path: root/base/ca
* Store issuer DN in certificate records (Fraser Tweedale, 2015-10-21; 2 files, -0/+10)
  Lightweight CAs mean that we may wish to filter certificates based on the issuer. Update X509CertImplMapper to store the issuer DN in each certificate record, using existing schema. Also add indices for the 'issuerName' LDAP attribute.
* Ticket #1648 [RFE] provide separate cipher lists for CS instances acting as client and server (Christina Fu, 2015-10-20; 1 file, -2/+4)
  This patch provides subsystem->subsystem cipher configuration when acting as a client.
* Lightweight CAs: implement deletion API and CLI (Fraser Tweedale, 2015-10-06; 4 files, -4/+109)
  Implement lightweight authority deletion including CLI command. To be deleted an authority must be disabled and have no sub-CAs.
  Fixes: https://fedorahosted.org/pki/ticket/1324
* Fix compilation error in eclipse for caMap (Ade Lee, 2015-10-02; 1 file, -23/+23)
* Ticket #1593 auto-shutdown - for HSM failover support (Christina Fu, 2015-10-01; 2 files, -0/+18)
  This is an interim solution for supporting HSM failover by automatically shutting down the server when the signing key becomes inaccessible. At auto-shutdown, a crumb file will be left in the instance directory for an external daemon to detect and restart, if necessary. Due to limitations of the watchdog (nuxwdog) at the present time, the restart option currently only works if started with the watchdog (nuxwdog), and it will prompt for passwords on the terminal. The restart counter is to prevent the server from going into an infinite restart loop. The administrator will have to reset autoShutdown.restart.count to 0 when the max is reached.
  (cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
* Refactored certificate processors. (Endi S. Dewata, 2015-09-30; 1 file, -0/+2)
  The CertProcessor.setCredentialsIntoContext() and CAProcessor.authenticate() methods have been modified such that they can accept credentials provided via the AuthCredentials (for REST services) or via the HttpServletRequest (for legacy servlets). The CertEnrollmentRequest has been modified to inherit from ResourceMessage such that REST clients can provide the credentials via request attributes.
  https://fedorahosted.org/pki/ticket/1463
* Lightweight CAs: fix caMap synchronization (Fraser Tweedale, 2015-09-30; 1 file, -8/+9)
  Some access to caMap was not correctly synchronized, with authorities (of which there could be many) acquiring their own intrinsic lock rather than the shared caMap. Use 'Collections.synchronizedSortedMap' to fix this. As a bonus, locking is now more fine-grained.
* Fixup for CS.cfg for authority feature (Ade Lee, 2015-09-28; 1 file, -1/+1)
  Set enable -> enabled
* Added Features REST API resource (Ade Lee, 2015-09-27; 2 files, -0/+7)
  This will help us track whether or not a server has a feature either offered or enabled. Ultimately, it could be used by an admin to enable or disable features. The Java client is not included in this commit. Will add in a subsequent commit.
* Lightweight CAs: REST cert request param to specify authority (Fraser Tweedale, 2015-09-26; 2 files, -5/+40)
  Add the optional "ca" query parameter for REST cert request submission. Also update the ca-cert-request-submit CLI command with an option to provide an AuthorityID.
  Part of: https://fedorahosted.org/pki/ticket/1213
* Lightweight CAs: initial support (Fraser Tweedale, 2015-09-26; 11 files, -99/+968)
  This commit adds initial support for "lightweight CAs" - CAs that inhabit an existing CA instance and share the request queue and certificate database of the "top-level CA". We initially support only sub-CAs under the top-level CA - either direct sub-CAs or nested. The general design will support hosting unrelated CAs but creation or import of unrelated CAs is not yet implemented.
  Part of: https://fedorahosted.org/pki/ticket/1213
* remove obsolete code from CertificateAuthority class (Fraser Tweedale, 2015-08-25; 1 file, -11/+0)
* Internet Explorer 11 not working browser warning. (Jack Magne, 2015-08-20; 1 file, -11/+38)
  Related to ticket #1575 Internet Explorer 11: caUserCert request submission fails using the EE page.
  This patch will only do the following: Detect IE when IE11 is being used. Before this IE11 was mistaken for Firefox. Detect IE11 specifically and warn the user that there is no support.
  This ticket will live so we can fix this properly by porting the current VBS script to Javascript to support cert enrollment on IE 11.
* Ticket 1543 portalEnroll authentication does not load during creation from Console (Christina Fu, 2015-08-12; 1 file, -2/+0)
  It appears that the PortalEnroll plugin was never converted to work in the Profile Framework. This patch takes out the following line from CS.cfg:
  auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
  so that it cannot be instantiated from the console, nor manually in CS.cfg, unless explicitly put back in. While in CS.cfg.in, I found the NSSAuth auths.impl line having no real implementation, so I remove that too.
