summaryrefslogtreecommitdiffstats
path: root/base/ca
Commit message (Collapse)AuthorAgeFilesLines
...
* Added selftest resource.Endi S. Dewata2013-10-081-0/+4
| | | | | | | New REST service and clients have been added for managing selftests in all subsystems. Ticket #652
* TRAC Ticket #641 - Incorrect interface labels in pkidaemon outputMatthew Harmsen2013-09-041-6/+6
|
* Pre-registration of CA cross signing profileAndrew Wnuk2013-08-291-1/+3
| | | | | | This patch provides pre-registration of CA cross signing profile. Ticket #681.
* CA cross signing profileAndrew Wnuk2013-08-291-0/+92
| | | | | | This patch provides new profile to support CA cross signing enrollment. Ticket #681
* Pre-registration of UserSubjectNameConstraint plug-inAndrew Wnuk2013-08-291-1/+4
| | | | | | This patch provides pre-registration of UserSubjectNameConstraint plug-in. Ticket #682.
* Refactored client framework.Endi S. Dewata2013-08-231-1/+2
| | | | | | | | | A new Client class was added as a base for all client classes. The SubsystemClient was added as a base for all subsystem clients. It also provides methods to authenticate against the subsystem. The DRMClient has been renamed to KRAClient to match the actual subsystem name. Ticket #701
* Reorganized interceptors.Endi S. Dewata2013-08-201-2/+2
| | | | | | The ACLInterceptor and AuthMethodInterceptor interceptors only run on the server, so they have been moved from the base package into the server package.
* Initial code to configure a TPS in tomcatAde Lee2013-08-131-1/+1
| | | | | This code allows pkispawn to configure a tps in tomcat. It does not include any config using the web UI panels.
* Fixes for profile REST interface from code review.Ade Lee2013-07-311-5/+5
| | | | Simplified the inputs, outputs for ProfileData
* Fix various issues with Profile InterfaceAde Lee2013-07-312-0/+12
| | | | | 1. Fixed REST API as per review. 2. Add output for profile-show and profile-find
* Storing authentication info in session.Endi S. Dewata2013-07-291-1/+3
| | | | | | | | | The authenticator configuration has been modified to store the authentication info in the session so it can be used by the servlets. An upgrade script has been added to update the configuration in existing instances. The SSLAuthenticatorWithFalback was modified to propagate the configuration to the actual authenticator handling the request.
* Add interfaces for managing profilesAde Lee2013-07-221-90/+48
| | | | | This adds the initial framework for viewing and managing profiles. Also adds CLI code for viewing/adding/deleting and editing profiles.
* directory and pin profileAndrew Wnuk2013-06-132-1/+102
| | | | | | This patch adds new directory and pin profile. Bug: 961522
* exportable keyAndrew Wnuk2013-06-071-0/+2
| | | | | | Allows key to be exported. Bug 961522.
* Fixed hard-coded server certificate nickname.Endi Sukma Dewata2013-06-032-3/+2
| | | | | | | | | | | Previously the server certificate name was partially hard-coded as "Server-Cert cert-[PKI_INSTANCE_NAME]". Now in Tomcat-based subsystems it can be fully configured using pki_ssl_server_nickname parameter. In Apache-based subsystems it's left unchanged. Unused serverCertNick.conf files have been removed. Ticket #631
* Replaced PKI_SUBSYSTEM_DIR with PKI_SUBSYSTEM_TYPE.Endi Sukma Dewata2013-05-302-73/+73
| | | | | The PKI_SUBSYSTEM_DIR variable is redundant and can be replaced with PKI_SUBSYSTEM_TYPE.
* Renamed PKI_INSTANCE_ID into PKI_INSTANCE_NAME.Endi Sukma Dewata2013-05-303-24/+24
| | | | | The PKI_INSTANCE_ID variable has been renamed into PKI_INSTANCE_NAME for consistency.
* Renamed SERVER_NAME and PKI_MACHINE_NAME into PKI_HOSTNAME.Endi Sukma Dewata2013-05-304-24/+24
| | | | | The SERVER_NAME and PKI_MACHINE_NAME variables have been renamed into PKI_HOSTNAME for consistency.
