+28
| | | | https://fedorahosted.org/pki/ticket/1296
* Ticket 1316 Allow adding SAN to server cert during the install processChristina Fu2015-04-212-0/+91
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Usage: * under /usr/share/pki/ca/conf, you will find a new file called serverCert.profile.exampleWithSANpattern * copy existing serverCert.profile away and replace with serverCert.profile.exampleWithSANpattern * edit serverCert.profile.exampleWithSANpattern - follow the instruction right above 8.default. - save and quit * cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg - follow the instruction right above policyset.serverCertSet.9 - save and quit * save away and edit the ca config file for pkispawn: (note: you can add multiple SAN's delimited by ',' for pki_san_server_cert - add the following lines, e.g. pki_san_inject=True pki_san_server_cert=host1.Example.com - do the same pkispawn cfg changes for kra or any other instances that you plan on creating * create your instance(s) check the sl sever cert, it should contain something like the following: Identifier: Subject Alternative Name - 2.5.29.17 Critical: no Value: DNSName: host1.Example.com
* Added support for Tomcat 8.Endi S. Dewata2015-04-215-0/+59
| | | | | | | | | | | | The Dogtag code has been modified to support both Tomcat 7 and 8. All files depending on a specific Tomcat version are now stored in separate folders. The build scripts have been modified to use the proper folder for the target platform. The tomcatjss dependency has been updated as well. The upgrade script will be added in a separate patch. https://fedorahosted.org/pki/ticket/1264
* Add pkispawn config option for ldap profilesFraser Tweedale2015-04-131-1/+1
| | | | | | Add the `pki_profiles_in_ldap' pkispawn config to control whether profiles are stored on the filesystem (old behaviour) or LDAP (new behaviour). The default is file-based profiles.
* Update pki-profile CLI commands to work with "raw" formatFraser Tweedale2015-04-071-22/+158
| | | | | | | | Update CLI commands for working with the (now LDAP-based) profiles in the same format as was used by the files, by way of the --raw option. Also add the "edit" command to interactively edit a profile.
* Import profiles when spawning CA instanceFraser Tweedale2015-04-072-0/+117
|
* Add LDAPProfileSubsystem to store profiles in LDAPFraser Tweedale2015-04-071-12/+4
| | | | | | | | | | | | Add the LDAPProfileSubsystem as another IProfileSubsystem implementation that can be used instead of ProfileSubsystem (which stores profiles on the file system) to store files in LDAP so that changes can be replicated. Extract common behaviour in to new AbstractProfileSubsystem superclass. Also address the minor issue #1220.
* Add schema for LDAP-based profilesFraser Tweedale2015-04-071-1/+4
|
* Allow use of secure LDAPS connectionMatthew Harmsen2015-03-131-1/+1
| | | | - PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
* Enable Authority Key Identifier CRL extension by defaultFraser Tweedale2015-01-071-1/+1
| | | | | | | | | | | RFC 5280 states: Conforming CRL issuers are REQUIRED to include the authority key identifier (Section 5.2.1) and the CRL number (Section 5.2.3) extensions in all CRLs issued. Accordingly, update CS.cfg so that the Authority Key Identifier extension is enabled by default.
* Fix-for-Bug-1170867-TPS-Installation-FailedJack Magne2014-12-164-544/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix now includes last review comments where we decided to consolidate 3 of the ldif files: schema.ldif,database.ldif, and manager.ldif. Each one of these 3 files contains the data needed for any subsystem for that file. The subsystem specific files for these 3 go away in the source tree. The first iteration of this fix was copying these 3 files into an undesirable directory. This is no longer the case. Extra code in the python installer allows one to establish a "file exclusion" callback to keep a set of desired files from being copied when the installer does a directory copy. All subsystems have been tested, including TPS with a brand new DS (which was the original reason for this fix), and they appear to work fine. Addressed further review comments: 1. Removed trailing whitespace instances from schema.ldif which had some. 2. Used pycharm to remove the few PEP violations I had previously added to the Python code. 3. Changed the format of the schema.ldif file to make all the entries use the same style. Previously the TPS entries was using an all in one syntax. No more since now each entry is separate. 4. Changed the name of an argument in one of the new Python methods to get rid of a camelCase instance. 5. Tested everything to work as before, including basic TPS operations such as Format. Fixed a method comment string and fixed some typos.