* Fixed missing query parameters in ListCerts page. (Endi S. Dewata, 2015-08-12; 2 files, -0/+8)
  The ListCerts servlet and the templates have been fixed to pass the skipRevoked and skipNonValid parameters to the subsequent page. Some debugging messages have been cleaned up as well.
  https://fedorahosted.org/pki/ticket/1538
* Ticket 1539 Unable to create ECC KRA Instance when kra admin key type is ECC (Christina Fu, 2015-08-12; 2 files, -4/+4)
  This patch changes the relevant CA enrollment admin profiles so that they accept requests for EC certs. The issue actually affected not just KRA; it also affected other non-CA subsystems.
* Separate range and cert status threads (Ade Lee, 2015-08-12; 1 file, -0/+5)
  We currently disable the cert status maintenance thread on clone CAs because CRL processing should only be done on the master CA. Currently, the maintenance thread also performs other checks on serial number ranges and settings. By disabling the maintenance thread, we disable these checks too.
  To fix this, we have separated the serial number checks into a different maintenance thread, so that these tasks will occur even if the cert status thread is disabled.
  Bugzilla # 1251606
* Fixed missing cert request hostname and address. (Endi S. Dewata, 2015-08-05; 1 file, -10/+5)
  The CA services have been modified to inject request hostname and address into the certificate request object such that they will be stored in the database. This fixes the problem with requests submitted either via the UI or the CLI. An unused method in CertRequestResource has been removed. Some debug messages have been cleaned as well.
  https://fedorahosted.org/pki/ticket/1535
* remove extra space from Base 64 encoded cert displays (Matthew Harmsen, 2015-07-31; 5 files, -16/+16)
  - PKI TRAC Ticket #1522 - CA UI adds extra space in Base 64 encoded certificate display
* Add code to reindex data during cloning without replication (Ade Lee, 2015-07-31; 2 files, -0/+33)
  When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed.
  When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed.
  Related to ticket 1414
* Firefox warning (Jack Magne, 2015-07-31; 2 files, -6/+7)
  Ticket #1523
  Move the dire warning about the crypto object to sections where it applies. Also slightly changed the message due to context.
* Removed audit CLI from non-TPS subsystems. (Endi S. Dewata, 2015-07-17; 1 file, -4/+0)
  Due to database upgrade issue the pki <subsystem>-audit CLI has been removed from all subsystems except TPS. The AuditModifyCLI has been modified to clarify that the --action and the --input parameters are mutually exclusive.
  https://fedorahosted.org/pki/ticket/1437
* TPS add phone home URLs to pkidaemon status message. (Jack Magne, 2015-07-16; 1 file, -277/+0)
  Ticket #1466. Also remove some needless copies of server.xml from the code.
* Fixed cert-find performance. (Endi S. Dewata, 2015-07-15; 1 file, -20/+18)
  The CertService.searchCerts() has been modified to use the VLV properly to retrieve just the entries in the requested page, thus reducing the response time and memory requirement. Some classes have been modified to clean up the debugging logs.
* Fixed default cert-find filter. (Endi S. Dewata, 2015-07-06; 1 file, -8/+8)
  To improve the performance the default LDAP filter generated by cert-find has been changed to (certStatus=*) to match an existing VLV index.
  https://fedorahosted.org/pki/ticket/1449
* Verify raw profile config before accepting it (Fraser Tweedale, 2015-07-06; 1 file, -1/+42)
  Creating or modifying a profile with bad profile data in the "raw" format succeeds and saves the bad data. After restart, the profile cannot be loaded and attempting to use, modify or delete or recreate the profile will fail.
  Verify raw profile data by instantiating a temporary profile and attempting to initialise it with the received configuration.
  Fixes: https://fedorahosted.org/pki/ticket/1462
* Fixed fail-over in HttpConnection. (Endi S. Dewata, 2015-07-02; 1 file, -3/+2)
  The HttpConnection class has been modified to support fail-over and timeout more consistently. The targets are parsed into a list during initialization. All direct calls to HttpClient.connect() are replaced with a method that will connect to the first available target. All connections are now created with a timeout (which by default is 0).
  https://fedorahosted.org/pki/ticket/891
* Unable to select ECC Curves from EE fix. (Jack Magne, 2015-07-02; 1 file, -1/+80)
  Ticket #1446: Without the crypto object, the user is now presented with a very bare bones keygen tag powered UI. One can only select a key strength and only use RSA.
  This fix adds simple UI to make better use of the keygen tag:
  1. Allows the use of ECC.
  2. Gives simple info on how the key strengths map to RSA key size and ECC curves. When the user selects High, they get RSA 2043, and ECC nistp384. When the user selects Medium, they get RSA 1024, and ECC nistp256.