* Option to include nextUpdate as an offset to thisUpdateAndrew Wnuk2013-05-141-0/+27
| | | | | | This patch provides an option to generate CRLs with nextUpdate calculated as sum of thisUpdate and an offset. Ticket #571
* Randomized validityAndrew Wnuk2013-05-141-1/+4
| | | | | | This patch provides plug-in randomizing validity Ticket #607
* random certificate serial numbersAndrew Wnuk2013-04-191-1/+3
| | | | | | This patch adds support for random certificate serial numbers. Bug 912554.
* Tracking upgrade using existing config files.Endi Sukma Dewata2013-04-171-1/+1
| | | | | | | | | | | The upgrade framework has been modified to use pki.conf to track system upgrade, tomcat.conf to track instance upgrade, and CS.cfg to track subsystem upgrade. The preop.product.version in CS.cfg has been renamed into cms.product.version and is now used to track upgrade. Ticket #544
* Added tokenAuthenticate to admin interfaceAde Lee2013-04-161-0/+18
| | | | | | | Modified code to use this interface by default. Added required migration script code. Ticket 546
* Bug 929043 - updated serverCert.profile with SAN results in ↵Christina Fu2013-04-031-0/+50
| | | | | | SubjectAltNameExtDefault gname is empty, not added in cert ext during configuration Bug 927545 - Transport Cert signing Algorithm doesn't show ECC Signing Algorithms during DRM configuration with ECC
* Added securitydomain.checkIP parameterMatthew Harmsen2013-04-031-0/+1
| | | | * Bugzilla Bug #947524 - Clone installation does not work over NAT
* Bug 904289 - Add ECC Support to Certificate ProfilesChristina Fu2013-03-2514-24/+24
|
* Replaced Tomcat's random number generator.Endi Sukma Dewata2013-03-191-1/+5
| | | | | | | | | | By default Tomcat relies on /dev/random as a random number generator to generate the session ID's. Under certain conditions /dev/random may block, which will block Tomcat as well. To solve the problem all webapps in Tomcat have been configured to use the random number generator provided by JSS. Ticket #524
* Plug resource leaksAde Lee2013-03-081-6/+3
|
* Added authentication method validation.Endi Sukma Dewata2013-02-192-4/+6
| | | | | | | | | | | | | | | A new mechanism has been added to specify the authentication methods that can be used to invoke the REST methods. The AuthMethodMapping annotation maps each REST method to a list of allowed authentication methods. When a client calls a REST method, the AuthMethodInterceptor will intercept the call and verify that the client uses an allowed authentication method. Most REST methods that require authentication have been configured to require client certificate authentication. Authentication using username and password will only be used to get the installation token from security domain. Ticket #477
* Added CLI to manage user membership.Endi Sukma Dewata2013-02-181-0/+2
| | | | | | | | New CLI's have been added to search, add, and remove user membership. The group member management code has been refactored into a processor to allow reuse. Ticket #190
* Add updateDomainXML to admin interfaceAde Lee2013-02-112-1/+25
|
* move updateNumberRange to admin interfaceAde Lee2013-02-111-2/+2
|
* remove unneeded getTokenInfo servletAde Lee2013-02-111-18/+0
|
* Session-based nonces.Endi Sukma Dewata2013-02-042-8/+43
| | | | | | | | | | | | | | | | | | | | | | | Previously nonces were stored in a global map which might not scale well due to some issues: 1. The map uses the nonces as map keys. There were possible nonce collisions which required special handling. 2. The collision handling code was not thread safe. There were possible race conditions during concurrent modifications. 3. The map was shared and size limited. If there were a lot of users using the system, valid nonces could get pruned. 4. The map maps the nonces to client certificates. This limits the possible authentication methods that can be supported. Now the code has been modified such that each user has a private map in the user's session to store the nonces. Additional locking has been implemented to protect against concurrent modifications. The map now uses the target of the operation as the map key, eliminating possible collisions and allowing the use of other authentication methods. Since this is a private map, it's not affected by the number of users using the system. Ticket #474
* https://fedorahosted.org/pki/ticket/362 RFE: CMC ECCChristina Fu2013-01-154-4/+4
|
* Resolved Trac Ticket 367 - pkidestroy does not remove connectorAde Lee2013-01-153-1/+6
| | | | | | | | | | | * Added RESTful servlet to add/remove a KRA connector from the CA. * Modified ACL to allow KRA subsystem user to remove connector. * Modified connector code to allow the connector to be replaced without a server restart. * Added functionality to pki CLI to add/remove connector * Added code to pkidestroy to remove the connector (using both pki CLI and sslget) When the issues with pki connection are resolved, we will use that method instead. * Modified sslget to accept HTTP return codes != 200. In this case, we were returning 204 - which is perfectly legitimate.