* Ticket 1180 RFE: show link to request record from cert displayChristina Fu2014-12-161-0/+13
|
* Added rangeUnit property to certificate profiles.Endi S. Dewata2014-12-151-2/+3
| | | | | | | | | A new optional property has been added to certificate profiles to specify the range unit. The default range unit is 'day'. The code has been modified to use the Calendar API to calculate the end of validity range based on the range unit. https://fedorahosted.org/pki/ticket/1226
* Bug1151147 issuerDN encoding correctionChristina Fu2014-10-232-3/+49
|
* Fix kra-connector-removeAde Lee2014-09-021-6/+6
| | | | | | | | | | | | | | | | | | | | The code to remove the connector from the pki CLI was found to be broken because of invalid message type (partly due to void returns). On uninstall, we need to remove the kra-connector from all relevant CA's in the security domain. The best way to do this is to keep kra-connector info in LDAP, so that only one call is needed. Until that change has been made, we are adding a hack to remove the connector from all CA's in the secutrity domain (if it exists). Due to issues with proxy configurations, we will continue to use sslget and a url-encoded-form version of the servlet. In addition, it was found that when removing a KRA from a shared subsystem, the updateDomainXML servlet was erroneously returning failure when it was unsuccessful in removing a non-existent user from a group. Ticket 1113
* Disable PKI GUI ConfigurationMatthew Harmsen2014-08-281-36/+0
| | | | - PKI TRAC Ticket #1120 - Remove Firefox PKI GUI Configuration Panel Interface
* UI scrubMatthew Harmsen2014-08-223-1/+2
| | | | * PKI TRAC Ticket #567 - ui needs to be scrubbed for missing images
* Adds a new CLI command pki ca-kraconnector-show.Abhishek Koneru2014-08-141-0/+13
| | | | | | | The new command allows users to view the information about kra connectors registered with the CA. Ticket #479
* Add ability to create database as subtree of existing treeAde Lee2014-07-171-2/+2
| | | | | | | | | | | | | | | | This patch adds the ability to create a subsystem that uses an existing subtree to create the internal basedn. This is useful for instance, for IPA which will use the original o=ipaca as the top level DN for a KRA, which will be situated at o=ipadrm, o=ipaca. The patch also allows such a system to be cloned, but not to setup the replication agreements, on the assumption that the data is already being replicated at the top-level DN or some higher level. The patch also contains some minor cleanups - removing unused imports and removal of an invalid reference in the python code. Ticket 1051
* Remove legacy 'systemctl' filesMatthew Harmsen2014-07-034-141/+0
| | | | - PKI TRAC Ticket #832 - Remove legacy 'systemctl' files . . .
* Backup and Archive CS.cfgMatthew Harmsen2014-07-021-0/+1
| | | | * PKI TRAC Ticket #899 - RFE - ipa-server should keep backup of CS.cfg
* Fix typo in CS.cfg for ca.profiles.defaultSigningAlgsAllowedAde Lee2014-06-251-1/+1
| | | | Ticket 781
* Change LDAP Attributes to allow for tr_TR localeMatthew Harmsen2014-05-202-109/+109
| | | | | * PKI TRAC Ticket #946 - Installation of IPA hangs up when LANG is set to tr_TR.UTF8
* Fixed internal errors in RenewalProcessor.Endi S. Dewata2014-05-191-0/+3
| | | | | | | | | | | | The RenewalProcessor was throwing NumberFormatException if the renewal request contains an empty serial number. The code has been modified to check for null and empty string. If the serial number is unavailable, the code will try to get the serial number from the client certificate. If that is unavailable either, the code has been fixed to return a proper message. Ticket #999
* Removed requestID parameter usage in [un]revoke request.Abhishek Koneru2014-05-162-11/+2
| | | | | | | | | | | | | | | | There seems to be no use of the requestID parameter in both revoke and unrevoke request. Removed requestID attribute in CertRevokeRequest remove the class CertUnrevokeRequest. Also made changes in RevocationProcesor to use the requestID of the request created in it. The setRequestID() is being called in the DoRevoke and DoUnRevoke servlets. Removed the call and a function auditRequesterId in both the classes. The auditRequestorId method tries to get a "requestID" stored as a INPUT field in the reasonToRequest page. The ReasonToRevoke class which generates this page does not set the value.
* Added minimum search keyword length requirement.Endi S. Dewata2014-05-122-3/+0
| | | | | | | | | | Some REST services that accept search keywords have been modified to require a minimum length of 3 characters. The DEFAULT_SIZE constant has been moved into the base PKIService class to reduce multiple declarations. Ticket #920
* Fixed message format for PKIException.Endi S. Dewata2014-05-071-2/+2
| | | | | | | | | | | Previously PKIException was not displayed properly in browser because it doesn't have a writer for HTML. Now the exception mapper will compute the message format properly, and will default to XML. The exception mapper itself has been moved into a server package due to class dependency. The REST application classes have been updated accordingly. Ticket #554
* Refactored SystemConfigService (part 12).Endi S. Dewata2014-04-251-0/+36
| | | | | | | Subsystem-specific configuration codes have been moved from the SystemConfigService into the subsystem-specific installer. Ticket #890
* Refactored SystemConfigService (part 9).Endi S. Dewata2014-04-252-2/+33
| | | | | | | | | New subclasses of SystemConfigService have been added for each subsystem to replace the base installer. Initially these classes are blank, so they are identical to the base class. Later they will store subsystem-specific installation code. Ticket #890
generated by cgit (git 2.34.1) at 2024-06-09 19:22:48 +0000