* Ability to toggle profile usability in Web vs CLI tools. (Jack Magne, 2015-07-01; 1 file, -3/+2)
  Ticket #1442. This fix gives the command line enrollment commands the ability to enroll a cert against a profile that has been marked as not visible but "enabled".
  With the simple fix the following scenarios tested to work: The "caUserCert" Profile was marked as not visible, but enabled.
  1. pki -c Secret123 client-cert-request --profile caUserCert uid=jmagne
     This is the simplest form of user cert enrollment.
  2. pki ca-cert-request-profile-show caUserCert --output testuser.xml
     pki ca-cert-request-submit testuser.xml
     The first command gives us the profile's xml file, which after modification is used to enroll.
  3. pki -d ~/.dogtag/pki -c "" -n "PKI Administrator for localdomain" ca-profile-show caUserCert
     This one shows that we can view the contents of a non visible profile. Listing is not allowed. We felt this appropriate to allow a command line user to get the details of a non visible profile that they know about and want to use.
* Fixed thread leaks during shutdown. (Endi S. Dewata, 2015-06-18; 1 file, -1/+1)
  Various code has been modified to properly stop threads during shutdown. A new ID attribute has been added to the LDAP connection factory classes to help identify leaking threads.
  https://fedorahosted.org/pki/ticket/1327
* Fixed typos in Web UI. (Endi S. Dewata, 2015-06-18; 1 file, -1/+1)
* Mozilla crypto object warning: (Jack Magne, 2015-06-16; 1 file, -0/+7)
  Provide simple textual warning when the user is using a browser that no longer supports the crypto object, which results in reduced CA certificate enrollment functionality. For simplicity provide the warning at the top of the main index page and at the top of the CA's services page. The services page is where the pkispawn of the CA points the users after installation. The ticket originally called for a JS warning but the simple text warning should be less intrusive and repetitive to the user.
  Ticket #1398 Provide UI Javascript warning for missing Mozilla Crypto Object in the CA.
* NPE when modifying profile without 'action' param (Christian Heimes, 2015-06-16; 1 file, -0/+5)
  In modifyProfileState check the 'action' query parameter for NULL and raise a BadRequestException when the parameter is not set.
  https://fedorahosted.org/pki/ticket/1361
* Ticket 1412 Should disable the caCrossSignedCACert and caRACert profile (Christina Fu, 2015-06-15; 2 files, -4/+4)
* Cleaned up links in main page. (Endi S. Dewata, 2015-06-11; 1 file, -2/+1)
  The ROOT's index.jsp has been modified to show the links to all subsystems installed on the instance. When opened, it will show the services provided by the subsystem.
  The pkispawn output has been modified to show the subsystem URL more consistently:
  https://<hostname>:<port>/<subsystem>
  In all subsystems except TPS the page will redirect to:
  https://<hostname>:<port>/<subsystem>/services
* Use SimpleProperties to handle raw profile format (Fraser Tweedale, 2015-05-22; 1 file, -2/+21)
  The store() method of the 'Properties' class escapes '=' and ':' in values, corrupting the profile data. Continue using 'Properties' to read the input (unescaping values) then copy the properties into a 'SimpleProperties' object so that unwanted backslashes do not appear in the output.
* Ticket #572 - CRL scheduler adds extra CRL generation at midnight for daily schedules. (Jack Magne, 2015-05-06; 1 file, -3/+3)
  Addresses the complaint of this ticket. Tested to work in a few basic cases. The minor code change was designed to only affect the specific scenario when we have a daily schedule that spans only one day.
  More Info: How to duplicate and test:
  Perform a manual crl generate from the agent interface because the code to be tested relies heavily upon the "lastUpdate" which will appear in the logs. Do this to have a nice launching off point.
  Go to the ca's pkiconsole and select: Certificate Manager -> CRL Issuing Points -> MasterCRL. Check "updateCRL at: " and give a schedule such as: 15:03, 15:10 .. This gives us a chance to watch the two regularly scheduled updates happen.
  When the first event triggers, have a look at the CA's "debug" log and note the following or similar entry:
  [CRLIssuingPoint-MasterCRL]: findNextUpdate: Wed May 06 15:10:00 PDT 2015 delay: 86301873
  Wait for the 15:00 event to happen. When that triggers at the end of that cycle, we should see one more similar entry.
  [CRLIssuingPoint-MasterCRL]: findNextUpdate: Wed May 06 15:03 PDT 2015 delay: 86301873
  That is the correct behavior after the fix. We want the next update to be at the first entry of the daily schedule, but tomorrow. The current bug would print out this value as something like: Wed May 06 00:00:00 or similar to indicate midnight. This is not what we want.