* Increase root CA validity to 20 yearsAde Lee2013-01-072-3/+3
| | | | Trac Ticket #466
* Remove server code from CertSearchRequestAde Lee2012-12-071-2/+3
| | | | Ticket #418
* Parameterizing RESTEasy paths.Endi Sukma Dewata2012-12-061-2/+1
| | | | | | | | | The paths to RESTEasy jar files have been modified such that it can be configured globally at build time using the spec file to support different distributions, and at deployment time using a system-wide configuration in /etc/pki/pki.conf. Ticket #422, #423.
* I18n for ProfileList.template.Endi Sukma Dewata2012-12-031-16/+43
| | | | | | | | | | | | | The messages in ProfileList.template in CA EE has been extracted into a properties file which can be translated separately. The original messages in the template have been marked as follows: <span class="message" name="...key...">...message...</span> When the page is loaded into the browser, the original message will be replaced with the translated messages. Ticket #406
* Misc changes to get rhel 7 build to workAde Lee2012-11-211-0/+1
| | | | | | | 1. Modified cmake dependency 2. Corrected conditionals in spec file 3. Added paths for resteasy-base 4. Added paths to policy for resteasy-base
* Change cmake projects from Java to NONEAde Lee2012-11-202-2/+2
|
* Reorganized CA, KRA, OCSP, TKS templates.Endi Sukma Dewata2012-11-12174-0/+40286
| | | | | | | | | | | All remaining theme files for Tomcat subsystems which include the templates and JS files have been moved from the theme folder at <subsystem>-ui/shared/webapps/<subsystem> into the subsystem webapp folder at base/<subsystem>/shared/webapps/<subsystem>. The deployment tools have been updated to use the new location. Ticket #407
* Added ACLInterceptor.Endi Sukma Dewata2012-11-082-9/+13
| | | | | | | | | Previously ACL checking was done in PKIRealm by matching the URL. This code has been replaced by ACLInterceptor which will intercept RESTEasy method invocations. This allows more precise mapping of REST methods to ACL entries in acl.ldif. Ticket #287
* Updated clearpixel.gif paths.Endi Sukma Dewata2012-11-061-3/+3
|
* Removal of version numbers from jar file namesMatthew Harmsen2012-10-291-12/+2
| | | | * TRAC Ticket #350 - Dogtag 10: Remove version numbers from PKI jar files . . .
* Fixed synchronization problem in CertificateRepository.Endi Sukma Dewata2012-10-291-1/+25
| | | | | | | | Some synchronized methods in CertificateRepository may block modifyCeritifcateRecord() too long, so they have been moved into CRLIssuingPoint and CertStatusUpdateThread. Ticket #313
* Restrict AJP to localhost only by defaultAde Lee2012-10-251-1/+1
| | | | Ticket 369
* Added conditions for security domain REST service.Endi Sukma Dewata2012-10-231-4/+21
| | | | | | | | The CertificateAuthorityApplication has been modified to deploy the REST service for security domain only if the server has been configured with a new security domain. Ticket #309
* Enabled realm authentication for certificate requests.Endi Sukma Dewata2012-10-223-1/+3
| | | | | | | | | The realm authentication on certificate request REST services has been enabled. Since now in the CLI the authentication is done using a separate login operation, it is now possible to POST the approval data without the problem related to chunked message. Ticket #300
generated by cgit (git 2.34.1) at 2025-09-27 19:17:11 +0000