* Fixed authentication data in audit log. (Endi S. Dewata, 2015-05-05; 1 file, -1/+3)
  The REST methods may be executed by different threads even though they are invoked in the same session. A new interceptor has been added to all subsystems to make sure the SessionContext is created properly for each thread. This will fix the authentication data in the audit log. The SessionContext has also been improved to use ThreadLocal instead of a global Hashtable.
  https://fedorahosted.org/pki/ticket/1054
* OCSP and CA minor cloning fixes (Jack Magne, 2015-05-01; 1 file, -18/+53)
  Tickets #1294, #1058
  The patch does the following:
  1. Allows an OCSP clone to actually install and operate. It also sets a param appropriate for an OCSP clone. Ticket #1058
     The controversial part of this one is the fact that I have disabled having OCSP clones register themselves to the CA as publishing target. The master is already getting the updates and we rely upon replication to keep the clones updated. The current downside is the master is on an island with respect to updates and could be considered a single point of failure. Thus my proposal for this simple patch is to get the OCSP clone working as in existing functionality. Then we come back and propose a ticket to allow the installer OCSP clones to set up the publishers in such a way that all clones and master are registered, but when it is actually time to publish, the CRL publisher has the smarts to know that members of a clone cluster are in a group and the first successful publish should end the processing of that group.
  2. Allows the CA clone to set some params to disable certain things that a clone should not do. This was listed as a set of misc post install tasks that we are trying to automate.
  Code tested to work.
  1. OCSP clones can be installed and the CRL were checked to be in sync when an update occurred to the master.
  2. The CA clone has been seen to have the required params and it looks to come up just fine.
  Final review minor changes to tickets, 1294, and 1058.
* Ticket #1295 CA: OCSP via GET does not work (Christina Fu, 2015-04-28; 1 file, -0/+5)
* Remove duplicate prompt on nuxwdog startup (Ade Lee, 2015-04-23; 1 file, -1/+1)
* Parameterized CA templates. (Endi S. Dewata, 2015-04-22; 6 files, -31/+157)
  https://fedorahosted.org/pki/ticket/1296
* Moved color settings to CSS. (Endi S. Dewata, 2015-04-22; 10 files, -11/+16)
  The templates have been modified to remove hard-coded background color settings and use the styles defined in a new CSS file.
  https://fedorahosted.org/pki/ticket/1296
* Added direct deployment for all subsystems. (Endi S. Dewata, 2015-04-22; 4 files, -4/+4)
  The deployment tool has been modified to deploy all subsystems directly from the /usr/share/pki. This will simplify updating the templates in the web applications.
  https://fedorahosted.org/pki/ticket/499
* Parameterized /ca/agent/header. (Endi S. Dewata, 2015-04-22; 1 file, -2/+23)
  https://fedorahosted.org/pki/ticket/1296
* Parameterized /ca/ee/ca/index.html. (Endi S. Dewata, 2015-04-22; 1 file, -6/+24)
  https://fedorahosted.org/pki/ticket/1296
* Parameterized CA's services.template. (Endi S. Dewata, 2015-04-22; 1 file, -2/+28)
  https://fedorahosted.org/pki/ticket/1296
* Ticket 1316 Allow adding SAN to server cert during the install process (Christina Fu, 2015-04-21; 2 files, -0/+91)
  Usage:
  * under /usr/share/pki/ca/conf, you will find a new file called serverCert.profile.exampleWithSANpattern
  * copy existing serverCert.profile away and replace with serverCert.profile.exampleWithSANpattern
  * edit serverCert.profile.exampleWithSANpattern
    - follow the instruction right above 8.default.
    - save and quit
  * cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg
    - follow the instruction right above policyset.serverCertSet.9
    - save and quit
  * save away and edit the ca config file for pkispawn: (note: you can add multiple SAN's delimited by ',' for pki_san_server_cert)
    - add the following lines, e.g.
      pki_san_inject=True
      pki_san_server_cert=host1.Example.com
    - do the same pkispawn cfg changes for kra or any other instances that you plan on creating
  * create your instance(s)
  check the ssl server cert, it should contain something like the following:
  Identifier: Subject Alternative Name - 2.5.29.17
  Critical: no
  Value: DNSName: host1.Example.com
* Added support for Tomcat 8. (Endi S. Dewata, 2015-04-21; 5 files, -0/+59)
  The Dogtag code has been modified to support both Tomcat 7 and 8. All files depending on a specific Tomcat version are now stored in separate folders. The build scripts have been modified to use the proper folder for the target platform. The tomcatjss dependency has been updated as well. The upgrade script will be added in a separate patch.
  https://fedorahosted.org/pki/ticket/1264
* Add pkispawn config option for ldap profiles (Fraser Tweedale, 2015-04-13; 1 file, -1/+1)
  Add the 'pki_profiles_in_ldap' pkispawn config to control whether profiles are stored on the filesystem (old behaviour) or LDAP (new behaviour). The default is file-based profiles.